malware
play

Malware Nadia Heninger and Deian Stefan UCSD Fall 2019 Some - PowerPoint PPT Presentation

Sep 20, 2022 •349 likes •748 views

CSE 127: Computer Security Malware Nadia Heninger and Deian Stefan UCSD Fall 2019 Some material from Stefan Savage and David Wagner Vulnerability of the week: Sudo flaw thehackernews.com/2019/10/linux-sudo-run-as-root-flaw.html Today

  1. CSE 127: Computer Security Malware Nadia Heninger and Deian Stefan UCSD Fall 2019 Some material from Stefan Savage and David Wagner

  2. Vulnerability of the week: Sudo flaw thehackernews.com/2019/10/linux-sudo-run-as-root-flaw.html

  3. Today We’ve talked about ways machines can be compromised. What happens afterward? • Malware

  4. Viruses, Worms, and Rootkits • Virus: Code propagates by arranging itself to eventually be executed. Biological analogue: altering stored code. • Worm: Self-propagates by arranging itself to immediately be executed. Alters running code. Not really a sharp distinction. • Rootkit: Program designed to give access to an attacker while actively hiding its presence.

  5. The Simple Virus 0100 EB1C JMP 011E 0102 BE1B02 MOV SI,021B 0105 BF1B01 MOV DI,011B 0108 8BCE MOV CX,SI 010A F7D9 NEG CX 010C FC CLD 010D B81B01 MOV AX,011B 0110 06 PUSH ES 0111 50 PUSH AX 0112 06 PUSH ES 0113 B81801 MOV AX,0118 0116 50 PUSH AX 0117 CB RETF 0118 F3 REPZ 0119 A4 MOVSB 011A CB RETF 011B E93221 JMP 2250 011E 83C24F ADD DX,+4F 0121 8BFA MOV DI,DX 0123 81FF8000 CMP DI,0080 0127 725E JB 0187 0129 7406 JZ 0131 012B C606250273 MOV BYTE PTR [0225],73 0130 90 NOP 0131 FEC5 INC CH 0133 7303 JNB 0138 1. User runs an infected program. 0135 80C140 ADD CL,40 0138 B8010C MOV AX,0C01 2. Program transfers control to the 013B 8BD6 MOV DX,SI virus. 013D CD13 INT 13 Infected Program

  6. The Simple Virus 0100 EB1C JMP 011E 0102 BE1B02 MOV SI,021B 0105 BF1B01 MOV DI,011B 0108 8BCE MOV CX,SI 010A F7D9 NEG CX 0100 B435 MOV AH,35 010C FC CLD 0102 B021 MOV AL,21 010D B81B01 MOV AX,011B 0104 CD21 INT 21 0110 06 PUSH ES 0106 8C06A002 MOV [02A0],ES 0111 50 PUSH AX 010A 891E9E02 MOV [029E],BX 0112 06 PUSH ES 010E B425 MOV AH,25 0113 B81801 MOV AX,0118 0110 B021 MOV AL,21 0116 50 PUSH AX 0112 BA2001 MOV DX,0120 0117 CB RETF 0115 CD21 INT 21 0118 F3 REPZ 0117 83C24F ADD DX,+4F 0119 A4 MOVSB 011A 8BFA MOV DI,DX 011A CB RETF 011C 81FF8000 CMP DI,0080 011B E93221 JMP 2250 0120 725E JB 0187 011E 83C24F ADD DX,+4F 0122 7406 JZ 0131 0121 8BFA MOV DI,DX 0124 C606250273 MOV BYTE PTR [0225],73 0123 81FF8000 CMP DI,0080 0129 90 NOP 0127 725E JB 0187 012A FEC5 INC CH 0129 7406 JZ 0131 012C 7303 JNB 0138 012B C606250273 MOV BYTE PTR [0225],73 012E 80C140 ADD CL,40 0130 90 NOP 0132 B8010C MOV AX,0C01 0131 FEC5 INC CH 0135 8BD6 MOV DX,SI 0133 7303 JNB 0138 0137 CD13 INT 13 0135 80C140 ADD CL,40 3. Virus locates a new program. 0138 B8010C MOV AX,0C01 013B 8BD6 MOV DX,SI 4. Virus appends its logic to the 013D CD13 INT 13 end of the new file. Infected Program

