Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013
Network Security Fundamentals Module 5 Viruses & Worms, Botnets, Today’s Threats
Viruses & Worms
Viruses
• Program that copies itself to other programs
  - In the same directory
  - In a fixed directory
• Virus spreads by the copying of files
  - By users, typically
• When the program is invoked
  - Virus executes first
  - Copies itself to other programs
  - Optionally, performs some malicious action
  - Then executes the host program
• Example: W97M.Marker
04/13 cja 2013 4
Worms
• Viruses that use the network to replicate
  - No dependence on the copying of files
• Worm generates its own targets
  - Via self-stored data
  - Via host-stored data
  - Randomly
  - Combinations thereof
• Example: Blaster
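A worm that generates its own targets (randomly, as Blaster did on TCP/135) leaves a distinctive trace in connection logs: one source reaching many distinct destinations on one port in a short time, with most attempts refused or unanswered because nobody is listening. The detector below is an added illustration for this slide, not code from the course or from any worm; the log format, thresholds and sample records are constructed for it.

```python
"""Detecting a scanning worm from connection logs.

Added illustration, not course material. Records are in a simplified
Bro/Zeek conn.log shape (constructed for this example):
    <ISO timestamp> <src> <dst> <dport> <state>
where state SF = completed handshake, REJ = refused, S0 = no reply.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Connection states that mean "nobody was listening": a scanner's usual result.
FAILED_STATES = {"REJ", "S0", "RSTO"}


def parse_flow(line):
    ts, src, dst, dport, state = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), state


def detect_scanners(lines, window=timedelta(seconds=10),
                    min_targets=20, min_fail_ratio=0.8):
    """Flag (src, dport) pairs that reach >= min_targets distinct destinations
    inside `window` while >= min_fail_ratio of those attempts fail.

    Fan-out alone is not enough (resolvers, mail relays and monitoring boxes
    legitimately talk to many hosts); the failure ratio separates a host that
    is guessing addresses from one that knows where its peers are.
    """
    flows = sorted((parse_flow(line) for line in lines if line.strip()),
                   key=lambda f: f[0])
    per_key = defaultdict(list)
    for ts, src, dst, dport, state in flows:
        per_key[(src, dport)].append((ts, dst, state in FAILED_STATES))

    alerts = {}
    for key, events in per_key.items():
        win = deque()                      # sliding window over this source/port
        for ev in events:
            win.append(ev)
            while ev[0] - win[0][0] > window:
                win.popleft()
            targets = {dst for _, dst, _ in win}
            if len(targets) < min_targets:
                continue
            fail_ratio = sum(1 for _, _, failed in win if failed) / len(win)
            seen = alerts.get(key, {}).get("targets", 0)
            if fail_ratio >= min_fail_ratio and len(targets) > seen:
                alerts[key] = {"targets": len(targets),
                               "fail_ratio": round(fail_ratio, 2),
                               "first_seen": win[0][0].isoformat()}
    return alerts


def build_sample_flows():
    """Constructed sample records (not captured traffic): one host sweeping
    TCP/135 the way Blaster did, one resolver with a large but healthy fan-out,
    and one ordinary client."""
    base = datetime(2013, 4, 1, 10, 0, 0)
    lines = []
    for i in range(1, 41):                 # 40 targets in 5 s, only two answer
        ts = base + timedelta(seconds=i // 8)
        state = "SF" if i % 20 == 0 else "REJ"
        lines.append(f"{ts.isoformat()} 10.1.1.5 10.1.2.{i} 135 {state}")
    for i in range(1, 31):                 # resolver: 30 upstream servers, all up
        ts = base + timedelta(seconds=i // 10)
        lines.append(f"{ts.isoformat()} 10.1.1.53 192.0.2.{i} 53 SF")
    for i in range(1, 6):                  # client: a few file servers, minutes apart
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} 10.1.1.9 10.1.3.{i} 445 SF")
    return lines


if __name__ == "__main__":
    for (src, dport), info in detect_scanners(build_sample_flows()).items():
        print(f"scan from {src} on port {dport}: {info}")
```

Only the 10.1.1.5 sweep is reported: the resolver reaches more hosts than the threshold but every connection completes, and the client never reaches the fan-out threshold at all. A worm that uses host-stored data (known hosts, address books) instead of random targets will show a much lower failure ratio, which is exactly why that strategy is attractive to its author; for that case the fan-out rate per source is the stronger signal.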
Types of Viruses
• Boot sector
• Executable infector
• Multipartite
• TSR
• Stealth
• Encrypted
• Polymorphic
• Metamorphic
Macro Viruses
• Virus instructions are interpreted
  - Platform independent
• Infect common applications
  - Microsoft Excel, …
• Easily spread
• Easily defeated
  - Prohibit automatic execution of code
Virus distribution
• Sophos study (2002)
  - 26.1% macro viruses
  - 26.1% Trojan horses
  - 19.2% executable viruses
  - 6.8% script viruses
  - 21.8% other (Unix, boot sector, worms, file, Macintosh, multipartite)
Malicious code types, 2010
Source: Symantec Global Internet Security Threat Report, Vol. XVI, April 2011
Malicious Code Types, 2012
Figure B11: Propagation Mechanisms
Source: Symantec Internet Security Threat Report, Vol. 17, April 2012
Antiviral approaches
• Detection
  - Scan for virus code “signatures”
  - More difficult for encrypting viruses
    » Polymorphic: decrypt using an emulator, or analyze the encrypted virus body statistically
    » Metamorphic: harder
• Identification
  - Vendor databases
• Removal
  - Quarantine
    » Render harmless by encryption or compression
    » Copy to quarantine area
  - Delete
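The three detection approaches on this slide, worked through on a toy model: a static signature scanner, an encrypted virus whose decryptor stub is constant, a polymorphic variant whose stub changes on every generation, an emulator that runs the stub and scans what it produces, and a statistical (known-plaintext, "X-ray") check on the encrypted body. This is an added illustration, not course code and not a real AV engine: the virus body, the decryptor bytecode, the emulator and the signatures are all constructed here, and the bytecode stands in for the native-code decryptor loop a real sample would carry.

```python
"""Signature scanning vs. encrypted and polymorphic decryptors.

Added illustration, constructed for this page: the body, the decryptor
bytecode, its emulator and the signatures are not real samples or real
AV components. Real decryptors are native code and real emulators are
CPU emulators; the logic is the same.
"""
import random

# Constructed plaintext body: repetitive, like real code.
BODY = (b"\xe8\x00\x00\x00\x00\x5e\x81\xee" * 4
        + b"example body text, low entropy " * 5)[:160]

# Decryptor bytecode (constructed): 01 k = key, 02 n = length, 03 = XOR loop,
# 04 = SUB loop, 90 = junk NOP, FF = end of decryptor; encrypted body follows.
SIGNATURES = {
    "Example.Body": BODY[:16],                      # first 16 plaintext bytes
    "Example.Stub": b"\x01\x37\x02\xa0\x03\xff",    # the one fixed decryptor
}


def scan(data, sigs=SIGNATURES):
    """Static signature scan: names of signatures found anywhere in data."""
    return sorted(name for name, sig in sigs.items() if sig in data)


def encrypt_body(body, key, method):
    if method == "xor":
        return bytes(b ^ key for b in body)
    return bytes((b + key) & 0xFF for b in body)    # the SUB decryptor undoes this


def make_sample(body=BODY, key=0x37, method="xor", polymorphic=False, rng=None):
    """Decryptor stub + encrypted body. A polymorphic generation shuffles the
    stub's instructions and pads them with NOPs, so successive infections share
    no fixed byte string for a scanner to key on."""
    parts = [bytes([0x01, key]), bytes([0x02, len(body)]),
             bytes([0x03 if method == "xor" else 0x04])]
    if polymorphic:
        rng = rng or random.Random()
        rng.shuffle(parts)
        parts = [p + b"\x90" * rng.randint(0, 3) for p in parts]
    return b"".join(parts) + b"\xFF" + encrypt_body(body, key, method)


def emulate(sample):
    """Execute the decryptor bytecode, the way an AV emulator runs a real
    decryptor loop, and return the plaintext it leaves behind."""
    key = length = pc = 0
    method = "xor"
    while pc < len(sample):
        op = sample[pc]
        pc += 1
        if op == 0x01:
            key, pc = sample[pc], pc + 1
        elif op == 0x02:
            length, pc = sample[pc], pc + 1
        elif op in (0x03, 0x04):
            method = "xor" if op == 0x03 else "sub"
        elif op == 0xFF:
            break
        elif op != 0x90:
            raise ValueError(f"unknown opcode {op:#x} at offset {pc - 1}")
    enc = sample[pc:pc + length]
    if method == "xor":
        return bytes(b ^ key for b in enc)
    return bytes((b - key) & 0xFF for b in enc)


def xray(sample, known=BODY[:16]):
    """Statistical (known-plaintext) check: under a constant XOR or ADD key,
    sample[i] ^ known[i] (or sample[i] - known[i]) is the same value at every
    position of the hidden body. Returns (offset, method, key) for the first
    such window, or None. No code is executed."""
    for off in range(len(sample) - len(known) + 1):
        win = sample[off:off + len(known)]
        keys = {w ^ k for w, k in zip(win, known)}
        if len(keys) == 1:
            return off, "xor", keys.pop()
        keys = {(w - k) & 0xFF for w, k in zip(win, known)}
        if len(keys) == 1:
            return off, "sub", keys.pop()
    return None


def demo(seed=2013):
    """Scan a clear, a fixed-stub and a polymorphic sample three ways."""
    rng = random.Random(seed)
    clear = b"\x00" * 8 + BODY
    fixed = make_sample()
    poly = make_sample(key=rng.randrange(1, 256),
                       method=rng.choice(["xor", "sub"]), polymorphic=True, rng=rng)
    return {
        "clear_static": scan(clear),           # body signature fires
        "fixed_static": scan(fixed),           # body hidden, constant stub is caught
        "poly_static": scan(poly),             # nothing fires
        "poly_emulated": scan(emulate(poly)),  # decrypt first, then body signature fires
        "poly_xray": xray(poly),               # weak cipher found without running anything
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} {result}")
```

The X-ray works only because the cipher is a constant single-byte XOR or ADD; a metamorphic virus that rewrites its body rather than encrypting it has no constant key to recover and no fixed plaintext to scan for, which is the "harder" on the slide. The emulator has its own failure mode: a decryptor that runs millions of loop iterations, or checks for an emulated environment, can exhaust the scanner's time budget before the body ever appears.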
U-M Anti-virus
• http://safecomputing.umich.edu/antivirus/
• Free Microsoft Security Essentials for personally-owned Windows machines
• Microsoft Forefront Endpoint Protection for university-owned Windows machines
  - 32- and 64-bit versions
• Free Sophos Anti-Virus for Mac OS X machines
  - All versions of OS X up to and including 10.7 (Lion)
• Good, concise security recommendations
  - http://www.safecomputing.umich.edu/tools/security_shorts.html
  - http://www.safecomputing.umich.edu/MDS/
  - http://www.safecomputing.umich.edu/students.php
• More information
  - http://www.safecomputing.umich.edu/
Spyware
• Generic name for software that tracks users' behavior
• Wide range of activities
  - Keystroke loggers
  - Tracking cookies
  - File inspectors
  - Location awareness
  - Remote video & audio recording
• Store-and-forward
  - As hard to detect remotely as botnets are
Spyware
• Detection and removal tools
  - Windows Defender (née Microsoft AntiSpyware)
    http://www.microsoft.com/athome/security/spyware/software/default.mspx
  - Lavasoft Ad-Aware
    http://www.lavasoftusa.net/
  - Spybot Search&Destroy
    http://www.safer-networking.org/
Botnets
Botnets
• Malware installed on victim machines listens for transmitted instructions
  - Attack other machines
  - Transmit spam
  - Participate in DDoS attacks
  - Crack passwords
  - …
• Installed via well-known vectors
• Communicate with command and control host(s) via anonymous message services
  - Typically IRC
  - Typically encrypted
  - Typically silent, so hard to find
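"Typically encrypted" rules out looking at payloads, and "typically silent" means a bot produces little traffic between orders. What it cannot hide is when it talks: a bot polling its command and control host connects at near-regular intervals, and that regularity is visible in flow timestamps regardless of port or encryption. The beacon detector below is an added illustration for this slide, not course code; the flow format, thresholds and records are constructed, and the IRC port and addresses are placeholders.

```python
"""Finding bot check-ins by timing rather than content.

Added illustration, not course material; the flow records are constructed.
Each line is "<ISO timestamp> <src> <dst> <dport>" (a minimal conn log).
"""
import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def parse_flow(line):
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_beacons(lines, min_conns=12, max_cv=0.15, allow=frozenset()):
    """Group flows by (src, dst, dport); for series with at least min_conns
    connections compute the gaps between consecutive ones and flag those whose
    coefficient of variation (stdev / mean) is at most max_cv.

    `allow` holds (dst, dport) pairs of known legitimate pollers (mail, update
    and monitoring servers are just as regular as a bot) so they are skipped.
    """
    series = defaultdict(list)
    for ts, src, dst, dport in sorted(parse_flow(l) for l in lines if l.strip()):
        series[(src, dst, dport)].append(ts)
    hits = {}
    for (src, dst, dport), stamps in series.items():
        if len(stamps) < min_conns or (dst, dport) in allow:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits[(src, dst, dport)] = {"connections": len(stamps),
                                       "period_s": round(mean), "cv": round(cv, 3)}
    return hits


def build_sample_flows(seed=7):
    """Constructed records: a bot checking in with an IRC C2 host every ~5 min,
    a mail client polling IMAP every 10 min, and a person browsing."""
    rng = random.Random(seed)
    base = datetime(2013, 4, 1, 9, 0, 0)
    lines = []
    t = base
    for _ in range(24):                                   # bot: 300 s +/- 5 s jitter
        lines.append(f"{t.isoformat()} 10.1.1.42 198.51.100.7 6667")
        t += timedelta(seconds=300 + rng.randint(-5, 5))
    t = base
    for _ in range(24):                                   # IMAP poll: exactly 600 s
        lines.append(f"{t.isoformat()} 10.1.1.9 10.1.1.25 993")
        t += timedelta(seconds=600)
    t = base
    for _ in range(24):                                   # browsing: 20 s to 15 min apart
        lines.append(f"{t.isoformat()} 10.1.1.9 93.184.216.34 443")
        t += timedelta(seconds=rng.randint(20, 900))
    rng.shuffle(lines)                                    # logs rarely arrive sorted
    return lines


if __name__ == "__main__":
    flows = build_sample_flows()
    print("all regular series:", find_beacons(flows))
    print("minus known pollers:", find_beacons(flows, allow={("10.1.1.25", 993)}))
```

Run without an allow list the detector reports both the bot and the mail client, which is the honest result: periodicity alone says "automated", not "malicious". The analyst's work is in the second call, baselining the pollers the organisation knows about so that what remains (an internal host talking to an unknown address on 6667 every five minutes) is worth a look. A bot that randomises its check-in interval widely raises the coefficient of variation and escapes this test, at the cost of slower command delivery.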
Botnets
• One of the major threats
  - Large increase in 4Q2006 spam traffic
    » 30-450% increase
  - Very large botnets
    » 1.5 × 10^6 bots in Dutch botnet (2005)
    » 5 × 10^6 bots in Conficker (2009): encrypted & authenticated; some recent progress in detection
    » 2 × 10^6 bots in CoreFlood (2011): operating for 8+ years
Microsoft Security Intelligence Report 1H2011
http://www.microsoft.com/security/sir/default.aspx
Microsoft Security Intelligence Report 1H2012
http://www.microsoft.com/security/sir/default.aspx
Super botnets
• 1Q2013 DDoS attacks
  - 48 Gbps average (130 Gbps peak)
  - Up from 6 Gbps in 1Q2012
• Attackers targeting Web servers
  - Much more bandwidth
  - WordPress, Joomla, other DIY
Source: Prolexic Quarterly Global DDoS Attack Report, Q1 2013
Today's Threats
Attack Toolkits, 2011
Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012
10/12 cja 2012 22
Total vulnerabilities, 2011
Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012
Web Browser Vulnerabilities, 2011
Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012
Web Browser Vulnerabilities, 2010
Source: Symantec Global Internet Security Threat Report, Vol. 16, April 2011
Today's threats
• In addition to the 81% surge in attacks, the number of unique malware variants also increased by 41% and the number of Web attacks blocked per day also increased dramatically, by 36%. Greater numbers of more widespread attacks employed advanced techniques, such as server-side polymorphism to colossal effect. This technique enables attackers to generate an almost unique version of their malware for each potential victim.
Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012
Today's threats
• We saw a rising tide of advanced targeted attacks in 2011 (94 per day on average at the end of November 2011). In terms of people who are being targeted, it's no longer only the CEOs and senior level staff. 58% of the attacks are going to people in other job functions such as Sales, HR, Executive Assistants, and Media/Public Relations.
Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012
Today's threats
• High-profile hacks of Certificate Authorities, providers of Secure Sockets Layer (SSL) Certificates, threatened the systems that underpin trust in the internet itself. Website owners recognized the need to adopt SSL more broadly to combat Man-In-The-Middle (MITM) attacks, notably for securing non-transactional pages, as exemplified by Facebook, Google, Microsoft, and Twitter adoption of Always On SSL.
Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012
Today's threats
• Gartner predicts sales of smartphones to end users will reach 461.5 million in 2011 and rise to 645 million in 2012. [M]obile offers new opportunities to cybercriminals that potentially are more profitable. A stolen credit card may go for as little as USD 40-80 cents. Malware that sends premium SMS text messages can pay the author USD $9.99 for each text.
Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012
Today's threats
• More than 232.4 million identities were exposed overall during 2011. [B]reaches caused by hacking attacks had the greatest impact and exposed more than 187.2 million identities, the greatest number for any type of breach in 2011. The most frequent cause of data breaches was theft or loss of a computer or other medium, such as a USB key or a back-up medium. Theft or loss accounted for 34.3% of breaches that could lead to identities exposed.
Source: Symantec Global Internet Security Threat Report, Vol. 17, 2012
References
• http://en.wikipedia.org/wiki/Timeline_of_notable_computer_viruses_and_worms
• http://www.symantec.com/threatreport/
  - Symantec Internet Security Threat Report, Volume 17, April 2012
• http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
• http://arstechnica.com/security/2013/04/fueled-by-super-botnets-ddos-attacks-grow-meaner-and-ever-more-powerful/