Network Security Fundamentals Security Training Course Dr. Charles - - PowerPoint PPT Presentation



SLIDE 1

Network Security Fundamentals

Security Training Course

Dr. Charles J. Antonelli

The University of Michigan, 2013

SLIDE 2

Network Security Fundamentals

Module 5 Viruses & Worms, Botnets, Today’s Threats

SLIDE 3

Viruses & Worms

SLIDE 4

Viruses

  • Program that copies itself to other programs
    • In the same directory
    • In a fixed directory
  • Virus spreads by the copying of files
    • By users, typically
  • When the infected program is invoked
    • Virus executes first
      • Copies itself to other programs
      • Optionally, performs some malicious action
    • Then executes the host program
  • Example: W97M.Marker

4 04/13

cja 2013

SLIDE 5

Worms

  • Viruses that use the network to replicate
    • No dependence on copying files
  • Worm generates its own targets
    • Via self-stored data
    • Via host-stored data
    • Randomly
    • Combinations thereof
  • Example: Blaster

SLIDE 6

Types of Viruses

  • Boot sector
  • Executable infector
  • Multipartite
  • TSR
  • Stealth
  • Encrypted
  • Polymorphic
  • Metamorphic

SLIDE 7

Macro Viruses

  • Virus instructions are interpreted
    • Platform independent
  • Infect common applications
    • Microsoft Excel, …
  • Easily spread
  • Easily defeated
    • Prohibit automatic execution of code
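A first triage step for the macro threat described on this slide is to ask whether a document carries macro code at all and whether the file is what its name claims. The script below is an added example (it is not from the course, and the sample packages it builds in memory are constructed, not real malware): it opens an OOXML package (a .docx/.docm/.xlsx is a zip), looks for a vbaProject.bin part, reads the declared content types, and flags a macro-carrying package that wears a macro-free extension. The list of macro-enabled content types is an assumption covering Word and Excel only.

```python
"""Static triage of an OOXML (Word/Excel) package for VBA macros.

Added example, not from the course slides. The packages are constructed
in memory so the script runs offline; on real files, call
triage_document(name, open(name, "rb").read()).
"""
import io
import re
import zipfile

# Content types Office declares for macro-enabled main parts (Word and Excel;
# assumed list, extend for PowerPoint and templates as needed).
MACRO_ENABLED_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
}
MACRO_FREE_WORD_TYPE = ("application/vnd.openxmlformats-officedocument."
                        "wordprocessingml.document.main+xml")
# Extensions whose format does not carry macros at all.
MACRO_FREE_EXTENSIONS = {".docx", ".xlsx", ".pptx"}


def build_ooxml(main_content_type: str, with_macros: bool) -> bytes:
    """Constructed sample input: a minimal Word package, optionally with a VBA part."""
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_content_type}"/>'
    if with_macros:
        overrides += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     f'{overrides}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # A real vbaProject.bin is an OLE compound file; a stub is enough here.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1stub")
    return buf.getvalue()


def triage_document(filename: str, data: bytes) -> dict:
    """Report macro indicators for one file: VBA part present, declared content
    type, and whether the extension on the name disagrees with the content."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    result = {"is_ooxml": False, "has_vba": False, "macro_enabled_type": False,
              "extension_mismatch": False}
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result          # not a zip: not OOXML (could be a legacy OLE .doc)
    names = z.namelist()
    if "[Content_Types].xml" not in names:
        return result
    result["is_ooxml"] = True
    # Macros live in a vbaProject.bin part regardless of the main part's type.
    result["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    declared = set(re.findall(r'ContentType="([^"]+)"',
                              z.read("[Content_Types].xml").decode("utf-8", "replace")))
    result["macro_enabled_type"] = bool(declared & MACRO_ENABLED_TYPES)
    # A .docx/.xlsx name on a package that carries VBA or declares a macro-enabled
    # type is not what its name claims; treat it as crafted until proven otherwise.
    result["extension_mismatch"] = (
        (result["has_vba"] or result["macro_enabled_type"]) and ext in MACRO_FREE_EXTENSIONS
    )
    return result


if __name__ == "__main__":
    armed = build_ooxml("application/vnd.ms-word.document.macroEnabled.main+xml", True)
    print(triage_document("invoice.docm", armed))
    print(triage_document("invoice.docx", armed))
```

This only answers "are there macros and is the container honest"; it does not read the VBA source, so it cannot tell AutoOpen/Document_Open auto-execution hooks from benign code. For that step, the vbaProject.bin stream has to be decompressed (MS-OVBA), which is what tools such as olevba from the oletools project do. Legacy binary .doc/.xls files are OLE containers rather than zips and fall through the "not OOXML" branch here.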

SLIDE 8

Virus distribution

  • Sophos study (2002)
    • 26.1% macro viruses
    • 26.1% Trojan horses
    • 19.2% executable viruses
    • 6.8% script viruses
    • 21.8% other (Unix, boot sector, worms, file, Macintosh, multipartite)

SLIDE 9

Malicious code types, 2010

[Figure. Source: Symantec Global Internet Security Threat Report, Vol. XVI, April 2011]

SLIDE 10

Malicious Code Types, 2012

[Figure B11: Propagation Mechanisms. Source: Symantec Internet Security Threat Report, Vol. 17, April 2012]

SLIDE 11

Antiviral approaches

  • Detection
    • Scan for virus code “signatures”
    • More difficult for encrypting viruses
      • Polymorphic: decrypt using an emulator, or analyze the encrypted virus body statistically
      • Metamorphic: harder, since there is no fixed body to recover
  • Identification
    • Vendor databases
  • Removal
    • Quarantine
      • Render harmless by encryption or compression
      • Copy to quarantine area
    • Delete
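The three detection techniques on this slide (byte signature, decrypt-by-emulation, statistical analysis of the encrypted body) can be seen side by side on a toy sample. The code below is an added example, not from the course: the "virus body" is a harmless text blob, the "decryptor stub" is a four-byte tag plus key that the toy emulator knows how to interpret (a real engine emulates x86 decryption loops), and the keystream is SHA-256 in counter mode so the ciphertext has near-uniform byte statistics. All names and thresholds are assumptions.

```python
"""Signature scanning against an encrypting (polymorphic-style) virus.

Added example, not from the course. Everything here is constructed: the body
is harmless text, the stub is a header the toy emulator parses, and the
keystream is SHA-256(key || counter).
"""
import hashlib
import math
from collections import Counter

# Constructed, harmless stand-in for a virus body (low-entropy ASCII).
VIRUS_BODY = (b"VIRUS BODY: copy self to *.exe in cwd; "
              b"if day == 13 then overwrite boot sector; "
              b"then jump to original entry point; ") * 4
# Byte-sequence signature a vendor might extract from the plaintext body.
SIGNATURE = b"overwrite boot sector"
STUB_MAGIC = b"DECR"   # toy decryptor stub: magic || 8-byte key || ciphertext
KEY_LEN = 8


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream: SHA-256(key || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_variant(key: bytes) -> bytes:
    """One encrypted variant: stub header + body XORed with a key-derived stream.
    Each key yields a different file with the same behaviour once decrypted.
    (A single-byte XOR key would leave the byte histogram, and so the entropy,
    unchanged; that is why a keystream is used here.)"""
    assert len(key) == KEY_LEN
    return STUB_MAGIC + key + xor_bytes(VIRUS_BODY, keystream(key, len(VIRUS_BODY)))


def file_hash(sample: bytes) -> str:
    """Whole-file hash, the weakest kind of signature: breaks on any change."""
    return hashlib.sha256(sample).hexdigest()


def static_scan(sample: bytes) -> bool:
    """Plain signature scan: does the byte pattern occur in the file as stored?"""
    return SIGNATURE in sample


def emulate_and_scan(sample: bytes) -> bool:
    """Emulate the decryptor stub, then scan the recovered body."""
    header = len(STUB_MAGIC) + KEY_LEN
    if not sample.startswith(STUB_MAGIC) or len(sample) <= header:
        return static_scan(sample)            # no stub we understand: scan as-is
    key = sample[len(STUB_MAGIC):header]
    body = xor_bytes(sample[header:], keystream(key, len(sample) - header))
    return SIGNATURE in body


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte histogram (0..8 bits per byte)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(sample: bytes, threshold: float = 6.0) -> bool:
    """Statistical check: near-uniform bytes hint at an encrypted or packed body.
    The threshold is an assumption; plain code and text sit well below it."""
    return entropy_bits_per_byte(sample) > threshold


if __name__ == "__main__":
    v1, v2 = make_variant(b"key-0001"), make_variant(b"key-0002")
    print("static:", static_scan(v1), "emulated:", emulate_and_scan(v1))
    print("entropy plain/encrypted: %.2f / %.2f"
          % (entropy_bits_per_byte(VIRUS_BODY), entropy_bits_per_byte(v1)))
```

Two variants made from different keys share no hash and no plaintext signature, so the file hash and the static scan both miss them; the emulator recovers the body and the signature matches again, and the entropy check flags the ciphertext as worth emulating in the first place. A metamorphic virus rewrites the body itself rather than encrypting it, so there is no fixed plaintext to recover, which is why the slide marks it as the harder case.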

SLIDE 12

U-M Anti-virus

  • http://safecomputing.umich.edu/antivirus/
    • Free Microsoft Security Essentials for personally-owned Windows machines
    • Microsoft Forefront Endpoint Protection for university-owned Windows machines
      • 32- and 64-bit versions
    • Free Sophos Anti-Virus for Mac OS X machines
      • All versions of OS X up to and including 10.7 (Lion)
  • Good, concise security recommendations
    • http://www.safecomputing.umich.edu/tools/security_shorts.html
    • http://www.safecomputing.umich.edu/MDS/
    • http://www.safecomputing.umich.edu/students.php
  • More information
    • http://www.safecomputing.umich.edu/

SLIDE 13

Spyware

  • Generic name for software that tracks users’ behavior
  • Wide range of activities
    • Keystroke loggers
    • Tracking cookies
    • File inspectors
    • Location awareness
    • Remote video & audio recording
    • Store-and-forward
  • As hard to detect remotely as botnets are

SLIDE 14

Spyware

  • Detection and removal tools
    • Windows Defender (née Microsoft AntiSpyware)
      http://www.microsoft.com/athome/security/spyware/software/default.mspx
    • Lavasoft Ad-Aware
      http://www.lavasoftusa.net/
    • Spybot Search&Destroy
      http://www.safer-networking.org/

SLIDE 15

Botnets

SLIDE 16

Botnets

  • Malware installed on victim machines listens for transmitted instructions
    • Attack other machines
    • Transmit spam
    • Participate in DDoS attacks
    • Crack passwords
  • Installed via well-known vectors
  • Communicate with command and control host(s) via anonymous message services
    • Typically IRC
    • Typically encrypted
    • Typically silent, so hard to find
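Both the worm slide (a worm generates its own targets, so an infected host fans out to many addresses) and this slide (a bot checks in with its C2 host quietly, often over encrypted IRC) describe behaviour that survives in connection metadata even when the payload is encrypted. The script below is an added example, not from the course: it runs two behavioural detections over a constructed tab-separated connection log (timestamp, source, destination, destination port, protocol; the same fields a Zeek conn.log carries). One host beacons to one address on TCP/6667 at near-constant intervals, one host touches 30 neighbours on TCP/445 in fifteen seconds, and one host browses normally. Thresholds and addresses are assumptions.

```python
"""Behavioural detections over connection logs: worm-style scan fan-out and
botnet-style C2 beaconing.

Added example, not from the course. The log is constructed in
build_sample_log() so the script runs offline.
"""
from collections import defaultdict
from statistics import mean, pstdev


def build_sample_log() -> str:
    """Constructed sample: one beaconing bot, one scanning worm, one normal host."""
    lines = []
    jitter = [0, 1, -2, 2, 0, -1, 1, 0, -2, 1, 0, 2]
    for i, j in enumerate(jitter):             # bot: every ~300 s to one IRC port
        lines.append(f"{1000 + 300 * i + j}\t10.0.0.5\t203.0.113.7\t6667\ttcp")
    for i in range(30):                        # worm: 30 targets on 445 in 15 s
        lines.append(f"{2000 + i * 0.5}\t10.0.0.9\t10.0.0.{10 + i}\t445\ttcp")
    normal = [(1010, "198.51.100.2", 443), (1130, "198.51.100.9", 80),
              (1133, "198.51.100.2", 443), (1900, "198.51.100.4", 443),
              (2500, "198.51.100.2", 443), (2504, "198.51.100.2", 443),
              (3300, "198.51.100.9", 80), (3900, "198.51.100.4", 443),
              (4100, "198.51.100.2", 443)]
    for ts, dst, port in normal:               # user: irregular web traffic
        lines.append(f"{ts}\t10.0.0.3\t{dst}\t{port}\ttcp")
    return "\n".join(lines) + "\n"


def parse(log_text: str) -> list:
    """Parse 'ts src dst dport proto' lines into sorted tuples; skip comments."""
    records = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split("\t")
        records.append((float(ts), src, dst, int(dport), proto))
    return sorted(records)


def find_beacons(records, min_conns: int = 8, max_cv: float = 0.1) -> list:
    """Flag (src, dst, dport) tuples contacted at near-constant intervals.
    The coefficient of variation of the gaps (stdev / mean) is low for a timer-
    driven check-in and high for a human. Returns [(key, mean_gap_seconds)]."""
    times = defaultdict(list)
    for ts, src, dst, dport, _ in records:
        times[(src, dst, dport)].append(ts)
    hits = []
    for key, ts_list in times.items():
        if len(ts_list) < min_conns:
            continue
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            hits.append((key, round(m, 1)))
    return sorted(hits)


def find_scanners(records, window: float = 60.0, min_targets: int = 20) -> list:
    """Flag (src, dport) pairs that reach many distinct hosts inside one time
    bucket. Returns [((src, dport), max_distinct_targets_in_a_bucket)]."""
    per_bucket = defaultdict(set)
    for ts, src, dst, dport, _ in records:
        per_bucket[(src, dport, int(ts // window))].add(dst)
    hits = {}
    for (src, dport, _), dsts in per_bucket.items():
        if len(dsts) >= min_targets:
            hits[(src, dport)] = max(hits.get((src, dport), 0), len(dsts))
    return sorted(hits.items())


def analyze(log_text: str) -> dict:
    records = parse(log_text)
    return {"beacons": find_beacons(records), "scanners": find_scanners(records)}


if __name__ == "__main__":
    for kind, hits in analyze(build_sample_log()).items():
        print(kind, hits)
```

Neither check looks at payload, which is the point: an encrypted IRC session on an unusual port still leaks its timer. The caveats are the ones a real deployment hits immediately: bots add random sleep (raise `max_cv` or use the median gap), rotate among several C2 hosts (key on the source alone and on ASN rather than IP), and the fixed-bucket scan counter misses a scan that straddles a bucket boundary (a sliding window fixes that at the cost of more state).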

SLIDE 17

Botnets

  • One of the major threats
  • Large increase in 4Q2006 spam traffic
    • 30–450% increase
  • Very large botnets
    • 1.5 × 10^6 bots in Dutch botnet (2005)
    • 5 × 10^6 bots in Conficker (2009)
      • Encrypted & authenticated
      • Some recent progress in detection
    • 2 × 10^6 bots in CoreFlood (2011)
      • Operating for 8+ years

SLIDE 18

Microsoft Security Intelligence Report, 1H2011

[Figure. Source: http://www.microsoft.com/security/sir/default.aspx]

SLIDE 19

Microsoft Security Intelligence Report, 1H2012

[Figure. Source: http://www.microsoft.com/security/sir/default.aspx]

SLIDE 20

Super botnets

  • 1Q2013 DDoS attacks
    • 48 Gbps average (130 Gbps peak)
      • Up from 6 Gbps in 1Q2012
  • Attackers targeting Web servers
    • Much more bandwidth
    • WordPress, Joomla, other DIY platforms

Source: Prolexic Quarterly Global DDoS Attack Report, Q1 2013

SLIDE 21

Today’s Threats

SLIDE 22

Attack Toolkits, 2011

[Figure. Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012]

10/12 cja 2012

SLIDE 23

Total vulnerabilities, 2011

[Figure. Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012]

SLIDE 24

Web Browser Vulnerabilities, 2011

[Figure. Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012]

SLIDE 25

Web Browser Vulnerabilities, 2010

[Figure. Source: Symantec Global Internet Security Threat Report, Vol. 16, April 2011]

SLIDE 26

Today’s threats

  • “In addition to the 81% surge in attacks, the number of unique malware variants also increased by 41% and the number of Web attacks blocked per day also increased dramatically, by 36%. Greater numbers of more widespread attacks employed advanced techniques, such as server-side polymorphism to colossal effect. This technique enables attackers to generate an almost unique version of their malware for each potential victim.”

Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012

SLIDE 27

Today’s threats

  • “We saw a rising tide of advanced targeted attacks in 2011 (94 per day on average at the end of November 2011). In terms of people who are being targeted, it’s no longer only the CEOs and senior level staff. 58% of the attacks are going to people in other job functions such as Sales, HR, Executive Assistants, and Media/Public Relations.”

Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012

SLIDE 28

Today’s threats

  • “High-profile hacks of Certificate Authorities, providers of Secure Sockets Layer (SSL) Certificates, threatened the systems that underpin trust in the internet itself. Website owners recognized the need to adopt SSL more broadly to combat Man-In-The-Middle (MITM) attacks, notably for securing non-transactional pages, as exemplified by Facebook, Google, Microsoft, and Twitter adoption of Always On SSL.”

Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012

SLIDE 29

Today’s threats

  • “Gartner predicts sales of smartphones to end users will reach 461.5 million in 2011 and rise to 645 million in 2012. [M]obile offers new opportunities to cybercriminals that potentially are more profitable. A stolen credit card may go for as little as USD 40-80 cents. Malware that sends premium SMS text messages can pay the author USD $9.99 for each text.”

Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012

SLIDE 30

Today’s threats

  • “More than 232.4 million identities were exposed overall during 2011. [B]reaches caused by hacking attacks had the greatest impact and exposed more than 187.2 million identities, the greatest number for any type of breach in 2011. The most frequent cause of data breaches was theft or loss of a computer or other medium, such as a USB key or a back-up medium. Theft or loss accounted for 34.3% of breaches that could lead to identities exposed.”

Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012

SLIDE 31

References

  • Wikipedia, Timeline of notable computer viruses and worms: http://en.wikipedia.org/wiki/Timeline_of_notable_computer_viruses_and_worms
  • Symantec threat reports: http://www.symantec.com/threatreport/
    • Symantec Internet Security Threat Report, Volume 17, April 2012
  • Marlinspike, Defeating SSL, Black Hat DC 2009: http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
  • Ars Technica, April 2013, on super-botnet DDoS attacks: http://arstechnica.com/security/2013/04/fueled-by-super-botnets-ddos-attacks-grow-meaner-and-ever-more-powerful/