The Attack and Defense of Computers
Dr. 許富皓
Malicious Software (Malware)
• Security tools and toolkits
• Back doors (trap doors)
• Logic bombs
• Viruses
• Worms
• Binders
• Droppers
• Trojan Horses
• Browser Hijacker
• Spyware
• Rootkit
• URL Injection
• …
Security Tools and Toolkits
• Automatically scan for computer security weaknesses.
• Can be used by both security professionals and attackers.
• e.g. Nessus, COPS, ISS, Tiger, and so on.
• Their scan reports may unwittingly be released to the public.
• There are also programs and tool sets whose only function is to attack computers.
  • Script kiddies
• P.S. These tools may damage the systems that install them or may contain booby traps that compromise the systems that install them.
Logic Bombs
• A logic bomb is a piece of code intentionally inserted into a software system that sets off a malicious function when specified conditions are met.
• For example, a programmer may hide a piece of code that starts deleting files should he ever leave the company (i.e. when his record disappears from the salary database).
• Usually written by insiders (programmers within the organization).
Logic Bombs, Viruses and Worms
• Software that is inherently malicious, such as viruses and worms, often contains logic bombs that execute a certain payload
  • at a pre-defined time or
  • when some other condition is met.
• Many viruses attack their host systems on specific dates, such as Friday the 13th or April Fool's Day.
• Trojans that activate on certain dates are often called "time bombs".
Key Logger
• A program or hardware device that captures every key depression on the computer.
• Also known as "Keystroke Cops," they are used to monitor a user's activities by recording every keystroke the user makes, including typos, backspacing, and retyping.
Security Concerns about Key Loggers
• Keystroke logging can be achieved by both hardware and software means.
• There is no easy way to prevent keylogging software from being installed on your PC, as it is usually done by stealth.
• If you are using a home PC, it is unlikely to have keystroke-logging hardware attached (but remember there may be keystroke-logging software).
Precautions against Key Loggers
• Try to avoid typing private details on public PCs.
• Always try to avoid visiting sites on public PCs that require you to enter your login details, e.g. an online banking account.
Example
• Ardamax Keylogger
URL Injection
• Alters the URLs the browser submits to servers belonging to some or all domains.
Browser Hijacker [Rouse]
A browser hijacker (sometimes called hijackware) is a type of malware program that alters your computer's browser settings so that you are redirected to Web sites that you had no intention of visiting.
Symptoms of Browser Hijackers (1) [Khanse]
• Home page is changed
• Default search engine is changed
• You can't navigate to certain web pages, like the home pages of security software
• You get redirected to pages you never intended to visit
Symptoms of Browser Hijackers (2)
• You see ads or pop-ups on your screen that are not served by the website you are visiting
• You see new toolbars added
• You see new Bookmarks or Favorites added
• Your web browser starts running sluggishly
Infection of Browser Hijackers [Rouse]
A browser hijacker may be installed as part of a freeware installation. A browser hijacker may also be installed without user permission, as the result of an infected e-mail, a file share, or a drive-by download.
Redirection [PCSTATS]
As well as making changes to your home page and other IE settings, a hijacker may also add entries to the hosts file on your system. This special file directly maps host names (the DNS names in web URLs) to IP addresses, so every time you type certain URLs you may be redirected to the IP address of a sponsored search or porn site instead.
Absolute Path of the hosts File
C:\WINDOWS\SYSTEM32\drivers\etc\hosts
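As an added defensive example (not from the original slides), the following Python audits a hosts file for the kind of remapping described above: it parses the file, ignores the normal localhost entries, and reports watched domains that are redirected to a routable address or sinkholed at 0.0.0.0/loopback (the "can't reach security sites" symptom). The hosts content, the watched-domain list and the 203.0.113.10 address are constructed sample data.

```python
import ipaddress

# Constructed sample of a tampered hosts file; the routable entries are the
# kind a hijacker appends below the stock localhost lines (not from the slides).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries below are the kind a hijacker appends
203.0.113.10    www.search.example
203.0.113.10    www.portal.example
0.0.0.0         www.antivirus-vendor.example
203.0.113.10    update.antivirus-vendor.example   # block vendor updates
"""

# Domains whose remapping is a strong hijack indicator (search engines,
# security-vendor sites). Assumed list for this example; a real deployment
# would load it from a maintained allow-list.
WATCHED_DOMAINS = {"www.search.example", "www.portal.example",
                   "www.antivirus-vendor.example", "update.antivirus-vendor.example"}

def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for every non-comment entry."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) >= 2:
            yield n, parts[0], parts[1:]

def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Return (line_no, hostname, address, reason) for each suspicious entry.

    localhost -> loopback is normal. A watched domain pointed at a routable
    address is a redirection; pointed at 0.0.0.0/loopback it is a sinkhole.
    Other routable mappings are reported for review, since legitimate
    intranet entries look the same.
    """
    findings = []
    for n, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((n, names[0], addr, "unparseable address"))
            continue
        local = ip.is_loopback or ip.is_unspecified
        for name in names:
            name = name.lower()
            if name in watched:
                findings.append((n, name, addr, "sinkholed" if local else "redirected"))
            elif not local and name not in ("localhost", "localhost.localdomain"):
                findings.append((n, name, addr, "maps to routable address: review"))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```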
Self-Protection Mechanisms of Browser Hijackers [PCSTATS]
These programs often use a combination of hidden files and registry settings to reinstall themselves after removal, so deleting them or changing your IE settings back may well not work.
Add-on [stackoverflow]
• Add-on: essentially anything that can be installed into the browser.
• This includes, for example:
  • extensions
  • themes
  • plug-ins
  • dictionaries
  • language packs
  • search engines
Terminologies [alex301]
plug-in = something that must be compiled into an executable and provides the browser with extra functionality.
extension = something written in the scripting languages the browser supports, used to change the browser's functionality and operation.
theme = something written in the languages the browser supports, used to change the browser's appearance and interface.
addon = plugin + extension + theme = the collective term for everything outside the browser itself that is used to change the browser.
Plug-in [mozillazine]
• Plug-ins add new functionality to an application, such as
  • viewing special graphical formats or
  • playing multimedia content in a web browser.
• Plug-ins also differ from extensions, which modify or add to existing functionality.
Plug-in [wikipedia]
Plug-ins add specific abilities to browsers using application programming interfaces (APIs) that allow third parties to create plug-ins that interact with the browser. The original API was NPAPI, but subsequently Google introduced the PPAPI interface in Chrome.
Plug-in Mechanism [wikipedia]
A host application provides services which the plug-in can use, including a way for plug-ins to register themselves with the host application and a protocol for the exchange of data with plug-ins.
Uses of Plug-ins
• Common uses of plug-ins on the web include
  • displaying video in the browser,
  • games, and
  • music playback.
• Widely used plug-ins include Java, Flash, QuickTime, and Adobe Reader.
Plug-in Form
A plug-in, in the context of Mozilla-based applications, is a binary component that, when registered with a browser, can display content that the browser itself cannot display natively.
Extension [wikipedia 1] [wikipedia 2]
• Extensions can be used to
  • modify the behavior of existing features of an application or
  • add entirely new features.
• Therefore, after integration, extensions can be seen as part of the browser itself, tailored from a set of optional modules.
Extension technologies (2) [wikipedia]
• XPConnect
• XPI (Cross-Platform Installer)
• XUL (XML User Interface Language) – used to define the UI (user interface) and the interaction with the user.
• Mozilla Jetpack – a development kit aiming to lower the learning curve and development time for making add-ons.
IE Extension [ivy] Internet Explorer->Tools->Manage Addons
Mozilla Firefox [ivy] Mozilla Firefox->Tools->Add-ons->Extensions
Google Chrome [ivy] Google Chrome->Wrench Icon->Tools->Extensions
Browser Toolbar [wikipedia]
A browser toolbar is a toolbar that resides within a browser's window. All major web browsers support browser toolbar development as a way to extend the browser's GUI and functionality. Browser toolbars are considered to be a particular kind of browser extension that presents a toolbar.
Definition of Binder
• A tool that combines two or more files into a single file, usually for the purpose of hiding one of them.
• A binder compiles the list of files that you select into one host file, which you can rename.
• A host file is a simple custom compiled program that will decompress and launch the embedded programs.
• When you start the host, the embedded files in it are automatically decompressed and launched.
Example
• When a piece of malware is bound with Notepad, for instance, the result will appear to be Notepad, and appear to run like Notepad, but the piece of malware will also be run.
Program
• YAB: Yet Another Binder
• User Guide
Embedded Files
• The files embedded in a host file are not always binary files. They can be files of any type.
• Even when an embedded file is a binary, it may be a normal program.
Definition of a Dropper
• A dropper is a program (malware component) that has been designed to "install" some sort of malware (virus, backdoor, etc.) on a target system.
• Single stage: the malware code is contained within the dropper in such a way as to avoid detection by virus scanners.
• Two stages: the dropper downloads the malware to the target machine once activated.
Types of Droppers
• Depending on how a dropper is executed, there are two major types of droppers:
  • those that do not require user interaction
    • they execute by exploiting some vulnerability in the system
  • those that require user interaction, by convincing the user that the dropper is some legitimate or benign program.
Trojan Horse
• In the context of computer software, a Trojan horse is a malicious program that is disguised as, or embedded within, legitimate software.
• Trojans use false and fake names to trick users into executing them.
• These strategies are often collectively termed social engineering.
• A Trojan is designed to operate with functions unknown to the victim.
• The useful, or seemingly useful, functions serve as camouflage for these undesired functions.
Properties of Trojan Horses
• Trojan horse programs cannot operate autonomously, in contrast to some other types of malware, like worms.
• Just as the Greeks needed the Trojans to bring the horse inside for their plan to work,
  • Trojan horse programs depend on actions by the intended victims;
  • even if Trojans replicate and distribute themselves, each new victim must run the program/Trojan.
• For these reasons, a Trojan horse's virulence depends on
  • successful implementation of social engineering concepts, but does not depend on
  • flaws in a computer system's security design or configuration.
Categories of Trojan Horses
• There are two common types of Trojan horses:
  • useful software that has been corrupted by a cracker inserting malicious code that executes while the program is used. Examples include various implementations of
    • weather alerting programs
    • computer clock setting software
    • peer-to-peer file sharing utilities.
  • a standalone program that masquerades as something else, like a game or image file (e.g. firework.jpg.exe in Windows).
Malware Hosted inside Trojan Horses
• In practice, Trojan horses in the wild often contain:
  • spying functions (such as a packet sniffer)
  • backdoor functions that allow a computer, unbeknownst to the owner, to be remotely controlled from the network, creating a zombie computer.
• The Sony/BMG rootkit Trojan, distributed on millions of music CDs through 2005, did both of these things.
• Because Trojan horses often have these harmful behaviors, the misunderstanding often arises that such functions define a Trojan horse.
Example of a Simple Trojan Horse
• A simple example of a Trojan horse would be a program named waterfalls.jpg.exe claiming to be a free waterfall picture which, when run, instead begins erasing all the files on the computer.
E-Mail Trojan Horses
• On the Microsoft Windows platform, an attacker might attach a Trojan horse with an innocent-looking filename to an email message which entices the recipient into opening the file.
• The Trojan horse itself would typically be a Windows executable program file, and thus must have an executable filename extension such as .exe, .com, .scr, .bat, or .pif.
• Since Windows is sometimes configured by default to hide filename extensions from a user, the Trojan horse's extension might be "masked" by giving it a name such as Readme.txt.exe.
• With file extensions hidden, the user would only see Readme.txt and could mistake it for a harmless text file.
• Icons can also be chosen to imitate the icon associated with a different and benign program, or file type.
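The double-extension trick on this slide, and the firework.jpg.exe / waterfalls.jpg.exe examples earlier, can be checked mechanically. This Python, added here and not part of the original slides, computes what a user sees with extensions hidden and flags names whose real (last) extension is executable while the inner extension pretends to be a document or image. The extension sets and the sample attachment list are assumptions.

```python
import os

# Extensions the slide names as executable on Windows, plus .cmd (assumption).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".pif", ".cmd"}
# Document/image extensions an attacker borrows as the decoy "inner" extension.
DECOY_EXTS = {".txt", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx"}

def displayed_name(filename, hide_extensions=True):
    """Name as Explorer shows it when 'Hide extensions for known file types' is
    on: only the final extension is hidden, so Readme.txt.exe shows as Readme.txt."""
    stem, ext = os.path.splitext(filename)
    return stem if hide_extensions and ext else filename

def classify_attachment(filename):
    """Describe a filename the way a mail gateway or awareness tool would.

    true_ext   the extension Windows actually honours (the last one)
    executable whether opening the file runs code
    decoy_ext  a document/image extension placed before the real one, or None
    shown_as   what the user sees with extensions hidden
    verdict    'clean', 'executable' (plainly named) or 'deceptive'
    """
    stem, true_ext = os.path.splitext(filename)
    true_ext = true_ext.lower()
    inner = os.path.splitext(stem)[1].lower()
    executable = true_ext in EXECUTABLE_EXTS
    decoy = inner if executable and inner in DECOY_EXTS else None
    verdict = "deceptive" if decoy else ("executable" if executable else "clean")
    return {"true_ext": true_ext, "executable": executable, "decoy_ext": decoy,
            "shown_as": displayed_name(filename), "verdict": verdict}

def screen_attachments(filenames):
    """Return the filenames that should be quarantined or flagged to the user."""
    return [f for f in filenames if classify_attachment(f)["verdict"] == "deceptive"]

# Constructed sample attachment list (the double-extension names come from the slides).
SAMPLE_ATTACHMENTS = ["Readme.txt.exe", "waterfalls.jpg.exe", "firework.jpg.exe",
                      "holiday.jpg", "report.pdf", "setup.exe"]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(name, classify_attachment(name))
```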