malice on the internet
play

Malice on the Internet A Peek into Todays Security Attacks Arvind - PowerPoint PPT Presentation

Jan 09, 2023 •36 likes •926 views

Malice on the Internet A Peek into Todays Security Attacks Arvind Krishnamurthy Thursday, November 4, 2010 Bit of History: Morris Worm Worm was released in 1988 by Robert Morris Graduate student at Cornell, son of NSA scientist

  1. Malice on the Internet A Peek into Today’s Security Attacks Arvind Krishnamurthy Thursday, November 4, 2010

  2. Bit of History: Morris Worm • Worm was released in 1988 by Robert Morris • Graduate student at Cornell, son of NSA scientist • Worm was intended to propagate slowly and harmlessly measure the size of the Internet • Due to a coding error, it created new copies as fast as it could and overloaded infected machines • $10-100M worth of damage • Convicted under Computer Fraud and Abuse Act, sentenced to 3 years of probabation • Now an EECS professor at MIT Thursday, November 4, 2010

  3. Morris Worm and Buffer Overflow • One of the worm’s propagation techniques was a buffer overflow attack against a vulnerable version of fingerd on VAX systems • By sending a special string to the finger daemon, worm caused it to execute code creating a new worm copy • Unable to determine remote OS version, worm also attacked fingerd on Suns running BSD, causing them to crash (instead of spawning a new copy) Thursday, November 4, 2010

  4. Buffer Overflow Attacks Over Time • Used to be a very common cause of Internet attacks • 50% of advisories from CERT in 1998 • Morris worm (1988): overflow in fingerd • 6,000 machines infected • CodeRed (2001): overflow in MS-IIS server • 300,000 machines infected in 14 hours • SQL Slammer (2003): overflow in MS-SQL server • 75,000 machines infected in 10 minutes • Question: how effective are buffer overflow attacks today? Thursday, November 4, 2010

  5. Today’s Security Landscape • How are today’s attacks executed? • How can we defend against them? • What are the economic incentives? Thursday, November 4, 2010

  6. Economic Incentives • Phishing • Steal personal information • Click Fraud • DDoS (distributed denial of service) • Compromise machines to perform all of the above Thursday, November 4, 2010

  7. Example 1 • Phishing campaign to steal critical information Thursday, November 4, 2010

  8. Example 2 • Compromising website that downloads malware Thursday, November 4, 2010

  9. Typical Timeline Search for vulnerable webservers Compromise webserver Host phishing/malware page Propagate link to potential victims Compromised machine joins a Botnet Thursday, November 4, 2010

  10. Devising Defenses • Comprehensive defense is necessary • Measure and understand • Learn from attacker’s actions • Infiltration is an effective technique Thursday, November 4, 2010

  11. Typical Timeline Search for vulnerable webservers Compromise webserver Host phishing/malware page Propagate link to potential victims Compromised machine joins a Botnet Thursday, November 4, 2010

  12. Typical Timeline • Step 1: Compromise a popular webserver • Target popular webservers because they are likely to attract more web traffic • How does the attacker find a server to compromise? Thursday, November 4, 2010

  13. The dark side of Search Engines • Poorly configured servers may expose sensitive information • Attackers can craft malicious queries "index of /etc” • Find misconfigured or vulnerable servers Thursday, November 4, 2010

  14. Finding vulnerable servers search term Text Thursday, November 4, 2010

  15. Finding vulnerable servers search term Text Thursday, November 4, 2010

  16. Finding vulnerable servers search term Text “Powered by DataLife Engine” Thursday, November 4, 2010

  17. Finding vulnerable servers search term Text Thursday, November 4, 2010

  18. Defense: “Search Engine Audits” • Identify malicious queries issued by an attacker • can filter results for such queries • Study and gain insights • follow attackers trail and understand objectives • detect attacks earlier Thursday, November 4, 2010

  19. Our dataset • Bing search logs for 3 months • 1.2 TB of data • Billions of queries Thursday, November 4, 2010

  20. SearchAudit: the approach • Two stages: Identification & Investigation • Identification 1. Start with a few known malicious queries (seed set) 2. Expand the seed set 3. Generalize • Investigation • Analyze identified queries to learn more about attacks Thursday, November 4, 2010

  21. The seed set Seed queries Seed queries Seed queries Thursday, November 4, 2010

  22. The seed set • Seed Hackers post such malicious queries Seed queries in underground forums queries Seed queries Thursday, November 4, 2010

  23. The seed set • Seed Hackers post such malicious queries Seed queries in underground forums queries Seed queries Thursday, November 4, 2010

  24. The seed set • Seed Hackers post such malicious queries Seed queries in underground forums queries Seed queries • We crawl these forums to find such posts • We used 500 seed queries posted between May ’06 - August ’09 Thursday, November 4, 2010

