Security Malware and Defenses Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.


1 Security Malware and Defenses

2 The Security Environment: Threats
Figure caption: Security goals and threats.

3 Computer Security Triad
Three key objectives are at the heart of computer security (for data and services):
– Availability
– Confidentiality
– Integrity

4 Malware
Malicious software: Trojan horses, viruses, worms, etc.
Today's malware is all about stealth.
Infected machines report back to the attacker: their address, collected information, ...
The attacker uses a backdoor to control the infected machine, making it a zombie.
A collection of zombies is called a botnet.

5 Malware
Criminals can rent out botnets.
Keyloggers; identity theft.
Malware can lie in wait for something interesting.
Malware can interfere with a competitor's production process.
Malware could target another person in the company to discredit that person.

6 Types of Malware
– Trojan horse
– Virus
– Worm
– Spyware
– Rootkits

7 Trojan Horse
A transport means: getting victims to download the virus without the attacker's intervention.
Now you have to get the victim to run it.

8 Trojan Horse
Put the program somewhere in the user's PATH (find a directory that is not secured).
Pick the name of a commonly mistyped command, e.g. 'la'. If the user mistypes 'ls' as 'la', the Trojan runs.

9 Trojan Horse
A legitimate, but malicious, user puts an infected version of 'ls' on the system, then calls the admin, who types:
  cd /home/mal
  ls -l
The admin just ran the Trojan with superuser privileges.
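Both Trojan-horse slides depend on a weak PATH: a world-writable directory that anyone can drop an 'la' into (slide 8), and the current directory being searched before the system directories, which is what makes the admin's `cd /home/mal; ls -l` run the planted `ls` (slide 9). The following audit script is an added example, not code from the book or the slides; it flags those PATH entries and shows every directory that provides a given command in search order. The directory modes and command locations are passed in as callables so the script can run on constructed data (`DEMO_PATH`, `DEMO_MODES`, `DEMO_COMMANDS` are all made up); `real_mode` and `real_has_command` wire the same checks to the live system.

```python
"""Audit a PATH for the weaknesses the Trojan-horse slides rely on.

Added example, not from the book or the slides. Directory modes and command
locations are injected as callables so the checks run on constructed data;
real_mode() / real_has_command() use the live system instead.
"""
import os
import stat


def real_mode(entry):
    """st_mode of a directory on the live system, or None if it does not exist."""
    try:
        return os.stat(entry).st_mode
    except OSError:
        return None


def real_has_command(entry, command):
    """True if entry/command exists and is executable on the live system."""
    return os.access(os.path.join(entry, command), os.X_OK)


def audit_path(path_value, mode_of=real_mode):
    """Return [(entry, reason)] for PATH entries that let others plant commands.

    '' or '.'  : the current directory is searched, so an 'ls' planted in
                 /home/mal runs when the admin does 'cd /home/mal; ls -l'.
    relative   : resolves against whatever directory the user happens to be in.
    world-writable: anyone can drop an 'la' there.
    """
    findings = []
    for entry in path_value.split(os.pathsep):
        if entry in ("", "."):
            findings.append((entry or "<empty>", "current directory is searched"))
        elif not os.path.isabs(entry):
            findings.append((entry, "relative entry"))
        else:
            mode = mode_of(entry)
            if mode is None:
                findings.append((entry, "does not exist"))
            elif mode & stat.S_IWOTH:
                findings.append((entry, "world-writable"))
    return findings


def resolve_all(command, path_value, has_command=real_has_command):
    """Every PATH entry that provides `command`, in search order.

    The first element is what the shell would actually run; any entry that
    sorts before the system directory is a shadowing candidate.
    """
    return [e for e in path_value.split(os.pathsep) if has_command(e or ".", command)]


# Constructed scenario (hypothetical machine, not real data).
DEMO_PATH = ".:/usr/local/bin:/usr/bin:/bin:/home/mal/bin:/opt/missing"
DEMO_MODES = {"/usr/local/bin": 0o40755, "/usr/bin": 0o40755,
              "/bin": 0o40755, "/home/mal/bin": 0o40777}
DEMO_COMMANDS = {".": {"ls"}, "/bin": {"ls"}, "/home/mal/bin": {"ls"}}


def demo_mode(entry):
    return DEMO_MODES.get(entry)


def demo_has_command(entry, command):
    return command in DEMO_COMMANDS.get(entry, ())


if __name__ == "__main__":
    for entry, reason in audit_path(DEMO_PATH, demo_mode):
        print(f"risky PATH entry {entry!r}: {reason}")
    print("ls would resolve to:", resolve_all("ls", DEMO_PATH, demo_has_command))
    # On a real system: audit_path(os.environ["PATH"]) and resolve_all("ls", os.environ["PATH"])
```

Running it against the constructed PATH reports `.` (current directory searched), `/home/mal/bin` (world-writable) and `/opt/missing` (nonexistent), and shows that `ls` resolves to `.` before `/bin`, which is exactly the slide 9 situation.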

10 Viruses
A virus is a program that can reproduce itself by attaching its code to another program. Often written in assembler or C.
The attacker infects a program on his own machine, then gets that program distributed.
Once installed on the victim's machine, it remains dormant until executed.

11 Virus
Once activated:
– Executes its payload
– Often waits for a specific date or time
– ...
We want to make sure the virus is well distributed before people start noticing it.

12 Different Kinds of Viruses
1. Companion
2. Executable program
3. Memory-resident
4. Boot sector
5. Device driver
6. Macro
7. Source code

13 1. Companion Virus
An old virus type. It does not modify the program; it runs when the program is supposed to run.
Ex: in old MS-DOS:
– We install a program named prog.com
– When the user enters prog, instead of prog.exe our infected prog.com is executed (DOS tries .com before .exe)
– We'll call prog.exe after our malicious activity and no one will be the wiser
Can also be done with symbolic links.

14 2. Executable Program Virus
Overwrites the executable program with itself.

15 Executable Program Viruses (1)
Figure: a recursive procedure that finds executable files on a UNIX system.

16 Executable Program Viruses (2)
Figure (continued): a recursive procedure that finds executable files on a UNIX system.

17 Executable Virus
An overwriting virus is easy to detect, since the infected program no longer works.
Parasitic virus: attaches itself to the program to do the bad thing, but allows the program to function normally afterward.

18 Executable Program Viruses (3)
(a) An executable program. (b) With a virus at the front. (c) With a virus at the end. (d) With a virus spread over free space within the program (a cavity virus).

19 3. Memory-Resident Viruses
Stays in RAM, either hiding at the top of memory or down among the interrupt vectors (the last few hundred bytes are generally unused).
Captures one of the interrupt vectors:
– Puts its own address there
– Calls the original interrupt handler after it does what it does
– Benefit: it can run in system mode

20 4. Boot Sector Virus
A virus that overwrites the master boot record or boot sector.
Requires intimate knowledge of the operating system's internal data structures.
Copies the original boot sector to a safe place so it can call it later.
At start-up, the virus is copied to RAM.

21 Boot Sector Viruses
(a) After the virus has captured all the interrupt and trap vectors. (b) After the operating system has retaken the printer interrupt vector. (c) After the virus has noticed the loss of the printer interrupt vector and recaptured it.

22 5. Device Driver Viruses
Infect a device driver; it is just an executable program that lives on disk.
Device drivers are always loaded at boot time and may run in kernel mode.

23 6. Macro Viruses
A virus attached to macros in Microsoft Office documents. Send the infected Word document to someone.

24 7. Source Code Viruses
Very portable. Looks for C source code and changes it to call the virus.

25 Worms
A self-replicating program. Moves itself through the network and onto systems without the victim's help.
Example: Robert Morris's Internet worm of 1988.

26 Spyware
Runs on the victim's machine without the victim knowing, doing things behind the victim's back.
Three broad categories:
– Marketing
– Surveillance
– Zombie army

27 Actions Taken by Spyware (1)
1. Change the browser's home page.
2. Modify the browser's list of favorite (bookmarked) pages.
3. Add new toolbars to the browser.
4. Change the user's default media player.
5. Change the user's default search engine.

28 Actions Taken by Spyware (2)
6. Add new icons to the Windows desktop.
7. Replace banner ads on Web pages with those the spyware picks.
8. Put ads in the standard Windows dialog boxes.
9. Generate a continuous and unstoppable stream of pop-up ads.

29 Rootkit
A rootkit is a program or set of programs and files that attempts to conceal its existence.
Usually contains malware.
Rootkits are classified by where they hide.

30 Types of Rootkits (1)
Five kinds of rootkits; the issue is where they hide:
1. Firmware rootkit
2. Hypervisor rootkit
3. Kernel rootkit
4. Library rootkit
5. Application rootkit

31 Types of Rootkits (2)
Figure 9-31. Five places a rootkit can hide.

32 Rootkit Detection
Read the files in the directory and compare with what the system reports (works unless the directory system call itself is infected).
Timing related: does something take longer than it should?
Example: the Sony rootkit.

33 Defenses
– Firewall
– Antivirus
– Code signing
– Jailing
– Model-based intrusion detection
– Encapsulating mobile code
– Java security

34 Defense 1: Firewalls
Figure: a simplified view of a hardware firewall protecting a LAN with three computers.
No packets can enter or exit the LAN without approval from the firewall.
Stateless firewall: only packet header information is used in the approval decision.
Stateful firewall: the firewall tracks connections and may inspect packet contents.
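The difference between the two firewall kinds on this slide is easiest to see in a simulation. The code below is an added example, not the book's code: a toy packet filter for a LAN of three constructed addresses. The stateless filter decides from headers alone, so to let replies from web servers back in it must admit any inbound TCP packet with source port 80; the stateful filter only admits inbound packets that belong to a connection it saw opened from inside. The addresses, rules and packets are all constructed for the demonstration.

```python
"""Stateless vs. stateful packet filtering, as a toy simulation.

Added example, not code from the book or the slides. Addresses, rules and
packets are constructed; 203.0.113.5 is a documentation address.
"""
from dataclasses import dataclass

LAN = {"10.0.0.1", "10.0.0.2", "10.0.0.3"}   # the three computers behind the firewall
WEB_SERVER = "93.184.216.34"                   # some outside web server (constructed)
OUTSIDER = "203.0.113.5"                       # an unrelated outside host (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False

    @property
    def direction(self):
        return "out" if self.src in LAN else "in"


def matches(rule, pkt):
    """A rule matches when every listed header field has the given value."""
    return all(getattr(pkt, field) == value for field, value in rule["match"].items())


class StatelessFirewall:
    """Decides each packet from its header alone; first matching rule wins, default deny."""

    def __init__(self, rules):
        self.rules = rules

    def allow(self, pkt):
        for rule in self.rules:
            if matches(rule, pkt):
                return rule["action"] == "allow"
        return False


class StatefulFirewall:
    """Rules apply only to packets that open a connection. Anything else is
    allowed only if it belongs to a connection already in the table."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()   # 5-tuples of connections opened through the rules

    def allow(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if fwd in self.table or rev in self.table:
            return True                      # part of a tracked connection
        if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
            return False                     # claims to be mid-connection, never saw it open
        for rule in self.rules:
            if matches(rule, pkt):
                if rule["action"] == "allow":
                    self.table.add(fwd)
                    return True
                return False
        return False


# Policy: LAN hosts may browse the web; nothing else.
STATELESS_RULES = [
    {"match": {"direction": "out", "proto": "tcp", "dport": 80}, "action": "allow"},
    {"match": {"direction": "in", "proto": "tcp", "sport": 80}, "action": "allow"},  # needed for replies
]
STATEFUL_RULES = [
    {"match": {"direction": "out", "proto": "tcp", "dport": 80}, "action": "allow"},
]


def simulate():
    """Run the same three packets through both firewalls; returns (name, stateless, stateful)."""
    stateless, stateful = StatelessFirewall(STATELESS_RULES), StatefulFirewall(STATEFUL_RULES)
    packets = [
        ("LAN host opens a connection to the web server",
         Packet("10.0.0.2", WEB_SERVER, 40000, 80, syn=True)),
        ("web server replies",
         Packet(WEB_SERVER, "10.0.0.2", 80, 40000, syn=True, ack=True)),
        ("outsider sends a packet from port 80 to an unrelated internal port",
         Packet(OUTSIDER, "10.0.0.3", 80, 22, ack=True)),
    ]
    return [(name, stateless.allow(p), stateful.allow(p)) for name, p in packets]


if __name__ == "__main__":
    for name, sl, sf in simulate():
        print(f"{name}: stateless={'allow' if sl else 'deny'} stateful={'allow' if sf else 'deny'}")
```

The third packet is the point of the exercise: the stateless rule that lets web replies in cannot tell a reply from any other packet carrying source port 80, while the stateful filter rejects it because no LAN host opened that connection.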

35 Defense 2: Antivirus
Some techniques:
– Virus scanner: use a goat file to attract a virus; after analysis of the virus, add it to the database of known viruses.
– Store file lengths: if they change, potential problem.
– Hunt for the decryption procedure: needed if the virus compresses itself to fit in the original program size and encrypts the result; the decryptor itself has to stay in the clear.

36 Virus Scanners (1)
Figure 9-33. (a) A program. (b) An infected program. (c) A compressed infected program. (d) An encrypted virus. (e) A compressed virus with encrypted compression code.

37 Antivirus (2)
Some techniques:
– Integrity checkers: compute a checksum for each clean file and later verify it.
– Behavioral checkers: monitor all activity; e.g. Word shouldn't overwrite a file.
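Slides 35 and 37 describe two flavours of the same defense: record file lengths, or record a checksum, and report anything that changed. The script below is an added example (not the book's code) that does both at once, so the difference is visible: a virus appended to a program changes the length, but a cavity virus that fills free space inside the program (slide 18) or any same-size patch keeps the length and only the hash catches it. `demo()` builds a constructed directory of fake binaries in a temporary folder, takes a baseline, applies the three kinds of change and compares; the file names and contents are made up.

```python
"""File integrity checker: length plus SHA-256 baseline, then compare.

Added example, not code from the book or the slides. demo() uses constructed
files in a temporary directory.
"""
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 16


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """{relative path: [size, sha256]} for every regular file below root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = [os.path.getsize(full), file_digest(full)]
    return out


def save_baseline(snap, path):
    with open(path, "w") as f:
        json.dump(snap, f, indent=1)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Sorted [(path, verdict)] for every difference between two snapshots."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append((path, "missing"))
        elif path not in baseline:
            findings.append((path, "new file"))
        else:
            (bsize, bhash), (csize, chash) = baseline[path], current[path]
            if bhash == chash:
                continue
            if bsize != csize:
                findings.append((path, "length changed"))          # a length-only check sees this
            else:
                findings.append((path, "content changed, length unchanged"))  # only the hash sees this
    return findings


def demo():
    """Constructed scenario: baseline, then append, same-size patch, and a new file."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        prog, other = os.path.join(bindir, "prog"), os.path.join(bindir, "other")
        for p in (prog, other):
            with open(p, "wb") as f:
                f.write(b"\x7fELF" + b"\x00" * 60)      # fake binary, constructed
        baseline_file = os.path.join(root, "baseline.json")
        save_baseline(snapshot(root), baseline_file)

        with open(prog, "ab") as f:                     # something appended: length grows
            f.write(b"X" * 16)
        with open(other, "r+b") as f:                   # same-size patch inside the file
            f.seek(8)
            f.write(b"XXXX")
        with open(os.path.join(bindir, "new"), "wb") as f:
            f.write(b"\x7fELF")

        baseline = load_baseline(baseline_file)
        baseline.pop("baseline.json", None)              # the baseline itself is not audited here
        current = snapshot(root)
        current.pop("baseline.json", None)
        return compare(baseline, current)


if __name__ == "__main__":
    for path, verdict in demo():
        print(f"{path}: {verdict}")
```

In real use the baseline has to live somewhere the malware cannot rewrite it (read-only media or another machine), otherwise an infection can simply update the checksums along with the files; `demo()` keeps it in the same tree only for the sake of a self-contained run.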

38 Defense 3: Code Signing
Using digital signatures to sign code, so the recipient can verify who published it and that it has not been modified since.

39 Defense 4: Jailing
The new program's execution is monitored in a jail.
Each system call is transferred to the jailer, who decides whether it is allowed.
Like running in a debugger.

40 Defense 5: Model-Based Intrusion Detection
Intrusion Detection System (IDS):
1. Network-based IDS: focused on incoming packets
2. Host-based IDS: e.g. static model-based intrusion detection

41 Model-Based Intrusion Detection
Static model-based intrusion detection:
– Implemented using the jailing technique
– Learns the 'good' behavior of a program from a program model (its system call graph). The compiler can generate it and the author certifies it.

42 Model-Based Intrusion Detection
(a) A program. (b) System call graph for (a).
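Slides 39 to 42 fit together: the jailer intercepts every system call (slide 39), and static model-based detection gives the jailer a system call graph to check those calls against (slides 41 and 42). The code below is an added example, not the book's code, that simulates both in one place. `MODEL` is a constructed graph for a hypothetical program that opens a file, loops reading and writing, closes and exits (it is not the program in the book's figure); `Jailer.syscall` stands in for the point where a real jailer, for example one built on `ptrace`, would see each call before the kernel does.

```python
"""Jailing with a static system-call model: every call goes through the jailer,
which only lets it through if the program's call graph allows it here.

Added example, not code from the book or the slides. MODEL is a constructed
graph for a hypothetical program.
"""


class IntrusionDetected(Exception):
    pass


# System call graph as state -> {allowed syscall: next state}. Constructed for a
# program that does: open; loop { read; write }; close; exit.
MODEL = {
    "start":     {"open": "opened"},
    "opened":    {"read": "have_data", "close": "closed"},
    "have_data": {"write": "opened"},
    "closed":    {"exit": "end"},
}


class Jailer:
    """Sits where the kernel's system call entry would be for the jailed program."""

    def __init__(self, model, start="start"):
        self.model = model
        self.state = start
        self.log = []            # (state, syscall) pairs that were allowed

    def syscall(self, name):
        allowed = self.model.get(self.state, {})
        if name not in allowed:
            raise IntrusionDetected(
                f"'{name}' at state '{self.state}'; expected one of {sorted(allowed)}")
        self.log.append((self.state, name))
        self.state = allowed[name]
        return True


def run_trace(trace, model=MODEL):
    """Feed a recorded syscall trace to the jailer.

    Returns (index of the first call the model rejects, or None; state reached).
    """
    jail = Jailer(model)
    for i, call in enumerate(trace):
        try:
            jail.syscall(call)
        except IntrusionDetected:
            return i, jail.state
    return None, jail.state


# Constructed traces: one matching the model, one where the program is made
# to execute a different binary partway through (a call the graph never has).
GOOD_TRACE = ["open", "read", "write", "read", "write", "close", "exit"]
BAD_TRACE = ["open", "read", "write", "execve"]

if __name__ == "__main__":
    for name, trace in (("good", GOOD_TRACE), ("bad", BAD_TRACE)):
        bad_index, state = run_trace(trace)
        verdict = "accepted" if bad_index is None else f"rejected at call {bad_index} ({trace[bad_index]})"
        print(f"{name} trace: {verdict}, final state {state}")
```

The model is deliberately a graph rather than a flat allow-list: `write` is permitted, but only after a `read`, so a program that is subverted into calling allowed syscalls in an order its own code could never produce is still caught.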

43 Defense 6: Encapsulating Mobile Code
Problem:
– JavaScript, applets, agents, ...
– Things that want to execute on our machines
– Things we may want to let execute on our machines
Defensive methods:
– Sandboxing
– Interpretation

44 Sandboxing
(a) Memory divided into 16-MB sandboxes. (b) One way of checking an instruction for validity.
Divides the applet's virtual address space into two regions: one sandbox for data and one for code.
Confines the applet to a limited range of virtual addresses, enforced at run time.
Guarantees the applet cannot jump to code outside its code sandbox or reference data outside its data sandbox.
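The validity check in part (b) of the figure comes down to one comparison: with 16-MB sandboxes, the upper bits of any address are the sandbox number, so a jump or memory reference is valid when those bits equal the number of the applet's code or data sandbox. The toy machine below is an added example, not the book's code: direct jump targets are checked once at load time, while indirect jumps, loads and stores get the check at run time. The instruction set, the sandbox numbers and the three programs are constructed for the demonstration.

```python
"""Software sandboxing: static check of direct targets, runtime check of the rest.

Added example, not code from the book or the slides. Toy instruction set and
programs are constructed.
"""
SANDBOX_BITS = 24                 # 2**24 bytes = 16 MB per sandbox, as on the slide
SANDBOX_SIZE = 1 << SANDBOX_BITS


class SandboxViolation(Exception):
    pass


def in_sandbox(addr, index):
    """The inserted check: the address's upper bits must equal the sandbox number."""
    return (addr >> SANDBOX_BITS) == index


def validate_static(program, code_sb):
    """Load-time pass. Direct jumps are checked once; returns the indices of the
    indirect instructions that need the runtime check inserted."""
    needs_check = []
    for i, ins in enumerate(program):
        if ins[0] == "jmp" and not in_sandbox(ins[1], code_sb):
            raise SandboxViolation(f"instruction {i}: direct jump to {ins[1]:#x} leaves code sandbox {code_sb}")
        if ins[0] in ("jr", "ld", "st"):
            needs_check.append(i)
    return needs_check


def run(program, code_sb, data_sb, max_steps=1000):
    """Execute a toy program loaded at the base of its code sandbox.

    Instructions: ("movi", reg, imm), ("ld", reg, addr_reg), ("st", addr_reg, reg),
    ("jmp", addr), ("jr", reg), ("halt",). Each occupies 4 bytes.
    Returns ("ok", memory) or ("violation", instruction index, message).
    """
    validate_static(program, code_sb)
    base = code_sb * SANDBOX_SIZE
    regs, mem, pc = {}, {}, base
    for _ in range(max_steps):
        i = (pc - base) // 4
        ins = program[i]
        op = ins[0]
        if op == "movi":
            regs[ins[1]] = ins[2]
            pc += 4
        elif op == "ld":
            addr = regs[ins[2]]
            if not in_sandbox(addr, data_sb):
                return ("violation", i, f"load from {addr:#x} outside data sandbox {data_sb}")
            regs[ins[1]] = mem.get(addr, 0)
            pc += 4
        elif op == "st":
            addr = regs[ins[1]]
            if not in_sandbox(addr, data_sb):
                return ("violation", i, f"store to {addr:#x} outside data sandbox {data_sb}")
            mem[addr] = regs[ins[2]]
            pc += 4
        elif op == "jmp":
            pc = ins[1]                       # already validated statically
        elif op == "jr":
            target = regs[ins[1]]
            if not in_sandbox(target, code_sb):
                return ("violation", i, f"indirect jump to {target:#x} outside code sandbox {code_sb}")
            pc = target
        elif op == "halt":
            return ("ok", mem)
        else:
            raise ValueError(f"unknown instruction {ins}")
    return ("violation", i, "step limit exceeded")


# Constructed programs. The applet owns code sandbox 1 and data sandbox 2.
CODE_SB, DATA_SB = 1, 2
GOOD = [("movi", "r1", 0x02000010), ("movi", "r2", 42), ("st", "r1", "r2"), ("halt",)]
BAD_STORE = [("movi", "r1", 0x03000000), ("movi", "r2", 42), ("st", "r1", "r2"), ("halt",)]
BAD_JUMP = [("movi", "r1", 0x02000000), ("jr", "r1")]

if __name__ == "__main__":
    for name, prog in (("good", GOOD), ("bad store", BAD_STORE), ("bad jump", BAD_JUMP)):
        print(name, "->", run(prog, CODE_SB, DATA_SB))
```

The static pass is what keeps the runtime cost low: only the instructions in `needs_check` carry the extra comparison, which is the same idea as the code the figure shows being inserted before an indirect jump.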

45 Interpretation
Run applets interpretively. Every instruction can be examined by the interpreter before it executes.

46 Defense 7: Java Security
Checks on applets include:
1. Does the applet attempt to forge pointers?
2. Does it violate access restrictions on private class members?
3. Does it try to use a variable of one type as another?
4. Does it generate stack overflows or underflows?
5. Does it illegally convert variables of one type to another?

47 Java Security (2)
Figure: some examples of protection that can be specified with JDK 1.2.

48 End

