Isys20261 lecture 05


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Isys20261 lecture 05

  1. 1. Computer Security Management(ISYS20261)Lecture 5 - Host-based Attacks Module Leader: Dr Xiaoqi Ma School of Science and Technology
  2. 2. Last Time:• CSI Computer Security Survey• Offers good overview• Three basic types of attacks: – Host-based Attacks – Network-based Attacks – Social Engineering• Host-based attacks: – Malicious Code – Malicious SoftwareComputer Security ManagementPage 2
  3. 3. Today• Malicious Code – Backdoors – Computer Viruses• Malicious Software (Malware) – Computer Worms – Trojan Horses (Trojans) – Rootkits – SpywareComputer Security ManagementPage 3
  4. 4. Backdoors (1)• Sometimes referred to as Trapdoor• Secret build-in method for (unauthorised) access to a system – Universal standard password – Secret admin account• Usually smuggled in by a third party – Programmer who wants to gain access to the system once it is put into operations – Espionage – Viruses and Trojans – etcComputer Security ManagementPage 4
  5. 5. Backdoors (2)• Can be inserted at any point in tool-chain – Source code – Compiler – Executable• Open source software less likely to contain a backdoor• Symmetric Backdoor – everybody who knows about the Backdoor can use it• Asymmetric Backdoor – can only be used by the attacker who plants it – Based on asymmetric cryptographyComputer Security ManagementPage 5
  6. 6. Finding backdoors• Code reviews – Only possible if the code is available (Open Source) – Similar to white box testing – Example: backdoor in Linux kernels source code• Disassembling and analysing of executables – Can be done for programs and libraries – Laborious and error proneComputer Security ManagementPage 6
  7. 7. Computer viruses (1)• Term was introduced in 1983 by Fred Cohen• Self-replicating code (viral code) that secretly embeds itself into a host program without permission or knowledge of the owner/user (infection)• If the infected program is executed, the virus is executed as well and tries to spread itself by infecting other programs• Sometimes a virus is modifying its own code before it infects other programs to avoid detection (no fixed signature, i.e. sequence of instructions) – Polymorphic virus re-encrypts itself with each infection – Metamorphic virus re-writes its own code with each infectionComputer Security ManagementPage 7
  8. 8. Computer viruses (2)• Viruses usually carry a payload, i.e. serve another (criminal) purpose – Installing malicious software on the computer – Deleting data and/or programs – Encryption of data (blackmailing!)• Different infection methods – Boot sectors – Executable files – Macros in documents – Scripts on web pagesComputer Security ManagementPage 8
  9. 9. Boot sector viruses• Oldest type of computer viruses• Does not infect an executable but the boot sector of a floppy disk or the Master Boot Record (MBR) of a hard disk• MBRs and boot sectors contain a Boot Loader program that is executed after the computer is switched on to load the operating system – Boot virus embeds itself into the Boot Loader – It is executed when the BIOS tries to run the Boot Loader – It then tries to infect the MBRs of installed hard drives before it carries out a destructive action or before it loads the OS• Today extinct – Can easily be found by anti-virus software – The virus is very limited in memory (444 Bytes!)Computer Security ManagementPage 9
  10. 10. File viruses (1)• Embeds itself into an executable program file• Different infection methods – Overwriting viruses – Companion viruses – Parasitic virusesComputer Security ManagementPage 10
  11. 11. File viruses (2)• Overwriting virus: – Virus completely replaces the code of the infected program – Easy to detect since the original program does not work anymore – File size changed, can be detected by integrity-checking software• Companion virus: – infects an .EXE file by creating a matching file with a .COM extension that contains the viral code and puts it into the same directory – The OS gives preferences to .COM files over .EXE files and hence the viral code is executed when the user starts the program – It then carries out the spread routine before executing the original .EXE file – Size of original file is not changedComputer Security ManagementPage 11
  12. 12. File viruses (3)• Parasitic viruses modify the code of the infected file• The infected file remains partially or fully functional• Different types: – Prepender – Appender – Entry Point Obscuring (inserting) – Cavity filler• Stealth virus: – Tries to hide its existence – Example: parasitic virus that intercepts system calls that return the size of a file to fool integrity-checking softwareComputer Security ManagementPage 12
  13. 13. File viruses (4)• Prepender virus: – Places its code at the beginning of the file it infects – Viral code is executed first when the infected file is executed – File size increased, can be detected by integrity-checking software• Appender virus: – Places its code at the end of the file it infects – Adjusting the files entry point to cause its code to be executed before that of the original file – File size increased, can be detected by integrity-checking softwareComputer Security ManagementPage 13
  14. 14. File viruses (5)• Entry Point Obscuring: – Places its code in the middle of the files it infects – May move a section of the original code to the end of the file, or simply push the code aside to make space for its own code – File size increased, can be detected by integrity-checking software• Cavity filler: – virus which seeks out unused space within the files it infects – inserting its code into these gaps to avoid changing the size of the file – not alerting integrity-checking software to its presenceComputer Security ManagementPage 14
