Malicious software

  1. MALICIOUS SOFTWARE
     Raja M. Khurram Shahzad
  2. Overview
     — Introduction
     — Virus
     — Worm
     — Other Malicious Software
       o Backdoor/Trapdoor
       o Logic Bomb
       o Trojan Horse
     — DDoS Attack
       o DDoS Description
       o Construction of Attack
  3. Program Definition
     A computer program tells a computer what to do and how to do it.
     • Computer viruses, network worms, and Trojan Horses are computer programs.
  4. Malicious software?
     • Malicious Software (Malware) is software that is included or inserted in a system for harmful purposes.
     OR
     • Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do.
  5. The Malware Zoo
     • Virus
     • Worms
     • Logic Bomb
     • Trojan horse
     • Zombie
     • Scareware
     • Adware
     • Backdoor / Trapdoors
  6. Taxonomy of Malicious Programs (figure: a tree)
     Malicious Programs
       – Need Host Program: Trapdoors, Logic Bombs, Trojan Horses, Viruses
       – Independent: Zombies, Worms
     Most current malicious code mixes all capabilities!
  7. What is it good for?
     • Steal personal information
     • Delete files
     • Click fraud
     • Steal software serial numbers
  8. What to Infect
     • Executable
     • Interpreted file
     • Kernel
     • Service
     • Master Boot Record
  9. Virus
     • Self-replicating code; attaches itself to another program and executes secretly when the host program is executed.
     • No hidden action
       – Generally tries to remain undetected, but what about activities such as deleted files?
  10. Parts of a Virus
     • Three Parts
       – Infection Mechanism: The means by which a virus spreads, enabling it to replicate; also referred to as the Infection Vector.
       – Trigger: The event or condition that determines when the payload is activated or delivered.
       – Payload: The payload may involve damage or may involve benign but NOTICEABLE activity.
  11. Phases – Life Cycle
     • Dormant phase – the virus is idle
     • Propagation phase – the virus places an identical copy of itself into other programs
     • Triggering phase – the virus is activated to perform the function for which it was intended
     • Execution phase – the function is performed
  12. Virus Structure (figure)
  13. Operation routine
     • Operates when infected code is executed (execution sequence)
       – Jump to main virus program
       – If spread (infection) condition then { for target files: if not infected, then alter file to include virus }
       – Perform malicious action
       – Transfer control back
       – Execute normal program
     • If the infection phase is rapid, the user will not notice any difference between the execution of an infected program and an uninfected program.
  14. Types of Viruses
     • On the basis of target
     • Boot Sector Infector: Infects the master boot record / boot record (boot sector) of a disk and spreads when a system is booted with an infected disk (original DOS viruses). They are memory-resident viruses.
     • File Infector: Infects executable files; they are also called Parasitic Viruses as they attach themselves to executable files as part of their code. Runs whenever the host program is executed.
     • Macro Virus – Infects files with macro code that is interpreted by the relevant application, such as doc or excel files.
  15. Types of Viruses
     • On the basis of concealment strategy
     • Encrypted Virus – A portion of the virus creates a random encryption key and encrypts the remainder of the virus. The key is stored with the virus. When the virus replicates, a different random key is generated.
     • Stealth Virus – explicitly designed to hide from virus scanning programs.
     • Polymorphic Virus – mutates with every new host to prevent signature detection; signature detection is useless.
     • Metamorphic Virus – Rewrites itself completely with every new host; may change its behavior and appearance.
  16. Recent addition: Email Virus
     • Moves around in e-mail messages, triggered when the user opens an attachment
     • Does local damage on the user's system
     • Propagates very quickly
     • Replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book
  17. Examples of risky file types
     • The following file types should never be opened if…
       – .EXE
       – .PIF
       – .BAT
       – .VBS
       – .COM
  18. Virus Propagation
     • Virus written in some language, e.g. C, C++, Assembly, etc.
     • Inserted into another program
       – using a tool called a "dropper"
     • Virus dormant until program executed
       – then infects other programs
       – eventually executes its "payload"
  19. Virus Propagation
     • An executable program
     • With a virus at the front (file size is increased)
     • With the virus at the end (file size is increased)
     • With a virus spread over free space within the program
  20. Virus Propagation (figure)
     (a) A program (b) Infected program (c) Compressed infected program (d) Encrypted virus (e) Compressed virus with encrypted compression code
  21. Anti-virus
     • It is not possible to build a perfect virus/malware detector.
     • Analyze system behavior
     • Analyze a binary to decide if it is a virus
     • Types:
       – Scanner
       – Real-time monitor
  22. Anti-virus
     • Scanners
       – First Generation: relied on signatures.
       – Second Generation: relied on heuristic rules or integrity checking (e.g. a checksum appended to a program).
     • Real-time Monitors
       – Third Generation: memory resident; identify a virus by its actions (behaviour).
       – Fourth Generation: combination of different capabilities.
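Slide 22 mentions second-generation integrity checking. The block below is an added example, not from the slides, that implements the defender's side of it: it records a keyed digest and size for every file under a directory, then reports files that were modified (for instance by a file infector appending its body, which slide 19 notes grows the file), dropped, or deleted. The file names, contents and the key are constructed; a plain checksum appended to the program, as the slide describes, can be recomputed by whatever modified the file, so this version uses an HMAC with a key that would be kept off the protected host.

```python
"""Integrity-checking scanner (added example; all files and the key are constructed)."""
import hashlib
import hmac
import os
import tempfile

# Constructed key. In practice the key, or the whole baseline, lives off the
# protected host so that an infector cannot simply recompute the digest it appends.
BASELINE_KEY = b"constructed-demo-key"


def file_mac(path, key=BASELINE_KEY):
    """Keyed SHA-256 digest of a file's contents, streamed in 64 KiB chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_baseline(root):
    """Map relative path -> (size, keyed digest) for every file under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            baseline[rel] = (os.path.getsize(path), file_mac(path))
    return baseline


def verify(root, baseline):
    """Compare the tree against a stored baseline.

    Returns {relpath: 'modified' | 'missing' | 'new'}; an empty dict means clean.
    """
    current = build_baseline(root)
    findings = {}
    for rel, expected in baseline.items():
        if rel not in current:
            findings[rel] = "missing"
        elif current[rel] != expected:
            findings[rel] = "modified"
    for rel in current:
        if rel not in baseline:
            findings[rel] = "new"
    return findings


def demo():
    """Baseline constructed files, then simulate what a file infector leaves behind."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "app.bin": b"\x7fELF-constructed-program",
            "util.bin": b"MZ-constructed-program",
            "notes.txt": b"plain data file",
        }
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)

        # Constructed changes: code appended to one executable (size grows),
        # one new file dropped, one file deleted.
        with open(os.path.join(root, "app.bin"), "ab") as f:
            f.write(b"<<constructed appended body>>")
        with open(os.path.join(root, "dropped.bin"), "wb") as f:
            f.write(b"constructed dropper output")
        os.remove(os.path.join(root, "util.bin"))

        return verify(root, baseline)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:9} {path}")
```

The check catches the prepend, append and free-space insertion layouts of slide 19 alike, because any of them changes the digest; what it cannot see is a change made after the baseline was taken on an already-infected file, which is why the baseline should be built from known-good media.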
  23. Worm
     A computer worm is a self-replicating computer virus. It uses a network to send copies of itself to other nodes and does so without any user intervention.
  24. Comparison of Worm Features
     1) Computer Virus:
       • Needs a host file
       • Copies itself
       • Executable
     2) Network Worm:
       • No host (self-contained)
       • Copies itself
       • Executable
     3) Trojan Horse:
       • No host (self-contained)
       • Does not copy itself
       • Imposter program
  25. Worm: History
     • Runs independently
       – Does not require a host program
     • Propagates a fully working version of itself to other machines
     — History
       ◦ The Morris worm was one of the first worms distributed over the Internet
     — Two examples
       ◦ Morris – 1998
       ◦ Slammer – 2003
  26. Worm Operation
     • A worm has similar phases to a virus:
       • Dormant (inactive; at rest)
       • Propagation
         • Search for other systems to infect
         • Establish a connection to the target remote system
         • Replicate self onto the remote system
       – Triggering
       – Execution
  27. Morris Worm
     • Best known classic worm
     • Released by Robert Morris in 1988
     • Targeted Unix systems
     • Used several propagation techniques
     • If any attack succeeded, it replicated itself
  28. Slammer (Sapphire) Worm
     • When
       • Jan 25 2003
     • How
       • Exploited a buffer overflow in MS SQL
       • Random scanning: randomly selected IP addresses
     • Cost
       • Caused ~ $2.6 billion in damage
  29. Slammer Scale (figure)
     The diameter of each circle is a function of the number of infected machines, so large circles visually under-represent the number of infected cases in order to minimize overlap with adjacent locations.
  30. The worm itself …
     — System load
       ◦ Infection generates a number of processes
       ◦ Password cracking uses lots of resources
       ◦ Thousands of systems were shut down
     • Tries to infect as many other hosts as possible
       – When the worm successfully connects, it leaves a child to continue the infection while the parent keeps trying new hosts
       – Finds targets using several mechanisms: netstat -r -n, /etc/hosts,
     • The worm DOES NOT:
       – Delete system files, modify existing files, install Trojan horses, record or transmit decrypted passwords, or capture super-user privileges
  31. Backdoor or Trapdoor
     — Secret entry point into a program
     — Allows those who know of it to gain access by bypassing the usual security procedures
     — Remains hidden to casual inspection
     — Can be a new program to be installed
     — Can modify an existing program
     — Trap doors can provide access to a system for unauthorized procedures
     — Very hard to block in the O/S
  32. Trap Door Example (figure)
     (a) Normal code. (b) Code with a trapdoor inserted
  33. Logic Bomb
     • One of the oldest types of malicious software
     • A piece of code that executes itself when pre-defined conditions are met
     • Logic bombs that execute on certain days are known as Time Bombs
     • Activated when specified conditions are met
       – E.g., presence/absence of some file
       – particular date/time
       – particular user
     • When triggered, typically damages the system
       – modify/delete files/disks, halt machine, etc.
  34. Tracing Logic Bombs
     • Searching – Even the most experienced programmers have trouble erasing all traces of their code
     • Knowledge – Important to understand the underlying system functions, the hardware, the hardware/software/firmware/operating system interface, and the communications functions inside and outside the computer
     • Example of benign logical fun
       – Type "zerg rush" in Google
  35. Trojan Horse (figure)
  36. Trojan Horse
     • A Trojan horse is a malicious program that is disguised as authentic, real and genuine software.
     • Like the gift horse left outside the gates of Troy by the Greeks, Trojan Horses appear to be useful or interesting to an unsuspecting user, but are actually harmful.
  37. Trojan Percentage (figure)
  38. What can Trojans do?
     • Erase or overwrite data on a computer
     • Spread other viruses or install a backdoor. In this case the Trojan horse is called a dropper.
     • Set up networks of zombie computers in order to launch DDoS attacks or send spam.
     • Log keystrokes to steal information such as passwords and credit card numbers (known as a key logger)
     • Phish for bank or other account details, which can be used for criminal activities.
     • Or simply destroy data
     • Mail the password file.
  39. How can you be infected?
     • Websites: You can be infected by visiting a rogue website. Internet Explorer is most often targeted by makers of Trojans and other pests. Even using a secure web browser, such as Mozilla's Firefox, if Java is enabled, your computer has the potential of receiving a Trojan horse.
     • Instant message: Many get infected through files sent through various messengers. This is due to an extreme lack of security in some instant messengers, such as AOL's instant messenger.
     • E-mail: Attachments on e-mail messages may contain Trojans. Trojan horses via SMTP.
  40. Sample Delivery
     • The attacker will attach the Trojan to an e-mail with an enticing header.
     • The Trojan horse is typically a Windows executable program file, and must have an executable file extension such as .exe, .com, .scr, .bat, or .pif. Since Windows is configured by default to hide extensions from a user, the Trojan horse's extension might be "masked" by giving it a name such as Readme.txt.exe. With file extensions hidden, the user would only see Readme.txt and could mistake it for a harmless text file.
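Slides 17 and 40 describe the risky executable extensions and the Readme.txt.exe masking trick. The following is an added example, not from the slides, of the check a mail gateway or attachment filter would run: it reproduces what Windows displays when extensions are hidden, blocks the listed executable extensions, and calls out the double-extension case separately so the reason can be shown to the user. The extension sets are taken from the two slides; the benign-looking list used to recognise a double extension is a constructed one.

```python
"""Attachment-name check for masked executables (added example)."""
import os

# Extensions the slides list as never-to-open (slides 17 and 40).
RISKY_EXTENSIONS = {".exe", ".pif", ".bat", ".vbs", ".com", ".scr"}
# Extensions a user reads as harmless data; constructed list for this check.
BENIGN_LOOKING = {".txt", ".doc", ".pdf", ".jpg", ".png", ".xls", ".htm", ".html"}


def displayed_name(filename):
    """What Windows shows with 'hide extensions for known file types' enabled:
    the last extension is dropped, so Readme.txt.exe is displayed as Readme.txt."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def classify_attachment(filename):
    """Return (verdict, reason) for an attachment name; verdict is 'block' or 'allow'.

    Each dot-separated part is stripped of surrounding whitespace so that
    padding such as 'invoice.pdf      .exe' is judged by its real extension.
    """
    parts = [p.strip().lower() for p in filename.strip().split(".")]
    if len(parts) < 2 or not parts[-1]:
        return ("allow", "no file extension")
    last = "." + parts[-1]
    if last not in RISKY_EXTENSIONS:
        return ("allow", f"extension {last} is not on the risky list")
    if len(parts) >= 3 and "." + parts[-2] in BENIGN_LOOKING:
        shown = displayed_name(filename.strip())
        return ("block", f"double extension: shown as {shown!r} but runs as {last}")
    return ("block", f"executable extension {last}")


def filter_attachments(names):
    """Run the check over a batch; return the names that must be blocked with reasons."""
    return [(n, reason) for n in names for verdict, reason in [classify_attachment(n)]
            if verdict == "block"]


if __name__ == "__main__":
    # Constructed sample batch.
    sample = ["Readme.txt.exe", "report.pdf", "setup.SCR", "README", "invoice.pdf    .exe"]
    for name, reason in filter_attachments(sample):
        print(f"BLOCK {name!r}: {reason}")
```

The check is deliberately name-based, as the slide's trick is; a gateway would pair it with content-type sniffing of the attachment bytes, since renaming an executable to .txt defeats a purely name-based rule.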
  41. Where They Live? (1)
     • Autostart Folder
       The Autostart folder is located in C:\Windows\Start Menu\Programs\Startup and, as its name suggests, automatically starts everything placed there.
     • Win.ini
       Windows system file; using load=Trojan.exe or run=Trojan.exe executes the Trojan.
     • System.ini
       Using Shell=Explorer.exe trojan.exe results in execution of every file after Explorer.exe.
     • Wininit.ini
       Setup programs use it mostly; once run, it is auto-deleted, which is very handy for Trojans to restart.
  42. Where They Live? (2)
     • Winstart.bat
       Acting as a normal bat file, the Trojan is added as @trojan.exe to hide its execution from the user.
     • Autoexec.bat
       It is a DOS auto-starting file and is used as an auto-starting method like this -> c:\Trojan.exe
     • Config.sys
       Could also be used as an auto-starting method for Trojans.
     • Explorer Startup
       Is an auto-starting method for Windows 95, 98, ME and XP: if c:\explorer.exe exists, it will be started instead of the usual c:\Windows\Explorer.exe, which is the common path to the file.
  43. What does the attacker want?
     • Credit card information (often used for domain registration, shopping with your credit card)
     • Any account data (e-mail passwords, login passwords, web services passwords, etc.)
     • E-mail addresses (might be used for spamming, as explained above)
     • Work projects (steal your presentations and work-related papers)
     • School work (steal your papers and publish them with his/her name on them)
  44. Stopping the Trojan …
     The Horse must be "invited in" …. How does it get in? By:
     – Downloading a file
     – Installing a program
     – Opening an attachment
     – Opening bogus web pages
     – Copying a file from someone else
  45. Zombie
     • A program which secretly takes over another networked computer and forces it to run under a common command and control infrastructure.
     • Uses it to indirectly launch attacks, e.g., DDoS, phishing, spamming, cracking
     • Difficult to trace the zombie's creator
     • Infected computers — mostly Windows machines — are now the major delivery method of spam.
     • Zombies have been used extensively to send e-mail spam; between 50% and 80% of all spam worldwide is now sent by zombie computers.
  46. Adware (figure)
  47. Scareware / Rogue / Fake antivirus (figure)
  48. Where malware lives: Auto start
     • Folder auto-start
     • Win.ini: "run=[backdoor]" or "load=[backdoor]".
     • System.ini: shell="myexplorer.exe"
     • Autoexec.bat
     • Config.sys
     • Init.d
  49. Auto start
     • Assign a known extension (.doc) to the malware
     • Add a Registry key such as HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
     • Add a task in the task scheduler
     • Run as a service
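Slides 41, 42, 48 and 49 list the auto-start locations malware uses: the load= and run= entries in win.ini, the shell= line in system.ini, and the HKCU Run registry key. The block below is an added example, not from the slides, of an audit over those locations from the defender's side: it parses the two legacy ini files and flags any value other than the expected one (empty load=/run=, shell= exactly Explorer.exe), and reviews Run-key entries for commands that start from user-writable directories. The ini contents and the Run-key dump are constructed in the block; on a real host they would be read from C:\Windows\win.ini, C:\Windows\system.ini and the registry key the slide names.

```python
"""Auto-start location audit (added example; all inputs below are constructed)."""
import configparser

# Constructed win.ini: load= is clean, run= points at a file in the user's Temp.
WIN_INI = """[windows]
load=
run=C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe
"""

# Constructed system.ini with the trailing-program trick from slide 41.
SYSTEM_INI = """[boot]
shell=Explorer.exe trojan.exe
"""

# Constructed dump of HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run as name -> command.
RUN_KEY = {
    "OneDrive": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background",
    "svchost": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe",
}

# Directories an ordinary user can write to; a persistent program launched from
# one of these deserves a look. Constructed list for this audit.
SUSPECT_DIRS = ("\\temp\\", "\\appdata\\", "\\downloads\\")


def audit_ini(text, filename, section, key, expected):
    """Flag an ini key whose value differs from the expected one (case-insensitive)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    value = cp.get(section, key, fallback="").strip()
    if value.lower() != expected.lower():
        return [f"{filename}: [{section}] {key}={value!r} (expected {expected!r})"]
    return []


def audit_run_key(entries):
    """Flag Run-key commands that start a program from a user-writable directory."""
    findings = []
    for name, command in entries.items():
        lowered = command.lower()
        if any(d in lowered for d in SUSPECT_DIRS):
            findings.append(f"Run value {name!r} launches {command!r} from a user-writable directory")
    return findings


def audit_all(win_ini=WIN_INI, system_ini=SYSTEM_INI, run_key=RUN_KEY):
    """Run every check and return the list of findings (empty means clean)."""
    findings = []
    findings += audit_ini(win_ini, "win.ini", "windows", "load", "")
    findings += audit_ini(win_ini, "win.ini", "windows", "run", "")
    findings += audit_ini(system_ini, "system.ini", "boot", "shell", "Explorer.exe")
    findings += audit_run_key(run_key)
    return findings


if __name__ == "__main__":
    for line in audit_all():
        print("FINDING:", line)
```

The shell= check compares against the exact expected value rather than searching for "Explorer.exe", because the slide's trick keeps Explorer.exe in place and merely appends another program to the line; a substring match would pass it.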
  50. Web
     — 1.3% of the incoming search queries to Google returned at least one malware site
     — Visit sites with an army of browsers in VMs; check for changes to the local system
     — Indicate potentially harmful sites in search results
  51. Web: Fake page (figure)
  52. Shared folder (figure)
  53. Email (figure)
  54. Email again (figure)
  55. P2P Files
     • 35.5% malware
  56. Typical Symptoms
     • File deletion
     • File corruption
     • Visual effects
     • Pop-ups
     • Computer crashes
     • Slow connection
     • Spam relaying
  57. Distributed Denial of Service
     • A denial-of-service attack is an attack that causes a loss of service to users, typically the loss of network connectivity.
     • Resources targeted: CPU, memory, network connectivity, network bandwidth, battery energy
     • Hard to address, especially in distributed form
  58. DDoS Mechanism
     • Goal: make a service unusable.
     • How: overload a server, router, or network link by flooding it with useless traffic
     • Focus: bandwidth attacks, using large numbers of "zombies"
  59. How does it work?
     • The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to legitimate users of the system.
     • Parameters of an attack:
       • Victim's IP address
       • Victim's port number
       • Attacking packet size
       • Attacking inter-packet delay
       • Duration of attack
  60. Example 1
     • Ping-of-death
       – An IP packet with a size larger than 65,536 bytes is illegal by standard
       – Many operating systems did not know what to do when they received an oversized packet, so they froze, crashed or rebooted.
       – Routers forward each packet independently.
       – Routers don't know about connections.
       – Complexity is in the end hosts; routers are simple.
  61. Example 1 (figure)
  62. Example 2
     • TCP handshake
     • SYN Flood
       – A stream of TCP SYN packets directed to a listening TCP port at the victim
       – The victim host must allocate new data structures for each SYN request
       – Legitimate connections are denied while the victim machine is waiting to complete bogus "half-open" connections
       – Not a bandwidth-consumption attack
     • IP Spoofing
  63. Example 2 (figure)
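Examples 1 and 2 (slides 60 to 63) describe the oversized-IP-packet and SYN-flood attacks. The block below is an added example, not from the slides, of the two detection checks a host or sensor would apply: a reassembly guard that rejects a fragment whose offset plus length would exceed the IPv4 datagram limit, and a half-open connection counter that tracks SYNs without a completing ACK. The counter reports both per-source peaks and the overall peak, because the per-source view is blind when, as the slide's last bullet notes, the SYNs carry spoofed source addresses. The connection records are constructed in the block; a real sensor would build them from packet captures or firewall logs.

```python
"""Oversized-fragment guard and half-open SYN counter (added example; records are constructed)."""

MAX_IP_DATAGRAM = 65535  # largest total length an IPv4 datagram may have (16-bit field)


def fragment_overflows(frag_offset_units, payload_len, ip_header_len=20):
    """True if reassembling this fragment would exceed the IPv4 size limit.

    frag_offset_units is the IP header's fragment offset, which counts 8-byte units,
    so the byte offset is frag_offset_units * 8. A final fragment that pushes the
    total past 65,535 bytes is what the slide's oversized ping relies on.
    """
    return ip_header_len + frag_offset_units * 8 + payload_len > MAX_IP_DATAGRAM


def _replay(records, window):
    """Yield (time, src, half_open_by_src) after each record.

    records are (time, src_ip, src_port, flag) with flag 'SYN' or 'ACK'; a SYN opens
    a pending entry for (src, port) and the matching ACK closes it. Entries older
    than `window` seconds are expired, modelling the victim's handshake timeout.
    """
    pending = {}
    for t, src, port, flag in sorted(records):
        if flag == "SYN":
            pending[(src, port)] = t
        elif flag == "ACK":
            pending.pop((src, port), None)
        for key in [k for k, ts in pending.items() if t - ts > window]:
            del pending[key]
        by_src = {}
        for s, _ in pending:
            by_src[s] = by_src.get(s, 0) + 1
        yield t, src, by_src


def detect_syn_flood(records, window=10.0, threshold=20):
    """Return {src_ip: peak half-open count} for sources that reached the threshold."""
    offenders = {}
    for _, src, by_src in _replay(records, window):
        count = by_src.get(src, 0)
        if count >= threshold and count > offenders.get(src, 0):
            offenders[src] = count
    return offenders


def peak_half_open(records, window=10.0):
    """Peak number of half-open connections across all sources; catches spoofed floods."""
    peak = 0
    for _, _, by_src in _replay(records, window):
        peak = max(peak, sum(by_src.values()))
    return peak


def constructed_records():
    """A legitimate client completing three handshakes plus one source sending 50 bare SYNs."""
    recs = []
    for i in range(3):
        recs.append((float(i), "10.0.0.5", 40000 + i, "SYN"))
        recs.append((float(i) + 0.01, "10.0.0.5", 40000 + i, "ACK"))
    for i in range(50):
        recs.append((1.0 + i * 0.02, "203.0.113.9", 50000 + i, "SYN"))
    return recs


if __name__ == "__main__":
    recs = constructed_records()
    print("oversized final fragment:", fragment_overflows(8183, 1480))
    print("per-source offenders:", detect_syn_flood(recs))
    print("peak half-open overall:", peak_half_open(recs))
```

The threshold and window are the tuning knobs: a busy server legitimately holds many half-open connections for a moment, so a sensor raises on sustained counts rather than a single peak, and the overall counter is what drives mitigations such as SYN cookies when no single source stands out.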
  64. From DoS to DDoS (figure)
  65. From DoS to DDoS (figure)
  66. Distributed DoS Attack (figure)
  67. DDoS Countermeasures
     • Three broad lines of defense:
       1. attack prevention & preemption (before)
       2. attack detection & filtering (during)
       3. attack source traceback & identification (after)