  7. The Simple Virus 0100 EB1C JMP 011E 0102 BE1B02 MOV SI,021B 0105 BF1B01 MOV DI,011B 0108 8BCE MOV CX,SI 010A F7D9 NEG CX 0100 B435 MOV AH,35 0100 EB1C JMP 0117 010C FC CLD 0102 B021 MOV AL,21 010D B81B01 MOV AX,011B 0104 CD21 INT 21 0110 06 PUSH ES 0106 8C06A002 MOV [02A0],ES 0111 50 PUSH AX 010A 891E9E02 MOV [029E],BX 0112 06 PUSH ES 010E B425 MOV AH,25 0113 B81801 MOV AX,0118 0110 B021 MOV AL,21 0116 50 PUSH AX 0112 BA2001 MOV DX,0120 0117 CB RETF 0115 CD21 INT 21 0118 F3 REPZ 0117 83C24F ADD DX,+4F 0119 A4 MOVSB 011A 8BFA MOV DI,DX 011A CB RETF 011C 81FF8000 CMP DI,0080 011B E93221 JMP 2250 0120 725E JB 0187 011E 83C24F ADD DX,+4F 0122 7406 JZ 0131 0121 8BFA MOV DI,DX 0124 C606250273 MOV BYTE PTR [0225],73 0123 81FF8000 CMP DI,0080 0129 90 NOP 0127 725E JB 0187 012A FEC5 INC CH 0129 7406 JZ 0131 012C 7303 JNB 0138 012B C606250273 MOV BYTE PTR [0225],73 012E 80C140 ADD CL,40 0130 90 NOP 0132 B8010C MOV AX,0C01 0131 FEC5 INC CH 0135 8BD6 MOV DX,SI 0133 7303 JNB 0138 0137 CD13 INT 13 0135 80C140 ADD CL,40 5. Virus updates the new program 0138 B8010C MOV AX,0C01 013B 8BD6 MOV DX,SI so the virus gets control when 013D CD13 INT 13 the program is launched. Infected Program

  8. Summary of Malicious Behavior • Malware runs with some user privileges on machine. Can do anything that user can do, or escalate privileges. • Mischief/Malice: • Pop up messages. • Trash files. • Damage hardware. • Surveillance/espionage: • Exfiltrate information • Keylogging, screen capture, audio, camera

  9. Summary of Malicious Behavior • Economics/crime: • Botnet: A network of autonomous programs controlled by a remote attacker can be used at a platform for attacks. • Denial of service • Spam and clickfraud • Launch new exploits • Spam • Selling goods/services • Advanced fee fraud (419 scam) • Phishing/spearphishing • Clickfraud • Produce clicks on ads for revenue • or to deplete others’ ad budgets • Extortion attacks • Ransomware: encrypt fi les and demand payment to decrypt • Steal credentials • Blackmail

  10. How does malware run? Attack a network-accessible vulnerable service. • The Morris Worm (1988) exploited a buffer overflow in the fingerd utility, also propagated itself via rsh and cracked passwords. • Bogged down infected machines by uncontrolled spawning. • Infected 10% of internet hosts at the time.

  11. How does malware run? Attack a network-accessible vulnerable service. • The Blaster Worm (2003) attacked a buffer overflow in the MS RPC interface.

  12. July 1 July 16 July 25 Aug 11 Vulnerability Bulletin & patch Exploit code in reported to us / available Worm in the world public Patch in progress No exploit Blaster shows the complex interplay between security researchers, software companies, and hackers Source: Microsoft The World Today

  14. How does malware run? Attack a network-accessible vulnerable service. • The WannaCry Ransomware (2017) used a Windows SMB exploit from the Shadow Broker archive called "Eternal Blue".

  15. WannaCry Malware • The "Eternal Blue" exploit used in WannaCry was developed by the NSA and not disclosed to Microsoft. • The WannaCry ransomware repurposed this exploit after it was leaked, and it took down many companies. • Marcus Hutchins discovered a “kill switch ” sinkhole domain that stopped the spread of the malware.

  16. How does malware run? Vulnerable client connects to remote system that sends over an attack “ driveby ” . • Malvertising: Using web ads to deliver malicious code. • The Cryptowall malware (2014) was a Cryptolocker clone that was delivered in malicious ads.

  17. How does malware run? Vulnerable client connects to remote system that sends over an attack “ driveby ” . • US Government search warrants describe installing malware on a target ’ s computer as a “ network investigative technique ” .

