Presentation is loading. Please wait.

Presentation is loading. Please wait.

Malwares – Types & Defense Raghunathan Srinivasan Sept 25, 2007 CSE 466/598 Computer Systems Security.

Published byGloria Young Modified over 9 years ago

Similar presentations

Presentation on theme: "Malwares – Types & Defense Raghunathan Srinivasan Sept 25, 2007 CSE 466/598 Computer Systems Security."— Presentation transcript:

1 Malwares – Types & Defense Raghunathan Srinivasan Sept 25, 2007 CSE 466/598 Computer Systems Security

2 Malware  How to define malware? Over a broad sense, any malicious program  Types Viruses Trojans Rootkits Spyware

3 Virus  A program that can attach itself to another program Can replicate Encrypted  How to prevent them? Anti–virus???  How do they work No – real Answer

4 Types of Viruses [Evolution?]  Parasitic Viruses Also known as file infectors  Date / Logic bomb Michaelangelo, Sunday, Century  Macro Viruses Infect macro utility feature in word  Encrypted Virus cascade  Polymorphic Virus 1260  Stealth Virus

5 Encrypted Viruses  Viruses have certain patterns present in them Signatures  AV looks for these patterns in files  To avoid detection, the virus encrypts itself 1.Mov 2.Fetch 3.###$$$ 4.&&^^^^ Decryption engine Encrypted virus body

6 Encrypted virus  It is not possible to find out what the encrypted text is  So how to find if an encrypted entity is a virus? Look in previous slide  Next step – polymorphic viruses

7 Polymorphic  Can change form from infection to infection  There is a mutation engine present in the virus body  During run time – the virus loads the mutation engine  The ME changed the decryption routine  The virus changes form on every encryption Now the virus is difficult to spot

8 Detection  Creating random encryption – decryption routines is difficult See how many badly designed encryption algorithms are present  CSS  Hence encryption is weak, can be broken  Can this be reliable? No  Then what to do?

9 Detection  AV scanners use what is known as simulation  They create a virtual PC in the RAM  Load the program in the Virtual PC  The program executes, and shows its true behavior eventually You can read the following paper for further details  Understanding and Managing polymorphic viruses –  Google it, it’s a white paper by Symantec

10 A new trend in Virus  Viruses have become complex  Anti-Virus programs are running powerful engines game of cat and mouse  What further can virus writers do to prevent detection Go stealth  Install rootkits  Install portions of program in various other executables Disable detectors?

11 Disabling detectors  If you don’t have a defense mechanism, you cant escape infection  Kill all security processes Works, but a smart user can figure something Patch on the definitions Patch on the program policies  How does that help  Disable updates?

12 Examples of such viruses  SpamThru Locates existing AV in the machine Patches them to prevent updates Installs its own virus scanner  Why?  Beast Kills all existing security services Hooks on to winlogon.exe  What is winlogon.exe

13 Implications?  AV does not function  No method to detect the presence of viruses  How to solve this? Borrow some virus tricks Hide the AV Move the program code Hide files Hide Process name

14 Other Miscellaneous Malware  Worms Self replicating program Does not require host to replicate It uses the network to send copies of itself They use the bandwidth and harm the network  Viruses harm the computer (host)  Does worm not harm the PC? Not necessarily Worms for ATM’s  Slammer, Nachi

15 Trojan  USC Trojans?  People from the affair of Helen of Troy?  NO  Program that enters a system disguised as something else Never trust the gifts from Greeks (lesson learned from trojan war)  Trojan perhaps looks harmless Or useful  Allow installation Backdoors Rootkits

16  Term derived from UNIX account ‘root’  Patches on to host kernel libraries, routines  Place hooks on API’s, OS services, Routines, etc  A good rootkit cannot be detected Does the statement sound too strong?

17 Shadow Walker  Designed to deceive in signature scanners That is how Anti-Virus and most Rootkit detectors work  Hides its presence in the system  It hooks on to the page table entries & the page fault handler  It flushes the TLB No page can be accessed bypassing the page fault handler initially

18 Shadow Walker ….  So how does that help A scanner attempts to read a page A fault is generated This causes a fetch The rootkit ensures that the scanenr never gets any access to infected pages

19 BluePill  Rootkit designed for Vista running on AMD pacifica technology Has special mode for VM executions  Allocate memory for a process More than required What does this do?  Rootkit writes on the paged drivers  When the drivers are loaded back, you have infected drivers in memory  Allows Vista to be moved in guest environment  Rootkit becomes a hypervisor

20 Bluepill.. contd  So what happens due to that?  The Vista OS becomes the guest, and is completely under the control of the rootkit. Any scanner working from within the OS can never see the rootkit.  Why? An OS process cannot have access to the layer below the OS So if we placed something below the OS, the OS cannot find out about it.

21 Scenario 1 Hardware OS Kernel Applications Application level malware – easy/slightly difficult to detect kernel level malware – very difficult to detect

22 Scenario 2 Hardware OS Kernel Applications VMM layer malware Not possible to detect from within the OS. Requires Hardware detection

23 Solutions  VM based rootkit detectors  Hardware based rootkit detectors

24 VMM based detector  Type I VMM [XEN]  The VMM runs on top of the hardware.  Root of trust mechanism  VMM checks the privileged VM  The PVM checks the SM  SM checks the other VM’s

25 VMM  The VMM runs 1 Privileged VM(VM0), and many other guest VM’s  The VMM checks the VM0 over periods of time Ensures the kernel of VM0 is not tampered with  VM0 runs the SM It contains the integrity values of SM, to detect tampering

26 VMM detector - contd  The SM can access the states of all applications running on all the Guest VM’s  Guest VM’s run OS’s that run user applications  So what has this achieved? Layered Software

