is malware
TRANSCRIPT
-
7/27/2019 Is Malware
1/33
Information Security
Malwares
-
7/27/2019 Is Malware
2/33
Trapdoor
Secret entry point into a system
Specific user identifier or password that circumvents
normal security procedures.
Commonly used by developers Could be included in a compiler.
-
7/27/2019 Is Malware
3/33
Logic Bomb
Embedded in legitimate programs
Activated when specified conditions met
E.g., presence/absence of some file; Particulardate/time or particular user
When triggered, typically damages system
Modify/delete files/disks
-
7/27/2019 Is Malware
4/33
Example of Logic Bomb
In 1982, the Trans-Siberian Pipeline incidentoccurred. A KGB operative was to steal the plansfor a sophisticated control system and its
software from a Canadian firm, for use on theirSiberian pipeline. The CIA was tipped off bydocuments in the Farewell Dossier and had thecompany insert a logic bomb in the program for
sabotage purposes. This eventually resulted in"the most monumental non-nuclear explosionand fire ever seen from space.
-
7/27/2019 Is Malware
5/33
Trojan Horse
Example: Attacker:
Place the following file
cp /bin/sh /tmp/.xxsh
chmod u+s,o+x /tmp/.xxsh
rm ./ls
ls $*
as /homes/victim/ls
Victim
ls
Program with an overt(expected) and covert effect Appears normal/expected
Covert effect violates securitypolicy
User tricked into executingTrojan horse Expects (and sees) overt
behavior
Covert effect performed withusers authorization
-
7/27/2019 Is Malware
6/33
Virus
Self-replicating code Like replicating Trojan horse
Alters normal code with infected version
No overtaction
Generally tries to remain undetected Operates when infected code executed
Ifspread condition then
Fortarget filesifnot infectedthen alter to include virus
Perform malicious actionExecute normal program
-
7/27/2019 Is Malware
7/33
Virus Infection Vectors
Boot Sector (USB drives)
Executable
Macro files
-
7/27/2019 Is Malware
8/33
Virus Properties
Terminate and Stay Resident Stays active in memory after application complete Allows infection of previously unknown files
Trap calls that execute a program
Stealth Conceal Infection
Trap read and disinfect Let execute call infected file
Encrypt virus Prevents signature to detect virus Polymorphism
Change virus code to prevent signature
-
7/27/2019 Is Malware
9/33
Worm
Runs independently
Does not require a host program
Propagates a fully working version of itself to other
machines Carries a payload performing hidden tasks
Backdoors, spam relays, DDoS agents;
Phases ProbingExploitationReplicationPayload
-
7/27/2019 Is Malware
10/33
Examples of Worm attacks
Morris worm, 1988 Exploits buffer overflow in fingerd, and other
vulnerabilities
Infected approximately 6,000 machines
10% of computers connected to the Internet
cost ~ $10 million in downtime and cleanup
Code Red I & II worms, 2001
Direct descendant of Morris worm; Exploit bufferoverflow in IIS
Infected more than 500,000 servers
Caused ~ $2.6 Billion in damages,
-
7/27/2019 Is Malware
11/33
More Examples of Worm Attacks
Nimda Worm (2001) Fast spreading Uses five different ways to propagate
Including using backdoors left by other worms
SQL Slammer (2003) Fast spreading Exploits Microsoft SQL server
Infects 75,000 hosts within 10 minutes
Conficker (2008,2009) Evolving & Exploits Windows server service (and other vectors in variants)
Infects between 9 and 15 million computers Evolver, persists, self-update, and eventually install a spambot & a
scareware
E il W S di E il
-
7/27/2019 Is Malware
12/33
Email Worms: Spreading as Email
Attachments
Love Bug worm (ILOVEYOU worm) (2000): May 3, 2000: 5.5 to 10 billion dollars in damage
MyDoom worm (2004) First identified in 26 January 2004:
On 1 February 2004, about 1 million computers infectedwith Mydoom begin a massive DDoS attack against theSCO group
Storm worm & Storm botnet (2007) Identified on January 17
gathering infected computers into the Storm botnet.
