Lecture malicious software



2. Overview
  — Introduction
  — Virus
  — Worm
  — Other Malicious Software
      o Backdoor/Trapdoor
      o Logic Bomb
      o Trojan Horse
  — DDoS Attack
      o DDoS Description
      o Construction of Attack
3. Program Definition
  A computer program tells a computer what to do and how to do it.
  • Computer viruses, network worms, and Trojan Horses are computer programs.
4. Malicious software?
  • Malicious Software (Malware) is software that is included or inserted in a system for harmful purposes.
  OR
  • Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do.
5. The Malware Zoo
  • Virus
  • Worms
  • Logic Bomb
  • Trojan horse
  • Zombie
  • Scareware
  • Adware
  • Backdoor / Trapdoors
6. Taxonomy of Malicious Programs
  Malicious Programs
    Need Host Program: Trapdoors, Logic Bombs, Trojan Horses, Viruses
    Independent: Zombies, Worms
  Most current malicious code mixes all capabilities!
7. What is it good for?
  • Steal personal information
  • Delete files
  • Click fraud
  • Steal software serial numbers
8. What to Infect
  • Executable
  • Interpreted file
  • Kernel
  • Service
  • Master Boot Record
9. Virus
  • Self-replicating code; attaches itself to another program and executes secretly when the host program is executed.
  • No hidden action
    – Generally tries to remain undetected, but what about activities such as deleted files?
10. Parts of a Virus
  • Three Parts
    – Infection Mechanism: The means by which a virus spreads, enabling it to replicate; also referred to as the Infection Vector.
    – Trigger: The event or condition that determines when the payload is activated or delivered.
    – Payload: The payload may involve damage or may involve benign but NOTICEABLE activity.
11. Phases – Life Cycle
  • Dormant phase – the virus is idle
  • Propagation phase – the virus places an identical copy of itself into other programs
  • Triggering phase – the virus is activated to perform the function for which it was intended
  • Execution phase – the function is performed
12. Virus Structure
13. Operation routine
  • Operates when the infected code is executed (execution sequence)
    – Jump to main virus program
    – If spread (infection) condition then { for target files: if not infected, then alter file to include virus }
    – Perform malicious action
    – Transfer control back
    – Execute normal program
  • If the infection phase is rapid, the user will not notice any difference between the execution of an infected program and an uninfected program.
14. Types of Viruses
  • On the basis of target
  • Boot Sector Infector: Infects the master boot record / boot record (boot sector) of a disk and spreads when a system is booted with an infected disk (original DOS viruses). They are memory-resident viruses.
  • File Infector: Infects executable files; also called Parasitic Virus, as they attach themselves to executable files as part of their code. Runs whenever the host program is executed.
  • Macro Virus: Infects files with macro code that is interpreted by the relevant application, such as doc or Excel files.
15. Types of Viruses
  • On the basis of concealment strategy
  • Encrypted Virus – A portion of the virus creates a random encryption key and encrypts the remainder of the virus. The key is stored with the virus. When the virus replicates, a different random key is generated.
  • Stealth Virus – explicitly designed to hide from virus scanning programs.
  • Polymorphic Virus – mutates with every new host to prevent signature detection; signature detection is useless.
  • Metamorphic Virus – rewrites itself completely with every new host; may change its behavior and appearance.
16. Recent addition: Email Virus
  • Moves around in e-mail messages, triggered when the user opens the attachment
  • Does local damage on the user's system
  • Propagates very quickly
  • Replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book
17. Examples of risky file types
  • The following file types should never be opened if…
    – .EXE
    – .PIF
    – .BAT
    – .VBS
    – .COM
18. Viruses Propagation
  • Virus written in some language, e.g. C, C++, Assembly, etc.
  • Inserted into another program
    – using a tool called a "dropper"
  • Virus dormant until the program is executed
    – then infects other programs
    – eventually executes its "payload"
19. Viruses Propagation
  • An executable program
  • With a virus at the front (file size is increased)
  • With the virus at the end (file size is increased)
  • With a virus spread over free space within the program
20. Viruses Propagation
  (a) A program
  (b) Infected program
  (c) Compressed infected program
  (d) Encrypted virus
  (e) Compressed virus with encrypted compression code
21. Anti-virus
  • It is not possible to build a perfect virus/malware detector.
  • Analyze system behavior
  • Analyze the binary to decide if it is a virus
  • Types:
    – Scanner
    – Real-time monitor
22. Anti-virus
  • Scanners
    – First Generation, relied on signatures.
    – Second Generation, relied on heuristic rules or integrity checking (e.g. checksum appended to a program).
  • Real-time Monitors
    – Third Generation, memory resident and identify a virus by its actions (behaviour).
    – Fourth Generation, combination of different capabilities.
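The second-generation "integrity checking" idea from slide 22, as an added example (not code from the lecture): record a size and SHA-256 fingerprint of each clean program, then compare later. A virus prepended or appended to a host (slide 19) grows the file; an in-place or compressed infection (slide 20c) keeps the size but changes the hash, so both cases are caught. File names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

def fingerprint(path: str) -> dict:
    """Size plus SHA-256 of one file: the 'checksum recorded for a program' an
    integrity checker compares against later."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": os.path.getsize(path), "sha256": h.hexdigest()}

def baseline(paths) -> dict:
    """Record fingerprints of known-clean files (taken once, kept read-only elsewhere)."""
    return {p: fingerprint(p) for p in paths}

def check(db: dict, paths) -> dict:
    """Compare current fingerprints with the baseline and return path -> verdict."""
    verdicts = {}
    for p in paths:
        if p not in db:
            verdicts[p] = "new file (not in baseline)"
            continue
        now, ref = fingerprint(p), db[p]
        if now == ref:
            verdicts[p] = "unchanged"
        elif now["size"] > ref["size"]:
            # code prepended or appended to the host (slide 19): the size grows
            verdicts[p] = f"grown by {now['size'] - ref['size']} bytes"
        else:
            # same or smaller size but a different hash: in-place change,
            # cavity infection or compressed host (slide 20c)
            verdicts[p] = "modified, size not increased"
    return verdicts

def demo() -> dict:
    """Constructed scenario: three fake 'programs', two of which get tampered with."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("calc.exe", "notepad.exe", "game.exe")]
    for i, p in enumerate(paths):
        with open(p, "wb") as f:
            f.write(b"MZ" + bytes([i]) * 4096)      # constructed content, not real executables
    db = baseline(paths)
    with open(paths[1], "ab") as f:                 # 512 bytes appended at the end
        f.write(b"X" * 512)
    with open(paths[2], "r+b") as f:                # 16 bytes overwritten in place
        f.seek(100)
        f.write(b"Y" * 16)
    return {os.path.basename(p): v for p, v in check(db, paths).items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```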
23. Worm
  A computer worm is a self-replicating computer virus. It uses a network to send copies of itself to other nodes and does so without any user intervention.
24. Comparison of Worm Features
  1) Computer Virus:
    • Needs a host file
    • Copies itself
    • Executable
  2) Network Worm:
    • No host (self-contained)
    • Copies itself
    • Executable
  3) Trojan Horse:
    • No host (self-contained)
    • Does not copy itself
    • Imposter program
25. Worm: History
  • Runs independently
    – Does not require a host program
  • Propagates a fully working version of itself to other machines
  — History
    ◦ Morris worm was one of the first worms distributed over the Internet
  — Two examples
    ◦ Morris – 1998
    ◦ Slammer – 2003
26. Worm Operation
  • A worm has similar phases to a virus:
    • Dormant (inactive; rest)
    • Propagation
      • Search for other systems to infect
      • Establish connection to target remote system
      • Replicate self onto remote system
    – Triggering
    – Execution
27. Morris Worm
  • Best known classic worm
  • Released by Robert Morris in 1988
  • Targeted Unix systems
  • Used several propagation techniques
  • If any attack succeeded, it replicated itself
28. Slammer (Sapphire) Worm
  • When
    • Jan 25 2003
  • How
    • Exploited a buffer overflow in MS SQL
    • Random scanning: randomly selected IP addresses
  • Cost
    • Caused ~$2.6 billion in damage
29. Slammer Scale
  The diameter of each circle is a function of the number of infected machines, so large circles visually under-represent the number of infected cases in order to minimize overlap with adjacent locations.
30. The worm itself …
  — System load
    ◦ Infection generates a number of processes
    ◦ Password cracking uses lots of resources
    ◦ Thousands of systems were shut down
  • Tries to infect as many other hosts as possible
    – When the worm successfully connects, it leaves a child to continue the infection while the parent keeps trying new hosts
    – Finds targets using several mechanisms: netstat -r -n, /etc/hosts, …
  • The worm DOES NOT:
    – Delete system files, modify existing files, install Trojan horses, record or transmit decrypted passwords, or capture superuser privileges
31. Backdoor or Trapdoor
  — Secret entry point into a program
  — Allows those who know it to gain access, bypassing the usual security procedures
  — Remains hidden to casual inspection
  — Can be a new program to be installed
  — Can modify an existing program
  — Trap doors can provide access to a system for unauthorized procedures
  — Very hard to block in the O/S
32. Trap Door Example
  (a) Normal code. (b) Code with a trapdoor inserted
33. Logic Bomb
  • One of the oldest types of malicious software
  • Piece of code that executes itself when pre-defined conditions are met
  • Logic bombs that execute on certain days are known as Time Bombs
  • Activated when specified conditions are met
    – E.g., presence/absence of some file
    – particular date/time
    – particular user
  • When triggered, typically damages the system
    – modify/delete files/disks, halt machine, etc.
34. Tracing Logic Bombs
  • Searching – Even the most experienced programmers have trouble erasing all traces of their code
  • Knowledge – Important to understand the underlying system functions, the hardware, the hardware/software/firmware/operating system interface, and the communications functions inside and outside the computer
  • Example of benign logical fun
    – http://googletricks.com/top-25-fun-google-tricks/
    – Type "zerg rush" in Google
35. Trojan Horse
36. Trojan Horse
  • A Trojan horse is a malicious program that is disguised as authentic, real and genuine software.
  • Like the gift horse left outside the gates of Troy by the Greeks, Trojan Horses appear to be useful or interesting to an unsuspecting user, but are actually harmful.
37. Trojan Percentage
38. What can Trojans do?
  • Erase or overwrite data on a computer
  • Spread other viruses or install a backdoor. In this case the Trojan horse is called a dropper.
  • Set up networks of zombie computers in order to launch DDoS attacks or send spam.
  • Log keystrokes to steal information such as passwords and credit card numbers (known as a key logger)
  • Phish for bank or other account details, which can be used for criminal activities.
  • Or simply destroy data
  • Mail the password file.
39. How can you be infected?
  • Websites: You can be infected by visiting a rogue website. Internet Explorer is most often targeted by makers of Trojans and other pests. Even using a secure web browser, such as Mozilla's Firefox, if Java is enabled, your computer has the potential of receiving a Trojan horse.
  • Instant message: Many get infected through files sent through various messengers. This is due to an extreme lack of security in some instant messengers, such as AOL's instant messenger.
  • E-mail: Attachments on e-mail messages may contain Trojans. Trojan horses via SMTP.
40. Sample Delivery
  • The attacker will attach the Trojan to an e-mail with an enticing header.
  • The Trojan horse is typically a Windows executable program file, and must have an executable file extension such as .exe, .com, .scr, .bat, or .pif. Since Windows is configured by default to hide extensions from the user, the Trojan horse's extension might be "masked" by giving it a name such as Readme.txt.exe. With file extensions hidden, the user would only see Readme.txt and could mistake it for a harmless text file.
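An attachment screen for the "masked extension" trick on slide 40 and the risky types on slide 17, as an added example (not code from the lecture): it recovers the real last extension, reconstructs what a user with hidden extensions would see, and flags executables that hide behind a document-looking name. The sample attachment names are constructed.

```python
# Extensions the slides list as never-to-open (.EXE .PIF .BAT .VBS .COM) plus .scr
# from the delivery slide; comparison is case-insensitive.
RISKY_EXTENSIONS = {".exe", ".pif", ".bat", ".vbs", ".com", ".scr"}

def true_extension(name: str) -> str:
    """Return the real (last) extension, lower-cased: 'Readme.txt.exe' -> '.exe'."""
    base = name.strip().replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return "." + base.rsplit(".", 1)[1].lower()

def displayed_name(name: str) -> str:
    """What a Windows user sees with 'hide extensions for known file types' on."""
    base = name.strip().replace("\\", "/").rsplit("/", 1)[-1]
    ext = true_extension(base)
    return base[: len(base) - len(ext)] if ext else base

def screen_attachment(name: str) -> dict:
    """Classify one attachment name: executable? and does it hide behind a second extension?"""
    ext = true_extension(name)
    shown = displayed_name(name)
    risky = ext in RISKY_EXTENSIONS
    # 'masked' means the visible remainder itself looks like a document name (Readme.txt)
    masked = risky and "." in shown
    return {"name": name, "true_extension": ext, "shown_as": shown,
            "risky": risky, "masked_double_extension": masked}

def screen_mail(attachments) -> list:
    """Return the names that should be blocked or quarantined from a mail."""
    return [a for a in attachments if screen_attachment(a)["risky"]]

# constructed sample attachment list
SAMPLE_ATTACHMENTS = ["Readme.txt.exe", "invoice.pdf", "photo.JPG.scr", "setup.EXE", "notes.txt"]

if __name__ == "__main__":
    for a in SAMPLE_ATTACHMENTS:
        print(screen_attachment(a))
    print("blocked:", screen_mail(SAMPLE_ATTACHMENTS))
```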
41. Where They Live? (1)
  • Autostart Folder
    The Autostart folder is located in C:\Windows\Start Menu\Programs\Startup and, as its name suggests, automatically starts everything placed there.
  • Win.ini
    Windows system file; using load=Trojan.exe and run=Trojan.exe executes the Trojan
  • System.ini
    Using Shell=Explorer.exe trojan.exe results in execution of every file after Explorer.exe
  • Wininit.ini
    Setup programs use it mostly; once run, it is auto-deleted, which is very handy for Trojans to restart
42. Where They Live? (2)
  • Winstart.bat
    Acting as a normal bat file; the trojan is added as @trojan.exe to hide its execution from the user
  • Autoexec.bat
    It's a DOS auto-starting file and is used as an auto-starting method like this -> c:\Trojan.exe
  • Config.sys
    Could also be used as an auto-starting method for Trojans
  • Explorer Startup
    Is an auto-starting method for Windows 95, 98, ME, XP: if c:\explorer.exe exists, it will be started instead of the usual c:\Windows\Explorer.exe, which is the common path to the file.
43. What does the attacker want?
  • Credit card information (often used for domain registration, shopping with your credit card)
  • Any account data (e-mail passwords, login passwords, web services passwords, etc.)
  • Email addresses (might be used for spamming, as explained above)
  • Work projects (steal your presentations and work-related papers)
  • School work (steal your papers and publish them with his/her name on them)
44. Stopping the Trojan …
  The Horse must be "invited in" ….
  How does it get in? By:
    Downloading a file
    Installing a program
    Opening an attachment
    Opening bogus Web pages
    Copying a file from someone else
45. Zombie
  • A program which secretly takes over another networked computer and forces it to run under a common command and control infrastructure.
  • Uses it to indirectly launch attacks, e.g., DDoS, phishing, spamming, cracking
  • Difficult to trace the zombie's creator
  • Infected computers, mostly Windows machines, are now the major delivery method of spam.
  • Zombies have been used extensively to send e-mail spam; between 50% and 80% of all spam worldwide is now sent by zombie computers.
46. Adware
47. Scareware / Rogue / Fake antivirus
48. Where malware Lives: Auto start
  • Folder auto-start
  • Win.ini: "run=[backdoor]" or "load=[backdoor]"
  • System.ini: shell="myexplorer.exe"
  • Autoexec.bat
  • Config.sys
  • Init.d
49. Auto start
  • Assign a known extension (.doc) to the malware
  • Add a Registry key such as HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Add a task in the task scheduler
  • Run as a service
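A small audit of the legacy auto-start files from slides 41, 42 and 48, as an added example (not code from the lecture): it parses win.ini and system.ini and flags a non-empty load=/run=, a replaced shell= and any extra program appended after Explorer.exe, and it flags "@program" lines in winstart.bat. The sample file contents are constructed to mirror the slides; EXPECTED_SHELL is an assumption for the model, and the newer Registry Run key, scheduler and service locations on slide 49 are not covered here.

```python
EXPECTED_SHELL = "explorer.exe"   # assumption: the only legitimate [boot] shell value

def parse_ini(text: str) -> dict:
    """Minimal INI parser: {section: {key: value}}, sections and keys lower-cased."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].lower()
            sections.setdefault(cur, {})
        elif "=" in line and cur is not None:
            key, value = line.split("=", 1)
            sections[cur][key.strip().lower()] = value.strip()
    return sections

def audit_win_ini(text: str) -> list:
    """load= and run= under [windows] should normally be empty."""
    win = parse_ini(text).get("windows", {})
    return [f"win.ini [windows] {k}={win[k]}: program started at logon"
            for k in ("load", "run") if win.get(k)]

def audit_system_ini(text: str) -> list:
    """shell= under [boot] must be explorer.exe alone; anything after it is also executed."""
    shell = parse_ini(text).get("boot", {}).get("shell", "")
    parts = shell.replace('"', "").split()
    findings = []
    if not parts or parts[0].lower() != EXPECTED_SHELL:
        findings.append(f"system.ini [boot] shell={shell!r}: shell replaced")
    findings += [f"system.ini [boot] shell: extra program after explorer.exe: {p}" for p in parts[1:]]
    return findings

def audit_winstart_bat(text: str) -> list:
    """'@' suppresses echo of a command; a bare '@program.exe' line hides what runs."""
    hits = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("@") and not s.lower().startswith("@echo"):
            hits.append(f"winstart.bat: echo-suppressed command {s}")
    return hits

def audit_all(win_ini: str, system_ini: str, winstart_bat: str) -> list:
    return audit_win_ini(win_ini) + audit_system_ini(system_ini) + audit_winstart_bat(winstart_bat)

# constructed sample files modelled on the slides' entries
WIN_INI = "[windows]\nload=C:\\WINDOWS\\Trojan.exe\nrun=\n[Desktop]\nWallpaper=(None)\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe trojan.exe\n[386Enh]\nebios=*ebios\n"
WINSTART_BAT = "@echo off\n@trojan.exe\nC:\\WINDOWS\\net start\n"

if __name__ == "__main__":
    for finding in audit_all(WIN_INI, SYSTEM_INI, WINSTART_BAT):
        print(finding)
```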
50. Web
  — 1.3% of the incoming search queries to Google returned at least one malware site
  — Visit sites with an army of browsers in VMs, check for changes to the local system
  — Indicate potentially harmful sites in search results
51. Web: Fake page
52. Shared folder
53. Email
54. Email again
55. P2P Files
  • 35.5% malware
56. Typical Symptoms
  • File deletion
  • File corruption
  • Visual effects
  • Pop-ups
  • Computer crashes
  • Slow connection
  • Spam relaying
57. Distributed Denial of Service
  • A denial-of-service attack is an attack that causes a loss of service to users, typically the loss of network connectivity.
  • CPU, memory, network connectivity, network bandwidth, battery energy
  • Hard to address, especially in distributed form
58. DDoS Mechanism
  • Goal: make a service unusable.
  • How: overload a server, router, or network link by flooding it with useless traffic
  • Focus: bandwidth attacks, using large numbers of "zombies"
59. How does it work?
  • The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system's legitimate users.
  • Victim's IP address.
  • Victim's port number.
  • Attacking packet size.
  • Attacking inter-packet delay.
  • Duration of attack.
60. Example 1
  • Ping-of-death
    – An IP packet with a size larger than 65,536 bytes is illegal by standard
    – Many operating systems did not know what to do when they received an oversized packet, so they froze, crashed or rebooted.
    – Routers forward each packet independently.
    – Routers don't know about connections.
    – Complexity is in the end hosts; routers are simple.
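The check the end host should have made in the ping-of-death case on slide 60, as an added example (not code from the lecture): the 16-bit Total Length field caps an IPv4 datagram at 65,535 bytes, and the Fragment Offset field counts 8-byte units, so a fragment whose data would end beyond that limit can be rejected before any buffer is written. The Reassembler is a constructed model, not a real IP stack, and it assumes a minimal 20-byte header.

```python
IP_MAX_TOTAL_LENGTH = 65535   # 16-bit Total Length field of the IPv4 header
IP_HEADER_LENGTH = 20         # minimal header without options (assumption for this model)
MAX_PAYLOAD = IP_MAX_TOTAL_LENGTH - IP_HEADER_LENGTH   # at most 65515 data bytes

def fragment_end(offset_units: int, payload_len: int) -> int:
    """Byte position just past this fragment's data inside the reassembled datagram.
    The Fragment Offset field counts 8-byte units, so the last legal offset is 8191."""
    return offset_units * 8 + payload_len

def fragment_is_legal(offset_units: int, payload_len: int) -> bool:
    """A fragment whose data would extend past MAX_PAYLOAD cannot belong to a legal datagram."""
    return (0 <= offset_units <= 8191 and payload_len >= 0
            and fragment_end(offset_units, payload_len) <= MAX_PAYLOAD)

class Reassembler:
    """Per-datagram buffer that bounds-checks before copying (a model, not a real IP stack)."""
    def __init__(self):
        self.buf = bytearray()
        self.rejected = []

    def add(self, offset_units: int, data: bytes) -> bool:
        """Place one fragment; refuse (and record) any fragment that fails the length check."""
        if not fragment_is_legal(offset_units, len(data)):
            self.rejected.append((offset_units, len(data)))
            return False
        start, end = offset_units * 8, fragment_end(offset_units, len(data))
        if end > len(self.buf):
            self.buf.extend(bytes(end - len(self.buf)))
        self.buf[start:end] = data
        return True

def demo() -> dict:
    """Constructed fragments: an ordinary first fragment, then a final fragment placed so
    that its end lands beyond the 65,535-byte limit (the ping-of-death shape)."""
    r = Reassembler()
    first = r.add(0, b"\x08\x00" + bytes(1478))   # 1480-byte fragment, ICMP echo-like prefix
    last = r.add(8189, bytes(500))                # 8189*8 + 500 = 66012 > 65515
    return {"first_accepted": first, "last_accepted": last,
            "buffer_size": len(r.buf), "rejected": r.rejected}

if __name__ == "__main__":
    print(demo())
```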
61. Example 1
62. Example 2
  • TCP handshake
  • SYN Flood
    – A stream of TCP SYN packets directed to a listening TCP port at the victim
    – The victim host must allocate new data structures for each SYN request
    – Legitimate connections are denied while the victim machine is waiting to complete bogus "half-open" connections
    – Not a bandwidth consumption attack
  • IP Spoofing
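A model of the half-open connection table that slide 62 describes, as an added example (not code from the lecture): a burst of spoofed SYNs that never complete the handshake occupies every backlog slot, a legitimate client's SYN is then dropped, and the client only gets through once the entries time out. The backlog, timeout and 40-byte SYN size are assumptions of this constructed model, not measurements of any real stack; the attacker addresses are constructed.

```python
from collections import OrderedDict

SYN_PACKET_BYTES = 40   # minimal IPv4 + TCP headers, no payload: a SYN is tiny

class HalfOpenTable:
    """Model of a listener's queue of half-open connections (SYN seen, final ACK pending).
    Constructed model, not an OS implementation: fixed backlog, entries expire after `timeout`."""
    def __init__(self, backlog: int, timeout: float):
        self.backlog, self.timeout = backlog, timeout
        self.pending = OrderedDict()   # (src_ip, src_port) -> time the SYN arrived
        self.dropped = 0

    def expire(self, now: float) -> None:
        for key, t in list(self.pending.items()):
            if now - t >= self.timeout:
                del self.pending[key]

    def on_syn(self, src_ip: str, src_port: int, now: float) -> bool:
        """True if the SYN got a slot (SYN-ACK would be sent), False if it was dropped."""
        self.expire(now)
        key = (src_ip, src_port)
        if key in self.pending:
            return True                      # retransmitted SYN, slot already held
        if len(self.pending) >= self.backlog:
            self.dropped += 1
            return False
        self.pending[key] = now
        return True

    def on_ack(self, src_ip: str, src_port: int, now: float) -> bool:
        """Third handshake message: completes only if the half-open entry still exists."""
        self.expire(now)
        return self.pending.pop((src_ip, src_port), None) is not None

def simulate(backlog: int = 128, timeout: float = 30.0, flood_size: int = 1000) -> dict:
    """Spoofed SYNs from constructed source addresses that never ACK, then one legitimate client."""
    tbl = HalfOpenTable(backlog, timeout)
    for i in range(flood_size):               # all at t=0: one burst of forged SYNs
        tbl.on_syn(f"10.{(i >> 8) & 255}.{i & 255}.{(i * 7) % 256}", 1024 + i, now=0.0)
    held, flood_dropped = len(tbl.pending), tbl.dropped
    during = tbl.on_syn("192.0.2.10", 40000, now=1.0)           # legitimate client, backlog full
    after = tbl.on_syn("192.0.2.10", 40000, now=timeout + 1.0)  # retry once entries have expired
    done = tbl.on_ack("192.0.2.10", 40000, now=timeout + 1.1)
    return {"slots_held_by_attacker": held, "flood_dropped": flood_dropped,
            "attacker_bytes_sent": flood_size * SYN_PACKET_BYTES,
            "legit_during_flood": during, "legit_after_timeout": after,
            "handshake_completed": done}

if __name__ == "__main__":
    print(simulate())
```

The attacker_bytes_sent value (40 KB for the whole burst) is the point of "not a bandwidth consumption attack": the damage comes from the victim's state, not the link.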
63. Example 2
64. From DoS to DDoS
65. From DoS to DDoS
66. Distributed DoS Attack
67. DDoS Countermeasures
  • Three broad lines of defense:
    1. attack prevention & preemption (before)
    2. attack detection & filtering (during)
    3. attack source traceback & identification (after)