MALWARE
Tomas Kegel Sørensen, Esben B. Larsen, Christoph Froeschel, Magnus Koch
ITU Copenhagen 07.11.2008
AGENDA
• PART I: INTRODUCTION TO MALWARE
• PART II: MOBILE MALICIOUS CODE
• PART III: PURPOSE OF MALWARE
• PART IV: AVOIDING MALWARE
PART I: INTRODUCTION TO MALWARE
WHAT IS MALWARE?
• Malware is a contraction of malicious software
• Malware refers to various types of software that can cause problems, damage or disrupt a computer
• Installed without user knowledge or approval
DEFINITIONS OF COMMON ATTACKS
• Virus – a program that copies itself into other programs. Viruses infect host files associated with applications.
  – Typically, user interaction is required for propagation, such as running a program or opening a document file.
DEFINITION OF COMMON ATTACKS
• Worm – a program that copies itself over computer networks, infecting machines in remote locations.
  – Typically, no user interaction is required, as the worm spreads via vulnerabilities or misconfigurations in target systems.
  – Exponential growth
DEFINITIONS OF COMMON ATTACKS
• Warhead: penetrates the target
  – Browsers that surf infected web servers
  – Outlook e-mail
  – Windows file sharing
  – Backdoors from previous worms
• Propagation engine: moves the body to the destination
  – File-sharing services such as FTP, HTTP and SMB
  – Mail programs
• TSA (target selection algorithm): looks for new victims to attack
  – Received or sent e-mails
  – IP addresses similar to the victim's
• Scanning engine: fires warheads against the new victims
• Payload: what it does to the target
  – Nothing (called null-payload worms)
  – Opening up backdoors
  – Planting a zombie
  – Performing a mathematical operation
DEFINITIONS OF COMMON ATTACKS
• Trojan horse – a program that seems to do something useful or interesting, but actually runs malicious code behind the scenes.
  – E.g. screen savers
  – A common use is a "trap door" that gives the adversary discreet access to the machine at a future date.
DEFINITIONS OF COMMON ATTACKS
• Time bombs or logic bombs – programs that hibernate until a specified event happens or until a condition is true.
  – Effective when coupled to a virus
TAXONOMY OF MALWARE
• Malicious Programs
  – Need Host Program: Viruses, Logic Bombs, Trojan Horses
  – Independent: Worms
COMBINING MALWARE
• Worms and viruses are the transport mechanism for malicious code
• Trojan horses and time/logic bombs are the malicious code.
PART II: MALICIOUS MOBILE CODE
MALICIOUS MOBILE CODE
• Mobile code is a lightweight program that is downloaded from a remote system and executed locally with minimal or no user intervention
• Malicious mobile code is mobile code that makes your system do something that you do not want it to do.
MALICIOUS MOBILE CODE FOR A VARIETY OF NASTY ACTIVITIES
• Monitoring your browsing activities
• Obtaining unauthorized access to your file system
• Infecting your machine with a Trojan horse
• Hijacking your Web browser
MOBILE CODE EXAMPLES
- Browser Scripts
- ActiveX Controls
- Java Applets
- Mobile Code in E-mail Clients
BROWSER SCRIPTS
```html
<script type="text/javascript"> // (a) script begins
function do_something() {
  // Code for this function would go here.
}
</script> <!-- (b) script ends -->
```
• (a) Script begins
• (b) Script ends
ACTIVEX CONTROLS
• A software component based on Microsoft's ActiveX technology that is used to add interactivity and more functionality, such as animation or a popup menu, to a Web page. An ActiveX control can be written in any of a number of languages, including Java, C++ and Visual Basic.
• The first time a control is accepted it is downloaded to your computer and registered.
AUTHENTICATION THROUGH CODE SIGNING
JAVA APPLETS
• Java applets are relatively lightweight programs designed to be transmitted across the Internet
• Java Applet Security Model
  – The Java applet security model forces downloaded Java applets to run within a highly restrictive sandbox.
• Bugs in the implementation of the JRE have been exploited to let an untrusted applet escape from its sandbox.
  – A program called Brown Orifice
MOBILE CODE IN E-MAIL CLIENTS
• The majority of modern e-mail clients contain some form of Web browser functionality to display HTML.
• Turn off support for mobile code in your e-mail client if you don't use this functionality.
CONCLUSION
• Do not execute ActiveX controls, whether signed or not signed, unless you trust their author with access to your system.
• Do not execute signed Java applets unless you trust their author with access to your system.
• Remember that there is no such thing as "trust once," when it comes to ActiveX controls or Java applets, because a malicious program can grant itself perpetual trust once it has access.
• Disable support for mobile code that you do not require in your browser and e-mail software.
PART III: PURPOSE OF MALWARE
INCREASING MALWARE THREAT
CHANGE OF PERSPECTIVE I
• Hackers wanted to show they could (Morris Worm, 1988)
• Malware used to be destructive: the "I Love You" virus (2000) deleted files and forwarded itself to the contacts in Outlook
• Today malware is no longer destructive; it works silently on a PC
IT’S BUSINESS
• ”Sources of cybercrime will become increasingly organized and profit driven” (Gunter Ollmann, IBM)
• ”Hacker teams are highly professional, with strong focus on quality and the right marketing” (Torsten Holz, University of Mannheim)
BOTNETS FOR RENT
• Hacker groups rent out their botnets
• Reports suggest that botnets can be rented for $100/hour
• Pay-as-you-go scheme – cybercrime made easy!
RETURN ON INVESTMENT
• Crime syndicates blackmail gambling sites/online shops
• They demand up to 50.000$
• Stealing personal information (credit cards, bank accounts)
BEYOND TRADITIONAL CRIME I
• The Sony rootkit scandal: software installed automatically on PCs
  – Sony wanted improved copy protection …
  – … but introduced new security holes on computers running Windows
BEYOND TRADITIONAL CRIME II
• Remote Forensic Software
  – Governments install spyware on the computers of "suspected" persons
  – The FBI uses a tool called "Magic Lantern"
  – Key loggers are used to obtain sensitive information
  – Conflicts with legislation
FUTURE TRENDS
• Cybercrimes in virtual worlds
• Increase in botnets
• Mobile devices
• Virtual machine rootkit (Blue Pill)
SUM UP
• High risk
• Focus is on "business" – earning money is important
• Malware gets smarter and thus harder to detect
• Magnus will now talk about avoiding malware
PART IV: AVOIDING MALWARE
STRATEGY
1: User education & restricted user privileges.
2: Avoiding common software "packages".
3: Anti-virus software (locally and at network gateways).
1 USER EDUCATION
METHODS
• Educate users so they avoid making known mistakes.
• Restrict the privileges of user accounts (configuration hardening).
PROBLEMS
• Most users are not willing to spend time learning security.
• Even expert users are not immune to unexpected attacks (Bubble Boy).
BUBBLE BOY - 1999
1 USER EDUCATION
METHODS
• Educate users so they avoid making known mistakes.
• Restrict the privileges of user accounts (configuration hardening).
PROBLEMS
• Most users are not willing to spend time learning security.
• Even expert users are not immune to unexpected attacks.
2 AVOID COMMON SOFTWARE
EXAMPLES
• The "Microsoft Word" – "Outlook" combination.
• The "WordPress" CMS.
METHOD
• Avoid common software, or at least include less popular software somewhere in your workflow.
PROBLEMS
• What is common software?
• How can you be sure that security issues will be identified and addressed when using less common software?
3 ANTI-VIRUS SOFTWARE
METHOD
• Scan all incoming files for malware.
PROBLEMS
• New malware emerges.
• Malware authors camouflage already known threats.
• Scan locally or use Secure Web Gateways.
MALWARE SIGNATURES
• The fingerprints of malware (also called DAT files)
• Performance improvements
  – Fingerprints are matched to certain file types.
  – Depending on the file type, different areas are scanned.
3 ANTI-VIRUS SOFTWARE
METHOD
• Scan all incoming files for malware.
PROBLEMS
• New malware emerges.
• Malware authors camouflage already known threats.
NEW MALWARE
• Can actually be new malware, or camouflaged versions of old threats.
• Polymorphism (obfuscated code)
  – Changed variable names.
  – Changed order of the instructions in the malware program.
  – Encryption.
  – Metamorphism.
HOW TO IDENTIFY MALWARE WITH AN UNKNOWN SIGNATURE
• Generic signatures.
  – Often broken up and containing "wildcard areas".
  – Not good for totally new malware.
• Emulation.
• Heuristics.
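Added example, not from the slides: a toy scanner that contrasts an exact byte signature with a generic one (broken into fragments, with operand bytes wildcarded) against the polymorphic variants the previous slide lists (changed operands, reordered instructions) and against a brand-new sample, which the generic signature still misses. All byte strings are constructed pseudo-instruction streams, not real code.

```python
# Added example (not from the slides): exact vs. generic byte signatures.
# Every byte string below is a constructed pseudo-instruction stream, where
# the first byte of each triple is a stable "opcode" and the rest "operands".
from typing import Dict, List, Optional, Sequence

Pattern = Sequence[Optional[int]]  # an exact byte value, or None for '??'


def parse_fragment(text: str) -> List[Optional[int]]:
    """Parse 'B8 ?? ?? 0C' into a pattern; '??' marks a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def fragment_found(data: bytes, frag: Pattern) -> bool:
    """True if frag occurs at any offset, wildcards matching any byte."""
    for pos in range(len(data) - len(frag) + 1):
        if all(b is None or data[pos + i] == b for i, b in enumerate(frag)):
            return True
    return False


def signature_matches(data: bytes, fragments: Sequence[Pattern]) -> bool:
    """A broken-up signature fires when every fragment is present, in any
    order, so reordering the pieces of the program does not evade it."""
    return all(fragment_found(data, f) for f in fragments)


def scan(data: bytes, db: Dict[str, Sequence[Pattern]]) -> List[str]:
    """Names of all signatures in db that match data."""
    return [name for name, frags in db.items() if signature_matches(data, frags)]


ORIGINAL  = bytes.fromhex("0A 11 22  0B 33 44  0C 55 66  0D")
RENAMED   = bytes.fromhex("0A 11 22  0B 99 88  0C 55 66  0D")  # operands changed
REORDERED = bytes.fromhex("0C 55 66  0A 11 22  0B 33 44  0D")  # same pieces, new order
BRAND_NEW = bytes.fromhex("1A 11 22  1B 33 44  1C 55 66  1D")  # different "opcodes"
CLEAN     = bytes.fromhex("00 01 02  03 04 05  06 07 08  09")

SIGNATURE_DB: Dict[str, Sequence[Pattern]] = {
    # exact: one contiguous fragment copied straight from ORIGINAL
    "exact": [parse_fragment("0A 11 22 0B 33 44 0C 55 66 0D")],
    # generic: broken into fragments, operand bytes wildcarded. Each extra
    # wildcard widens what matches, so false positives rise with generality.
    "generic": [parse_fragment("0A ?? ??"), parse_fragment("0B ?? ??"),
                parse_fragment("0C ?? ??")],
}


def demo() -> Dict[str, List[str]]:
    """Which signatures fire on each sample (returned, not just printed)."""
    samples = {"original": ORIGINAL, "renamed": RENAMED, "reordered": REORDERED,
               "brand_new": BRAND_NEW, "clean": CLEAN}
    return {name: scan(data, SIGNATURE_DB) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:10s} -> {hits or 'no match'}")
```

The exact signature catches only the original; the generic one also catches the renamed and reordered variants but not the brand-new sample, which is the limitation the slide points at.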
HEURISTICS
• Establish a database of typical malware traits.
  – Attempts to access the boot sector.
  – Attempts to locate all documents in the current directory.
  – Attempts to write to an EXE file.
  – Attempts to delete hard drive contents.
CURRENT THREAT PATTERNS
• Classic & server-side polymorphism
• 10.000+ new strains per day.
• Each victim potentially attacked by a different strain.
• Today a signature protects < 20 users; earlier > 100.000.
• Blacklisting strategy increasingly ineffective.
SOLUTIONS (ACCORDING TO SYMANTEC)
• Whitelisting: signatures for non-malware.
• Reputation-based approach.
THE END