malware
play

Malware Prof. Tom Austin San Jos State University Malware: The Cat - PowerPoint PPT Presentation

CS 166: Information Security Malware Prof. Tom Austin San Jos State University Malware: The Cat & Mouse Game Attackers and Defenders Play 1971 "I'M THE CREEPER : "I'M THE CREEPER : CATCH ME IF YOU CAN." CATCH ME IF YOU


  1. CS 166: Information Security Malware Prof. Tom Austin San José State University

  2. Malware: The Cat & Mouse Game Attackers and Defenders Play

  3. 1971

  4. "I'M THE CREEPER : "I'M THE CREEPER : CATCH ME IF YOU CAN." CATCH ME IF YOU CAN." "I'M THE CREEPER : "I'M THE CREEPER : CATCH ME IF YOU CAN." "I'M THE CREEPER : CATCH ME IF YOU CAN." CATCH ME IF YOU CAN." "I'M THE CREEPER : CATCH ME IF YOU CAN." "I'M THE CREEPER : CATCH ME IF YOU CAN." "I'M THE CREEPER : CATCH ME IF YOU CAN."

  5. Creeper • The world's first computer virus (probably) • Created by Bob Thomas as an experiment in "mobile" self-replicating programs • Not malicious, just annoying… • …Very annoying.

  6. Reaper • A second self-replicating program soon appeared. It 1. Deleted Creeper 2. Spread to other machines 3. Deleted itself • Arguably the first anti-virus software… • …and the second virus. • "Core War" game inspired by Creeper/Reaper.

  7. The ongoing struggle The contest between malware writers and anti-malware writers has continued ever since…

  8. Malware has gone from a lone-wolf's tool for petty revenge…

  9. ...to the realm of the professional criminal…

  10. …even to weapons for nation states.

  11. What is malware? • Mal icious soft ware • Covers a variety of hostile or intrusive software

  12. Types of Malware Trojan horse: Appears benign, but has some malicious behavior. Backdoor: Allows unauthorized access.

  13. Yay, free music! To listen: 1. Double click on the file 2. iTunes opens But then things get weird…

  14. Mac Trojan • Double click on freeMusic.mp3 – iTunes opens (expected) – “Wild Laugh” (not expected) – Message box (not expected)

  15. Trojan Example • How does freeMusic.mp3 trojan work? • This “mp3” is an application, not data • This trojan is harmless, but… • …could have done anything user could do (like delete all of your files)

  16. More Types of Malware Rabbit: exhausts system resources. Worm: Actively spreads over the network. Many more exist: Rootkits, Adware, Keyloggers…

  17. Trojan Rabbit? These categories often overlap. • A Trojan Horse might attempt to exhaust system resources • A worm might install a backdoor on its victim

  18. One type of malware I have not defined so far… Computer Viruses In the vernacular, 'virus' is often a synonym for malware. So how do computer scientists use the term?

  19. The Many Definitions of "Virus" "A virus is a program that is able to infect other programs by modifying them to include a possibly evolved copy of itself." --Frederick Cohen "A computer virus is a program that recursively and explicitly copies a possibly modified version of itself." --Peter Szor

  20. Infection process (viruses under Cohen's definition) • Attacker creates an initial germ file. • The germ infects other programs. • When infected programs run, they spread the virus to other programs.

  21. How a file gets infected original code infected code

  22. How a file gets infected original code infected code JMP JMP

  23. History of Famous Worms

  24. November 2, 1988 Apple and Micro$oft were fighting for control of the PC market. Windows 3.0 had not yet been released.

  25. Robert Tappan Morris • Cornell grad student. • Allegedly, he wanted to gauge the size of the Internet. • He wrote a program that would: 1. Determine where it could spread 2. Transmit itself 3. Hide, and then repeat the process.

  26. How Morris Worm Spread • Obtained access to machines by… – User account password guessing – Exploit buffer overflow in fingerd – Exploit trapdoor in sendmail • Flaws in fingerd and sendmail were well-known, but not widely patched

  27. Bootstrap Loader • Once Morris worm got access… • “Bootstrap loader” sent to victim – 99 lines of C code • Victim compiled and executed code • Bootstrap loader fetched the worm • Victim authenticated sender – Don’t want user to get a bad worm…

  28. How to Remain Undetected? • If transmission interrupted, code deleted • Code encrypted when downloaded • Code deleted after decrypt/compile • When running, worm regularly changed name and process identifier (PID)

  29. Whoops Morris's program had a bug (or so he claimed). • It would re-infect the same systems • It acted like a fork-bomb (a type of rabbit) and took out many systems

  30. The Internet had been designed to survive a nuclear war… …but apparently not one grad student.

  31. Morris Worm Aftermath • Estimate of damages: between $100,000 and $10 million • Morris became the first person convicted under the 1986 Computer Fraud and Abuse Act • The Computer Emergency Response Team Coordination Center (CERT/CC) was created as a direct result of this attack • Increased awareness of computer security

  32. 2001 We had survived Y2K. The world did not end. Windows XP began its long reign.

