CSE509 System Security

Similar documents
CIT 480: Securing Computer Systems. Malware

Computer Security DD2395

ENEE 757 CMSC 818V. Prof. Tudor Dumitraș Assistant Professor, ECE University of Maryland, College Park

Overview. Common Internet Threats. Spear Phishing / Whaling. Phishing Sites. Virus: Pentagon Attack. Viruses & Worms

Malicious Software. Ola Flygt Växjö University, Sweden Viruses and Related Threats

Malicious Programs. CEN 448 Security and Internet Protocols Chapter 19 Malicious Software

Cryptography and Network Security Chapter 21. Malicious Software. Backdoor or Trapdoor. Logic Bomb 4/19/2010. Chapter 21 Malicious Software

CS 356 Lecture 9 Malicious Code. Spring 2013

Malware. Björn Victor 1 Feb [Based on Stallings&Brown]

Malicious Software. Malicious Software. Overview. Backdoor or Trapdoor. Raj Jain. Washington University in St. Louis

CS549: Cryptography and Network Security

Security Engineering Part III Network Security. Intruders, Malware, Firewalls, and IDSs

Operation Liberpy : Keyloggers and information theft in Latin America

SECURITY TERMS: Advisory Backdoor - Blended Threat Blind Worm Bootstrapped Worm Bot Coordinated Scanning

ACS-3921/ Computer Security And Privacy. Lecture Note 5 October 7 th 2015 Chapter 5 Database and Cloud Security

Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them

CSE331: Introduction to Networks and Security. Lecture 15 Fall 2006

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

Randy Lee FireEye Labs. Understanding Modern Malware.

WORMS HALMSTAD UNIVERSITY. Network Security. Network Design and Computer Management. Project Title:

WEB ATTACKS AND COUNTERMEASURES

Security A to Z the most important terms

ANTIVIRUS BEST PRACTICES

Certified Ethical Hacker Exam Version Comparison. Version Comparison

Security workshop Protection against botnets. Belnet Aris Adamantiadis Brussels 18 th April 2013

BOTNETS. Douwe Leguit, Manager Knowledge Center GOVCERT.NL

Storm Worm & Botnet Analysis

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

WHITE PAPER. Understanding How File Size Affects Malware Detection

Parasitics: The Next Generation. Vitaly Zaytsev Abhishek Karnik Joshua Phillips

Spyware. Michael Glenn Technology Management 2004 Qwest Communications International Inc.

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION

The Value of Physical Memory for Incident Response

Melde- und Analysestelle Informationssicherung MELANI Torpig/Mebroot Reverse Code Engineering (RCE)

Barracuda Intrusion Detection and Prevention System

Seminar Computer Security

Tespok Kenya icsirt: Enterprise Cyber Threat Attack Targets Report

Malicious Network Traffic Analysis

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0.

DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest

HoneyBOT User Guide A Windows based honeypot solution

Computer Viruses: How to Avoid Infection

Computer Security Threats

Information Security Threat Trends

Radware Security Research. Reverse Engineering a Sophisticated DDoS Attack Bot. Author: Zeev Ravid

From Georgia, with Love Win32/Georbot. Is someone trying to spy on Georgians?

ZeroAccess. James Wyke. SophosLabs UK

Innovations in Network Security

Lectures 9 Advanced Operating Systems Fundamental Security. Computer Systems Administration TE2003

Sapphire/Slammer Worm. Code Red v2. Sapphire/Slammer Worm. Sapphire/Slammer Worm. Sapphire/Slammer Worm. Why Was Slammer So Fast?

Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com

Integrated Protection for Systems. João Batista Territory Manager

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 2 Systems Threats and Risks

Locking down a Hitachi ID Suite server

QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

IBM Protocol Analysis Module

Current Threat Scenario and Recent Attack Trends

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications

Botnets. Botnets and Spam. Joining the IRC Channel. Command and Control. Tadayoshi Kohno

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security

Lecture 13 - Network Security

6WRUP:DWFK. Policies for Dedicated IIS Web Servers Group. V2.1 policy module to restrict ALL network access

DDoS Attacks Can Take Down Your Online Services

Firewalls and Software Updates

Detecting P2P-Controlled Bots on the Host

Multifaceted Approach to Understanding the Botnet Phenomenon

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

Firewall and UTM Solutions Guide

Test Case - Privatefirewall 5.0, Intrusion and Malware Defense

Spyware. Summary. Overview of Spyware. Who Is Spying?

