MALWARE

Tomas Kegel Sørensen

Esben B. Larsen

Christoph Froeschel

Magnus Koch

ITU Copenhagen 07.11.2008

AGENDA
  • PART I: INTRODUCTION TO MALWARE
  • PART II: MOBILE MALICIOUS CODE
  • PART III: PURPOSE OF MALWARE
  • PART IV: AVOIDING MALWARE
WHAT IS MALWARE?
  • Malware is a contraction of malicious software
  • Malware refers to various types of software that can cause problems on, damage, or disrupt a computer
  • It is installed without the user's knowledge or approval
DEFINITIONS OF COMMON ATTACKS
  • Virus
    • is a program that copies itself into other programs. Viruses infect host files associated with applications.
    • typically, user interaction is required for propagation, such as running a program or opening a document file.

DEFINITIONS OF COMMON ATTACKS
  • Worm
    • is a program that copies itself over computer networks, infecting machines in remote locations.
    • typically, no user interaction is required, as the worm spreads via vulnerabilities or misconfigurations in target systems.
    • Exponential growth: every newly infected machine immediately starts looking for further victims.
DEFINITIONS OF COMMON ATTACKS
  • Anatomy of a worm
    • Warhead: penetrates the target, for example through
      • browsers that surf infected web servers
      • Outlook e-mail
      • Windows file sharing
      • backdoors left behind by previous worms
    • Propagation engine: moves the worm body to the destination
      • file-transfer protocols such as FTP, HTTP and SMB
      • mail programs
    • Target selection algorithm (TSA): looks for new victims to attack
      • addresses found in received or sent e-mails
      • IP addresses similar to the victim's own address
    • Scanning engine: fires warheads against the new victims
    • Payload: what it does to the target
      • nothing at all (so-called null-payload worms)
      • opening up backdoors
      • planting a zombie
      • performing a mathematical operation
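The "exponential growth" the worm slides claim follows directly from the target-selection / scanning / warhead loop described above. The following simulation is an added example (not code from the slides and not a real worm): it models a random-scanning worm as a discrete-time epidemic over a toy address space. The address space size, the number of vulnerable hosts, the scan rate and the seed are made-up parameters chosen for the example, not measurements of any real worm.

```python
"""Toy simulation of random-scanning worm propagation (added example).

Each infected host fires `scans_per_tick` warheads at uniformly random
addresses per tick; a vulnerable host that is hit becomes infected and
starts scanning on the next tick.  All parameters are constructed for the
example and do not describe any real worm or network.
"""
import random


def simulate_worm(address_space=1 << 16, vulnerable=2000, scans_per_tick=50,
                  ticks=80, seed=1):
    """Return the number of infected hosts after each tick, starting from a
    single infected host.  Stops early once every vulnerable host is infected.
    """
    rng = random.Random(seed)
    # Target selection: the worm does not know where vulnerable hosts are,
    # so they are placed at random addresses and must be found by scanning.
    hosts = rng.sample(range(address_space), vulnerable)
    vulnerable_set = set(hosts)
    infected = {hosts[0]}          # patient zero (the attacker's first victim)
    history = [len(infected)]
    for _ in range(ticks):
        newly = set()
        # Scanning engine: every infected host picks random addresses and
        # fires the warhead at each one.
        for _host in infected:
            for _ in range(scans_per_tick):
                target = rng.randrange(address_space)
                if target in vulnerable_set and target not in infected:
                    newly.add(target)
        infected |= newly
        history.append(len(infected))
        if len(infected) == vulnerable:
            break
    return history


def ticks_to_fraction(history, fraction, total):
    """First tick at which at least `fraction` of `total` hosts are infected,
    or None if the simulation never got there."""
    for tick, count in enumerate(history):
        if count >= fraction * total:
            return tick
    return None


if __name__ == "__main__":
    hist = simulate_worm()
    for tick, count in enumerate(hist):
        print(f"tick {tick:2d}: {count:5d} infected")
    print("half of the population infected at tick",
          ticks_to_fraction(hist, 0.5, 2000))
```

The infected count roughly multiplies by a constant factor per tick while most hosts are still clean, then flattens out as the scanners increasingly hit already-infected addresses; that S-curve is the shape real worm outbreaks show. Real worms also bias the target selection toward addresses near the victim (the "IP addresses similar to the victim" item above), which speeds up the early phase when vulnerable hosts are clustered.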
DEFINITIONS OF COMMON ATTACKS
  • Trojan horse
    • is a program that seems to do something useful or interesting, but actually runs malicious code behind the scenes.
    • e.g. screen savers
    • a common use is a "trap door" (backdoor) that gives the adversary discreet access to the machine at a future date.

DEFINITIONS OF COMMON ATTACKS
  • Time bombs or logic bombs
    • are programs that hibernate until a specified event happens or until a condition becomes true.
    • effective when coupled to a virus

TAXONOMY OF MALWARE
  • Malicious programs
    • Need a host program
      • Viruses
      • Logic bombs
      • Trojan horses
    • Independent
      • Worms

COMBINING MALWARE
  • Worms and viruses are the transport mechanism for malicious code.
  • Trojan horses and time/logic bombs are the malicious code that gets transported.
MALICIOUS MOBILE CODE
  • Mobile code is a lightweight program that is downloaded from a remote system and executed locally with minimal or no user intervention
  • Malicious mobile code is mobile code that makes your system do something that you do not want it to do.
MALICIOUS MOBILE CODE FOR A VARIETY OF NASTY ACTIVITIES
  • Monitoring your browsing activities
  • Obtaining unauthorized access to your file system
  • Infecting your machine with a Trojan horse
  • Hijacking your Web browser
MOBILE CODE EXAMPLES
  • Browser Scripts
  • ActiveX Controls
  • Java Applets
  • Mobile Code in E-mail Clients
BROWSER SCRIPTS
  • A script block embedded in a page is fetched with the page and run by the browser without any further user action:

```html
<script type="text/javascript">
function do_something() {
  // Code for this function would go here.
}
</script>
```

  • (a) The opening <script> tag begins the script
  • (b) The closing </script> tag ends it
ACTIVEX CONTROLS
  • A software component based on Microsoft's ActiveX technology that is used to add interactivity and functionality, such as animation or a popup menu, to a Web page. An ActiveX control can be written in any of a number of languages, including Java, C++ and Visual Basic.
  • The first time a control is accepted it is downloaded to your computer and registered. From then on it runs as native code with the full privileges of the logged-in user; there is no sandbox.
JAVA APPLETS
  • Java applets are relatively lightweight programs designed to be transmitted across the Internet.
  • Java applet security model
    • The applet security model forces downloaded applets to run within a highly restrictive sandbox.
  • Attackers exploit bugs in the implementation of the JRE to let an untrusted applet escape from its sandbox.
    • Example: the applet called Brown Orifice
MOBILE CODE IN E-MAIL CLIENTS
  • The majority of modern e-mail clients contain some form of Web browser functionality to display HTML.
  • Turn off support for mobile code in your e-mail client if you don't use this functionality.
CONCLUSION
  • Do not execute ActiveX controls, whether signed or not signed, unless you trust their author with access to your system.
  • Do not execute signed Java applets unless you trust their author with access to your system.
  • Remember that there is no such thing as "trust once," when it comes to ActiveX controls or Java applets, because a malicious program can grant itself perpetual trust once it has access.
  • Disable support for mobile code that you do not require in your browser and e-mail software.
CHANGE OF PERSPECTIVE I
  • Hackers wanted to show that they could
    • Morris Worm in 1988
  • Malware used to be destructive
    • "I Love You" virus (2000): overwrote files and mailed itself to every contact in the Outlook address book
  • Today malware is usually not destructive anymore; it works silently on the PC
IT'S BUSINESS
  • "Sources of cybercrime will become increasingly organized and profit driven" (Gunter Ollmann, IBM)
  • "Hacker teams are highly professional, with strong focus on quality and the right marketing" (Thorsten Holz, University of Mannheim)
BOTNETS FOR RENT
  • Hacker groups rent out their botnets
  • Reports suggest that botnets can be rented for $100/hour
  • Pay-as-you-go scheme: cybercrime made easy!
RETURN ON INVESTMENT
  • Crime syndicates blackmail gambling sites/online shops (pay, or be taken offline by a botnet)
  • They demand up to $50,000
  • Stealing personal information (credit cards, bank accounts)
BEYOND TRADITIONAL CRIME I
  • The Sony rootkit scandal
    • automatically installing software on PCs when an audio CD was played
    • Sony wanted improved copy protection
    • ...but introduced new security holes on computers running Windows
BEYOND TRADITIONAL CRIME II
  • Remote forensic software
    • Governments install spyware on the computers of "suspected" persons
    • The FBI uses a tool called "Magic Lantern"
    • Key loggers are used in order to obtain sensitive information
    • Conflicts with the legislation
FUTURE TRENDS
  • Cybercrime in virtual worlds
  • Increase in botnets
  • Mobile devices
  • Virtual machine rootkits (Blue Pill)
SUM UP
  • High risk
  • Focus is on "business": earning money is what matters
  • Malware gets smarter and thus harder to detect
  • Magnus will now talk about avoiding malware
STRATEGY

1: User education & restricted user privileges.

2: Avoiding common software "packages".

3: Anti-virus software (locally and at network gateways).

1 USER EDUCATION

METHODS

  • Educate users so that they avoid making known mistakes.
  • Restrict the privileges of user accounts (configuration hardening).

PROBLEMS

  • Most users are not willing to spend time learning security.
  • Even expert users are not immune to unexpected attacks (Bubble Boy, which ran as soon as the message was previewed).
2 AVOID COMMON SOFTWARE

EXAMPLES

  • The "Microsoft Word" and "Outlook" combination.
  • The "WordPress" CMS.

METHOD

  • Avoid common software, or at least include less popular software somewhere in your workflow.

PROBLEMS

  • What counts as common software?
  • How can you be sure that security issues will be identified and addressed when using less common software?
3 ANTI-VIRUS SOFTWARE

METHOD

  • Scan all incoming files for malware.

PROBLEMS

  • New malware emerges.
  • Malware authors camouflage already known threats.
MALWARE SIGNATURES
  • The fingerprints of malware (also called DAT files)
  • Performance improvements
    • Fingerprints are matched only against certain file types.
    • Depending on the file type, different areas of the file are scanned.
NEW MALWARE
  • Can actually be new malware, or camouflaged versions of old threats.
  • Polymorphism (obfuscated code)
    • Changed variable names.
    • Changed order of the instructions in the malware program.
    • Encryption (the body is encrypted with a varying key; only a small decryptor stays in clear).
    • Metamorphism (the code itself is rewritten on every generation).
HOW TO IDENTIFY MALWARE WITH AN UNKNOWN SIGNATURE
  • Generic signatures.
    • Often broken up and containing "wildcard areas".
    • Not good for totally new malware.
  • Emulation (run the sample in an interpreter until it has unpacked itself, then scan the result).
  • Heuristics.
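The three slides above (signatures, polymorphism, generic signatures and emulation) are best seen side by side. The following is an added example, not code from the slides or from any antivirus product: the "malware" is a constructed byte string standing in for a code fragment, and the one-byte XOR packer with its fixed decryptor-stub layout is a toy stand-in for the encryption polymorphic malware uses. It shows that an exact signature matches the original sample, that a re-encrypted copy evades it, that a generic signature with wildcard bytes still matches the invariant decryptor stub, and that emulating the decryptor recovers the body for the exact signature.

```python
"""Exact signatures vs. a polymorphic variant vs. wildcard signatures.

Added example.  ORIGINAL_BODY, the stub layout and the signatures are all
constructed for this example; they are not real malware bytes or vendor
signatures.
"""
import re

# Constructed sample: a fixed "body" that the exact signature fingerprints.
ORIGINAL_BODY = b"\x55\x8b\xec\x68MALWARE\xc3"

# Exact signature: a contiguous byte string taken from the known sample.
EXACT_SIGNATURE = b"\x68MALWARE\xc3"


def scan_exact(data: bytes, signature: bytes) -> bool:
    """Classic blacklist check: does the signature appear verbatim?"""
    return signature in data


def pack(body: bytes, key: int) -> bytes:
    """Toy polymorphic packer: XOR the body with a one-byte key and prepend
    a 'decryptor stub' that carries the key.  The stub layout is a made-up
    convention for this example:
        E8 <key> 31 C0 <len>   (fixed bytes around two variable bytes)
    Every packed copy differs in the key byte and in the encrypted body, so
    a signature taken over the body never matches twice.
    """
    stub = bytes([0xE8, key, 0x31, 0xC0, len(body)])
    return stub + bytes(b ^ key for b in body)


# Generic signature: the decryptor stub with wildcard bytes where the key
# and the length vary.  Written as a regex over bytes; '.' is one wildcard
# byte, DOTALL so that it also matches a newline byte.
GENERIC_SIGNATURE = re.compile(rb"\xe8.\x31\xc0.", re.DOTALL)


def scan_generic(data: bytes, pattern: re.Pattern) -> bool:
    """Wildcard signature: matches only the invariant parts of the stub."""
    return pattern.search(data) is not None


def scan_with_emulation(data: bytes, signature: bytes) -> bool:
    """Emulation: recognise the stub, perform its decryption, then apply the
    exact signature to the decrypted body.  False if there is no stub."""
    m = GENERIC_SIGNATURE.search(data)
    if m is None:
        return False
    key = data[m.start() + 1]
    length = data[m.start() + 4]
    body_start = m.end()
    body = bytes(b ^ key for b in data[body_start:body_start + length])
    return signature in body


def classify(data: bytes) -> dict:
    """Run all three detectors so their results can be compared."""
    return {
        "exact": scan_exact(data, EXACT_SIGNATURE),
        "generic": scan_generic(data, GENERIC_SIGNATURE),
        "emulated": scan_with_emulation(data, EXACT_SIGNATURE),
    }


if __name__ == "__main__":
    print("original :", classify(ORIGINAL_BODY))
    print("variant 1:", classify(pack(ORIGINAL_BODY, 0x5A)))
    print("variant 2:", classify(pack(ORIGINAL_BODY, 0x9C)))
    print("benign   :", classify(b"hello, world\n"))
```

Two caveats a practitioner would add. A four-byte generic pattern with a wildcard, as here, is far too short for production use: it will fire on benign files that happen to contain those bytes, which is exactly the false-positive cost of generic signatures. And the emulation only works because the stub format is known; a metamorphic sample that rewrites its decryptor defeats both the generic signature and this emulator.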
HEURISTICS
  • Establish a database of typical malware traits, for example:
    • Attempts to access the boot sector.
    • Attempts to locate all documents in the current directory.
    • Attempts to write to an EXE file.
    • Attempts to delete hard drive contents.
CURRENT THREAT PATTERNS
  • Classic & server-side polymorphism
  • 10,000+ new strains per day.
  • Each victim is potentially attacked by a different strain.
  • Today a signature protects fewer than 20 users; earlier it protected more than 100,000.
  • The blacklisting strategy is increasingly ineffective.
SOLUTIONS (ACCORDING TO SYMANTEC)
  • Whitelisting: signatures for non-malware (known-good files).
  • Reputation-based approach.
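The heuristics slide and the whitelisting slide fit together as one pipeline: a whitelist answers "is this a known-good file?" by hash, which a polymorphic variant cannot pass no matter how it mutates, and a heuristic score over observed behaviour handles files that are neither known-good nor known-bad. The following is an added example, not code from the slides or from Symantec; the file contents, the behaviour traces and the trait weights are all constructed for the example.

```python
"""Hash allowlist first, behaviour heuristics for everything else.

Added example.  KNOWN_GOOD_FILES, TRACES, TRAIT_WEIGHTS and THRESHOLD are
constructed values; a real allowlist would hold hashes published by the
vendor or taken from a golden image, and real weights would be tuned on
large benign and malicious corpora.
"""
import hashlib

# Constructed "known-good" file contents.
KNOWN_GOOD_FILES = {
    "notepad.exe": b"MZ... constructed bytes of a trusted editor ...",
    "setup.exe": b"MZ... constructed bytes of a trusted installer ...",
}
# The allowlist stores only hashes; any change to a file, including a
# polymorphic re-encryption, yields a different hash and fails the check.
ALLOWLIST = {hashlib.sha256(data).hexdigest() for data in KNOWN_GOOD_FILES.values()}

# The traits from the heuristics slide, with weights chosen for the example.
TRAIT_WEIGHTS = {
    "access_boot_sector": 5,
    "enumerate_all_documents": 2,
    "write_to_exe": 3,
    "delete_drive_contents": 5,
}
THRESHOLD = 5

# Constructed behaviour traces (what an emulator or sandbox would observe).
TRACES = {
    "unknown_installer": ["create_directory", "write_to_exe", "write_registry"],
    "file_infector": ["enumerate_all_documents", "write_to_exe", "write_to_exe"],
    "wiper": ["delete_drive_contents"],
}


def is_allowlisted(data: bytes) -> bool:
    """True if the file's SHA-256 is on the known-good list."""
    return hashlib.sha256(data).hexdigest() in ALLOWLIST


def heuristic_score(trace) -> int:
    """Sum the weights of known-bad traits seen in a behaviour trace.
    Event names not in the trait database are ignored rather than raising."""
    return sum(TRAIT_WEIGHTS.get(event, 0) for event in trace)


def verdict(data: bytes, trace) -> str:
    """Allowlisted files pass; unknown files are judged on behaviour."""
    if is_allowlisted(data):
        return "allow"
    score = heuristic_score(trace)
    return "block" if score >= THRESHOLD else "allow-unknown"


if __name__ == "__main__":
    print("trusted installer   :", verdict(KNOWN_GOOD_FILES["setup.exe"], TRACES["unknown_installer"]))
    print("tampered installer  :", verdict(KNOWN_GOOD_FILES["setup.exe"] + b"\x00", TRACES["unknown_installer"]))
    print("unknown installer   :", verdict(b"unknown bytes", TRACES["unknown_installer"]))
    print("unknown infector    :", verdict(b"unknown bytes", TRACES["file_infector"]))
    print("unknown wiper       :", verdict(b"unknown bytes", TRACES["wiper"]))
```

Note where the false positives and false negatives sit: an installer legitimately writes EXE files, so a single "write_to_exe" must not reach the threshold on its own, while a file that both enumerates documents and writes EXEs does. The allowlist is only as trustworthy as the provenance of the hashes in it, and a tampered copy of a trusted file (one byte appended) is correctly treated as unknown rather than trusted.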