Network Security Fundamentals
Security Training Course
Dr. Charles J. Antonelli, The University of Michigan
2013

Module 5: Viruses & Worms, Botnets, Today’s Threats
Viruses & Worms
Viruses
• Program that copies itself to other programs
  In the same directory
  In a fixed directory
• Virus spreads by the copying of files
  By users, typically
• When program invoked
  Virus executes first
  Copies itself to other programs
  Optionally, performs some malicious action
  Then executes host program
• Example: W97M.Marker
04/13 cja 2013
Worms
• Viruses that use network to replicate
• No dependence on copying files
• Worm generates its own targets
  Via self-stored data
  Via host-stored data
  Randomly
  Combinations thereof
• Example: Blaster
Types of Viruses
• Boot sector
• Executable infector
• Multipartite
• TSR
• Stealth
• Encrypted
• Polymorphic
• Metamorphic
Macro Viruses
• Virus instructions are interpreted
  Platform independent
• Infect common applications
  Microsoft Excel, …
• Easily spread
• Easily defeated
  Prohibit automatic execution of code
Virus distribution
• Sophos study (2002)
  26.1% macro viruses
  26.1% Trojan horses
  19.2% executable viruses
  6.8% script viruses
  21.8% other (Unix, boot sector, worms, file, Macintosh, multipartite)
Malicious code types, 2010
Source: Symantec Global Internet Security Threat Report, Vol. XVI, April 2011
Malicious Code Types, 2012
Figure B11: Propagation Mechanisms. Source: Symantec Internet Security Threat Report, Vol. 17, April 2012
02/13 cja 2013
Antiviral approaches
• Detection
  Scan for virus code “signatures”
  More difficult for encrypting viruses
    Polymorphic - decrypt using emulator, or analyze encrypted virus body statistically
    Metamorphic - harder
• Identification
  Vendor databases
• Removal
  Quarantine: render harmless by encryption or compression, copy to quarantine area
  Delete
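The two detection approaches on this slide, worked through as an added example that is not part of the course materials: a minimal signature scanner, and a Shannon-entropy heuristic standing in for “analyze encrypted virus body statistically”. The signature names and byte patterns, the 7.0 bits/byte threshold and the three sample buffers (a stand-in host program, the same program with a plaintext body carrying a signature, and that body scrambled with a seeded keystream as a stand-in for an encrypting virus’s encrypted body) are all constructed for this example.

```python
import math
import random
from typing import Dict, List

# Constructed signature database (names and byte patterns invented for this
# example; they are not real vendor signatures).
SIGNATURES: Dict[str, bytes] = {
    "Example.Alpha": b"EXAMPLE-SIG-ALPHA-7f3c",
    "Example.Beta": b"EXAMPLE-SIG-BETA-91ab",
}

# Ordinary code and text sit around 4-6 bits/byte; an encrypted (or packed)
# body sits near the 8.0 ceiling. The threshold is an assumed tuning value.
ENTROPY_THRESHOLD = 7.0


def scan_signatures(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Signature detection: names of every pattern that occurs anywhere in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for one repeated value, 8.0 when all 256 byte values are equally common."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify(data: bytes) -> str:
    """Signature match first; failing that, fall back to the statistical heuristic."""
    hits = scan_signatures(data)
    if hits:
        return "signature:" + ",".join(hits)
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "suspicious:high-entropy"
    return "clean"


# --- constructed samples -------------------------------------------------
HOST_PROGRAM = b"# hypothetical host program\n" + b"print('hello world')\n" * 80
# Host program with a plaintext "virus body" appended that carries the Alpha signature.
INFECTED_SAMPLE = HOST_PROGRAM + b"\n# virus body\n" + SIGNATURES["Example.Alpha"] + b"\n"


def _scramble(body: bytes, seed: int = 20130413) -> bytes:
    """XOR with a seeded pseudo-random keystream: a stand-in for the encrypted body
    of an encrypting virus, used only to build a test input."""
    rng = random.Random(seed)
    return bytes(b ^ rng.getrandbits(8) for b in body)


# ~5 KB, enough bytes for a stable entropy estimate.
ENCRYPTED_SAMPLE = _scramble(INFECTED_SAMPLE * 3)


if __name__ == "__main__":
    for label, sample in [("host", HOST_PROGRAM), ("infected", INFECTED_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE)]:
        print(f"{label:10s} entropy={shannon_entropy(sample):.2f} -> {classify(sample)}")
```

The plaintext infection is caught by the signature alone; the encrypted copy contains no recognisable pattern and is caught only by the entropy check. Two caveats a practitioner should keep in mind: the emulator route the slide names (run the decryptor loop in a sandbox until the plaintext body appears, then scan it) gives an identification, whereas the entropy heuristic only says “packed or encrypted” and will also flag legitimate packed executables and compressed archives, so it is a triage signal rather than a verdict.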
U-M Anti-virus
• http://safecomputing.umich.edu/antivirus/
• Free Microsoft Security Essentials for personally-owned Windows machines
• Microsoft Forefront Endpoint Protection for university-owned Windows machines
  32- and 64-bit versions
• Free Sophos Anti-Virus for Mac OS X machines
  All versions of OS X up to and including 10.7 (Lion)
• Good, concise security recommendations
  http://www.safecomputing.umich.edu/tools/security_shorts.html
  http://www.safecomputing.umich.edu/MDS/
  http://www.safecomputing.umich.edu/students.php
• More information
  http://www.safecomputing.umich.edu/
Spyware
• Generic name for software that tracks users’ behavior
• Wide range of activities
  Keystroke loggers
  Tracking cookies
  File inspectors
  Location awareness
  Remote video & audio recording
• Store-and-forward
  As hard to detect remotely as botnets are
Spyware
• Detection and removal tools
  Windows Defender (née Microsoft AntiSpyware)
  http://www.microsoft.com/athome/security/spyware/software/default.mspx
  Lavasoft Ad-Aware
  http://www.lavasoftusa.net/
  Spybot Search&Destroy
  http://www.safer-networking.org/
Botnets
Botnets
• Malware installed on victim machines listens for transmitted instructions
  Attack other machines
  Transmit spam
  Participate in DDoS attacks
  Crack passwords
  …
• Installed via well-known vectors
• Communicate with command and control host(s) via anonymous message services
  Typically IRC
  Typically encrypted
  Typically silent, so hard to find
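Because the command-and-control traffic is typically encrypted, a defender usually cannot read it, but the other two properties on this slide (IRC as the transport, and a quiet client that checks in on a schedule) show up in connection metadata alone. The following added example, which is not from the course, scores flows from a constructed connection log on exactly those two signals: a destination port used by IRC, and a near-constant interval between connections (the “beacon” pattern). The log lines, addresses, the 4-connection minimum and the 0.2 coefficient-of-variation cut-off are all invented here.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# IRC's registered ports: 6667 (plain) and 6697 (IRC over TLS).
IRC_PORTS = {6667, 6697}

# Constructed log (not real data): "timestamp src dst dport", one connection per line.
# 10.0.0.5 reconnects to an IRC port every 5 minutes; 10.0.0.12 reconnects to
# port 443 every 10 minutes (encrypted, non-IRC, but still on a schedule);
# 10.0.0.7 is irregular browsing; 10.0.0.9 touches an IRC port once.
SAMPLE_LOG = """\
2013-04-13T10:00:00 10.0.0.5 203.0.113.9 6667
2013-04-13T10:00:01 10.0.0.7 198.51.100.20 443
2013-04-13T10:02:00 10.0.0.12 192.0.2.77 443
2013-04-13T10:05:00 10.0.0.5 203.0.113.9 6667
2013-04-13T10:07:30 10.0.0.7 198.51.100.20 443
2013-04-13T10:10:00 10.0.0.5 203.0.113.9 6667
2013-04-13T10:12:00 10.0.0.12 192.0.2.77 443
2013-04-13T10:12:45 10.0.0.7 198.51.100.21 443
2013-04-13T10:15:00 10.0.0.5 203.0.113.9 6667
2013-04-13T10:20:00 10.0.0.5 203.0.113.9 6667
2013-04-13T10:21:10 10.0.0.7 198.51.100.20 443
2013-04-13T10:22:00 10.0.0.12 192.0.2.77 443
2013-04-13T10:25:00 10.0.0.5 203.0.113.9 6667
2013-04-13T10:30:00 10.0.0.9 203.0.113.50 6697
2013-04-13T10:32:00 10.0.0.12 192.0.2.77 443
2013-04-13T10:42:00 10.0.0.12 192.0.2.77 443
"""

Flow = Tuple[str, str, int]  # (src, dst, dport)


def parse_log(text: str) -> Dict[Flow, List[datetime]]:
    """Group connection timestamps by (src, dst, dport), sorted in time order."""
    flows: Dict[Flow, List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    for stamps in flows.values():
        stamps.sort()
    return dict(flows)


def interval_cv(stamps: List[datetime]) -> Optional[float]:
    """Coefficient of variation (stdev / mean) of the gaps between connections.
    Near 0 means the host reconnects on a fixed schedule, the check-in pattern
    of a bot polling its C&C host. None if there are fewer than 3 connections."""
    if len(stamps) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return statistics.pstdev(gaps) / mean


def detect_botnet_candidates(text: str, max_cv: float = 0.2, min_events: int = 4) -> List[dict]:
    """One alert per flow that uses an IRC port and/or beacons on a regular interval."""
    alerts = []
    for (src, dst, dport), stamps in parse_log(text).items():
        reasons = []
        if dport in IRC_PORTS:
            reasons.append("irc-port")
        cv = interval_cv(stamps)
        if len(stamps) >= min_events and cv is not None and cv <= max_cv:
            reasons.append("periodic")
        if reasons:
            alerts.append({"src": src, "dst": dst, "dport": dport,
                           "connections": len(stamps), "interval_cv": cv, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_botnet_candidates(SAMPLE_LOG):
        print(alert)
```

On the sample log this raises three alerts: the 6667 flow on both signals, the single 6697 connection on port alone, and the port-443 flow on timing alone, while the irregular browsing host is not flagged. The timing signal is the one that survives encryption and non-standard ports; its weakness is that legitimate software also polls on fixed schedules (update checks, mail clients), so in practice the alert is a lead for looking at the destination host and process, not proof of infection.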
Botnets
• One of the major threats
  Large increase in 4Q2006 spam traffic: 30-450% increase
  Very large botnets
    1.5 × 10^6 bots in Dutch botnet (2005)
    5 × 10^6 bots in Conficker (2009)
      » Encrypted & authenticated
      » Some recent progress in detection
    2 × 10^6 bots in CoreFlood (2011)
      » Operating for 8+ years
Microsoft Security Intelligence Report 1H2011
http://www.microsoft.com/security/sir/default.aspx
Microsoft Security Intelligence Report 1H2012
http://www.microsoft.com/security/sir/default.aspx
Super botnets
• 1Q2013 DDoS attacks
  48 Gbps average (130 Gbps peak)
  Up from 6 Gbps 1Q2012
• Attackers targeting Web servers
  Much more bandwidth
  Wordpress, Joomla, other DIY
Source: Prolexic Quarterly Global DDoS Attack Report, Q1 2013
Today’s Threats
Attack Toolkits, 2011
Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012
10/12 cja 2012
Total vulnerabilities, 2011
Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012
Web Browser Vulnerabilities, 2011
Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012
Web Browser Vulnerabilities, 2010
Source: Symantec Global Internet Security Threat Report, Vol. 16, April 2011
Today’s threats
• In addition to the 81% surge in attacks, the number of unique malware variants also increased by 41% and the number of Web attacks blocked per day also increased dramatically, by 36%. Greater numbers of more widespread attacks employed advanced techniques, such as server-side polymorphism to colossal effect. This technique enables attackers to generate an almost unique version of their malware for each potential victim.
Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012
Today’s threats
• We saw a rising tide of advanced targeted attacks in 2011 (94 per day on average at the end of November 2011). In terms of people who are being targeted, it’s no longer only the CEOs and senior level staff. 58% of the attacks are going to people in other job functions such as Sales, HR, Executive Assistants, and Media/Public Relations.
Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012
Today’s threats
• High-profile hacks of Certificate Authorities, providers of Secure Sockets Layer (SSL) Certificates, threatened the systems that underpin trust in the internet itself. Website owners recognized the need to adopt SSL more broadly to combat Man-In-The-Middle (MITM) attacks, notably for securing non-transactional pages, as exemplified by Facebook, Google, Microsoft, and Twitter adoption of Always On SSL.
Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012
Today’s threats
• Gartner predicts sales of smartphones to end users will reach 461.5 million in 2011 and rise to 645 million in 2012. [M]obile offers new opportunities to cybercriminals that potentially are more profitable. A stolen credit card may go for as little as USD 40-80 cents. Malware that sends premium SMS text messages can pay the author USD $9.99 for each text.
Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012
Today’s threats
• More than 232.4 million identities were exposed overall during 2011. [B]reaches caused by hacking attacks had the greatest impact and exposed more than 187.2 million identities, the greatest number for any type of breach in 2011. The most frequent cause of data breaches was theft or loss of a computer or other medium, such as a USB key or a back-up medium. Theft or loss accounted for 34.3% of breaches that could lead to identities exposed.
Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012
References
• Timeline of notable computer viruses and worms, http://en.wikipedia.org/wiki/Timeline_of_notable_computer_viruses_and_worms
• Symantec Internet Security Threat Report, Volume 17, April 2012, http://www.symantec.com/threatreport/
• Moxie Marlinspike, Defeating SSL, Black Hat DC 2009, http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
• Ars Technica, “Fueled by super botnets, DDoS attacks grow meaner and ever more powerful”, April 2013, http://arstechnica.com/security/2013/04/fueled-by-super-botnets-ddos-attacks-grow-meaner-and-ever-more-powerful/