Malware - PowerPoint PPT Presentation

Slides: 39
Provided by: csKauSec

1
Malware
  • Ge Zhang
  • Karlstad University

2
Focus
  • What malware are
  • Types of malware
  • How do they infect hosts
  • How do they propagate
  • How do they hide
  • How to detect them

3
What is malware?
  • Malware is a set of instructions that run on
    your computer and make your system do something
    that an attacker wants it to do.

4
What is it good for?
  • Steal personal information
  • Steal valuable data
  • Destroy data
  • Denial of Service
  • Use your computer as a relay

5
Viruses
  • A malicious piece of code that spreads itself
    from file to file
  • A virus needs a host file
  • Requires user interaction, like opening a file
  • Different types of viruses:
    • Program viruses
    • Boot viruses
    • Macro viruses

[Figure: an infected file carrying the virus as its payload]
6
Worms
  • A malicious piece of code that spreads itself
    from computer to computer by exploiting
    vulnerabilities
  • A worm needs no host file
  • Spreads without user interaction
  • Can spread via:
    • e-mail attachments
    • LAN or Internet
  • 2nd-generation worms automatically search for
    vulnerable computers and infect them
  • The whole Internet can be infected in less than
    20 minutes

7
Malicious Scripts
  • Malicious scripts written in JavaScript,
    VBScript, ActiveX, Flash, etc.
  • Can be hidden in e-mails or websites:
    • Flash banners and included JavaScript files
    • Cross-Site Scripting (XSS)
    • Cookie stealing

8
Trojans
  • Trojan Horse:
    • Programs with hidden malicious functionality
    • Appear to be screensavers, games, or other
      useful programs
  • There's an app for that!
    • iPhone and Android apps

9
Backdoors and Rootkits
  • A secret entry point into a program/system that
    allows someone aware of the trap door to gain
    access without going through the usual security
    access procedures
  • Backdoors:
    • Usually left by programmers for debugging and
      testing purposes, intentionally or
      unintentionally
  • Rootkits:
    • Usually installed by an attacker after having
      gained root/administrator access
    • Modify the entire system and avoid detection

10
Logic Bombs
  • Malicious code programmed to be activated on a
    specific date, time or circumstance
  • The action could be anything from formatting the
    hard drive to displaying a silly message on the
    user's screen
  • Often combined with a virus/worm (e.g., the
    Chernobyl virus)

11
Blended Threats
  • Advanced malicious software that combines the
    characteristics of viruses, worms, trojans and
    malicious scripts is sometimes called a Blended
    Threat
  • It's hard to know where to draw the line
  • Exploits one or many vulnerabilities in programs
    or the operating system

Mick Douglas, PaulDotCom Podcast,
https://twitter.com/#!/haxorthematrix/statuses/2421087772
12
Viruses
  • 4 phases:
    • Dormant phase: idle, waiting for some event
    • Triggering phase: activated to perform some
      intended actions
    • Propagation phase: copies itself into other
      programs
    • Execution phase: executes the payload

13
DOS Boot Sequence
  • ROM BIOS locates the master boot sector
  • Master boot sector: partition table
  • DOS boot sector: executable code and FAT

14
DOS bootstrap virus
  • A bootstrap virus resides in one of the boot
    sectors
  • Becomes active before DOS is operational
  • Example: the Stoned virus
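
The master boot sector described on the two slides above can be checked mechanically. The following is an added example written for this transcript, not code from the lecture: it parses a 512-byte master boot sector (boot code, four partition entries, the 0x55AA signature) and compares the hash of the boot code with a baseline recorded on a clean system, which is how a boot sector replaced by a bootstrap virus is noticed. The sample sectors and partition values are constructed inside the code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 446             # bytes 0..445 hold the boot code the BIOS jumps into
PARTITION_TABLE_OFFSET = 446    # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510..511 must be 0x55 0xAA for the BIOS to boot it


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte master boot sector into boot-code hash, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("a master boot sector is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": sha256_hex(sector[:BOOT_CODE_END]),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_boot_sector(sector: bytes, baseline_sha256: str) -> list:
    """Compare a sector against the recorded known-good hash; return readable findings."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing or damaged")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from the recorded baseline")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector (not from a real disk): one bootable FAT16 partition."""
    code = boot_code.ljust(BOOT_CODE_END, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xfe\xff\xff", 63, 204800)
    table = entry + b"\x00" * 48   # remaining three slots empty
    return code + table + BOOT_SIGNATURE


# Constructed inputs: a "clean" sector whose hash is recorded at install time, and a
# later copy whose boot code was replaced (what a bootstrap virus does when it moves
# the original sector elsewhere and takes its place). Both are made up for this example.
CLEAN_MBR = build_sample_mbr(b"clean-boot-code-sample")
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
MODIFIED_MBR = build_sample_mbr(b"replaced-boot-code-sample")

if __name__ == "__main__":
    print("clean   :", check_boot_sector(CLEAN_MBR, BASELINE_HASH) or "no findings")
    print("modified:", check_boot_sector(MODIFIED_MBR, BASELINE_HASH))
```

Only the boot-code region is hashed, so a legitimate repartitioning does not raise a finding while a replaced loader does; on a real machine the baseline would be taken from the first sector of the disk device right after installation.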

15
How does a bootstrap virus take control?
16
Parasitic virus
  • Overwriting virus
  • Appending virus

17
Companion virus
  • Does not need to modify the original file
  • Creates a new file with a specific name

18
Lifecycle of a virus
  • A virus gets created and released
  • The virus infects several machines
  • Samples are sent to anti-virus companies
  • They record a signature from the virus
  • The companies include the new signature in their
    database
  • Their scanners can now detect the virus

19
Virus hiding mechanisms
  • Encrypt the virus code with randomly generated keys
  • What happens if the boot area is encrypted?

20
Virus hiding mechanisms (2)
  • Polymorphism: randomly changes the
    encryption/decryption portion of a virus
    • Change the key each time the virus starts
    • Change the range of plaintext
    • Change the location of the encryption subroutine
  • Countermeasure: scan in RAM (after
    self-decrypting)

21
Virus hiding mechanisms (3)
  • Entry point changes
  • Random execution (JMP)
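
Added example, not from the lecture, showing why the encryption on the three slides above defeats a plain signature scan and what the "deciphering" technique listed under the second-generation scanner later in the deck recovers: one constructed body is XOR-encoded under three different single-byte keys (the "change key each time" idea), a plain pattern search misses every copy, and a scanner that tries all 256 keys finds each one at the same offset. The marker bytes, filler and keys are all made up for this example.

```python
# Constructed signature: stands in for a byte pattern an analyst extracted from a
# sample's decrypted body. It is made up for this example.
SIGNATURE = b"SAMPLE-MARKER-7f3a"

# Constructed "body": filler bytes around the marker, standing in for a program image.
PREFIX = b"\x00" * 24
SUFFIX = b"\xff" * 40
PLAIN_BODY = PREFIX + SIGNATURE + SUFFIX


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same operation encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def static_scan(data: bytes, signature: bytes) -> int:
    """First-generation check: plain pattern search. Returns the offset or -1."""
    return data.find(signature)


def deciphering_scan(data: bytes, signature: bytes):
    """Try every single-byte XOR key; return (key, offset) for the first hit, else None."""
    for key in range(256):
        offset = xor_bytes(data, key).find(signature)
        if offset != -1:
            return key, offset
    return None


def polymorphic_copies(body: bytes, keys) -> list:
    """Constructed stand-in for 'change key each time': the same body under different keys."""
    return [xor_bytes(body, k) for k in keys]


def compare_scanners(copies: list, signature: bytes) -> dict:
    """Count how many copies each scanner catches."""
    static_hits = sum(1 for c in copies if static_scan(c, signature) != -1)
    decipher_hits = sum(1 for c in copies if deciphering_scan(c, signature) is not None)
    return {"copies": len(copies), "static_hits": static_hits, "deciphering_hits": decipher_hits}


# Three copies of the same body under keys 0x11, 0x5c and 0xa7 (keys chosen for the example).
COPIES = polymorphic_copies(PLAIN_BODY, [0x11, 0x5c, 0xa7])

if __name__ == "__main__":
    print(compare_scanners(COPIES, SIGNATURE))
    for copy in COPIES:
        print("static:", static_scan(copy, SIGNATURE), "deciphering:", deciphering_scan(copy, SIGNATURE))
```

Single-byte XOR is the only transform tried here; a real polymorphic engine also rewrites the decryption routine, which is why the slide's other countermeasure, scanning the image in memory once the virus has decrypted itself, is still needed. In this model that runtime image is simply xor_bytes(copy, key), on which static_scan succeeds again.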

22
Macro viruses
  • Macro: an executable program embedded in a
    document to automate repetitive tasks (save
    keystrokes)
  • Application-dependent, e.g., MS Office
  • Crosses O.S. platforms
  • Why do virus writers like macro viruses?
    • Easy to learn
    • Easy to write
    • Popularity of MS Office

23
How a macro virus works
  • Every Word document is based on a template
  • When an existing or new document is opened, the
    template settings are applied first
  • A global template: NORMAL.DOT

24
Worms
  • Worm: self-replicating over networks, but not
    infecting programs and files
  • Examples: Morris worm, Blaster worm

25
The structure of worms
  • Target locator (find the target):
    • Email address collector
    • IP/port scanner
  • Warhead:
    • Break into remote machines
  • Propagation:
    • Automatically sending emails
    • Automatically attacking remote hosts
  • Remote control and update:
    • Download updates from a web server
    • Join an IRC channel
  • Lifecycle management:
    • Commit suicide
    • Avoid repeatedly infecting the same host
  • Payload

26
State of Worm Technology
  • Multiplatform: Windows, Unix, Mac, ...
  • Multi-exploit: web server, browser, email, ...
  • Ultrafast spreading: host/port scanning
  • Polymorphic: each copy has new code generated by
    equivalent instructions and encryption
    techniques
  • Metamorphic: different behaviour patterns
  • Transport vehicles for the payloads (spread
    attacking tools and zombies)
  • Zero-day exploits, self-updated

27
Discussion
  • Is it a good idea to spread worms with system
    patches?

28
Trojan
  • A program with hidden side-effects that are not
    specified in the program documentation and are
    not intended by the user executing the program

29
What a trojan can do
  • Remote administration trojans: attackers get
    complete control of a PC
  • Backdoor: steal data and files
  • Distributed attacks: zombie network
  • Password stealers: capture stored passwords
  • Audio/video capturing: control devices
  • Keyloggers: capture passwords as they are typed
  • Adware: popup advertisements
  • Logic bomb: only executed when a specific trigger
    condition is met

30
Be familiar with your PC
  • Startup programs/services
  • Frequently used IP ports:
    • 20/21 FTP
    • 23 Telnet
    • 25 SMTP
    • 80 WWW
  • netstat
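
Added example, not part of the slides: a small audit that turns the netstat habit on this slide into a check. It parses netstat output (Linux and Windows column layouts), compares listening ports against a baseline of services the machine is expected to offer, and flags established connections to remote ports worth a second look (the IRC port, given the worm remote-control slide). The netstat lines, addresses, ALLOWED_LISTEN set and WATCH_REMOTE table are constructed for this example; the right baseline depends on the machine.

```python
# Constructed netstat output (Linux "netstat -tuln"-style plus one established session).
# Hosts, addresses and ports are made up for this example.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:49152        198.51.100.7:6667       ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# Baseline of expected listeners: the slide's ports plus SSH (22) and NTP (123), an
# assumption for this example. Remote ports that deserve a closer look when connected to.
ALLOWED_LISTEN = {20, 21, 22, 23, 25, 80, 123}
WATCH_REMOTE = {6667: "IRC"}


def _port(addr: str):
    """'0.0.0.0:22' -> 22, ':::22' -> 22, '0.0.0.0:*' -> None."""
    port = addr.rsplit(":", 1)[1]
    return int(port) if port.isdigit() else None


def parse_netstat(text: str) -> list:
    """Extract sockets from Linux or Windows netstat text; headers and other lines are skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].lower() not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        addrs = [f for f in fields[1:] if ":" in f]   # local and foreign address columns
        if len(addrs) < 2:
            continue
        last = fields[-1]
        state = last.upper() if last.replace("_", "").isalpha() else ""   # udp rows have none
        sockets.append({
            "proto": fields[0].lower().rstrip("6"),
            "local_port": _port(addrs[0]),
            "foreign_port": _port(addrs[1]),
            "state": state,
        })
    return sockets


def audit(sockets: list, allowed_listen=ALLOWED_LISTEN, watch_remote=WATCH_REMOTE) -> list:
    """Report listeners outside the baseline and connections to watched remote ports."""
    findings = []
    for s in sockets:
        listening = s["state"] in ("LISTEN", "LISTENING") or (
            s["proto"] == "udp" and s["foreign_port"] is None and s["state"] == "")
        if listening and s["local_port"] not in allowed_listen:
            findings.append(f"unexpected {s['proto']} listener on port {s['local_port']}")
        elif s["state"] == "ESTABLISHED" and s["foreign_port"] in watch_remote:
            findings.append(f"established connection to remote port "
                            f"{s['foreign_port']} ({watch_remote[s['foreign_port']]})")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_netstat(SAMPLE_NETSTAT)):
        print(finding)
```

A port outside the baseline is only a lead: the next step is to map it to the owning process and its startup entry (the first bullet on this slide), which is where a trojan that installs itself as a service shows up.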

31
Malware Payloads
  • No payload
  • Payload without damage:
    • Only displays some information
  • Payload with little impact:
    • Modifies documents (Wazzu virus)
  • Payload with heavy impact:
    • Remove files, format storage
    • Encrypting data (blackmail)
    • Destroy hardware (W95.CIH rewrites the flash BIOS)
    • DDoS attacks
    • Steal data for profit

32
Malware naming
  • CARO (Computer Antivirus Researchers
    Organization)
  • CARO naming convention (1991):
    <family_name>.<group_name>.<infective_length>.<variant>.<modifier>
  • e.g., cascade.1701.A
  • Platform prefix, e.g.:
    win32.nimda.A@mm
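
Added example, not from the lecture: a parser for the naming convention on this slide. It splits an optional platform prefix, the family name, an optional group name, the numeric infective length, a one- or two-letter variant and an @modifier, and normalises labels so that variants of one family can be grouped when sorting reports. The PLATFORM_PREFIXES set is an assumption made for this example, not an official CARO list, and the variant and length heuristics follow the slide's format only.

```python
import re

# Platform prefixes this parser recognises. Assumption for the example, not an official list.
PLATFORM_PREFIXES = {"win32", "w32", "w95", "w97m", "wm", "w2km", "x97m", "linux", "js", "vbs"}

EMPTY = {"platform": None, "family": None, "group": None,
         "infective_length": None, "variant": None, "modifier": None}


def parse_caro(name: str) -> dict:
    """Parse [platform.]family[.group][.infective_length][.variant][@modifier]."""
    result = dict(EMPTY)
    base, _, modifier = name.partition("@")
    result["modifier"] = modifier or None
    tokens = [t for t in base.split(".") if t]       # tolerate a trailing period
    if len(tokens) > 1 and tokens[0].lower() in PLATFORM_PREFIXES:
        result["platform"] = tokens.pop(0)
    if not tokens:
        raise ValueError(f"no family name in {name!r}")
    result["family"] = tokens.pop(0)               # family is positional, always first
    for tok in tokens:
        if tok.isdigit():
            result["infective_length"] = int(tok)  # e.g. 1701 in cascade.1701.A
        elif re.fullmatch(r"[A-Z]{1,2}", tok):
            result["variant"] = tok                # A, B, ... AA, AB ...
        elif result["group"] is None:
            result["group"] = tok
        else:
            raise ValueError(f"unexpected component {tok!r} in {name!r}")
    return result


def canonical(name: str) -> str:
    """Rebuild a normalised label: platform, family and group lower-case, variant upper-case."""
    p = parse_caro(name)
    parts = [p["platform"].lower()] if p["platform"] else []
    parts.append(p["family"].lower())
    if p["group"]:
        parts.append(p["group"].lower())
    if p["infective_length"] is not None:
        parts.append(str(p["infective_length"]))
    if p["variant"]:
        parts.append(p["variant"])
    label = ".".join(parts)
    return label + ("@" + p["modifier"] if p["modifier"] else "")


def same_family(a: str, b: str) -> bool:
    """True when two labels name the same platform and family (variants may differ)."""
    pa, pb = parse_caro(a), parse_caro(b)
    return ((pa["platform"] or "").lower() == (pb["platform"] or "").lower()
            and pa["family"].lower() == pb["family"].lower())


if __name__ == "__main__":
    for label in ("cascade.1701.A", "win32.nimda.A@mm", "W95.CIH"):
        print(label, "->", parse_caro(label), "->", canonical(label))
```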

33
Malware defenses (1)
  • Detection: once the infection has occurred,
    determine that it has occurred and locate the
    virus
  • Identification: once detection has been achieved,
    identify the specific virus that has infected a
    program
  • Removal: once the specific virus has been
    identified, remove the virus from the infected
    program and restore it to its original state

34
Malware defenses (2)
  • The first-generation scanner:
    • Virus signature (bit pattern)
    • Maintains a record of the length of programs
  • The second-generation scanner:
    • Looks for fragments of code (neglecting
      unnecessary code)
    • Checksum of files (integrity checking)
    • Virus-specific detection algorithms
    • Deciphering (W95.Mad, XOR encryption)
    • Filtering
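
Added example, not from the lecture, covering the virus lifecycle slide, the companion-virus slide and the first two scanner generations listed above: a signature scan over a constructed signature database, a baseline of program lengths and SHA-256 checksums, an integrity check that classifies a change as appended, overwritten or new, and a check for a .COM file shadowing an existing .EXE (DOS runs NAME.COM before NAME.EXE). File names, contents and the NORMAL.DOT entry are made up for the example.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed signature database: byte pattern -> label. The pattern is made up.
SIGNATURES = {b"SAMPLE-MARKER-7f3a": "Example.Marker.A"}


def signature_scan(files: dict, signatures: dict) -> dict:
    """First-generation scanner: report files containing any known byte pattern."""
    hits = {}
    for name, data in files.items():
        for pattern, label in signatures.items():
            if pattern in data:
                hits[name] = label
                break
    return hits


def take_baseline(files: dict) -> dict:
    """Record length and checksum per program (the 'record of length' plus a checksum)."""
    return {name: (len(data), sha256_hex(data)) for name, data in files.items()}


def integrity_check(files: dict, baseline: dict) -> list:
    """Second-generation integrity check: describe how each program differs from baseline."""
    findings = []
    for name, data in files.items():
        if name not in baseline:
            findings.append(f"{name}: not in baseline")
            continue
        old_len, old_hash = baseline[name]
        if sha256_hex(data) == old_hash:
            continue
        if len(data) > old_len:          # appending virus: code added after the original
            findings.append(f"{name}: changed, grew by {len(data) - old_len} bytes")
        elif len(data) == old_len:       # overwriting virus: same size, different bytes
            findings.append(f"{name}: changed in place, length unchanged")
        else:
            findings.append(f"{name}: changed, shrank by {old_len - len(data)} bytes")
    for name in baseline:
        if name not in files:
            findings.append(f"{name}: missing")
    return findings


def companion_candidates(files: dict) -> list:
    """A new NAME.COM beside an existing NAME.EXE runs first under DOS, so it is suspect."""
    names = {n.upper() for n in files}
    return sorted(n for n in names if n.endswith(".COM") and n[:-4] + ".EXE" in names)


# Constructed file sets: a baseline snapshot and a later one in which PROGRAM.EXE gained
# bytes at its end, NORMAL.DOT changed without growing, and PROGRAM.COM appeared.
CLEAN_FILES = {
    "PROGRAM.EXE": b"MZ" + b"\x00" * 60 + b"original program body",
    "EDITOR.EXE": b"MZ" + b"\x00" * 60 + b"editor program body",
    "NORMAL.DOT": b"template settings",
}
BASELINE = take_baseline(CLEAN_FILES)
LATER_FILES = dict(CLEAN_FILES)
LATER_FILES["PROGRAM.EXE"] = CLEAN_FILES["PROGRAM.EXE"] + b"SAMPLE-MARKER-7f3a"
LATER_FILES["NORMAL.DOT"] = b"template-settings"    # same length, different content
LATER_FILES["PROGRAM.COM"] = b"something new"

if __name__ == "__main__":
    print("signature hits:", signature_scan(LATER_FILES, SIGNATURES))
    print("integrity     :", integrity_check(LATER_FILES, BASELINE))
    print("companions    :", companion_candidates(LATER_FILES))
```

The integrity check needs no signature at all, which is the point of the second generation: it catches the NORMAL.DOT change and the new PROGRAM.COM that the signature database knows nothing about, at the cost of reporting every legitimate update as well.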

35
Malware defenses (3)
  • The third-generation scanner:
    • Identifies a virus by its actions
  • The fourth-generation scanner:
    • Includes a variety of anti-virus techniques
  • Collection method:
    • Using honeypots

36
Malware in Mobile Phones
  • Mobile phones are computers with great
    connectivity:
    • Internet
    • WLAN
    • Bluetooth
    • Regular phone network (SMS, MMS)
    • RFID

37
In the future
  • New spreading methods, e.g., RFID

[Figure: items labelled "Infected!"]
38
Questions?