Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 14 Page 1 CS 236 Online Malware CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Published byAileen Short Modified over 8 years ago

Similar presentations

Presentation on theme: "Lecture 14 Page 1 CS 236 Online Malware CS 236 On-Line MS Program Networks and Systems Security Peter Reiher."— Presentation transcript:

1 Lecture 14 Page 1 CS 236 Online Malware CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

2 Lecture 14 Page 2 CS 236 Online Outline Introduction Viruses Trojan horses Trap doors Logic bombs Worms Botnets Spyware Rootkits

3 Lecture 14 Page 3 CS 236 Online Introduction Clever programmers can get software to do their dirty work for them Programs have several advantages for these purposes –Speed –Mutability –Anonymity

4 Lecture 14 Page 4 CS 236 Online Where Does Malicious Code Come From? Most typically, it’s willingly (but unwittingly) imported into the system –Electronic mail (most common today) –Downloaded executables Often automatically from web pages –Sometimes shrink-wrapped software Sometimes it breaks in Sometimes an insider intentionally introduces it

5 Lecture 14 Page 5 CS 236 Online Is Malicious Code Really a Problem? Considering viruses only, by 1994 there were over 1,000,000 annual infections –One survey shows 10-fold increase in viruses since 1996 In November 2003, 1 email in 93 scanned by particular survey contained a virus 2008 CSI report shows 50% of survey respondents had virus incidents –Plus 20% with bot incidents

6 Lecture 14 Page 6 CS 236 Online More Alarming Statistics In 1992, there were around 2000 unique viruses known In 2007, Symantec’s databases of viruses includes 73,000+ entries Kaspersky Labs has over 83,000 virus signatures in its database The numbers continue to grow

7 Lecture 14 Page 7 CS 236 Online But Don’t Get too Alarmed Most viruses are never found “in the wild” Most viruses die out quickly The Wild List 1 shows 451 active viruses worldwide (March 2009) –Reported by two or more independent observers –Many are slight variants on a particular virus 1 www.wildlist.org

8 Lecture 14 Page 8 CS 236 Online But Do I Really Have to Worry About Viruses? “After all, I run Linux/Mac OS/Solaris/BSD” “Aren’t all viruses for Windows?” Mostly true in practice –Definitely not true in theory –First MacOS X virus discovered a couple years ago –Viruses for palmtops and cellphones Anyone, at any time, can write and release a virus that can clobber your machine, regardless of what OS you run

9 Lecture 14 Page 9 CS 236 Online Viruses “Self-replicating programs containing code that explicitly copies itself and that can ‘infect’ other programs by modifying them or their environment” Typically attached to some other program –When that program runs, the virus becomes active and infects others Not all malicious codes are viruses

10 Lecture 14 Page 10 CS 236 Online How Do Viruses Work? When a program is run, it typically has the full privileges of its running user Including write privileges for some other programs A virus can use those privileges to replace those programs with infected versions

11 Lecture 14 Page 11 CS 236 Online Typical Virus Actions 1). Find uninfected writable programs 2). Modify those programs 3). Perform normal actions of infected program 4). Do whatever other damage is desired

12 Lecture 14 Page 12 CS 236 Online Before the Infected Program Runs Infected Program Uninfected Program Virus Code

13 Lecture 14 Page 13 CS 236 Online The Infected Program Runs Infected Program Uninfected Program Virus Code

14 Lecture 14 Page 14 CS 236 Online Infecting the Other Program Infected Program Uninfected Program Virus Code Infected Program

15 Lecture 14 Page 15 CS 236 Online Macro and Attachment Viruses Modern data files often contain executables –Macros –Email attachments –Ability to run arbitrary executables from many applications, embedded in data Easily the most popular form of new viruses –Requires less sophistication to get right Most widespread viruses today use attachments

16 Lecture 14 Page 16 CS 236 Online Virus Toolkits Helpful hackers have written toolkits that make it easy to create viruses A typical smart high school student can easily create a virus given a toolkit Generally easy to detect viruses generated by toolkits –But we may see “smarter” toolkits

17 Lecture 14 Page 17 CS 236 Online How To Find Viruses Basic precautions Looking for changes in file sizes Scan for signatures of viruses Multi-level generic detection

18 Lecture 14 Page 18 CS 236 Online Precautions to Avoid Viruses Don’t import untrusted programs –But who can you trust? Viruses have been found in commercial shrink- wrap software The hackers who released Back Orifice were embarrassed to find a virus on their CD release Trusting someone means not just trusting their honesty, but also their caution

