malware defense i
play

Malware Defense I TDDD17 Information Security, Second Course Ulf - PowerPoint PPT Presentation

Oct 03, 2022 •212 likes •621 views

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of Computer and Information Science Linkping University Malware Defense Agenda 2 Two lectures Lecture I : Malware basics, malware on the PC,

  1. Malware Defense I TDDD17 – Information Security, Second Course Ulf Kargén Department of Computer and Information Science Linköping University

  2. Malware Defense – Agenda 2 • Two lectures – Lecture I : Malware basics, malware on the PC, antivirus techniques – Lecture II : Mobile malware and machine learning for malware detection Today’s agenda: • – Basic concepts and terminology – Types of malware – The malware detection cat-and-mouse game • Common techniques used by antivirus software • Common obfuscation used by malware to evade detection

  3. 3 350,000 new unique malware samples per day according to AV-TEST • Around 1 billion known unique malware samples exist today Estimated cost of malware attacks 2019 was $2 trillion

  4. 4 350,000 new unique malware samples per day according to AV-TEST • Around 1 billion known unique malware samples exist today Estimated cost of malware attacks 2019 was $2 trillion

  5. Definition and Terminology 5 Malware is software designed with the intention of causing some harmful effects. Basic terminology A piece of malware typically belong to an entire family of malicious software with • similar functionality and code structure – New variants of a family appear as malware authors update their code to add new functionality, or to evade existing malware defenses • An individual member of a family is called a variant A specific malware binary is typically referred to as a sample • Most PC malware target the Windows platform due to its large market share • Mac and Linux malware also exist, but is comparably more rare Today, smartphones are also heavily targeted by malware authors – more about • this in next lecture

  6. Malware Naming 6 Antivirus (AV) companies often assign names to malware • For example, “W32/ Zeus.B ” is the name given to a variant of the Zeus malware by a particular AV company Common that different AV companies use different names and naming schemes • For example, “Trojan -Spy:W32/Zbot ” is an alias for the Zeus malware (assigned by a different AV company) • File hashes (e.g. MD5, SHA1 or SHA256) are typically used to uniquely identify individual samples

  7. Malware Nomenclature 7 Malware is divided into different types according to an “informal” nomenclature • Not entirely consistent… Based on either • The malware’s goal/functionality • The method of infection

  8. Malware Types based on Functionality 8 • Spyware extracts sensitive information from victim system and sends it to attacker. Logs keystrokes or scrapes screen contents for stealing e.g.: – Credentials for email/social media accounts, – Credit card numbers, – Banking details Adware modifies e.g. browser settings to litter user with ad popups. • • Botnet clients silently turn victim machines into a remotely controlled node in a botnet – Malware connects to a Command & Control (C&C) server to receive instructions from botnet operator – Botnet can be used to stage DDoS attacks for e.g. extortion – Operators of botnet frequently also rent out DDoS capacity to other criminals

  9. Malware Types based on Functionality 9 • Cryptojackers use infected computer’s hardware to mine cryptocurrency for attackers • Ransomware either lock the GUI of infected computer or encrypt all files on hard drive. Then requires a ransom to be paid for restoring the system. – Encrypting ransomware typically use public-key crypto  Only operators have secret to decrypt files – After ransom is paid (typically in Bitcoin), operators use C&C channel to instruct malware to decrypt files • Droppers are simple executables designed to “drop” other malware onto a computer. Payload malware can either be contained inside dropper itself, or be downloaded • Remote Access Tools (RATs) provide remote “back door” access into infected machines • “Advanced Persistent Threats” (APTs) are advanced malware designed to evade detection for an extended period of time. Used for e.g. espionage (nation state or corporate) or “cyber warfare”.

  10. Malware Types based on Method of Infection 10 Three main types based on infection strategy • Viruses • Worms • Trojans

  11. Malware Types based on Method of Infection 11 True viruses are the earliest form of malware • Emerged during the 1980s – basically extinct today • Needs a “host” program to be able to function – When executed, virus will splice its own code into other executables in system 11010101001011101010 Then virus code 00111001001011101010 Virus code 10011011011010101001 is copied into 10011011011010101001 Virus must first 01110101010011011001 jumps back to 01110101010011011001 executable 10100010101101101001 locate unused 10100010101101101001 real program 10101010101011101001 10101010101011101001 part in victim 00000000000000000000 starting point to …and entry 00011010010001011101 executable 00000000000000000000 retain program 11101111110101001101 point is patched 00000000000000000000 (e.g. padding 01011111010011011010 functionality 01011101001010111010 to jump to virus 01011101001010111010 between sections) 11101101000101011011 code 11101101000101011011 01001111010101001011 01001111010101001011 10101010011011001101 10101010011011001101