By around June 30th infected 1.7 million computers,
By September, has between 1 and 10 million bots
-
7/27/2019 Is Malware
13/33
Zombie & Botnet
Secretly takes over another networked computerby exploiting software flows
Builds the compromised computers into azombie network or botnet a collection of compromised machines running
programs, usually referred to as worms, Trojanhorses, or backdoors, under a common command andcontrol infrastructure.
Uses it to indirectly launch attacks E.g., DDoS, phishing, spamming, cracking
-
7/27/2019 Is Malware
14/33
Detailed Steps (1)
Unsecured Computers
Attacker
Attacker scansInternet for
unsecured systems thatcan be compromised
1
Internet
-
7/27/2019 Is Malware
15/33
Detailed Steps (2)
Unsecured Computersbie
Attacker
Internet
Attacker secretlyinstalls zombie agent
programs, turningunsecured computers
into zombies
2Zombies
-
7/27/2019 Is Malware
16/33
Detailed Steps (3)
Attacker
Internet
Zombie agents``phone home
and connect to amaster server
3Zombies
MasterServer
-
7/27/2019 Is Malware
17/33
-
7/27/2019 Is Malware
18/33
Internet
Detailed Steps (5)
Attacker
Zombies
MasterServer
Master Serversends signal to
zombies to launchattack on targeted
system
5
TargetedSystemSystem
-
7/27/2019 Is Malware
19/33
Internet
Detailed Steps (6)
Attacker
Zombies
MasterServer
Targeted system isoverwhelmed by
zombie requests,denying requests
from normal users
6
TargetedSystemSystemUser
Request Denied
-
7/27/2019 Is Malware
20/33
Botnet Using peer-to-peer structure, rather than a central
command & control Encrypting/authenticating communications.
A b t t i ll ti f i t t t d
http://en.wikipedia.org/wiki/Internethttp://en.wikipedia.org/wiki/Internet -
7/27/2019 Is Malware
21/33
A botnet is a collection of internet-connectedcomputers whose security defenses have beenbreached and control ceded to a malicious party.
Each such compromised device, known as a "bot", iscreated when a computer is penetrated by softwarefrom a malware distribution; otherwise knownas malicious software.
The controller of a botnet is able to direct the activitiesof these compromised computers throughcommunication channels formed by standards-
based network protocols such as IRC (Internet RelayChat) and HTTP (Hypertext Transfer Protocol)
http://en.wikipedia.org/wiki/Internethttp://en.wikipedia.org/wiki/Internet_bothttp://en.wikipedia.org/wiki/Malicious_softwarehttp://en.wikipedia.org/wiki/Network_protocolhttp://en.wikipedia.org/wiki/Internet_Relay_Chathttp://en.wikipedia.org/wiki/Internet_Relay_Chathttp://en.wikipedia.org/wiki/Hypertext_Transfer_Protocolhttp://en.wikipedia.org/wiki/Hypertext_Transfer_Protocolhttp://en.wikipedia.org/wiki/Hypertext_Transfer_Protocolhttp://en.wikipedia.org/wiki/Hypertext_Transfer_Protocolhttp://en.wikipedia.org/wiki/Hypertext_Transfer_Protocolhttp://en.wikipedia.org/wiki/Hypertext_Transfer_Protocolhttp://en.wikipedia.org/wiki/Hypertext_Transfer_Protocolhttp://en.wikipedia.org/wiki/Hypertext_Transfer_Protocolhttp://en.wikipedia.org/wiki/Internet_Relay_Chathttp://en.wikipedia.org/wiki/Internet_Relay_Chathttp://en.wikipedia.org/wiki/Internet_Relay_Chathttp://en.wikipedia.org/wiki/Internet_Relay_Chathttp://en.wikipedia.org/wiki/Internet_Relay_Chathttp://en.wikipedia.org/wiki/Internet_Relay_Chathttp://en.wikipedia.org/wiki/Internet_Relay_Chathttp://en.wikipedia.org/wiki/Network_protocolhttp://en.wikipedia.org/wiki/Network_protocolhttp://en.wikipedia.org/wiki/Network_protocolhttp://en.wikipedia.org/wiki/Malicious_softwarehttp://en.wikipedia.org/wiki/Malicious_softwarehttp://en.wikipedia.org/wiki/Malicious_softwarehttp://en.wikipedia.org/wiki/Internet_bothttp://en.wikipedia.org/wiki/Internet -
7/27/2019 Is Malware
22/33
Rootkit
Software used after system compromise to: Hide the attackers presence
Provide backdoors for easy reentry
Simple rootkits: Modify user programs (ls, ps)
Detectable by tools like Tripwire
Sophisticated rootkits: Modify the kernel itself
Hard to detect from userland
-
7/27/2019 Is Malware
23/33
A rootkit is a stealthy type of malicioussoftware designed to hide the existence of certainprocesses or programs from normal methods of
detection and enable continued privileged access toa computer.
