Presentation is loading. Please wait.

Presentation is loading. Please wait.

Announcement r Midterm 11/14, recitation 11/11 afternoon r Homework 3 out, due 11/10 midnight r Solutions of homework 1 and 2 will be emailed to you after.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Announcement r Midterm 11/14, recitation 11/11 afternoon r Homework 3 out, due 11/10 midnight r Solutions of homework 1 and 2 will be emailed to you after."— Presentation transcript:

1 Announcement r Midterm 11/14, recitation 11/11 afternoon r Homework 3 out, due 11/10 midnight r Solutions of homework 1 and 2 will be emailed to you after all homework are graded r Feedback form at the end of class

2 Outlines r Mobile malcode Overview r Viruses r Worms r Denial of Services Attack

3 Mobile Malcode Overview r Malicious programs which spread from machine to machine without the consent of the owners/operators/users m Windows Automatic Update is (effectively) consensual r Many strains possible m Viruses m Worms m Compromised Auto-updates No user action required, very dangerous

4 Malicious Software

5 Trapdoors (Back doors) r Secret entry point into a program r Allows those who know access bypassing usual security procedures r Have been commonly used by developers r A threat when left in production programs allowing exploited by attackers r Very hard to block in O/S r Requires good s/w development & update

6 Logic Bomb r one of oldest types of malicious software r code embedded in legitimate program r activated when specified conditions met m eg presence/absence of some file m particular date/time m particular user m particular series of keystrokes r when triggered typically damage system m modify/delete files/disks

7 Trojan Horse r Programs that appear to have one function but actually perform another.  Modern Trojan Horse: resemble a program that the user wishes to run - usually superficially attractive m eg game, s/w upgrade etc r When run performs some additional tasks m allows attacker to indirectly gain access they do not have directly r Often used to propagate a virus/worm or install a backdoor r Or simply to destroy data

8 Zombie r program which secretly takes over another networked computer r then uses it to indirectly launch attacks r often used to launch distributed denial of service (DDoS) attacks r exploits known flaws in network systems

9 Outlines r Mobile malcode Overview r Viruses r Worms r Denial of Services Attacks

10 Viruses r Definition from RFC 1135: A virus is a piece of code that inserts itself into a host, including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it. r On execution m Search for valid target files Usually executable files Often only infect uninfected files m Insert a copy into targeted files When the target is executed, the virus starts running r Only spread when contaminated files are moved from machine to machine r Mature defenses available

11 r 1988: Less than 10 known viruses r 1990: New virus found every day r 1993: 10-30 new viruses per week r 1999: 45,000 viruses and variants Source: McAfee

12 Virus Operation r virus phases: m dormant – waiting on trigger event m propagation – replicating to programs/disks m triggering – by event to execute payload m execution – of payload r details usually machine/OS specific m exploiting features/weaknesses

13 Anatomy of a Virus r Two primary components m Propagation mechanism m Payload r Propagation m Method by which the virus spreads itself. m Old days: single PC, transferred to other hosts by ways of floppy diskettes. m Nowadays: Internet.

14 Structure of A Virus Virus() { infectExecutable(); if (triggered()) { doDamage(); } jump to main of infected program; } void infectExecutable() { file = choose an uninfected executable file; prepend V to file; } void doDamage() {... } int triggered() { return (some test? 1 : 0); }

15 Virus Infectables r Executable files:.com,.exe,.bat r Macros m With macro languages the line between pure data files and executable files is blurring m An infected file might be attached to an E-mail m E-mail programs may use other programs (e.g., word) with macros to display incoming mail r System sector viruses m Infect control sectors on a disk DOS boot sectors Partition (MBR) sectors m System sector viruses spread easily via floppy disk infections

16 Virus Infectables (cont’d) r Companion viruses m Create a.com files for each.exe files m DOS runs COM files before EXE files m Relatively easy to find and eliminate r Cluster viruses m Change the DOS directory info so that directory entries point to the virus code instead of the real program m Even though every program on the disk may be "infected“, there is only one copy of the virus on the disk

17 Variable Viruses r Polymorphic viruses m Change with each infection Executables virus code changing (macros: var name, line spacing, etc.) Control flow permutations (rearrange code with goto’s) m Attempt to defeat scanners r Virus writing tool kits have been created to "simplify" creation of new viruses m Current tool kits create viruses that can be detected easily with existing scanner technology m But just a matter of time …

