Download Computer Security: Principles and Practice, 1/e

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
page
47
page
48
page
49
page
50
page
51
page
52
page
53
page
54
Document related concepts

Cracking of wireless networks wikipedia , lookup

Computer security wikipedia , lookup

Transcript 
Computer Security:
Principles and Practice
Introduction
by William Stallings and Lawrie Brown
Lecture slides by Lawrie Brown &
Susan Lincke
Chapter 6 – Malicious Software
= Malware
Study Sheet







Define attacks: cracking, script kiddies, cyberterrorist, phishing,
spearphishing, pharming, drive-by download.
Define and provide examples for: social engineering, Denial Of
Service.
Define and describe DDOS, logic bomb, worm, virus, trojan horse,
backdoor, botnet, handler, bot, spyware, adware, root kit, spamware,
crimeware.
Define and describe stealth virus, polymorphic virus, metamorphic
virus, macro virus, boot sector virus, zero-day exploit, rate limiting,
immune system
Describe why ‘ethical’ hackers are not completely ethical.
Define the 4 stages of viruses and worms
Define 4 mechanisms antivirus software uses to recognize or control
viruses and worms
FBI PRIORITIES
1. Protect the United States from terrorist attack
2. Protect the United States against foreign intelligence
operations and espionage
3. Protect the United States against cyber-based attacks and
high-technology crimes
4. Combat public corruption at all levels
5. Protect civil rights
6. Combat transnational/national criminal organizations and
enterprises
7. Combat major white-collar crime
8. Combat significant violent crime
9. Support federal, state, local and international partners
10. Upgrade technology to successfully perform the FBI’s mission
The Problem of Network Security
The Internet allows an
attacker to attack from
anywhere in the world
from their home desk.
They just need to find one
vulnerability: a security
analyst need to close
every vulnerability.
Progression of Security
Attacks
Threat
Type
Year: Example Threats
Experiment 1984: Fred Cohen publishes “Computer Viruses: Theory and Experiments”
Vandalism
Hactivism
1988: Jerusalem Virus deletes all executable files on the system, on Friday the 13th.
1991: Michelangelo Virus reformats hard drives on March 6, M’s birthday.
2010: Anonymous’ Operation Payback hits credit card and communication
companies with DDOS after companies refuse to accept payment for Wiki-Leaks.
Cyber2007: Zeus Trojan becomes ‘popular’; turns computers into zbots and spyware steals
crime
credit card (CC) numbers.
2008, 2009: Gonzales re-arrested for implanting spyware on WLANs, affecting 171 M
CC.
2013: In July 160 M CC numbers are stolen via SQL Attack. In Dec. 70 M CC numbers
are stolen through Target stores.
Informatio 2007, 2008: Russia launches DDOS attack against Estonia, Georgia news, gov’t,
n Warfare banks
2010: Stuxnet worm disables 1000 of Iran’s nuclear centrifuges.
Surveillanc 2012: Chinese affiliations attack U.S./foreign businesses to steal intellectual
e State
property.
2013: Lavabit closes secure email service rather than divulge corporate private key
to NSA without customers’ knowledge.
HISTORY OF CYBER-WAR
YEAR
FROM -> TO
ATTACK DESCRIPTION
2007
Russia -> Estonia
DOS attacks on gov’t, financial inst.,
news
2008
Russia -> Georgia
DOS attacks on Internet, gov’t websites
2008
US -> US
Malware to top aides of pres.
candidates
2009
China->Embassies, GhostNet malware: Command &
foreign ministries
Control software
2012
US, Israel -> Iran
Stuxnet Worm disables nuclear facilities
2010
India <->Pakistan
Hacker groups hit gov’t websites
2011
China -> Canada
Spyware virus causes shutdown of
economic agencies
2012
-> Iran, Middle East Flame cyber-espionage malware
2013
N. Korea -> S.
Korea
Dark Seoul Malware hits TV, banks;
makes computers unusable.
Advanced Persistent Threat
 Advanced:
Combination of custom &
common malware

Target: Business or Gov’t data/operation
 Persistent:
Extended period attack until
target is compromised
 Threat: Organized, capable, well-funded
attacker

