Outline Malware and the network CSci 5271 Introduction to Computer Security Announcements intermission Malware and Denial of Service Stephen McCamant Denial of service and the network University of Minnesota, Computer Science & Engineering Malicious software Trojan (horse) Shortened to Mal. . . ware Looks benign, has secret malicious Software whose inherent goal is functionality malicious Not just used for bad purposes Key technique: fool users into installing/running Strong adversary Concern dates back to 1970s, MLS High visibility Many types (Computer) viruses Worms Completely automatic self-propagation Attaches itself to other software Requires remote security holes Propagates when that program runs Classic example: 1988 Morris worm Once upon a time: floppy disks “Golden age” in early 2000s More modern: macro viruses Internet-level threat seems to have Have declined in relative importance declined
Fast worm propagation Getting underneath Initial hit-list Lower-level/higher-privilege code can Pre-scan list of likely targets deceive normal code Accelerate cold-start phase Rootkit: hide malware by changing Permutation-based sampling kernel behavior Systematic but not obviously patterned Pseudorandom permutation MBR virus: take control early in boot Approximate time: 15 minutes Blue-pill attack: malware is a VMM “Warhol worm” running your system Too fast for human-in-the-loop response Malware motivation User-based monetization Once upon a time: curiosity, fame Adware, mild spyware Now predominates: money Keyloggers, stealing financial Modest-size industry credentials Competition and specialization Ransomware Also significant: nation-states Application of public-key encryption Industrial espionage Malware encrypts user files Only $300 for decryption key Stuxnet (not officially acknowledged) Bots and botnets Bot monetization Bot: program under control of remote attacker Click (ad) fraud Botnet: large group of bot-infected Distributed DoS (next section) computers with common “master” Bitcoin mining Command & control network protocol Pay-per-install (subcontracting) Once upon a time: IRC Spam sending Now more likely custom and obfuscated Centralized ✦ peer-to-peer Gradually learning crypto and protocol lessons
Malware/anti-virus arms race Signature-based AV “Anti-virus” (AV) systems are really Similar idea to signature-based IDS general anti-malware Would work well if malware were static Clear need, but hard to do well In reality: No clear distinction between benign Large, changing database Frequent updated from analysts and malicious Not just software, a subscription Endless possibilities for deception Malware stays enough ahead to survive Emulation and AV Polymorphism Simple idea: run sample, see if it does Attacker makes many variants of something evil starting malware Obvious limitation: how long do you Different code sequences, same wait? behavior Simple version can be applied online One estimate: 30 million samples observed in 2012 More sophisticated emulators/VMs used in backend analysis But could create more if needed Packing Fake anti-virus Sounds like compression, but real goal Major monentization strategy recently is obfuscation Your system is infected, pay $19.95 for Static code creates real code on the fly cleanup tool Or, obfuscated bytecode interpreter For user, not fundamentally Outsourced to independent “protection” distinguishable from real AV tools
Outline Note to early readers Malware and the network This is the section of the slides most likely to change in the final version Announcements intermission If class has already happened, make sure you have the latest slides for Denial of service and the network announcements Outline DoS versus other vulnerabilities Effect: normal operations merely Malware and the network become impossible Software example: crash as opposed Announcements intermission to code injection Less power that complete compromise, Denial of service and the network but practical severity can vary widely Airplane control DoS, etc. When is it DoS? Algorithmic complexity attacks Can an adversary make your algorithm Very common for users to affect have worst-case behavior? others’ performance ❖ ✭ ♥ ✷ ✮ quicksort Focus is on unexpected and unintended Hash table with all entries in one bucket effects Exponential backtracking in regex Unexpected channel or magnitude matching
XML entity expansion Compression DoS XML entities (c.f. HTML ✫❧t ) are like C Some formats allow very high macros compression ratios Simple attack: compress very large input ★❞❡❢✐♥❡ ❇ ✭❆✰❆✰❆✰❆✰❆✮ More powerful: nested archives ★❞❡❢✐♥❡ ❈ ✭❇✰❇✰❇✰❇✰❇✮ Also possible: “zip file quine” ★❞❡❢✐♥❡ ❉ ✭❈✰❈✰❈✰❈✰❈✮ decompresses to itself ★❞❡❢✐♥❡ ❊ ✭❉✰❉✰❉✰❉✰❉✮ ★❞❡❢✐♥❡ ❋ ✭❊✰❊✰❊✰❊✰❊✮ DoS against network services Tiny bit of queueing theory Mathematical theory of waiting in line Common example: keep legitimate Simple case: random arrival, sequential users from viewing a web site fixed-time service Easy case: pre-forked server supports M/D/1 100 simultaneous connections If arrival rate ✕ service rate, expected Fill them with very very slow downloads queue length grows without bound SYN flooding SYN cookies Change server behavior to stateless SYN is first of three packets to set up approach new connection Embed small amount of needed Traditional implementation allocates information in fields that will be echoed space for control data in third packet However much you allow, attacker fills MAC-like construction with unfinished connections Other disadvantages, so usual Early limits were very low (10-100) implementations used only under attack
DoS against network links Traffic multipliers Third party networks (not attacker or Try to use all available bandwidth, victim) crowd out real traffic One input packet causes ♥ output Brute force but still potentially effective packets Baseline attacker power measured by Commonly, victim’s address is forged packet sending rate source, multiply replies Misuse of debugging features “Smurf” broadcast ping Distributed DoS Many attacker machines, one victim ICMP echo request with forged source Easy if you own a botnet Sent to a network broadcast address Impractical to stop bots one-by-one Every recipient sends reply May prefer legitimate-looking traffic Now mostly fixed by disabling this over weird attacks feature Main consideration is difficulty to filter Next time Network anonymity with overlay networks
Recommend
More recommend
