Computer Security DD2395 - PowerPoint PPT Presentation



SLIDE 1

Computer Security DD2395

http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh11/

Fall 2011
Sonja Buchegger
buc@kth.se
Lecture 7: Malicious Software

1 DD2395 Sonja Buchegger

SLIDE 2

Course Admin

• Lab 2:
  • prepare before lab session
  • signup!
• Lab 3:
  • prepare: webgoat, gruyere
• Lab 4:
  • signup
  • finding group partners: meet here during break
SLIDE 3

Malicious Software

• programs exploiting system vulnerabilities
• known as malicious software or malware
  • program fragments that need a host program
    • e.g. viruses, logic bombs, and backdoors
  • independent self-contained programs
    • e.g. worms, bots
  • replicating or not
• sophisticated threat to computer systems

SLIDE 4

Malware Terminology

• Virus
• Worm
• Logic bomb
• Trojan horse
• Backdoor (trapdoor)
• Mobile code
• Auto-rooter Kit (virus generator)
• Spammer and Flooder programs
• Keyloggers, Spyware
• Rootkit
• Zombie, bot
• Adware

SLIDE 5

Would you trust this program?

SLIDE 6

Trojan Horse

• First identified at NSA in 1972 by Daniel Edwards
• It's a program with two purposes, one obvious and one hidden from the user
• Today it's often used to install other software or backdoors
• Trojan horses can be built from existing programs using a special wrapper
• Or designed from the start to be one.

SLIDE 7

What would you do?

• How to get someone to run a trojan?
• How to not run a trojan?

SLIDE 8

Backdoor

• Software that gives access to a system
• Bypassing OS restrictions
• Can be part of a trojan
• Often installed for legitimate reasons
• Only to later be abused
• Typically very, very hard to find

SLIDE 9

Legitimate Reasons?

• What would be a legitimate reason to install a backdoor?

SLIDE 10

Grayware

• In the gray zone between harmless and harmful, mostly annoying
• Popup windows
• For teh lulz
• Can include adware, spyware

SLIDE 11

Logic Bomb

• A small bit of code that triggers on a specific condition
• Typically with malicious results
• No vector for spreading
• Installed directly

SLIDE 12

Viruses

• piece of software that infects programs
  • modifying them to include a copy of the virus
  • so it executes secretly when host program is run
• specific to operating system and hardware
  • taking advantage of their details and weaknesses
• a typical virus goes through phases of:
  • dormant
  • propagation
  • triggering
  • execution
SLIDE 13

Virus Structure

• components:
  • infection mechanism - enables replication
  • modification engine - for disguise
  • trigger - event that makes payload activate
  • payload - what it does, malicious or benign
• prepended / appended / embedded
• when infected program invoked, executes virus code then original program code
• can block initial infection (difficult)
• or propagation (with access controls)

SLIDE 14

Virus Structure

SLIDE 15

Virus Classification

• boot sector
• file infector
• macro virus
• encrypted virus: different keys
• stealth virus: evade detection, e.g. compression
• polymorphic virus
• metamorphic virus

SLIDE 16

Compression Virus

SLIDE 17

Polymorphic Virus

• A virus can take things one step further: rebuild the whole virus at every infection to something functionally identical
• There are many ways to do nothing on a computer
• Instructions can be reordered in many ways
• To detect these the AV engine often has to simulate the virus to figure out what it is.

SLIDE 18

Metamorphic Virus

• Complete rewrite
• Can also change behavior

SLIDE 19

Macro Virus

• became very common in mid-1990s since
  • platform independent
  • infects documents
  • is easily spread
• exploit macro capability of office apps
  • executable program embedded in office doc
  • often a form of Basic
• more recent releases include protection
• recognized by many anti-virus programs

SLIDE 20

E-Mail Viruses

• more recent development
• e.g. Melissa
  • exploits MS Word macro in attached doc
  • if attachment opened, macro activates
  • sends email to all on user's address list
  • and does local damage
• then saw versions triggered by reading email
• hence much faster propagation

SLIDE 21

Virus Countermeasures

• prevention - ideal solution but difficult
• realistically need:
  • detection
  • identification
  • removal
• if detected but can't identify or remove, must discard and replace infected program

SLIDE 22

Anti-Virus Evolution

• virus & antivirus tech have both evolved
• early viruses simple code, easily removed
• as viruses become more complex, so must the countermeasures
• generations
  • first - signature scanners
  • second - heuristics
  • third - identify actions
  • fourth - combination packages
SLIDE 23

Generic Decryption

• runs executable files through GD scanner:
  • CPU emulator to interpret instructions
  • virus scanner to check known virus signatures
  • emulation control module to manage process
• lets virus decrypt itself in interpreter
• periodically scan for virus signatures
• issue is how long to interpret and scan
  • tradeoff chance of detection vs time delay
SLIDE 24

Digital Immune System

SLIDE 25

Behavior-Blocking Software
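Third-generation anti-virus identifies actions rather than code: behavior-blocking software watches what a running program does and suspends it when the sequence of actions matches a malicious pattern. The following Python is an added example, not code from the slides: a small rule engine over a constructed process-event trace that flags the Melissa-style pattern from slide 20 (read the address book, then mass-mail) and the file-infector pattern from slide 12 (modify many executables). The event names, thresholds and trace are assumptions made for the example.

```python
from collections import defaultdict

# Constructed process-event trace: (time_s, pid, action, target), time-ordered.
# pid 101 opens a document, reads the address book and mails 60 recipients
# (Melissa-style); pid 202 rewrites eight executables in a few seconds (file
# infector style); pid 303 is an ordinary installer that also sends one mail.
CONSTRUCTED_EVENTS = sorted(
    [(0.0, 101, "open_document", "C:/Users/u/invoice.doc"),
     (0.3, 101, "read_addressbook", "C:/Users/u/outlook.pab")]
    + [(0.5 + i * 0.02, 101, "send_mail", f"user{i}@example.net") for i in range(60)]
    + [(2.0 + i * 0.5, 202, "write_file", f"C:/Program Files/app{i}/app.exe") for i in range(8)]
    + [(3.0, 303, "write_file", "C:/Program Files/setup/setup.exe"),
       (4.0, 303, "send_mail", "bob@example.net")]
)

# Assumed policy thresholds (not from the slides).
MASS_MAIL_COUNT, MASS_MAIL_WINDOW_S = 50, 60.0
EXE_WRITE_COUNT, EXE_WRITE_WINDOW_S = 5, 30.0
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".com")

def evaluate(events):
    """Return {pid: reason} for processes whose behaviour matches a blocking rule.

    Each rule fires on the first event that completes its pattern, which is the
    point at which a real behaviour blocker would suspend the process.
    """
    mail_times = defaultdict(list)     # pid -> send times inside the window
    exe_writes = defaultdict(dict)     # pid -> {path: time of latest write}
    read_address_book = set()
    verdicts = {}
    for t, pid, action, target in events:
        if pid in verdicts:
            continue                   # already blocked
        if action == "read_addressbook":
            read_address_book.add(pid)
        elif action == "send_mail":
            recent = [s for s in mail_times[pid] if t - s <= MASS_MAIL_WINDOW_S]
            mail_times[pid] = recent + [t]
            if pid in read_address_book and len(mail_times[pid]) >= MASS_MAIL_COUNT:
                verdicts[pid] = (f"sent {len(mail_times[pid])} mails within "
                                 f"{MASS_MAIL_WINDOW_S:.0f}s after reading the address book")
        elif action == "write_file" and target.lower().endswith(EXECUTABLE_SUFFIXES):
            exe_writes[pid][target] = t
            recent = [p for p, w in exe_writes[pid].items() if t - w <= EXE_WRITE_WINDOW_S]
            if len(recent) >= EXE_WRITE_COUNT:
                verdicts[pid] = f"modified {len(recent)} executables within {EXE_WRITE_WINDOW_S:.0f}s"
    return verdicts
```

The installer (pid 303) touches one executable and sends one mail, so neither rule fires for it; that is the trade-off a behavior blocker makes, since the same actions in small numbers are normal.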

SLIDE 26

Worms

• replicating program that propagates over net
  • using email, remote exec, remote login
• has phases like a virus:
  • dormant, propagation, triggering, execution
  • propagation phase: searches for other systems, connects to one, copies itself to it and runs
• may disguise itself as a system process
• implemented by Xerox Palo Alto labs in 1980s

SLIDE 27

Morris Worm

• one of best known early worms
• released by Robert Morris in 1988
• various attacks on UNIX systems
  • cracking password file to use login/password to logon to other systems
  • exploiting a bug in the finger protocol
  • exploiting a bug in sendmail
• if succeed have remote shell access
  • sent bootstrap program to copy worm over
SLIDE 28

Worm Propagation Model

SLIDE 29

Why the slow finish phase?
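Slides 28 and 29 show the propagation curve only as a figure. The following Python is an added example, not from the slides: it simulates a random-scanning worm under the assumptions stated in its docstring (fixed probe rate per infected host, uniformly random targets, no patching), splits the run into slow-start, fast-spread and slow-finish phases, and records what fraction of each tick's probes produced a new infection. That fraction is the answer to the slide's question: in the finish phase the worm sends more probes than ever, but almost all of them land on hosts that are already infected or not vulnerable.

```python
import random

def simulate_random_scan_worm(hosts=10_000, vulnerable=2_000, scans_per_tick=3,
                              ticks=60, seed=1):
    """Discrete-time model of a worm that picks probe targets uniformly at random.

    Assumed model (not from the slides): each infected host sends scans_per_tick
    probes per tick; a probe infects only when it lands on a vulnerable host that
    is not yet infected. Returns, per tick, (infected_count, useful_probe_fraction)
    where the fraction is new infections divided by probes sent in that tick.
    """
    rng = random.Random(seed)                       # fixed seed: reproducible run
    vulnerable_hosts = set(rng.sample(range(hosts), vulnerable))
    infected = {min(vulnerable_hosts)}              # constructed patient zero
    timeline = [(len(infected), 0.0)]
    for _ in range(ticks):
        probes = len(infected) * scans_per_tick
        newly_hit = set()
        for _src in infected:
            for _ in range(scans_per_tick):
                target = rng.randrange(hosts)
                if target in vulnerable_hosts and target not in infected:
                    newly_hit.add(target)
        infected |= newly_hit
        timeline.append((len(infected), len(newly_hit) / probes))
    return timeline

def phases(timeline):
    """Split a run into slow start / fast spread / slow finish.

    A tick belongs to the fast-spread phase when it adds at least a quarter of
    the peak number of new infections; returns (first_fast_tick, last_fast_tick,
    peak_new_infections). Ticks before the first are the slow start, ticks after
    the last are the slow finish.
    """
    gains = [b[0] - a[0] for a, b in zip(timeline, timeline[1:])]
    peak = max(gains)
    fast = [t for t, g in enumerate(gains, start=1) if g >= peak / 4]
    return fast[0], fast[-1], peak

if __name__ == "__main__":
    run = simulate_random_scan_worm()
    start, end, peak = phases(run)
    print(f"fast spread ticks {start}-{end}, peak {peak} new infections/tick")
    for tick in (start, end, len(run) - 1):
        count, useful = run[tick]
        print(f"tick {tick:2d}: {count:5d} infected, {useful:.3f} of probes useful")
```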

SLIDE 30

Recent Worm Attacks

• Code Red
  • July 2001 exploiting MS IIS bug
  • probes random IP address, does DDoS attack
  • consumes significant net capacity when active
• Code Red II variant includes backdoor
• SQL Slammer
  • early 2003, attacks MS SQL Server
  • compact and very rapid spread
• Mydoom
  • mass-mailing e-mail worm that appeared in 2004
  • installed remote access backdoor in infected systems
SLIDE 31

Recent Worm Attacks

• Conficker 2009
• Stuxnet 2010
• Duqu 2011

SLIDE 32

Worm Technology

• multiplatform
• multi-exploit
• ultrafast spreading
• polymorphic
• metamorphic
• transport vehicles
• zero-day exploit

SLIDE 33

Worm Countermeasures

• overlaps with anti-virus techniques
• once worm on system A/V can detect
• worms also cause significant net activity
• worm defense approaches include:
  • signature-based worm scan filtering
  • filter-based worm containment
  • payload-classification-based worm containment
  • threshold random walk scan detection
  • rate limiting and rate halting
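Threshold random walk (TRW) scan detection, listed above, uses the network activity a worm causes rather than its code: a scanning host's first connection attempts to new destinations mostly fail, while a normal client's mostly succeed, and a sequential hypothesis test per source turns that difference into a scanner/benign verdict after only a few observations. The following Python is an added example, not code from the slides; the parameter values are those of the original TRW paper (Jung et al., 2004) and the connection log is constructed for the example.

```python
import math

# Constructed first-contact log for the example: (source, destination, succeeded).
# A scanning worm probes addresses blindly, so most of its first contacts fail;
# a normal client talks to hosts it knows exist, so most of its succeed.
CONSTRUCTED_LOG = [
    ("192.0.2.7", "10.0.0.1", True),
    ("192.0.2.7", "10.0.0.2", True),
    ("192.0.2.7", "10.0.0.1", False),     # repeat destination: not a first contact, ignored
    ("192.0.2.7", "10.0.0.3", True),
    ("192.0.2.7", "10.0.0.4", True),
    ("198.51.100.9", "10.0.0.11", False),
    ("198.51.100.9", "10.0.0.12", False),
    ("198.51.100.9", "10.0.0.13", True),
    ("198.51.100.9", "10.0.0.14", False),
    ("198.51.100.9", "10.0.0.15", False),
    ("198.51.100.9", "10.0.0.16", False),
    ("203.0.113.4", "10.0.0.20", False),
    ("203.0.113.4", "10.0.0.21", False),
]

def trw_detect(events, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.99):
    """Threshold random walk over each source's first-contact outcomes.

    H0: source is benign, a first contact succeeds with probability theta0.
    H1: source is a scanner, a first contact succeeds with probability theta1.
    alpha is the tolerated false-positive rate, beta the wanted detection rate
    (values as in Jung et al. 2004). Returns {source: (verdict, observations)}
    with verdict one of "scanner", "benign", "pending".
    """
    upper = math.log(beta / alpha)                        # log-LR at or above: scanner
    lower = math.log((1 - beta) / (1 - alpha))            # log-LR at or below: benign
    step_success = math.log(theta1 / theta0)              # a success pushes towards benign
    step_failure = math.log((1 - theta1) / (1 - theta0))  # a failure pushes towards scanner
    state = {}               # source -> (log-likelihood ratio, verdict, observations)
    first_contacts = set()   # (source, destination) pairs already observed
    for src, dst, succeeded in events:
        llr, verdict, n = state.get(src, (0.0, "pending", 0))
        if verdict != "pending" or (src, dst) in first_contacts:
            continue         # decided already, or not a first contact
        first_contacts.add((src, dst))
        llr += step_success if succeeded else step_failure
        n += 1
        if llr >= upper:
            verdict = "scanner"
        elif llr <= lower:
            verdict = "benign"
        state[src] = (llr, verdict, n)
    return {src: (verdict, n) for src, (_, verdict, n) in state.items()}
```

With these parameters each failure moves the walk by log 4 and each success by log 0.25, so a source is declared a scanner once it has four more first-contact failures than successes, and benign once it has four more successes than failures.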
SLIDE 34

Proactive Worm Containment

SLIDE 35

Network Based Worm Defense

SLIDE 36

Bots

• program taking over other computers
• to launch hard to trace attacks
• if coordinated form a botnet
• characteristics:
  • remote control facility
    • via IRC/HTTP etc
  • spreading mechanism
    • attack software, vulnerability, scanning strategy
• various counter-measures applicable

SLIDE 37

Rootkits

• set of programs installed for admin access
• malicious and stealthy changes to host O/S
• may hide its existence
  • subverting report mechanisms on processes, files, registry entries etc
• may be:
  • persistent or memory-based
  • user or kernel mode
• installed by user via trojan or intruder on system
• range of countermeasures needed

SLIDE 38

Rootkit System Table Mods

SLIDE 39

Summary

• introduced types of malicious software
  • incl. backdoor, logic bomb, trojan horse
  • virus types and countermeasures
• worm types and countermeasures
• bots
• rootkits