Malicious Softwarehomepage.lnu.se/staff/oflmsi/DA2422/Chapter 10.pdf · 09-09-30 6 11 Viruses a...
Transcript of Malicious Softwarehomepage.lnu.se/staff/oflmsi/DA2422/Chapter 10.pdf · 09-09-30 6 11 Viruses a...
09-09-30
1
1
Ola Flygt Växjö University, Sweden
http://w3.msi.vxu.se/users/ofl/ [email protected] +46 470 70 86 49
Malicious Software
2
Outline
Viruses and Related Threats Malicious Programs The Nature of Viruses Antivirus Approaches Advanced Antivirus Techniques DDoS attacks and countermeasures
09-09-30
2
3
Viruses and ”Malicious Programs”
• Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing number of computers. They originally spread by people sharing floppy disks. Now they spread primarily over the Internet (a “Worm”).
• Other “Malicious Programs” may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages. These are very hard to detect before the payload activates (Trojan Horses, Trap Doors, and Logic Bombs).
4
Taxonomy of Malicious Programs
09-09-30
3
5
Backdoor or Trapdoor
secret entry point into a program allows those who know access bypassing
usual security procedures have been commonly used by developers a threat when left in production programs
allowing exploited by attackers very hard to block in OS
6
Logic Bomb
one of oldest types of malicious software code embedded in legitimate program activated when specified conditions met
E.g., presence/absence of some file particular date/time particular user
when triggered typically damage system modify/delete files/disks, halt machine, etc.
09-09-30
4
7
Trojan Horse program with hidden side-effects which is usually superficially attractive
E.g., game, s/w upgrade, etc.
when run performs some additional tasks allows attacker to indirectly gain access they do not have
directly
often used to propagate a virus/worm or install a backdoor
or simply to destroy data Mail the password file.
8
Zombie
program which secretly takes over another networked computer
then uses it to indirectly launch attacks (difficult to trace zombie’s creator) often used to launch distributed denial of
service (DDoS) attacks exploits known flaws in network systems
09-09-30
5
9
Bacteria
A “Bacteria” replicates until it fills all disk space, or CPU cycles.
10
Worms
A program that replicates itself across the network (usually riding on email messages or attached documents (e.g., macro viruses).
Similar to virus, but spreads across the network instead of between files.
09-09-30
6
11
Viruses
a piece of self-replicating code attached to some other code
attaches itself to another program and executes secretly when the host program is executed.
propagates itself & carries a payload carries code to make copies of itself as well as code to perform some covert task
12
Virus Phases
Dormant phase - the virus is idle Propagation phase - the virus places an
identical copy of itself into other programs Triggering phase – the virus is activated to
perform the function for which it was intended
Execution phase – the function is performed
Details usually machine/OS specific exploiting features/weaknesses
09-09-30
7
13
Virus Structure program V :=
{goto main; 1234567; subroutine infect-executable := {loop: file := get-random-executable-file; if (first-line-of-file = 1234567) then goto loop else prepend V to file; } subroutine do-damage := {whatever damage is to be done} subroutine trigger-pulled := {return true if condition holds} main: main-program := {infect-executable; if trigger-pulled then do-damage; goto next;} next:
}
14
Types of Viruses Parasitic Virus - attaches itself to executable files as part of
their code. Runs whenever the host program runs. Memory-resident Virus - Lodges in main memory as part of
the residual operating system. Boot Sector Virus - infects the boot sector of a disk, and
spreads when the operating system boots up (original DOS viruses).
Stealth Virus - explicitly designed to hide from Virus Scanning programs.
Polymorphic Virus - mutates with every new host to prevent signature detection.
Metamorphic virus - mutates with every infection, but rewrites itself completely every time. Making it extremely difficult to detect.
09-09-30
8
15
A Compression Virus
16
Macro Viruses
• Microsoft Office applications allow “macros” to be part of the document. The macro could run whenever the document is opened, or when a certain command is selected (Save File).
Platform independent. Infect documents, delete files, generate
email and edit letters.
09-09-30
9
17
Email Virus spread using email with attachment
containing a macro virus triggered when user opens attachment or worse even when mail viewed by
using scripting features in mail agent hence propagates very quickly usually targeted at Microsoft Outlook
mail agent & Word/Excel documents
18
Worms replicating but not infecting program (does not attach itself to a program) typically spreads over a network
Morris Internet Worm in 1988 using users distributed privileges or by exploiting
system vulnerabilities worms perform unwanted functions widely used by hackers to create zombie PC's,
subsequently used for further attacks, esp DoS major issue is lack of security of permanently
connected systems, esp PC's
09-09-30
10
19
Worm Operation
worm has phases like those of viruses: dormant propagation
search for other systems to infect establish connection to target remote system replicate self onto remote system
triggering execution
20
Morris Worm
One of the best known classic worms released by Robert Morris in 1988 targeted Unix systems using several propagation techniques
simple password cracking of local pw file exploit bug in finger daemon exploit debug trapdoor in sendmail daemon
if any attack succeeds then replicated self
09-09-30
11
21
Malicious Software Protection
Have well-known virus protection and anti spybot programs etc., configured to scan disks and downloads automatically for known viruses.
Do not execute programs (or "macro's") from unknown sources (e.g., PS files, HyperCard files, MS Office documents.
Avoid the most common operating systems and email programs, if possible.
22
Malicious Software Protection
Best countermeasure is prevention (do not allow a virus to get into the system in the first place.)
But in general not possible Hence need to do one or more of:
detection - of viruses in infected system identification - of specific infecting virus removal - restoring system to clean state
09-09-30
12
23
Antivirus Approaches 1st Generation, Scanners: searched files for any of a library
of known virus “signatures.” Checked executable files for length changes.
2nd Generation, Heuristic Scanners: looks for more general signs than specific signatures (code segments common to many viruses). Checked files for checksum or hash changes.
3rd Generation, Activity Traps: stay resident in memory and look for certain patterns of software behaviour (e.g., scanning files).
4th Generation, Full Featured: combine the best of the techniques above. Scanning & activity traps, access controls etc.
24
Advanced Antivirus Techniques
Generic Decryption (GD) CPU Emulator Virus Signature Scanner Emulation Control Module For how long should a GD scanner run
each interpretation?
Digital Immune System Next page
09-09-30
13
25
Digital Immune System
26
Behavior-Blocking Software
integrated with host OS monitors program behavior in real-time
Eg. file access, disk format, executable mods, system settings changes, network access
for possibly malicious actions if detected can block and/or terminate
has advantage over scanners but malicious code runs before detection
09-09-30
14
27
Distributed Denial of Service Attacks (DDoS)
Distributed Denial of Service (DDoS) attacks form a significant security threat
making networked systems unavailable by flooding with useless traffic using large numbers of “zombies” growing sophistication of attacks defense technologies struggling to cope
28
Distributed Denial of Service Attacks (DDoS)
09-09-30
15
29
Direct DDoS attack
30
Reflector DDoS Attack
09-09-30
16
31
DDoS Countermeasures
three broad lines of defense: 1. attack prevention & preemption (before) 2. attack detection & filtering (during) 3. attack source traceback & identification
(after)
huge range of attack possibilities hence evolving countermeasures
32
Summary have considered:
various malicious programs trapdoor, logic bomb, trojan horse,
zombie viruses worms countermeasures distributed denial of service attacks