18 Virus Detection/Evasion r Look for changes in size r Check time stamp on file r Look for bad behavior m False alarm prone r Look for patterns (byte streams) in virus code that are unique r Look for changes in file checksum r Compression of virus and target code r Modify time stamp to original r Do bad thing insidiously r Change patterns – polymorphism r Rearrange data in the file r Disable anti-virus programs

19 More on Virus Detection r Scanning m Depend on prior knowledge of a virus m Check programs before execution m Need to be regularly updated r Integrity Checking m Read entire disk and record integrity data that acts as a signature for the files and system sectors m Use cryptographic computation technique instead of simple checksum

20 More on Virus Detection r Interception m Monitoring for system-level routines that perform destructive acts m Good for detecting logic bomb and Trojan horse m Cannot depend entirely upon behavior monitors as they are easily bypassed. r Combination of all three techniques can detect most viruses

21 Virus Recovery r Extricate the virus from the infected file to leave the original behind r Remove the redirection to the virus code r Recover the file from backup r Delete the files and move on with life

22 Outlines r Mobile malcode Overview r Viruses r Worms r Denial of Services Attacks

23 Worms r Autonomous, active code that can replicate to remote hosts without any triggering m Replicating but not infecting program r Because they propagate autonomously, they can spread much more quickly than viruses! r Speed and general lack of user interaction make them the most significant threats

24 + Attacker Target Discovery Carrier Activation Payload Worm Overview

25 Target Discovery Port Scanning Sequential: working through an address block Random Target Lists Externally generated through Meta servers Internal target list Passive worms

26 External Target Lists: Metaserver Worms r Many systems use a "metaserver", a server for information about other servers m Games: Use as a matchmaker for local servers m Google: Query google to find web servers m Windows Active Directory: Maintains the "Network Neighborhood" r Worm can leverage these services m Construct a query to find new targets m Each new victim also constructs queries Creates a divide-and-conquer infection strategy r Original strategy, not yet seen Metaserver Server

27 How Fast Are Metaserver Worms? r Game Metaserver: Use to attack a small population (eg, all Half-Life servers) m ~1 minute to infect all targets r Google: Use to enhance a scanning web worm m Each worm conducts initial queries to find URLs

28 Internal Target Lists: Topological Information r Look for local information to find new targets m URLs on disk and in caches m Mail addresses m.ssh/known_hosts r Ubiquitous in mail worms m More recent mail worms are more aggressive at finding new addresses r Basis of the Morris worm m Address space was too sparse for scanning to work

29 How Fast are Topological Worms? r Depends on the topology G = (V, E) m Vulnerable machines are vertices, edges are local information m Time to infect is a function of the shortest paths from the initial point of infection r Power law or similar graph (KaZaA) m Depends greatly on the parameters, but generally very, VERY fast

30 Passive Worms r Wait for information about other targets m CRclean, an anti-CodeRed II worm Wait for Code Red, respond with counterattack m Nimda: Infect vulnerable IE versions with Trojan web-page r Speed is highly variable m Depends on normal communication traffic r Very high stealth m Have to detect the act of infection, not target selection

31 Carrier Self-Carried active transmission Second Channel e.g. blaster worm use RPC to exploit, but use TFTP to download the whole virus body Embedded e.g. web requests

32 Activation

33 r Human Activation m Needs social engineering, especially for email worms Melissa – “Attached is an important message for you!” Iloveyou – “Open this message to see who loves you!” r Human activity-based activation m E.g. logging in, rebooting (Nimda’s secondary propagation) r Scheduled process activation m E.g. updates, backup etc. r Self Activation m E.g. Code Red exploit the IIS web servers

34

35

36

37 Payload

38 Payloads r None/nonfunctional m Most common m Still can have significant effects through traffic and machine load (e.g., Morris worm) r Internet Remote Control m Code Red II open backdoor on victim machines: anyone with a web browser can execute arbitrary code r Internet Denial of Service (DOS) m E.g., Code Red, Yaha r Data Collection r Data Damage: Chernobyl, Klez r Worm maintenance

39 Attacker Experimental Curiosity Pride and Power Commercial Advantage Extortion and criminal gain Terrorism Cyber Warfare

