Malicious Software By Kavita Khanna ( kavita_jairath@yahoo ) & Himani Singh
Raja M. Khurram Shahzad
MALICIOUS SOFTWARE
Overview
• Introduction
• Virus
• Worm
• Other Malicious Software
  o Backdoor/Trapdoor
  o Logic Bomb
  o Trojan Horse
• DDoS Attack
  o DDoS Description
  o Construction of Attack
Program Definition
• A computer program tells a computer what to do and how to do it.
• Computer viruses, network worms, and Trojan horses are computer programs.
Malicious software?
• Malicious software (malware) is software that is included or inserted in a system for harmful purposes.
OR
• Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do.
The Malware Zoo
• Virus
• Worms
• Logic Bomb
• Trojan horse
• Zombie
• Scareware
• Adware
• Backdoor / Trapdoors
Taxonomy of Malicious Programs
• Need a host program: Trapdoors, Logic Bombs, Trojan Horses, Viruses
• Independent: Zombies, Worms
Most current malicious code mixes all capabilities!
What is it good for?
• Steal personal information
• Delete files
• Click fraud
• Steal software serial numbers
What to Infect
• Executable
• Interpreted file
• Kernel
• Service
• Master Boot Record
Virus
• Self-replicating code that attaches itself to another program and executes secretly when the host program is executed.
• No hidden action – generally tries to remain undetected, but what about activities such as deleted files?
Parts of a Virus
• Three parts
  – Infection Mechanism: The means by which a virus spreads, enabling it to replicate; also referred to as the Infection Vector.
  – Trigger: The event or condition that determines when the payload is activated or delivered.
  – Payload: The payload may involve damage or may involve benign but NOTICEABLE activity.
Phases – Life Cycle
• Dormant phase – the virus is idle
• Propagation phase – the virus places an identical copy of itself into other programs
• Triggering phase – the virus is activated to perform the function for which it was intended
• Execution phase – the function is performed
Virus Structure
Operation routine
• Operates when the infected code is executed (execution sequence):
  – Jump to the main virus program
  – If the spread (infection) condition holds, then for each target file: if not already infected, alter the file to include the virus
  – Perform the malicious action
  – Transfer control back
  – Execute the normal program
• If the infection phase is rapid, the user will not notice any difference between the execution of the infected program and the uninfected program.
Types of Viruses – on the basis of target
• Boot Sector Infector: Infects the master boot record / boot record (boot sector) of a disk and spreads when a system is booted with an infected disk (original DOS viruses). They are memory-resident viruses.
• File Infector: Infects executable files; also called a Parasitic Virus, as they attach themselves to executable files as part of their code. Runs whenever the host program is executed.
• Macro Virus: Infects files with macro code that is interpreted by the relevant application, such as doc or excel files.
Types of Viruses – on the basis of concealment strategy
• Encrypted Virus – A portion of the virus creates a random encryption key and encrypts the remainder of the virus. The key is stored with the virus. When the virus replicates, a different random key is generated.
• Stealth Virus – Explicitly designed to hide from virus scanning programs.
• Polymorphic Virus – Mutates with every new host to prevent signature detection; signature detection is useless against it.
• Metamorphic Virus – Rewrites itself completely with every new host; may change its behavior and appearance.
Recent addition: Email Virus
• Moves around in e-mail messages, triggered when the user opens an attachment
• Does local damage on the user's system
• Propagates very quickly
• Replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book
Examples of risky file types
• The following file types should never be opened if…
  – .EXE
  – .PIF
  – .BAT
  – .VBS
  – .COM
Virus Propagation
• Virus written in some language, e.g. C, C++, Assembly, etc.
• Inserted into another program – using a tool called a "dropper"
• Virus dormant until the program is executed – then infects other programs – eventually executes its "payload"
Virus Propagation
• An executable program
• With a virus at the front (file size is increased)
• With the virus at the end (file size is increased)
• With a virus spread over free space within the program
Virus Propagation
(a) A program (b) Infected program (c) Compressed infected program (d) Encrypted virus (e) Compressed virus with encrypted compression code
Anti-virus
• It is not possible to build a perfect virus/malware detector.
• Analyze system behavior
• Analyze the binary to decide if it is a virus
• Types:
  – Scanner
  – Real-time monitor
Anti-virus
• Scanners
  – First generation: relied on signatures.
  – Second generation: relied on heuristic rules or integrity checking (e.g. a checksum appended to a program).
• Real-time monitors
  – Third generation: memory resident, identify a virus by its actions (behaviour).
  – Fourth generation: combination of different capabilities.
Worm
A computer worm is a self-replicating computer virus. It uses a network to send copies of itself to other nodes and does so without any user intervention.
Comparison of Worm Features
1) Computer Virus: • Needs a host file • Copies itself • Executable
2) Network Worm: • No host (self-contained) • Copies itself • Executable
3) Trojan Horse: • No host (self-contained) • Does not copy itself • Imposter program
Worm: History
• Runs independently – does not require a host program
• Propagates a fully working version of itself to other machines
• History
  ◦ Morris worm was one of the first worms distributed over the Internet
• Two examples
  ◦ Morris – 1988
  ◦ Slammer – 2003
Worm Operation
• A worm has phases similar to a virus:
  – Dormant (inactive; at rest)
  – Propagation: search for other systems to infect; establish a connection to the target remote system; replicate self onto the remote system
  – Triggering
  – Execution
Morris Worm
• Best known classic worm
• Released by Robert Morris in 1988
• Targeted Unix systems, using several propagation techniques
• If any attack succeeded, it replicated itself
Slammer (Sapphire) Worm
• When: Jan 25 2003
• How: exploited a buffer overflow in MS SQL; random scanning – randomly selected IP addresses
• Cost: caused ~ $2.6 billion in damage
Slammer Scale
The diameter of each circle is a function of the number of infected machines, so large circles visually under-represent the number of infected cases in order to minimize overlap with adjacent locations.
The worm itself …
• System load
  ◦ Infection generates a number of processes
  ◦ Password cracking uses lots of resources
  ◦ Thousands of systems were shut down
• Tries to infect as many other hosts as possible
  – When the worm successfully connects, it leaves a child to continue the infection while the parent keeps trying new hosts
  – Finds targets using several mechanisms: 'netstat -r -n', /etc/hosts,
• The worm does NOT:
  – Delete the system's files, modify existing files, install Trojan horses, record or transmit decrypted passwords, capture super-user privileges
Backdoor or Trapdoor
• Secret entry point into a program
• Allows those who know it to gain access, bypassing the usual security procedures
• Remains hidden to casual inspection
• Can be a new program to be installed
• Can modify an existing program
• Trap doors can provide access to a system for unauthorized procedures
• Very hard to block in the O/S
Trap Door Example
(a) Normal code. (b) Code with a trapdoor inserted
Logic Bomb
• One of the oldest types of malicious software
• Piece of code that executes itself when pre-defined conditions are met
• Logic bombs that execute on certain days are known as Time Bombs
• Activated when specified conditions are met
  – E.g., presence/absence of some file
  – particular date/time
  – particular user
• When triggered, typically damages the system – modify/delete files/disks, halt machine, etc.
Tracing Logic Bombs
• Searching – Even the most experienced programmers have trouble erasing all traces of their code
• Knowledge – Important to understand the underlying system functions, the hardware, the hardware/software/firmware/operating system interface, and the communications functions inside and outside the computer
• Example of benign logical fun
  – http://googletricks.com/top-25-fun-google-tricks/
  – Type zerg rush in Google
Trojan Horse
• A Trojan horse is a malicious program that is designed to look like authentic, real and genuine software.
• Like the gift horse left outside the gates of Troy by the Greeks, Trojan horses appear to be useful or interesting to an unsuspecting user, but are actually harmful.
Trojan Percentage
What can Trojans do?
• Erase or overwrite data on a computer
• Spread other viruses or install a backdoor. In this case the Trojan horse is called a 'dropper'.
• Set up networks of zombie computers in order to launch DDoS attacks or send spam.
• Log keystrokes to steal information such as passwords and credit card numbers (known as a key logger)
• Phish for bank or other account details, which can be used for criminal activities.
• Or simply destroy data
• Mail the password file.
How can you be infected?
• Websites: You can be infected by visiting a rogue website. Internet Explorer is most often targeted by makers of Trojans and other pests. Even when using a secure web browser, such as Mozilla's Firefox, if Java is enabled, your computer has the potential of receiving a Trojan horse.
• Instant message: Many get infected through files sent through various messengers. This is due to an extreme lack of security in some instant messengers, such as AOL's instant messenger.
• E-mail: Attachments on e-mail messages may contain Trojans. Trojan horses via SMTP.
Sample Delivery
• The attacker will attach the Trojan to an e-mail with an enticing header.
• The Trojan horse is typically a Windows executable program file, and must have an executable file extension such as .exe, .com, .scr, .bat, or .pif. Since Windows is configured by default to hide extensions from a user, the Trojan horse's extension might be "masked" by giving it a name such as 'Readme.txt.exe'. With file extensions hidden, the user would only see 'Readme.txt' and could mistake it for a harmless text file.
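A mail-gateway check for the masked-extension trick above and for the risky file types listed earlier, as an added example that is not part of the original slides. The extension sets, the block/warn/allow policy and the sample attachment names are constructed assumptions; the check reproduces what the user would see with extensions hidden and flags names whose visible remainder still looks like a document.

```python
# Extensions the slides list as risky (.scr comes from the delivery slide)
RISKY_EXTENSIONS = {"exe", "pif", "bat", "vbs", "com", "scr"}
# Extensions a user would expect to belong to harmless documents or images (assumed set)
DOCUMENT_LIKE = {"txt", "doc", "docx", "pdf", "jpg", "png", "gif"}


def classify_attachment(filename):
    """Return how Windows would display the name and whether it is risky or masked."""
    name = filename.strip()
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        # No extension at all: nothing to hide, nothing to execute by extension
        return {"name": name, "shown_as": name, "risky": False, "masked": False}
    ext = parts[-1]
    risky = ext in RISKY_EXTENSIONS
    # With "hide extensions for known file types" on, the last extension is dropped
    shown_as = name[: name.rfind(".")]
    # Masked: the part the user still sees ends in a document-like extension
    masked = risky and len(parts) >= 3 and parts[-2] in DOCUMENT_LIKE
    return {"name": name, "shown_as": shown_as, "risky": risky, "masked": masked}


def triage(filenames):
    """Partition attachment names into block / warn / allow (assumed gateway policy)."""
    decisions = {"block": [], "warn": [], "allow": []}
    for fn in filenames:
        info = classify_attachment(fn)
        if info["masked"]:
            decisions["block"].append(info["name"])
        elif info["risky"]:
            decisions["warn"].append(info["name"])
        else:
            decisions["allow"].append(info["name"])
    return decisions


# Constructed sample attachment names, including the slide's 'Readme.txt.exe'
SAMPLE_ATTACHMENTS = ["Readme.txt.exe", "invoice.pdf", "setup.EXE", "photo.jpg.scr", "notes"]
```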
Where They Live? (1)
• Autostart Folder: The Autostart folder is located in C:\Windows\Start Menu\Programs\startup and, as its name suggests, automatically starts everything placed there.
• Win.ini: Windows system file; using load=Trojan.exe and run=Trojan.exe executes the Trojan
• System.ini: Using Shell=Explorer.exe trojan.exe results in the execution of every file listed after Explorer.exe
• Wininit.ini: Setup programs use it mostly; once run, it is auto-deleted, which is very handy for Trojans to restart
Where They Live? (2)
• Winstart.bat: Acting as a normal bat file; the trojan is added as @trojan.exe to hide its execution from the user
• Autoexec.bat: It's a DOS auto-starting file and it's used as an auto-starting method like this -> c:\Trojan.exe
• Config.sys: Could also be used as an auto-starting method for Trojans
• Explorer Startup: Is an auto-starting method for Windows 95, 98, ME, XP; if c:\explorer.exe exists, it will be started instead of the usual c:\Windows\Explorer.exe, which is the common path to the file.
What does the attacker want?
• Credit card information (often used for domain registration, shopping with your credit card)
• Any accounting data (e-mail passwords, login passwords, web services passwords, etc.)
• Email addresses (might be used for spamming, as explained above)
• Work projects (steal your presentations and work-related papers)
• School work (steal your papers and publish them with his/her name on them)
Stopping the Trojan …
The Horse must be "invited in" ….
How does it get in? By:
• Downloading a file
• Installing a program
• Opening an attachment
• Opening bogus Web pages
• Copying a file from someone else
Zombie
• A program which secretly takes over another networked computer and forces it to run under a common command and control infrastructure.
• Uses it to indirectly launch attacks, e.g., DDoS, phishing, spamming, cracking
• Difficult to trace the zombie's creator
• Infected computers (mostly Windows machines) are now the major delivery method of spam.
• Zombies have been used extensively to send e-mail spam; between 50% and 80% of all spam worldwide is now sent by zombie computers.
Adware
Scareware / Rogue / Fake antivirus
Where malware lives: Auto start
• Folder auto-start
• Win.ini: run=[backdoor] or load=[backdoor]
• System.ini: shell="myexplorer.exe"
• Autoexec.bat
• Config.sys
• Init.d
Auto start
• Assign a known extension (.doc) to the malware
• Add a Registry key such as HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• Add a task in the task scheduler
• Run as a service
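An audit of the Win.ini and System.ini persistence entries described on the "Where They Live" slides and summarised above, as an added example that is not part of the original slides. The two .ini texts are constructed to contain the load=, run= and shell= entries the slides describe; the rule that shell= must be exactly Explorer.exe is the assumption behind the System.ini check.

```python
import configparser

# Constructed win.ini: a load= entry pointing at a trojan, run= left empty
WIN_INI = """[windows]
load=C:\\Windows\\Trojan.exe
run=
[Desktop]
Wallpaper=C:\\Windows\\clouds.bmp
"""

# Constructed system.ini: the shell= trick that runs trojan.exe after Explorer
SYSTEM_INI = """[boot]
shell=Explorer.exe trojan.exe
"""


def _parse(text):
    """Parse an old-style .ini file; no interpolation, tolerate duplicate keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(text)
    return cp


def audit_win_ini(text):
    """Return (key, value) for every non-empty load= / run= under [windows]; both auto-execute."""
    cp = _parse(text)
    findings = []
    if cp.has_section("windows"):
        for key in ("load", "run"):
            value = cp.get("windows", key, fallback="").strip()
            if value:
                findings.append((key, value))
    return findings


def audit_system_ini(text):
    """Return every program the [boot] shell= line would start besides Explorer.exe."""
    cp = _parse(text)
    shell = cp.get("boot", "shell", fallback="Explorer.exe").strip()
    tokens = shell.split()
    if tokens and tokens[0].lower() == "explorer.exe":
        return tokens[1:]  # anything after Explorer.exe is an extra autostart
    return tokens  # the shell itself was replaced: report the whole line
```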
Web
• 1.3% of the incoming search queries to Google returned at least one malware site
• Visit sites with an army of browsers in VMs, check for changes to the local system
• Indicate potentially harmful sites in search results
Web: Fake page
Shared folder
Email again
P2P Files
• 35.5% of malware
Typical Symptoms
• File deletion
• File corruption
• Visual effects
• Pop-ups
• Computer crashes
• Slow connection
• Spam relaying
Distributed Denial of Service
• A denial-of-service attack is an attack that causes a loss of service to users, typically the loss of network connectivity.
• Resources exhausted: CPU, memory, network connectivity, network bandwidth, battery energy
• Hard to address, especially in distributed form
DDoS Mechanism
• Goal: make a service unusable.
• How: overload a server, router, or network link by flooding it with useless traffic
• Focus: bandwidth attacks, using large numbers of "zombies"
How does it work?
• The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to legitimate users of the system.
• Attack parameters: victim's IP address; victim's port number; attacking packet size; attacking inter-packet delay; duration of attack.
Example 1
• Ping-of-death
  – An IP packet with a size larger than 65,536 bytes is illegal by the standard
  – Many operating systems did not know what to do when they received an oversized packet, so they froze, crashed or rebooted.
  – Routers forward each packet independently.
  – Routers don't know about connections.
  – Complexity is in the end hosts; routers are simple.
Example 2
• TCP handshake
• SYN Flood
  – A stream of TCP SYN packets directed to a listening TCP port at the victim
  – The victim host must allocate new data structures for each SYN request
  – Legitimate connections are denied while the victim machine is waiting to complete bogus "half-open" connections
  – Not a bandwidth consumption attack
• IP Spoofing
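Detection logic for the half-open connection build-up described above, as an added example that is not part of the original slides. The capture summary format (time, source, destination, TCP flags), the threshold and the sample traffic are constructed: one client completes the three-way handshake while many spoofed sources send a SYN and never the final ACK, which is the pattern a defender counts.

```python
from collections import defaultdict

# Constructed packet summary: "time src -> dst flags". One legitimate client
# completes the handshake (S, SA, A); 300 spoofed sources send SYN only.
SAMPLE_PACKETS = """\
0.00 10.0.0.5:40001 -> 192.0.2.10:80 S
0.01 192.0.2.10:80 -> 10.0.0.5:40001 SA
0.02 10.0.0.5:40001 -> 192.0.2.10:80 A
""" + "".join(
    f"{0.1 + i * 0.001:.3f} 203.0.113.{i % 250 + 1}:{1024 + i} -> 192.0.2.10:80 S\n"
    for i in range(300)
)


def parse_line(line):
    ts, src, _, dst, flags = line.split()
    return float(ts), src, dst, flags


def half_open_report(capture, threshold=100):
    """Count connections that received a SYN but never the client's final ACK.

    Keys are (client, server); a client ACK moves the flow to 'open'. Servers with
    at least `threshold` half-open flows are flagged as a suspected SYN flood.
    """
    state = {}  # (client, server) -> "syn" | "open"
    for line in capture.splitlines():
        if not line.strip():
            continue
        _, src, dst, flags = parse_line(line)
        if flags == "S":
            state[(src, dst)] = "syn"
        elif flags == "SA":
            continue  # server's reply travels the other way; nothing to update
        elif "A" in flags and (src, dst) in state:
            state[(src, dst)] = "open"  # handshake completed by the client
    half_open = defaultdict(set)
    for (client, server), s in state.items():
        if s == "syn":
            half_open[server].add(client)
    return {
        server: {
            "half_open": len(clients),
            # Many distinct source IPs that never finish is the spoofing signature
            "distinct_sources": len({c.rsplit(":", 1)[0] for c in clients}),
            "suspected_syn_flood": len(clients) >= threshold,
        }
        for server, clients in half_open.items()
    }
```

In production the half-open entries would also be aged out by time, since a slow but legitimate client briefly looks the same as one spoofed source.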
From DoS to DDoS
Distributed DoS Attack
DDoS Countermeasures
• Three broad lines of defense:
  1. Attack prevention & preemption (before)
  2. Attack detection & filtering (during)
  3. Attack source traceback & identification (after)