DATA SHEET. What Darktrace Finds

The Underground Economy of the Pay-Per-Install (PPI) Business

Defending Against Cyber Attacks with SessionLevel Network Security

Threats and Attacks. Modifications by Prof. Dong Xuan and Adam C. Champion. Principles of Information Security, 5th Edition 1

The Key to Secure Online Financial Transactions

Spam, Spyware, Malware and You! Don't give up just yet! Presented by: Mervin Istace Provincial Library Saskatchewan Learning

BotNets- Cyber Torrirism

Cyber Security and Critical Information Infrastructure

A Critical Investigation of Botnet

Threat Events: Software Attacks (cont.)

Ethical Hacking and Information Security. Foundation of Information Security. Detailed Module. Duration. Lecture with Hands On Session: 90 Hours

Fighting Advanced Threats

The Evolution of Computer Security Attacks and Defenses. Angelos D. Keromytis Columbia University

Trends in Malware DRAFT OUTLINE. Wednesday, October 10, 12

DDoS Attacks & Defenses

Detailed Description about course module wise:

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

OS Security. Malware. Radboud University Nijmegen, The Netherlands. Winter 2014/2015

CEH Version8 Course Outline

Transcription:

CSE509 System Security Malware and bots Nick Nikiforakis nick@cs.stonybrook.edu

Malware Malware, short for malicious software, is software designed to gain access to confidential information, disrupt computer operations, and/or gain access to private computer systems. Malware can be classified by how it infects systems: Trojan Horses Viruses Worms Or by what assets it targets: Ransomware Information stealers Spyware and adware Backdoors Rootkits Botnets 2

How much malware is out there? 3

Malware The installation of malware is done in predominantly two ways: 1. Exploit a vulnerability in the user s browsing software to automatically and without the user s permission download and install malware (known as drive-by downloads) Buffer overflows, dangling pointers, etc. 2. Convince the user to install some software, pretending that it is something that the user wants/requires 4

For example Let s say that I want to watch a movie, but I do not want to pay for it. Let s go to google.com and search for streaming movies free 5

6

7

This pretends to be a notification box that Internet Explorer sometimes show 8

9

10

11

Types of malware 12

Virus A computer virus is a type of malware that, when executed, replicates by inserting copies of itself (possibly modified) into other files. This process is called infecting. 13

Types of Viruses 1. Boot Sector When system boots, code in boot sector executed. Propagate by altering boot disk creation. Uncommon today because of low use of boot floppies, but some Vista laptops shipped with one. 2. Executable Infects executable programs (e.g., COM, EXE). Executes when infected program is run. Virus usually runs first, then runs original code. 3. Dynamic Library Infected dynamically linked libraries (DLLs.) Executed when any program uses infected DLL. 14

Types of Viruses 4. Device Driver Infects loadable device driver. Executes in kernel mode. 5. Archive Infectors Inserts Trojan Horse into ZIP files. Uses social engineering techniques to get user to run. 15

Types of Viruses 6. Macro Virus Infects embedded interpreted code. Needs interpreter like sh, MS Word macro. Can infect executables or data files Executables must invoke appropriate interpreter. Most modern data formats support some type of scripting, including Microsoft Office Windows Help files HTML: VBScript, JScript 16

Infection Methods 1. Overwriting Overwrites section of program file with virus. May break infected program. 2. Companion Infects COM file of same name as EXE file. Given a name, Windows runs COM before EXE Infects alternate data stream of Win32 file. Legitimate application file.exe Virus: infect() if trigger payload() run file.exe file.com 17

Infection Methods: Prepending 3. Prepending Insert virus code at beginning of executable. Shift original code to follow virus. Executable code Virus code Executable code Infection 18