  12. Malware Types based on Method of Infection 12 Virus code must be small to allow piggybacking on existing executables Viruses typically had simple functionality • • Written mostly as digital “pranks” (though some were extremely destructive) • Motivation was mostly the challenge itself and to “show off” to others in the hacker community Today, malware writers are almost exclusively motivated by some kind of gains (economical, political, etc.) • Viruses too simple to support “useful” functionality – therefore basically unheard of nowadays

  13. Malware Types based on Method of Infection 13 Worms are standalone malicious programs capable of automatically spreading from system to system • Most prevalent from mid-early 2000s until around 2010 • Typically exploits unprotected network shares or unpatched vulnerabilities in network protocols to spread • More rarely seen today For example the Conficker worm exploited a buffer overflow in a – Modern systems have sufficiently Windows service to spread and hardened default configuration to form a botnet. avoid automatically exploitable flaws in most cases Later versions attempted to spread via poorly configured This means too few infectable – network shares, using a dictionary systems to support worm attack to attempt to break “business model” password-protected shares.

  14. Malware Types based on Method of Infection 14 Trojans are malware that attempts to pose as useful software to trick victims into installing/running it • A very broad term… • In practice, used for most malware that doesn’t contain functionality for automatically spreading to new systems (i.e. everything that isn’t a virus or worm) Trojans frequently pose as, for example Seemingly legitimate documents with malicious macros – drops malware onto • system if opened and macro execution is allowed • Fake video codecs/players • Fake antivirus software • Fake pirated software/games or fake game “cracks” (DRM bypasses) Trojanized versions of real software • • … among others

  15. Malware Types based on Method of Infection 15 According to recent statistics, > 90% of malware is delivered via email (e.g. malicious Word documents) Another common infection vector are drive-by-downloads • Automatically infect users who visit a malicious web page Often performed using an exploit kit (EK) • Web app specifically designed to infect visitors with malware • Either made for in-house use by organized crime group, or sold to others on the black market

  16. Exploit Kits 16 Attacks typically happen like this: 1. Attackers either manage to get an ad distributor to show malicious ads on a web page, or they hack a legitimate web page – Malicious ad or hacked page opens an iframe or redirects to exploit kit landing page 2. Visitors of affected web page is redirected to EK landing page 3. EK uses the “user agent” information to find out OS and browser version – Checks internal database for known exploits for the browser, and serves up the right exploit to victim 4. Exploit runs in victim browser, and installs malware of attacker’s choice EKs usually uses relatively “old” known exploits, taking advantage of users who don’t install updates.

  17. Malware Detection 17 Antivirus programs detect malware samples by scanning files of the computer and matching them against signatures and heuristics Exact inner workings of AV software is mostly kept secret • Knowledge of commercial AV techniques pieced together from public documentation, educated guesswork and reverse-engineering of AV products…

  18. Malware Detection – AV Fundamentals 18 AV software scan files in filesystem both periodically and on-demand • By “hooking” system APIs for opening files, a file can be scanned as soon as it is e.g. downloaded or the user attempts to access it The database of malware signatures is updated typically several times a day • AV companies typically receive millions of new samples every day – Filtered using data-mining techniques before manual analysis to create new signatures and updated heuristics to be sent out to clients – Signatures can match individual samples or entire families of malware

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Malware Defense II TDDD17 Information Security, Second Course Alireza Mohammadinodooshan

Malware Defense II TDDD17 Information Security, Second Course Alireza Mohammadinodooshan

Malware Defense II TDDD17 Information Security, Second Course Alireza Mohammadinodooshan Department of Computer and Information Science Linkping University TDDD17 - Malware Defense II 1/31/2020 2 What Has Been Covered Malware

760 views • 50 slides
IA-32 Architecture CS 4440/7440 Malware Analysis and Defense Intel x86 Architecture } Security

IA-32 Architecture CS 4440/7440 Malware Analysis and Defense Intel x86 Architecture } Security

IA-32 Architecture CS 4440/7440 Malware Analysis and Defense Intel x86 Architecture } Security professionals constantly analyze assembly language code } Many exploits are written in assembly } Source code for applications and malware is not

1.1k views • 58 slides
malware analysis for the enterprise jason ross yesterday: impenetrable defense today:

malware analysis for the enterprise jason ross yesterday: impenetrable defense today:

malware analysis for the enterprise jason ross yesterday: impenetrable defense today: tourist attraction obligatory narcissism worked in IT security for > 10 years employed with the BT ethical hacking team contribute to

841 views • 45 slides
Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks Index

Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks Index

Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks Index 1. Malware volume evolution 2. Malware Eras 3. Panda Adaptive Defense 1. What is it 2. Features & Benefits 3. How does it work 4.