  25. Seed set expansion Seed queries Search Seed queries log Seed queries Seed query IPs Expanded query set Thursday, November 4, 2010

  26. Seed set expansion Seed set is small and incomplete Seed queries To expand the small seed set: Search Seed queries log Seed queries 1. Find exact query match from search logs Seed query IPs 2. Find IPs which performed these malicious queries Expanded query set 3. Mark other queries from these IPs as suspect Thursday, November 4, 2010

  27. Generalize the queries Seed queries • Exact queries are too specific at times Search Seed queries log Seed • queries Problem if queries are modified slightly • Seed Regular Solution: Regular Expressions query IPs Attackers' expressions queries + results • captures the structure of the query Regular Expanded • expression query set match similar queries in the future engine Thursday, November 4, 2010

  28. Generalize the queries Seed queries • Exact queries are too specific at times Search Seed queries log Seed • queries Problem if queries are modified slightly • Seed Regular Solution: Regular Expressions query IPs Attackers' expressions queries + results • captures the structure of the query Regular Expanded • expression query set match similar queries in the future engine Thursday, November 4, 2010

  29. A quantitative example Seed queries Unique 122 Queries 174 IPs Thursday, November 4, 2010

  30. A quantitative example Seed queries Expanded set Unique 122 800 Queries 174 264 IPs Thursday, November 4, 2010

  31. A quantitative example Seed queries Expanded set RegEx match Unique 122 800 3560 Queries 174 264 1001 IPs Thursday, November 4, 2010

  32. Looping back • We now have a larger set of malicious queries • These can be fed back to SearchAudit as a new set of seeds Thursday, November 4, 2010

  33. Architecture Loop back seed queries Seed queries Search Seed queries log Seed queries Seed Regular query IPs Attackers' expressions queries + results Regular Expanded expression query set engine Thursday, November 4, 2010

  34. A quantitative example RegEx match + Seed queries Expanded set RegEx match loopback Unique 122 800 3560 ~540k Queries 174 264 1001 ~40k IPs Total pageviews : 9M+ Thursday, November 4, 2010

  35. Typical Timeline Search for vulnerable webservers Compromise webserver Host phishing/malware page Propagate link to potential victims Compromised machine joins a Botnet Thursday, November 4, 2010

  36. An Example • OSCommerce is a web software for managing shopping carts • Compromise is simple: just upload a file! • If http://www.example.com/store is the site, upload a file by issuing a post on: http://www.example.com/store/admin/file_manager.php/ login.php?action=processuploads • Post argument provides the file to be uploaded • Uploaded file is typically a graphical command interpreter Thursday, November 4, 2010

  37. Command Module • Allows hacker to navigate through the file system, upload new files, perform brute force password cracking, open a network port, etc . Thursday, November 4, 2010

  38. Uploaded PHP Script Thursday, November 4, 2010

  39. Web Honeypots • First goal is to understand what techniques are being used to compromise • Setup web honeypots that appear attractive to attackers • Log all interactions with attackers Thursday, November 4, 2010

  40. Options • Install popular vulnerable software • Create front pages that appear to be running vulnerable software • Proxy requests to website running vulnerable software • Issues: • Manual overhead in installing specific packages • High interaction vs. low interaction honeypots Thursday, November 4, 2010

  41. Heat-Seeking Honeypots World Wide Web Search 2 3 results 1 1 Web pages Attack request 6 1 Malicious query Webapp feed 4 Apache 1 1 1 Encapsulated VM pages Attackers Query Add to search 5 1 engine index HEAT-SEEKING HONEYPOT 7 1 Attack log Thursday, November 4, 2010

  42. Heat-Seeking Honeypots World Wide Web Search 2 3 results 1 1 Web pages Attack request 6 1 Malicious query Webapp feed 4 Apache 1 1 1 Encapsulated VM pages Attackers Query Add to search 5 1 engine index HEAT-SEEKING HONEYPOT 7 1 Attack log • Step 1: obtain malicious queries from SearchAudit Thursday, November 4, 2010

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CreepyDOL: Cheap, Distributed Stalking Brendan OConnor Malice Afterthought, Inc. Friday,

CreepyDOL: Cheap, Distributed Stalking Brendan OConnor Malice Afterthought, Inc. Friday,

CreepyDOL: Cheap, Distributed Stalking Brendan OConnor Malice Afterthought, Inc. Friday, August 2, 13 So, there are three takeaways from my talk: (next slide) Everything leaks too much data. At every level, weve forgotten that privacy,

783 views • 46 slides
Malice, Exploitation, and Infection An Overview of Computer Viruses and Malware Bill Harrison

Malice, Exploitation, and Infection An Overview of Computer Viruses and Malware Bill Harrison