Infection Methods: Appending 4. Appending Append virus code to executable. Insert JMP at beginning of executable. Executable code Infection Jump to Virus Executable code infect() if trigger payload() goto start 19

Infection Methods: Fragmenting 5. Fragmenting Append virus code to executable. Insert JMP at beginning of executable. Executable code Jump to Virus Executable code Infection Virus code Executable code Virus code Executable code Virus code 20

Worms Copies self from one computer to another Self-replicating: No user action required unlike virus or Trojan horse programs. Spreads via network protocols ex: SMTP (email), fingerd, MS SQL 21

Timeline of Notable Worms Year Name Description 1988 Morris Worm Spreads across entire Internet, causing service disruptions. Vectors: buffer overflow, backdoors, passwords, and other authentication vulnerabilities. 1999 Melissa Macro virus that spread via e-mail to all people in address book, shutting down many e-mail servers. 2000 ILOVEYOU VBScript Trojan spread via e-mail to tens of millions of Windows PCs. 2001 Code Red Spread to millions of hosts, defaced web sites, and launched DDoS. Vector: buffer overflow in IIS. 2001 Nimda Vectors: multiple, including backdoors left by Sadmind and Code Red II worms. 2003 Slammer Fastest spreading worm, infecting all vulnerable MS SQL Server installations in <1hr. Vector: buffer overflow 2003 Nachi/Welchia Exploited vulnerability in MS RPC service to download MS security patches and remove Blaster worm. 22

Timeline of Notable Worms Year Name Description 2004 Cabir First worm to target mobile phones (Symbian OS), spreading via Bluetooth to nearby phones. 2004 Santy First worm to target web applications, exploiting a vulnerability in phpbb and using Google searches to find targets to infect. 2007 Storm E-mailed Trojan horse that recruited machines into the Storm botnet, infecting millions of hosts. 2008 Conficker Exploited buffer overflows in MS RPC services and poor passwords to recruit ~10 million hosts into botnet. 2010 Stuxnet Multi-vector malware designed to target SCADA facilities. Designed by US to target Iranian nuclear facilities. 2012 Flame Multi-vector malware designed for cyberespionage that targets Middle Eastern countries. 23

Worm Components 1. Vector 2. Propagation Engine 3. Target Selection 4. Scanning Engine 5. Payload 24

Vector Exploit code to gain access to target host. Common vectors: Buffer overflow exploits. Network file sharing, both NFS/SMB and P2P. Social-engineering via email or IM. Weak passwords. Parasitism: target backdoors and worm flaws. 25

Propagation Engine Transfers worm to host exploited by vector. Small worms like Slammer included in vector. Worm Propagation Methods: FTP HTTP SMB TFTP 26

Remote Control Interface RCI allows creator to control infected hosts. Many worms do not have a RCI. May be a well-known backdoor program. Common remote control features: Start/stop infecting new targets. Download new vectors. Download new target selectors. Download new payloads. 27

Target Selection Selecting targets for potential infection. E-mail address harvesting Address books. Parse disk files. Network share enumeration Check for filesystems shared with other systems. Network scanning Target hosts on current network and connected nets. Randomized scanning of Internet space. Web searching Search Google for addresses or vulnerable software. Try to attack friends on social networks 28

Scanning Engine Check targets for vulnerabilities. If vector small, scanning can be skipped. Scan for vulnerable services. Like targeted nmap port scan. OS Check Check for correct OS for vector to work. Version checking. Check version of target software. May customize vector based on information. 29

Morris Worm First Internet Worm: November 1988 Claimed purpose: Mapping the Internet Multi-architecture: Sun, VAX Multi-vector sendmail (debug backdoor) fingerd (buffer overflow) rsh (open.rhosts; password cracking) 30

Morris Worm Spreading algorithm Local network topology: gateways, neighbors. Used users.rhosts,.forward files. Limited reinfection rate to 1/7. Detection Avoidance Forged process listing as (sh). Removed created files quickly after use. 31

Morris Worm Resource Requirements Disk Space. C compiler and linker. Network connection to parent computer. Problems Didn t limit re-infections. Saturated CPU, network resources. 32

