Chapter 4 Malicious software

Chapter 4 Malicious Software
HCMUTE, 29/05/2017
Lecturer: Nguyễn Thị Thanh Vân, FIT - HCMUTE (GV: VANNT)

Contents
o Malicious Software - Introduction
o Malware Terminology
o Where malware lives
o What to infect
o Taxonomy of Malicious Software

Malicious Software - Introduction
Programs exploiting system vulnerabilities are known as malicious software or malware:
o program fragments that need a host program
  • e.g. viruses, logic bombs, and backdoors
o independent self-contained programs
  • e.g. worms, bots
o replicating or not
Malware is a sophisticated threat to computer systems.

Malware Terminology
Virus: attaches itself to a program and propagates copies of itself to other programs.
Worm: program that propagates copies of itself to other computers.
Logic bomb: triggers an action when a condition occurs.
Trojan horse: program that contains unexpected additional functionality.
Backdoor (trapdoor): program modification that allows unauthorized access to functionality.
Mobile code: software that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics.
Auto-rooter: malicious hacker tools used to break into new machines remotely.
Kit (virus generator): set of tools for generating new viruses automatically.
Spammer and flooder programs: used to send large volumes of unwanted email, or to attack systems with large volumes of traffic to carry out a DoS attack.
Keylogger: captures keystrokes on a compromised system.
Rootkit: set of hacker tools used after an attacker has broken into a computer system and gained root-level access.
Zombie, bot: program on an infected machine activated to launch attacks on other machines.

Where malware lives (auto-start locations)
o Folder auto-start
o Win.ini: run=[backdoor] or load=[backdoor]
o System.ini: shell="myexplorer.exe"
o Autoexec.bat
o Config.sys
o Init.d
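As an added example (not part of the lecture slides), the following Python script checks the legacy Windows auto-start entries named on the slide against their expected defaults: `run=` and `load=` in the `[windows]` section of Win.ini are empty on a clean system, and `shell=` in the `[boot]` section of System.ini is `explorer.exe`. The two pairs of INI texts are constructed samples, not files captured from a real host, and the `updater.exe` path is a made-up placeholder.

```python
# Added example: baseline check of Win.ini / System.ini auto-start keys.
# Not the lecture's code; the INI contents below are constructed samples.
import configparser
from typing import Dict, List

# Expected (clean) values, keyed by (file, section, key).
# run= and load= are empty by default; the default shell is explorer.exe.
EXPECTED = {
    ("win.ini", "windows", "run"): "",
    ("win.ini", "windows", "load"): "",
    ("system.ini", "boot", "shell"): "explorer.exe",
}

def parse_ini(text: str) -> configparser.ConfigParser:
    """Parse INI text; interpolation is off so '%' is literal, strict=False
    tolerates duplicate keys (common in hand-edited legacy INI files)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def check_autostart(files: Dict[str, str]) -> List[str]:
    """Return one finding per auto-start key whose value differs from EXPECTED.
    files maps a file name (win.ini / system.ini) to its text content."""
    findings = []
    for (fname, section, key), expected in EXPECTED.items():
        if fname not in files:
            continue
        cp = parse_ini(files[fname])
        # fallback covers both a missing section and a missing key
        value = cp.get(section, key, fallback="").strip().strip('"')
        if value.lower() != expected.lower():
            findings.append(f"{fname} [{section}] {key}={value!r} (expected {expected!r})")
    return findings

# Constructed sample contents: CLEAN is a default configuration; SUSPICIOUS
# shows the kind of entries the slide warns about (a program started from
# run= and a replaced shell=).
CLEAN = {
    "win.ini": "[windows]\nload=\nrun=\n[Desktop]\nWallpaper=(None)\n",
    "system.ini": "[boot]\nshell=explorer.exe\n[386Enh]\nwoafont=dosapp.fon\n",
}
SUSPICIOUS = {
    "win.ini": "[windows]\nload=\nrun=C:\\TEMP\\updater.exe\n",  # placeholder path
    "system.ini": "[boot]\nshell=\"myexplorer.exe\"\n",
}

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("suspicious", SUSPICIOUS)):
        print(label, check_autostart(sample) or "no deviations")
```

The same pattern (known-good baseline, parse, diff) applies to the other locations on the slide, such as the Startup folder or init.d scripts; only the parser changes.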
What to infect
o Executable
o Interpreted file
o Kernel
o Service
o Master Boot Record

Taxonomy of Malicious Software
[Figure: malicious logic tree. Needs a host program: trap door, logic bomb, Trojan horse, virus, applet. Independent (alone): worm, zombie. Viruses and worms replicate.]

Viruses
A piece of software that infects other programs:
o modifying them to include a copy of the virus
o so it executes secretly when the host program is run
Specific to operating system and hardware:
o taking advantage of their details and weaknesses

Virus lifecycle: Dormant, Propagation, Triggering, Execution
o Dormant: the virus is idle; it will eventually be activated by some event.
o Propagation: the virus places an identical copy of itself into other programs or into certain system areas.
o Triggering: the virus is activated to perform the function for which it was intended (triggered by e.g. a date, or the presence of another program or file).
o Execution: the function is performed, which may be harmless.

Virus components
o infection mechanism - enables replication
o trigger - event that makes the payload activate
o payload - what it does, malicious or benign

Virus structure
Virus code is prepended / postpended / embedded in the host program.
When the infected program is invoked, it executes the virus code, then the original program code.
Can block the initial infection (difficult) or propagation (with access controls).

Virus classification
o By target: boot sector, file infector, macro
o By concealment strategy: encrypted, stealth, polymorphic, metamorphic

Classification by target
o Boot Sector Infector: infects the master boot record / boot record (boot sector) of a disk and spreads when a system is booted with an infected disk (original DOS viruses). They are memory-resident viruses.
o File Infector: infects executable files; also called Parasitic Virus as they attach themselves to executable files as part of their code. Runs whenever the host program is executed.
o Macro Virus: infects files with macro code that is interpreted by the relevant application, such as Word (doc) or Excel files.

Classification by concealment strategy
o Encrypted Virus: a portion of the virus creates a random encryption key and encrypts the remainder of the virus. The key is stored with the virus. When the virus replicates, a different random key is generated.
o Stealth Virus: explicitly designed to hide from virus scanning programs.
o Polymorphic Virus: mutates with every new host to prevent signature detection; signature detection is useless.
o Metamorphic Virus: rewrites itself completely with every new host; may change its behavior and appearance.

E-mail viruses
A more recent development, e.g. Melissa:
o exploits an MS Word macro in an attached doc
o if the attachment is opened, the macro activates
o sends email to everyone on the user's address list
o and does local damage
Later versions were triggered by merely reading the email, hence much faster propagation.
File types that should never be opened if …: EXE, PIF, BAT, VBS, COM.

Virus countermeasures
Prevention is the ideal solution but difficult; realistically need:
o detection
o identification
o removal
If the virus is detected but can't be identified or removed, the infected program must be discarded and replaced.

Anti-virus evolution
Virus and anti-virus technology have both evolved: early viruses were simple code, easily removed; as viruses become more complex, so must the countermeasures.
Generations:
o Scanner:
  • first - signature scanners
  • second - heuristics
o Real-time monitors:
  • third - identify actions
  • fourth - combination packages
[Image: Kaspersky anti-virus]

Generic Decryption (GD)
Runs executable files through a GD scanner:
o CPU emulator to interpret instructions
o virus scanner to check known virus signatures
o emulation control module to manage the process
Lets the virus decrypt itself in the interpreter, then periodically scans for virus signatures.
The issue is that interpreting and scanning take long:
o tradeoff between chance of detection and time delay

Worms
A replicating program that propagates over the net:
o using email, remote execution, remote login
Has phases like a virus; may disguise itself as a system process.
Features:
o Do not require a host application to perform their activities
o Do not necessarily require any user interaction, direct or otherwise, to function
o Replicate extremely rapidly across networks and hosts
o Consume bandwidth and resources
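The virus-countermeasure and anti-virus-generation slides above describe what a first-generation signature scanner and a second-generation integrity heuristic do; this added Python example (not the lecture's or any product's code) shows both working together on constructed sample "programs". The signature bytes, the file contents and the file names are all made up; a signature entry may contain `None` as a one-byte wildcard, which is the kind of pattern a first-generation scanner matched.

```python
# Added example: generation-1 signature scan with wildcard bytes, plus a
# generation-2 integrity check (stored hash per program). All data is constructed.
import hashlib
import re
from typing import Dict, List, Optional

# A signature is a list of byte values; None is a one-byte wildcard.
# "DemoSig" is a made-up pattern standing in for a real virus signature.
SIGNATURES: Dict[str, List[Optional[int]]] = {
    "DemoSig": [0xE8, None, None, 0x00, 0x00, 0x5D, 0x81, 0xED],
}

def signature_regex(sig: List[Optional[int]]) -> "re.Pattern[bytes]":
    """Turn a byte signature with wildcards into a bytes regex."""
    parts = [b"." if b is None else re.escape(bytes([b])) for b in sig]
    return re.compile(b"".join(parts), re.DOTALL)

def scan_signatures(data: bytes) -> Optional[str]:
    """Generation 1: name of the first matching signature, or None."""
    for name, sig in SIGNATURES.items():
        if signature_regex(sig).search(data):
            return name
    return None

def baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Generation 2 (integrity): SHA-256 of each known-clean program."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def check(files: Dict[str, bytes], base: Dict[str, str]) -> List[str]:
    """A signature hit names the virus; otherwise a hash mismatch flags a
    modified program even though its content matches no known signature."""
    findings = []
    for name, data in files.items():
        hit = scan_signatures(data)
        if hit:
            findings.append(f"{name}: signature match {hit}")
        elif base.get(name) != hashlib.sha256(data).hexdigest():
            findings.append(f"{name}: modified since baseline, no known signature")
    return findings

# Constructed sample programs (arbitrary bytes standing in for executables).
CLEAN = {
    "calc.exe": b"MZ\x90\x00" + bytes(range(64)),
    "edit.exe": b"MZ\x90\x00" + bytes(range(64, 128)),
}
# Known infection: the signature bytes (with arbitrary wildcard values)
# prepended to the host, as in the "prepended" virus structure.
INFECTED_KNOWN = {**CLEAN, "calc.exe": b"\xE8\x12\x34\x00\x00\x5D\x81\xED" + CLEAN["calc.exe"]}
# Unknown variant: the host changed but nothing matches a signature
# (think polymorphic body); only the integrity check catches it.
INFECTED_UNKNOWN = {**CLEAN, "edit.exe": b"\x90\x90" + CLEAN["edit.exe"]}

if __name__ == "__main__":
    base = baseline(CLEAN)
    for label, fs in (("clean", CLEAN), ("known", INFECTED_KNOWN), ("unknown", INFECTED_UNKNOWN)):
        print(label, check(fs, base) or "no findings")
```

The integrity check only reports "modified, unknown cause", which is exactly the detect-but-cannot-identify situation the slide resolves by discarding and replacing the program.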
Morris Worm
One of the best known worms, released by Robert Morris in 1988.
Various attacks on UNIX systems:
o cracking the password file to use login/password to log on to other systems
o exploiting a bug in the finger protocol
o exploiting a bug in sendmail
If successful, it had remote shell access:
o sent a bootstrap program to copy the worm over

Recent worm attacks
o Code Red
  • July 2001, exploiting an MS IIS bug
  • probes random IP addresses, does a DDoS attack
  • consumes significant net capacity when active
  • Code Red II variant includes a backdoor
o SQL Slammer
  • early 2003, attacks MS SQL Server
  • compact and very rapid spread
o Mydoom
  • mass-mailing e-mail worm that appeared in 2004
  • installed a remote access backdoor in infected systems

Worm technology
o Multiplatform: attack a variety of platforms (UNIX)
o Multi-exploit: worms penetrate systems in a variety of ways
o Ultrafast spreading: accelerate the spread of a worm
o Polymorphic: to evade detection, skip past filters, and foil real-time analysis
o Metamorphic: have a repertoire of behavior patterns that are unleashed at different stages of propagation
o Transport vehicles: ideal for spreading other distributed attack tools, such as distributed denial of service bots
o Zero-day exploit: to achieve maximum surprise and distribution

Worm countermeasures
Overlaps with anti-virus techniques: once the worm is on a system, A/V can detect it.
Worms also cause significant net activity. Worm defense approaches include:
o signature-based worm scan filtering
o filter-based worm containment
o payload-classification-based worm containment
o threshold random walk scan detection
o rate limiting and rate halting
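Of the worm defenses listed on the slide, threshold random walk (TRW) scan detection is the one most easily shown in code. The Python below is an added example, not the lecture's code: for each source host it runs a sequential hypothesis test over first-contact connection attempts, moving a likelihood ratio up on each failed attempt and down on each success until it crosses a "scanner" or "benign" threshold. The probabilities `THETA0`/`THETA1` and the rates `ALPHA`/`BETA` are assumed parameter values in the usual TRW setup, and the connection log is constructed, not captured traffic.

```python
# Added example: threshold random walk scan detection over a constructed log.
import math
from typing import Dict, List, Tuple

THETA0 = 0.8   # P(connection succeeds | benign host)     (assumed)
THETA1 = 0.2   # P(connection succeeds | scanning host)   (assumed)
ALPHA = 0.01   # tolerated false-positive rate            (assumed)
BETA = 0.99    # target detection rate                    (assumed)

# Decision thresholds on the likelihood ratio P(obs | scanner) / P(obs | benign)
ETA1 = BETA / ALPHA              # crossing upward   -> scanner
ETA0 = (1 - BETA) / (1 - ALPHA)  # crossing downward -> benign

# Per-observation log-likelihood steps: a success is evidence of a benign host,
# a failure is evidence of scanning.
STEP_SUCCESS = math.log(THETA1 / THETA0)              # negative
STEP_FAILURE = math.log((1 - THETA1) / (1 - THETA0))  # positive

def classify(events: List[Tuple[str, str, bool]]) -> Dict[str, str]:
    """events: (src, dst, succeeded) in time order, first-contact attempts only.
    Returns src -> 'scanner' | 'benign' | 'undecided'."""
    loglam: Dict[str, float] = {}
    verdict: Dict[str, str] = {}
    for src, _dst, ok in events:
        if verdict.get(src, "undecided") != "undecided":
            continue  # this source has already been decided
        loglam[src] = loglam.get(src, 0.0) + (STEP_SUCCESS if ok else STEP_FAILURE)
        if loglam[src] >= math.log(ETA1):
            verdict[src] = "scanner"
        elif loglam[src] <= math.log(ETA0):
            verdict[src] = "benign"
        else:
            verdict[src] = "undecided"
    return verdict

def parse_log(lines: List[str]) -> List[Tuple[str, str, bool]]:
    """Parse constructed 'src dst:port OUTCOME' lines (OUTCOME is OK or FAIL)."""
    events = []
    for line in lines:
        src, dst, outcome = line.split()
        events.append((src, dst, outcome == "OK"))
    return events

# Constructed log: 10.0.0.5 sweeps neighbouring hosts and fails everywhere
# (worm-like); 10.0.0.7 talks to real servers; 10.0.0.9 has a mixed record.
SAMPLE_LOG = [
    "10.0.0.5 10.0.1.1:445 FAIL",
    "10.0.0.7 10.0.1.10:80 OK",
    "10.0.0.5 10.0.1.2:445 FAIL",
    "10.0.0.9 10.0.1.10:80 OK",
    "10.0.0.5 10.0.1.3:445 FAIL",
    "10.0.0.7 10.0.1.11:443 OK",
    "10.0.0.9 10.0.1.12:22 FAIL",
    "10.0.0.5 10.0.1.4:445 FAIL",
    "10.0.0.7 10.0.1.12:22 OK",
    "10.0.0.5 10.0.1.5:445 FAIL",
    "10.0.0.7 10.0.1.13:25 OK",
    "10.0.0.9 10.0.1.14:80 OK",
]

if __name__ == "__main__":
    for src, v in classify(parse_log(SAMPLE_LOG)).items():
        print(src, v)
```

With these parameters each failure multiplies the ratio by 4 and each success divides it by 4, so a source is flagged after four consecutive failed first contacts and cleared after four successes; a mixed record stays undecided until more evidence arrives, which is what keeps TRW's false-positive rate near `ALPHA`.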
Bots
A program taking over other computers to launch hard-to-trace attacks; if coordinated, they form a botnet.
Characteristics:
o remote control facility
  • via IRC/HTTP etc.
o spreading mechanism
  • attack software, vulnerability, scanning strategy
Various counter-measures are applicable.
A 'botnet' is a large number of bots (or zombies) used for DDoS attacks.

Botnets
[Figure: an attacker controls handlers located in China, Hungary, Russia, Bulgaria and the United States; the handlers control zombies, which attack the victim.]
Bots:
o Host illegal movies, music, pornography, criminal web sites, ...
o Forward spam for financial gain
o Can barrage a victim server with requests, causing the network to fail to respond to anyone

Rootkits
A set of programs installed for admin access; makes malicious and stealthy changes to the host O/S.
May hide its existence:
o difficult to determine that the rootkit is present and to identify what changes have been made
o disrupts reporting mechanisms on processes, files, registry entries, ...
Can be classified on whether they survive a reboot and on execution mode:
o Persistent: activates each time the system boots; stores code in a persistent store
o Memory-based: has no persistent code and therefore cannot survive a reboot
o User mode: intercepts calls to APIs and modifies returned results
o Kernel mode: can intercept calls to native APIs in kernel mode; may hide the malware process by removing it from the kernel's list of active processes
Installed by the user via a Trojan, or by an intruder on the system; a range of countermeasures is needed.

Backdoor (trapdoor)
o Secret entry point into a program
o Allows those who know of it to gain access, bypassing the usual security procedures
o Remains hidden to casual inspection
o Can be a new program to be installed
o Can modify an existing program
o Trap doors can provide access to a system for unauthorized procedures
o Very hard to block in the O/S

Logic bombs
One of the oldest types of malicious software: a piece of code that executes itself when predefined conditions are met. Logic bombs that execute on certain days are known as time bombs.
Activated when specified conditions are met, e.g.:
o presence/absence of some file
o particular date/time
o particular user
When triggered, typically damages the system: modify/delete files/disks, halt the machine, etc.

Trojan horses
A Trojan horse is a malicious program that is designed to look like authentic, real and honest software.
Like the gift horse left outside the gates of Troy by the Greeks, Trojan horses appear to be useful or interesting to an unsuspecting user, but are actually harmful.

What Trojans can do
o Erase or overwrite data on a computer
o Spread other viruses or install a backdoor ('dropper')
o Build networks of zombie computers in order to launch DoS attacks or send spam
o Log keystrokes to steal information such as passwords and credit card numbers (known as a key logger)
o Phish for bank or other account details, which can be used for criminal activities
o Or simply destroy data
o Mail the password file

Zombies
A program which secretly takes over another networked computer and forces it to run under a common command and control infrastructure.
Uses it to indirectly launch attacks, e.g., DDoS, phishing, spamming, cracking; difficult to trace the zombie's creator.
Infected computers, mostly Windows machines, are now the major delivery method of spam. Zombies have been used extensively to send e-mail spam; between 50% and 80% of all spam worldwide is now sent by zombie computers.

Summary
o Intruder
o Hacker: phases
o Attack: many types
o Malicious Software: many types

References
o Cryptography and Network Security, Principles and Practice, William Stallings, Prentice Hall, Sixth Edition, 2013
o CEHv8: Certified Ethical Hacker Version 8 Study Guide, 2014, Chapters 8-12

Exercises
See CEH v8, e.g.:
o Hping
o Using Netstat to Detect Open Ports (8.2)
o Using TCPView to Track Port Usage
o ...
Experience in group:
o Demo at least attacks, e.g.:
  • SYN Flood: Hping
  • ...
o Demo at least malicious software, e.g.:
  • Creating a Simple Virus (EX 8.1, pg 189)
  • ...

Posted: 26/10/2018, 16:40