19 Lecture 14 Page 19 CS 236 Online Other Precautionary Measures Scan incoming programs for viruses –Some viruses are designed to hide Limit the targets viruses can reach Monitor updates to executables carefully –Requires a broad definition of “executable”

20 Lecture 14 Page 20 CS 236 Online Containment Run suspect programs in an encapsulated environment –Limiting their forms of access to prevent virus spread Requires versatile security model and strong protection guarantees

21 Lecture 14 Page 21 CS 236 Online Viruses and File Sizes Typically, a virus tries to hide So it doesn’t disable the infected program Instead, extra code is added But if it’s added naively, the size of the file grows Virus detectors look for this growth Won’t work for files whose sizes typically change Clever viruses find ways around it –E.g., cavity viruses that fit themselves into “holes” in programs

22 Lecture 14 Page 22 CS 236 Online Signature Scanning If a virus lives in code, it must leave some traces In early and unsophisticated viruses, these traces were essentially characteristic code patterns Find the virus by looking for the signature

23 Lecture 14 Page 23 CS 236 Online How To Scan For Signatures Create a database of known virus signatures Read every file in the system and look for matches in its contents Also check every newly imported file Also scan boot sectors and other interesting places

24 Lecture 14 Page 24 CS 236 Online Weaknesses of Scanning for Signatures What if the virus changes its signature? What if the virus takes active measures to prevent you from finding the signature? You can only scan for known virus signatures

25 Lecture 14 Page 25 CS 236 Online Polymorphic Viruses A polymorphic virus produces varying but operational copies of itself Essentially avoiding having a signature Sometimes only a few possibilities –E.g., Whale virus has 32 forms But sometimes a lot –Storm worm had more than 54,000 formats as of 2006

26 Lecture 14 Page 26 CS 236 Online Stealth Viruses A virus that tries actively to hide all signs of its presence Typically a resident virus For example, it traps calls to read infected files –And disinfects them before returning the bytes –E.g., the Brain virus

27 Lecture 14 Page 27 CS 236 Online Combating Stealth Viruses Stealth viruses can hide what’s in the files But may be unable to hide that they’re in memory Also, if you reboot carefully from a clean source, the stealth virus can’t get a foothold

28 Lecture 14 Page 28 CS 236 Online Other Detection Methods Checksum comparison Intelligent checksum analysis –For files that might legitimately change Intrusion detection methods –E.g., look for attack invariants instead of signatures Identify and handle “clusters” of similar malware

29 Lecture 14 Page 29 CS 236 Online Preventing Virus Infections Run a virus detection program –Almost all CSI reporting companies do –And many still get clobbered Keep its signature database up to date –Modern virus scanners do this by default Disable program features that run executables without users asking –Quicktime had this problem a couple years ago Make sure users are very careful about what they run

30 Lecture 14 Page 30 CS 236 Online How To Deal With Virus Infections Reboot from a clean, write-protected floppy or from a clean CD ROM –Important to ensure that the medium really is clean –Necessary, but not sufficient If backups are available and clean, replace infected files with clean backup copies –Another good reason to keep backups Recent proof-of-concept code showed infection of firmware in peripherals...

31 Lecture 14 Page 31 CS 236 Online Disinfecting Programs Some virus utilities try to disinfect infected programs –Allowing you to avoid going to backup Potentially hazardous, since they may get it wrong –Some viruses destroy information needed to restore programs properly

32 Lecture 14 Page 32 CS 236 Online When you run it, the Greeks creep out and slaughter your system Trojan Horses Seemingly useful program that contains code that does harmful things

33 Lecture 14 Page 33 CS 236 Online Basic Trojan Horses A program you pick up somewhere that is supposed to do something useful And perhaps it does –But it also does something less benign Games are common locations for Trojan Horses Downloaded applets are also popular locations Frequently found in email attachments Bogus security products also popular

34 Lecture 14 Page 34 CS 236 Online Trojan Horse Login Programs Probably the original Trojan horse Spoof the login or authentication screen of a machine or service Capture attempts to access that service Then read the user IDs and the passwords

35 Lecture 14 Page 35 CS 236 Online Recent Peer-Distributed Trojan Embedded in pirated copies of iWorks and Adobe Photoshop CS4 Made available over peer file sharing networks When run, installed bot on your machine Macs aren’t safe any more Pirated software never has been Recent Trojan in pirated Windows 7 Release Candidate

