Karlstad University: Malware. Ge Zhang, Karlstad University.

Presentation transcript:

1 Malware
Ge Zhang, Karlstad University

2 Focus
What malware is
Types of malware
How they infect hosts
How they propagate
How they hide
How to detect them

3 What is malware?
Malware is a set of instructions that runs on your computer and makes your system do something that an attacker wants it to do.

4 What is it good for?
Steal personal information
Steal valuable data
Destroy data
Denial of service
Use your computer as a relay

5 Viruses
A malicious piece of code that spreads itself from file to file
A virus needs a host file
Requires user interaction
–Like opening a file
Different types of viruses
–Program viruses
–Boot viruses
–Macro viruses
(Figure: an infected file carrying the virus as payload)

6 Worms
A malicious piece of code that spreads itself from computer to computer by exploiting vulnerabilities
–A worm needs no host file
–Spreads without user interaction
Can spread via
–E-mail attachments
–LAN or Internet
Second-generation worms automatically search for vulnerable computers and infect them
–The whole Internet can be infected in less than 20 minutes

7 Malicious Scripts
Malicious scripts written in JavaScript, VBScript, ActiveX, Flash, etc.
Can be hidden in e-mails or websites
–Flash banners and included JavaScript files
–Cross-site scripting (XSS)
–Cookie stealing

8 Trojans
“Trojan horse”: programs with hidden malicious functionality
Appear to be screen savers, games, or other “useful” programs
–“There’s an app for that!”: iPhone and Android apps

9 Backdoors & Rootkits
A secret entry point into a program/system that allows someone aware of the trap door to gain access without going through the usual security access procedures
Backdoors
–Usually left by programmers for debugging and testing purposes, intentionally or unintentionally
Rootkits
–Usually installed by an attacker after having gained root/administrator access
–Modify the entire system and avoid detection

10 Logic Bombs
Malicious code programmed to be activated on a specific date, time or circumstance
The action could be anything from formatting the hard drive to displaying a silly message on the user’s screen
Often combined with a virus/worm (e.g., the Chernobyl virus)

11 Blended Threats
Advanced malicious software that combines the characteristics of viruses, worms, trojans and malicious scripts is sometimes called a “blended threat”
–It’s hard to know where to draw the line
Exploits one or many vulnerabilities in programs or the operating system
* Mick Douglas, PaulDotCom Podcast, https://twitter.com/#!/haxorthematrix/statuses/2421087772

12 Viruses: 4 phases
–Dormant phase: idle, waiting for some event
–Triggering phase: activated to perform some intended action
–Propagation phase: copies itself into other programs
–Execution phase: executes the payload

13 DOS boot sequence
ROM BIOS: locates the master boot sector
Master boot sector: partition table
DOS boot sector: executable code and FAT

14 DOS bootstrap virus
A bootstrap virus resides in one of the boot sectors
Becomes active before DOS is operational
Example: Stoned virus

15 How does a bootstrap virus take control?

16 Parasitic viruses
Overwriting virus
Appending virus

17 Companion viruses
Do not need to modify the original files
Create a new file with a specific name

18 Lifecycle of a virus
A virus gets created and released
The virus infects several machines
Samples are sent to anti-virus companies
A signature is recorded from the virus
The companies include the new signature in their database
Their scanners can now detect the virus

19 Virus hiding mechanisms
Encrypt the virus code with randomly generated keys
What happens if the boot area is encrypted?

20 Virus hiding mechanisms (2)
Polymorphism: randomly changes the encryption/decryption portion of a virus
–Change the key each time the virus starts
–Change the range of plaintext
–Change the location of the encryption subroutine
Countermeasure: scan in RAM (after self-decryption)

21 Virus hiding mechanisms (3)
Entry point changes
Random execution (JMP)

22 Macro viruses
Macro: an executable program embedded in a document to automate repetitive tasks (save keystrokes)
Application-dependent, e.g., MS Office
Cross the OS platform
Why do virus writers like macro viruses?
–Easy to learn
–Easy to write
–Popularity of MS Office

23 How a macro virus works
Every Word document is based on a template
When an existing or new document is opened, the template settings are applied first
A global template: NORMAL.DOT

24 Worms
Worm: self-replicating over networks, but not infecting programs and files
Examples: Morris worm, Blaster worm

25 The structure of worms
Target locator (find the target)
–E-mail address collector
–IP/port scanner
Warhead
–Break into remote machines
Propagation
–Automatically sending e-mails
–Automatically attacking remote hosts
Remote control and update
–Download updates from a web server
–Join an IRC channel
Lifecycle management
–Commit suicide
–Avoid repeatedly infecting the same host
Payload

26 State of worm technology
Multiplatform: Windows, Unix, Mac, …
Multi-exploit: web server, browser, e-mail, …
Ultrafast spreading: host/port scanning
Polymorphic: each copy has new code generated by equivalent instructions and encryption techniques
Metamorphic: different behavior patterns
Transport vehicles for the payloads (spread attacking tools and zombies)
Zero-day exploits: self-updating

27 Discussion
Is it a good idea to spread worms with system patches?

28 Trojans
A program with hidden side effects that are not specified in the program documentation and are not intended by the user executing the program

29 What a trojan can do
Remote administration trojans: attackers get complete control of a PC
Backdoor: steal data and files
Distributed attacks: zombie network
Password stealers: capture stored passwords
Audio/video capturing: control devices
Keyloggers: capture passwords as they are typed
Adware: pop-up advertisements
Logic bomb: only executed when a specific trigger condition is met

30 Be familiar with your PC
Startup programs/services
Frequently used IP ports
–20/21 FTP
–23 Telnet
–25 SMTP
–80 WWW
netstat
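As an added example (not part of the slides), the check this slide hints at, written out: parse a `netstat -an` listing, compare the listening ports against the "frequently used" ports the slide names, and flag anything else that is listening or any outbound connection to a port worth a second look. The netstat text, the expected-port policy and the watched remote ports are all constructed for this example; 6667 is included only because the lecture's worm-structure slide mentions IRC as a remote-control channel.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed `netstat -an` style output (Linux column layout); not captured
# from a real host. Addresses are from documentation ranges.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:52344      203.0.113.5:6667        ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

# The ports the slide lists as frequently used, plus SSH. This is an assumed
# policy for the example: everything else that listens needs an explanation.
EXPECTED_LISTENING = {20, 21, 22, 23, 25, 80}

# Remote ports to flag on outbound connections (assumption for the example;
# 6667 is IRC, which the worm-structure slide names as a control channel).
WATCHED_REMOTE_PORTS = {6667}


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """Split 'addr:port' on the last colon so IPv6 addresses also work."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Turn the fixed-column netstat listing into one dict per socket."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # header or blank line
        local_host, local_port = split_endpoint(fields[3])
        remote_host, remote_port = split_endpoint(fields[4])
        entries.append({
            "proto": fields[0],
            "local_host": local_host,
            "local_port": local_port,
            "remote_host": remote_host,
            "remote_port": remote_port,
            # UDP lines carry no State column
            "state": fields[5] if len(fields) > 5 else "",
        })
    return entries


def unexpected_listeners(entries: List[Dict[str, str]],
                         expected: Iterable[int] = EXPECTED_LISTENING) -> List[int]:
    """Listening TCP ports that are not in the expected set, sorted."""
    expected = set(expected)
    return sorted(int(e["local_port"]) for e in entries
                  if e["state"] == "LISTEN" and int(e["local_port"]) not in expected)


def watched_outbound(entries: List[Dict[str, str]],
                     watched: Iterable[int] = WATCHED_REMOTE_PORTS) -> List[Tuple[str, int]]:
    """Established connections whose remote port is on the watch list."""
    watched = set(watched)
    return [(e["remote_host"], int(e["remote_port"])) for e in entries
            if e["state"] == "ESTABLISHED" and e["remote_port"].isdigit()
            and int(e["remote_port"]) in watched]


if __name__ == "__main__":
    sockets = parse_netstat(SAMPLE_NETSTAT)
    print("unexpected listeners:", unexpected_listeners(sockets))
    print("watched outbound:", watched_outbound(sockets))
```

The point of keeping a written expected-port list is the slide's "be familiar with your PC": a new listener only stands out if you already know what the normal set looks like.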

31 Malware payloads
No payload
Payload without damage
–Only displays some information
Payload with little impact
–Modifies documents (Wazzu virus)
Payload with heavy impact
–Removes files, formats storage
–Encrypts data (blackmail)
–Destroys hardware (W95.CIH): rewrites the flash BIOS
DDoS attacks
Steal data for profit

32 Malware naming
CARO (Computer Antivirus Researchers Organization)
CARO naming convention (1991) ...
–e.g., cascade.1701.A
Platform prefix
–win32.nimda.A@mm
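As an added example (not from the slides or from CARO), a small parser for the two name layouts shown on this slide: `cascade.1701.A` (family, a numeric field, variant) and `win32.nimda.A@mm` (platform prefix, family, variant, `@mm` suffix for a mass-mailer). The platform list beyond `win32` and the reading of the numeric field as the infective length in bytes are assumptions made for this example.

```python
from typing import Dict, Optional

# Platform prefixes this parser recognises. The slide shows "win32"; the rest
# are common vendor-style prefixes added here as an assumption.
KNOWN_PLATFORMS = {"win32", "w32", "w95", "w97m", "wm", "linux", "boot"}


def parse_malware_name(name: str) -> Dict[str, Optional[str]]:
    """Split a CARO-style name into platform, family, length, variant, suffix.

    "cascade.1701.A"   -> family cascade, length 1701 (assumed: infective
                          length in bytes), variant A
    "win32.nimda.A@mm" -> platform win32, family nimda, variant A, suffix mm
    """
    body, _, suffix = name.partition("@")
    tokens = body.split(".")
    result: Dict[str, Optional[str]] = {
        "platform": None, "family": None, "length": None,
        "variant": None, "suffix": suffix or None,
    }
    if tokens and tokens[0].lower() in KNOWN_PLATFORMS:
        result["platform"] = tokens.pop(0)
    if tokens:
        result["family"] = tokens.pop(0)
    for tok in tokens:
        if tok.isdigit():
            result["length"] = tok      # numeric field
        else:
            result["variant"] = tok     # letter(s) distinguishing variants
    return result


def same_family(a: str, b: str) -> bool:
    """True when two names refer to the same family on the same platform,
    ignoring variant letters and suffixes (case-insensitive)."""
    pa, pb = parse_malware_name(a), parse_malware_name(b)
    return ((pa["platform"] or "").lower(), (pa["family"] or "").lower()) == \
           ((pb["platform"] or "").lower(), (pb["family"] or "").lower())


if __name__ == "__main__":
    for n in ("cascade.1701.A", "win32.nimda.A@mm", "W95.CIH"):
        print(n, "->", parse_malware_name(n))
    print(same_family("win32.nimda.A@mm", "Win32.Nimda.E@mm"))
```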

33 Malware defenses (1)
Detection: once the infection has occurred, determine that it has occurred and locate the virus
Identification: once detection has been achieved, identify the specific virus that has infected a program
Removal: once the specific virus has been identified, remove the virus from the infected program and restore it to its original state

34 Malware defenses (2)
First-generation scanners
–Virus signature (bit pattern)
–Maintain a record of the length of programs
Second-generation scanners
–Look for fragments of code (neglecting unnecessary code)
–Checksums of files (integrity checking)
Virus-specific detection algorithms
–Deciphering (W95.Mad, XOR encryption)
–Filtering
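As an added example (not part of the lecture), the three scanner techniques on this slide working on constructed data: a first-generation signature (bit-pattern) scan, second-generation integrity checking by file length and checksum, and the virus-specific "deciphering" step for an XOR-encrypted body, which is also the answer to the encryption hiding mechanism on slides 19 and 20. The signature bytes, the sample "program" and the one-byte key are all made up here and correspond to no real malware.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed signature database. The byte pattern is made up for this
# example and stands in for the "bit pattern" a first-generation scanner
# matches; it does not correspond to any real malware.
SIGNATURES: Dict[str, bytes] = {
    "Example.Demo.A": b"\x90\x90\xeb\x05\xde\xad\xbe\xef",
}

# Constructed sample files (not real programs):
#  - CLEAN is the original executable,
#  - INFECTED is the same file with the signature appended (an appending virus),
#  - ENCRYPTED is the same infection with its body XOR-ed by a one-byte key,
#    so the plain signature no longer appears in the file.
CLEAN = b"MZ" + b"Hello, clean program" + b"\x00" * 8
INFECTED = CLEAN + SIGNATURES["Example.Demo.A"]
DEMO_KEY = 0x5A
ENCRYPTED = CLEAN + bytes(b ^ DEMO_KEY for b in SIGNATURES["Example.Demo.A"])


def signature_scan(data: bytes) -> Optional[str]:
    """First-generation check: return the name of the first matching signature."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def xor_decipher_scan(data: bytes) -> Optional[Tuple[str, int]]:
    """Virus-specific deciphering for the slide's XOR case: try every one-byte
    key, decrypt the whole buffer and re-run the plain signature scan.
    Returns the signature name and the key that exposed it."""
    for key in range(1, 256):
        plain = bytes(b ^ key for b in data)
        hit = signature_scan(plain)
        if hit is not None:
            return hit, key
    return None


def build_baseline(files: Dict[str, bytes]) -> Dict[str, Tuple[int, str]]:
    """Second-generation integrity checking: record length and SHA-256 per
    file while the system is known to be clean."""
    return {path: (len(content), hashlib.sha256(content).hexdigest())
            for path, content in files.items()}


def integrity_check(baseline: Dict[str, Tuple[int, str]],
                    files: Dict[str, bytes]) -> List[str]:
    """Report files whose length or checksum no longer matches the baseline.
    This catches an appending infection even when no signature exists for it."""
    changed = []
    for path, content in files.items():
        expected = baseline.get(path)
        actual = (len(content), hashlib.sha256(content).hexdigest())
        if expected != actual:
            changed.append(path)
    return changed


if __name__ == "__main__":
    base = build_baseline({"prog.exe": CLEAN})
    print("signature on INFECTED:", signature_scan(INFECTED))
    print("signature on ENCRYPTED:", signature_scan(ENCRYPTED))
    print("deciphered ENCRYPTED:", xor_decipher_scan(ENCRYPTED))
    print("integrity changed:", integrity_check(base, {"prog.exe": ENCRYPTED}))
```

Note the division of labour: the plain signature scan misses the encrypted sample, the decipher pass recovers it for a fixed-key scheme, and the integrity check flags the file either way because its length and checksum changed, which is why the slide lists all three rather than one.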

35 Malware defenses (3)
Third-generation scanners
–Identify a virus by its actions
Fourth-generation scanners
–Include a variety of anti-virus techniques
Collection method
–Using honeypots

36 Malware in mobile phones
Mobile phones are computers with great connectivity
–Internet
–WLAN
–Bluetooth
–Regular phone network (SMS, MMS)
–RFID

37 In the future…
New spreading methods: e.g., RFID
Infected!

38 Questions?
