Jan Devos
pag. 1
Malicious Software
A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity or availability of the victim's data, applications or operating system, or of otherwise annoying or disrupting the victim.
Malicious Software
programs exploiting system vulnerabilities
known as malicious software or malware
program fragments that need a host program
e.g. viruses, logic bombs, and backdoors
independent self-contained programs
e.g. worms, bots
replicating or not
sophisticated threat to computer systems
Backdoor / Trapdoor
Secret entry point into a program
Any mechanism that bypasses a normal security check
Threat: difficult to prevent or detect
Main control: oversight of the development and maintenance activities
Easter Eggs
http://www.eeggs.com
Examples: WORD (4 examples), FIREFOX (2 examples)
Logic Bomb
Logic Bomb
Program inserted into software by an intruder
Dormant until a predefined condition is met
Unauthorized act
Case Study Tim Lloyd / Omega
Trojan Horses
An apparently useful program containing hidden
code that performs some unwanted or harmful
function
Harmful functions:
Authorization for unauthorized users
Data destruction
Spyware
Techniques:
Modified compiler
Internet downloads
Mobile Code
Programs that can be shipped unchanged to a heterogeneous collection of platforms (e.g. Windows) and execute with identical semantics
Mobile code acts as a mechanism for a virus, worm or Trojan horse to be transmitted
Examples of Mobile Code:
Java Applets
ActiveX controls
JavaScript
VB-Script
Viruses
Malware that, when executed, tries to replicate
itself into other executable code.
First appearance in 1983 (after the launch of the PC)
Fred Cohen
Viruses
piece of software that infects programs
modifying them to include a copy of the virus
it executes secretly when host program is run
Viruses
components:
infection mechanism - enables replication
trigger - event that makes payload activate
payload - what it does, malicious or benign
Virus Structure
Viruses Classification
boot sector
file infector
macro virus
encrypted virus: creates a key and encrypts itself, so each copy shows a different pattern
stealth virus: hides itself from detection
polymorphic virus: the virus mutates with each infection
metamorphic virus: the virus mutates and rewrites itself completely
Macro Viruses
E-Mail Viruses
more recent development
e.g. Melissa
exploits an MS Word macro in the attached document
if the attachment is opened, the macro activates
sends e-mail to everyone on the user's address list
and does local damage
Virus Countermeasures
prevention - ideal solution but difficult
realistically need:
detection
identification
removal
Virus Countermeasures
virus & antivirus tech have both evolved
early viruses were simple code, easily removed
as viruses became more complex, so did the countermeasures
generations
Virus Countermeasures
second - heuristics
No specific signature
Heuristic rules
Fragments of code
Integrity checking (checksum check / hashing)
Virus Countermeasures
third - identify actions
Memory-resident
Identification by its actions rather than structure
Generic Decryption
runs executable files through GD scanner:
CPU emulator to interpret instructions
virus scanner to check known virus signatures
emulation control module to manage process
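Added example (not from the slides) showing the three GD components on a toy instruction set: the emulator interprets a constructed sample that decrypts its body one byte at a time, the scanner looks for a known signature after every instruction, and the control module stops after an instruction budget. The signature, key and sample are constructed; no real machine code is involved.

```python
SIGNATURE = b"BADCODE!"   # constructed signature of a hypothetical known virus body

def scan(memory):
    """Virus scanner: find the known signature in the memory image, or -1."""
    return bytes(memory).find(SIGNATURE)

def make_sample(key=0x5A):
    """Constructed toy sample: a stub followed by a body stored XOR-encrypted.
    Its program decrypts one byte per instruction, like a decryption loop would."""
    body = b"<<" + SIGNATURE + b">>"
    enc = bytes(b ^ key for b in body)
    memory = bytearray(b"STUB") + bytearray(enc)
    program = [("xor", 4 + i, key) for i in range(len(enc))] + [("halt",)]
    return program, memory

def generic_decryption(program, memory, max_steps=1000):
    """CPU emulator plus emulation control module: interpret the toy instructions
    in a sandbox, scan memory after each one, and give up after max_steps so a
    clean or never-terminating file cannot stall the scanner."""
    memory = bytearray(memory)      # work on a copy: the sandbox never touches the file
    pc = steps = 0
    while steps < max_steps and pc < len(program):
        op, *args = program[pc]
        if op == "xor":             # toy instruction: memory[addr] ^= key
            addr, key = args
            memory[addr] ^= key
        elif op == "halt":
            break
        pc += 1
        steps += 1
        hit = scan(memory)          # scanner sees the partially decrypted image
        if hit >= 0:
            return {"detected": True, "offset": hit, "steps": steps}
    return {"detected": False, "offset": -1, "steps": steps}

def demo():
    program, memory = make_sample()
    return {
        "static_scan": scan(memory),                      # -1: body is still encrypted
        "emulated": generic_decryption(program, memory),  # found once decrypted
        "budget_too_small": generic_decryption(program, memory, max_steps=3),
    }
```

The third result shows the trade-off the control module has to make: a budget that is too small never reaches the decrypted body, while a large one costs scan time on every file.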
Behavior-Blocking Software
Worms
replicating program that propagates over net
using email, remote exec, remote login
Morris Worm
one of best known worms
released by Robert Morris in 1988
various attacks on UNIX systems
cracking the password file to use login/password pairs to log on to other systems
exploiting a bug in the finger protocol
exploiting a bug in sendmail
Code Red
July 2001 exploiting MS IIS bug
probes random IP addresses, does DDoS attack (360,000 servers in 14 hours)
consumes significant net capacity when active
Mydoom
mass-mailing e-mail worm that appeared in 2004
installed remote access backdoor in infected systems
multiplatform
multi-exploit
ultrafast spreading
polymorphic
metamorphic
transport vehicles
zero-day exploit
mobile phone worms (since 2004: BlueTooth, MMS)
Worm Countermeasures
(Ro)Bots
spreading mechanism
attack software, vulnerability, scanning strategy
Uses of (Ro)Bots
DDOS attacks
Spamming
Sniffing traffic
Keylogging: capturing keystrokes
Spreading new malware
Advertising add-ons and BHOs (Browser Helper Objects)
Generating clicks
Attacking IRC chat networks
Manipulating online polls and games
Countermeasures
IDS
Honeypots
DIS
Try to detect the botnet during its
construction phase
Rootkits / Crimeware
set of programs installed for admin access
malicious and stealthy changes to host O/S
may hide its existence
subverting the reporting mechanisms for processes, files, registry entries, etc.
may be:
persistent or memory-based
user mode or kernel mode
Rootkits
DDOS