MALWARE Tomas Kegel Sørensen Esben B. Larsen Christoph Froeschel Magnus Koch ITU Copenhagen...

Post on 18-Dec-2015


MALWARE

Tomas Kegel Sørensen, Esben B. Larsen

Christoph Froeschel Magnus Koch

ITU Copenhagen 07.11.2008

AGENDA

• PART I: INTRODUCTION TO MALWARE
• PART II: MOBILE MALICIOUS CODE
• PART III: PURPOSE OF MALWARE
• PART IV: AVOIDING MALWARE

PART I: INTRODUCTION TO MALWARE

WHAT IS MALWARE?

• Malware is a contraction of "malicious software"
• Malware refers to various types of software that can cause problems, damage or disrupt a computer
• Installed without user knowledge or approval

DEFINITIONS OF COMMON ATTACKS

• Virus - is a program that copies itself into other programs. Viruses infect host files associated with applications.

- typically, user interaction is required for propagation, such as running a program or opening a document file.

DEFINITION OF COMMON ATTACKS

• Worm - is a program that copies itself over computer networks, infecting machines in remote locations.

- typically, no user interaction is required, as the worm spreads via vulnerabilities or misconfigurations in target systems.

- Exponential growth

DEFINITIONS OF COMMON ATTACKS

• Warhead : Penetrates the target
- Browsers that surf infected web servers
- Outlook e-mail
- Windows file sharing
- Backdoors from previous worms
• Propagation Engine : Moves the body to the destination
- File transfer protocols such as FTP, HTTP and SMB
- Mail programs
• TSA (Target Selection Algorithm) : Looks for new victims to attack
- Received or sent e-mails
- IP addresses similar to the victim's
• Scanning Engine : Fires warheads against the new victims
• Payload : What it does to the target
- Nothing (so-called null-payload worms)
- Opening up backdoors
- Planting a zombie
- Performing a mathematical operation

DEFINITIONS OF COMMON ATTACKS

• Trojan horse - is a program that seems to do something useful or interesting, but actually runs malicious code behind the scenes.

- E.g. screen savers

- a common use is a "trap door" that gives a malicious-code adversary discreet access to the machine at a future date.

DEFINITIONS OF COMMON ATTACKS

• Time bombs or logic bombs - are programs that hibernate until a specified event happens or until a condition is true.

- effective when coupled to a virus

TAXONOMY OF MALWARE

Malicious Programs
|
+-- Need Host Program: Viruses, Logic Bombs, Trojan Horses
|
+-- Independent: Worms

COMBINING MALWARE

• Worms and viruses are the transport mechanism for malicious code

• Trojan horses and time/logic bombs are the malicious code.

PART II: MALICIOUS MOBILE CODE

MALICIOUS MOBILE CODE

• Mobile code is a lightweight program that is downloaded from a remote system and executed locally with minimal or no user intervention

• Malicious mobile code is mobile code that makes your system do something that you do not want it to do.

MALICIOUS MOBILE CODE FOR A VARIETY OF NASTY ACTIVITIES

• Monitoring your browsing activities
• Obtaining unauthorized access to your file system
• Infecting your machine with a Trojan horse
• Hijacking your Web browser

MOBILE CODE EXAMPLES

- Browser Scripts
- ActiveX Controls
- Java Applets
- Mobile Code in E-mail Clients

BROWSER SCRIPTS

<script type="text/javascript">             <-- (a)
  function do_something() {
    // Code for this function would go here.
  }
</script>                                    <-- (b)

• (a) Script begins

• (b) Script ends

ACTIVEX CONTROLS

• A software component based on Microsoft's ActiveX technology that is used to add interactivity and more functionality, such as animation or a popup menu, to a Web page. An ActiveX control can be written in any of a number of languages, including Java, C++, and Visual Basic.

• The first time a control is accepted it is downloaded to your computer and registered.

AUTHENTICATION THROUGH CODE SIGNING

JAVA APPLETS

• Java applets are relatively lightweight programs designed to be transmitted across the Internet

• Java Applet Security Model
– The Java applet security model forces downloaded Java applets to run within a highly restrictive sandbox.

• Exploiting bugs in the implementation of the JRE can allow an untrusted applet to escape from its sandbox.
– Example: a program called Brown Orifice

MOBILE CODE IN E-MAIL CLIENTS

• The majority of modern e-mail clients contain some form of Web browser functionality to display HTML.

• Turn off support for mobile code in your e-mail client if you don't use this functionality.

CONCLUSION

• Do not execute ActiveX controls, whether signed or not signed, unless you trust their author with access to your system.

• Do not execute signed Java applets unless you trust their author with access to your system.

• Remember that there is no such thing as "trust once," when it comes to ActiveX controls or Java applets, because a malicious program can grant itself perpetual trust once it has access.

• Disable support for mobile code that you do not require in your browser and e-mail software.

PART III: PURPOSE OF MALWARE

INCREASING MALWARE THREAT

CHANGE OF PERSPECTIVE I

• Hackers wanted to show that they could
– Morris Worm in 1988

• Malware used to be destructive
– "I Love You" virus – deleted files and forwarded itself to contacts in Outlook (2000)

• Today malware is not destructive anymore – it works silently on a PC

IT’S BUSINESS

• ”Sources of cybercrime will become increasingly organized and profit driven” (Gunter Ollmann, IBM)

• ”Hacker teams are highly professional, with strong focus on quality and the right marketing” (Torsten Holz, University of Mannheim)

BOTNETS FOR RENT

• Hacker groups rent out their botnets
• Reports suggest that botnets can be rented for $100/hour
• Pay-as-you-go scheme – cybercrime made easy!

RETURN ON INVESTMENT

• Crime syndicates blackmail gambling sites/online shops

• They demand up to $50,000
• Stealing personal information (credit cards, bank accounts)

BEYOND TRADITIONAL CRIME I

• The Sony RootKit scandal
– automatically installing software on PCs
– Sony wanted an improved copy protection …but introduced new security holes on computers with a Windows OS

BEYOND TRADITIONAL CRIME II

• Remote Forensic Software
– Government installs spyware on computers of "suspected" persons
– FBI uses a tool called "Magic Lantern"
– Uses key loggers in order to get sensitive information
– Conflicts with the legislation

FUTURE TRENDS

• Cybercrimes in virtual worlds
• Increase in botnets
• Mobile devices
• Virtual Machine RootKit (Blue Pill)

SUM UP

• High risk
• Focus is on "business" - earning money is important
• Malware gets smarter and thus harder to detect
• Magnus will now talk about avoiding malware

PART IV: AVOIDING MALWARE

STRATEGY

1: User education & restricted user privileges.
2: Avoiding common software "packages"
3: Anti-virus software (locally and at network gateways.)

1 USER EDUCATION

METHODS
• Educate users so that they avoid making known mistakes.
• Restrict the privileges of user accounts (Configuration Hardening).

PROBLEMS
• Most users are not willing to spend time learning security.
• Even expert users are not immune to unexpected attacks (Bubble Boy).

BUBBLE BOY - 1999


2 AVOID COMMON SOFTWARE

EXAMPLES
• The "Microsoft Word" – "Outlook" combination.
• The "WordPress" CMS.

METHOD
• Avoid common software, or at least include less popular software somewhere in your workflow.

PROBLEMS
• What is common software?
• How can you be sure that security issues will be identified and addressed when using less common software?

3 ANTI-VIRUS SOFTWARE

METHOD
• Scan all incoming files for malware.

PROBLEMS
• New malware emerges.
• Malware authors camouflage already known threats.

• Scan locally or use Secure Web Gateways.

MALWARE SIGNATURES

• The fingerprints of malware (also called dat files)
• Performance improvements
– Fingerprints are matched to certain file types.
– Depending on the file type, different areas are scanned.


NEW MALWARE

• Can actually be new malware, or camouflaged versions of old threats.

• Polymorphism (obfuscated code)
– Changed variable names.
– Changed order of the instructions in the malware program.
– Encryption.
– Metamorphism.

HOW TO IDENTIFY MALWARE WITH AN UNKNOWN SIGNATURE

• Generic signatures.
– Often broken up and containing "wildcard areas".
– Not good for totally new malware.

• Emulation.
• Heuristics.
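The MALWARE SIGNATURES slide (fingerprints matched to certain file types, different areas scanned per type) and the generic-signature bullet above describe the same scanner design. The toy scanner below is an added example written for this transcript, not code from the presenters or from any anti-virus product. It shows a signature as a byte fingerprint, a generic signature as fragments joined by "??" and "*" wildcards, and the performance rules of trying a signature only against its file type and only over a bounded region. The pattern syntax, the signature names, the "decryptor" byte sequences and the sample files are all constructed for the demo and match no real malware.

```python
"""Toy signature scanner (added example; not code from the slides).

Shows the three points of the MALWARE SIGNATURES and GENERIC SIGNATURES
slides: a signature is a byte fingerprint; a generic signature is broken
into fragments joined by wildcards; and, for performance, a signature is
tried only against its file type and only over a limited region of the
file. All signatures and samples below are constructed and match no real
malware.
"""
import re

# (name, file type, pattern, max bytes of the file to scan; None = whole file)
# Pattern syntax: hex bytes, '??' = any single byte, '*' = gap of 0..64 bytes.
SIGNATURES = [
    ("Demo.Exact",   "pe",  "E8 12 34 56 78 5D 81 ED 10 00 00 00 C3", 4096),
    ("Demo.Generic", "pe",  "E8 ?? ?? ?? ?? 5D 81 ED * C3",           4096),
    ("Demo.Macro",   "doc", "41 75 74 6F 4F 70 65 6E",                None),  # "AutoOpen"
]

def pattern_to_regex(pattern: str):
    """Compile the signature pattern into a bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif tok == "*":
            parts.append(b".{0,64}?")
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)

COMPILED = [(n, t, pattern_to_regex(p), lim) for n, t, p, lim in SIGNATURES]

def detect_type(data: bytes) -> str:
    """Crude file-type sniffing by magic bytes."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:8] == b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1":   # OLE2 container (legacy .doc)
        return "doc"
    return "unknown"

def scan(data: bytes) -> list:
    """Return the names of all signatures that fire on the data."""
    ftype = detect_type(data)
    hits = []
    for name, sig_type, rx, limit in COMPILED:
        if sig_type != ftype:
            continue                    # skip signatures meant for other file types
        region = data if limit is None else data[:limit]
        if rx.search(region):
            hits.append(name)
    return hits

# Constructed samples. The "decryptor" is a made-up byte sequence; V2 is the
# same routine with a different call target and two NOPs inserted, the kind
# of change that defeats an exact signature but not a generic one.
DECRYPTOR_V1 = bytes.fromhex("E8 12 34 56 78 5D 81 ED 10 00 00 00 C3")
DECRYPTOR_V2 = bytes.fromhex("E8 99 88 77 66 5D 81 ED 10 00 00 00 90 90 C3")

def fake_pe(body: bytes, pad: int = 64) -> bytes:
    """Minimal MZ-headed blob with the body placed after `pad` zero bytes."""
    return b"MZ" + b"\x00" * 62 + b"\x00" * pad + body

SAMPLE_V1 = fake_pe(DECRYPTOR_V1)
SAMPLE_V2 = fake_pe(DECRYPTOR_V2)
SAMPLE_DOC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 32 + b"Sub AutoOpen()"
SAMPLE_CLEAN = fake_pe(b"Hello, world. AutoOpen")   # doc-only signature must not fire on a PE

if __name__ == "__main__":
    for label, s in [("v1", SAMPLE_V1), ("v2", SAMPLE_V2), ("doc", SAMPLE_DOC), ("clean", SAMPLE_CLEAN)]:
        print(label, scan(s))
    # The scan-region limit is a performance trade-off: the same decryptor
    # placed past the 4096-byte window is missed.
    print("far", scan(fake_pe(DECRYPTOR_V2, pad=8192)))
```

Running the block shows the generic signature still catching the altered variant that the exact signature misses, the document-only signature staying silent on a PE that happens to contain the same bytes, and the cost of the region limit: the same bytes placed past the scan window are not found, which is exactly why such limits are tuned per file type rather than applied blindly.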

HEURISTICS

• Establish a database of typical malware traits.
– Attempts to access the boot sector.
– Attempts to locate all documents in the current directory.
– Attempts to write to an EXE file.
– Attempts to delete hard drive contents.
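As an added example (not from the slides or the presenters), the following toy heuristic scanner turns the trait database above into code. Each trait is a predicate over one recorded behaviour event plus a weight; a sample's score is the sum of the distinct traits it exhibits and the verdict is a threshold on that score. The (kind, target) event format, the weights, the threshold and the behaviour traces are all constructed for the demo; a real engine would obtain the events from emulation or runtime monitoring.

```python
"""Toy heuristic scanner (added example; not code from the slides).

The HEURISTICS slide describes a database of typical malware traits. Here
each trait is a predicate over one recorded behaviour event plus a weight.
A sample's score is the sum of the weights of the distinct traits it
exhibits, and the verdict is a threshold on that score. The (kind, target)
event format, the weights and the threshold are all constructed for the demo.
"""
import fnmatch

def _is_boot_sector(kind, target):
    # Raw access to the physical disk covers the boot sector.
    return kind in ("open", "write") and target.lower().startswith(r"\\.\physicaldrive")

def _enumerates_documents(kind, target):
    return kind == "enumerate" and fnmatch.fnmatch(target.lower(), "*.doc*")

def _writes_exe(kind, target):
    return kind == "write" and target.lower().endswith(".exe")

def _mass_delete(kind, target):
    # Deleting a whole directory tree or drive root.
    return kind == "delete" and target.endswith("\\*")

# Trait database: (name, weight, predicate). Weights are made up; the idea is
# that one trait alone is weak evidence and several together are strong.
TRAITS = [
    ("accesses boot sector", 5, _is_boot_sector),
    ("enumerates documents", 2, _enumerates_documents),
    ("writes to EXE file",   3, _writes_exe),
    ("mass deletion",        5, _mass_delete),
]
THRESHOLD = 6

def score(trace):
    """Return (total score, sorted trait names) for a list of (kind, target) events."""
    found = {}
    for kind, target in trace:
        for name, weight, pred in TRAITS:
            if name not in found and pred(kind, target):
                found[name] = weight
    return sum(found.values()), sorted(found)

def verdict(trace):
    total, _ = score(trace)
    return "suspicious" if total >= THRESHOLD else "clean"

# Constructed behaviour traces.
WORMLIKE = [
    ("enumerate", r"C:\Users\alice\Documents\*.docx"),
    ("write",     r"C:\Windows\Temp\svchost.exe"),
    ("open",      r"\\.\PhysicalDrive0"),
]
INSTALLER = [  # a legitimate installer also writes an EXE; alone that stays under the threshold
    ("write", r"C:\Program Files\Editor\editor.exe"),
    ("write", r"C:\Program Files\Editor\readme.txt"),
]
WIPER = [
    ("delete", r"C:\Users\*"),
    ("write",  r"C:\tool.exe"),
]

if __name__ == "__main__":
    for label, t in [("wormlike", WORMLIKE), ("installer", INSTALLER), ("wiper", WIPER)]:
        print(label, score(t), verdict(t))
```

The installer trace is the point of the weighting: writing an EXE is something legitimate software does all the time, so that trait alone must stay below the threshold, while the same trait combined with document enumeration and raw disk access pushes the worm-like trace well over it. Tuning those weights against real clean software is where heuristic false positives are won or lost.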

CURRENT THREAT PATTERNS

• Classic & server-side polymorphism
• 10,000+ new strains per day.
• Each victim potentially attacked by a different strain.
• Today a signature protects < 20 users. Earlier > 100,000
• Blacklisting strategy increasingly ineffective.

SOLUTIONS (ACCORDING TO SYMANTEC)

• Whitelisting signatures for non-malware.
• Reputation-based approach.
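The following is an added example, not code from the slides or from Symantec, that combines the two ideas on this slide in one small policy. A file is identified by its SHA-256; if the hash is on an allowlist of known-good software it is allowed outright, otherwise it is scored on telemetry about how widespread and how old the hash is. A file seen on a single machine for the first time is exactly the "each victim gets a different strain" case from the previous slide, and it is the one this policy refuses. The allowlist, the telemetry, the weights and the thresholds are all constructed for the demo.

```python
"""Allowlist plus reputation score (added example; not code from the slides).

The SOLUTIONS slide lists whitelisting signatures for non-malware and a
reputation-based approach. This toy combines them: a file is identified by
its SHA-256, allowed outright if the hash is on the allowlist, and otherwise
scored on constructed telemetry (how many machines reported the hash and
for how long). Allowlist, telemetry, weights and thresholds are made up.
"""
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed allowlist of known-good builds, keyed by hash. In practice this
# comes from the vendor or from a signed software inventory.
ALLOWLIST = {
    sha256(b"known good editor build 1.0"): "Editor 1.0",
}

# Constructed telemetry: hash -> (machines that reported it, days since first seen).
TELEMETRY = {
    sha256(b"widely deployed tool"): (120000, 400),
    sha256(b"niche utility"):        (500, 30),
    sha256(b"fresh unique sample"):  (1, 0),
}

def reputation(file_hash: str) -> float:
    """0.0 = never seen; 1.0 = long established and widespread."""
    machines, age_days = TELEMETRY.get(file_hash, (0, 0))
    prevalence = min(machines, 10000) / 10000      # saturates at 10k machines
    age = min(age_days, 90) / 90                   # saturates at 90 days
    return round(0.6 * prevalence + 0.4 * age, 3)

def classify(data: bytes) -> str:
    """Return 'allow', 'review' or 'block' for the given file content."""
    h = sha256(data)
    if h in ALLOWLIST:
        return "allow"
    rep = reputation(h)
    if rep >= 0.8:
        return "allow"
    if rep <= 0.05:
        return "block"      # unknown or one-off file: treat as a fresh strain
    return "review"

if __name__ == "__main__":
    for content in (b"known good editor build 1.0", b"widely deployed tool",
                    b"niche utility", b"fresh unique sample", b"never reported"):
        print(content.decode(), reputation(sha256(content)), classify(content))
```

The "review" band is deliberate: a niche but established utility is neither on the allowlist nor obviously a one-off strain, and a reputation system that only had "allow" and "block" would either let new strains through or break every small vendor's software on day one.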

THE END