
CIT 380: Securing Computer Systems

CIT 380: Securing Computer Systems. Malware. Topic. Types of Malware Trojan Horses Viruses Worms Backdoors Rootkits Self-Protection Mechanisms. Payloads. Malware Interactions. Detecting Malware. Defending against Malware. The changing Malware environment. Types of Malware.


Presentation Transcript


  1. Malware
  CIT 380: Securing Computer Systems

  2. Topic
  • Types of Malware
    • Trojan Horses
    • Viruses
    • Worms
    • Backdoors
    • Rootkits
  • Self-Protection Mechanisms
  • Payloads
  • Malware Interactions
  • Detecting Malware
  • Defending against Malware
  • The changing Malware environment

  3. Types of Malware
  Trojan Horse: Tricks user into executing malicious code.
  Virus: When run by user, copies self into other files.
  Worm: Copies self from computer to computer.
  Backdoors: Leave an opening for attacker to gain access.
  Rootkits: Hide attacker activities from system administrators.

  4. What about Spyware?
  Malware by any other name…
  • Corporate malware.
  • Presents legal issues for anti-malware software.

  5. Trojan Horse
  Program with both an overt and covert effect.
  • Displays expected behavior when user executes.
  • Covert effect (executed with user’s privileges) violates security policy.
  Attacker:
      cat >ls
      cp /bin/sh /tmp/.xxsh
      chmod u+s,o+x /tmp/.xxsh
      rm ./ls
      ls $*
      ^D
  Victim:
      ls
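The Trojan on this slide works because the victim's search path finds the planted ls before /bin/ls, and it leaves a setuid copy of /bin/sh behind. The script below is an added example (not part of the lecture) of the two administrative checks that catch both halves: it audits a PATH string for entries that cause the current directory to be searched or that are writable by users other than the owner, and it walks a directory for setuid regular files. The directory names and the planted .xxsh file it creates in a temp directory are constructed for the demo.

```python
"""Audit checks for the PATH-based Trojan horse on the slide.

Added example, not from the lecture. Directory and file names used by
run_demo() are constructed in a throwaway temp directory.
"""
import os
import stat
import tempfile

# Reasons reported by audit_path()
CWD_SEARCHED = "current directory searched"
WORLD_WRITABLE = "world-writable without sticky bit"
GROUP_WRITABLE = "group-writable"
MISSING = "nonexistent directory"


def audit_path(path_value):
    """Return [(entry, reason), ...] for risky entries in a PATH string.

    A planted 'ls' runs instead of /bin/ls when '.' (or an empty entry)
    is searched, or when an entry can be written by users other than
    its owner.
    """
    findings = []
    for entry in path_value.split(os.pathsep):
        if entry in ("", "."):
            findings.append((entry or "<empty>", CWD_SEARCHED))
            continue
        if not os.path.isabs(entry):
            # A relative entry also resolves against the current directory.
            findings.append((entry, CWD_SEARCHED))
            continue
        try:
            mode = os.stat(entry).st_mode
        except OSError:
            findings.append((entry, MISSING))
            continue
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append((entry, WORLD_WRITABLE))
        elif mode & stat.S_IWGRP:
            findings.append((entry, GROUP_WRITABLE))
    return findings


def find_setuid_files(directory):
    """List regular files under directory whose setuid bit is set.

    The slide's /tmp/.xxsh copy of /bin/sh is exactly this kind of file.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                mode = os.lstat(full).st_mode
            except OSError:
                continue
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                hits.append(full)
    return sorted(hits)


def run_demo():
    """Build a constructed scenario in a temp directory and audit it."""
    root = tempfile.mkdtemp(prefix="cit380_demo_")
    safe = os.path.join(root, "bin")
    loose = os.path.join(root, "loose")
    os.mkdir(safe, 0o755)
    os.mkdir(loose)
    os.chmod(loose, 0o777)  # mkdir's mode is masked by umask; force it
    # Stand-in for the attacker's /tmp/.xxsh: an empty file made setuid.
    planted = os.path.join(loose, ".xxsh")
    open(planted, "wb").close()
    os.chmod(planted, 0o4755)
    path_value = os.pathsep.join([safe, ".", loose, os.path.join(root, "gone")])
    return {
        "path": dict(audit_path(path_value)),
        "setuid": [os.path.basename(p) for p in find_setuid_files(root)],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

On a real host you would call audit_path(os.environ["PATH"]) and find_setuid_files("/tmp") instead of run_demo(); a nonexistent PATH entry is reported too, since whoever can create that directory later controls what it holds.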

  6. Postcard
  • http://www.nku.edu/~frank/cit380/docs/postcard.htm

  7. Viruses
  • “Programs that modify other programs on a computer, inserting copies of themselves.” (Page 736)
  • http://en.wikipedia.org/wiki/Virus_%28computing%29

  8. Worms
  • “Programs that propagate from computer to computer on a network, without necessarily modifying other programs on the target machines.”
  • http://en.wikipedia.org/wiki/Computer_worms

  9. Wildlist
  • http://www.wildlist.org/WildList/
  • JS – JavaScript
  • VBS – Visual Basic Script Virus or Worm
  • W32 – 32-bit malicious code that can infect all 32-bit Windows platforms

  10. Examples
  • W32.Areses.P@mm
    • http://www.sarc.com/avcenter/venc/data/w32.areses.p@mm.html
  • W32/Bagle@MM
    • http://vil.nai.com/vil/content/v_100965.htm
  • W32.Blaster.Worm
    • http://www.symantec.com/security_response/writeup.jsp?docid=2003-081113-0229-99&tabid=2
    • http://www.microsoft.com/security/incident/blast.mspx

  11. Examples
  • W32.HLLW.Lovgate.C@mm
    • http://www.symantec.com/security_response/writeup.jsp?docid=2003-022411-2431-99
  • W32.Mydoom.A@mm
    • http://www.symantec.com/security_response/writeup.jsp?docid=2004-012612-5422-99&tabid=1

  12. Examples
  • W32.Mytob.CU@mm
    • http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci1124386,00.html
    • http://www.symantec.com/security_response/writeup.jsp?docid=2005-053015-4201-99

  13. Virus
  Self-replicating code.
  • Propagating (replicating) Trojan horse.
  • Inserts (possibly evolved) copy into other files.
  Virus pseudocode:
      If spread condition then
          Foreach target-file
              if not infected then
                  copy virus to target-file
      Perform (malicious) action
      Execute normal code

  14. Types of Viruses
  • Boot Sector
    • When system boots, code in boot sector executed.
    • Propagate by altering boot disk creation.
    • Uncommon today because of low use of boot floppies, but some Vista laptops shipped one.

  15. Types of Viruses
  • Executable
    • Infects executable programs (e.g., COM, EXE).
    • Executes when infected program is run.
    • Virus usually runs first, then runs original code.
  • Dynamic Library
    • Infects dynamically linked libraries (DLLs).
    • Executed when any program uses infected DLL.

  16. Types of Viruses
  • Device Driver
    • Infects loadable device driver.
    • Executes in kernel mode.
  • Virtual Machine (.NET)
    • Infects .NET MSIL binaries.
    • Portable: compiled to native code by CLR.
  • Archive Infectors
    • Inserts Trojan horse into ZIP files.
    • Uses social engineering techniques to get user to run.

  17. Types of Viruses
  • Macro Virus
    • Infects embedded interpreted code.
    • Needs interpreter like sh, MS Word macro.
    • Can infect executables or data files.
      • Executables must invoke appropriate interpreter.
    • Most modern data formats support some type of scripting, including
      • Microsoft Office
      • Windows Help files
      • HTML: VBScript, JScript

  18. Infection Methods
  • Overwriting
    • Overwrites program code with virus.
    • Breaks infected program.
  • Appending
    • Append virus code to executable.
    • Insert JMP at beginning of executable.
  • Prepending
    • Insert virus code at beginning of executable.
    • Shift original code to follow virus.

  19. Infection Methods
  • Parasitic
    • Inserts virus code at beginning of executable.
    • Shifts beginning of program to end of file.
  • Cavity
    • Insert virus code into unused blocks of file.
    • Insert JMP at beginning of executable.
  • Fractionated Cavity
    • Fragment virus; inject into multiple cavities.
    • Loader reads fragments into continuous memory.

  20. Infection Methods
  • Compressing
    • Compresses executable to make space.
    • Inserts virus and decompression code.
  • Fragmenting
    • Dynamically fragment virus.
    • Insert fragments by overwriting or shifting code.
    • Fragments JMP/CALL each other.
  • Companion
    • Infects COM file of same name as EXE file.
    • Infects alternate data stream of Win32 file.
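Every infection method on slides 18 to 20 changes the bytes of an installed executable, so the basic defense is a baseline of file fingerprints taken when the software was installed and compared later. The script below is an added example, not from the lecture, of such a check. Besides a whole-file hash it records the size and a hash of the first and last 64 bytes, which lets it label a change as appended, prepended or in-place (overwriting or cavity) using only baseline metadata; the head/tail heuristic is my own, and the "executables" are constructed byte strings so the script runs offline.

```python
"""Baseline-and-compare check for file-infector changes.

Added example, not from the lecture. The sample files in run_demo() are
constructed in memory; the head/tail heuristic is an illustration, not a
product's algorithm.
"""
import hashlib

WINDOW = 64  # bytes hashed at each end of the file


def fingerprint(data):
    """Size plus whole-file, head and tail digests for one file."""
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "head": hashlib.sha256(data[:WINDOW]).hexdigest(),
        "tail": hashlib.sha256(data[-WINDOW:]).hexdigest(),
    }


def make_baseline(files):
    """files: {name: bytes} as installed. Returns {name: fingerprint}."""
    return {name: fingerprint(data) for name, data in files.items()}


def classify(base, data):
    """Label how a file's bytes differ from its baseline fingerprint.

    The labels follow the slide's infection methods:
      appended  - grew, original head intact (virus after the code)
      prepended - grew, original tail intact (virus before the code)
      in-place  - same size, different bytes (overwriting or cavity)
      modified  - size changed and both ends differ; an appender that
                  also patches a JMP into the header lands here, so it
                  is still a finding, just a less specific one
    """
    cur = fingerprint(data)
    if cur["sha256"] == base["sha256"]:
        return "unchanged"
    if cur["size"] == base["size"]:
        return "in-place"
    if cur["size"] > base["size"]:
        if cur["head"] == base["head"]:
            return "appended"
        if cur["tail"] == base["tail"]:
            return "prepended"
    return "modified"


def check_tree(baseline, files):
    """Compare current files against the baseline; report every name."""
    report = {}
    for name, base in baseline.items():
        report[name] = classify(base, files[name]) if name in files else "missing"
    for name in files:
        if name not in baseline:
            report[name] = "new"
    return report


def run_demo():
    """Constructed programs: one 'clean' blob and several infected variants."""
    clean = b"\x7fELF" + b"\x90" * 200 + b"\xc3"  # stand-in for a binary
    virus = b"VIRUS-BODY-" * 12                    # 132 constructed bytes
    installed = {"ls": clean, "cat": clean, "sh": clean, "cp": clean, "mv": clean}
    baseline = make_baseline(installed)
    now = {
        "ls": clean + virus,                                # appending
        "cat": virus + clean,                               # prepending
        "sh": virus[:8] + clean[8:],                        # overwriting
        "cp": b"\xe9\x00\x01\x00\x00" + clean[5:] + virus,  # appended + JMP patch
        "extra": virus,                                     # dropped file
    }  # "mv" has been deleted
    return check_tree(baseline, now)


if __name__ == "__main__":
    for name, label in run_demo().items():
        print(f"{name}: {label}")
```

For a real tree, read each file's bytes into the dicts passed to make_baseline and check_tree, and keep the baseline somewhere the infected host cannot rewrite it; any label other than "unchanged" is a finding, and the specific labels only narrow down which method was used.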

  21. In-Memory Strategies
  Direct Action
  • Virus runs only when infected code is run.
  Memory Resident
  • Remains active in memory after application terminates.
    • Interrupt hook (TSR) in DOS.
    • Kernel-mode rootkit techniques under modern OSes.
  • Can infect any program that runs after virus.
  • Example: Jerusalem Virus (Danube variant)
    • Multipartite TSR virus.
    • Infects all executables except command.com.
    • Also infects boot sector.
    • Deletes files on Friday the 13th.

  22. Worms
  Copies self from one computer to another.
  • Self-replicating: no user action required, unlike viruses or Trojan horse programs.
  • Spreads via network protocols, e.g., SMTP (email), fingerd, MS SQL.

  23. History of Worms

  24. History of Worms

  25. Worm Components
  • Vector
  • Propagation Engine
  • Target Selection
  • Scanning Engine
  • Payload

  26. Vector
  Software to gain access to target host.
  Common vectors:
  • Buffer overflow exploits.
  • Network file sharing, both NFS/SMB and P2P.
  • Social engineering via email or IM.
  • Weak passwords.
  • Parasitism: target backdoors and worm flaws.

  27. Propagation Engine
  Transfers worm to host exploited by vector.
  • Small worms like Slammer included in vector.
  Worm propagation methods:
  • FTP
  • HTTP
  • SMB
  • TFTP

  28. Remote Control Interface
  RCI allows creator to control infected hosts.
  • Many worms do not have an RCI.
  • May be a well-known backdoor program.
  Common remote control features:
  • Start/stop infecting new targets.
  • Download new vectors.
  • Download new target selectors.
  • Download new payloads.

  29. Target Selection
  Selecting targets for potential infection.
  E-mail address harvesting
  • Address books.
  • Parse disk files.
  • Search news groups.
  Network share enumeration
  • Check for filesystems shared with other systems.

  30. Target Selection
  Network scanning
  • Target hosts on current network and connected nets.
  • Randomized scanning of Internet space.
  Web searching
  • Search Google for addresses or vulnerable software.

  31. Scanning Engine
  Check targets for vulnerabilities.
  • If vector small, scanning can be skipped.
  Scan for vulnerable services.
  • Like targeted nmap port scan.
  OS Check
  • Check for correct OS for vector to work.
  Version checking
  • Check version of target software.
  • May customize vector based on information.
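The network-scanning target selection on slide 30 and the service scan on slide 31 both leave the same trace on the wire: one source host opening connections to many distinct destinations on the same port within seconds, which no normal client does. The script below is an added example (not from the lecture) of the detection logic that catches that shape in connection logs. It keeps a sliding window per (source, destination port) and alerts when the number of distinct destinations in the window reaches a threshold. The log format, the addresses and the traffic itself are constructed for the demo.

```python
"""Detect worm-style target scanning from connection logs.

Added example, not from the lecture. The log line format, the addresses
and the sample traffic in sample_log() are all constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format: "<ISO time> src=<ip> dst=<ip> dport=<port> proto=<p>"
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)")


def parse_line(line):
    """Return (ts, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1)).timestamp()
    return ts, m.group(2), m.group(3), int(m.group(4))


def detect_fanout(lines, window=10.0, threshold=20):
    """Sliding-window fan-out counter keyed by (src, dport).

    Returns {(src, dport): peak distinct destinations} for every key
    whose distinct-destination count inside `window` seconds reached
    `threshold`. Randomized scanning of address space produces this
    shape; a user browsing a few servers does not.
    """
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    recent = defaultdict(deque)  # (src, dport) -> deque of (ts, dst)
    alerts = {}
    for ts, src, dst, dport in events:
        key = (src, dport)
        q = recent[key]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts


def sample_log():
    """Constructed traffic: one host hitting 30 addresses on port 135 in
    ten seconds, a normal client talking to three servers, and one
    malformed line the parser must skip."""
    lines = []
    for i in range(30):
        lines.append(f"2003-08-11T12:00:{i // 3:02d} src=10.0.0.5 "
                     f"dst=10.0.1.{i + 1} dport=135 proto=tcp")
    for i, dst in enumerate(["10.0.2.10", "10.0.2.11", "10.0.2.12"]):
        lines.append(f"2003-08-11T12:00:{i:02d} src=10.0.0.9 "
                     f"dst={dst} dport=443 proto=tcp")
    lines.append("garbage line that the parser must skip")
    return lines


def run_demo():
    """Run the detector over the constructed log."""
    return detect_fanout(sample_log())


if __name__ == "__main__":
    for (src, dport), peak in run_demo().items():
        print(f"ALERT {src} -> {peak} distinct hosts on port {dport}")
```

The window and threshold are the tuning knobs: a short window with a moderate threshold catches fast scanners like those on the Examples slides, while a longer window is needed for worms that deliberately scan slowly. In practice the source of the log would be a firewall or flow collector, and the alert would feed the same place as other intrusion alerts.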
