ELE386 Malware


Published on August 20, 2007

Author: Alien

Source: authorstream.com


Understanding the Threat of Malware
Nachiketh Potlapally, ELE 386: Cyber Security, 03/22/05, Prof. Ruby Lee, Princeton University, Spring 2005

What is Malware?
Malware refers to any software code written with the aim of degrading or subverting the normal operation of a computer system. It is also referred to as malicious code. There are different types of malware:
- Viruses
- Worms
- Trojan horses
- Malicious mobile code

Slide 3: Unfortunately, most computer viruses are not so courteous!

Slide 4: "Be afraid. Be very afraid." (The Fly, 1986). But a computer virus is not inherently dangerous.

Definitions
- Computer virus: a program that, when triggered by an action of the user, causes copies of itself to be created.
- Computer worm: a program that causes copies of itself to be created without any user intervention.
- Trojan horse: a program that appears to do something useful but in reality masks some hidden malicious functionality. It does not make copies of itself.
- Malicious mobile code: a lightweight malicious program that is downloaded from a remote system and executed with minimal intervention on the local system. It is encountered while browsing the web and implemented using VB scripts, JavaScript, ActiveX controls, etc.

Factors Contributing to the Rapid Spread of Malware
- Ubiquitous connectivity: the Internet makes it easy to launch large-scale autonomous attacks.
- Homogeneous computing environments: identifying a flaw in a particular hardware architecture or operating system enables compromise of many computers.
- Increasing computer system complexity: high system complexity makes it very tough to guarantee security properties.
- Easy extensibility of computer systems: 'plug and play' customization makes attacks easier.
- Easily available malware writing toolkits: dramatic increase in attacks carried out by script kiddies.

History of Malicious Code
- John von Neumann presented the theory of complicated automata at IAS/Princeton and postulated that a computer program could reproduce itself ('Darwin among the Machines', George Dyson).
- Victor Vyssotsky, Robert Morris Sr. and Doug McIlroy implemented 'Darwin' (Core Wars) in the 1960s at Bell Labs: self-reproducing computer programs battle with each other to occupy the maximum memory space (called 'core' back then).
- Shoch and Hupp implemented the first 'computer worm' in 1982 at Xerox PARC and investigated use of the worm for distributed computing.
- Fred Cohen wrote the first 'computer virus' and did a formal study in 1983 at USC for his PhD thesis. The term 'computer virus' was coined by his PhD advisor, Len Adleman.

History of Malicious Code (contd)
- Robert Morris Jr. (now a professor at MIT) wrote the 'Internet worm' in 1988 at Cornell University. It exploited multiple vulnerabilities to spread from machine to machine, generated huge traffic and completely clogged the Internet.
- On the positive side: it exposed the vulnerability of a network designed to be resilient against such attacks (including a nuclear strike).
- But the 'Morris Worm' opened the virus and worm flood gate for more deadly viruses and worms: Melissa, CIH Chernobyl, Worm.ExploreZip, BubbleBoy, The Love Bug...

Components of Viruses and Worms
Basic components of viruses and worms:
- Infection mechanism: the method of 'infecting' a computer system.
- Payload: the code responsible for carrying out specific tasks.
Viruses and worms differ primarily in the infection mechanism. Viruses require human intervention for infecting computer systems; also, viruses cannot exist stand-alone, instead they piggyback on other programs. Worms propagate on their own and can exist independently.
Payloads are of different types: null payload, altering data on the infected system, usurping system resources, clogging the network, stealing data, and creating backdoors which allow the attacker to take over the system at a later date (used primarily for distributed denial-of-service attacks, and one of the most damaging payloads).

Steps in Normal Program Execution
[Figure: main memory (volatile), hard disk (non-volatile) and ROM (non-volatile), each starting at address 0x0, holding the BIOS code, the OS and Program A; steps 1-4 below]
1. Main memory is empty at the beginning.
2. The BIOS locates and copies the OS from disk to memory.
3. The OS locates and copies the program to be executed (Program A) into memory.
4. Program A starts executing.
FAT: the File Allocation Table stores the location of all files on the system. It is maintained by the OS.
Executing programs use the OS to perform standard functions like reading and writing files.

Virus Infection Mechanism
[Figure: hard disk and main memory holding the OS, Program A (infected), Program B and the virus; steps 1-5 below]
1. The infected program (Program A + virus) enters memory, e.g. from an infected floppy disk or an email attachment.
2. The virus searches for a suitable program to infect (Program B).
3. The virus copies the target program into main memory.
4. The virus copies itself into the target program in memory.
5. The virus copies the infected target back onto the disk.
When Program B is executed, it infects a new file. The virus makes use of OS constructs to search for target files, to copy files, etc.

Virus Infecting a File
[Figure: Program A before and after infection. In the infected file the 1st instruction is replaced by a jump to the viral code, and the viral code ends with a jump back to Program A's original 1st instruction, after which the 2nd instruction and the rest of Program A run to its end.]
In the execution of the infected program, the virus is executed before Program A, and the correct sequence of instruction execution in Program A is maintained.

Virus Classification
- Boot sector virus: the virus affects the OS boot sector.
- File virus
  - Executable file virus: the virus attaches itself to executables. Sub-types: overwriting virus, prepending virus, appending virus.
  - Document file virus: the virus is coded into macros (1) embedded in documents. Very popular since it is easy to write: no knowledge of the target machine is required, unlike in the case of executable file viruses.
(1) Macros are commands embedded in documents for enhancing the application or automating some tasks. They are written in Visual Basic.

Executable File Viruses
[Figure: Program + Virus = infected program, shown for the three cases: overwriting (the virus replaces program bytes), prepending (the virus sits before the program) and appending (the virus sits after the program)]

Slide 15: Very much possible... it could have been an overwriting virus, or maybe the virus payload was designed to delete files!!
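The three infection shapes above (overwriting, prepending, appending) leave different footprints when a file is compared against a trusted baseline copy. The following added example, which is not part of the lecture, is a defender-side integrity check that names the shape best explaining a change. It assumes a baseline hash recorded at install time, and it models the patched first instruction from the "Virus Infecting a File" figure by allowing a small header region to differ; PROGRAM_A and the three infected variants are constructed byte strings, not real machine code.

```python
import hashlib

# Constructed sample: a stand-in for the on-disk bytes of "Program A" from the
# lecture figures. The 4-byte "header" plays the role of the first instruction
# that an appending virus replaces with a jump; nothing here is real machine code.
HEADER_LEN = 4
PROGRAM_A = b"HDR0" + b"program-A-body-" * 4


def fingerprint(data: bytes) -> str:
    """SHA-256 of a file, recorded at install time as the integrity baseline."""
    return hashlib.sha256(data).hexdigest()


def classify_change(baseline: bytes, current: bytes, header_len: int = HEADER_LEN) -> str:
    """Compare a file against its baseline and name the infection shape that
    best explains the difference, following the lecture's three cases."""
    if fingerprint(current) == fingerprint(baseline):
        return "unchanged"
    body = baseline[header_len:]          # original bytes after the patchable header
    pos = current.find(body)
    if pos == -1:
        # The original body is gone. Same size -> it was written over in place.
        return "overwriting" if len(current) == len(baseline) else "unknown"
    if pos == header_len:
        # Body still at its original offset: only growth at the tail (plus a
        # possibly patched header) is left to explain.
        return "appending" if len(current) > len(baseline) else "header-only"
    if pos > header_len:
        # Body pushed forward: something was inserted in front of it.
        return "prepending"
    return "unknown"


def demo() -> dict:
    """Run the classifier over three constructed infected variants of PROGRAM_A."""
    over = b"V" * len(PROGRAM_A)                               # virus written over the file
    pre = b"VIRUS-STUB" + PROGRAM_A                            # virus placed in front
    app = b"JMP!" + PROGRAM_A[HEADER_LEN:] + b"VIRUS-STUB"     # header patched, virus at tail
    variants = [("clean", PROGRAM_A), ("over", over), ("pre", pre), ("app", app)]
    return {name: classify_change(PROGRAM_A, data) for name, data in variants}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:5s} -> {verdict}")
```

The hash comparison is the cheap fast path a file-integrity monitor runs on every file; the byte search only runs once a change has been detected, and a real tool would keep the baseline hashes in a store the malware cannot write to.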
Worms
Worms are autonomous and more proactive in spreading compared to viruses. Worms have a modular structure to aid propagation:
- Target discovery: finding suitable hosts to infect [random scanning, pre-determined lists of hosts].
- Entry mechanism: using vulnerabilities to gain entry into the target [buffer overflows, email attachments, protocol weaknesses].
- Propagation mechanism: after gaining entry, the worm needs to copy its entire contents into the target.
- Activation mechanism: the worm is activated for executing its payload and further propagation [self-activated, triggered on an external event].
- Payload: code designed to implement some specific action [null payload, planting a backdoor, data collection, destructive intent].

Malicious Mobile Code
- Mobile code is employed by website designers to create dynamic content, like scrolling news tickers, embedded multimedia, etc. It is implemented using JavaScript, ActiveX controls, Java applets and VB scripts.
- Browsing a webpage embedded with malicious mobile code causes the code to be downloaded and executed on the local machine. Malicious mobile code is spread via web browsers.
- Malicious mobile code can carry out a wide array of nasty activities, like illegal monitoring of your browsing behavior (spyware), installing Trojan horses, stealing information, browser hijacking, resource exhaustion, etc.
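The target-discovery step of the worm structure above has a visible network footprint: a random-scanning worm contacts many distinct hosts on one port in a short time, and most of those attempts fail. The following added example, not part of the lecture, is a small detector that runs that rule over connection-attempt log lines. The log format, the IP addresses and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed connection-attempt log format (not from any real product):
#   <ISO timestamp> src=<ip> dst=<ip> dport=<port> result=<accepted|refused>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) result=(?P<result>\w+)$"
)


def parse_events(lines):
    """Yield parsed events, silently skipping lines that do not match the format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield {
                "ts": datetime.fromisoformat(m["ts"]),
                "src": m["src"],
                "dst": m["dst"],
                "dport": int(m["dport"]),
                "result": m["result"],
            }


def find_scanners(lines, window_s=60, min_distinct=20, min_fail_ratio=0.5):
    """Flag sources that, within one fixed time window, touch many distinct hosts
    on the same port with mostly failed connections: the footprint of
    random-scanning target discovery."""
    buckets = defaultdict(lambda: {"dsts": set(), "total": 0, "failed": 0})
    for ev in parse_events(lines):
        key = (ev["src"], ev["dport"], int(ev["ts"].timestamp()) // window_s)
        b = buckets[key]
        b["dsts"].add(ev["dst"])
        b["total"] += 1
        b["failed"] += ev["result"] != "accepted"
    flagged = {}
    for (src, dport, _), b in buckets.items():
        distinct = len(b["dsts"])
        fail_ratio = b["failed"] / b["total"]
        if distinct >= min_distinct and fail_ratio >= min_fail_ratio:
            flagged[src] = {
                "dport": dport,
                "distinct_hosts": distinct,
                "fail_ratio": round(fail_ratio, 2),
            }
    return flagged


# Constructed sample: one host sweeping a /24 on port 445, one host doing
# normal work, and one malformed line the parser must skip.
SAMPLE_LOG = [
    f"2005-03-22T10:00:{i:02d} src=10.0.0.5 dst=10.0.1.{i} dport=445 result=refused"
    for i in range(1, 31)
] + [
    "2005-03-22T10:00:05 src=10.0.0.9 dst=10.0.2.10 dport=445 result=accepted",
    "2005-03-22T10:00:07 src=10.0.0.9 dst=10.0.2.11 dport=445 result=accepted",
    "garbage line that the parser must skip",
]

if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(src, info)
```

Fixed windows keep the code short; a production detector would use a sliding window and tune min_distinct per network segment, since a legitimate vulnerability scanner or a monitoring host produces the same pattern and belongs on an allow list.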
Malicious Mobile Code (contd)
- ActiveX controls have the greatest potential to do harm among all forms of malicious mobile code. ActiveX controls can do everything a regular program can do: access files, connect to the network, invoke other programs, etc.
- ActiveX controls are widely employed to install spyware and backdoors on local machines. It is highly advisable to restrict ActiveX controls in web browsers.
- Two highly recommended free anti-spyware tools: Ad-aware and Spybot - Search & Destroy. It might be a good idea to install them and use them regularly.

Trojan Horses
Two common ways in which Trojan horses are spread are deceiving users into installing them, and blending Trojan horses with normal programs.
- Users are duped into installing Trojan horses by making them believe that they are genuine/useful programs:
  - giving the Trojan horse the same name as a popular program;
  - tricking Windows users by using spaces to obscure the file type;
  - attacking software distribution sites and replacing genuine software with Trojan horse-included versions.
- Wrapper tools are used to tightly integrate Trojan horse code with some harmless piece of software. When users run the resulting software, the Trojan is executed first.

Slide 20: What alternatives do we have?

Malware Prevention
- Static techniques like aggressive application-level scanning remove many infections before they reach the computer system. Malware code has distinct signatures which can be used to identify and remove it.
- Dynamic techniques like emulation nicely complement the static techniques. Malware code is first simulated in a tightly isolated environment before it is allowed to run on the computer system; any anomalous behavior during emulation results in the code being red-flagged.
- Malware prevention and detection is a constant effort: malware writers continue to come up with cleverer schemes.
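The static scanning described under Malware Prevention and the filename tricks listed under Trojan Horses meet at the mail gateway: an attachment can be screened both for known content signatures and for a name that uses padding spaces or a double extension to hide an executable type. The following added example, not part of the lecture, is such a screening routine. The EICAR string is the harmless industry-standard anti-virus test pattern; the second signature, the extension lists and the sample filenames are constructed for the example.

```python
import re

# Content signatures for the static scan. The first is the EICAR anti-virus test
# string, a harmless industry-standard pattern; the second is a constructed
# placeholder standing in for a real malware signature.
SIGNATURES = {
    "EICAR-Test-File": rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    "Example.Trojan.Placeholder": b"PLACEHOLDER-SIGNATURE-BYTES",
}

# Extensions Windows will execute on double-click, and extensions a user reads
# as "just a document" (both lists are illustrative, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
DOCUMENT_EXTS = {"txt", "doc", "pdf", "jpg", "gif", "htm", "html"}


def suspicious_name(filename: str):
    """Return a reason string if the attachment name tries to disguise an
    executable as a document, else None."""
    parts = filename.lower().rsplit(".", 2)
    final_ext = parts[-1].strip()
    if final_ext not in EXECUTABLE_EXTS:
        return None
    # "report.txt          .exe": the run of spaces pushes the real extension
    # out of view in a narrow file-name column.
    if re.search(r" {3,}\.\w+$", filename):
        return "whitespace padding hides the real extension"
    # "invoice.pdf.exe": the visible middle extension is a document type.
    if len(parts) == 3 and parts[1].strip() in DOCUMENT_EXTS:
        return "document-looking name with an executable double extension"
    return None


def scan_content(data: bytes):
    """Static signature scan: return the names of every signature found."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def scan_attachment(filename: str, data: bytes):
    """Screen an attachment before it reaches the user. Returns a list of
    findings; an empty list means nothing the static checks can see."""
    findings = [f"signature match: {name}" for name in scan_content(data)]
    reason = suspicious_name(filename)
    if reason:
        findings.append(f"deceptive filename: {reason}")
    return findings


if __name__ == "__main__":
    sample = SIGNATURES["EICAR-Test-File"]
    print(scan_attachment("report.txt      .exe", sample))
    print(scan_attachment("notes.txt", b"just a note"))
```

An empty finding list is not a clean bill of health, which is exactly the point the slide makes about dynamic techniques: a sample whose signature is not yet in SIGNATURES and whose name looks ordinary passes this stage and is only caught by emulation or behavioral monitoring.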