Fast Worms Slammer Worm Characteristics Attacked MS SQL servers. Worm is single 404-bye UDP packet. Random-scan (PRNG bugs limited.) Limited by network bandwidth, not latency. Observed scan rate of 26,000 hosts/second. Infected 90% of vulnerable hosts in 10 min. Too fast for humans to react. Shutdown 13,000 Bank of America ATMs due to compromising db servers, heavy traffic. 33

Counter-worms Worm that removes other worms from net. Nachi/Welchia Multi-vector W32 worm Nachi.A removes W32/Blaster worm Nachi.B removes W32/MyDoom worm Installed MSRPC DCOM patch to prevent future infections from Blaster. Removes self after 2004. Side-effects Infected Diebold ATMs Worm traffic DOSed Internet, esp Microsoft. 34

Unintentional Offline Impact Slammer infected nuclear power plant Reached Plant Process Computer and Safety Parameter Display System via contractor network that supposedly not connected to internal plant network. Slammer also disabled Seattle s 911 system Blaster infected First Energy systems Contributing cause to 2003 blackout of northeast US. Sasser worm disabled many systems Lund University Hospital X-ray department disabled, Delta Air Lines cancelled flights, British Coastguard lost access to maps, etc. 35

Generic malware In recent years, attackers have moved away from viruses and worms and more towards malicious executables who just attempt to gain money from each installation Steal user s credentials Use the user s Internet connection for sending SPAM Use the user s CPU for mining cryptographic resources Use extortion and ask for money from the victim user 36

Ransomware Ransomware encrypts the user s files and asks for an amount of money in order to decrypt them Money typically transferred using bitcoins or other methods that are hard to trace If you are backing up your files on a local external disk, the attacker can encrypt your back-ups as well 37

Malware Handling Process 1. Static Analysis (for signatures) 2. Dynamic Analysis (for signatures) 3. Reverse Engineering (if needed) 4. Signature Creation 5. Quality Assurance 6. Signature Deployment 38

Static Analysis Static analysis includes any approach to analyzing a program without running it. File type Strings found in file Assembly code for program Safest form of analysis, as malware is never executed. 39

Dynamic Analysis Dynamic analysis includes any approach to analyzing a program while running it. Malware sandbox (to run malware safely). Host analysis tools (local changes). Network analysis tools (network traffic). 40

Reverse Engineering Reverse engineering is the use of static analysis (decompilers, disassemblers) and dynamic analysis (debuggers) techniques to determine precisely how a program works. 41

Static Malware Protection 1. Encryption. Virus starts with small decryption algorithm. Remainder of virus is encrypted, typically XOR with key. Often encrypts different parts of virus with different encryption techniques or keys. 2. Polymorphism Changes encryption key or technique each infection. Dynamic scan can wait until malware decrypts self in RAM. 3. Metamorphism Rewrites decryption code using different machine instructions each infection too. Too many variants for signature detection 42

Example of Zperm Mutation From Szor and Ferrie, Hunting for Metamorphic slide 43

Dynamic Malware Protection 1. Anti-sandboxing techniques. Researchers use VMs to analyze malware safely, so If detect VM, then disable or delete self. 2. Anti-debugging tricks. Researchers use debuggers to analyze software activity. Detect some debuggers and break debugging session. Write code in such a way to make it difficult to debug. 3. Anti-detection techniques. Disable AV software on system. Obfuscate code. 44

Runtime Packers Runtime packers compress the code of programs better than general purpose compression tools and automatically decompress the program upon execution. Today they are primarily used to prevent analysis of programs. Thousands of packers exist. Can pack code multiple times with different packers. AV can unpack some formats, but not all. 45

EXE Binding An EXE binder takes multiple programs and merges them into a single executable file that performs the functions of all of them. It is primarily used to bind malware into legitimate programs to make Trojan horses. 46

Botnets A botnet is A network of compromised machines that can be controlled remotely used for malicious activities. Bot 1 Bot 2 Threat Command & Control Server Bot n 47

Botnets 48

Botnet Components Host Component Malware running on victim s computer. Receives commands from botmaster. Executes attacks. Sends data to botmaster. Network Components Command & Control (C&C) servers. Malware distribution servers. Drop zone (for data exfiltration). 49

