Proofing against malware attacks (presentation by Marco Slaviero)

Description: Presentation by Marco Slaviero at Tshwane University of Technology. This presentation is about protecting your computer against malware. It begins with a look at different types of malware, then discusses whether program intent can be determined in a general way, and ends with practical strategies for both home and enterprise users to protect their computers from infection.

Page 1: Proofing against malware

PROOF AGAINST MALWARE

Proofing against malware attacks

Marco Slaviero

Page 2: Summary

• State of anti-malware
• Chronic malware treatment

Page 3: Malware? What’s that?

• Obvious
  – Virii
  – Spyware
  – Worms
  – Trojans
• Less obvious
  – “Legal” rootkits (à la Sony)
  – EULA-protected tools
  – Dual purpose tools
  – Poorly designed tools

Page 4

INTENT MATTERS

Page 5

CAN WE DETERMINE PROGRAM INTENT IN A GENERAL WAY?

Page 6: Specific solutions

• Real-time / point-in-time
• Signatures
  – Byte sequences on disk
  – Byte sequences over the network
  – Known suspicious system calls

Page 7: Antimalware fails

• Polymorphic malware
  – Encrypt the virus, and include a tiny decryption engine that runs first.
  – Response: virtualise the first couple of hundred instructions, then see if known signatures are present
• Metamorphic malware
  – Alter the instruction sequence such that it remains semantically identical, but syntactically different

Page 8: Examples

• Signature stream: “Our computing systems are generally very insecure.”
• Polymorphic manipulation: “Replace each ‘ZZ’ with an ‘e’ in the next sentence. Our computing systZZms arZZ gZZnZZrally vZZry insZZcurZZ”.
• Metamorphic manipulation: “Mankind’s information systems do not exhibit safe security practices.”
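The three bullets above can be run as a small experiment. The following is an added example, not part of the talk: it treats the slide's sentence as the "malware body", the slide's ‘ZZ’-for-‘e’ rewrite as the polymorphic transform, and models the "tiny decryption engine" as a one-line DECODE header that a sandbox can execute before scanning. The signature string, the header format and the scanner are all constructed for illustration.

```python
"""Byte-sequence signatures versus polymorphic and metamorphic change.

Added example (not from the talk). Shows why a point-in-time signature scan
misses the polymorphic form, why "virtualise the first instructions, then
scan" recovers it, and why neither helps against the metamorphic rewrite.
"""

# A byte sequence the scanner treats as a known-bad signature (constructed).
SIGNATURE = b"generally very insecure"

# Constructed samples mirroring the three bullets on the slide.
ORIGINAL = b"Our computing systems are generally very insecure."
# Polymorphic form: the body is transformed and a tiny "decoder" runs first.
# The decoder is modelled as a header line naming the substitution to undo.
POLYMORPHIC = (b"DECODE ZZ->e\n"
               b"Our computing systZZms arZZ gZZnZZrally vZZry insZZcurZZ.")
# Metamorphic form: same meaning, entirely different bytes.
METAMORPHIC = b"Mankind's information systems do not exhibit safe security practices."

SAMPLES = {"original": ORIGINAL, "polymorphic": POLYMORPHIC, "metamorphic": METAMORPHIC}


def signature_scan(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Point-in-time scan: does the known byte sequence occur in the data as stored?"""
    return signature in data


def emulate_decoder(data: bytes) -> bytes:
    """Model of 'virtualise the first couple of hundred instructions'.

    Runs the sample's own decoder (here the DECODE header) in a sandbox and
    returns the decoded body. Samples without a decoder are returned unchanged.
    """
    header, newline, body = data.partition(b"\n")
    if not newline or not header.startswith(b"DECODE "):
        return data
    pattern, arrow, replacement = header[len(b"DECODE "):].partition(b"->")
    if not arrow or not pattern:
        return data
    return body.replace(pattern, replacement)


def scan_after_emulation(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """The slide's response to polymorphism: decode first, then apply signatures."""
    return signature_scan(emulate_decoder(data), signature)


def classify(samples=SAMPLES):
    """Map each sample name to (caught by plain scan, caught after emulation)."""
    return {name: (signature_scan(s), scan_after_emulation(s)) for name, s in samples.items()}


if __name__ == "__main__":
    for name, (plain, emulated) in classify().items():
        print(f"{name:12s} signature={plain!s:5s} after-emulation={emulated}")
```

The polymorphic sample is missed by the plain scan and caught once the decoder has been emulated; the metamorphic sample is missed by both, because no byte sequence survives a rewrite that preserves only meaning. That is the gap the next slides are about: a scanner that compares bytes cannot judge intent.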

Page 9: Dan Geer’s security monoculture

Page 10: Artificial distinctions

Page 11

SO, CAN WE MALWARE-PROOF A COMPUTER?

Page 12: Safe from infection

Page 13: Safe from infection #2

Page 14: Safe from infection #3

Page 15: State of the art

Page 16: And it ignores the unexpected

Page 17: Verdict

NO

Page 18

DOES IT GET LESS GLOOMY?

Page 19: Side bar: Attack Graphs

Create and host malicious website
Obtain target’s contact details
Entice user to click on link
Exploit flaw in unpatched Adobe Flash Player
Download body of malware
Execute malware
Search disk for information
Upload documents via configured proxy

Page 20

LENGTHEN THE ATTACK GRAPH
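The attack graph from the side bar and the instruction to lengthen it can be made measurable. The code below is an added example, not from the talk: it encodes the slide's eight steps as a graph, maps the measures from the enterprise-strategies slide onto the step each one makes harder, and scores the attack as the cheapest path from start to goal. The scoring rule (one unit per step, plus one unit per control the attacker must defeat at that step) and the control-to-step mapping are assumptions of this example; the search is a general shortest-path over node costs, so it also works on branched graphs, not only this chain.

```python
"""Scoring an attack graph so that 'lengthen the attack graph' has a number.

Added example (not from the talk). Steps are the slide's own; the unit costs
and the control-to-step mapping are constructed simplifications.
"""
import heapq

# The slide's chain, as successor lists (branches could be added without
# changing the algorithm). START and GOAL are synthetic endpoints.
ATTACK_GRAPH = {
    "START": ["Create and host malicious website"],
    "Create and host malicious website": ["Obtain target's contact details"],
    "Obtain target's contact details": ["Entice user to click on link"],
    "Entice user to click on link": ["Exploit flaw in unpatched Adobe Flash Player"],
    "Exploit flaw in unpatched Adobe Flash Player": ["Download body of malware"],
    "Download body of malware": ["Execute malware"],
    "Execute malware": ["Search disk for information"],
    "Search disk for information": ["Upload documents via configured proxy"],
    "Upload documents via configured proxy": ["GOAL"],
    "GOAL": [],
}

# Controls from the 'Practical strategies: Enterprise users' slide, mapped to
# the step each one makes harder (the mapping is an assumption of this example).
ENTERPRISE_CONTROLS = {
    "Close access channels (no browsing, email limits)": "Entice user to click on link",
    "Patch": "Exploit flaw in unpatched Adobe Flash Player",
    "Network signatures": "Download body of malware",
    "Host signatures": "Execute malware",
    "Whitelist binaries": "Execute malware",
    "Monitor and log process execution": "Execute malware",
    "Rapid response: isolate infection": "Upload documents via configured proxy",
}


def step_cost(step: str, controls: dict) -> int:
    """One unit for the step itself plus one per control covering it (constructed rule)."""
    if step in ("START", "GOAL"):
        return 0
    return 1 + sum(1 for covered in controls.values() if covered == step)


def cheapest_attack(graph: dict, controls: dict):
    """Dijkstra over node costs. Returns (total cost, list of steps) or (None, [])."""
    dist = {"START": 0}
    prev = {}
    heap = [(0, "START")]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue  # stale heap entry
        if node == "GOAL":
            path, cur = [], node
            while cur != "START":
                path.append(cur)
                cur = prev[cur]
            return d, path[::-1][:-1]  # oldest first, GOAL dropped
        for nxt in graph[node]:
            nd = d + step_cost(nxt, controls)
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = node
                heapq.heappush(heap, (nd, nxt))
    return None, []


def attack_length(graph: dict, controls: dict):
    """The number the slide asks us to raise: cost of the cheapest complete attack."""
    return cheapest_attack(graph, controls)[0]


def uncovered_steps(graph: dict, controls: dict) -> list:
    """Steps no control touches: the chain is still one unit long there."""
    covered = set(controls.values())
    return [s for s in graph if s not in ("START", "GOAL") and s not in covered]


if __name__ == "__main__":
    print("baseline length:", attack_length(ATTACK_GRAPH, {}))
    print("with controls:  ", attack_length(ATTACK_GRAPH, ENTERPRISE_CONTROLS))
    for step in uncovered_steps(ATTACK_GRAPH, ENTERPRISE_CONTROLS):
        print("uncovered:", step)
```

With no controls the chain scores 8; the enterprise measures raise it to 15. The uncovered list is the useful output: the first two steps happen outside the organisation, but "Search disk for information" is inside it and untouched, which is where the next control would add the most length. Real controls are not all worth one unit, so treat the scores as a way to compare placements, not as absolute effort.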

Page 21: Not like this

Page 22: Or this

Page 23: Better…

Page 24

MOST IMPORTANT: PROTECT THE ORGANISATION, NOT THE COMPUTER

Page 25: Where does your risk lie?

Page 26: Practical strategies: Home users

• Not much infrastructure to lengthen attack chains
• Consider
  – Decentralising your online life
  – Multiple (virtual) machines, each devoted to a single level of task
  – Security by isolation
  – Examples: VMWare, Qubes

Page 27: Qubes

http://qubes-os.org/Architecture.html

Page 28: Practical strategies: Enterprise users

• Regular stuff (remove unneeded software, patch, segregated networks, etc.)
• Expect that you’re infected
• Develop rapid response measures to detect and isolate infection using signatures on both the host and network.
• Monitor and log process execution
• Whitelist binaries
• Close access channels (no browsing, severe email limitations, no flash disks)
• Risk management: loss is inevitable, absorb the cost
• Introduce heterogeneity
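Several of the bullets above combine into one detection-and-response loop: log process execution, check each executed binary against a whitelist and against host signatures, and decide quickly which hosts to isolate. The following is an added example, not from the talk, that runs that loop over a constructed process-execution log. The log format, the hashes (derived from placeholder labels so the example is self-contained), the host names, paths and the isolation policy are all constructed; the access-channel parent names are ordinary browser and mail client executables used only as sample data.

```python
"""Detect and isolate infection from process-execution logs.

Added example (not from the talk). Combines 'monitor and log process
execution', 'whitelist binaries' and 'signatures on the host' into a
rapid-response decision. Everything here is constructed sample data.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


def placeholder_hash(label: str) -> str:
    """Stand-in for the SHA-256 of a real binary (constructed from a label)."""
    return hashlib.sha256(label.encode()).hexdigest()


# Whitelist: hashes of approved binaries (in practice taken from a golden image).
WHITELIST = {
    placeholder_hash("explorer.exe build 1"): "C:\\Windows\\explorer.exe",
    placeholder_hash("notepad.exe build 1"): "C:\\Windows\\System32\\notepad.exe",
}
# Host signatures: hashes already known to be malicious (constructed).
HOST_SIGNATURES = {placeholder_hash("dropper sample"): "constructed-dropper"}
# Access channels the slide wants closed; a process spawned by one is suspect.
ACCESS_CHANNELS = {"iexplore.exe", "firefox.exe", "outlook.exe"}
# Path fragments that mark user-writable locations (constructed, Windows-style).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\downloads\\")

H_NOTEPAD = placeholder_hash("notepad.exe build 1")
H_UNKNOWN = placeholder_hash("unknown updater")
H_BAD = placeholder_hash("dropper sample")

# Constructed process-execution log, one event per line, no spaces in values.
LOG_LINES = [
    f"2011-03-01T09:12:03Z host=WS042 user=alice parent=explorer.exe image=C:\\Windows\\System32\\notepad.exe sha256={H_NOTEPAD}",
    f"2011-03-01T09:14:41Z host=WS042 user=alice parent=iexplore.exe image=C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe sha256={H_UNKNOWN}",
    f"2011-03-01T09:20:05Z host=WS017 user=bob parent=explorer.exe image=C:\\Tools\\tool.exe sha256={H_UNKNOWN}",
    f"2011-03-01T09:31:58Z host=WS099 user=carol parent=outlook.exe image=C:\\Users\\carol\\Downloads\\invoice.pdf.exe sha256={H_BAD}",
]


@dataclass
class Finding:
    host: str
    image: str
    reasons: list = field(default_factory=list)


def parse_event(line: str) -> dict:
    """Parse 'timestamp key=value ...' into a dict (constructed log format)."""
    timestamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["timestamp"] = timestamp
    return event


def check_event(event: dict) -> Optional[Finding]:
    """Apply the host-side checks from the slide to one execution event."""
    reasons = []
    if event["sha256"] in HOST_SIGNATURES:
        reasons.append("host signature: " + HOST_SIGNATURES[event["sha256"]])
    if event["sha256"] not in WHITELIST:
        reasons.append("binary not on whitelist")
    if any(fragment in event["image"].lower() for fragment in USER_WRITABLE):
        reasons.append("executed from user-writable path")
    if event["parent"].lower() in ACCESS_CHANNELS:
        reasons.append("spawned by access channel " + event["parent"])
    return Finding(event["host"], event["image"], reasons) if reasons else None


def analyse(lines) -> list:
    """Run every log line through the checks and keep the events that raised a reason."""
    return [f for f in (check_event(parse_event(line)) for line in lines) if f is not None]


def hosts_to_isolate(findings) -> set:
    """Rapid-response rule (constructed policy): isolate on a signature hit, or on an
    unwhitelisted binary that also came from a user-writable path or an access channel."""
    hosts = set()
    for f in findings:
        signature_hit = any(r.startswith("host signature") for r in f.reasons)
        unwhitelisted = "binary not on whitelist" in f.reasons
        suspicious_origin = any(r.startswith(("executed from", "spawned by")) for r in f.reasons)
        if signature_hit or (unwhitelisted and suspicious_origin):
            hosts.add(f.host)
    return hosts


if __name__ == "__main__":
    findings = analyse(LOG_LINES)
    for f in findings:
        print(f"{f.host}: {f.image}: {'; '.join(f.reasons)}")
    print("isolate:", sorted(hosts_to_isolate(findings)))
```

The whitelist alone flags three of the four events, including an unapproved but otherwise unremarkable tool on WS017; the isolation policy only pulls WS042 and WS099 off the network, because there the unapproved binary also came from a user-writable path via an access channel, or matched a host signature outright. Keeping "alert" and "isolate" as separate thresholds is what lets a whitelist be strict without the response team drowning in false isolations.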

Page 29: Side bar: walled gardens

Page 30

BUT DON’T FOOL YOURSELF. YOU’RE STILL NOT MALWARE-PROOF.

Page 31: Questions?

Thank you to Prof. Ojo and TUT for the opportunity

[email protected]