Computer Security: Principles and Practice
Introduction by William Stallings and Lawrie Brown
Lecture slides by Lawrie Brown & Susan Lincke
Chapter 6 – Malicious Software = Malware
Study Sheet
• Define attacks: cracking, script kiddies, cyberterrorist, phishing, spearphishing, pharming, drive-by download.
• Define and provide examples for: social engineering, Denial of Service.
• Define and describe: DDoS, logic bomb, worm, virus, trojan horse, backdoor, botnet, handler, bot, spyware, adware, rootkit, spamware, crimeware.
• Define and describe: stealth virus, polymorphic virus, metamorphic virus, macro virus, boot sector virus, zero-day exploit, rate limiting, immune system.
• Describe why ‘ethical’ hackers are not completely ethical.
• Define the 4 stages of viruses and worms.
• Define 4 mechanisms antivirus software uses to recognize or control viruses and worms.
The Problem of Network Security
The Internet allows an attacker to attack from anywhere in the world from their home desk. They need to find only one vulnerability; a security analyst needs to close every vulnerability.
2009: CSI/FBI Computer Crime and Security Survey
Losses: $234,244 average per respondent (185 respondents). Top 3 in $:
• Wireless Exploit ($770K – 7.6%)
• Theft of Personal Information ($710K – 16%)
• Financial Fraud ($450K – 19.5%)
Top in % of Organizations Experiencing:
• Malware Infection (64.3%)
• Laptop or mobile H/W theft (42.2%)
• Phishing in which the organization was fraudulently represented as sender (34%)
• Insider abuse of Net access or e-mail (29.7%)
• Denial of Service (29.2%)
• Bots (zombies) within the organization (23%)
• Financial Fraud ($450K – 19.5%)
• Password sniffing (17.3%)
• Theft of Personal Information ($710K – 16%)
• Unauthorized access to information by insider (14%)
• Web site defacement (14%)
• Wireless Network Exploit ($770K – 7.6%)
• Instant messaging misuse (7.6%)
• DNS server exploit (7%)
Crackers
• Cracker: computer-savvy programmer who creates attack software
• Hacker Bulletin Board: SQL injection, buffer overflow, password crackers, password dictionaries; “Successful attacks! Crazyman broke into … CoolCat penetrated…”
• System Administrators: some of the same scripts are useful to protect networks…
• Script Kiddies: know how to execute programs
• Criminals: create & sell botnets -> spam; sell credit card numbers, …
• Going rates: crimeware or attack kit = $1K-2K; 1 M email addresses = $8; 10,000 PCs = $1000
Other Hackers/Crackers:
• Cyberterrorists
• Cyberwar: national governments attack IT
• Espionage: accused: France, Russia, China, South Korea, Germany, Israel, India, Pakistan, US
Ethical Hackers
• “Do no damage”. However they approve of:
  • Changing security logs
  • Disabling security protections
  • Reading corporate information
• Attitude: hacking is beneficial: keeps ‘stupid corp’s on their toes’
Malicious Software
• programs exploiting system vulnerabilities
• known as malicious software or malware
• program fragments that need a host program, e.g. viruses, logic bombs, and backdoors
• independent self-contained programs, e.g. worms, bots
• replicating or not
• sophisticated threat to computer systems
Malware Propagation Classification
• Infection of executable (e.g., virus)
• Social engineering (e.g., phishing, trojans)
• Exploit of software vulnerability (SQL attack, worm)
Social Engineering
Example pretexts:
• “I need a password reset. What is the passwd set to?”
• Email: “ABC Bank has noticed a problem with your account…”
• “This is John, the System Admin. What is your password?”
• “I have come to repair your machine… and have some software patches.”
• “What ethnicity are you? Your mother’s maiden name?”
Phishing = Fake Email
• “ABC BANK: Your bank account password is about to expire. Please login…”
• “The bank has found problems with your account. Please contact …”
Spearphishing:
• “John: This was a cool YouTube link: … Alice”
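The slide's two phishing samples share the pattern defenders look for: a pretext with urgency and a login link whose visible text does not match where it actually points. The following is an added example (not from the slides or the textbook) of a mail-gateway style heuristic that pulls every anchor out of an HTML message, compares the domain shown in the link text with the domain in the href, and counts urgency phrases. The two messages, the phrase list and the domain names are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real mail). The first mimics the slide's
# "password about to expire, please login" lure; the second is a benign note.
SAMPLE_PHISH_HTML = """
<p>Dear Customer,</p>
<p>Your bank account password is about to expire.
Please <a href="http://login.abc-bank-secure.example/reset">login at https://www.abcbank.example</a>
within 24 hours or your account will be suspended.</p>
"""

SAMPLE_LEGIT_HTML = """
<p>Hi Alice, the quarterly report is posted at
<a href="https://intranet.example/reports/q3">https://intranet.example/reports/q3</a>.</p>
"""

# Constructed list of pressure phrases typical of phishing pretexts.
URGENCY_PHRASES = ("about to expire", "suspended", "within 24 hours",
                   "verify your account", "immediately")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registered-domain extraction: the last two labels of a hostname."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of(url):
    return registered_domain(urlparse(url).hostname or "")


def score_email(html):
    """Return (score, reasons). Each phishing indicator found adds one to the score."""
    collector = LinkCollector()
    collector.feed(html)
    reasons = []
    for href, text in collector.links:
        shown = re.search(r"https?://[^\s]+", text)
        # Displayed URL and real target disagree: the classic fake-login-link tell.
        if shown and domain_of(shown.group(0)) != domain_of(href):
            reasons.append(f"link text shows {shown.group(0)} but points to {href}")
        if href.startswith("http://"):
            reasons.append(f"plain-http link {href}")
    lower = html.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lower:
            reasons.append(f"urgency phrase: '{phrase}'")
    return len(reasons), reasons


if __name__ == "__main__":
    for label, msg in (("phish", SAMPLE_PHISH_HTML), ("legit", SAMPLE_LEGIT_HTML)):
        score, why = score_email(msg)
        print(label, score, why)
```

The domain comparison is deliberately simple (last two labels), which misclassifies country-code second-level domains such as `.co.uk`; a production filter would use a public-suffix list instead.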
Pharming = Fake web pages
• A fake web page may lead to a real web page
• The fake web page looks like the real thing
• Extracts account information
(Diagram: www.abc.com, www.abcBank.com, a Login/Passwd form, “Welcome To ABC Bank”)
Denial of Service
• Single-Message DoS Attacks: crash or disable the system by attacking a vulnerability
• Flooding DoS Attack: flood the victim with requests
• SYN Flooding: flood the victim host with TCP SYNs (which initiate sessions)
• Smurf Attack: broadcast pings to third parties with the source address of the victim host
• Rabbit or Bacteria: reproduces exponentially, using up system resources
Logic Bomb
Logic Bomb = malware that has a malicious purpose in addition to its functional purpose
• Ransomware: software which will malfunction if a maintenance fee is not paid
• + Social Engineering: “Try this game…it is so cool”
• The game also emails the password file.
Drive-By Download
• A web site exploits a vulnerability in the visitor’s browser when the site is viewed
Games (illustration):
• Vampires and Wolfmen
• Planet of the Apes
• Dungeons and Dragons
Virus
(Illustration: “Dear John, This link is a cool web site”)
• A virus attaches itself to a program, file, or disk
• When the program is executed, the virus too is executed
• When the program is given away (floppy/email) the virus spreads
• The virus may be benign or malignant but executes its payload at some point (often upon contact)
(Diagram: Program A -> Program A + Extra Code, labelled “infects”)
Viruses
• piece of software that infects programs
• modifying them to include a copy of the virus
• so it executes secretly when the host program is run
• a typical virus goes through phases of:
  • Dormant: wait for file presence, date, event, …
  • Propagation: spreading technique
  • Triggering: complete full intention
  • Execution: harmless or harmful
Virus Structure
• components:
  • infection mechanism - enables replication
  • trigger - event that makes the payload activate
  • payload - what it does, malicious or benign
• prepended / postpended / embedded
• when the infected program is invoked, it executes the virus code, then the original program code
• can block initial infection (difficult)
• or propagation (with access controls)
Virus Target Classification
• boot sector: spreads when the system is booted from a disk containing the virus
• macro virus: inserted in an application file as a script (e.g., MS Word doc.)
• file infector: infects executables in the OS or shell
• multipartite: infects multiple ways
Virus Concealment Strategies
• encrypted virus: uses a random key to encrypt the virus, and stores the key with the virus
• stealth virus: hides via encryption, file sizing, virus location, rootkit
• polymorphic virus: mutates a new virus with each infection
• metamorphic virus: changes itself with each iteration; also polymorphic
Macro Virus
• became very common in mid-1990s since:
  • platform independent
  • infect documents
  • easily spread
• exploit macro capability of office apps
• executable program embedded in MS Office doc
• often a form of Basic
• more recent releases include protection
• recognized by many anti-virus programs
E-Mail Viruses
• more recent development
• e.g. Melissa
  • exploits MS Word macro in attached doc
  • if attachment opened, macro activates
  • sends email to all on the user’s address list
  • does local damage
• had no Dormant phase -> faster propagation
• 100k computers in 3 days
Brain Virus
• Lodges in upper memory, then sets the upper memory bound below itself
• Replaces the interrupt vector for disk reads to screen disk read calls; calls the interrupt handler after screening
• Places itself in the boot sector and six other sectors on disk
• Marks sectors as ‘bad’ so they will not get overwritten
• Variants erase disks or destroy the file allocation table
Virus Countermeasures
• prevention - ideal solution but difficult
• realistically need:
  • detection
  • identification
  • removal
• if detect but can’t identify or remove, must discard and replace the infected program
Anti-Virus Evolution
• virus & antivirus tech have both evolved
• early viruses simple code, easily removed
• more complex viruses -> more complex countermeasures
• 4 generations:
  • first - signature scanners
  • second – heuristics: integrity checking & fragment recognition
  • third - identify actions (e.g., decompression)
  • fourth - combination packages: limit access control to system & files
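The first two generations above are small enough to show end to end. This added example (not from the slides or the textbook) implements a signature scanner and an integrity checker over a constructed temporary directory: it records a SHA-256 baseline of every file, appends a constructed "signature" to one of them to mimic a postpended infection, and then shows that the integrity check flags the changed file and the signature scan names the pattern. The signature byte strings and file names are made up for this example.

```python
import hashlib
import os
import tempfile

# Constructed signatures standing in for known-malware byte patterns.
SIGNATURES = {
    "DemoSig.A": b"DEMO-MALWARE-SIGNATURE-A",
    "DemoSig.B": b"DEMO-MALWARE-SIGNATURE-B",
}


def sha256_of(path):
    """Hash a file in chunks so large executables do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Second-generation integrity check, step 1: record a hash of every file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = sha256_of(path)
    return baseline


def check_integrity(root, baseline):
    """Step 2: return (changed_or_new, removed) relative paths versus the baseline."""
    current = build_baseline(root)
    changed = [p for p, digest in current.items() if baseline.get(p) != digest]
    removed = [p for p in baseline if p not in current]
    return sorted(changed), sorted(removed)


def signature_scan(root):
    """First-generation signature scanner: files containing a known byte pattern."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            for sig_name, pattern in SIGNATURES.items():
                if pattern in data:
                    hits[os.path.relpath(path, root)] = sig_name
    return hits


def demo():
    """Create a constructed two-file tree, baseline it, modify one file, re-check."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "app.bin"), "wb") as f:
        f.write(b"legitimate program bytes")
    with open(os.path.join(root, "util.bin"), "wb") as f:
        f.write(b"another clean program")
    baseline = build_baseline(root)
    # Simulate a postpended infection: extra bytes appended to an existing executable.
    with open(os.path.join(root, "app.bin"), "ab") as f:
        f.write(b"\x90\x90" + SIGNATURES["DemoSig.A"])
    changed, removed = check_integrity(root, baseline)
    hits = signature_scan(root)
    return changed, removed, hits


if __name__ == "__main__":
    print(demo())  # (['app.bin'], [], {'app.bin': 'DemoSig.A'})
```

The integrity check catches the modification even if no signature matched, which is why it was the second generation's answer to novel viruses; the signature scan, by contrast, also identifies which virus it is, which the slide notes is needed before removal.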
Generic Decryption
• runs executable files through a GD scanner:
  • CPU emulator to interpret instructions
  • virus scanner to check known virus signatures
  • emulation control module to manage the process
• lets the virus decrypt itself in the interpreter
• periodically scans for virus signatures
• issue is how long to interpret and scan?
• tradeoff: chance of detection vs time delay
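The detection-versus-delay tradeoff is easiest to see with a toy. This added example (not from the slides or the textbook) builds a constructed memory image whose body is XOR-encrypted, a "program" of one XOR instruction per byte followed by a run instruction, and a tiny emulator that steps that program while scanning memory for a constructed signature every few instructions. A static scan of the image misses the signature; the generic-decryption scan finds it only if the step budget is large enough for the sample to finish decrypting itself. The instruction set, signature and key are all made up for this example.

```python
# Constructed toy signature and key; nothing here is real malware.
SIGNATURE = b"TOY-PAYLOAD-SIGNATURE"
KEY = 0x5A


def build_sample(body=SIGNATURE, key=KEY):
    """Memory image with the body XOR-encrypted at offset 0, plus a decryptor program."""
    memory = bytearray(b ^ key for b in body)
    # Decryptor: one XOR instruction per byte, then a 'run' of the decrypted body.
    program = [("xor", i, key) for i in range(len(body))] + [("run", 0, len(body))]
    return memory, program


class Emulator:
    """Minimal CPU emulator for the two-instruction toy program above."""

    def __init__(self, memory, program):
        self.memory = memory
        self.program = program
        self.pc = 0
        self.halted = False

    def step(self):
        op, a, b = self.program[self.pc]
        if op == "xor":
            self.memory[a] ^= b
        elif op == "run":
            # The decrypted body would execute here; emulation stops instead.
            self.halted = True
        self.pc += 1


def generic_decryption_scan(memory, program, max_steps, scan_every=4):
    """Emulate up to max_steps instructions, scanning the emulated memory for the
    signature every scan_every steps and when the sample halts.
    Returns (found, steps_emulated)."""
    emu = Emulator(bytearray(memory), program)  # copy: the original image is untouched
    steps = 0
    while steps < max_steps and not emu.halted:
        emu.step()
        steps += 1
        if steps % scan_every == 0 or emu.halted:
            if SIGNATURE in emu.memory:
                return True, steps
    return False, steps


def static_scan(memory):
    """Plain signature scan of the file image, with no emulation."""
    return SIGNATURE in memory


if __name__ == "__main__":
    mem, prog = build_sample()
    print("static scan:", static_scan(mem))                          # False
    print("budget 10:", generic_decryption_scan(mem, prog, 10))      # (False, 10)
    print("budget 100:", generic_decryption_scan(mem, prog, 100))    # (True, 22)
```

With a budget of 10 instructions only part of the body has been decrypted when the scanner gives up, which is the false negative the slide warns about; with a generous budget the signature is found at step 22, right after the last XOR, at the cost of emulating the whole decryptor.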
Worm: independent program which replicates itself and sends copies from computer to computer across network connections. Upon arrival the worm may be activated to replicate.
(Diagram: worm sends copies to Joe, Ann and Jill using the email list Joe@uwp.edu, Ann@uws.edu, Jill@uwm.edu)
Worms
• replicating program that propagates over the net
• using email, remote exec, remote login
• has phases like a virus: dormant, propagation, triggering, execution
• propagation phase: automatically ‘scans’ for other systems, connects to them, copies itself to them and runs
• fast spread phase: each infection spreads to n other nodes, exponentially
• may disguise itself as a system process
Morris Worm
• one of the best known worms
• released by Robert Morris in 1988
• various attacks on UNIX systems:
  • cracking the password file to use login/password to log on to other systems
  • exploiting a bug in the finger protocol
  • exploiting a bug in sendmail to issue commands
• if successful, had remote shell access
Morris Worm – cont’d
• Created by Robert Morris, convicted 1990, received $10K fine & 3 years jail, 400 hours community service
• Unintended effect: denial of service due to resource exhaustion: worms created more worms (even on the same machine)
• Once a system was penetrated: sent a bootstrap loader of 99 lines of C code to be executed on the target machine
• Downloader: fetched the rest of the worm, verified by password
• Stealth: encrypted itself, deleted the original version, changed its name periodically
Worm Technology
• Multiplatform: Unix, Windows, …
• Multi-exploit: travels in multiple ways
• Polymorphic: generations mutate
• Metamorphic: self-mutating & polymorphic
• Transport vehicles: auto-builds bots
• Zero-day exploit: attacks a vulnerability before the vulnerability is known
Worm Countermeasures
• overlaps with anti-virus techniques
• once the worm is on the system, A/V can detect it
• worms also cause significant net activity
• worm defense approaches include:
  • signature-based worm scan filtering
  • filter-based worm containment
  • payload-classification-based worm containment
  • threshold random walk scan detection
  • rate limiting and rate halting: puts a speed limit on scanning / fingerprinting actions
Proactive Worm Containment
Looks for surges in the frequency of outgoing connection attempts and in the diversity of connections to remote hosts. When such a surge is detected, the software immediately blocks its host from further connection attempts.
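Two of the network-side defenses just listed, threshold random walk scan detection and the rate/diversity surge rule of proactive worm containment, can be run side by side over the same connection log. This added example (not from the slides or the textbook) constructs an outgoing-connection log for two hosts, a normal workstation and one whose burst of mostly refused attempts to many distinct addresses looks like worm scanning, and applies both detectors. The host names, addresses, thresholds and the benign/scanner success probabilities are assumptions chosen for the example.

```python
import math
from collections import defaultdict, deque

# Constructed outgoing-connection log: (time_seconds, src_host, dst_host, succeeded).
LOG = (
    # normal workstation: a few connections to a few servers, all successful
    [(t, "ws1", f"srv{t % 3}", True) for t in range(0, 60, 10)]
    # suspect host: 40 attempts in 4 seconds to 40 distinct addresses, 90% refused
    + [(30 + i * 0.1, "ws2", f"10.0.0.{i}", i % 10 == 0) for i in range(40)]
)


def surge_containment(log, window=5.0, rate_threshold=20, diversity_threshold=15):
    """Proactive worm containment: block a host whose attempts within the last
    `window` seconds are both numerous and spread over many distinct destinations.
    Returns {host: time_blocked}."""
    blocked = {}
    recent = defaultdict(deque)  # src -> deque of (time, dst) inside the window
    for t, src, dst, _ in sorted(log):
        if src in blocked:
            continue  # a blocked host's later attempts never leave the machine
        q = recent[src]
        q.append((t, dst))
        while q and q[0][0] < t - window:
            q.popleft()
        distinct = len({d for _, d in q})
        if len(q) >= rate_threshold and distinct >= diversity_threshold:
            blocked[src] = t
    return blocked


def trw_detect(log, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.01):
    """Threshold random walk: a sequential likelihood-ratio test on connection outcomes.
    theta0 / theta1 = P(connection succeeds) for a benign host / a scanner;
    alpha / beta = target false-positive / false-negative rates.
    Returns {host: 'scanner' | 'benign'} for hosts that crossed a threshold."""
    eta1 = math.log((1 - beta) / alpha)  # upper threshold: declare scanner
    eta0 = math.log(beta / (1 - alpha))  # lower threshold: declare benign
    walk = defaultdict(float)
    verdict = {}
    for _, src, _, ok in sorted(log):
        if src in verdict:
            continue
        p0 = theta0 if ok else 1 - theta0
        p1 = theta1 if ok else 1 - theta1
        walk[src] += math.log(p1 / p0)  # failures push up, successes push down
        if walk[src] >= eta1:
            verdict[src] = "scanner"
        elif walk[src] <= eta0:
            verdict[src] = "benign"
    return verdict


if __name__ == "__main__":
    print("blocked by surge rule:", surge_containment(LOG))
    print("TRW verdicts:", trw_detect(LOG))
```

TRW reaches its verdict on ws2 after only six attempts (one success, five refusals) because each refused connection is four times as likely for a scanner as for a benign host under the assumed probabilities; the surge rule needs twenty attempts inside the window before it acts. That difference is the rate-versus-accuracy tension the containment slide describes: a tighter surge threshold blocks sooner but risks cutting off a busy but legitimate host.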
Root Kit
• Upon penetrating a computer, a hacker installs a root kit
• May enable:
  • Easy entrance for the hacker (and others)
  • Keystroke logger
• Eliminates evidence of break-in
• Modifies the operating system
• Requires new OS install, when detected
(Diagram: backdoor entry, keystroke logger, hidden user)
Exploit/Maintain Access
• Backdoor: abnormal way to enter a system, provided by a programmer or a vulnerability
• Trojan Horse: useful utility that also performs a malicious function
• User-Level Rootkit: replaces system executables (e.g. login, ls, du) to hide itself
• Kernel-Level Rootkit: replaces OS kernel components (e.g. process or file control) to hide
• Bots: slave forwards/performs commands; spreads, lists email addresses, DoS attacks
• Spyware/Adware: spyware collects info (keystroke logger, collects credit card #s); adware inserts ads, filters search results
Distributed Denial of Service
(Diagram: attacker -> handler -> zombies/bots (flooders) in China, Russia, United States -> victim)
• Can barrage a victim server with requests, causing the network to fail to respond to anyone
Botnets
(Diagram: attacker -> handler -> bots/zombies in India, Hungary)
Bots:
• Host illegal movies, music, pornography, criminal web sites, …
• Forward spam for financial gain
• Sniffing traffic or keylogging
• DDoS, spread bots
• Manipulate voting games
• Generate clicks for ads
Bots
• program taking over other computers
• hard to trace attacks
• if coordinated, form a botnet
• characteristics:
  • remote control facility, via IRC/HTTP etc
  • spreading mechanism: attack software, vulnerability, scanning strategy
• various counter-measures applicable
Attack Kit - Crimeware
• Attack kit: tools which generate malware automatically, with varied propagation and payload mechanisms
• Auto-rooter: breaks into new machines remotely
• Downloader: the original attack opens the door, then downloads the full attack software
• Spammer program: generates large volumes of unwanted email
Summary: Malware Payload Classification
• Theft of Information: e.g. keyloggers, spyware, pharming
• Stealth (hide presence): rootkit, backdoors, viruses/worms
• Theft of Service: botnet, Denial of Service / DDoS, ransomware, adware, spammers
• Corruption of System or Files: virus, worm, rootkit
Summary: Malware Controls
Two A/V methods:
• Rate limiting or rate halting: halt or slow down suspicious activity
• Immune System: analyzes new malware in a sandbox, recognizes and removes it, sends a prescription
Look for:
• Are traffic (flows) entering the network valid?
• Is traffic exiting the network valid?
• Are actions on the computer suspicious?
• Are actions by the program suspicious?