
1 Why you should never use the internet

2 Overview
 The Situation
 Infiltration
 Characteristics
 Techniques
 Detection
 Prevention

3 The Situation: Shit Just Got Real
 The players and the game have changed
  Criminal organizations*
  Governments**
 Profit/politically driven
  Cyber weapons
  FBI vs Coreflood
 Professionally developed
  User manuals
  MaaS (Malware as a Service)
* may or may not be organized
** may or may not be criminals

4 Infiltration
 Legitimate (compromised) hosts
  Direct: WordPress hacked
  Indirect: advertisements
 Exploit packs
 Search Engine Optimization hacks
  Breaking news
  Celebrities (Snookie causes infections)
 Social
  Facebook, Twitter, etc.

5 Characteristics (the lines have blurred)
 Virus
 Trojan/Backdoor
 Rootkit
 Scam/Scareware/Ransomware
 Password stealers
 Worms

6 Techniques
 API Hooking
 Run-time Patching
 Boot sector modification
 Browser content replacement

7 API Hooking
 Allows malware to intercept Windows API calls
 Can be done in user or kernel space, but in kernel space it's much more powerful

8 API Hooking (diagram: a user-mode Program calls DeleteFile[A|W], which reaches NtDeleteFile/ZwDeleteFile in kernel mode through the System Service Descriptor Table, the SSDT)

9 API Hooking: Example (diagram: the same call path, with the SSDT entry for NtDeleteFile/ZwDeleteFile redirected to the rootkit's fakeDelete)

10 API Hooking
 Allows rootkits to do a lot of nasty things
  Hide processes/files
  Hide networking (to a degree)
  Basically take over your system
 Fairly straightforward to implement
 However, it is easy to detect

11 Run-time Patching
 Replaces API calls with your own by patching the API routine itself
 Can achieve the same goals as API hooking, but harder to detect

12 Run-time Patching: Example (diagram: the unmodified Target Code)

13 Run-time Patching: Example (diagram: a Detour Jump written over the start of the Target Code transfers control to the Malicious Code, which ends with a Jump Back into the target)

14 Run-time Patching
 Very tricky to implement
 Harder to detect
  You have to scan the memory space
  If the patch isn't permanent (only applied in memory), an offline analysis of the files on disk isn't very helpful
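Added example, not from the presentation: the memory scan slide 14 calls for, reduced to one check. It compares a routine's first bytes in memory against the on-disk copy, decodes a detour-style jump if one was written over the prologue (slide 13), and reports whether the jump leaves the owning module, which is the same "does this pointer land where it should" test that SSDT/IAT hook scanners apply. Module base, size, function address and all byte strings are constructed for the demo.

```python
import struct
from typing import Optional

# Hypothetical layout: the host DLL's load range, the API routine being checked and
# where the detour's "malicious code" lives. All values are constructed for the demo.
MODULE_BASE = 0x77D00000
MODULE_SIZE = 0x000F0000
FUNC_ADDR = 0x77D3A120
INJECT_ADDR = 0x02F00000

# On-disk prologue (mov edi,edi / push ebp / mov ebp,esp / sub esp,18h) and the same
# bytes as found in memory after a 5-byte "jmp rel32" was written over them.
DISK_PROLOGUE = bytes.fromhex("8bff558bec83ec18")
HOOKED_PROLOGUE = b"\xe9" + struct.pack("<i", INJECT_ADDR - (FUNC_ADDR + 5)) + DISK_PROLOGUE[5:]


def jump_target(code: bytes, at: int) -> Optional[int]:
    """Absolute destination if `code` (loaded at address `at`) starts with a detour-style jump."""
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        return (at + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32 ; ret
        return struct.unpack_from("<I", code, 1)[0]
    return None


def inspect_prologue(mem: bytes, disk: bytes, func_addr: int, base: int, size: int) -> dict:
    """Classify one routine: unmodified, detoured within its module, or detoured out of it.

    The OS itself hot-patches prologues, so a jump that stays inside the module is
    reported separately from one that leaves it; only the latter is a strong signal.
    """
    verdict = {"modified": mem != disk, "detour": False, "target": None, "outside_module": False}
    target = jump_target(mem, func_addr)
    if target is not None:
        verdict.update(detour=True, target=target,
                       outside_module=not (base <= target < base + size))
    return verdict


def scan(table, base, size):
    """table: (name, address, in-memory bytes, on-disk bytes). Returns names detoured out of the module."""
    return [name for name, addr, mem, disk in table
            if inspect_prologue(mem, disk, addr, base, size)["outside_module"]]


if __name__ == "__main__":
    # Constructed export table: one clean routine, one hooked one.
    exports = [("CreateFileW", FUNC_ADDR - 0x400, DISK_PROLOGUE, DISK_PROLOGUE),
               ("DeleteFileW", FUNC_ADDR, HOOKED_PROLOGUE, DISK_PROLOGUE)]
    print(scan(exports, MODULE_BASE, MODULE_SIZE))   # ['DeleteFileW']
```

On a live system the in-memory bytes come from reading the target process and the on-disk bytes from mapping the same DLL from disk and applying relocations; the comparison logic is unchanged.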

15 Boot Sector Modification
 Changes boot sector code to load an alternative boot loader
 This boot loader can change the way Windows boots, including disabling checks and protections
 Can be difficult to remove (and detect)

16 Browser Content Replacement
 Allows the malware to modify what you see and send in your web browser
 Can replace forms, POST data, POST locations, hide data...
 "View Source" does nothing: modifications are done in memory
 HTTPS is not relevant: the content is altered inside the browser, before it is encrypted or after it is decrypted

17 Browser Content Replacement: Zeus botnet
 From the user manual:
"Intercepting HTTP/HTTPS-requests from wininet.dll (Internet Explorer, Maxton, etc.), nspr4.dll (Mozilla Firefox) libraries:
1. Modification of the loaded pages content (HTTP-inject).
2. Transparent pages redirect (HTTP-fake).
3. Getting out of the page content the right pieces of data (for example the bank account balance).
4. Temporary blocking HTTP-injects and HTTP-fakes.
5. Temporary blocking access to a certain URL.
6. Blocking logging requests for specific URL.
7. Forcing logging of all GET requests for specific URL.
8. Creating a snapshot of the screen around the mouse cursor during the click of buttons.
9. Getting session cookies and blocking user access to specific URL."

18 Detection
 AV (losing the race)
 Monitor outbound communications
  TCPView
  Netstat
  Border monitoring
   Outbound watching
   IDS (Snort)
 Sysinternals
  TCPView
  Procmon
  RootkitRevealer
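Added example, not from the presentation: the "outbound watching" step of slide 18 done over netstat output. It parses rows in the layout of `netstat -ano`, drops peers on local networks, and reports established connections owned by a process that has no business talking to the Internet. The sample rows, the PID-to-image map and the list of expected Internet-facing processes are all constructed for the demo, with RFC 5737 documentation addresses standing in for external hosts.

```python
import ipaddress
import re

# Constructed sample in the layout of `netstat -ano` on Windows.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.1.20:49712     192.168.1.1:443        ESTABLISHED     2216
  TCP    192.168.1.20:49720     198.51.100.17:6667     ESTABLISHED     3540
  TCP    192.168.1.20:49733     203.0.113.9:443        ESTABLISHED     1188
  TCP    192.168.1.20:49740     203.0.113.40:8080      ESTABLISHED     4412
  UDP    0.0.0.0:5355           *:*                                    1024
"""
# Constructed PID -> image name map, as tasklist or Process Explorer would show it.
PROCESSES = {812: "svchost.exe", 2216: "chrome.exe", 3540: "svchost.exe",
             1188: "firefox.exe", 4412: "winlogon.exe", 1024: "svchost.exe"}
# Images expected to open Internet connections on this machine (demo assumption).
EXPECTED_OUTBOUND = {"chrome.exe", "firefox.exe"}

LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Turn netstat -ano rows into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state or "", "pid": int(pid)})
    return rows


def is_local(host):
    """True for RFC 1918, loopback and link-local peers; anything else is beyond the border."""
    try:
        return any(ipaddress.ip_address(host) in net for net in LOCAL_NETS)
    except ValueError:          # '*' or a hostname: treat as not local
        return False


def suspicious_outbound(text, processes, expected):
    """Established TCP sessions to non-local peers owned by a process not expected to have any."""
    findings = []
    for r in parse_netstat(text):
        if r["proto"] != "TCP" or r["state"] != "ESTABLISHED":
            continue
        host, _, port = r["foreign"].rpartition(":")
        image = processes.get(r["pid"], "<unknown>")
        if not is_local(host) and image not in expected:
            findings.append((r["pid"], image, host, int(port)))
    return findings
```

Running `suspicious_outbound(NETSTAT_SAMPLE, PROCESSES, EXPECTED_OUTBOUND)` flags the svchost.exe session on port 6667 and the winlogon.exe session on 8080; the browsers' sessions and the LAN connection are left alone.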

19 Detection: GMER
 Rootkit detector
 Detects:
  Hidden processes, hidden files, hidden DLLs, hidden registry keys, hidden*
  SSDT, IAT, EAT hooks
  MBR modification
  Suspicious drivers
  ...lots more

20 Detection: GMER (screenshot)

21 Prevention
 Update software (not just Windows)
 Windows 7 (x64)
 EMET
 Uninstall Adobe Reader
 Chrome/Firefox
 VMs/Linux/OSX

22 Further Information
 Blogs
  F-Secure: http://www.f-secure.com/weblog/
  Sophos: http://nakedsecurity.sophos.com/
  Inreverse: http://www.inreverse.net/
 Online tools
  VirusTotal: http://www.virustotal.com/
  Anubis: http://anubis.iseclab.org/
 Samples
  Malware Domain List: http://www.malwaredomainlist.com/
  Offensive Security: http://www.offensivecomputing.net/

23 LayerOne
 Hacker con at the Anaheim Marriott
 May 28-29
 Hardware hacking, lockpicking, contests
 $100 online, $140 at the door

24 References
 2010 Websense Threat Report: http://www.websense.com/content/threat-report-2010-introduction.aspx?cmpid=prblog
 Verizon 2011 Data Breach Investigations Report: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf?&src=/worldwide/resources/index.xml&id=
 Microsoft Security Intelligence Report v10: http://www.microsoft.com/security/sir/
 Book: "The Rootkit Arsenal", by Reverend Bill Blunden
 Book: "Malware Analyst's Cookbook", by M. Ligh, S. Adair, B. Hartstein, M. Richard
 Book: "Reversing: Secrets of Reverse Engineering", by Eldad Eilam
 MSDN Documentation: http://msdn.microsoft.com/en-us/library/default.aspx

25 Questions? seanbmcallister@gmail.com
