Presentation about malicious software by Jan Devos
pag. 1 Jan Devos
IT Security
Prof. Dr. ir Jan Devos Universiteit Gent, Campus Kortrijk
Graaf Karel De Goedelaan 5
BE-8500 KORTRIJK - BELGIUM
T: +32 56 24 12 72 (direct number)
e-mail: jang.devos@ugent.be
linkedIn: www.linkedin.com/in/jangdevos
Blog: jangdevos.wordpress.org
twitter: @jangdevos
pag. 2 Jan Devos
Malicious Software
A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity or availability of the victim's data, applications, or operating system, or otherwise annoying or disrupting the victim.
pag. 3 Jan Devos
Malicious Software
• programs exploiting system vulnerabilities
• known as malicious software or malware
– program fragments that need a host program
• e.g. viruses, logic bombs, and backdoors
– independent self-contained programs
• e.g. worms, bots
– replicating or not
• sophisticated threat to computer systems
pag. 5 Jan Devos
• classified into two broad categories:
– first on how it spreads or propagates to reach the desired targets
– then on the actions or payloads it performs once a target is reached
• also classified by:
– those that need a host program (parasitic code such as viruses)
– those that are independent, self-contained programs (worms, trojans, and bots)
– malware that does not replicate (trojans and spam e-mail)
– malware that does replicate (viruses and worms)
pag. 6 Jan Devos
propagation mechanisms include:
• infection of existing content by viruses that is subsequently spread to other systems
• exploit of software vulnerabilities by worms or drive-by-downloads to allow the malware to replicate
• social engineering attacks that convince users to bypass security mechanisms to install Trojans or to respond to phishing attacks
payload actions performed by malware once it reaches a target system can include:
• corruption of system or data files
• theft of service/make the system a zombie agent of attack as part of a botnet
• theft of information from the system/keylogging
• stealthing/hiding its presence on the system
pag. 8 Jan Devos
Backdoor / Trapdoor
• Secret entry point into a program
– Any mechanism that bypasses a normal security check
• Legitimately: maintenance hook (CTRL-ALT-DEL)
– Quick access to a program (by the developer)
– Avoiding the authentication procedure
• Threat:
– difficult to prevent or detect
– Control over the development and maintenance activities
pag. 9 Jan Devos
Easter Eggs http://www.eeggs.com
Examples:
WORD:
1. Open a new word document
2. Type "=rand(200,99)" (without the quotes)
3. Press enter
4. Wait a few seconds and see
FIREFOX
1. Type about:mozilla in address bar
2. Hit enter.
pag. 11 Jan Devos
Logic Bomb
• Program inserted into software by an intruder
• Dormant until a predefined condition is met
• Unauthorized act
Case Study Tim Lloyd / Omega
pag. 12 Jan Devos
Trojan Horses
• An apparently useful program containing hidden code that performs some unwanted or harmful function
• Harmful functions:
– Authorization for unauthorized users
– Data destruction
– Spyware
• Techniques:
– Modified compiler
– Internet downloads
pag. 13 Jan Devos
Mobile Code
• Programs that can be shipped unchanged to a heterogeneous collection of platforms (e.g. Windows) and execute with identical semantics
• Mobile Code acts as a mechanism for a virus, worm or Trojan Horse to be transmitted
• Examples of Mobile Code:
– Java Applets
– ActiveX controls
– JavaScript
– VB-Script
pag. 14 Jan Devos
Viruses
• Malware that, when executed, tries to replicate itself into other executable code.
• First appearance in 1983 (after the launch of the PC)
• Fred Cohen
pag. 15 Jan Devos
Viruses
• piece of software that infects programs
– modifying them to include a copy of the virus
– it executes secretly when host program is run
• specific to operating system and hardware
– taking advantage of their details and weaknesses
• a typical virus goes through phases of:
infection / dormant / propagation / triggering / execution
pag. 16 Jan Devos
Viruses
• components:
– infection mechanism - enables replication
– trigger - event that makes payload activate
– payload - what it does, malicious or benign
• prepended / postpended / embedded
• when infected program invoked, executes virus code then original program code
• can block initial infection (difficult)
• or propagation (with access controls)
pag. 19 Jan Devos
Viruses Classification
• boot sector
• file infector
• macro virus
• encrypted virus: creates a key and encrypts itself (= another pattern)
• stealth virus: hides itself from detection
• polymorphic virus: virus mutates!
• metamorphic virus: virus mutates + rewrites itself
pag. 20 Jan Devos
Macro Viruses
• very common in mid-1990s since
– platform independent
– infect documents
– easily spread
• exploit macro capability of office apps
– executable program embedded in office doc
– often a form of Basic
• more recent releases include protection
• recognized by many anti-virus programs
pag. 21 Jan Devos
E-Mail Viruses
• more recent development
• e.g. Melissa
– exploits MS Word macro in attached doc
– if attachment opened, macro activates
– sends email to all on user's address list
– and does local damage
• later versions were triggered merely by reading the email
• hence much faster propagation
pag. 22 Jan Devos
Virus Countermeasures
• prevention - ideal solution but difficult
• realistically need:
– detection
– identification
– removal
• if detected but cannot be identified or removed, the infected program must be discarded and replaced
pag. 23 Jan Devos
Virus Countermeasures
• virus & antivirus tech have both evolved
• early viruses were simple code, easily removed
• as viruses became more complex, so must the countermeasures
• generations:
– first - signature scanners
– second - heuristics
– third - identify actions
– fourth - combination packages
pag. 24 Jan Devos
Virus Countermeasures
• first - signature scanners
– Static
– Signature-specific scanners
– Detection of known viruses
– Detection based on the length of the programs
• second - heuristics
– No specific signature
– Heuristic rules
• Fragments of code
• Integrity checking (checksum check / hashing)
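The two generations on this slide can be shown side by side in code. The block below is an added example, not part of the presentation: a first-generation style static signature scanner (fixed byte patterns, plus the file length recorded in the baseline) next to a second-generation integrity check that hashes every file with SHA-256 and reports what changed since the baseline. The signature database and the directory tree are constructed for the example; the "signatures" are placeholder strings, not real malware bytes.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed signature database: placeholder byte patterns standing in for the
# fixed code fragments a first-generation scanner looks for. Not real malware.
SIGNATURES = {
    "DEMO.Marker.A": b"CONSTRUCTED-SIGNATURE-A",
    "DEMO.Marker.B": b"CONSTRUCTED-SIGNATURE-B",
}


def sha256_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Record (size, sha256) for every file under root: the 'known good' state."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = (path.stat().st_size, sha256_file(path))
    return baseline


def check_integrity(root, baseline):
    """Integrity check: compare the current state of root against the baseline.

    A parasitic infection that prepends, appends or embeds code changes the
    file's length and its hash, so it is reported as 'modified' even when no
    signature for it is known yet.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def signature_scan(path, signatures=SIGNATURES):
    """Static signature scan: names of the known patterns present in the file."""
    data = Path(path).read_bytes()
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def demo():
    """Run both checks over a constructed directory tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"original program bytes")
        (root / "bin" / "tool.exe").write_bytes(b"another clean program")
        baseline = build_baseline(root)

        # Simulate an infection: app.exe grows because a known pattern is
        # appended to it, and an unknown new file appears next to it.
        with open(root / "bin" / "app.exe", "ab") as handle:
            handle.write(SIGNATURES["DEMO.Marker.A"])
        (root / "bin" / "dropped.exe").write_bytes(b"unknown new program")

        integrity = check_integrity(root, baseline)
        suspects = integrity["modified"] + integrity["added"]
        hits = {rel: signature_scan(root / rel) for rel in suspects}
        return integrity, hits


if __name__ == "__main__":
    print(demo())
```

The integrity check flags both changed files without knowing anything about them; the signature scan then identifies only the one whose pattern is in the database, which is exactly the gap the heuristic generation was meant to close.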
pag. 25 Jan Devos
Virus Countermeasures
• third - identify actions
– Memory-resident
– Identification by its actions rather than structure
• fourth - combination packages
– Variety of antivirus techniques used in conjunction
– Scanning and activity trap
pag. 26 Jan Devos
Generic Decryption
• runs executable files through GD scanner:
– CPU emulator to interpret instructions
– virus scanner to check known virus signatures
– emulation control module to manage process
• lets virus decrypt itself in interpreter
• periodically scan for virus signatures
• issue: interpreting and scanning takes a long time
– tradeoff: chance of detection vs time delay
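To make the generic decryption tradeoff concrete, here is an added example (not from the presentation) of a toy GD scanner: a minimal CPU emulator with its own constructed instruction set, a plain signature scanner, and a control loop that runs a sample for a bounded number of instructions, rescanning emulated memory every few steps. The sample is a constructed XOR-decoder loop with an encoded body whose clear form is the placeholder signature; a static scan misses it, emulation with a small budget still misses it, and a larger budget catches it at the step where the body is fully decoded.

```python
# Toy instruction set, constructed for this example:
#   ("MOV", r, imm)      regs[r] = imm
#   ("ADD", r, imm)      regs[r] += imm
#   ("XORM", ra, rk)     memory[regs[ra]] ^= regs[rk]
#   ("JNZ", r, target)   if regs[r] != 0: jump to instruction index target
#   ("HALT",)            stop


def static_scan(memory, signature):
    """Plain signature scanner: matches only what is already in clear in memory."""
    return bytes(signature) in bytes(memory)


def generic_decryption_scan(program, memory, signature, budget, scan_every=4):
    """Emulate up to `budget` instructions, rescanning memory every `scan_every` steps.

    Returns ("detected", steps) as soon as the signature appears in emulated
    memory, or ("not-detected", steps) when the program halts or the budget
    (the time-delay side of the tradeoff) runs out first.
    """
    regs = [0, 0, 0, 0]
    pc = 0
    steps = 0
    memory = bytearray(memory)  # emulate on a copy; the scanned file is untouched
    while steps < budget and pc < len(program):
        ins = program[pc]
        op = ins[0]
        next_pc = pc + 1
        if op == "MOV":
            regs[ins[1]] = ins[2]
        elif op == "ADD":
            regs[ins[1]] += ins[2]
        elif op == "XORM":
            memory[regs[ins[1]]] ^= regs[ins[2]] & 0xFF
        elif op == "JNZ":
            if regs[ins[1]] != 0:
                next_pc = ins[2]
        elif op == "HALT":
            next_pc = len(program)
        else:
            raise ValueError("unknown opcode %r" % (op,))
        pc = next_pc
        steps += 1
        # periodic scan of the emulated memory, as the GD control module does
        if steps % scan_every == 0 and static_scan(memory, signature):
            return ("detected", steps)
    if static_scan(memory, signature):  # final scan on halt or budget exhaustion
        return ("detected", steps)
    return ("not-detected", steps)


def build_sample(key=0x5A, body_offset=8, mem_size=64):
    """Constructed sample: a decoder loop plus an XOR-encoded body in memory."""
    body = b"DEMO-PAYLOAD-SIGNATURE"  # placeholder standing in for a known signature
    memory = bytearray(mem_size)
    memory[body_offset:body_offset + len(body)] = bytes(b ^ key for b in body)
    program = [
        ("MOV", 0, body_offset),  # r0 = pointer into the encoded body
        ("MOV", 1, len(body)),    # r1 = bytes left to decode
        ("MOV", 2, key),          # r2 = key
        ("XORM", 0, 2),           # loop: decode one byte in place
        ("ADD", 0, 1),
        ("ADD", 1, -1),
        ("JNZ", 1, 3),
        ("HALT",),
    ]
    return program, memory, body


def demo():
    """Compare static scanning with GD scanning under two instruction budgets."""
    program, memory, signature = build_sample()
    return {
        "static": static_scan(memory, signature),
        "gd_budget_40": generic_decryption_scan(program, memory, signature, budget=40),
        "gd_budget_500": generic_decryption_scan(program, memory, signature, budget=500),
    }


if __name__ == "__main__":
    print(demo())
```

Each body byte costs four emulated instructions, so a 40-instruction budget decodes fewer than half of the 22 bytes and the scanner reports nothing; the larger budget finds the full signature after 88 steps. Choosing that budget is the detection-versus-delay tradeoff the slide names.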
pag. 29 Jan Devos
Worms
• replicating program that propagates over net
– using email, remote exec, remote login
• has phases like a virus:
– dormant, propagation, triggering, execution
– propagation phase: searches for other systems, connects to them, copies itself over and runs
• may disguise itself as a system process
• concept seen in Brunner's "Shockwave Rider"
• implemented by Xerox Palo Alto labs in the 1980s
pag. 30 Jan Devos
Morris Worm
• one of best known worms
• released by Robert Morris in 1988
• various attacks on UNIX systems
– cracking password file to use login/password to logon to other systems
– exploiting a bug in the finger protocol
– exploiting a bug in sendmail
• if successful, it has remote shell access
– sent a bootstrap program to copy the worm over
pag. 32 Jan Devos
• Code Red – July 2001 exploiting MS IIS bug
– probes random IP address, does DDoS attack (360,000 servers in 14 hours)
– consumes significant net capacity when active
• Code Red II variant includes backdoor
• SQL Slammer – early 2003, attacks MS SQL Server
– compact and very rapid spread
• Mydoom – mass-mailing e-mail worm that appeared in 2004
– installed remote access backdoor in infected systems
pag. 33 Jan Devos
• multiplatform
• multi-exploit
• ultrafast spreading
• polymorphic
• metamorphic
• transport vehicles
• zero-day exploit
• mobile phone worms (since 2004: BlueTooth, MMS)
pag. 34 Jan Devos
Worm Countermeasures
• overlaps with anti-virus techniques
• once worm on system AntiVirus can detect
• worms also cause significant net activity
• worm defense approaches include:
– signature-based worm scan filtering
– filter-based worm containment
– payload-classification-based worm containment
– threshold random walk scan detection
– rate limiting and rate halting
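Of the defences listed, threshold random walk scan detection is the one most easily shown in code. The block below is an added example, not part of the presentation: a sequential hypothesis test per source host over first-contact connection attempts, in the style of Jung et al.'s TRW. Failures push the log-likelihood ratio up, successes push it down, and crossing either threshold settles the verdict. The connection log, the source addresses and the parameter values (theta0, theta1, alpha, beta) are constructed or chosen for this example.

```python
import math

# Constructed first-contact log: (source, destination, connection succeeded).
# 10.0.0.5 behaves like a scanning worm, 10.0.0.9 like a normal client and
# 10.0.0.7 has not produced enough evidence either way. Not real traffic.
CONNECTION_LOG = [
    ("10.0.0.5", "10.0.1.1", False),
    ("10.0.0.5", "10.0.1.2", False),
    ("10.0.0.9", "10.0.2.10", True),
    ("10.0.0.5", "10.0.1.3", True),
    ("10.0.0.9", "10.0.2.11", True),
    ("10.0.0.5", "10.0.1.4", False),
    ("10.0.0.9", "10.0.2.10", True),   # repeat destination: not a first contact
    ("10.0.0.5", "10.0.1.5", False),
    ("10.0.0.9", "10.0.2.12", True),
    ("10.0.0.5", "10.0.1.6", False),
    ("10.0.0.9", "10.0.2.13", True),
    ("10.0.0.5", "10.0.1.7", False),
    ("10.0.0.5", "10.0.1.8", False),
    ("10.0.0.7", "10.0.3.1", False),
    ("10.0.0.7", "10.0.3.2", True),
]


def trw_detect(events, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.99):
    """Threshold random walk: sequential hypothesis test per source host.

    H0 (benign): a first contact succeeds with probability theta0.
    H1 (scanner): a first contact succeeds with probability theta1.
    alpha is the tolerated false-positive rate, beta the target detection rate;
    the thresholds follow Wald's approximation eta1 = beta/alpha and
    eta0 = (1 - beta)/(1 - alpha). Only the first contact with each
    destination counts, so repeated connections to a known host are ignored.
    Returns {source: (verdict, first_contacts_evaluated)}.
    """
    upper = math.log(beta / alpha)                # scanner threshold, ~ ln 99
    lower = math.log((1 - beta) / (1 - alpha))    # benign threshold, ~ -ln 99
    up = math.log((1 - theta1) / (1 - theta0))    # per-failure step, ln 4
    down = math.log(theta1 / theta0)              # per-success step, ln 0.25

    llr = {}        # source -> current log-likelihood ratio
    seen = {}       # source -> set of destinations already contacted
    verdicts = {}   # source -> (verdict, number of first contacts used)
    for src, dst, succeeded in events:
        if src in verdicts:
            continue                      # decision already reached
        contacted = seen.setdefault(src, set())
        if dst in contacted:
            continue                      # not a first contact
        contacted.add(dst)
        llr[src] = llr.get(src, 0.0) + (down if succeeded else up)
        if llr[src] >= upper:
            verdicts[src] = ("scanner", len(contacted))
        elif llr[src] <= lower:
            verdicts[src] = ("benign", len(contacted))
    for src, contacted in seen.items():
        verdicts.setdefault(src, ("pending", len(contacted)))
    return verdicts


if __name__ == "__main__":
    for src, (verdict, n) in sorted(trw_detect(CONNECTION_LOG).items()):
        print("%s: %s after %d first contacts" % (src, verdict, n))
```

With these parameters four net failures are enough to cross the scanner threshold, so the scanning host is flagged after six first contacts (one of which succeeded), while the client is cleared after four successes and the third host stays undecided. A rate-limiting or rate-halting stage would act on the "scanner" verdicts by throttling or blocking that host's new outbound connections.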
pag. 37 Jan Devos
(Ro)Bots
• aka Zombies, Drones
• program taking over other computers
• to launch hard to trace attacks
• if coordinated form a botnet
• characteristics:
– remote control facility (differs from worms)
• via IRC/HTTP etc
– spreading mechanism
• attack software, vulnerability, scanning strategy
• various counter-measures applicable
pag. 38 Jan Devos
Uses of (Ro)Bots
• DDOS attacks
• Spamming
• Sniffing traffic
• Keylogging: capturing keystrokes
• Spreading new malware
• Ad add-ons and BHO (Browser helper objects): Generating clicks
• Attacking IRC chat networks
• Manipulating online polls and games
pag. 39 Jan Devos
Remote Control Facility
• A bot is controlled by a RCF
• The RCF is typically implemented via an IRC server or via HTTP
• Simplest form = issuing commands
• Advanced form = update commands for downloads and then execution
pag. 40 Jan Devos
Constructing a bot network
• Software that carries out the attack
– Run on a large number of machines
– Conceal its existence
– Able to communicate with the attacker or have a time-triggered mechanism (e.g. Friday the 13th)
• A vulnerability in a large number of systems
• Scanning or fingerprinting = locating and identifying vulnerable machines
pag. 41 Jan Devos
Constructing a bot network
• Scanning or fingerprinting strategies
– Random: each host probes random IP addresses
– Hit-list: a compiled list with potential vulnerable machines
– Topological: using information on the infected victim machine
– Local subnet: looking for victims behind the firewall
pag. 42 Jan Devos
Countermeasures
• IDS
• Honeypots
• DIS
• Try to detect the botnet during its construction phase
pag. 43 Jan Devos
Rootkits / Crimeware
• set of programs installed for admin access
• malicious and stealthy changes to host O/S
• may hide its existence
– subverting report mechanisms on processes, files, registry entries etc.
• may be:
– persistent or memory-based
– user or kernel mode
• installed by user via trojan or intruder on system
• range of countermeasures needed