more on malware cs 136 computer security peter reiher
play

More on Malware CS 136 Computer Security Peter Reiher March 4, - PowerPoint PPT Presentation

Jan 15, 2023 •156 likes •701 views

More on Malware CS 136 Computer Security Peter Reiher March 4, 2008 Lecture 14 Page 1 CS 136, Winter 2008 Outline Introduction Viruses Trojan horses Trap doors Logic bombs Worms Botnets Spyware Some

  1. More on Malware CS 136 Computer Security Peter Reiher March 4, 2008 Lecture 14 Page 1 CS 136, Winter 2008

  2. Outline • Introduction • Viruses • Trojan horses • Trap doors • Logic bombs • Worms • Botnets • Spyware • Some related topics – Hoaxes – Rootkits Lecture 14 Page 2 CS 136, Winter 2008

  3. Worms • Programs that seek to move from system to system – Making use of various vulnerabilities • Other performs other malicious behavior • The Internet worm used to be the most famous example – Blaster, Slammer, Witty are other worms • Can spread very, very rapidly Lecture 14 Page 3 CS 136, Winter 2008

  4. The Internet Worm • Created by a graduate student at Cornell in 1988 • Released (perhaps accidentally) on the Internet Nov. 2, 1988 • Spread rapidly throughout the network – 6000 machines infected Lecture 14 Page 4 CS 136, Winter 2008

  5. The Effects of the Worm • Essentially, affected systems ended up with large and increasing numbers of processes devoted to the worm • Eventually all processes in the process table used up • Rebooting didn’t help, since other infected sites would immediately re-infect the rebooted machine Lecture 14 Page 5 CS 136, Winter 2008

  6. A Visual Picture of the Infection A B C D Lecture 14 Page 6 CS 136, Winter 2008

  7. And What If Someone Reboots? Reboot A B C D Lecture 14 Page 7 CS 136, Winter 2008

  8. How Did the Internet Worm Work? • The worm attacked network security vulnerabilities in one class of OS – Unix 4 BSD variants • These vulnerabilities allowed improper execution of remote processes • Which allowed the worm to get a foothold on a system Lecture 14 Page 8 CS 136, Winter 2008

  9. The Worm’s Actions on Infecting a System • Find an uninfected system and infect that one • Using the same vulnerabilities • Here’s where it ran into trouble: – It re-infected already infected systems – Each infection was a new process Lecture 14 Page 9 CS 136, Winter 2008

  10. The Worm’s Breaking Methods • rsh - if the remote host is on the trusted hosts lists, simply rsh ’ing could work • fingerd - exploit a bug in the fingerd program to overwrite a buffer in a useful way • sendmail - invoke a debugging option in sendmail and issue commands Lecture 14 Page 10 CS 136, Winter 2008

  11. What Didn’t the Worm Do? • It didn’t attempt to intentionally damage a system • It didn’t attempt to divulge sensitive information (e.g., passwords) • It didn’t try hard to become root – And didn’t exploit root access if it got superuser access Lecture 14 Page 11 CS 136, Winter 2008

  12. Stopping the Worm • In essence, required rebooting all infected systems – And not bringing them back on the network until the worm was cleared out – Though some sites stayed connected • Also, the flaws it exploited had to be patched Lecture 14 Page 12 CS 136, Winter 2008

  13. Effects of the Worm • Around 6000 machines were infected and required substantial disinfecting activities • Many, many more machines were brought down or pulled off the net – Due to uncertainty about scope and effects of the worm Lecture 14 Page 13 CS 136, Winter 2008

  14. How Much Did the Worm Cost? • Hard to quantify – Typical for costs of computer attacks • Estimates as high as $98 million – Probably overstated, but certainly millions in down time, sysadmin and security expert time, and costs of disconnections Lecture 14 Page 14 CS 136, Winter 2008

  15. What Did the Worm Teach Us? • The existence of some particular vulnerabilities • The costs of interconnection • The dangers of being trusting • Denial of service is easy • Security of hosts is key • Logging is important • We obviously didn’t learn enough Lecture 14 Page 15 CS 136, Winter 2008

  16. Santy Worm • Exploited a vulnerability in phpBB software (2004) • Cleverly used Google queries to automatically find systems to infect • Infected 30,000-40,000 • Demonstrated innovation in finding infectable sites Lecture 14 Page 16 CS 136, Winter 2008

  17. Code Red • A malicious worm that attacked Windows machines • Basically used vulnerability in Microsoft IIS servers • Became very widely spread and caused a lot of trouble Lecture 14 Page 17 CS 136, Winter 2008

  18. How Code Red Worked • Attempted to connect to TCP port 80 (a web server port) on randomly chosen host • If successful, sent HTTP GET request designed to cause a buffer overflow • If successful, defaced all web pages requested from web server Lecture 14 Page 18 CS 136, Winter 2008

