malware viruses
play

MALWARE: VIRUSES CMSC 414 FEB 08 2018 MALWARE Malicious code - PowerPoint PPT Presentation

Oct 18, 2022 •199 likes •1.02k views

MALWARE: VIRUSES CMSC 414 FEB 08 2018 MALWARE Malicious code that is stored on and runs on a victims system How does it get to run? Attacks a user- or network-facing vulnerable service Backdoor: Added by a malicious

  1. MALWARE: 
 VIRUSES CMSC 414 FEB 08 2018

  2. MALWARE Malicious code that is stored on and runs on a victim’s system • How does it get to run? • Attacks a user- or network-facing vulnerable service • Backdoor: Added by a malicious developer • Social engineering: Trick the user into running/ clicking/installing • Trojan horse: Offer a good service, add in the bad • Drive-by download: Webpage surreptitiously installs • Attacker with physical access downloads & runs it

  3. MALWARE Malicious code that is stored on and runs on a victim’s system • How does it get to run? • Attacks a user- or network-facing vulnerable service • Backdoor: Added by a malicious developer • Social engineering: Trick the user into running/ clicking/installing • Trojan horse: Offer a good service, add in the bad • Drive-by download: Webpage surreptitiously installs • Attacker with physical access downloads & runs it Potentially from any mode of interaction (automated or not), provided sufficient vulnerability

  4. MALWARE: WHAT CAN IT DO? Virtually anything, subject only to its permissions • Brag: “APRIL 1st HA HA HA HA YOU HAVE A VIRUS!” • Destroy: Delete/mangle files - Damage hardware (more later this lecture) - • Crash the machine, e.g., by over-consuming resources Fork bombing or “rabbits”: while(1) { fork(); } - • Steal information (“exfiltrate”) • Launch external attacks Spam, click fraud, denial of service attacks - • Ransomware: e.g., by encrypting files • Rootkits: Hide from user or software-based detection Often by modifying the kernel - Man-in-the-middle attacks to sit between UI and reality -

  5. MALWARE: WHEN DOES IT RUN? Some delay based on a trigger • Time bomb: triggered at/after a certain time On the 1st through the 19th of any month… - • Logic bomb: triggered when a set of conditions hold If I haven’t appeared in two consecutive payrolls… - • Can also include a backdoor to serve as ransom “I won’t let it delete your files if you pay me by Thursday…” - Some attach themselves to other pieces of code • Viruses: run when the user initiates something Run a program, open an attachment, boot the machine - • Worms: run while another program is running No user intervention required -

  6. SELF-PROPAGATING MALWARE • Virus: propagates by arranging to have itself eventually executed • At which point it creates a new, additional instance of itself • Typically infects by altering stored code • User intervention required • Worm: self -propagates by arranging to have itself immediately executed • At which point it creates a new, additional instance of itself • Typically infects by altering running code • No user intervention required The line between these is thin and blurry Some malware uses both styles

  7. MALWARE: TECHNICAL CHALLENGES • Viruses: Detection • Antivirus software wants to detect • Virus writers want to avoid detection for as long as possible • Evade human response • Worms: Spreading • The goal is to hit as many machines and as quickly as possible • Outpace human response

  8. VIRUS DESIGN

  9. VIRUSES • They are opportunistic : they will eventually be run due to user action • Two orthogonal aspects define a virus: 1. How does it propagate ? 2. What else does it do (what is the “ payload ”)? • General infection strategy: • Alter some existing code to include the virus • Share it, and expect users to (unwittingly) re-share • Viruses have been around since at least the 70s

  10. HOW VIRUSES INFECT OTHER PROGRAMS Entry point Original program

  11. HOW VIRUSES INFECT OTHER PROGRAMS Entry point Original program Entry Take over the 
 Original program point Virus entry point

  12. VIRUSES ARE CLASSIFIED BY WHAT THEY INFECT

  13. VIRUSES ARE CLASSIFIED BY WHAT THEY INFECT • Document viruses • Implemented within a formatted document • Word documents (very rich macros) • PDF (Acrobat permits javascript) • (Why you shouldn’t open random attachments)

  14. VIRUSES ARE CLASSIFIED BY WHAT THEY INFECT • Document viruses • Implemented within a formatted document • Word documents (very rich macros) • PDF (Acrobat permits javascript) • (Why you shouldn’t open random attachments) • Boot sector viruses • Boot sector: small disk partition at a fixed location • If the disk is used to boot , then the firmware loads the boot sector code into memory and runs it • What’s supposed to happen: this code loads the OS • Similar: AutoRun on music/video disks • (Why you shouldn’t plug random USB drives into your computer)

