Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIT 480: Securing Computer Systems

Published byMarshall Berry Modified over 6 years ago

Similar presentations

Presentation on theme: "CIT 480: Securing Computer Systems"— Presentation transcript:

1 CIT 480: Securing Computer Systems
Malware

2 Topics Malware Detection Virus Types Infection Methods Rootkits
Malware Analysis Protective Mechanisms Malware Factories Botnets

3 Malware Malware, short for malicious software, is software designed to gain access to confidential information, disrupt computer operations, and/or gain access to private computer systems. Malware can be classified by how it infects systems: Trojan Horses Viruses Worms Or by what assets it targets: Ransomware Information stealers Spyware and adware Backdoors Rootkits Botnets

4 How much malware is out there?
See for updates.

5 Static Malware Detection
Signature-based Look for known patterns of bytes in malicious code. Defeated by polymorphic/metamorphic viruses. Decryption Brute-forces simple XOR-based encryption. Checks decrypted text against small virus signature set to decide whether has plaintext or not. Heuristics Set of signatures that can match in any order, with stretches of metamorphic or legitimate code between. List of suspicious coding techniques (a type of signature). Software scored on number of signatures matched, weighted by the importance of each one.

6 Sandboxes Isolated VMs for dynamic malware detection.
Execute potential malware on VM. Scan VM after a certain amount of time. Examine memory, filesystem, network.

7 https://www. virustotal

8 Theory of Malicious Code
Theorem 1: It is undecidable whether an arbitrary program contains a computer virus. Proof: Define virus v as TM program that copies v to other parts of the tape, while not overwriting any part of v. Reduce to Halting Problem: T’ running code V’ reproduces V iff running T on V halts. Theorem 2: It is undecidable whether an arbitrary program contains malicious logic.

9 Viruses A computer virus is a type of malware that, when executed, replicates by inserting copies of itself (possibly modified) into other files. This process is called infecting.

10 Types of Viruses Boot Sector Executable Dynamic Library
When system boots, code in boot sector executed. Propagate by altering boot disk creation. Uncommon today because of low use of boot floppies, but some Vista laptops shipped with one. Executable Infects executable programs (e.g., COM, EXE). Executes when infected program is run. Virus usually runs first, then runs original code. Dynamic Library Infected dynamically linked libraries (DLLs.) Executed when any program uses infected DLL.

11 Types of Viruses Device Driver Virtual Machine (.NET)
Infects loadable device driver. Executes in kernel mode. Virtual Machine (.NET) Infects .NET MSIL binaries. Portable: compiled to native code by CLR. Archive Infectors Inserts Trojan Horse into ZIP files. Uses social engineering techniques to get user to run.

12 Types of Viruses Macro Virus Infects embedded interpreted code.
Needs interpreter like sh, MS Word macro. Can infect executables or data files Executables must invoke appropriate interpreter. Most modern data formats support some type of scripting, including Microsoft Office Windows Help files HTML: VBScript, JScript

13 Infection Methods Overwriting Companion
Overwrites section of program file with virus. May break infected program. Companion Infects COM file of same name as EXE file. Given a name, Windows runs COM before EXE Infects alternate data stream of Win32 file. Legitimate application Virus: infect() if trigger payload() run file.exe file.exe file.com

14 Infection Methods: Prepending
Insert virus code at beginning of executable. Shift original code to follow virus. Executable code Virus code Infection

15 Infection Methods: Appending
Append virus code to executable. Insert JMP at beginning of executable. Executable code Jump to Virus Executable code Infection infect() if trigger payload() goto start

16 Infection Methods: Fragmenting
Append virus code to executable. Insert JMP at beginning of executable. Executable code Jump to Virus Executable code Virus code Infection Executable code Virus code Executable code Virus code

17 Rootkits hide Malware A rootkit is a type of software used to hide files, processes, network connections. Much modern malware uses rootkit techniques to hide. Rootkits can be detected by examining filesystem when OS is not running. Rootkit detectors can find some rootkits while running by looking for modifications of OS data structures. User Program Rootkit Operating System

18 Malware Handling Process
Static Analysis (for signatures) Dynamic Analysis (for signatures) Reverse Engineering (if needed) Signature Creation Quality Assurance Signature Deployment

19 Static Analysis Static analysis includes any approach to analyzing a program without running it. File type Strings found in file Assembly code for program Safest form of analysis, as malware is never executed.

