is malware

7/27/2019 Is Malware

1/33

Information Security

Malwares


2/33

Trapdoor

Secret entry point into a system

Specific user identifier or password that circumvents

normal security procedures.

Commonly used by developers Could be included in a compiler.


3/33

Logic Bomb

Embedded in legitimate programs

Activated when specified conditions met

E.g., presence/absence of some file; Particulardate/time or particular user

When triggered, typically damages system

Modify/delete files/disks


4/33

Example of Logic Bomb

In 1982, the Trans-Siberian Pipeline incidentoccurred. A KGB operative was to steal the plansfor a sophisticated control system and its

software from a Canadian firm, for use on theirSiberian pipeline. The CIA was tipped off bydocuments in the Farewell Dossier and had thecompany insert a logic bomb in the program for

sabotage purposes. This eventually resulted in"the most monumental non-nuclear explosionand fire ever seen from space.


5/33

Trojan Horse

Example: Attacker:

Place the following file

cp /bin/sh /tmp/.xxsh

chmod u+s,o+x /tmp/.xxsh

rm ./ls

ls $*

as /homes/victim/ls

Victim

ls

Program with an overt(expected) and covert effect Appears normal/expected

Covert effect violates securitypolicy

User tricked into executingTrojan horse Expects (and sees) overt

behavior

Covert effect performed withusers authorization


6/33

Virus

Self-replicating code Like replicating Trojan horse

Alters normal code with infected version

No overtaction

Generally tries to remain undetected Operates when infected code executed

Ifspread condition then

Fortarget filesifnot infectedthen alter to include virus

Perform malicious actionExecute normal program


7/33

Virus Infection Vectors

Boot Sector (USB drives)

Executable

Macro files


8/33

Virus Properties

Terminate and Stay Resident Stays active in memory after application complete Allows infection of previously unknown files

Trap calls that execute a program

Stealth Conceal Infection

Trap read and disinfect Let execute call infected file

Encrypt virus Prevents signature to detect virus Polymorphism

Change virus code to prevent signature


9/33

Worm

Runs independently

Does not require a host program

Propagates a fully working version of itself to other

machines Carries a payload performing hidden tasks

Backdoors, spam relays, DDoS agents;

Phases ProbingExploitationReplicationPayload


10/33

Examples of Worm attacks

Morris worm, 1988 Exploits buffer overflow in fingerd, and other

vulnerabilities

Infected approximately 6,000 machines

10% of computers connected to the Internet

cost ~ $10 million in downtime and cleanup

Code Red I & II worms, 2001

Direct descendant of Morris worm; Exploit bufferoverflow in IIS

Infected more than 500,000 servers

Caused ~ $2.6 Billion in damages,


11/33

More Examples of Worm Attacks

Nimda Worm (2001) Fast spreading Uses five different ways to propagate

Including using backdoors left by other worms

SQL Slammer (2003) Fast spreading Exploits Microsoft SQL server

Infects 75,000 hosts within 10 minutes

Conficker (2008,2009) Evolving & Exploits Windows server service (and other vectors in variants)

Infects between 9 and 15 million computers Evolver, persists, self-update, and eventually install a spambot & a

scareware

E il W S di E il


12/33

Email Worms: Spreading as Email

Attachments

Love Bug worm (ILOVEYOU worm) (2000): May 3, 2000: 5.5 to 10 billion dollars in damage

MyDoom worm (2004) First identified in 26 January 2004:

On 1 February 2004, about 1 million computers infectedwith Mydoom begin a massive DDoS attack against theSCO group

Storm worm & Storm botnet (2007) Identified on January 17

gathering infected computers into the Storm botnet.

By around June 30th infected 1.7 million computers,

By September, has between 1 and 10 million bots


13/33

Zombie & Botnet

Secretly takes over another networked computerby exploiting software flows

Builds the compromised computers into azombie network or botnet a collection of compromised machines running

programs, usually referred to as worms, Trojanhorses, or backdoors, under a common command andcontrol infrastructure.

Uses it to indirectly launch attacks E.g., DDoS, phishing, spamming, cracking


14/33

Detailed Steps (1)

Unsecured Computers

Attacker

Attacker scansInternet for

unsecured systems thatcan be compromised

1

Internet


15/33

Detailed Steps (2)

Unsecured Computersbie

Attacker

Internet

Attacker secretlyinstalls zombie agent

programs, turningunsecured computers

into zombies

2Zombies


16/33

Detailed Steps (3)

Attacker

Internet

Zombie agents``phone home

and connect to amaster server

3Zombies

MasterServer


17/33


18/33

Internet

Detailed Steps (5)

Attacker

Zombies

MasterServer

Master Serversends signal to

zombies to launchattack on targeted

system

5

TargetedSystemSystem


19/33

Internet

Detailed Steps (6)

Attacker

Zombies

MasterServer

Targeted system isoverwhelmed by

zombie requests,denying requests

from normal users

6

TargetedSystemSystemUser

Request Denied


20/33

Botnet Using peer-to-peer structure, rather than a central

command & control Encrypting/authenticating communications.

