Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright 2000-12 1 COMP 3410 – I.T. in Electronic Commerce eSecurity Malware and Other Attacks Roger Clarke Xamax Consultancy, Canberra Visiting Professor,

Published byDiego Padilla Modified over 11 years ago

Similar presentations

Presentation on theme: "Copyright 2000-12 1 COMP 3410 – I.T. in Electronic Commerce eSecurity Malware and Other Attacks Roger Clarke Xamax Consultancy, Canberra Visiting Professor,"— Presentation transcript:

1 Copyright 2000-12 1 COMP 3410 – I.T. in Electronic Commerce eSecurity Malware and Other Attacks Roger Clarke Xamax Consultancy, Canberra Visiting Professor, A.N.U. and U.N.S.W. http://www.rogerclarke.com/EC/... ETS2 {.html,.ppt} ANU RSCS, 15 October 2012

2 Copyright 2000-12 2 MalContent Spam Email-Attachments (e.g. pornography) Downloads over the Web and P2P (e.g. ads)... How Much Illegal Porn is on Your Personal DeVices? How can you know? How did it get there?

3 Copyright 2000-12 3 MalContent Spam Email-Attachments Downloads over the Web and P2P (e.g. ads)...

4 Copyright 2000-12 4 MalContent Spam Email-Attachments Downloads over the Web and P2P (e.g. ads)... How Much Illegal Porn is on Your Personal DeVices?

5 Copyright 2000-12 5 MalContent Spam Email-Attachments Downloads over the Web and P2P (e.g. ads)... How Much Illegal Porn is on Your Personal DeVices?

6 Copyright 2000-12 6 MalContent Spam Email-Attachments Downloads over the Web and P2P (e.g. ads)... How Much Illegal Porn is on Your Personal DeVices? How can you know?

7 Copyright 2000-12 7 MalBehaviour Many categories, including Flaming, Incitement, 'Trolling',... 'Social Engineering' Enveigling users into harmful actions 'Phishing', esp. for authenticators Download of 'free anti-virus software'

8 Copyright 2000-12 8 Social Engineering Phishing Sending people {e-mail, IM,...} messages, in order to lure them into divulging sensitive data The data sought is commonly passwords, and credit-card details The sender commonly assumes the identity of a 'trusted organisation', e.g. a finl institution The data is commonly keyed into a web-form that purports to be provided by the trusted orgn

9 Copyright 2000-12 9 MalWare, Informally MalContent in the form of software Software that does harm Recognisable in retrospect as early as 1971 The term 'virus' was borrowed from biology in 1983 Transferred by floppy disk: initially among Apple micros in 1981 major infections on 'IBM PCs' from the late 1980s Network transmission dominant since the mid-1990s

10 Copyright 2000-12 10 Challenges in Defining Malware Form: program, program-fragment, or pgm-feature Dependence: hardware, system software, or app Code: executable, or interpreter-dependent Execution: conscious, implied, or auto-invoked Storage: locally stored, or executed without storage Operation: invoked or latent Harm: harm, or no harm Category: type(s) of harm caused Sufferer:who or what the harm is caused to Intention: harmful intent ('malicious'), accidental harm ('malprogrammed') or beneficial intent

11 Copyright 2000-12 11 Malware, More Formally Software, or a software component or feature, that is capable of being Invoked on a device and that on invocation, has an Effect that is: Unintended by the person responsible for the device; and Potentially Harmful to an interest of that or some other person

12 Copyright 2000-12 12 Conventional IT Security Model

13 Copyright 2000-12 13 Malware from the Viewpoint of the Conventional IT Security Model Malware external to a device is a Threat An attempt to migrate it to a device is an Attack An Attack depends on existing Vulnerabilities Malware internal to a device as a result of a successful Attack is a new Vulnerability Once invoked, installed Malware may: do Harm create additional Vulnerabilities

14 Copyright 2000-12 14 2.Categorisation of Malware Malware (1) uses a 'Vector' (2) to deliver a 'Payload' which performs (3) a function that is 'Invoked' by some means...... and is harmful to some party

15 Copyright 2000-12 15 Criterion 1 – Vector The means whereby undesired content reaches a device The alternatives, viewed broadly: Unit Storage Proliferation: Copying from portable storage that is directly-connected to the device (diskette, CD, DVD, solid-state electronic 'drive') Network Transmission: Transmission or download from another device on a local area network, or from a device on a remote network

16 Copyright 2000-12 16 Network Vectors – 1 File Transfer (FTP get or put) Email-Attached Executable (push): default auto-invocation remote settings-change to auto-invocation manual settings-change to auto-invocation manual invocation Social Engineering using an email-message, chat/IM, bulletin-board, Web-pages or P2P, to enveigle a user into downloading a file (pull) The Web and P2P, using a variety of features...

