malware viruses
play

MALWARE: VIRUSES CMSC 414 FEB 08 2018 MALWARE Malicious code - PowerPoint PPT Presentation

Oct 18, 2022 •199 likes •1.02k views

MALWARE: VIRUSES CMSC 414 FEB 08 2018 MALWARE Malicious code that is stored on and runs on a victims system How does it get to run? Attacks a user- or network-facing vulnerable service Backdoor: Added by a malicious

  1. MALWARE: 
 VIRUSES CMSC 414 FEB 08 2018

  2. MALWARE Malicious code that is stored on and runs on a victim’s system • How does it get to run? • Attacks a user- or network-facing vulnerable service • Backdoor: Added by a malicious developer • Social engineering: Trick the user into running/ clicking/installing • Trojan horse: Offer a good service, add in the bad • Drive-by download: Webpage surreptitiously installs • Attacker with physical access downloads & runs it

  3. MALWARE Malicious code that is stored on and runs on a victim’s system • How does it get to run? • Attacks a user- or network-facing vulnerable service • Backdoor: Added by a malicious developer • Social engineering: Trick the user into running/ clicking/installing • Trojan horse: Offer a good service, add in the bad • Drive-by download: Webpage surreptitiously installs • Attacker with physical access downloads & runs it Potentially from any mode of interaction (automated or not), provided sufficient vulnerability

  4. MALWARE: WHAT CAN IT DO? Virtually anything, subject only to its permissions • Brag: “APRIL 1st HA HA HA HA YOU HAVE A VIRUS!” • Destroy: Delete/mangle files - Damage hardware (more later this lecture) - • Crash the machine, e.g., by over-consuming resources Fork bombing or “rabbits”: while(1) { fork(); } - • Steal information (“exfiltrate”) • Launch external attacks Spam, click fraud, denial of service attacks - • Ransomware: e.g., by encrypting files • Rootkits: Hide from user or software-based detection Often by modifying the kernel - Man-in-the-middle attacks to sit between UI and reality -

  5. MALWARE: WHEN DOES IT RUN? Some delay based on a trigger • Time bomb: triggered at/after a certain time On the 1st through the 19th of any month… - • Logic bomb: triggered when a set of conditions hold If I haven’t appeared in two consecutive payrolls… - • Can also include a backdoor to serve as ransom “I won’t let it delete your files if you pay me by Thursday…” - Some attach themselves to other pieces of code • Viruses: run when the user initiates something Run a program, open an attachment, boot the machine - • Worms: run while another program is running No user intervention required -

  6. SELF-PROPAGATING MALWARE • Virus: propagates by arranging to have itself eventually executed • At which point it creates a new, additional instance of itself • Typically infects by altering stored code • User intervention required • Worm: self -propagates by arranging to have itself immediately executed • At which point it creates a new, additional instance of itself • Typically infects by altering running code • No user intervention required The line between these is thin and blurry Some malware uses both styles

  7. MALWARE: TECHNICAL CHALLENGES • Viruses: Detection • Antivirus software wants to detect • Virus writers want to avoid detection for as long as possible • Evade human response • Worms: Spreading • The goal is to hit as many machines and as quickly as possible • Outpace human response

  8. VIRUS DESIGN

  9. VIRUSES • They are opportunistic : they will eventually be run due to user action • Two orthogonal aspects define a virus: 1. How does it propagate ? 2. What else does it do (what is the “ payload ”)? • General infection strategy: • Alter some existing code to include the virus • Share it, and expect users to (unwittingly) re-share • Viruses have been around since at least the 70s

  10. HOW VIRUSES INFECT OTHER PROGRAMS Entry point Original program

  11. HOW VIRUSES INFECT OTHER PROGRAMS Entry point Original program Entry Take over the 
 Original program point Virus entry point

  12. VIRUSES ARE CLASSIFIED BY WHAT THEY INFECT

  13. VIRUSES ARE CLASSIFIED BY WHAT THEY INFECT • Document viruses • Implemented within a formatted document • Word documents (very rich macros) • PDF (Acrobat permits javascript) • (Why you shouldn’t open random attachments)

