CIT 380: Securing Computer Systems - PowerPoint PPT Presentation
PowerPoint Slideshow about 'CIT 380: Securing Computer Systems' - medwin
Presentation Transcript
CIT 380: Securing Computer Systems

Malware

CIT 380: Securing Computer Systems


Facebook l.jpg
Facebook

  • http://www.nku.edu/~frank/cit380/docs/facebook.htm

Quarantine

  • http://www.nku.edu/~frank/cit380/docs/Quarantine.htm

Morris Worm

  • First Internet Worm: November 1988

  • Multi-architecture: Sun, VAX

  • Multi-vector

    • sendmail (debug backdoor)

    • fingerd (buffer overflow)

    • rsh (open .rhosts; password cracking)

Morris Worm

Spreading algorithm

Local network topology: gateways, neighbors.

Used users’ .rhosts, .forward files.

Limited reinfection rate.

Detection Avoidance

Forged process listing as (sh).

Removed created files quickly after use.

Morris Worm

Resource Requirements

Disk Space.

C compiler and linker.

Network connection to parent computer.

Problems

Didn’t limit re-infections.

Saturated CPU, network resources.

Malware Self-Protection

Anti-debugging

Detect/disable debuggers when used to analyze code.

Attack anti-malware tools

Disable anti-malware tools upon infection.

Kill processes or destroy/modify signatures.

API checksums

Avoid having UNIX/Win32 API calls in code.

Store checksums of API names and search for match.

Malware Self-Protection

Code obfuscation

Use unusual tricks and unused code to hinder disassembly and prevent quick analysis of the code's purpose.

Self-modifying code.

Self-Protection

Compression

Code looks almost random; size is smaller.

Use unusual executable packers to avoid analysis.

Data encryption

Encrypt strings, hostnames, IP addresses to avoid detection.

Self-Protection

Embedding

Use multiple levels of executable packers like UPX.

Scanners have to understand and have time to parse and decompress each file format.

Self-Protection

Entry-Point Obscuring

Changing the initial code or the entry point is easy for a scanner to notice.

Instead, alter the program code so that control passes to the malware at a random point in the host.

Host morphing

Alter host file during infection to prevent removal.

Self-Protection: Encryption

Encrypt all code except small decryptor.

  • Note that copy-protected files have similar decryptors, also to prevent analysis.

  • Often uses multiple decryptors.

  • Change encryption key dynamically.

    Random Decryption Algorithm (RDA)

  • Choose random key for encryption.

  • Brute force search for key to decrypt.

  • Slows VMs/debuggers used for analysis.

Self-Protection: Polymorphism

Alter malware code with each infection.

  • Cannot be detected by signature scanning.

  • May alter decryptor only or entire code.

  • Insert junk instructions that do nothing.

  • Fragment and rearrange order of code.

  • Alternate sets of instructions for the same task.

    • Ex: SUB -1 instead of ADD 1

  • Randomize names in macro viruses.

Case Study: Zmist

http://en.wikipedia.org/wiki/Zmist

EPO, encrypted, polymorphic virus.

Code integration

Decompiles PE files to smallest elements.

Inserts virus randomly into existing code.

Rebuilds executable.

Polymorphic decryptor

Inserted as random fragments linked by JMPs.

Randomizes self with ETG engine.

Payloads

Accidentally destructive.

Replication damages data or exhausts system resources due to malware bugs.

Ex: Morris Worm reinfected hosts, using all CPU.

Nondestructive.

Displays a message, graphics or sound, or opens the CD tray.

Ex: Christma worm on IBM network in 1987.

Destructive.

Triggers randomly or on some event or machine type.

Deletes files or overwrites data.

Hardware destroyers: overwrite BIOS.

Payloads

Denial of Service

Sometimes accidental due to high network use.

Launch DDOS attack with all infected systems.

Data Theft

Phishing scams and spyware.

Encryptors (ransomware)

Encrypts user data.

Ex: One_Half encrypts disk; enables access while running.

Ex: AIDS Info: encrypts disk and holds for ransom.

Spam

Use network of infected systems to launder spam email.

Ex: Sobig worm.

Malware Interactions

What happens when a virus infects a worm?

Typically both propagate.

May use each other’s self-protection techniques.

What if anti-virus software removes a virus?

Likely leaves unknown virus/worm alone.

Partial removal can mutate the malware into a new form.

Malware Interactions

Competition and Parasitism

Malware may remove competing malware.

May exploit backdoors/RCI left by previous malware.

May infect competing malware, hijacking its propagation.

Theory of Malicious Code

Theorem 1: It is undecidable whether an arbitrary program contains a computer virus.

Proof:

Define virus v as TM program that copies v to other parts of the tape, while not overwriting any part of v.

Reduce to Halting Problem: T’ running code V’ reproduces V iff running T on V halts.

Theorem 2: It is undecidable whether an arbitrary program contains malicious logic.
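A worked version of the reduction sketched on this slide, added here as an illustration (it is not from the original slide). It uses the slide's symbols $T$, $V$, $T'$, $V'$ and assumes, for contradiction, a hypothetical decider $D$:

$$
D(P) = \begin{cases} 1 & \text{if } P \text{ contains a virus} \\ 0 & \text{otherwise} \end{cases}
$$

Given an arbitrary TM $T$ and input $V$, build the program $V'$ (the recursion theorem lets $V'$ refer to its own code):

$$
V' : \quad \text{simulate } T \text{ on } V;\ \text{if the simulation halts, copy } V' \text{ to an unused region of the tape.}
$$

The copy step is exactly the virus behaviour defined above, and it runs if and only if $T$ halts on $V$. Hence, for the machine $T'$ running $V'$,

$$
D(V') = 1 \iff T' \text{ reproduces } V' \iff T \text{ halts on } V,
$$

so $D$ would decide the Halting Problem, which is impossible. For Theorem 2 the same construction works with the copy step replaced by any chosen malicious action.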

Detecting Malware

Signature-based

  • Look for known patterns in malicious code.

  • Defeated by polymorphic viruses.

    Smart scanning

  • Skips junk instructions inserted by poly engines.

  • Skips whitespace/case changes in macro viruses.

Detecting Malware

Decryption

  • Brute-forces simple XOR-based encryption.

  • Checks the decrypted text against a small virus signature to decide whether it has recovered the plaintext.
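The two scanner techniques from the "Smart scanning" and "Decryption" slides, as an added example written for this page rather than code from the lecture or any real scanner: a signature match that first skips junk bytes inserted by a polymorphic engine, and a brute-force search over all 256 single-byte XOR keys that accepts a key when a short probe from the signature appears in the decrypted stream. The signature, the set of junk opcodes and the sample byte strings are all constructed for the example.

```python
"""Toy signature scanner: plain match, junk skipping, single-byte XOR brute force.
All constants and samples are constructed for this example; no real malware."""

# Constructed signature: the byte pattern the scanner looks for.
SIGNATURE = bytes.fromhex("deadbeefcafe")

# Constructed set of single-byte "junk" opcodes a polymorphic engine might
# sprinkle between real instructions (0x90 is x86 NOP; the others are chosen
# arbitrarily for the example).
JUNK_OPCODES = {0x90, 0x9B, 0xF8}


def strip_junk(code: bytes) -> bytes:
    """Smart scanning: drop junk bytes so the remaining stream can be matched."""
    return bytes(b for b in code if b not in JUNK_OPCODES)


def signature_match(code: bytes) -> bool:
    """Plain signature scan after junk removal."""
    return SIGNATURE in strip_junk(code)


def xor_decrypt(data: bytes, key: int) -> bytes:
    """Single-byte XOR; used both to build the sample and to undo it."""
    return bytes(b ^ key for b in data)


def brute_force_xor(data: bytes, probe: bytes = SIGNATURE[:3]):
    """Try every single-byte key. A key is accepted when the decrypted stream
    contains the short probe (the slide's 'small virus sig'); the probe is
    deliberately short so the check is cheap."""
    for key in range(256):
        plain = xor_decrypt(data, key)
        if probe in strip_junk(plain):
            return key, plain
    return None, None


def scan(sample: bytes) -> str:
    """Classify a sample: plain signature hit, XOR-encrypted hit, or clean."""
    if signature_match(sample):
        return "plain-signature"
    key, plain = brute_force_xor(sample)
    if key is not None and SIGNATURE in strip_junk(plain):
        return f"xor-encrypted(key=0x{key:02x})"
    return "clean"


# Constructed samples: the signature with junk bytes interleaved, the same
# bytes XOR-encrypted under key 0x5a, and a harmless string.
SAMPLE_PLAIN = b"\x00\x01\xde\x90\xad\xbe\x90\xef\xca\xfe\x02"
SAMPLE_ENCRYPTED = xor_decrypt(SAMPLE_PLAIN, 0x5A)
SAMPLE_CLEAN = b"\x90\x00hello"

if __name__ == "__main__":
    for name, s in [("plain", SAMPLE_PLAIN), ("encrypted", SAMPLE_ENCRYPTED), ("clean", SAMPLE_CLEAN)]:
        print(name, "->", scan(s))
```

The probe-then-confirm structure matters: the full signature is only compared once a cheap probe has singled out a candidate key, which is what keeps the 256-key search affordable per file.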

Detecting Malware

Code Emulation

  • Execute potential malware on VM.

  • Scan VM memory after a certain number of iterations.

  • Watch instructions for decryptor profile.

    Code Optimization.

  • Optimize away junk instructions and odd techniques used by polymorphic viruses.

Detecting Malware

Heuristics

  • Code execution starts in last section.

  • Suspicious code redirection.

  • Suspicious section ACLs or size.

  • Suspicious library routine imports.

  • Hard-coded pointers into OS kernel.

    Neural Network Heuristics

  • IBM researchers trained neural net to recognize difficult polymorphic viruses.

  • Released in Symantec antivirus.

Detecting Malware

Behavior-based

  • Watch for known actions from malicious code.

  • Network access signature of worm.

  • Unexpected use of dangerous system calls.
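An added example of the behavior-based detection described on this slide (written for this page; not code from the lecture): it runs two rules over constructed event-log lines, one for the network-access signature of a scanning worm (one process contacting many distinct hosts on the same port within a short window) and one for a dangerous system call used by a program that has no expected reason to use it. The log format, process names, thresholds and the expected-behaviour table are all assumptions made for the example.

```python
"""Behavior-based detection over constructed event-log lines."""
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0   # sliding window for the scan rule
SCAN_THRESHOLD = 8     # distinct destinations on one port within the window

# Constructed table of the events each image is expected to generate.
EXPECTED = {
    "sqlservr.exe": {"connect", "listen"},
    "outlook.exe": {"connect", "file_write"},
    "winword.exe": {"file_write"},
}
# System calls considered dangerous when a program is not expected to use them.
DANGEROUS = {"exec", "load_driver", "write_startup"}

# Constructed log: "<time> <pid> <image> <event> <arg>". Ten rapid connects
# to sequential hosts on port 1434 mimic a scanning worm inside a SQL server;
# the mail client then spawns a binary it has no reason to run.
LOG_LINES = [f"{0.01 * i:.2f} 4021 sqlservr.exe connect 10.1.1.{i + 1}:1434" for i in range(10)]
LOG_LINES += [
    "0.50 512 outlook.exe connect mail.example.com:25",
    "0.60 512 outlook.exe exec C:/Temp/update.exe",
    "0.70 900 winword.exe file_write C:/Users/bob/report.docx",
]


def parse(lines):
    """Turn log lines into (time, pid, image, event, arg) tuples."""
    events = []
    for line in lines:
        t, pid, image, event, arg = line.split()
        events.append((float(t), int(pid), image, event, arg))
    return events


def detect_scans(events):
    """Worm network signature: many distinct hosts, same port, short window."""
    alerts = []
    recent = defaultdict(deque)   # (pid, port) -> deque of (time, host)
    flagged = set()
    for t, pid, image, event, arg in events:
        if event != "connect":
            continue
        host, port = arg.rsplit(":", 1)
        key = (pid, port)
        window = recent[key]
        window.append((t, host))
        while window and t - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        distinct = {h for _, h in window}
        if len(distinct) >= SCAN_THRESHOLD and key not in flagged:
            flagged.add(key)   # report each (pid, port) once
            alerts.append(f"scan: pid {pid} ({image}) contacted {len(distinct)} hosts on port {port} within {WINDOW_SECONDS}s")
    return alerts


def detect_unexpected_calls(events):
    """Dangerous system call from a program not expected to use it."""
    alerts = []
    for _, pid, image, event, arg in events:
        if event in DANGEROUS and event not in EXPECTED.get(image, set()):
            alerts.append(f"unexpected: pid {pid} ({image}) used {event} on {arg}")
    return alerts


def run() -> dict:
    """Run both rules over the constructed log and return the alerts."""
    events = parse(LOG_LINES)
    return {"scans": detect_scans(events), "unexpected": detect_unexpected_calls(events)}


if __name__ == "__main__":
    for kind, alerts in run().items():
        for a in alerts:
            print(kind, "-", a)
```

The scan rule keys on the destination port as well as the process, because a legitimate server talking to many clients on many ports looks different from a worm probing one service across an address range; tune `SCAN_THRESHOLD` and `WINDOW_SECONDS` to the host's normal traffic before relying on it.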

Detecting Malware

Integrity Checking

  • Host-based Intrusion Detection System.

  • Record MAC, size, dates, ACL of files.

  • Periodically check for changes.

  • ex: Tripwire, AIDE, Osiris
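A minimal integrity checker in the style of the tools listed on this slide, added as an example written for this page (it is not Tripwire, AIDE or Osiris code): it records a SHA-256 hash, size, modification time and permission bits for every file under a root, then reports files that were added, removed or changed. The demo runs entirely in a temporary directory it creates itself; the file names and the simulated "infection" are constructed for the example.

```python
"""Tripwire-style integrity checker: baseline, then compare."""
import hashlib
import os
import stat
import tempfile


def fingerprint(path: str) -> dict:
    """Record the attributes the slide lists: hash, size, dates, permissions."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mtime": st.st_mtime,
        "mode": stat.S_IMODE(st.st_mode),
    }


def baseline(root: str) -> dict:
    """Fingerprint every regular file below root, keyed by relative path."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = fingerprint(full)
    return db


def check(root: str, db: dict) -> dict:
    """Compare the current tree with a stored baseline."""
    current = baseline(root)
    report = {"added": [], "removed": [], "changed": {}}
    for rel in sorted(set(db) | set(current)):
        if rel not in db:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            diffs = [k for k in db[rel] if db[rel][k] != current[rel][k]]
            if diffs:
                report["changed"][rel] = diffs
    return report


def demo() -> dict:
    """Self-contained run: take a baseline, then simulate an infection that
    appends to a binary, drops a new file and deletes another."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        with open(os.path.join(bindir, "ls"), "wb") as f:
            f.write(b"original code")
        with open(os.path.join(root, "motd"), "wb") as f:
            f.write(b"hello")
        db = baseline(root)                       # the trusted snapshot

        with open(os.path.join(bindir, "ls"), "wb") as f:
            f.write(b"original code+virus")        # hash and size change
        with open(os.path.join(root, "dropped.exe"), "wb") as f:
            f.write(b"x")                         # new file appears
        os.remove(os.path.join(root, "motd"))     # file disappears
        return check(root, db)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline database and the checker binary must live somewhere the monitored host cannot silently rewrite (read-only media or a separate host), otherwise malware that can alter the files can alter the snapshot too.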

Defenses: Data vs. Code

Separate data and instructions

  • Virus treats program as data

    • Writes self to file.

  • Virus treats program as instructions

    • Virus executes when program is run.

  • Solution: Treat all programs as data until trusted authority marks as executable.

    • Development difficult when compilers can’t produce executable code.

Defenses: Information Flow

Limit Information Flow

  • Virus executes with user’s identity.

  • Soln: Limit information flow between users.

    • Set flow distance to be one for users A, B, C.

    • A creates virus (fd=0), B executes it (fd=1).

    • C cannot execute B’s infected program (fd=2).

  • Indirect virus spread limited.

  • How can we track information flow?
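The flow-distance scenario above, as an added example (written for this page, not from the lecture) that models the policy as a small Python rule: every file carries the number of user boundaries the information in it has crossed, executing a file written by another user adds one, and execution is refused once the count would exceed the limit of one. The user and file names are constructed; the engine is an illustration of the metric, not an operating-system mechanism.

```python
"""Model of the slide's flow-distance limit for users A, B and C."""

LIMIT = 1   # slide: flow distance set to one


class File:
    def __init__(self, name: str, creator: str):
        self.name = name
        self.last_user = creator   # user whose process last wrote the file
        self.distance = 0          # user boundaries crossed so far (creator: fd=0)


def execute(user: str, program: File) -> int:
    """Return the flow distance of user's process after running program,
    or raise PermissionError if that would exceed LIMIT."""
    crossing = 0 if user == program.last_user else 1
    fd = program.distance + crossing
    if fd > LIMIT:
        raise PermissionError(f"{user} may not execute {program.name}: fd={fd} > {LIMIT}")
    return fd


def write(user: str, fd: int, target: File) -> File:
    """A process running at flow distance fd taints every file it writes."""
    target.last_user = user
    target.distance = max(target.distance, fd)
    return target


def scenario() -> dict:
    """Replay the slide: A creates a virus, B runs it, C is blocked."""
    virus = File("virus", creator="A")      # A creates virus: fd=0
    fd_a = execute("A", virus)              # A running own file stays at fd=0
    fd_b = execute("B", virus)              # B executes it: fd=1
    app = File("app", creator="B")          # B's own program
    write("B", fd_b, app)                   # virus running as B infects app: app now fd=1
    try:
        execute("C", app)                   # would be fd=2, over the limit
        c_result = "allowed"
    except PermissionError:
        c_result = "denied"
    fd_b_again = execute("B", app)          # B may still run B's own infected program
    return {"A_runs_virus": fd_a, "B_runs_virus": fd_b, "C_runs_app": c_result, "B_runs_app": fd_b_again}


if __name__ == "__main__":
    print(scenario())
```

The last question on the slide is the hard part: this model only works because every write is routed through `write()`, which is the tracking an operating system would have to do for every file and every process.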

Defenses: Least Privilege

Limit programs to least privilege needed

example: SELinux

Mail virus example

  • Virus arrives via email.

  • Virus exploits bug in email client to execute.

  • Virus saves self to file in Startup folder.

  • Virus infects Office documents.

    How least privilege would stop

  • Mail application cannot create virus binaries.

  • Mail application cannot write to Startup folder.

  • Mail application cannot write to Office documents.

Defenses: Sandboxes

Execute code in protected sandbox or VM.

Virtual Browser Appliance

Linux guest running Firefox under VMware.

Infections can only attack VM, not real host.

Reset VM to initial state if infected.

Defenses: Anomaly Detection

Validate program actions with policy

Limit access to system calls.

Example: systrace.

Check statistical characteristics.

Programmer style.

Compare source code with object.

Statistics of write frequencies, program executions.
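An added example serving both the system-call policy on this slide and the least-privilege mail-virus walkthrough two slides earlier (written for this page; it is not systrace's policy language or engine, nor an SELinux policy): a per-program rule table in the systrace spirit, where each rule is a system call plus an argument glob, the first matching rule wins, and anything unmatched is denied. The trace replays the mail-virus sequence and shows where the chain is cut. Program name, paths and rules are constructed for the example.

```python
"""systrace-style per-program system-call policy, applied to the
lecture's mail-virus sequence. All names and rules are constructed."""
import fnmatch

# Rules: (syscall, argument glob, decision). First match wins; default deny.
POLICIES = {
    "mailclient": [
        ("connect", "*:143", "permit"),                        # fetch mail (IMAP)
        ("connect", "*:25", "permit"),                         # send mail (SMTP)
        ("fsread", "/home/*/Mail/*", "permit"),
        ("fswrite", "/home/*/Mail/*", "permit"),
        ("fswrite", "/home/*/.config/autostart/*", "deny"),    # the "Startup folder"
        ("fswrite", "/home/*/Documents/*.doc*", "deny"),       # Office documents
        ("execve", "*", "deny"),                               # no spawning binaries
    ],
}


def decide(program: str, syscall: str, arg: str):
    """Return (decision, matched rule) for one call; unmatched calls are denied."""
    for rule_call, pattern, decision in POLICIES.get(program, []):
        if rule_call == syscall and fnmatch.fnmatch(arg, pattern):
            return decision, f"{rule_call} {pattern}"
    return "deny", "default"


def run_trace(program: str, trace):
    """Evaluate a list of (syscall, arg) pairs. Returns every decision plus
    the first denied call, i.e. the point at which the infection is stopped."""
    decisions = []
    first_denied = None
    for syscall, arg in trace:
        decision, rule = decide(program, syscall, arg)
        decisions.append((syscall, arg, decision, rule))
        if decision == "deny" and first_denied is None:
            first_denied = (syscall, arg)
    return decisions, first_denied


# Constructed trace of the slide's scenario, as seen by the policy engine.
MAIL_VIRUS_TRACE = [
    ("fsread", "/home/bob/Mail/inbox"),                        # virus arrives via email
    ("fswrite", "/home/bob/.config/autostart/update.sh"),      # tries to persist in Startup
    ("execve", "/tmp/dropper"),                                # tries to run its binary
    ("fswrite", "/home/bob/Documents/report.docx"),            # tries to infect a document
    ("connect", "mail.example.com:25"),                        # ordinary outbound mail
]

if __name__ == "__main__":
    decisions, cut = run_trace("mailclient", MAIL_VIRUS_TRACE)
    for d in decisions:
        print(*d)
    print("infection cut at:", cut)
```

Default deny is what makes the table a least-privilege policy rather than a blocklist: the three malicious writes and the exec are refused even though only two of them match an explicit `deny` rule, while the mail client's legitimate reads and connections continue to work.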

Defenses: Counter-worms

Worm that removes other worms from net.

Nachi/Welchia

  • Multi-vector W32 worm

  • Nachi.A removes W32/Blaster worm

  • Nachi.B removes W32/MyDoom worm

  • Installed MSRPC DCOM patch to prevent future infections from Blaster.

  • Removes self after 2004.

    Side-effects

  • Infected Diebold ATMs

  • Worm traffic caused denial of service across the Internet, especially at Microsoft.

Fast Worms

Slammer Worm Characteristics

  • Attacked MS SQL servers.

  • Worm is a single 404-byte UDP packet.

  • Random-scan (scan coverage was limited by PRNG bugs).

  • Limited by network bandwidth, not latency.

  • Observed scan rate of 26,000 hosts/second.

Fast Worms

  • Infected 90% of vulnerable hosts in 10 min.

  • Too fast for humans to react.

  • Shut down 13,000 Bank of America ATMs by compromising database servers and generating heavy traffic.

Profitable Malware

Sobig

  • W32 worm using email/network share vectors.

  • Contains upgrade mechanism

    • Worm checked sites every few minutes.

    • When site valid, downloaded code.

    • Later variants could update upgrade server list.

  • Downloaded payload from upgrade mechanism

    • Key logger.

    • Wingate proxy server (for spam proxying).

Profitable Malware

Trojans

Backdoor.Lala transfers authentication cookies for eBay, PayPal, etc. to maker.

PWSteal.Bancos automates phishing by displaying fake web pages when browser goes to certain bank sites.

Spyware and Adware

Increasingly use Trojan techniques.

Win32/Bube exploits an IE flaw, infects IE itself as a virus, then downloads adware.

Mobile Malware

2004: In June, the Cabir virus appeared, infecting Symbian OS mobile phones over Bluetooth.

2005: Commwarrior-A worm spreads to Symbian series 60 phones via phone’s MMS.

Mobile Malware

Around 1,000 pieces of mobile malware exist.

For Blackberries and Palm Pilots too.

Expect more as smart phones become common.

Offline Impact

Davis-Besse nuclear power plant

Slammer infected the Plant Process Computer and Safety Parameter Display System (Jan 2003).

Analog backups unaffected.

Infected contractor’s network, then moved through T1 line that bypassed plant firewall.

Seattle 911 system

Slammer disabled computer systems.

Dispatchers reverted to manual systems.

2003 Blackout

Blaster infected First Energy systems.

Modern Malware is

Stealthy: rootkit techniques common.

Targeted: targets smaller banks and countries, leverages current events:

  • January: Storm Worm appears via email with subject “230 dead as storm batters Europe.”

  • February: Miami Dolphins Stadium site hacked before the Super Bowl so that it would infect browsers with a trojan that grabbed WoW data.

Blended: combine trojan, virus, worm features.

Web-based: use web for delivery and update.

Profit-driven: the goal is to make money.

References

  • Ross Anderson, Security Engineering, Wiley, 2001.

  • Matt Bishop, Computer Security: Art and Science, Addison-Wesley, 2003.

  • William Cheswick, Steven Bellovin, and Aviel Rubin, Firewalls and Internet Security, 2nd edition, Addison-Wesley, 2003.

  • Fred Cohen, http://www.all.net/books/virus/part1.html, 1984.

  • Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3rd edition, O’Reilly & Associates, 2003.

  • Alexander Gostev, “Malware Evolution: January - March 2005,” http://www.viruslist.com/en/analysis?pubid=162454316, April 18 2005.

  • Elias Levy, “Crossover: Online Pests Plaguing the Offline World,” IEEE Security & Privacy, 2003.

  • Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed, 5th edition, McGraw-Hill, 2003.

  • Hilarie Orman, “The Morris Worm: A Fifteen-Year Perspective,” IEEE Security & Privacy, 2003.

  • Cyrus Peikari and Anton Chuvakin, Security Warrior, O’Reilly & Associates, 2003.

  • Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006.

  • Ed Skoudis and Lenny Zeltser, Malware: Fighting Malicious Code, Prentice Hall, 2003.

  • Stuart Staniford, Vern Paxson, and Nicholas Weaver, “How to 0wn the Internet in Your Spare Time,” Proceedings of the 11th USENIX Security Symposium, 2002.

  • Peter Szor, The Art of Computer Virus Research and Defense, Addison-Wesley, 2005.

  • Trend Micro, “1H2007 Threat Roundup,” http://us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/1h_2007_threat_roundup_final_jul2007.pdf, 2007.
