Lecture . 4: Malware. CS3235 Lecture 4. 1. Review of Lecture 3. AES. Public-key cryptosystem: RSA. Application of cryptography. Cryptographic hash functions. Key exchange. Digital signatures. Certificates. ID: 658313
DownloadNote - The PPT/PDF document "CS3235: Introduction to Computer Securit..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
CS3235: Introduction to Computer Security
Lecture 4: Malware
CS3235 Lecture 4
1
Slide2Review of Lecture 3AESPublic-key cryptosystem: RSAApplication of cryptography
Cryptographic hash functionsKey exchangeDigital signaturesCertificatesCS3235 Lecture 4
2
Slide3Is Cryptography Alone Enough?CS3235 Lecture 4
3
Network
Slide4Importance of Program SecurityProtecting programs is at the heart of computer securityPrograms constitute much of a computing of a system
Operating system, device drivers, …Types of threatsMalicious programsVulnerable programsCS3235 Lecture 4
4
Slide5Big Picture of AttacksCS3235 Lecture 4
5
Reconnaissance
Scanning
Break-in
Malware
Hiding
Slide6Threats from Malicious CodeSteal confidential informationCredit card, bank account, password
Trade secretsSurveillanceCapture keystrokes, webcam streamsCollect system informationControlling computerForm botnetsSend spam emails
CS3235 Lecture 46
Slide7Types of Malicious Code
7CS3235 Lecture 4
Slide8Computer VirusesA program that can replicate itself and
pass on malicious code to other non-malicious programs by modifying them.Transient virusResident virusCS3235 Lecture 4
8
Slide9Three Aspects of a VirusPropagation mechanismHow viruses attach?Activation mechanism
How viruses gain control?Behavior of virus payloadWhat will viruses do besides propagating?CS3235 Lecture 4
9
Slide10Virus Propagation MechanismAttaching to a programAppended, surrounded, integratedDocument virus
Executable code in data filesAttaching to email messagesEmbedded in instant messagesInjected into disk/USB driveCS3235 Lecture 4
10
Slide11Virus Activation MechanismViruses have no harm until activatedInjecting themselves into normal activities
At the beginning of a programDeceptive email or IM messageAutorun in WindowsHomes for virusesOne-time, boot sector, memoryCS3235 Lecture 4
11
Slide12Code Execution Path
Operating System
Drive
BIOS
Application
Data/Scripts
12
CS3235 Lecture 4
Slide13Demo of Virus Behaviors
13
CS3235 Lecture 4
Slide14Virus DetectionVirus scannerDetect and remove virus using virus signatures
E.g., Norton AntiVirusVirus signaturesA unique string of bits, or the binary pattern, of a virus. The virus signature is like a fingerprint in that it can be used to detect and identify specific viruses.CS3235 Lecture 4
14
Slide15Types of Virus SignaturesOn storage patternsChanges at fixed locations of a program
Changes in file size and checksumOn Transmission PatternsOn execution patternsCode for common behaviorsCS3235 Lecture 4
15
Jump
Original Program
Malicious
Slide16Anti-Detection TechniquesPolymorphic virusesTransform virus code to a different formInsert NOP instructions
Change x = 0 to x = a – aEncrypted virusesDecrypt before executionCS3235 Lecture 4
16
Key
Encrypted Virus
Code
Decryption Routine
Slide17Prevention of Virus Infection
Use only software from reliable sources
Test new software on isolated computers
Be careful of email attachments
Make recovery system image
Backup data
Use virus scanners
17
CS3235 Lecture 4
Slide18Truth and Misconceptions
Viruses can infect any computer system
Viruses can modify read-only files
Viruses can appear in any type of files
Viruses cannot remain in memory after a system reboot, but ...
Viruses cannot infect hardware
18
CS3235 Lecture 4
Slide19The Brain VirusVirus behaviorLabeling attacked disk as “BRAIN”Propagation and activation
Residing in the first and other six boot sectorsIntercept disk read requestsCS3235 Lecture 419
Slide20CIH VirusSpread via Windows executable filesDamages:Overwriting the first 1024KB of the hard drive with zeroes
Overwriting the BIOS with junk codeActivated on April 26, 1999An untold number of computers worldwide were affected, much in AsiaCS3235 Lecture 4
20
Slide21MelissaMacro virus found on March 26, 1999Targeting MS Word and Outlook-based systemsIn a file called “List.DOC”
Spread on MS Word 97 and 2000Mass-mail itself from email client MS Outlook 97 or Outlook 98Activated once the word document is openedCS3235 Lecture 4
21
Slide22ILOVEYOUFirst appeared on May 3, 2000Caused world-wide email outage, damage estimated $10 billionVBScript virus
Email:Subject: “ILOVEYOU”Attachment: “LOVE-LETTER-FOR-YOU.TXT.vbs”Overwrite important files with a copy of itselfSend out itself to everyone in a user’s contact list
CS3235 Lecture 422
Slide23Targeted Malicious Code
23CS3235 Lecture 4
Slide2424
Trapdoor (Backdoor)
Secret entry point into a system
Specific user identifier or password that circumvents normal security procedures.
