co 445h
play

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: - PowerPoint PPT Presentation

Feb 28, 2024 •142 likes •716 views

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is software that aids in gathering A virus is a computer program that is information about a person or organization capable of making copies of itself

  1. CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits

  2. Malware: Different Types 2  Spyware is software that aids in gathering  A virus is a computer program that is information about a person or organization capable of making copies of itself without their knowledge and that may send and inserting those copies into other such information to another entity programs.  A Trojan often acts as a backdoor, contacting a controller which can then have unauthorized access to the affected  A worm is a virus that uses a network computer. to copy itself onto other computers.  A drive-by-download attack is a malware delivery technique triggered when the user visits a website.

  3. Wait, There’s More 3

  4. Malware Volume 4 The AV-TEST Institute registers over 450,000 new malicious programs every day http://www.av-test.org/en/statistics/malware/

  5. A Lot of Commercial Activity 5 Cyber Security Market worth $155.74 Billion by 2019 http://www.marketsandmarkets.com/PressReleases/cyber-security.asp

  6. What is a Virus? a program that can infect other programs by modifying them to include a, possibly evolved , version of itself Fred Cohen, 1983

  7. Brief History of Malware 7 Mac users can often be heard to say “I don’t need antivirus software, I have an Apple”. Unfortunately, this is a misguided conclusion. Whilst the dangers are certainly much less than with Windows computers, they do exist nonetheless. Mac users who think they do not need to concern themselves have created an illusion. The claim that Apple users are less threatened than Windows users is currently still correct, but could change rapidly. It was the low market share of Macs that limited the attentions of online criminals; now that Macs are becoming more popular, this state of affairs is changing. http://www.itsecuritywatch.com/

  8. Coevolution: Basic Setup 8 Virus Antivirus  Wait for user to execute an  Identify a sequence of infected file instructions or data  Formulate a signature  Infect other (binary) files by  Scan all files modifying them  Look for signature found verbatim  Spread that way  Bottleneck: scanning speed

  9. Signatures 9

  10. Signatures Are Updated All The Time 10

  11. Coevolution: Entry Point Scanning 11 Virus Antivirus  Entry point scanning  Place virus at the entry point or make it directly reachable from the entry point  Do exploration of reachable instruction starting with the entry point of the program  Make virus small to avoid being easily noticed by user  Continue until no more instructions are found

  12. Coevolution: Virus Encryption 12 Virus Antivirus  Decryption (and encryption) routines  Decryption routine (packers) used by viruses are easy to  Virus body fingerprint  Decrypt into memory, not do disk  Set PC to the beginning of the  Develop signatures to match these routines decryption buffer  Attempt to decrypt the virus body to  Encrypt with a different key before perform a secondary verification (x-raying) adding virus to new executable D E

  13. Simple Decryption Routine 13

  14. Jumping Ahead: Similar Behavior in JavaScript 14

  15. Coevolution: Polymorphic 15 Virus Antivirus  Custom detection program designed Use a mutation engine to generate a (decryption  routine, encryption routine) pair to recognize specific detection engines Functionally similar or the same, but syntactically very  different  Generic decryption (GD) Use the encryption routine to encode the body of the   Emulator virus  Signature matching engine  Scan memory/disk at regular intervals No fixed part of the virus preserved (decryption,  in hopes of finding decoded virus body encryption, body) D1 D2 E1 E2

  16. Emulation Challenges 16  How long to emulate the execution? Viruses use padding instructions to delay execution. Can also use sleep for a while to slow down the scanner.  What is the quality of the emulator? How many CPUs to support?  What if decryption starts upon user interactions? How do we trigger it?  What about anti-emulation tricks?