C&C Structure Centralized All bots connect to a single C&C server. Single point of failure that can take down botnet. Decentralized (peer-to-peer) Every bot is also a C&C server. Botmaster can administrate from any bot. Hybrid Every bot is a C&C server. Also have separate C&C server. 50

Botnet Applications 1. Distributed Denial of Server (DDoS) 2. Click fraud 3. Spam replay 4. Pay-per-install agent 5. Large-scale information harvesting 6. Information processing 51

Stopping Botnets 1. Identify C&C server(s) and take down. 2. Block C&C server DNS name. 3. Block C&C server IP address. 4. Update anti-virus to identify host component and remove (difficult to reach every infected host.) 5. Identify botmaster(s) and work with law enforcement to stop them. 52

Protecting C&C 1. Bulletproof Hosting ISP that permits criminal activity, spamming, c&c. 2. Dynamic DNS C&C changes IP addresses every few minutes. Uses DDNS service to point to changing IPs. 3. Fast Fluxing DNS requests resolve to set of flux agent IPs. Flux agents redirect traffic to C&C server. 53

Single Flux Networks 54

Double Flux Networks 1. Single flux change DNS name to IP mapping. 2. Double flux change DNS servers for domain too. 55

Domain Generation Algorithms Generate domain names for C&C servers Algorithmic, but hard to predict. Generate hundreds to thousands per day. Botmaster knows DGA domains Sets up C&C at one of the domains. Waits for bots to contact & request commands. Defends against C&C takedown Too many domains to blacklist. Generated domains are expendable, so takedowns don t matter as botmaster has moved on to new ones. 56

DGA Disadvantages 1. DGA bots produce much network traffic to nonexistent domains, returning errors. 2. If DGA is reverse engineered, someone can take control of botnet by registering domain name of a future C&C server. If the botnet is using proper authentication, this will not suffice to take-down a botnet 57

Torpig Study Security research group at UCSB took over the Torpig botnet for 10 days in 2009 Objective: the inside view of a real botnet Takeover exploited domain flux [ Your Botnet Is My Botnet ] Bot copies generate domain names to find their command & control (C&C) server Researchers registered the domain before attackers, impersonated botnet s C&C server slide 58

Torpig Architecture [ Your Botnet Is My Botnet ] Drive-by JavaScript tries to exploit multiple browser vulnerabilities to download Mebroot installer Installer writes Mebroot into MBR on hard drive, reboots infected host Mebroot obtains malicious DLLs from its C&C server, injects them into applications, contacts C&C server every 2 hours over HTTP using custom encryption DLLs upload stolen data to Torpig C&C server C&C server acks or instructs bot to perform phishing attacks against specific sites using injected content slide 59

Man-in-the-Browser Phishing [ Your Botnet Is My Botnet ] slide 60

Distribution of Infections [ Your Botnet Is My Botnet ] slide 61

Data Sent to Torpig C&C Server [ Your Botnet Is My Botnet ] slide 62

Target: Financial Institutions Typical Torpig config file lists approximately 300 domains of financial institutions to be targeted for man-in-the-browser phishing attacks In 10 days, researchers C&C server collected 8,310 accounts at 410 institutions Top 5: PayPal (1770), Poste Italiane (765), Capital One (314), E*Trade (304), Chase (217) 1660 unique credit and debit card numbers [ Your Botnet Is My Botnet ] 30 numbers came from a single work-at-home call-center agent who was entering customers credit card numbers into the central database slide 63

Summary Malware are malicious programs that are used to destroy user data, propagate malicious code to other machines and make money for the attackers would write them and install them In the past, viruses and worms were popular, today the lines are blurred Multiple ways of analyzing malware: Static analysis, Dynamic Analysis, Reverse engineering Botnets are collections of compromised machines under the control of the attacker The attacker can install new malware on each bot, or order to the bots to perform an attack 64

Questions? 65

Credits Original slides on malware by James Walden Slides on torpig from Vitaly Shmatikov Modified by Nick Nikiforakis to include social engineering attacks, ransomware, and other miscellaneous concepts 66

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information