Vulnerabilities: Malicious Code, Class 10 (P&P: Ch 3.3, 3.4), CIS-5372 lecture slides, 9 Nov 2011

  1. Vulnerabilities: Malicious Code
     Class 10, P&P: Ch 3.3, 3.4
     CIS-5372: 9.Nov.2011

  2. Announcement
     - Presence sheet
     - Solution to Homework 2 is out
     - Grades will follow …

  3. What Did We Cover Before?
     - Nonmalicious program errors
       - Buffer overflows
       - Incomplete mediation
       - TOCTTOU (time-of-check to time-of-use)
     - Introduction to malicious code

  4. In this lecture
     - Viruses
       - How they attach
       - How they gain control
       - Where they are stored
       - Detection
       - …
     - Worms
     - Web bugs
     - Trapdoors
     - …

  5. What is a Virus?
     - A program that can infect other programs by modifying them to include a, possibly evolved, version of itself (Fred Cohen, 1983)

  6. Qualities of a Virus (as the virus writer wants them)
     - Hard to detect
     - Not easily destroyed or deactivated
     - Spreads widely
     - Can re-infect its home program and other programs
     - Easy to create
     - Machine/OS independent

  7. How Viruses Attach
     1. Virus on a CD (or other removable medium)
        - When executed, the virus can
          - install itself on the hard drive
          - attach to any program executing in memory
     2. E-mail virus
        - The attacker convinces the victim to open an attachment
          - executable file
          - graphics, photos, …

  8. How Viruses Attach (cont'd)
     - Appending
     - Surrounding
     - Integrated
     - Overwriting

  9. Appending Virus
     - Virus code is added at the beginning of the target
     - The virus's first instruction becomes the first instruction of the new program; when the virus finishes, it passes control to the original program
     - Diagram: [Virus] + [Targeted executable] → [Virus | Original program]
     - The virus writer does not need to know anything about the target program

  10. Surrounding Virus
     - Virus code is added at the beginning and at the end of the target
     - The virus gets control before and after the target program runs
     - Diagram: [Virus A | Original program | Virus B]

  11. Surrounding Virus - Example
     - Goal: prevent the user from detecting the virus through the file names and sizes shown by the ls/dir command
     - The virus attaches to ls/dir
     - When ls/dir completes, the virus takes control of the output
       - Eliminates its own entry from the listing
       - Distributes its space among the other programs' reported sizes, so the totals still add up

  12. Integrated Virus
     - The virus replaces some of the target's code and is spread through it
     - Diagram: [Virus] + [Targeted executable] → [Infected executable: host code with virus pieces interleaved]
     - The virus writer needs to know the structure of the target program

  13. Integrated Virus (cont'd)
     - Diagram: the targeted executable with Virus Part 1, Virus Part 2, …, Virus Part n spliced between sections of the host code

  14. Overwriting Virus
     - The virus replaces the entire target
     - Either it mimics the effect of the target, or it does not, in which case the user is likely to notice the virus
     - Diagram: [Targeted executable] → [Virus] (the host program is gone)

  15. How Viruses Gain Control
     - After attaching, the virus still needs to be invoked; two ways:
       - Overwriting a target program
       - Changing the pointers (file directory entries) to programs
     - Notation: V denotes the virus, T the target program

  16. Overwriting the Target
     - The file directory entry for T points to T's storage on the hard disk
     - Overwrite T's contents with V
     - When T is invoked, V is actually executed!

  17. Changing the Pointer to the Target
     - The file directory entry for T is changed to point to V's location on the hard disk
     - T's original code stays on disk (V can still run it afterwards)
     - When T is invoked, V is again executed!
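The four attachment strategies and the ls/dir hiding trick from the slides above can be rehearsed on a toy program format. The following Python is an added example, not code from the slides or from Pfleeger & Pfleeger: a "program" is a list of (opcode, operand) pairs run by a tiny interpreter, the host `LS` and the virus parts are constructed, and the size-plus-SHA-256 baseline stands in for a storage-pattern integrity check taken from a trusted copy.

```python
"""Toy model of virus attachment strategies and a storage-pattern check.

Added example, not from the lecture or the textbook.  A "program" is a
list of (opcode, operand) pairs run by a tiny interpreter; the host
program LS and the virus parts are constructed for illustration.
"""
import hashlib
from typing import Dict, List, Tuple

Instr = Tuple[str, str]
Program = List[Instr]

# Constructed host: a tiny "ls" that prints the entries of a directory.
LS: Program = [("print", "file_a"), ("print", "file_b"),
               ("print", "virus.bin"), ("ret", "")]
# Constructed virus parts.  Part A stands in for the payload; part B runs
# after the host and removes the virus's own file from the listing (the
# ls/dir trick on the "Surrounding Virus - Example" slide).
VIRUS_A: Program = [("print", "<virus part A>")]
VIRUS_B: Program = [("hide", "virus.bin"), ("ret", "")]


def run(prog: Program) -> List[str]:
    """Execute prog and return the lines it printed."""
    out: List[str] = []
    pc = 0
    while pc < len(prog):
        op, arg = prog[pc]
        if op == "print":
            out.append(arg)
        elif op == "hide":                      # filter the output so far
            out = [line for line in out if line != arg]
        elif op == "jmp":                       # absolute jump
            pc = int(arg)
            continue
        elif op == "ret":
            break
        pc += 1
    return out


def appending(virus: Program, host: Program) -> Program:
    """Virus first, host unchanged: no knowledge of the host needed."""
    return virus + host


def surrounding(virus_a: Program, host: Program, virus_b: Program) -> Program:
    """Virus gets control before the host and again after it: every host
    'ret' is redirected to the trailing virus part."""
    tail = len(virus_a) + len(host)
    body = [("jmp", str(tail)) if op == "ret" else (op, arg) for op, arg in host]
    return virus_a + body + virus_b


def integrated(virus: Program, host: Program) -> Program:
    """Virus instructions spliced between the host's own: the writer has to
    know the host's layout to keep it working."""
    out: Program = []
    for i, ins in enumerate(host):
        out.append(ins)
        if i < len(virus):
            out.append(virus[i])
    return out


def overwriting(virus: Program, host: Program) -> Program:
    """The host is simply replaced; its behaviour is lost."""
    return virus + [("ret", "")]


def fingerprint(prog: Program) -> Tuple[int, str]:
    """Size and SHA-256 of the stored program, as an integrity baseline
    tool would record them from a trusted copy."""
    blob = "\n".join(f"{op} {arg}" for op, arg in prog).encode()
    return len(blob), hashlib.sha256(blob).hexdigest()


BASELINE = fingerprint(LS)   # taken from the clean host before infection


def audit(prog: Program) -> bool:
    """True if prog still matches the trusted baseline."""
    return fingerprint(prog) == BASELINE


def demo() -> Dict[str, Tuple[List[str], bool]]:
    """Run each variant; return (what it printed, passes audit?)."""
    variants = {
        "clean": LS,
        "appending": appending(VIRUS_A, LS),
        "surrounding": surrounding(VIRUS_A, LS, VIRUS_B),
        "integrated": integrated(VIRUS_A, LS),
        "overwriting": overwriting(VIRUS_A, LS),
    }
    return {name: (run(p), audit(p)) for name, p in variants.items()}


if __name__ == "__main__":
    for name, (output, clean) in demo().items():
        print(f"{name:12s} audit_ok={clean!s:5s} output={output}")
```

The surrounding variant's listing no longer shows `virus.bin`, which is the point of the ls/dir trick: an audit that trusts the infected system's own tools sees nothing. The baseline catches all four variants only because it was recorded from a clean copy and the suspect file is read directly, not through the program the virus has wrapped.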

  18. Where Are Viruses Stored
     - One-time execution
     - Boot sector
     - Memory resident
     - …

  19. One-Time Execution: E-mail
     1. The virus writer generates an e-mail
     2. The virus sends it to all addresses in the victim's address book, or leaves it to the victim to forward it

  20. One-Time Execution: Valentine Day
     - Screenshot: a Waledac malicious domain (from the PandaLabs blog)

  21. One-Time Execution: Fake Antivirus
     - Screenshot (from the PandaLabs blog)

  22. One-Time Execution: Fake Page
     - Screenshot (from the PandaLabs blog)

  23. One-Time Execution: P2P Files
     - Files returned for a popular query: 35.5% are malware (Kalafut 2006)

  24. Boot Sector Viruses
     - When the computer starts
       - Firmware determines the hardware components
       - Firmware transfers control to the OS
       - The OS is stored on disk
     - Bootstrap process:
       - Firmware reads the boot sector to a fixed address in memory
       - Jumps to that address
       - The boot sector contains the bootloader
       - The bootloader pulls the rest of the OS from disk

  25. Boot Sector
     - The boot sector is 512 bytes
     - The bootstrap loader is larger than 512 bytes
     - So chaining is used: the boot sector loads the next block of the loader, which loads the next, …
     - Diagram: Boot sector → Bootstrap loader (block 2) → Bootstrap loader (block 3), all on the hard disk

  26. Placing a Virus in the Boot Sector
     - The virus could be placed in any block of the bootstrap chain
     - But the boot sector itself is particularly appealing:
       - The virus gains control right at the beginning
       - Protection tools (the OS and anything running on it) are not yet active
     - Diagram: Boot sector (virus code) → Bootstrap loader (block 2) → Bootstrap loader (block 3) on the hard disk

  27. Example: The BRAIN Virus
     - Changes the volume label of infected disks to "BRAIN"
     - From Pakistan (1986)
     - Sole purpose: to pass on the infection
     - Traps the disk read interrupt
       - Only interested in reads of the boot sector
     - Believed to be a proof of concept
     - Many other, more efficient variants followed …

  28. The BRAIN Virus Location
     - Diagram (hard drive, before vs. after infection):
       - Before: boot sector, then data sectors 1, 2, 3
       - After: the first part of BRAIN occupies the boot sector; the original boot sector and the rest of BRAIN are stored in other sectors, which BRAIN marks as faulty so the OS will not overwrite them; the data those sectors held (1, 2, 3) is copied elsewhere (1-dup, 2-dup, 3-dup)

  29. The BRAIN Virus Infection
     1. BRAIN locates itself in upper memory
     2. System call to reset the upper memory bound below itself, so the OS will not overwrite it
     3. Traps interrupt #19 (the BIOS disk read service, INT 13h) by pointing that entry of the interrupt address table at BRAIN's code; the otherwise unused entry #6 is made to point at the original interrupt-19 handler, so BRAIN can still call it
     4. Any disk read of the boot sector returns the content of the relocated original sector, so the infection is invisible to a program that reads through the hooked interrupt
     - Diagram: interrupt address table with entry #19 → BRAIN (upper memory) and entry #6 → original interrupt-19 code (lower memory)
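The boot-sector layout from slides 24-26 and the BRAIN stealth hook from slides 28-29 can be modelled in a few dozen lines. This Python is an added example, not code from the lecture: the disk is a list of 512-byte sectors, the boot code bytes and labels are constructed, "interrupt 19" is modelled as a read function that the virus swaps for its own, and the relocated sector is simply appended to the disk rather than marked faulty in a real allocation table.

```python
"""Boot-sector layout, a BRAIN-style stealth hook and how to check for it.

Added example, not from the lecture.  The disk is a Python list of
512-byte sectors, the boot code bytes are constructed, and "interrupt 19"
is modelled as a read function that the virus swaps for its own.
"""
import hashlib
from typing import Callable, Dict, List

SECTOR = 512
BOOT_SIG = b"\x55\xaa"          # PC boot sectors end in this signature
Reader = Callable[[List[bytes], int], bytes]


def make_sector(code: bytes, label: bytes) -> bytes:
    """Lay out one 512-byte boot sector: code, volume label, padding, signature."""
    body = code + label
    if len(body) > SECTOR - 2:
        raise ValueError("boot code too large for one sector")
    return body + b"\x00" * (SECTOR - 2 - len(body)) + BOOT_SIG


# Constructed clean disk: sector 0 boots, sectors 1..3 hold user data.
CLEAN_BOOT = make_sector(b"\xeb\x3c\x90" + b"\x90" * 40, b"CLEANDISK")
BASELINE_HASH = hashlib.sha256(CLEAN_BOOT).hexdigest()   # from trusted media


def new_disk() -> List[bytes]:
    return [CLEAN_BOOT] + [bytes([n]) * SECTOR for n in (1, 2, 3)]


def raw_read(disk: List[bytes], n: int) -> bytes:
    """The original interrupt-19 handler: read sector n from the medium."""
    return disk[n]


def install_brain(disk: List[bytes]) -> Reader:
    """Infect the disk the way the slides describe BRAIN and return the
    hooked read routine that now sits in the interrupt table."""
    saved = len(disk)                 # spare sector, "marked as faulty"
    disk.append(disk[0])              # relocate the original boot sector
    disk[0] = make_sector(b"\xeb\x3c\x90" + b"BRAIN-CODE", b"(c)BRAIN")
    original_handler = raw_read       # kept where the old #19 vector went

    def hooked_read(d: List[bytes], n: int) -> bytes:
        # Stealth: a request for the boot sector gets the saved original.
        return original_handler(d, saved if n == 0 else n)

    return hooked_read


def check_boot_sector(read: Reader, disk: List[bytes]) -> Dict[str, bool]:
    """What a scanner sees when it reads sector 0 through `read`."""
    s = read(disk, 0)
    return {
        "signature_ok": s[-2:] == BOOT_SIG,
        "matches_baseline": hashlib.sha256(s).hexdigest() == BASELINE_HASH,
        "brain_label": b"(c)BRAIN" in s,
    }


def demo() -> Dict[str, Dict[str, bool]]:
    disk = new_disk()
    before = check_boot_sector(raw_read, disk)
    hooked = install_brain(disk)
    via_infected_os = check_boot_sector(hooked, disk)     # through the hook
    via_trusted_boot = check_boot_sector(raw_read, disk)  # clean boot medium
    return {"before": before, "via_infected_os": via_infected_os,
            "via_trusted_boot": via_trusted_boot}


if __name__ == "__main__":
    for when, result in demo().items():
        print(f"{when:17s} {result}")
```

The two checks after infection differ only in which read routine they call. Through the hooked interrupt the sector hashes to the baseline and carries no BRAIN label, which is exactly the stealth the slide describes; the same disk read from a clean boot medium fails the hash and shows the label. The 0x55AA signature is intact in both cases, so a signature-only check proves nothing here.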

  30. In this lecture
     - Viruses
       - How they attach
       - How they gain control
       - Where they are stored
       - Detection
       - …
     - Worms
     - Web bugs
     - Trapdoors
     - …

  31. Virus Detection
     - Based on
       - Virus signatures
       - Storage patterns
       - Execution patterns
       - Transmission patterns
     - A virus scanner uses such patterns to
       - detect viruses
       - and even remove them

  32. Virus Signatures
     - A virus cannot be completely invisible
       - Its code must be stored somewhere
       - Its code must be in memory to execute
     - Signature: it executes according to a pattern, and spreads using certain mechanisms
     - Example: the Code Red probe, a single HTTP request line (shown wrapped on the slide):
       GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
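A signature like the Code Red request above is only useful once it is turned into a matcher and run over traffic. The following Python is an added example, not from the lecture: the log lines are constructed (client address, then the request line), the signature regex and the `%uXXXX` decoding follow the request as printed on the slide, and the filler run is allowed to be X's or N's because both appeared in the wild.

```python
"""Signature scan for the Code Red probe shown on the slide.

Added example, not from the lecture.  The log lines are constructed
(client address, then the request line); the signature and the %u
decoding follow the request as printed on the slide.
"""
import re
from typing import Dict, List

# The probe: the .ida ISAPI path, a long filler run (X's on the slide;
# other variants used N's), then %u-encoded 16-bit words.
CODE_RED = re.compile(r"GET /default\.ida\?([XN]{50,})((?:%u[0-9a-fA-F]{4})+)")
UWORD = re.compile(r"%u([0-9a-fA-F]{4})")

# Constructed sample: one normal request, the probe, one harmless .ida hit.
SAMPLE_LOG: List[str] = [
    "198.51.100.7 GET /index.html HTTP/1.0 200",
    "203.0.113.9 GET /default.ida?" + "X" * 224
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    + "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3"
    + "%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0 200",
    "198.51.100.7 GET /default.ida?name=bob HTTP/1.0 404",
]


def decode_u(payload: str) -> bytes:
    """Turn %uXXXX escapes into the bytes a little-endian x86 executes:
    %u9090 -> 90 90 (two NOPs), %u6858 -> 58 68."""
    return b"".join(int(w, 16).to_bytes(2, "little")
                    for w in UWORD.findall(payload))


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per line that matches the signature."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = CODE_RED.search(line)
        if not m:
            continue
        code = decode_u(m.group(2))
        hits.append({
            "client": line.split()[0],
            "filler_len": len(m.group(1)),
            "nop_sled": code.startswith(b"\x90\x90"),
            "first_bytes": code[:8].hex(),
        })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The decode step is what makes the signature readable rather than magic: the long filler is the padding that overruns the .ida buffer, and the first decoded word, `%u9090`, becomes two `0x90` NOP bytes, the start of a sled. A signature this literal is also easy to evade (change the filler character or count, re-encode the words), which is why the scan wildcards the filler and why execution and transmission patterns matter alongside byte signatures.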

  33. In this lecture
     - Viruses
     - Worms
     - Web bugs
     - Trapdoors
     - …

  34. Reminder: What is a Worm
     - A reproducing program that runs independently and travels across network connections
     - Reproduction differences:
       - A virus depends on a host file or boot sector, and on the transfer of files between machines, to spread
       - A worm runs completely independently and spreads on its own through network connections

  35. Example: The Internet Worm
     - November 2nd, 1988: the Internet Worm is released
     - Infected many computers; many more severed their network connections
     - Robert T. Morris Jr.
       - $10,050 fine
       - 3 years' probation
       - 400 hours community service
       - Now with MIT

  36. Intent of the Internet Worm
     1. Determine where it could spread
     2. Spread to the new target
     3. Remain undiscovered and undiscoverable

  37. Determine Targets: exploited three known vulnerabilities
     1. Find user accounts to invade on the target system
        - Remember the password vulnerabilities: the worm tried a built-in list of 432 common passwords, then the system dictionary file
     2. fingerd: the daemon that responds to queries about users
        - Known buffer overflow vulnerability (an unchecked read into a fixed-size buffer)
        - Gave the worm a remote shell
     3. sendmail trapdoor
        - In debug mode, sendmail could be made to execute an input string as a command
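The first of the three techniques, password guessing, is the one a defender can replay against their own accounts. The following Python is an added example, not from the lecture: the password file format `user:salt:hex(SHA-256(salt+password))` is an assumed stand-in for crypt(3), both word lists are short constructed stand-ins for the worm's built-in 432-word list and the system dictionary, and the guess order (trivial guesses derived from the account, then the built-in list, then the dictionary) follows the worm's strategy as the slide states it.

```python
"""Defender-side replay of the Internet Worm's password attack.

Added example, not from the lecture.  Assumptions: the password file
uses 'user:salt:hex(SHA-256(salt+password))' (a stand-in for crypt(3)),
and both word lists are short constructed stand-ins for the worm's
built-in 432-word list and the system dictionary file.
"""
import hashlib
from typing import Dict, Iterator, List, Optional

COMMON_WORDS: List[str] = ["password", "guest", "wizard", "batman", "cornell"]
DICTIONARY: List[str] = ["apple", "kestrel", "unix", "zebra"]


def hash_pw(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed password file: alice used a dictionary word, bob his own
# user name, carol something none of the lists contain.
PASSWD = "\n".join([
    f"alice:x1:{hash_pw('x1', 'kestrel')}",
    f"bob:y2:{hash_pw('y2', 'bob')}",
    f"carol:z3:{hash_pw('z3', 'Tr0ub4dor&3')}",
])


def candidates(user: str) -> Iterator[str]:
    """Guess order: trivial choices derived from the account, then the
    built-in common-password list, then the dictionary file."""
    yield ""                    # no password at all
    yield user
    yield user + user
    yield from COMMON_WORDS
    yield from DICTIONARY


def crack(user: str, salt: str, digest: str) -> Optional[str]:
    """Return the first candidate whose hash matches, or None."""
    for guess in candidates(user):
        if hash_pw(salt, guess) == digest:
            return guess
    return None


def audit(passwd_text: str) -> Dict[str, Optional[str]]:
    """Map each account to the guessed password, or None if it held."""
    results: Dict[str, Optional[str]] = {}
    for line in passwd_text.splitlines():
        user, salt, digest = line.split(":")
        results[user] = crack(user, salt, digest)
    return results


if __name__ == "__main__":
    for user, found in audit(PASSWD).items():
        print(f"{user}: {'GUESSED ' + found if found else 'held'}")
```

Run against a real password file this is the same work the worm did, so the same audit tells you in advance which accounts it would have taken. The per-user salt does not slow it down at all: each guess is hashed once per account anyway, which is why a short common-word list is so effective against weak passwords.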

  38. Spread the Infection
     - Send a bootstrap loader to the target machine
       - 99 lines of C code
       - Compiled and executed on the target machine
       - Fetches the rest of the worm code from the sending system
     - An element of good security: the bootstrap loader had to present a password to the sending system; if it failed, the sending system broke the connection

  39. Remain Undiscovered
     1. If a transmission error occurred during the worm fetch, the bootstrap loader removed the code and exited
     2. Bring all worm code into memory, encrypt the copy in memory, and delete the copy from disk, so the worm could not easily be discovered
     3. Periodically change its name and process id, so that no single process ran for a long time

  40. Effect of the Internet Worm
     1. Resource exhaustion
        - If the target was already infected, only one copy was supposed to keep running
        - Bug in the code: many copies did not terminate!
        - Thus, serious performance degradation
     2. Disconnection of machines from the Internet
        - To prevent copies from trying to propagate
        - … or to prevent infection
     3. Isolation and inability to perform work
        - Estimated cost: $100,000 to $97 million
        - Thousands of systems were disconnected