The term rootkit is a concatenation of "root" (the
traditional name of the privileged accounton Unix operating systems) and the word "kit" (whichrefers to the software components that implementthe tool).
The term "rootkit" has negative connotationsthrough its association with malware.
http://en.wikipedia.org/wiki/Malicious_softwarehttp://en.wikipedia.org/wiki/Malicious_softwarehttp://en.wikipedia.org/wiki/Privileged_accesshttp://en.wikipedia.org/wiki/Concatenationhttp://en.wikipedia.org/wiki/Superuserhttp://en.wikipedia.org/wiki/Unixhttp://en.wikipedia.org/wiki/Malwarehttp://en.wikipedia.org/wiki/Malwarehttp://en.wikipedia.org/wiki/Unixhttp://en.wikipedia.org/wiki/Superuserhttp://en.wikipedia.org/wiki/Concatenationhttp://en.wikipedia.org/wiki/Privileged_accesshttp://en.wikipedia.org/wiki/Privileged_accesshttp://en.wikipedia.org/wiki/Privileged_accesshttp://en.wikipedia.org/wiki/Malicious_softwarehttp://en.wikipedia.org/wiki/Malicious_softwarehttp://en.wikipedia.org/wiki/Malicious_software -
7/27/2019 Is Malware
24/33
Rootkit detection is difficult because a rootkit maybe able to subvert the software that is intended tofind it.
Detection methods include using an alternative andtrusted operating system , behavioral-basedmethods, signature scanning, difference scanning,
and memory dump analysis. Removal can be complicated or practically
impossible, especially in cases where the rootkitresides in the kernel; reinstallation of the operating
system may be the only available solution to theproblem.
When dealing with firmware rootkits, removal may
require hardware replacement, or specialisede ui ment.
http://en.wikipedia.org/wiki/Operating_systemhttp://en.wikipedia.org/wiki/Behavioralhttp://en.wikipedia.org/wiki/Core_dumphttp://en.wikipedia.org/wiki/Kernel_(computing)http://en.wikipedia.org/wiki/Firmwarehttp://en.wikipedia.org/wiki/Firmwarehttp://en.wikipedia.org/wiki/Kernel_(computing)http://en.wikipedia.org/wiki/Core_dumphttp://en.wikipedia.org/wiki/Core_dumphttp://en.wikipedia.org/wiki/Core_dumphttp://en.wikipedia.org/wiki/Behavioralhttp://en.wikipedia.org/wiki/Operating_systemhttp://en.wikipedia.org/wiki/Operating_systemhttp://en.wikipedia.org/wiki/Operating_system -
7/27/2019 Is Malware
25/33
Rootkit Classification
Traditional RootKit
Kernel
Trojanlogin
Trojanps
Trojanifconfig
goodtripwire
Kernel-level RootKit
Kernel
good
login
good
ps
good
ifconfig
good
tripwire
Trojan
Kernel Module
Application-level Rootkit
Kernel
Evil Program
good
program
good
program
good
program
good
program
Shadow Walker, adoreHxdef, NTIllusion Lrk5, t0rn
-
7/27/2019 Is Malware
26/33
Rootkit Classification
Under-Kernel RootKit
Kernel
good
login
good
ps
good
ifconfig
good
tripwire
Evil VMM
SubVirt, ``Blue Pill
Hypervisor
Hardware/firmware
-
7/27/2019 Is Malware
27/33
Spyware
Malware that collects little bits of information at atime about users without their knowledge
Keyloggers:
May also tracking browsing habit May also re-direct browsing and display ads
Typically do not self-propagate
-
7/27/2019 Is Malware
28/33
The presence of spyware is typically hidden fromthe user and can be difficult to detect.
