Beruflich Dokumente
Kultur Dokumente
Intruder
Hacker: 4 phases
Malicious Software:
o Malicious Software - Introduction
o Malware Terminology
o Where malware lives
o What to Infect
o Taxonomy of Malicious Software
3/25/2018 2
1
3/25/2018
3/25/2018 3
3/25/2018 4
2
3/25/2018
3/25/2018 6
3
3/25/2018
Foot printing/Reconnaissance
Gaining access
Maintaining access
Covering track
3/25/2018 7
4
3/25/2018
3/25/2018 9
5
3/25/2018
Virus
Worm
Logic bomb
Trojan horse
Backdoor (trapdoor)
Mobile code
Auto-rooter Kit (virus generator)
Spammer and Flooder programs
Keyloggers
Rootkit
Zombie, bot
Autoexec.bat
Config.sys
Init.d
3/25/2018 12
6
3/25/2018
• Executable
• Interpreted file
• Kernel
• Service
• Master Boot Record
3/25/2018 13
Virus
Trojan
Applet
Logic
bombs Replication
Malicious Trap door
Worm
Alone
Zombie
3/25/2018 14
7
3/25/2018
8
3/25/2018
Dormant:
o The virus is idle. It will eventually be activated by some event
Propagation:
o The virus places an identical copy of itself into other programs or into
certain system areas
Triggering:
o The virus is activated to perform the function for which it was
intended (such as a date, the presence of another program or file)
Execution
o The function is performed, which may be harmless
components:
o infection mechanism - enables replication
o trigger - event that makes payload activate
o payload - what it does, malicious or benign
prepended / postpended / embedded
when infected program invoked, executes virus code
then original program code
can block initial infection (difficult)
or propogation (with access controls)
9
3/25/2018
Virus V:
o 1: go to “main” of virus program
o 2: a special flag (infected or not)
Main:
o Find uninfected programs - infect
them
o Do something damaging to the
system
o “Go to“ first line of the host
program - do normal work
10
3/25/2018
boot sector
Parasic
Target
Memory
macro
Virus
encrypted
Stealth
Concealment
strategy polymorphic
metamorphic
11
3/25/2018
Boot Sector Virus: Infects master boot record / boot record (boot
sector) of a disk and spreads when a system is booted with an
infected disk (original DOS viruses).
3/25/2018 23
Memory-resident Virus:
o Reside in RAM
o is infect running programs
Parasic Virus:
o Infects executable files.
o They attach their self to executable files as part of their code.
o Runs whenever the host program is executed.
3/25/2018 24
12
3/25/2018
Macro Virus:
o became very common in mid-1990s
o platform independent
o infect documents (Word or excel files)
o easily spread
o often a form of Basic
o more recent releases include protection
o recognized by many anti-virus programs
13
3/25/2018
Rootkit filters
call and results
14
3/25/2018
3/25/2018 29
15
3/25/2018
Kaspersky
3/25/2018 32
16
3/25/2018
17
3/25/2018
—
Secret entry point into a program
3/25/2018 36
18
3/25/2018
3/25/2018 37
the gift horse left outside the gates of Troy by the Greeks, Trojan
Horses appear to be useful or interesting to an unsuspecting user,
3/25/2018 but are actually harmful. 38
19
3/25/2018
3/25/2018 40
20
3/25/2018
3/25/2018 41
21
3/25/2018
22
3/25/2018
Code Red
o July 2001 exploiting MS IIS bug
o probes random IP address, does DDoS attack
o consumes significant net capacity when active
Code Red II variant includes backdoor
SQL Slammer
o early 2003, attacks MS SQL Server
o compact and very rapid spread
Mydoom
o mass-mailing e-mail worm that appeared in 2004
o installed remote access backdoor in infected systems
23
3/25/2018
24
3/25/2018
3/25/2018 50
25
3/25/2018
Zombies
26
3/25/2018
Botnets: Bots
Handler
Attacker
China Hungary
Bots: Host illegal movies,
music, pornography,
criminal web sites, …
Forward Spam for
financial gain
Zombies
3/25/2018 54
27
3/25/2018
3/25/2018 55
3/25/2018 56
28
3/25/2018
3/25/2018 57
3/25/2018 58
29
3/25/2018
30
3/25/2018
3/25/2018 61
3/25/2018 62
31
3/25/2018
Intruder
Hacker: 4 phases
Attack: many types
Malicious Software: many types
3/25/2018 64
32
3/25/2018
3/25/2018 65
3/25/2018 66
33