Outline
- Introduce types of malicious software
  E.g. backdoor, logic bomb, trojan horse, mobile code
- Discuss
  Virus types and countermeasures
  Worm types and countermeasures
  Bots
  Rootkits
Malicious Software
Introduction
- Programs that exploit vulnerabilities in computing systems are referred to as malicious software, or malware.
- They can be divided into two categories:
  Program fragments that need a host program
  e.g. viruses, logic bombs, and backdoors
- They are perhaps the most sophisticated types of threats to computer systems.
  Some of them can even replicate themselves.
  e.g. viruses, worms
Malware Terminology
Although there is a lack of universal agreement on terminology, due to overlapping categories, the following can serve as a useful guide:
- Virus
- Worm
- Logic bomb
- Trojan horse
- Backdoor (trapdoor)
- Mobile code
- Auto-rooter
- Kit (virus generator)
- Spammer and flooder programs
- Keyloggers
- Rootkit
- Zombie, bot
Viruses
A virus is a piece of software that can "infect" other programs by modifying them. The modification includes:
- copying itself (the virus) into the program;
- secretly executing when the host program runs.
Virus Structure
A computer virus has three components:
- Infection mechanism: enables replication
- Trigger: the event that makes the payload activate
- Payload: what it does, malicious or benign
Compression Virus
Compression is used to make the infection harder to detect.
- When infected file P1 is launched, it
  1. compresses uninfected file P2 into P2';
  2. prepends virus CV to P2';
  3. decompresses P1' into P1;
  4. launches P1.
Virus Classification
Boot Sector
- Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.
File Infector
- Infects files that the operating system or shell considers to be executable.
Macro Virus
- Infects files with macro code that is interpreted by an application.
Encrypted Virus
- The virus creates a random encryption key, stored with the virus, and encrypts the remainder of the virus.
Stealth Virus
- Hides itself from detection by antivirus software.
Polymorphic Virus
- Mutates with every infection, making detection by the "signature" of the virus impossible.
Metamorphic Virus
- Mutates and rewrites itself completely at each iteration.
Macro Virus
They became very common in the mid-1990s.
- They are platform-independent.
- They infect documents.
- They spread easily (via e-mail).
However,
- more recent releases of the Office applications include protection;
- they are also recognized by many anti-virus programs now.
E-Mail Viruses
These are more recent developments. The first rapidly spreading versions made use of a Microsoft Word macro embedded in an attachment.
- e.g. Melissa
  Exploits an MS Word macro in the attached document: if the attachment is opened, the macro activates, sends e-mail to everyone on the user's address list, and does local damage.
At the end of 1999, a more powerful version of the e-mail virus appeared.
- This newer version can be activated merely by opening an e-mail that contains the virus, rather than by opening an attachment.
- Hence, they propagate much faster (e.g. within a few hours).
This makes it very difficult for antivirus software to respond before much damage is done.
Virus Countermeasures
Ideal solution
- Prevention, but it is difficult.
Realistic approach:
- Detection
  Determine that an infection has occurred and locate the virus.
- Identification
  Once detected, identify the specific virus that has infected a program.
- Removal
  Once identified, remove all traces of the virus from the infected program and restore it to its original state.
- If the virus is detected but cannot be identified or removed, the infected program must be discarded and replaced.
Anti-Virus Evolution
Viruses and antivirus technology have both evolved.
- Early viruses were simple code and easily removed.
- Recent viruses are more complex and more challenging.
- Second generation: heuristic scanners
  They use heuristic rules such as:
  Looking for fragments of code that are often associated with viruses.
  Integrity checking, using a hash function rather than a simpler checksum.
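As an added illustration of the second heuristic (this code is not from the original slides): a constructed Python integrity check that shows why a cryptographic hash should be preferred over an additive checksum. The file contents, the file name and the two-byte edit are all constructed for the demo.

```python
import hashlib

# Constructed stand-in for an executable: a short header followed by filler bytes.
ORIGINAL = b"PROGRAM" + bytes([0x80]) * 57

def simple_checksum(data: bytes) -> int:
    """The 'simpler checksum': sum of all bytes modulo 2**32."""
    return sum(data) % (1 << 32)

def sha256_digest(data: bytes) -> str:
    """Cryptographic hash of the file contents (the 'hash function' method)."""
    return hashlib.sha256(data).hexdigest()

class IntegrityBaseline:
    """Records a checksum and a hash for each file while it is known to be clean."""
    def __init__(self) -> None:
        self.checksums = {}
        self.hashes = {}

    def record(self, name: str, data: bytes) -> None:
        self.checksums[name] = simple_checksum(data)
        self.hashes[name] = sha256_digest(data)

    def check(self, name: str, data: bytes) -> dict:
        """Compare a file against its baseline with both methods."""
        return {
            "checksum_ok": simple_checksum(data) == self.checksums[name],
            "hash_ok": sha256_digest(data) == self.hashes[name],
        }

def compensated_patch(data: bytes, offset: int, new_byte: int):
    """Change one byte and adjust the following byte by the opposite amount so
    the additive checksum is unchanged: a modification the simple checksum
    cannot see. Returns None if the neighbour cannot absorb the difference."""
    buf = bytearray(data)
    delta = new_byte - buf[offset]
    comp = buf[offset + 1] - delta
    if not 0 <= comp <= 255:
        return None
    buf[offset], buf[offset + 1] = new_byte, comp
    return bytes(buf)

def demo() -> dict:
    """Baseline a clean file, apply the compensated patch, then re-check it."""
    baseline = IntegrityBaseline()
    baseline.record("prog.exe", ORIGINAL)
    tampered = compensated_patch(ORIGINAL, 16, 0x90)
    return baseline.check("prog.exe", tampered)   # checksum fooled, hash not
```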
Generic Decryption
More sophisticated antivirus products run executable files through a GD scanner consisting of the following modules:
- CPU emulator
  A software-based virtual computer that interprets instructions.
- Virus scanner
  Scans the target code looking for known virus signatures.
- Emulation control
  Manages the process, i.e. controls the execution of the target code.
The scanner lets the virus decrypt itself in the interpreter and periodically scans for virus signatures. The issue is how long to interpret and scan:
- trade-off between chance of detection and time delay.
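A toy model of the three GD modules, added here as an illustration (it is not from the original slides): a constructed 3-byte-per-instruction bytecode, a sample whose body is XOR-encrypted by a decryptor stub, and an emulation loop that scans memory for a constructed signature every few steps. The instruction set, the key and the signature string are all invented for the demo.

```python
# Constructed toy instruction set: every instruction is 3 bytes (op, a, b).
HALT, MOV_PTR, XORM, INC_PTR, CMP_JL, JMP = 0, 1, 2, 3, 4, 5
# Constructed signature the virus scanner looks for: the body's plaintext.
SIGNATURE = b"EVILSIG"

def build_sample(key: int = 0x5A, body: bytes = SIGNATURE) -> bytearray:
    """Constructed sample: a 15-byte decryptor stub followed by the body XORed
    with `key`. The stub walks a pointer over the body, XORing each byte with
    the key, then jumps into the decrypted body."""
    start, end = 15, 15 + len(body)
    stub = bytes([
        MOV_PTR, start, 0,   # ptr = start of encrypted body
        XORM, key, 0,        # mem[ptr] ^= key
        INC_PTR, 0, 0,       # ptr += 1
        CMP_JL, end, 3,      # if ptr < end: goto offset 3 (loop again)
        JMP, start, 0,       # transfer control to the decrypted body
    ])
    return bytearray(stub + bytes(b ^ key for b in body))

def gd_scan(mem: bytearray, max_steps: int, scan_every: int = 5):
    """Emulation control: run the CPU emulator for at most `max_steps`
    instructions and call the virus scanner every `scan_every` steps.
    Returns (detected, steps_used)."""
    pc = ptr = steps = 0
    while steps < max_steps:
        op, a, b = mem[pc], mem[pc + 1], mem[pc + 2]
        pc += 3
        steps += 1
        if op == HALT:
            break
        elif op == MOV_PTR:
            ptr = a
        elif op == XORM:
            mem[ptr] ^= a
        elif op == INC_PTR:
            ptr += 1
        elif op == CMP_JL and ptr < a:
            pc = b
        elif op == JMP:
            pc = a
            break   # control leaves the stub: the body is as decrypted as it gets
        if steps % scan_every == 0 and SIGNATURE in mem:
            return True, steps   # scanner found the signature in emulated memory
    return SIGNATURE in mem, steps
```

With a short budget such as gd_scan(build_sample(), max_steps=10) the body is only partly decrypted and nothing is found; with max_steps=100 the signature appears after 20 emulated instructions, which is the detection-versus-delay trade-off the slide describes.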
(C) Davar Pishva, 2013
The immune system approach provides rapid response time so that viruses can be stamped out almost as soon as they are introduced. When a new virus enters an organization,
- the immune system automatically captures it,
- analyzes it,
- adds detection and shielding for it,
- removes it, and
- passes information about that virus to other systems.
Behavior-Blocking Software
This software integrates with the operating system of a host computer and monitors program behavior in real time for malicious actions. It blocks potentially malicious actions before they can affect the system. Monitored behaviors can include:
- attempts to open, view, delete, and/or modify files;
- attempts to format disk drives and other unrecoverable disk operations;
- modifications to the logic of executable files or macros;
- modification of critical system settings, such as start-up settings;
- scripting of e-mail and instant messaging clients to send executable content; and
- initiation of network communications.
Security and Information System Management
Worms
A worm is a program that can replicate itself and send copies from computer to computer across network connections,
- using e-mail, remote execution, or remote login.
In a multiprogramming system, it may also disguise its presence by naming itself as a system process or using some other name that may not be noticed by a system operator. The concept of a computer worm was introduced in John Brunner's 1975 SF novel The Shockwave Rider. The first known worm implementation was done at Xerox Palo Alto Labs in the early 1980s.
Morris Worm
This is one of the best known worms. It was released by Robert Morris in 1988. It was designed to spread on UNIX systems and used a number of different techniques for propagation:
- cracking the password file to obtain login/password pairs for logging on to other systems;
- exploiting a bug in the finger protocol;
- exploiting a bug in sendmail.
- Fast spread
  Growth is almost linear, but the rate of infection is rapid.
- Slow finish
  Exponentially decaying, as the worm seeks out those remaining hosts that are difficult to identify.
SQL Slammer
- Early 2003; attacked MS SQL Server by exploiting a buffer overflow vulnerability.
- Extremely compact and spread rapidly, infecting 90% of vulnerable hosts within 10 minutes.
Mydoom
- A mass-mailing e-mail worm that appeared in 2004.
- It installed a remote access backdoor in infected systems.
It replicated up to 1000 times per minute and reportedly flooded the Internet with 100 million infected messages in 36 hours.
Worm Technology
Multiplatform
- Not limited to the Windows platform.
Multi-exploit
- Penetrates systems in a variety of ways.
Ultrafast spreading
- E.g., by means of a prior Internet scan to accumulate Internet addresses of vulnerable machines.
Polymorphic
- Each copy of the worm has new code generated on the fly using functionally equivalent instructions and encryption techniques.
Metamorphic
- Worm with changing appearance and behavior.
Transport vehicles
- Used for spreading other distributed attack tools, such as distributed denial of service bots.
Zero-day exploit
- Worm that exploits an unknown vulnerability, which is discovered by the general network community only when the worm is launched.
Worm Countermeasures
Overlaps with anti-virus techniques:
- Once resident on a system, A/V can detect them.
- They also cause significant network activity, hence are detectable.
An agent monitors outgoing activity for a fixed window of time to see whether outgoing connections exceed a threshold.
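A constructed example of such an agent, added here and not part of the original slides: it groups each host's outgoing connections into fixed 10-second windows and raises an alert when a window exceeds the threshold. The IP addresses, timestamps and threshold are invented for the demo.

```python
from collections import defaultdict

# Constructed outgoing-connection records: "<epoch_seconds> <src_ip> <dst_ip>".
NORMAL = [
    "100 10.0.0.5 93.184.216.34",
    "104 10.0.0.5 198.51.100.7",
    "111 10.0.0.5 93.184.216.34",
]
# Constructed worm-like burst: 10.0.0.9 opens 12 connections to 12 different
# hosts within six seconds, the kind of scanning a worm generates.
BURST = [f"{103 + i // 2} 10.0.0.9 10.0.1.{i + 1}" for i in range(12)]
SAMPLE_LOG = "\n".join(NORMAL + BURST)

def parse_record(line: str):
    ts, src, dst = line.split()
    return int(ts), src, dst

def find_outbreaks(log_text: str, window: int = 10, threshold: int = 8) -> list:
    """Count each source's outgoing connections per fixed window of `window`
    seconds and report every (source, window) whose count exceeds `threshold`.
    The number of distinct destinations is included so an operator can tell
    a scan from repeated connections to one busy server."""
    counts = defaultdict(int)
    destinations = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = parse_record(line)
        key = (src, ts // window * window)   # (source, window start time)
        counts[key] += 1
        destinations[key].add(dst)
    alerts = []
    for (src, start), n in sorted(counts.items()):
        if n > threshold:
            alerts.append({
                "src": src,
                "window_start": start,
                "connections": n,
                "distinct_dst": len(destinations[(src, start)]),
            })
    return alerts

def hosts_to_throttle(log_text: str, **kwargs) -> set:
    """Hosts whose outgoing traffic the agent would hold back pending review."""
    return {alert["src"] for alert in find_outbreaks(log_text, **kwargs)}
```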
It is designed to catch the source of a worm attack by monitoring outgoing traffic for signs of scanning, etc. Worm monitors can act in the manner of intrusion detection systems and generate alerts to a central administrative system. It is also possible to implement a system that attempts to react in real time to a worm attack, so as to counter zero-day exploits effectively. An example of a worm countermeasure architecture is shown in the next slide.
Bots
A bot (robot), also known as a zombie or drone, is a program that secretly takes over hundreds or thousands of Internet-attached computers.
- It uses those computers to launch attacks that are difficult to trace to the bot's creator.
- The collection of bots is referred to as a botnet.
Characteristics:
- remote control facility
  via IRC (Internet Relay Chat), HTTP, etc.
- spreading mechanism
  attack software, vulnerability, scanning strategy
Rootkits
A rootkit is a set of programs installed to gain administrator access. It can make malicious and stealthy changes to the host OS, and it may hide its existence by
- subverting the report mechanisms for processes, files, registry entries, etc.
It may be:
- persistent or memory-based
- user or kernel mode
It can be installed by a user via a trojan, or by an intruder on the system. A range of countermeasures is needed.
- The attacker overwrites selected legitimate system call routines with malicious code; the system call table itself is not changed.
- The attacker redirects references to the entire system call table to a new table in a new kernel memory location.
If a kernel-level rootkit is detected, by any means, the only secure and reliable way to recover is to do a complete new OS install on the infected machine.
- Discussed
  Virus types and countermeasures
  Worm types and countermeasures
  Bots
  Rootkits