  15. VIRUSES ARE CLASSIFIED BY WHAT THEY INFECT • Document viruses • Implemented within a formatted document • Word documents (very rich macros) • PDF (Acrobat permits javascript) • (Why you shouldn’t open random attachments) • Boot sector viruses • Boot sector: small disk partition at a fixed location • If the disk is used to boot , then the firmware loads the boot sector code into memory and runs it • What’s supposed to happen: this code loads the OS • Similar: AutoRun on music/video disks • (Why you shouldn’t plug random USB drives into your computer) • Memory-resident viruses • “Resident code” stays in memory because it is used so often

  16. VIRUSES HAVE RESULTED IN A TECHNICAL ARMS RACE The key is evasion

  17. VIRUSES HAVE RESULTED IN A TECHNICAL ARMS RACE The key is evasion Mechanisms for 
 evasive 
 propagation

  18. VIRUSES HAVE RESULTED IN A TECHNICAL ARMS RACE The key is evasion Mechanisms for 
 Mechanisms for 
 evasive 
 detection and 
 propagation prevention

  19. VIRUSES HAVE RESULTED IN A TECHNICAL ARMS RACE The key is evasion Mechanisms for 
 Mechanisms for 
 evasive 
 detection and 
 propagation prevention

  20. VIRUSES HAVE RESULTED IN A TECHNICAL ARMS RACE The key is evasion Mechanisms for 
 Mechanisms for 
 evasive 
 detection and 
 propagation prevention Want to be able to 
 Want to be able to 
 claim wide coverage 
 claim the ability to 
 for a long time detect many viruses

  21. HOW VIRUSES PROPAGATE • First, the virus looks for an opportunity to run . 
 Increase chances by attaching malicious code to something a user is likely to run • autorun.exe on storage devices • Email attachments • When a virus runs, it looks for an opportunity to infect other systems. • User plugs in a USB thumb drive: try to overwrite autorun.exe • User is sending an email: alter the attachment • Viruses can also proactively create emails (“I Love You”)

  22. DETECTING VIRUSES • Method 1: Signature-based detection • Look for bytes corresponding to injected virus code • Protect other systems by installing a recognizer for a known virus • In practice, requires fast scanning algorithms • This basic approach has driven the multi-billion dollar antivirus market • #Recognized signatures is a means of marketing and competition • But what does that say about how important they are?

  23. Um.. thanks?

  25. YOU ARE A VIRUS WRITER…

  26. YOU ARE A VIRUS WRITER… • Your goal is for your virus to spread far and wide

  27. YOU ARE A VIRUS WRITER… • Your goal is for your virus to spread far and wide • How do you avoid detection by antivirus software?

  28. YOU ARE A VIRUS WRITER… • Your goal is for your virus to spread far and wide • How do you avoid detection by antivirus software? 1. Give them a harder signature to find

  29. HOW VIRUSES INFECT OTHER PROGRAMS Entry point Original program Entry Original program point Virus “Appending”

  30. HOW VIRUSES INFECT OTHER PROGRAMS Entry point Original program Entry Original program point Virus “Appending” jmp Entry “Surrounding” Original program point jmp

  31. HOW VIRUSES INFECT OTHER PROGRAMS Entry point Original program Entry Original program point Virus “Appending” jmp Entry “Surrounding” Original program point jmp Entry point Original program Overwrite uncommonly 
 used parts of the program etc.

  32. HOW VIRUSES INFECT OTHER PROGRAMS Entry point Original program Entry Original program point Virus “Appending” jmp Entry “Surrounding” Original program point jmp Confuse 
 scanners Entry point Original program Overwrite uncommonly 
 used parts of the program etc.

  33. YOU ARE A VIRUS WRITER…

  34. YOU ARE A VIRUS WRITER… • Your goal is for your virus to spread far and wide • How do you avoid detection by antivirus software? 1. Give them a harder signature to find

  35. YOU ARE A VIRUS WRITER… • Your goal is for your virus to spread far and wide • How do you avoid detection by antivirus software? 1. Give them a harder signature to find 2. Change your code so they can’t pin down a signature

  36. YOU ARE A VIRUS WRITER… • Your goal is for your virus to spread far and wide • How do you avoid detection by antivirus software? 1. Give them a harder signature to find 2. Change your code so they can’t pin down a signature Mechanize code changes: Goal: every time you inject your code, it looks different

  37. BUILDING BLOCK: ENCRYPTION Key Key Plaintext Plaintext Encrypt Ciphertext Decrypt Symmetric key: both keys are the same 
 Asymmetric key: different keys Important property: the ciphertext is nondeterministic i.e., “Encrypt” has a different output each time but decrypting always returns the plaintext

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is software that aids in gathering A virus is a computer program that is information about a person or organization capable of making copies of itself