  33. HELLO! Welcome to http://www.worm.com! Hacked By Chinese! In 15 hours , 250,000 machines were infected

  34. Code Red Worm • Eventually infected 750,000 out of about 6,000,000 vulnerable systems • Exploited buffer overflow in Microsoft IIS server software – Then monitor traffic on port 80, looking for other susceptible servers

  35. Code Red: What it Did • Day 1 to 19 of month: spread its infection • Day 20 to 27: distributed denial of service attack (DDoS) on www.whitehouse.gov • Later version (several variants) – Included trapdoor for remote access – Rebooted to flush worm, leaving only trapdoor • Some say it was “beta test for info warfare” – But no evidence to support this

  36. January 25, 2003 As impressive as Code Red was, 2 years later we saw an even more effective worm.

  37. SQL Slammer • Infected 75,000 systems in 10 minutes! • At its peak, infections doubled every 8.5 seconds • Spread “too fast”… • …so it “burned out” available bandwidth

  38. Why was Slammer Successful? • Worm size: one 376-byte UDP packet • Firewalls often let one packet thru – Then monitor ongoing “connections” • Expectation was that much more data required for an attack – So no need to worry about 1 small packet • Slammer defied “experts”

  39. The Worms of the Future?

  40. Warhol Worm • “In the future everybody will be world-famous for 15 minutes” ¾ Andy Warhol • Warhol Worm is designed to infect the entire Internet in 15 minutes • Slammer infected 250,000 in 10 minutes – “Burned out” bandwidth – Could not have infected entire Internet in 15 minutes ¾ too bandwidth intensive • Can rapid worm do “better” than Slammer?

  41. A Possible Warhol Worm • Seed worm with an initial hit list containing a set of vulnerable IP addresses – Depends on the particular exploit – Tools exist for identifying vulnerable systems • Each successful initial infection would attack selected part of IP address space

  42. Flash Worm • Can we do “better” than Warhol worm? • Infect entire Internet in less than 15 minutes? • Searching for vulnerable IP addresses is the slow part of any worm attack • Searching might be bandwidth limited – Like Slammer • Flash worm designed to infect entire Internet almost instantly

  43. Flash Worm • Predetermine all vulnerable IP addresses – Depends on details of the attack • Embed these addresses in worm(s) – Results in huge worm(s) – But, the worm replicates, it splits • No wasted time or bandwidth! Original worm(s) 1st generation 2nd generation

  44. Flash Worm • Estimated that ideal flash worm could infect the entire Internet in 15 seconds! • So how could we defend against this attack? • Any defense must be fully automated

  45. We have reviewed different types of malware. How do we stop its spread? Protect against the attacks Detect when malware has spread

  46. Stopping the Spread of Malware

  47. Attack vectors • Spread by network (worms) • Drive by downloads • Code injection vulnerabilities – Cross-site scripting (XSS) attacks – Buffer overflow vulnerabilities • USB sticks

  48. Stopping Trojan Horses and Backdoors

  49. Defending against a Trojan horse with cryptographic hashes • A Trojan horse relies on a user downloading it • Using checksums provided by a cryptographic hash verifies that a file has not been tampered with.

  50. Sandboxing • Applications written for the web browser in JavaScript, Flash, Java, etc. rely on sandboxing. • Code run in the sandbox has reduced privileges. • Provided it does not escape from its sandbox.

  51. App Stores • Applications are reviewed by a trusted party. • Therefore, applications can be given greater permissions. • Examples include Apple's app store, Mozilla's Firefox addon gallery, etc. • Labor intensive

  52. Firewalls Great tool for fighting viruses: • Stop malware from entering the network • Detect messages coming from infected machines on your network (botnet)

  53. USB Drives • Common method of transmitting data between machines. • Potentially dangerous: – Pass out infected drives to compromise machines – Convince users to plug drives into infected machines

Recommend


More recommend