  19. More Code Red Actions • Periodically, infected hosts tried to find other machines to compromise • Triggered a DDoS attack on a fixed IP address at a particular time • Actions repeated monthly • Possible for Code Red to infect a machine multiple times simultaneously Lecture 14 Page 19 CS 136, Winter 2008

  20. Code Red Stupidity • Bad method used to choose another random host – Same random number generator seed to create list of hosts to probe • DDoS attack on a particular fixed IP address – Merely changing the target’s IP address made the attack ineffective Lecture 14 Page 20 CS 136, Winter 2008

  21. Code Red II • Used smarter random selection of targets • Didn’t try to reinfect infected machines • Adds a Trojan Horse version of Internet Explorer to machine – Unless other patches in place, will reinfect machine after reboot on login • Also, left a backdoor on some machines • Doesn’t deface web pages or launch DDoS Lecture 14 Page 21 CS 136, Winter 2008

  22. A Major Difference • Code Red periodically turns on and tries to infect again • Code Red II worked intensively for 24-48 hours after infection – Then stopped • Eventually, Code Red II infected all infectable machines – Some are still infected, but they’ve stopped trying to spread it Lecture 14 Page 22 CS 136, Winter 2008

  23. Impact of Code Red and Code Red II • Code Red infected over 250,000 machines • In combination, estimated infections of over 750,000 machines • Code Red II is essentially dead – Except for periodic reintroductions of it • But Code Red is still out there Lecture 14 Page 23 CS 136, Winter 2008

  24. A Bad Secondary Effect of Code Red • Generates lots of network traffic • U. of Michigan study found 40 billion attempts to infect 8 fake “machines” per month – Each attempt was a packet – So that’s ~1 billion packets per day just for those eight addresses • “The new Internet locust 1 ” 1 Farnham Jahanian, talk at DARPA FTN meeting, Jan 18, 2002 Lecture 14 Page 24 CS 136, Winter 2008

  25. Worm, Virus, or Trojan Horse? • Terms often used interchangeably • Trojan horse formally refers to a program containing evil code – Only run when user executes it – Effect isn’t necessarily infection • Viruses seek to infect other programs • Worms seek to move from machine to machine Lecture 14 Page 25 CS 136, Winter 2008

  26. Storm Worm • A mixed threat that isn’t ideologically pure about how it gets around • Uses Trojan horse methods, but also other techniques to spread • Hundreds of thousands to millions of nodes infected by Storm • And it’s still going strong Lecture 14 Page 26 CS 136, Winter 2008

  27. What Does the Storm Worm Do? • Spreads • Also used for sending spam – Stock scams, on-line “pharmacies,” etc. • Launches denial of service attacks on sites it thinks are trying to analyze it • Authors/controllers keep adapting it Lecture 14 Page 27 CS 136, Winter 2008

  28. Interesting Storm Features • Stealth – Tries hard not to be noisy/intrusive • Polymorphism – Changes its spreading payload frequently – Also has changed basic mechanism (PDF spam, e-cards, YouTube invites) • Peer control structures • Use of fast flux technology Lecture 14 Page 28 CS 136, Winter 2008

  29. Fast Flux • Constantly changing DNS records – Given name serially maps to large number of different IP addresses • Designed to make it hard to track down attackers • Can change mapping of name to address every three minutes or so Lecture 14 Page 29 CS 136, Winter 2008

  30. Status of Storm • Owners/controllers tracked down to Russia – Whose authorities are not cooperative • Microsoft has issued patches to prevent spread and disinfect – Cleaning up ~200,000 machines per month • Symantec estimates Storm only responsible for .25% of all infections in 2007 Lecture 14 Page 30 CS 136, Winter 2008

  31. Botnets • A collection of compromised machines • Under control of a single person • Organized using distributed system techniques • Used to perform various forms of attacks – Usually those requiring lots of power Lecture 14 Page 31 CS 136, Winter 2008

  32. What Are Botnets Used For? • Spam • Distributed denial of service attacks • Hosting of pirated content • Hosting of phishing sites • Harvesting of valuable data – From the infected machines • Much of their time spent on spreading Lecture 14 Page 32 CS 136, Winter 2008

  33. Botnet Software • Each bot runs some special software – Often built from a toolkit • Used to control that machine • Generally allows downloading of new attack code – And upgrades of control software • Incorporates some communication method – To deliver commands to the bots Lecture 14 Page 33 CS 136, Winter 2008

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Malicious Software Computer Security Peter Reiher November 25, 2014 Lecture 12 Page 1 CS 136,

Malicious Software Computer Security Peter Reiher November 25, 2014 Lecture 12 Page 1 CS 136,