  15. 15. Macro viruses• Relies on application programs that use documents with embedded macros, e.g. MS Word, MS Excel, etc• Viral code is programmed as a macro and embedded in an infected document• If an infected document is opened in the application program, the macro is executed• The macro tries to locate other documents of that type and embeds copies of itself into the documents foundComputer Security ManagementPage 15
  16. 16. Script viruses• Very similar to macro viruses• Uses web applications and script languages, e.g. JavaScript• Normally, scripts are embedded in HTMP web pages to provide additional functionality, e.g. dynamic web pages, guest books, etc• Script virus embeds itself into HTML page• Most browsers execute embedded scripts automatically!• If executed, it tries to spread or carries out its payloadComputer Security ManagementPage 16
  17. 17. How to protect against computer viruses• Use anti-virus software with up-to-date signature database• Install software patches immediately (OS and applications)• Disable macros in applications unless you really need them• Disable scripting in web browsersComputer Security ManagementPage 17
  18. 18. Computer Worms• Self-replicating computer program that secretly copies itself to other computers without permission or knowledge of the owner/user (infection)• It uses a network to send copies of itself to other nodes (computers)• It may do so without any user intervention but sometimes some user action is required (email worms)• Unlike viruses, worms do not need to attach themselves to an existing program• Worms always consume network bandwidth and might carry a payload, e.g. to install backdoors on infected machinesComputer Security ManagementPage 18
  19. 19. How to protect against computer worms• Use a firewall• Install software patches immediately (OS and applications)• Do not open unexpected emails or run unknown email attachmentsComputer Security ManagementPage 19
  20. 20. Trojan Horses (Trojans)• Malicious software (malware) that appears to perform a desirable function but also performs undisclosed malicious functions• Term is derived from the classical story of the Trojan Horse• Always requires some user action to install• Trojans usually installs malware (payload) to – Gain unauthorised remote access (backdoors) – Destruct data – Download even more malware (spyware) – Disable security software – Start denial-of-service attacks• Once the malware is installed, deleting the Trojan does not help!Computer Security ManagementPage 20
  21. 21. How to protect against Trojans• Do not install software from an unknown source• Do not run attachments from unexpected emails• Use anti-virus software with up-to-date signature databaseComputer Security ManagementPage 21
  22. 22. Rootkits (1)• Malicious program that hides malicious files or folders from normal sight• Often used by malware to conceal its presence and activities• The term rootkit applied originally to the UNIX-based operating systems• It is a collection of tools to enable a user to obtain root (administrator-level) access to a system and to conceal any changes they might make• Such tools often included malicious versions of standard system monitoring programs which would hide the rootkit operators activities• More recently: malware using stealth techniquesComputer Security ManagementPage 22
  23. 23. Rootkits (2)• Rootkits can operate at a number of levels• Application level – replacing or adjusting the settings of system software to prevent the display of certain information• Operating system level – hooking certain system functions – inserting modules or drivers into the operating system kernel• Firmware level/virtualisation level – firmware and/or virtual machines are activated before the operating system and thus even harder to detect while the system is runningComputer Security ManagementPage 23
  24. 24. Rootkits (3)• Example: in 2005, Sony BMG caused a scandal by including a rootkit on music CDs, in an attempt to enforce DRM; it allowed anyone who knew about the rootkit to gain administrator rights on an infected machine• Rootkit binaries are easy to detect using anti-virus software• However, once they run they are hidden and hence very difficult to detect• Might be detected using anti-spyware software• Detection based on analysis of the behaviour of a system• Rootkits are difficult to remove once detected!Computer Security ManagementPage 24
  25. 25. Spyware/Adware• Software that collects private information or monitors user behaviour secretly• The term spyware essentially covers any software that gathers information and passes it to a third party without adequate permission from the owner of the data• Examples – Keylogger: monitors the keys pressed and thus records any sensitive data, such as passwords, entered by the user – Password stealer: steals user data such as login IDs/passwords – Packet analyser (sniffer): intercepts and logs traffic passing over a digital network – Cookies: allows the identification of a computer/user, e.g. for tracking etc• Adware: software package which automatically plays, displays, or downloads advertisements to a computer after the software is installed ( privacy-invasive software)Computer Security ManagementPage 25
  26. 26. Summary• Host-based attacks are carried out using malicious code and software – Code: Backdoors and viruses – Software: Worms, trojans, rootkits, spyware, …• The sophistication increases all the time which led to an arms race between the developers of malicious software and security software• The baddies are usually one step ahead• They are professionals, highly trained and educated• Usually linked to organised crimeComputer Security ManagementPage 26