  14. VIRUSES ARE CLASSIFIED BY WHAT THEY INFECT • Document viruses • Implemented within a formatted document • Word documents (very rich macros) • PDF (Acrobat permits javascript) • (Why you shouldn’t open random attachments) • Boot sector viruses • Boot sector: small disk partition at a fixed location • If the disk is used to boot , then the firmware loads the boot sector code into memory and runs it • What’s supposed to happen: this code loads the OS • Similar: AutoRun on music/video disks • (Why you shouldn’t plug random USB drives into your computer)

  15. VIRUSES ARE CLASSIFIED BY WHAT THEY INFECT • Document viruses • Implemented within a formatted document • Word documents (very rich macros) • PDF (Acrobat permits javascript) • (Why you shouldn’t open random attachments) • Boot sector viruses • Boot sector: small disk partition at a fixed location • If the disk is used to boot , then the firmware loads the boot sector code into memory and runs it • What’s supposed to happen: this code loads the OS • Similar: AutoRun on music/video disks • (Why you shouldn’t plug random USB drives into your computer) • Memory-resident viruses • “Resident code” stays in memory because it is used so often

  16. VIRUSES HAVE RESULTED IN A TECHNICAL ARMS RACE The key is evasion

  17. VIRUSES HAVE RESULTED IN A TECHNICAL ARMS RACE The key is evasion Mechanisms for 
 evasive 
 propagation

  18. VIRUSES HAVE RESULTED IN A TECHNICAL ARMS RACE The key is evasion Mechanisms for 
 Mechanisms for 
 evasive 
 detection and 
 propagation prevention

  19. VIRUSES HAVE RESULTED IN A TECHNICAL ARMS RACE The key is evasion Mechanisms for 
 Mechanisms for 
 evasive 
 detection and 
 propagation prevention

  20. VIRUSES HAVE RESULTED IN A TECHNICAL ARMS RACE The key is evasion Mechanisms for 
 Mechanisms for 
 evasive 
 detection and 
 propagation prevention Want to be able to 
 Want to be able to 
 claim wide coverage 
 claim the ability to 
 for a long time detect many viruses

  21. HOW VIRUSES PROPAGATE • First, the virus looks for an opportunity to run . 
 Increase chances by attaching malicious code to something a user is likely to run • autorun.exe on storage devices • Email attachments • When a virus runs, it looks for an opportunity to infect other systems. • User plugs in a USB thumb drive: try to overwrite autorun.exe • User is sending an email: alter the attachment • Viruses can also proactively create emails (“I Love You”)

  22. DETECTING VIRUSES • Method 1: Signature-based detection • Look for bytes corresponding to injected virus code • Protect other systems by installing a recognizer for a known virus • In practice, requires fast scanning algorithms • This basic approach has driven the multi-billion dollar antivirus market • #Recognized signatures is a means of marketing and competition • But what does that say about how important they are?

  23. Um.. thanks?

  25. YOU ARE A VIRUS WRITER…

  26. YOU ARE A VIRUS WRITER… • Your goal is for your virus to spread far and wide

  27. YOU ARE A VIRUS WRITER… • Your goal is for your virus to spread far and wide • How do you avoid detection by antivirus software?

  28. YOU ARE A VIRUS WRITER… • Your goal is for your virus to spread far and wide • How do you avoid detection by antivirus software? 1. Give them a harder signature to find

  29. HOW VIRUSES INFECT OTHER PROGRAMS Entry point Original program Entry Original program point Virus “Appending”

  30. HOW VIRUSES INFECT OTHER PROGRAMS Entry point Original program Entry Original program point Virus “Appending” jmp Entry “Surrounding” Original program point jmp

  31. HOW VIRUSES INFECT OTHER PROGRAMS Entry point Original program Entry Original program point Virus “Appending” jmp Entry “Surrounding” Original program point jmp Entry point Original program Overwrite uncommonly 
 used parts of the program etc.

  32. HOW VIRUSES INFECT OTHER PROGRAMS Entry point Original program Entry Original program point Virus “Appending” jmp Entry “Surrounding” Original program point jmp Confuse 
 scanners Entry point Original program Overwrite uncommonly 
 used parts of the program etc.

