Malware With material from Dave Levin, Michelle Mazurek, Vern Paxson, Dawn Song http://betanews.com/wp-content/uploads/2013/06/stop-malware-600x521.jpg.

Slides:



Advertisements
Similar presentations
Higher Computing Computer Systems S. McCrossan Higher Grade Computing Studies 8. Supporting Software 1 Software Compatibility Whether you are doing a fresh.
Advertisements

Thank you to IT Training at Indiana University Computer Malware.
Dr. John P. Abraham Professor UTPA 2 – Systems Threats and Risks.
Chapter 3 (Part 1) Network Security
________________ CS3235, Nov 2002 Viruses Adapted from Pfleeger[Chap 5]. A virus is a program [fragment] that can pass on malicious code [usually itself]
1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.
Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.
1 Computer Viruses (and other “Malicious Programs) Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Antivirus Software Detects malware (not just viruses) May eliminate malware as well Often sold with firewalls Two approaches: Dictionary-based - Compares.
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
The Utility Programs: The system programs which perform the general system support and maintenance tasks are known as utility programs. Tasks performed.
Understanding and Troubleshooting Your PC. Chapter 12: Maintenance and Troubleshooting Fundamentals2 Chapter Objectives  In this chapter, you will learn:
BY ANDREA ALMEIDA T.E COMP DON BOSCO COLLEGE OF ENGINEERING.
Virus and Antivirus Team members: - Muzaffar Malik - Kiran Karki.
Lecture 14 Overview. Program Flaws Taxonomy of flaws: – how (genesis) – when (time) – where (location) the flaw was introduced into the system 2 CS 450/650.
Structure Classifications &
CHAPTER 14 Viruses, Trojan Horses and Worms. INTRODUCTION Viruses, Trojan Horses and worm are malicious programs that can cause damage to information.
1 Higher Computing Topic 8: Supporting Software Updated
Information Technology Software. SYSTEM SOFTWARE.
1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
10/11/2015 Computer virus By Al-janabi Rana J 1. 10/11/2015 A computer virus is a computer program that can copy itself and infect a computer without.
Virus Detection Mechanisms Final Year Project by Chaitanya kumar CH K.S. Karthik.
Administrative: Objective: –Tutorial on Risks –Phoenix recovery Outline for today.
1 Figure 4-16: Malicious Software (Malware) Malware: Malicious software Essentially an automated attack robot capable of doing much damage Usually target-of-opportunity.
Malicious Code By Diana Peng. What is Malicious Code? Unanticipated or undesired effects in programs/program parts, caused by an agent with damaging intentions.
Chapter 10 Malicious software. Viruses and ” Malicious Programs Computer “ Viruses ” and related programs have the ability to replicate themselves on.
For any query mail to or BITS Pilani Lecture # 1.
Malicious Logic and Defenses. Malicious Logic Trojan Horse – A Trojan horse is a program with an overt (documented or known) effect and covert (undocumented.
n Just as a human virus is passed from person from person, a computer virus is passed from computer to computer. n A virus can be attached to any file.
Computer Systems Viruses. Virus A virus is a program which can destroy or cause damage to data stored on a computer. It’s a program that must be run in.
original slides provided by
Computer virus Speaker : 蔡尚倫.  Introduction  Infection target  Infection techniques Outline.
Computer Security Threats CLICKTECHSOLUTION.COM. Computer Security Confidentiality –Data confidentiality –Privacy Integrity –Data integrity –System integrity.
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
Protecting Computers From Viruses and Similarly Programmed Threats Ryan Gray COSC 316.
Cosc 4765 Antivirus Approaches. In a Perfect world The best solution to viruses and worms to prevent infected the system –Generally considered impossible.
SAMET KARTAL No one wants to share own information with unknown person. Sometimes while sharing something with someone people wants to keep.
VIRUSES & ANTI- VIRU-SES. WHAT IS A COMPUTER VIRUS? A computer virus is a small software program that spreads from one computer to another computer and.
Security on the Internet Norman White ©2001. Security What is it? Confidentiality – Can my information be stolen? Integrity – Can it be changed? Availability.
bitdefender virus protection
Computer Viruses Author: Alyse Allen.
Security Issues in Information Technology
Chapter Objectives In this chapter, you will learn:
original slides provided by
MALWARE.
LECTURE 6 MALICIOUS SOFTWARE
Tonga Institute of Higher Education IT 141: Information Systems
3.6 Fundamentals of cyber security
Outline Introduction Viruses Trojan horses Trap doors Logic bombs
Techniques, Tools, and Research Issues
computer virus infection & symptoms
A Trojan is a computer program that contains the malicious code and it misleads users and user's computer. It aims to designed to perform something is.
Done BY: Zainab Sulaiman AL-Mandhari Under Supervisor: Dr.Tarek
WHAT IS A VIRUS? A Computer Virus is a computer program that can copy itself and infect a computer A Computer Virus is a computer program that can copy.
Intercept X for Server Early Access Program Sophos Tester
Chap 10 Malicious Software.
Malicious Software Network security Master:Mr jangjou
Faculty of Science IT Department By Raz Dara MA.
Chap 10 Malicious Software.
original slides provided by
Malicious Program and Protection
original slides provided by
Introduction to Internet Worm
original slides provided by
Presentation transcript:

