Malicious Software
NS-H0503-02/1104
Why bother to secure data?
• Information has value; it can affect our lives and our livelihood
• Information has become an integral part of the structure of society
• Information needs to be trusted if it is to be useful; the breakdown of trust removes value from the information protected.
What are we protecting against?
• Deletion or destruction
• Alteration (Detected or undetected)
• Unauthorised Access (Privacy)
• Loss of productivity
Who is the enemy?
External Threats:
• Virus Attacks
• Hacker Attacks
• Theft of data
• Sabotage
• Natural Disaster
Hackers, Crackers & SK’s
What is a Hacker?
• Traditionally used as a term of respect
• High level user, talented in programming
• Renowned for finding previously undiscovered
and often unexpected uses for computer systems
and networks
Black Hat Hacker
• May be Amateur or Professional
• May attempt to destroy or alter data
• Will often use known security flaws to create a “beachhead”
• Attempts to gain Administrator or root access
• Will prey on system users’ naïveté or carelessness
• Will attempt to remove all traces of intrusion
Black Hat Arsenal
• Trojan programs
• “Spy ware” programs
• Password stealers
• Password crackers
Black Hat Tactics
• Exploit published or known security flaws to gain
access
• User impersonation and deception
• Eavesdropping on Email correspondence
White Hat Hacker
• Cyber Idealist
• Often very active in online discussion
• Very competitive
• Wishes to expose poor programming and claim credit for being the “first” to find errors
• Feels compelled to inform cyber community of security issues
Are they a Problem?
• Not Interested in stealing / altering data
• Often use carriers with weak payload or none at all
• Often view security in an abstract form (a challenge
or test of cyber strength)
• May warn users of potential security risks without
thought of reward
The White Hat Dilemma
• Software is often “unsecured” when released
• Software producers are not always responsive to
warnings
• Should a security flaw be published if there is no
solution?
• The conflict of idealism and commercial reality
Script Kiddies
• Not true hackers (i.e. relatively unskilled)
• Often immature
• Use tools devised by skilled hackers
• Will destroy data without understanding the implications of their actions
• Seeking attention from their peer group
Malicious Programs
• Computer “Viruses” and related programs have
the ability to replicate themselves on an ever
increasing number of computers. They originally
spread by people sharing floppy disks. Now they
spread primarily over the Internet (a “Worm”).
• Other “Malicious Programs” may be installed by
hand on a single machine. They may also be built
into widely distributed commercial software
packages. These are very hard to detect before
the payload activates (Trojan Horses, Trap Doors,
and Logic Bombs).
Taxonomy of Malicious Programs
• Need host program:
  – Trapdoors
  – Logic Bombs
  – Trojan Horses
  – Viruses (replicate)
• Independent:
  – Bacteria (replicate)
  – Worms (replicate)
  – Zombie
Definitions
• Virus - code that copies itself into other
programs.
• A “Bacteria” replicates until it fills all disk space,
or CPU cycles.
• Payload - harmful things the malicious program
does, after it has had time to spread.
• Worm - a program that replicates itself across the network (usually riding on email messages or attached documents, e.g., macro viruses).
Definitions
• Trojan Horse - instructions in an otherwise good
program that cause bad things to happen
(sending your data or password to an attacker
over the net).
• Logic Bomb - malicious code that activates on an
event (e.g., date).
• Trap Door (or Back Door) - undocumented entry point written into code for debugging that can let in unwanted users.
• Easter Egg - extraneous code that does something “cool.” A way for programmers to show that they control the product.
What is a Virus?
• A program that is designed to explore or exploit the security of a system
• Originally designed to perform useful functions, they were given the name “daemons”
• Daemons are independent processes that have a “life” of their own.
• Daemons run in the background of an operating system and perform specified operations at predefined times or in response to certain events.
Common Vectors of infection
• Removable media (Floppy disk, CDROM)
• Network Connections (LAN, WAN and Internet)
– Email (Most Common)
– WWW (Becoming more common, e.g. Nimda)
– FTP (Rare)
The Daemon evolves
• A Daemon can be used to “retrieve” passwords
or other secure information and send them to an
unauthorised user or third party.
• Viruses have further evolved over time, and
exhibit similar strategies to their biological
namesakes.
Boot Sector Infection
• Infect the Boot Sector of a Floppy disk
• Manually transferred by users sharing files via the
floppy disk media
• Example: “The Brain Virus” (First recorded MSDOS
virus)
Basic or Overwriting Viruses/Worms
• Begin by infecting a single file
• May take residence in memory
• Spread without any attempt to evade detection
• Usually limited to a single host
• Examples: The "Jerusalem" and Melissa (I Love You) Viruses
Trojan or Malware Viruses
• Comprising a Carrier and a Payload
• Disguise themselves as a harmless file or even a “useful” program
• Payload is triggered by either an internal counter or external trigger
• Example: Michelangelo virus
Polymorph or Mutating Viruses
• Attempts to evade detection by changing its
shape and size randomly
• May employ tactics such as encryption
• May also have retro-virus characteristics
• Example: W32.Magistr email worm
Multipartite Viruses
• Combine File infection with MBR infection
• Employ anti-detection measures such as stealth,
encryption, retro-virus and Trojan type behaviours
• These Viruses are the most sophisticated of all and
therefore carry the greatest potential to damage data
• Example: W95.Babylonia Y2K Virus (Masqueraded as
a Y2K fix)
Viruses
• a piece of self-replicating code attached to some
other code
– cf biological virus
• both propagates itself & carries a payload
– carries code to make copies of itself
– as well as code to perform some covert task
Virus Phases
• Dormant phase - the virus is idle
• Propagation phase - the virus places an identical
copy of itself into other programs
• Triggering phase – the virus is activated to
perform the function for which it was intended
• Execution phase – the function is performed
Virus Protection
Have a well-known virus protection program, configured to scan disks and downloads automatically for known viruses.
Do not execute programs (or "macros") from unknown sources (e.g., PS files, HyperCard files, MS Office documents). Avoid the most common operating systems and email programs, if possible.
Virus Operation
• virus phases:
– dormant – waiting on trigger event
– propagation – replicating to programs/disks
– triggering – by event to execute payload
– execution – of payload
• details usually machine/OS specific
– exploiting features/weaknesses
Types of Viruses
• Parasitic Virus - attaches itself to executable files
as part of their code. Runs whenever the host
program runs.
• Memory-resident Virus - Lodges in main memory
as part of the residual operating system.
• Boot Sector Virus - infects the boot sector of a
disk, and spreads when the operating system
boots up (original DOS viruses).
• Stealth Virus - explicitly designed to hide from
Virus Scanning programs.
• Polymorphic Virus - mutates with every new host
to prevent signature detection.
Types of Viruses
• can classify on basis of how they attack
• parasitic virus
• memory-resident virus
• boot sector virus
• stealth
• polymorphic virus
• macro virus
Email Virus
• spread using email with attachment containing a
macro virus
– cf Melissa
• triggered when user opens attachment
• or worse even when mail viewed by using
scripting features in mail agent
• usually targeted at Microsoft Outlook mail agent
& Word/Excel documents
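The slide above says that email viruses ride in attachments containing macros and are aimed at Word/Excel documents and scripting features of the mail agent. The following is an added example written for this page (not code from the lecture or from any mail product) of the kind of attachment policy a mail gateway applies before the attachment reaches a user: it parses a message with Python's standard `email` library and blocks attachments whose extension may carry macros or script, or which hide a second extension. The extension list, the verdict strings and the sample message are all constructed assumptions for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath
from typing import Dict

# Assumed gateway policy: extensions treated as executable or macro-bearing.
# This list is an example choice for the demonstration, not an authoritative catalogue.
MACRO_OR_SCRIPT_EXT = {
    ".doc", ".dot", ".xls", ".ppt",                          # legacy Office formats that can carry macros
    ".docm", ".xlsm", ".pptm", ".dotm",                      # macro-enabled OOXML formats
    ".exe", ".scr", ".bat", ".vbs", ".js", ".hta", ".wsf",   # executables and scripts
}


def classify_attachment(filename: str, content_type: str) -> str:
    """Return 'allow' or a 'block: ...' reason for one attachment (policy is an assumption)."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    if not suffixes:
        return "block: attachment without a file extension"
    if suffixes[-1] in MACRO_OR_SCRIPT_EXT:
        return f"block: {suffixes[-1]} may carry macros or script (declared {content_type})"
    if len(suffixes) > 1:
        # e.g. invoice.pdf.js: the inner extension is what the user sees when
        # the mail client hides the real one.
        return "block: double extension " + "".join(suffixes)
    return "allow"


def evaluate_message(msg: EmailMessage) -> Dict[str, str]:
    """Re-parse the message as a gateway would receive it and classify every attachment."""
    parsed = email.message_from_bytes(msg.as_bytes(), policy=policy.default)
    verdicts: Dict[str, str] = {}
    for part in parsed.iter_attachments():
        name = part.get_filename() or ""
        verdicts[name] = classify_attachment(name, part.get_content_type())
    return verdicts


def gateway_decision(verdicts: Dict[str, str]) -> str:
    """Quarantine the whole message if any attachment is blocked, otherwise deliver it."""
    return "quarantine" if any(v.startswith("block") for v in verdicts.values()) else "deliver"


def build_sample_message() -> EmailMessage:
    """Constructed test message: one benign PDF, one legacy .doc, one double-extension file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Important message"
    msg.set_content("Here is the document you asked for.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder",
                       maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"constructed placeholder, not a real document",
                       maintype="application", subtype="msword", filename="list.doc")
    msg.add_attachment(b"constructed placeholder, not a real script",
                       maintype="application", subtype="octet-stream", filename="invoice.pdf.js")
    return msg


if __name__ == "__main__":
    verdicts = evaluate_message(build_sample_message())
    for name, verdict in verdicts.items():
        print(f"{name}: {verdict}")
    print("decision:", gateway_decision(verdicts))
```

The double-extension rule is deliberately blunt (it would also catch `archive.tar.gz`); a real gateway pairs a rule like this with content inspection of the attachment itself, since the filename is entirely under the sender's control.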
Worms
• replicating but not infecting program
• typically spreads over a network
– cf Morris Internet Worm in 1988
– led to creation of CERTs
• using users’ distributed privileges or by exploiting system vulnerabilities
• widely used by hackers to create zombie PCs, subsequently used for further attacks, esp DoS
• major issue is lack of security of permanently connected systems, esp PCs
Worm Operation
• worm phases like those of viruses:
– dormant
– propagation
• search for other systems to infect
• establish connection to target remote
system
• replicate self onto remote system
– triggering
– execution
Logic Bomb
• one of oldest types of malicious software
• code embedded in legitimate program
• activated when specified conditions met
– eg presence/absence of some file
– particular date/time
– particular user
• when triggered typically damage system
– modify/delete files/disks
Trojan Horse
• program with hidden side-effects
• which is usually superficially attractive
– eg game, s/w upgrade etc
• when run performs some additional tasks
– allows attacker to indirectly gain access
they do not have directly
• often used to propagate a virus/worm or
install a backdoor
• or simply to destroy data
Zombie
• program which secretly takes over another
networked computer
• then uses it to indirectly launch attacks
• often used to launch distributed denial of service
(DDoS) attacks
• exploits known flaws in network systems
Virus Countermeasures
• viral attacks exploit lack of integrity control on
systems
• to defend need to add such controls
• typically by one or more of:
– prevention - block virus infection mechanism
– detection - of viruses in infected system
– reaction - restoring system to clean state
Anti-Virus Software
• first-generation
– scanner uses virus signature to identify virus
– or change in length of programs
• second-generation
– uses heuristic rules to spot viral infection
– or uses program checksums to spot changes
• third-generation
– memory-resident programs identify virus by actions
• fourth-generation
– packages with a variety of antivirus techniques
– eg scanning & activity traps, access-controls
Antivirus Approaches
1st Generation, Scanners: searched files for any of
a library of known virus “signatures.” Checked
executable files for length changes.
2nd Generation, Heuristic Scanners: looks for more
general signs than specific signatures (code
segments common to many viruses). Checked
files for checksum or hash changes.
3rd Generation, Activity Traps: stay resident in
memory and look for certain patterns of software
behavior (e.g., scanning files).
4th Generation, Full Featured: combine the best of
the techniques above.
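The two slides above describe the first antivirus generation (signature scanning and checking executables for length changes) and the second (checksum or hash changes). As an added example written for this page, not taken from the lecture or from any antivirus product, the code below implements both checks over an in-memory set of "files" and shows why the checksum beats the length check: an in-place modification that keeps the file the same length is invisible to the length comparison but not to the hash. The signature strings, file paths and file contents are constructed placeholders, not patterns of any real virus.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed "signature library". In a real product these byte patterns come from
# the vendor's database; here they are arbitrary strings chosen for the example.
SIGNATURES: Dict[str, bytes] = {
    "EXAMPLE-SIG-A": b"EXAMPLE-PATTERN-A",
    "EXAMPLE-SIG-B": b"INFECT-MARKER",
}


def scan_signatures(data: bytes) -> List[str]:
    """First generation: names of known signatures found anywhere in the file."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def fingerprint(data: bytes) -> Tuple[int, str]:
    """Length (first-generation check) and SHA-256 digest (second-generation check)."""
    return len(data), hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, Tuple[int, str]]:
    """Record fingerprints of a known-clean system, to be stored read-only."""
    return {path: fingerprint(data) for path, data in files.items()}


def check_integrity(baseline: Dict[str, Tuple[int, str]],
                    files: Dict[str, bytes]) -> Dict[str, str]:
    """Classify each path as ok, length-changed, content-changed, new or missing."""
    report: Dict[str, str] = {}
    for path in sorted(set(baseline) | set(files)):
        if path not in files:
            report[path] = "missing"
        elif path not in baseline:
            report[path] = "new"
        else:
            old_len, old_hash = baseline[path]
            new_len, new_hash = fingerprint(files[path])
            if old_len != new_len:
                report[path] = "length-changed"
            elif old_hash != new_hash:
                report[path] = "content-changed"   # same length: only the hash notices
            else:
                report[path] = "ok"
    return report


def demo() -> Dict[str, Dict]:
    """Constructed scenario: a clean baseline, then four kinds of change."""
    clean = {
        "/bin/prog1": b"MZ\x00\x01program one body",
        "/bin/prog2": b"MZ\x00\x02program two body",
        "/bin/prog3": b"MZ\x00\x03program three body",
    }
    baseline = build_baseline(clean)
    after = dict(clean)
    after["/bin/prog1"] = clean["/bin/prog1"] + b"INFECT-MARKER"  # appended code: length grows, known signature
    after["/bin/prog2"] = b"MZ\x00\x02program TWO body"          # in-place edit: same length, no known signature
    del after["/bin/prog3"]                                       # removed
    after["/bin/prog4"] = b"MZ\x00\x04unknown newcomer"           # added
    return {
        "signatures": {path: scan_signatures(data) for path, data in after.items()},
        "integrity": check_integrity(baseline, after),
    }


if __name__ == "__main__":
    for section, result in demo().items():
        print(section)
        for path, value in result.items():
            print(f"  {path}: {value}")
```

In the scenario, signature scanning catches only `/bin/prog1` (it contains a pattern from the library), while the integrity check flags all four changes without knowing anything about the modifying code; that is the third-bullet "checksum" idea of the second generation. The baseline must be kept where the malicious program cannot rewrite it, or it protects nothing.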
Advanced Antivirus Techniques
• Generic Decryption (GD)
– CPU Emulator
– Virus Signature Scanner
– Emulation Control Module
• For how long should a GD scanner run each
interpretation?
Advanced Anti-Virus Techniques
• generic decryption
– use CPU simulator to check program signature
& behavior before actually running it
• digital immune system (IBM)
– general purpose emulation & virus detection
– any virus entering org is captured, analyzed,
detection/shielding created for it, removed
Advanced Antivirus Techniques (diagram not reproduced in this extract)
Behavior-Blocking Software
• integrated with host O/S
• monitors program behavior in real-time
– eg file access, disk format, executable mods,
system settings changes, network access
• for possibly malicious actions
– if detected can block, terminate, or seek ok
• has advantage over scanners
• but malicious code runs before detection
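The slide above lists the behaviours a blocker watches (file access, disk format, executable modification, settings changes, network access), the responses (block, terminate, or ask), and the caveat that the malicious code has already run before it is detected. The following is an added example written for this page, not code from the lecture or from any product: a small rule engine run over a constructed event stream. The event format, the rules, the threshold and the process names are all assumptions; the `blocked_after` field records how many of a process's actions had already executed when the verdict was reached, which is the slide's last point made concrete.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Assumed threshold: a process that rewrites this many distinct executables looks
# like a parasitic virus attaching itself to host programs.
EXEC_MODIFY_THRESHOLD = 3


@dataclass(frozen=True)
class Event:
    pid: int
    process: str
    action: str   # "write", "exec_modify", "settings_change", "net_connect", "disk_format"
    target: str


# Constructed event stream (not real telemetry). pid 100 is an editor saving a document;
# pid 200 rewrites executables; pid 300 adds an autorun entry and then goes on the network.
SAMPLE_EVENTS: List[Event] = [
    Event(100, "editor", "write", "/home/user/notes.txt"),
    Event(200, "update_helper", "exec_modify", "/bin/a"),
    Event(300, "shiny_screensaver", "settings_change", "autorun-entry"),
    Event(100, "editor", "write", "/home/user/notes.txt"),
    Event(200, "update_helper", "exec_modify", "/bin/b"),
    Event(300, "shiny_screensaver", "net_connect", "203.0.113.10:80"),
    Event(200, "update_helper", "exec_modify", "/bin/c"),
    Event(200, "update_helper", "net_connect", "203.0.113.11:443"),   # never runs: process already blocked
]


def _new_state() -> Dict:
    return {"exec_modified": set(), "autorun": False, "net": False,
            "verdict": "allow", "reason": "", "events_seen": 0, "blocked_after": None}


def evaluate(events: List[Event]) -> Dict[int, Dict]:
    """Apply the behaviour rules event by event; a blocked process gets no further events."""
    state: Dict[int, Dict] = defaultdict(_new_state)
    for ev in events:
        s = state[ev.pid]
        if s["verdict"] == "block":
            continue   # terminated: anything it would have done later is prevented
        s["events_seen"] += 1   # this action has already executed by the time we look at it
        reason = None
        if ev.action == "disk_format":
            reason = "attempted disk format"
        elif ev.action == "exec_modify":
            s["exec_modified"].add(ev.target)
            if len(s["exec_modified"]) >= EXEC_MODIFY_THRESHOLD:
                reason = f"modified {len(s['exec_modified'])} executables"
        elif ev.action == "settings_change" and ev.target.startswith("autorun"):
            s["autorun"] = True
        elif ev.action == "net_connect":
            s["net"] = True
        if reason is None and s["autorun"] and s["net"]:
            reason = "persistence via autorun entry combined with network activity"
        if reason is not None:
            s["verdict"] = "block"
            s["reason"] = reason
            s["blocked_after"] = s["events_seen"]
    return {pid: dict(v) for pid, v in state.items()}


if __name__ == "__main__":
    for pid, s in evaluate(SAMPLE_EVENTS).items():
        print(pid, s["verdict"], s["reason"], "actions already run:", s["events_seen"])
```

The point of `blocked_after` is that pid 200 has already modified three executables when it is stopped and pid 300 has already installed its autorun entry; a blocker limits damage rather than preventing it, which is why the slide places it beside, not instead of, scanning.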
Recommended Reading and WEB Sites
• Denning, P. Computers Under Attack: Intruders, Worms, and Viruses. Addison-Wesley, 1990
• CERT Coordination Center (WEB Site)
• AntiVirus Online (IBM’s site)