17 Copyright 2000-12 17 Network Vectors – 2 The Ever-Extending MalWeb Features of HTTP (e.g. additional Methods, esp. the Microsoft invention 'XMLHttpRequest') Features of HTML Features of Javascript Server-side capabilities Increased server-side power over browsers The Result: File-download to the user device, based on a user-performed trigger, but without an intentional request or an informed response to a request

18 Copyright 2000-12 18 Network Vectors – 3 Host Control over Remote Devices 'Drive-By Downloads' ActiveX Controls within.NET Absence of a Sandbox Unsafeguarded Computing Resources Adobe Flash, MS Silverlight Features AJAX, Reverse AJAX, Comet HTML5 Server-Sent Events, WebSockets

19 Copyright 2000-12 19 Criterion 2 – Payload The carriage capacity of aircraft (1930s) The content of a communication (1970s) The active code delivered to the target device in order to perform some function or functions The scope may extend to functions ancillary to the ultimate purpose, e.g. means of obscuring the existence or operation of the malware

20 Copyright 2000-12 20 Categories of Payload Operations on Data: Data Creation (entries in control files) Data Deletion or Directory-Entry Deletion Data Modification (security-settings, parameter- settings, port-settings) Data Capture (spyware), generally surreptitious, e.g. Keystroke Logging, Adware Data Disclosure S'ware Installation or Mod, to: Establish a 'Backdoor', for remote control Install a 'Rootkit', to obscure malware ops Upgrade malware payload Undermine anti-malware software The Downloading of Files, e.g. Large malware apps Adapted malware payload Detection of a triggering event

21 Copyright 2000-12 21 Trojan Vector-Based Interpretation: Malware that reaches a device by means of an intentional act by an authorised user, as a result of a social engineering exploit Payload-Based Interpretation: Malware with unexpected functionality that facilitates unauthorised remote access to the device Preferred Usages: A Trojan is any malware whose vector is an intentional act by an authorised user, as a result of a social engineering exploit that involves convincing the user that the software is beneficial A Backdoor Trojan is a Trojan whose payload is a means of facilitating remote access to the device

22 Copyright 2000-12 22 Criterion 3 – Invocation The causing of the code to run in the target device Various categories of code: native to the instruction-set of the target device in a form that requires a compiler, an interpreter or a run-time interpreter embedded, such as macros within word processing and spreadsheet documents System software may include safeguards against unauthorised invocation of programs, e.g. permissions limitations. Malware seeks to circumvent or subvert such safeguards

23 Copyright 2000-12 23 Forms of Invocation – 1. Human Triggered An Authorised User's explicit, intentional action: Directly acting on the device Remotely, through a user-account An Authorised User's implicit, unintentional action: Invocation of a macro, by opening a document A request from a web-browser which triggers a 'website application attack' An act by someone other than an Authorised User: Directly acting on the device Remotely, through a user-account Remotely, using a 'bot'

24 Copyright 2000-12 24 Forms of Invocation – 2. Auto-Triggered Automated Invocation of Stored Software e.g. inclusion in the list of start-up routines e.g. timed action, as for 'run the backups at midnight' Auto-Download and Immediate Invocation e.g. system software version updates and patches e.g. protection software updates and virus signatures Pushing of Malware by a Remote Device taking advantage of existing device vulnerabilities

25 Copyright 2000-12 25 Web-Site Application Attack An Important Special Case of an Authorised User's implicit and unintentional action A web-browser request triggers the delivery of malware to the device running the web-browser: with delivery directly by the web-server; OR with indirect delivery, through invocation by the web-server of a component from another site In each case, the delivery may arise: by intent of the web-server manager; OR through a connivance by another party

26 Copyright 2000-12 26 Malware Persistence Briefly memory-resident and then terminates Memory-resident and active Memory-resident but dormant, pending some trigger Such software is commonly referred to as a 'daemon', or in Microsoft environments a 'Windows service' Memory-resident malware can perform functions that a load-and-run program cannot e.g. to take advantage of ephemeral data, or a communications channel that is only open briefly

