
Viruses, Worms, Zombies, and other Beasties




  1. Viruses, Worms, Zombies, and other Beasties (Based on Susan Whittemore, Sanjeev Arora, Alex Halderman, and Steve Shenfield)

  2. The Threat Landscape
     • Impact: Competitive advantage, trade secret disclosure, operational disruption, brand and reputation. Motivation: Personal advantage, monetary gain, professional revenge, patriotism. 2017 Outlook: More organizations will implement insider threat mitigation programs and processes.
     • Impact: Costly regulatory inquiries and penalties, consumer and shareholder lawsuits, loss of consumer confidence. Motivation: Financial gain. 2017 Outlook: Cyber-extortion will continue to rise.
     • Impact: Disruption of business activities, brand and reputation, loss of consumer confidence. Motivation: Negatively impact reputation, drive attention to a cause, pressure for change. 2017 Outlook: Expected to escalate attack methods with high-profile data breaches.
     • Impact: Loss of competitive advantage, disruption to critical infrastructure. Motivation: Economic, political, and/or military advantage. 2017 Outlook: Will continue to strengthen their defensive and offensive cyber skills.

  3. Cybersecurity: the cost and risks of cyber attacks are increasing
     Cyber Threat Landscape. Cybersecurity events and costs are increasing:
     • 79% of survey respondents detected a security incident in the past 12 months [1]
     • Average total cost of a data breach increased 23% over the past two years [2]
     • Average cost paid for each lost / stolen record increased 6% [1]
     Industry Outlook:
     • Data breaches are expected to reach $2.1 trillion globally by 2019 [3]
     • 76% of survey respondents [1] were more concerned about cybersecurity threats than in the previous 12 months (up from 59% in 2014)
     Reputational Risk. An IT security breach can have serious implications in how a company is perceived:
     • 46% of companies suffered damage to reputation & brand value due to a security breach [4]
     • 19% of companies suffered damage to reputation & brand value due to a third-party security breach or IT system failure [4]
     The risk of losing customer trust is significant and rising:
     • 82% of customers would consider leaving an institution that suffered a data breach [5]
     Sources: [1] U.S. State of Cybercrime Survey; [2] Ponemon Institute; [3] Juniper Research; [4] Forbes

  4. 1 million cybersecurity job openings globally in 2016 (Cisco, 2016). Other sources cited on the slide: Information System Security Certification Consortium (ISC2), 2015; PricewaterhouseCoopers, 2015; Burning Glass, 2015; Cybersecurity Ventures, 2016.

  5. Encryption. Encryption strongly protects data en route (figure: an encrypted connection between you and Amazon.com). Today’s story: an attacker can compromise your computer without breaking encryption.

  6. Encrypted ≠ Secure. Break into your computer and “sniff” keystrokes as you type; the data is captured before it is ever encrypted (figure: you and Amazon.com, with the attacker on your machine).

  7. Spoofing Attacks. The attacker impersonates the merchant (“spoofing”). Your data is encrypted… all the way to the bad guy! (Figure: you connect to the lookalike site Amaz0n.com and encrypt with Amaz0n.com’s key, so the encryption protects the session from everyone except the attacker who owns it.)

  8. Breaking into a Computer What does it mean? How is it done? Can we prevent it?

  9. What’s at Stake? Kinds of damage caused by insecurity • Nuisance: spam, … • Data erased, corrupted, or held hostage • Valuable information stolen (credit card numbers, trade secrets, etc.) • Services made unavailable (email and web site outages, lost business) Other fears: cybercrime, terrorism, etc.

  10. Main themes of today’s lecture • Self-reproducing programs: viruses, worms, zombies • Other threats to computer security • Internet = today’s Wild West • There is no silver bullet against cyber crime, but follow good security practices

  11. Breaking into a Computer. What? • Run unauthorized software. How? • Trick the user into running bad software (“social engineering”) • Exploit software bugs to run bad software without the user’s help

  12. Example of “social engineering”: Trojan Horse CoolScreenSaver.exe

  13. Viruses and Worms Automated ways of breaking in; Use self-replicating programs (Recall self-replicating programs: Print the following line twice, the second time in quotes. “Print the following line twice, the second time in quotes.” )

  14. Computer Viruses. Self-replicating programs that spread by infecting other programs or data files (figure: Cool Screen Saver, Solitaire, Notepad and Paint, each infected copy carrying the payload). Must fool users into opening the infected file.

  15. Email Viruses • Infected program, screen saver, or Word document launches virus when opened • Use social engineering to entice you to open the virus attachment • Self-spreading: after you open it, automatically emails copies to everyone in your address book • Other forms of social engineering: downloadable software/games, P2P software, etc.

  16. The Melissa Virus (1999) • Social engineering: Email says attachment contains porn site passwords • Self-spreading: mails itself to the first 50 entries in the victim’s address book • Traffic forced shutdown of many email servers • $80 million damage • Author David L. Smith of Aberdeen, NJ: 20 months in prison and a $5000 fine

  17. Computer Worms. Self-replicating programs like viruses, except they exploit security holes in the OS (e.g., bugs in networking software) to spread on their own without human intervention (figure: the payload copying itself from machine to machine).

  18. “Can we just develop software to detect a virus/worm?” [Adleman’88] This task is undecidable (so no software can work with a 100% guarantee). Current methods: (i) look for snippets of known virus programs on the hard drive; (ii) maintain a log of activities such as network requests and reads/writes to the hard drive and look for “suspicious” trends; (iii) look for changes to OS code. No real guarantee.

  19. A losing battle? Constant battle between attackers and defenders Example: • Anti-virus software finds “signature” of known virus • Attacker response: Polymorphic virus – to thwart detection, change code when reproduced • Anti-virus software adapts to find some kinds of polymorphism • But an infinite number of ways to permute viruses available to attackers
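The signature scan of slide 18 and the polymorphic evasion of slide 19, as an added example (not code from the lecture or its sources). The “virus body” and its signature are constructed byte strings, not real malware; the single-byte XOR encoding, the 256-key decoder emulation and the scan window size are all assumptions chosen to keep the mechanics visible.

```c
/* Added example, not from the lecture: a byte-signature scanner of the kind
 * slides 18 and 19 describe, a polymorphic copy that defeats it, and the
 * decoder emulation anti-virus engines use to catch this simple form of
 * polymorphism.  VIRUS_BODY is a constructed sample, not real malware. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample body and the signature a vendor would extract from it
 * (here simply its first 8 bytes). */
static const uint8_t VIRUS_BODY[] = {0xDE, 0xAD, 0xBE, 0xEF, 0x13, 0x37,
                                     0xC0, 0xDE, 0x90, 0x90, 0xCC, 0xC3};
static const uint8_t SIGNATURE[]  = {0xDE, 0xAD, 0xBE, 0xEF, 0x13, 0x37, 0xC0, 0xDE};
#define BODY_LEN (sizeof VIRUS_BODY)
#define SIG_LEN  (sizeof SIGNATURE)
#define COPY_LEN (1 + BODY_LEN)          /* one key byte + encoded body */

/* Signature scan: 1 if SIG occurs anywhere in DATA.  Naive O(n*m) search;
 * real engines run Aho-Corasick over thousands of signatures at once. */
int signature_match(const uint8_t *data, size_t n, const uint8_t *sig, size_t m)
{
    if (m == 0 || n < m) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(data + i, sig, m) == 0) return 1;
    return 0;
}

/* Polymorphic replication (assumed scheme): each copy is a fresh key byte
 * followed by the body XORed with that key, so no two copies share the
 * signature bytes.  A real virus prepends a small decoder stub that undoes
 * the XOR at run time; decode_copy() plays that role here. */
void polymorphic_copy(uint8_t out[COPY_LEN], uint8_t key)
{
    out[0] = key;
    for (size_t i = 0; i < BODY_LEN; i++) out[1 + i] = VIRUS_BODY[i] ^ key;
}

void decode_copy(const uint8_t in[COPY_LEN], uint8_t body[BODY_LEN])
{
    for (size_t i = 0; i < BODY_LEN; i++) body[i] = in[1 + i] ^ in[0];
}

/* The adaptation on slide 19: instead of trusting the bytes on disk, try
 * every possible key (emulating the decoder) and scan each result.  This
 * catches single-byte XOR encoding; a mutation engine that also reorders
 * instructions or rewrites the decoder itself needs behavioural detection. */
int emulated_match(const uint8_t *data, size_t n)
{
    uint8_t decoded[256];                    /* scan window (assumed size) */
    if (n > sizeof decoded) n = sizeof decoded;
    for (int key = 0; key < 256; key++) {
        for (size_t i = 0; i < n; i++) decoded[i] = data[i] ^ (uint8_t)key;
        if (signature_match(decoded, n, SIGNATURE, SIG_LEN)) return 1;
    }
    return 0;
}

int main(void)
{
    uint8_t copy[COPY_LEN], body[BODY_LEN];
    polymorphic_copy(copy, 0x5A);
    decode_copy(copy, body);
    printf("plain body matches signature:      %d\n",
           signature_match(VIRUS_BODY, BODY_LEN, SIGNATURE, SIG_LEN));
    printf("polymorphic copy matches signature: %d\n",
           signature_match(copy, COPY_LEN, SIGNATURE, SIG_LEN));
    printf("decoded copy identical to body:     %d\n",
           memcmp(body, VIRUS_BODY, BODY_LEN) == 0);
    printf("decoder emulation matches copy:     %d\n",
           emulated_match(copy, COPY_LEN));
    return 0;
}
```

The plain body matches, the XOR-encoded copy does not, yet it decodes to the identical body and runs the same; only the emulating scanner catches it. Every additional mutation technique the attacker adds forces another adaptation on the defender, which is the slide’s point.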

  20. Example of how worms spread: Buffer Overflow bug. The figure shows a stack frame: a region of memory reserved for the email subject, followed immediately by the function’s return address (12600). A legitimate message (From: COS 116 Staff, Subject: Welcome Students!) fits in the reserved space and the return address is untouched. Buffer overflow bug: the programmer forgot to insert a check for whether the email subject is too big to fit in the memory “buffer”. A message from Bad Guy with Subject: <evil code . . . . . . . . . . . . . . . . . >100000 overflows the buffer, so the trailing bytes “100000” overwrite the saved return address; when the function returns, execution jumps to memory address 100000, where the evil code now sits.
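The overflow on the slide, reproduced as an added example (not code from the lecture): the unchecked copy next to the bounded one, on a simulated stack frame so the demonstration is well-defined C rather than undefined behaviour on the real stack. The buffer size is assumed; the two addresses (12600 legitimate, 100000 attacker-chosen) follow the slide.

```c
/* Added example, not from the lecture: the e-mail-subject buffer overflow
 * from slide 20 on a simulated stack frame, and the bounds check that closes
 * it.  The frame is a plain byte array so the overwrite stays in bounds of
 * the simulation; a real overflow corrupts the actual call stack. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SUBJECT_MAX 24                       /* bytes reserved for the subject (assumed) */
#define FRAME_LEN   (SUBJECT_MAX + sizeof(uint64_t))
#define GOOD_RET    12600ULL                 /* where the function should return */
#define EVIL_RET    100000ULL                /* where the attacker's code sits */

/* Simulated frame: subject buffer immediately below the saved return address,
 * the layout the slide draws. */
void frame_init(uint8_t frame[FRAME_LEN])
{
    uint64_t ret = GOOD_RET;
    memset(frame, 0, FRAME_LEN);
    memcpy(frame + SUBJECT_MAX, &ret, sizeof ret);
}

uint64_t frame_return_address(const uint8_t frame[FRAME_LEN])
{
    uint64_t ret;
    memcpy(&ret, frame + SUBJECT_MAX, sizeof ret);
    return ret;
}

/* The bug: the copy length comes from the attacker's message, never from the
 * buffer.  Clamped to FRAME_LEN only so the simulation stays in bounds; on a
 * real stack the write keeps going past the return address. */
void store_subject_buggy(uint8_t frame[FRAME_LEN], const uint8_t *subj, size_t len)
{
    memcpy(frame, subj, len < FRAME_LEN ? len : FRAME_LEN);
}

/* The fix: bound the copy by the buffer and refuse oversize input.  Returns 0
 * on success, -1 if the subject does not fit.  Silent truncation would also
 * be memory-safe but hides the attempt from whoever reads the logs. */
int store_subject_checked(uint8_t frame[FRAME_LEN], const uint8_t *subj, size_t len)
{
    if (len > SUBJECT_MAX) return -1;
    memset(frame, 0, SUBJECT_MAX);
    memcpy(frame, subj, len);
    return 0;
}

/* Builds the malicious subject: SUBJECT_MAX filler bytes standing in for the
 * "evil code", then EVIL_RET laid out exactly over the saved return address.
 * Returns the subject length, or 0 if OUT is too small. */
size_t build_evil_subject(uint8_t *out, size_t cap)
{
    uint64_t target = EVIL_RET;
    if (cap < FRAME_LEN) return 0;
    memset(out, 0x90, SUBJECT_MAX);
    memcpy(out + SUBJECT_MAX, &target, sizeof target);
    return FRAME_LEN;
}

/* Runs one subject through either path and reports where the function would
 * "return" afterwards. */
uint64_t return_address_after(const uint8_t *subj, size_t len, int checked)
{
    uint8_t frame[FRAME_LEN];
    frame_init(frame);
    if (checked) store_subject_checked(frame, subj, len);
    else         store_subject_buggy(frame, subj, len);
    return frame_return_address(frame);
}

int main(void)
{
    uint8_t evil[64];
    size_t n = build_evil_subject(evil, sizeof evil);
    const uint8_t *hello = (const uint8_t *)"Welcome Students!";
    printf("benign subject, unchecked copy: returns to %llu\n",
           (unsigned long long)return_address_after(hello, 17, 0));
    printf("evil subject,   unchecked copy: returns to %llu\n",
           (unsigned long long)return_address_after(evil, n, 0));
    printf("evil subject,   checked copy:   returns to %llu\n",
           (unsigned long long)return_address_after(evil, n, 1));
    return 0;
}
```

The benign subject leaves the return address at 12600 on both paths; the oversized subject redirects the unchecked path to 100000 and is simply rejected by the checked one. The general lesson is that the bound must come from the destination buffer, never from the attacker-controlled length.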

  21. The Morris Worm (1988) • First Internet worm • Created by a Cornell graduate student, Robert Tappan Morris • Exploited holes in email servers (sendmail) and other programs • Infected ~10% of the net • Spawned multiple copies, crippling infected servers • Sentenced to 3 years probation, a $10,050 fine, and 400 hours community service

  22. The Slammer Worm (2003) • Fastest spreading worm to date • Only 376 bytes: exploited a buffer overflow in Microsoft SQL Server 2000 and MSDE • Spread by sending infection packets to random addresses as fast as the host could emit them, thousands per second • Infected 90% of vulnerable systems within 10 minutes, at least 75,000 hosts • No destructive payload, but the packet volume shut down large portions of the Internet for hours • 911 systems, airlines, ATMs affected: $1 billion damage! • A patch had been available for months, but was not widely installed

  23. Why do people write worms and viruses? Sometimes because they are curious / misfits / anarchists / bored…

  24. Main reason: Botnets • Virus/worm payload:Install bot program on target computer • Bot makes target a zombie, remotely controlled by attacker • Many zombies harnessed into armies called botnets – often 100,000s of PCs

  25. Zombies. The bot program runs silently in the background, awaiting instructions from the attacker (figure: the attacker’s program sending commands to the bot).

  26. Why go to the trouble of creating a botnet?

  27. Reason 1: DDoS Attacks (“Distributed Denial of Service”). Objective: overwhelm the target site with traffic. Example: the Wikileaks incidents of 2010. (Figure: the attacker’s command to the bots, “Attack www.store.com”.)

  28. Reason 2: Sending Spam. Messages are hard to filter because there are thousands of senders. (Figure: the attacker’s command to the bots, “Forward this message: Subject: Viagra! …”.)

  29. Other reasons • Click fraud. • Commit other cybercrime that is hard to trace

  30. Storm Botnet • Created via an email scam in 2007 • Spread to a million computers • Owners unknown (believed to be Russian) • Used for DoS and email spam, available for “rent” • Fiendishly clever design: distributed control, similar to Kazaa and Gnutella; rapidly morphing code, morphing every hour or so; seems to detect attempts to track/contain it and “punishes” its pursuers

  31. And if you weren’t scared enough already…

  32. Spyware/Adware • Hidden but not self-replicating • Tracks web activity for marketing, shows popup ads, etc. • Usually written by businesses: Legal gray area

  33. International warfare by other means. Stuxnet: a computer worm allegedly created by US and Israeli intelligence to target Iranian uranium enrichment facilities.

  34. Attackers are Adaptive Defenders must continually adapt to keep up

  35. Can we stop computer crime? Probably not! • Wild West nature of the Internet • Software will always have bugs • Rapid exponential spread of attacks But we can take steps to reduce risks…

  36. Protecting Your Computer Six easy things you can do… • Keep your software up-to-date • Use safe programs to surf the ‘net • Run anti-virus and anti-spyware regularly • Add an external firewall • Back up your data • Learn to be “street smart” online

  37. Learn Online “Street Smarts” • Be aware of your surroundings: is the web site being spoofed? • Don’t accept candy from strangers: how do you know an attachment or download isn’t a virus, Trojan, or spyware? • Don’t believe everything you read: email may contain viruses or phishing attacks; remember, bad guys can forge email from your friends

  38. First Line of Defense • For Users: install system security mechanisms; protect yourself from being a zombie • For Businesses: security companies can guard a client’s network, e.g. Prolexic Technologies

  39. System Security Mechanisms • Firewalls • Switches & Routers • Blackholing • Sinkholing • Clean Pipes • Intrusion Prevention Systems (IPS)

  40. Defenses Firewalls Pros • Will prevent simple flood attacks • ex) SYN flood • Able to allow or deny protocols, ports, or IP addresses Cons • Unable to prevent more complex attacks

  41. Defenses Switches & Routers Pros • Both have the ability to limit data rate • Both have network Access Control Lists • ACLs are custom router filters • Able to filter both inbound and outbound traffic Cons • Most can be easily overwhelmed

  42. Routing Technique 1: Blackholing • Attempts to mitigate the impact of an attack • Redirects traffic destined for the attacked DNS name or IP address to a “black hole” • All of that traffic is then dropped • Must know the IP addresses of the attackers, or else legitimate traffic will be dropped as well (blackholing the victim’s address completes the denial of service)

  43. Routing Technique 2 Sinkholing • Routes suspicious traffic to a valid IP address where it can be analyzed • Capturing traffic and analyzing it can be done with a sniffer • Traffic found to be malicious is rejected Cons • Unable to react to severe attacks as effectively as blackholing

  44. Defenses Continued: Clean Pipes • Best used when deployed inside Internet Service Providers (ISPs) • When an attack occurs, traffic is diverted to a cleaning center in the ISP • There the traffic is “cleaned” by specialized filtering devices and malicious activity is removed • Only legitimate traffic is passed on to the destination

  45. A Final Defense Intrusion Prevention System(IPS) • Monitors network traffic for malicious activity • Scans both inbound and outbound • Searches for suspicious patterns known as signatures or rules • System logs malicious activity and will attempt to stop it
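The rate-based filtering that slides 40 to 45 describe, as an added example (not code from the lecture or its sources): a per-source SYN limit of the kind a firewall or IPS applies against a simple SYN flood, the ACL-style block entry it creates for an offending source, and the aggregate counter that is all such a device has left against a distributed flood whose sources each stay under the limit. Thresholds, window size and addresses are assumptions; the packet traces are constructed.

```c
/* Added example, not from the lecture: per-source SYN rate limiting with a
 * persistent block list (the firewall / ACL of slides 40-41) and a link-wide
 * counter that can only raise an alarm when a distributed flood stays under
 * the per-source limit.  Thresholds and the traces below are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SOURCES     128
#define PER_SOURCE_SYNS 5      /* SYNs one source may send per window (assumed) */
#define AGGREGATE_SYNS  20     /* SYNs the whole link may carry per window (assumed) */
#define WINDOW_SECONDS  1

struct packet { unsigned t; const char *src; int syn; };   /* one inbound packet */
struct source { const char *ip; unsigned syns; int blocked; };

struct filter {
    struct source src[MAX_SOURCES];
    size_t nsrc;
    unsigned window_start;
    unsigned total_syns;
    int aggregate_alarm;       /* set when the link-wide limit is exceeded */
};

void filter_init(struct filter *f) { memset(f, 0, sizeof *f); }

static struct source *lookup(struct filter *f, const char *ip)
{
    for (size_t i = 0; i < f->nsrc; i++)
        if (strcmp(f->src[i].ip, ip) == 0) return &f->src[i];
    if (f->nsrc == MAX_SOURCES) return NULL;
    struct source *s = &f->src[f->nsrc++];
    s->ip = ip; s->syns = 0; s->blocked = 0;
    return s;
}

int is_blocked(struct filter *f, const char *ip)
{
    for (size_t i = 0; i < f->nsrc; i++)
        if (strcmp(f->src[i].ip, ip) == 0) return f->src[i].blocked;
    return 0;
}

/* Feeds one packet; returns 1 if the filter drops it, 0 if it passes. */
int filter_packet(struct filter *f, const struct packet *p)
{
    if (p->t - f->window_start >= WINDOW_SECONDS) {   /* new window: reset rates, keep blocks */
        for (size_t i = 0; i < f->nsrc; i++) f->src[i].syns = 0;
        f->total_syns = 0;
        f->window_start = p->t;
    }
    struct source *s = lookup(f, p->src);
    if (s == NULL) return 1;          /* table full: fail closed (a real device evicts old entries) */
    if (s->blocked) return 1;         /* ACL entry: drop everything from this source */
    if (!p->syn) return 0;            /* only SYNs count toward the flood rate */
    s->syns++;
    f->total_syns++;
    if (s->syns > PER_SOURCE_SYNS) { s->blocked = 1; return 1; }
    if (f->total_syns > AGGREGATE_SYNS) f->aggregate_alarm = 1;  /* cannot tell whom to block */
    return 0;
}

/* Runs a trace through a fresh filter; returns the number of dropped packets. */
size_t run_trace(struct filter *f, const struct packet *pkts, size_t n)
{
    size_t dropped = 0;
    filter_init(f);
    for (size_t i = 0; i < n; i++) dropped += filter_packet(f, &pkts[i]);
    return dropped;
}

/* Constructed trace: one flooder among a legitimate client, then a new window. */
const struct packet SINGLE_FLOOD[] = {
    {0, "198.51.100.7", 1}, {0, "192.0.2.10", 1}, {0, "198.51.100.7", 1},
    {0, "198.51.100.7", 1}, {0, "192.0.2.10", 0}, {0, "198.51.100.7", 1},
    {0, "198.51.100.7", 1}, {0, "198.51.100.7", 1},   /* 6th SYN: source gets blocked */
    {0, "198.51.100.7", 1}, {0, "198.51.100.7", 1},
    {1, "198.51.100.7", 1}, {1, "192.0.2.10", 1},     /* next window: block persists */
};
#define SINGLE_FLOOD_N (sizeof SINGLE_FLOOD / sizeof SINGLE_FLOOD[0])

/* Constructed trace: 25 bots, one SYN each, all under the per-source limit. */
size_t build_distributed(struct packet *out, size_t cap)
{
    static char ips[25][16];
    if (cap < 25) return 0;
    for (int i = 0; i < 25; i++) {
        snprintf(ips[i], sizeof ips[i], "203.0.113.%d", i + 1);
        out[i].t = 0; out[i].src = ips[i]; out[i].syn = 1;
    }
    return 25;
}

int main(void)
{
    struct filter f;
    struct packet bots[32];
    size_t nb = build_distributed(bots, 32);
    printf("single flooder: dropped %zu, flooder blocked %d, alarm %d\n",
           run_trace(&f, SINGLE_FLOOD, SINGLE_FLOOD_N), is_blocked(&f, "198.51.100.7"), f.aggregate_alarm);
    printf("distributed:    dropped %zu, first bot blocked %d, alarm %d\n",
           run_trace(&f, bots, nb), is_blocked(&f, "203.0.113.1"), f.aggregate_alarm);
    return 0;
}
```

The single flooder is cut off after its fifth SYN and stays blocked into the next window while the legitimate client is untouched; the 25-bot flood passes every packet and only trips the aggregate alarm. That gap is why slide 40 lists “unable to prevent more complex attacks” under the firewall’s cons, and why the ISP-side clean pipes and sinkholes exist.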

  46. Sources
     • http://cisco.com/web/about/ac123/ac147/archived_issued/ipj_7-4/dos_attacks.html
     • http://pathmaker.biz/whitepapers/CSISurvey2009.pdf
     • http://i.cmpnet.com/v2.gocsi.com/pdf/CSISurvey2007.pdf
     • www.tik.ee.ethz.ch/~ddosvax/talks/ddos_td.pdf
     • http://en.wikipedia.org/wiki/Denial-of-service_attack
     • http://www.csoroundtable.org/knowledge/there-business-case-it-security
     • http://en.wikipedia.org/wiki/Intrusion_prevention_system
     • http://csdl2.computer.org/comp/mags/ic/2009/06/mic2009060010.pdf
