Malice on the Internet: A Peek into Today's Security Attacks, Arvind Krishnamurthy - PowerPoint PPT Presentation



  1. Malice on the Internet: A Peek into Today's Security Attacks
  Arvind Krishnamurthy
  Thursday, November 4, 2010

  2. Bit of History: Morris Worm
  • Worm was released in 1988 by Robert Morris
  • Graduate student at Cornell, son of NSA scientist
  • Worm was intended to propagate slowly and harmlessly, measuring the size of the Internet
  • Due to a coding error, it created new copies as fast as it could and overloaded infected machines
  • $10-100M worth of damage
  • Convicted under Computer Fraud and Abuse Act, sentenced to 3 years of probation
  • Now an EECS professor at MIT

  3. Morris Worm and Buffer Overflow
  • One of the worm's propagation techniques was a buffer overflow attack against a vulnerable version of fingerd on VAX systems
  • By sending a special string to the finger daemon, worm caused it to execute code creating a new worm copy
  • Unable to determine remote OS version, worm also attacked fingerd on Suns running BSD, causing them to crash (instead of spawning a new copy)

  4. Buffer Overflow Attacks Over Time
  • Used to be a very common cause of Internet attacks
    • 50% of advisories from CERT in 1998
  • Morris worm (1988): overflow in fingerd
    • 6,000 machines infected
  • CodeRed (2001): overflow in MS-IIS server
    • 300,000 machines infected in 14 hours
  • SQL Slammer (2003): overflow in MS-SQL server
    • 75,000 machines infected in 10 minutes
  • Question: how effective are buffer overflow attacks today?

  5. Today's Security Landscape
  • How are today's attacks executed?
  • How can we defend against them?
  • What are the economic incentives?

  6. Economic Incentives
  • Phishing
  • Steal personal information
  • Click Fraud
  • DDoS (distributed denial of service)
  • Compromise machines to perform all of the above

  7. Example 1
  • Phishing campaign to steal critical information

  8. Example 2
  • Compromising website that downloads malware

  9. Typical Timeline
  • Search for vulnerable webservers
  • Compromise webserver
  • Host phishing/malware page
  • Propagate link to potential victims
  • Compromised machine joins a Botnet

  10. Devising Defenses
  • Comprehensive defense is necessary
  • Measure and understand
  • Learn from attacker's actions
  • Infiltration is an effective technique

  11. Typical Timeline
  • Search for vulnerable webservers
  • Compromise webserver
  • Host phishing/malware page
  • Propagate link to potential victims
  • Compromised machine joins a Botnet

  12. Typical Timeline
  • Step 1: Compromise a popular webserver
  • Target popular webservers because they are likely to attract more web traffic
  • How does the attacker find a server to compromise?

  13. The dark side of Search Engines
  • Poorly configured servers may expose sensitive information
  • Attackers can craft malicious queries: "index of /etc"
  • Find misconfigured or vulnerable servers

  14. Finding vulnerable servers
  [screenshot: search-engine query and its results]


  16. Finding vulnerable servers
  [screenshot: search for "Powered by DataLife Engine" and its results]


  18. Defense: "Search Engine Audits"
  • Identify malicious queries issued by an attacker
    • can filter results for such queries
  • Study and gain insights
    • follow attackers' trail and understand objectives
    • detect attacks earlier

  19. Our dataset
  • Bing search logs for 3 months
  • 1.2 TB of data
  • Billions of queries

  20. SearchAudit: the approach
  • Two stages: Identification & Investigation
  • Identification
    1. Start with a few known malicious queries (seed set)
    2. Expand the seed set
    3. Generalize
  • Investigation
    • Analyze identified queries to learn more about attacks

  21. The seed set
  [diagram: seed queries]

  22. The seed set
  • Hackers post such malicious queries in underground forums
  [diagram: seed queries]


  24. The seed set
  • Hackers post such malicious queries in underground forums
  • We crawl these forums to find such posts
  • We used 500 seed queries posted between May '06 - August '09
  [diagram: seed queries]

  25. Seed set expansion
  [diagram: seed queries → search log → seed query IPs → expanded query set]

  26. Seed set expansion
  • Seed set is small and incomplete
  • To expand the small seed set:
    1. Find exact query match from search logs
    2. Find IPs which performed these malicious queries
    3. Mark other queries from these IPs as suspect
  [diagram: seed queries → search log → seed query IPs → expanded query set]

  27. Generalize the queries
  • Exact queries are too specific at times
    • Problem if queries are modified slightly
  • Solution: Regular Expressions
    • captures the structure of the query
    • match similar queries in the future
  [diagram: expanded query set + attackers' results → regular expression engine → regular expressions]


  29. A quantitative example
                   Seed queries
  Unique queries   122
  IPs              174

  30. A quantitative example
                   Seed queries   Expanded set
  Unique queries   122            800
  IPs              174            264

  31. A quantitative example
                   Seed queries   Expanded set   RegEx match
  Unique queries   122            800            3560
  IPs              174            264            1001

  32. Looping back
  • We now have a larger set of malicious queries
  • These can be fed back to SearchAudit as a new set of seeds
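The identification pipeline of slides 20 and 25 to 32 (seed set, expansion through the IPs that issued the seeds, regex generalization, and feeding the result back as new seeds), as an added Python example; this is not code from the talk or from the SearchAudit system, and the log records, the IP addresses and the two-token generalization rule are constructed assumptions.

```python
import re

# Constructed (client_ip, query) search-log records standing in for the Bing
# logs on the slides; illustrative only, not real data.
SEARCH_LOG = [
    ("10.0.0.1", 'intitle:"index of /etc"'),        # seed query
    ("10.0.0.1", 'intitle:"index of /backup"'),     # same IP: caught by expansion
    ("10.0.0.2", "best pizza in seattle"),          # benign
    ("10.0.0.3", '"Powered by DataLife Engine"'),   # seed query
    ("10.0.0.3", '"Powered by osCommerce 2.2"'),    # same IP: caught by expansion
    ("10.0.0.4", '"Powered by WordPress 2.8"'),     # caught only by the regex stage
    ("10.0.0.4", '"DataLife Engine" admin login'),  # caught only after loop-back
    ("10.0.0.5", 'intitle:"index of /logs"'),       # caught only by the regex stage
    ("10.0.0.6", "weather tomorrow"),               # benign
]
SEED = {'intitle:"index of /etc"', '"Powered by DataLife Engine"'}


def expand_seed(log, seed):
    """Expansion: exact-match the seeds, take the IPs that issued them, and
    mark every other query from those IPs as suspect."""
    suspect_ips = {ip for ip, q in log if q in seed}
    return suspect_ips, {q for ip, q in log if ip in suspect_ips}


def generalize(queries, keep=2):
    """Generalize queries to regexes. The slides do not give the rule, so this
    assumes a simple one: keep the first `keep` tokens, wildcard the rest."""
    patterns = set()
    for q in queries:
        toks = q.split()
        head = " ".join(re.escape(t) for t in toks[:keep])
        patterns.add(head + (r" .+" if len(toks) > keep else ""))
    return [re.compile(p) for p in sorted(patterns)]


def regex_match(log, patterns):
    """Flag every logged query that fully matches a generalized pattern."""
    return {q for _, q in log if any(p.fullmatch(q) for p in patterns)}


def search_audit(log, seed, rounds=1):
    """Identification with loop-back: queries found in one round become the
    seed set of the next. Returns (suspect_ips, flagged_queries)."""
    flagged, ips = set(seed), set()
    for _ in range(rounds):
        ips, expanded = expand_seed(log, flagged)
        flagged = expanded | regex_match(log, generalize(expanded))
    return ips, flagged
```

On the constructed log, one round flags 6 of the 9 queries and a second loop-back round flags 7, the same growth pattern the counts on slide 34 show; the wildcard rule also illustrates the precision cost of generalization, since any query opening with the same two tokens is pulled in.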

  33. Architecture
  [diagram: seed queries → search log → seed query IPs → expanded query set + attackers' results → regular expression engine → regular expressions; regular expressions loop back as seed queries]

  34. A quantitative example
                   Seed queries   Expanded set   RegEx match   RegEx match + loopback
  Unique queries   122            800            3560          ~540k
  IPs              174            264            1001          ~40k
  Total pageviews: 9M+

  35. Typical Timeline
  • Search for vulnerable webservers
  • Compromise webserver
  • Host phishing/malware page
  • Propagate link to potential victims
  • Compromised machine joins a Botnet

  36. An Example
  • OSCommerce is web software for managing shopping carts
  • Compromise is simple: just upload a file!
  • If http://www.example.com/store is the site, upload a file by issuing a POST on: http://www.example.com/store/admin/file_manager.php/login.php?action=processuploads
  • POST argument provides the file to be uploaded
  • Uploaded file is typically a graphical command interpreter

  37. Command Module
  • Allows hacker to navigate through the file system, upload new files, perform brute force password cracking, open a network port, etc.

  38. Uploaded PHP Script
  [screenshot: the uploaded PHP script]

  39. Web Honeypots
  • First goal is to understand what techniques are being used to compromise
  • Set up web honeypots that appear attractive to attackers
  • Log all interactions with attackers

  40. Options
  • Install popular vulnerable software
  • Create front pages that appear to be running vulnerable software
  • Proxy requests to website running vulnerable software
  • Issues:
    • Manual overhead in installing specific packages
    • High interaction vs. low interaction honeypots

  41. Heat-Seeking Honeypots
  [diagram: heat-seeking honeypot; components: malicious query feed, World Wide Web search results, web pages, webapp / Apache / encapsulated VM pages, add to search engine index, attackers' queries and attack requests, attack log]

  42. Heat-Seeking Honeypots
  [diagram: heat-seeking honeypot; components: malicious query feed, World Wide Web search results, web pages, webapp / Apache / encapsulated VM pages, add to search engine index, attackers' queries and attack requests, attack log]
  • Step 1: obtain malicious queries from SearchAudit