  17. AV: Static and Runtime 17  Signature-based virus detection – static techniques  Emulation-based detection – runtime technique  Generally, both are used at the same time (hybrid)

  18. False Positives 18 A "false positive" is when antivirus software identifies a non-malicious file as a virus. When this happens, it can • cause serious problems. For example, if an antivirus program is configured to immediately delete or quarantine infected files, a false • positive in an essential file can render the operating system or some applications unusable.  In May 2007, a faulty virus signature issued by Symantec mistakenly removed essential operating system files, leaving thousands of PCs unable to boot  Also in May 2007, the executable file required by Pegasus Mail was falsely detected by Norton AntiVirus as being a Trojan and it was automatically removed, preventing Pegasus Mail from running. Norton anti-virus had falsely identified three releases of Pegasus Mail as malware, and would delete the Pegasus Mail installer file when that happened n response to this Pegasus Mail stated:  On the basis that Norton/Symantec has done this for every one of the last three releases of Pegasus Mail, we can only condemn this product as too flawed to use, and recommend in the strongest terms that our users cease using it in favor of alternative, less buggy anti-virus packages

  19. More False Positives 19 In April 2010, McAfee VirusScan detected  svchost.exe, a normal Windows binary, as a virus on machines running Windows XP with Service Pack 3, causing a reboot loop and loss of all network access In December 2010, a faulty update on the AVG  anti-virus suite damaged 64-bit versions of Windows 7, rendering it unable to boot, due to an endless boot loop created In October 2011, Microsoft Security Essentials  removed the Google Chrome browser, rival to Microsoft's own Internet Explorer. MSE flagged Chrome as a Zbot banking trojan

  20. False Alarms 20

  21. Vulnerability Gap 21  As long as user has the right virus signatures and computer has recently been scanner, detection will likely work  But the virus landscape changes fast  This calls for monitoring techniques for unknown viruses http://www.m86security.com/documents/pdfs/security_labs/m86_security_labs_vulnerability_report.pdf

  22. Limitations of AV 22  Reactive approach renders existing security solutions less effective, because they are too slow to respond and require up-to-date signatures, before they can be effective  While the reactive signature approach provides adequate identification of existing attacks, it is virtually useless in protecting against new and unknown attacks

  23. Malwarebytes: Not Signature-Based 23 https://www.youtube.com/watch?v=PGLGyPuxP7c

  24. IDS: Intrusion Detection Systems 24  Collect signals  Behavioral models can be quite complex  Build a model of  Are often graph-based normal (and  Or regex-based abnormal behavior)  Influence false positive and  Process logs and false negative rates create alerts  Notify system operators

  25. Host-Based vs. Network-Based IDS 25  Log analyzers  Scan incoming and outgoing traffic  Signature-based sensors  Primarily signature-based  System call analyzers  Combined into firewalls  Application behavior analyzers  Can be located on a different  File integrity checkers machine

  26. System Call Log 26 11:33:27;[pid 1286] open 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] munmap 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] close 11:33:27;[pid 1286] open 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] munmap 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] close 11:33:27;[pid 1286] open 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] munmap 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] close 11:33:27;[pid 1286] open 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] close 11:33:27;[pid 1286] open 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] munmap 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] close 11:33:27;[pid 1286] open 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] munmap 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] close 11:33:27;[pid 1286] open 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] munmap 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] close 11:33:27;[pid 1286] open 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] munmap 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] close 11:33:27;[pid 1286] open 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] munmap 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] close 11:33:27;[pid 1286] open 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] munmap 11:33:27;[pid 1286] mmap 11:33:27;[pid 1286] close 11:33:27;[pid 1286] close 11:33:27;[pid 1286] munmap 11:33:27;[pid

  27. Registry Access Log 27

  28. Host-Based Intrusion Detection open() f(int x) { Entry(g) Entry(f) x ? getuid() : geteuid(); x++ } g() { close() getuid() geteuid() fd = open("foo", O_RDONLY); f(0); close(fd); f(1); exit(0); exit() } Exit(g) Exit(f) If the observed code behavior is inconsistent with the statically inferred model, something is wrong

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CO 445H ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr.

CO 445H ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr.