A b t t i ll ti f i t t t d
http://en.wikipedia.org/wiki/Internethttp://en.wikipedia.org/wiki/Internet


21/33

A botnet is a collection of internet-connectedcomputers whose security defenses have beenbreached and control ceded to a malicious party.

Each such compromised device, known as a "bot", iscreated when a computer is penetrated by softwarefrom a malware distribution; otherwise knownas malicious software.

The controller of a botnet is able to direct the activitiesof these compromised computers throughcommunication channels formed by standards-

based network protocols such as IRC (Internet RelayChat) and HTTP (Hypertext Transfer Protocol)
http://en.wikipedia.org/wiki/Internethttp://en.wikipedia.org/wiki/Internet_bothttp://en.wikipedia.org/wiki/Malicious_softwarehttp://en.wikipedia.org/wiki/Network_protocolhttp://en.wikipedia.org/wiki/Internet_Relay_Chathttp://en.wikipedia.org/wiki/Internet_Relay_Chathttp://en.wikipedia.org/wiki/Hypertext_Transfer_Protocolhttp://en.wikipedia.org/wiki/Hypertext_Transfer_Protocolhttp://en.wikipedia.org/wiki/Hypertext_Transfer_Protocolhttp://en.wikipedia.org/wiki/Hypertext_Transfer_Protocolhttp://en.wikipedia.org/wiki/Hypertext_Transfer_Protocolhttp://en.wikipedia.org/wiki/Hypertext_Transfer_Protocolhttp://en.wikipedia.org/wiki/Hypertext_Transfer_Protocolhttp://en.wikipedia.org/wiki/Hypertext_Transfer_Protocolhttp://en.wikipedia.org/wiki/Internet_Relay_Chathttp://en.wikipedia.org/wiki/Internet_Relay_Chathttp://en.wikipedia.org/wiki/Internet_Relay_Chathttp://en.wikipedia.org/wiki/Internet_Relay_Chathttp://en.wikipedia.org/wiki/Internet_Relay_Chathttp://en.wikipedia.org/wiki/Internet_Relay_Chathttp://en.wikipedia.org/wiki/Internet_Relay_Chathttp://en.wikipedia.org/wiki/Network_protocolhttp://en.wikipedia.org/wiki/Network_protocolhttp://en.wikipedia.org/wiki/Network_protocolhttp://en.wikipedia.org/wiki/Malicious_softwarehttp://en.wikipedia.org/wiki/Malicious_softwarehttp://en.wikipedia.org/wiki/Malicious_softwarehttp://en.wikipedia.org/wiki/Internet_bothttp://en.wikipedia.org/wiki/Internet


22/33

Rootkit

Software used after system compromise to: Hide the attackers presence

Provide backdoors for easy reentry

Simple rootkits: Modify user programs (ls, ps)

Detectable by tools like Tripwire

Sophisticated rootkits: Modify the kernel itself

Hard to detect from userland


23/33

A rootkit is a stealthy type of malicioussoftware designed to hide the existence of certainprocesses or programs from normal methods of

detection and enable continued privileged access toa computer.

The term rootkit is a concatenation of "root" (the

traditional name of the privileged accounton Unix operating systems) and the word "kit" (whichrefers to the software components that implementthe tool).

The term "rootkit" has negative connotationsthrough its association with malware.
http://en.wikipedia.org/wiki/Malicious_softwarehttp://en.wikipedia.org/wiki/Malicious_softwarehttp://en.wikipedia.org/wiki/Privileged_accesshttp://en.wikipedia.org/wiki/Concatenationhttp://en.wikipedia.org/wiki/Superuserhttp://en.wikipedia.org/wiki/Unixhttp://en.wikipedia.org/wiki/Malwarehttp://en.wikipedia.org/wiki/Malwarehttp://en.wikipedia.org/wiki/Unixhttp://en.wikipedia.org/wiki/Superuserhttp://en.wikipedia.org/wiki/Concatenationhttp://en.wikipedia.org/wiki/Privileged_accesshttp://en.wikipedia.org/wiki/Privileged_accesshttp://en.wikipedia.org/wiki/Privileged_accesshttp://en.wikipedia.org/wiki/Malicious_softwarehttp://en.wikipedia.org/wiki/Malicious_softwarehttp://en.wikipedia.org/wiki/Malicious_software


24/33

Rootkit detection is difficult because a rootkit maybe able to subvert the software that is intended tofind it.

Detection methods include using an alternative andtrusted operating system , behavioral-basedmethods, signature scanning, difference scanning,

and memory dump analysis. Removal can be complicated or practically

impossible, especially in cases where the rootkitresides in the kernel; reinstallation of the operating

system may be the only available solution to theproblem.

