lecture malicious software
TRANSCRIPT
1!
MALICIOUS SOFTWARE
Overview � Introduc:on � Virus � Worm
� Other Malicious SoAware o Backdoor/Trapdoor o Logic Bomb o Trojan Horse
� DDoS AKack o DDos Descrip:on o Construc:on of AKack
2!
Program Defini:on A computer program tells a computer
what to do and how to do it • Computer viruses, network worms, and Trojan Horse are
computer programs.
3!
Malicious soAware ?
• Malicious SoAware (Malware) is a soAware that is included or inserted in a system for harmful purposes.
OR • A Malware is a set of instruc:ons that run on your computer
and make your system do something that an aKacker wants it to do.
4!
The Malware Zoo • Virus
• Worms
• Logic Bomb
• Trojan horse • Zoombie
• Scareware • Adware • Backdoor / Trapdoors
5!
Taxonomy of Malicious Programs
6!
Need Host Program Independent
Trapdoors
Logic Bombs
Trojan Horses
Viruses
Zombies
Worms
Malicious Programs
Most current malicious code mixes all capabilities!
What it is good for ? • Steal personal informa:on
• Delete files
• Click fraud
• Steal soAware serial numbers
7!
What to Infect • Executable
• Interpreted file
• Kernel
• Service
• Master Boot Record
8!
Virus • Self-‐replica:ng code, aKaches itself to another program
and executes secretly when the host program is executed.
• No Hidden ac:on – Generally tries to remain undetected, but what about ac:vi:es,
such as deleted files ?
9!
Parts of a Virus • Three Parts
– Infec:on Mechanism: The means by which a virus spreads, enabling it to replicate, also referred as Infec:on Vector.
– Trigger: The event or condi:on that determines when the payload is ac:vated or delivered.
– Payload: The payload may involve damage or may involve benign but NOTICEABLE ac:vity.
Phases – Life Cycle • Dormant phase -‐ the virus is idle
• Propaga1on phase -‐ the virus places an iden:cal copy of itself into other programs
• Triggering phase – the virus is ac:vated to perform the func:on for which it was intended
• Execu1on phase – the func:on is performed
11!
Virus Structure
12!
Opera:on rou:ne • Operates when infected code executed (execu:on
sequence) – Jump to Main Virus program – If spread (infec:on) condi:on then
{ For target files : if not infected, then alter file to include virus
} – Perform malicious ac:on – Transfer control back – Execute normal program
• If the infec:on phase is rapid, user will not no:ce any difference between the execu:on of infected program and uninfected program.
Types of Viruses • On the basis of target
• Boot Sector Infector: Infects master boot record / boot record (boot sector) of a disk and spreads when a system is booted with an infected disk (original DOS viruses). They are Memory-‐resident Virus.
• File Infector : Infects executable files, they are also called Parasi1c Virus as they aKach their self to executable files as part of their code. Runs whenever the host program is executed.
• Macro Virus –Infects files with macro code that is interpreted by the relevant applica:on, such as doc or excel files.
14!
Types of Viruses • On the basis of concealment strategy
• Encrypted Virus – A por:on of virus creates a random encryp:on key and encrypts the remainder of the virus. The key is stored with the virus. When the virus replicates, a different random key is generated.
• Stealth Virus -‐ explicitly designed to hide from Virus Scanning programs.
• Polymorphic Virus -‐ mutates with every new host to prevent signature detec:on, signature detec:on is useless.
• Metamorphic Virus – Rewrites itself completely with every new host, may change their behavior and appearance.
15!
Recent addi:on: Email Virus
• Moves around in e-‐mail messages, triggered when user opens aKachment
• Do local damages on the user’s system • Propagates very quickly • Replicates itself by automa:cally mailing itself to dozens of people in the vic:m’s e-‐mail address book
16!
Examples of risky file types • The following file types should never be opened if…
– .EXE – .PIF – .BAT – .VBS – .COM
17!
Viruses Propaga:on • Virus wriKen in some language e.g. C, C++, Assembly
etc.
• Inserted into another program – use tool called a “dropper”
• Virus dormant un:l program executed – then infects other programs – eventually executes its “payload”
18!
Viruses Propaga:on
• An executable program • With a virus at the front (File size is increased) • With the virus at the end (File size is increased) • With a virus spread over free space within program
19!
Viruses Propaga:on
(a) A program (b) Infected program (c) Compressed infected program (d) Encrypted virus (e) Compressed virus with encrypted compression code
20!
An:-‐virus • It is not possible to build a perfect virus/malware
detector. • Analyze system behavior • Analyze binary to decide if it a virus • Type :
– Scanner – Real :me monitor
21!
An:-‐virus • Scanners
– First Genera:on, relied on signature. – Second Genera:on, relied on heuris:c rules or integrity
checking (e.g. checksum appended to a program).
• Real :me Monitors • Third Genera:on, memory resident and iden:fy virus by its
ac:ons (behaviour). • Fourth Genera:on, combina:on of different capabili:es.