CO 445H ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr. Benjamin Livshits British Airw rways Hack 2 BA last week admitted that personal and payment card info for 380,000 customers had been swiped from

840 views • 61 slides
CO 445H BLOCKCHAIN SECURITY Dr. Benjamin Livshits Apps Stealing Your Data 2 What are they

CO 445H BLOCKCHAIN SECURITY Dr. Benjamin Livshits Apps Stealing Your Data 2 What are they

CO 445H BLOCKCHAIN SECURITY Dr. Benjamin Livshits Apps Stealing Your Data 2 What are they doing with this data? We dont know what is happening with this data once it is collected. Its conceivable that this information could be analysed

959 views • 59 slides
CO 445H SECURE DESIGN PRIN INCIPLES JAVA SECURITY ROP AND ADVANCED EXPLOITS Dr. Ben Livshits

CO 445H SECURE DESIGN PRIN INCIPLES JAVA SECURITY ROP AND ADVANCED EXPLOITS Dr. Ben Livshits

CO 445H SECURE DESIGN PRIN INCIPLES JAVA SECURITY ROP AND ADVANCED EXPLOITS Dr. Ben Livshits Some Survey Responses 2 Sunsetting Google+ 3 https://www.blog.google/technology/safety-security/project-strobe/ Details 4 Notifications 5

1.12k views • 64 slides
CO 445H MOBILE PLATFORM SECURITY AND MOBILE PRIVACY Dr. Benjamin Livshits Privacy International

CO 445H MOBILE PLATFORM SECURITY AND MOBILE PRIVACY Dr. Benjamin Livshits Privacy International

CO 445H MOBILE PLATFORM SECURITY AND MOBILE PRIVACY Dr. Benjamin Livshits Privacy International Data Tracking 2 http://privacyinternational.org/feature/2433/i-asked-online-tracking-company-all-my-data-and-heres-what-i-found Two Main Attack

986 views • 63 slides
COURSE IN INTRODUCT CTION SECURITY PROPERTIES SECURE DESIG IGN Dr. Ben Livshits High-Level

COURSE IN INTRODUCT CTION SECURITY PROPERTIES SECURE DESIG IGN Dr. Ben Livshits High-Level

CO 445H COURSE IN INTRODUCT CTION SECURITY PROPERTIES SECURE DESIG IGN Dr. Ben Livshits High-Level Course Logistics 2 https:/ ://www.doc.ic ic.ac.uk/~liv livshit its/cla lasses/CO445H/ / Course Logistics 3 Monday: 2-hour time

874 views • 53 slides
1 How many radians are subtended by a 0.10 m arc of a circle of radius 0.40 m? Slide 2 / 133 2

1 How many radians are subtended by a 0.10 m arc of a circle of radius 0.40 m? Slide 2 / 133 2

Slide 1 / 133 1 How many radians are subtended by a 0.10 m arc of a circle of radius 0.40 m? Slide 2 / 133 2 How many degrees are subtended by a 0.10 m arc of a circle of radius of 0.40 m? Slide 3 / 133 3 A ball rotates 2 rad in 4.0 s.

1.5k views • 133 slides
Yep, I said it before and Ill say it again. Life moves pretty fast. You dont stop and

Yep, I said it before and Ill say it again. Life moves pretty fast. You dont stop and

Yep, I said it before and Ill say it again. Life moves pretty fast. You dont stop and look around once in a while, you could miss it Ferris Buellers Day Off (1986) A different kind of newsroom. Slow news. Open journalism.

749 views • 19 slides
1 1 One of the many joys of living in Melbourne is a ride along the bike path next to the

1 1 One of the many joys of living in Melbourne is a ride along the bike path next to the

1 ENDING THE GREAT AUSTRALIAN COMPLACENCY OF THE EARLY TWENTY FIRST CENTURY Ross Garnaut Vice-Chancellors Fellow and Professorial Fellow in Economics, The University of Melbourne Victoria University 2013 Vice-Chancellors Lecture

530 views • 26 slides
Physics 116 ELECTROMAGNETISM AND OSCILLATORY MOTION Lecture 3 Energy in SHM Oct 3, 2011 R. J.