Some spyware, such as keyloggers, may beinstalled by the owner of a shared, corporate,or public computer intentionally in order to monitorusers.
http://en.wikipedia.org/wiki/Keyloggerhttp://en.wikipedia.org/wiki/Public_computerhttp://en.wikipedia.org/wiki/Public_computerhttp://en.wikipedia.org/wiki/Public_computerhttp://en.wikipedia.org/wiki/Public_computerhttp://en.wikipedia.org/wiki/Keylogger -
7/27/2019 Is Malware
29/33
Scareware
Software with malicious payloads, or of limited or no benefit
Sold by social engineering to cause shock, anxiety, orthe perception of a threat
Rapidly increasing
Anti-Phishing Working Group: # of scareware packagesrose from 2,850 to 9,287 in 2nd half of 2008.
In 1st half of 2009, the APWG identified a 583% increasein scareware programs.
-
7/27/2019 Is Malware
30/33
Scareware comprises several classes ofscam software with malicious payloads, or oflimited or no benefit, that are sold to consumers via
certain unethical marketing practices.
The selling approach uses social engineering to
cause shock, anxiety, or the perception of a threat,generally directed at an unsuspecting user.
http://en.wikipedia.org/wiki/Softwarehttp://en.wikipedia.org/wiki/Malwarehttp://en.wikipedia.org/wiki/Marketing_ethicshttp://en.wikipedia.org/wiki/Social_engineering_(security)http://en.wikipedia.org/wiki/Anxietyhttp://en.wiktionary.org/wiki/threathttp://en.wiktionary.org/wiki/threathttp://en.wikipedia.org/wiki/Anxietyhttp://en.wikipedia.org/wiki/Social_engineering_(security)http://en.wikipedia.org/wiki/Social_engineering_(security)http://en.wikipedia.org/wiki/Social_engineering_(security)http://en.wikipedia.org/wiki/Marketing_ethicshttp://en.wikipedia.org/wiki/Marketing_ethicshttp://en.wikipedia.org/wiki/Marketing_ethicshttp://en.wikipedia.org/wiki/Malwarehttp://en.wikipedia.org/wiki/Malwarehttp://en.wikipedia.org/wiki/Malwarehttp://en.wikipedia.org/wiki/Software -
7/27/2019 Is Malware
31/33
-
7/27/2019 Is Malware
32/33
Ransomware
Holds a computer system, or the data it contains, hostageagainst its user by demanding a ransom. Disable an essential system service or lock the display at system
startup
Encrypt some of the user's personal files, originally referred to ascryptoviruses, cryptotrojans orcryptoworms
Victim user has to
enter a code obtainable only after wiring payment to the attackeror sending an SMS message
buy a decryption or removal tool
http://en.wikipedia.org/wiki/Malware -
7/27/2019 Is Malware
33/33
Ransomware comprises a class ofmalware whichrestricts access to the computer system that itinfects, and demands a ransom paid to the creator
of the malware in order for the restriction to beremoved
http://en.wikipedia.org/wiki/Malwarehttp://en.wikipedia.org/wiki/Ransomhttp://en.wikipedia.org/wiki/Ransomhttp://en.wikipedia.org/wiki/Malware