40 Some Major Worms WormYearStrategyVictimsOther Notes Morris1988 Topological6000First major autonomous worm. Attacked multiple vulnerabilities. Code Red2001 Scanning~300,000First recent "fast" worm, 2 nd wave infected 360,000 servers in 14 hours CRClean2001 PassivenoneUnreleased Anti-Code-Red worm. Nimda2001 Scanning IIS, Code Red 2 backdoor, etc ~200,000Local subnet scanning. Effective mix of techniques Scalper2002 Scanning<10,000Released 10 days after vulnerability revealed Slammer2003 Scanning>75,000Spread worldwide in 10 minutes

41 The Spread of the Sapphire/Slammer SQL Worm

42 How Fast was Slammer? r Infected ~75,000 machines in 10 minutes r Full scanning rate in ~3 minutes m >55 Million IPs/s r Initial doubling rate was about every 8.5 seconds

43 Why Was Sapphire Fast: A Bandwidth-Limited Scanner r Code Red's scanner is latency-limited m In many threads: send SYN to random address, wait for response or timeout m Code Red  ~6 scans/second, population doubles about every 40 minutes r Every Sapphire copy sent infectious packets at maximum rate m 1 Mb upload bandwidth  280 scans/second m 100 Mb upload bandwidth  28,000 scans/second r Any reasonably small TCP worm can spread like Sapphire m Needs to construct SYNs at line rate, receive ACKs in a separate thread

44 Outlines r Mobile malcode Overview r Viruses r Worms r Denial of Service Attacks

45 Denial of Service Attacks r Definition r Point-to-point network denial of service m Smurf r Distributed denial of service attacks m Trin00, TFN, Stacheldraht, TFN2K

46 Denial of Service Attack Definition r An explicit attempt by attackers to prevent legitimate users of a service from using that service r Threat model – taxonomy from CERT m Consumption of network connectivity and/or bandwidth m Consumption of other resources, e.g. queue, CPU m Destruction or alternation of configuration information Malformed packets confusing an application, cause it to freeze m Physical destruction or alternation of network components

47 Status r DoS attacks increasing in frequency, severity and sophistication m 32% respondents detected DoS attacks (1999 CSI/FBI survey) m Yahoo, Amazon, eBay and MicroSoft DDoS attacked m About 4,000 attacks per week in 2000 m Internet's root DNS servers (9 out of 13) attacked on Oct 2002

48 Two General Classes of Attacks r Flooding Attacks m Point-to-point attacks: TCP/UDP/ICMP flooding, Smurf attacks m Distributed attacks: hierarchical structures r Corruption Attacks m Application/service specific

49 Smurf DoS Attack r Send ping request to brdcst addr (ICMP Echo Req) r Lots of responses: m Every host on target network generates a ping reply (ICMP Echo Reply) to victim m Ping reply stream can overload victim Prevention: reject external packets to brdcst address. gateway DoS Source DoS Target 1 ICMP Echo Req Src: Dos Target Dest: brdct addr 3 ICMP Echo Reply Dest: Dos Target

50 DDOS Handler Agent Victim Unidirectional commands Attack traffic Coordinating communication BadGuy Handler

51 Attack using Trin00 r In August 1999, network of > 2,200 systems took University of Minnesota offline for 3 days m scan for known vulnerabilities, then attack with UDP traffic m once host compromised, script the installation of the DDoS master agents r According to the incident report m Took about 3 seconds to get root access m In 4 hours, set up > 2,200 agents

52 Can you find source of attack? r Hard to find BadGuy m Originator of attack compromised the handlers m Originator not active when DDOS attack occurs r Can try to find agents m Source IP address in packets is not reliable m Need to examine traffic at many points, modify traffic, or modify routers

53 Backup Slides

54 Internet checksum Sender: r treat segment contents as sequence of 16-bit integers r checksum: addition (1’s complement sum) of segment contents r sender puts checksum value into UDP checksum field Receiver: r compute checksum of received segment r check if computed checksum equals checksum field value: m NO - error detected m YES - no error detected. But maybe errors nonetheless? More later …. Goal: detect “errors” (e.g., flipped bits) in transmitted segment (note: used at transport layer only)

55 Fred Cohen’s Work: 1983 r First documented work with viruses m Cohen’s PhD advisor, Leo Adelman, coined the term “virus” m Virus: “a program that can infect other programs by modifying them to include a … version of itself” m Viruses can quickly (~30 min) spread through a networked file system r Dissertation (1986) conclusion: "universal" detection of a virus is undecidable m No 100% guaranteed detection for virus/worm