Malice, Exploitation, and Infection An Overview of Computer Viruses and Malware Bill Harrison MU Department of Computer Science Hi, Im Bill, glad to meet you } Ph.D 2001, UIUC } Thesis: Modular Compilers and Their Correctness Proofs }

936 views • 60 slides
No Yes Do you use the Internet to do homework? Do you use the Internet to follow your

No Yes Do you use the Internet to do homework? Do you use the Internet to follow your

No Yes Do you use the Internet to do homework? Do you use the Internet to follow your favourite team? Do you use the internet to watch music videos? Do you use the Internet to read the news? Do you use the Internet to play games? Shared

997 views • 51 slides
Communication security over the Internet The big picture Me Internet Resource Internet

Communication security over the Internet The big picture Me Internet Resource Internet

Communication security over the Internet The big picture Me Internet Resource Internet Server Client Attack vectors MAN DNS LAN Client Internet Back Bone Router Networking WWW overview MITM (Man In The Middle) 3 2 4 5 LAN

244 views • 23 slides
How do you Improve on the Internet? The eXpressive Internet Architecture: The Internet has been

How do you Improve on the Internet? The eXpressive Internet Architecture: The Internet has been

5/15/2012 How do you Improve on the Internet? The eXpressive Internet Architecture: The Internet has been tremendously successful From Architecture to Network Has sustained tremendous growth g Supports very diverse set of applications

484 views • 10 slides
IOC: Internet of Composites IOC: Internet of Composites IOC: Internet of Composites IOC: Internet

IOC: Internet of Composites IOC: Internet of Composites IOC: Internet of Composites IOC: Internet

IOC: Internet of Composites IOC: Internet of Composites IOC: Internet of Composites IOC: Internet of Composites Robert Bjekovic, University of applied sciences Ravensburg Weingarten, Weingarten, Germany Michael Elwert, University of applied

351 views • 32 slides
Enabling the Internet of Everything with 3G The Internet of Everything The Next Era of

Enabling the Internet of Everything with 3G The Internet of Everything The Next Era of

Enabling the Internet of Everything with 3G The Internet of Everything The Next Era of Networking and Computing, Where Everything Is Intelligently Connected Family device layout. Think weve done in past. Add in printer, electric meter,

397 views • 22 slides
Good morning! Internet, Web, Intranets, and Extranets Use and Functioning of the Internet

Good morning! Internet, Web, Intranets, and Extranets Use and Functioning of the Internet

Good morning! Internet, Web, Intranets, and Extranets Use and Functioning of the Internet Internet is international scope with users on every continent Asians make up 40% of Internet population Europeans about 20% North America

1.01k views • 56 slides
Internet Atlas: A Geographical Database of the Physical Internet Active Internet Measurement

Internet Atlas: A Geographical Database of the Physical Internet Active Internet Measurement

Internet Atlas: A Geographical Database of the Physical Internet Active Internet Measurement Systems Workshop (AIMS) February 6-8, 2013 Ram Durairajan Computer Sciences University of Wisconsin Motivation rkrish@cs.wisc.edu 2

505 views • 33 slides
History of the Internet Pat Morin COMP 2405 Outline Origins of the Internet Internet

History of the Internet Pat Morin COMP 2405 Outline Origins of the Internet Internet

History of the Internet Pat Morin COMP 2405 Outline Origins of the Internet Internet timeline from 1970s until today The Internet today 2 Origins of the Internet J.C.R. Licklider of MIT in August 1962 wrote about the

562 views • 13 slides
Internet routing is based on routing protocols that collect the input data No off-line route

Internet routing is based on routing protocols that collect the input data No off-line route

Introduction to Routing in Internet Internet basics IPv4 and ICMP Internet Addressing ARP - Address Resolution Protocol Routing Information (Distance Vector ) Protocol Principles 3-1 S-38.121 S-02 Rka, NB Internet routing is based on

214 views • 18 slides
1 Internet Email Internet Commercialization SMTP is Internet Email protocol Rapid and

1 Internet Email Internet Commercialization SMTP is Internet Email protocol Rapid and

Background of Chapter Software Infrastructure of the Commercializing Internet Not finished Mostly journalistic Recounting of basic events from secondary sources Focus on interplay between technology and business models Thomas

463 views • 3 slides
CS 457 Networking and the Internet Fall 2016 The Global Internet (Then) The tree structure of

CS 457 Networking and the Internet Fall 2016 The Global Internet (Then) The tree structure of

10/4/16 CS 457 Networking and the Internet Fall 2016 The Global Internet (Then) The tree structure of the Internet in 1990 The Global Internet (And Now) A simple multi-provider Internet 1 10/4/16 The Global Internet Some large

