Download as PDF, PPTX
![Where
malware
Lives:
Auto
start
• Folder
auto-‐start
• Win.ini
:
run=[backdoor]"
or
"load=[backdoor]".
• System.ini
:
shell=”myexplorer.exe”
• Autoexec.bat
• Config.sys
• Init.d
48!](https://image.slidesharecdn.com/malicioussoftware-121211103119-phpapp02/85/Malicious-software-48-320.jpg)
More Related Content
Malicious software
- 1. MALICIOUS SOFTWARE Raja M. Khurram Shahzad 1!
- 2. Overview — IntroducAon — Virus — Worm — Other Malicious SoEware o Backdoor/Trapdoor o Logic Bomb o Trojan Horse — DDoS ANack o DDos DescripAon o ConstrucAon of ANack 2!
- 3. Program DefiniAon A computer program tells a computer what to do and how to do it • Computer viruses, network worms, and Trojan Horse are computer programs. 3!
- 4. Malicious soEware ? • Malicious SoEware (Malware) is a soEware that is included or inserted in a system for harmful purposes. OR • A Malware is a set of instrucAons that run on your computer and make your system do something that an aNacker wants it to do. 4!
- 5. The Malware Zoo • Virus • Worms • Logic Bomb • Trojan horse • Zoombie • Scareware • Adware • Backdoor / Trapdoors 5!
- 6. Taxonomy of Malicious Programs Malicious Programs Need Host Program Independent Trapdoors Logic Trojan Viruses Zombies Worms Bombs Horses Most current malicious code mixes all capabilities! 6!
- 7. What it is good for ? • Steal personal informaAon • Delete files • Click fraud • Steal soEware serial numbers 7!
- 8. What to Infect • Executable • Interpreted file • Kernel • Service • Master Boot Record 8!
- 9. Virus • Self-‐replicaAng code, aNaches itself to another program and executes secretly when the host program is executed. • No Hidden acAon – Generally tries to remain undetected, but what about acAviAes, such as deleted files ? 9!
- 10. Parts of a Virus • Three Parts – InfecAon Mechanism: The means by which a virus spreads, enabling it to replicate, also referred as InfecAon Vector. – Trigger: The event or condiAon that determines when the payload is acAvated or delivered. – Payload: The payload may involve damage or may involve benign but NOTICEABLE acAvity.
- 11. Phases – Life Cycle • Dormant phase -‐ the virus is idle • Propaga1on phase -‐ the virus places an idenAcal copy of itself into other programs • Triggering phase – the virus is acAvated to perform the funcAon for which it was intended • Execu1on phase – the funcAon is performed 11!
- 12. Virus Structure 12!
- 13. OperaAon rouAne • Operates when infected code executed (execuAon sequence) – Jump to Main Virus program – If spread (infecAon) condiAon then { For target files : if not infected, then alter file to include virus } – Perform malicious acAon – Transfer control back – Execute normal program • If the infecAon phase is rapid, user will not noAce any difference between the execuAon of infected program and uninfected program.
- 14. Types of Viruses • On the basis of target • Boot Sector Infector: Infects master boot record / boot record (boot sector) of a disk and spreads when a system is booted with an infected disk (original DOS viruses). They are Memory-‐resident Virus. • File Infector : Infects executable files, they are also called Parasi1c Virus as they aNach their self to executable files as part of their code. Runs whenever the host program is executed. • Macro Virus –Infects files with macro code that is interpreted by the relevant applicaAon, such as doc or excel files. 14!
- 15. Types of Viruses • On the basis of concealment strategy • Encrypted Virus – A porAon of virus creates a random encrypAon key and encrypts the remainder of the virus. The key is stored with the virus. When the virus replicates, a different random key is generated. • Stealth Virus -‐ explicitly designed to hide from Virus Scanning programs. • Polymorphic Virus -‐ mutates with every new host to prevent signature detecAon, signature detecAon is useless. • Metamorphic Virus – Rewrites itself completely with every new host, may change their behavior and appearance. 15!
