Payload – System Corruption - KOCW (contents.kocw.net/KOCW/document/2014/Chungang/hurjunbeom/10.pdf)


Payload – System Corruption

Data destruction
- Chernobyl virus
  - First seen in 1998 (Windows 95 and 98 virus)
  - Infects executable files and corrupts the entire file system when a trigger date is reached (deletes data by overwriting the first megabyte of the HDD with zeros)
  - More than one million computers were affected on April 26, 1999
- Klez
  - First seen in October 2001
  - Mass-mailing worm infecting Windows 95 to XP systems
  - On trigger date, causes files on the hard drive to become empty
- Ransomware
  - Encrypts the user’s data and demands payment in order to access the key needed to recover the information
  - PC Cyborg Trojan (1989)
  - Gpcode Trojan (2006)


Payload – System Corruption

Real-world damage
- Causes damage to physical equipment
  - Chernobyl virus rewrites the BIOS code used to initially boot the computer (BIOS chip must be re-programmed or replaced)
- Stuxnet worm
  - Targets specific industrial control system software
  - E.g., centrifuges used in the Iranian uranium enrichment program were strongly suspected as the target
  - There are concerns about the use of sophisticated targeted malware for industrial sabotage


Payload – System Corruption

Logic bomb
- Code embedded in the malware that is set to “explode” when certain conditions are met (e.g., a particular date or day, a particular version of software, the presence or absence of certain devices)

Code fragment:

    if date is Thursday the 17th:
        shutDown_computer();


Payload – Attack Agents

Bot, zombie, or drone
- Malware that subverts the computational and network resources of the infected system
- Takes over another Internet-attached computer and uses that computer to launch or manage attacks

Botnet
- Collection of bots (hundreds or thousands of computers) capable of acting in a coordinated manner under the control of an attacker (botmaster)
- Upon infection, a new bot “phones home” to rendezvous with the botnet command-and-control (C&C)
- Botmaster uses C&C to push out commands and updates

This type of payload attacks the integrity and availability of the infected system


Payload – Attack Agents

Botnets constitute the great modern threat of Internet security

Why botnets rather than worms?
- Greater control
- Less emergent
- Quieter
- Optimal flexibility

Why the shift towards valuing these instead of seismic worm infection events?
- $$ Profit $$


Payload – Attack Agents

Uses of bots
- Distributed denial-of-service (DDoS) attacks
- Spamming
- Sniffing traffic
- Keylogging: stealing financial/e-mail/social network accounts
- Spreading new malware
- Installing advertisement add-ons and browser helper objects (BHOs)
  - E.g., clicks are executed each time the victim uses the browser
- Attacking Internet Relay Chat (IRC) networks
  - Clone attack: the victim is flooded by service requests from thousands of bots or by channel-joins from these cloned bots
- Manipulating online polls/games
  - Since every bot has a distinct IP address, every vote has the same credibility

Which of these cause serious pain for the infected user? None. Users therefore have little incentive to prevent them.


Remote Control Facility

Distinguishes a bot from a worm
- A worm propagates itself and activates itself
- A bot is initially controlled from some central facility

Typical means of implementing the remote control facility is an IRC server
- All bots join a specific channel on this server and treat incoming messages as commands
- More recent botnets use covert communication channels via protocols such as HTTP
- Distributed control mechanisms use peer-to-peer protocols to avoid a single point of failure

Once a communication path is established, the control module can activate the bots


Payload – Information Theft

Payloads where the malware gathers data stored on the infected system
- Common target: the user’s login and password credentials (e.g., banking, gaming)

These attacks target the confidentiality of the information


Payload – Information Theft Keyloggers and Spyware

Keylogger
- Captures keystrokes on the infected machine to allow an attacker to monitor sensitive information
- Bypasses the protection of an encrypted communication channel (e.g., HTTPS, POP3S), because keystrokes are captured before encryption
- Typically uses some form of filtering mechanism that only returns information close to keywords (“login”, “password”)
- In response to keyloggers, some banking sites switched to using a graphical applet to enter information such as passwords

Spyware
- Subverts the compromised machine to allow monitoring of a wide range of activity on the system (e.g., Zeus banking Trojan)
  - Monitoring the history and content of browsing activity
  - Redirecting certain Web page requests to fake sites
  - Dynamically modifying data exchanged between the browser and certain Web sites of interest


Payload – Information Theft Phishing

Phishing – exploits social engineering to leverage the user’s trust by masquerading as communication from a trusted source
- Includes a URL in a spam e-mail that links to a fake Web site mimicking the login page of a banking, gaming, or similar site
- Suggests that urgent action is required by the user to authenticate their account
- Attacker exploits the account using the captured credentials

Spear-phishing
- More dangerous variant
- E-mail claiming to be from a trusted source, but recipients are carefully researched by the attacker
- E-mail is crafted to specifically suit its recipient, often quoting a range of information to convince them of its authenticity
- Greatly increases the likelihood of the recipient responding


Payload – Stealthing

Payload that hides its presence on the infected system and provides covert access to the system

This type of payload attacks the integrity of the infected system

Examples: backdoor, rootkit


Payload – Stealthing Backdoor

Also known as a trapdoor

Secret entry point into a program allowing the attacker to gain access and bypass the security access procedures

Maintenance hook is a backdoor used by programmers to debug and test programs

Difficult to implement operating system controls for backdoors in applications


Payload – Stealthing Backdoor

Consider the following fragment in an authentication program:

    userid = read_userid();
    password = read_password();
    if userid is “257u h4fk0q”
        return ALLOW_LOGIN;
    if userid and password are valid
        return ALLOW_LOGIN
    else
        return DENY_LOGIN
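The fragment above in Python beside a hardened form, as an added example that is not part of the slides: the backdoored version grants the hard-coded userid before any credential check, the fixed version has a single deny-by-default decision path, and a differential check a test suite can run flags any userid outside the credential store that is granted. The credential store, password hashing scheme and probe list are constructed for the example.

```python
import hashlib
import hmac

ALLOW_LOGIN = "ALLOW_LOGIN"
DENY_LOGIN = "DENY_LOGIN"

# Constructed credential store (example data only): userid -> (salt, PBKDF2-SHA256 hash)
_SALT = b"constructed-demo-salt"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


USERS = {"alice": (_SALT, _hash_password("correct horse battery", _SALT))}


def credentials_valid(userid: str, password: str) -> bool:
    """The 'userid and password are valid' step of the slide's fragment."""
    entry = USERS.get(userid)
    if entry is None:
        # Hash anyway so an unknown userid costs the same time as a wrong password
        _hash_password(password, _SALT)
        return False
    salt, stored = entry
    return hmac.compare_digest(_hash_password(password, salt), stored)


def login_backdoored(userid: str, password: str) -> str:
    """The slide's fragment: a hard-coded userid is granted before any credential check."""
    if userid == "257u h4fk0q":
        return ALLOW_LOGIN
    if credentials_valid(userid, password):
        return ALLOW_LOGIN
    return DENY_LOGIN


def login_fixed(userid: str, password: str) -> str:
    """Hardened form: deny by default; the only path to ALLOW_LOGIN is the credential check."""
    if credentials_valid(userid, password):
        return ALLOW_LOGIN
    return DENY_LOGIN


def find_credential_bypass(login, probe_userids):
    """Differential check for a test suite: every userid that is not in the credential
    store must be denied regardless of password. Returns the userids that were granted."""
    return [
        u for u in probe_userids
        if u not in USERS and login(u, "not-the-password") == ALLOW_LOGIN
    ]


# Constructed probe list; a real suite would fuzz this or take it from code-review findings
PROBES = ["", "admin", "root", "257u h4fk0q", "alice"]
```

Because the hook lives inside the application, no operating-system control can see it; only review of the decision path (every ALLOW_LOGIN must follow a credential check) or a test of this kind catches it.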


Payload – Stealthing Rootkit

Set of hidden programs installed on a system to maintain covert access to that system with root privilege
- Provides access to all the functions and services of the OS
- Alters the host’s standard functionality in a malicious and stealthy way
  - Adds or changes programs and files, monitors processes, sends and receives network traffic, and gets backdoor access on demand
- Hides by subverting the mechanisms that monitor and report on the processes, files, and registries on a computer
  - Makes it difficult to determine that the rootkit is present, and to identify what changes have been made


Rootkit Classification

- Persistent
- Memory based
- User mode
- Kernel mode
- Virtual machine based
- External mode


Rootkit Classification

Persistent
- Activates each time the system boots
- Easier to detect, as the copy in persistent storage can potentially be scanned

Memory based
- Cannot survive a reboot
- Harder to detect, as it exists only in memory

User mode
- Intercepts calls to APIs and modifies the returned result
- E.g., when an application performs a directory listing, the returned result does not include entries identifying the rootkit


Rootkit Classification

Kernel mode
- Intercepts calls to native APIs in kernel mode
- The rootkit can hide the presence of a malware process by removing it from the kernel’s list of active processes

Virtual machine based
- The rootkit installs a lightweight virtual machine monitor, and then runs the OS in a virtual machine above it
- The rootkit then transparently intercepts and modifies states and events occurring in the virtualized system

External mode
- Malware is located in the BIOS or in system management mode, where it can directly access hardware


Malware Countermeasure Approaches

The ideal solution to the threat of malware is prevention

Four main elements of prevention
- Policy, awareness, vulnerability mitigation, threat mitigation

Countermeasure to worms, viruses, and some trojans: vulnerability mitigation
- Ensure all systems are as current as possible, with all patches applied
- Set appropriate access controls on the applications and data

Countermeasure to social engineering attacks: appropriate user awareness and training


Malware Countermeasure Approaches

If prevention fails, technical mechanisms can be used to support the following threat mitigation options

- Detection: determine that the infection has occurred and locate the malware
- Identification: identify the specific malware that has infected the system
- Removal: remove all traces of the malware from all infected systems


Anti-Virus Software Location

1. On each end system: host-based scanners
   - Gives the software the maximum access to information on the malware’s behavior and the smallest overall view of malware activity

2. On an organization’s firewall and IDS: perimeter scanning approaches
   - Gives the anti-virus software access to malware in transit over a network connection, providing a larger-scale view of malware activity

3. In a distributed configuration: distributed intelligence gathering approaches
   - Gathers data from a large number of both host-based and perimeter sensors and relays this intelligence to a central analysis system to defend against malware attacks


Host-Based Scanners – Generations of Anti-Virus Software

First generation: simple scanners
- Requires a malware signature to identify the malware
- Limited to the detection of known malware

Second generation: heuristic scanners
- Uses heuristic rules to search for probable malware instances (looks for code fragments that are often associated with malware)
- Another approach is integrity checking using checksums

Third generation: activity traps
- Memory-resident programs that identify malware by its actions rather than by its structure in an infected program
- Need only identify the small set of actions indicating malicious activity

Fourth generation: full-featured protection
- Packages consisting of a variety of anti-virus techniques used in conjunction
- Include scanning and activity trap components and access control capability
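The second-generation integrity-checking approach as an added example, not code from the slides: a baseline of SHA-256 digests is recorded for every file under a directory and a later verification reports which files were modified, added, or removed. The directory layout and file contents are constructed inside a temporary directory for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file read in chunks, so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Digest of every regular file under root, keyed by POSIX-style relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = file_digest(p)
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree with the baseline. A file-infecting virus that keeps the
    file size unchanged still changes the digest, so it shows up under 'modified'."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate an infection that patches one
    executable, drops a new file, and deletes a config file; return the verify() report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary (constructed)")
        (root / "bin" / "ps").write_bytes(b"original ps binary (constructed)")
        (root / "etc.conf").write_bytes(b"setting=1\n")
        baseline = build_baseline(root)
        (root / "bin" / "ls").write_bytes(b"original ls binary (constructed) + appended code")
        (root / "bin" / "hidden").write_bytes(b"new payload (constructed)")
        (root / "etc.conf").unlink()
        return verify(root, baseline)
```

The baseline must be kept where the scanned system cannot rewrite it (read-only or offline media), and the check only sees what the OS returns: a kernel-mode rootkit that intercepts file reads can feed the scanner the original bytes.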


Host-Based Scanners – Generic Decryption (GD)

Enables the anti-virus program to easily detect complex polymorphic viruses and other malware while maintaining fast scanning speeds

Recall that a polymorphic virus decrypts itself to activate

In order to detect the virus structure, executable files are run through a GD scanner, which contains the following elements:
- CPU emulator: a virtual computer that interprets the instructions in an executable file; the underlying processor is unaffected by programs interpreted on the emulator
- Virus signature scanner: scans the target code looking for known malware signatures
- Emulation control module: controls the execution of the target code

The most difficult design issue with a GD scanner is determining how long to run each interpretation


Host-Based Scanners – Host-Based Behavior-Blocking Software

Integrates with the operating system of a host computer and monitors program behavior in real time for malicious action
- Blocks potentially malicious actions before they have a chance to affect the system
- Blocks suspicious software in real time, so it has an advantage over anti-virus detection techniques such as fingerprinting or heuristics

Limitations
- Because malicious code must run on the target machine before all its behaviors can be identified, it can cause harm before it has been detected and blocked


Perimeter Scanning Approaches

- Typically included in e-mail and Web proxy services running on an organization’s firewall and IDS
- May also be included in the traffic analysis component of an IDS
- May include intrusion prevention measures, blocking the flow of any suspicious traffic
- Limited to scanning malware content, as it does not have access to any behavior of it

Two types of monitoring software
- Ingress monitors
  - Located at the border between the enterprise network and the Internet
  - One technique is to look for incoming traffic to unused local IP addresses
- Egress monitors
  - Located at the egress point of individual LANs as well as at the border between the enterprise network and the Internet
  - Catch the source of a malware attack by monitoring outgoing traffic for signs of scanning or other suspicious behavior


Perimeter Scanning Approaches – Worm Countermeasures

Considerable overlap in techniques for dealing with viruses and worms

Once a worm is resident on a machine, anti-virus software can be used to detect and possibly remove it

Because worm propagation generates considerable network activity, perimeter network activity and usage monitoring can form the basis of a worm defense

Worm defense approaches include:
- Signature-based worm scan filtering
- Filter-based worm containment
- Payload-classification-based worm containment
- Threshold random walk (TRW) scan detection
- Rate limiting
- Rate halting


Perimeter Scanning Approaches – Worm Countermeasures

1. Signature-based worm scan filtering
   - Generates a worm signature, which is then used to prevent worm scans from entering/leaving a network/host
   - Vulnerable to polymorphic worms

2. Filter-based worm containment
   - Similar to signature-based filtering, but focuses on worm content rather than a scan signature

3. Payload-classification-based worm containment
   - Network-based technique that examines packets to see if they contain a worm
   - Does not generate signatures, but looks for control and data flow structures that suggest an exploit


Perimeter Scanning Approaches – Worm Countermeasures

4. Threshold random walk (TRW) scan detection
   - Exploits the randomness in picking destinations to connect to as a way of detecting whether a scanner is in operation

5. Rate limiting
   - Limits the rate of scan-like traffic from an infected host
   - E.g., limiting the number of new machines a host can connect to and the number of IP addresses a host can scan in a window of time; detecting a high connection failure rate

6. Rate halting
   - Immediately blocks outgoing traffic when a threshold is exceeded, either in outgoing connection rate or in diversity of connection attempts
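TRW scan detection (item 4) carried through as an added example, not code from the slides. It follows the sequential hypothesis test of Jung, Paxson, Berger and Balakrishnan (2004): each first contact from a source to a new destination either succeeds or fails, a scanner is expected to fail far more often than a benign host, and the running likelihood ratio is compared against two thresholds derived from the allowed false-positive and detection probabilities. The parameter values and the connection log are constructed for the example.

```python
from collections import defaultdict

# Assumed parameters: probability that a first-contact connection succeeds for a benign
# host (THETA0) versus a scanner (THETA1); ALPHA = allowed false-positive probability,
# BETA = desired detection probability. These are the values used in the TRW paper.
THETA0, THETA1 = 0.8, 0.2
ALPHA, BETA = 0.01, 0.99
ETA1 = BETA / ALPHA                 # upper threshold: declare scanner (99)
ETA0 = (1 - BETA) / (1 - ALPHA)     # lower threshold: declare benign (~0.0101)


def update_ratio(ratio: float, succeeded: bool) -> float:
    """One SPRT step: multiply the likelihood ratio P(Y|H1)/P(Y|H0) for the outcome.
    A failure multiplies by 4, a success by 0.25 with the parameters above."""
    if succeeded:
        return ratio * (THETA1 / THETA0)
    return ratio * ((1 - THETA1) / (1 - THETA0))


def classify_ratio(ratio: float) -> str:
    if ratio >= ETA1:
        return "scanner"
    if ratio <= ETA0:
        return "benign"
    return "pending"


def trw_verdicts(log_lines):
    """Run TRW per source over connection-log lines 'src dst outcome' (outcome: ok|fail).
    Only the first contact with each destination counts; repeat connections are ignored,
    and a source's verdict is frozen once either threshold has been crossed."""
    ratio = defaultdict(lambda: 1.0)
    seen = defaultdict(set)
    verdict = {}
    for line in log_lines:
        src, dst, outcome = line.split()
        if verdict.get(src, "pending") != "pending" or dst in seen[src]:
            continue
        seen[src].add(dst)
        ratio[src] = update_ratio(ratio[src], outcome == "ok")
        verdict[src] = classify_ratio(ratio[src])
    return verdict


# Constructed log: 10.0.0.5 sweeps unused addresses (all failures);
# 10.0.0.7 talks to real services with one failed contact mixed in.
SAMPLE_LOG = [
    "10.0.0.5 10.0.1.1 fail",
    "10.0.0.5 10.0.1.2 fail",
    "10.0.0.5 10.0.1.3 fail",
    "10.0.0.7 10.0.2.10 ok",
    "10.0.0.5 10.0.1.4 fail",   # fourth failure: ratio 256 >= 99 -> scanner
    "10.0.0.7 10.0.2.10 ok",    # repeat contact: ignored
    "10.0.0.7 10.0.2.11 ok",
    "10.0.0.7 10.0.2.12 fail",  # one failure moves the ratio back up but not past ETA1
    "10.0.0.7 10.0.2.13 ok",
    "10.0.0.7 10.0.2.14 ok",
    "10.0.0.7 10.0.2.15 ok",    # ratio 0.0039 <= ETA0 -> benign
]
```

With these parameters four consecutive failed first contacts are enough to flag a scanner, which is why the egress monitor's "high connection failure rate" signal from item 5 works with so few observations.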


Distributed Intelligence Gathering Approaches – Digital Immune System

Two major trends in Internet technology have an increasing impact on the rate of virus propagation
- Integrated mail systems (e.g., MS Outlook)
- Mobile program systems (e.g., Java, ActiveX)

Digital immune system
- Virus protection developed by IBM and refined by Symantec
- Provides rapid response time so that malware can be stamped out almost as soon as it is introduced


Digital Immune System

[Figure: Digital Immune System – a suspect program is captured as an encrypted sample and sent for analysis; a prescription is returned to the client; the prescription includes regular anti-virus updates]


Worm Countermeasure Architecture


Summary

Types of malicious software (malware)
- Terminology for malicious software
- Propagation
  - Viruses – infected content
  - Worms – vulnerability exploit
  - Spam e-mail/trojans – social engineering
- Payload
  - System corruption
  - Attack agents – zombies, bots
  - Information theft – keyloggers, phishing, spyware
  - Stealthing – backdoors, rootkits

Countermeasures
- Prevention
- Detection, identification, removal
- Host-based scanners / behavior-blocking software
- Digital immune system