27 Copyright 2000-12 27 Categories of Malware Definitions at the Back End of the Slide-Set Virus Worm Spyware Backdoor / Trapdoor Remote Admin Tool Rootkit Drive-by-Download Exploit Bug Social Engineering Phishing 'Incitement to Download'

28 Copyright 2000-12 28 Bot / Robot / Agent Positive Use of the Terms Software that interacts with other software or human users as though it were a human, and in some sense at least on behalf of a human Web crawler or spider Re enquiries / requests / incident reports Auto-acknowledgement Auto-response Online Games Automated Trading

29 Copyright 2000-12 29 Bots, Zombies and Botnets A Bot is any malware that is capable of being invoked remotely in order to perform a particular function Typical functions include emailing spam and distributed denial of service (DDOS) attacks A Zombie is any device on which a bot is installed A Botnet is a set of devices on which bots are installed A Botnet Master or Botnet Herder is any person who can exercise control over a botnet

30 Copyright 2000-12 30 3.Safeguards Against Malware

31 Copyright 2000-12 31 An Architecture for IT Security Safeguards External Security Internal Security Perimeter Security

32 Copyright 2000-12 32 3.Safeguards Against Malware Perimeter Security Anti-Malware Software i.e. Anti-Virus Software, extended Applied to: all inbound network traffic all newly-mounted storage volumes the storage of all newly-mounted devices

33 Copyright 2000-12 33 3.Safeguards Against Malware Internal Security Threat Scanning Anti-Malware Software Applied to all storage, to cater for: Newly-recognised malware Malware that slipped through Perimeter Defences Malware that went around the Perimeter Defences Vulnerability Scanning Periodically (but frequently) on all storage

34 Copyright 2000-12 34 4.Attacks and Safeguards Hacking?? / 'Break-in'? / Cracking? To computer services or computer-storage MalActions taken after a Break-in, incl.: Defacing of web-pages Data Access, e.g. credit-card details 'Denial of Service' Attack (DoS), usually Distributed Denial of Service (DDoS) Attack

35 Copyright 2000-12 35 Attacks by Whom, and Why? Principals Opportunists Hacktivists Vigilantes Organised Crime Corporations Nation-States Agents Mercenaries Motivations Politics Protest against action Retaliation / Revenge Espionage Economics Financial Gain Financial Harm Social/Cultural Factors Challenge Dispute Celebration

36 Copyright 2000-12 36 Team Cymru's Anatomy of a Network Attack

37 Copyright 2000-12 37 Exploits – 'Packaged Threats' An Exploit is an established way of performing an Attack on a Vulnerability Standard techniques are supported by established guidelines and code, which circulate on the Internet Code that enables easy performance of an exploit is expressed in a Script Script Kiddies is a derogatory term for relatively unskilled crackers who rely on techniques and program code developed by other, more skilled people

38 Copyright 2000-12 38 Bugs 'Ready-Made Vulnerabilities' Errors in systems software (esp. MS Windows) or in applications (esp. MS Internet Explorer) They may create vulnerabilities The vulnerabilities may be attacked by crackers This gives rise to the need for urgent patches http://www.microsoft.com/technet/security/current.aspx AusCERT Security Bulletins http://www.auscert.org.au/render.html?cid=1

39 Copyright 2000-12 39 Features Even More 'Ready-Made Vulnerabilities' Convenience for Users Insecure defaults Passwords in cookies Auto-invocation Convenience for Sysadmins 'Unpublished' loginids Trapdoors

40 Copyright 2000-12 40 Safeguards Against Attacks Perimeter Defence – Firewalls A Firewall is a device interposed between two networks (and especially between an internal network and the Internet), which determines: which incoming traffic is permitted which outgoing traffic is permitted Types of Firewall Processing: Application Layer – Proxy-Server / Gateway Network Layer – Packet-Filtering Router Circuit-Level (Physical Layer) Gateway

41 Copyright 2000-12 41 Packet-Filtering Router Packets are forwarded according to filtering rules The rules are applied to the data that is available in the packet header, i.e. Source IP address Destination IP address TCP/UDP source port TCP/UDP destination port ICMP message type Encapsulated protocol information (TCP, UDP, ICMP or IP tunnel)

42 Copyright 2000-12 42 Commonly-Open Ports 20, 21 (ftp) or 115 (sftp) 23 (telnet) or 22 (ssh) 25 (smtp) 53 (dns) S: 80 (http), 443 (https) C: a big number (http/s) 110 (pop) 123 (ntp) 161 (snmp) 427 (slp) 548 (afp) 631 (ipp)

