
SCSC 555 Computer Security Chapter 10 Malicious software Part B.


1 SCSC 555 Computer Security Chapter 10 Malicious software Part B

2 Index
- Social Engineering
- Malware Payload
- Countermeasures of malware
- DDoS
- Buffer overflow

3 Social Engineering
Tricking users into assisting in the compromise of their own systems or personal information.
- Spam e-mail: most spam is sent by botnets using compromised user systems. It is used for advertising, scams, as a carrier of malware (attachments), or for phishing attacks.
- Trojan horse program: a useful, or apparently useful, program or utility containing hidden code that performs some unwanted or harmful function.

4 Social Engineering
Trojan horse program
- E.g. claims to be an antivirus scanner or a security update while actually carrying a payload such as spyware.
- Three models of Trojan horses:
  1. Continuing to perform the function of the original program and additionally performing a separate malicious activity
  2. Continuing to perform the function of the original program but modifying that function to perform malicious activity (or to disguise other malicious activity)
  3. Performing a malicious function that completely replaces the function of the original program

5 Malware Payload
System corruption
- Data destruction
- Ransomware, e.g. the Gpcode Trojan (encrypts the user's files and demands payment for the decryption key)
- Real-world damage: causing damage to physical equipment
- Logic bomb: code that is set to "explode" (trigger its payload) when certain conditions are met

6 Malware Payload
Attack agent
- Bot: malware that subverts the computational and network resources of the infected system for use by the attacker
- Uses of bots: DDoS attacks, spamming, ...
- Botnet: a collection of bots, often capable of acting in a coordinated manner under the attacker's control

7 Malware Payload
Information theft
- Keyloggers and spyware
  - What is a keylogger? (next slide)
  - Countermeasures to keyloggers
  - Spyware
- Phishing and identity theft
  - The victim is sent the URL of a fake Web site controlled by the attacker
  - Spear-phishing: an e-mail claiming to be from a trusted source, whose recipients are carefully researched by the attacker. This greatly increases the likelihood that the recipient responds as the attacker desires.

8 Malware Payload
Backdoor and rootkit
- Backdoor (trapdoor): a secret entry point into a program that allows access without going through the usual security access procedures
- Rootkit: a set of programs installed on a system to maintain covert access to that system with root privileges, while hiding evidence of its presence
  - Makes many changes to the system to hide its existence
  - Difficult to detect

9 Keyloggers
Keyloggers are used to capture keystrokes on a computer.
- Software keyloggers: behave like Trojan programs (installed as, or by, malware and run hidden from the user)
- Hardware keyloggers: easy to install; plugged in between the keyboard cable and the computer's keyboard port, so no software on the machine needs to be modified; e.g. KeyKatcher and KeyGhost

10 Countermeasures of malware
- Ensure all systems are current: all patches applied
- Set appropriate access controls on applications and data, to reduce the number of files that any one user (and hence any malware running with that user's privileges) can access
- Train users to resist social engineering attacks

11 Countermeasures of malware
Technical mechanisms to mitigate the threat:
- Detection
- Identification
- Removal
Requirements for effective malware countermeasures:
- Generality, timeliness, resiliency, minimal denial-of-service costs, transparency, global and local coverage

12 Countermeasures of malware
Four generations of antivirus software:
- 1st generation: simple scanners (signature based)
- 2nd generation: heuristic scanners
- 3rd generation: activity traps (memory-resident programs that detect malicious actions)
- 4th generation: full-featured protection (packages combining the earlier techniques)
More sophisticated antivirus approaches:
- Host-based behavior blocking
- Perimeter scanning approaches
(Reading: pages 323–327)

13 Distributed Denial-of-Service (DDoS) Attacks
- A DDoS attack targets a host from many compromised servers or workstations at once
- The network or host can be flooded with a huge number of requests: loss of bandwidth, degradation or loss of service
- The participating machines (zombies) are often unaware they are part of the attack; thousands of zombies are controlled by the attacker via Trojan programs installed on them


15 DDoS Tools and Countermeasures
DDoS countermeasures:
- Security patches from software vendors
- Antivirus software
- Firewalls: ingress (inbound) and egress (outbound) filtering (details next ...)

16 Buffer Overflow Attacks
- A vulnerability in poorly written code that does not check input against the predefined size of the buffer it is written into
- Goal of a buffer overflow attack:
  - Fill the overflowed buffer with executable code
  - Get the program to execute that code, so the attacker gains the privileges of the running application: Administrator, or the owner of the running application
- To stop software exploits:
  - Train your programmers to develop applications with security in mind
  - Stay apprised of the latest security patches provided by software vendors

17 Buffer Overflow Exploits
Buffer overflow exploits are the most common cause of Internet attacks.
- Over 50% of the advisories published by CERT (the CERT Coordination Center, originally the Computer Emergency Response Team) have been caused by various buffer overflows
- Morris worm (1988): overflow in fingerd; infected about 10% of the Internet of the time
- CodeRed (2001): overflow in the MS-IIS server; 300,000 machines infected in 14 hours
- SQL Slammer (2003): overflow in the MS-SQL server; 75,000 machines infected in 10 minutes

18 Memory Buffers
- A buffer is a data storage area inside computer memory (stack or heap), intended to hold a predefined amount of data
- If more data is stuffed into it, the excess spills into adjacent memory
  - If executable code is supplied as "data", the victim's machine may be fooled into executing it
  - That code can self-propagate or give the attacker control over the machine
- The attack can exploit any memory operation: pointer assignment, format strings, memory allocation and de-allocation, function pointers, calls to library routines via offset tables

19 Stack Buffers
Suppose a Web server contains this function:

    void func(char *str) {
        char buf[126];
        strcpy(buf, str);
    }

When this function is invoked, a new frame with its local variables is pushed onto the stack:
- the local buffer is allocated (126 bytes reserved on the stack)
- the argument is copied into the local buffer

Stack layout, from the top of the stack (lowest address) toward the frame of the calling function (higher addresses):
- buf: local variables
- sfp: pointer to the previous frame
- ret addr: execute code at this address after func() finishes
- str: arguments, in the frame of the calling function

The stack grows toward lower addresses, but a copy into buf writes toward higher addresses, i.e. toward sfp and ret addr.

20 What If Buffer is Overstuffed?
The memory pointed to by str is copied onto the stack:

    void func(char *str) {
        char buf[126];
        strcpy(buf, str);
    }

- strcpy does NOT check whether the string at str contains fewer than 126 characters (including the terminating NUL)
- If a string longer than 126 bytes is copied into the buffer, it overwrites the adjacent stack locations: first the saved frame pointer, then the saved return address
- The bytes of the overflow that land in the return address slot will be interpreted as the return address when func() returns

21 Executing Attack Code
- Suppose the buffer contains an attacker-supplied string; for example, *str is a string received from the network as input to some network service daemon
- The attacker puts actual machine instructions into the input string, e.g. the binary code of execve("/bin/sh")
- In the overflow, a pointer back into the buffer is placed in the location where the system expects to find the return address
- When the function exits, the code in the buffer is executed, giving the attacker a shell; the attacker gets a root shell if the victim program is SUID root
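To see what the overflow on slides 19 to 21 actually does to the saved return address, here is an added simulation (not part of the slides). It models func()'s frame as a padded byte array with the 32-bit x86 layout the slides assume (buf[126], then a 4-byte saved frame pointer, then the 4-byte return address), runs the unchecked strcpy and a length-checked copy against an attacker string, and reads back the return address slot. The addresses 0x08048abc and 0xbffff5e0 are hypothetical placeholders; the filler bytes stand in for shellcode. A real overflow is undefined behaviour and on modern systems is further blocked by stack canaries, non-executable stacks and ASLR, which the model does not include.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of func()'s stack frame, kept in one padded byte array so the
   simulation itself never writes out of bounds.  32-bit x86 layout as on
   the slides: buf[126] at the lowest address, then the saved frame
   pointer (sfp), then the saved return address (ret); strcpy writes
   toward higher addresses, i.e. toward sfp and ret. */
#define BUF_SIZE    126
#define SFP_OFF     BUF_SIZE          /* 126 */
#define RET_OFF     (SFP_OFF + 4)     /* 130 */
#define FRAME_BYTES (RET_OFF + 4)     /* 134 bytes the attacker must write */
#define MODEL_BYTES 256               /* padding keeps the overflow inside the model */

typedef struct { unsigned char bytes[MODEL_BYTES]; } frame_t;

/* 32-bit little-endian store/load (x86 byte order). */
static void put_le32(unsigned char *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i));
}
static uint32_t get_le32(const unsigned char *p) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)p[i] << (8 * i);
    return v;
}

/* Fresh frame: garbage in buf, a dummy saved ebp, and the legitimate
   return address pushed by the caller. */
static void frame_init(frame_t *f, uint32_t saved_ret) {
    memset(f->bytes, 0xcc, MODEL_BYTES);
    put_le32(f->bytes + SFP_OFF, 0xbffff000u);   /* arbitrary saved ebp */
    put_le32(f->bytes + RET_OFF, saved_ret);
}

/* What the CPU would pop as the return address when func() returns. */
static uint32_t frame_ret(const frame_t *f) { return get_le32(f->bytes + RET_OFF); }

/* The slides' func(): strcpy stops only at the NUL, BUF_SIZE is never
   consulted.  Well-defined here only because the model is padded. */
static void func_unchecked(frame_t *f, const char *str) {
    strcpy((char *)f->bytes, str);               /* buf is at offset 0 */
}

/* Hardened func(): bound the copy by the buffer and fail loudly rather
   than silently truncating. */
static int func_checked(frame_t *f, const char *str) {
    size_t n = strlen(str);
    if (n >= BUF_SIZE) return -1;                /* no room for str + NUL */
    memcpy(f->bytes, str, n + 1);
    return 0;
}

/* Attacker's string: 126 bytes of filler (where shellcode would go), 4
   bytes over sfp, then the fake return address.  fake_ret must contain no
   zero byte, or strcpy would stop early. */
static void build_attack_string(char out[FRAME_BYTES + 1], uint32_t fake_ret) {
    memset(out, 'A', BUF_SIZE);                  /* stand-in for shellcode */
    memset(out + SFP_OFF, 'B', 4);               /* clobbers sfp */
    put_le32((unsigned char *)out + RET_OFF, fake_ret);
    out[FRAME_BYTES] = '\0';
}

/* Return address left in the frame after the unchecked copy. */
static uint32_t ret_after_unchecked(uint32_t legit_ret, uint32_t fake_ret) {
    char attack[FRAME_BYTES + 1];
    frame_t f;
    build_attack_string(attack, fake_ret);
    frame_init(&f, legit_ret);
    func_unchecked(&f, attack);
    return frame_ret(&f);
}

/* 1 if the checked copy rejects the attack string and leaves ret intact. */
static int checked_keeps_ret(uint32_t legit_ret, uint32_t fake_ret) {
    char attack[FRAME_BYTES + 1];
    frame_t f;
    build_attack_string(attack, fake_ret);
    frame_init(&f, legit_ret);
    return func_checked(&f, attack) == -1 && frame_ret(&f) == legit_ret;
}

/* 1 if the checked copy accepts a benign string and stores it in buf. */
static int checked_accepts(const char *benign, uint32_t legit_ret) {
    frame_t f;
    frame_init(&f, legit_ret);
    return func_checked(&f, benign) == 0 &&
           strcmp((const char *)f.bytes, benign) == 0 &&
           frame_ret(&f) == legit_ret;
}

int main(void) {
    const uint32_t legit = 0x08048abcu;   /* hypothetical caller address */
    const uint32_t fake  = 0xbffff5e0u;   /* hypothetical address of buf itself */
    printf("unchecked strcpy: ret = 0x%08" PRIx32 " (attacker controlled: %s)\n",
           ret_after_unchecked(legit, fake),
           ret_after_unchecked(legit, fake) == fake ? "yes" : "no");
    printf("checked copy: rejects attack = %d, accepts a normal request = %d\n",
           checked_keeps_ret(legit, fake), checked_accepts("GET / HTTP/1.0", legit));
    return 0;
}
```

The attack string is exactly 134 bytes because the fake return address has to land at offset 130; with a real target the attacker has to discover those two offsets and the address of buf (slide 22), which is why exploits pad the shellcode with NOP sleds and try several guessed addresses.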

22 Some Issues on Buffer Overflow
- The executable attack code is stored on the stack, inside the buffer containing the attacker's string; stack memory is supposed to contain only data, but on the systems described here nothing prevents it from being executed (modern systems make this harder with non-executable stacks, stack canaries and address space layout randomization)
- The overflow portion of the buffer must contain the correct address of the attack code in the RET position: the value in the RET position must point to the beginning of the attack code in the buffer, otherwise the application will crash with a segmentation violation
- The attacker must therefore know, or correctly guess, at which stack position the buffer will be when the function is called

23 The Cause: No Range Checking
- strcpy does not check the input size: strcpy(buf, str) simply copies memory contents starting at *str into buf until a "\0" is encountered, ignoring the size of the area allocated to buf
- Many C library functions are unsafe in the same way:
  - strcpy(char *dest, const char *src)
  - strcat(char *dest, const char *src)
  - gets(char *s)
  - scanf(const char *format, ...) (e.g. an unbounded %s conversion)
  - printf(const char *format, ...) (when the format string is attacker-controlled)
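The fix for every function on this list is the same: give the library call the size of the destination and check what it reports back. The following is an added example, not code from the slides, showing bounded replacements for gets (fgets with truncation detection), strcpy/strcat (snprintf with its return value checked), scanf (a width on %s) and printf (user data only ever as an argument). The three-line SAMPLE_INPUT and the 16-byte buffer are constructed for the demo; fmemopen is used only to read that constructed input from memory.

```c
#define _POSIX_C_SOURCE 200809L   /* fmemopen() for the in-memory demo input */
#include <stdio.h>
#include <string.h>

/* gets() replacement: read one line into buf[size] with fgets(), strip the
   newline, and report whether the line was longer than the buffer.
   Returns 0 if the line fit, 1 if it was truncated (the rest of the line is
   drained so the next call starts on a fresh line), -1 on EOF. */
static int read_line(FILE *in, char *buf, size_t size) {
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 0;
    }
    /* No newline: last line of the stream, or a line longer than size - 1. */
    int c, truncated = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        truncated = 1;
    return truncated;
}

/* strcpy()/strcat() replacement: build "dir/name" in out[size] with
   snprintf(), which always NUL-terminates within size, and treat a return
   value >= size (the length it wanted) as an error instead of accepting a
   silently truncated path.  Returns 0 on success, -1 if it does not fit. */
static int join_path(char *out, size_t size, const char *dir, const char *name) {
    int n = snprintf(out, size, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= size) {
        if (size > 0) out[0] = '\0';          /* never hand back a partial path */
        return -1;
    }
    return 0;
}

/* scanf() with a bare %s is gets() in disguise; the width limits the copy
   to 31 bytes plus the NUL.  Returns 1 if a word was read. */
static int read_word(FILE *in, char buf[32]) {
    return fscanf(in, "%31s", buf) == 1;
}

/* printf(user) lets a user-controlled "%x %x %n" read and write the stack;
   user data goes in as an argument, never as the format. */
static int log_user_string(FILE *out, const char *user) {
    return fprintf(out, "user said: %s\n", user);   /* not fprintf(out, user) */
}

/* Constructed sample input: a short line, a line that overflows a 16-byte
   buffer, and a final line without a newline. */
static const char SAMPLE_INPUT[] =
    "short\n"
    "this line is far longer than sixteen bytes\n"
    "last";

/* Status read_line() reports for line `which` of SAMPLE_INPUT when it is
   read through a 16-byte buffer (-2 if the in-memory stream fails). */
static int sample_line_status(int which) {
    FILE *in = fmemopen((void *)SAMPLE_INPUT, sizeof SAMPLE_INPUT - 1, "r");
    char buf[16];
    int status = -2;
    if (in == NULL) return status;
    for (int i = 0; i <= which; i++)
        status = read_line(in, buf, sizeof buf);
    fclose(in);
    return status;
}

int main(void) {
    char path[16], word[32];
    for (int i = 0; i < 4; i++)
        printf("line %d: status %d\n", i, sample_line_status(i));
    printf("join_path(\"/etc\", \"passwd\") -> %d (%s)\n",
           join_path(path, sizeof path, "/etc", "passwd"), path);
    printf("join_path(\"/var/log\", \"messages\") -> %d\n",
           join_path(path, sizeof path, "/var/log", "messages"));
    FILE *in = fmemopen((void *)SAMPLE_INPUT, sizeof SAMPLE_INPUT - 1, "r");
    if (in != NULL && read_word(in, word)) log_user_string(stdout, word);
    if (in != NULL) fclose(in);
    return 0;
}
```

The point of returning a distinct status for truncation is that a bounded copy alone is not the end of the story: a server that silently truncates a path or a header can still be tricked into using a different value than the one it validated, so the caller must see the truncation and reject the request.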

24 Examples of Common Buffer Overflow Attacks

