
Malware Week 3 CIS-5373: 27.January.2020 - PowerPoint PPT Presentation



  1. Malware Week 3 CIS-5373: 27.January.2020

  2. Announcement!
  - First homework is out!
  - Check out the class webpage
  - Due in two weeks from today, in class

  3. In this lecture
  - Viruses
    - How they attach
    - How they gain control
    - Where they are stored
    - Detection
    - …
  - Worms
  - Web Bugs
  - Trapdoors
  - …

  4. Qualities of a Virus
  - Hard to detect
  - Not easily destroyed or deactivated
  - Spreads widely
  - Can re-infect home program/other programs
  - Easy to create
  - Machine/OS independent

  5. How Viruses Invade
  1. Virus is on a CD. When executed, the virus can:
    - Install on the hard drive
    - Attach to any executing program in memory
  2. E-mail virus. The attacker convinces the victim to open an attachment:
    - Executable file
    - Graphics, photos …

  6. How Viruses Attach
  - Append to program
  - Surround program
  - Integrate into program
  - Overwrite program

  7. Appending Virus
  - Add to beginning of target
  - Virus becomes the first instruction of the new program
  - [Figure: virus + targeted executable → virus followed by the original program]
  - Virus writer doesn't need to know the target program

  8. Surrounding Virus
  - Add to beginning and end of target
  - Control before and after the target program
  - [Figure: targeted executable → Virus A, original program, Virus B]

  9. Surrounding Virus - Example
  - Prevent user from detecting virus
    - Virus attaches to ls/dir command
    - When ls/dir completes, virus takes control
    - Eliminates its own entry from the listing
    - Distributes its space among other programs to hide its size

  10. Integrated Virus
  - Replace some of target
  - [Figure: virus + targeted executable → infected host executable]
  - Virus writer needs to know the target program

  11. Integrated Virus (cont'd)
  - [Figure: virus parts 1, 2, …, n interleaved with the code of the targeted executable]

  12. Overwriting Virus
  - Replace entire target
    - Mimic the effect of the target, or
    - Not: user likely to perceive the virus
  - [Figure: virus + targeted executable → virus only]

  13. Where Are Viruses Stored
  - One-time execution
  - Boot sector
  - Memory resident


  15. Boot Sector
  - When the computer starts:
    - Firmware determines hardware components
    - Transfers control to the OS
    - OS is stored on disk
  - Bootstrap process:
    - Firmware reads the boot sector to a fixed address in memory
    - Jumps to that address
    - Boot sector contains the bootloader
    - Bootloader pulls the rest of the OS from disk

  16. Boot Sector
  - Boot sector has 512 bytes
  - Bootstrap loader size > 512 bytes
  - Use chaining
  - [Figure: hard disk: boot sector → bootstrap loader (block 2) → bootstrap loader (block 3)]

  17. Placing Virus in Boot Sector
  - The virus could be placed in any bootstrap sector
  - But … the boot sector is particularly appealing
    - Virus gains control right at the beginning
    - Protection tools are not yet active
  - [Figure: hard disk: boot sector → virus code → bootstrap loader (block 2) → bootstrap loader (block 3)]

  18. Example: The BRAIN Virus
  - Changes label of infected disks to BRAIN
  - From Pakistan (believed)
  - Sole purpose: to pass the infection
  - Traps disk read interrupts
    - Only interested in reads of the boot sector
  - Believed to be a proof-of-concept
  - Many other variants, more efficient …

  19. The BRAIN Virus Location
  - [Figure: hard-drive sectors before and after infection. Before: the boot sector holds the original boot code. After: the boot sector holds BRAIN; the original boot sector and the remaining BRAIN parts (1, 2, 3 and duplicates 1-dup, 2-dup, 3-dup) sit in other sectors, which are marked as faulty]

  20. The BRAIN Virus Infection
  - [Figure: memory layout showing the interrupt address table, the upper memory bound, and the code for interrupt #19 (disk read)]
  1. Locates itself in upper memory
  2. System call to reset the upper memory bound below it
  3. Traps interrupt #19 (disk read)
  4. Any disk read for the boot sector returns the content of the hijacked sector
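To make slides 15-17 and 20 concrete, an added Python example that is not part of the lecture: the first check hashes a freshly read 512-byte boot sector against a baseline recorded on a clean system and verifies its 0x55AA signature; the second models steps 2 and 3 of the BRAIN infection by flagging an interrupt vector whose handler lies above the memory bound the system now reports. The sectors, the baseline and the interrupt table are constructed sample data; "interrupt #19" on the slide is the BIOS disk-service interrupt 0x13 written in decimal.

```python
import hashlib

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid PC boot sector
BASE_MEMORY_KB = 640           # conventional memory; the BIOS keeps the size it owns at 0040:0013

def make_sector(payload: bytes) -> bytes:
    """Build a constructed 512-byte boot sector: payload, zero padding, 0x55AA."""
    return payload[:SECTOR_SIZE - 2].ljust(SECTOR_SIZE - 2, b"\x00") + BOOT_SIGNATURE

def check_boot_sector(sector: bytes, baseline_sha256: str) -> list:
    """Return findings for a freshly read boot sector; [] means it matches the baseline."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        findings.append(f"unexpected length {len(sector)}")
    if sector[-2:] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if hashlib.sha256(sector).hexdigest() != baseline_sha256:
        findings.append("boot sector differs from recorded baseline")
    return findings

def hooked_vectors(ivt: dict, reported_kb: int) -> dict:
    """Flag interrupt handlers that live above the top of memory the system reports.

    BRAIN lowers the reported bound (slide 20, step 2) and points a vector at itself
    (step 3), so its handler sits in memory the system claims not to have.
    ivt maps interrupt number -> (segment, offset) of the handler.
    """
    findings = {}
    top = reported_kb * 1024
    if reported_kb < BASE_MEMORY_KB:
        findings["memory"] = f"reported base memory {reported_kb} KB, expected {BASE_MEMORY_KB} KB"
    for vector, (segment, offset) in ivt.items():
        linear = segment * 16 + offset
        if top <= linear < BASE_MEMORY_KB * 1024:
            findings[vector] = f"int {vector} handler at {linear:#x} lies above reported top {top:#x}"
    return findings

# Constructed sample data, not taken from any real disk or machine.
CLEAN_SECTOR = make_sector(b"\xeb\x3c\x90 legitimate bootstrap loader stub")
BASELINE = hashlib.sha256(CLEAN_SECTOR).hexdigest()      # recorded on a known-clean system
INFECTED_SECTOR = make_sector(b"\xeb\x3c\x90 loader relocated to a sector marked faulty")
IVT_CLEAN = {19: (0xF000, 0xE3FE)}    # int 19 decimal = INT 13h, disk services, in BIOS ROM
IVT_HOOKED = {19: (0x9F00, 0x0010)}   # same vector redirected to 0x9F010, just under 640 KB

if __name__ == "__main__":
    print(check_boot_sector(INFECTED_SECTOR, BASELINE))
    print(hooked_vectors(IVT_HOOKED, 636))   # 636 KB reported: 4 KB hidden for the resident code
```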

  21. Virus Detection: Signatures
  - Virus cannot be completely invisible
    - Code must be stored somewhere
    - Code must be in memory to execute
  - Signature
    - Executes according to a pattern
    - Spreads using certain mechanisms
  - Example: Code Red
    GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
    %u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3
    %u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
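Turning that signature into a check, as an added example that is not part of the lecture: a Python scanner that matches the Code Red request pattern against web-server access-log lines. The regex, the log lines and the addresses are constructed here; the filler character and the %u words follow the request quoted on the slide (the slide's sample uses X as filler, the original July 2001 worm used N, so both are accepted).

```python
import re

# Signature for the Code Red probe quoted on slide 21: a GET for /default.ida whose query
# is a long run of one filler character followed by %u-encoded (Unicode-escaped) shellcode.
CODE_RED_RE = re.compile(
    r"^GET /default\.ida\?(?P<run>(?P<filler>[XN])(?P=filler){100,})"
    r"(?P<payload>(?:%u[0-9a-fA-F]{4}){4,}\S*)"
)
# NCSA common log format: ip ident user [time] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3})')

def match_code_red(request_line: str):
    """Return signature details if the request line matches Code Red, else None."""
    m = CODE_RED_RE.match(request_line)
    if not m:
        return None
    return {"filler": m.group("filler"), "filler_len": len(m.group("run")),
            "payload": m.group("payload")[:24]}   # first few %u words are enough to report

def scan_log(lines) -> list:
    """Apply the signature to access-log lines; one hit per matching request."""
    hits = []
    for n, line in enumerate(lines, 1):
        lm = LOG_RE.match(line)
        if not lm:
            continue                      # not a parseable log line
        sig = match_code_red(lm.group("request"))
        if sig:
            hits.append({"line": n, "ip": lm.group("ip"), "status": lm.group("status"), **sig})
    return hits

# Constructed sample traffic (documentation addresses, not real hosts); the %u words
# follow the request shown on the slide.
SHELLCODE = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
             "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jul/2001:10:01:02 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.7 - - [19/Jul/2001:10:01:05 -0400] "GET /default.ida?' + "X" * 224 + SHELLCODE + ' HTTP/1.0" 404 288',
    '198.51.100.3 - - [19/Jul/2001:10:02:11 -0400] "GET /default.ida?XXXX HTTP/1.0" 404 288',
    '203.0.113.9 - - [19/Jul/2001:10:03:40 -0400] "GET /default.ida?' + "N" * 224 + SHELLCODE + ' HTTP/1.0" 404 288',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The short `/default.ida?XXXX` line is deliberately not reported: the filler run has to be long enough to carry the overflow, which keeps ordinary requests for that path out of the alert queue.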

  22. In this lecture
  - Viruses
  - Worms
  - Web Bugs
  - Trapdoors
  - …

  23. What is a Worm
  - Reproducing programs that run independently and travel across network connections.
  - Unlike a simple virus, a worm can run completely independently and spread of its own will through network connections.

  24. Example: The Internet Worm
  - November 2nd 1988
    - Internet Worm released
    - Infected many computers
    - Many more severed their network connections
  - Robert T. Morris Jr.
    - $10,000 fine
    - 3 year suspended jail sentence
    - 400 hours community service
    - Now with MIT

  25. Intent of Internet Worm
  1. Determine where it could spread
  2. Spread to new target
  3. Remain undiscovered and undiscoverable

  26. Determine Targets
  - Exploited three known vulnerabilities
  1. Find user accounts to invade on the target system
    - Exploit password vulnerabilities
  2. fingerd: daemon which responds to queries about users
    - Known buffer overflow vulnerability
    - Gives the worm a remote shell
  3. sendmail trapdoor
    - In debug mode, sendmail can execute an input string

  27. Spread Infection
  - Send a bootstrap loader to the target machine
    - 99 lines of C code
    - Compile and execute on the target machine
    - Fetch the rest of the worm code from the sending system
  - Element of good security
    - Bootstrap loader required to provide a password to the sending system
    - If it fails, the sending system breaks the connection

  28. Remain Undiscovered
  1. If a transmission error occurs during worm fetch
    - Bootstrap loader removes code and exits
  2. Bring all worm code into memory
    - Encrypt copy in memory
    - Delete copy from disk
    - Thus, the worm cannot easily be discovered
  3. Periodic change of name and process id
    - Avoid a single process running a long time

  29. Effect of Internet Worm
  1. Resource exhaustion
    - If target was already infected, don't propagate
    - Bug in code: many copies did not terminate!
    - Thus, serious performance degradation
  2. Disconnection of machines from the Internet
    - To prevent copies from trying to propagate
    - … or to prevent infection
  3. Isolation and inability to perform work
    - Estimated cost $100,000 - $97 million
    - Thousands of systems were disconnected

  30. What do we cover
  - Viruses
  - Worms
  - Web Bugs
  - Trapdoors
  - Salami Attack
  - Rootkits
  - Privilege Escalation
  - Keystroke Logging
  - Covert Channels

  31. Web Bugs
  - Pixel tag, clear gif/one-by-one/invisible gif
  - Part of a web page
  - Invisible to the user
  - Track activities of the user
  - Plants a cookie on your computer

  32. Cookies
  - Set by web sites
    - To push storage from web sites to the user platform
  - Have 6 fields
    - (name, value, expiration, path to server, server domain, SSL-req?)
  - Used to remember values for subsequent usage
    - ("visa credit card", 1234 1234 1234 1234, …)
    - ("user id", carbunar, …)
    - ("password", ****, …)
  - Used to build a browsing profile
    - ("visits for www.abc.com", 10, …)

  33. Web Bugs (cont'd)
  - Plant a cookie on the user's computer to track web use
  - Can be used for good or bad purposes
  - How?
    - Can build a profile for the user containing
      - Surfing habits
      - Personal data: name, DOB, address, IP address, etc.
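An added Python example, not part of the lecture, of looking for the web bugs of slides 31 and 33 in a fetched page: it flags <img> elements that are 1x1 or hidden by style, and records whether they are served by a host other than the page's own and whether the URL carries a query string, which is where a per-user identifier usually rides. The page and the host names are constructed sample input.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class WebBugFinder(HTMLParser):
    """Collect <img> tags that look like tracking pixels: 1x1 or hidden images."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}           # boolean attributes arrive as None
        reasons = []
        if a.get("width", "").strip() in ("0", "1") and a.get("height", "").strip() in ("0", "1"):
            reasons.append("1x1 image")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if not reasons:
            return
        src = a.get("src", "")
        host = urlparse(src).hostname                  # None for a relative URL (same host)
        self.findings.append({
            "src": src,
            "third_party": host is not None and host != self.page_host,
            "has_query": "?" in src,     # a per-user identifier usually rides in the query string
            "reasons": reasons,
        })

def find_web_bugs(html: str, page_host: str) -> list:
    """Parse a page fetched from page_host and return its suspected web bugs."""
    finder = WebBugFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; example.com / example.net are reserved documentation names.
SAMPLE_HTML = """
<html><body>
<img src="https://www.example.com/logo.png" width="200" height="60" alt="logo">
<p>Welcome back.</p>
<img src="https://tracker.example.net/pixel.gif?uid=4711&amp;page=home" width="1" height="1">
<img src="/img/spacer.gif" style="display: none">
</body></html>
"""

if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_HTML, "www.example.com"):
        print(bug)
```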

  34. What do we cover
  - Viruses
  - Worms
  - Web Bugs
  - Trapdoors
  - Salami Attack
  - Rootkits
  - Privilege Escalation
  - Keystroke Logging
  - Covert Channels

  35. Trapdoors
  - Undocumented entry point to a software module
    - For testing purposes
    - For future updates
    - For access in case of future failures

  36. Trapdoor: Example
  - Hidden trap door in Linux, Nov 2003
  - Allows an attacker to take over a computer
  - Practically undetectable change
  - Uncovered by an anomaly in CVS usage
  - Inserted line in wait4():
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) retval = -EINVAL;
  - Looks like a standard error check
  - Anyone see the problem?
  - See: http://lwn.net/Articles/57135/
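Checking for exactly this pattern, as an added example that is not from the lecture or the lwn.net article: a small Python scanner that reports an assignment (a lone `=`) inside an `if`/`while` condition, which is what turns the slide's "error check" into a grant of uid 0. It is a regex approximation (it ignores string literals and conditions spanning several lines), and it also reports the legitimate `while ((c = getchar()) != EOF)` idiom, so its output is a review queue rather than a verdict; the C around the slide's line is a constructed skeleton, not the real kernel source.

```python
import re

# Matches `name = value` where the `=` is a lone assignment (not ==, !=, <=, >=),
# capturing an lvalue such as current->uid and the expression assigned to it.
ASSIGN_RE = re.compile(r"([A-Za-z_](?:[\w.\[\]]|->)*)\s*=(?!=)\s*([\w.\[\]>\-]+)")
COND_OPEN_RE = re.compile(r"\b(?:if|while)\s*\(")

def condition_text(line: str, open_paren: int):
    """Return the text between the parenthesis at line[open_paren] and its match."""
    depth = 0
    for i in range(open_paren, len(line)):
        if line[i] == "(":
            depth += 1
        elif line[i] == ")":
            depth -= 1
            if depth == 0:
                return line[open_paren + 1:i]
    return None                      # condition continues on another line; skipped here

def find_assignments_in_conditions(source: str) -> list:
    """Flag assignments used inside if/while conditions, one finding per assignment."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in COND_OPEN_RE.finditer(line):
            cond = condition_text(line, m.end() - 1)
            if cond is None:
                continue
            for a in ASSIGN_RE.finditer(cond):
                lhs, rhs = a.group(1), a.group(2)
                # assigning a literal (here: uid = 0) is the shape of the backdoor,
                # while assigning a call result is the usual "read then test" idiom
                findings.append({"line": lineno, "lhs": lhs, "rhs": rhs,
                                 "constant": rhs.lstrip("-").isdigit()})
    return findings

# Constructed skeleton around the line quoted on the slide (not the real kernel source).
SAMPLE_C = """\
long sys_wait4(pid_t pid, unsigned int *stat_addr, int options, struct rusage *ru)
{
    long retval = 0; int c, count = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;
    if ((options == (__WCLONE|__WALL)) && (current->uid == 0))
        retval = -EINVAL;
    while ((c = getchar()) != EOF)
        count++;
    return retval;
}
"""

if __name__ == "__main__":
    for finding in find_assignments_in_conditions(SAMPLE_C):
        print(finding)
```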