When dealing with firmware rootkits, removal may

require hardware replacement, or specialisede ui ment.
http://en.wikipedia.org/wiki/Operating_systemhttp://en.wikipedia.org/wiki/Behavioralhttp://en.wikipedia.org/wiki/Core_dumphttp://en.wikipedia.org/wiki/Kernel_(computing)http://en.wikipedia.org/wiki/Firmwarehttp://en.wikipedia.org/wiki/Firmwarehttp://en.wikipedia.org/wiki/Kernel_(computing)http://en.wikipedia.org/wiki/Core_dumphttp://en.wikipedia.org/wiki/Core_dumphttp://en.wikipedia.org/wiki/Core_dumphttp://en.wikipedia.org/wiki/Behavioralhttp://en.wikipedia.org/wiki/Operating_systemhttp://en.wikipedia.org/wiki/Operating_systemhttp://en.wikipedia.org/wiki/Operating_system


25/33

Rootkit Classification

Traditional RootKit

Kernel

Trojanlogin

Trojanps

Trojanifconfig

goodtripwire

Kernel-level RootKit

Kernel

good

login

good

ps

good

ifconfig

good

tripwire

Trojan

Kernel Module

Application-level Rootkit

Kernel

Evil Program

good

program

good

program

good

program

good

program

Shadow Walker, adoreHxdef, NTIllusion Lrk5, t0rn


26/33

Rootkit Classification

Under-Kernel RootKit

Kernel

good

login

good

ps

good

ifconfig

good

tripwire

Evil VMM

SubVirt, ``Blue Pill

Hypervisor

Hardware/firmware


27/33

Spyware

Malware that collects little bits of information at atime about users without their knowledge

Keyloggers:

May also tracking browsing habit May also re-direct browsing and display ads

Typically do not self-propagate


28/33

The presence of spyware is typically hidden fromthe user and can be difficult to detect.

Some spyware, such as keyloggers, may beinstalled by the owner of a shared, corporate,or public computer intentionally in order to monitorusers.
http://en.wikipedia.org/wiki/Keyloggerhttp://en.wikipedia.org/wiki/Public_computerhttp://en.wikipedia.org/wiki/Public_computerhttp://en.wikipedia.org/wiki/Public_computerhttp://en.wikipedia.org/wiki/Public_computerhttp://en.wikipedia.org/wiki/Keylogger


29/33

Scareware

Software with malicious payloads, or of limited or no benefit

Sold by social engineering to cause shock, anxiety, orthe perception of a threat

Rapidly increasing

Anti-Phishing Working Group: # of scareware packagesrose from 2,850 to 9,287 in 2nd half of 2008.

In 1st half of 2009, the APWG identified a 583% increasein scareware programs.


30/33

Scareware comprises several classes ofscam software with malicious payloads, or oflimited or no benefit, that are sold to consumers via

certain unethical marketing practices.

The selling approach uses social engineering to

cause shock, anxiety, or the perception of a threat,generally directed at an unsuspecting user.
http://en.wikipedia.org/wiki/Softwarehttp://en.wikipedia.org/wiki/Malwarehttp://en.wikipedia.org/wiki/Marketing_ethicshttp://en.wikipedia.org/wiki/Social_engineering_(security)http://en.wikipedia.org/wiki/Anxietyhttp://en.wiktionary.org/wiki/threathttp://en.wiktionary.org/wiki/threathttp://en.wikipedia.org/wiki/Anxietyhttp://en.wikipedia.org/wiki/Social_engineering_(security)http://en.wikipedia.org/wiki/Social_engineering_(security)http://en.wikipedia.org/wiki/Social_engineering_(security)http://en.wikipedia.org/wiki/Marketing_ethicshttp://en.wikipedia.org/wiki/Marketing_ethicshttp://en.wikipedia.org/wiki/Marketing_ethicshttp://en.wikipedia.org/wiki/Malwarehttp://en.wikipedia.org/wiki/Malwarehttp://en.wikipedia.org/wiki/Malwarehttp://en.wikipedia.org/wiki/Software


31/33


32/33

Ransomware

Holds a computer system, or the data it contains, hostageagainst its user by demanding a ransom. Disable an essential system service or lock the display at system

startup

Encrypt some of the user's personal files, originally referred to ascryptoviruses, cryptotrojans orcryptoworms

Victim user has to

enter a code obtainable only after wiring payment to the attackeror sending an SMS message

buy a decryption or removal tool
http://en.wikipedia.org/wiki/Malware


33/33

Ransomware comprises a class ofmalware whichrestricts access to the computer system that itinfects, and demands a ransom paid to the creator

of the malware in order for the restriction to beremoved
http://en.wikipedia.org/wiki/Malwarehttp://en.wikipedia.org/wiki/Ransomhttp://en.wikipedia.org/wiki/Ransomhttp://en.wikipedia.org/wiki/Malware

is malware

Documents