20 Dynamic Analysis Dynamic analysis includes any approach to analyzing a program while running it. Malware sandbox (to run malware safely). Host analysis tools (local changes). Network analysis tools (network traffic). Autoruns is a tool to show which services are started at boot from the many different configuration options that allow such.

21 Reverse Engineering Reverse engineering is the use of static analysis (decompilers, disassemblers) and dynamic analysis (debuggers) techniques to determine precisely how a program works. Screen shot of IDA Pro disassembler.

22 Static Malware Protection
Encryption. Virus starts with small decryption algorithm. Remainder of virus is encrypted, typically XOR with key. Often encrypts different parts of virus with different encryption techniques or keys. Polymorphism Changes encryption key or technique each infection. Dynamic scan can wait til malware decrypts self in RAM. Metamorphism Rewrites decryption code using different machine instructions each infection too. Too many variants for signature detection

23 Dynamic Malware Protection
Anti-sandboxing techniques. Researchers use VMs to analyze malware safely, so If detect VM, then disable or delete self. Anti-debugging tricks. Researchers use debuggers to analyze software activity. Detect some debuggers and break debugging session. Write code in such a way to make it difficult to debug. Anti-detection techniques. Disable AV software on system. Obfuscate code.

24 Malware Factories Malware factories are software and processes to automate the production and protection of malware, allowing threats to produce thousands of different malware from an original program, all of which are well protected.

25 Malware Factory Process
Mutate malware code (metamorphism). Encrypt malware (polymorphism). Pack malware. Bind malware to Trojan cover file. Armor malware (anti-sandbox,debug,detect) Quality assurance Upload to vscan.novirusthanks.org to verify no current AV tool can detect it.

26 Runtime Packers Runtime packers compress the code of programs better than general purpose compression tools and automatically decompress the program upon execution. Today they are primarily used to prevent analysis of programs. Thousands of packers exist. Can pack code multiple times with different packers. AV can unpack some formats, but not all.

27 EXE Binding An EXE binder takes multiple programs and merges them into a single executable file that performs the functions of all of them. It is primarily used to bind malware into legitimate programs to make Trojan horses.

28 Botnets A botnet is A network of compromised machines
that can be controlled remotely used for malicious activities. Bot 1 Bot 2 Threat Command & Control Server Bot n

29 Botnets

30 Botnet Components Host Component Network Components
Malware running on victim’s computer. Receives commands from botmaster. Executes attacks. Sends data to botmaster. Network Components Command & Control (C&C) servers. Malware distribution servers. Drop zone (for data exfiltration).

31 C&C Structure Centralized Decentralized (peer-to-peer) Hybrid
All bots connect to a single C&C server. Single point of failure that can take down botnet. Decentralized (peer-to-peer) Every bot is also a C&C server. Botmaster can administrate from any bot. Hybrid Every bot is a C&C server. Also have separate C&C server.

32 Botnet Applications Distributed Denial of Server (DDoS) Click fraud
Spam replay Pay-per-install agent Large-scale information harvesting Information processing

33 Stopping Botnets Identify C&C server(s) and take down.
Block C&C server DNS name. Block C&C server IP address. Update anti-virus to identify host component and remove (difficult to reach every infected host.) Identify botmaster(s) and work with law enforcement to stop them.

34 Protecting C&C Bulletproof Hosting Dynamic DNS Fast Fluxing
ISP that permits criminal activity, spamming, &c. Dynamic DNS C&C changes IP addresses every few minutes. Uses DDNS service to point to changing IPs. Fast Fluxing DNS requests resolve to set of flux agent IPs. Flux agents redirect traffic to C&C server.