56 Early Mail Virus: Happy99 (1999) r One of the earliest viruses that propagated automatically when an infected attachment is executed r Did not infect files, only email user accounts r Email sent from infected person to others in address book (novelty at the time)

57 Morris Worm r best known classic worm r released by Robert Morris in 1988 r targeted Unix systems r using several propagation techniques m simple password cracking of local pw file m exploit bug in finger daemon m exploit debug trapdoor in sendmail daemon r if any attack succeeds then replicated self

58 History of Viruses

59 First Wild Viruses Apple I/II/III: 1981 r Three viruses for the Apple machines emerged in 1981 m Boot sector viruses r Floppies of that time had the disk operating system (DOS) on them by default m Wrote it without malice

60 First PC Virus: Pakistani Brain Virus (1986) r Written by Pakistani brothers to protect their copyright m Claim: infect only machines that had an unlicensed copy of their software m Boot sector m Printed “Welcome to the Dungeon (c) 1986 Basit * Amjad (pvt) Ltd. BRAIN COMPUTER SERVICES 730 NIZAB BLOCK ALLAMA IQBAL TOWN LAHORE-PAKISTAN PHONE :430791,443248,280530. Beware of this VIRUS.... Contact us for vaccination............. !!"

61 Destructive Virus: Chernobyl (1998) r Designed to inflict harm m Flash BIOS: would cause permanent hardware damage to vulnerable motherboards m Also overwrote first 2K sectors of each disk Typically resulted in a loss of data and made it unbootable r Previously believed that being benign was necessary for virus longevity m Chernobyl provided evidence to the contrary

62 Early Macro Virus: Melissa (1999) r Microsoft Word 97 Macro virus r Target first 50 entries in Outlook’s address book r Adjusted subject “Important messages from ______” r Points to attachment as a document requested m Contains a list of porn sites r Macro security was greatly increased with Melissa

Download ppt "Announcement r Midterm 11/14, recitation 11/11 afternoon r Homework 3 out, due 11/10 midnight r Solutions of homework 1 and 2 will be emailed to you after."

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Lecture: Malicious Code CIS 3360 Ratan K. Guha. Malicious Code2 Overview and Reading Assignments Defining malicious logic Types Action by Viruses Reading.

Lecture: Malicious Code CIS 3360 Ratan K. Guha. Malicious Code2 Overview and Reading Assignments Defining malicious logic Types Action by Viruses Reading.
Cryptography and Network Security Chapter 19 Fourth Edition by William Stallings.

Cryptography and Network Security Chapter 19 Fourth Edition by William Stallings.
Cryptography and Network Security Malicious Software Third Edition by William Stallings Lecturer: Dr. Saleem Alzoubi.

Cryptography and Network Security Malicious Software Third Edition by William Stallings Lecturer: Dr. Saleem Alzoubi.
Outline Definition Point-to-point network denial of service

Outline Definition Point-to-point network denial of service
1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Outlines Mobile malcode Overview Viruses Worms.

Outlines Mobile malcode Overview Viruses Worms.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Outlines r Mobile malcode Overview r Viruses r Worms.

Outlines r Mobile malcode Overview r Viruses r Worms.
A Taxonomy of Computer Worms Ashish Gupta Network Security April 2004.

A Taxonomy of Computer Worms Ashish Gupta Network Security April 2004.
Announcement r Project dates adjusted (correct those on the syllabus handed out last time) r Sign-up for the paper presentation at the end of next week.

Announcement r Project dates adjusted (correct those on the syllabus handed out last time) r Sign-up for the paper presentation at the end of next week.
Outlines r Mobile malcode Overview r Viruses r Worms.

Outlines r Mobile malcode Overview r Viruses r Worms.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Denial of Service Attacks: Methods, Tools, and Defenses Authors: Milutinovic, Veljko, Savic, Milan, Milic, Bratislav,

Denial of Service Attacks: Methods, Tools, and Defenses Authors: Milutinovic, Veljko, Savic, Milan, Milic, Bratislav,
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
Malicious Software Malicious Software Han Zhang & Ruochen Sun.

Malicious Software Malicious Software Han Zhang & Ruochen Sun.
1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 Malicious Software.

1 Ola Flygt Växjö University, Sweden Malicious Software.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

Similar presentations

Ads by Google