Running code securely An overview of threats and countermeasures




Running code securely: an overview of threats and countermeasures
Almut Herzog

Overview of protective technology for end users:
- anti-virus software
- anti-spyware
- personal firewall
- backup
- encryption: SSL and other network encryption, SSH, file encryption, password storage (see the lecture on network security)
- knowledge
- smooth surface: keep updated, shut down unnecessary services

Almut Herzog 1

Malicious code: some names, not a taxonomy
Source: Peter Ször. The Art of Computer Virus Research and Defense. Addison-Wesley, 2005.

- Virus: a program that recursively and explicitly copies a possibly evolved version of itself.
- Worm: a network virus: mailers and mass-mailer worms, octopus (exists on more than one computer on the network), rabbit (single copy that moves around).
- Logic bombs: programmed malfunction of a legitimate application; Easter eggs (non-malicious, give credit to the developers, e.g. MS Flight Simulator; spyware? adware?).
- Trojan horse: useful functionality to entice, or subversion of an existing tool (ps, ls, password, logon screen); backdoors (listen on a port).
- Germs: first-generation virus, not attached to an infected file but plain, readable code.
- Exploits: specific to one or more vulnerabilities; show that a vulnerability can be exploited.
- Downloaders: install a set of other items on a machine.
- Dialers: modem users are directed to a premium-rate Internet connection.
- Droppers: installer for first-generation virus code.
- Injectors: a dropper that installs virus code in memory; also network injectors.
- Auto-rooters: break into new machines using an exploit to gain root access automatically.
- Kits (virus generators): generate new computer viruses automatically.
- Spammer programs: send unsolicited messages (spim: instant messaging, spit: SMS).
- Flooders: stage a DoS attack.
- Keyloggers: capture keystrokes.
- Rootkits: used after an attacker has broken into a computer system and gained root-level access, to change legitimate programs into Trojan horses.
- Miscellaneous: joke programs (lock the screen randomly), hoaxes (chain letters), adware, spyware.

Self-protection techniques: how viruses protect themselves from being found
- tunnelling virus: installs on the layer below, preferably on the very lowest layer
- armoured virus: armoured against (fast) attempts by anti-virus analysts to find out about the virus code: encryption, obfuscation, match checksums rather than strings, anti-debugging
- aggressive retrovirus: disables countermeasures
- code evolution: encryption; oligomorphic (changes the decryptor), polymorphic (mutates the decryptor), metamorphic (evolves the code: NOP insertion, recompile on the host, ...)

Classification according to payload
- no payload: the virus only replicates; accidentally destructive
- non-destructive: display a message, open/close the CD tray etc.
- somewhat destructive: flip a bitmap, stop a service
- highly destructive: overwrite data (format the HD), data diddler, encrypt, HW destruction (overheat), DoS on a local or remote host, steal data

File infection strategies
- Overwriting virus: overwrites/destroys a file on disk with virus code, usually starting at the beginning of the file
- Random overwriting virus: overwrites at a random position in the host file; may not execute, but destroys the host
- Appending virus: appends the virus code to the host code; the host starts by jumping to the end

[Figure: overwriting virus that changes the host size; overwriting virus that does not change the host size; random overwriting virus; appending virus (JMP from the host entry to the appended virus code)]

File infection strategies (continued)
- Prepending virus: virus code first, then the full host code
- Classic parasitic virus: prepends virus code and appends the overwritten code to the end of the host file
- Amoeba infection: prepend + append virus code

[Figure: prepending virus (head); classic parasitic virus; amoeba (tail)]

- Cavity virus: does not increase the file size; overwrites unused portions of the host file
- Fractioned cavity virus: virus code scattered through the file; the program starts with a modified entry point that points to the virus code
- Compressing virus: compresses the host file to hide the size increase due to the virus code; infection = packed host + decompressor

[Figure: packed cavity virus; compressing virus]

- Embedded decryptor: the decryptor is scattered through the host file, the overwritten code is saved at the end; the host starts by invoking the decryptor, which uncompresses and launches the appended virus code
- Embedded decryptor and virus body: both decryptor and virus body are scattered through the file; the overwritten parts are appended

[Figure: embedded decryptor: JMP into the scattered decryptor blocks, saved blocks at the end of the file]

- Entry-point obscuring (EPO): an arbitrary instruction is replaced by a jump to the virus code

[Figure: (1) the first instruction is a jump to the virus code; (2) an arbitrary instruction is a jump to the virus code]

Possible future infection techniques: code builders (build the virus out of the legal host instructions)

[Figure: a builder assembles V + I + R + U + S out of the host's own instruction bytes, reached via a JMP]

In-memory strategies
- single-tasking operating system:
  - non-resident/direct action: the virus code looks for new targets to infect before letting the host program run
  - memory-resident: the virus code loads itself into memory (stays resident), hooks an interrupt handler, and then lets the host program run
  - swapping virus: executed upon an interrupt, finds the target of attack, infects and terminates
- multi-tasking operating system: viruses in processes, threads

Worms
worm = network virus; does not need to infect files to propagate

Structure of a worm
1. target locator: finds new victims in address books, news groups, search engines, or by contacting more or less random IP addresses
2. infection propagator: transfers to the new node and gets control through e-mail with social engineering, a backdoor, or by exploiting a vulnerability
3. (optional) remote control, so the author can control infected nodes
4. (optional) life-cycle manager, if the worm commits suicide
5. (optional) payload: many do not have any; DoS, spam relay
6. (optional) self-tracker: sends away spread information

Future of worms: worm communication protocol and plug-in API

Anti-virus software
- on-demand scanning
- on-access scanning: memory-resident, hooks interrupts, scans files when they are opened, created or closed
  - challenge: must do all the searching in a limited amount of time
  - scan only the first and last 2, 4 or 8 kB of a file
  - scan only around the entry point (after the first jump or call instruction)
  - earlier: access the raw disk; today: too many file systems and disk controllers

Anti-virus software strategies
- first-generation: search pre-defined areas of files or system areas for given signature strings; wildcards, mismatches (slow), bookmarks (offset to the virus body start + offset to the virus detection string)
- second-generation: no more NOP confusion, two signatures, compare the checksum of constant bytes; algorithmic scanning: signatures have evolved into code; code emulation; geometric detection; integrity checks
- heuristics for detecting previously unknown viruses: code execution starts in the last section, suspicious flags, incorrect virtual size, suspicious code redirection
- inoculation
- access control, sandbox

Disinfection
- Erase the virus from disk: the reverse of the infection strategy; only possible if the virus has not destroyed the host program
- Terminate the infected process, which may not be so easy: keep-alive/twin processes, multiple infected processes
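To make the scanning trade-offs on the last few slides concrete, here is an added example (not from the lecture or from any real anti-virus product) of the two detection ideas side by side: a first-generation signature scanner that looks only at the head and tail of a file plus a window around the entry point, and an integrity checker that compares size and hash against a baseline. Everything it scans is constructed: the "TOYX" container (magic, 32-bit entry offset, body) is a made-up format, the signature "E8 ?? ?? ?? ?? 5D 81 ED" is an arbitrary byte pattern, and the "infected" samples are inert byte layouts that merely mimic where an appending virus and a cavity virus would place their code.

```python
"""Toy anti-virus checks: region-limited signature scanning plus an integrity
baseline. The 'TOYX' container format, the signature and the sample files are
constructed for this example; nothing here parses a real executable format."""
import hashlib
import re
import struct

HEAD_TAIL_KB = 4     # scan only the first and last 4 kB of a file (as on the slides)
ENTRY_WINDOW = 64    # ... plus this many bytes on each side of the entry point
MAGIC = b"TOYX"      # constructed toy container: magic, u32 LE entry offset, body


def compile_signature(pattern: str) -> re.Pattern:
    """Turn a hex pattern such as 'E8 ?? ?? ?? ?? 5D 81 ED' into a byte regex.
    '??' is the one-byte wildcard of a first-generation scanner; every other
    token must match literally."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def entry_point(data: bytes) -> int:
    """Entry offset stored in a toy container header; 0 for anything else."""
    if len(data) < 8 or not data.startswith(MAGIC):
        return 0
    return struct.unpack_from("<I", data, 4)[0]


def scan_regions(data: bytes, scan_entry: bool = True) -> list:
    """Byte ranges an on-access scanner can afford to look at: head, tail and,
    optionally, a window around the entry point."""
    n, kb = len(data), HEAD_TAIL_KB * 1024
    regions = [(0, min(n, kb)), (max(0, n - kb), n)]
    if scan_entry:
        ep = entry_point(data)
        regions.append((max(0, ep - ENTRY_WINDOW), min(n, ep + ENTRY_WINDOW)))
    return regions


def scan_file(data: bytes, signatures: dict, scan_entry: bool = True) -> list:
    """Names of all signatures found inside the scanned regions."""
    hits = []
    for name, rx in signatures.items():
        if any(rx.search(data, start, end) for start, end in scan_regions(data, scan_entry)):
            hits.append(name)
    return hits


def fingerprint(data: bytes) -> tuple:
    """(size, sha256) pair an integrity checker records when a file is installed."""
    return len(data), hashlib.sha256(data).hexdigest()


def integrity_check(baseline: dict, current: dict) -> dict:
    """Compare files against the baseline. A size change is what appending or
    prepending infection leaves behind; a cavity infection keeps the size, so
    only the hash betrays it."""
    verdicts = {}
    for path, data in current.items():
        size, digest = fingerprint(data)
        if path not in baseline:
            verdicts[path] = "new file"
        elif baseline[path][0] != size:
            verdicts[path] = "size changed"
        elif baseline[path][1] != digest:
            verdicts[path] = "content changed, same size"
        else:
            verdicts[path] = "unchanged"
    return verdicts


# --- constructed sample data ------------------------------------------------
SIGNATURES = {"TOY.Demo": compile_signature("E8 ?? ?? ?? ?? 5D 81 ED")}
VIRUS_STUB = bytes.fromhex("E8 12 34 56 78 5D 81 ED") + b"\xCC" * 24  # inert marker bytes


def make_host(body_len: int) -> bytes:
    """Clean toy program: entry right after the 8-byte header, filler body."""
    return MAGIC + struct.pack("<I", 8) + bytes([0x40 + i % 32 for i in range(body_len)])


def build_samples() -> dict:
    clean = make_host(20000)
    # appending layout: marker at the end, entry redirected to it (size grows)
    appended = MAGIC + struct.pack("<I", len(clean)) + clean[8:] + VIRUS_STUB
    # cavity layout: marker overwrites bytes in the middle, size unchanged,
    # entry redirected into the cavity (the "modified entry point" of the slides)
    cav_at = 10000
    cavity = (MAGIC + struct.pack("<I", cav_at) + clean[8:cav_at]
              + VIRUS_STUB + clean[cav_at + len(VIRUS_STUB):])
    return {"clean.toy": clean, "appended.toy": appended, "cavity.toy": cavity}


if __name__ == "__main__":
    samples = build_samples()
    baseline = {"clean.toy": fingerprint(samples["clean.toy"])}
    for name, data in samples.items():
        print(name, "head/tail only:", scan_file(data, SIGNATURES, scan_entry=False),
              "with entry window:", scan_file(data, SIGNATURES))
    print(integrity_check(baseline, {"clean.toy": samples["cavity.toy"]}))
```

Running it shows why the slides pair the two approaches: the head/tail scan finds the appended layout but misses the cavity layout in the middle of the file, the entry-point window catches the cavity layout because the entry was redirected, and the integrity check reports the cavity file as "content changed, same size", which is exactly the case a size-only check would miss.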

Spyware
Def.: "Any software intended to aid an unauthorised person or entity in causing a computer, without the knowledge of the computer's user or owner, to divulge private information."; "software programs that act as data sensors and illicitly collect and transmit information about end users, and then send it back to a third party".
Sources: pop-ups, free downloads, shareware, drive-by downloads

Spyware classification
- cookies and web bugs: invisibly keeping track of people
- adware
- browser hijackers, browser changers, browser plugins: alter the start page, change browser security settings, insert toolbars/buttons, spoof sites, deny access to sites, monitor surfing habits
- extortion ware: installs spyware, informs the user and demands payment to uninstall
- keyloggers: capture every keystroke (passwords, credit card information)
- tracks, spybots
- trojans, bundleware: masquerade as a harmless or desirable application

Spyware effects
- slows down the computer (at strange rates/patterns), especially at start-up
- destabilises the computer
- hijacks the browser start page
- prevents starting certain programs (IE, anti-virus, anti-spyware)
- cannot be removed
- hidden tasks
- privacy: data collection

Anti-spyware
Much like anti-virus software: signature-based, behaviour-based (Windows Defender), or a mixture.
For testing: http://www.spycar.org/spycar.html

Personal firewall
- (all) realised in software
- (all) make the computer invisible by not answering any packets; drop all unsolicited incoming packets
- (all) control incoming connections
- (some) control outgoing connections

Personal firewalls: problems
- A software firewall resides on the target of attack.
- Evil programs may attach themselves with DLLs to regular programs.
- An evil process may modify the memory of an allowed application.
- An attacker can use a driver to inject packets below the level where the process filtering is done, and then only has to worry about the packet filter.
- Malware can change the firewall rules.
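The following is an added example, not part of the lecture and not modelled on any particular firewall product, of the decision logic the slide describes: a stateful personal firewall that stays "invisible" by silently dropping unsolicited inbound packets, lets replies to established outbound connections through, and controls outgoing connections per application. The packets, rules, process names, the `app_hash` field and the addresses (RFC 5737 documentation ranges) are all constructed; the last scenario step illustrates why pinning a rule to the executable's hash and not only to its name matters when an application is replaced.

```python
"""Toy stateful personal firewall. Packets, rules, process names and the
connection table are constructed for this example; no real traffic is touched."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out", relative to this host
    proto: str              # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False       # TCP connection attempt
    app: str = ""           # local process name (only a host firewall knows this)
    app_hash: str = ""      # hash of that process' executable (constructed values)


@dataclass(frozen=True)
class Rule:
    direction: str
    app: str = "*"          # local process the rule applies to ("*" = any)
    app_hash: str = "*"     # pin the binary as well, or "*" to trust the name alone
    remote_ip: str = "*"
    port: int = 0           # remote port for "out", local port for "in"; 0 = any


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    remote_ip = pkt.dst_ip if pkt.direction == "out" else pkt.src_ip
    # for outbound packets dst_port is the remote port, for inbound it is the local one
    return ((rule.app == "*" or rule.app == pkt.app)
            and (rule.app_hash == "*" or rule.app_hash == pkt.app_hash)
            and (rule.remote_ip == "*" or rule.remote_ip == remote_ip)
            and (rule.port == 0 or rule.port == pkt.dst_port))


class PersonalFirewall:
    def __init__(self, rules, silent: bool = True):
        self.rules = list(rules)
        self.silent = silent        # drop silently (invisible) or send RST/ICMP
        self.table = set()          # (proto, local_ip, local_port, remote_ip, remote_port)

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        if pkt.direction == "out":
            return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def decide(self, pkt: Packet) -> str:
        key = self._key(pkt)
        if key in self.table:
            return "allow: part of an established connection"
        if any(rule_matches(r, pkt) for r in self.rules):
            self.table.add(key)     # remember it so replies are allowed back
            return "allow: matched rule"
        if pkt.direction == "out":
            return "drop: application not allowed to connect out"
        # unsolicited inbound: stay invisible by not answering at all
        return "drop: unsolicited, no reply sent" if self.silent else "reject: RST/ICMP sent"


# --- constructed scenario -----------------------------------------------------
LOCAL = "192.0.2.10"
SFTP_HOST, FTP_CLIENT, SCANNER = "198.51.100.5", "198.51.100.7", "203.0.113.9"
WINSCP_HASH = "sha256:constructed-good"

RULES = [
    Rule("out", app="winscp.exe", app_hash=WINSCP_HASH, port=22),   # one client may go out
    Rule("in", app="ftpd.exe", remote_ip=FTP_CLIENT, port=21),     # one host may reach the FTP server
]


def run_scenario(rules=RULES) -> list:
    fw = PersonalFirewall(rules)
    steps = [
        ("winscp connects out", Packet("out", "tcp", LOCAL, 50000, SFTP_HOST, 22, True, "winscp.exe", WINSCP_HASH)),
        ("sftp server replies", Packet("in", "tcp", SFTP_HOST, 22, LOCAL, 50000)),
        ("scanner probes port 445", Packet("in", "tcp", SCANNER, 40001, LOCAL, 445, True)),
        ("allowed host opens ftp", Packet("in", "tcp", FTP_CLIENT, 40002, LOCAL, 21, True, "ftpd.exe")),
        ("other host opens ftp", Packet("in", "tcp", SCANNER, 40003, LOCAL, 21, True, "ftpd.exe")),
        ("unknown app phones home", Packet("out", "tcp", LOCAL, 50001, SCANNER, 80, True, "updater.exe", "sha256:constructed-x")),
        ("replaced winscp.exe", Packet("out", "tcp", LOCAL, 50002, SCANNER, 22, True, "winscp.exe", "sha256:constructed-evil")),
    ]
    return [(label, fw.decide(p)) for label, p in steps]


if __name__ == "__main__":
    for label, verdict in run_scenario():
        print(f"{label:28s} -> {verdict}")
```

With the hash-pinned rule the final step (a binary named winscp.exe with a different hash) is dropped; replace the rule with `Rule("out", app="winscp.exe", port=22)` and the same packet is allowed, which is the "replacing an application" misuse case in miniature. The model still shares the slide's structural weakness: it runs on the host it protects, so anything that can edit `RULES` or the connection table in memory defeats it.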

Last year's project: usability and security of personal firewalls
Two use cases:
- making a successful outgoing connection with WinSCP to remote-und.ida.liu.se
- setting up an FTP server and only allowing one specific host to connect to it
Two misuse cases:
- port scanning
- replacing an application

Backup
No one needs a backup, until they need one.
Strategies:
- unstructured
- full + incremental/differential
- mirror + reverse
- continuous
Reasonable backup media for home users: USB devices, CD, P2P network, service
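The "full + incremental/differential" strategy is the one home users most often get wrong when restoring, so here is an added example (not from the lecture) that works through a constructed file set and change schedule and shows, per day, which files each strategy copies and which backups are needed to restore that day. The file names, sizes and change schedule are made up; days are plain integers.

```python
"""Which files each backup strategy copies, and what is needed to restore.
The sample file set, sizes and change schedule are constructed for this example."""


def backup_plan(kind: str, files: set, daily_changes: list) -> list:
    """kind: 'full', 'incremental' or 'differential'.
    daily_changes[i] is the set of files modified on day i+1; day 0 is always
    a full backup. Returns one (day, files_copied, backups_needed_to_restore)
    tuple per day."""
    if kind not in ("full", "incremental", "differential"):
        raise ValueError(f"unknown strategy {kind!r}")
    mtime = {f: 0 for f in files}           # last-modified day of every file
    plan = [(0, set(files), [0])]
    for day, changed in enumerate(daily_changes, start=1):
        if changed - files:
            raise ValueError(f"unknown files changed on day {day}: {changed - files}")
        for f in changed:
            mtime[f] = day
        if kind == "full":
            copied, chain = set(files), [day]                    # everything, every day
        elif kind == "differential":
            copied = {f for f in files if mtime[f] > 0}          # changed since the last full
            chain = [0, day]                                      # restore = full + latest differential
        else:
            copied = {f for f in files if mtime[f] == day}       # changed since the previous backup
            chain = list(range(day + 1))                          # restore = full + every incremental
        plan.append((day, copied, chain))
    return plan


def bytes_copied(plan: list, sizes: dict) -> int:
    """Total volume written over the whole plan."""
    return sum(sizes[f] for _, copied, _ in plan for f in copied)


def restorable(plan: list, day: int, lost: set) -> bool:
    """Can the state of `day` be restored if the backups in `lost` are gone?"""
    chain = next(c for d, _, c in plan if d == day)
    return not (set(chain) & lost)


# --- constructed sample data ------------------------------------------------
SIZES = {"photos.zip": 4000, "thesis.doc": 50, "mail.pst": 900, "notes.txt": 5}
FILES = set(SIZES)
CHANGES = [{"thesis.doc"}, {"thesis.doc", "mail.pst"}, {"notes.txt"}]

if __name__ == "__main__":
    for kind in ("full", "differential", "incremental"):
        plan = backup_plan(kind, FILES, CHANGES)
        print(f"{kind}: {bytes_copied(plan, SIZES)} units copied")
        for day, copied, chain in plan:
            print(f"  day {day}: copy {sorted(copied)}, restore needs {chain}")
        print(f"  day 3 restorable if day-2 backup is lost: {restorable(plan, 3, {2})}")
```

The numbers make the trade-off visible: incremental backups copy the least (5960 units against 6910 for differential and 19820 for daily fulls on this data), but losing any one incremental breaks every later restore, whereas a differential restore only ever needs the last full and the latest differential.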

Knowledge: a checklist
A Home User's Security Checklist for Windows: http://www.securityfocus.com/columnists/220
Do your own risk analysis and assess your security.

When to choose what: risk analysis
- Identify the assets: data, hardware, network, services
- Identify threats (a possible danger to your system): spy, hacker, disgruntled employees, blackout, flood, theft, break-down, virus/worm/spyware/adware infection
- Identify vulnerabilities (the absence or weakness of a countermeasure; a condition that has the potential to allow a threat to occur): no mail/network encryption used, closeness to a river, cheap locks, exposed area
- Identify countermeasures (controls, safeguards)

Typical risk analysis
- Identify the assets, threats, vulnerabilities, countermeasures
- Identify the risk = probability of attack (the materialisation of a vulnerability) P, the cost of replacing the assets C_A and the cost of the countermeasure C_C
- Mathematically: only if P * C_A > C_C is it feasible to install the countermeasure.
- Practically: how do you quantify the cost of volatile assets such as knowledgeable staff, good reputation, reliable customers, etc.?

Almut Herzog 14
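As an added example (not from the lecture), the decision rule on this slide applied to a small constructed risk register for a home office. Each entry carries the slide's three quantities P, C_A and C_C; the register is invented, and the "reputation" entry deliberately has no C_A to show how the rule behaves on the volatile assets the slide warns about.

```python
"""Risk register evaluation with the lecture's rule: install a countermeasure
only if P * C_A > C_C. The register below is constructed for this example."""


def expected_loss(p: float, c_a):
    """P * C_A, or None when the asset cost could not be quantified."""
    return None if c_a is None else p * c_a


def evaluate(register: list) -> list:
    """Annotate every entry with its expected loss and a verdict, then order the
    quantified risks by expected loss (largest first) with unquantified ones last."""
    rows = []
    for r in register:
        loss = expected_loss(r["P"], r["C_A"])
        if loss is None:
            verdict = "cannot quantify asset, decide qualitatively"
        elif loss > r["C_C"]:
            verdict = "install countermeasure"
        else:
            verdict = "accept risk"
        rows.append({**r, "expected_loss": loss, "verdict": verdict})
    rows.sort(key=lambda row: (row["expected_loss"] is None, -(row["expected_loss"] or 0)))
    return rows


# --- constructed register: P per year, costs in arbitrary currency units ------
REGISTER = [
    {"threat": "virus/worm infection", "countermeasure": "anti-virus subscription",
     "P": 0.5, "C_A": 2000, "C_C": 40},
    {"threat": "flood (office close to a river)", "countermeasure": "move servers upstairs",
     "P": 0.01, "C_A": 20000, "C_C": 500},
    {"threat": "laptop theft", "countermeasure": "disk encryption + cable lock",
     "P": 0.05, "C_A": 1500, "C_C": 60},
    {"threat": "reputation loss after a breach", "countermeasure": "external audit",
     "P": 0.1, "C_A": None, "C_C": 3000},
]

if __name__ == "__main__":
    for row in evaluate(REGISTER):
        print(f"{row['threat']:34s} P*C_A={row['expected_loss']!s:>7} C_C={row['C_C']:>5}  {row['verdict']}")
```

Note how the rule rejects the flood countermeasure (expected loss 200 against a cost of 500) even though the consequence is the largest in the register: the formula weighs probability and cost only, which is why the slide's practical caveat about unquantifiable assets, and a second look at low-probability, high-impact threats, belongs next to it.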