22!
Worm
23!
A computer worm is a self-replicating computer virus. It uses a network to send copies of itself to other nodes and do so without any user intervention.!
Comparision of Worm Features
24!
1) Computer Virus: • Needs a host file
2) Network Worm: • No host (self-‐contained) • Copies itself • Executable
• Copies itself • Executable
3) Trojan Horse: • No host (self-‐contained) • Does not copy itself • Imposter Program
Worm: History • Runs independently
– Does not require a host program
• Propagates a fully working version of itself to other machines
� History ◦ Morris worm was one of the first worms distributed over Internet � Two examples
◦ Morris – 1998, ◦ Slammer – 2003
25!
Worm Opera:on • Worm has similar phases like a virus:
• Dormant (inac:ve; rest)
• Propaga:on • Search for other systems to infect • Establish connec:on to target remote system • Replicate self onto remote system
– Triggering
– Execu:on
26!
Morris Worm • Best known classic worm
• Released by Robert Morris in 1988
• Targeted Unix systems • Using several propaga:on techniques
• If any aKack succeeds then replicated self
27!
Slammer (Sapphire) Worm • When
• Jan 25 2003
• How • Exploit Buffer-‐overflow with MS SQL
• Random Scanning • Randomly select IP addresses
• Cost • Caused ~ $2.6 Billion in damage
28!
Slammer Scale
29!
The diameter of each circle is a func:on of the number of infected machines, so large circles visually under represent the number of infected cases in order to minimize overlap with adjacent loca:ons
The worm itself … � System load ◦ Infec:on generates a number of processes ◦ Password cracking uses lots of resources ◦ Thousands of systems were shut down
• Tries to infect as many other hosts as possible – When worm successfully connects, leaves a child to con:nue the infec:on
while the parent keeps trying new hosts – find targets using several mechanisms: 'netstat -‐r -‐n‘, /etc/hosts,
• Worm DO NOT: – Delete system's files, modify exis:ng files, install Trojan horses, record or
transmit decrypted passwords, capture super user privileges
30!
Backdoor or Trapdoor � Secret entry point into a program � Allows those who know access by passing usual security procedures
� Remains hidden to casual inspec:on � Can be a new program to be installed � Can modify an exis:ng program � Trap doors can provide access to a system for unauthorized procedures
� Very hard to block in O/S
31!
Trap Door Example
(a) Normal code. (b) Code with a trapdoor inserted
32!
Logic Bomb • One of oldest types of malicious soAware • Piece of code that executes itself when pre-‐defined condi:ons are
met • Logic Bombs that execute on certain days are known as Time
Bombs • Ac:vated when specified condi:ons met
– E.g., presence/absence of some file – par:cular date/:me – par:cular user
• When triggered typically damage system – modify/delete files/disks, halt machine, etc.
33!
Tracing Logic Bombs • Searching - Even the most experienced programmers have trouble
erasing all traces of their code
• Knowledge - Important to understand the underlying system functions, the hardware, the hardware/software/firmware/operating system interface, and the communications functions inside and outside the computer
• Example of benign logical fun – http://googletricks.com/top-25-fun-google-tricks/ – Type zerg rush in google
34!
Trojan Horse
35!
Trojan Horse • Trojan horse is a malicious program that is designed as
authen:c, real and genuine soAware. • Like the giA horse leA outside the gates of Troy by the
Greeks, Trojan Horses appear to be useful or interes:ng to an unsuspec:ng user, but are actually harmful.
36!
Trojan Percentage
37!
What Trojans can do ? • Erase or overwrite data on a computer • Spread other viruses or install a backdoor. In this case the
Trojan horse is called a 'dropper'. • Sevng up networks of zombie computers in order to launch
DDoS aKacks or send Spam.
• Logging keystrokes to steal informa:on such as passwords and credit card numbers (known as a key logger)
• Phish for bank or other account details, which can be used for criminal ac:vi:es.
• Or simply to destroy data • Mail the password file.
38!
How can you be infected ? • Websites: You can be infected by visi:ng a rogue website.
Internet Explorer is most oAen targeted by makers of Trojans and other pests. Even using a secure web browser, such as Mozilla's Firefox, if Java is enabled, your computer has the poten:al of receiving a Trojan horse.
• Instant message: Many get infected through files sent through various messengers. This is due to an extreme lack of security in some instant messengers, such of AOL's instant messenger.
• E-‐mail: AKachments on e-‐mail messages may contain Trojans. Trojan horses via SMTP.
39!
Sample Delivery • AKacker will aKach the Trojan to an e-‐mail with an en:cing
header. • The Trojan horse is typically a Windows executable
program file, and must have an executable file extension such as .exe, .com, .scr, .bat, or .pif. Since Windows is configured by default to hide extensions from a user, the Trojan horse's extension might be "masked" by giving it a name such as 'Readme.txt.exe'. With file extensions hidden, the user would only see 'Readme.txt' and could mistake it for a harmless text file.