- 16. Recent addiAon: Email Virus • Moves around in e-‐mail messages, triggered when user opens aNachment • Do local damages on the user’s system • Propagates very quickly • Replicates itself by automaAcally mailing itself to dozens of people in the vicAm’s e-‐mail address book 16!
- 17. Examples of risky file types • The following file types should never be opened if… – .EXE – .PIF – .BAT – .VBS – .COM 17!
- 18. Viruses PropagaAon • Virus wriNen in some language e.g. C, C++, Assembly etc. • Inserted into another program – use tool called a “dropper” • Virus dormant unAl program executed – then infects other programs – eventually executes its “payload” 18!
- 19. Viruses PropagaAon • An executable program • With a virus at the front (File size is increased) • With the virus at the end (File size is increased) • With a virus spread over free space within program 19!
- 20. Viruses PropagaAon (a) A program (b) Infected program (c) Compressed infected program (d) Encrypted virus (e) Compressed virus with encrypted compression code 20!
- 21. AnA-‐virus • It is not possible to build a perfect virus/malware detector. • Analyze system behavior • Analyze binary to decide if it a virus • Type : – Scanner – Real Ame monitor 21!
- 22. AnA-‐virus • Scanners – First GeneraAon, relied on signature. – Second GeneraAon, relied on heurisAc rules or integrity checking (e.g. checksum appended to a program). • Real Ame Monitors • Third GeneraAon, memory resident and idenAfy virus by its acAons (behaviour). • Fourth GeneraAon, combinaAon of different capabiliAes. 22!
- 23. Worm A computerworm is a self-replicating computer virus. It uses a network to send copies of itself to other nodes and do so without any user intervention.! 23!
- 24. Comparision of Worm Features 1) Computer Virus: • Needs a host file • Copies itself • Executable 2) Network Worm: • No host (self-‐contained) • Copies itself • Executable 3) Trojan Horse: • No host (self-‐contained) • Does not copy itself • Imposter Program 24!
- 25. Worm: History • Runs independently – Does not require a host program • Propagates a fully working version of itself to other machines — History ◦ Morris worm was one of the first worms distributed over Internet — Two examples ◦ Morris – 1998, ◦ Slammer – 2003 25!
- 26. Worm OperaAon • Worm has similar phases like a virus: • Dormant (inacAve; rest) • PropagaAon • Search for other systems to infect • Establish connecAon to target remote system • Replicate self onto remote system – Triggering – ExecuAon 26!
- 27. Morris Worm • Best known classic worm • Released by Robert Morris in 1988 • Targeted Unix systems • Using several propagaAon techniques • If any aNack succeeds then replicated self 27!
- 28. Slammer (Sapphire) Worm • When • Jan 25 2003 • How • Exploit Buffer-‐overflow with MS SQL • Random Scanning • Randomly select IP addresses • Cost • Caused ~ $2.6 Billion in damage 28!
- 29. Slammer Scale The diameter of each circle is a funcAon of the number of infected machines, so large circles visually under represent the number of infected cases in order to minimize overlap with adjacent locaAons 29!
- 30. The worm itself … — System load ◦ InfecAon generates a number of processes ◦ Password cracking uses lots of resources ◦ Thousands of systems were shut down • Tries to infect as many other hosts as possible – When worm successfully connects, leaves a child to conAnue the infecAon while the parent keeps trying new hosts – find targets using several mechanisms: 'netstat -‐r -‐n‘, /etc/hosts, • Worm DO NOT: – Delete system's files, modify exisAng files, install Trojan horses, record or transmit decrypted passwords, capture super user privileges 30!
- 31. Backdoor or Trapdoor — Secret entry point into a program — Allows those who know access by passing usual security procedures — Remains hidden to casual inspecAon — Can be a new program to be installed — Can modify an exisAng program — Trap doors can provide access to a system for unauthorized procedures — Very hard to block in O/S 31!
