malware
play

Malware Prof. Tom Austin San Jos State University Malware: The Cat - PowerPoint PPT Presentation

Jun 22, 2023 •284 likes •1.11k views

CS 166: Information Security Malware Prof. Tom Austin San Jos State University Malware: The Cat & Mouse Game Attackers and Defenders Play 1971 "I'M THE CREEPER : "I'M THE CREEPER : CATCH ME IF YOU CAN." CATCH ME IF YOU

  1. CS 166: Information Security Malware Prof. Tom Austin San José State University

  2. Malware: The Cat & Mouse Game Attackers and Defenders Play

  3. 1971

  4. "I'M THE CREEPER : "I'M THE CREEPER : CATCH ME IF YOU CAN." CATCH ME IF YOU CAN." "I'M THE CREEPER : "I'M THE CREEPER : CATCH ME IF YOU CAN." "I'M THE CREEPER : CATCH ME IF YOU CAN." CATCH ME IF YOU CAN." "I'M THE CREEPER : CATCH ME IF YOU CAN." "I'M THE CREEPER : CATCH ME IF YOU CAN." "I'M THE CREEPER : CATCH ME IF YOU CAN."

  5. Creeper • The world's first computer virus (probably) • Created by Bob Thomas as an experiment in "mobile" self-replicating programs • Not malicious, just annoying… • …Very annoying.

  6. Reaper • A second self-replicating program soon appeared. It 1. Deleted Creeper 2. Spread to other machines 3. Deleted itself • Arguably the first anti-virus software… • …and the second virus. • "Core War" game inspired by Creeper/Reaper.

  7. The ongoing struggle The contest between malware writers and anti-malware writers has continued ever since…

  8. Malware has gone from a lone-wolf's tool for petty revenge…

  9. ...to the realm of the professional criminal…

  10. …even to weapons for nation states.

  11. What is malware? • Mal icious soft ware • Covers a variety of hostile or intrusive software

  12. Types of Malware Trojan horse: Appears benign, but has some malicious behavior. Backdoor: Allows unauthorized access.

  13. Yay, free music! To listen: 1. Double click on the file 2. iTunes opens But then things get weird…

  14. Mac Trojan • Double click on freeMusic.mp3 – iTunes opens (expected) – “Wild Laugh” (not expected) – Message box (not expected)

  15. Trojan Example • How does freeMusic.mp3 trojan work? • This “mp3” is an application, not data • This trojan is harmless, but… • …could have done anything user could do (like delete all of your files)

  16. More Types of Malware Rabbit: exhausts system resources. Worm: Actively spreads over the network. Many more exist: Rootkits, Adware, Keyloggers…

  17. Trojan Rabbit? These categories often overlap. • A Trojan Horse might attempt to exhaust system resources • A worm might install a backdoor on its victim

  18. One type of malware I have not defined so far… Computer Viruses In the vernacular, 'virus' is often a synonym for malware. So how do computer scientists use the term?

  19. The Many Definitions of "Virus" "A virus is a program that is able to infect other programs by modifying them to include a possibly evolved copy of itself." --Frederick Cohen "A computer virus is a program that recursively and explicitly copies a possibly modified version of itself." --Peter Szor

  20. Infection process (viruses under Cohen's definition) • Attacker creates an initial germ file. • The germ infects other programs. • When infected programs run, they spread the virus to other programs.

  21. How a file gets infected original code infected code

  22. How a file gets infected original code infected code JMP JMP

  23. History of Famous Worms

  24. November 2, 1988 Apple and Micro$oft were fighting for control of the PC market. Windows 3.0 had not yet been released.

  25. Robert Tappan Morris • Cornell grad student. • Allegedly, he wanted to gauge the size of the Internet. • He wrote a program that would: 1. Determine where it could spread 2. Transmit itself 3. Hide, and then repeat the process.

  26. How Morris Worm Spread • Obtained access to machines by… – User account password guessing – Exploit buffer overflow in fingerd – Exploit trapdoor in sendmail • Flaws in fingerd and sendmail were well-known, but not widely patched

  27. Bootstrap Loader • Once Morris worm got access… • “Bootstrap loader” sent to victim – 99 lines of C code • Victim compiled and executed code • Bootstrap loader fetched the worm • Victim authenticated sender – Don’t want user to get a bad worm…

  28. How to Remain Undetected? • If transmission interrupted, code deleted • Code encrypted when downloaded • Code deleted after decrypt/compile • When running, worm regularly changed name and process identifier (PID)

  29. Whoops Morris's program had a bug (or so he claimed). • It would re-infect the same systems • It acted like a fork-bomb (a type of rabbit) and took out many systems

  30. The Internet had been designed to survive a nuclear war… …but apparently not one grad student.

  31. Morris Worm Aftermath • Estimate of damages: between $100,000 and $10 million • Morris became the first person convicted under the 1986 Computer Fraud and Abuse Act • The Computer Emergency Response Team Coordination Center (CERT/CC) was created as a direct result of this attack • Increased awareness of computer security

  32. 2001 We had survived Y2K. The world did not end. Windows XP began its long reign.

