malicious software computer security peter reiher
play

Malicious Software Computer Security Peter Reiher November 25, - PowerPoint PPT Presentation

Mar 18, 2024 •159 likes •838 views

Malicious Software Computer Security Peter Reiher November 25, 2014 Lecture 12 Page 1 CS 136, Fall 2014 Outline Introduction Viruses Trojan horses Trap doors Logic bombs Worms Botnets Spyware Malware

  1. Malicious Software Computer Security Peter Reiher November 25, 2014 Lecture 12 Page 1 CS 136, Fall 2014

  2. Outline • Introduction • Viruses • Trojan horses • Trap doors • Logic bombs • Worms • Botnets • Spyware • Malware components Lecture 12 Page 2 CS 136, Fall 2014

  3. Introduction Clever programmers can get software to do their dirty work for them Programs have several advantages for these purposes – Speed – Mutability – Anonymity Lecture 12 Page 3 CS 136, Fall 2014

  4. Where Does Malicious Code Come From? • Most commonly, it’s willingly (but unwittingly) imported into the system – Electronic mail – Downloaded executables • Often automatically from web pages – Sometimes shrink-wrapped software • Sometimes it breaks in • Sometimes an insider intentionally introduces it Lecture 12 Page 4 CS 136, Fall 2014

  5. Magnitude of the Problem • Considering viruses only, by 1994 there were over 1,000,000 annual infections – One survey shows 10-fold increase in viruses since 1996 • In November 2003, 1 email in 93 scanned by particular survey contained a virus • 2008 CSI report shows 50% of survey respondents had virus incidents – Plus 20% with bot incidents • 2009 Trend Micro study shows 50% of infected machines still infected 300 days later Lecture 12 Page 5 CS 136, Fall 2014

  6. Viruses • “Self-replicating programs containing code that explicitly copies itself and that can ‘infect’ other programs by modifying them or their environment” • Typically attached to some other program – When that program runs, the virus becomes active and infects others • Not all malicious codes are viruses Lecture 12 Page 6 CS 136, Fall 2014

  7. How Do Viruses Work? • When a program is run, it typically has the full privileges of its running user • Including write privileges for some other programs • A virus can use those privileges to replace those programs with infected versions Lecture 12 Page 7 CS 136, Fall 2014

  8. Before the Infected Program Runs Virus Code Infected Uninfected Program Program Lecture 12 Page 8 CS 136, Fall 2014

  9. The Infected Program Runs Virus Code Infected Uninfected Program Program Lecture 12 Page 9 CS 136, Fall 2014

  10. Infecting the Other Program Virus Code Virus Code Infected Infected Uninfected Program Program Program Lecture 12 Page 10 CS 136, Fall 2014

  11. Macro and Attachment Viruses • Modern data files often contain executables – Macros – Email attachments • Many formats allow embedded commands to download of arbitrary executables • Popular form of viruses – Requires less sophistication to get right Lecture 12 Page 11 CS 136, Fall 2014

  12. Virus Toolkits • Helpful hackers have written toolkits that make it easy to create viruses • A typical smart high school student can easily create a virus given a toolkit • Generally easy to detect viruses generated by toolkits – But toolkits are getting smarter Lecture 12 Page 12 CS 136, Fall 2014

  13. How To Find Viruses • Basic precautions • Looking for changes in file sizes • Scan for signatures of viruses • Multi-level generic detection Lecture 12 Page 13 CS 136, Fall 2014

  14. Precautions to Avoid Viruses • Don’t import untrusted programs – But who can you trust? • Viruses have been found in commercial shrink-wrap software • The hackers who released Back Orifice were embarrassed to find a virus on their CD release • Trusting someone means not just trusting their honesty, but also their caution Lecture 12 Page 14 CS 136, Fall 2014

  15. Other Precautionary Measures • Scan incoming programs for viruses – Some viruses are designed to hide • Limit the targets viruses can reach • Monitor updates to executables carefully – Requires a broad definition of “executable” Lecture 12 Page 15 CS 136, Fall 2014

  16. Containment • Run suspect programs in an encapsulated environment – Limiting their forms of access to prevent virus spread • Requires versatile security model and strong protection guarantees – No use to run in tightly confined mode if user allows it to get out Lecture 12 Page 16 CS 136, Fall 2014

  17. Viruses and File Sizes • Typically, a virus tries to hide • So it doesn’t disable the infected program • Instead, extra code is added • But if it’s added naively, the size of the file grows • Virus detectors look for this growth • Won’t work for files whose sizes typically change • Clever viruses find ways around it – E.g., cavity viruses that fit themselves into “holes” in programs Lecture 12 Page 17 CS 136, Fall 2014

