Malware Fundamentals
POLITEHNICA University of Bucharest
14th of January 2015
Ionuţ – Daniel BARBU

Agenda
• Evolution
• Security implementations in Operating Systems
• Historical facts
• Malware types
Source of the information: Wikipedia.org
Source: theusindependent.com
Evolution

Operating Systems

Windows NT
• Designed for security but not for the INTERNET

Windows 9x
• Offered the option of multiple profiles but not of multiple users
• Partial memory protection
• No access privileges concept

Newer Versions
• XP
  • Limited accounts
• Vista
  • User Account Control
  • The first user was administrator by default – removed
• 7
  • BitLocker Drive Encryption and biometrics
  • Improved Windows Firewall, Microsoft Security Essentials & Windows Defender
• 8
  • New authentication methods

“Consumer versions of Windows were originally designed for ease-of-use on a single-user PC without a network connection, and did not have security features built in from the outset.” – Wikipedia
Windows Patch Tuesday
Malware… is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Regin
• Reversed in November 2014
• Samples date from 2003
• Customized spying
• Stealthy
• Steals information

Stuxnet
• Worm discovered in 2010
• Attacked industrial programmable logic controllers
• Ruined 20% of Iran’s nuclear centrifuges
• Causes harm
• Sabotage

CryptoLocker
• Ransomware Trojan
• Discovered by Dell SecureWorks
• Propagated via e-mail attachments or botnets
• Encrypts
• Money extortion – Bitcoin
History
1949 – John von Neumann introduces the theory of self-replicating programs
1972 – Veith RISAK writes an article describing a fully functional virus for the SIEMENS 4004/35
1980 – Jürgen KRAUS: “computer programs can behave in a way similar to biological viruses”

Early Stages
1971 – Creeper Virus – ARPANET: “I’m the creeper, catch me if you can!” The Reaper worm was designed to catch it – it did!
1982 – ELK Cloner – first personal computer virus – displayed a poem
1992 – first Windows virus – WinVir

First Computer Viruses
Source: ajovomultja.hu
Viruses
“the defining characteristic of viruses is that they are self-replicating computer programs which install themselves without the user's consent.”
When executed, a virus replicates by inserting copies of itself into other programs, etc.

When infected:
• Steals hard disk space or CPU time
• Accesses private information, corrupts data
• Keystroke logging

Motivation:
• Seek profit
• Message conveying
• Sabotage
• Denial of service

Methods:
• Social engineering
• Security vulnerabilities

Replication techniques:
• Resident (after installation it remains in RAM) vs. non-resident (scans for targets, infects and exits)
• Macro virus (embedded in macro-containing documents)
• Boot sector

Anti-detection: viruses often use complex anti-detection/stealth strategies to evade antivirus software: keeping the same “last modification date” and file size, or trying to kill detection tasks; intercepting read requests, self-modification, encrypted viruses, polymorphic vs. metamorphic code.

Anti-virus: open source, proprietary
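The slide notes that a virus may keep a file's “last modification date” and size unchanged so that a naive check sees nothing. The following added example (not from the slides) shows why a defender's file-integrity baseline should be built on content hashes rather than on metadata: it creates a temporary directory with two constructed files, overwrites one of them while preserving both its size and its timestamps, and then compares what a size+mtime baseline and a SHA-256 baseline each report. File names and contents are invented for the demonstration.

```python
"""Added example: size/mtime baselines vs. a SHA-256 baseline for file integrity.

Everything here runs against a temporary directory with constructed files;
nothing on the real system is read or modified.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file's content in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def weak_baseline(root: Path) -> dict:
    """Metadata-only baseline: (size, mtime_ns) per file, as a naive checker might record."""
    return {p.name: (p.stat().st_size, p.stat().st_mtime_ns)
            for p in root.iterdir() if p.is_file()}


def strong_baseline(root: Path) -> dict:
    """Content baseline: SHA-256 per file."""
    return {p.name: sha256_of(p) for p in root.iterdir() if p.is_file()}


def diff_baselines(before: dict, after: dict) -> list:
    """Names of files whose entry changed, appeared or vanished between two baselines."""
    names = set(before) | set(after)
    return sorted(n for n in names if before.get(n) != after.get(n))


def tamper_preserving_metadata(path: Path, new_content: bytes) -> None:
    """Overwrite a file in place while keeping its size and timestamps unchanged.

    This reproduces, in a controlled way, the stealth property the slide describes,
    so that the two baselines can be compared on the same change.
    """
    st = path.stat()
    if len(new_content) > st.st_size:
        raise ValueError("replacement content must not exceed the original size")
    padded = new_content.ljust(st.st_size, b"\x00")      # same byte length as before
    path.write_bytes(padded)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))  # same timestamps as before


def run_demo() -> dict:
    """Build a small directory, alter one file, and compare what each baseline flags."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample files; the names are arbitrary.
        (root / "calc.exe").write_bytes(b"original program bytes, pretend this is a PE file")
        (root / "notes.txt").write_bytes(b"harmless text file")

        weak_before = weak_baseline(root)
        strong_before = strong_baseline(root)

        tamper_preserving_metadata(root / "calc.exe", b"MODIFIED program bytes!!")

        return {
            "weak_detected": diff_baselines(weak_before, weak_baseline(root)),
            "strong_detected": diff_baselines(strong_before, strong_baseline(root)),
        }


if __name__ == "__main__":
    result = run_demo()
    print("size+mtime baseline flagged:", result["weak_detected"])    # []
    print("SHA-256 baseline flagged:   ", result["strong_detected"])  # ['calc.exe']
```

The metadata baseline reports nothing because both fields it records were restored after the overwrite; the hash baseline flags `calc.exe` because the bytes themselves differ. In practice the baseline hashes must themselves be stored somewhere the monitored host cannot rewrite, otherwise the same trick applies to the baseline.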
Worms
…standalone malware computer program that replicates itself in order to spread to other computers
• Unlike a virus, it does not need to attach itself to an existing program.
• At least some harm is caused due to bandwidth consumption.
• The payload is usually designed to delete files, or to encrypt or send documents via mail.
• Many of them are payload-free; however, even these cause major disruption: the Morris Worm, 1988 (the first worm distributed via the Internet, from MIT).
• Backdoors represent a known payload and they usually lead to zombie computers and further to botnets.

Protection: patching, firewall, packet filters, ACL
Trojan Horse
…is a generally non-self-replicating type of malware program containing malicious code that carries out actions determined by its nature…
• remote access hack
• data theft or loss
• system harm
• can act as a backdoor
• Interesting use: anonymizer proxy!

Zeus / Zbot
• Microsoft Windows OS
• Steals banking information
• Man-in-the-browser
• Keystroke logging
• Also distributes CryptoLocker

Beast 2.07

Protection: IPS, IDS, content filtering

Source: megasecurity.org
Others

Backdoor
• Method of bypassing normal authentication
• Basic example of a backdoor: a default password

Rootkit
• Hides the existence of certain processes or programs
• Enables continued privileged access to a computer

Spyware & Adware
• Spyware aids in gathering information about a person or organization without their knowledge
• Adware automatically renders advertisements in order to generate revenue for its author

Zero-Day
• Zero-day vulnerability & exploit
• Antivirus software signatures are not yet available
• Behavior signatures
• Sandbox
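The zero-day slide says that hash signatures for a new sample do not exist yet and points at behavior signatures and sandboxing instead. The added example below (not from the slides) makes that concrete from the detection side: it runs a hash-signature check and a behavior-rule check over a constructed sandbox event log. The sample contents, process names, file paths and the “known bad” hash list are all invented; the only real identifier is the standard `HKCU\...\Run` autostart key, used as the persistence indicator.

```python
"""Added example: hash signatures vs. behaviour signatures over a sandbox event log.

Three constructed samples: one an old build with a known signature, one a new
build with identical behaviour but no signature yet (the zero-day case), and one
benign program. All data is constructed for the demonstration.
"""
import hashlib
from collections import defaultdict

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
USER_DOCS = r"c:\users\ana\documents"      # constructed user profile path
MASS_WRITE_THRESHOLD = 5                     # writes into user documents before a rule fires

# Constructed signature database: SHA-256 of a sample the vendor already knows.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"constructed old known build").hexdigest(): "Trojan.Ransom (constructed)",
}

# Constructed sample contents; none of these are real binaries.
SAMPLES = {
    "invoice.exe": b"constructed old known build",
    "new_variant.exe": b"constructed build no vendor has seen",
    "editor.exe": b"constructed benign editor",
}


def _mass_writes(proc: str, n: int = 6) -> list:
    """Constructed events: a process rewriting many user documents with a new extension."""
    return [(proc, "file_write", rf"C:\Users\ana\Documents\doc{i}.docx.locked") for i in range(n)]


# Constructed sandbox event log: (process, action, target).
SANDBOX_EVENTS = (
    [("editor.exe", "file_write", r"C:\Users\ana\Documents\thesis.docx")]
    + _mass_writes("invoice.exe")
    + [("invoice.exe", "registry_write", RUN_KEY + r"\upd")]
    + _mass_writes("new_variant.exe")
    + [("new_variant.exe", "registry_write", RUN_KEY + r"\svc")]
)


def signature_scan(samples: dict) -> dict:
    """Static check: look each sample's SHA-256 up in the known-bad list (None = no match)."""
    return {name: KNOWN_BAD_SHA256.get(hashlib.sha256(data).hexdigest())
            for name, data in samples.items()}


def behaviour_scan(events: list) -> dict:
    """Dynamic check: {process: [rule names]} for processes whose actions match a rule."""
    doc_writes = defaultdict(int)
    persistence = set()
    for proc, action, target in events:
        if action == "file_write" and target.lower().startswith(USER_DOCS):
            doc_writes[proc] += 1
        if action == "registry_write" and target.upper().startswith(RUN_KEY.upper()):
            persistence.add(proc)
    hits = {}
    for proc in sorted({e[0] for e in events}):
        rules = []
        if doc_writes[proc] >= MASS_WRITE_THRESHOLD:
            rules.append("mass_document_modification")
        if proc in persistence:
            rules.append("run_key_persistence")
        if rules:
            hits[proc] = rules
    return hits


def combined_verdict(samples: dict, events: list) -> dict:
    """Signature hit wins outright; otherwise two or more behaviour rules together convict."""
    sig = signature_scan(samples)
    beh = behaviour_scan(events)
    verdict = {}
    for name in samples:
        if sig[name]:
            verdict[name] = "malicious (signature)"
        elif len(beh.get(name, [])) >= 2:
            verdict[name] = "malicious (behaviour)"
        else:
            verdict[name] = "clean"
    return verdict


if __name__ == "__main__":
    for name, v in combined_verdict(SAMPLES, SANDBOX_EVENTS).items():
        print(f"{name:16} {v}")
```

The signature check catches only `invoice.exe`; `new_variant.exe` has the same mass-rewrite plus autostart pattern but an unknown hash, so only the behavior rules convict it. The benign editor writes one document and touches no autostart key, so it stays clean. Real behavior signatures are tuned against large sets of benign activity to keep such rules from firing on backup tools or installers, which is why the example requires two independent indicators rather than one.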
Thank you!
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
Bruce Schneier