Malware With material from Dave Levin, Michelle Mazurek, Vern Paxson, Dawn Song http://betanews.com/wp-content/uploads/2013/06/stop-malware-600x521.jpg

Malware: Malicious code that runs on the victim’s system

How does malware run? Attacks a user- or network-facing vulnerable service e.g., using techniques from prior lectures Backdoor: Added by a malicious developer Social engineering: Trick user into running/clicking Trojan horse: Offer a good service, add in the bad Attacker with physical access installs & runs it

What does malware do? Potentially nearly anything (subject to permissions) Brag: “APRIL 1st HA HA HA HA YOU HAVE A VIRUS!” Destroy: files, hardware Crash the machine, e.g., by over-consuming resource Fork bombing or “rabbits”: while(1) { fork(); Steal information (“exfiltrate”) Launch external attacks: spam, click fraud, DoS Ransomware: e.g., by encrypting files Rootkits: Hide from user or software-based detection Often by modifying the kernel Man-in-the-middle attacks to sit between UI and reality

The line between these is thin and blurry; some are both Viruses vs. worms Virus: Run when user initiates something Run program open attachment, boot machine Typically infects by altering stored code Self-propagating: Create new instance elsewhere Worm: Runs while another program is running No user intervention required Typically infects by altering running code Self-propagating: infect running code elsewhere The line between these is thin and blurry; some are both

Technical challenges Viruses: Detection Worms: Spreading Antivirus software wants to detect Virus writers want to avoid detection as long as possible Evade human response Worms: Spreading The goal is to hit as many machines and as quickly as possible Outpace human response

Viruses

Viruses They are opportunistic: they will eventually be run due to user action Two orthogonal aspects define a virus: How does it propagate? What else does it do (what is the “payload”)? General infection strategy: Alter some existing code to include the virus Share it, expect users to (unwittingly, possibly automatically) re- share Viruses have been around since at least the 70s

Classified by what they infect Document viruses Implemented within a formatted document (Word, PDF, etc.) Enabled by macros, javascript (Why you shouldn’t open random attachments) Boot sector viruses Boot sector: small disk partition at fixed location; loaded by firmware at boot What’s supposed to happen: this code loads the OS Similar: AutoRun on music/video disks (Why you shouldn’t plug random USB drives into your computer) Etc.

Viruses have resulted in a technological arms race The key is evasion Mechanisms for evasive propagation Mechanisms for detection and prevention Want to be able to claim wide coverage for a long time Want to be able to claim the ability to detect many viruses

How viruses propagate Opportunity to run: attach to something likely autorun.exe on storage devices Email attachments Opportunity to infect: See a USB drive: overwrite autorun.exe User is sending an email: alter the attachment Proactively create emails (“I Love You”)

Detecting viruses: Signatures Identify bytes corresponding to known virus Install recognizer to check all files In practice, requires fast scanning Drives multi-million$ antivirus market Marketing via # signatures recognized Is this a useful metric?

