Download Presentation - The PPT/PDF document "CS3235: Introduction to Computer Securit..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Presentation on theme: "CS3235: Introduction to Computer Security"— Presentation transcript:
Slide1
CS3235: Introduction to Computer Security
Lecture 4: Malware
CS3235 Lecture 4
1
Slide2
Review of Lecture 3AESPublic-key cryptosystem: RSAApplication of cryptography
Computer VirusesA program that can replicate itself and
pass on malicious code to other non-malicious programs by modifying them.Transient virusResident virusCS3235 Lecture 4
8
Slide9
Three Aspects of a VirusPropagation mechanismHow viruses attach?Activation mechanism
How viruses gain control?Behavior of virus payloadWhat will viruses do besides propagating?CS3235 Lecture 4
9
Slide10
Virus Propagation MechanismAttaching to a programAppended, surrounded, integratedDocument virus
Executable code in data filesAttaching to email messagesEmbedded in instant messagesInjected into disk/USB driveCS3235 Lecture 4
10
Slide11
Virus Activation MechanismViruses have no harm until activatedInjecting themselves into normal activities
At the beginning of a programDeceptive email or IM messageAutorun in WindowsHomes for virusesOne-time, boot sector, memoryCS3235 Lecture 4
11
Slide12
Code Execution Path
Operating System
Drive
BIOS
Application
Data/Scripts
12
CS3235 Lecture 4
Slide13
Demo of Virus Behaviors
13
CS3235 Lecture 4
Slide14
Virus DetectionVirus scannerDetect and remove virus using virus signatures
E.g., Norton AntiVirusVirus signaturesA unique string of bits, or the binary pattern, of a virus. The virus signature is like a fingerprint in that it can be used to detect and identify specific viruses.CS3235 Lecture 4
14
Slide15
Types of Virus SignaturesOn storage patternsChanges at fixed locations of a program
Changes in file size and checksumOn Transmission PatternsOn execution patternsCode for common behaviorsCS3235 Lecture 4
15
Jump
Original Program
Malicious
Slide16
Anti-Detection TechniquesPolymorphic virusesTransform virus code to a different formInsert NOP instructions
Change x = 0 to x = a – aEncrypted virusesDecrypt before executionCS3235 Lecture 4
16
Key
Encrypted Virus
Code
Decryption Routine
Slide17
Prevention of Virus Infection
Use only software from reliable sources
Test new software on isolated computers
Be careful of email attachments
Make recovery system image
Backup data
Use virus scanners
17
CS3235 Lecture 4
Slide18
Truth and Misconceptions
Viruses can infect any computer system
Viruses can modify read-only files
Viruses can appear in any type of files
Viruses cannot remain in memory after a system reboot, but ...
Viruses cannot infect hardware
18
CS3235 Lecture 4
Slide19
The Brain VirusVirus behaviorLabeling attacked disk as “BRAIN”Propagation and activation
Residing in the first and other six boot sectorsIntercept disk read requestsCS3235 Lecture 419
Slide20
CIH VirusSpread via Windows executable filesDamages:Overwriting the first 1024KB of the hard drive with zeroes
Overwriting the BIOS with junk codeActivated on April 26, 1999An untold number of computers worldwide were affected, much in AsiaCS3235 Lecture 4
20
Slide21
MelissaMacro virus found on March 26, 1999Targeting MS Word and Outlook-based systemsIn a file called “List.DOC”
Spread on MS Word 97 and 2000Mass-mail itself from email client MS Outlook 97 or Outlook 98Activated once the word document is openedCS3235 Lecture 4
21
Slide22
ILOVEYOUFirst appeared on May 3, 2000Caused world-wide email outage, damage estimated $10 billionVBScript virus
Email:Subject: “ILOVEYOU”Attachment: “LOVE-LETTER-FOR-YOU.TXT.vbs”Overwrite important files with a copy of itselfSend out itself to everyone in a user’s contact list
CS3235 Lecture 422
Slide23
Targeted Malicious Code
23CS3235 Lecture 4
Slide24
24
Trapdoor (Backdoor)
Secret entry point into a system
Specific user identifier or password that circumvents normal security procedures.
Commonly used by developers
Could be included in a compiler.
CS3235 Lecture 4
Slide25
Trojan HorsePrograms that appear to be benign, but have hidden malicious codeExampleSoftware claims to convert a DVD reader drive into a DVD writer
It simply deletes files on a systemCS3235 Lecture 425
Slide26
26
Salami Attack
Merges bits of seemingly inconsequential data to yield powerful results
Example, interest calculation in a banking system.
Reason for salami attack
Computer computations have small errors involving rounding and truncation.
CS3235 Lecture 4
Slide27
27
Rootkits
Rootkit: a piece of malicious code that tries to obscure its presence on a computer system.
A typical rootkit will interfere with the normal interaction between a user an the OS
Remove its effects from results of system utilities
CS3235 Lecture 4
Slide28
28
Rootkit Classification
User-mode
RootKit
Kernel
Trojan
login
Trojan
ps
Trojan
ifconfig
good
program
Kernel-mode
RootKit
Kernel
good
login
good
ps
good
ifconfig
good
program
Trojan
Kernel Module
Application-level
Rootkit
Kernel
Evil Program
good
program
good
program
good
program
good
program
CS3235 Lecture 4
Slide29
User-mode RootkitsHiding existence of rootkit
by changing system utilitiesLinux/UNIX ls, du, find, ifconfig, login,
sshd, netstat
, …CS3235 Lecture 4
29
Slide30
Kernel-mode RootkitsHide themselves by modifying the OS kernelSo what?
No trusted service provided by the OSNo way to distinguish whether a program is a real one or fake oneCS3235 Lecture 430
Slide31
Sony BMG DRM Rootkit (2005)Extended Copy Protection (XCP) for CD copy protection
Users are required to install XCP softwareXCP intercepts all accesses to CD drive and only allows SONY’s media player to access the track on CDXCP conceals itself from the user by patching the Windows kernel. The patch stops ordinary system tools from displaying processes, registry entries, or files whose names begin with $sys$. About 4.7 million XCP-CDs shipped, 2.1 million sold. CS3235 Lecture 4
31
Slide32
SONY BMG Rootkit (Cont.)
Block access to file begin with $sys$, so that it is “invisible” to system usersWeaken system securityXCP rootkit can be used by other malware. One discovered in Nov. 2005XCP installer, which released later, leaves security holes on systemXCP mechanism affects system stability, resulting in blue-screen-of-death.
CS3235 Lecture 432
Slide33
33
Zombie & Botnet
Secretly takes over another networked computer by exploiting software flows
Builds the compromised computers into a zombie network or botnet
A
collection of compromised machines running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure.
Uses it to indirectly launch attacks
E.g.,
DDoS
, phishing, spamming, cracking
CS3235 Lecture 4
Slide34
34
Botnet
Attacker
Internet
Zombies
Master
Server
CS3235 Lecture 4
A network of compromised computers controlled by an attacker.
Commonly controlled by an IRC channel.
Slide35
35
Other Targeted Attacks
Privilege escalation:
A means for malicious code to be launched by a user with lower privileges but run with higher privileges
Interface illusion
Keystroke logging
Man-in-the-Middle attacks
CS3235 Lecture 4
Slide36
36
Covert Channels
Malicious code can leak information without being noticed.
Change of font of a word in a document
Main types of covert channels
Storage channels
Timing
channels
CS3235 Lecture 4
Slide37
Storage ChannelsFile lock channelsFile existence channels