35 Single Flux Networks

36 Double Flux Networks Single flux change DNS name to IP mapping.
Double flux change DNS servers for domain too.

37 Domain Generation Algorithms
Generate domain names for C&C servers Algorithmic, but hard to predict. Generate hundreds to thousands per day. Botmaster knows DGA domains Sets up C&C at one of the domains. Waits for bots to contact & request commands. Defends against C&C takedown Too many domains to blacklist. Generated domains are expendable, so takedowns don’t matter as botmaster has moved on to new ones. Botmaster can register C&C domains in future, so they’re not available to takedown on infection.

38 DGA Disadvantages DGA bots produce much network traffic to nonexistent domains, returning errors. If DGA is reverse engineered, someone can take control of botnet by registering domain name of a future C&C server.

39 Key Points Malware Handling Process
Static Analysis (for signatures), Dynamic Analysis (for signatures), Reverse Engineering (if needed), Signature Creation, QA, Signature Deployment Rootkit techniques hide malware from running software. Malware Factory Process Mutate malware code (metamorphism), Encrypt malware (polymorphism), Pack malware, Bind malware to Trojan cover file, Armor malware (anti-sandbox, debug, detect), QA Botnets Host and network components. Command & Control servers are weak point. C&C protection: bulletproof hosting, dynamic DNS, fast flux, DGA Provably impossible to construct perfect AV software.

40 References AV-Test.org, Malware Statistics, Christopher Elisan, Malware, Rootkits, & Botnets: A Beginner’s Guide, Mc-Graw Hill Osborne Media, 2012. William Salusky and Robert Danford, Know Your Enemy: Fast-Flux Service Networks, Michael Sikorski and Andrew Honig, Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software, No Starch Press, 2012. Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006.

Download ppt "CIT 480: Securing Computer Systems"

Similar presentations

Chapter 14 Computer Security Threats

Chapter 14 Computer Security Threats
________________ CS3235, Nov 2002 Viruses Adapted from Pfleeger[Chap 5]. A virus is a program [fragment] that can pass on malicious code [usually itself]

________________ CS3235, Nov 2002 Viruses Adapted from Pfleeger[Chap 5]. A virus is a program [fragment] that can pass on malicious code [usually itself]
Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,

Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Lecture 15 Overview. Kinds of Malicious Codes Virus: a program that attaches copies of itself into other programs. – Propagates and performs some unwanted.

Lecture 15 Overview. Kinds of Malicious Codes Virus: a program that attaches copies of itself into other programs. – Propagates and performs some unwanted.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Chapter Nine Maintaining a Computer Part III: Malware.

Chapter Nine Maintaining a Computer Part III: Malware.
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Chapter 15: Security (Part 1). The Security Problem Security must consider external environment of the system, and protect the system resources Intruders.

Chapter 15: Security (Part 1). The Security Problem Security must consider external environment of the system, and protect the system resources Intruders.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)

Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
APT29 HAMMERTOSS Jayakrishnan M.

APT29 HAMMERTOSS Jayakrishnan M.
The Utility Programs: The system programs which perform the general system support and maintenance tasks are known as utility programs. Tasks performed.

The Utility Programs: The system programs which perform the general system support and maintenance tasks are known as utility programs. Tasks performed.
BY ANDREA ALMEIDA T.E COMP DON BOSCO COLLEGE OF ENGINEERING.

BY ANDREA ALMEIDA T.E COMP DON BOSCO COLLEGE OF ENGINEERING.
Lecture 14 Overview. Program Flaws Taxonomy of flaws: – how (genesis) – when (time) – where (location) the flaw was introduced into the system 2 CS 450/650.

Lecture 14 Overview. Program Flaws Taxonomy of flaws: – how (genesis) – when (time) – where (location) the flaw was introduced into the system 2 CS 450/650.
Structure Classifications &

Structure Classifications &
CHAPTER 14 Viruses, Trojan Horses and Worms. INTRODUCTION Viruses, Trojan Horses and worm are malicious programs that can cause damage to information.

CHAPTER 14 Viruses, Trojan Horses and Worms. INTRODUCTION Viruses, Trojan Horses and worm are malicious programs that can cause damage to information.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Malware.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Malware.
1 Higher Computing Topic 8: Supporting Software Updated 16-6-11.

1 Higher Computing Topic 8: Supporting Software Updated
1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

Similar presentations

Ads by Google