43 Copyright 2000-12 43 5.Denial of Service (DoS) Attack An Attack that renders a net-connected device unusable, generally by overloading it Many Pings Over-sized Pings Forged Echo Packets (Smurfing) Traffic from a single IP-address can be blocked. So traffic is sent from many devices / IP-addresses Hence Distributed Denial of Service (DDoS) An Attacker can be prosecuted. So the Attacker obscures themselves by using a Botnet

44 Copyright 2000-12 44 Safeguards Against DoS Attacks Proactive Minimise Vulnerabilities by updating systems software and applications with available 'patches' Minimise the Self-Inflicted Harm sought by Attackers, by using appropriate settings Reactive Detect Attacks Respond, e.g., by upscaling network and/or computing resources, throttling, or disconnection Counteractive Identify the Attack Pattern or 'Signature' Request Blocking of Traffic that conforms with the signature – which depends on good relations and plans in place with upstream retail and wholesale ISPs Counter-attack: Find and attack the attacker's vehicles Find and attack the attacker

45 Copyright 2000-12 45 E-Trading Security – Malware and Other Attacks Agenda 1.MalContent Malbehaviour Malware 2.The Dimensions: Vector Payload Invocation 3.Safeguards Against Malware 4.Attacks and Safeguards 5.DOS Attacks and Safeguards

46 Copyright 2000-12 46 COMP 3410 – I.T. in Electronic Commerce eSecurity Malware and Other Attacks Roger Clarke Xamax Consultancy, Canberra Visiting Professor, A.N.U. and U.N.S.W. http://www.rogerclarke.com/EC/... ETS2 {.html,.ppt} ANU RSCS, 15 October 2012

47 Copyright 2000-12 47

48 Copyright 2000-12 48 Categories of Malware Definitions at the Back End of the Slide-Set Virus Worm Spyware Backdoor / Trapdoor Remote Admin Tool Rootkit Drive-by-Download Exploit Bug Social Engineering Phishing 'Incitement to Download'

49 Copyright 2000-12 49 Virus... Worm A Virus is a block of code that replicates itself by seeking out other executable files and inserting copies of the block of code into them. (It commonly carries a payload, and it commonly delays the invocation of the payload, in order to avoid early detection. It may be limited to specific contexts, hence, for example, 'boot sector virus' and 'macro virus') A Worm is a program that propagates copies of itself over networks. It does not infect other programs. Viruses and Worms flourish because of: the naiveté of users inadequate care by I.T. professionals OS and apps distributed in a culpably insecure state

50 Copyright 2000-12 50 Spyware Software that surreptitiously: gathers data within a device; and e.g. about its user, or the uses made of it makes it available to one or more other parties (The data may be extracted from files on the device, may reflect the behaviour of a device and/or the user of the device, and/or may reflect the behaviour of other devices on the same network) (The data may then be transmitted to a remote device) Key applications: keystroke logger (esp. for passwords) monitoring of consumer behaviour (adware) monitoring of uses of copyright works

51 Copyright 2000-12 51 Backdoor / Trapdoor A feature, possibly software, that enables unauthorised remote access to a device, bypassing or subverting authentication and other security safeguards. (The access is usually contrived to have a high level of privileges)...

52 Copyright 2000-12 52 Remote Administration Tool (RAT) Software that enables remote access to a device, with a high level of privileges, and with the capacity to monitor user behaviour, adapt the device's software configurations, and install and/or invoke software (RATs are essential for the provision of remote management and support. But unauthorised use represents a serious threat because of the power they provide over the device)

53 Copyright 2000-12 53 Rootkit (Literally software that allows an intruder to gain access to a device with the highest level of privileges available, i.e. associated with the root or system-administrator account. By extension:) Software that assists in obscuring the existence of malware on a device, and/or establishes an obscured environment within which malicious code can be executed

54 Copyright 2000-12 54 Drive-By Download A technique whereby malware is downloaded to a device as a result of a user action, but such that the user is unaware that they are triggering the download. (The user is probably also unaware during and after the download that they have triggered it)

55 Copyright 2000-12 55 Exploit An Exploit is an established way of performing an attack on a vulnerability Standard techniques are supported by guidelines and programming code, which circulate on the Internet Code that enables easy performance of an exploit is expressed in a Script Script Kiddies is a derogatory term for relatively unskilled crackers who rely on techniques and program code developed and published by others

56 Copyright 2000-12 56 Bug An error in systems software (esp. MS Windows) or applications (esp. MS IE and MS Office) It is impossible to produce software without bugs Less prevalent in MS products than previously, but MS products remain the primary target Bugs may create vulnerabilities The vulnerabilities may be attacked by crackers This gives rise to the need for urgent patches Which give rise to risks of new bugs...

