VIRUSES AND MALWARE. Ben Livshits, Microsoft Research. PowerPoint presentation.

  1. VIRUSES AND MALWARE Ben Livshits, Microsoft Research

  2. Overview of Today's Lecture

  • Viruses
  • Intrusion detection
  • Behavioral detection
  • Firewalls
  • Virus/antivirus coevolution paper discussed
  • Application firewalls
  • Advanced attack techniques
    • Heap spraying
    • Heap feng shui
    • JIT spraying

  3. What is a Virus?

  "A program that can infect other programs by modifying them to include a, possibly evolved, version of itself." (Fred Cohen, 1983)

  4. Malware Timeline

  5. Coevolution: Basic Setup

  Virus:
  • Wait for user to execute an infected file
  • Infect other (binary) files found
  • Spread that way

  Antivirus:
  • Identify a sequence of instructions or data
  • Formulate a signature
  • Scan all files
  • Look for signature verbatim
  • Bottleneck: scanning speed

  6. Coevolution: Entry Point Scanning

  Virus:
  • Place virus at the entry point or make it directly reachable from the entry point
  • Make virus small to avoid being easily noticed by user

  Antivirus:
  • Entry point scanning
  • Do exploration of reachable instructions starting with the entry point of the program
  • Continue until no more instructions are found

  7. Coevolution: Virus Encryption

  Virus:
  • Decryption routine
  • Virus body
  • Decrypt into memory, not to disk
  • Set PC to the beginning of the decryption buffer
  • Encrypt with a different key before adding virus to new executable

  Antivirus:
  • Decryption (and encryption) routines (packers) used by viruses are easy to fingerprint
  • Develop signatures to match these routines
  • Attempt to decrypt the virus body to perform a secondary verification (x-raying)
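The two antivirus moves on slides 5 and 7, verbatim signature scanning and x-raying, side by side. This is an added illustration, not code from the lecture or from any antivirus product. Everything in it is constructed: SAMPLE_BODY is a labelled byte string standing in for a virus body, the "host files" are assembled inline, and the packer is assumed to be the simplest case the slide's reasoning covers, a repeating XOR key of short unknown length.

```python
"""Signature scanning versus x-raying (coevolution slides 5 and 7).

Constructed illustration: SAMPLE_BODY stands in for the fixed bytes of a
virus body, the scanner's SIGNATURE is an excerpt of it, and the "host files"
are byte strings assembled below.  The x-ray assumes a repeating-key XOR
packer of small, unknown key length.
"""

# Constructed stand-in for a virus body; the scanner's signature is an excerpt.
SAMPLE_BODY = b"CONSTRUCTED-SAMPLE-BODY: stands in for the fixed bytes of a virus"
SIGNATURE = SAMPLE_BODY[10:26]          # the 16 bytes the antivirus "formulated"


def scan_verbatim(data: bytes, signature: bytes = SIGNATURE) -> int:
    """Basic setup: look for the signature verbatim.  Offset, or -1 if absent."""
    return data.find(signature)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the toy encryption/decryption routine of the slide."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xray(data: bytes, signature: bytes = SIGNATURE, max_key_len: int = 4):
    """X-raying: assume the body is XOR-encrypted with a short repeating key
    and try to recover that key at every offset.

    At a true match, ciphertext XOR signature yields the key stream, which
    must repeat with the assumed period.  Returns a list of (offset, key),
    the key in the rotation aligned with that offset.  A random window passes
    only if len(signature) - key_len byte equalities hold by chance, so short
    signatures combined with long keys raise the false-positive rate.
    """
    hits = []
    n = len(signature)
    for off in range(len(data) - n + 1):
        window = data[off:off + n]
        stream = bytes(w ^ s for w, s in zip(window, signature))
        for klen in range(1, max_key_len + 1):
            if all(stream[i] == stream[i % klen] for i in range(n)):
                hits.append((off, stream[:klen]))   # shortest period wins
                break
    return hits


def build_plain_sample() -> bytes:
    """Constructed host file with the sample body appended in the clear."""
    return b"HOST-HEADER" + SAMPLE_BODY + b"HOST-TRAILER"


def build_packed_sample(key: bytes = b"\x5a\xc3") -> bytes:
    """Constructed host file: decryptor stub placeholder, then the XOR-packed body."""
    return (b"HOST-HEADER" + b"[decryptor-stub]"
            + xor_bytes(SAMPLE_BODY, key) + b"HOST-TRAILER")


if __name__ == "__main__":
    plain, packed = build_plain_sample(), build_packed_sample()
    print("verbatim scan, plain :", scan_verbatim(plain))    # signature found
    print("verbatim scan, packed:", scan_verbatim(packed))   # -1: no fixed bytes left
    print("x-ray, packed        :", xray(packed))            # offset and recovered key
```

The verbatim scanner finds the body in the clear and nothing once it is packed; the x-ray recovers the key and body offset from the same 16-byte signature, which is why the slide calls it a secondary verification after the decryptor routine itself has been fingerprinted.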

  8. Coevolution: Polymorphic

  Virus:
  • Use a mutation engine to generate a (decryption routine, encryption routine) pair
  • Functionally similar or the same, but syntactically very different
  • Use the encryption routine to encode the body of the virus
  • No fixed part of the virus preserved (decryption, encryption, body)

  Antivirus:
  • Custom detection program designed to recognize specific detection engines
  • Generic decryption (GD)
    • Emulator
    • Signature matching engine
  • Scan memory/disk at regular intervals in hopes of finding decoded virus body

  9. GD Challenges

  • How long to emulate the execution? Viruses use padding instructions to delay execution. Can also sleep for a while to slow down the scanner.
  • What is the quality of the emulator? How many CPUs to support?
  • What if decryption starts upon user interactions? How do we trigger it? What about anti-emulation tricks?

  10. False Positives in Virus Detection

  • A "false positive" is when antivirus software identifies a non-malicious file as a virus. When this happens, it can cause serious problems.
  • For example, if an antivirus program is configured to immediately delete or quarantine infected files, a false positive in an essential file can render the operating system or some applications unusable.

  • In May 2007, a faulty virus signature issued by Symantec mistakenly removed essential operating system files, leaving thousands of PCs unable to boot.
  • Also in May 2007, the executable file required by Pegasus Mail was falsely detected by Norton AntiVirus as being a Trojan and it was automatically removed, preventing Pegasus Mail from running. Norton anti-virus had falsely identified three releases of Pegasus Mail as malware, and would delete the Pegasus Mail installer file when that happened. In response to this Pegasus Mail stated: "On the basis that Norton/Symantec has done this for every one of the last three releases of Pegasus Mail, we can only condemn this product as too flawed to use, and recommend in the strongest terms that our users cease using it in favor of alternative, less buggy anti-virus packages."
  • In April 2010, McAfee VirusScan detected svchost.exe, a normal Windows binary, as a virus on machines running Windows XP with Service Pack 3, causing a reboot loop and loss of all network access.
  • In December 2010, a faulty update on the AVG anti-virus suite damaged 64-bit versions of Windows 7, rendering it unable to boot, due to an endless boot loop created.
  • In October 2011, Microsoft Security Essentials removed the Google Chrome browser, rival to Microsoft's own Internet Explorer. MSE flagged Chrome as a Zbot banking trojan.

  11. Top 20 Malware on Internet/User Computer

  Source: http://www.securelist.com/en/analysis/204792170/Monthly_Malware_Statistics_March_2011

  12. Vulnerability Gap

  • As long as the user has the right virus signatures and the computer has recently been scanned, detection will likely work
  • But the virus landscape changes fast
  • This calls for monitoring techniques for unknown viruses

  Source: http://www.m86security.com/documents/pdfs/security_labs/m86_security_labs_vulnerability_report.pdf

  13. CVE-2009-4324: December 2009

  Source: http://www.m86security.com/documents/pdfs/security_labs/m86_security_labs_vulnerability_report.pdf

  14. Exploit in the PDF Unfolding…

  Source: http://www.m86security.com/documents/pdfs/security_labs/m86_security_labs_vulnerability_report.pdf

  15. Automatic Zero-Day Blocking

  Scanning engine recognizes the newPlayer() vulnerability (checked in red). Because this is a zero-day vulnerability, the newPlayer() vulnerability would be considered unknown. Subsequently, the M86 Secure Web Gateway falls back to its behavioral analysis capability. Below, the behavior of the JavaScript is suspicious; therefore it is blocked by this default rule, requiring no updates.

  Source: http://www.m86security.com/documents/pdfs/security_labs/m86_security_labs_vulnerability_report.pdf

  16. Proactive Detection Techniques

  • Heuristic analyzer
  • Policy-based security
  • Intrusion detection/prevention systems
  • etc.

  Source: http://www.securelist.com/en/downloads/vlpdfs/wp_nikishin_proactive_en.pdf

  17. Heuristic Analyzers

  • A heuristic analyzer looks at
    • code of executable files
    • macros
    • scripts
    • memory or boot sectors
    to detect malicious programs that cannot be identified using the usual (signature-based) methods
  • Heuristic analyzers search for unknown malicious software
  • Detection rates are usually low: 20-30% at most

  Source: http://www.m86security.com/documents/pdfs/security_labs/m86_security_labs_vulnerability_report.pdf

  18. Policy-based Security

  • Use an overall security policy to restrict certain types of actions on the machine
  • For instance
    • Don't open email attachments
    • Don't open files from the internet whose reputation is unknown
    • Only allow access to a whitelist of web sites
    • Disallow software installation

  • The Cisco-Microsoft approach
    • Scan computers of users connecting to the network
    • Limit network access from machines that are not found to be fully compliant (i.e. virus definitions are out of date)
    • Force access to an update server
    • "Shepherd" the user into compliance

  19. Behavioral Monitoring Techniques

  20. IDS: Intrusion Detection Systems

  What it is:
  • Security guards and "beware of dog" signs are forms of IDS
  • Serve two purposes:
    • Detect something bad was happening
    • Deter the perpetrator

  Components:
  • Collect signals
  • Process and create alerts
  • Notify system operators

  21. Host-Based vs. Network-Based IDS

  Host-based:
  • Log analyzers
  • Signature-based sensors
  • System call analyzers
  • Application behavior analyzers
  • File integrity checkers

  Network-based:
  • Scan incoming and outgoing traffic
  • Primarily signature-based
  • Combined into firewalls
  • Can be located on a different machine

  22. Host-Based Intrusion Detection

  Example program (the slide's fragment, completed with the headers and return types it needs to compile):

      #include <fcntl.h>
      #include <stdlib.h>
      #include <unistd.h>

      void f(int x) {
          x ? getuid() : geteuid();   /* one of two system calls, chosen at run time */
          x++;
      }

      void g(void) {
          int fd = open("foo", O_RDONLY);
          f(0);
          close(fd);
          f(1);
          exit(0);
      }

  Statically inferred model (the slide's graph), an automaton over the system calls the program can issue:

      Entry(g) -> open() -> Entry(f) -> getuid() | geteuid() -> Exit(f) -> close()
               -> Entry(f) -> getuid() | geteuid() -> Exit(f) -> exit() -> Exit(g)

  If the observed code behavior is inconsistent with the statically inferred model, something is wrong.
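A monitor that checks an observed system-call trace against the slide's model, as an added example (not code from the lecture or from the paper the figure comes from). The automaton is written out by hand below, exactly as the slide draws it, rather than derived from the C source, which is the job a real static analysis would do; the traces fed to it are constructed lists of system-call names.

```python
"""System-call trace monitor for the Host-Based Intrusion Detection slide.

Added illustration.  MODEL is the slide's statically inferred automaton,
hand-written here: g issues open, calls f, issues close, calls f, issues exit;
f issues getuid or geteuid.  Entry/Exit nodes and call/return edges are
epsilon transitions, because no system call is observed when they are taken.
"""
from collections import defaultdict

EPS = None                      # label for Entry/Exit, call and return edges
MODEL = defaultdict(list)       # state -> [(label, next_state)]


def add(src, label, dst):
    MODEL[src].append((label, dst))


# g's body, in program order
add("Entry(g)", "open", "g:1")
add("g:1", EPS, "Entry(f)")              # call f(0)
add("g:2", "close", "g:3")
add("g:3", EPS, "Entry(f)")              # call f(1)
add("g:4", "exit", "Exit(g)")
# f's body: either arm of the conditional
add("Entry(f)", "getuid", "f:1")
add("Entry(f)", "geteuid", "f:1")
add("f:1", EPS, "Exit(f)")
# Return edges.  A callgraph-style model merges every call site of f, so
# Exit(f) may return to EITHER site.  This is the imprecision that lets some
# impossible paths through (see first_violation below).
add("Exit(f)", EPS, "g:2")
add("Exit(f)", EPS, "g:4")


def eps_closure(states):
    """All states reachable from `states` without observing a system call."""
    seen, stack = set(states), list(states)
    while stack:
        for label, nxt in MODEL[stack.pop()]:
            if label is EPS and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def step(states, syscall):
    """Consume one observed system call and return the new state set."""
    return eps_closure({dst for s in states for label, dst in MODEL[s]
                        if label == syscall})


def first_violation(trace):
    """Index of the first observed call the model cannot explain, or None.

    The monitor keeps the set of automaton states consistent with the calls
    seen so far; the set becoming empty is the slide's "inconsistent with the
    statically inferred model" condition.
    """
    current = eps_closure({"Entry(g)"})
    for i, call in enumerate(trace):
        current = step(current, call)
        if not current:
            return i
    return None


if __name__ == "__main__":
    # Constructed traces: one the program can produce, one it cannot.
    print(first_violation(["open", "geteuid", "close", "getuid", "exit"]))  # None
    print(first_violation(["open", "geteuid", "close", "execve"]))          # 3
```

The trace `open, getuid, exit` is also accepted, although the program can never produce it: after the first return from f the merged return edges let the monitor believe g is already at its second call site. Tracking return addresses on an abstract stack (a pushdown model instead of a finite automaton) removes that false negative at the cost of a more expensive monitor.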

  23. Question of the Day

  How do you minimize false positives in an intrusion detection system?

  24. Firewalls: Network and App-level (Elizabeth D. Zwicky, Michael Becher, Simon Cooper, D. Brent Chapman)

  25. Basic Firewall Concept

  • Separate local area net from internet
  • Figure: Local network, Router, Firewall, Internet
  • All packets between LAN and internet routed through firewall

  26. Firewall Goals

  • Prevent malicious attacks on hosts
    • Port sweeps, ICMP echo to broadcast addr, syn flooding, …
    • Worm propagation
  • Prevent general disruption of internal network
  • Monitor and control quality of service (QoS)

  • Provide defense in depth
    • Programs contain bugs and are vulnerable to attack
    • Network protocols may contain:
      • Design weaknesses (SSH CRC)
      • Implementation flaws (SSL, NTP, FTP, SMTP...)
  • Control traffic between "zones of trust"
    • Can control traffic between separate local networks, etc.

  27. Review: TCP Protocol Stack

  Figure: two hosts communicating through a network, layer by layer
  • Application (application protocol)
  • Transport (TCP, UDP protocol)
  • Network (IP protocol)
  • Data Link / Network Access (link protocol)

  Transport layer provides ports, logical channels identified by number

  28. Review: Data Formats

  Figure: how each layer wraps the unit handed down by the layer above
  • Application: message (data)
  • Transport (TCP, UDP): segment = TCP header + data
  • Network (IP): packet = IP header + TCP header + data
  • Link (Ethernet): frame = Ethernet header + IP header + TCP header + data + Ethernet trailer

  29. Screening Router for Packet Filtering Illustrations: Simon Cooper
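A screening router does exactly the header walk of slide 28 and then decides on the fields it finds. The example below is added here and is not from the lecture or from the Zwicky/Cooper/Chapman book: it peels a constructed Ethernet/IPv4/TCP frame layer by layer, refuses frames whose length fields do not add up (a filter that trusts them is itself a target), and applies a hypothetical policy for the Internet-facing interface of a 10.0.0.0/8 network with a web server at 10.0.0.80. The network, addresses and rules are assumptions made for the illustration.

```python
"""Header walk (slide 28) feeding a screening-router decision (slide 29).

Added illustration.  The frame is constructed with struct.pack; INTERNAL,
WEB_SERVER and the rules in screen() are a hypothetical policy for the
Internet-facing interface, not a recommendation for any real network.
"""
import ipaddress
import struct
from dataclasses import dataclass

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
SYN, ACK = 0x02, 0x10

INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # assumed local network
WEB_SERVER = ipaddress.IPv4Address("10.0.0.80")      # assumed public web host


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int
    sport: int
    dport: int
    flags: int
    payload: bytes


def build_frame(src, dst, sport, dport, flags, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums left at zero since this
    is parsed locally, never sent."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     PROTO_TCP, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def parse_frame(frame: bytes) -> Packet:
    """Peel the layers of slide 28: Ethernet header, IP header, TCP header, data.
    Raises ValueError on anything a filter must not guess about."""
    if len(frame) < ETH_LEN:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4: 0x%04x" % ethertype)
    ip = frame[ETH_LEN:]
    if len(ip) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    # Length fields come from the sender: check them before slicing on them.
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("inconsistent IP header lengths")
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if proto != PROTO_TCP:
        return Packet(src, dst, proto, 0, 0, 0, ip[ihl:total_len])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _, _, off_res, flags, _, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (off_res >> 4) * 4
    if doff < 20 or doff > len(tcp):
        raise ValueError("bad TCP data offset")
    return Packet(src, dst, proto, sport, dport, flags, tcp[doff:])


def is_well_formed(frame: bytes) -> bool:
    """True if the frame parses; a real router drops what it cannot parse."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def screen(pkt: Packet) -> str:
    """Hypothetical rules for packets arriving from the Internet side."""
    if pkt.src in INTERNAL:                       # outside packet, inside address
        return "DROP spoofed internal source"
    if pkt.proto != PROTO_TCP:
        return "DROP non-TCP"
    if pkt.dst == WEB_SERVER and pkt.dport == 80:
        return "ALLOW web"
    if pkt.dst in INTERNAL and pkt.flags & ACK:   # reply to a connection we opened
        return "ALLOW established reply"
    return "DROP default"                         # includes inbound SYN to clients


if __name__ == "__main__":
    f = build_frame("198.51.100.7", "10.0.0.80", 40000, 80, SYN, b"GET")
    print(screen(parse_frame(f)))                 # ALLOW web
    print(is_well_formed(f[:30]))                 # False: IP header cut short
```

The ACK-bit rule is the classic screening-router trick for a stateless filter: a connection initiated from inside produces replies that all carry ACK, while an inbound connection attempt begins with a bare SYN, so the filter can refuse the attempt without keeping per-connection state. Its weakness is that it trusts a flag the sender sets, which is one reason the later slides move on to application-level firewalls.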