Um.. thanks?

You are a virus writer Your goal is for your virus to spread far and wide How do you avoid detection by antivirus software that uses signatures? Make signature harder to find

How viruses infect other programs Entry point Original program Original program Virus Entry point “Appending” Original program Entry point jmp “Surrounding” Confuse scanners Original program Entry point etc. Overwrite uncommonly used parts of the program

You are a virus writer Your goal is for your virus to spread far and wide How do you avoid detection by antivirus software that uses signatures? Make signature harder to find Change code to prevent defining a signature Mechanize code changes: Goal: every time you inject your code, it looks different

Polymorphic and metamorphic viruses

Polymorphic using encryption Original program Entry point Take over the entry point Virus Virus Encrypted virus code Key Decrypter Key Decrypter jmp Virus code

Making it automatic When used properly, encryption will yield Key Encrypted virus code Decrypter jmp Virus code Key Decrypter Encryptor When used properly, encryption will yield a different, random output upon each invocation Key 2 Encrypted virus code (same code, but each time you encrypt it looks different) Decrypter

Polymorphic viruses: Arms race Now you are the antivirus writer: how do you detect? Idea #1: Narrow signature to catch the decrypter Often very small: can result in many false positives Attacker can spread this small code around and jmp Idea #2: Execute or statically analyze the suspect code to see if it decrypts. How do you distinguish from common “packers” which do something similar (decompression)? How long do you execute the code?? Now you are the virus writer again: how do you evade?

Polymorphic countermeasures Change the decrypter Oligomorphic viruses: assemble decrypter from several interchangeable alternative pieces True polymorphic viruses: can generate an endless number of decrypters Different encryption methods Random generation of confounds Downside: inefficient

Metamorphic viruses Every time the virus propagates, generate a semantically different version of the code Higher-level semantics remain the same But the way it does it differs Different machine code instructions Different algorithms to achieve the same thing Different use of registers Different constants…. How would you do this? Include a code rewriter with your virus Add a bunch of complex code to throw others off (then just never run it)

When can AV software successfully scan? Polymorphic When can AV software successfully scan?

When can AV software successfully scan? Metamorphic When can AV software successfully scan?

Detecting metamorphic viruses?

Scanning isn’t enough Need to analyze execution behavior Two broad stages in practice (both take place in a safe environment, like gdb or a virtual machine) AV company analyzes new virus to find behavioral signature AV system at end host analyzes suspect code to see if it matches the signature

Detecting metamorphic viruses Countermeasures Change slowly (hard to observe pattern) Detect if you are in a safe execution environment (e.g., gdb) and act differently Counter-countermeasures Detect detection and skip those parts Counter-counter-counter…. Arms race Attackers have the upper hand: AV systems hand out signature oracles

Crypting services Crypting service AV Many different vendors code CoDe clear detected “FUD” code Iteratively obfuscate the code (encrypt + jmp + …) Until the obfuscated code is “fully undetectable”

So how much malware is out there? Polymorphic and metamorphic viruses can make it easy to miscount viruses Take numbers with a grain of salt Large numbers are in the AV vendors’ best interest Previously, most malware was showy Now primary goal is frequently to not get noticed

How do we clean up an infection? Depends what the virus did, but.. May require restoring / repairing files A service that antivirus companies sell What if the virus ran as root? May need to rebuild the entire system So what, just recompile it? What if the malware left a backdoor in your compiler? Compile the malware back into the compiler May need to use original media and data backups

Malware summary Technological arms race between those who wish to detect and those who wish to evade detection Started off innocuously Became professional, commoditized Economics, cyber warfare, corporate espionage Advanced detection: based on behavior, anomalies Must react to attacker responses