  33. HELLO! Welcome to http://www.worm.com! Hacked By Chinese! In 15 hours , 250,000 machines were infected

  34. Code Red Worm • Eventually infected 750,000 out of about 6,000,000 vulnerable systems • Exploited buffer overflow in Microsoft IIS server software – Then monitor traffic on port 80, looking for other susceptible servers

  35. Code Red: What it Did • Day 1 to 19 of month: spread its infection • Day 20 to 27: distributed denial of service attack (DDoS) on www.whitehouse.gov • Later version (several variants) – Included trapdoor for remote access – Rebooted to flush worm, leaving only trapdoor • Some say it was “beta test for info warfare” – But no evidence to support this

  36. January 25, 2003 As impressive as Code Red was, 2 years later we saw an even more effective worm.

  37. SQL Slammer • Infected 75,000 systems in 10 minutes! • At its peak, infections doubled every 8.5 seconds • Spread “too fast”… • …so it “burned out” available bandwidth

  38. Why was Slammer Successful? • Worm size: one 376-byte UDP packet • Firewalls often let one packet thru – Then monitor ongoing “connections” • Expectation was that much more data required for an attack – So no need to worry about 1 small packet • Slammer defied “experts”

  39. The Worms of the Future?

  40. Warhol Worm • “In the future everybody will be world-famous for 15 minutes” ¾ Andy Warhol • Warhol Worm is designed to infect the entire Internet in 15 minutes • Slammer infected 250,000 in 10 minutes – “Burned out” bandwidth – Could not have infected entire Internet in 15 minutes ¾ too bandwidth intensive • Can rapid worm do “better” than Slammer?

  41. A Possible Warhol Worm • Seed worm with an initial hit list containing a set of vulnerable IP addresses – Depends on the particular exploit – Tools exist for identifying vulnerable systems • Each successful initial infection would attack selected part of IP address space

  42. Flash Worm • Can we do “better” than Warhol worm? • Infect entire Internet in less than 15 minutes? • Searching for vulnerable IP addresses is the slow part of any worm attack • Searching might be bandwidth limited – Like Slammer • Flash worm designed to infect entire Internet almost instantly

  43. Flash Worm • Predetermine all vulnerable IP addresses – Depends on details of the attack • Embed these addresses in worm(s) – Results in huge worm(s) – But, the worm replicates, it splits • No wasted time or bandwidth! Original worm(s) 1st generation 2nd generation

  44. Flash Worm • Estimated that ideal flash worm could infect the entire Internet in 15 seconds! • So how could we defend against this attack? • Any defense must be fully automated

  45. We have reviewed different types of malware. How do we stop its spread? Protect against the attacks Detect when malware has spread

  46. Stopping the Spread of Malware

  47. Attack vectors • Spread by network (worms) • Drive by downloads • Code injection vulnerabilities – Cross-site scripting (XSS) attacks – Buffer overflow vulnerabilities • USB sticks

  48. Stopping Trojan Horses and Backdoors

  49. Defending against a Trojan horse with cryptographic hashes • A Trojan horse relies on a user downloading it • Using checksums provided by a cryptographic hash verifies that a file has not been tampered with.

  50. Sandboxing • Applications written for the web browser in JavaScript, Flash, Java, etc. rely on sandboxing. • Code run in the sandbox has reduced privileges. • Provided it does not escape from its sandbox.

  51. App Stores • Applications are reviewed by a trusted party. • Therefore, applications can be given greater permissions. • Examples include Apple's app store, Mozilla's Firefox addon gallery, etc. • Labor intensive

  52. Firewalls Great tool for fighting viruses: • Stop malware from entering the network • Detect messages coming from infected machines on your network (botnet)

  53. USB Drives • Common method of transmitting data between machines. • Potentially dangerous: – Pass out infected drives to compromise machines – Convince users to plug drives into infected machines

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

568 views • 22 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware malware that evades analysis 2 logistics: LEX homework detect push ret pattern using fmex probably easier than TRICKY 3 upcoming exam next Wednesday

496 views • 48 slides
Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

DeepSec IDSC Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware Adventures Agenda INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 2 1 2 3 4 Android Malware

