Post on 04-Jan-2016
Chapter 9
Applications
Benevolent Malware
- Benevolent malware?
  o "Obviously a contradiction in terms"
  o Malware characteristics, but tries to do "good"
- Den Zuk --- 1988, removed Brain virus
  o Later versions would reformat disk…
- Cheese --- 2001, removed li0n worm
  o Created lots of network traffic
- Welchia --- 2003, patched problem that Blaster exploited (used official MS patch)
  o Lots of traffic, cure worse than disease
Predator Worms
- Like Cheese and Welchia
- Destroy malware and/or immunize
  o Trying to do good, but it's still illegal
  o Previous "predators" caused problems
  o Might be OK on local network
  o But how to prevent spread to Internet?
- Other technical problems
  o Control, bandwidth use, monitoring, etc.
Benevolent Malware
- No "killer app" for benevolent malware
- Everything can be done by more controlled means
- Many unresolved issues…
  o Legal issues
  o Ethical issues
  o Technical issues
- Mobile agents --- a niche application?
Mobile Agents
- Program transfers itself over network
  o It does things on behalf of a user
  o For example, propagate to various airline sites in search of best airfare
- Questions about mobile agent security
  o Has a lot in common with malware
  o A "solution in search of a problem"?
  o Mobile agents have some advantages, but what they do can be done by other means
Mobile Agents
- Previous master's project
- Platform for Privacy Preferences Project (P3P)
  o Privacy policies that websites follow
- Student developed an "agent-based privacy enhancing model"
  o Used agents to analyze P3P preferences
  o Essentially, a reputation system
  o Research papers are here and here
Spam
- Infection may be "means to an end"
  o For example, DDoS attacks or
- May use zombies/bots for spam
  o Harvest your email address
  o Customized spam so that it looks like it came from you, and so on
- Aycock has lots of interest in spam
  o Spam simulator: Spamulator
Access-for-Sale Worms
- "Scalable, targeted intrusion"
- Compromise machine, install back door
- Access to the back door is for sale
  o Might, for example, use key for access
  o Can't allow unauthorized access
  o So, patch flaws once access obtained
  o Good for ID theft, blackmail, etc.
- Like a botnet, but single machine(s)
Access-for-Sale Worms
- Two "business models"
  1. Organized crime
    o Attacker and cyberthieves work together
    o Defenses?
  2. Disorganized crime
    o Attacker sells access to cyberthieves
    o How to advertise?
    o Defenses?
Access-for-Sale Worms
- Organized crime

Access-for-Sale Worms
- Disorganized crime
Access-for-Sale Worms
- Good idea to use public key crypto
  o That is, worm carries public key, and…
  o Private key used to access back door
- What is the advantage of public key crypto over symmetric key crypto?
Cryptovirology
- Use malware for extortion
- Example: virus encrypts valuable data
  o Victim must pay to get decryption key
  o Again, public key crypto is best here
  o Note that data is encrypted with a symmetric key, and the symmetric key is encrypted with a public key (we call this "hybrid crypto" in CS 265)
  o Password-protected may be good enough
Cryptovirology Examples
- AIDS Trojan --- 1989
  o Floppy disk, sent by mail, with "curious software license"
  o Encrypted files if user didn't pay
- PGPCoder Trojan (Gpcode, 2006)
  o Encrypted files having various extensions
  o Cost $200 to buy decryptor
Information Warfare
- Use computers to supplement (or supplant?) conventional warfare
  o Acquire info from adversary's computers
  o Plant false info, corrupt data, denial of service, etc.
- Laws and such are not clear
- Of limited use if communication infrastructure is damaged…
Information Warfare
- Electronic countermeasures (ECM)
  o Deny enemy use of electronic technology
  o For example, radar jamming
- Information warfare analog of ECM?
  o Denial of service
  o Comparison with traditional ECM?
Information Warfare
- ECM vs DoS
  o Persistence --- jamming usually temporary, malware can last longer
  o Targeting --- ECM uses direct targeting, malware could be direct or indirect
  o Deception --- possible in both cases
  o Range of effects --- limited in ECM, much broader with malware (logic bomb, DoS, precision attack, intelligence gathering, forced quarantine, …)
Information Warfare
- ECM vs DoS
  o Reliability --- ECM may be more difficult to test, so reliability is less certain
  o Continuity --- ECM subject to "ECCM", while malware only has to succeed once and can attack weakest link
- Indirect ways to insert malware?
  o Software vendors, dormant in systems, deliberately leak infected systems, etc.
Cyberterrorism
- Difficult to define?
- Create fear, not just irritate users
  o Inability to use facebook does not strike fear of death into (most) users
- So cyberterrorist must somehow create tangible results in real world
  o Nuclear power plants, utility grid, … ???
Cyberterrorism
- Similar uses as info warfare
  o That is, supplement to real attacks
  o For example, attack communication infrastructure during physical attack to delay response, cause confusion, etc.
- Disinformation before and during attack
- Other?