27 The Trusted VM  What has to be done to penetrate the VMM layer Attack the applications Attack the guest OS Attack the Guest VM Finally attack the VMM  SM detects these before the final step

28 VMM layer  Is a micro kernel What is a micro kernel  Answer: Best left to OS classes Hence not a general purpose OS Does not execute third party software Due to this, it is secure  Too strong a statement?  Ok, has fewer vulnerabilities (due to less code)  Has fewer loopholes to exploit  Does not suffer from infected third party drivers

29 What does the VMM do?  Isolation between programs in an Operating System’s is a very difficult process  Many researches on it, fairly inconclusive  VMM provides isolation between the Guest VM’s  VMM also allows us to sandbox an OS and monitor it

30 VM0  Monitors the SM  It can also allow and prevent other VM’s from accessing certain memory locations  It can protect sections in memory  It can prevent other VM’s from accessing some I/O devices Why is this important?

31 SM  Checks the VM  Provides secure communication to User Why is this important?  The SM has access to the state of registers, memory and instructions being executed by each Guest Vm This helps to monitor the GVM’s

32 SM - contd  Checks the integrity values of Guest OS’s during boot Allows detection of boot sector infections, rootkits Can this help us detect VM based rootkits?  Checks kernel integrity, OS text section, interrupt vectors, etc

33 Last step  Can a rootkit impersonate a user Yes, at least it will attempt to do so  So how can this be prevented? The last module Secure I/O device Do you see the answer to a question regarding I/O device access 3 slides back?

34 Secure I/O  Provides a trusted mode of communication between user and VMM  It should be a separate device Why? Why cant it be a software channel

35 Why do we need secure I/O  Are human validations really true What happens if this step is not followed  A viral program can trick the guest OS into sending a message that an update was performed  Allows changing of integrity values  The malware gets certified by the SM

36 Hardware detectors  Separate hardware device  Attached to the PCI slots  Can be attached in other places also  Some implementations involve placing a co-processor on the motherboard

37 Hardware detectors  This is also a root of trust device  The hardware device runs an OS  Its resources and state are not accessible by host CPU/HW  It is capable of accessing the host’s memory  It can halt a system if required

38 Heirachical checking  Each level stored the integrity values of the level above it  The SecCore contains the integrity values of certain critical sections of the kernel

39 SecCore  The critical sections of the kernel is responsible for checking the rest of the kernel  It is also responsible for checking the applications  The kernel is responsible for maintaining the integrity of the User level programs

40 Advantages  The Coprocessor does not have to attest the entire OS  Keeps load low  It stores information only about a small space  Memory requirements low  Most of the checking is offloaded to the Host CPU

41 Problems  Many integrity values reside inside the kernel  Can be infected  Solution? Sign them  Digital Signatures

42 Thanks

Download ppt "Malwares – Types & Defense Raghunathan Srinivasan Sept 25, 2007 CSE 466/598 Computer Systems Security."

Similar presentations

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
 Application software consists of programs designed to make users more productive and/or assist with personal tasks.  Growth of internet simplified.

 Application software consists of programs designed to make users more productive and/or assist with personal tasks.  Growth of internet simplified.
Dr. John P. Abraham Professor UTPA 2 – Systems Threats and Risks.

Dr. John P. Abraham Professor UTPA 2 – Systems Threats and Risks.
Chapter 3 (Part 1) Network Security

Chapter 3 (Part 1) Network Security
Students: Jacek Czeszewski and Marcos Verdini Rosa Professor: José Manuel Magalhães Cruz.

Students: Jacek Czeszewski and Marcos Verdini Rosa Professor: José Manuel Magalhães Cruz.
Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,

Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Chapter 9 Security 9.7 - 9.8 Malware Defenses. Malware Can be used for a form of blackmail. Example: Encrypts files on victim disk, then displays message.

Chapter 9 Security Malware Defenses. Malware Can be used for a form of blackmail. Example: Encrypts files on victim disk, then displays message.
Virtual Machine Monitors CSE451 Andrew Whitaker. Hardware Virtualization Running multiple operating systems on a single physical machine Examples:  VMWare,

Virtual Machine Monitors CSE451 Andrew Whitaker. Hardware Virtualization Running multiple operating systems on a single physical machine Examples:  VMWare,
Virtualization Technology Prof D M Dhamdhere CSE Department IIT Bombay Moving towards Virtualization… Department of Computer Science and Engineering, IIT.

Virtualization Technology Prof D M Dhamdhere CSE Department IIT Bombay Moving towards Virtualization… Department of Computer Science and Engineering, IIT.
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.

Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.
VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.

VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Chapter 15: Security (Part 1). The Security Problem Security must consider external environment of the system, and protect the system resources Intruders.

Chapter 15: Security (Part 1). The Security Problem Security must consider external environment of the system, and protect the system resources Intruders.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)

Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
Microkernels, virtualization, exokernels Tutorial 1 – CSC469.

Microkernels, virtualization, exokernels Tutorial 1 – CSC469.
The Utility Programs: The system programs which perform the general system support and maintenance tasks are known as utility programs. Tasks performed.

The Utility Programs: The system programs which perform the general system support and maintenance tasks are known as utility programs. Tasks performed.
CSCE 201 Attacks on Desktop Computers: Malicious Code Hardware attacks.

CSCE 201 Attacks on Desktop Computers: Malicious Code Hardware attacks.
Lecture 14 Overview. Program Flaws Taxonomy of flaws: – how (genesis) – when (time) – where (location) the flaw was introduced into the system 2 CS 450/650.

Lecture 14 Overview. Program Flaws Taxonomy of flaws: – how (genesis) – when (time) – where (location) the flaw was introduced into the system 2 CS 450/650.

Similar presentations

Ads by Google