Vulnerabilities: Malicious Code Class 10 P&P: Ch 3.3, 3.4 1 - PowerPoint PPT Presentation


  1. Vulnerabilities: Malicious Code
     Class 10, P&P: Ch 3.3, 3.4
     CIS-5372: 9.Nov.2011

  2. Announcement
     - Presence sheet
     - Solution to Homework 2 is out
     - Grades will follow …

  3. What Did We Cover Before?
     - Nonmalicious Program Errors
       - Buffer Overflows
       - Incomplete Mediation
       - TOCTTOU
     - Introduction to Malicious Code

  4. In this lecture
     - Viruses
       - How they attach
       - How they gain control
       - Where they are stored
       - Detection …
     - Worms
     - Web Bugs
     - Trapdoors
     - …

  5. What is a Virus?
     - Program that can infect other programs by modifying them to include a, possibly evolved, version of itself (Fred Cohen, 1983)

  6. Qualities of a Virus
     - Hard to detect
     - Not easily destroyed or deactivated
     - Spreads widely
     - Can re-infect home program/other programs
     - Easy to create
     - Machine/OS independent

  7. How Viruses Attach
     1. Virus is on CD
        - When executed, the virus can
          - Install on hard drive
          - Attach to any executing program in memory
     2. E-mail virus
        - The attacker convinces the victim to open an attachment
          - Executable file
          - Graphics, photos …

  8. How Viruses Attach (cont’d)
     - Appending
     - Surrounding
     - Integrated
     - Overwriting

  9. Appending Virus
     - Add to beginning of target
     - First instruction of new program
     [Diagram: Virus placed in front of the targeted executable; the original program follows it]
     - Virus writer doesn’t need to know target program

  10. Surrounding Virus
     - Add to beginning and end of target
     - Control before and after target program
     [Diagram: Virus A, original program, Virus B together form the targeted executable]

  11. Surrounding Virus - Example
     - Prevent user from detecting virus
       - Using file name and size during ls/dir command
     - Virus attaches to ls/dir command
     - When ls/dir completes, virus takes control
       - Eliminate entry from listing
       - Distribute space among other programs to hide size

  12. Integrated Virus
     - Replace some of target
     [Diagram: Targeted executable becomes an infected executable, with virus code integrated into the host]
     - Virus writer needs to know target program

  13. Integrated Virus (cont’d)
     [Diagram: Virus part 1, part 2, … part n interleaved through the targeted executable]

  14. Overwriting Virus
     - Replace entire target
     - Mimic effect of target, or
     - Not – user likely to perceive virus
     [Diagram: Virus replaces the targeted executable entirely]

  15. How Viruses Gain Control
     - After attachment virus needs to be invoked
       - Overwriting a target program
       - Changing pointers to programs
     - V denotes virus, T is the target program

  16. Overwriting the Target
     - Overwrite T with V
     - When T is invoked, V is actually executed!
     [Diagram: File directory entry for T; on the hard disk, T is overwritten by V]

  17. Changing Pointer To Target
     - Change pointer to T to point to V
     - When T is invoked, V is again executed!
     [Diagram: File directory entry for T repointed to V on the hard disk; T itself is untouched]

  18. Where Are Viruses Stored
     - One-time execution
     - Boot sector
     - Memory resident
     - …

  19. One-Time Execution: E-mail
     1. Virus writer generates e-mail
     2. Sends it to all addresses in victim’s address book, or leaves it to the victim to forward it

  20. One-Time Execution: Valentine Day
     [Screenshot: Waledac malicious domain, from the PandaLabs blog]

  21. One-Time Execution: Fake Antivirus
     [Screenshot from the PandaLabs blog]

  22. One-Time Execution: Fake Page
     [Screenshot from the PandaLabs blog]

  23. One-Time Execution: P2P Files
     - Popular query
     - 35.5% are malware (Kalafut 2006)

  24. Boot Sector Viruses
     - When computer starts
       - Firmware determines hardware components
       - Transfers control to OS
       - OS stored on disk
     - Bootstrap process:
       - Firmware reads boot sector to a fixed address in memory
       - Jumps to that address
       - Boot sector contains the bootloader
       - Bootloader pulls the rest of the OS from disk

  25. Boot Sector
     - Boot sector has 512 bytes
     - Bootstrap loader size > 512 bytes
     - Use chaining
     [Diagram: Hard disk; boot sector -> bootstrap loader (block 2) -> bootstrap loader (block 3)]

  26. Placing Virus in Boot Sector
     - The virus could be placed in any bootstrap sector
     - But … boot sector particularly appealing
       - Virus gains control right at the beginning
       - Protection tools are not yet active
     [Diagram: Hard disk; virus code in the boot sector -> bootstrap loader (block 2) -> bootstrap loader (block 3)]

  27. Example: The BRAIN Virus
     - Changes label of infected disks to BRAIN
     - From Pakistan (believed)
     - Sole purpose: to pass the infection
     - Traps disk read interrupts
       - Only interested in reads in the boot sector
     - Believed to be proof-of-concept
     - Many other variants, more efficient …

  28. The BRAIN Virus Location
     [Diagram: Hard drive before infection: boot sector, sectors 1, 2, 3. After infection: BRAIN occupies the boot sector and the following sectors; the original boot sector and sectors 1-3 are copied to other sectors (1-dup, 2-dup, 3-dup), which are marked as faulty]

  29. The BRAIN Virus Infection
     1. Locates in upper memory
     2. System call to reset upper memory bound below it
     3. Traps interrupt #19 (disk read)
     4. Any disk read for boot sector returns content of hijacked sector
     [Diagram: Memory with BRAIN resident in upper memory and the upper memory bound reset below it; the interrupt address table entry for #19 redirected to BRAIN, which then passes on to the original code for interrupt 19]
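As an added illustration (not from the slides), a baseline integrity check over a constructed disk image laid out like slides 25 and 28: the boot-chain sector hashes are compared with a known-good record, and when a sector differs its original content is searched for elsewhere, including in sectors marked faulty, which is where BRAIN stashes the real boot sector. The same hash-baseline idea covers the "overwrite T with V" case on slide 16. Sector tags, the image layout and the bad-sector set are constructed here.

```python
import hashlib

SECTOR_SIZE = 512  # boot sector size from the slides

def make_sector(tag: bytes) -> bytes:
    """Constructed 512-byte sector: a short tag padded with zeros (not real boot code)."""
    return tag.ljust(SECTOR_SIZE, b"\x00")

def sector_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed clean image, chained as on the "Boot Sector" slide:
# boot sector -> bootstrap loader block 2 -> block 3, then ordinary data.
CLEAN_IMAGE = [make_sector(b"BOOT-SECTOR"), make_sector(b"BSTRAP-LDR-BLOCK2"),
               make_sector(b"BSTRAP-LDR-BLOCK3"), make_sector(b"USER-DATA")]
# Known-good hashes of the boot chain, recorded while the disk was trusted.
BASELINE = {i: sector_hash(s) for i, s in enumerate(CLEAN_IMAGE[:3])}

# Constructed "after" image in the layout of the BRAIN location slide: the virus
# occupies the boot sector, the original boot sector is stashed in a spare
# sector, and that sector is marked faulty so the file system neither lists nor
# reuses it.
INFECTED_IMAGE = [make_sector(b"BRAIN-VIRUS-CODE"), CLEAN_IMAGE[1], CLEAN_IMAGE[2],
                  CLEAN_IMAGE[3], CLEAN_IMAGE[0]]
INFECTED_BAD_SECTORS = {4}

def check_boot_chain(image, bad_sectors, baseline):
    """For every baseline sector that no longer matches, report where its
    known-good content now lives and whether that location is hidden as faulty.
    Reads must come from the raw device: a resident virus that traps the
    disk-read interrupt (slide 29) answers boot-sector reads with the stashed
    original, and the mismatch would never be observed through it."""
    where = {}
    for i, sec in enumerate(image):
        where.setdefault(sector_hash(sec), []).append(i)
    findings = {}
    for sector_no, expected in baseline.items():
        if sector_hash(image[sector_no]) == expected:
            continue
        relocated = where.get(expected, [])
        findings[sector_no] = {
            "relocated_to": relocated,
            "hidden_as_faulty": sorted(s for s in relocated if s in bad_sectors),
        }
    return findings

if __name__ == "__main__":
    print(check_boot_chain(CLEAN_IMAGE, set(), BASELINE))
    print(check_boot_chain(INFECTED_IMAGE, INFECTED_BAD_SECTORS, BASELINE))
```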

  30. In this lecture
     - Viruses
       - How they attach
       - How they gain control
       - Where they are stored
       - Detection …
     - Worms
     - Web Bugs
     - Trapdoors
     - …

  31. Virus Detection
     - Based on
       - Virus signatures
       - Storage patterns
       - Execution patterns
       - Transmission patterns
     - Virus scanner uses such patterns to
       - Detect
       - And even remove viruses

  32. Virus Signatures
     - Virus cannot be completely invisible
       - Code must be stored somewhere
       - Code must be in memory to execute
     - Signature
       - Executes according to a pattern
       - Spreads using certain mechanisms
     - Example: Code Red
         GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
         %u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3
         %u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
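As an added example (not from the slides), the Code Red request above turned into a transmission-pattern signature and run over web server log lines: the GET for /default.ida with a long run of X padding followed by %u-encoded payload. The log lines, the client addresses and the minimum padding length of 100 are constructed assumptions.

```python
import re

# Apache/NCSA combined log format: client, ident, user, [timestamp], "request", status ...
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Signature taken from the Code Red request on the slide: GET /default.ida with a
# long run of 'X' padding followed by %uXXXX-encoded shellcode. The minimum
# padding length of 100 is an assumption chosen here so that short probes of the
# same path without the payload do not fire the rule.
CODE_RED_RE = re.compile(r'^GET /default\.ida\?X{100,}(?:%u[0-9a-fA-F]{4})+')

# Constructed log lines (not real traffic). The first reproduces the slide's
# request shape, the second is ordinary browsing, and the third hits the same
# path but carries neither the padding nor the encoded payload.
CODE_RED_QUERY = "X" * 224 + (
    "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3"
    "%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)
SAMPLE_LOG = [
    f'10.0.0.7 - - [19/Jul/2001:10:02:11 +0000] "GET /default.ida?{CODE_RED_QUERY} HTTP/1.0" 200 566 "-" "-"',
    '10.0.0.8 - - [19/Jul/2001:10:02:12 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [19/Jul/2001:10:02:13 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 210 "-" "curl/7.0"',
]

def scan_log(lines):
    """Return (client_ip, timestamp, status) for each request matching the
    signature. Lines that do not parse are skipped, not reported as hits."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        if CODE_RED_RE.match(m.group("req")):
            hits.append((m.group("ip"), m.group("ts"), m.group("status")))
    return hits

if __name__ == "__main__":
    for ip, ts, status in scan_log(SAMPLE_LOG):
        print(f"Code Red request from {ip} at {ts} (server answered {status})")
```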

  33. In this lecture
     - Viruses
     - Worms
     - Web Bugs
     - Trapdoors
     - …

  34. Reminder: What is a Worm
     - Reproducing programs that run independently and travel across network connections.
     - Reproduction differences:
       - A virus is dependent upon a host file or boot sector, and on the transfer of files between machines, to spread.
       - A worm can run completely independently and spread of its own will through network connections.

  35. Example: The Internet Worm
     - November 2nd, 1988
       - Internet Worm released
       - Infected many computers
       - Many more severed network connections
     - Robert T. Morris Jr.
       - $10,000 fine
       - 3 year suspended jail sentence
       - 400 hours community service
       - Now with MIT

  36. Intent of Internet Worm
     1. Determine where it could spread
     2. Spread to new target
     3. Remain undiscovered and undiscoverable

  37. Determine Targets
     - Exploited three known vulnerabilities
     1. Find user accounts to invade on target system
        - Remember password vulnerabilities
        - 432 common passwords + dictionary file
     2. Fingerd: daemon which responds to queries about users
        - Known buffer overflow vulnerability
        - Gives worm a remote shell
     3. Sendmail trapdoor
        - In debug mode, sendmail can execute input string

  38. Spread Infection
     - Send a bootstrap loader to target machine
       - 99 lines of C code
       - Compile and execute on target machine
       - Fetch rest of worm code from the sending system
     - Element of good security:
       - Bootstrap loader required to provide password to sending system
       - If it fails, sending system breaks connection

  39. Remain Undiscovered
     1. If transmission error occurs during worm fetch
        - Bootstrap loader removes code and exits
     2. Bring all worm code into memory
        - Encrypt copy in memory
        - Delete copy from disk
        - Thus, the worm cannot easily be discovered
     3. Periodic change of name and process id
        - Avoid single process running a long time

  40. Effect of Internet Worm
     1. Resource exhaustion
        - If target was already infected, propagate one copy
        - Bug in code: many copies did not terminate!
        - Thus, serious performance degradation
     2. Disconnection of machines from Internet
        - To prevent copies from trying to propagate
        - … or to prevent infection
     3. Isolation and inability to perform work
        - Estimated cost $100,000 - $97 million
        - Thousands of systems were disconnected
