
Page 1: Malware Fundamentals

POLITEHNICA University of Bucharest, 14th of January 2015

Ionuţ-Daniel BARBU

Page 2: Agenda

• Evolution
• Security implementations in Operating Systems
• Historical facts
• Malware types

Source of the information: Wikipedia.org

Page 3: Evolution

(Image; source: theusindependent.com)

Page 4: Operating Systems

Windows NT
• Designed for security, but not for the INTERNET

Windows 9x
• Offered the option of multiple profiles, but not of multiple users
• Partial memory protection
• No access privileges concept

Newer Versions
• XP: limited accounts
• Vista: User Account Control; the first user being administrator by default was removed
• 7: BitLocker Drive Encryption and biometrics; improved Windows Firewall, Microsoft Security Essentials & Windows Defender
• 8: new authentication methods

“Consumer versions of Windows were originally designed for ease-of-use on a single-user PC without a network connection, and did not have security features built in from the outset.” (Wikipedia)

Windows Patch Tuesday

Page 5: Malware

Malware… is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Regin
• Reversed in November 2014
• Samples date from 2003
• Customized spying
• Stealthy
• Steals information

Stuxnet
• Worm discovered in 2010
• Attacked industrial programmable logic controllers
• Ruined 20% of Iran’s nuclear centrifuges
• Causes harm
• Sabotage

CryptoLocker
• Ransomware Trojan
• Discovered by Dell SecureWorks
• Propagated via e-mail attachments or botnets
• Encrypts
• Money extortion - Bitcoin

Page 6: History

• 1949 – John von Neumann introduces the theory of self-replicating programs
• 1972 – Veith RISAK writes an article describing a fully functional virus for the SIEMENS 4004/35
• 1980 – Jürgen KRAUS: “computer programs can behave in a way similar to biological viruses”

Early Stages
• 1971 – Creeper virus – ARPANET – “I’m the creeper, catch me if you can!” The Reaper worm was designed to catch it – and it did!
• 1982 – ELK Cloner – first personal computer virus – displayed a poem
• 1992 – first Windows virus – WinVir

First Computer Viruses (image; source: ajovomultja.hu)

Page 7: Viruses

“the defining characteristic of viruses is that they are self-replicating computer programs which install themselves without the user's consent.”

When executed, it replicates by inserting copies of itself into other programs, etc.

When infected:
• Steals hard disk space or CPU time
• Accesses private information, corrupts data
• Keystroke logging

Motivation: seeking profit, message conveying, sabotage, denial of service

Methods: social engineering, security vulnerabilities

Replication techniques:
• Resident (after installation it remains in RAM) vs. non-resident (scans for targets, infects and exits)
• Macro virus (embedded in macro-containing documents)
• Boot sector

Anti-detection: viruses often use complex anti-detection/stealth strategies to evade antivirus software. They keep the same “last modification date” and file size, or try to kill detection tasks; other strategies are read-request interception, self-modification, encrypted viruses, and polymorphic vs. metamorphic code.

Anti-virus: open source, proprietary
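A defender's counterpart to the stealth strategy above: a file-integrity check that records size, modification time and a content hash, so that a file whose contents changed while its size and timestamp were preserved is still flagged. This is an added example, not code from the lecture; the file name and scenario in `demo()` are constructed.

```python
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return (size, mtime_ns, sha256 hex) for one file; the hash is the
    attribute a virus cannot keep unchanged while altering content."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return st.st_size, st.st_mtime_ns, h.hexdigest()


def compare(baseline, current):
    """Classify each baselined path as missing, modified, or 'stealthy_change'
    (content hash differs although size and mtime were preserved)."""
    findings = []
    for path, (size, mtime, digest) in baseline.items():
        if path not in current:
            findings.append((path, "missing"))
            continue
        n_size, n_mtime, n_digest = current[path]
        if n_digest == digest:
            continue  # unchanged
        if n_size == size and n_mtime == mtime:
            findings.append((path, "stealthy_change"))
        else:
            findings.append((path, "modified"))
    return findings


def demo():
    """Constructed scenario: overwrite a file in place with a same-length body
    and restore its timestamp, the stealth trick the slide describes."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "sample.bin")  # constructed sample, not malware
        with open(p, "wb") as f:
            f.write(b"A" * 64)
        baseline = {p: fingerprint(p)}
        st = os.stat(p)
        with open(p, "r+b") as f:
            f.write(b"B" * 64)  # same length, so size is unchanged
        os.utime(p, ns=(st.st_atime_ns, st.st_mtime_ns))  # put mtime back
        return [verdict for _, verdict in compare(baseline, {p: fingerprint(p)})]
```

A size-and-timestamp-only monitor would report nothing for the file in `demo()`; only the hash comparison exposes the change.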

Page 8: Worms

…standalone malware computer program that replicates itself in order to spread to other computers.

• Unlike a virus, it does not need to attach itself to an existing program.
• At least some harm is caused due to bandwidth consumption.
• The payload is usually designed to delete files, encrypt, or send documents via mail.
• Many of them are payload-free; however, even these cause major disruption: Morris Worm, 1988 (first worm distributed via the Internet, from MIT).
• Backdoors represent a known payload; they usually lead to zombie computers and further to botnets.

Protection: patching, firewall, packet filters, ACL

Page 9: Trojan Horse

…is a generally non-self-replicating type of malware program containing malicious code that carries out actions determined by its nature…

Zeus / Zbot
• Microsoft Windows OS
• Steals banking information
• Man-in-the-browser
• Keystroke logging
• Also distributes CryptoLocker

Effects: remote access hack, data theft or loss, system harm; can act as a backdoor

Interesting use: anonymizer proxy!

Beast 2.07 (image; source: megasecurity.org)

Protection: IPS, IDS, content filtering

Page 10: Others

Backdoor
• Method of bypassing normal authentication
• Basic example of a backdoor: default password

Rootkit
• Hides the existence of certain processes or programs
• Enables continued privileged access to a computer

Spyware & Adware
• Spyware aids in gathering information about a person or organization without their knowledge
• Adware automatically renders advertisements in order to generate revenue for its author

Page 11: Zero-Day

• Zero-day vulnerability & exploit
• Antivirus software signatures are not yet available
• Behavior signatures
• Sandbox

Page 12: Thank you!

“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”

Bruce Schneier