Network & Computer Attacks (Part 1) January 27, 2010 MIS 4600 – MBA 5880 - © Abdou Illia

Page 1 (title slide)

Page 2

Objectives

- Describe different types of malicious software
- Discuss methods of protecting against malware attacks
- Describe the types of network attacks
- Identify physical security attacks and vulnerabilities

Page 3

ISC* Objectives (* Information Security Countermeasures)

- Confidentiality: making sure that corporate data and transactions with partners remain confidential
- Integrity: making sure that software programs, local data, and data in transit are not altered or destroyed
- Availability: making sure that computer and network resources or services remain available to users and are not disrupted
- Accountability: making sure that users are properly authenticated and their actions accounted for
- Authenticity (also called non-repudiation on this slide): making sure that a business partner cannot deny their actions

Mnemonic: C – Confidentiality, I – Integrity, A – Availability, A – Accountability/Authenticity

Page 4

Malicious software attacks

Common types of malware:
- Viruses
- Worms
- Trojan horses
- Adware / spyware
- Logic bombs
- Web bots

Page 5

What is a virus?

A virus is malware that:
- attaches itself to files on a single computer
- can replicate from file to file
- does not stand on its own: it needs a host file (a vector), unlike some other malware
- does not spread across computers without human intervention (flash drive, e-mail attachment, etc.)

Types of virus host / vector:
- Binary executable files (such as COM and EXE files in MS-DOS, Portable Executable (PE) files in Microsoft Windows, and ELF files in Linux; ELF = Executable and Linkable Format)
- Volume boot records of floppy disks and hard disk partitions, and the master boot record (MBR) of a hard disk
- General-purpose script files (such as batch files in MS-DOS and Microsoft Windows, VBScript files, and shell script files on Unix-like platforms)
- Application-specific script files (such as Telix scripts)
- System-specific autorun script files (such as the Autorun.inf file Windows uses to automatically run software stored on USB memory storage devices)
- Documents that can contain macros (such as Microsoft Word documents, Microsoft Excel spreadsheets, Microsoft Access database files, and AmiPro documents)

Note: PDFs and images, like HTML, may link to malicious code; PDFs can also be infected with malicious code directly.

Page 6

Types of viruses

Based on host files:
- Boot sector viruses: attach themselves to the boot sector of a hard disk or floppy, so they run before the operating system loads
- File infector viruses: attach themselves to program files and user files
- Macro viruses: attach to files with embedded macro programs

Based on mutation techniques:
- Polymorphic viruses: mutate with every infection (using encryption techniques, so the stored body looks different each time), making them hard to locate with a fixed signature
- Metamorphic viruses: rewrite themselves completely each time they infect a new executable (a metamorphic engine is needed)

Page 7

Types of viruses (cont.)

Based on deception methods:
- Core MS-DOS viruses: make sure that the "last modified" date of a host file stays the same when the file is infected by the virus, so a check based on timestamps notices nothing.
- Cavity viruses: infect files without increasing their size or damaging them, by overwriting unused areas of executable files. Example: the CIH (Chernobyl) virus, about 1 KB in size, infects Portable Executable files, which contain many empty gaps. (Slide illustration: a 300 KB File.exe sitting in a 512 KB block.)
- Antivirus PID killers: kill the tasks (processes) associated with antivirus software.
- Stealth viruses: hide themselves by intercepting the disk access requests made by antivirus programs. The stealth virus returns an uninfected version of the file to the anti-virus software, so that infected files seem "clean".

[Slide diagram: antivirus Request -> OS -> Stealth virus, which hands back a clean copy of the file.]
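The two deceptions above, preserving the "last modified" date and writing into an unused gap so the file size does not grow, are easy to simulate and that simulation shows why an integrity monitor must compare file hashes rather than timestamps or sizes. The following is an added example, not code from the slides: it builds a constructed dummy "executable" with a zero-filled gap in a temporary directory, overwrites the gap the way a cavity virus would, restores the original modification time with os.utime, and reports which of the three checks (mtime, size, SHA-256) notices the change.

```python
import hashlib
import os
import tempfile


def fingerprint(path: str) -> dict:
    """Record what a naive checker (mtime, size) and a hash-based checker see."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"mtime_ns": st.st_mtime_ns, "size": st.st_size, "sha256": digest}


def infect_in_place(path: str, payload: bytes, offset: int) -> None:
    """Simulate both deceptions: overwrite an unused region inside the file
    (cavity style, so the size stays the same) and then put the original
    modification time back (the 'last modified stays the same' trick)."""
    st = os.stat(path)
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(payload)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def compare(before: dict, after: dict) -> dict:
    """Which checks detect the infection?"""
    return {
        "mtime_changed": before["mtime_ns"] != after["mtime_ns"],
        "size_changed": before["size"] != after["size"],
        "hash_changed": before["sha256"] != after["sha256"],
    }


def run_demo() -> dict:
    """Build a constructed dummy executable with a 256-byte unused gap, infect it,
    and report what each check sees. The file is not a real program."""
    header = b"MZ-header-stub"
    original = header + b"\x00" * 256 + b"real program code"
    payload = b"VIRUS BODY (fits inside the gap)"   # constructed, inert bytes
    assert len(payload) <= 256                      # must fit the cavity

    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "File.exe")
        with open(path, "wb") as f:
            f.write(original)
        before = fingerprint(path)
        infect_in_place(path, payload, offset=len(header))
        after = fingerprint(path)
    return compare(before, after)


if __name__ == "__main__":
    # mtime and size are unchanged; only the hash reveals the infection
    print(run_demo())
```

The lesson for a defender is that a baseline of cryptographic hashes (the approach of host integrity checkers) catches the change, while "has this file been modified since yesterday?" answered from the timestamp does not. Note that the hash comparison itself must be done by a scanner the virus cannot intercept; against a stealth virus that means scanning from a clean boot medium.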

Page 8

Using Base64 encoding to hide viruses

Base64 encoding is what e-mail (MIME) uses to carry binary attachments as plain text; it does not reduce their size (the encoded form is about a third larger), but it does mean the real content of an attachment is not visible until it is decoded.

Example: an e-mail with Price.cpl attached is returned by the server with this bounce message:

"This message was created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed: [email protected]. This message has been rejected because it has a potentially executable attachment "Price.cpl". This form of attachment has been used by recent viruses or other malware. If you meant to send this file, then package it up as a zip file and resend it."

[Message header deleted for brevity]

<html><body></body></html>
-----------sghsfzfldbjbzqmztbdx
Content-Type: application/octet-stream; name="Price.cpl"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Price.cpl"
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9nmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAABQRQRQAATAEDAA+kgUEAAAAAAOAADiELAQUMAAwAAAACAAAAAAAQBUAAAAQAAAAIAAAIAAEAAQAAAgAABAAA …..GWxWigppFLPigOA6Iqb3ZYDSw1XiXi1sV7d6oVtwKiyKmr4PDWUmgExWU6UOIHF6MK….

(Base64 content of Price.cpl as reproduced on the slide.)

What decoding the content reveals (strings visible in the decoded file): "This program cannot be run in DOS mode." User32.dll CloseHandle() CreateFileA GetWindowsDirectory WriteFile scart kernel32.dll ShellExecute shell32 KERNEL32.DLL USER32.DLL GetProcAddress LoadLibrary ExitProcess VirtualFree MessageBox

A practitioner does not even need to decode the whole attachment: the first four Base64 characters "TVqQ" decode to the bytes 4D 5A 90 00, and 4D 5A is "MZ", the signature that begins every DOS/Windows executable.

Page 9

Using Base64 encoding to hide viruses (cont.)

- Base64 carries binary data as text (it makes the data larger, not smaller)
- Represents the values 0 to 63 using six bits: A is 000000 (0) ... Z is 011001 (25), followed by a-z, 0-9, + and /; "=" pads the final group
- Converting a Base64 string back to bytes: create groups of 4 characters; for each group, convert the value of each character to six binary bits; rewrite the 24 bits as three groups of eight bits; convert each byte to decimal
- Commercial and free Base64 encoders/decoders are available. Try converting the Base64 string below at http://www.motobit.com/util/base64-decoder-encoder.asp

TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0aGlzIHNpbmd1bGFyIHBhc3Npb24gZnJvbSBvdGhlciBhbmltYWxzLCB3aGljaCBpcyBhIGx1c3Qgb2YgdGhlIG1pbmQsIHRoYXQgYnkgYSBwZXJzZXZlcmFuY2Ugb2YgZGVsaWdodCBpbiB0aGUgY29udGludWVkIGFuZCBpbmRlZmF0aWdhYmxlIGdlbmVyYXRpb24gb2Yga25vd2xlZGdlLCBleGNlZWRzIHRoZSBzaG9ydCB2ZWhlbWVuY2Ugb2YgYW55IGNhcm5hbCBwbGVhc3VyZS4=
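The following added example (not code from the slides) ties the two Base64 slides together. It implements the decoding procedure exactly as described on this slide (four characters, 24 bits, three bytes, with "=" padding handled), checks it against Python's standard library on the slide's own exercise string, and then does what the mail server on the previous slide did: it walks a MIME message, decodes the base64 attachment and flags it as executable by its extension and by the "MZ" / "PE\0\0" signatures in the decoded bytes. The message, the addresses and the Price.cpl contents are constructed here (the fake PE is just a header, not a runnable program); only the boundary string and the exercise text come from the slides.

```python
import base64
import email
import os

# --- Base64 by hand, as the slide describes -------------------------------------
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
VALUE = {ch: idx for idx, ch in enumerate(ALPHABET)}   # 'A' -> 0 (000000) ... '/' -> 63


def b64decode_manual(text: str) -> bytes:
    """Groups of 4 characters -> four 6-bit values -> 24 bits -> three 8-bit bytes."""
    text = "".join(text.split())          # MIME wraps base64 at 76 columns; drop breaks
    if len(text) % 4:
        raise ValueError("base64 input length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        group = text[i:i + 4]
        pad = group.count("=")
        if pad > 2 or not group.endswith("=" * pad) or (pad and i + 4 != len(text)):
            raise ValueError("'=' padding is only allowed at the very end")
        bits = 0
        for ch in group[:4 - pad]:
            bits = (bits << 6) | VALUE[ch]  # KeyError for a character outside the alphabet
        bits <<= 6 * pad                    # padding characters contribute zero bits
        out += bits.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def decode_matches_stdlib(text: str) -> bool:
    """Cross-check the hand-written decoder against the standard library."""
    return b64decode_manual(text) == base64.b64decode(text)


# --- Recognizing an executable inside a decoded attachment -------------------------
BLOCKED_EXTENSIONS = {".exe", ".cpl", ".scr", ".pif", ".com", ".bat", ".vbs", ".js"}


def executable_indicators(filename: str, data: bytes) -> list:
    """Reasons an attachment looks executable (empty list if none)."""
    reasons = []
    ext = os.path.splitext(filename)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
    if data[:2] == b"MZ":                           # 'TVqQ' in base64 = 4D 5A 90 00
        reasons.append("MZ header")
        if len(data) >= 0x40:                       # e_lfanew lives at offset 0x3C
            e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                reasons.append("PE signature")      # a Windows PE, whatever the name says
    return reasons


def scan_attachments(raw_message: str) -> list:
    """Walk a MIME message and report attachments that carry executable content."""
    msg = email.message_from_string(raw_message)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        if cte == "base64":
            data = b64decode_manual(part.get_payload())   # use the hand-written decoder
        else:
            data = part.get_payload(decode=True) or b""
        reasons = executable_indicators(filename, data)
        if reasons:
            findings.append((filename, reasons))
    return findings


# --- Constructed sample data (not the slide's real Price.cpl) ----------------------
def build_fake_pe() -> bytes:
    """Bytes that look like a Windows executable to a scanner: MZ header, the DOS
    stub text, e_lfanew pointing at a PE signature. Not a runnable program."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")
    stub = b"This program cannot be run in DOS mode.\r\n$"
    hdr[0x40:0x40 + len(stub)] = stub
    return bytes(hdr) + b"PE\x00\x00" + bytes(20)


def build_sample_message(attachment: bytes, filename: str) -> str:
    """A constructed two-part MIME message; addresses are placeholders."""
    body = base64.encodebytes(attachment).decode("ascii")
    boundary = "sghsfzfldbjbzqmztbdx"
    return (
        "From: sender@example.com\nTo: recipient@example.com\nSubject: Price list\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/mixed; boundary="{boundary}"\n\n'
        f"--{boundary}\nContent-Type: text/html\n\n<html><body></body></html>\n"
        f"--{boundary}\n"
        f'Content-Type: application/octet-stream; name="{filename}"\n'
        "Content-Transfer-Encoding: base64\n"
        f'Content-Disposition: attachment; filename="{filename}"\n\n'
        f"{body}--{boundary}--\n"
    )


# The slide's own exercise string.
HOBBES_B64 = (
    "TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0aGlz"
    "IHNpbmd1bGFyIHBhc3Npb24gZnJvbSBvdGhlciBhbmltYWxzLCB3aGljaCBpcyBhIGx1c3Qgb2Yg"
    "dGhlIG1pbmQsIHRoYXQgYnkgYSBwZXJzZXZlcmFuY2Ugb2YgZGVsaWdodCBpbiB0aGUgY29udGlu"
    "dWVkIGFuZCBpbmRlZmF0aWdhYmxlIGdlbmVyYXRpb24gb2Yga25vd2xlZGdlLCBleGNlZWRzIHRo"
    "ZSBzaG9ydCB2ZWhlbWVuY2Ugb2YgYW55IGNhcm5hbCBwbGVhc3VyZS4="
)

if __name__ == "__main__":
    print(b64decode_manual(HOBBES_B64).decode())
    print(scan_attachments(build_sample_message(build_fake_pe(), "Price.cpl")))
```

The content check matters more than the extension check: renaming Price.cpl to Price.txt or hiding it in an archive defeats a filename filter, but the MZ/PE bytes are still there once the attachment is decoded, which is why mail gateways decode and inspect the payload rather than trusting the declared name.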

Page 10

Protecting against viruses

Signature-based antivirus programs:
- Compare the contents of a file to a database of virus signatures
- A signature is an algorithm or a hash (a number or string of characters derived from the virus code) that uniquely identifies a specific virus
- The signature database must be updated periodically, or the automatic update feature used if available

[Slide figure: a list of virus signatures, e.g. 1) 67344883409999999999 2) DF56eeb&^fgkFT&&&88jjj 3) 01000010100000000000 4) 78020000100000102398 5) 89950-1=ddjjdfjj3k3l355 6) ..., being compared against a list of files: 1) Sales.xls 2) Forecast.doc 3) Staff.mdb 4) Ingredients.doc 5) Committees.xls 6) Minutes.accdb 7) ...]

Question: Name two kinds of situation where signature-based antivirus won't be effective.

Page 11

Protecting against viruses (cont.)

Heuristic-based antivirus that uses generic signatures:
- Through mutation or refinement by attackers, viruses can grow into dozens of slightly different strains called variants
- Example: the Vundo trojan has evolved into two distinct family members, Trojan.Vundo and Trojan.Vundo.B
- A generic signature can be generated for a whole virus family
- Heuristic analysis uses generic signatures to identify new malware or variants of known malware

Question: Is a generic signature more or less accurate than a specific virus' signature?
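An added example (not code from the slides) that answers both questions on the last two slides in working code. Three constructed, inert byte strings stand in for a base strain and two variants that differ by a few bytes; a "specific" signature is modelled as the SHA-256 of the exact sample, a "generic" family signature as a byte pattern with wildcards where the variants differ, and a deliberately loose signature shows the false-positive cost of being too generic. Real antivirus engines use richer signature languages, but the trade-off is the same.

```python
import hashlib
import re

# Constructed samples (not real malware): one base strain and two variants that a
# polymorphic engine or a re-packer might produce by changing a few bytes.
COMMON_BODY = b"\x00" * 8 + b"open_backdoor(4444)"
STRAIN_A = b"MZ" + b"STAGE:" + b"\xde\xad\xbe\xef" + COMMON_BODY + b"\x90" * 4
STRAIN_B = b"MZ" + b"STAGE:" + b"\xde\xad\xbe\xf0" + COMMON_BODY + b"\x90" * 4   # one byte differs
STRAIN_C = b"MZ" + b"STAGE:" + b"\xde\xad\x11\x22" + COMMON_BODY + b"\xcc" * 9   # two bytes + padding
# A legitimate admin script that happens to mention the same function name.
CLEAN_TOOL = b"#!/bin/sh\n# helper: open_backdoor(4444) is documented here, never called\necho ok\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Specific signature: a hash of the exact sample. Any change at all defeats it,
# and an unknown (new) sample has no entry to match.
EXACT_SIGNATURES = {sha256_hex(STRAIN_A): "Trojan.Example.A"}

# Generic (family) signature: fixed bytes plus wildcards where the variants differ.
# With re.DOTALL, '.' matches any single byte, so '.{2}' skips two variable bytes.
GENERIC_SIGNATURES = {
    "Trojan.Example (family)": re.compile(
        rb"\AMZSTAGE:\xde\xad.{2}\x00{8}open_backdoor\(", re.DOTALL),
}

# Too generic: a single string that also appears in legitimate files.
LOOSE_SIGNATURES = {
    "Trojan.Example (loose)": re.compile(rb"open_backdoor\("),
}


def scan_exact(data: bytes):
    """Signature-based check: hash lookup, returns the detection name or None."""
    return EXACT_SIGNATURES.get(sha256_hex(data))


def scan_patterns(data: bytes, signatures: dict):
    """Generic-signature check: first matching pattern name, or None."""
    for name, pattern in signatures.items():
        if pattern.search(data):
            return name
    return None


def scan_report(data: bytes) -> dict:
    """Run the three detection styles over one sample."""
    return {
        "exact": scan_exact(data),
        "generic": scan_patterns(data, GENERIC_SIGNATURES),
        "loose": scan_patterns(data, LOOSE_SIGNATURES),
    }


if __name__ == "__main__":
    for label, sample in [("A", STRAIN_A), ("B", STRAIN_B), ("C", STRAIN_C), ("clean", CLEAN_TOOL)]:
        print(label, scan_report(sample))
```

Running it shows the two situations where the exact signature fails (a variant with one byte changed, and any sample not yet in the database), that the family signature catches all three strains, and that the loose signature also fires on the clean script: a generic signature is less precise than a specific one, trading missed variants for false positives.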

Page 12

Protecting against viruses (cont.)

Heuristic-based antivirus that uses virtual machines (emulation / sandboxing):
- Allows the antivirus program to simulate what would happen if the suspicious file were executed
- Executes the questionable program or script within a specialized virtual machine
- Then analyzes the execution, monitoring for common viral activities: replication, file overwrites, attempts to hide the existence of the suspicious file
- If one or more virus-like actions are detected, the suspicious file is flagged as a potential virus
- Caveat: malware that detects it is running inside an emulator or virtual machine can stay dormant during the analysis and so evade this technique

Question: Which of the following is more likely to lead to false positive virus identifications: signature-based or heuristic-based antivirus?

Page 13

Exercise: Based on the descriptions, is the classification of the malware as a virus correct?

Page 14

Worms

- Do not attach to files: a worm stands on its own
- Self-replicating malware that can propagate across a network by itself
- Uses the host computer's resources and its own network application to send copies of itself to other computers

Types of harm:
- Consuming network bandwidth (the Morris and Mydoom worms are notorious examples)
- Consuming host computer resources (processing, RAM)
- Deleting files (e.g. the ExploreZip worm)
- Encrypting files (which leads to a cryptoviral extortion attack)
- Installing backdoor/zombie programs under the control of the worm author (e.g. Sobig)

Page 15

Protecting against worms

- Worms spread by exploiting vulnerabilities in the OS and in network services listening on it
- Make sure that unnecessary ports (listening services) are not open
- Regular OS security updates are the best protection
- Other effective defenses: antivirus programs; local (host) firewall software can block incoming worm traffic

[Slide diagram: two TCP/IP stacks (Application layer, Transport layer, Internet layer, Interface layer) shown side by side.]
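"Make sure that unnecessary ports are not open" is only actionable if you compare what is actually listening against what is supposed to be. The following added example (not code from the slides) parses a constructed sample of Linux `ss -ltnp` output, extracts each listening socket with its port and owning process, and reports everything outside an allowlist; listeners bound only to loopback are reported separately, since a worm on the network cannot reach them. The port allowlist and the sample lines are assumptions made up for the example.

```python
import re

# Constructed sample of `ss -ltnp` output on a Linux host (not a real capture).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*          users:(("smbd",pid=1301,fd=29))
LISTEN  0       4096    127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=655,fd=7))
LISTEN  0       128     0.0.0.0:5900         0.0.0.0:*          users:(("x11vnc",pid=2210,fd=5))
"""

# Services this host is supposed to expose (assumed: SSH only); everything else is a finding.
ALLOWED_PORTS = {22}
LOOPBACK_ADDRESSES = {"127.0.0.1", "::1"}

# "Local Address:Port" may be 0.0.0.0:22, 127.0.0.1:631 or the IPv6 form [::]:22.
LINE_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s*(?P<proc>.*)$")
PROC_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


def parse_listeners(text: str) -> list:
    """Turn ss output into a list of {addr, port, process, pid} dicts."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                               # header line or non-LISTEN state
        p = PROC_RE.search(m.group("proc"))
        listeners.append({
            "addr": m.group("addr").strip("[]"),   # "[::]" -> "::"
            "port": int(m.group("port")),
            "process": p.group("name") if p else None,
            "pid": int(p.group("pid")) if p else None,
        })
    return listeners


def audit_listeners(listeners: list, allowed_ports: set) -> list:
    """Return (port, process, verdict) for every listener not on the allowlist."""
    findings = []
    for l in listeners:
        if l["port"] in allowed_ports:
            continue
        if l["addr"] in LOOPBACK_ADDRESSES:
            verdict = "loopback only: not reachable from the network, review anyway"
        else:
            verdict = "exposed to the network and not on the allowlist: close or firewall it"
        findings.append((l["port"], l["process"], verdict))
    return findings


if __name__ == "__main__":
    for port, proc, verdict in audit_listeners(parse_listeners(SAMPLE_SS_OUTPUT), ALLOWED_PORTS):
        print(f"port {port} ({proc}): {verdict}")
```

In the sample, the file-sharing daemon on 445 and the VNC server on 5900 are reachable from the network and are exactly the kind of unplanned listeners a worm probes for; the print service on 631 is bound to loopback and is lower priority. On a real host the same audit is run against live `ss -ltnp` output, and the list of exposed ports should match the host firewall's allow rules.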

Page 16

Trojan programs

- Non-self-replicating malware that appears to be a useful program (a game, screen saver, free antivirus, etc.)
- But is actually a backdoor or rootkit that facilitates remote access or a "take over" by a remote attacker

Once a Trojan horse is installed on a target computer, it can be used for:
- Keystroke logging
- Data theft (e.g. passwords, credit card information, etc.)
- Installing other malware
- Using the host computer as part of a botnet for spamming or distributed DoS
- Deleting or modifying files

Page 17

Trojan programs (cont.)

Page 18

Spyware

- Sends information from the infected computer to the attacker: confidential financial data, passwords, PINs, any other stored data
- Can record each keystroke entered (keylogging)
- Prevalent technology
- Educate users about spyware

Page 19

Adware

- Similar to spyware
- Can be installed without the user being aware
- Sometimes displays a banner
- Main goal: determine the user's online purchasing habits and show tailored advertisements
- Main problem: slows down computers

Page 20

Protecting against malware attacks at the organizational level

- What is/are the most effective technical solution(s) that could be implemented at the network level to deal with malware attacks?
- What is/are the most effective non-technical solution(s) that could be implemented in an organization to deal with malware attacks?