Malicious Code


Transcript of Malicious Code

Page 1: Malicious Code

Malicious Code

Brian E. Brzezicki

Page 2: Malicious Code

Malicious Code (from Chapter 13 and 11)

Page 3: Malicious Code

Malicious Code

Once upon a time hackers tried to exploit technical flaws in systems. While that still happens today, hackers are increasingly trying to “trick” people into running malicious code, which then tries to take control of a system (or help a hacker steal passwords and resources).

Page 4: Malicious Code

Malicious Code

Software that has been designed to do bad things. Some types that we will talk about in the next couple of slides are:
• Viruses
– Program
– Boot Sector
– Macro
• Trojan Horses
• Worms
• Logic Bombs
• Spyware

Page 5: Malicious Code

Viruses

Page 6: Malicious Code

Viruses (410)

The “original” malware. Can someone tell me how a virus works?

Traits
• Requires human intervention to spread and attack

Page 7: Malicious Code

Program Virus (410)

This is the kind of virus we just discussed. Infects other executable software with its own virus code.

Examples of executable code are:
• Web browser
• Spreadsheet program
• Word processor
• Anything that you “run” and it does something

Page 8: Malicious Code

Boot Sector Virus (410)

Specifically tries to attack the boot sector of hard drives and floppy drives.

Page 9: Malicious Code

Macro Virus (410)

Viruses used to affect ONLY executable code (not data such as word processor files or images). Another type of “virus” actually embeds itself into data files and tells the reading program to do commands on its behalf.

• Uses Macros… what’s a Macro?

Page 10: Malicious Code

Advanced Viruses

Stealth Virus – tries to evade anti-virus software by various methods

Polymorphic Virus – actually evolves and changes its code as it spreads. This defeats signature checking.

Page 11: Malicious Code

Anti-Virus Countermeasures (ch 11…pg 307)

Anti-Virus software attempts to detect and stop viruses from infecting our computers.

2 main types (we will talk about each in the next slides):
• Signature Based
• Heuristic

Page 12: Malicious Code

Signature (ch 11. 308)

A virus is software, which is nothing but a set of computer instructions that “does something”. Viruses generally do some bad action and also replicate. The code that each virus uses to do harm and replicate can be isolated. This is called a signature.

Anti-Virus products that use signatures have a database of known virus signatures, and they scan files against this signature database.

(more)

Page 13: Malicious Code

Signature based anti-virus (ch 11. 308)

Advantages
• Signatures in known database
• Easy operation, few false positives

Disadvantages
• Must subscribe to anti-virus database service
• Must constantly update virus signature database
• Cannot protect against unseen/new viruses
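As an added example (not from the slides or the textbook), a minimal signature scanner in Python that does what the two signature slides describe: it loads a database of known byte patterns, scans a directory against it, and shows the stated weakness, since a sample whose bytes differ from the signature by a single byte is not detected. The database format, sample names and byte patterns are all constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Constructed signature DB in a "Name:HEXBYTES" line format (hypothetical names and patterns, not real signatures).
SIGNATURE_DB = """
# name:hex-encoded bytes that the sample's harm/replicate code contains
Sample.Program.A:4d5a9000deadbeef
Sample.Macro.B:537562204175746f4f70656e
"""

def load_signatures(text: str) -> dict:
    """Parse the database into {name: bytes}, skipping comments and blank lines."""
    sigs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, hexpat = line.split(":", 1)
        sigs[name] = bytes.fromhex(hexpat)
    return sigs

def scan_bytes(data: bytes, sigs: dict) -> list:
    """Signature matching: return every known pattern found in the data."""
    return sorted(name for name, pat in sigs.items() if pat in data)

def scan_tree(root: str, sigs: dict) -> dict:
    """Scan every regular file under root; return {path: [names]} for hits only."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            found = scan_bytes(path.read_bytes(), sigs)
            if found:
                hits[str(path)] = found
    return hits

# Constructed samples: INFECTED carries Sample.Program.A verbatim; VARIANT is the same
# bytes with one byte changed (stand-in for a polymorphic variant); CLEAN shares only "MZ".
INFECTED = b"MZ\x90\x00\xde\xad\xbe\xefpayload"
VARIANT = b"MZ\x90\x00\xde\xad\xbe\xeepayload"
CLEAN = b"MZ\x90\x00hello world"

def demo() -> dict:
    """Write the samples into a temp dir, scan it, return {filename: hits}."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in [("a.exe", INFECTED), ("b.exe", VARIANT), ("c.exe", CLEAN)]:
            Path(d, name).write_bytes(body)
        hits = scan_tree(d, load_signatures(SIGNATURE_DB))
        return {os.path.basename(p): v for p, v in hits.items()}
```

Only a.exe is reported; b.exe carries the same sample with one byte changed and slips past the database, which is exactly the "cannot protect against unseen/new viruses" limitation.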

Page 14: Malicious Code

Heuristic Anti-Virus (ch 11. 308)

Looks for suspicious behavior. May “sandbox” code and run it in a virtual environment.

Advantages
• Can catch new viruses

Disadvantages
• Higher rate of false positives

Page 15: Malicious Code

Virus Countermeasures (411)

Countermeasures
• Never run code if you don’t know what it is or where that executable has been ;)
• Run anti-virus software on all workstations and major servers that accept incoming data for users (email, instant messaging, web proxies)

Page 16: Malicious Code

Trojan (horse)

Page 17: Malicious Code

Trojan (412)

Like the Trojan Horse, a Trojan program seems like a “gift”. It seems to be some useful program, and it even might do something useful… however inside there is code to do bad things. It can do really anything.

Countermeasures
• User Education
• Don’t run software that you are not familiar with and that you don’t have “real distribution” media for.
• Software Signing
• Anti-virus software to detect known Trojans

Page 18: Malicious Code

Worms (414)

Once run, a worm usually does something bad, but then tries to actively spread. Unlike a virus, which simply copies itself into other executables, a worm “self-propagates” and tries to spread in any way possible. It might try to scan networks for known security weaknesses and “hack” machines as a method of spreading. Another example is via email.

(more)

Page 19: Malicious Code

Famous Worm Attacks (415)

Morris Worm – First known worm
• Simply spread, didn’t do anything else
• Did eat up a lot of CPU and network bandwidth, brought the internet to a halt in 1988.
• Did password guessing and auto-hacking

Code Red
• Attacked IIS, using a buffer overflow, targeted other IIS servers

Nimda
• 5 methods of propagation
• Email, network shares, compromised web sites, IIS holes, and backdoors from other worms.

Page 20: Malicious Code

Worm Countermeasures

Countermeasures
• Remove unnecessary services
• Patch OS and applications
• Beware of email

Page 21: Malicious Code

Hoaxes (37)

Chain letters, fake virus reports

Does not necessarily pose a threat but:
• Wastes employee time and productivity
• Causes confusion, FUD
• Could cause users to modify settings
• Wastes network resources as messages are spread.
• Wastes IT/helpdesk time.

Countermeasures
• User education
• Centralized information base and IT communication

Page 22: Malicious Code

Logic Bombs (413)

What is a Logic Bomb… anyone?

Countermeasures
• Inventory all software and keep checksums (tripwire).
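An added example, not from the slides or the textbook: a tripwire-style checksum inventory in Python, as the countermeasure above describes. It baselines every file under a directory with SHA-256, stores the baseline as JSON, and on a later run reports what was added, removed or modified. The directory layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Checksum a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: str) -> dict:
    """Inventory every file under root: {relative posix path: sha256 hex digest}."""
    root_p = Path(root)
    return {p.relative_to(root_p).as_posix(): sha256_file(p)
            for p in sorted(root_p.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

def demo() -> dict:
    """Constructed scenario: baseline two scripts, change the tree, re-check it."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "bin").mkdir()
        Path(d, "bin", "report.sh").write_text("#!/bin/sh\necho monthly report\n")
        Path(d, "bin", "backup.sh").write_text("#!/bin/sh\ntar czf /tmp/b.tgz /data\n")
        # The baseline belongs off-host (or on read-only media); JSON keeps it portable.
        stored = json.dumps(build_baseline(d))
        # Later: one script is edited, one is deleted, and a new one appears.
        Path(d, "bin", "report.sh").write_text("#!/bin/sh\necho monthly report\necho extra\n")
        Path(d, "bin", "backup.sh").unlink()
        Path(d, "bin", "new.sh").write_text("#!/bin/sh\necho new\n")
        return compare(json.loads(stored), build_baseline(d))
```

Any unexpected entry in the "modified" or "added" lists is the cue to inspect that file, since a logic bomb planted in an existing program changes its checksum.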

Page 23: Malicious Code

Spyware (412)

We already talked about spyware previously. Anyone care to refresh us?

Page 24: Malicious Code

Malicious Code review

Q. How does a virus replicate?

Q. How is a virus different than a worm?

Q. Why are worms difficult to detect?

Q. What is a Logic Bomb? What is a way a logic bomb usually gets on a system?