716 views • 56 slides
VIRUSES AND MALWARE Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Viruses

VIRUSES AND MALWARE Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Viruses

VIRUSES AND MALWARE Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Viruses Intrusion detection Behavioral detection Firewalls Virus/antivirus Application firewalls coevolution paper discussed

551 views • 40 slides
AND MALWARE Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Viruses

AND MALWARE Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Viruses

VIRUSES, WORMS, AND MALWARE Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Viruses Intrusion detection Behavioral detection Firewalls Virus/antivirus Application firewalls coevolution paper discussed

915 views • 56 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
Why Protection against Viruses, Bots, and Worms is so hard Malware seen as Mobile Agents Till

Why Protection against Viruses, Bots, and Worms is so hard Malware seen as Mobile Agents Till

Foundations Security in MAS Conclusion Why Protection against Viruses, Bots, and Worms is so hard Malware seen as Mobile Agents Till Drges td@pre-secure.de PRESECURE Consulting GmbH June 20, 2007 Till Drges Protection Malware seen

739 views • 57 slides
Malware: Viruses, Worms, Rootkits, Botnets Spring 2015

Malware: Viruses, Worms, Rootkits, Botnets Spring 2015

CSE 484 / CSE M 584: Computer Security and Privacy Malware: Viruses, Worms, Rootkits, Botnets Spring 2015 Franziska (Franzi) Roesner

403 views • 37 slides
File Infection Techniques: File Resident Viruses CS 4440/7440 Malware Analysis & Defense

File Infection Techniques: File Resident Viruses CS 4440/7440 Malware Analysis & Defense

File Infection Techniques: File Resident Viruses CS 4440/7440 Malware Analysis & Defense Bill Harrison Viruses: Online Resources } Symantec Virus Encyclopedia: http://securityresponse.symantec.com/avcenter/ vinfodb.html } McAfee Virus

1.06k views • 31 slides
Viruses based on slides by Vitaly Shmatikov and Ninghui Li Malware Malicious code often

Viruses based on slides by Vitaly Shmatikov and Ninghui Li Malware Malicious code often

Viruses based on slides by Vitaly Shmatikov and Ninghui Li Malware Malicious code often masquerades as good software or attaches itself to good software Some malicious programs need host programs Trojan horses, logic bombs, viruses

624 views • 40 slides
Viruses & Worms Thanks to Prof. Vern Paxson for these slides Malware That Propagates

Viruses & Worms Thanks to Prof. Vern Paxson for these slides Malware That Propagates

Viruses & Worms Thanks to Prof. Vern Paxson for these slides Malware That Propagates Virus = code that propagates (replicates) across systems by arranging to have itself eventually executed Generally infects by altering stored code

800 views • 67 slides
Malice, Exploitation, and Infection An Overview of Computer Viruses and Malware Bill Harrison

Malice, Exploitation, and Infection An Overview of Computer Viruses and Malware Bill Harrison

Malice, Exploitation, and Infection An Overview of Computer Viruses and Malware Bill Harrison MU Department of Computer Science Hi, Im Bill, glad to meet you } Ph.D 2001, UIUC } Thesis: Modular Compilers and Their Correctness Proofs }

936 views • 60 slides
Malware: Viruses CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva Dornadula,

Malware: Viruses CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva Dornadula,

Malware: Viruses CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva Dornadula, David Fifield, Mia Gil Epner, David Hahn, Warren He, Grant Ho, Frank Li, Nathan Malkin, Mitar Milutinovic, Rishabh Poddar, Rebecca Portnoff, Nate

555 views • 28 slides
Malware: Botnets, Viruses, and Worms Damon McCoy Slide Credit: Vitaly Shmatikov slide 1

Malware: Botnets, Viruses, and Worms Damon McCoy Slide Credit: Vitaly Shmatikov slide 1

Malware: Botnets, Viruses, and Worms Damon McCoy Slide Credit: Vitaly Shmatikov slide 1 Malware Malicious code often masquerades as good software or attaches itself to good software Some malicious programs need host programs

1.29k views • 86 slides
Machine Learning for Malware Analysis Andrew Davis Data Scientist Introduction - What is

Machine Learning for Malware Analysis Andrew Davis Data Scientist Introduction - What is

Machine Learning for Malware Analysis Andrew Davis Data Scientist Introduction - What is Malware? - Software intended to cause harm or inflict damage on computer systems - Many different kinds: - Viruses - Adware/Spyware - Backdoors -

904 views • 30 slides
Machine Learning for Malware Analysis Mike Slawinski Data Scientist Introduction - What is

Machine Learning for Malware Analysis Mike Slawinski Data Scientist Introduction - What is

