Malware - Stanford University (PDF transcript)
Malware
CS155 Spring 2009
Elie Bursztein
Welcome to the zoo
• What malware are
• How do they infect hosts
• How do they hide
• How do they propagate
• Zoo visit !
• How to detect them
• Worms
What is malware?
Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do.
What is it good for?
• Steal personal information
• Delete files
• Click fraud
• Steal software serial numbers
• Use your computer as relay
A recent illustration
• Christians On Facebook
• Leader hacked in March 2009
• Posted Islamic messages
• Lost >10 000 members
The Malware Zoo
• Virus
• Backdoor
• Trojan horse
• Rootkit
• Scareware
• Adware
• Worm
What is a virus?
"a program that can infect other programs by modifying them to include a, possibly evolved, version of itself"
Fred Cohen, 1983
Some virus types
• Polymorphic : uses a polymorphic engine to mutate while keeping the original algorithm intact (packer)
• Metamorphic : changes after each infection
What is a trojan?
"A trojan describes the class of malware that appears to perform a desirable function but in fact performs undisclosed malicious functions that allow unauthorized access to the victim computer"
Wikipedia
What is a rootkit?
"A rootkit is a component that uses stealth to maintain a persistent and undetectable presence on the machine"
Symantec
What is a worm?
A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes and does so without any user intervention.
Almost 30 years of malware
(timeline from Malware: Fighting Malicious Code)
History
• 1981 First reported virus : Elk Cloner (Apple II)
• 1983 Virus gets defined
• 1986 First PC virus (MS-DOS)
• 1988 First worm : Morris worm
• 1990 First polymorphic virus
• 1998 First Java virus
• 1998 Back Orifice
• 1999 Melissa virus
• 1999 Zombie concept
• 1999 Knark rootkit
• 2000 Love Bug
• 2001 Code Red worm
• 2001 Kernel Intrusion System
• 2001 Nimda worm
• 2003 SQL Slammer worm
Melissa spread by email and shares
Knark rootkit, made by Creed, demonstrated the first ideas
Love Bug: a VB script that abused a weakness in Outlook
Kernel Intrusion System by Optyx: GUI and efficient hiding
Number of malware signatures
[Bar chart: number of signatures per year, 2002 to 2008; y axis from 0 to 2,000,000]
Symantec report 2009
Malware repartition
[Pie chart with categories Trojan, Worm, Other, Adware, Spyware; slice values 74%, 13%, 9%, 3%, 1% (the mapping of values to categories is not recoverable from the layout)]
Panda Q1 report 2009
Infection methods
Outline
• What malware are
• How do they infect hosts
• How do they propagate
• Zoo visit !
• How to detect them
• Worms
What to Infect
• Executable
• Interpreted file
• Kernel
• Service
• MBR
• Hypervisor
Overwriting malware
[Diagram: the malware overwrites the targeted executable; labels: Targeted Executable, Malware]
Prepending malware
[Diagram: targeted executable plus malware gives an infected host in which the malware is placed in front of the original executable code]
Appending malware
[Diagram: targeted executable plus malware gives an infected host in which the malware is placed after the original executable code]
Cavity malware
[Diagram: targeted executable plus malware gives an infected host in which the malware is placed inside an unused region (cavity) of the executable]
Multi-cavity malware
[Diagram: the malware is split across several cavities of the targeted executable]
Packers
[Diagram: the malware on the infected host is an executable made of a packer and the payload it unpacks]
Packer functionalities
• Compress
• Encrypt
• Randomize (polymorphism)
• Anti-debug techniques (int / fake jmp)
• Add junk
• Anti-VM
• Virtualization
Auto start
• Folder auto-start : C:\Documents and Settings\[user_name]\Start Menu\Programs\Startup
• Win.ini : "run=[backdoor]" or "load=[backdoor]"
• System.ini : shell="myexplorer.exe"
• Wininit
• Config.sys
Auto start cont.
• Assign a known extension (.doc) to the malware
• Add a registry key such as HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• Add a task in the task scheduler
• Run as a service
Unix autostart
• Init.d
• /etc/rc.local
• .login .xsession
• crontab
• crontab -e
• /etc/crontab
Macro virus
• Uses the built-in script engine
• Examples of callbacks used (Word):
• AutoExec()
• AutoClose()
• AutoOpen()
• AutoNew()
Document based malware
• MS Office
• Open Office
• Acrobat
Userland rootkit
• Perform
• login
• sshd
• passwd
• Hide activity
• ps
• netstat
• ls
• find
• du
Subverting the Kernel
Kernel tasks
• Process management
• File access
• Memory management
• Network management
What to hide
➡ Processes
➡ Files
➡ Network traffic
Kernel rootkit
[Diagram: user processes (ps, P1, P2, P3) run above the KERNEL, which runs above the hardware (HD, keyboard, mouse, NIC, GPU); the rootkit sits inside the kernel, between ps and the real process list]
Subverting techniques
• Kernel patch
• Loadable Kernel Module
• Kernel memory patching (/dev/kmem)
Windows Kernel
[Diagram of the Windows architecture: user processes P1, P2, Pn and Csrss.exe; Win32 subsystem DLLs (User32.dll, Gdi32.dll and Kernel32.dll) and other subsystems (OS/2, POSIX); Ntdll.dll; ntoskrnl.exe (Executive and underlying kernel); Hardware Abstraction Layer (HAL.dll); hardware]
Kernel device driver
[Diagram: process P2 calls through the Win32 subsystem DLLs and Ntdll.dll into ntoskrnl.exe, where the system service dispatcher looks up the system service dispatch table; a rootkit driver can hook the interrupt, overwrite functions or replace a table entry with a new pointer (positions A, B, C)]
MBR/Bootkit
Bootkits can be used to avoid all protections of an OS, because the OS considers that the system was in a trusted state at the moment the OS boot loader took control.
[Boot chain: BIOS → MBR → VBS → NT Boot Sector → BOOTMGR.EXE → WINLOAD.EXE → Windows 7 kernel, HAL.DLL]
Vboot
• Works on every Windows (Vista, 7)
• 3 KB
• Bypasses checks by letting them run and then doing in-flight patching
• Communicates via ping
Hypervisor rootkit
[Diagram, before: the target OS and its apps run directly on the hardware]
[Diagram, after: the target OS and its apps run inside a virtual machine on top of a host OS that contains the rogue app]
Propagation Vector
Shared folder
Email propagation
(screenshot from the PandaLabs blog)
Valentine's Day ...
Waledac malicious domain (screenshot from the PandaLabs blog)
Email again
Symantec 2009
Fake codec
Fake antivirus
from pandalab blog
Hijack your browser
from pandalab blog
Fake page !
from pandalab blog
P2P files
• Popular queries
• 35.5% are malware (Kalafut 2006)
Backdoor
Basic
[Diagram: the attacker opens a TCP connection to the infected host]
Reverse
[Diagram: the infected host opens a TCP connection back to the attacker]
Covert
[Diagram: the infected host and the attacker communicate over ICMP]
Rendezvous backdoor
[Diagram: the infected host and the attacker both connect to a rendezvous (RDV) point]
Bestiary
Adware
BackOrifice
• Defcon 1998
• new version in 2000
Netbus
• 1998
• Used for “prank”
Symantec pcAnywhere
Browser Toolbar ...
Toolbar again
Ransomware
• Trj/SMSlock.A
• Russian ransomware
• April 2009
Ransom note (screenshot): "To unlock you need to send an SMS with the text 4121800286 to the number 3649. Enter the resulting code: Any attempt to reinstall the system may lead to loss of important information and computer damage"
(from the PandaLabs blog)
Detection
Anti-virus
• Analyze system behavior
• Analyze a binary to decide if it is a virus
• Types :
• Scanner
• Real-time monitor
Impossibility result
• It is not possible to build a perfect virus/malware detector (Cohen)
Impossibility result
• Diagonal argument
• P is a perfect detection program
• V is a virus
• V can call P
• if P(V) = true -> halt
• if P(V) = false -> spread
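The diagonal argument above, made concrete in Python as an added illustration (not code from the slides): programs are modelled as callables, and the adversarial program V asks any candidate detector P about itself and does the opposite. The names `make_adversary`, `make_simulating_detector` and the candidate detectors are mine; the third candidate shows that a sandbox that runs the sample does not escape the argument either.

```python
from typing import Callable, Set

# A "program" is a callable: running it returns True if it spread and False
# if it halted harmlessly. A "detector" P inspects a program and returns
# True when it claims the program is a virus. This modelling is an
# assumption made for the illustration, not the slides' own.
Program = Callable[[], bool]
Detector = Callable[[Program], bool]


def make_adversary(detector: Detector) -> Program:
    """The virus V of the diagonal argument. V can call P on itself:
    if P(V) = true  -> halt   (behave harmlessly, return False)
    if P(V) = false -> spread (return True)"""
    def v() -> bool:
        return not detector(v)
    return v


def detector_is_wrong_about_adversary(detector: Detector) -> bool:
    """A correct verdict means P flags V exactly when V spreads, that is
    detector(v) == v(). By construction of v the equality never holds,
    so every candidate P misclassifies at least one program."""
    v = make_adversary(detector)
    return detector(v) != v()


# Candidate "perfect" detectors. The first two are static rules; the third
# observes the sample's behaviour the way a sandbox would.
def always_virus(_: Program) -> bool:
    return True


def never_virus(_: Program) -> bool:
    return False


def make_simulating_detector(fallback: bool) -> Detector:
    """Dynamic detector: run the sample and report whether it spread.
    When V runs it asks this detector about itself, so the detector would
    recurse forever unless it breaks the loop with a fixed fallback answer,
    and V simply inverts whatever that answer is."""
    in_progress: Set[int] = set()

    def detector(p: Program) -> bool:
        if id(p) in in_progress:       # re-entered by the sample under test
            return fallback
        in_progress.add(id(p))
        try:
            return p()                 # verdict = observed behaviour
        finally:
            in_progress.discard(id(p))
    return detector


def every_candidate_fails() -> bool:
    """Run the argument against all candidates; True means none survived."""
    candidates = [always_virus, never_virus,
                  make_simulating_detector(True),
                  make_simulating_detector(False)]
    return all(detector_is_wrong_about_adversary(p) for p in candidates)
```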
Virus signature
• Find a string that can identify the virus
• Fingerprint-like
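A minimal signature scanner, added here as an illustration (not the slides' own code): signatures are hex strings in which `??` matches any single byte, the notation classic hex-signature scanners use. Both signatures and the sample buffer are constructed for this example and detect nothing real; the XOR step shows why the polymorphic packers from the earlier slide defeat a fixed string until the sample is unpacked.

```python
import re
from typing import Dict, List, Tuple


def string_signature(s: bytes) -> str:
    """Hex form of a fixed byte string, one two-digit token per byte."""
    return " ".join(f"{b:02x}" for b in s)


# Constructed signature database for the example (assumption: these are not
# real detections). "demo-stub" uses wildcards for a 4-byte call operand.
SIGNATURES: Dict[str, str] = {
    "demo-marker": string_signature(b"CS155-DEMO-SAMPLE-MARKER"),
    "demo-stub": "e8 ?? ?? ?? ?? 5d 81 ed",
}


def compile_signature(hex_sig: str) -> "re.Pattern[bytes]":
    """Translate a hex signature into a compiled bytes regex."""
    parts = []
    for token in hex_sig.split():
        if token == "??":
            parts.append(b".")                      # any single byte
        elif len(token) == 2:
            parts.append(re.escape(bytes.fromhex(token)))
        else:
            raise ValueError(f"bad signature token: {token!r}")
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL: '.' matches 0x0a too


COMPILED = {name: compile_signature(sig) for name, sig in SIGNATURES.items()}


def scan(data: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every match, ordered by offset."""
    hits = [(name, m.start())
            for name, pat in COMPILED.items()
            for m in pat.finditer(data)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


def xor_encode(data: bytes, key: int) -> bytes:
    """What a trivial polymorphic packer does to the payload body: every
    byte changes with the key, so the fixed signature no longer matches
    on disk and only reappears once the payload is unpacked in memory."""
    return bytes(b ^ key for b in data)


# Constructed sample: 16 bytes of padding, the stub with an arbitrary
# operand (offset 16), 8 zero bytes, then the marker string (offset 32).
SAMPLE = (b"\x90" * 16
          + bytes.fromhex("e8 1a 2b 3c 4d 5d 81 ed")
          + b"\x00" * 8
          + b"CS155-DEMO-SAMPLE-MARKER"
          + b"\x00" * 4)
```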
Heuristics
• Analyze program behavior
• Network access
• File open
• Attempt to delete file
• Attempt to modify the boot sector
Checksum
• Compute a checksum for
• Good binaries
• Configuration files
• Detect changes by comparing checksums
• At some point there will be more malware than "goodware" ...
Sandbox analysis
• Running the executable in a VM
• Observe it
• File activity
• Network
• Memory
Dealing with packers
• Launch the exe
• Wait until it is unpacked
• Dump the memory
Worms
Worm
A worm is self-replicating software designed to spread through the network
Typically exploits security flaws in widely used services
Can cause enormous damage
Launch DDOS attacks, install bot networks
Access sensitive information
Cause confusion by corrupting the sensitive information
Worm vs Virus vs Trojan horse
Cost of worm attacks
Morris worm, 1988
Infected approximately 6,000 machines (10% of computers connected to the Internet)
Cost ~ $10 million in downtime and cleanup
Code Red worm, July 16 2001
Internet Worm (first major attack)
Released November 1988
Program spread through Digital, Sun workstations
Exploited Unix security vulnerabilities
VAX computers and SUN-3 workstations running versions 4.2 and 4.3 Berkeley UNIX code
Some historical worms of note

| Worm | Date | Distinction |
|---|---|---|
| Morris | 11/88 | Used multiple vulnerabilities, propagate to “nearby” sys |
| ADM | 5/98 | Random scanning of IP address space |
| Ramen | 1/01 | Exploited three vulnerabilities |
| Lion | 3/01 | Stealthy, rootkit worm |
| Cheese | 6/01 | Vigilante worm that secured vulnerable systems |
| Code Red | 7/01 | First sig Windows worm; completely memory resident |
| Walk | 8/01 | Recompiled source code locally |
| Nimda | 9/01 | Windows worm: client-to-server, c-to-c, s-to-s, … |
| Scalper | 6/02 | 11 days after announcement of vulnerability; peer-to-peer network of compromised systems |
| Slammer | 1/03 | Used a single UDP packet for explosive growth |

Kienzle and Elder
Increasing propagation speed
Code Red, July 2001
Affects Microsoft Index Server 2.0, Windows 2000 Indexing service on Windows NT 4.0, Windows 2000 that run IIS 4.0 and 5.0 Web servers
Exploits known buffer overflow in Idq.dll
Vulnerable population (360,000 servers) infected in 14 hours
SQL Slammer, January 2003
Affects Microsoft SQL 2000
Exploits known buffer overflow vulnerability
Code Red
Initial version released July 13, 2001
Sends its code as an HTTP request
HTTP request exploits buffer overflow
Malicious code is not stored in a file: placed in memory and then run
When executed, worm checks for the file C:\Notworm
Code Red of July 13 and July 19
Initial release of July 13
1st through 20th of each month: spread via random scan of 32-bit IP address space
20th through end of each month: attack. Flooding attack against 198.137.240.91 (www.whitehouse.gov)
Failure to seed random number generator ⇒ linear growth
Revision released July 19, 2001
White House responds to threat of flooding attack by changing the address of www.whitehouse.gov
Causes Code Red to die for date ≥ 20th of the month. But: this time random number generator correctly seeded
Slides: Vern Paxson
Infection rate
Measuring activity: network telescope
Monitor a cross-section of Internet address space, measure traffic:
“Backscatter” from DOS floods
Attackers probing blindly
Random scanning from worms
LBNL’s cross-section: 1/32,768 of Internet
UCSD, UWisc’s cross-section: 1/256
Spread of Code Red
Network telescopes estimate of # infected hosts: 360K (beware DHCP & NAT)
Course of infection fits classic logistic
Note: the larger the vulnerable population, the faster the worm spreads
That night (⇒ 20th), worm dies … except for hosts with inaccurate clocks!
It just takes one of these to restart the worm on August 1st …
Slides: Vern Paxson
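The two growth shapes these Code Red slides describe, linear growth when the July 13 worm failed to seed its random number generator and the classic logistic curve once the July 19 revision seeded it, as an added toy simulation that is not part of the slides or of Paxson's material. It is a pure count of infected addresses with no network I/O; the address-space size, vulnerable population and probe rate are constructed so the run finishes in seconds.

```python
import random

# Added example, not from the lecture: a toy discrete-time simulation of a
# random-scanning worm, showing why an unseeded PRNG gives linear growth
# and a seeded one the logistic curve. All parameters are constructed.
ADDRESS_SPACE = 20_000     # size of the (tiny) address space being scanned
VULNERABLE = 2_000         # how many of those addresses are vulnerable
SCANS_PER_TICK = 5         # probes each infected instance sends per time step
TICKS = 300                # length of the simulation


def simulate(seed_per_instance, ticks=TICKS, seed=1):
    """Return a list with the number of infected hosts after each tick.

    seed_per_instance=True:  every instance draws from its own PRNG stream
                             (properly seeded worm, like the July 19 revision).
    seed_per_instance=False: every instance replays the same PRNG stream
                             (unseeded worm, like the July 13 release), so a
                             later instance only re-probes addresses the first
                             instance has already covered.
    """
    rng = random.Random(seed)
    vulnerable = set(rng.sample(range(ADDRESS_SPACE), VULNERABLE))
    patient_zero = min(vulnerable)
    infected = {patient_zero}

    def new_scanner():
        # Unseeded worm: constant seed, hence an identical probe sequence everywhere.
        return random.Random(rng.getrandbits(32) if seed_per_instance else 0)

    scanners = {patient_zero: new_scanner()}
    history = []
    for _ in range(ticks):
        newly = set()
        for scanner in scanners.values():
            for _ in range(SCANS_PER_TICK):
                target = scanner.randrange(ADDRESS_SPACE)
                if target in vulnerable and target not in infected:
                    newly.add(target)
        for host in newly:
            infected.add(host)
            scanners[host] = new_scanner()   # starts probing on the next tick
        history.append(len(infected))
        if len(infected) == VULNERABLE:      # saturated: pad the curve and stop
            history.extend([VULNERABLE] * (ticks - len(history)))
            break
    return history


def largest_increment(history):
    """Biggest one-tick jump in infections, a simple proxy for the growth shape."""
    return max(b - a for a, b in zip(history, history[1:]))


def ticks_to_fraction(history, fraction):
    """First tick at which at least `fraction` of the vulnerable hosts are infected, or None."""
    goal = fraction * VULNERABLE
    for t, count in enumerate(history):
        if count >= goal:
            return t
    return None


if __name__ == "__main__":
    seeded = simulate(seed_per_instance=True)
    unseeded = simulate(seed_per_instance=False)
    print("seeded:   90% infected at tick", ticks_to_fraction(seeded, 0.9),
          "largest jump", largest_increment(seeded))
    print("unseeded: 90% infected at tick", ticks_to_fraction(unseeded, 0.9),
          "largest jump", largest_increment(unseeded))
```

With a shared sequence, every instance infected later starts the same sequence from the beginning, so its probes land on addresses the first instance has already tried; only the first instance's SCANS_PER_TICK probes per tick can reach fresh addresses, which bounds growth to a constant number of new infections per tick. With independent sequences the expected number of new infections per tick is proportional to I·(V−I)/N for I infected out of V vulnerable in N addresses, which is the logistic differential equation the “Spread of Code Red” slide refers to; the constant of proportionality grows with V/N, matching the note that a larger vulnerable population spreads faster.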
Slides: Vern Paxson
Code Red 2
Released August 4, 2001
Comment in code: “Code Red 2.” But in fact completely different code base
Payload: a root backdoor, resilient to reboots
Bug: crashes NT, only works on Windows 2000
Localized scanning: prefers nearby addresses
Kills Code Red 1
Safety valve: programmed to die Oct 1, 2001
Slides: Vern Paxson
Striving for Greater Virulence: Nimda
Released September 18, 2001
Multi-mode spreading:
attack IIS servers via infected clients
email itself to address book as a virus
copy itself across open network shares
modifying Web pages on infected servers w/ client exploit
scanning for Code Red II backdoors (!)
worms form an ecosystem!
Leaped across firewalls
Slides: Vern Paxson
Code Red 2 kills off Code Red 1
Code Red 2 settles into weekly pattern
Nimda enters the ecosystem
Code Red 2 dies off as programmed
CR 1 returns thanks to bad clocks
Slides: Vern Paxson
How do worms propagate?
Scanning worms: worm chooses “random” address
Coordinated scanning: different worm instances scan different addresses
Flash worms: assemble tree of vulnerable hosts in advance, propagate along tree
Not observed in the wild, yet
Potential for 10^6 hosts in < 2 sec ! [Staniford]
Meta-server worm: ask server for hosts to infect (e.g., Google for “powered by phpbb”)
Topological worm: use information from infected hosts (web server logs, email address books, config files, SSH “known hosts”)
Contagion worm: propagate parasitically along with normally initiated communication
Slammer
• 01/25/2003
• Vulnerability disclosed: 25 June 2002
• Better scanning algorithm
• UDP single packet: 380 bytes
Slammer propagation
Number of scan/sec
Packet loss
A server view
Consequences
• ATM systems not available
• Phone network overloaded (no 911!)
• 5 DNS root servers down
• Planes delayed
Worm Detection and Defense
Detect via honeyfarms: collections of “honeypots” fed by a network telescope. Any outbound connection from honeyfarm = worm (at least, that’s the theory)
Distill signature from inbound/outbound traffic. If telescope covers N addresses, expect detection when worm has infected 1/N of population
Thwart via scan suppressors: network elements that block traffic from hosts that make failed connection attempts to too many other hosts
5 minutes to several weeks to write a signature
Several hours or more for testing
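The scan suppressor decision described above, as an added example that is not code from the slides: over a constructed connection log, a source is flagged when its failed connection attempts reach too many distinct destinations inside a sliding time window. The log format, the addresses, the 60-second window and the threshold of five destinations are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the slides: the core decision of a scan suppressor,
# expressed over a constructed connection log. Log format (constructed):
#   <ISO-8601 timestamp> <source> <destination> <dest port> <OK|FAIL>
CONSTRUCTED_LOG = """\
2001-07-19T10:00:00 10.0.0.5 192.0.2.17 80 OK
2001-07-19T10:00:01 10.0.0.5 192.0.2.18 80 FAIL
2001-07-19T10:00:03 10.0.0.5 192.0.2.19 443 FAIL
2001-07-19T10:00:02 10.0.0.7 192.0.2.40 25 FAIL
2001-07-19T10:00:12 10.0.0.7 192.0.2.40 25 FAIL
2001-07-19T10:00:22 10.0.0.7 192.0.2.40 25 FAIL
2001-07-19T10:00:05 10.0.0.9 198.51.100.1 80 FAIL
2001-07-19T10:00:05 10.0.0.9 198.51.100.2 80 FAIL
2001-07-19T10:00:06 10.0.0.9 198.51.100.3 80 FAIL
2001-07-19T10:00:06 10.0.0.9 198.51.100.4 80 FAIL
2001-07-19T10:00:07 10.0.0.9 198.51.100.5 80 FAIL
2001-07-19T10:00:07 10.0.0.9 198.51.100.6 80 OK
2001-07-19T10:00:08 10.0.0.9 198.51.100.7 80 FAIL
2001-07-19T10:00:00 10.0.0.11 203.0.113.1 22 FAIL
2001-07-19T10:02:00 10.0.0.11 203.0.113.2 22 FAIL
2001-07-19T10:04:00 10.0.0.11 203.0.113.3 22 FAIL
2001-07-19T10:06:00 10.0.0.11 203.0.113.4 22 FAIL
2001-07-19T10:08:00 10.0.0.11 203.0.113.5 22 FAIL
2001-07-19T10:10:00 10.0.0.11 203.0.113.6 22 FAIL
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, dport, outcome)."""
    ts, src, dst, dport, outcome = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), outcome


def find_scanners(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source: peak distinct failed destinations} for sources reaching `threshold`.

    Only FAIL outcomes count. For each source the failures are walked in time
    order while a sliding window tracks the distinct destinations inside it,
    so repeated failures to one flaky server never add up to a scan.
    """
    failures = defaultdict(list)          # src -> [(timestamp, dst), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _dport, outcome = parse_line(line)
        if outcome == "FAIL":
            failures[src].append((ts, dst))

    flagged = {}
    for src, events in failures.items():
        events.sort()
        in_window = defaultdict(int)      # dst -> failures currently inside the window
        start = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Evict failures older than `window` relative to the current one.
            while ts - events[start][0] > window:
                old_dst = events[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            if len(in_window) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged


if __name__ == "__main__":
    print(find_scanners(CONSTRUCTED_LOG))
```

In the constructed log only 10.0.0.9 is flagged: 10.0.0.5 has two failures, 10.0.0.7 fails repeatedly against a single destination, and 10.0.0.11 spreads six failures two minutes apart, which a 60-second window never accumulates. That last case is the classic limitation of this defence: a slow scanner stays under any fixed window-and-threshold pair, so the parameters trade detection delay against false positives from ordinary clients that hit a few dead hosts.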
[Figure: chart of time to spread (secs, mins, hrs, days, months) against year (1990 to 2005) for Program Viruses, Macro Viruses, E-mail Worms, Network Worms and Flash Worms, with Pre-automation and Post-automation eras marked and the worm's Contagion Period contrasted with the defender's Signature Response Period.]
Need for automation
• Current threats can spread faster than defenses can react
• Manual capture/analyze/signature/rollout model too slow
Slide: Carey Nachenberg, Symantec
Signature inference
Challenge: need to automatically learn a content “signature” for each new worm – potentially in less than a second!
Some proposed solutions:
Singh et al, Automated Worm Fingerprinting, OSDI ’04
Kim et al, Autograph: Toward Automated, Distributed Worm Signature Detection, USENIX Sec ’04
Signature inference
Monitor network and look for strings common to traffic with worm-like behavior
Signatures can then be used for content filtering
Slide: S Savage
Content sifting
Assume there exists some (relatively) unique invariant bitstring W across all instances of a particular worm (true today, not tomorrow...)
Two consequences:
Content Prevalence: W will be more common in traffic than other bitstrings of the same length
Address Dispersion: the set of packets containing W will address a disproportionate number of distinct sources and destinations
Content sifting: find W’s with high content prevalence and high address dispersion and drop that traffic
Slide: S Savage
Observation: High-prevalence strings are rare
(Stefan Savage, UCSD *)
Only 0.6% of the 40 byte substrings repeat more than 3 times in a minute
The basic algorithm
[Figure: four animation frames of a detector in the network watching traffic among hosts A, B, C, D, E and cnn.com. Two tables are updated per string: a Prevalence Table (how many packets carried the string) and an Address Dispersion Table (distinct Sources and Destinations). Frame 1: one string, prevalence 1, dispersion 1 (B) / 1 (A). Frame 2: a second string appears with prevalence 1 and dispersion 1 (A) / 1 (C); the first stays at 1. Frame 3: the first string is seen again, prevalence 2, dispersion 2 (B,D) / 2 (A,B); the second is unchanged. Frame 4: prevalence 3, dispersion 3 (B,D,E) / 3 (A,B,D); the second string still at prevalence 1, 1 (A) / 1 (C). The string whose prevalence and address dispersion both climb is the one content sifting singles out.]
(Stefan Savage, UCSD *)
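The two tables of the algorithm sketch above, run over a constructed packet trace, as an added example that is not the Singh et al. implementation or code from the slides. It also shows the case the diagram's cnn.com host stands for: popular content reaches high prevalence but, coming from a single source, never reaches high address dispersion. The 8-byte window, thresholds, host names and payload bytes are constructed for the toy; the real system used 40-byte substrings hashed with Rabin fingerprints.

```python
from collections import defaultdict

# Added example, not code from Singh et al. or the lecture: a toy content
# sifter maintaining a prevalence table and an address dispersion table over
# a constructed packet trace. Window and thresholds are constructed.


class ContentSifter:
    def __init__(self, window=8, prevalence_threshold=3, dispersion_threshold=3):
        self.window = window
        self.prevalence_threshold = prevalence_threshold
        self.dispersion_threshold = dispersion_threshold
        self.prevalence = defaultdict(int)    # substring -> packets containing it
        self.sources = defaultdict(set)       # substring -> distinct source addresses
        self.destinations = defaultdict(set)  # substring -> distinct destination addresses

    def substrings(self, payload):
        """Every distinct window-length substring of one payload (counted once per packet)."""
        return {payload[i:i + self.window] for i in range(len(payload) - self.window + 1)}

    def observe(self, src, dst, payload):
        """Update both tables for one packet; return substrings that now cross both thresholds."""
        flagged = []
        for w in self.substrings(payload):
            self.prevalence[w] += 1
            self.sources[w].add(src)
            self.destinations[w].add(dst)
            if (self.prevalence[w] >= self.prevalence_threshold
                    and len(self.sources[w]) >= self.dispersion_threshold
                    and len(self.destinations[w]) >= self.dispersion_threshold):
                flagged.append(w)
        return flagged


def sift(packets, **thresholds):
    """Run the sifter over (src, dst, payload) tuples; return the union of flagged substrings."""
    sifter = ContentSifter(**thresholds)
    flagged = set()
    for src, dst, payload in packets:
        flagged.update(sifter.observe(src, dst, payload))
    return flagged


# Constructed trace. INVARIANT stands in for the worm's invariant bitstring W;
# its bytes are arbitrary filler, not a real payload.
INVARIANT = b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a"
CONSTRUCTED_PACKETS = [
    # Popular content: high prevalence, but one source -> low address dispersion.
    ("cnn.com", "A", b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n"),
    ("cnn.com", "B", b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n"),
    ("cnn.com", "C", b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n"),
    ("cnn.com", "D", b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n"),
    # Worm-like content: the same string hops across distinct sources and destinations.
    ("A", "B", b"POST /a" + INVARIANT),
    ("B", "D", b"HEAD /b" + INVARIANT),
    ("D", "E", b"GET /xc" + INVARIANT),
]

# The three 8-byte windows that lie entirely inside INVARIANT are the only
# substrings shared by all three worm-like packets (the prefixes differ).
EXPECTED_WORM_SUBSTRINGS = {INVARIANT[i:i + 8] for i in range(3)}

if __name__ == "__main__":
    for w in sorted(sift(CONSTRUCTED_PACKETS)):
        print("flag", w.hex())
```

Requiring dispersion on both the source and the destination side is what separates the worm string from the cnn.com response: the response is prevalent and reaches many destinations, but its source set stays at one. Lowering `dispersion_threshold` to 1 turns the sifter into a plain prevalence filter and the HTTP response gets flagged too, which is the false-positive class the thresholds exist to suppress. The “true today, not tomorrow” caveat from the slide applies directly: a worm that varies every byte between instances has no invariant W for this method to find.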
Challenges
Computation: to support a 1Gbps line rate we have 12us to process each packet, at 10Gbps 1.2us, at 40Gbps… Dominated by memory references; state expensive
Content sifting requires looking at every byte in a packet
State: on a fully-loaded 1Gbps link a naïve implementation can easily consume 100MB/sec for table
Computation/memory duality: on a high-speed (ASIC) implementation, latency requirements may limit state to on-chip SRAM
(Stefan Savage, UCSD *)