  • Overview
      — Introduction
      — Virus
      — Worm
      — Other Malicious Software
          o Backdoor/Trapdoor
          o Logic Bomb
          o Trojan Horse
      — DDoS Attack
          o DDoS Description
          o Construction of Attack
  • Program Definition
      A computer program tells a computer what to do and how to do it.
      • Computer viruses, network worms, and Trojan Horses are computer programs.
  • Malicious software?
      • Malicious Software (Malware) is software that is included or inserted in a system for harmful purposes.
      OR
      • Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do.
  • The Malware Zoo
      • Virus
      • Worms
      • Logic Bomb
      • Trojan horse
      • Zombie
      • Scareware
      • Adware
      • Backdoor / Trapdoors
  • Taxonomy of Malicious Programs
      • Malicious Programs
          – Need Host Program: Trapdoors, Logic Bombs, Trojan Horses, Viruses
          – Independent: Zombies, Worms
      • Most current malicious code mixes all capabilities!
  • What is it good for?
      • Steal personal information
      • Delete files
      • Click fraud
      • Steal software serial numbers
  • What to Infect
      • Executable
      • Interpreted file
      • Kernel
      • Service
      • Master Boot Record
  • Virus
      • Self-replicating code that attaches itself to another program and executes secretly when the host program is executed.
      • No hidden action
          – Generally tries to remain undetected, but what about activities such as deleted files?
  • Parts of a Virus
      • Three parts
          – Infection mechanism: the means by which a virus spreads, enabling it to replicate; also referred to as the infection vector.
          – Trigger: the event or condition that determines when the payload is activated or delivered.
          – Payload: the payload may involve damage or may involve benign but NOTICEABLE activity.
  • Phases – Life Cycle
      • Dormant phase - the virus is idle
      • Propagation phase - the virus places an identical copy of itself into other programs
      • Triggering phase – the virus is activated to perform the function for which it was intended
      • Execution phase – the function is performed
  • Virus Structure
  • Operation routine
      • Operates when infected code is executed (execution sequence)
          – Jump to main virus program
          – If spread (infection) condition then { for target files: if not infected, then alter file to include virus }
          – Perform malicious action
          – Transfer control back
          – Execute normal program
      • If the infection phase is rapid, the user will not notice any difference between the execution of an infected program and an uninfected program.
  • Types of Viruses
      • On the basis of target
      • Boot Sector Infector: infects the master boot record / boot record (boot sector) of a disk and spreads when a system is booted with an infected disk (original DOS viruses). These are memory-resident viruses.
      • File Infector: infects executable files; also called a Parasitic Virus because it attaches itself to executable files as part of their code. Runs whenever the host program is executed.
      • Macro Virus: infects files with macro code that is interpreted by the relevant application, such as doc or excel files.
  • Types of Viruses
      • On the basis of concealment strategy
      • Encrypted Virus – a portion of the virus creates a random encryption key and encrypts the remainder of the virus. The key is stored with the virus. When the virus replicates, a different random key is generated.
      • Stealth Virus - explicitly designed to hide from virus scanning programs.
      • Polymorphic Virus - mutates with every new host to prevent signature detection; signature detection is useless.
      • Metamorphic Virus – rewrites itself completely with every new host; may change its behavior and appearance.
  • Recent addition: Email Virus
      • Moves around in e-mail messages, triggered when the user opens an attachment
      • Does local damage on the user's system
      • Propagates very quickly
      • Replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book
  • Examples of risky file types
      • The following file types should never be opened if…
          – .EXE
          – .PIF
          – .BAT
          – .VBS
          – .COM
  • Viruses Propagation
      • Virus written in some language, e.g. C, C++, Assembly etc.
      • Inserted into another program
          – use a tool called a "dropper"
      • Virus dormant until program executed
          – then infects other programs
          – eventually executes its "payload"
  • Viruses Propagation
      • An executable program
      • With a virus at the front (file size is increased)
      • With the virus at the end (file size is increased)
      • With a virus spread over free space within the program
  • Viruses Propagation
      (a) A program
      (b) Infected program
      (c) Compressed infected program
      (d) Encrypted virus
      (e) Compressed virus with encrypted compression code
  • Anti-virus
      • It is not possible to build a perfect virus/malware detector.
      • Analyze system behavior
      • Analyze the binary to decide if it is a virus
      • Types:
          – Scanner
          – Real time monitor
  • Anti-virus
      • Scanners
          – First Generation, relied on signatures.
          – Second Generation, relied on heuristic rules or integrity checking (e.g. checksum appended to a program).
      • Real time Monitors
          – Third Generation, memory resident and identify a virus by its actions (behaviour).
          – Fourth Generation, combination of different capabilities.
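
The second-generation integrity check named above, as an added example (not part of the original slides): it records a size and SHA-256 baseline for every file under a directory and later reports what changed. The function names and the choice of SHA-256 are assumptions of this sketch.

```python
import hashlib
import os


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map each file under root (relative path) to (size, sha256)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            state[rel] = (os.path.getsize(full), sha256_file(full))
    return state


def compare(baseline, current):
    """Return (path, status, size_delta) tuples, sorted by path."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            findings.append((path, "new", new[0]))
        elif new is None:
            findings.append((path, "missing", -old[0]))
        elif old[1] != new[1]:
            # Size growth matches the front/end infection cases on the
            # propagation slide; an unchanged size with a new hash matches
            # code placed in free space inside the program.
            findings.append((path, "modified", new[0] - old[0]))
    return findings
```

The baseline is only useful if it is stored where the monitored system cannot rewrite it, for example on read-only media or another host.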
  • Worm
      A computer worm is a self-replicating computer virus. It uses a network to send copies of itself to other nodes and does so without any user intervention.
  • Comparison of Worm Features
      1) Computer Virus:
          • Needs a host file
          • Copies itself
          • Executable
      2) Network Worm:
          • No host (self-contained)
          • Copies itself
          • Executable
      3) Trojan Horse:
          • No host (self-contained)
          • Does not copy itself
          • Imposter program
  • Worm: History
      • Runs independently
          – Does not require a host program
      • Propagates a fully working version of itself to other machines
      — History
          ◦ The Morris worm was one of the first worms distributed over the Internet
      — Two examples
          ◦ Morris – 1988
          ◦ Slammer – 2003
  • Worm Operation
      • A worm has phases similar to a virus:
          • Dormant (inactive; rest)
          • Propagation
              – Search for other systems to infect
              – Establish connection to target remote system
              – Replicate self onto remote system
          • Triggering
          • Execution
  • Morris Worm
      • Best known classic worm
      • Released by Robert Morris in 1988
      • Targeted Unix systems
      • Used several propagation techniques
      • If any attack succeeded, it replicated itself
  • Slammer (Sapphire) Worm
      • When
          • Jan 25 2003
      • How
          • Exploits a buffer overflow in MS SQL
      • Random scanning
          • Randomly selects IP addresses
      • Cost
          • Caused ~ $2.6 Billion in damage
  • Slammer Scale
      The diameter of each circle is a function of the number of infected machines, so large circles visually underrepresent the number of infected cases in order to minimize overlap with adjacent locations.
  • The worm itself …
      — System load
          ◦ Infection generates a number of processes
          ◦ Password cracking uses lots of resources
          ◦ Thousands of systems were shut down
      • Tries to infect as many other hosts as possible
          – When the worm successfully connects, it leaves a child to continue the infection while the parent keeps trying new hosts
          – Finds targets using several mechanisms: netstat -r -n, /etc/hosts
      • The worm does NOT:
          – Delete system files, modify existing files, install Trojan horses, record or transmit decrypted passwords, capture super user privileges
  • Backdoor or Trapdoor
      — Secret entry point into a program
      — Allows those who know of it to gain access, bypassing the usual security procedures
      — Remains hidden to casual inspection
      — Can be a new program to be installed
      — Can modify an existing program
      — Trap doors can provide access to a system for unauthorized procedures
      — Very hard to block in the O/S
  • Trap Door Example
      (a) Normal code.
      (b) Code with a trapdoor inserted
  • Logic Bomb
      • One of the oldest types of malicious software
      • Piece of code that executes itself when pre-defined conditions are met
      • Logic Bombs that execute on certain days are known as Time Bombs
      • Activated when specified conditions are met
          – E.g., presence/absence of some file
          – particular date/time
          – particular user
      • When triggered, typically damages the system
          – modify/delete files/disks, halt machine, etc.
  • Tracing Logic Bombs
      • Searching - Even the most experienced programmers have trouble erasing all traces of their code
      • Knowledge - Important to understand the underlying system functions, the hardware, the hardware/software/firmware/operating system interface, and the communications functions inside and outside the computer
      • Example of benign logical fun
          – http://googletricks.com/top-25-fun-google-tricks/
          – Type zerg rush in google
  • Trojan Horse
  • Trojan Horse
      • A Trojan horse is a malicious program that is designed to look like authentic, real and genuine software.
      • Like the gift horse left outside the gates of Troy by the Greeks, Trojan Horses appear to be useful or interesting to an unsuspecting user, but are actually harmful.
  • Trojan Percentage
  • What can Trojans do?
      • Erase or overwrite data on a computer
      • Spread other viruses or install a backdoor. In this case the Trojan horse is called a dropper.
      • Set up networks of zombie computers in order to launch DDoS attacks or send spam.
      • Log keystrokes to steal information such as passwords and credit card numbers (known as a key logger)
      • Phish for bank or other account details, which can be used for criminal activities.
      • Or simply destroy data
      • Mail the password file.
  • How can you be infected?
      • Websites: You can be infected by visiting a rogue website. Internet Explorer is most often targeted by makers of Trojans and other pests. Even using a secure web browser, such as Mozilla's Firefox, if Java is enabled, your computer has the potential of receiving a Trojan horse.
      • Instant message: Many get infected through files sent through various messengers. This is due to an extreme lack of security in some instant messengers, such as AOL's instant messenger.
      • E-mail: Attachments on e-mail messages may contain Trojans. Trojan horses via SMTP.
  • Sample Delivery
      • The attacker will attach the Trojan to an e-mail with an enticing header.
      • The Trojan horse is typically a Windows executable program file, and must have an executable file extension such as .exe, .com, .scr, .bat, or .pif. Since Windows is configured by default to hide extensions from a user, the Trojan horse's extension might be "masked" by giving it a name such as Readme.txt.exe. With file extensions hidden, the user would only see Readme.txt and could mistake it for a harmless text file.
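
A mail-filter check for the masked extension described above, as an added example (not part of the original slides): it parses a message, finds attachments whose executable extension follows another extension, and reports the name a user would see with extensions hidden. The sample message, its addresses and the function names are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Executable extensions named on the slides.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".pif", ".vbs"}


def masked_name(filename):
    """Return the name a user sees with extensions hidden when an executable
    extension follows another extension (Readme.txt.exe); otherwise None."""
    name = filename.strip().rstrip(". ")
    stem, dot, ext = name.rpartition(".")
    if not dot or "." + ext.lower() not in EXECUTABLE_EXTS:
        return None
    stem = stem.rstrip()  # padding spaces placed before the real extension
    inner_stem, inner_dot, inner_ext = stem.rpartition(".")
    if not (inner_stem and inner_dot and inner_ext):
        return None  # plain executable such as setup.exe: nothing is masked
    return stem


def scan_message(raw_bytes):
    """List (real filename, displayed name) for masked attachments."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename()
        shown = masked_name(fname) if fname else None
        if shown is not None:
            findings.append((fname, shown))
    return findings


def build_sample():
    """Constructed message with harmless placeholder attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Please read"
    msg.set_content("See attached.")
    for fname in ("Readme.txt.exe", "notes.txt", "setup.exe"):
        msg.add_attachment(b"constructed placeholder bytes",
                           maintype="application", subtype="octet-stream",
                           filename=fname)
    return msg.as_bytes()
```

A plain executable such as setup.exe is not reported here because nothing about its name is masked; blocking by extension alone is a separate policy.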
  • Where They Live? (1)
      • Autostart Folder
          The Autostart folder is located in C:\Windows\Start Menu\Programs\startup and, as its name suggests, automatically starts everything placed there.
      • Win.ini
          Windows system file using load=Trojan.exe and run=Trojan.exe to execute the Trojan
      • System.ini
          Using Shell=Explorer.exe trojan.exe results in execution of every file after Explorer.exe
      • Wininit.ini
          Setup programs use it mostly; once run, it is auto-deleted, which is very handy for Trojans to restart
  • Where They Live? (2)
      • Winstart.bat
          Acting as a normal bat file, the trojan is added as @trojan.exe to hide its execution from the user
      • Autoexec.bat
          It is a DOS auto-starting file and it is used as an auto-starting method like this -> c:\Trojan.exe
      • Config.sys
          Could also be used as an auto-starting method for Trojans
      • Explorer Startup
          Is an auto-starting method for Windows 95, 98, ME, XP: if c:\explorer.exe exists, it will be started instead of the usual c:\Windows\Explorer.exe, which is the common path to the file.
  • What does the attacker want?
      • Credit card information (often used for domain registration, shopping with your credit card)
      • Any accounting data (e-mail passwords, login passwords, web services passwords, etc.)
      • Email addresses (might be used for spamming, as explained above)
      • Work projects (steal your presentations and work related papers)
      • School work (steal your papers and publish them with his/her name on it)
  • Stopping the Trojan …
      The Horse must be "invited in" ….
      How does it get in? By:
          Downloading a file
          Installing a program
          Opening an attachment
          Opening bogus Web pages
          Copying a file from someone else
  • Zombie
      • A program which secretly takes over another networked computer and forces it to run under a common command and control infrastructure.
      • Uses it to indirectly launch attacks, e.g., DDoS, phishing, spamming, cracking
      • Difficult to trace the zombie's creator
      • Infected computers — mostly Windows machines — are now the major delivery method of spam.
      • Zombies have been used extensively to send e-mail spam; between 50% and 80% of all spam worldwide is now sent by zombie computers.
  • Adware
  • Scareware / Rogue / Fake antivirus
  • Where malware Lives: Auto start
      • Folder auto-start
      • Win.ini: "run=[backdoor]" or "load=[backdoor]".
      • System.ini: shell="myexplorer.exe"
      • Autoexec.bat
      • Config.sys
      • Init.d
  • Auto start
      • Assign a known extension (.doc) to the malware
      • Add a Registry key such as HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      • Add a task in the task scheduler
      • Run as a service
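
An audit of the Win.ini and System.ini autostart entries named on the "Where They Live" and "Where malware Lives" slides, as an added example (not part of the original slides). The sample file contents are constructed, and the [windows] and [boot] section names are the standard locations of these keys.

```python
import configparser

# Constructed sample files (not taken from a real system).
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\Windows\\Trojan.exe\n[fonts]\n"
SAMPLE_SYSTEM_INI = (
    "[boot]\nshell=Explorer.exe trojan.exe\n[drivers]\nwave=mmdrv.dll\n"
)

# file name -> (section, keys whose values are started automatically)
CHECKS = {
    "win.ini": ("windows", ("load", "run")),
    "system.ini": ("boot", ("shell",)),
}


def audit_ini(filename, text):
    """Return (file, section, key, program) for every autostart entry that
    needs review. Simplification: program paths are split on whitespace,
    so paths containing spaces are not handled."""
    section, keys = CHECKS[filename.lower()]
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True)
    parser.read_string(text)
    # Section names are matched case-insensitively ([Windows] vs [windows]).
    match = next((s for s in parser.sections() if s.lower() == section), None)
    findings = []
    if match is None:
        return findings
    for key in keys:
        value = (parser.get(match, key, fallback="") or "").strip()
        programs = value.replace(",", " ").split()
        if key == "shell":
            # A bare Explorer.exe is the expected shell; anything listed
            # after it, or in its place, is started as well.
            programs = [p for p in programs if p.lower() != "explorer.exe"]
        for prog in programs:
            findings.append((filename, section, key, prog))
    return findings
```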
  • Web
      — 1.3% of the incoming search queries to Google returned at least one malware site
      — Visit sites with an army of browsers in VMs, check for changes to the local system
      — Indicate potentially harmful sites in search results
  • Web: Fake page
  • Shared folder
  • Email
  • Email again
  • P2P Files
      • 35.5% malware
  • Typical Symptoms
      • File deletion
      • File corruption
      • Visual effects
      • Pop-Ups
      • Computer crashes
      • Slow connection
      • Spam relaying
  • Distributed Denial of Service
      • A denial-of-service attack is an attack that causes a loss of service to users, typically the loss of network connectivity.
      • CPU, memory, network connectivity, network bandwidth, battery energy
      • Hard to address, especially in distributed form
  • DDoS Mechanism
      • Goal: make a service unusable.
      • How: overload a server, router, or network link by flooding it with useless traffic
      • Focus: bandwidth attacks, using large numbers of "zombies"
  • How it works?
      • The flood of incoming messages to the target system essentially forces it to shut down, thereby denying the system's service to legitimate users.
      • Victim's IP address.
      • Victim's port number.
      • Attacking packet size.
      • Attacking inter-packet delay.
      • Duration of attack.
  • Example 1
      • Ping-of-death
          – An IP packet with a size larger than 65,536 bytes is illegal by standard
          – Many operating systems did not know what to do when they received an oversized packet, so they froze, crashed or rebooted.
          – Routers forward each packet independently.
          – Routers don't know about connections.
          – Complexity is in end hosts; routers are simple.
  • Example 1
  • Example 2
      • TCP handshake
      • SYN Flood
          – A stream of TCP SYN packets directed to a listening TCP port at the victim
          – The victim host must allocate new data structures for each SYN request
          – Legitimate connections are denied while the victim machine is waiting to complete bogus "half-open" connections
          – Not a bandwidth consumption attack
      • IP Spoofing
  • Example 2
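
Detection of the "half-open" build-up described for the SYN flood, as an added example (not part of the original slides): it counts SYN-RECV sockets per listening port from `ss -tan`-style lines and flags ports where they fill a large share of the listen backlog. The sample lines, the backlog of 128 and the 50% ratio are assumptions constructed for illustration.

```python
from collections import defaultdict


def half_open_by_port(lines):
    """Count SYN-RECV sockets per local port and collect their peer IPs.
    Expected columns: State Recv-Q Send-Q Local:Port Peer:Port."""
    stats = defaultdict(lambda: {"half_open": 0, "sources": set()})
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue
        local, peer = fields[3], fields[4]
        port = int(local.rsplit(":", 1)[1])
        stats[port]["half_open"] += 1
        stats[port]["sources"].add(peer.rsplit(":", 1)[0])
    return dict(stats)


def flag_ports(stats, backlog=128, ratio=0.5):
    """Return (port, half_open, distinct_sources) for ports whose half-open
    count reaches ratio * backlog. Many distinct sources with one pending
    connection each is consistent with spoofed source addresses."""
    flagged = []
    for port, entry in sorted(stats.items()):
        if entry["half_open"] >= backlog * ratio:
            flagged.append(
                (port, entry["half_open"], len(entry["sources"])))
    return flagged


def build_sample():
    """Constructed socket table using documentation address ranges."""
    lines = [
        "State Recv-Q Send-Q Local Address:Port Peer Address:Port",
        "LISTEN 0 128 0.0.0.0:80 0.0.0.0:*",
        "ESTAB 0 0 192.0.2.10:80 198.51.100.20:51000",
        "SYN-RECV 0 0 192.0.2.10:22 198.51.100.9:50022",
    ]
    for i in range(90):
        lines.append(
            f"SYN-RECV 0 0 192.0.2.10:80 203.0.113.{i + 1}:{40000 + i}")
    return lines
```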
  • From DoS to DDoS
  • From DoS to DDoS
  • Distributed DoS Attack
  • DDoS Countermeasures
      • Three broad lines of defense:
          1. attack prevention & preemption (before)
          2. attack detection & filtering (during)
          3. attack source trace back & identification (after)