  33. YOU ARE A VIRUS WRITER…

  34. YOU ARE A VIRUS WRITER… • Your goal is for your virus to spread far and wide • How do you avoid detection by antivirus software? 1. Give them a harder signature to find

  35. YOU ARE A VIRUS WRITER… • Your goal is for your virus to spread far and wide • How do you avoid detection by antivirus software? 1. Give them a harder signature to find 2. Change your code so they can’t pin down a signature

  36. YOU ARE A VIRUS WRITER… • Your goal is for your virus to spread far and wide • How do you avoid detection by antivirus software? 1. Give them a harder signature to find 2. Change your code so they can’t pin down a signature Mechanize code changes: Goal: every time you inject your code, it looks different

  37. BUILDING BLOCK: ENCRYPTION Key Key Plaintext Plaintext Encrypt Ciphertext Decrypt Symmetric key: both keys are the same 
 Asymmetric key: different keys Important property: the ciphertext is nondeterministic i.e., “Encrypt” has a different output each time but decrypting always returns the plaintext

Recommend

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is software that aids in gathering A virus is a computer program that is information about a person or organization capable of making copies of itself

716 views • 56 slides
VIRUSES AND MALWARE Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Viruses

VIRUSES AND MALWARE Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Viruses

VIRUSES AND MALWARE Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Viruses Intrusion detection Behavioral detection Firewalls Virus/antivirus Application firewalls coevolution paper discussed

551 views • 40 slides
AND MALWARE Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Viruses

AND MALWARE Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Viruses

VIRUSES, WORMS, AND MALWARE Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Viruses Intrusion detection Behavioral detection Firewalls Virus/antivirus Application firewalls coevolution paper discussed

915 views • 56 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
Why Protection against Viruses, Bots, and Worms is so hard Malware seen as Mobile Agents Till

Why Protection against Viruses, Bots, and Worms is so hard Malware seen as Mobile Agents Till

Foundations Security in MAS Conclusion Why Protection against Viruses, Bots, and Worms is so hard Malware seen as Mobile Agents Till Drges td@pre-secure.de PRESECURE Consulting GmbH June 20, 2007 Till Drges Protection Malware seen

739 views • 57 slides
Malware: Viruses, Worms, Rootkits, Botnets Spring 2015

Malware: Viruses, Worms, Rootkits, Botnets Spring 2015

CSE 484 / CSE M 584: Computer Security and Privacy Malware: Viruses, Worms, Rootkits, Botnets Spring 2015 Franziska (Franzi) Roesner

403 views • 37 slides
File Infection Techniques: File Resident Viruses CS 4440/7440 Malware Analysis & Defense

File Infection Techniques: File Resident Viruses CS 4440/7440 Malware Analysis & Defense

File Infection Techniques: File Resident Viruses CS 4440/7440 Malware Analysis & Defense Bill Harrison Viruses: Online Resources } Symantec Virus Encyclopedia: http://securityresponse.symantec.com/avcenter/ vinfodb.html } McAfee Virus

1.06k views • 31 slides
Viruses based on slides by Vitaly Shmatikov and Ninghui Li Malware Malicious code often

Viruses based on slides by Vitaly Shmatikov and Ninghui Li Malware Malicious code often

Viruses based on slides by Vitaly Shmatikov and Ninghui Li Malware Malicious code often masquerades as good software or attaches itself to good software Some malicious programs need host programs Trojan horses, logic bombs, viruses

624 views • 40 slides
Viruses & Worms Thanks to Prof. Vern Paxson for these slides Malware That Propagates

Viruses & Worms Thanks to Prof. Vern Paxson for these slides Malware That Propagates

Viruses & Worms Thanks to Prof. Vern Paxson for these slides Malware That Propagates Virus = code that propagates (replicates) across systems by arranging to have itself eventually executed Generally infects by altering stored code

800 views • 67 slides
Malice, Exploitation, and Infection An Overview of Computer Viruses and Malware Bill Harrison

Malice, Exploitation, and Infection An Overview of Computer Viruses and Malware Bill Harrison

Malice, Exploitation, and Infection An Overview of Computer Viruses and Malware Bill Harrison MU Department of Computer Science Hi, Im Bill, glad to meet you } Ph.D 2001, UIUC } Thesis: Modular Compilers and Their Correctness Proofs }

