Network Security Fundamentals - University of Michigan (cja/NSF13/lectures/netsec-05-notes.pdf)


Network Security Fundamentals
Security Training Course

Dr. Charles J. Antonelli, The University of Michigan, 2013

Module 5: Viruses & Worms, Botnets, Today’s Threats

Viruses & Worms


Viruses

•  Program that copies itself to other programs
   – In the same directory
   – In a fixed directory
•  Virus spreads by the copying of files
   – By users, typically
•  When an infected program is invoked
   – Virus executes first
   – Copies itself to other programs
   – Optionally, performs some malicious action
   – Then executes the host program
•  Example:
   – W97M.Marker

4 04/13 cja 2013

Worms

•  Viruses that use the network to replicate
•  No dependence on copying files
•  Worm generates its own targets
   – Via self-stored data
   – Via host-stored data
   – Randomly
   – Combinations thereof
•  Example:
   – Blaster
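How much the choice of target generation matters, as an added simulation that is not part of the original slides. Everything in it is constructed: a toy address space of 4096 addresses, 64 vulnerable hosts clustered in four groups of 16, eight probes per infected host per round, and a 256-address "subnet" standing in for the host-stored data (neighbour tables, known hosts) a worm could read from the machine it just infected. The four strategies are the slide's four bullets: a self-stored hit list, host-stored (local) data, random scanning, and a local-plus-random combination.

```python
import random

# Constructed toy network: 4096 addresses with 64 vulnerable hosts clustered in
# four groups of 16 (machines of the same kind tend to share a subnet).
N_ADDRESSES = 4096
VULNERABLE = frozenset(block * 1024 + i for block in range(4) for i in range(16))
SCANS_PER_ROUND = 8      # probes each infected host sends per round (assumed)
PATIENT_ZERO = 0         # first infected host, a member of the first cluster


def random_targets(rng, host, infected):
    """Random generation: no data carried by the worm, none read from the host."""
    return [rng.randrange(N_ADDRESSES) for _ in range(SCANS_PER_ROUND)]


# Self-stored data: a hit list of vulnerable hosts the author scanned for in
# advance and built into the worm body.
HIT_LIST = sorted(VULNERABLE)


def hit_list_targets(rng, host, infected):
    """Each copy probes a random slice of the hit list it has not seen infected yet."""
    remaining = [t for t in HIT_LIST if t not in infected]
    return rng.sample(remaining, min(SCANS_PER_ROUND, len(remaining)))


def local_targets(rng, host, infected):
    """Host-stored data: addresses the infected host already knows about,
    modelled here as its own 256-address neighbourhood."""
    subnet = host - host % 256
    return [subnet + rng.randrange(256) for _ in range(SCANS_PER_ROUND)]


def combined_targets(rng, host, infected):
    """Combination: half the probes local, half random."""
    half = SCANS_PER_ROUND // 2
    return (local_targets(rng, host, infected)[:half]
            + random_targets(rng, host, infected)[:half])


def simulate(strategy, seed=2013, max_rounds=1000):
    """Rounds until every vulnerable host is infected (or max_rounds is hit).
    Returns (rounds_used, hosts_infected)."""
    rng = random.Random(seed)
    infected = {PATIENT_ZERO}
    rounds = 0
    while len(infected) < len(VULNERABLE) and rounds < max_rounds:
        rounds += 1
        newly = {t for h in infected
                 for t in strategy(rng, h, infected)
                 if t in VULNERABLE}
        infected |= newly
    return rounds, len(infected)


if __name__ == "__main__":
    for name, strategy in [("random", random_targets),
                           ("hit list", hit_list_targets),
                           ("host-local", local_targets),
                           ("local + random", combined_targets)]:
        rounds, n = simulate(strategy)
        print(f"{name:15s} rounds={rounds:5d} infected={n}/{len(VULNERABLE)}")
```

The hit list saturates in a handful of rounds, random scanning needs tens of rounds because the early copies mostly probe empty space, and host-local data alone fills the first cluster quickly but never leaves it; only the combination gets both the fast start and full coverage, which is why real worms mix these sources.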


Types of Viruses

•  Boot sector
•  Executable infector
•  Multipartite
•  TSR (terminate-and-stay-resident)
•  Stealth
•  Encrypted
•  Polymorphic
•  Metamorphic


Macro Viruses

•  Virus instructions are interpreted
   – Platform independent
•  Infect common applications
   – Microsoft Excel, …
•  Easily spread
•  Easily defeated
   – Prohibit automatic execution of code


Virus distribution

•  Sophos study (2002)
   – 26.1% macro viruses
   – 26.1% Trojan horses
   – 19.2% executable viruses
   – 6.8% script viruses
   – 21.8% other (Unix, boot sector, worms, file, Macintosh, multipartite)


Malicious code types, 2010

[Figure] Source: Symantec Global Internet Security Threat Report, Vol. XVI, April 2011


Malicious Code Types, 2012

[Figure B11: Propagation Mechanisms] Source: Symantec Internet Security Threat Report, Vol. 17, April 2012

Antiviral approaches

•  Detection
   – Scan for virus code “signatures”
   – More difficult for encrypting viruses
     » Polymorphic - decrypt using an emulator, or analyze the encrypted virus body statistically
     » Metamorphic - harder (the body itself is rewritten each generation, so there is no constant decrypted form to match)
•  Identification
   – Vendor databases
•  Removal
   – Quarantine
     » render harmless by encryption or compression
     » copy to quarantine area
   – Delete
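How the detection approaches above play out against an encrypted, polymorphic body, as an added Python example that is not from the slides and contains no real malware: the "virus body" is a constructed ASCII string, the decryptor stub is a constructed four-byte marker, and the encryption is a toy position-dependent XOR with a per-copy key. The plain signature scan catches the clear body and misses every encrypted copy; the two techniques the slide names for polymorphic code, statistical analysis of the opaque body (byte entropy here) and emulating the decryptor before scanning, get detection back.

```python
import math
from collections import Counter

# Constructed stand-in for a virus body (an ASCII phrase, not executable code).
# The repetition gives it the low byte entropy typical of a small code or text
# body, which is what the statistical check below relies on.
PLAIN_BODY = b"COPY-SELF-TO-EXE " * 4

# What a vendor signature database would carry for this "family".
SIGNATURE = b"COPY-SELF-TO-EXE"

# Constructed 4-byte stand-in for the decryptor prologue that an encrypted
# virus must leave in clear text so it can decrypt itself at run time.
DECRYPTOR_STUB = b"\x90\x31\xc9\xb1"


def scan_signature(data: bytes, sig: bytes = SIGNATURE) -> bool:
    """Plain signature scan: does the known byte string occur anywhere?"""
    return sig in data


def keystream(key: int, length: int) -> bytes:
    """Toy position-dependent XOR keystream (37 is odd, so the values do not
    repeat inside a 256-byte window)."""
    return bytes((key + 37 * i) & 0xFF for i in range(length))


def xor_crypt(body: bytes, key: int) -> bytes:
    """XOR is its own inverse, so one routine encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(body, keystream(key, len(body))))


def make_variant(key: int) -> bytes:
    """Encrypted copy: clear-text stub, one key byte, then the opaque body.
    Each infection picks a fresh key, so the body bytes differ from copy to
    copy while the decrypted body (and behaviour) stays identical."""
    assert 1 <= key <= 255
    return DECRYPTOR_STUB + bytes([key]) + xor_crypt(PLAIN_BODY, key)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: repetitive text sits around 3-4, ciphertext much higher."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(body: bytes, threshold: float = 4.5) -> bool:
    """Statistical check: an opaque body has far higher entropy than the
    plain body it hides.  Threshold chosen for this toy text body."""
    return shannon_entropy(body) > threshold


def emulate_and_scan(sample: bytes) -> bool:
    """'Decrypt using emulator': recognise the stub, run its decryption loop
    (here: apply the XOR keystream), then scan the recovered body."""
    if not sample.startswith(DECRYPTOR_STUB):
        return False
    key = sample[len(DECRYPTOR_STUB)]
    body = xor_crypt(sample[len(DECRYPTOR_STUB) + 1:], key)
    return scan_signature(body)


if __name__ == "__main__":
    a, b = make_variant(7), make_variant(200)
    prefix = len(DECRYPTOR_STUB) + 1
    print("plain body caught by signature:    ", scan_signature(PLAIN_BODY))
    print("two variants share body bytes:     ", a[prefix:] == b[prefix:])
    print("encrypted variant caught by sig:   ", scan_signature(a))
    print("variant body looks encrypted:      ", looks_encrypted(a[prefix:]))
    print("emulated decrypt, then scan:       ", emulate_and_scan(a), emulate_and_scan(b))
```

The constant part an encrypted virus cannot hide is its decryptor, which is why engines signature the stub and emulate it; a metamorphic virus rewrites that part too, which is the "harder" case on the slide.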


U-M Anti-virus

•  http://safecomputing.umich.edu/antivirus/
•  Free Microsoft Security Essentials for personally-owned Windows machines
•  Microsoft Forefront Endpoint Protection for university-owned Windows machines
   – 32- and 64-bit versions
•  Free Sophos Anti-Virus for Mac OS X machines
   – All versions of OS X up to and including 10.7 (Lion)
•  Good, concise security recommendations
   – http://www.safecomputing.umich.edu/tools/security_shorts.html
   – http://www.safecomputing.umich.edu/MDS/
   – http://www.safecomputing.umich.edu/students.php
•  More information
   – http://www.safecomputing.umich.edu/


Spyware

•  Generic name for software that tracks users’ behavior
•  Wide range of activities
   – Keystroke loggers
   – Tracking cookies
   – File inspectors
   – Location awareness
   – Remote video & audio recording
•  Store-and-forward
   – As hard to detect remotely as botnets are


Spyware

•  Detection and removal tools
   – Windows Defender (née Microsoft AntiSpyware)
     » http://www.microsoft.com/athome/security/spyware/software/default.mspx
   – Lavasoft Ad-Aware
     » http://www.lavasoftusa.net/
   – Spybot Search&Destroy
     » http://www.safer-networking.org/


Botnets


Botnets

•  Malware installed on victim machines listens for transmitted instructions
   – Attack other machines
   – Transmit spam
   – Participate in DDoS attacks
   – Crack passwords
   – …
•  Installed via well-known vectors
•  Communicate with command and control host(s) via anonymous message services
   – Typically IRC
   – Typically encrypted
   – Typically silent, so hard to find
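One way a "silent" bot still gives itself away, as an added detection example that is not part of the original slides: encryption hides what the bot says to its controller, but not that it connects on a timer. The code groups outbound connections by (source, destination, port) and flags flows whose inter-arrival times are numerous and nearly constant, noting when the port is an IRC port. The log is a constructed tab-separated conn-log-style format (ts, src, dst, dport, proto) with made-up addresses; the thresholds (at least 8 connections, coefficient of variation at most 0.2) are assumptions to tune per network.

```python
import statistics
from collections import defaultdict

IRC_PORTS = {6667, 6697}          # classic and TLS IRC ports


def build_sample_log():
    """Constructed connection log (not real traffic): tab-separated
    'ts src dst dport proto', one line per outbound TCP connection."""
    base = 1_365_000_000.0        # constructed epoch base (April 2013)
    lines = []
    # A bot checking in with its C&C host every 300 s, with a few seconds of jitter.
    for i, jitter in enumerate([0, 2, -1, 3, 1, -2, 0, 2, -3, 1, 0, 1]):
        lines.append(f"{base + 300 * i + jitter:.3f}\t10.0.0.23\t198.51.100.7\t6667\ttcp")
    # A user browsing: bursts and long idle gaps to the same web server.
    for gap in [0, 4, 40, 41, 300, 302, 900, 901, 905, 2400, 2401, 3300]:
        lines.append(f"{base + gap:.3f}\t10.0.0.9\t203.0.113.80\t443\ttcp")
    # A human on IRC: three connections to one server, too few to judge.
    for gap in [100, 4000, 9000]:
        lines.append(f"{base + gap:.3f}\t10.0.0.9\t192.0.2.5\t6667\ttcp")
    return lines


def parse_connections(lines):
    """Group connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, _proto = line.rstrip("\n").split("\t")
        flows[(src, dst, int(dport))].append(float(ts))
    return flows


def beacon_score(times, min_conns=8):
    """(mean_gap, cv) over the sorted inter-arrival gaps, or None when there
    are too few connections to say anything.  cv = stdev / mean: a value near
    zero means the connections come on a timer."""
    if len(times) < min_conns:
        return None
    ts = sorted(times)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(lines, max_cv=0.2, min_conns=8):
    """Flag flows whose timing is regular enough to look like C&C check-ins."""
    hits = []
    for (src, dst, dport), times in parse_connections(lines).items():
        score = beacon_score(times, min_conns)
        if score is None:
            continue
        mean, cv = score
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "period_s": round(mean, 1), "cv": round(cv, 3),
                         "irc_port": dport in IRC_PORTS})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(build_sample_log()):
        print(hit)
```

The sample is built so that the browsing flow and the bot have the same mean gap (300 s); only the bot is flagged, because regularity, not average rate, is the signal. Bots that randomise their sleep interval push cv up, so in practice this is combined with other weak signals (destination reputation, connection size, time of day) rather than used alone.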


Botnets

•  One of the major threats
   – Large increase in 4Q2006 spam traffic
     » 30-450% increase
   – Very large botnets
     » 1.5 × 10⁶ bots in Dutch botnet (2005)
     » 5 × 10⁶ bots in Conficker (2009)
       · Encrypted & authenticated
       · Some recent progress in detection
     » 2 × 10⁶ bots in CoreFlood (2011)
       · Operating for 8+ years


Microsoft Security Intelligence Report 1H2011

[Figure] Source: http://www.microsoft.com/security/sir/default.aspx


Microsoft Security Intelligence Report 1H2012

[Figure] Source: http://www.microsoft.com/security/sir/default.aspx

Super botnets

•  1Q2013 DDoS attacks
   – 48 Gbps average (130 Gbps peak)
     » Up from 6 Gbps in 1Q2012
•  Attackers targeting Web servers
   – Much more bandwidth
   – WordPress, Joomla, other DIY

Source: Prolexic Quarterly Global DDoS Attack Report, Q1 2013

Today’s Threats


Attack Toolkits, 2011

[Figure] Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012

Total vulnerabilities, 2011

[Figure] Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012

Web Browser Vulnerabilities, 2011

[Figure] Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012


Web Browser Vulnerabilities, 2010

[Figure] Source: Symantec Global Internet Security Threat Report, Vol. 16, April 2011


Today’s threats

•  In addition to the 81% surge in attacks, the number of unique malware variants also increased by 41% and the number of Web attacks blocked per day also increased dramatically, by 36%. Greater numbers of more widespread attacks employed advanced techniques, such as server-side polymorphism to colossal effect. This technique enables attackers to generate an almost unique version of their malware for each potential victim.


Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012


Today’s threats

•  We saw a rising tide of advanced targeted attacks in 2011 (94 per day on average at the end of November 2011). In terms of people who are being targeted, it’s no longer only the CEOs and senior level staff. 58% of the attacks are going to people in other job functions such as Sales, HR, Executive Assistants, and Media/Public Relations.


Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012


Today’s threats

•  High-profile hacks of Certificate Authorities, providers of Secure Sockets Layer (SSL) Certificates, threatened the systems that underpin trust in the internet itself. Website owners recognized the need to adopt SSL more broadly to combat Man-In-The-Middle (MITM) attacks, notably for securing non-transactional pages, as exemplified by Facebook, Google, Microsoft, and Twitter adoption of Always On SSL.

Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012


Today’s threats

•  Gartner predicts sales of smartphones to end users will reach 461.5 million in 2011 and rise to 645 million in 2012. [M]obile offers new opportunities to cybercriminals that potentially are more profitable. A stolen credit card may go for as little as USD 40-80 cents. Malware that sends premium SMS text messages can pay the author USD $9.99 for each text.


Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012


Today’s threats

•  More than 232.4 million identities were exposed overall during 2011. [B]reaches caused by hacking attacks had the greatest impact and exposed more than 187.2 million identities, the greatest number for any type of breach in 2011. The most frequent cause of data breaches was theft or loss of a computer or other medium, such as a USB key or a back-up medium. Theft or loss accounted for 34.3% of breaches that could lead to identities exposed.


Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012


References

•  Timeline of notable computer viruses and worms, http://en.wikipedia.org/wiki/Timeline_of_notable_computer_viruses_and_worms
•  Symantec Internet Security Threat Report, Volume 17, April 2012, http://www.symantec.com/threatreport/
•  Moxie Marlinspike, New Tricks for Defeating SSL in Practice, Black Hat DC 2009, http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
•  Fueled by super botnets, DDoS attacks grow meaner and ever-more powerful, Ars Technica, April 2013, http://arstechnica.com/security/2013/04/fueled-by-super-botnets-ddos-attacks-grow-meaner-and-ever-more-powerful/