- 32. Trap Door Example (a) Normal code. (b) Code with a trapdoor inserted 32!
- 33. Logic Bomb • One of oldest types of malicious soEware • Piece of code that executes itself when pre-‐defined condiAons are met • Logic Bombs that execute on certain days are known as Time Bombs • AcAvated when specified condiAons met – E.g., presence/absence of some file – parAcular date/Ame – parAcular user • When triggered typically damage system – modify/delete files/disks, halt machine, etc. 33!
- 34. Tracing Logic Bombs • Searching - Even the most experienced programmers have trouble erasing all traces of their code • Knowledge - Important to understand the underlying system functions, the hardware, the hardware/software/firmware/ operating system interface, and the communications functions inside and outside the computer • Example of benign logical fun – http://googletricks.com/top-25-fun-google-tricks/ – Type zerg rush in google 34!
- 35. Trojan Horse 35!
- 36. Trojan Horse • Trojan horse is a malicious program that is designed as authenAc, real and genuine soEware. • Like the giE horse leE outside the gates of Troy by the Greeks, Trojan Horses appear to be useful or interesAng to an unsuspecAng user, but are actually harmful. 36!
- 37.
- 38. What Trojans can do ? • Erase or overwrite data on a computer • Spread other viruses or install a backdoor. In this case the Trojan horse is called a 'dropper'. • Sevng up networks of zombie computers in order to launch DDoS aNacks or send Spam. • Logging keystrokes to steal informaAon such as passwords and credit card numbers (known as a key logger) • Phish for bank or other account details, which can be used for criminal acAviAes. • Or simply to destroy data • Mail the password file. 38!
- 39. How can you be infected ? • Websites: You can be infected by visiAng a rogue website. Internet Explorer is most oEen targeted by makers of Trojans and other pests. Even using a secure web browser, such as Mozilla's Firefox, if Java is enabled, your computer has the potenAal of receiving a Trojan horse. • Instant message: Many get infected through files sent through various messengers. This is due to an extreme lack of security in some instant messengers, such of AOL's instant messenger. • E-‐mail: ANachments on e-‐mail messages may contain Trojans. Trojan horses via SMTP. 39!
- 40. Sample Delivery • ANacker will aNach the Trojan to an e-‐mail with an enAcing header. • The Trojan horse is typically a Windows executable program file, and must have an executable file extension such as .exe, .com, .scr, .bat, or .pif. Since Windows is configured by default to hide extensions from a user, the Trojan horse's extension might be "masked" by giving it a name such as 'Readme.txt.exe'. With file extensions hidden, the user would only see 'Readme.txt' and could mistake it for a harmless text file. 40!
- 41. Where They Live ? (1) • Autostart Folder The Autostart folder is located in C:WindowsStart MenuPrograms startup and as its name suggests, automaAcally starts everything placed there. • Win.ini Windows system file using load=Trojan.exe and run=Trojan.exe to execute the Trojan • System.ini Using Shell=Explorer.exe trojan.exe results in execuAon of every file aEer Explorer.exe • Wininit.ini Setup-‐Programs use it mostly; once run, it's being auto-‐deleted, which is very handy for Trojans to restart 41!
- 42. Where They Live ? (2) • Winstart.bat AcAng as a normal bat file trojan is added as @trojan.exe to hide its execuAon from the user • Autoexec.bat It's a DOS auto-‐starAng file and it's used as auto-‐starAng method like this -‐> c:Trojan.exe • Config.sys Could also be used as an auto-‐starAng method for Trojans • Explorer Startup Is an auto-‐starAng method for Windows95, 98, ME, XP and if c: explorer.exe exists, it will be started instead of the usual c:Windows Explorer.exe, which is the common path to the file. 42!
