Lecture 14 Overview - PowerPoint PPT Presentation

1 / 31
About This Presentation
Title:

Lecture 14 Overview

Description:

... Malicious Codes Code-Red Worm On July 19, 2001, more than 359,000 computers connected to the Internet were infected with the Code-Red (CRv2) ... – PowerPoint PPT presentation

Number of Views:142
Avg rating:3.0/5.0
Slides: 32
Provided by: Adm665
Learn more at: https://www.cse.unr.edu
Category:

less

Transcript and Presenter's Notes

Title: Lecture 14 Overview


1
Lecture 14 Overview
2
Program Flaws
  • Taxonomy of flaws
  • how (genesis)
  • when (time)
  • where (location)
  • the flaw was introduced into the system

3
Security Flaws by Genesis
  • Genesis
  • Intentional
  • Malicious Trojan Horse, Trapdoor, Logic Bomb,
    Worms, Virus
  • Non-malicious
  • Inadvertent
  • Validation error
  • Domain error
  • Serialization error
  • Identification/authentication error
  • Other error

4
Flaws by time
  • Time of introduction
  • During development
  • Requirement/specification/design
  • Source code
  • Object code
  • During maintenance
  • During operation

5
Flaws by Location
  • Location
  • Software
  • Operating system system initialization, memory
    management, process management, device
    management, file management, identification/authen
    tication, other
  • Support tools privileged utilities, unprivileged
    utilities
  • Application
  • Hardware

6
Malware Evolution
  • 1980s
  • Malware for entertainment (pranks)
  • 1983 virus
  • 1988 Internet Worm
  • 1990s
  • Malware for social status / experiments
  • 1990 antivirus software
  • Early 2000s
  • Malware to spam
  • Mid 2000s
  • Criminal malware

7
Lecture 15Malicious Codes
  • CS 450/650
  • Fundamentals of
  • Integrated Computer Security

Slides are modified from Csilla Farkas and
Brandon Phillips
8
Kinds of Malicious Codes
  • Virus a program that attaches copies of itself
    into other programs.
  • Propagates and performs some unwanted
    function
  • Viruses are not programs
  • Definition from RFC 1135 A virus is a piece of
    code that inserts itself into a host program,
    including operating systems, to propagate. It
    cannot run independently. It requires that its
    host program be run to activate it.

9
Kinds of Malicious Code
  • Worm a program that propagates copies of itself
    through the network.
  • Independent program.
  • May carry other code, including programs
    and viruses.
  • Definition from RFC 1135 A worm is a program
    that can run independently, will consume the
    resources of its host machine from within in
    order to maintain itself and can propagate a
    complete working version of itself on to other
    machines.

10
Kinds of Malicious Code
  • Rabbit/Bacteria make copies of themselves to
    overwhelm a computer system's resources
  • Denying the user access to the resources
  • Logic/Time Bomb programmed threats that lie
    dormant for an extended period of time until they
    are triggered
  • When triggered, malicious code is executed

11
Kinds of Malicious Code
  • Trojan Horse secret, undocumented routine
    embedded within a useful program
  • Execution of the program results in execution of
    secret code
  • Trapdoor secret, undocumented entry point into a
    program, used to grant access without normal
    methods of access authentication
  • Dropper Not a virus or infected file
  • When executed, it installs a virus into memory,
    on to the disk, or into a file

12
Malware Proliferation
(Microsoft Security Intelligence Report 6)?
13
Malware Families
14
Regional Threat Categories
(Microsoft Security Intelligence Report 6)?
15
Virus Lifecycle
  • Dormant phase the virus is idle
  • not all viruses have this stage
  • Propagation phase the virus places an identical
    copy of itself into other programs of into
    certain system areas
  • Triggering phase the virus is activated to
    perform the function for which it was created
  • Execution phase the function is performed
  • The function may be harmless or damaging

16
Virus Types
  • Parasitic virus
  • Attaches itself to a file and replicates when the
    infected program is executed
  • most common form
  • Memory resident virus
  • lodged in main memory as part of a resident
    system program
  • Virus may infect every program that executes

17
Virus Types
  • Boot Sector Viruses
  • Infects the boot record and spreads when system
    is booted
  • Gains control of machine before the virus
    detection tools
  • Very hard to notice
  • Macro Virus
  • virus is part of the macro associated with a
    document

18
Virus Types
  • Stealth virus
  • A form of virus explicitly designed to hide from
    detection by antivirus software
  • Polymorphic virus
  • A virus that mutates with every infection making
    detection by the signature of the virus
    difficult

19
How Viruses Append


virus
virus
Original program
Original program
Virus appended to program
20
How Viruses Append


Virus-1
virus
Original program
Original program
Virus-2
Virus surrounding a program
21
How Viruses Append


virus
Original program
Original program
Virus integrated into program
22
How Viruses Gain Control
  • Virus V has to be invoked instead of target T
  • V overwrites T
  • V changes pointers from T to V

23
High risk virus properties
  • Hard to detect
  • Hard to destroy
  • Spread infection widely
  • Can re-infect
  • Easy to create
  • Machine independent

24
Virus Signatures
  • Storage pattern
  • Code always located on a specific address
  • Increased file size
  • Execution pattern
  • Transmission pattern
  • Polymorphic Viruses

25
Antivirus Approaches
  • Detection
  • determine infection and locate the virus
  • Identification
  • identify the specific virus
  • Removal
  • remove the virus from all infected systems, so
    the disease cannot spread further
  • Recovery
  • restore the system to its original state

26
Preventing Virus Infection
  • Prevention
  • Good source of software installed
  • Isolated testing phase
  • Use virus detectors
  • Limit damage
  • Make bootable diskette
  • Make and retain backup copies important resources

27
Nyxem Email Virus
  • Estimate of total number of infected computers is
    between 470K and 945K
  • At least 45K of the infected computers were also
    compromised by other forms of spyware or botware
  • Spread

28
Worm
  • Self-replicating (like virus)
  • Objective system penetration (intruder)
  • Phases dormant, propagation, triggering, and
    execution
  • Propagation
  • Searches for other systems to infect
  • e.g., host tables
  • Establishes connection with remote system
  • Copies itself to remote system
  • Execute

29
Code-Red Worm
  • On July 19, 2001, more than 359,000 computers
    connected to the Internet were infected with the
    Code-Red (CRv2) worm in less than 14 hours
  • Spread

30
Sapphire/Slammer Worm
  • was the fastest computer worm in history
  • doubled in size every 8.5 seconds
  • infected more than 90 percent of vulnerable 75K
    hosts within 10 minutes.

31
Witty Worm
  • reached its peak activity after approximately 45
    minutes
  • at which point the majority of vulnerable hosts
    had been infected
  • World
  • USA
Write a Comment
User Comments (0)
About PowerShow.com