Source: Gov’t or criminal enterprise
A Common Means of Attack
Study Org:
Contact names
Send
Phishing
email
With internal
access, scope
network
Copy data:
prop., conf.
Establish
Watering
hole
Guess
Passwords
Infect POS
Spy
Passwords
2014 Ponemon Breach Cost
by Industry
Communications
Consumer
Education
Energy
Financial
Health care
Hospitality
Industry
Media
Pharmaceutical
Public sector
Research
Retail
Services
Technology
Transportation
Prob. of Breach
Cost/rec
Churn rate
15.6%
19.9%
21.1%
7.5%
17.1%
19.2%
19.5%
9.0%
19.7%
16.9%
23.8%
11.5%
22.7%
19.8%
18.9%
13.5%
219
196
254
237
236
316
93
204
183
209
172
73
125
223
181
286
1.2
2.6
2.0
4.0
7.1
5.3
2.9
3.6
1.9
3.8
0.1
0.7
1.4
4.2
6.3
5.5
Crackers
Cracker:
Computer-savvy
programmer creates
attack software
Script Kiddies:
Know how to
execute programs
System Administrators
Some scripts are useful
to protect networks…
Hacker Bulletin Board
Sql Injection
Buffer overflow
Password Crackers
Password Dictionaries
Successful attacks!
Crazyman broke into …
CoolCat penetrated…
Criminals:
Create & sell botnets -> spam
Sell credit card numbers,…
Crimeware or
Attack Kit=$1K-2K
1 M Email addresses = $8
10,000 PCs = $1000
Other Hackers/Crackers:

Cyberterrorists
 Cyberwar: National
governments attack
IT
 Espionage:
Accused: France,
Russia, China,
South Korea,
Germany, Israel,
India, Pakistan, US.
Ethical Hackers
 “Do no damage”
However they approve
of:




Changing security logs
Disabling security
protections
Reading corporate
information
Attitude: hacking is
beneficial: keeps ‘stupid
corp’s on their toes’
Covert Channel

Exfiltrate information
outside the
organization
 E.g.: manipulate bits
in a jpeg or mpeg
 E.g.: carry out info in
a Lady GaGa CD
 E.g.: set bytes in an
Excel spreadsheet
Malicious Software
 programs
exploiting system vulnerabilities
 known as malicious software or malware

program fragments that need a host program
• e.g. viruses, logic bombs, and backdoors

independent self-contained programs
• e.g. worms, bots

replicating or not
 sophisticated
threat to computer systems
Malware Propagation
Classification
Infection
Of Executable
(e.g., Virus)
Exploit of
Software
Vulnerability
(SQL Attack,
Worm)
Social Engineering
(E.g., Phishing,
Watering hole,
Trojans)
Social Engineering
I need a
password reset.
What is the
passwd set to?
This is John,
the System
Admin. What
is your
password?
What ethnicity
are you? Your
mother’s
maiden name?
and have
some
software
patches
I have come
to repair
your
machine…
Phishing =
Fake Email
The bank has found
problems with your
account.
Please contact …”
ABC BANK
Your bank account
password is about
to expire.
Please login…
Spearfishing
John:
This was a cool
YouTube link: …
Alice
Pharming = Fake web pages
Pharming:
 A fake web page
may lead to a real
web page
 The fake web page
looks like the real
thing

Extracts account
information
www.abc.com
Login
Passwd
www.abcBank.com
Welcome
To ABC
Bank
Denial of Service

Single-Message DoS Attacks: Crash or disable
system by attacking vulnerability
 Flooder DoS Attack: Flood victim with requests



SYN Flooding: Flood victim host with TCP SYNs
(which initiate session).
Smurf Attack: Broadcast Pings to third parties with
source address of victim host
Rabbit or Bacteria: Reproduces exponentially, using
up system resources
Logic Bomb
Logic Bomb= Functional software
has a built-in malicious attack or
failure mechanism
 E.g., Software will malfunction if
maintenance fee is not paid
Ransomware: E.g., Pay fee to
decrypt software
Trojan Horse: E.g., Social
Engineering: “Try this game…it is so
cool”

Game also emails password file.
Drive-By Download

A web site exploits a
Games:
vulnerability in the
visitor’s browser when  Vampires and Wolfmen
 Planet of the Apes
the site is viewed
 Dungeons and Dragons
Root Kit
Root Kit
 Upon penetrating a
computer, a hacker
installs a root kit
 May enable:



Easy entrance for the
hacker (and others)
Keystroke logger
Eliminates evidence of
break-in
 Modifies the operating
system
 Requires new OS install,
when detected
Rootkit System Table Mods
Exploit/Maintain Access
Abnormal way to enter
system, provided by
Programmer or
Vulnerability
Backdoor
Trojan Horse Useful utility also performs
malicious function
Bots
Slave forwards/performs
commands; spreads,
list email addrs, DOS
attacks
Spyware/Adware
Replaces system
User-Level Rootkit executables: e.g.
Login, ls, du
to hide itself
Spyware collects info:
keystroke logger,
collect credit card #s,
Adware: insert ads,
filter search results
Kernel-Level Rootkit
Replaces OS kernel:
e.g. process or file
control to hide
Distributed Denial of Service
Zombies
Attacker
Handler
Victim
China
Russia
United
States
Can barrage a victim
server with requests,
causing the network
to fail to respond to anyone
Bots
Flooder
Botnets
Botnets: Bots
Attacker
India
Handler
Hungary
Bots: Host illegal movies,
music, pornography,
criminal web sites, …
Forward Spam for
financial gain
Sniffing traffic or
Keylogging
Zombies DDOS, spread bots
Manipulate voting games
Generate clicks for ads
Bots
 program
taking over other computers
 hard to trace attacks
 if coordinated form a botnet
 characteristics:

remote control facility
• via IRC/HTTP etc

spreading mechanism
• attack software, vulnerability, scanning strategy
 various
counter-measures applicable
Bot Uses

DDOS attacks

E.g., Internet Relay Chat overload

Spamming
 Spying



Sniffing traffic
Keylogging
Malware abuse



Spread malware
Install advertisement add-ons: pay-for-clicks
Manipulating online games
Attack Kit - Crimeware

Attack kit = Crimeware: Tools which generate
malware automatically


with varied propagation and payload mechanisms
Auto-rooter: Breaks into new machines
remotely
 Downloader: Original attack opens the door,
then downloads the full attack software
 Spammer program: Generates large volumes
of unwanted email
Virus




A virus attaches itself to a
program, file, or disk
When the program is
executed, the virus too is
executed
When the program is
given away (floppy/email)
the virus spreads
The virus may be benign
or malignant but executes
its load pay at some point
(often upon contact)
Dear John, This
link is a cool web
site
Program
A
Program
A
Extra Code
infects
Viruses

piece of software that infects programs



modifying them to include a copy of the virus
so it executes secretly when host program is run
a typical virus goes through phases of:
1.
2.
3.
4.
Dormant: Wait for file presence, date, event,…
Propagation: Spreading technique
Triggering: Complete full intention
Execution: Harmless or harmful
Virus Structure
 components:



infection mechanism - enables replication
trigger - event that makes payload activate
payload - what it does, malicious or benign
 prepended
/ postpended / embedded
 when infected program invoked, executes
virus code then original program code
 can block initial infection (difficult)
 or propogation (with access controls)
Virus Structure
Compression Virus
Virus Target Classification
 boot
sector: Spreads when system is
booted from disk containing virus
 macro virus: Inserted in application file as
script (e.g., MS Word doc.)
 file infector: Infects executable in OS or
shell
 multipartite: Infects multiple ways/files

Difficult to clean, eradicate
Virus Concealment Strategies
 encrypted
virus: Uses a random key to
encrypt virus, and stores key with virus
 stealth virus: Hides via encryption, file
sizing, virus location, rootkit
 polymorphic virus: Mutates new virus
with each infection
 metamorphic virus: Changes itself with
each iteration; also polymorphic
Macro Virus
 became



platform independent
infect documents
easily spread
 exploit


very common in mid-1990s since
macro capability of office apps
executable program embedded in MS Office
doc
often a form of Basic
 more
recent releases include protection
 recognized by many anti-virus programs
E-Mail Viruses
 more
recent development
 e.g. Melissa





exploits MS Word macro in attached doc
if attachment opened, macro activates
sends email to all on users address list
does local damage
had no Dormant phase -> faster propagation
• 100k computers in 3 days
Brain Virus





Lodges in upper memory then sets upper
memory bound below itself
Replaces interrupt vector for disk reads to
screen disk read calls. Calls interrupt handler
after screening.
Places itself in the boot sector and six other
sectors on disk
Marks sectors as ‘bad’ so they will not get
overwritten.
Variants erase disks or destroy file allocation
table
Virus Countermeasures
 prevention
- ideal solution but difficult
 realistically need:



 if
detection
identification
removal
detect but can’t identify or remove, must
discard and replace infected program
 But what has cracker done in the mean
time?
Anti-Virus Evolution
 virus
& antivirus tech have both evolved
 early viruses simple code, easily removed
 more complex viruses -> more complex
countermeasures
 4 generations:


first - signature scanners
second – heuristics
• Integrity checking & fragment recognition


third - identify actions (e.g., decompression)
fourth - combination packages
• Limit access control to system & files
Antivirus, Antispyware
Antivirus
 Scheduled scans
 Antivirus updates
 Real-time file access
protection
 E-mail protection
 Popular: Norton,
McAfee,Panda, Fprot,
AVG
Antispyware
 Real-time protection
 Scheduled scans
 Browser hijack protection
 Auto updates
 Popular: Spybot, Ad-aware,
MS Windows Defender
All-in-one also includes
 URL Filter
 Content inspection: packet
content
Generic Decryption
 runs



executable files through GD scanner:
CPU emulator to interpret instructions
virus scanner to check known virus signatures
emulation control module to manage process
 lets
virus decrypt itself in interpreter
 periodically scan for virus signatures
 issue is how long to interpret and scan?

