Malware by Ms. Allwood

Posted 22-Jan-2018 (uploaded by stavia), category: Software

Page 1: Malware by Ms. Allwood

MALWARE

Page 2

OBJECTIVES

What malware is

Types of malware

How they infect hosts

How they hide

How to detect them

Page 3

WHAT IS MALWARE?

Malware is a set of instructions that runs on your computer and makes your system do something that an attacker wants it to do.

Page 4

WHAT IS IT GOOD FOR?

Steal personal information

Steal valuable data

Destroy data

Denial of service

Use your computer as a relay

Page 5

VIRUSES

A malicious piece of code that spreads itself from file to file

A virus needs a host file

Requires user interaction, like opening a file

Different types of viruses: program viruses, boot-sector viruses, macro viruses

[Figure: an infected file carrying the virus as its payload]

Page 6

WORMS

A malicious piece of code that spreads itself from computer to computer by exploiting vulnerabilities

A worm needs no host file

Spreads without user interaction

Can spread via e-mail attachments, the LAN or the Internet

Second-generation worms automatically search for vulnerable computers and infect them; the whole vulnerable population of the Internet can be infected in minutes (Slammer, 2003, reached most of its vulnerable hosts in about 10 minutes)

Page 7

TROJANS ("Trojan Horse")

Programs with hidden malicious functionality

Appear to be screensavers, games, or other "useful" programs

"There's an app for that!": iPhone and Android apps

Page 8

LOGIC BOMBS

Malicious code programmed to activate on a specific date, time or circumstance

The action could be anything from formatting the hard drive to displaying a silly message on the user's screen

Often combined with a virus/worm (e.g., the Chernobyl virus, CIH, whose destructive payload fired on 26 April)

Page 9

BLENDED THREATS

Advanced malicious software that combines the characteristics of viruses, worms, trojans and malicious scripts is sometimes called a "blended threat"; it is hard to know where to draw the line*

Exploits one or many vulnerabilities in programs or the operating system

*Mick Douglas, PaulDotCom Podcast, https://twitter.com/#!/haxorthematrix/statuses/2421087772

Page 10

VIRUSES

4 phases:

Dormant phase: the virus is idle, waiting for some event

Propagation phase: copies itself into other programs

Triggering phase: activated (by a date, an event or a counter) to perform its intended actions

Execution phase: executes the payload

Page 11

MACRO VIRUSES

Macro: an executable program embedded in a document to automate repetitive tasks (save keystrokes)

Application-dependent (e.g., MS Office) rather than OS-dependent, so a macro virus crosses OS platforms wherever the application runs

Why do virus writers like macro viruses?

Easy to learn

Easy to write

Popularity of MS Office

Page 12

HOW A MACRO VIRUS WORKS

Every Word document is based on a template

When an existing or new document is opened, the template settings are applied first

A global template: NORMAL.DOT (Normal.dotm in current versions of Word)

A macro virus that copies itself into the global template therefore runs every time Word opens any document, and from there it copies itself into every document the user edits
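The counterpart of the NORMAL.DOT check for today's Office files, as an added example that is not part of the original slides: Word keeps a document's macros in the stream word/vbaProject.bin inside the OOXML zip container and declares that part in [Content_Types].xml, so a scanner can flag macro-carrying documents without running them. The sample documents are constructed in memory, and the raw scan for auto-executing procedure names is labelled as a heuristic in the code.

```python
"""Detect a VBA macro project inside an Office Open XML (.docx/.docm) file.

Added example, not part of the original slides. Modern Word keeps a
document's macros in the stream word/vbaProject.bin inside the OOXML zip
container and declares that part in [Content_Types].xml; a document that
carries such a part is today's equivalent of a macro-infected .doc. The
sample documents are constructed in memory, so this runs offline.
"""
import io
import re
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Procedures Word runs on its own when a document opens or closes. The module
# streams are MS-OVBA compressed, so finding these names in the raw stream is
# only a heuristic (assumption: they may survive uncompressed in the stream);
# the presence of the vbaProject part is the reliable indicator.
AUTO_EXEC = re.compile(rb"AutoOpen|AutoClose|Document_Open|Document_Close", re.I)


def inspect_ooxml(data: bytes) -> dict:
    """Report whether the container declares/contains a VBA project."""
    report = {"has_vba_part": False, "declares_vba": False, "auto_exec_names": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" in names:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            report["declares_vba"] = VBA_CONTENT_TYPE in types_xml
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if vba_parts:
            report["has_vba_part"] = True
            blob = b"".join(zf.read(n) for n in vba_parts)
            found = {m.decode("ascii").lower() for m in AUTO_EXEC.findall(blob)}
            report["auto_exec_names"] = sorted(found)
    return report


def is_macro_document(data: bytes) -> bool:
    report = inspect_ooxml(data)
    return report["has_vba_part"] or report["declares_vba"]


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container for the demo (not a real Word file)."""
    overrides = ('<Override PartName="/word/document.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_macro:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    types_xml = ('<?xml version="1.0" encoding="UTF-8"?>'
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                 f'{overrides}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", types_xml)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed stand-in for a compiled VBA project (OLE magic plus a
            # procedure name); real streams are compressed and much larger.
            zf.writestr("word/vbaProject.bin",
                        b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"Document_Open" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample(False)), ("macro", build_sample(True))):
        print(label, is_macro_document(doc), inspect_ooxml(doc))
```

Run it on real files by passing the file bytes to `inspect_ooxml`; a `.docx` that contains a vbaProject part is already suspicious, because Word refuses to save macros into that extension and only a renamed `.docm` or a crafted file carries one.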

Page 13

WORM

Worm: self-replicating over networks, but not infecting programs and files

Examples: the Morris worm (1988), the Blaster worm (2003)

Page 14

THE STRUCTURE OF WORMS

Target locator (find the target): e-mail address collector, IP/port scanner

Warhead: break into remote machines

Propagation: automatically send e-mails, automatically attack remote hosts

Remote control and update: download updates from a web server, join an IRC channel

Lifecycle management: self-termination ("commit suicide"), avoid repeatedly infecting the same host

Payload

Page 15

STATE OF WORM TECHNOLOGY

Multiplatform: Windows, Unix, Mac, ...

Multi-exploit: web server, browser, e-mail, ...

Ultrafast spreading: host/port scanning

Polymorphic: each copy has new code generated by equivalent instructions and encryption techniques, so there is no fixed byte pattern to match

Metamorphic: the worm rewrites its own code on each generation, so its behaviour patterns vary as well

Transport vehicles for the payloads (spread attacking tools and zombies)

Zero-day exploits, delivered through self-update

Page 16

DISCUSSION

Is it a good idea to spread worms with system patches?

Page 17

TROJAN

A program with hidden side effects that are not specified in the program documentation and are not intended by the user executing the program

Page 18

WHAT A TROJAN CAN DO

Remote administration trojans: attackers get complete control of a PC

Backdoor: steal data and files

Distributed attacks: zombie network

Password stealers: capture stored passwords

Audio, video capturing: control devices

Keyloggers: capture passwords as they are typed

Adware: pop-up advertisements

Logic bomb: only executed when a specific trigger condition is met

Page 19

GET FAMILIAR WITH YOUR PC

Startup programs/services

Frequently used IP ports: 20/21 FTP, 23 Telnet, 25 SMTP, 80 WWW (HTTP)

Netstat (lists listening ports and open connections, so an unexpected listener or an odd outbound connection stands out)
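Checking netstat by eye does not scale past a handful of hosts, so here is the check as a script, an added example that is not part of the original slides. It parses the layout `netstat -an` prints on Windows and on Linux, flags listeners that are not on the host's allowlist, and flags established connections to unusual remote ports, which is how a backdoor on a high port or a bot's IRC control channel (port 6667) shows up. The allowlists are assumptions for the demo and the sample output is constructed.

```python
"""Audit netstat output against a baseline of expected ports.

Added example, not part of the original slides. It parses lines in the shape
'netstat -an' prints on Windows and on Linux (both layouts are handled) and
flags listeners that are not on the host's allowlist, plus established
connections to unusual remote ports. The sample output is constructed.
"""
import re

# Port labels from the slide plus a few a reviewer meets constantly.
WELL_KNOWN = {20: "FTP-data", 21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP",
              53: "DNS", 80: "HTTP", 123: "NTP", 443: "HTTPS", 6667: "IRC"}
LISTEN_STATES = {"LISTEN", "LISTENING"}
EXPECTED_LISTENERS = {22, 80, 443}     # assumption: this host's baseline
EXPECTED_OUTBOUND = {22, 53, 80, 443}  # assumption: normal client traffic

# Windows: "TCP  local  remote  STATE"; Linux adds Recv-Q/Send-Q counters.
LINE = re.compile(
    r"^\s*(?P<proto>tcp6?|udp6?)\s+(?:\d+\s+\d+\s+)?"
    r"(?P<local>\S+)\s+(?P<remote>\S+)\s*(?P<state>[A-Z_]*)",
    re.I,
)


def parse_endpoint(endpoint):
    """'0.0.0.0:22' -> ('0.0.0.0', 22); ':::*' and '*:*' give port None."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # headers and blank lines
        lhost, lport = parse_endpoint(m["local"])
        rhost, rport = parse_endpoint(m["remote"])
        rows.append({"proto": m["proto"].lower(), "lhost": lhost, "lport": lport,
                     "rhost": rhost, "rport": rport, "state": m["state"].upper()})
    return rows


def audit(text):
    """Return (kind, host_or_proto, port, label) tuples for anything off-baseline."""
    findings = []
    for r in parse_netstat(text):
        # UDP sockets have no state; a UDP socket bound with no peer is a listener.
        listener = r["state"] in LISTEN_STATES or (r["proto"].startswith("udp") and r["rport"] is None)
        if listener and r["lport"] not in EXPECTED_LISTENERS:
            findings.append(("unexpected-listener", r["proto"], r["lport"],
                             WELL_KNOWN.get(r["lport"], "unknown")))
        elif r["state"] == "ESTABLISHED" and r["rport"] not in EXPECTED_OUTBOUND:
            findings.append(("unusual-outbound", r["rhost"], r["rport"],
                             WELL_KNOWN.get(r["rport"], "unknown")))
    return findings


# Constructed 'netstat -an' output (Windows layout) for the demo.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49700     10.0.0.5:6667          ESTABLISHED
  TCP    192.168.1.20:49701     93.184.216.34:443      ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Feed it real output with `audit(open("netstat.txt").read())`; the baseline sets are the part to maintain per host role, since a web server legitimately listens on 80 and 443 while a workstation should not.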

Page 20

MALWARE PAYLOADS

No payload

Payload without damage: only display some information

Payload with little impact: modify documents (Wazzu virus)

Payload with heavy impact: remove files, format storage; encrypt data (blackmail); destroy hardware (W95.CIH: rewrites the flash BIOS); DDoS attacks; steal data for profit

Page 21

MALWARE NAMING

CARO (Computer Antivirus Research Organization)

CARO naming convention (1991): <family_name>.<group_name>.<infective_length>.<variant>.<modifier>, e.g., Cascade.1701.A

Platform prefix: Win32.Nimda.A@mm (the @mm suffix marks a mass-mailing worm)
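The convention above as a small parser, added here as an example and not part of the original slides: it splits a name into the components the slide lists and rebuilds it in the same order. The list of platform prefixes and the reading of an `@mm` suffix as the mass-mailer modifier are assumptions of this example, since the slide only shows the two names.

```python
"""Parse and rebuild malware names written in the CARO convention.

Added example, not part of the original slides. The component order is the
one the slide gives (family.group.infective_length.variant.modifier with an
optional platform prefix); the list of platform prefixes and the reading of
an '@mm' suffix as the mass-mailer modifier are assumptions of this example.
"""

# Assumption: prefixes this parser treats as a platform rather than a family.
KNOWN_PLATFORMS = {"win32", "w32", "w95", "w97m", "wm", "x97m", "js", "vbs",
                   "linux", "osx", "android"}


def parse_caro(name):
    """Split a CARO name into its components; absent components are None."""
    parsed = {"platform": None, "family": None, "group": None,
              "infective_length": None, "variant": None, "modifier": None}
    base, at, modifier = name.strip().partition("@")
    if at:
        parsed["modifier"] = modifier.lower()
    parts = [p for p in base.split(".") if p]
    if not parts:
        raise ValueError(f"empty CARO name: {name!r}")
    if len(parts) > 1 and parts[0].lower() in KNOWN_PLATFORMS:
        parsed["platform"] = parts.pop(0)
    parsed["family"] = parts.pop(0)
    # Variant: a trailing one- or two-letter component (A, B, ..., AA).
    if parts and parts[-1].isalpha() and len(parts[-1]) <= 2:
        parsed["variant"] = parts.pop().upper()
    # Infective length: the first purely numeric component; the rest is the group.
    group = []
    for p in parts:
        if p.isdigit() and parsed["infective_length"] is None:
            parsed["infective_length"] = int(p)
        else:
            group.append(p)
    if group:
        parsed["group"] = ".".join(group)
    return parsed


def canonical(parsed):
    """Rebuild the name in slide order: [platform.]family[.group][.length][.variant][@modifier]."""
    length = parsed["infective_length"]
    pieces = [parsed["platform"], parsed["family"], parsed["group"],
              None if length is None else str(length), parsed["variant"]]
    name = ".".join(p for p in pieces if p)
    return f"{name}@{parsed['modifier']}" if parsed["modifier"] else name


if __name__ == "__main__":
    for n in ("Cascade.1701.A", "Win32.Nimda.A@mm", "W95.CIH"):
        print(n, "->", parse_caro(n))
```

Vendors have long since diverged from the 1991 scheme, so in practice this parser is useful for normalising names before comparing detections across products, not as a source of truth about what the sample is.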

Page 22

MALWARE DEFENSES (1)

Detection: once the infection has occurred, determine that it has occurred and locate the virus

Identification: once detection has been achieved, identify the specific virus that has infected a program

Removal: once the specific virus has been identified, remove the virus from the infected program and restore it to its original state

Page 23

MALWARE DEFENSES (2)

First-generation scanner: virus signature (bit pattern); maintains a record of the length of programs

Second-generation scanner: looks for fragments of code (heuristic rules that ignore unnecessary code); checksum of files (integrity checking); virus-specific detection algorithms, e.g., deciphering (W95.Mad, XOR encryption); filtering
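The three techniques on this slide in miniature, as an added example that is not part of the original slides: a byte-pattern signature match, a length-plus-checksum record used for integrity checking, and the deciphering trick for a virus body hidden under a single-byte XOR key (as with W95.Mad), where the scanner tries all 256 keys before matching. The signature, the "clean" files and the "infected" files are constructed for the demo and are not real malware.

```python
"""First- and second-generation scanner techniques from the slides, in miniature.

Added example, not part of the original slides. It implements (1) signature
matching on a byte pattern, (2) a length-plus-hash record used for integrity
checking, and (3) the deciphering trick for a virus body hidden under a
single-byte XOR key: try all 256 keys and match the signature through each.
The signature, the 'clean' files and the 'infected' files are constructed for
the demo and are not real malware.
"""
import hashlib

# Constructed signature: the byte pattern a scanner would carve out of a sample.
SIGNATURES = {"Demo.Test": b"\x90\x90\xeb\x1f\xb8\x42\x00\x00\x00"}


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def scan_plain(data):
    """Generation 1: a plain substring match on each signature."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def scan_with_decipher(data):
    """Generation 2 deciphering: (sig XOR k) in data <=> sig in (data XOR k),
    so transform the short signature 256 times instead of the whole file.
    Returns (name, key) pairs; key 0 means the body was not encrypted."""
    hits = []
    for key in range(256):
        for name, sig in SIGNATURES.items():
            if xor_bytes(sig, key) in data:
                hits.append((name, key))
    return hits


def fingerprint(data):
    """The record a scanner keeps per program: its length and a checksum."""
    return {"length": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def build_baseline(files):
    return {path: fingerprint(data) for path, data in files.items()}


def check_integrity(baseline, files):
    """Return (path, reason) for every file whose length or hash changed."""
    changes = []
    for path, rec in baseline.items():
        data = files.get(path)
        if data is None:
            changes.append((path, "missing"))
            continue
        now = fingerprint(data)
        if now["length"] != rec["length"]:
            changes.append((path, f"length {rec['length']} -> {now['length']}"))
        elif now["sha256"] != rec["sha256"]:
            changes.append((path, "content changed, length unchanged"))
    return changes


# Constructed sample files. The 'virus body' is padding around the signature.
BODY = b"\xcc" * 4 + SIGNATURES["Demo.Test"] + b"\xc3"
CLEAN = {
    "calc.exe": b"MZ" + b"\x00" * 30 + b"original code",
    "editor.exe": b"MZ" + b"\x00" * 30 + b"original code",
    "config.ini": b"debug=0\n",
    "readme.txt": b"nothing to see here\n",
}
INFECTED = {
    "calc.exe": CLEAN["calc.exe"] + xor_bytes(BODY, 0x5A),  # appended, XOR-encrypted
    "editor.exe": CLEAN["editor.exe"] + BODY,               # appended in the clear
    "config.ini": b"debug=1\n",                             # same length, new hash
    "readme.txt": CLEAN["readme.txt"],
}

if __name__ == "__main__":
    baseline = build_baseline(CLEAN)
    for path, data in INFECTED.items():
        print(path, "plain:", scan_plain(data), "deciphered:", scan_with_decipher(data))
    print("integrity:", check_integrity(baseline, INFECTED))
```

Note what each technique misses: the plain scan sees nothing in the XOR-encrypted copy, the deciphering scan recovers it but only because the key space is 256 values, and the integrity check catches all three modified files yet cannot say which change is a virus and which is a legitimate edit, which is why the slide pairs it with signature matching rather than replacing it.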

Page 24

MALWARE DEFENSES (3)

Third-generation scanner: identifies a virus by its actions (behaviour) rather than by its bytes

Fourth-generation scanner: packages that include a variety of anti-virus techniques

Collection method: using honeypots

Page 25

MALWARE IN MOBILE PHONES

Mobile phones are computers with great connectivity: Internet, WLAN, Bluetooth, the regular phone network (SMS, MMS), RFID

Page 26

IN THE FUTURE...

New spreading methods, e.g., RFID

[Figure: a chain of RFID tags, each labelled "Infected!"]

Page 27

QUESTIONS?