Lecture 14 Overview - PowerPoint PPT Presentation

1 / 31

About This Presentation

Title:

Lecture 14 Overview

Description:

... Malicious Codes Code-Red Worm On July 19, 2001, more than 359,000 computers connected to the Internet were infected with the Code-Red (CRv2) ... – PowerPoint PPT presentation

Number of Views:134

Avg rating:3.0/5.0

Slides: 32

Provided by: Adm665

Learn more at: https://www.cse.unr.edu

Category:

more less

Transcript and Presenter's Notes

Title: Lecture 14 Overview

1
Lecture 14 Overview
2
Program Flaws

Taxonomy of flaws
how (genesis)
when (time)
where (location)
the flaw was introduced into the system

3
Security Flaws by Genesis

Genesis
Intentional
Malicious Trojan Horse, Trapdoor, Logic Bomb,
Worms, Virus
Non-malicious
Inadvertent
Validation error
Domain error
Serialization error
Identification/authentication error
Other error

4
Flaws by time

Time of introduction
During development
Requirement/specification/design
Source code
Object code
During maintenance
During operation

5
Flaws by Location

Location
Software
Operating system system initialization, memory
management, process management, device
management, file management, identification/authen
tication, other
Support tools privileged utilities, unprivileged
utilities
Application
Hardware

6
Malware Evolution

1980s
Malware for entertainment (pranks)
1983 virus
1988 Internet Worm
1990s
Malware for social status / experiments
1990 antivirus software
Early 2000s
Malware to spam
Mid 2000s
Criminal malware

7
Lecture 15Malicious Codes

CS 450/650
Fundamentals of
Integrated Computer Security

Slides are modified from Csilla Farkas and
Brandon Phillips
8
Kinds of Malicious Codes

Virus a program that attaches copies of itself
into other programs.
Propagates and performs some unwanted
function
Viruses are not programs
Definition from RFC 1135 A virus is a piece of
code that inserts itself into a host program,
including operating systems, to propagate. It
cannot run independently. It requires that its
host program be run to activate it.

9
Kinds of Malicious Code

Worm a program that propagates copies of itself
through the network.
Independent program.
May carry other code, including programs
and viruses.
Definition from RFC 1135 A worm is a program
that can run independently, will consume the
resources of its host machine from within in
order to maintain itself and can propagate a
complete working version of itself on to other
machines.

10
Kinds of Malicious Code

Rabbit/Bacteria make copies of themselves to
overwhelm a computer system's resources
Denying the user access to the resources
Logic/Time Bomb programmed threats that lie
dormant for an extended period of time until they
are triggered
When triggered, malicious code is executed

11
Kinds of Malicious Code

Trojan Horse secret, undocumented routine
embedded within a useful program
Execution of the program results in execution of
secret code
Trapdoor secret, undocumented entry point into a
program, used to grant access without normal
methods of access authentication
Dropper Not a virus or infected file
When executed, it installs a virus into memory,
on to the disk, or into a file

12
Malware Proliferation
(Microsoft Security Intelligence Report 6)?
13
Malware Families
14
Regional Threat Categories
(Microsoft Security Intelligence Report 6)?
15
Virus Lifecycle

Dormant phase the virus is idle
not all viruses have this stage
Propagation phase the virus places an identical
copy of itself into other programs of into
certain system areas
Triggering phase the virus is activated to
perform the function for which it was created
Execution phase the function is performed
The function may be harmless or damaging

16
Virus Types

Parasitic virus
Attaches itself to a file and replicates when the
infected program is executed
most common form
Memory resident virus
lodged in main memory as part of a resident
system program
Virus may infect every program that executes

17
Virus Types

Boot Sector Viruses
Infects the boot record and spreads when system
is booted
Gains control of machine before the virus
detection tools
Very hard to notice
Macro Virus
virus is part of the macro associated with a
document

18
Virus Types

Stealth virus
A form of virus explicitly designed to hide from
detection by antivirus software
Polymorphic virus
A virus that mutates with every infection making
detection by the signature of the virus
difficult

19
How Viruses Append

virus
virus
Original program
Original program
Virus appended to program
20
How Viruses Append

Virus-1
virus
Original program
Original program
Virus-2
Virus surrounding a program
21
How Viruses Append

virus
Original program
Original program
Virus integrated into program
22
How Viruses Gain Control

Virus V has to be invoked instead of target T
V overwrites T
V changes pointers from T to V

23
High risk virus properties

Hard to detect
Hard to destroy
Spread infection widely
Can re-infect
Easy to create
Machine independent

24
Virus Signatures

Storage pattern
Code always located on a specific address
Increased file size
Execution pattern
Transmission pattern
Polymorphic Viruses

25
Antivirus Approaches

Detection
determine infection and locate the virus
Identification
identify the specific virus
Removal
remove the virus from all infected systems, so
the disease cannot spread further
Recovery
restore the system to its original state

26
Preventing Virus Infection

Prevention
Good source of software installed
Isolated testing phase
Use virus detectors
Limit damage
Make bootable diskette
Make and retain backup copies important resources

27
Nyxem Email Virus

Estimate of total number of infected computers is
between 470K and 945K
At least 45K of the infected computers were also
compromised by other forms of spyware or botware
Spread

28
Worm