936 views • 60 slides
Malware: Viruses CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva Dornadula,

Malware: Viruses CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva Dornadula,

Malware: Viruses CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva Dornadula, David Fifield, Mia Gil Epner, David Hahn, Warren He, Grant Ho, Frank Li, Nathan Malkin, Mitar Milutinovic, Rishabh Poddar, Rebecca Portnoff, Nate

555 views • 28 slides
Malware: Botnets, Viruses, and Worms Damon McCoy Slide Credit: Vitaly Shmatikov slide 1

Malware: Botnets, Viruses, and Worms Damon McCoy Slide Credit: Vitaly Shmatikov slide 1

Malware: Botnets, Viruses, and Worms Damon McCoy Slide Credit: Vitaly Shmatikov slide 1 Malware Malicious code often masquerades as good software or attaches itself to good software Some malicious programs need host programs

1.29k views • 86 slides
Machine Learning for Malware Analysis Andrew Davis Data Scientist Introduction - What is

Machine Learning for Malware Analysis Andrew Davis Data Scientist Introduction - What is

Machine Learning for Malware Analysis Andrew Davis Data Scientist Introduction - What is Malware? - Software intended to cause harm or inflict damage on computer systems - Many different kinds: - Viruses - Adware/Spyware - Backdoors -

904 views • 30 slides
Machine Learning for Malware Analysis Mike Slawinski Data Scientist Introduction - What is

Machine Learning for Malware Analysis Mike Slawinski Data Scientist Introduction - What is

Machine Learning for Malware Analysis Mike Slawinski Data Scientist Introduction - What is Malware? - Software intended to cause harm or inflict damage on computer systems - Many different kinds: - Adware/Spyware - Backdoors - Viruses

383 views • 26 slides
Virus Infection Techniques: Boot Record Viruses Bill Harrison CS4440/7440 Malware Analysis and

Virus Infection Techniques: Boot Record Viruses Bill Harrison CS4440/7440 Malware Analysis and

Virus Infection Techniques: Boot Record Viruses Bill Harrison CS4440/7440 Malware Analysis and Defense Reading } Start reading Chapter 4 of Szor 2 Virus Infection Techniques } We will survey common locations of virus infections: MBR (Master

727 views • 49 slides
CSCI 4250/6250 Fall 2011 Computer and Networks Security Malware Goodrich, Chapter 4

CSCI 4250/6250 Fall 2011 Computer and Networks Security Malware Goodrich, Chapter 4

CSCI 4250/6250 Fall 2011 Computer and Networks Security Malware Goodrich, Chapter 4 Viruses, Worms, Trojans, Rootkits Malware = Malicious Software can be classified into several categories, depending on propagation and concealment

472 views • 46 slides
Miscellaneous: Malware contd & start on Bitcoin CS 161: Computer Security Prof. Raluca

Miscellaneous: Malware contd & start on Bitcoin CS 161: Computer Security Prof. Raluca

Miscellaneous: Malware contd & start on Bitcoin CS 161: Computer Security Prof. Raluca Ada Popa April 19, 2018 Credit: some slides are adapted from previous offerings of this course Viruses vs. Worms VIRUS WORM Propagates by

757 views • 56 slides
More on Malware CS 136 Computer Security Peter Reiher March 4, 2008 Lecture 14 Page 1 CS

More on Malware CS 136 Computer Security Peter Reiher March 4, 2008 Lecture 14 Page 1 CS

More on Malware CS 136 Computer Security Peter Reiher March 4, 2008 Lecture 14 Page 1 CS 136, Winter 2008 Outline Introduction Viruses Trojan horses Trap doors Logic bombs Worms Botnets Spyware Some

701 views • 53 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

570 views • 22 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
Polymorphic & Metamorphic Viruses CS4440/7440 Spring 2015 Evolution of Polymorphic Viruses

Polymorphic & Metamorphic Viruses CS4440/7440 Spring 2015 Evolution of Polymorphic Viruses

Polymorphic & Metamorphic Viruses CS4440/7440 Spring 2015 Evolution of Polymorphic Viruses (1) } Why polymorphism? } Anti-virus scanners detect viruses by looking for signatures (snippets of known virus code) } Virus writers

641 views • 40 slides

More recommend