Malicious Software Computer Security Peter Reiher November 25, 2014 Lecture 12 Page 1 CS 136, Fall 2014 Outline Introduction Viruses Trojan horses Trap doors Logic bombs Worms Botnets Spyware Malware

838 views • 67 slides
Network Security Computer Security Peter Reiher November 4, 2014 Lecture 9 Page 1 CS 136,

Network Security Computer Security Peter Reiher November 4, 2014 Lecture 9 Page 1 CS 136,

Network Security Computer Security Peter Reiher November 4, 2014 Lecture 9 Page 1 CS 136, Fall 2014 Outline Network security characteristics and threats Denial of service attacks Traffic control mechanisms Firewalls

797 views • 67 slides
Web Security Computer Security Peter Reiher December 9, 2014 Lecture 15 Page 1 CS 136, Fall

Web Security Computer Security Peter Reiher December 9, 2014 Lecture 15 Page 1 CS 136, Fall

Web Security Computer Security Peter Reiher December 9, 2014 Lecture 15 Page 1 CS 136, Fall 2014 Web Security Lots of Internet traffic is related to the web Much of it is financial in nature Also lots of private information flow

859 views • 70 slides
Introduction CS 136 Computer Security Peter Reiher April 1, 2014 Lecture 1 Page 1 CS 136,

Introduction CS 136 Computer Security Peter Reiher April 1, 2014 Lecture 1 Page 1 CS 136,

Introduction CS 136 Computer Security Peter Reiher April 1, 2014 Lecture 1 Page 1 CS 136, Spring 2014 Purpose of Class To introduce students to computer security issues To familiarize students with secure software development

1.18k views • 72 slides
Introduction CS 136 Computer Security Peter Reiher January 10, 2017 Lecture 1 Page 1 CS 136,

Introduction CS 136 Computer Security Peter Reiher January 10, 2017 Lecture 1 Page 1 CS 136,

Introduction CS 136 Computer Security Peter Reiher January 10, 2017 Lecture 1 Page 1 CS 136, Winter 2017 Purpose of Class To introduce students to computer security issues To familiarize students with secure software development

599 views • 57 slides
Introduction CS 136 Computer Security Peter Reiher January 8, 2008 Lecture 1 Page 1 CS 136,

Introduction CS 136 Computer Security Peter Reiher January 8, 2008 Lecture 1 Page 1 CS 136,

Introduction CS 136 Computer Security Peter Reiher January 8, 2008 Lecture 1 Page 1 CS 136, Winter 2008 Purpose of Class To introduce students to computer security issues To familiarize students with secure software development

1.19k views • 72 slides
Layer Optimization: Security and Privacy CS 118 Computer Network Fundamentals Peter Reiher

Layer Optimization: Security and Privacy CS 118 Computer Network Fundamentals Peter Reiher

Layer Optimization: Security and Privacy CS 118 Computer Network Fundamentals Peter Reiher Lecture 18 CS 118 Page 1 Winter 2016 Another type of layer deficiency Some layers of protocol do not provide any security or privacy What if

708 views • 59 slides
Network Security CS 136 Computer Security Peter Reiher February 21, 2008 Lecture 11 Page 1

Network Security CS 136 Computer Security Peter Reiher February 21, 2008 Lecture 11 Page 1

Network Security CS 136 Computer Security Peter Reiher February 21, 2008 Lecture 11 Page 1 CS 136, Winter 2008 Outline Basics of network security Definitions Sample attacks Defense mechanisms Lecture 11 Page 2 CS 136,

613 views • 50 slides
Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1

Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1

Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1 Spring 2015 Outline Basic concepts in computer security Design principles for security Important security tools for operating systems

844 views • 56 slides
Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1

Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1

Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1 Fall 2015 Outline Basic concepts in computer security Design principles for security Important security tools for operating systems

1.15k views • 64 slides
Introduction to Cryptography CS 136 Computer Security Peter Reiher January 17, 2017 Lecture 3

Introduction to Cryptography CS 136 Computer Security Peter Reiher January 17, 2017 Lecture 3

Introduction to Cryptography CS 136 Computer Security Peter Reiher January 17, 2017 Lecture 3 Page 1 CS 136, Winter 2017 Outline What is data encryption? Cryptanalysis Basic encryption methods Substitution ciphers

1.16k views • 66 slides
Security Exercises for the Online Classroom with DETER Peter A. H. Peterson and Dr. Peter L.

Security Exercises for the Online Classroom with DETER Peter A. H. Peterson and Dr. Peter L.

