Malicious Software: Computer Security, Peter Reiher, November 25, 2014 (PowerPoint PPT presentation)


  1. Malicious Software
  Computer Security
  Peter Reiher
  November 25, 2014
  Lecture 12 Page 1 CS 136, Fall 2014

  2. Outline
  • Introduction
  • Viruses
  • Trojan horses
  • Trap doors
  • Logic bombs
  • Worms
  • Botnets
  • Spyware
  • Malware components

  3. Introduction
  • Clever programmers can get software to do their dirty work for them
  • Programs have several advantages for these purposes
    – Speed
    – Mutability
    – Anonymity

  4. Where Does Malicious Code Come From?
  • Most commonly, it's willingly (but unwittingly) imported into the system
    – Electronic mail
    – Downloaded executables
      • Often automatically from web pages
    – Sometimes shrink-wrapped software
  • Sometimes it breaks in
  • Sometimes an insider intentionally introduces it

  5. Magnitude of the Problem
  • Considering viruses only, by 1994 there were over 1,000,000 annual infections
    – One survey shows a 10-fold increase in viruses since 1996
  • In November 2003, 1 email in 93 scanned by a particular survey contained a virus
  • The 2008 CSI report shows 50% of survey respondents had virus incidents
    – Plus 20% with bot incidents
  • A 2009 Trend Micro study shows 50% of infected machines were still infected 300 days later

  6. Viruses
  • "Self-replicating programs containing code that explicitly copies itself and that can 'infect' other programs by modifying them or their environment"
  • Typically attached to some other program
    – When that program runs, the virus becomes active and infects others
  • Not all malicious code is a virus

  7. How Do Viruses Work?
  • When a program is run, it typically has the full privileges of its running user
    – Including write privileges for some other programs
  • A virus can use those privileges to replace those programs with infected versions

  8. Before the Infected Program Runs
  (diagram: an infected program, with the virus code inside it, next to an uninfected program)

  9. The Infected Program Runs
  (diagram: the infected program is executing; the virus code inside it is now active, the other program is still uninfected)

  10. Infecting the Other Program
  (diagram: the virus code has been copied into the second program, so both programs are now infected)

  11. Macro and Attachment Viruses
  • Modern data files often contain executables
    – Macros
    – Email attachments
  • Many formats allow embedded commands to download arbitrary executables
  • Popular form of viruses
    – Requires less sophistication to get right

  12. Virus Toolkits
  • Helpful hackers have written toolkits that make it easy to create viruses
  • A typical smart high school student can easily create a virus given a toolkit
  • Generally easy to detect viruses generated by toolkits
    – But toolkits are getting smarter

  13. How To Find Viruses
  • Basic precautions
  • Looking for changes in file sizes
  • Scan for signatures of viruses
  • Multi-level generic detection

  14. Precautions to Avoid Viruses
  • Don't import untrusted programs
    – But who can you trust?
  • Viruses have been found in commercial shrink-wrap software
  • The hackers who released Back Orifice were embarrassed to find a virus on their CD release
  • Trusting someone means not just trusting their honesty, but also their caution

  15. Other Precautionary Measures
  • Scan incoming programs for viruses
    – Some viruses are designed to hide
  • Limit the targets viruses can reach
  • Monitor updates to executables carefully
    – Requires a broad definition of "executable" (scripts, macros, document templates: anything that gets interpreted, not just binaries)

  16. Containment
  • Run suspect programs in an encapsulated environment
    – Limiting their forms of access to prevent virus spread
  • Requires a versatile security model and strong protection guarantees
    – No use running in a tightly confined mode if the user allows it to get out

  17. Viruses and File Sizes
  • Typically, a virus tries to hide
    – So it doesn't disable the infected program
    – Instead, extra code is added
  • But if it's added naively, the size of the file grows
  • Virus detectors look for this growth
    – Won't work for files whose sizes typically change
  • Clever viruses find ways around it
    – E.g., cavity viruses that fit themselves into "holes" in programs

  18. Signature Scanning
  • If a virus lives in code, it must leave some traces
  • In unsophisticated viruses, these traces are characteristic code patterns
  • Find the virus by looking for the signature

  19. How To Scan For Signatures
  • Create a database of known virus signatures
  • Read every file in the system and look for matches in its contents
  • Also check every newly imported file
  • Also scan boot sectors and other interesting places
  • Can use the same approach for other kinds of malware

  20. Weaknesses of Scanning for Signatures
  • What if the virus changes its signature?
  • What if the virus takes active measures to prevent you from finding the signature?
  • You can only scan for known virus signatures

  21. Polymorphic Viruses
  • A polymorphic virus produces varying but operational copies of itself
    – Essentially avoiding having a signature
  • Sometimes only a few possibilities
    – E.g., the Whale virus has 32 forms
  • But sometimes a lot
    – The Storm worm had more than 54,000 forms
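As an added example (not from the slides, and not any real product's engine), here is a toy signature scanner in Python of the kind slides 18 to 20 describe, run over a few constructed files, followed by a simulated polymorphic copy of the infected file, in the sense of slide 21, that the same scanner misses. The signature byte patterns, the file names and the file contents are all made up for the demonstration.

```python
"""Signature scanning, and why polymorphism defeats it.

Added example, not taken from the lecture. Every signature, file name
and file body below is constructed for the demonstration; none is a
real malware signature or real malware.
"""

# Constructed "signature database": detection name -> byte pattern.
# A real scanner holds many thousands of such entries.
SIGNATURES: dict[str, bytes] = {
    "Demo.Dropper.A": b"\xeb\x1f\x5e\x89\x76\x08\x31\xc0",  # made-up code pattern
    "Demo.Macro.B": b'Shell("cmd /c ',                       # made-up macro pattern
}


def scan_bytes(data: bytes, signatures: dict[str, bytes] = SIGNATURES) -> list[str]:
    """Return the names of every signature whose pattern occurs in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def scan_files(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Scan a path -> contents mapping (stand-in for walking a disk); report hits only."""
    hits: dict[str, list[str]] = {}
    for path, data in files.items():
        found = scan_bytes(data)
        if found:
            hits[path] = found
    return hits


def xor_encode(body: bytes, key: int) -> bytes:
    """Simplest possible 'encryption', used only to simulate polymorphism."""
    return bytes(b ^ key for b in body)


def polymorphic_copy(body: bytes, key: int) -> bytes:
    """Simulate one polymorphic generation: a stub that records the key,
    followed by the XOR-encoded body. Each key yields a different byte
    sequence for the same behaviour, so a pattern taken from the plain
    body never matches. (The constant stub would itself become a
    signature; real polymorphic engines mutate the decryptor as well.)"""
    stub = b"DECRYPT-STUB:key=" + bytes([key])
    return stub + xor_encode(body, key)


# Constructed infected file: fake header, slack, the signature bytes, slack.
INFECTED_BODY = b"MZ\x90\x00" + b"\x00" * 8 + SIGNATURES["Demo.Dropper.A"] + b"\x00" * 8


def build_sample_files() -> dict[str, bytes]:
    """Constructed sample disk: a clean binary, an infected binary, a
    document carrying a made-up hostile macro, and a polymorphic variant."""
    return {
        "notepad.exe": b"MZ\x90\x00" + b"\x00" * 24,
        "game.exe": INFECTED_BODY,
        "report.doc": b'\xd0\xcf\x11\xe0Sub AutoOpen()\nShell("cmd /c echo hi")\nEnd Sub',
        "game-variant.exe": polymorphic_copy(INFECTED_BODY, 0x5A),
    }


if __name__ == "__main__":
    for path, names in scan_files(build_sample_files()).items():
        print(f"{path}: {', '.join(names)}")
    # game-variant.exe carries the same payload but is never reported.
```

Running it reports game.exe and report.doc and stays silent on game-variant.exe, even though decoding the variant with its key gives back the identical infected body. That gap is what slide 20 asks about, and it is why the slides list generic and checksum-based detection alongside signature scanning rather than relying on patterns alone.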

  22. Polymorphism By Hand
  • Malware writers have become professional and security-aware
  • They know when their malware has been identified
    – And they know the signature used
    – Smart ones subscribe to all major anti-virus programs
  • They change the malware to remove that signature and re-release it

  23. Stealth Viruses
  • A virus that actively tries to hide all signs of its presence
  • Typically a resident virus
  • For example, it traps calls to read infected files
    – And disinfects them before returning the bytes
    – E.g., the Brain virus

  24. Combating Stealth Viruses
  • Stealth viruses can hide what's in the files
  • But may be unable to hide that they're in memory
  • A careful reboot from a clean source won't allow a stealth virus to get a foothold
  • Concerns that malware can hide in other places, like peripheral memory

  25. Other Detection Methods
  • Checksum comparison
  • Intelligent checksum analysis
    – For files that might legitimately change
  • Intrusion detection methods
    – E.g., look for attack invariants instead of signatures
  • Identify and handle "clusters" of similar malware
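Added example (not the lecture's own code) of the file-size and checksum checks that slides 17 and 25 describe: a Python baseline that records size and SHA-256 for every file, then classifies changes so the naive size test and the hash test can be compared on the same data. The sample "programs", the appended and cavity-style modifications, and the log file are all constructed in a temporary directory; the byte strings are placeholders, not executable code, and nothing is run.

```python
"""File-integrity baseline: what a size check catches and what it misses.

Added example, not part of the lecture slides. The "programs" are
constructed byte strings written to a temporary directory; infection is
simulated by editing those bytes in place. Nothing is executed.
"""
import hashlib
import tempfile
from pathlib import Path

Baseline = dict[str, tuple[int, str]]  # relative path -> (size, sha256 hex)


def take_baseline(root: Path) -> Baseline:
    """Record size and SHA-256 of every regular file under root."""
    baseline: Baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            rel = path.relative_to(root).as_posix()
            baseline[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return baseline


def compare(before: Baseline, after: Baseline, volatile=frozenset()) -> dict[str, list[str]]:
    """Classify every difference between two baselines.

    grown              size increased: the naive file-size check fires
    shrunk             size decreased
    same_size_changed  size identical, hash differs: invisible to a size check
    volatile_changed   declared as legitimately changing (logs etc.), reported, not alarmed
    new / missing      appeared or disappeared since the baseline
    """
    report: dict[str, list[str]] = {
        "grown": [], "shrunk": [], "same_size_changed": [],
        "volatile_changed": [], "new": [], "missing": [],
    }
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            report["new"].append(rel)
        elif rel not in after:
            report["missing"].append(rel)
        else:
            size0, hash0 = before[rel]
            size1, hash1 = after[rel]
            if hash0 == hash1:
                continue  # bytes identical, nothing to report
            if rel in volatile:
                report["volatile_changed"].append(rel)
            elif size1 > size0:
                report["grown"].append(rel)
            elif size1 < size0:
                report["shrunk"].append(rel)
            else:
                report["same_size_changed"].append(rel)
    return report


PADDING = b"\x00" * 64  # the kind of slack a cavity infector hides in


def build_sample_tree(root: Path) -> None:
    """Constructed sample files: two fake programs with NUL slack and a log."""
    (root / "bin").mkdir()
    (root / "bin" / "editor").write_bytes(b"\x7fELF-demo-editor" + PADDING)
    (root / "bin" / "viewer").write_bytes(b"\x7fELF-demo-viewer" + PADDING)
    (root / "app.log").write_bytes(b"started\n")


def simulate_changes(root: Path) -> None:
    """Fake an appending infector on editor, a cavity infector on viewer,
    and ordinary growth of the log file."""
    editor = root / "bin" / "editor"
    editor.write_bytes(editor.read_bytes() + b"PLACEHOLDER-APPENDED-BODY")
    viewer = root / "bin" / "viewer"
    data = viewer.read_bytes()
    payload = b"PLACEHOLDER-IN-CAVITY"
    idx = data.index(PADDING)
    viewer.write_bytes(data[:idx] + payload + data[idx + len(payload):])  # length unchanged
    with (root / "app.log").open("ab") as log:
        log.write(b"request handled\n")


def demo() -> dict[str, list[str]]:
    """Baseline, simulate the changes, re-baseline, and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        before = take_baseline(root)
        simulate_changes(root)
        after = take_baseline(root)
        return compare(before, after, volatile=frozenset({"app.log"}))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The appended infection shows up under grown, the cavity-style one only under same_size_changed, and the log is reported but not treated as an alarm because it was declared volatile. Two caveats a practitioner would add: the baseline must be stored where the malware cannot rewrite it (another host or read-only media), and a resident stealth virus that disinfects files on read, as on slide 23, will hand the hasher clean bytes, which is why this check belongs in a boot from clean media.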

  26. Preventing Virus Infections
  • Run a virus detection program
    – Almost all serious organizations do this
    – And many still get clobbered
  • Keep its signature database up to date
    – Modern virus scanners do this by default
  • Disable program features that run executables without the user asking
    – QuickTime had this problem a few years ago
  • Make sure users are careful about what they run
  • Also make sure users are careful about what they attach to computers

  27. How To Deal With Virus Infections
  • Reboot from a clean, write-protected medium
    – Vital that the medium really is clean
    – Necessary, but not sufficient
  • If backups are available and clean, replace infected files with clean backup copies
    – Another good reason to keep backups
  • Proof-of-concept code showed infection of firmware in peripherals . . .

  28. Disinfecting Programs
  • Some virus utilities try to disinfect infected programs
    – Allowing you to avoid going to backup
  • Potentially hazardous, since they may get it wrong
    – Some viruses destroy information needed to restore programs properly

  29. Trojan Horses
  • Seemingly useful program that contains code that does harmful things
  • When you run it, the Greeks creep out and slaughter your system

  30. Basic Trojan Horses
  • A program you pick up somewhere that is supposed to do something useful
  • And perhaps it does
    – But it also does something less benign
  • Games are a common host program
  • Downloaded applets are also popular
  • Frequently found in email attachments
  • Bogus security products are also popular
  • Flash drives are a hardware vector

  31. Recent Trends in Trojan Horses
  • Qakbot Trojan steals online banking credentials
  • Android/iOS Trojan targeting Hong Kong protestors
  • Trojan targeting customers of Islamic banks
    – Using man-in-the-middle techniques to overcome two-factor authentication
    – Other similar Trojans floating around, including a toolkit for them
  • Citadel Trojan stole sensitive info from petrochemical companies