36 Lecture 14 Page 36 CS 236 Online Trapdoors A secret entry point into an otherwise legitimate program Typically inserted by the writer of the program Most often found in login programs or programs that use the network But also found in system utilities

37 Lecture 14 Page 37 CS 236 Online Trapdoors and Other Malware Malware that has taken over a machine often inserts a trapdoor To allow the attacker to get back in –If the normal entry point is closed Infected machine should be handled carefully to remove such trapdoors –Otherwise, attacker comes right back

38 Lecture 14 Page 38 CS 236 Online Logic Bombs Like trapdoors, typically in a legitimate program A piece of code that, under certain conditions, “explodes” Also like trapdoors, typically inserted by program authors Often used by disgruntled employees to get revenge –Dismissed Fannie Mae employee planted one last October –If not found first, would have shut down Fannie Mae for at least a week

39 Lecture 14 Page 39 CS 236 Online Extortionware A little similar to logic bombs Attacker breaks in and does something to system –Demands money to undo it Encrypting vital data is common variant Unlike logic bombs, not timed or triggered

Download ppt "Lecture 14 Page 1 CS 236 Online Malware CS 236 On-Line MS Program Networks and Systems Security Peter Reiher."

Similar presentations

Higher Computing Computer Systems S. McCrossan Higher Grade Computing Studies 8. Supporting Software 1 Software Compatibility Whether you are doing a fresh.

Higher Computing Computer Systems S. McCrossan Higher Grade Computing Studies 8. Supporting Software 1 Software Compatibility Whether you are doing a fresh.
What are computer viruses and its types? Computer Viruses are malicious software programs that damage computer program entering into the computer without.

What are computer viruses and its types? Computer Viruses are malicious software programs that damage computer program entering into the computer without.
 Application software consists of programs designed to make users more productive and/or assist with personal tasks.  Growth of internet simplified.

 Application software consists of programs designed to make users more productive and/or assist with personal tasks.  Growth of internet simplified.
Lecture 12 Page 1 CS 236 Online When you run it, the Greeks creep out and slaughter your system Trojan Horses Seemingly useful program that contains code.

Lecture 12 Page 1 CS 236 Online When you run it, the Greeks creep out and slaughter your system Trojan Horses Seemingly useful program that contains code.
Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.

Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.
What are Trojan horses?  A Trojan horse is full of as much trickery as the mythological Trojan horse it was named after. The Trojan horse, at first glance.

What are Trojan horses?  A Trojan horse is full of as much trickery as the mythological Trojan horse it was named after. The Trojan horse, at first glance.
Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.

Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.
________________ CS3235, Nov 2002 Viruses Adapted from Pfleeger[Chap 5]. A virus is a program [fragment] that can pass on malicious code [usually itself]

________________ CS3235, Nov 2002 Viruses Adapted from Pfleeger[Chap 5]. A virus is a program [fragment] that can pass on malicious code [usually itself]
1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Copyright © 1995-2009 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.
Lecture 15 Overview. Kinds of Malicious Codes Virus: a program that attaches copies of itself into other programs. – Propagates and performs some unwanted.

Lecture 15 Overview. Kinds of Malicious Codes Virus: a program that attaches copies of itself into other programs. – Propagates and performs some unwanted.
1 Computer Viruses (and other “Malicious Programs) Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

1 Computer Viruses (and other “Malicious Programs) Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
Video Following is a video of what can happen if you don’t update your security settings! security.

Video Following is a video of what can happen if you don’t update your security settings! security.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)

Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
The Utility Programs: The system programs which perform the general system support and maintenance tasks are known as utility programs. Tasks performed.

The Utility Programs: The system programs which perform the general system support and maintenance tasks are known as utility programs. Tasks performed.
Understanding and Troubleshooting Your PC. Chapter 12: Maintenance and Troubleshooting Fundamentals2 Chapter Objectives  In this chapter, you will learn:

Understanding and Troubleshooting Your PC. Chapter 12: Maintenance and Troubleshooting Fundamentals2 Chapter Objectives  In this chapter, you will learn:
Computer Network Forensics Lecture - Virus © Joe Cleetus Concurrent Engineering Research Center, Lane Dept of Computer Science and Engineering, WVU.

Computer Network Forensics Lecture - Virus © Joe Cleetus Concurrent Engineering Research Center, Lane Dept of Computer Science and Engineering, WVU.

Similar presentations

Ads by Google