1.01k views • 64 slides
Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of Computer and Information Science Linkping University Malware Defense Agenda 2 Two lectures Lecture I : Malware basics, malware on the PC,

621 views • 40 slides
FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for

FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for

FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for Malware Amount of malware is growing exponentially Anti-virus and signature based approaches are reactionary, dont work for novel malware

127 views • 11 slides
CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is software that aids in gathering A virus is a computer program that is information about a person or organization capable of making copies of itself

716 views • 56 slides
CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane kaneca@mail.uc.edu January 24, 2017 Why Classification is Important Malware classification helps us in multiple ways. Here are a couple key ways:

787 views • 16 slides
On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware Detection The number of new malware exceeds 75 million by the end of 2011, and is still increasing. The number of malware that produced

1.34k views • 91 slides
Homers Iliad Books 2, 3 Italy, Egypt, Mediterranean Sea, Black Sea, Aegean Sea, Phoenicia,

Homers Iliad Books 2, 3 Italy, Egypt, Mediterranean Sea, Black Sea, Aegean Sea, Phoenicia,

Clst 181SK Ancient Greece and the Origins of Western Culture Homers Iliad Books 2, 3 Italy, Egypt, Mediterranean Sea, Black Sea, Aegean Sea, Phoenicia, Greece, Peloponnesus, Ionia, Crete, Cyprus, Delphi, Mycenae, Troy, Aulis, Hellespont Aulis

613 views • 27 slides
GDPR Data Security and Breaches 10 December 2019 Newcastle | Leeds | Manchester 2 What we

GDPR Data Security and Breaches 10 December 2019 Newcastle | Leeds | Manchester 2 What we

GDPR Data Security and Breaches 10 December 2019 Newcastle | Leeds | Manchester 2 What we will look at today Technical and Organisational Security Handling data breaches Case law Newcastle | Leeds | Manchester 3 Data

929 views • 76 slides
Web Security Erik Poll Digital Security group Radboud University Nijmegen websec 1 This

Web Security Erik Poll Digital Security group Radboud University Nijmegen websec 1 This

Web Security Erik Poll Digital Security group Radboud University Nijmegen websec 1 This course The web is a endless source of security problems. Why? The web is very widely used, so its interesting to attack The web is very complex

1.11k views • 61 slides
1 User Datagram Protocol (UDP) User Datagram Protocol (UDP) Services Provided Services

1 User Datagram Protocol (UDP) User Datagram Protocol (UDP) Services Provided Services

The primary primary (in (in principle principle unique unique) ) The role of Internet of Internet transport transport protocols protocols role

780 views • 6 slides
From spatiotemporal plasma-based diagnostics to high rep-rate PWFA at IOTA/FAST Scottish Centre

From spatiotemporal plasma-based diagnostics to high rep-rate PWFA at IOTA/FAST Scottish Centre

IOTA/FAST Workshop, 2018-05-10 Bernhard Hidding From spatiotemporal plasma-based diagnostics to high rep-rate PWFA at IOTA/FAST Scottish Centre for the Application of Plasma-Based Accelerators SCAPA, Department of Physics, University of

415 views • 20 slides
Decentralized Information Flow Control RK Shyamasundar Tata Institute of Fundamental Research

Decentralized Information Flow Control RK Shyamasundar Tata Institute of Fundamental Research

Decentralized Information Flow Control RK Shyamasundar Tata Institute of Fundamental Research Mumbai shyam@tifr.res.in Confidentiality Example (Contd) Principal Preparer distributor of WebTax-may have privacy interests WebTax

673 views • 38 slides
Real Time BoF LinuxCon Japan 2011 This session provides a forum to discuss Real Time Linux, share

Real Time BoF LinuxCon Japan 2011 This session provides a forum to discuss Real Time Linux, share

Real Time BoF LinuxCon Japan 2011 This session provides a forum to discuss Real Time Linux, share how you are using it, and learn from the experiences of others. Please come prepared to discuss your experiences with and hear about: - fields of

313 views • 18 slides
Understanding Trolls with Efficient Analytics of Large Graphs in Neo4j David Allen, Amy

Understanding Trolls with Efficient Analytics of Large Graphs in Neo4j David Allen, Amy

Understanding Trolls with Efficient Analytics of Large Graphs in Neo4j David Allen, Amy E.Hodler, Michael Hunger, Martin Knobloch, William Lyon, Mark Needham, Hannes Voigt BTW Rostock Feb 2019 Michael Hunger Director Neo4j Labs at Neo4j

706 views • 69 slides

More recommend