Security Exercises for the Online Classroom with DETER Peter A. H. Peterson and Dr. Peter L. Reiher {pahp, reiher}@cs.ucla.edu Laboratory for Advanced Systems Research (LASR) University of California Los Angeles The 3 rd Workshop on Cyber

314 views • 28 slides
Introduction CS 236 Advanced Computer Security Peter Reiher April 1, 2008 Lecture 1 Page 1

Introduction CS 236 Advanced Computer Security Peter Reiher April 1, 2008 Lecture 1 Page 1

Introduction CS 236 Advanced Computer Security Peter Reiher April 1, 2008 Lecture 1 Page 1 CS 236, Spring 2008 Outline Subject of class Class topics and organization Reading material Class web page Grading Projects

838 views • 50 slides
Securing Your System CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Securing Your System CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Securing Your System CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 19 Page 1 CS 236 Online Putting It All Together Weve talked a lot about security principles And about security problems And

209 views • 17 slides
Evaluating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Evaluating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Evaluating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 15 Page 1 CS 236 Online Evaluating Program Security What if your task isnt writing secure code? Its determining if someone

423 views • 16 slides
Network Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture

Network Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture

Network Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 9 Page 1 CS 236 Online Some Important Network Characteristics for Security Degree of locality Media used Protocols used Lecture 9

156 views • 11 slides
Developing Systems for Cyber Situational Awareness* James Okolica, J. Todd McDonald, Gilbert L.

Developing Systems for Cyber Situational Awareness* James Okolica, J. Todd McDonald, Gilbert L.

Air Force Institute of Technology Develop America's Airmen Today ... for Tomorrow Developing Systems for Cyber Situational Awareness* James Okolica, J. Todd McDonald, Gilbert L. Peterson, Robert F. Mills, and Michael W. Haas Center for

355 views • 19 slides
Network Economics -- Lecture 4: Incen5ves and games

Network Economics -- Lecture 4: Incen5ves and games

Network Economics -- Lecture 4: Incen5ves and games in security Patrick Loiseau EURECOM Fall 2015 1 References J. Walrand. Economics

882 views • 70 slides
TAXONOMY AND CHALLENGES IN MACHINE LEARNING-BASED APPROACHES TO DETECT ATTACKS IN THE INTERNET

TAXONOMY AND CHALLENGES IN MACHINE LEARNING-BASED APPROACHES TO DETECT ATTACKS IN THE INTERNET

The 15th International Conference on Availability, Reliability and Security (ARES 2020) August 25 to August 28, 2020 in Dublin, Ireland ID-86 workshop paper (IoT-SECFOR) TAXONOMY AND CHALLENGES IN MACHINE LEARNING-BASED APPROACHES TO DETECT

583 views • 13 slides
Lec04: Writing Exploits Taesoo Kim 2 Scoreboard 3 Administrivia Join Piazza! An

Lec04: Writing Exploits Taesoo Kim 2 Scoreboard 3 Administrivia Join Piazza! An

1 Lec04: Writing Exploits Taesoo Kim 2 Scoreboard 3 Administrivia Join Piazza! An optional recitation at 4:30-5:30pm on Wed (in CBC 104A) Due: Lab03 (stack overflow) on Sept 21 at midnight NSA Codebreaker Challenge

423 views • 20 slides
Towards Recoverable Hybrid Byzantine Consensus Hans P. Reiser 1 , R udiger Kapitza 2 1 University

Towards Recoverable Hybrid Byzantine Consensus Hans P. Reiser 1 , R udiger Kapitza 2 1 University

Towards Recoverable Hybrid Byzantine Consensus Hans P. Reiser 1 , R udiger Kapitza 2 1 University of Lisboa, Portugal 2 University of Erlangen-N urnberg, Germany September 22, 2009 Overview Background 1 Why? When? Where? Towards

603 views • 34 slides
and Compliance Management for Dynamic EDS Carlos Rubio-Medrano , Josephine Lamp , Ziming Zhao and

and Compliance Management for Dynamic EDS Carlos Rubio-Medrano , Josephine Lamp , Ziming Zhao and

A RIZONA S TATE U NIVERSITY Fall 2016 Robust and Scalable Security Monitoring and Compliance Management for Dynamic EDS Carlos Rubio-Medrano , Josephine Lamp , Ziming Zhao and Gail-Joon Ahn 11/18/2016 1 A RIZONA S TATE U NIVERSITY Background

893 views • 40 slides
Systematizing Insider Threat mitigation George Magklaras BSc Hons Mphil Information Security

Systematizing Insider Threat mitigation George Magklaras BSc Hons Mphil Information Security

Systematizing Insider Threat mitigation George Magklaras BSc Hons Mphil Information Security & Network Research Group University of Plymouth, UK http://www.network-research-group.org/ Agenda Basic definitions. Manifestation of

1.07k views • 50 slides
CCW Workshop Technical Session on Mobile Cloud Compu<ng

CCW Workshop Technical Session on Mobile Cloud Compu<ng

CCW Workshop Technical Session on Mobile Cloud Compu<ng Panelists: Dijiang Huang (ASU, Moderator) Mario Gerla (UCLA) Huan

626 views • 30 slides

More recommend