Malware. Ge Zhang, Karlstad University.

Focus: what malware is, the types of malware, how they propagate, how they hide, and how to detect them.

What is malware? Malware is a set of instructions that runs on your computer and makes your system do something that an attacker wants it to do.

Malware zoo (1). Virus: attaches itself to a program and propagates copies of itself to other programs. Worm: a program that propagates copies of itself to other computers. Logic bomb: triggers an action when a condition occurs. Trojan horse: a program that contains unexpected additional functions. Backdoor: a program modification that allows unauthorized access to functionality. Exploit: code specific to a single vulnerability or a set of vulnerabilities.

Malware zoo (2). Downloader: a program that installs other items on a machine that is under attack. Auto-rooter: hacker tools used to break into new machines automatically. Kit (virus generator): tools to generate new viruses automatically. Spammer program: tools to produce large volumes of unwanted e-mail. Flooders: tools to generate large volumes of unwanted traffic. Keyloggers: capture keystrokes on a compromised computer. Zombie: a program installed on an infected machine that is activated to launch attacks on other machines.

Number of malware signatures (figure; source: Symantec report, 2009)

Viruses: four phases. –Dormant phase: the virus is idle, waiting for some event. –Propagation phase: it copies itself into other programs. –Triggering phase: it is activated to perform its intended actions. –Execution phase: it executes the payload, which may be harmless.

DOS boot sequence. ROM BIOS: locates and loads the master boot sector. Master boot sector: boot code and the partition table. DOS boot sector: executable boot code and the parameters of the FAT file system.

DOS bootstrap virus. A bootstrap virus resides in one of the boot sectors and therefore becomes active before DOS is operational. Example: the Stoned virus.

How a bootstrap virus takes control (figure): the BIOS executes whatever code sits in the boot sector, so a virus that writes itself there runs first and then loads the original boot sector so the system still appears to boot normally.
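The check below is an added example, not from the lecture: it parses the 512-byte master boot sector layout the slides describe (446 bytes of boot code, a four-entry partition table at offset 446, the 0x55AA signature at offset 510) and fingerprints only the boot code. A boot-sector virus has to keep the partition table intact for the disk to remain bootable, so comparing the code region against a known-good copy is what catches it. The sample sectors and the byte values in them are constructed for the demonstration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446            # bytes 0..445: bootstrap code the BIOS jumps to
PARTITION_TABLE_OFFSET = 446    # four 16-byte entries, bytes 446..509
BOOT_SIGNATURE = b"\x55\xAA"    # bytes 510..511; the BIOS refuses to boot without it


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte master boot sector into boot code and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_first, ptype, _chs_last, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[start:start + 16])
        if ptype != 0:                       # type 0 = empty slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_SIZE], "partitions": partitions}


def boot_code_fingerprint(sector: bytes) -> str:
    """Hash only the bootstrap code: a boot-sector virus must leave the partition
    table usable (the disk still has to boot), so the code region is what changes."""
    return hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest()


def boot_sector_changed(known_good: bytes, current: bytes) -> bool:
    return boot_code_fingerprint(known_good) != boot_code_fingerprint(current)


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: the given boot code plus one bootable FAT16
    partition (type 0x06) starting at LBA 63 and 1000 sectors long."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xFE\x3F\x7F", 63, 1000)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    clean = make_sample_mbr(b"\xFA\x33\xC0\x8E\xD0")       # ordinary loader prologue
    infected = make_sample_mbr(b"\xEA\x05\x00\xC0\x07")    # different code, same table
    print(parse_mbr(infected)["partitions"])               # partition table unchanged
    print("boot code changed:", boot_sector_changed(clean, infected))
```

On a real disk the known-good fingerprint would be taken right after installation and kept off the machine; the comparison is the same.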

Parasitic virus. Overwriting virus: replaces part of the host program with its own code. Appending virus: attaches its code to the host and redirects the entry point to it.

Companion virus. Does not need to modify the original file; it creates a new file with a specific name that gets executed in place of the original (e.g. a .COM next to a .EXE, because DOS runs the .COM first).
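An added example (not from the lecture) of the companion trick and its check. DOS resolves a bare command name directory by directory along PATH, trying .COM, then .EXE, then .BAT; a companion virus only needs to drop a same-named .COM so that it runs instead of the genuine .EXE. The function below simulates that resolution over a constructed directory listing and lists every .EXE that would be shadowed.

```python
# COMMAND.COM tries these extensions, in this order, for a bare command name,
# directory by directory along PATH; the first hit wins.
DOS_SEARCH_ORDER = (".COM", ".EXE", ".BAT")


def resolve_command(name: str, path_dirs: list, listing: dict):
    """Return the file DOS would execute for `name`, or None.
    `listing` maps a directory to the set of upper-case file names it holds."""
    base = name.upper()
    for directory in path_dirs:
        files = listing.get(directory, set())
        for ext in DOS_SEARCH_ORDER:
            if base + ext in files:
                return directory + "\\" + base + ext
    return None


def find_companion_candidates(path_dirs: list, listing: dict) -> list:
    """List every .EXE on PATH that a user typing its bare name would NOT get,
    because a same-named .COM (the classic companion) resolves first.
    Returns sorted (shadowed_exe, file_actually_run) pairs."""
    findings = []
    for directory in path_dirs:
        for fname in listing.get(directory, set()):
            if not fname.endswith(".EXE"):
                continue
            expected = directory + "\\" + fname
            actually_run = resolve_command(fname[:-4], path_dirs, listing)
            if actually_run is not None and actually_run != expected \
                    and actually_run.endswith(".COM"):
                findings.append((expected, actually_run))
    return sorted(findings)


# Constructed listing: GAME.COM sits beside GAME.EXE, and a stray WP.COM in a
# directory earlier on PATH shadows C:\APPS\WP.EXE. FORMAT.COM and EDIT.COM are
# ordinary .COM programs with no .EXE twin, so they are not reported.
PATH_DIRS = ["C:\\TMP", "C:\\DOS", "C:\\APPS"]
LISTING = {
    "C:\\DOS": {"FORMAT.COM", "EDIT.COM"},
    "C:\\APPS": {"GAME.EXE", "GAME.COM", "WP.EXE"},
    "C:\\TMP": {"WP.COM"},
}

if __name__ == "__main__":
    print("typing 'game' runs:", resolve_command("game", PATH_DIRS, LISTING))
    for exe, run in find_companion_candidates(PATH_DIRS, LISTING):
        print(f"{exe} is shadowed by {run}")
```

A legitimate .COM/.EXE pair with the same base name does exist on some systems, so each hit is a candidate to inspect, not a verdict.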

Lifecycle of a virus. A virus is created and released. It infects several machines. Samples are sent to anti-virus companies, which extract a signature from the virus and include the new signature in their databases. Their scanners can now detect the virus.

Virus hiding mechanisms (1). Encrypt the virus code with randomly generated keys. What happens if the boot area is encrypted? The decryption routine itself must stay in plaintext so that the virus can run at all, and that routine is what scanners then use as the signature.

Virus hiding mechanisms (2). Polymorphism: randomly change the encryption/decryption portion of the virus. –Change the key each time the virus runs. –Change the range of plaintext. –Change the location of the encryption subroutine. Countermeasure: scan in RAM (after the virus has decrypted itself).
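An added example, not part of the lecture, of why a stored bit pattern fails against an encrypted body and how "scan after self-decryption" recovers it. The sample is a constructed, harmless text string standing in for virus code; each generation gets a fresh XOR key and a different amount of junk in front, so the decryptor moves. The toy stub reuses two real 16-bit x86 encodings only so its layout is recognisable (B0 ib = MOV AL, imm8; B9 iw = MOV CX, imm16); nothing here is executed. The emulating scanner parses that stub, applies the decryption it describes and then looks for the signature in the plaintext, which is the same idea as the deciphering used against XOR-encrypting viruses later in the lecture.

```python
import random

# Constructed, harmless stand-in for the virus body. In a real sample this is
# machine code; here it is text so the demo contains nothing that executes.
BODY = b"CONSTRUCTED DEMO BODY: infect_next_file(); deliver_payload();"
SIGNATURE = b"infect_next_file();"    # bit pattern a first-generation scanner stores


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def generate_sample(rng: random.Random) -> bytes:
    """One generation of the polymorphic sample: random junk in front (moves the
    decryptor), a fresh key, then the XOR-encrypted body.
    Stub layout: B0 <key> B9 <len lo> <len hi>, i.e. MOV AL, key ; MOV CX, length."""
    key = rng.randrange(1, 256)              # never 0: that would leave the body in clear
    junk = b"\x90" * rng.randrange(0, 8)     # NOP padding of varying length
    stub = b"\xB0" + bytes([key]) + b"\xB9" + len(BODY).to_bytes(2, "little")
    return junk + stub + xor_bytes(BODY, key)


def generations(n: int, seed: int = 2009) -> list:
    """n successive generations from a seeded generator (reproducible demo)."""
    rng = random.Random(seed)
    return [generate_sample(rng) for _ in range(n)]


def static_scan(sample: bytes) -> bool:
    """First-generation approach: look for the signature in the file as stored."""
    return SIGNATURE in sample


def emulated_scan(sample: bytes) -> bool:
    """'Scan in RAM after self-decryption': locate the decryptor stub, apply the
    loop it describes, then search the recovered plaintext. Every 0xB0 byte is
    tried, so a 0xB0 occurring inside the encrypted body does not derail it."""
    i = sample.find(b"\xB0")
    while i != -1 and i + 5 <= len(sample):
        if sample[i + 2] == 0xB9:
            key = sample[i + 1]
            length = int.from_bytes(sample[i + 3:i + 5], "little")
            plaintext = xor_bytes(sample[i + 5:i + 5 + length], key)
            if SIGNATURE in plaintext:
                return True
        i = sample.find(b"\xB0", i + 1)
    return False


if __name__ == "__main__":
    for g in generations(5):
        print(g[:12].hex(), "static:", static_scan(g), "emulated:", emulated_scan(g))
```

Every generation differs on disk and none matches the stored pattern, yet all decrypt to the same body; a real engine also rewrites the stub itself, which is why scanners moved from fixed patterns to emulation and behaviour.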

Virus hiding mechanisms (3). Entry point changes. Randomized execution flow (JMP instructions).

Macro viruses. Macro: an executable program embedded in a document to automate repetitive tasks (save keystrokes). Application-dependent, e.g. MS Office, but crossing O.S. and hardware platforms. Why do virus writers like macro viruses? –Easy to learn. –Easy to write. –Popularity of MS Office.

How a macro virus works. Every Word document is based on a template. When an existing or new document is opened, the template settings are applied first. The global template is NORMAL.DOT, so a macro virus that infects it runs for every document opened afterwards.

Worm: self-replicating over networks, without infecting programs or files. Examples: the Morris worm, the Blaster worm.

The structure of worms. Target locator (find the target): –e-mail address collector –IP/port scanner. Warhead: –break into remote machines. Propagation: –automatically sending e-mails –automatically attacking remote hosts. Remote control and update: –download updates from a web server –join an IRC channel. Lifecycle management: –commit suicide (stop after a deadline) –avoid repeatedly infecting the same host. Payload.

State of worm technology. Multiplatform: Windows, Unix, Mac, … Multi-exploit: web server, browser, e-mail, … Ultrafast spreading: host/port scanning. Polymorphic: each copy has new code generated by equivalent instructions and encryption techniques. Metamorphic: different behaviour patterns (prepared in advance). Transport vehicles for payloads (spreading attack tools and zombies). Zero-day exploits: self-updating.

Discussion: is it a good idea to spread system patches with worms?

Trojan: a program with hidden side effects that are not specified in the program documentation and are not intended by the user executing the program.

What a trojan can do. Remote administration trojans: the attacker gets complete control of the PC. Backdoor: steal data and files. Distributed attacks: zombie network. Password stealers: capture stored passwords. Audio/video capture: control the devices. Keyloggers: capture passwords as they are typed. Adware: pop-up advertisements.

Know your PC. Startup programs/services. Frequently used IP ports: –20/21 FTP –23 Telnet –25 SMTP –80 WWW. Netstat (lists open ports and active connections).
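An added example (not from the lecture) of turning the "know your PC" advice into a check: parse netstat-style output and flag listening ports outside the short list above, plus established connections to the IRC port that the worm slides mention as a remote-control channel. The netstat text is constructed for the demonstration; the allow-list and the IRC port are assumptions a practitioner would tune to the machine.

```python
import re

# Ports the slide lists as the ones to know; any other LISTENING port deserves a look.
EXPECTED_LISTENERS = {20, 21, 23, 25, 80}
IRC_PORTS = {6667}           # bots of the era took their commands from IRC channels

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S+)?\s*$")


def parse_netstat(text: str) -> list:
    """Parse 'netstat -an' style output into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        rows.append({"proto": proto, "local": laddr, "lport": int(lport),
                     "remote": raddr, "rport": int(rport) if rport.isdigit() else None,
                     "state": state or ""})
    return rows


def find_suspicious(rows: list) -> list:
    findings = []
    for r in rows:
        if r["state"] == "LISTENING" and r["lport"] not in EXPECTED_LISTENERS:
            findings.append(f"unexpected listener on {r['proto']} port {r['lport']}")
        if r["state"] == "ESTABLISHED" and r["rport"] in IRC_PORTS:
            findings.append(f"outbound IRC connection to {r['remote']}:{r['rport']}")
    return findings


# Constructed sample output (not captured from a real machine).
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      203.0.113.5:6667       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    for finding in find_suspicious(parse_netstat(SAMPLE)):
        print(finding)
```

The value of the check comes from comparing against a baseline taken when the machine was known clean; a port that is normal on one host is a finding on another.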

Malware payloads. No payload. Payload without damage: –only displays some information. Payload with little impact: –modifies documents (the Wazzu virus). Payload with heavy impact: –removes files, formats storage –encrypts data (blackmail) –destroys hardware (W95.CIH rewrites the flash BIOS). DDoS attacks. Stealing data for profit.

Malware naming. CARO (Computer Antivirus Researchers Organization) naming convention (1991): Family_Name.Group_Name.Major_Variant.Minor_Variant, e.g. Cascade.1701.A. A platform prefix was added later (e.g. W95 in W95.CIH).

Malware defenses (1). Detection: once an infection has occurred, determine that it has occurred and locate the virus. Identification: once detection has been achieved, identify the specific virus that has infected the program. Removal: once the specific virus has been identified, remove it from the infected program and restore the program to its original state.

Malware defenses (2). First-generation scanner: –virus signature (bit pattern) –maintains a record of the length of programs. Second-generation scanner: –looks for fragments of code (ignores unnecessary code) –checksums of files (integrity checking). Virus-specific detection algorithms: –deciphering (W95.Mad, which uses XOR encryption) –filtering.
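An added example, not from the lecture, that runs the three mechanisms from the first two scanner generations over constructed in-memory "programs": an exact signature match, the program-length record, and a checksum baseline. It also serves the parasitic-virus slide: the appending infection grows the host and is caught by all three checks, while the overwriting infection keeps the host's length and, with one byte of the signature altered, is caught only by the checksum. The virus stub, the signature and the host programs are all constructed byte strings; no real files are touched.

```python
import hashlib

# Constructed signature and stub (harmless bytes; the INT 21h opcodes are just bytes).
VIRUS_CODE = b"\xEB\x1E\x90CONSTRUCTED-VIRUS-STUB\x00" + b"\xCD\x21" * 4
SIGNATURE = b"CONSTRUCTED-VIRUS-STUB"
# A variant with one byte changed: same behaviour, broken stored pattern.
VARIANT_CODE = VIRUS_CODE.replace(b"STUB", b"STUb")


def signature_scan(data: bytes, signatures=(SIGNATURE,)) -> bool:
    """First generation: exact bit-pattern match anywhere in the file."""
    return any(sig in data for sig in signatures)


def take_baseline(files: dict) -> dict:
    """Record length (first generation) and checksum (second generation) of each clean program."""
    return {name: (len(data), hashlib.sha256(data).hexdigest()) for name, data in files.items()}


def integrity_check(files: dict, baseline: dict) -> dict:
    """Compare the current files with the baseline. Returns name -> list of findings."""
    report = {}
    for name, data in files.items():
        findings = []
        length, digest = baseline.get(name, (None, None))
        if length is None:
            findings.append("new file, not in baseline")
        else:
            if len(data) != length:
                findings.append("length changed")
            if hashlib.sha256(data).hexdigest() != digest:
                findings.append("checksum changed")
        if signature_scan(data):
            findings.append("signature found")
        if findings:
            report[name] = findings
    return report


def simulate_append_infection(host: bytes, code: bytes) -> bytes:
    """Appending virus: the host grows (a real one also redirects the entry point)."""
    return host + code


def simulate_overwrite_infection(host: bytes, code: bytes) -> bytes:
    """Overwriting virus: the start of the host is replaced, its length is unchanged."""
    return code + host[len(code):]


# Constructed clean programs.
CLEAN = {
    "EDIT.COM": b"\xB4\x09\xBA\x08\x01\xCD\x21" + b"EDITOR DATA " * 8,
    "WP.EXE": b"MZ" + b"\x00" * 30 + b"WORD PROCESSOR " * 6,
    "CALC.EXE": b"MZ" + b"\x00" * 30 + b"CALCULATOR " * 8,
}


def run_demo() -> dict:
    baseline = take_baseline(CLEAN)             # taken while the machine is clean
    now = dict(CLEAN)
    now["EDIT.COM"] = simulate_append_infection(CLEAN["EDIT.COM"], VIRUS_CODE)
    now["WP.EXE"] = simulate_overwrite_infection(CLEAN["WP.EXE"], VARIANT_CODE)
    return integrity_check(now, baseline)


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, "->", ", ".join(findings))
```

The checksum is the one check that needs no knowledge of the virus, which is why integrity checking survived into later scanner generations; its weakness is that it only says something changed, not what.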

Malware defenses (3). Third-generation scanner: –identifies a virus by its actions. Fourth-generation scanner: –combines a variety of anti-virus techniques. Collection method: –honeypots.

In the future… new spreading methods, e.g. RFID tags (figure: an RFID tag labelled "Infected!").

Key points. Taxonomy of malware. The difference between a virus and a worm. How bootstrap, companion, parasitic and macro viruses propagate. Virus hiding methods. The structure of a worm. What a trojan or malware payload can do. The malware naming standard (CARO). Malware defense methods.