  18. Signature Scanning • If a virus lives in code, it must leave some traces • In unsophisticated viruses, these traces are characteristic code patterns • Find the virus by looking for the signature Lecture 12 Page 18 CS 136, Fall 2014

  19. How To Scan For Signatures • Create a database of known virus signatures • Read every file in the system and look for matches in its contents • Also check every newly imported file • Also scan boot sectors and other interesting places • Can use same approach for other kinds of malware Lecture 12 Page 19 CS 136, Fall 2014

  20. Weaknesses of Scanning for Signatures • What if the virus changes its signature? • What if the virus takes active measures to prevent you from finding the signature? • You can only scan for known virus signatures Lecture 12 Page 20 CS 136, Fall 2014

  21. Polymorphic Viruses • A polymorphic virus produces varying but operational copies of itself • Essentially avoiding having a signature • Sometimes only a few possibilities – E.g., Whale virus has 32 forms • But sometimes a lot – Storm worm had more than 54,000 forms Lecture 12 Page 21 CS 136, Fall 2014

  22. Polymorphism By Hand • Malware writers have become professional and security-aware • They know when their malware has been identified – And they know the signature used – Smart ones subscribe to all major anti- virus programs • They change the malware to remove that signature and re-release it Lecture 12 Page 22 CS 136, Fall 2014

  23. Stealth Viruses • A virus that tries actively to hide all signs of its presence • Typically a resident virus • For example, it traps calls to read infected files – And disinfects them before returning the bytes – E.g., the Brain virus Lecture 12 Page 23 CS 136, Fall 2014

  24. Combating Stealth Viruses • Stealth viruses can hide what’s in the files • But may be unable to hide that they’re in memory • Careful reboot from clean source won’t allow stealth virus to get a foothold • Concerns that malware can hide in other places, like peripheral memory Lecture 12 Page 24 CS 136, Fall 2014

  25. Other Detection Methods • Checksum comparison • Intelligent checksum analysis – For files that might legitimately change • Intrusion detection methods – E.g., look for attack invariants instead of signatures • Identify and handle “clusters” of similar malware Lecture 12 Page 25 CS 136, Fall 2014

  26. Preventing Virus Infections • Run a virus detection program – Almost all serious organizations do this – And many still get clobbered • Keep its signature database up to date – Modern virus scanners do this by default • Disable program features that run executables without users asking – Quicktime had this problem a few years ago • Make sure users are careful about what they run • Also make sure users are careful about what they attach to computers Lecture 12 Page 26 CS 136, Fall 2014

  27. How To Deal With Virus Infections • Reboot from a clean, write-protected medium – Vital that the medium really is clean – Necessary, but not sufficient • If backups are available and clean, replace infected files with clean backup copies – Another good reason to keep backups • Proof-of-concept code showed infection of firmware in peripherals . . . Lecture 12 Page 27 CS 136, Fall 2014

  28. Disinfecting Programs • Some virus utilities try to disinfect infected programs – Allowing you to avoid going to backup • Potentially hazardous, since they may get it wrong – Some viruses destroy information needed to restore programs properly Lecture 12 Page 28 CS 136, Fall 2014

  29. Trojan Horses • Seemingly useful program that contains code that does harmful things • When you run it, the Greeks creep out and slaughter your system Lecture 12 Page 29 CS 136, Fall 2014

  30. Basic Trojan Horses • A program you pick up somewhere that is supposed to do something useful • And perhaps it does – But it also does something less benign • Games are a common location host program • Downloaded applets are also popular • Frequently found in email attachments • Bogus security products also popular • Flash drives are a hardware vector Lecture 12 Page 30 CS 136, Fall 2014

  31. Recent Trends in Trojan Horses • Qakbot Trojan steals online banking credentials • Android/IoS Trojan targeting Hong Kong protestors • Trojan targeting customers of Islamic banks – Using man-in-the-middle techniques to overcome 2 factor authentication – Other similar Trojans floating around, including a toolkit for them • Citadel Trojan stole sensitive info from petrochemical companies Lecture 12 Page 31 CS 136, Fall 2014

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction CS 136 Computer Security Peter Reiher April 1, 2014 Lecture 1 Page 1 CS 136,

Introduction CS 136 Computer Security Peter Reiher April 1, 2014 Lecture 1 Page 1 CS 136,

Introduction CS 136 Computer Security Peter Reiher April 1, 2014 Lecture 1 Page 1 CS 136, Spring 2014 Purpose of Class To introduce students to computer security issues To familiarize students with secure software development