661 views • 47 slides
Virus Concepts and Terminology CS 4440/7440 Malware Analysis & Defense Today } Take a look at

Virus Concepts and Terminology CS 4440/7440 Malware Analysis & Defense Today } Take a look at

Virus Concepts and Terminology CS 4440/7440 Malware Analysis & Defense Today } Take a look at this: } https://www.corelan.be/index.php/articles/ } Check out the Exploit Writing Tutorials } Starting Szor, Chapter 2. } Check out the Virus

1.34k views • 46 slides
Dynamic Binary Instrumentation-based Framework for Malware Defense Najwa Aaraj , Anand

Dynamic Binary Instrumentation-based Framework for Malware Defense Najwa Aaraj , Anand

Dynamic Binary Instrumentation-based Framework for Malware Defense Najwa Aaraj , Anand Raghunathan , and Niraj K. Jha Department of Electrical Engineering, Princeton University, Princeton, NJ 08544, USA NEC Labs America,

410 views • 25 slides
Defense against the Dark Arts Overview / Terminology 1 malware evil software display a

Defense against the Dark Arts Overview / Terminology 1 malware evil software display a

Defense against the Dark Arts Overview / Terminology 1 malware evil software display a funny message send passwords/credit card numbers to criminals take pictures to send to criminals delete data hold data hostage insert/replace ads

1.17k views • 63 slides
File Infection Techniques: File Resident Viruses CS 4440/7440 Malware Analysis & Defense

File Infection Techniques: File Resident Viruses CS 4440/7440 Malware Analysis & Defense

File Infection Techniques: File Resident Viruses CS 4440/7440 Malware Analysis & Defense Bill Harrison Viruses: Online Resources } Symantec Virus Encyclopedia: http://securityresponse.symantec.com/avcenter/ vinfodb.html } McAfee Virus

1.06k views • 31 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

567 views • 22 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
THE A AND THE P OF THE T #APT #APT # APT #APwot ADVANCED w e dont [ d v :n :n(t)

THE A AND THE P OF THE T #APT #APT # APT #APwot ADVANCED w e dont [ d v :n :n(t)

THE A AND THE P OF THE T #APT #APT # APT #APwot ADVANCED w e dont [ d v :n :n(t) (t)st st] understand it PERSISTENT we detected it [p s st st nt nt] too late Ma Mari rion on Ma Marsc rschalek halek

440 views • 32 slides
OPSEC and defense agains social engineering for devels, execs, and sart-ups @KirilsSolovjovs on

OPSEC and defense agains social engineering for devels, execs, and sart-ups @KirilsSolovjovs on

OPSEC and defense agains social engineering for devels, execs, and sart-ups @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs http://kirils.org for more Possible Security Contents Problem: Social Engineering concepts

857 views • 23 slides
Good Morning! INT1004 Computers for Business Ulrich Werner Multimedia: Text plus Why

Good Morning! INT1004 Computers for Business Ulrich Werner Multimedia: Text plus Why

Good Morning! INT1004 Computers for Business Ulrich Werner Multimedia: Text plus Why putting a focus on text? Multimedia: Text plus Discovering Computers Technology in a World of Computers, Mobile Devices, and the Internet Chapter

1.16k views • 81 slides
Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different operating systems Different vendors Client and server systems Vendors try to correct Attackers try to exploit Security professionals must

620 views • 11 slides
Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger

Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger

PUBLIC Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger Malware analysis Static RE with IDA pro Arme suisse EPFL 2019 2 Base daide au commandement BAC Applied Cyber Threat Intelligence

765 views • 63 slides
TraffickStop: Detecting and Measuring Illicit Traffic Monetization Through Large-scale DNS

TraffickStop: Detecting and Measuring Illicit Traffic Monetization Through Large-scale DNS

TraffickStop: Detecting and Measuring Illicit Traffic Monetization Through Large-scale DNS Analysis Baojun Liu, Zhou Li, Peiyuan Zong, Chaoyi Lu , Haixin Duan, Ying Liu, Sumayah Alrwais, Xiaofeng Wang, Shuang Hao, Yaoqi Jia, Yiming Zhang, Kai

819 views • 30 slides
Attack and defense Simona Fabrizi 1 Steffen Lippert 2 e Rodrigues-Neto 3 Jos 1 Massey University

Attack and defense Simona Fabrizi 1 Steffen Lippert 2 e Rodrigues-Neto 3 Jos 1 Massey University

Attack and defense Simona Fabrizi 1 Steffen Lippert 2 e Rodrigues-Neto 3 Jos 1 Massey University 2 University of Auckland 3 Australian National University 2nd ATE Symposium University of New South Wales Business School December, 2014 Fabrizi,

498 views • 24 slides
OBFUSCATION 1 Swizzor Present since 2002 ! AV companies receive hundreds of new binaries

OBFUSCATION 1 Swizzor Present since 2002 ! AV companies receive hundreds of new binaries

Pierre-Marc Bureau bureau@eset.sk Joan Calvet - j04n.calvet@gmail.com UNDERSTANDING SWIZZORS OBFUSCATION 1 Swizzor Present since 2002 ! AV companies receive hundreds of new binaries daily. Nice icons : Little publicly

966 views • 62 slides

More recommend