MALWARE

Tomas Kegel Sørensen

Esben B. Larsen

Christoph Froeschel

Magnus Koch

ITU Copenhagen 07.11.2008


AGENDA

  • PART I: INTRODUCTION TO MALWARE

  • PART II: MOBILE MALICIOUS CODE

  • PART III: PURPOSE OF MALWARE

  • PART IV: AVOIDING MALWARE



WHAT IS MALWARE?

  • Malware is a contraction of malicious software

  • Malware refers to various types of software that can cause problems on, damage, or disrupt a computer

  • Installed without the user's knowledge or approval


DEFINITIONS OF COMMON ATTACKS

  • Virus

    - is a program that copies itself into other programs. Viruses infect host files associated with applications.

    - typically, user interaction is required for propagation, such as running a program or opening a document file.


DEFINITION OF COMMON ATTACKS

  • Worm

    - is a program that copies itself over computer networks, infecting machines in remote locations.

    - typically, no user interaction is required, as the worm spreads via vulnerabilities or misconfigurations in target systems.

    - Exponential growth: every newly infected machine starts spreading the worm in turn.


DEFINITIONS OF COMMON ATTACKS

  • The components of a worm:

  • Warhead: penetrates the target

    - browsers that surf infected web servers

    - Outlook e-mail

    - Windows file sharing

    - backdoors left by previous worms

  • Propagation engine: moves the worm body to the destination

    - file-transfer protocols such as FTP, HTTP and SMB

    - mail programs

  • Target selection algorithm (TSA): looks for new victims to attack

    - addresses from received or sent e-mails

    - IP addresses similar to the victim's own

  • Scanning engine: fires warheads against the new victims

  • Payload: what it does to the target

    - nothing (so-called null-payload worms)

    - opening up backdoors

    - planting a zombie

    - performing a mathematical operation
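The exponential growth claimed for worms above, as an added example that is not part of the presentation: a small simulation of a worm whose scanning engine fires a fixed number of scans per tick at uniformly random addresses (no target-selection preference for nearby addresses). The address-space size, the number of vulnerable hosts, the scans per tick and the random seed are assumed parameters chosen for illustration; the `doubling_times` helper shows that the time for the infected population to double stays roughly constant until the worm runs out of vulnerable hosts.

```python
"""Random-scanning worm epidemic model.

Added example, not code from the presentation: it only simulates the growth
that the slides call exponential. Everything below is a constructed, simplified
model: an address space of n_addresses, of which the first n_vulnerable
addresses run the vulnerable service, and a scanning engine that fires
scans_per_tick warheads per tick at uniformly random addresses. A scan that
hits a vulnerable, not-yet-infected host infects it immediately.
"""
import random


def simulate_worm(n_addresses, n_vulnerable, scans_per_tick, max_ticks, seed=1):
    """Return the number of infected hosts after each tick.

    curve[0] is the single initial infection; the simulation stops early once
    every vulnerable host is infected.
    """
    rng = random.Random(seed)
    infected = {0}                     # host 0 is patient zero
    curve = [len(infected)]
    for _ in range(max_ticks):
        newly_hit = set()
        # Every infected host scans independently this tick.
        for _host in range(len(infected)):
            for _scan in range(scans_per_tick):
                target = rng.randrange(n_addresses)
                if target < n_vulnerable and target not in infected:
                    newly_hit.add(target)
        infected |= newly_hit
        curve.append(len(infected))
        if len(infected) == n_vulnerable:
            break
    return curve


def first_tick_reaching(curve, count):
    """Index of the first tick at which at least `count` hosts are infected (-1 if never)."""
    for tick, infected in enumerate(curve):
        if infected >= count:
            return tick
    return -1


def doubling_times(curve):
    """Ticks needed for the infected population to reach 2, 4, 8, ... hosts.

    Roughly constant doubling times are the signature of exponential growth;
    they lengthen only when the worm runs out of uninfected vulnerable hosts.
    """
    times = []
    target, previous_tick = 2, 0
    while target <= curve[-1]:
        tick = first_tick_reaching(curve, target)
        times.append(tick - previous_tick)
        previous_tick, target = tick, target * 2
    return times


if __name__ == "__main__":
    curve = simulate_worm(n_addresses=65536, n_vulnerable=2000,
                          scans_per_tick=10, max_ticks=500)
    print("ticks to infect every vulnerable host:", len(curve) - 1)
    print("doubling times:", doubling_times(curve))
    for tick in (0, 5, 10, 15, 20, 25, 30, len(curve) - 1):
        if tick < len(curve):
            print(f"tick {tick:3d}: {curve[tick]:5d} infected")
```

With the parameters in the `__main__` block each infected host finds on average about 0.3 new victims per tick at the start, so the population grows by roughly 30% per tick until most vulnerable hosts are already infected; the second half of the population is infected in a handful of ticks once the first half is.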


DEFINITIONS OF COMMON ATTACKS

  • Trojan horse

    - is a program that seems to do something useful or interesting, but actually runs malicious code behind the scenes.

    - e.g. screen savers

    - a common use is a "trap door" that gives a malicious adversary discreet access to the machine at a future date.


DEFINITIONS OF COMMON ATTACKS

  • Time bombs or logic bombs

    - are programs that hibernate until a specified event happens or until a condition is true.

    - effective when coupled with a virus


TAXONOMY OF MALWARE

  • Malicious programs

    - Need a host program: viruses, logic bombs, Trojan horses

    - Independent: worms


COMBINING MALWARE

  • Worms and viruses are the transport mechanism for malicious code

  • Trojan horses and time/logic bombs are the malicious code.


PART II: MALICIOUS MOBILE CODE


MALICIOUS MOBILE CODE

  • Mobile code is a lightweight program that is downloaded from a remote system and executed locally with minimal or no user intervention

  • Malicious mobile code is mobile code that makes your system do something that you do not want it to do.


MALICIOUS MOBILE CODE FOR A VARIETY OF NASTY ACTIVITIES

  • Monitoring your browsing activities

  • Obtaining unauthorized access to your file system

  • Infecting your machine with a Trojan horse

  • Hijacking your Web browser


MOBILE CODE EXAMPLES

  • Browser Scripts

  • ActiveX Controls

  • Java Applets

  • Mobile Code in E-mail Clients


BROWSER SCRIPTS

    <script type="text/javascript">          (a)
      function do_something() {
        // Code for this function would go here.
      }
    </script>                                (b)

  • (a) Script begins: everything up to (b) is interpreted by the browser as JavaScript

  • (b) Script ends

  • The script is delivered with the page and executed by the browser as the page loads, with no user intervention (mobile code in the sense defined above)


ACTIVEX CONTROLS

  • A software component based on Microsoft's ActiveX technology that is used to add interactivity and more functionality, such as animation or a popup menu, to a Web page. An ActiveX control can be written in any of a number of languages, including Java, C++ and Visual Basic.

  • The first time a control is accepted it is downloaded to your computer and registered.

  • Once registered, the control runs as native code with the privileges of the user, with no sandbox comparable to the Java applet model.



JAVA APPLETS

  • Java applets are relatively lightweight programs designed to be transmitted across the Internet

  • Java applet security model

    • The Java applet security model forces downloaded Java applets to run within a highly restrictive sandbox.

  • Attackers exploit bugs in the implementation of the JRE to allow an untrusted applet to escape from its sandbox.

    • Example: a program called Brown Orifice


MOBILE CODE IN E-MAIL CLIENTS

  • The majority of modern e-mail clients contain some form of Web browser functionality to display HTML.

  • Turn off support for mobile code in your e-mail client if you don't use this functionality.


CONCLUSION

  • Do not execute ActiveX controls, whether signed or not signed, unless you trust their author with access to your system.

  • Do not execute signed Java applets unless you trust their author with access to your system.

  • Remember that there is no such thing as "trust once," when it comes to ActiveX controls or Java applets, because a malicious program can grant itself perpetual trust once it has access.

  • Disable support for mobile code that you do not require in your browser and e-mail software.




CHANGE OF PERSPECTIVE I

  • Hackers wanted to show that they could

    • Morris worm in 1988

  • Malware used to be destructive

    • "I Love You" virus (2000): deleted files and forwarded itself to the contacts in Outlook

  • Today malware is usually not destructive any more: it works silently on the PC


IT'S BUSINESS

  • "Sources of cybercrime will become increasingly organized and profit driven" (Gunter Ollmann, IBM)

  • "Hacker teams are highly professional, with strong focus on quality and the right marketing" (Torsten Holz, University of Mannheim)


BOTNETS FOR RENT

  • Hacker groups rent out their botnets

  • Reports suggest that botnets can be rented for $100/hour

  • Pay-as-you go scheme – cybercrime made easy!


RETURN ON INVESTMENT

  • Crime syndicates blackmail gambling sites/online shops

  • They demand up to $50,000

  • Stealing personal information (credit cards, bank accounts)


BEYOND TRADITIONAL CRIME I

  • The Sony RootKit scandal

    • automatically installing software on PCs

    • Sony wanted an improved copy protection

    • …but introduced new security holes on computers with a Windows OS


BEYOND TRADITIONAL CRIME II

  • Remote forensic software

    • Government installs spyware on the computers of "suspected" persons

    • The FBI uses a tool called "Magic Lantern"

    • Uses key loggers in order to get sensitive information

    • Conflicts with legislation


FUTURE TRENDS

  • Cybercrimes in virtual worlds

  • Increase in botnets

  • Mobile Devices

  • Virtual Machine RootKit (Blue Pill)


SUM UP

  • High risk

  • Focus is on "business": earning money is important

  • Malware gets smarter and thus harder to detect

  • Magnus will now talk about avoiding malware



STRATEGY

1: User education and restricted user privileges.

2: Avoiding common software "packages".

3: Anti-virus software (locally and at network gateways).


1 USER EDUCATION

METHODS

  • Educate users so that they avoid making known mistakes.

  • Restrict the privileges of user accounts (configuration hardening).

PROBLEMS

  • Most users are not willing to spend time learning security.

  • Even expert users are not immune to unexpected attacks (Bubble Boy).





2 AVOID COMMON SOFTWARE

EXAMPLES

  • The combination of "Microsoft Word" and "Outlook".

  • The "WordPress" CMS.

METHOD

  • Avoid common software, or at least include less popular software somewhere in your workflow.

PROBLEMS

  • What is common software?

  • How can you be sure that security issues will be identified and addressed when using less common software?


3 ANTI-VIRUS SOFTWARE

METHOD

  • Scan all incoming files for malware.

PROBLEMS

  • New malware emerges.

  • Malware authors camouflage already-known threats.



MALWARE SIGNATURES

  • The fingerprints of malware (the signature database is also called the DAT file by some vendors)

  • Performance improvements

    • Fingerprints are matched to certain file types.

    • Depending on the file type, different areas of the file are scanned.




NEW MALWARE

  • Can actually be new malware, or camouflaged versions of old threats.

  • Polymorphism (obfuscated code)

    • Changed variable names.

    • Changed order of the instructions in the malware program.

    • Encryption (a small decryptor plus an encrypted body, re-encrypted with a new key for each copy).

    • Metamorphism (the code rewrites itself into a functionally equivalent but different program on each infection).


HOW TO IDENTIFY MALWARE WITH AN UNKNOWN SIGNATURE

  • Generic signatures.

    • Often broken up and containing "wildcard areas".

    • Not good for totally new malware.

  • Emulation.

  • Heuristics.
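An added example (not code from the presentation or from any anti-virus product) that covers the malware-signatures slide, the polymorphism bullets and the generic-signature bullet above in one piece: a byte-signature scanner that restricts scanning to windows chosen by file type, and that supports wildcard bytes so one generic signature matches variants whose immediates a polymorphic engine has changed. The file-type detection, the scan windows, the `Demo.Dropper` signatures and the four sample files are all constructed for illustration; the fourth sample shows the cost of scanning only part of a file.

```python
"""Signature scanning with file-type-specific scan windows and generic
(wildcard) signatures.

Added example, not code from the presentation or any AV vendor. The file-type
detection, scan windows, signatures and sample files are all constructed for
illustration; real signature databases and PE parsing are far richer.
"""

# File type -> windows (offset, length) that are scanned. A negative offset
# counts from the end of the file; length None means "to the end of the file".
# Scanning only parts of a file is the performance trade-off the slides
# describe: a pattern sitting outside these windows is never seen.
SCAN_WINDOWS = {
    "pe": [(0, 256), (-256, 256)],   # header area and the tail of the image
    "script": [(0, None)],           # scripts are small: scan everything
    "unknown": [(0, None)],
}


def detect_type(data: bytes) -> str:
    """Classify by leading bytes ('MZ' = PE executable; '#!' or '<script' = script)."""
    if data[:2] == b"MZ":
        return "pe"
    if data.startswith(b"#!") or data.lstrip().lower().startswith(b"<script"):
        return "script"
    return "unknown"


def scan_windows(data: bytes, ftype: str):
    """Yield (start, end) byte ranges to scan for this file type, clipped to the file."""
    for offset, length in SCAN_WINDOWS[ftype]:
        start = offset if offset >= 0 else max(0, len(data) + offset)
        end = len(data) if length is None else min(len(data), start + length)
        yield start, end


def parse_signature(hex_pattern: str):
    """'6A ?? 68' -> [0x6A, None, 0x68]; '??' is a one-byte wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in hex_pattern.split()]


def find_pattern(data: bytes, pattern, start: int, end: int) -> int:
    """Index of the first match of pattern within data[start:end], or -1."""
    for i in range(start, end - len(pattern) + 1):
        if all(p is None or data[i + k] == p for k, p in enumerate(pattern)):
            return i
    return -1


# Constructed signatures for a fictitious dropper: a "push imm8; push imm32;
# call rel32" stub. The exact signature pins every byte; the generic one
# wildcards the immediates that a polymorphic engine changes on each copy.
SIGNATURES = {
    "Demo.Dropper.A (exact)": parse_signature("6A 00 68 41 42 43 44 E8 10 00 00 00"),
    "Demo.Dropper.gen (generic)": parse_signature("6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ??"),
}


def scan(data: bytes, signatures=SIGNATURES, whole_file=False):
    """Return the names of signatures found in the windows chosen for the file type.

    whole_file=True ignores the file type and scans every byte (slower, but
    catches code placed outside the expected windows).
    """
    ftype = "unknown" if whole_file else detect_type(data)
    hits = []
    for name, pattern in signatures.items():
        if any(find_pattern(data, pattern, s, e) >= 0 for s, e in scan_windows(data, ftype)):
            hits.append(name)
    return hits


def pe_like(code: bytes, header_pad: int = 62) -> bytes:
    """Constructed stand-in for a PE image: 'MZ', zero padding, code, NOP filler."""
    return b"MZ" + b"\x00" * header_pad + code + b"\x90" * 600


ORIGINAL = pe_like(b"\x6A\x00\x68ABCD\xE8\x10\x00\x00\x00")   # code at offset 64, inside the header window
VARIANT = pe_like(b"\x6A\x01\x68WXYZ\xE8\x20\x00\x00\x00")    # polymorphic copy: immediates changed
HIDDEN = pe_like(b"\x6A\x00\x68ABCD\xE8\x10\x00\x00\x00", header_pad=298)  # code at offset 300, outside both windows
BENIGN = pe_like(b"\x55\x8B\xEC\x33\xC0\x5D\xC3")              # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret

if __name__ == "__main__":
    for label, sample in [("original", ORIGINAL), ("variant", VARIANT),
                          ("hidden", HIDDEN), ("benign", BENIGN)]:
        print(f"{label:8s} windowed: {scan(sample)}  whole file: {scan(sample, whole_file=True)}")
```

The variant is caught only by the generic signature, which is the point of wildcard areas; the hidden sample is missed entirely by the windowed scan and found only when the whole file is scanned, which is the price of the file-type-specific speed-up.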


HEURISTICS

  • Establish a database of typical malware traits, e.g. attempts:

    • to access the boot sector.

    • to locate all documents in the current directory.

    • to write to an EXE file.

    • to delete hard drive contents.
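The trait database above turned into a scorer, as an added example that is not code from the presentation: observed file-system events are mapped to the four traits on the slide, each trait carries a weight, and a program is flagged when the sum crosses a threshold. The event format, the weights, the threshold, the "mass deletion" cut-off and both behaviour traces are constructed for illustration; a real engine would obtain the trace from emulation or a sandbox rather than from a hard-coded list.

```python
"""Heuristic detection: score observed behaviour against a database of typical
malware traits.

Added example, not code from the presentation. The event format, trait
database, weights, threshold and both behaviour traces are constructed for
illustration; a real engine would obtain the trace from emulation or a sandbox.
"""

# Trait -> weight. The four traits are the ones listed on the slide; the
# weights are an assumption. Writing to an EXE is weighted low on purpose:
# every installer does it, so on its own it must not trip the threshold.
MALWARE_TRAITS = {
    "access_boot_sector": 5,
    "enumerate_documents_in_cwd": 2,
    "write_to_exe": 2,
    "mass_delete": 4,
}
THRESHOLD = 6          # assumed: verdict "suspicious" at or above this score
MASS_DELETE_MIN = 10   # assumed: this many DeleteFile calls counts as mass deletion

DOCUMENT_GLOBS = {"*.doc", "*.docx", "*.xls", "*.xlsx", "*.pdf", "*.*"}


def extract_traits(trace):
    """Map low-level events to traits.

    Events are constructed tuples: ("WriteFile", path, offset),
    ("FindFirstFile", glob) or ("DeleteFile", path).
    """
    traits = set()
    deletes = 0
    for event in trace:
        api, target = event[0], event[1]
        if api == "WriteFile":
            if target.startswith("\\\\.\\PhysicalDrive") and event[2] == 0:
                traits.add("access_boot_sector")    # raw write at sector 0 = boot sector
            elif target.lower().endswith(".exe"):
                traits.add("write_to_exe")
        elif api == "FindFirstFile" and target.lower() in DOCUMENT_GLOBS:
            traits.add("enumerate_documents_in_cwd")
        elif api == "DeleteFile":
            deletes += 1
    if deletes >= MASS_DELETE_MIN:
        traits.add("mass_delete")
    return traits


def score_trace(trace):
    """Return (traits found, total weight)."""
    traits = extract_traits(trace)
    return traits, sum(MALWARE_TRAITS[t] for t in traits)


def is_suspicious(trace) -> bool:
    return score_trace(trace)[1] >= THRESHOLD


# Constructed trace of a benign installer: writes its own EXE, removes temp files.
INSTALLER_TRACE = [
    ("WriteFile", "C:\\Program Files\\DemoApp\\demoapp.exe", 0),
    ("WriteFile", "C:\\Program Files\\DemoApp\\readme.txt", 0),
    ("DeleteFile", "C:\\Temp\\setup1.tmp"),
    ("DeleteFile", "C:\\Temp\\setup2.tmp"),
]

# Constructed trace of a file infector with a destructive payload.
INFECTOR_TRACE = [
    ("FindFirstFile", "*.doc"),
    ("WriteFile", "C:\\Windows\\notepad.exe", 4096),     # patches an existing EXE
    ("WriteFile", "\\\\.\\PhysicalDrive0", 0),           # overwrites the boot sector
] + [("DeleteFile", f"C:\\Users\\me\\Documents\\report{i}.doc") for i in range(12)]

if __name__ == "__main__":
    for label, trace in [("installer", INSTALLER_TRACE), ("infector", INFECTOR_TRACE)]:
        traits, score = score_trace(trace)
        print(f"{label:9s} score={score:2d} suspicious={is_suspicious(trace)} traits={sorted(traits)}")
```

The weighting is what keeps the installer below the threshold while the infector, which combines all four traits, scores well above it; tuning those weights against a corpus of benign software is where real heuristic engines spend their effort, because a single trait such as writing an EXE is shared by legitimate programs.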


CURRENT THREAT PATTERNS

  • Classic and server-side polymorphism

  • 10,000+ new strains per day.

  • Each victim potentially attacked by a different strain.

  • Today a signature protects < 20 users; earlier > 100,000.

  • Blacklisting strategy increasingly ineffective.


SOLUTIONS (ACCORDING TO SYMANTEC)

  • Whitelisting: signatures for known-good, non-malware software.

  • Reputation-based approach.