307 views • 12 slides
The Internet of Things Afloat by Digital Yacht What is the Internet of Things ? The

The Internet of Things Afloat by Digital Yacht What is the Internet of Things ? The

The Internet of Things Afloat by Digital Yacht What is the Internet of Things ? The Internet of Things (IoT ). A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send

575 views • 24 slides
The History of the Internet Presented by the St. Martins Episcopal Technology Department

The History of the Internet Presented by the St. Martins Episcopal Technology Department

The History of the Internet Presented by the St. Martins Episcopal Technology Department Agenda Internet History Internet Evolution Internet Pioneers Internet Growth The Future of the Internet Conclusion

540 views • 24 slides
Welcome to the Indian Prairie Librarys Internet Class I What Is the Internet? The Internet

Welcome to the Indian Prairie Librarys Internet Class I What Is the Internet? The Internet

Welcome to the Indian Prairie Librarys Internet Class I What Is the Internet? The Internet is the largest computer network in the world, connecting millions of computers. A network can also be a group of two or more computer systems linked

371 views • 13 slides
Apache Apex: Next Gen Big Data Analytics Thomas Weise <thw@apache.org> @thweise PMC Chair

Apache Apex: Next Gen Big Data Analytics Thomas Weise <thw@apache.org> @thweise PMC Chair

Apache Apex: Next Gen Big Data Analytics Thomas Weise <thw@apache.org> @thweise PMC Chair Apache Apex, Architect DataTorrent Apache Big Data Europe, Sevilla, Nov 14 th 2016 Stream Data Processing Real-time Data Delivery Transform /

632 views • 35 slides
CLOUD NINJA Catch Me If You Can! RSA 2014 Thursday, February 27, 2014 | 8:00am 9:00am | West

CLOUD NINJA Catch Me If You Can! RSA 2014 Thursday, February 27, 2014 | 8:00am 9:00am | West

CLOUD NINJA Catch Me If You Can! RSA 2014 Thursday, February 27, 2014 | 8:00am 9:00am | West | Room: 3002 Overview What are these guys talking about? Main Topics Could we build a botnet from freely available cloud services? Will we

887 views • 39 slides
Introduction to Computer Security Why do we need computer security? What are our goals and

Introduction to Computer Security Why do we need computer security? What are our goals and

Introduction to Computer Security Why do we need computer security? What are our goals and what threatens them? Lecture 1 Page 1 CS 236 Online Why Is Security Necessary? Because people arent always nice Because a lot of

415 views • 25 slides
Transfer Learning Approach for Botnet Detection based on Recurrent Variational Autoencoder

Transfer Learning Approach for Botnet Detection based on Recurrent Variational Autoencoder

Transfer Learning Approach for Botnet Detection based on Recurrent Variational Autoencoder Jeeyung Kim Scientific Data Management Research Group Computational Research Division Lawrence Berkeley National Laboratory 2020 SNTA, 06/02/2020 J.

423 views • 21 slides
HOW TO DETECT AND PREVENT FRAUD The webinar will begin shortly. Make sure your computers

HOW TO DETECT AND PREVENT FRAUD The webinar will begin shortly. Make sure your computers

HOW TO DETECT AND PREVENT FRAUD The webinar will begin shortly. Make sure your computers sound (volume) is un -muted ( icon) We recommend using headphones for better sound quality INTRODUCTION NAU MAI HAERE MAI Francesca Ephraim

359 views • 24 slides
Broadening the Housing Movement Webinar August 16, 2018 @OppStartsatHome National

Broadening the Housing Movement Webinar August 16, 2018 @OppStartsatHome National

@OppStartsatHome #OpportunityStartsatHome www.opportunityhome.org Broadening the Housing Movement Webinar August 16, 2018 @OppStartsatHome National Campaign Staff #OpportunityStartsatHome www.opportunityhome.org Mike Koprowski

316 views • 18 slides
FEDEX CORPORATION GLOBALLY 69.7 Billion FY19 AnnualRevenue > 15M Shipments each business day

FEDEX CORPORATION GLOBALLY 69.7 Billion FY19 AnnualRevenue > 15M Shipments each business day

FEDEX CORPORATION GLOBALLY 69.7 Billion FY19 AnnualRevenue > 15M Shipments each business day (avg. daily volume) > 65K Unique fedex.com visitors monthly > 250M 679 aircrafts Package-status tracking > 180K > 475K > 220

598 views • 7 slides
Measure data for AmeriCorps VISTA projects, and how you might support that process as a VISTA

Measure data for AmeriCorps VISTA projects, and how you might support that process as a VISTA

Welcome to the final training video in the Supporting Your VISTA Project & Region topic area of the Virtual Leader Orientation. In the previous training you began to learn more about why we collect Performance Measure data for

498 views • 25 slides

More recommend