Machine Learning for Malware Analysis Mike Slawinski Data Scientist Introduction - What is Malware? - Software intended to cause harm or inflict damage on computer systems - Many different kinds: - Adware/Spyware - Backdoors - Viruses

383 views • 26 slides
Virus Infection Techniques: Boot Record Viruses Bill Harrison CS4440/7440 Malware Analysis and

Virus Infection Techniques: Boot Record Viruses Bill Harrison CS4440/7440 Malware Analysis and

Virus Infection Techniques: Boot Record Viruses Bill Harrison CS4440/7440 Malware Analysis and Defense Reading } Start reading Chapter 4 of Szor 2 Virus Infection Techniques } We will survey common locations of virus infections: MBR (Master

727 views • 49 slides
CSCI 4250/6250 Fall 2011 Computer and Networks Security Malware Goodrich, Chapter 4

CSCI 4250/6250 Fall 2011 Computer and Networks Security Malware Goodrich, Chapter 4

CSCI 4250/6250 Fall 2011 Computer and Networks Security Malware Goodrich, Chapter 4 Viruses, Worms, Trojans, Rootkits Malware = Malicious Software can be classified into several categories, depending on propagation and concealment

472 views • 46 slides
TITLE Insert the Sub Title of Your Presentation Table of content 01 Contents Get a modern

TITLE Insert the Sub Title of Your Presentation Table of content 01 Contents Get a modern

TITLE Insert the Sub Title of Your Presentation Table of content 01 Contents Get a modern PowerPoint Presentation that is beautifully designed. I hope and I believe that this Template will your Time. 02 Contents Get a modern PowerPoint

521 views • 16 slides
viruses 3 / anti-virus 1 Changelog Corrections made in this version not in fjrst posting: 8 Feb

viruses 3 / anti-virus 1 Changelog Corrections made in this version not in fjrst posting: 8 Feb

viruses 3 / anti-virus 1 Changelog Corrections made in this version not in fjrst posting: 8 Feb 2017: slide 31: visible space after negative foo example 8 Feb 2017: slide 35: [a-zA-Z]*ing instead of [a-zA-Z]ing 8 Feb 2017: slide 56: correct

1.32k views • 116 slides
To add an arrow in Google Slides click the line icon in the toolbar then select Arrow in

To add an arrow in Google Slides click the line icon in the toolbar then select Arrow in

To add an arrow in Google Slides click the line icon in the toolbar then select Arrow in menu To make an arrow more visible: 1.) click the arrow 2.) click the Line Weight icon in the toolbar 3.) then select the size from the menu

513 views • 3 slides
Adding Slides to Homepage SlideShow From Wordpress dashboard, open MetaSlider. You may have to

Adding Slides to Homepage SlideShow From Wordpress dashboard, open MetaSlider. You may have to

Adding Slides to Homepage SlideShow From Wordpress dashboard, open MetaSlider. You may have to scroll down to see it. Select Add Slide from the top menu Here you can choose to an existing image from the Media Library or you can Upload a

450 views • 10 slides
Malware Nadia Heninger and Deian Stefan UCSD Fall 2019 Some material from Stefan Savage and

Malware Nadia Heninger and Deian Stefan UCSD Fall 2019 Some material from Stefan Savage and

CSE 127: Computer Security Malware Nadia Heninger and Deian Stefan UCSD Fall 2019 Some material from Stefan Savage and David Wagner Vulnerability of the week: Sudo flaw thehackernews.com/2019/10/linux-sudo-run-as-root-flaw.html Today

748 views • 39 slides
CO CO 447 | LEC3 SECU CURE DE DESIGN PRINCI CIPLES JAVA SECU CURITY ROP AND D ADVANCE CED

CO CO 447 | LEC3 SECU CURE DE DESIGN PRINCI CIPLES JAVA SECU CURITY ROP AND D ADVANCE CED

CO CO 447 | LEC3 SECU CURE DE DESIGN PRINCI CIPLES JAVA SECU CURITY ROP AND D ADVANCE CED D EX EXPL PLOITS Dr. Ben Livshits Java and Native Interactions 2 Possible to compile bytecode class file to native code class

1.22k views • 86 slides
Second Quarter 2020 Earnings Slides August 4, 2020 Forward-Looking Statements This presentation

Second Quarter 2020 Earnings Slides August 4, 2020 Forward-Looking Statements This presentation

Second Quarter 2020 Earnings Slides August 4, 2020 Forward-Looking Statements This presentation includes forward-looking statements as that term is defined in the Private Securities Litigation Reform Act of 1995. Such forward looking statements

401 views • 29 slides
Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International

Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International

ITS335 Malicious Software Malicious Software Propagation Payload Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October

673 views • 30 slides

More recommend