Lecture 12 malicious software


Network Security Course (ET1318, ET2437) at Blekinge Institute of Technology, Karlskrona, Sweden

Slide note. Payload: the essential data that is being carried within a packet or other transmission unit. The payload does not include the "overhead" data required to get the packet to its destination.

1. Lecture 12 malicious software

2. Overview
• Introduction
• Types of Malicious Software
  – Backdoor/Trapdoor
  – Logic Bomb
  – Trojan Horse
• Virus
  – Nature of viruses
  – Types of viruses
• Virus Countermeasures
  – Anti-virus approach
  – Anti-virus technique
• Worm
• DDoS Attack
  – DDoS Description
  – Construction of Attack

3. Program Definition
• A computer program tells a computer what to do and how to do it.
• Computer viruses, network worms and Trojan Horses are computer programs.

4. Malicious software?
• Malicious Software (Malware) is software that is included or inserted in a system for harmful purposes.
• Or: malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do.

5. The Malware Zoo
• Backdoor
• Logic Bomb
• Trojan horse
• Virus
• Worm
• Scareware
• Adware

6. Taxonomy of Malicious Programs
• Need a host program: Trapdoors, Logic Bombs, Trojan Horses, Viruses
• Independent: Zombies, Worms
• Most current malicious code mixes all capabilities

7. Motivation
• Why do malicious codes occur?

8. What is it good for?
• Steal personal information
• Delete files
• Click fraud
• Steal software serial numbers

9. What to Infect
• Executable
• Interpreted file
• Kernel
• Service
• MBR

10. Auto start
• Folder auto-start
• Win.ini: run=[backdoor] or load=[backdoor]
• System.ini: shell="myexplorer.exe"
• Autoexec.bat
• Config.sys
• Init.d

11. Auto start
• Assign a known extension (.doc) to the malware
• Add a Registry key such as HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• Add a task in the task scheduler
• Run as a service

12. Setting it up to the entire web
• 1.3% of the incoming search queries to Google returned at least one malware site
• Visit sites with an army of browsers in VMs, check for changes to the local system
• Indicate potentially harmful sites in search results

13. Shared folder

14. Email propagation

15. Email again

16. Fake page!

17. P2P Files
• 35.5% malware

18. Backdoor or Trapdoor
• Secret entry point into a program
• Allows those who know it to gain access, bypassing the usual security procedures
• Remains hidden to casual inspection
• Can be a new program to be installed
• Can modify an existing program
• Trap doors can provide access to a system for unauthorized procedures
• Very hard to block in the O/S

19. Trap Door Example
• (a) Normal code
• (b) Code with a trapdoor inserted

20. Logic Bomb
• One of the oldest types of malicious software
• Piece of code that executes itself when pre-defined conditions are met
• Logic Bombs that execute on certain days are known as Time Bombs
• Activated when specified conditions are met
  – E.g., presence/absence of some file
  – particular date/time
  – particular user
• When triggered, typically damages the system
  – modify/delete files/disks, halt machine, etc.

21. Tracing Logic Bombs
• Searching: even the most experienced programmers have trouble erasing all traces of their code
• Knowledge: it is important to understand the underlying system functions, the hardware, the hardware/software/firmware/operating system interface, and the communications functions inside and outside the computer
• Tools for data recovery, duplication and verification

22. Trojan Horse

23. Trojan Horse
• A Trojan horse is a malicious program that is disguised as authentic, real and genuine software.
• Like the gift horse left outside the gates of Troy by the Greeks, Trojan Horses appear to be useful or interesting to an unsuspecting user, but are actually harmful.

24. Trojan Percentage

25. What can Trojans do?
• Erase or overwrite data on a computer
• Spread other viruses or install a backdoor; in this case the Trojan horse is called a dropper
• Set up networks of zombie computers in order to launch DDoS attacks or send spam
• Log keystrokes to steal information such as passwords and credit card numbers (known as a key logger)
• Phish for bank or other account details, which can be used for criminal activities
• Or simply destroy data
• Mail the password file

26. How can you be infected?
• Websites: you can be infected by visiting a rogue website. Internet Explorer is most often targeted by makers of Trojans and other pests. Even when using a secure web browser such as Mozilla's Firefox, if Java is enabled your computer has the potential of receiving a Trojan horse.
• Instant messaging: many get infected through files sent through various messengers. This is due to an extreme lack of security in some instant messengers, such as AOL's instant messenger.
• E-mail: attachments on e-mail messages may contain Trojans (Trojan horses via SMTP).

27. Sample Delivery
• The attacker will attach the Trojan to an e-mail with an enticing header.
• The Trojan horse is typically a Windows executable program file, and must have an executable file extension such as .exe, .com, .scr, .bat, or .pif. Since Windows is configured by default to hide extensions from a user, the Trojan horse's extension might be "masked" by giving it a name such as Readme.txt.exe. With file extensions hidden, the user would only see Readme.txt and could mistake it for a harmless text file.

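As an added example (not part of the lecture), a small Python check a mail gateway could apply to attachment names: it reproduces the "hidden extension" view that Windows shows and flags names whose real extension is one of the executable types listed on the slide. The sample attachment names are constructed.

```python
import os
from typing import Dict, List

# Executable extensions named on the slide; Explorer hides the final one by default
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".pif"}


def displayed_name(filename: str) -> str:
    """What the user sees with 'Hide extensions for known file types' enabled:
    the last extension is dropped, so 'Readme.txt.exe' is shown as 'Readme.txt'."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def is_masked_executable(filename: str) -> bool:
    """True when the real (last) extension is executable and a second,
    innocuous-looking extension is stacked in front of it to mislead the user."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in EXECUTABLE_EXTS:
        return False
    inner_ext = os.path.splitext(stem)[1]   # '.txt' for 'Readme.txt.exe', '' for 'setup.exe'
    return inner_ext != ""


def triage_attachments(names: List[str]) -> Dict[str, str]:
    """Give each attachment a verdict a gateway could act on."""
    verdicts = {}
    for name in names:
        ext = os.path.splitext(name)[1].lower()
        if is_masked_executable(name):
            verdicts[name] = "block: executable masked as " + displayed_name(name)
        elif ext in EXECUTABLE_EXTS:
            verdicts[name] = "block: executable attachment"
        else:
            verdicts[name] = "allow"
    return verdicts


# Constructed attachment names for the demonstration (not real samples)
SAMPLE_ATTACHMENTS = ["Readme.txt.exe", "invoice.pdf", "setup.scr",
                      "photo.jpg.pif", "notes.TXT"]

if __name__ == "__main__":
    for name, verdict in triage_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name:18} shown as {displayed_name(name):14} -> {verdict}")
```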
28. Where They Live? (1)
• Autostart Folder: located in C:\Windows\Start Menu\Programs\startup and, as its name suggests, automatically starts everything placed there.
• Win.ini: Windows system file using load=Trojan.exe and run=Trojan.exe to execute the Trojan.
• System.ini: using Shell=Explorer.exe trojan.exe results in execution of every file listed after Explorer.exe.
• Wininit.ini: setup programs use it mostly; once run, it is auto-deleted, which is very handy for Trojans to restart.

29. Where They Live? (2)
• Winstart.bat: acting as a normal .bat file, the trojan is added as @trojan.exe to hide its execution from the user.
• Autoexec.bat: a DOS auto-starting file, used as an auto-starting method like this: c:\Trojan.exe
• Config.sys: could also be used as an auto-starting method for Trojans.
• Explorer Startup: an auto-starting method for Windows 95, 98, ME, XP; if c:\explorer.exe exists, it will be started instead of the usual c:\Windows\Explorer.exe, which is the common path to the file.

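As an added example (not from the lecture), a Python audit of the three text-based auto-start locations just described (Win.ini load=/run=, the System.ini shell= line, and @-prefixed commands in Winstart.bat) that reports every entry deviating from a clean default. The file contents are constructed to show each case.

```python
import re
from typing import Iterator, List


def ini_values(text: str, section: str, key: str) -> Iterator[str]:
    """Yield the values of `key` found inside `[section]` of an INI-style file."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            continue
        m = re.match(r"([^=\s]+)\s*=\s*(.*)$", line)
        if current == section and m and m.group(1).lower() == key:
            yield m.group(2).strip()


def audit_autostart(win_ini: str, system_ini: str, winstart_bat: str) -> List[str]:
    """Return one finding per auto-start entry that deviates from a clean default."""
    findings = []
    # win.ini [windows]: load= and run= are empty on a clean system
    for key in ("load", "run"):
        for value in ini_values(win_ini, "windows", key):
            if value:
                findings.append(f"win.ini {key}={value}")
    # system.ini [boot]: shell= must name Explorer.exe alone; extra tokens run too
    for value in ini_values(system_ini, "boot", "shell"):
        if [t.lower() for t in value.split()] != ["explorer.exe"]:
            findings.append(f"system.ini shell={value}")
    # winstart.bat: '@' suppresses echo, so '@name.exe' runs silently
    for raw in winstart_bat.splitlines():
        line = raw.strip()
        if line.startswith("@") and not line.lower().startswith("@echo"):
            findings.append(f"winstart.bat {line}")
    return findings


# Constructed file contents for the demonstration (not from a real system)
WIN_INI = "[windows]\nload=\nrun=C:\\Trojan.exe\n[Desktop]\nrun=not_an_autostart\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe trojan.exe\n[drivers]\n"
WINSTART_BAT = "@echo off\n@trojan.exe\nrem housekeeping only\n"


def demo_findings() -> List[str]:
    return audit_autostart(WIN_INI, SYSTEM_INI, WINSTART_BAT)


if __name__ == "__main__":
    for finding in demo_findings():
        print("suspicious auto-start:", finding)
```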
30. What does the attacker want?
• Credit card information (often used for domain registration, shopping with your credit card)
• Any account data (e-mail passwords, login passwords, web service passwords, etc.)
• E-mail addresses (might be used for spamming, as explained above)
• Work projects (steal your presentations and work-related papers)
• School work (steal your papers and publish them with his/her name on it)

31. Stopping the Trojan …
• The Horse must be "invited in". How does it get in? By:
  – Downloading a file
  – Installing a program
  – Opening an attachment
  – Opening bogus Web pages
  – Copying a file from someone else

32. Virus
• Self-replicating code
• Attaches itself to another program and executes secretly when the host program is executed
• No hidden action: generally tries to remain undetected
• Operates when the infected code is executed:
    If spread condition then
      For target files
        if not infected then alter to include virus
    Perform malicious action
    Execute normal program

33. Virus Structure

34. Types of Viruses
• Parasitic Virus: attaches itself to executable files as part of their code; runs whenever the host program runs.
• Memory-resident Virus: lodges in main memory as part of the resident operating system.
• Boot Sector Virus: infects the boot sector of a disk, and spreads when the operating system boots up (original DOS viruses).
• Stealth Virus: explicitly designed to hide from virus scanning programs.
• Polymorphic Virus: mutates with every new host to prevent signature detection.
(Figure annotation: Application then runs normally)

35. Virus Phases
• Dormant phase: the virus is idle
• Propagation phase: the virus places an identical copy of itself into other programs
• Triggering phase: the virus is activated to perform the function for which it was intended
• Execution phase: the function is performed

36. Email Virus
• Moves around in e-mail messages
• Triggered when the user opens the attachment
• Hence propagates very quickly
• Replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book

37. Examples of risky file types
• The following file types should never be opened if…
  – .EXE
  – .PIF
  – .BAT
  – .VBS
  – .COM

38. How Viruses Work (1)
• Virus written in some language, e.g. C, C++, Assembly, etc.
• Inserted into another program using a tool called a "dropper"
• Virus dormant until the program is executed
  – then infects other programs
  – eventually executes its "payload"

39. How Viruses Work (2)
• An executable program
• With a virus at the front
• With the virus at the end
• With a virus spread over free space within the program

40. Anti-virus
• It is not possible to build a perfect virus/malware detector.
• Analyze system behavior
• Analyze a binary to decide if it is a virus
• Types:
  – Scanner
  – Real-time monitor

41. Antivirus and Anti-Antivirus Techniques
• (a) A program
• (b) Infected program
• (c) Compressed infected program
• (d) Encrypted virus
• (e) Compressed virus with encrypted compression code

42. Popular Fallacies
• If I never log off then my computer can never get a virus
• If I lock my office door then my computer can never get a virus
• Microsoft will protect me

43. And a Few More
• I got this disc from my (boss, friend) so it must be okay
• You cannot get a virus by opening an attachment from someone you know
• But I only downloaded one file
• My friend who knows a lot about computers showed me this really cool site…

44. Zombie
• A program which secretly takes over another networked computer and forces it to run under a common command and control infrastructure.
• Then uses it to indirectly launch attacks, e.g. DDoS, phishing, spamming, cracking (difficult to trace the zombie's creator)
• Infected computers, mostly Windows machines, are now the major delivery method of spam.
• Zombies have been used extensively to send e-mail spam; between 50% and 80% of all spam worldwide is now sent by zombie computers.

45. Worm
• A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes and does so without any user intervention.

46. Comparison of Worm Features
1) Computer Virus:
  • Needs a host file
  • Copies itself
  • Executable
2) Network Worm:
  • No host (self-contained)
  • Copies itself
  • Executable
3) Trojan Horse:
  • No host (self-contained)
  • Does not copy itself
  • Imposter program

47. Worm: History
• Runs independently: does not require a host program
• Propagates a fully working version of itself to other machines
• History: the Morris worm was one of the first worms distributed over the Internet
• Two examples:
  – Morris – 1998
  – Slammer – 2003

48. Worm Operation
• A worm has phases like those of viruses:
  – Dormant (inactive; at rest)
  – Propagation
    • search for other systems to infect
    • establish a connection to the target remote system
    • replicate self onto the remote system
  – Triggering
  – Execution

49. Morris Worm
• Best-known classic worm
• Released by Robert Morris in 1988
• Targeted Unix systems
• Used several propagation techniques
• If any attack succeeded, then replicated itself

50. Slammer (Sapphire) Worm
• When: Jan 25 2003
• How: exploited a buffer overflow in MS SQL
• Scale: at least 74,000 hosts
• Random scanning: randomly selected IP addresses
• Cost: caused ~$2.6 billion in damage

51. Slammer Scale
• The diameter of each circle is a function of the number of infected machines, so large circles visually under-represent the number of infected cases in order to minimize overlap with adjacent locations.

52. The worm itself …
• System load
  – Infection generates a number of processes
  – Password cracking uses lots of resources
  – Thousands of systems were shut down
• Tries to infect as many other hosts as possible
  – When the worm successfully connects, it leaves a child to continue the infection while the parent keeps trying new hosts
  – Finds targets using several mechanisms: netstat -r -n, /etc/hosts, …
• The worm did not:
  – Delete system files, modify existing files, install Trojan horses, record or transmit decrypted passwords, capture super-user privileges

53. Adware

54. Scareware / Rogue / Fake antivirus

55. Typical Symptoms
• File deletion
• File corruption
• Visual effects
• Pop-ups
• Computer crashes
• Slow connection
• Spam relaying

56. No Sure Protection!
• Most attacks come from the INSIDE
• Keep secured logs of all code modifications
• Keep back-ups of all vital system information
• Install anti-virus software on computers (keep it current)
• Assume every disc, CD, etc. is suspect, no matter who gave it to you

57. Distributed Denial of Service
• A denial-of-service attack is an attack that causes a loss of service to users, typically the loss of network connectivity.
• Resources attacked: CPU, memory, network connectivity, network bandwidth, battery energy
• Hard to address, especially in distributed form

58. DDoS Mechanism
• Goal: make a service unusable.
• How: overload a server, router or network link by flooding it with useless traffic
• Focus: bandwidth attacks, using large numbers of "zombies"

59. How does it work?
• The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system's legitimate users.
• Attack parameters:
  – Victim's IP address
  – Victim's port number
  – Attacking packet size
  – Attacking inter-packet delay
  – Duration of attack

60. Example 1
• Ping-of-death
  – An IP packet with a size larger than 65,536 bytes is illegal by the standard
  – Many operating systems did not know what to do when they received an oversized packet, so they froze, crashed or rebooted.
  – Routers forward each packet independently.
  – Routers don't know about connections.
  – Complexity is in the end hosts; routers are simple.

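As an added example (not from the lecture), the check an IP stack's reassembly code has to make to survive a ping-of-death: each fragment's offset (in 8-byte units) plus its length is compared with the 65,535-byte limit of the 16-bit total-length field before anything is copied into the reassembly buffer. The fragment sets are constructed; the function also reports a set that still has a hole.

```python
from typing import List, Tuple

IP_MAX_DATAGRAM = 65535   # RFC 791: the total-length field is 16 bits

# A fragment is (fragment offset in 8-byte units, payload length in bytes, more-fragments flag)
Fragment = Tuple[int, int, bool]


def reassembly_verdict(fragments: List[Fragment]) -> str:
    """Classify a fragment set before any byte is copied into a reassembly buffer.

    Returns 'oversized' when some fragment would end beyond the legal datagram size
    (the ping-of-death case), 'incomplete' when fragments are still missing, and
    'ok' when the set forms a complete, legal datagram.
    """
    covered_to = 0          # bytes contiguously covered from offset 0
    total_len = None        # set by the fragment whose more-fragments flag is False
    for offset_units, length, more in sorted(fragments):
        start = offset_units * 8
        stop = start + length
        if stop > IP_MAX_DATAGRAM:
            return "oversized"      # reject and drop all state for this datagram id
        if start > covered_to:
            return "incomplete"     # hole before this fragment: keep waiting or time out
        covered_to = max(covered_to, stop)
        if not more:
            total_len = stop
    if total_len is None or covered_to != total_len:
        return "incomplete"
    return "ok"


# Constructed fragment sets (not captures): a normal 3500-byte datagram split at
# 1480-byte boundaries, one with a missing middle, and a ping-of-death style last fragment
NORMAL = [(0, 1480, True), (185, 1480, True), (370, 540, False)]
MISSING_MIDDLE = [(0, 1480, True), (370, 540, False)]
PING_OF_DEATH = [(0, 1480, True), (8191, 1024, False)]   # would end at 65528 + 1024 = 66552

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("hole", MISSING_MIDDLE),
                        ("ping-of-death", PING_OF_DEATH)]:
        print(f"{name:14} -> {reassembly_verdict(frags)}")
```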
61. Example 1

62. Example 2
• TCP handshake
• SYN Flood
  – A stream of TCP SYN packets directed to a listening TCP port at the victim
  – The victim host must allocate new data structures for each SYN request
  – Legitimate connections are denied while the victim machine is waiting to complete bogus "half-open" connections
  – Not a bandwidth-consumption attack
• IP spoofing

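As an added example (not from the lecture), detection logic for the half-open backlog a SYN flood creates: it parses netstat-style connection rows, counts SYN_RECV against ESTABLISHED per listening port, and reports ports whose backlog reaches a threshold. The table is constructed; because the slide notes that the sources are spoofed, the report also shows how many distinct sources the half-open connections come from.

```python
import re
from typing import Dict, List

# netstat-style row: proto recv-q send-q local:port remote:port state
ROW = re.compile(r"^tcp\s+\d+\s+\d+\s+([^\s:]+):(\d+)\s+([^\s:]+):(\d+)\s+(\S+)$")


def parse_conn_table(text: str) -> List[dict]:
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"lport": int(m.group(2)), "peer": m.group(3), "state": m.group(5)})
    return rows


def syn_flood_ports(text: str, threshold: int = 50) -> Dict[int, dict]:
    """Per listening port, count half-open (SYN_RECV) versus established connections
    and report ports whose half-open backlog reaches `threshold`. A flood from
    spoofed sources shows up as distinct_sources close to half_open."""
    stats: Dict[int, dict] = {}
    for r in parse_conn_table(text):
        s = stats.setdefault(r["lport"], {"half_open": 0, "established": 0, "peers": set()})
        if r["state"] == "SYN_RECV":
            s["half_open"] += 1
            s["peers"].add(r["peer"])
        elif r["state"] == "ESTABLISHED":
            s["established"] += 1
    flagged = {}
    for port, s in stats.items():
        if s["half_open"] >= threshold:
            flagged[port] = {"half_open": s["half_open"],
                             "established": s["established"],
                             "distinct_sources": len(s["peers"])}
    return flagged


def build_sample_table() -> str:
    """Constructed connection table (not a real capture): 60 half-open connections
    to port 80 from 60 different (spoofed) sources, plus a few normal sessions."""
    lines = [f"tcp 0 0 10.0.0.5:80 203.0.113.{i}:{40000 + i} SYN_RECV" for i in range(1, 61)]
    lines += [f"tcp 0 0 10.0.0.5:80 198.51.100.{i}:5100{i} ESTABLISHED" for i in range(1, 4)]
    lines += ["tcp 0 0 10.0.0.5:22 198.51.100.9:52000 ESTABLISHED"]
    return "\n".join(lines)


if __name__ == "__main__":
    for port, info in syn_flood_ports(build_sample_table()).items():
        print(f"port {port}: {info}")
```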
63. From DoS to DDoS

64. From DoS to DDoS

65. How does the Internet look?

66. How does the Internet look?

67. Distributed Reflection DoS Attack

68. DDoS Countermeasures
• Three broad lines of defense:
  1. attack prevention & preemption (before)
  2. attack detection & filtering (during)
  3. attack source trace-back & identification (after)

69. Summary
• Have considered:
  – various malicious programs
  – trapdoor, logic bomb, Trojan horse, zombie
  – viruses
  – worms
  – countermeasures
  – distributed denial of service attacks

70. Q&A