Physics 116 ELECTROMAGNETISM AND OSCILLATORY MOTION Lecture 3 Energy in SHM Oct 3, 2011 R. J.

Physics 116 ELECTROMAGNETISM AND OSCILLATORY MOTION Lecture 3 Energy in SHM Oct 3, 2011 R. J. Wilkes Email: ph116@u.washington.edu Announcements - PHYS 116 Course home page: visit frequently for updated course info!

212 views • 19 slides
CDW Corporation Webcast Conference Call May 6, 2020 CDW.com | 800.800.4239 Disclaimers

CDW Corporation Webcast Conference Call May 6, 2020 CDW.com | 800.800.4239 Disclaimers

CDW Corporation Webcast Conference Call May 6, 2020 CDW.com | 800.800.4239 Disclaimers Forward-Looking Statements Statements in this presentation that are not statements of historical fact are forward-looking statements within the meaning of

600 views • 22 slides
Viruses cont 1 Changelog Corrections made in this version not in fjrst posting: 6 Feb 2017:

Viruses cont 1 Changelog Corrections made in this version not in fjrst posting: 6 Feb 2017:

Viruses cont 1 Changelog Corrections made in this version not in fjrst posting: 6 Feb 2017: slide 62: mov %ebp, %esp corrected to mov %esp, %ebp 1 ASM assignment is out 2 anonymous feedback Please make the homeworks due at midnight

1.24k views • 111 slides
CSE543 Computer and Network Security Module: Malware Professor Trent Jaeger CSE543 -

CSE543 Computer and Network Security Module: Malware Professor Trent Jaeger CSE543 -

616 views • 33 slides
Office Hours: ESG-CV Notice September 3, 2020 Housekeeping A recording of todays session,

Office Hours: ESG-CV Notice September 3, 2020 Housekeeping A recording of todays session,

Office Hours: ESG-CV Notice September 3, 2020 Housekeeping A recording of todays session, along with the slide deck and a copy of the Chat and Q&A content will be posted to the HUD Exchange within 2-3 business days Event

645 views • 39 slides
Life lessons and datacenter performance analysis Dan Ardelean Amer Diwan Rick Hank Christian

Life lessons and datacenter performance analysis Dan Ardelean Amer Diwan Rick Hank Christian

Life lessons and datacenter performance analysis Dan Ardelean Amer Diwan Rick Hank Christian Kurmann Balaji Raghavan Matt Seegmiller The need to solve performance crimes Performance crimes are anything that unnecessarily increase

529 views • 42 slides
Albert-Lszl Barabsi with Emma K. Towlson and Sean P. Cornelius www.BarabasiLab.com

Albert-Lszl Barabsi with Emma K. Towlson and Sean P. Cornelius www.BarabasiLab.com

Network Science Spreading Phenomena Albert-Lszl Barabsi with Emma K. Towlson and Sean P. Cornelius www.BarabasiLab.com Section 10.7 Epidemic Prediction Case Study 1: Epidemic Forecast Network Science: Robustness Cascades H1N1

879 views • 31 slides
Engineering Challenges in Immunizing Systems Against Malicious Code Craig Chamberlain Principal

Engineering Challenges in Immunizing Systems Against Malicious Code Craig Chamberlain Principal

Engineering Challenges in Immunizing Systems Against Malicious Code Craig Chamberlain Principal Technical Consultant Verdasys, Inc. Background Organizations are confronted with troubling developments the malware problem phenomenon

581 views • 27 slides
Misleading and Defeating Importance- Scanning Malware Propagation Guofei Gu 1 , Zesheng Chen 1 ,

Misleading and Defeating Importance- Scanning Malware Propagation Guofei Gu 1 , Zesheng Chen 1 ,