1.18k views • 72 slides
Introduction CS 136 Computer Security Peter Reiher January 8, 2008 Lecture 1 Page 1 CS 136,

Introduction CS 136 Computer Security Peter Reiher January 8, 2008 Lecture 1 Page 1 CS 136,

Introduction CS 136 Computer Security Peter Reiher January 8, 2008 Lecture 1 Page 1 CS 136, Winter 2008 Purpose of Class To introduce students to computer security issues To familiarize students with secure software development

1.19k views • 72 slides
Introduction CS 136 Computer Security Peter Reiher January 10, 2017 Lecture 1 Page 1 CS 136,

Introduction CS 136 Computer Security Peter Reiher January 10, 2017 Lecture 1 Page 1 CS 136,

Introduction CS 136 Computer Security Peter Reiher January 10, 2017 Lecture 1 Page 1 CS 136, Winter 2017 Purpose of Class To introduce students to computer security issues To familiarize students with secure software development

599 views • 57 slides
Network Security Computer Security Peter Reiher November 4, 2014 Lecture 9 Page 1 CS 136,

Network Security Computer Security Peter Reiher November 4, 2014 Lecture 9 Page 1 CS 136,

Network Security Computer Security Peter Reiher November 4, 2014 Lecture 9 Page 1 CS 136, Fall 2014 Outline Network security characteristics and threats Denial of service attacks Traffic control mechanisms Firewalls

797 views • 67 slides
Web Security Computer Security Peter Reiher December 9, 2014 Lecture 15 Page 1 CS 136, Fall

Web Security Computer Security Peter Reiher December 9, 2014 Lecture 15 Page 1 CS 136, Fall

Web Security Computer Security Peter Reiher December 9, 2014 Lecture 15 Page 1 CS 136, Fall 2014 Web Security Lots of Internet traffic is related to the web Much of it is financial in nature Also lots of private information flow

859 views • 70 slides
Layer Optimization: Security and Privacy CS 118 Computer Network Fundamentals Peter Reiher

Layer Optimization: Security and Privacy CS 118 Computer Network Fundamentals Peter Reiher

Layer Optimization: Security and Privacy CS 118 Computer Network Fundamentals Peter Reiher Lecture 18 CS 118 Page 1 Winter 2016 Another type of layer deficiency Some layers of protocol do not provide any security or privacy What if

708 views • 59 slides
More on Malware CS 136 Computer Security Peter Reiher March 4, 2008 Lecture 14 Page 1 CS

More on Malware CS 136 Computer Security Peter Reiher March 4, 2008 Lecture 14 Page 1 CS

More on Malware CS 136 Computer Security Peter Reiher March 4, 2008 Lecture 14 Page 1 CS 136, Winter 2008 Outline Introduction Viruses Trojan horses Trap doors Logic bombs Worms Botnets Spyware Some

701 views • 53 slides
Network Security CS 136 Computer Security Peter Reiher February 21, 2008 Lecture 11 Page 1

Network Security CS 136 Computer Security Peter Reiher February 21, 2008 Lecture 11 Page 1

Network Security CS 136 Computer Security Peter Reiher February 21, 2008 Lecture 11 Page 1 CS 136, Winter 2008 Outline Basics of network security Definitions Sample attacks Defense mechanisms Lecture 11 Page 2 CS 136,

613 views • 50 slides
Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1

Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1

Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1 Fall 2015 Outline Basic concepts in computer security Design principles for security Important security tools for operating systems

1.15k views • 64 slides
Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1

Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1

Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1 Spring 2015 Outline Basic concepts in computer security Design principles for security Important security tools for operating systems

844 views • 56 slides
Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International

Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International

ITS335 Malicious Software Malicious Software Propagation Payload Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October

673 views • 30 slides
Introduction to Cryptography CS 136 Computer Security Peter Reiher January 17, 2017 Lecture 3

Introduction to Cryptography CS 136 Computer Security Peter Reiher January 17, 2017 Lecture 3

Introduction to Cryptography CS 136 Computer Security Peter Reiher January 17, 2017 Lecture 3 Page 1 CS 136, Winter 2017 Outline What is data encryption? Cryptanalysis Basic encryption methods Substitution ciphers

1.16k views • 66 slides
Security Exercises for the Online Classroom with DETER Peter A. H. Peterson and Dr. Peter L.

Security Exercises for the Online Classroom with DETER Peter A. H. Peterson and Dr. Peter L.