Commonly used by developers
Could be included in a compiler.
CS3235 Lecture 4
Slide25Trojan HorsePrograms that appear to be benign, but have hidden malicious codeExampleSoftware claims to convert a DVD reader drive into a DVD writer
It simply deletes files on a systemCS3235 Lecture 425
Slide2626
Salami Attack
Merges bits of seemingly inconsequential data to yield powerful results
Example, interest calculation in a banking system.
Reason for salami attack
Computer computations have small errors involving rounding and truncation.
CS3235 Lecture 4
Slide2727
Rootkits
Rootkit: a piece of malicious code that tries to obscure its presence on a computer system.
A typical rootkit will interfere with the normal interaction between a user an the OS
Remove its effects from results of system utilities
CS3235 Lecture 4
Slide2828
Rootkit Classification
User-mode
RootKit
Kernel
Trojan
login
Trojan
ps
Trojan
ifconfig
good
program
Kernel-mode
RootKit
Kernel
good
login
good
ps
good
ifconfig
good
program
Trojan
Kernel Module
Application-level
Rootkit
Kernel
Evil Program
good
program
good
program
good
program
good
program
CS3235 Lecture 4
Slide29User-mode RootkitsHiding existence of rootkit
by changing system utilitiesLinux/UNIX ls, du, find, ifconfig, login,
sshd, netstat
, …CS3235 Lecture 4
29
Slide30Kernel-mode RootkitsHide themselves by modifying the OS kernelSo what?
No trusted service provided by the OSNo way to distinguish whether a program is a real one or fake oneCS3235 Lecture 430
Slide31Sony BMG DRM Rootkit (2005)Extended Copy Protection (XCP) for CD copy protection
Users are required to install XCP softwareXCP intercepts all accesses to CD drive and only allows SONY’s media player to access the track on CDXCP conceals itself from the user by patching the Windows kernel. The patch stops ordinary system tools from displaying processes, registry entries, or files whose names begin with $sys$. About 4.7 million XCP-CDs shipped, 2.1 million sold. CS3235 Lecture 4
31
Slide32SONY BMG Rootkit (Cont.)
Block access to file begin with $sys$, so that it is “invisible” to system usersWeaken system securityXCP rootkit can be used by other malware. One discovered in Nov. 2005XCP installer, which released later, leaves security holes on systemXCP mechanism affects system stability, resulting in blue-screen-of-death.
CS3235 Lecture 432
Slide3333
Zombie & Botnet
Secretly takes over another networked computer by exploiting software flows
Builds the compromised computers into a zombie network or botnet
A
collection of compromised machines running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure.
Uses it to indirectly launch attacks
E.g.,
DDoS
, phishing, spamming, cracking
CS3235 Lecture 4
Slide3434
Botnet
Attacker
Internet
Zombies
Master
Server
CS3235 Lecture 4
A network of compromised computers controlled by an attacker.
Commonly controlled by an IRC channel.
Slide3535
Other Targeted Attacks
Privilege escalation:
A means for malicious code to be launched by a user with lower privileges but run with higher privileges
Interface illusion
Keystroke logging
Man-in-the-Middle attacks
CS3235 Lecture 4
Slide3636
Covert Channels
Malicious code can leak information without being noticed.
Change of font of a word in a document
Main types of covert channels
Storage channels
Timing
channels
CS3235 Lecture 4
Slide37Storage ChannelsFile lock channelsFile existence channels
CS3235 Lecture 437
Service
File
Spy
Create: 1
Exist?
Yes: 1
Service
File
Spy
Delete: 0
Exist?
No: 0
Service
Spy
Exist?
No: 0
0
Slide3838
Shared Resource Matrix
CS3235 Lecture 4
Slide3939
Information FlowB := A
C := BIF D=1 THEN
E
:= C
RED: Explicit flow
(Data dependency)
Blue: Implicit flow
(Control dependency)
CS3235 Lecture 4
Slide4040
Readings for This LectureSecurity in Computing
Chapter 3.3, Chapter 3.4.
CS3235 Lecture 4
Slide41http://www.youtube.com/watch?v=32JgSJYpL8o&feature=fvwWEP hacking
http://www.youtube.com/watch?v=TiPWUykw3uU&NR=1TV Hack http://www.youtube.com/watch?v=QrXkmP_3kBs&feature=fvwUrban Hack http://www.youtube.com/watch?v=0L7DTMKekoUCS3235 Lecture 4
41
Slide42Slide43
Next Slides
Introduction to computer security: terminology, security po
Introduction to computer security
Introduction to computer technology
Computer security in this section you will learn about diffe
Computer security in this section
Computer security in this section
Computer security
Introduction to computer security
Introduction to computer security