Chapter 8

1. Chapter 8: The Art of Anti Malicious Software

2. Chapter 8 Outline
   - 8.1 Viruses
   - 8.2 Worms
   - 8.3 Virus Defense
   - 8.4 Trojan Horses
   - 8.5 Hoaxes
   - 8.6 Peer-to-Peer Security
   - 8.7 Web Security
   - 8.8 Distributed Denial of Service Attacks

3. Viruses
   - A computer virus is a piece of code hiding in a program that can automatically copy itself or embed a mutation of itself in other programs
     - Cannot spread on its own
     - Often requires a host program to live in
     - Infected program: a host program carrying a virus
     - Uninfected program (healthy program): a program cleared of all viruses
     - Disinfected program: a program once infected but now cleared of viruses
   - Specific to
     - particular types of file systems, file formats, and operating systems
     - particular types of architecture, CPU, languages, macros, scripts, debuggers, and every other form of programming or system environment

4. Virus Types
   - Classified based on host programs:
     - Boot Virus:
       - Infects the boot program in the boot sector
       - Uses the boot sequence to activate itself
       - Modifies the operating system to intercept disk access and infect other disks
       - May also infect an updatable BIOS of a PC
     - File-System Virus:
       - Overwrites table entries and spreads itself through file systems
       - The file system maintains a table of pointers to the first cluster of each file
     - File-Format Virus:
       - Infects individual files
     - Macro Virus:
       - Infects documents containing macro code

5. Virus Types (cont.)
   - Classified based on host programs (cont.):
     - Script Virus:
       - Infects script files
       - Replicates itself in the form of email attachments, office and Web documents
     - Registry Virus:
       - Infects the Microsoft Windows registry
     - Memory-Resident Virus:
       - Infects programs loaded in main memory for execution
   - Classified based on embedded forms:
     - Stealth virus:
       - Usually uses compression to mask itself
     - Polymorphic virus:
       - May change instruction orderings or encrypt itself into different forms
     - Metamorphic virus:
       - Can be rewritten automatically during transmission

6. Virus Infection Schemes
   - Overwrite a segment of an existing program
   - Insert itself at the beginning, in the middle, or at the end of an uninfected host program
   - Break itself into segments and insert each segment at a different location in the host program
   - The virus has the same access rights as the host program

7. Virus Infection Schemes (diagram)

8. Virus Structure
   - Consists of 4 main subroutines
     - Infect
       - Search for host programs and check whether they are already infected
     - Infection-Condition
       - Check for certain conditions to launch the Infect subroutine
     - Break-Out
       - Carry out the actual damage
     - Breakout-Condition
       - Check for certain conditions to launch the Break-Out subroutine

9. Compressor Viruses
   - An infected host file will often show a change in size before and after infection
   - Compressor viruses attempt to hide that change
     - Compress the host file during the infection period
     - Decompress the host file during the breakout period
     - May add padding if the compressed host plus viral code is smaller than the original size

10. Virus Dissemination
   - Spread through portable storage devices (traditional):
     - floppy disks, CDs, flash memory sticks
   - Spread through email attachments and downloaded programs (contemporary):
     - Email is a significant vector because many email programs and users blindly open attachments

11. Win32 Virus Infection Dissection
   - Win32 viruses exploit Microsoft's Portable Executable (PE) format for infection
   - A PE file contains:
     - PE sections:
       - Modules of code, data, resources, import tables, and export tables
     - PE headers:
       - Provide crucial information about the executable image
       - Natural targets of Win32 viruses
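Because the PE headers are what a file infector rewrites, a scanner can read just those headers and check that the entry point still makes sense. The following is an added example, not code from the slides: it builds two constructed PE32 images with the standard-library `struct` module, parses the DOS, COFF, optional and section headers, and applies three hypothetical heuristics (entry point outside every section, in a writable section, or in the last section); the section names, addresses and heuristics are assumptions chosen for illustration.

```python
import struct

SCN_CODE, SCN_EXECUTE, SCN_WRITE = 0x20, 0x20000000, 0x80000000  # IMAGE_SCN_*
SEC_FMT = "<8sIIIIIIHHI"  # one 40-byte IMAGE_SECTION_HEADER

def build_pe(sections, entry_rva):
    """Construct a minimal PE32 image (test data built here, not a real binary):
    DOS header, PE signature, COFF header, 96-byte optional header, section table."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 96, 0x102)
    opt = struct.pack("<HBBIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0)
    opt += b"\0" * (96 - len(opt))  # remaining optional-header fields zeroed
    hdrs = b"".join(struct.pack(SEC_FMT, n.encode().ljust(8, b"\0"), vs, va,
                                vs, raw, 0, 0, 0, 0, ch)
                    for n, va, vs, raw, ch in sections)
    return dos + b"PE\0\0" + coff + opt + hdrs

def parse_pe(data):
    """Return (entry_rva, [(name, va, vsize, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24  # optional header follows the signature and 20-byte COFF header
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        name, vsize, va, *_, ch = struct.unpack_from(SEC_FMT, data,
                                                     opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, ch))
    return entry, sections

def entry_point_findings(data):
    """Heuristics on the headers a file infector rewrites: flag an entry point
    outside every section, in a writable section, or in the last section."""
    entry, sections = parse_pe(data)
    owner = next((i for i, (_, va, vs, _) in enumerate(sections)
                  if va <= entry < va + vs), None)
    if owner is None:
        return ["entry point outside all sections"]
    name, _, _, ch = sections[owner]
    findings = []
    if ch & SCN_WRITE:
        findings.append(f"entry point in writable section {name}")
    if len(sections) > 1 and owner == len(sections) - 1:
        findings.append(f"entry point in last section {name}")
    return findings

# Constructed samples: a normal layout, and the same file with an appended RWX section
TEXT = (".text", 0x1000, 0x400, 0x400, SCN_CODE | SCN_EXECUTE)
DATA = (".data", 0x2000, 0x200, 0x800, 0x40 | SCN_WRITE)
CLEAN = build_pe([TEXT, DATA], 0x1010)
SUSPECT = build_pe([TEXT, DATA, (".xyz", 0x3000, 0x300, 0xA00, 0xE0000020)], 0x3050)
```

Such header checks are cheap and catch the classic appended-section layout, but a virus that overwrites existing code (slide 6) leaves the headers intact and needs the ICV or signature checks of section 8.3.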
12. Chapter 8 Outline (section divider; same outline as slide 2)

13. Worms
   - A worm is a standalone program that can replicate itself and spread through networks
     - May be viewed as a network virus
   - Can execute itself automatically on a remote host
     - May still need a host file for spreading
   - Most worms consist of
     - Target locator subroutine: finds new targets
     - Infection propagator subroutine: transfers the worm to a new computer

14. Common Worm Types
   - Mass Mailers
     - Usually have "@mm" appended to the worm's name
     - Reproduce themselves through email attachments
   - Rabbits
     - Rapidly replicate themselves until the system crashes under the resource load
     - Often hidden in a file directory or disguised with normal file names

15. Worm Examples
   - Morris worm
     - Exploited implementation flaws in sendmail, finger and rsh/rexec
     - to infect other computers as quickly as possible
   - Melissa worm
     - A macro virus targeted at Microsoft products
     - Spread via email attachments
     - Spread fast, creating a huge amount of email traffic

16. Email Attachments
   - Email attachments can be classified (roughly) into 3 categories
     - Safe
       - Non-executable, no macros
     - To-Be-Cautious
       - Contain macros or executable code; whether to open them depends on the sender
     - Perilous
       - Should not be opened at all

17. The Code Red Worm
   - Released in July 2001, it infected about 300K computers within the first 24 hours of its release
   - It exploited a buffer overflow in Microsoft's IIS
   - It arrived as a GET /default.ida request (with 224 N's)
   - This request starts the worm code execution
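The request on slide 17 doubles as a detection signature in the Web server's own log. The following is an added example, not part of the original slides: it parses constructed IIS W3C-format log lines, flags requests to a `.ida` URL whose query string carries a long run of a single repeated character (a generalisation of the slide's 224 N's), and counts hits per source address so infected hosts scanning outward stand out; the log lines, addresses and threshold are constructed.

```python
import re
from collections import Counter

# Constructed IIS W3C-extended log lines (not a real capture). Slide 17's
# request shows up as GET /default.ida with a query string of 224 N's.
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 10:02:11 192.0.2.10 GET /default.ida " + "N" * 224 + " 200",
    "2001-07-19 10:02:13 192.0.2.10 GET /index.html - 200",
    "2001-07-19 10:02:15 198.51.100.7 GET /default.ida " + "N" * 224 + " 404",
    "2001-07-19 10:02:17 198.51.100.7 GET /default.ida " + "N" * 224 + " 404",
    "2001-07-19 10:02:20 203.0.113.4 GET /default.ida NNNNNNNNNN 404",
    "2001-07-19 10:02:25 203.0.113.4 GET /scripts/page.asp id=7 200",
])

MIN_RUN = 200  # constructed threshold: below 224, far above any normal query

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def code_red_hits(text, min_run=MIN_RUN):
    """Return (c-ip, time, sc-status) for every request matching the pattern:
    cs-uri-stem ends in .ida and cs-uri-query carries a run of at least
    min_run copies of one character (the slide's 224 N's, generalised)."""
    long_run = re.compile(r"(.)\1{%d,}" % (min_run - 1))
    hits = []
    for rec in parse_w3c(text):
        if rec.get("cs-uri-stem", "").lower().endswith(".ida") and \
                long_run.search(rec.get("cs-uri-query", "")):
            hits.append((rec["c-ip"], rec["time"], rec["sc-status"]))
    return hits

def sources_by_count(text):
    """Hits per source address: repeated probes from one host mark it as an
    infected machine scanning outward, a candidate for blocking and cleanup."""
    return Counter(ip for ip, _, _ in code_red_hits(text))
```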
18. Chapter 8 Outline (section divider; same outline as slide 2)

19. Virus Defense
   - Prevention: block viruses from getting into a healthy system
     - Install software patches in time
     - Do not download software from untrusted Web sites
     - Do not open "To-Be-Cautious" email attachments from unknown senders
     - Do not open perilous email attachments
   - Restoration: disinfect infected systems
     - Scan files with a virus scanner
     - Keep a backup of system and user files

20. Standard Scanning Methods
   - Basic Scanning
     - Search for signatures of known viruses in hostable files
     - Check the size of system files
   - Heuristic Scanning
     - Search for suspicious code fragments in executable files
   - ICV (integrity check value) Scanning
     - Compute an ICV for each uninfected executable file, then check against that value later on
   - Behavior Monitoring
     - Evaluate the behavior of executing programs
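Slide 20's basic and ICV scanning, and the reason slide 9's compressor trick defeats a size check but not an ICV, can be shown together. The following is an added example, not code from the slides: byte strings stand in for executables, SHA-256 is assumed as the ICV (the slides do not name one), the signature database holds one constructed pattern, and the two `model_*` functions only reproduce the file-layout change each infection scheme causes so the detectors have something to compare.

```python
import hashlib
import zlib

# Constructed stand-in for a known-virus signature database (not a real one).
SIGNATURES = {"constructed-sample-virus": b"CONSTRUCTED-SAMPLE-SIGNATURE"}

# Constructed "files": byte strings stand in for on-disk executables.
CLEAN_FILES = {
    "calc.exe": b"MZ" + b"calc-program-bytes" * 8,
    "edit.exe": b"MZ" + b"editor-program-bytes" * 8,
}

def basic_scan(files):
    """Basic scanning: search each hostable file for known virus signatures."""
    return {name: sig for name, data in files.items()
            for sig, pattern in SIGNATURES.items() if pattern in data}

def build_icv_db(files):
    """ICV scanning, step 1: record the size and an integrity check value
    (SHA-256 here) of every file while the system is known to be clean."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}

def icv_scan(files, icv_db):
    """ICV scanning, step 2: compare current files against the baseline and
    report which check caught each change (size, ICV only, or a new file)."""
    findings = {}
    for name, data in files.items():
        if name not in icv_db:
            findings[name] = "not in baseline"
        elif hashlib.sha256(data).hexdigest() != icv_db[name][1]:
            size_ok = len(data) == icv_db[name][0]
            findings[name] = "ICV changed, size unchanged" if size_ok else "size changed"
    return findings

def model_append_infection(host, payload):
    """Layout model of the slide 6 scheme 'insert at the end of the host':
    the file grows by the payload length, so the size check notices."""
    return host + payload

def model_compressor_infection(host, payload):
    """Layout model of slide 9: compress the host, append the payload and pad
    back to the original length, so only the ICV check notices."""
    body = zlib.compress(host, 9) + payload
    if len(body) > len(host):
        raise ValueError("host does not compress enough to hide the payload")
    return body + b"\0" * (len(host) - len(body))
```

The ICV baseline is only as trustworthy as the moment it was taken and the place it is stored, so it must be built on a known-clean system and kept where an infected program cannot rewrite it.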
21. Some Common Anti-Virus Software Products
   - McAfee VirusScan: http://www.mcafee.com
   - Norton AntiVirus: http://www.symantec.com
   - Avast! AntiVirus: http://www.avast.com
   - AVG: http://www.grisoft.com
   - …

22. Virus Emulator
   - Isolated hardware and software to evaluate suspicious programs
     - May create a large amount of computational overhead
     - Helps to prevent suspicious programs from causing damage to critical systems

23. Chapter 8 Outline (section divider; same outline as slide 2)

24. Trojan Horses
   - A program that appears to have some useful function but contains a malicious payload (a.k.a. warrior code)
     - Cannot replicate itself automatically
     - Requires direct user intervention to run
   - May inflict the following types of damage:
     - Install a backdoor or zombieware for DDoS attacks
     - Install spyware
     - Look for users' bank account numbers and private information
     - Install viruses or other malicious code on other hosts
     - Modify or delete user files

25. Chapter 8 Outline (section divider; same outline as slide 2)

26. Hoaxes
   - Hoaxes trick users into doing something they would normally not do
   - Often in the form of email messages
   - Example: the "You've Got Virus!" hoax
   - The countermeasure to hoaxes is to ignore them
     - There is no free lunch!

27. Chapter 8 Outline (section divider; same outline as slide 2)

28. Peer-to-Peer Security
   - Client-server topology:
     - A small number of servers provide services to a large number of clients
   - P2P topology:
     - Ad hoc network; each computer acts both as a client and as a server

29. Peer-to-Peer Security
   - Security vulnerabilities:
     - Copyright infringement
     - Consuming too much bandwidth and local disk storage, which amounts to a DoS attack
     - A P2P application opens a specific port to share files with unknown users, which may open a door for Trojan horses, viruses and other malicious software
   - Security measures:
     - Install only official P2P software
     - Scan downloaded files before opening them
     - Disallow P2P software in the company

30. Chapter 8 Outline (section divider; same outline as slide 2)

31. Web Security
   - Basic types of Web documents:
   - Static documents:
     - A Web document without executable code
     - Safe to download
   - Dynamic documents:
     - A Web document containing executable code
     - CGI executed on the server computer
     - The resulting document is downloaded to the client
   - Active documents:
     - Also contain executable code, but run on the client computer
     - The entire document is downloaded to the client for execution

32. Security of Web Documents
   - Server-side:
     - May be attacked by exploiting loopholes in dynamic documents and Web server programs
     - Security measures:
       - Update to the newest version of Web server programs
       - Manage CGI programs and their directories rigorously
       - Only a designated person can post CGI programs on the Web server
   - Client-side:
     - May be attacked by exploiting loopholes in active documents and Web browser programs
     - Security measures:
       - Install browser patches
       - Disable JavaScript in the browser
       - Disable Java applets in the browser

33. Cookies
   - Web browsing is stateless
     - A new connection with the Web server for each URL request
     - Different, unrelated TCP connections have to be established for subsequent pages
   - A cookie stores the user information and passes it to the user's browser
   - The browser sends the cookie along with the user's request when visiting subsequent pages
   - Server: must ensure cookies cannot be used for malicious purposes
   - Client: remove stored cookies frequently

34. Spyware
   - Malicious software installed as a plugin module in the Web browser without the user's consent
   - Spyware may
     - Collect the user's information and send it to the attacker
     - Monitor the user's Web surfing activities and pop up ads
     - Modify default settings of the browser and redirect to a certain Web page
   - Countermeasures against spyware:
     - Set up a firewall to prevent attackers from embedding spyware
     - Install software patches in time
     - Install anti-spyware software

35. AJAX Security
   - Asynchronous JavaScript and XML (AJAX)
   - AJAX achieves asynchronous interactions to make surfing smooth
   - Example: Google Maps
   - Faces the same security problems as traditional Web applications
     - Cross-site scripting attacks
     - Silent calls and cookies

36. Safe Web Surfing
   - Download software only from trusted Web sites
   - Do not click any button on a popup window
   - Read privacy statements, license statements and security warnings to find out the risks you may take if you install and run the software
   - Do not visit other sites with different addresses from the password-protected site
   - Do not visit suspicious Web sites

37. Chapter 8 Outline (section divider; same outline as slide 2)

38. Master-Slave DDoS Attack (diagram)

39. Master-Slave-Reflector DDoS Attack (diagram)

40. DDoS Attack Countermeasures
   - Reduce the number of vulnerable computers
     - Improve security management of networked computers
     - Set up a backup system
     - Distribute resources appropriately
     - Construct a DDoS monitoring and response system
     - Keep a complete system log to help trace sources
   - Make it hard for attackers to find vulnerable computers
     - Close all unnecessary ports to defy IP scans
     - Disconnect the network connection when the user's computer is no longer in use
     - Detect and remove zombieware