57 Copyright 2000-12 57 Social Engineering (1) Phishing Sending people e-mail messages in order to lure them into divulging sensitive data The data sought is commonly passwords and credit-card details The sender commonly assumes a relatively highly trusted identity e.g. a finl institution The data is commonly keyed into a web-form on a site that purports to be operated by the trusted identity Phishing is not Malware, but Phishing may be supported by Malware

58 Copyright 2000-12 58 Social Engineering (2) Incitement to Download and/or Invoke The use of social engineering to manipulate a person into downloading and/or invoking malware A common example: free 'anti-virus software'

Download ppt "Copyright 2000-12 1 COMP 3410 – I.T. in Electronic Commerce eSecurity Malware and Other Attacks Roger Clarke Xamax Consultancy, Canberra Visiting Professor,"

Similar presentations

Symantec 2010 Windows 7 Migration EMEA Results. Methodology Applied Research performed survey 1,360 enterprises worldwide SMBs and enterprises Cross-industry.

Symantec 2010 Windows 7 Migration EMEA Results. Methodology Applied Research performed survey 1,360 enterprises worldwide SMBs and enterprises Cross-industry.
Symantec 2010 Windows 7 Migration Global Results.

Symantec 2010 Windows 7 Migration Global Results.
AP STUDY SESSION 2.

AP STUDY SESSION 2.
1

1
Copyright 2009 1 Malware Categorisation in Support of Malware Policy Analysis Roger Clarke Xamax Consultancy, Canberra Visiting Professor, CLPC UNSW, and.

Copyright Malware Categorisation in Support of Malware Policy Analysis Roger Clarke Xamax Consultancy, Canberra Visiting Professor, CLPC UNSW, and.
Copyright, 1995-2006 1 The Malware Menagerie Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in Cyberspace Law & Policy at U.N.S.W., eCommerce.

Copyright, The Malware Menagerie Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in Cyberspace Law & Policy at U.N.S.W., eCommerce.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 4 Computing Platforms.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 4 Computing Platforms.
Processes and Operating Systems

Processes and Operating Systems
David Burdett May 11, 2004 Package Binding for WS CDL.

David Burdett May 11, 2004 Package Binding for WS CDL.
CALENDAR.

CALENDAR.
Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.
1 Advanced Tools for Account Searches and Portfolios Dawn Gamache Cindy Bylander.

1 Advanced Tools for Account Searches and Portfolios Dawn Gamache Cindy Bylander.
1 Click here to End Presentation Software: Installation and Updates Internet Download CD release NACIS Updates.

1 Click here to End Presentation Software: Installation and Updates Internet Download CD release NACIS Updates.
© Tally Solutions Pvt. Ltd. All Rights Reserved Shoper 9 License Management December 09.

© Tally Solutions Pvt. Ltd. All Rights Reserved Shoper 9 License Management December 09.
Break Time Remaining 10:00.

Break Time Remaining 10:00.
Configuration management

Configuration management
Higher Computing Computer Systems S. McCrossan Higher Grade Computing Studies 8. Supporting Software 1 Software Compatibility Whether you are doing a fresh.

Higher Computing Computer Systems S. McCrossan Higher Grade Computing Studies 8. Supporting Software 1 Software Compatibility Whether you are doing a fresh.
ACT User Meeting June 2011. Your entitlements window Entitlements, roles and v1 security overview Problems with v1 security Tasks, jobs and v2 security.

ACT User Meeting June Your entitlements window Entitlements, roles and v1 security overview Problems with v1 security Tasks, jobs and v2 security.
PP Test Review Sections 6-1 to 6-6

PP Test Review Sections 6-1 to 6-6
Operating Systems Operating Systems - Winter 2010 Chapter 3 – Input/Output Vrije Universiteit Amsterdam.

Operating Systems Operating Systems - Winter 2010 Chapter 3 – Input/Output Vrije Universiteit Amsterdam.

Similar presentations

Ads by Google