Security Exercises for the Online Classroom with DETER Peter A. H. Peterson and Dr. Peter L. Reiher {pahp, reiher}@cs.ucla.edu Laboratory for Advanced Systems Research (LASR) University of California Los Angeles The 3 rd Workshop on Cyber

314 views • 28 slides
Introduction CS 236 Advanced Computer Security Peter Reiher April 1, 2008 Lecture 1 Page 1

Introduction CS 236 Advanced Computer Security Peter Reiher April 1, 2008 Lecture 1 Page 1

Introduction CS 236 Advanced Computer Security Peter Reiher April 1, 2008 Lecture 1 Page 1 CS 236, Spring 2008 Outline Subject of class Class topics and organization Reading material Class web page Grading Projects

838 views • 50 slides
Securing Your System CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Securing Your System CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Securing Your System CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 19 Page 1 CS 236 Online Putting It All Together Weve talked a lot about security principles And about security problems And

209 views • 17 slides
Evaluating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Evaluating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Evaluating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 15 Page 1 CS 236 Online Evaluating Program Security What if your task isnt writing secure code? Its determining if someone

423 views • 16 slides
Converting Scripts into Reproducible Workflow Research Objects Lucas A. M. C. Carvalho, Khalid

Converting Scripts into Reproducible Workflow Research Objects Lucas A. M. C. Carvalho, Khalid

Converting Scripts into Reproducible Workflow Research Objects Lucas A. M. C. Carvalho, Khalid Belhajjame, Claudia Bauzer Medeiros lucas.carvalho@ic.unicamp.br Baltimore, Maryland, USA October 23-26, 2016 Background and Motivation

745 views • 43 slides
Overview of a C Program Programming with C CSCI 112, Spring 2015 Patrick Donnelly Montana State

Overview of a C Program Programming with C CSCI 112, Spring 2015 Patrick Donnelly Montana State

Overview of a C Program Programming with C CSCI 112, Spring 2015 Patrick Donnelly Montana State University C Language Components Preprocessor Directives Comments The main function Variable Declarations and Data Types

777 views • 42 slides
FIGHT WITH LINUX Firmy@XDSEC https://github.com/firmianay firmianay@gmail.com 1 OVERVIEW

FIGHT WITH LINUX Firmy@XDSEC https://github.com/firmianay firmianay@gmail.com 1 OVERVIEW

FIGHT WITH LINUX Firmy@XDSEC https://github.com/firmianay firmianay@gmail.com 1 OVERVIEW Linux Reverse Engineering Reverse Engineering on Linux What? Why? How? 2 OVERVIEW Linux Reverse Engineering Reverse

1.02k views • 59 slides
From theory to practice of information-flow control Andrei Sabelfeld Chalmers

From theory to practice of information-flow control Andrei Sabelfeld Chalmers

From theory to practice of information-flow control Andrei Sabelfeld Chalmers http://www.cse.chalmers.se/~andrei FOSAD 2014 2 <!-- Input validation --> <form name="cform" action="script.cgi"

931 views • 58 slides
Hunting for Metamorphic By Pter Szr and Peter Ferrie Introduction Polymorphic virus

Hunting for Metamorphic By Pter Szr and Peter Ferrie Introduction Polymorphic virus

Hunting for Metamorphic By Pter Szr and Peter Ferrie Introduction Polymorphic virus engines resulted in stronger virus scanners. Paper focuses on how virus creators have challenged virus scanners over the past decade. Evolution of

446 views • 16 slides
Peer to Peer Networks and Security Kostya Kortchinsky CERT RENATER

Peer to Peer Networks and Security Kostya Kortchinsky CERT RENATER

Peer to Peer Networks and Security Kostya Kortchinsky CERT RENATER Kostya.Kortchinsky@renater.fr 23/06/2003 Kostya Kortchinsky - RENATER 1 Agenda Some Figures Security Issues Viruses, trojans, and other malware

757 views • 33 slides
Inventing Managerial Inventing Managerial Information: Information: Systems Men and the

Inventing Managerial Inventing Managerial Information: Information: Systems Men and the

Inventing Managerial Inventing Managerial Information: Information: Systems Men and the Computer 1957- -67 67 Systems Men and the Computer 1957 Tom Haigh thaigh@sas.upenn.edu 1 My Topic: My Topic: Managerial Information

558 views • 41 slides
Executive Office of Public Safety and Security Department of Criminal Justice Information

Executive Office of Public Safety and Security Department of Criminal Justice Information

Executive Office of Public Safety and Security Department of Criminal Justice Information Services CORI Training October 20, 2020 What is the Department of Criminal Justice Information Services (DCJIS)? DCJIS is the Massachusetts agency

529 views • 16 slides

More recommend