ECE454 Homework – Malware Paragraphs

Contents

Botnets
Buffer Overflow
Cross Site Scripting
Directory Traversal
DoS/DDoS Explanation
Encrypted and Polymorphic Virus
Logic Bomb
Phishing
Rootkit
Spyware
SQL Injection
Trapdoors
Trojan Horse Attacks
Worms
Zombies

Botnets

A botnet is a network of computers that are infected with malicious software that can be controlled by the botnet’s originator. Each infected computer in the network is referred to as a bot, and the originator can send the bots commands through IRC, HTTP, or other protocols. These networks are used to send spam mail, perform DDoS attacks or click fraud, steal confidential information, or execute a host of other malicious attacks. Signs of an infected computer are slow operation and frequent crashes.

Currently, there are several ways to detect or stop botnets. On an individual computer, antivirus software can remove known botnets, and firewalls can sometimes be used to block a botnet’s communication with its originator. On the network level, botnets can be detected by using advanced intrusion detection systems involving network traffic analysis, honeypots, or various other techniques. To proactively protect against becoming infected, users should install antivirus programs, frequently update software, use strong passwords, and install a firewall.

Buffer Overflow

A buffer overflow occurs when a program writes to a buffer but goes beyond the buffer’s boundary and into adjacent memory not allocated to the buffer. The memory beyond the buffer is overwritten with whatever the program was writing. This causes memory corruption, which can lead to unpredictable results if done by accident while coding. It can also be used maliciously to exploit vulnerabilities in software: attackers can purposely overwrite memory near a buffer to change the program’s behavior in their favor.
The easiest way to counter this is to have built-in automatic bounds checking at the language/compiler level. Further protection can come in the form of “canaries”: known values that are placed between a buffer and nearby memory. When the buffer overflows, the first thing to be overwritten is the canary, and if the canary has been changed, a flag is raised for an overflow. Finally, programmers should carefully control data allocation and ensure that there are no mistakes to exploit.

Cross Site Scripting

Cross-site scripting, or XSS, is when an outside source exploits a weakness in a web page to insert its own malicious content. There are many ways that XSS can be done, ranging from JavaScript to a simple HTML hyperlink to fool the user; however, some XSS exploits don’t even need to fool the user into entering data or clicking a link. Just by visiting a certain website or forum, one can be infected with the malicious code from the attacker. XSS can steal sensitive information from the user such as cookies and usernames/passwords, create requests that can be mistaken for valid requests, or execute malicious code. To minimize the potential for XSS attacks, websites should filter and escape all user input. Escaped input will not be interpreted by a user’s browser as executable code.

Directory Traversal

Directory traversal exploits insufficient security validation of user-supplied input file names. The aim of the attack is to get to sensitive data such as system files. This is accomplished by using the input “../” to move up a directory. Directory traversal attacks can be prevented by carefully checking user input and normalizing all characters. Checks should ensure that the first N characters of the fully qualified path to the requested file are exactly the same as the document root. If the characters match, allow the file to be returned; otherwise, return an error.
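An added example, not part of the homework, that implements the checks this section describes: character normalization, rejection of “..” segments, the first-N-characters comparison against the document root, and the index-based alternative. The document root /var/www/html and the FILE_INDEX table are assumptions constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for the example; any absolute path works.
DOCUMENT_ROOT = "/var/www/html"

# Index-based alternative: requests name an index, never a path fragment.
# Constructed table for the example.
FILE_INDEX = {1: "index.html", 2: "css/site.css", 3: "docs/manual.pdf"}


class TraversalError(ValueError):
    """Raised when a request would resolve outside the document root."""


def resolve_request(requested: str, root: str = DOCUMENT_ROOT) -> str:
    """Return the fully qualified path for a request, or raise TraversalError."""
    # Normalize characters first: percent-decode twice so that double-encoded
    # sequences such as %252e%252e are seen, and fold backslashes, which some
    # servers accept as separators, into "/".
    decoded = unquote(unquote(requested)).replace("\\", "/")
    # Reject any ".." path segment outright ("notes..txt" is still allowed).
    if ".." in decoded.split("/"):
        raise TraversalError(f"parent-directory segment in {requested!r}")
    root_abs = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root_abs, decoded.lstrip("/")))
    # The first N characters of the fully qualified path must equal the
    # document root; the trailing "/" stops "/var/www/html-old" from matching.
    if full != root_abs and not full.startswith(root_abs + "/"):
        raise TraversalError(f"{requested!r} resolves to {full}, outside {root_abs}")
    return full


def resolve_index(index: int, root: str = DOCUMENT_ROOT) -> str:
    """Map a numeric index to a predetermined path; unknown indices are errors."""
    if index not in FILE_INDEX:
        raise TraversalError(f"no file registered under index {index}")
    return resolve_request(FILE_INDEX[index], root)


def is_allowed(requested: str, root: str = DOCUMENT_ROOT) -> bool:
    """Boolean form of resolve_request, convenient for request filters."""
    try:
        resolve_request(requested, root)
        return True
    except TraversalError:
        return False
```

Symbolic links inside the root are not followed here; a deployment would apply os.path.realpath to the final path before the prefix comparison so that a link pointing outside the root is also rejected.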
Furthermore, one should check for inputs that contain “..”. Other defense strategies consist of using indexes rather than actual portions of the file names; the indices can be associated with predetermined file paths.

DoS/DDoS Explanation

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. DoS attacks originate from a single machine or IP address, while DDoS attacks appear to come from a wide range of IP addresses. The attacks generally work to either crash a system or flood it to the point that it is rendered unusable. Typical targets include sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. Some defense techniques include firewalls, switches, and routers. More focused defense techniques include application front-end hardware, intrusion prevention systems, and DDS-based defense techniques.

Encrypted and Polymorphic Virus

A computer virus is code that copies itself into other programs so that it will be executed unbeknownst to the user. One implementation of a virus is the encrypted virus, a type of virus which copies both an encrypted copy of the virus and decryption instructions into the program. Since the decryption module stays constant between infected files, and because code modifying itself is considered suspicious, anti-virus software can use these peculiarities in its virus definitions to try to detect suspicious files that might be encrypted viruses. Another virus implementation is the polymorphic virus. Every time a polymorphic virus is copied into new code, it masks the way it appears to antivirus programs by altering the decryption instructions. This way two programs can be infected by the same polymorphic virus, but finding one will not compromise the other, due to the different code structure.
Anti-virus software can detect polymorphic viruses by using pattern analysis, or by decrypting the malicious code within an emulated environment to prevent any actual damage.

Logic Bomb

A logic bomb is a piece of code inserted into software that will set off a malicious or unintended function when specified conditions are met. For something to be considered a logic bomb, the payload should be unwanted and unknown to the user of the software. Viruses and other malicious software can contain logic bombs that trigger at a pre-defined time or when some condition is met. There are two types of triggers: positive and negative. Positive triggers activate the code when something happens; conversely, negative triggers activate the code when something doesn’t happen. Logic bombs can be used to gain momentum and spread a virus before it is noticed. Logic bombs are usually not designed to spread to individual recipients; instead they attempt to compromise specific software or networks.

Phishing

Phishing refers to the act of using deception to obtain information such as usernames, passwords, and credit card numbers from users. Phishers masquerade as well-known and trusted entities and usually use electronic communication such as email. These emails often claim that a user’s account has been hacked or needs to be updated. The phisher instructs the user to supply their account information either by replying to the message or by visiting a malicious website. Techniques used to defend against phishing include user training, public awareness, and several technical security measures. The best way to protect against phishing is simply to be cautious about where you enter any account information. Most legitimate businesses will never ask for passwords or credit card information through email. If there is any question about whether or not an email is legitimate, it is a good idea to call the business and ask.
Rootkit

A rootkit is a type of nefarious software that is installed through privilege escalation to perform malicious activities on a compromised system, cloaking its presence in the process. Rootkits can only be detected when there is some flaw in their cloaking mechanisms. Because they can intercept operating system calls, normal detection methods cannot be expected to work. Some ways to detect rootkits involve using difference-based techniques or behavioral detection. Rootkits can be very difficult to remove because they can target the security software that is designed to root them out, such as antivirus software or event loggers. To minimize the potential of being infected, operating systems should follow the principle of least privilege. Furthermore, users should apply the latest security updates and install appropriate security software. Once a rootkit is installed, it can be almost impossible to remove successfully; a complete wipe of the hard drive and reinstall of the operating system may be necessary.

Spyware

Spyware is a form of malware that gets installed on your computer and collects information on what you do on it. Spyware can monitor a user’s activities to steal personal information, install additional software, change computer settings, and redirect web browsers. One way to prevent this is to use anti-spyware software, which scans all downloads at the time they are downloaded; if any file matches the description of a known spyware program, it is removed from the download. To remove spyware, deleting the file is not always enough. You can restore your system to a previous backup version or reinstall your operating system to remove the spyware.

SQL Injection

SQL is a language that allows for interacting with databases consisting of named tables with named fields via specially constructed strings that are often generated dynamically from user input.
If this user input is not properly sanitized, the result can be a vulnerability that allows unauthorized access to the database, known as SQL injection. Some examples of attacks that can be performed are to use Boolean operators to force the statement to evaluate to true only when some sensitive information within the database is guessed correctly, or to add additional statements to the SQL string that maliciously modify the database. SQL injection attacks do not require foreknowledge of the format of the SQL string or the layout of the database; a clever attacker can unveil these using the vulnerability itself and then perform more sophisticated actions with this information. Defense against this type of attack can be accomplished by not allowing unbounded user input to be inserted directly into SQL strings, as well as by limiting the scope of any potential vulnerability through database permissions and proper isolation of data.

Trapdoors

A trapdoor, in computing, refers to a block of code or a program which allows a user to gain access to a system, bypassing the security protocols. Some programmers create trapdoors in order to quickly access parts of a program that may need fixing without having to deal with the security protocols. These trapdoors should be removed in the final version of the program, but sometimes they are forgotten. Most unintended trapdoors are a result of poor program design or mistakes. Attackers can also create trapdoors to bypass normal security protocols. Because trapdoors can be created intentionally or left in programs unintentionally, it is very difficult to detect or remove them. The only reliable way to remove a trapdoor is to reformat the system and not install that particular program again. The best way to prevent a trapdoor is to make sure that programs are reviewed carefully during the programming process and thoroughly checked for any security errors.
Trojan Horse Attacks

A trojan horse attack distributes a useful program which contains a malicious “trojan horse”. These types of attacks almost always rely on social engineering tactics to activate and spread. Once the user voluntarily runs the infected software, the trojan horse can do any number of things to the infected system, such as collecting personal information. The best defense against these attacks today is to keep a strong anti-virus program running and use a modern web browser that can alert you to these infected files when visiting a website known to harbor trojan horse programs. Also, being socially aware and not downloading and running suspicious files from unknown sites and services is a first line of defense against social engineering exploits.

Worms

A worm is a piece of malware that, like a virus, replicates itself to spread to other systems. The difference between a worm and a virus is that a worm doesn’t need to inject itself into an existing program to be executed. Worms can have payloads, such as installing backdoors to create zombie machines for botnets, but even without payloads they can cause damage due to the network traffic they create. Worms are generally protected against with security updates to vulnerabilities in software. Researchers have also found a way to combat worms that scan the network randomly to find new hosts: by monitoring the scans a machine sends out, a machine that sends out too many can be identified as likely being infected. Additional mitigation techniques include access control lists and null routing.

Zombies

One definition of the word zombie, a more metaphorical one, is someone or something that is currently unaware of what they are doing. Similarly, in computer security, the term zombie is used to describe a computer, connected to the web, which is used to perform a pre-programmed task. Usually this computer is infected with some kind of virus or is manually compromised by a hacker.
The tasks that it performs generally consist of sending spam emails and participating in DDoS attacks.
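An added example for the scan-rate detection described in the Worms section (not part of the homework): it reads a constructed connection log and flags any source that contacts more than a threshold of distinct hosts within a sliding time window. The log lines, the threshold of five hosts and the sixty-second window are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed connection log ("timestamp src dst dport"), not real traffic:
# 10.0.0.5 talks repeatedly to two hosts, while 10.0.0.7 touches a new host
# every second, the pattern of a worm scanning for targets.
FLOW_LOG = """\
2024-01-01T10:00:00 10.0.0.5 10.0.0.20 445
2024-01-01T10:00:01 10.0.0.5 10.0.0.20 80
2024-01-01T10:00:02 10.0.0.5 10.0.0.30 443
2024-01-01T10:00:03 10.0.0.7 10.0.0.21 445
2024-01-01T10:00:03 10.0.0.7 10.0.0.22 445
2024-01-01T10:00:04 10.0.0.7 10.0.0.23 445
2024-01-01T10:00:04 10.0.0.7 10.0.0.24 445
2024-01-01T10:00:05 10.0.0.7 10.0.0.25 445
2024-01-01T10:00:05 10.0.0.7 10.0.0.26 445
2024-01-01T10:00:06 10.0.0.7 10.0.0.27 445
"""


def parse_flows(text):
    """Yield (timestamp, src, dst, dport) tuples from the log text."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(port)


def find_scanners(flows, max_new_hosts=5, window_seconds=60):
    """Flag sources that contact more than max_new_hosts distinct destinations
    inside any sliding window of window_seconds. Returns {src: (when, count)}."""
    recent = defaultdict(deque)  # src -> (timestamp, dst) pairs in the window
    flagged = {}
    for ts, src, dst, _port in flows:
        window = recent[src]
        window.append((ts, dst))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()  # drop connections older than the window
        distinct = len({d for _, d in window})
        if distinct > max_new_hosts and src not in flagged:
            flagged[src] = (ts, distinct)  # first moment the threshold is crossed
    return flagged


if __name__ == "__main__":
    for src, (when, count) in find_scanners(parse_flows(FLOW_LOG)).items():
        print(f"{src} contacted {count} distinct hosts by {when}: likely infected")
```

A legitimate host such as a monitoring server also contacts many hosts, so a deployment would whitelist known scanners and tune the threshold to the network's normal fan-out before acting on a flag.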