  18. How does malware run? Vulnerable client connects to remote system that sends over an attack “ driveby ” . • US Government search warrants describe installing malware on a target ’ s computer as a “ network investigative technique ” .

  19. How does malware run? Social engineering: Trick user into running or installing. • Fake antivirus: Pops up warning that machine is infected and o ff ers to clean for a fee.

  20. How does malware run? Social engineering: Trick user into running or installing. • Flashlight trojan horse apps that steal credentials.

  21. How does malware run? Social engineering: Trick user into running or installing. • Hacking Team: State-sponsored malware (2012) Uploaded to contact form on July 13, 2012: Svp ne mentionnez pas mon nom ni rien du tout je ne veux pas d embrouilles. . . http://freeme.eu5.org/scandale%20(2).doc https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/

  22. Hacking Team I nstallation Pathways Symantec

  23. Hacking Team Marketing Materials

  24. Lucrative legal market for exploits

  26. How does malware run? Social engineering: Trick user into running or installing. • Exploit USB autorun functionality.

Recommend

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

570 views • 22 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware malware that evades analysis 2 logistics: LEX homework detect push ret pattern using fmex probably easier than TRICKY 3 upcoming exam next Wednesday

496 views • 48 slides
Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

DeepSec IDSC Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware Adventures Agenda INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 2 1 2 3 4 Android Malware

1.01k views • 64 slides
Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of Computer and Information Science Linkping University Malware Defense Agenda 2 Two lectures Lecture I : Malware basics, malware on the PC,

621 views • 40 slides
FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for

FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for

FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for Malware Amount of malware is growing exponentially Anti-virus and signature based approaches are reactionary, dont work for novel malware

127 views • 11 slides
CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is software that aids in gathering A virus is a computer program that is information about a person or organization capable of making copies of itself

716 views • 56 slides
CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane kaneca@mail.uc.edu January 24, 2017 Why Classification is Important Malware classification helps us in multiple ways. Here are a couple key ways:

787 views • 16 slides
On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware Detection The number of new malware exceeds 75 million by the end of 2011, and is still increasing. The number of malware that produced

1.34k views • 91 slides
Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning

Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning

Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning Objectives By the end of this week, you will be able to: Describe types of malware See certain malware behaviors Scan and analyze malware

883 views • 25 slides
Lecture 12 Malware Defenses Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 12 Malware Defenses Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 12 Malware Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Baileys ECE 422 Malware review How does the malware start running? Logic bomb? Trojan horse? Virus?

470 views • 27 slides
Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal and Wenke Lee College of Computing Georgia Institute of Technology Agenda l Background l Defeating Automated Malware Analysis Host

1.28k views • 28 slides
More Malware Last Class Worms: Morris Worm Stuxnet Conficker Web-based

More Malware Last Class Worms: Morris Worm Stuxnet Conficker Web-based

More Malware Last Class Worms: Morris Worm Stuxnet Conficker Web-based malware: Exploit kits Fake AV Ransomware Today (continuation) How Malware Spreads Adware Computer Virus A type of malicious

647 views • 23 slides
Linux malware presentation @r00tbsd Paul Rascagnres Malware.lu July 2013 @r00tbsd

Linux malware presentation @r00tbsd Paul Rascagnres Malware.lu July 2013 @r00tbsd

Linux malware presentation Linux malware presentation @r00tbsd Paul Rascagnres Malware.lu July 2013 @r00tbsd Paul Rascagnres from Malware.lu Linux malware presentation Plan - Presentation - Darkleech/Chapro - Cdorked - Wirenet

425 views • 31 slides
MALWARE: VIRUSES CMSC 414 FEB 08 2018 MALWARE Malicious code that is stored on and runs

MALWARE: VIRUSES CMSC 414 FEB 08 2018 MALWARE Malicious code that is stored on and runs

MALWARE: VIRUSES CMSC 414 FEB 08 2018 MALWARE Malicious code that is stored on and runs on a victims system How does it get to run? Attacks a user- or network-facing vulnerable service Backdoor: Added by a malicious

1.02k views • 81 slides
PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr

PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr

PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr Sec Research Analyst @ Arbor ex-TippingPoint ASI Primarily reverse malware Interests / Research DDoS Botnet tracking Malware Clustering Bug

419 views • 29 slides
CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu February 22, 2018 Exploring the Online Ecosystem One nice aspect of malware analysis is that, since much of it originates online and

119 views • 10 slides

More recommend