40!
Where They Live ? (1) • Autostart Folder
The Autostart folder is located in C:\Windows\Start Menu\Programs\startup and as its name suggests, automa:cally starts everything placed there.
• Win.ini Windows system file using load=Trojan.exe and run=Trojan.exe to execute the Trojan
• System.ini Using Shell=Explorer.exe trojan.exe results in execu:on of every file aAer Explorer.exe
• Wininit.ini Setup-‐Programs use it mostly; once run, it's being auto-‐deleted, which is very handy for Trojans to restart
41!
Where They Live ? (2) • Winstart.bat
Ac:ng as a normal bat file trojan is added as @trojan.exe to hide its execu:on from the user
• Autoexec.bat It's a DOS auto-‐star:ng file and it's used as auto-‐star:ng method like this -‐> c:\Trojan.exe
• Config.sys Could also be used as an auto-‐star:ng method for Trojans
• Explorer Startup Is an auto-‐star:ng method for Windows95, 98, ME, XP and if c:\explorer.exe exists, it will be started instead of the usual c:\Windows\Explorer.exe, which is the common path to the file.
42!
What the aKacker wants? • Credit Card Informa:on (oAen used for domain
registra:on, shopping with your credit card)
• Any accoun:ng data (E-‐mail passwords, Login passwords, Web Services passwords, etc.)
• Email Addresses (Might be used for spamming, as explained above)
• Work Projects (Steal your presenta:ons and work related papers)
• School work (steal your papers and publish them with his/her name on it)
43!
Stopping the Trojan …
The Horse must be “invited in” ….
44!
How does it get in? Downloading a file
By:
Installing a program Opening an aKachment
Opening bogus Web pages
Copying a file from someone else
Zombie • The program which secretly takes over another
networked computer and force it to run under a common command and control infrastructure.
• Uses it to indirectly launch aKacks, e.g., DDoS, phishing, spamming, cracking
• Difficult to trace zombie’s creator) • Infected computers — mostly Windows machines — are
now the major delivery method of spam.
• Zombies have been used extensively to send e-‐mail spam; between 50% to 80% of all spam worldwide is now sent by zombie computers.
45!
Adware
46!
Scareware / Rouge/ Fake an:virus
47!
Where malware Lives: Auto start • Folder auto-‐start
• Win.ini : run=[backdoor]" or "load=[backdoor]".
• System.ini : shell=”myexplorer.exe”
• Autoexec.bat
• Config.sys • Init.d
48!
Auto start • Assign know extension (.doc) to the malware
• Add a Registry key such as HKCU\SOFTWARE\Microso=\Windows \CurrentVersion\Run
• Add a task in the task scheduler
• Run as service
49!
Web � 1.3% of the incoming search queries to Google returned at a least one malware site
� Visit sites with an army of browsers in VMs, check for changes to local system
� Indicate poten:ally harmful sites in search results
Web: Fake page
51!
Shared folder
52!
53!
Email again
54!
P2P Files
• 35.5% malwares
55!
Typical Symptoms • File dele:on • File corrup:on • Visual effects • Pop-‐Ups • Computer crashes • Slow Connec:on • Spam Relaying
56!
Distributed Denial of Service • A denial-‐of-‐service aKack is an aKack that causes a loss
of service to users, typically the loss of network connec:vity.
• CPU, memory, network connec:vity, network bandwidth, baKery energy
• Hard to address, especially in distributed form
57!
DDoS Mechanism • Goal: make a service unusable.
• How: overload a server, router, network link, by flooding with useless traffic
• Focus: bandwidth aKacks, using large numbers of “zombies”
58!
How it works? • The flood of incoming messages to the target system
essen:ally forces it to shut down, thereby denying service to the system to legi:mate users.
• Vic:m's IP address. • Vic:m's port number. • AKacking packet size. • AKacking inter-‐packet delay. • Dura:on of aKack.
59!
Example 1 • Ping-‐of-‐death
– IP packet with a size larger than 65,536 bytes is illegal by standard
– Many opera:ng system did not know what to do when they received an oversized packet, so they froze, crashed or rebooted.
– Routers forward each packet independently.
– Routers don’t know about connec:ons.
– Complexity is in end hosts; routers are simple.
60!
Example 1
Example 2 • TCP handshake
• SYN Flood – A stream of TCP SYN packets directed to a listening TCP port at the
vic:m – The host vic:m must allocate new data structures to each SYN request – legi:mate connec:ons are denied while the vic:m machine is wai:ng
to complete bogus "half-‐open" connec:ons – Not a bandwidth consump:on aKack
• IP Spoofing
62!
Example 2
63!
From DoS to DDoS
64!
From DoS to DDoS
65!
Distributed DoS AKack
66!
DDoS Countermeasures • Three broad lines of defense:
1. aKack preven:on & preemp:on (before)
2. aKack detec:on & filtering (during)
3. aKack source trace back & iden:fica:on (aAer)
67!