ELE386 Malware
Views: 628 | Category: News & Reports | License: All Rights Reserved | Added: August 20, 2007 | Favorites: 1
Presentation Description: No description available.

Comments
khanejaanshul (12 month(s) ago): Hey, I am Anshul. I want this ppt as soon as possible; it's urgent.
chittibuddy (41 month(s) ago): The PowerPoint presentation is good. I want to download it; how can I download it?

Presentation Transcript

Understanding the Threat of Malware
Nachiketh Potlapally
ELE 386: Cyber Security, 03/22/05
Prof. Ruby Lee, Princeton University, Spring 2005

What is Malware?
Malware refers to any software code written with the aim of degrading or subverting the normal operation of a computer system. It is also referred to as malicious code. There are different types of malware:
- Viruses
- Worms
- Trojan horses
- Malicious mobile code

Slide 3: Unfortunately, most computer viruses are not so courteous!

Slide 4: "Be afraid. Be very afraid." – The Fly, 1986. But a computer virus is not inherently dangerous.

Definitions
- A computer virus is a program that, when triggered by an action of the user, causes copies of itself to be created.
- A computer worm is a program that causes copies of itself to be created without any user intervention.
- A Trojan horse is a program that appears to do something useful but in reality masks some hidden malicious functionality. It does not make copies of itself.
- Malicious mobile code is a lightweight malicious program that is downloaded from a remote system and executed with minimal intervention on the local system. It is encountered while browsing the web and is implemented using VB scripts, JavaScript, ActiveX controls, etc.

Factors Contributing to the Rapid Spread of Malware
- Ubiquitous connectivity: the Internet makes it easy to launch large-scale autonomous attacks.
- Homogeneous computing environments: identifying a flaw in a particular hardware architecture or operating system enables the compromise of many computers.
- Increasing computer system complexity: high system complexity makes it very tough to guarantee security properties.
- Easy extensibility of computer systems: 'plug and play' customization makes attacks easier.
- Easily available malware writing toolkits: a dramatic increase in attacks carried out by script kiddies.

History of Malicious Code
- John von Neumann presented a theory of complicated automata at IAS/Princeton and postulated that a computer program could reproduce itself ('Darwin among the Machines', George Dyson).
- Victor Vyssotsky, Robert Morris Sr. and Doug McIlroy implemented 'Darwin' (Core Wars) in the 1960s at Bell Labs: self-reproducing computer programs battle with each other to occupy the maximum memory space (memory was called 'core' back then).
- Shoch and Hupp implemented the first 'computer worm' in 1982 at Xerox PARC, investigating the use of worms for distributed computing.
- Fred Cohen wrote the first 'computer virus' and did a formal study in 1983 at USC for his PhD thesis. The term 'computer virus' was coined by his PhD advisor, Len Adleman.

History of Malicious Code (contd)
- Robert Morris Jr. (now a professor at MIT) wrote the 'Internet worm' in 1988 at Cornell University.
  - It exploited multiple vulnerabilities to spread from machine to machine.
  - It generated huge traffic and completely clogged the Internet.
- On the positive side: it exposed the vulnerability of a network designed to be resilient against such attacks (including a nuclear strike).
- But the 'Morris Worm' opened the virus and worm flood gate for more deadly viruses and worms: Melissa, CIH Chernobyl, Worm.ExploreZip, BubbleBoy, The Love Bug, ...

Components of Viruses and Worms
Basic components of viruses and worms:
- Infection mechanism: the method of 'infecting' a computer system.
- Payload: the code responsible for carrying out specific tasks.
Viruses and worms differ primarily in the infection mechanism:
- Viruses require human intervention to infect computer systems. Also, viruses cannot exist stand-alone; instead they piggyback on other programs.
- Worms propagate on their own and can exist independently.
Payloads are of different types: null payload, altering data on the infected system, usurping system resources, clogging the network, stealing data, and creating backdoors which allow the attacker to take over the system at a later date (used primarily for distributed denial of service attacks; one of the most damaging payloads).

Steps in Normal Program Execution
(Diagram: main memory (volatile), hard disk (non-volatile) and ROM (non-volatile) holding the BIOS code; memory addresses start at 0x0.)
1. Main memory is empty at the beginning.
2. The BIOS locates & copies the OS from disk to memory.
3. The OS locates & copies the program to be executed (Program A) into memory.
4. Program A starts executing.
FAT: the File Allocation Table stores the location of all files on the system. It is maintained by the OS. Executing programs use the OS to perform standard functions like reading and writing files.

Virus Infection Mechanism
(Diagram: the OS, Program A and the virus in main memory; Program B and the FAT on the hard disk.)
1. An infected program (Program A + virus, from an infected floppy disk or an email attachment) enters memory.
2. The virus searches for a suitable program to infect (Program B on the hard disk, located through the FAT).
3. The virus copies the target program to main memory.
4. The virus copies itself into the target program in memory.
5. The virus copies the infected target (B + virus) back to the disk.
When Program B is executed it infects a new file. The virus makes use of OS constructs to search for target files, to copy them, etc.

Virus Infecting a File
(Diagram: Program A before infection runs its 1st instruction, 2nd instruction, ..., end of Program A. Program A infected with the virus starts with a jump to the virus code, and the virus ends with a jump back to Program A's 1st instruction.)
In the execution of the infected program, the virus is executed before Program A, and the correct sequence of instruction execution in Program A is maintained.

Virus Classification
- File virus
  - Executable file virus: the virus attaches itself to executables.
    - Overwriting virus
    - Prepending virus
    - Appending virus
  - Document file virus: the virus is coded into macros(1) embedded in documents. Very popular since it is easy to write; no knowledge of the target machine is required, unlike in the case of executable file viruses.
- Boot sector virus: the virus affects the OS boot sector.
(1) Macros are commands embedded in documents for enhancing the application or automating some tasks. They are written in Visual Basic.

Executable file viruses
(Diagram: Program + Virus = infected file, in three layouts.)
- Overwriting: the virus replaces the program's code.
- Prepending: the virus is placed before the program.
- Appending: the virus is placed after the program.

Slide 15: Very much possible... could have been an overwriting virus, or maybe the virus payload was designed to delete files!!
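The overwriting/prepending/appending taxonomy above, together with the jump-patched entry point from the 'Virus Infecting a File' slide, can be checked from the defender's side by comparing a suspect executable with a trusted reference copy. The following is an added example written for this page, not code from the lecture; the host and virus byte strings are constructed samples and the 4-byte entry window is an assumption.

```python
"""Classify how a suspect file differs from a trusted reference copy.

Added example for this page (not from the lecture). It uses the slide's
taxonomy: overwriting, prepending and appending file viruses, plus the
appending case where the host's first instruction is patched into a jump
to the virus body. The byte strings below are constructed samples.
"""
from enum import Enum


class Infection(Enum):
    CLEAN = "clean"
    OVERWRITING = "overwriting"
    PREPENDING = "prepending"
    APPENDING = "appending"
    APPENDING_PATCHED_ENTRY = "appending with patched entry point"
    UNKNOWN = "modified, but not a recognised pattern"


def classify(reference: bytes, suspect: bytes, entry_window: int = 4) -> Infection:
    """Compare a suspect file with the trusted reference it should match.

    entry_window: number of leading bytes an appending virus would replace
    with a jump to itself (assumed to be 4 for this example).
    """
    if suspect == reference:
        return Infection.CLEAN
    n = len(reference)
    if len(suspect) > n:
        # The file grew: the virus body was added before or after the host.
        if suspect.endswith(reference):
            return Infection.PREPENDING           # virus + host
        if suspect.startswith(reference):
            return Infection.APPENDING            # host + virus
        # Host body intact except its first instruction (now a jump to the
        # appended virus): the 'Virus Infecting a File' diagram.
        if suspect[entry_window:n] == reference[entry_window:n]:
            return Infection.APPENDING_PATCHED_ENTRY
        return Infection.UNKNOWN
    # The file did not grow: an overwriting virus replaces the host's code
    # from the start, so the original leading bytes are gone.
    if suspect[:entry_window] != reference[:entry_window]:
        return Infection.OVERWRITING
    return Infection.UNKNOWN


# Constructed samples: a 32-byte 'host program' and a 16-byte 'virus body'.
HOST = b"\x55\x48\x89\xe5" + b"HOST" * 7            # 4 + 28 = 32 bytes
VIRUS = b"\xeb\xfe" + b"VIRUS!" * 2 + b"\x00\x00"   # 2 + 12 + 2 = 16 bytes
JUMP = b"\xe9\x1c\x00\x00"                         # stand-in for a patched entry


def demo() -> dict:
    """Run the classifier over the infection shapes shown on the slides."""
    samples = {
        "clean": HOST,
        "prepending": VIRUS + HOST,
        "appending": HOST + VIRUS,
        "patched entry": JUMP + HOST[len(JUMP):] + VIRUS,
        "overwriting": VIRUS + b"\x00" * (len(HOST) - len(VIRUS)),
    }
    return {name: classify(HOST, data).value for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>14}: {verdict}")
```

In practice the reference would be a vendor-signed copy or a hash manifest taken before deployment; the classification is a triage hint, not proof of which family did the damage.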
Worms
- Worms are autonomous and more proactive in spreading compared to viruses.
- Worms have a modular structure to aid propagation:
  - Target discovery: finding suitable hosts to infect [random scanning, pre-determined lists of hosts].
  - Entry mechanism: using vulnerabilities to gain entry into the target [buffer overflows, email attachments, protocol weaknesses].
  - Propagation mechanism: after gaining entry, the worm needs to copy its entire contents into the target.
  - Activation mechanism: the worm is activated to execute its payload and propagate further [self-activated, triggered on an external event].
  - Payload: this code is designed to implement some specific action [null payload, planting a backdoor, data collection, destructive intent].

Malicious Mobile Code
- Mobile code is employed by website designers to create dynamic content, like scrolling news tickers, embedded multimedia, etc. It is implemented using JavaScript, ActiveX controls, Java applets and VB scripts.
- Browsing a webpage embedded with malicious mobile code causes the code to be downloaded and executed on the local machine. Malicious mobile code is spread via web browsers.
- Malicious mobile code can carry out a wide array of nasty activities, like illegal monitoring of your browsing behavior (spyware), installing Trojan horses, stealing information, browser hijacking, resource exhaustion, etc.

Malicious Mobile Code (contd)
- ActiveX controls have the greatest potential to do harm among all forms of malicious mobile code. ActiveX controls can do everything a regular program can do: access files, connect to the network, invoke other programs, etc.
- ActiveX controls are widely employed to install spyware and backdoors on local machines. It is highly advisable to restrict ActiveX controls in web browsers.
- Two highly recommended free anti-spyware tools: Ad-aware and Spybot – Search & Destroy. It might be a good idea to install them and use them regularly.

Trojan horses
Two common ways in which Trojan horses are spread are deceiving users into installing them, and blending Trojan horses with normal programs.
- Users are duped into installing Trojan horses by making them believe that they are genuine/useful programs:
  - giving the Trojan horse the same name as a popular program;
  - tricking Windows users by using spaces to obscure the file type;
  - attacking software distribution sites and replacing genuine software with versions that include a Trojan horse.
- Wrapper tools are used to tightly integrate Trojan horse code with some harmless piece of software. When users run the resulting software, the Trojan is executed first.

Slide 20: What alternatives do we have?

Malware Prevention
- Static techniques like aggressive application-level scanning remove many infections before they reach the computer system. Malware code has distinct signatures which can be used to identify and remove it.
- Dynamic techniques like emulation nicely complement the static techniques. Malware code is first simulated in a tightly isolated environment before it is allowed to run on the computer system. Any anomalous behavior during emulation results in the code being red-flagged.
- Malware prevention and detection is a constant effort: malware writers continue to come up with cleverer schemes.
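The Trojan horse slide above lists two filename tricks: hiding the file type behind a run of spaces, and dressing an executable up as a document a user would expect to be harmless. The following is an added example for this page (not code from the lecture) of the check a mail gateway or download scanner can apply to attachment names; the extension sets, the padding threshold and the sample names are assumptions constructed for the example.

```python
"""Flag attachment names that disguise an executable as something harmless.

Added example for this page, not from the lecture. It checks for the
filename tricks on the Trojan horse slide: padding with spaces so the real
extension scrolls out of view, and a decoy document extension placed in
front of the executable one. Extension sets and the threshold are assumptions.
"""
from __future__ import annotations

# Extensions Windows will execute directly (assumed list for the example).
EXECUTABLE_EXT = {"exe", "scr", "com", "bat", "cmd", "pif", "vbs", "js", "msi"}
# Extensions a user expects to open as a harmless document or image.
DECOY_EXT = {"txt", "doc", "pdf", "jpg", "jpeg", "gif", "png", "xls", "zip"}
# Trailing spaces before the real extension that we treat as padding.
PADDING_THRESHOLD = 8


def split_name(name: str) -> tuple[str, str]:
    """Return (stem, lowercase extension); the extension is '' if absent."""
    if "." not in name:
        return name, ""
    stem, _, ext = name.rpartition(".")
    return stem, ext.lower()


def disguise_reasons(name: str) -> list[str]:
    """Explain why a filename looks like a disguised executable (empty = fine)."""
    stem, ext = split_name(name)
    if ext not in EXECUTABLE_EXT:
        return []                       # not executable, nothing to disguise
    reasons = []
    # Trick 1: a run of spaces pushes '.exe' past the visible column width.
    pad = len(stem) - len(stem.rstrip(" "))
    if pad >= PADDING_THRESHOLD:
        reasons.append(f"{pad} spaces hide the .{ext} extension")
    # Trick 2: a document-like extension sits just before the real one.
    _, inner_ext = split_name(stem.rstrip(" "))
    if inner_ext in DECOY_EXT:
        reasons.append(f"decoy .{inner_ext} extension before .{ext}")
    return reasons


def scan(names: list[str]) -> list[tuple[str, list[str]]]:
    """Return (name, reasons) for every name that trips at least one check."""
    return [(n, disguise_reasons(n)) for n in names if disguise_reasons(n)]


# Constructed sample attachment names for the demonstration.
SAMPLE_ATTACHMENTS = [
    "quarterly-report.pdf",
    "holiday-photo.jpg.scr",
    "invoice.txt" + " " * 40 + ".exe",
    "setup.exe",
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_ATTACHMENTS):
        print(repr(name), "->", "; ".join(reasons))
```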