Sigurnost računala i podataka (Computer and Data Security)

Mario Čagalj

Sveučilište u Splitu

2013/2014.

Malicious Software

  • Internet Security & Worms by Prasad S. Athawale (University at Buffalo)
  • Computer Security: Principles and Practice by William Stallings and Lawrie Brown
  • Code Red Worm Propagation Modeling and Analysis by Zou et al.

Produced by Mario Čagalj

Malicious Software
  • Programs exploiting computing system vulnerabilities
  • Known as malicious software or malware
  • Malware can be divided into two categories
    • Program fragments that need a host program – parasitic malware
      • E.g. viruses, logic bombs, and backdoors – cannot exist independently of some actual application program, utility or system program
    • Independent self-contained programs
      • E.g. worms, bots – can be run directly by the operating system
  • We differentiate between software threats that
    • Do not replicate – activated by a trigger (e.g., logic bombs, bots)
    • Do replicate/propagate themselves (e.g., viruses and worms)
Malicious Software

Taxonomy of malicious programs (figure):
  • Need host program: Trapdoors, Logic bombs, Trojan horse, Viruses
  • Independent: Worms, Zombie (Bot)
  • Replicate: Viruses, Worms

Malware Terminology (1/3)
  • Virus: A piece of code that inserts itself into a host program (infects it). It cannot run independently. It requires that its host program be run to activate it.
  • Worm: A program that can run independently and can propagate a complete working version of itself onto other hosts on a network.
  • Logic bomb: A program inserted into software by an intruder. It executes on a specific condition (trigger). Triggers for logic bombs can include a change in a file, a particular series of keystrokes, or a specific time or date.

  legitimate code
  if date is Friday the 13th:
      crash_computer();
  legitimate code

Malware Terminology (2/3)
  • Trojan horse: Programs that appear to have one (useful) function but actually perform another (malicious) function, without the user’s knowledge.
  • Backdoor (trapdoor): Any mechanism that bypasses a normal security check. It is code that recognizes, for example, some special input sequence; programmers can use backdoors legitimately to debug and test programs.

  username = read_username();
  password = read_password();
  if username is “112_h4ck0r”
      return ALLOW_LOGIN;
  if username and password are valid
      return ALLOW_LOGIN
  else
      return DENY_LOGIN
Malware Terminology (3/3)
  • Exploit: Malicious code specific to a single vulnerability.
  • Keylogger: Captures keystrokes on a compromised system.
  • Rootkit: A set of hacker tools installed on a computer system after the attacker has broken into the system and gained administrator (root-level) access.
  • Zombie, bot: Program on an infected machine activated to launch attacks on other machines.
  • Spyware: Collects info from a computer and transmits it to another system.
Internet Worms
  • Self-replicating program that propagates over the Internet
    • Using email – a worm mails a copy of itself to other systems
    • Remote execution capability – a worm executes a copy of itself on a remote system, either using an explicit remote execution facility or by exploiting a flaw (e.g., buffer overflow) in some network service
    • Remote login – a worm logs onto a remote system as a user, then uses commands to copy itself from the originating system to the remote system
Internet Worms Uses/Applications
  • Launch a DDoS
  • Access to sensitive information
  • Spread disinformation
  • Unknown reasons
    • Most commonly the need to be recognized and famous (it has never been the case that it was an accident)
Worm Operation
  • Has phases like a virus
    • Dormant phase
      • Worm is idle, waiting for a trigger event (e.g., date, time, program)
    • Propagation phase
      • Worm searches for other systems, connects to them, copies itself to them and runs (the copy may not be identical – it morphs to avoid detection)
    • Triggering phase
      • Worm activated by some trigger event to perform its intended function
    • Execution phase
      • The intended function is performed
      • E.g., DDoS attack on a specified target
Worm Operation: Propagation Phase
  • To propagate, a worm generally performs the following functions
    • Search for other systems to infect by examining different repositories of remote system addresses
      • IP address-space probing to detect vulnerable targets
      • Note that this active acquisition/search phase is not present in viruses
    • Establish a connection with a remote system
    • Copy itself to the remote system and cause the copy to be run
Generalized Worm Propagation Model
  • In the first stage the infected host searches for vulnerable targets
  • When a target is found, the infected host tries to deliver malcode to the selected target
  • Executing the malcode, the target host would be compromised
  • Once the system is compromised, some malware can perform additional tasks
    • Payload refers to those additional tasks performed by a worm (DoS, install backdoors, self-replicate)

Flowchart: Infected Host → Select Target → Deliver Malcode → Compromise System → Payload? → Yes: Execute Payload → Infection Completed; No: Infection Completed

Actions in Each of the Stages
  • The target selecting stage
    • Random IP address probing
    • Harvesting email addresses (e.g., from the address book)
    • Through file sharing systems
  • The malcode delivery stage (can send only a part in this stage)
    • A payload associated with buffer overflows
    • Using mail or messaging services
    • Specially crafted HTML pages hosted on a web server
  • Compromising the system
    • Execute malcode: email vulnerabilities, user intervention, automatic execution
    • E.g., buffer overflow, backdoors, etc.

Morris Worm (Robert Morris in 1988)
  • To propagate, the worm’s first task was to discover other hosts known to the first infected host that would allow entry from this host
    • Examined system tables that declare which other machines were trusted by this host, users’ mail forwarding files, remote access control tables, and reports from services that reported the status of network connections
  • For each discovered host, various attacks on UNIX systems
    • Cracking the password file to use login/password to log on to other systems
    • Exploiting a bug in the finger protocol
    • Exploiting a bug in sendmail
  • If any of the three above succeeded, the worm had remote shell access
    • Sent a bootstrap program to the compromised machine’s operating system
    • The bootstrap program called back the parent program and downloaded the remainder of the worm to copy it over
  • About 4000 of the Internet’s approximately 60,000 (at that time) hosts were infected within 16 hours of the worm’s deployment
Code Red (July 2001)
  • The Code Red worm spreads via a buffer overflow in the Microsoft Internet Information Server’s (IIS) Indexing Services
    • Infection begins by issuing an HTTP GET command to a vulnerable IIS system
  • The worm probes random IP addresses to spread to other hosts
  • During a certain period of time, it only spreads
  • It then initiates a denial-of-service attack against a government Web site by flooding the site with packets from numerous hosts
  • Code Red I v2 infected nearly 360,000 servers in 14 hours
    • Caused problems for infected servers
    • But more importantly, consumed a significant amount of Internet capacity
  • Code Red II is a variant that also targets Microsoft IIS
    • It also installs a backdoor, allowing a hacker to remotely execute commands on victim computers
The Spread of Code-Red v2

Figure source: http://www.caida.org/research/security/code-red/coderedv2_analysis.xml
SQL Slammer (January 2003)
  • Exploited a buffer overflow in Microsoft SQL Server
    • A single short (400 bytes) packet to UDP port 1434 was sufficient
  • The worm infected more than 90 percent of vulnerable hosts within 10 minutes
    • Causing significant disruption to financial, transportation, and government institutions and precluding any human-based response
    • No malicious content, but simply overloaded networks
  • The worm’s spreading strategy uses random scanning
    • It randomly selects IP addresses, eventually finding and infecting all susceptible hosts
  • Slammer spread nearly two orders of magnitude faster than Code Red, yet it infected fewer machines
    • The fastest computer worm in history (full scanning rate of 55 million scans per second after only 3 minutes)
The Spread of SQL Slammer
  • Faster than Code Red (CR)
    • Slammer is bandwidth-limited (its scanner is only 400 bytes long; a single UDP packet could exploit the SQL server’s vulnerability)
    • CR is latency-limited (its scanner does a TCP handshake and therefore has to wait to receive the SYN/ACK packet from the target)
    • However, Slammer’s author made several mistakes in the random number generator (many active IP addresses were simply skipped – fewer infections)

Figure (Code Red v2 vs. Slammer): Slammer saturated the network with its scans

Why Modelling?
  • Worms spread at an exponential rate
    • E.g., 10M hosts in < 5 minutes
    • Hard to deal with by manual intervention
    • How to protect our systems? What are the possible effects?
  • To be able to defend against future worms, we need to understand
    • Worm propagation patterns
    • The impact of human countermeasures (like patching computer systems, firewalls, disconnecting devices from the network, etc.) on worm propagation
    • The impact of network traffic (recall the Slammer worm)
Worm Propagation Modelling
  • Simple Epidemic Model
    • Uses the time model of infectious diseases to model worm propagation
    • Three possible states – Susceptible, Infected, Quarantined/Removed
  • “Infectious” hosts: continuously infect others
  • “Removed” hosts in the epidemic area
    • Recovered and immune to the virus
    • Dead because of the disease
  • “Removed” hosts in the computer area:
    • Patched computers that are clean and immune to the worm
    • Computers that are shut down or cut off from the worm’s circulation
Simple Epidemic Model

States (figure): susceptible → infectious → removed
  • Assumptions
    • The population size (#hosts) is large
    • Any host has equal probability to contact any other host in the system
    • Number of contacts is proportional to #infectious × #susceptible

Figure: Susceptible (S) –contact→ Infectious (I)
Classical Simple Epidemic Model

States (figure): susceptible → infectious
  • State transition
    • N - population of hosts
    • S(t) - susceptible hosts; I(t) - infectious hosts at time t
Classical General Epidemic Model (SIR)

States (figure): susceptible → infectious → removed
  • State transition
    • N - population of hosts
    • S(t) - susceptible hosts
    • I(t) - infectious hosts
    • R(t) - removed from infectious at rate γ
Are the Two SIR Models Adequate?

States (figure): susceptible → infectious → removed
  • The classical and general SIR models are not perfectly suitable, since human countermeasures remove both susceptible and infectious hosts from circulation
  • Human countermeasures include
    • Clean and patch: download cleaning programs, patches
    • Filter: put filters on firewalls, gateways
    • Disconnect computers (as in the case of the Code Red worm)
  • Also, the infection rate is decreased because of the large amount of scan traffic (e.g., the SQL Slammer worm)
  • State transition (figure)
Two Factor Worm Model
  • Human countermeasures and decreased infection rate
    • N - population of hosts
    • S(t) - susceptible hosts
    • I(t) - infectious hosts, J(t) = I(t) + R(t) - infected hosts
    • R(t) - removed from infectious hosts at rate γ
    • Q(t) - removed from susceptible hosts at rate μ
Two Factor Worm Model
  • Human countermeasures and decreased infection rate
  • β(t)S(t) < γ: the number of removed infectious hosts in a unit time is greater than the number of newly generated infectious hosts at the same time
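The three models on the preceding slides, integrated numerically so that the effect of the removal rate γ (SIR) and of the additional countermeasure rate μ and scan-congested infection rate β(t) (two-factor model) on the total number of ever-infected hosts J can be compared. This is an added example, not code from the lecture or from the cited papers. The SI and SIR equations are the classical ones the slides name; the two-factor equations are taken from Zou, Gong and Towsley's Code Red paper cited on the title slide (with the congestion exponent η set to an assumed value of 3); the population size, initial infection and all rate values are constructed.

```python
"""Worm propagation models (SI, SIR, two-factor) integrated with Euler steps.

Added example; equations:
  SI:          dI/dt = beta * I * (N - I)
  SIR:         dS/dt = -beta*S*I,  dI/dt = beta*S*I - gamma*I,  dR/dt = gamma*I
  two-factor:  dS/dt = -beta(t)*S*I - dQ/dt,  dR/dt = gamma*I,
               dQ/dt = mu*S*J,  J = I + R,  beta(t) = beta0*(1 - I/N)**eta
The two-factor form follows Zou et al.; eta is an assumed parameter here.
"""


def simulate_si(N, I0, beta, T, dt=0.01):
    """Classical simple epidemic. Returns infectious hosts I(T)."""
    I = float(I0)
    for _ in range(round(T / dt)):
        I += beta * I * (N - I) * dt
    return I


def simulate_sir(N, I0, beta, gamma, T, dt=0.01):
    """Classical general epidemic (SIR). Returns (S, I, R) at time T;
    J = I + R is the number of hosts that were ever infected."""
    S, I, R = float(N - I0), float(I0), 0.0
    for _ in range(round(T / dt)):
        new_inf = beta * S * I * dt      # susceptible -> infectious
        new_rem = gamma * I * dt         # infectious -> removed (patched/off)
        S -= new_inf
        I += new_inf - new_rem
        R += new_rem
    return S, I, R


def simulate_two_factor(N, I0, beta0, gamma, mu, T, eta=3, dt=0.01):
    """Two-factor worm model: removal of infectious hosts (gamma), removal
    of susceptible hosts by human countermeasures (mu), and an infection
    rate beta(t) that decays as worm scan traffic congests the network.
    Returns the final state plus the peak of I(t) and the time it occurred;
    'decaying' reports whether beta(T)*S(T) < gamma holds at the end."""
    S, I, R, Q = float(N - I0), float(I0), 0.0, 0.0
    peak_I, peak_t = I, 0.0
    for step in range(round(T / dt)):
        J = I + R
        beta_t = beta0 * (1.0 - I / N) ** eta
        new_inf = beta_t * S * I * dt    # susceptible -> infectious
        new_rem = gamma * I * dt         # infectious -> removed
        new_q = mu * S * J * dt          # susceptible -> quarantined (Q)
        S -= new_inf + new_q
        I += new_inf - new_rem
        R += new_rem
        Q += new_q
        if I > peak_I:
            peak_I, peak_t = I, (step + 1) * dt
    beta_T = beta0 * (1.0 - I / N) ** eta
    return {"S": S, "I": I, "R": R, "Q": Q, "J": I + R,
            "peak_I": peak_I, "peak_t": peak_t,
            "decaying": beta_T * S < gamma}


if __name__ == "__main__":
    # Constructed scenario: 10,000 hosts, 10 initially infected, beta*N = 1.
    N, I0, beta, gamma, mu, T = 10_000, 10, 1e-4, 0.2, 1e-6, 80
    print("SI   : I(T) =", round(simulate_si(N, I0, beta, T)))
    S, I, R = simulate_sir(N, I0, beta, gamma, T)
    print("SIR  : J(T) =", round(I + R), " never infected:", round(S))
    two = simulate_two_factor(N, I0, beta, gamma, mu, T)
    print("2-fac: J(T) =", round(two["J"]), " quarantined:", round(two["Q"]),
          " peak I =", round(two["peak_I"]), "at t =", two["peak_t"])
```

Reading the output: in the SI model every host is eventually infected; with γ > 0 a small fraction of hosts is never reached; with μ > 0 and the congestion term, fewer hosts are ever infected and the peak of I(t) is lower and later, which is the qualitative difference the slides attribute to human countermeasures and scan traffic.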

Characteristics of Worm Spreading
  • Worm growth: slow start, fast spread phase, slow decay
  • Speed-ups with more advanced probing techniques
Probing Techniques (Examples)
  • Random Scanning
  • Local Subnet Scanning
  • Routing Worm
  • Pre-generated Hit List
  • Topological
Probing Techniques: Random Scanning
  • A 32-bit number is randomly generated and used as the IP address
    • Aside: IPv6 worms will be different …
  • E.g., Slammer and Code Red I
  • Hits black-holed IP space frequently
    • Only 28.6% of the IP space is allocated
    • Aside: worms can be tracked by monitoring unused addresses
      • Honeypots
Probing Techniques: Subnet Scanning
  • Generate the last 1, 2, or 3 bytes of the IP address randomly
  • E.g., Code Red II and Blaster
  • Some scans must be completely random to infect the whole Internet
Probing Techniques: Routing Worm
  • BGP information can tell which IP address blocks are allocated
  • This information is publicly available
    • http://www.routeviews.org/
    • http://www.ripe.net/ris/
Probing Techniques: Topological
  • Uses info on the infected host to find the next target
    • Morris Worm used /etc/hosts, .rhosts
    • Email address books
    • P2P software usually stores info about the peers that each host connects to
Probing Techniques: Hit List
  • A hit list of vulnerable machines is sent with the payload
    • Determined before the worm launch by scanning
  • Gives the worm a boost in the slow start phase
  • Skips the phase that follows the exponential model
    • Infection rate looks linear in the rapid propagation phase
  • Can avoid detection by early-detection systems
Warhol: Hit List + Permutation Scanning
  • Infection time estimated at about 15 minutes
  • Andy Warhol: “In the future, everybody will have 15 minutes of fame.”

Figure legend (infected hosts vs. time):
  • Conventional (Code Red-like) worm capable of 10 scans/second
  • Fast scanning worm capable of 100 scans/second
  • Warhol worm capable of 100 scans/second using a 10,000-entry hit list

No human-driven intervention is possible when it comes to Warhol worms (or even more severe flash worms – infects the Internet in tens of seconds!)
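The figure legend above compares three worms by probe rate and hit-list size; the Slammer slides earlier explain why a single-UDP-packet scanner is bandwidth-limited rather than latency-limited. As an added example (not code from the lecture), the following uses the classical simple epidemic model with β = (probe rate) / M, M = 2^32 for IPv4, and its closed-form solution to compute the time to 90% infection for each legend scenario, and a bandwidth bound on the scan rate of a 400-byte UDP scanner. The vulnerable-population size N = 300,000, the 90% target, and the IP+UDP header size used in the bandwidth bound are assumptions.

```python
"""Time-to-infection under different probing strategies (added example).

Model: classical SI epidemic with beta = scans_per_second / M, M = 2**32,
closed form I(t) = N*I0 / (I0 + (N - I0)*exp(-beta*N*t)), solved for t.
A hit list simply raises the initial infected count I0.
"""
import math

ADDRESS_SPACE = 2 ** 32   # M: size of the IPv4 address space


def infection_rate(scans_per_second, address_space=ADDRESS_SPACE):
    """beta: per-second pairwise infection rate of a random-scanning worm."""
    return scans_per_second / address_space


def time_to_fraction(N, I0, scans_per_second, fraction=0.9):
    """Seconds until `fraction` of the N vulnerable hosts are infected,
    starting from I0 infected hosts (I0 = hit-list size for a Warhol
    worm, 1 for a conventional worm)."""
    beta = infection_rate(scans_per_second)
    target = fraction * N
    return math.log((N - I0) * target / (I0 * (N - target))) / (beta * N)


def bandwidth_limited_scan_rate(link_bps, payload_bytes, header_bytes=28):
    """Upper bound on scans/second for a worm whose scan is one UDP packet
    and which is limited by link bandwidth, not round-trip latency.
    28 bytes = IPv4 (20) + UDP (8) headers; link framing is ignored
    (assumption)."""
    return link_bps / ((payload_bytes + header_bytes) * 8)


def compare_scenarios(N=300_000):
    """Minutes to 90% infection for the three legend scenarios
    (N = 300,000 vulnerable hosts is a constructed value)."""
    return {
        "conventional_10_per_s": time_to_fraction(N, 1, 10) / 60,
        "fast_100_per_s": time_to_fraction(N, 1, 100) / 60,
        "warhol_100_per_s_hitlist_10k": time_to_fraction(N, 10_000, 100) / 60,
    }


if __name__ == "__main__":
    for name, minutes in compare_scenarios().items():
        print(f"{name:30s} {minutes:8.1f} min to 90% infection")
    rate = bandwidth_limited_scan_rate(100e6, 400)
    print(f"400-byte UDP scanner on a 100 Mbps link: ~{rate:,.0f} scans/s")
```

With these assumptions the conventional worm needs several hours, a tenfold probe rate cuts that by exactly ten (the SI timescale is 1/(βN)), and the 10,000-entry hit list removes most of the slow-start phase, bringing the Warhol worm to roughly the quarter-hour the slide quotes. The bandwidth bound lands close to the 30,000 scans/second per machine that the later "Reaction Time Matters" slide gives for Slammer on a 100 Mbps link.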

How to Mitigate the Worm Threat?
  1. Reduce # of susceptible hosts (prevention)
  2. Reduce rate of infection (suppression)
  3. Reduce # of infected hosts (containment)

Model parameters
  • S(0) = N
  • β = (probe rate of worm) / M
  • M - total population (e.g., 2^32 for IPv4)
  • γ - “removal” rate

Mitigating the Worm Threat
  • Prevention
    • Aims to reduce the size of the vulnerable population
    • Secure programming, applying software updates, AV protection
    • Patching
      • Generally, patches take days to release – only now are relatively reliable distribution networks for patches springing up
  • Containment and suppression (the easiest)
    • Firewalls, content filtering, automated routing blacklists, disconnecting infected machines
Worm Countermeasures
  • Overlaps with anti-virus techniques
  • Once a worm is on a system, A/V can detect it
  • Worms also cause significant network activity
    • Scanning for other targets (scan rates 10-10000 scans/second)
  • Worm defense approaches include:
    • Signature-based worm scan filtering
      • Generates a worm scan signature to prevent worm scans from entering a network/host
    • Filter-based worm containment
      • Focuses on worm content rather than a scan signature
    • Payload-classification-based worm containment
      • Packet-based checks
    • Threshold random walk scan detection
      • Exploits the randomness in picking destinations to connect to (to detect scanning)
    • Rate limiting and rate halting
      • Limit or block outgoing traffic when a given threshold is exceeded (for fast worms)
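The last two countermeasures in the list, threshold random walk (TRW) scan detection and new-destination rate limiting, run over a constructed connection log. This is an added example, not code from the lecture. TRW is implemented as the sequential hypothesis test of Jung et al.: each first contact from a source to a new destination is an observation (success or failure), benign hosts are assumed to succeed with probability θ0 and scanners with θ1, and the running likelihood ratio is compared with thresholds derived from a target false-positive rate α and detection rate β. The rate limiter counts first contacts per source per time window in the style of Williamson's throttling. The host addresses, log lines, θ/α/β values and window size are all constructed.

```python
"""TRW scan detection and new-destination rate limiting (added example)."""
from collections import defaultdict

THETA0, THETA1 = 0.8, 0.2          # P(connection succeeds): benign / scanner
ALPHA, BETA = 0.01, 0.99           # target false-positive rate / detection rate
ETA1 = BETA / ALPHA                # upper threshold: declare "scanner" (99)
ETA0 = (1 - BETA) / (1 - ALPHA)    # lower threshold: declare "benign" (~0.0101)

# Constructed log: "timestamp src dst outcome" (outcome: ok | fail).
# 10.0.0.5 behaves like a normal client; 10.0.0.9 behaves like a scanner.
SAMPLE_LOG = """\
0.0 10.0.0.5 10.0.1.1 ok
0.2 10.0.0.5 10.0.1.2 ok
0.4 10.0.0.5 10.0.1.1 ok
0.6 10.0.0.5 10.0.1.3 ok
0.8 10.0.0.5 10.0.1.4 ok
0.0 10.0.0.9 10.3.4.1 fail
0.0 10.0.0.9 10.3.4.2 fail
0.1 10.0.0.9 10.3.4.3 ok
0.1 10.0.0.9 10.3.4.4 fail
0.1 10.0.0.9 10.3.4.5 fail
0.2 10.0.0.9 10.3.4.6 fail
0.2 10.0.0.9 10.3.4.7 fail
"""


def parse_log(text):
    """Yield (timestamp, src, dst, succeeded) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, outcome = line.split()
        yield float(ts), src, dst, outcome == "ok"


def trw_classify(records):
    """Sequential hypothesis test per source.
    Returns {src: "scanner" | "benign" | "pending"}."""
    ratio = defaultdict(lambda: 1.0)   # likelihood ratio Lambda per source
    seen = defaultdict(set)            # destinations already observed per source
    verdict = {}
    for _, src, dst, ok in records:
        if src in verdict or dst in seen[src]:
            continue                   # decided already, or not a first contact
        seen[src].add(dst)
        # Lambda *= P(Y | scanner) / P(Y | benign); failures push it up
        ratio[src] *= (THETA1 / THETA0) if ok else ((1 - THETA1) / (1 - THETA0))
        if ratio[src] >= ETA1:
            verdict[src] = "scanner"
        elif ratio[src] <= ETA0:
            verdict[src] = "benign"
    for src in seen:
        verdict.setdefault(src, "pending")
    return verdict


def rate_limit_new_destinations(records, max_new_per_window, window=1.0):
    """Count first contacts per source in each time window of `window`
    seconds; returns {src: connections exceeding the allowance} so that a
    worm scanning at full speed is throttled after a few new destinations."""
    seen = defaultdict(set)
    counts = defaultdict(lambda: defaultdict(int))   # src -> window -> count
    blocked = defaultdict(int)
    for ts, src, dst, _ in records:
        if dst in seen[src]:
            continue
        seen[src].add(dst)
        bucket = int(ts // window)
        counts[src][bucket] += 1
        if counts[src][bucket] > max_new_per_window:
            blocked[src] += 1
    return dict(blocked)


if __name__ == "__main__":
    recs = list(parse_log(SAMPLE_LOG))
    print("TRW verdicts:", trw_classify(recs))
    print("throttled:", rate_limit_new_destinations(recs, max_new_per_window=4))
```

With θ0 = 0.8 and θ1 = 0.2 each failed first contact multiplies the ratio by 4 and each successful one by 0.25, so a source is declared a scanner after about four more failures than successes and benign after about four more successes than failures; the scanner above is flagged on its sixth first contact, the client cleared on its fourth. The throttle needs no model of success or failure at all, only the count of new destinations per window, which is why it is the simpler fit for very fast worms.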
Reaction Time Matters
  • Worm containment mechanisms should be automated

Figure legend (infected hosts vs. time, as on the Warhol slide):
  • Conventional (Code Red-like) worm capable of 10 scans/second
  • Fast scanning worm capable of 100 scans/second
  • Warhol worm capable of 100 scans/second using a 10,000-entry hit list
  • SQL Slammer: 30,000 scans/second per machine (on a 100 Mbps link)

No human-driven intervention is possible when it comes to Warhol worms (or even more severe flash worms – infects the Internet in tens of seconds!)

Closing Words
  • Worms pose an ongoing threat of use in attacks on a variety of sites and infrastructures
    • SQL Slammer affected ATMs, 911 services, caused cancelled flights, etc.
  • Worms represent an extremely serious threat to the safety of the Internet
  • Warhol and flash-like worms can infect/affect the whole Internet in a matter of minutes/seconds
    • Hence the need for automated response/containment mechanisms
  • Threat awareness is important (reduces the susceptible population)
    • Especially for software designers and programmers