Network Security Fundamentals Security Training Course Dr. Charles - PowerPoint PPT Presentation

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013

Network Security Fundamentals Module 5 Viruses & Worms, Botnets, Today’s Threats

Viruses & Worms

Viruses • Program that copies itself to other programs  In the same directory  In a fixed directory • Virus spreads by the copying of files  By users, typically • When program invoked  Virus executes first  Copies itself to other programs  Optionally, performs some malicious action  Then executes host program • Example:  W97M.Marker 04/13 cja 2013 4

Worms • Viruses that use network to replicate • No dependence on copying files • Worm generates its own targets  Via self-stored data  Via host-stored data  Randomly  Combinations thereof • Example:  Blaster 04/13 cja 2013 5

Types of Viruses • Boot sector • Executable infector • Multipartite • TSR • Stealth • Encrypted • Polymorphic • Metamorphic 04/13 cja 2013 6

Macro Viruses • Virus instructions are interpreted  Platform independent • Infect common applications  Microsoft Excel, … • Easily spread • Easily defeated  Prohibit automatic execution of code 04/13 cja 2013 7

Virus distribution • Sophos study (2002)  26.1% macro viruses  26.1% Trojan horses  19.2% executable viruses  6.8% script viruses  21.8% other (Unix, boot sector, worms, file, Macintosh, multipartite) 04/13 cja 2013 8

Malicious code types, 2010 Source: Symantec Global Internet Security Threat Report, Vol. XVI, April 2011 04/13 cja 2013 9

Malicious Code Types, 2012 Figure B11: Propagation Mechanisms Source: Symantec Internet Security Threat Report, Vol. 17, April 2012 02/13 cja 2013 10

Antiviral approaches • Detection  Scan for virus code “ signatures ”  More difficult for encrypting viruses  Polymorphic - decrypt using emulator, or analyze encrypted virus body statistically  Metamorphic - harder • Identification  Vendor databases • Removal  Quarantine  render harmless by encryption or compression  copy to quarantine area  Delete 04/13 cja 2013 11

U-M Anti-virus • http://safecomputing.umich.edu/antivirus/ • Free Microsoft Security Essentials for personally-owned Windows machines • Microsoft Forefront Endpoint Protection for university owned Windows machines  32- and 64-bit versions • Free Sophos Anti-Virus for Mac OS X machines  All versions of OS X up to and including 10.7 (Lion) • Good, concise security recommendations  http://www.safecomputing.umich.edu/tools/security_shorts.html �  http://www.safecomputing.umich.edu/MDS/  http://www.safecomputing.umich.edu/students.php • More information  http://www.safecomputing.umich.edu/ 04/13 cja 2013 12

Spyware • Generic name for software that tracks users ’ behavior • Wide range of activities  Keystroke loggers  Tracking cookies  File inspectors  Location awareness  Remote video & audio recording • Store-and-forward  As hard to detect remotely as botnets are 04/13 cja 2013 13

Spyware • Detection and removal tools  Windows Defender (née Microsoft AntiSpyware)  http://www.microsoft.com/athome/security/spyware/ software/default.mspx  Lavasoft Ad-Aware  http://www.lavasoftusa.net/  Spybot Search&Destroy  http://www.safer-networking.org/ 04/13 cja 2013 14

Botnets

Botnets • Malware installed on victim machines listens for transmitted instructions  Attack other machines  Transmit spam  Participate in DDOS attacks  Crack passwords  … • Installed via well-known vectors • Communicate with command and control host(s) via anonymous message services  Typically irc  Typically encrypted  Typically silent, so hard to find 04/13 cja 2013 16

Botnets • One of the major threats  Large increase in 4Q2006 spam traffic  30-450% increase  Very large botnets  1.5 x 10 6 bots in Dutch botnet (2005)  5 x 10 6 bots in Conficker (2009) » Encrypted & authenticated » Some recent progress in detection  2 x 10 6 bots in CoreFlood (2011) » Operating for 8+ years 04/13 cja 2013 17

Microsoft Security Intelligence Report 1H2011 04/13 cja 2013 http://www.microsoft.com/security/sir/default.aspx 18

Microsoft Security Intelligence Report 1H2012 04/13 cja 2013 http://www.microsoft.com/security/sir/default.aspx 19

Super botnets • 1Q2013 DDOS attacks  48 Gbps average (130 Gbps peak)  Up from 6 Gbps 1Q2012 • Attackers targeting Web servers  Much more bandwidth  Wordpress, Joomla, other DIY Source: Prolexic Quarterly Global Ddos Attack Report, Q1 2013 04/13 cja 2013 20

Today ’ s Threats

Attack Toolkits, 2011 Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012 10/12 cja 2012 22

Total vulnerabilities, 2011 Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012 10/12 cja 2012 23

Web Browser Vulnerabilities, 2011 Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012 10/12 cja 2012 24

Web Browser Vulnerabilities, 2010 Source: Symantec Global Internet Security Threat Report, Vol. 16, April 2011 10/12 cja 2012 25

Today’s threats • In addition to the 81% surge in attacks, the number of unique malware variants also increased by 41% and the number of Web attacks blocked per day also increased dramatically, by 36%. Greater numbers of more widespread attacks employed advanced techniques, such as server-side polymorphism to colossal effect. This technique enables attackers to generate an almost unique version of their malware for each potential victim. Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012 10/12 cja 2012 26

Today’s threats • We saw a rising tide of advanced targeted attacks in 2011 (94 per day on average at the end of November 2011). In terms of people who are being targeted, it’s no longer only the CEOs and senior level staff. 58% of the attacks are going to people in other job functions such as Sales, HR, Executive Assistants, and Media/ Public Relations. Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012 10/12 cja 2012 27

Today’s threats • High-profile hacks of Certificate Authorities, providers of Secure Sockets layer (SSL) Certificates, threatened the systems that underpin trust in the internet itself. Website owners recognized the need to adopt SSL more broadly to combat Man-In-The-Middle (MITM) attacks, notably for securing non-transactional pages, as exemplified by Facebook, Google, Microsoft, and Twitter adoption of Always On SSL. Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012 10/12 cja 2012 28 • .

Today’s threats • Gartner predicts sales of smartphones to end users will reach 461.5 million in 2011 and rise to 645 million in 2012. [M]obile offers new opportunities to cybercriminals that potentially are more profitable. A stolen credit card may go for as little as USD 40-80 cents. Malware that sends premium SMS text messages can pay the author USD $9.99 for each text. Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012 10/12 cja 2012 29

Today’s threats • More than 232.4 million identities were exposed overall during 2011. [B]reaches caused by hacking attacks had the greatest impact and exposed more than 187.2 million identities, the greatest number for any type of breach in 2011. The most frequent cause of data breaches was theft or loss of a computer or other medium, such as a USB key or a back-up medium. Theft or loss accounted for 34.3% of breaches that could lead to identities exposed. Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012 10/12 cja 2012 30

References • http://en.wikipedia.org/wiki/ Timeline_of_notable_computer_viruses_and_worms • http://www.symantec.com/threatreport/  Symantec Internet Security Threat Report, Volume 17, April 2012 • http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/ BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf • http://arstechnica.com/security/2013/04/fueled-by-super-botnets- ddos-attacks-grow-meaner-and-ever-more-powerful/ 04/13 cja 2013 31