tradeoff chance of detection vs time delay
Digital Immune System
Behavior-Blocking Software
Worm

Worm: Independent
program which replicates
itself and sends copies
from computer to
computer across network
connections. Upon
arrival the worm may be
activated to replicate.
To Joe
To Ann
To Jill
Email List:
[email protected]
[email protected]
[email protected]
Worms

replicating program that propagates over net


has phases like a virus:




using email, remote exec, remote login
dormant, propagation, triggering, execution
propagation phase: automatically ‘scans’ for other
systems, connects to it, copies self to it and runs
fast spread phase: each infection spreads to n other
nodes, exponentially
may disguise itself as a system process
Morris Worm
 one
of best know worms
 released by Robert Morris in 1988
 various attacks on UNIX systems



 if
cracking password file to use login/password
to logon to other systems
exploiting a bug in the finger protocol
exploiting a bug in sendmail to issue
commands
succeed have remote shell access
Morris Worm – cont’d

Created by Robert Morris, convicted 1990, received
$10K fine & 3 years jail, 400 hours community service
 Unintended Effect: Denial of service due to resource
exhaustion: Worms created more worms (even on same
machine)
Once system penetrated
 Send a bootstrap loader with 99 lines of C code to be
executed on target machine
 Downloader: Fetch rest of worm, verified by password
 Stealth: encrypted itself, deleted original version,
changed name periodically
Worm Technology
Unix, Windows, …
 Multi-exploit: travels in multiple ways
 Polymorphic: generations mutate
 Metamorphic: self-mutating &
polymorphic
 Transport vehicles: auto-builds bots
 Zero-day exploit: attacks a vulnerability
before vulnerability is known
 Multiplatform:
Worm Countermeasures
 overlaps
with anti-virus techniques
 once worm on system A/V can detect
 worms also cause significant net activity
 worm defense approaches include:





signature-based worm scan filtering
filter-based worm containment
payload-classification-based worm containment
threshold random walk scan detection
rate limiting and rate halting
• puts speed limit on scanning / fignerprinting actions
Proactive Worm Containment
Looks for surges in the rate of frequency of outgoing connection attempts and the
diversity of connections to remote hosts. When such a surge is detected, the software
immediately blocks its host from further connection attempts.
Network Based Worm Defense
Summary: Malware Payload
Classification
Theft of Information:
E.g. Keyloggers,
spyware, pharming,
exfiltration
Theft of Service
Botnet, Denial of Service
DDOS, ransomware,
adware, spammers
Stealth:
Hide presence:
Rootkit, backdoors,
viruses/worms
Corruption of System
Or Files
Virus, worm, rootkit
Summary: Malware Controls
Countermeasures:





Ingress Monitor: Are traffic (flows) entering
network valid?
Egress Monitor: Is traffic exiting network valid?
Host Scanner: Are actions on the computer
suspicious?
Malware Countermeasure: Are actions by the
program suspicious?
Distributed Intelligence: Host-based and
perimeter sensors, intelligence analysis
Related documents
IHNV (Infectious Hematopoietic Necrosis Virus) is one of the most
IHNV (Infectious Hematopoietic Necrosis Virus) is one of the most
Contagion Worksheet
Contagion Worksheet
brehlik , kapás , váczi - ITIS Cannizzaro Colleferro
brehlik , kapás , váczi - ITIS Cannizzaro Colleferro
Cool SCIENCE! - University of California, Irvine
Cool SCIENCE! - University of California, Irvine
Name______________________________________Hour 1-2 3
Name______________________________________Hour 1-2 3
vet_virology_symposium
vet_virology_symposium
Understanding viruses classwork
Understanding viruses classwork
Possible Origin of Viruses
Possible Origin of Viruses
Cancer Quiz 2: Richard Hill 1st DEC 2002 Cancer of the _____
Cancer Quiz 2: Richard Hill 1st DEC 2002 Cancer of the _____
Symptoms of Ebola virus disease
Symptoms of Ebola virus disease