- 43. What the aNacker wants? • Credit Card InformaAon (oEen used for domain registraAon, shopping with your credit card) • Any accounAng data (E-‐mail passwords, Login passwords, Web Services passwords, etc.) • Email Addresses (Might be used for spamming, as explained above) • Work Projects (Steal your presentaAons and work related papers) • School work (steal your papers and publish them with his/ her name on it) 43!
- 44. Stopping the Trojan … The Horse must be “invited in” …. How does it get in? By: Downloading a file Installing a program Opening an aNachment Opening bogus Web pages Copying a file from someone else 44!
- 45. Zombie • The program which secretly takes over another networked computer and force it to run under a common command and control infrastructure. • Uses it to indirectly launch aNacks, e.g., DDoS, phishing, spamming, cracking • Difficult to trace zombie’s creator) • Infected computers — mostly Windows machines — are now the major delivery method of spam. • Zombies have been used extensively to send e-‐mail spam; between 50% to 80% of all spam worldwide is now sent by zombie computers. 45!
- 46. Adware 46!
- 47. Scareware / Rouge/ Fake anAvirus 47!
- 48. Where malware Lives: Auto start • Folder auto-‐start • Win.ini : run=[backdoor]" or "load=[backdoor]". • System.ini : shell=”myexplorer.exe” • Autoexec.bat • Config.sys • Init.d 48!
- 49. Auto start • Assign know extension (.doc) to the malware • Add a Registry key such as HKCUSOFTWAREMicroso= Windows CurrentVersionRun • Add a task in the task scheduler • Run as service 49!
- 50. Web — 1.3% of the incoming search queries to Google returned at a least one malware site — Visit sites with an army of browsers in VMs, check for changes to local system — Indicate potenAally harmful sites in search results
- 51. Web: Fake page 51!
- 52. Shared folder 52!
- 53. Email 53!
- 54. Email again 54!
- 55. P2P Files • 35.5% malwares 55!
- 56. Typical Symptoms • File deleAon • File corrupAon • Visual effects • Pop-‐Ups • Computer crashes • Slow ConnecAon • Spam Relaying 56!
- 57. Distributed Denial ofService • A denial-‐of-‐service aKack is an aNack that causes a loss of service to users, typically the loss of network connecAvity. • CPU, memory, network connecAvity, network bandwidth, baNery energy • Hard to address, especially in distributed form 57!
- 58. DDoS Mechanism • Goal: make a service unusable. • How: overload a server, router, network link, by flooding with useless traffic • Focus: bandwidth aNacks, using large numbers of “zombies” 58!
- 59. How it works? • The flood of incoming messages to the target system essenAally forces it to shut down, thereby denying service to the system to legiAmate users. • VicAm's IP address. • VicAm's port number. • ANacking packet size. • ANacking inter-‐packet delay. • DuraAon of aNack. 59!
- 60. Example 1 • Ping-‐of-‐death – IP packet with a size larger than 65,536 bytes is illegal by standard – Many operaAng system did not know what to do when they received an oversized packet, so they froze, crashed or rebooted. – Routers forward each packet independently. – Routers don’t know about connecAons. – Complexity is in end hosts; routers are simple. 60!
- 61.
- 62. Example 2 • TCP handshake • SYN Flood – A stream of TCP SYN packets directed to a listening TCP port at the vicAm – The host vicAm must allocate new data structures to each SYN request – legiAmate connecAons are denied while the vicAm machine is waiAng to complete bogus "half-‐open" connecAons – Not a bandwidth consumpAon aNack • IP Spoofing 62!
- 63. Example 2 63!
- 64. From DoS to DDoS 64!
- 65. From DoS to DDoS 65!
- 66.
- 67. DDoS Countermeasures • Three broad lines of defense: 1. aNack prevenAon & preempAon (before) 2. aNack detecAon & filtering (during) 3. aNack source trace back & idenAficaAon (aEer) 67!