CS3235: Introduction to Computer Security
Presentation on theme: "CS3235: Introduction to Computer Security"— Presentation transcript:

Slide1

CS3235: Introduction to Computer Security

Lecture 4: Malware

CS3235 Lecture 4

1

Slide2

Review of Lecture 3

AES
Public-key cryptosystem: RSA
Applications of cryptography
  Cryptographic hash functions
  Key exchange
  Digital signatures
  Certificates

Slide3

Is Cryptography Alone Enough?

(Figure: Network)

Slide4

Importance of Program Security

Protecting programs is at the heart of computer security
Programs constitute much of a computing system
  Operating system, device drivers, …
Types of threats
  Malicious programs
  Vulnerable programs

Slide5

Big Picture of Attacks

(Figure: stages of an attack)
Reconnaissance
Scanning
Break-in
Malware
Hiding

Slide6

Threats from Malicious Code

Steal confidential information
  Credit card, bank account, password
  Trade secrets
Surveillance
  Capture keystrokes, webcam streams
  Collect system information
Controlling the computer
  Form botnets
  Send spam emails

Slide7

Types of Malicious Code


Slide8

Computer Viruses

A program that can replicate itself and pass on malicious code to other non-malicious programs by modifying them.
Transient virus
Resident virus

Slide9

Three Aspects of a Virus

Propagation mechanism: how do viruses attach?
Activation mechanism: how do viruses gain control?
Behavior of the virus payload: what do viruses do besides propagating?

Slide10

Virus Propagation Mechanism

Attaching to a program
  Appended, surrounded, integrated
Document virus
  Executable code in data files
Attaching to email messages
Embedded in instant messages
Injected into a disk/USB drive

Slide11

Virus Activation Mechanism

Viruses do no harm until activated
Injecting themselves into normal activities
  At the beginning of a program
  Deceptive email or IM message
  Autorun in Windows
Homes for viruses
  One-time, boot sector, memory

Slide12

Code Execution Path

(Figure: stages of the execution path) BIOS → Drive → Operating System → Application → Data/Scripts

Slide13

Demo of Virus Behaviors


Slide14

Virus Detection

Virus scanner
  Detects and removes viruses using virus signatures
  E.g., Norton AntiVirus
Virus signatures
  A unique string of bits, or binary pattern, of a virus. The virus signature is like a fingerprint in that it can be used to detect and identify specific viruses.

Slide15

Types of Virus Signatures

On storage patterns
  Changes at fixed locations of a program
  Changes in file size and checksum
On transmission patterns
On execution patterns
  Code for common behaviors

(Figure: infected file layout: Jump / Original Program / Malicious code)

Slide16

Anti-Detection Techniques

Polymorphic viruses
  Transform virus code to a different form
  Insert NOP instructions
  Change x = 0 to x = a – a
Encrypted viruses
  Decrypt before execution

(Figure: encrypted virus layout: Key / Encrypted Virus Code / Decryption Routine)
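To make the storage-pattern signatures of Slide15 and the NOP-insertion trick of this slide concrete, here is an added Python example (not from the lecture). It runs three checks over constructed byte strings that stand in for executables: an exact-signature scan, a NOP-normalised scan, and a size/checksum comparison against a baseline of the clean file. The signature, the sample "programs" and the NOP-stripping step are all constructed for the illustration.

```python
import hashlib

NOP = 0x90  # x86 one-byte no-op, the padding the polymorphic variant inserts

# Constructed stand-ins for executables: the "signature" is the byte pattern
# the scanner looks for; none of these strings is real code.
VIRUS_SIGNATURE = bytes.fromhex("deadbeefcafef00d")
CLEAN_PROGRAM = b"\x55\x89\xe5" + b"A" * 40 + b"\xc9\xc3"
# Infected copy: the pattern is appended unchanged to the clean program.
INFECTED = CLEAN_PROGRAM + b"\xe8\x00" + VIRUS_SIGNATURE + b"\xc3"
# Polymorphic variant: a NOP between every signature byte, so the exact
# pattern no longer occurs although the effective bytes are the same.
POLYMORPHIC = (CLEAN_PROGRAM + b"\xe8\x00"
               + bytes([NOP]).join(bytes([b]) for b in VIRUS_SIGNATURE) + b"\xc3")


def baseline(program: bytes) -> dict:
    """Storage-pattern baseline: size and checksum (here SHA-256) of a known-good file."""
    return {"size": len(program), "sha256": hashlib.sha256(program).hexdigest()}


def integrity_changed(program: bytes, base: dict) -> bool:
    """Flag any change in file size or checksum relative to the baseline."""
    return len(program) != base["size"] or hashlib.sha256(program).hexdigest() != base["sha256"]


def matches_signature(program: bytes, signature: bytes, normalize: bool = False) -> bool:
    """Exact byte-pattern scan; with normalize=True, NOP bytes are stripped first.
    Caveat: dropping every 0x90 also alters legitimate code, so real scanners
    normalise more carefully (e.g. by emulating the code before matching)."""
    if normalize:
        program = bytes(b for b in program if b != NOP)
    return signature in program


def scan(program: bytes, base: dict) -> dict:
    """Combine the three checks so it is visible which one each sample trips."""
    return {
        "exact_signature": matches_signature(program, VIRUS_SIGNATURE),
        "normalized_signature": matches_signature(program, VIRUS_SIGNATURE, normalize=True),
        "integrity_changed": integrity_changed(program, base),
    }


if __name__ == "__main__":
    base = baseline(CLEAN_PROGRAM)
    for name, sample in [("clean", CLEAN_PROGRAM), ("infected", INFECTED), ("polymorphic", POLYMORPHIC)]:
        print(name, scan(sample, base))
```

The polymorphic sample slips past the exact signature but is still caught both by the normalised scan and by the checksum change, which is why integrity baselines remain useful when signatures fail.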

Slide17

Prevention of Virus Infection

Use only software from reliable sources

Test new software on isolated computers

Be careful of email attachments

Make a recovery system image

Back up data

Use virus scanners

Slide18

Truth and Misconceptions

Viruses can infect any computer system

Viruses can modify read-only files

Viruses can appear in any type of files

Viruses cannot remain in memory after a system reboot, but ...

Viruses cannot infect hardware


Slide19

The Brain Virus

Virus behavior
  Labeling the attacked disk as “BRAIN”
Propagation and activation
  Residing in the first and other six boot sectors
  Intercepting disk read requests

Slide20

CIH Virus

Spread via Windows executable files
Damages:
  Overwriting the first 1024KB of the hard drive with zeroes
  Overwriting the BIOS with junk code
Activated on April 26, 1999
An untold number of computers worldwide were affected, many in Asia

Slide21

Melissa

Macro virus found on March 26, 1999
Targeting MS Word and Outlook-based systems
  In a file called “List.DOC”
  Spread on MS Word 97 and 2000
  Mass-mails itself from the email client MS Outlook 97 or Outlook 98
Activated once the Word document is opened

Slide22

ILOVEYOU

First appeared on May 3, 2000
Caused a world-wide email outage; damage estimated at $10 billion
VBScript virus
Email:
  Subject: “ILOVEYOU”
  Attachment: “LOVE-LETTER-FOR-YOU.TXT.vbs”
Overwrites important files with a copy of itself
Sends itself to everyone in the user’s contact list

Slide23

Targeted Malicious Code


Slide24

Trapdoor (Backdoor)

Secret entry point into a system
Specific user identifier or password that circumvents normal security procedures.
Commonly used by developers
Could be included in a compiler.

Slide25

Trojan Horse

Programs that appear to be benign but have hidden malicious code
Example
  Software claims to convert a DVD reader drive into a DVD writer
  It simply deletes files on the system

Slide26

Salami Attack

Merges bits of seemingly inconsequential data to yield powerful results
Example: interest calculation in a banking system.
Reason for salami attacks
  Computer computations have small errors involving rounding and truncation.

Slide27

Rootkits

Rootkit: a piece of malicious code that tries to obscure its presence on a computer system.
A typical rootkit will interfere with the normal interaction between a user and the OS
  Removes its effects from the results of system utilities

Slide28

Rootkit Classification

(Figure: three panels comparing where the rootkit lives)
User-mode rootkit: the kernel is intact; login, ps and ifconfig are replaced by Trojan versions; the other good programs are untouched.
Kernel-mode rootkit: login, ps, ifconfig and the good programs are intact; a Trojan kernel module sits inside the kernel.
Application-level rootkit: the kernel and the good programs are intact; an evil program runs alongside them.

Slide29

User-mode Rootkits

Hiding the existence of the rootkit by changing system utilities
  Linux/UNIX: ls, du, find, ifconfig, login, sshd, netstat, …

Slide30

Kernel-mode Rootkits

Hide themselves by modifying the OS kernel
So what?
  No trusted service is provided by the OS
  No way to distinguish whether a program is a real one or a fake one

Slide31

Sony BMG DRM Rootkit (2005)

Extended Copy Protection (XCP) for CD copy protection
Users are required to install the XCP software
XCP intercepts all accesses to the CD drive and only allows Sony’s media player to access the tracks on the CD
XCP conceals itself from the user by patching the Windows kernel. The patch stops ordinary system tools from displaying processes, registry entries, or files whose names begin with $sys$.
About 4.7 million XCP CDs shipped, 2.1 million sold.

Slide32

SONY BMG Rootkit (Cont.)

Blocks access to files beginning with $sys$, so that they are “invisible” to system users
Weakens system security
  The XCP rootkit can be used by other malware; one such case was discovered in Nov. 2005
  The XCP installer, which was released later, leaves security holes on the system
  The XCP mechanism affects system stability, resulting in the blue screen of death.

Slide33

Zombie & Botnet

Secretly takes over another networked computer by exploiting software flaws
Builds the compromised computers into a zombie network or botnet
  A collection of compromised machines running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure.
Uses it to indirectly launch attacks
  E.g., DDoS, phishing, spamming, cracking

Slide34

Botnet

(Figure: Attacker, Master Server, Internet, Zombies)

A network of compromised computers controlled by an attacker.
Commonly controlled by an IRC channel.

Slide35

Other Targeted Attacks

Privilege escalation:
  A means for malicious code to be launched by a user with lower privileges but run with higher privileges
Interface illusion
Keystroke logging
Man-in-the-Middle attacks

Slide36

Covert Channels

Malicious code can leak information without being noticed.
  E.g., a change of font of a word in a document
Main types of covert channels
  Storage channels
  Timing channels

Slide37

Storage Channels

File lock channels
File existence channels

(Figure: file existence channel, three frames)
Frame 1: Service creates the file (“Create: 1”); Spy asks “Exist?” and reads “Yes: 1”.
Frame 2: Service deletes the file (“Delete: 0”); Spy asks “Exist?” and reads “No: 0”.
Frame 3: Service does nothing; Spy asks “Exist?” and reads “No: 0”.
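The file-existence channel in the figure above, as an added Python example that is not part of the lecture: the Service encodes each bit by creating or deleting a file in a shared directory, and the Spy recovers it by testing existence only, never reading contents or permissions. The class names, the lockstep send/read timing and the shared temporary directory are constructed for the demonstration; a real channel would need its own synchronisation.

```python
import os
import tempfile

# Constructed demonstration of the slide's file-existence storage channel.
# The only shared state is a file name in a directory both parties can see.


class Service:
    """The high side: may not send data, but may create or delete a file."""

    def __init__(self, shared_path: str):
        self.path = shared_path

    def send_bit(self, bit: int) -> None:
        if bit:
            open(self.path, "a").close()  # Create: 1
        elif os.path.exists(self.path):
            os.remove(self.path)  # Delete: 0


class Spy:
    """The low side: has no read access, only the right to ask 'Exist?'."""

    def __init__(self, shared_path: str):
        self.path = shared_path

    def read_bit(self) -> int:
        return 1 if os.path.exists(self.path) else 0  # Exist? Yes: 1 / No: 0


def to_bits(message: bytes) -> list:
    """Most-significant bit first, eight bits per byte."""
    return [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]


def from_bits(bits: list) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def leak_through_channel(message: bytes) -> bytes:
    """One synchronised transfer: Service sets a bit, Spy samples it, repeat."""
    with tempfile.TemporaryDirectory() as shared_dir:
        path = os.path.join(shared_dir, "flag")  # constructed shared resource
        service, spy = Service(path), Spy(path)
        received = [spy.read_bit() for bit in to_bits(message) if service.send_bit(bit) is None]
        return from_bits(received)
```

Every byte costs eight create/delete operations on a single file name, so a monitor that counts such operations per shared object is one way to spot this channel; the shared resource matrix of the next slide is the systematic way to find which objects the Spy can even observe.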

Slide38

Shared Resource Matrix

Slide39

Information Flow

  B := A
  C := B
  IF D=1 THEN E := C

RED: Explicit flow (data dependency)
Blue: Implicit flow (control dependency)
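An added Python example, not from the lecture, that tracks the slide's two kinds of flow for the program above: each variable accumulates the inputs reaching it by data dependency (the RED edges) and by control dependency (the BLUE edges). The tuple encoding of statements and the function names are constructed for this illustration.

```python
# Constructed label-tracking interpreter for the slide's program:
#   B := A
#   C := B
#   IF D=1 THEN E := C
# Every variable carries two label sets: the inputs it depends on through
# data flow (explicit) and through the conditions that guarded its write
# (implicit).

PROGRAM = [
    ("assign", "B", "A"),
    ("assign", "C", "B"),
    ("if_eq1", "D", [("assign", "E", "C")]),
]


def track_flows(program, inputs):
    """Run program on the input dict; return (values, explicit, implicit)."""
    values = dict(inputs)
    explicit = {v: {v} for v in inputs}  # an input is its own explicit source
    implicit = {v: set() for v in inputs}

    def run(stmts, pc):
        # pc: sources of every condition guarding the current statements
        for stmt in stmts:
            if stmt[0] == "assign":
                _, target, source = stmt
                values[target] = values.get(source)
                explicit[target] = set(explicit.get(source, set()))
                implicit[target] = implicit.get(source, set()) | pc
            else:
                _, cond, body = stmt
                guard = pc | explicit[cond] | implicit[cond]
                if values.get(cond) == 1:
                    run(body, guard)
                else:
                    # Branch not taken: targets keep their old values, but the
                    # fact that they were NOT written still reveals the guard.
                    for st in body:
                        if st[0] == "assign":
                            implicit[st[1]] = implicit.get(st[1], set()) | guard
                            explicit.setdefault(st[1], set())

    run(program, set())
    return values, explicit, implicit


def sources_of(var, explicit, implicit):
    """All inputs an observer of var can learn something about."""
    return explicit.get(var, set()) | implicit.get(var, set())
```

With D = 1 the final E carries {A} explicitly and {D} implicitly; with D = 0, E is never written, yet its unchanged value still depends on D, which is why the implicit label is recorded for the untaken branch too.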

Slide40

Readings for This Lecture

Security in Computing, Chapter 3.3, Chapter 3.4.

Slide41

http://www.youtube.com/watch?v=32JgSJYpL8o&feature=fvw
WEP hacking
http://www.youtube.com/watch?v=TiPWUykw3uU&NR=1
TV Hack
http://www.youtube.com/watch?v=QrXkmP_3kBs&feature=fvw
Urban Hack
http://www.youtube.com/watch?v=0L7DTMKekoU

Slide42

Slide43