Misleading and Defeating Importance- Scanning Malware Propagation Guofei Gu 1 , Zesheng Chen 1 , Phillip Porras 2 , Wenke Lee 1 1 Georgia Institute of Technology 2 SRI International Outline Background White Hole: Design & Operation

238 views • 20 slides
AppSpear: Bytecode Decryp0ng and DEX Reassembling for Packed Android Malware Yang Wenbo, Zhang

AppSpear: Bytecode Decryp0ng and DEX Reassembling for Packed Android Malware Yang Wenbo, Zhang

AppSpear: Bytecode Decryp0ng and DEX Reassembling for Packed Android Malware Yang Wenbo, Zhang Yuanyuan, Li Juanru, Shu Junliang, Li Bodong, Hu Wenjun, Gu Dawu Sudeep Nanjappa Jayakumar Agenda Introduc0on AppSpear Goals,

322 views • 19 slides
Certificates for cs.washington.edu 1 Certificates for GMail Important fields: Testing SSL

Certificates for cs.washington.edu 1 Certificates for GMail Important fields: Testing SSL

Certificates for cs.washington.edu 1 Certificates for GMail Important fields: Testing SSL Configuration (1) 3 Client completed verification of received certificate chain Testing SSL Configuration (2) 4 Received certificate chain (two

623 views • 49 slides
Static Analysis of Executables to Detect Malicious Patterns [12 th USENIX Security Symposium,

Static Analysis of Executables to Detect Malicious Patterns [12 th USENIX Security Symposium,

Static Analysis of Executables to Detect Malicious Patterns [12 th USENIX Security Symposium, 2003] Mihai Christodorescu Somesh Jha CS @ University of Wisconsin, Madison Presented by K. Vikram Cornell University Problem & Motivation

969 views • 30 slides
FX Derivatives: Stochastic-Local-Volatility Model Uwe Wystup Fr ed eric Bossens, Andreas

FX Derivatives: Stochastic-Local-Volatility Model Uwe Wystup Fr ed eric Bossens, Andreas

Review Vanna Volga Stochastic-Local-Volatility Mixture Local Volatility Model Summary FX Derivatives: Stochastic-Local-Volatility Model Uwe Wystup Fr ed eric Bossens, Andreas Weber MathFinance AG uwe.wystup@mathfinance.com July 2020

1.11k views • 68 slides
Stochastic Local Volatility in QuantLib J. Gttker-Schnetmann, K. Spanderen QuantLib User

Stochastic Local Volatility in QuantLib J. Gttker-Schnetmann, K. Spanderen QuantLib User

Stochastic Local Volatility in QuantLib J. Gttker-Schnetmann, K. Spanderen QuantLib User Meeting 2014 Dsseldorf 2014-12-06 Gttker-Schnetmann, Spanderen Towards SLV in QuantLib QuantLib User Meeting 1 / 41 Heston Stochastic Local

440 views • 41 slides
Real Solving on Bivariate Systems with Sturm Sequences and SLV Maple TM library Dimitris Diochnos

Real Solving on Bivariate Systems with Sturm Sequences and SLV Maple TM library Dimitris Diochnos

Real Solving on Bivariate Systems with Sturm Sequences and SLV Maple TM library Dimitris Diochnos University of Illinois at Chicago Dept. of Mathematics, Statistics, and Computer Science September 27, 2007 D. I. Diochnos (UIC - MSCS) Real

1.34k views • 82 slides
Software Development @ PolSys (Elias @ PolSys . lip6 . FR) Software @ PolSys JNCF @ CIRM 2014

Software Development @ PolSys (Elias @ PolSys . lip6 . FR) Software @ PolSys JNCF @ CIRM 2014

Software Development @ PolSys (Elias @ PolSys . lip6 . FR) Software @ PolSys JNCF @ CIRM 2014 while true ++i; Polynomial System Solving Solving efficiently polynomial system of equations is a fundamental problem in Computer Algebra with many

412 views • 38 slides

More recommend