www.telkomuniversity.ac.id
MALICIOUS SOFTWARE (MALWARE)
Instructor : Team
Course : TTH3K3 - Network Security
As Taught In : 2nd semester 2017-2018
Level : Undergraduate
CLO : 1
Week : 2
Sub-Topic : Malicious Software
Outline
• Malware: What is it?
• Propagation: Viruses
• Propagation: Worms
• Propagation: Trojans, social engineering
• Payload: Bots & spyware
• Distributed Denial of Service
Analogies: The Human Body
• Humans infected with virus and bacteria
• Virus replicates itself and spreads throughout the body
• Attacks vital organs
• Doctor conducts tests and detects the problem
• Medicine is given to slow the progress of the disease
• Patient’s condition may improve or the patient may die
Viruses and Other Malicious Content
• Computer viruses have received a lot of publicity
• One of a family of malicious software
• Effects are usually obvious
• Have figured in news reports, fiction, movies (often exaggerated)
• Get more attention than they deserve
• Are a concern, though
Malicious Software
What is Malware?
• It is a piece of software that is malicious and carries out harmful actions
• It infects a vulnerable and neglected machine
• It attacks the various components of the machine: the operating system (vital organs), applications (limbs) and hardware (bones)
• It spreads across a network of machines
• It cripples the machines and the network
• It conveys vital information to the enemy, the hacker
• It takes over the network and carries out its agenda
Malcode
• Malicious programs which spread from machine to machine without the consent of the owners/operators/users
– Windows Automatic Update is (effectively) consensual
• Many strains possible
– Viruses
– Worms
– Compromised auto-updates
• No user action required, very dangerous
Trapdoors (Back doors)
• Secret entry point into a program
• Allows those who know of it to gain access, bypassing the usual security procedures, e.g., authentication
• Have been commonly used by developers
• A threat when left in production programs, where attackers can exploit them
• Very hard to block at the OS level
• Requires good software development and update practices
Logic Bomb
• One of the oldest types of malicious software
• Code embedded in a legitimate program
• Activated when specified conditions are met
– E.g., presence/absence of some file
– Particular date/time
– Particular user
– Particular series of keystrokes
• When triggered, typically damages the system
– Modify/delete files/disks
Trojan Horse
• Programs that appear to have one function but actually perform another.
• Modern Trojan Horse: resembles a program that the user wishes to run, usually superficially attractive
– E.g., a game, a software upgrade, etc.
• When run, performs some additional tasks
– Allows the attacker to indirectly gain access they do not have directly
• Often used to propagate a virus/worm or install a backdoor
• Or simply to destroy data
Zombie
• Program which secretly takes over another networked computer
• Then uses it to indirectly launch attacks
• Often used to launch distributed denial of service (DDoS) attacks
• Exploits known flaws in network systems
Malware Terminology
Types of Malicious Software
Malware Statistics
PROPAGATION: Virus
Viruses
• Definition from RFC 1135: A virus is a piece of code that inserts itself into a host, including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it.
• On execution
– Search for valid target files
• Usually executable files
• Often only infect uninfected files
– Insert a copy into targeted files
• When the target is executed, the virus starts running
• Only spread when contaminated files are moved from machine to machine
• Mature defenses available
Virus Operation
• Virus phases:
– Propagation: replicating to programs/disks
– Dormant: waiting on a trigger event
– Triggering: by an event, to execute the payload
– Execution: of the payload
• Details usually machine/OS specific
– Exploiting features/weaknesses
Anatomy of a Virus
• Two primary components
– Propagation mechanism
– Payload
• Propagation
– Method by which the virus spreads itself.
– Old days: single PC, transferred to other hosts by way of floppy diskettes.
– Nowadays: the Internet.
Virus Structure
What does it look like?
Example: Melissa Virus March 26, 1999
Compression Virus
• When the program is invoked, control passes to the virus, which performs the following steps:
– For each uninfected file P2 that is found, the virus first compresses the file to produce P2'
– A copy of the virus is inserted into the compressed program
– The compressed version of the original program, P1', is then decompressed
– The uncompressed original program is executed
Virus Infectables: Macros
• Usually executable files: .com, .exe, .bat
• Macro code attached to some data file
• Interpreted by the program using the file
– E.g., Word/Excel macros
– Especially using auto-command and command macros
• Code is now platform independent
• Is a major source of new viral infections
• Blurs the distinction between data and program files
• Classic trade-off: "ease of use" vs "security"
• Security in Word, etc., has improved
• Macros are no longer the dominant virus threat
Virus Classification
Variable Viruses
• Polymorphic viruses: change with each infection
– Executable virus code changes (macros: variable names, line spacing, etc.)
– Control-flow permutations (rearrange code with gotos)
– Attempt to defeat scanners
• Virus-writing toolkits have been created to "simplify" the creation of new viruses
– Current toolkits create viruses that can be detected easily with existing scanner technology
– But it is just a matter of time …
Virus Detection/Evasion
• Detection techniques:
– Look for changes in size
– Check the time stamp on the file
– Look for bad behaviour (false-alarm prone)
– Look for patterns (byte streams) in virus code that are unique
– Look for changes in the file checksum
• Evasion techniques:
– Compression of virus and target code
– Modify the time stamp back to the original
– Do the bad thing insidiously
– Change patterns: polymorphism
– Rearrange data in the file
– Disable anti-virus programs
More on Virus Detection
• Scanning
– Depend on prior knowledge of a virus
– Check programs before execution
– Need to be regularly updated
• Integrity Checking
– Read entire disk and record integrity data that acts as a signature for the files and system sectors
– Use cryptographic computation technique instead of simple checksum
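The slide's point about integrity checking is that a simple checksum is not a signature: a modification that keeps the byte sum (or the file size) unchanged goes unnoticed, while a cryptographic digest catches it. The script below is an added illustration, not code from the lecture or its references. It records a baseline (size, SHA-256, and a weak 16-bit additive checksum for contrast) over a constructed in-memory set of files, then tampers with one file by swapping two bytes and shows which scheme flags the change; `baseline_from_directory` is an assumed helper that applies the same baseline to a real directory tree.

```python
import hashlib
import os

# Constructed sample "disk image": path -> file bytes. These are made-up files
# for the demonstration, not data from the lecture.
SAMPLE_FILES = {
    "bin/editor.exe": b"MZ\x90\x00editor-original-code",
    "bin/game.exe": b"MZ\x90\x00game-original-code",
    "docs/readme.txt": b"plain data file",
}


def simple_checksum(data: bytes) -> int:
    """Weak additive checksum (sum of bytes mod 2^16), shown only for contrast."""
    return sum(data) % 65536


def strong_digest(data: bytes) -> str:
    """Cryptographic digest: any change to the bytes changes the value."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """Record integrity data (size, SHA-256, weak checksum) for every file."""
    return {
        path: {"size": len(data), "sha256": strong_digest(data), "sum16": simple_checksum(data)}
        for path, data in files.items()
    }


def baseline_from_directory(root: str) -> dict:
    """Same as build_baseline, but walking a real directory tree on disk (assumed helper)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return build_baseline(files)


def check_integrity(files: dict, baseline: dict):
    """Compare current files against the baseline.

    Returns (changed_by_hash, changed_by_checksum): the paths flagged by the
    cryptographic digest and by the weak checksum respectively. Files absent
    from the baseline are flagged by both.
    """
    by_hash, by_sum = [], []
    for path, data in files.items():
        rec = baseline.get(path)
        if rec is None:
            by_hash.append(path)
            by_sum.append(path)
            continue
        if strong_digest(data) != rec["sha256"]:
            by_hash.append(path)
        if simple_checksum(data) != rec["sum16"]:
            by_sum.append(path)
    return sorted(by_hash), sorted(by_sum)


def demo():
    """Tamper with one file in a way that keeps its size and additive checksum unchanged."""
    baseline = build_baseline(SAMPLE_FILES)
    tampered = dict(SAMPLE_FILES)
    buf = bytearray(SAMPLE_FILES["bin/game.exe"])
    buf[4], buf[5] = buf[5], buf[4]  # swap two bytes: same length, same byte sum
    tampered["bin/game.exe"] = bytes(buf)
    return check_integrity(tampered, baseline)


if __name__ == "__main__":
    by_hash, by_sum = demo()
    print("flagged by SHA-256:", by_hash)   # ['bin/game.exe']
    print("flagged by checksum:", by_sum)   # []
```

The baseline must itself be stored where the malware cannot rewrite it (read-only media or a separate host), otherwise an infector that updates the recorded digests defeats the check just as easily as it resets a time stamp.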
More on Virus Detection
• Interception
– Monitoring for system-level routines that perform destructive acts
– Good for detecting logic bomb and Trojan horse as well
– Cannot depend entirely upon behavior monitors as they are easily bypassed.
• Combination of all three techniques can detect most viruses
The Virus-Antivirus Arms Race
• Malware (e.g., viruses)
– Rogue programs that carry out malicious actions on victim machines
• Vandalism (delete files, carry out phishing scams, etc.)
• Reconnaissance and secret exfiltration (cyber-warfare / hacktivism)
• Sabotage (e.g., attacks against power grids)
– Randomly mutate themselves automatically as they propagate
• Harder to detect since no two samples look identical
• Antivirus defenses
– Defenders manually reverse-engineer many malware samples
– Find mutation patterns
– Build defenses to automatically detect and quarantine all mutants
Incidents Reported 1990-2001
[Chart: Incidents Reported to Computer Emergency Response Team/Coordination Center (CERT/CC); years 1990-2001 on the x-axis, incident counts from 0 to 60,000 on the y-axis]
Everything changed with the Code Red attack in 2001
Data Mining Solutions
Data Mining (also called Knowledge Discovery in Databases, Knowledge Extraction, or Data Pattern Processing): the process of discovering meaningful new correlations, patterns, trends and nuggets by sifting through large amounts of attack data, often previously unknown, using pattern recognition technologies and machine learning, statistical and mathematical techniques.
Frankenstein Press Coverage
• Presented at the USENIX Workshop on Offensive Technologies (WOOT) in mid-August 2012
• Thousands of news stories in August/September
– The Economist, New Scientist, NBC News, Wired UK, The Verge, Huffington Post, Live Science, …
That’s not all: Attacks on Critical Infrastructures
Attacks and threats:
• Maroochy Shire 2000
• Stuxnet 2010
• HVAC 2012
• Smart Meters 2012
• Obama administration demonstrates an attack on the power grid in Feb. 2012
• DHS and INL study the impact of cyber-attacks on a generator
Behavior-Blocking Software
Where do we go from here: Holistic Treatment
Three actors interacting with each other:
• The Doctor
– The Defender/Analyst
• The Patient
– The User /Soldier
• The Virus/Bacteria
– The Malware/Attacker
Together, we could propose an interdisciplinary approach.
PROPAGATION: Worm
Worms
• Autonomous, active code that can replicate to remote hosts without any triggering
– Replicating but not infecting program
• Because they propagate autonomously, they can spread much more quickly than viruses!
• Speed and general lack of user interaction make them the most significant threats
Worms
• Replicating program that propagates over the network
– Using email, remote execution, remote login
• Has phases like a virus:
– Dormant, propagation, triggering, execution
– Propagation phase: searches for other systems, connects to them, copies itself to them and runs
• May disguise itself as a system process
• Concept seen in Brunner’s “Shockwave Rider”
• Implemented by Xerox Palo Alto labs in the 1980s
Worm Overview
[Diagram: Attacker → Target Discovery → Carrier → Activation → Payload]
Target Discovery
• Brute-force port scanning
– Sequential: working through an address block
– Random
• Target lists
– Externally generated through metaservers
– Internal target list
• Passive worms
External Target Lists: Metaserver Worms
• Many systems use a "metaserver", a server for information about other servers
– Games: used as a matchmaker for local servers
– Google: query Google to find web servers
– Windows Active Directory: maintains the "Network Neighborhood"
• A worm can leverage these services
– Construct a query to find new targets
– Each new victim also constructs queries
• Creates a divide-and-conquer infection strategy
• Original strategy, not yet seen
[Diagram: a metaserver pointing to many servers]
How Fast Are Metaserver Worms?
• Game metaserver: used to attack a small population (e.g., all Half-Life servers)
– ~1 minute to infect all targets
• Google: used to enhance a scanning web worm
– Each worm conducts initial queries to find URLs
[Chart: Percent Infected (0-100%) versus Time (Hours, 0-6); two curves, "No Acceleration" and "Metaserver Acceleration"]
Worm Propagation Model
Internal Target Lists: Topological Information
• Look for local information to find new targets
– URLs on disk and in caches
– Mail addresses
– .ssh/known_hosts
• Ubiquitous in mail worms
– More recent mail worms are more aggressive at finding new addresses
• Basis of the Morris worm (1988)
– Address space was too sparse for scanning to work
How Fast are Topological Worms?
• Depends on the topology G = (V, E)
– Vulnerable machines are vertices, edges are local information
– Time to infect is a function of the shortest paths from the initial point of infection
• Power law or similar graph (KaZaA)
– Depends greatly on the parameters, but generally very, VERY fast
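The claim above (infection time is governed by shortest paths in G = (V, E), and power-law topologies saturate in very few rounds) can be checked with a small propagation model. The script below is an added example, not code from the lecture or its references: it builds two constructed topologies of 100 hosts, a ring (each host knows only two neighbours) and a Barabasi-Albert style preferential-attachment graph as a stand-in for a power-law network, runs a breadth-first search from the initial victim so that a host's infection round equals its hop distance, and reports the cumulative infected fraction per round. The graph generators, the vertex count and the seed are assumptions for the demonstration.

```python
import random
from collections import deque


def ring_graph(n: int) -> dict:
    """Constructed topology: each host knows only its two ring neighbours."""
    return {i: {(i - 1) % n, (i + 1) % n} for i in range(n)}


def preferential_attachment_graph(n: int, m: int, seed: int = 1) -> dict:
    """Constructed power-law-like topology (Barabasi-Albert style growth).

    Each new vertex links to m existing vertices chosen with probability
    proportional to their degree, producing a few highly connected hubs.
    """
    rng = random.Random(seed)
    graph = {i: set() for i in range(n)}
    targets = list(range(m))   # the first new vertex links to all initial vertices
    degree_pool = []           # each vertex appears once per incident edge
    for new in range(m, n):
        for t in targets:
            graph[new].add(t)
            graph[t].add(new)
        degree_pool.extend(targets)
        degree_pool.extend([new] * m)
        chosen = set()
        while len(chosen) < m:
            chosen.add(rng.choice(degree_pool))
        targets = list(chosen)
    return graph


def infection_times(graph: dict, start) -> dict:
    """BFS from the initial victim: a host's infection round is its shortest-path hop count."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        u = queue.popleft()
        for v in graph[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def infected_fraction_by_round(graph: dict, start) -> list:
    """Cumulative fraction of all hosts infected after round 0, 1, 2, ..."""
    dist = infection_times(graph, start)
    n = len(graph)
    rounds = max(dist.values())
    return [sum(1 for d in dist.values() if d <= t) / n for t in range(rounds + 1)]


def rounds_to_saturate(graph: dict, start) -> int:
    """Number of propagation rounds until every reachable host is infected."""
    return len(infected_fraction_by_round(graph, start)) - 1


if __name__ == "__main__":
    n = 100
    print("ring of 100 hosts:", rounds_to_saturate(ring_graph(n), 0), "rounds")
    print("power-law graph of 100 hosts:",
          rounds_to_saturate(preferential_attachment_graph(n, 2), 0), "rounds")
```

On the ring the worm needs n/2 rounds because the initial victim's local information reaches only two hosts; on the hub-dominated graph the same number of hosts is covered in a handful of rounds, which is why topological worms on address-book or peer-to-peer graphs leave so little time for a reactive response.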
Activation
Activation
• Human activation
– Needs social engineering, especially for email worms
• Melissa: “Attached is an important message for you!”
• Iloveyou: “Open this message to see who loves you!”
• Human activity-based activation
– E.g., logging in, rebooting (Nimda’s secondary propagation)
• Scheduled process activation
– E.g., updates, backups, etc.
• Self activation, the most common
– E.g., Code Red exploited IIS web servers
Payload
Payloads
• None/nonfunctional
– Most common
– Still can have significant effects through traffic and machine load (e.g., Morris worm)
• Internet Remote Control
– Code Red II opened a backdoor on victim machines: anyone with a web browser can execute arbitrary code
• Internet Denial of Service (DoS)
– E.g., Code Red, Yaha
• Data Collection
• Data Damage: Klez
• Worm maintenance
Attacker
• Experimental Curiosity, e.g., I Love You worm
• Pride and Power
• Commercial Advantage
• Extortion and Criminal Gain
• Terrorism
• Cyber Warfare
Worm Attacks
Worm Technology
Mobile Phone Worms
Worm Countermeasures
Digital Immune System
Proactive Worm Containment
Worm Monitoring Architecture
PROPAGATION: Trojan
Spyware/Adware
• Hidden but not self-replicating
• Tracks web activity for marketing, shows popup ads, etc.
• Usually written by businesses: Legal gray area
Effects of Spyware
Trojan Horse
Trojan Horse: Utility Programs
Trojan Horse: Installation Tricks
Browser Hijack
• An extremely nasty kind of adware
• Resets homepage to a particular site
– Ads, porn – something you don’t want
– Any change you make doesn’t affect it
• Software running on your machine
– Does the usual adware/spyware stuff
– Also changes your browser settings
– Runs when system starts – changes the settings back
Spyware is a Common Problem!
• Recall earlier study of users:
80% had spyware on their PCs
• (What about you?)
Solutions
• Anti-spyware software
– Scans your system, removes problems
– Some have real-time protection, most don’t.
• Important (again): run “update” on these to get most recent spyware definitions
• Another option: Security Suites ($60-$70)
– Include antivirus, maybe anti-spyware software
– Also includes a firewall (explained later)
– May include spam filtering, parental control
Distributed Denial of Service
(detailed discussion next week)
Denial-of-Service
• Denial of service (DoS): an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space
• Attacks overload services, or send them invalid requests, so that they consume significant resources:
– network bandwidth
– system resources
– application resources
• Have been an issue for some time (25% of respondents to an FBI survey)
Classic DoS Attacks
• Flooding ping command
– The aim of this attack is to overwhelm the capacity of the network connection to the target organization
– Traffic can be handled by higher-capacity links on the path, but packets are discarded as capacity decreases
• The source of the attack is clearly identified unless a spoofed address is used
• Network performance is noticeably affected
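From the defender's side, the two observations above (the source is obvious unless spoofed; performance degrades) translate into two different rate checks on inbound ICMP. The detector below is an added example, not code from the lecture or its references. It parses a constructed, tcpdump-like packet log (the format, the addresses from documentation ranges, and the thresholds of 20 packets/s per source and 30 packets/s in aggregate are all assumptions) and raises a per-source alert for an unspoofed flood, plus an aggregate alert for the case where the total rate is abnormal but no single source stands out, which is what a spoofed or distributed flood looks like.

```python
import re
from collections import defaultdict

# Simplified packet-log format (constructed for this example, tcpdump-like):
#   <seconds.millis> <src> > <dst>: ICMP echo request
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d{3}) (?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<proto>[A-Z]+)"
)


def build_sample_log() -> list:
    """Constructed traffic: a little benign ping, then two flood patterns."""
    lines = []
    # Benign: three echo requests spread over one second from one monitoring host.
    for i in range(3):
        lines.append(f"100.{i * 300:03d} 192.0.2.10 > 198.51.100.5: ICMP echo request")
    # Flood from a single, unspoofed source: 50 packets within one second.
    for i in range(50):
        lines.append(f"101.{i * 20:03d} 203.0.113.9 > 198.51.100.5: ICMP echo request")
    # Flood with spoofed sources: 40 packets within one second, every source different.
    for i in range(40):
        lines.append(f"102.{i * 25:03d} 203.0.113.{100 + i} > 198.51.100.5: ICMP echo request")
    return lines


def parse_line(line: str):
    """Return (timestamp, src, dst, proto) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return float(m["ts"]), m["src"], m["dst"], m["proto"]


def detect_icmp_floods(lines, target: str, per_source_limit: int = 20, aggregate_limit: int = 30):
    """Flag one-second windows in which ICMP toward `target` exceeds the limits.

    Two checks, because a spoofed flood never trips a per-source threshold:
      - per-source: one address sends more than per_source_limit packets/s
      - aggregate: total inbound ICMP exceeds aggregate_limit packets/s while
        no single source stands out (many forged or distributed senders)
    """
    per_src = defaultdict(lambda: defaultdict(int))  # second -> src -> count
    total = defaultdict(int)                         # second -> count
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, proto = rec
        if dst != target or proto != "ICMP":
            continue
        sec = int(ts)
        per_src[sec][src] += 1
        total[sec] += 1

    alerts = []
    for sec in sorted(total):
        loudest = max(per_src[sec].values())
        for src, count in sorted(per_src[sec].items()):
            if count > per_source_limit:
                alerts.append(("single-source-flood", sec, src, count))
        if total[sec] > aggregate_limit and loudest <= per_source_limit:
            alerts.append(("spoofed-or-distributed-flood", sec, None, total[sec]))
    return alerts


if __name__ == "__main__":
    for alert in detect_icmp_floods(build_sample_log(), "198.51.100.5"):
        print(alert)
```

The per-source alert names an address that can be blocked upstream; the aggregate alert cannot, which is the practical reason the slide singles out spoofing: the response has to move from filtering a sender to rate-limiting the protocol or asking the upstream provider to filter.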
Exercise
• Passwords as an application-layer authentication safeguard
– If a password is 3 characters long and consists of uppercase alphabetic letters, how long does it take to break a particular password by brute force, assuming that testing one password takes 8 seconds?
– If the boundary between the “insecure” and “secure” conditions is x units of time, what should the value of y (the password length) be? State and explain the justification for your assumptions, taking into account the character set from which the password is formed and the time needed to test a single password! Hint: the character set may consist of uppercase letters, lowercase letters, digits, and punctuation.
Exercise
• The Internet is, slowly, transitioning from the version of the TCP/IP protocol suite currently in use, IPv4, to a new version, IPv6. Unlike IPv4 IP addresses, which are 32 bits long (e.g., 192.168.10.1), IPv6 IP addresses are 128 bits long (e.g., 2001:1890:1112:0001:0000:0000:0000:0020).
• a. Consider random-scanning Internet worms. These worms spread by choosing a random IP address, connecting to any host answering to that address, and attempting to infect it. Is the random-scanning strategy feasible if the Internet switches from IPv4 to IPv6? Why or why not?
• b. On the IPv6 Internet, try to give three different ways that a worm, executing on a compromised computer, can discover IP addresses of other hosts to try to infect.
References
• B. Thuraisingham, “Reactively Adaptive Malware”, University of Texas, 2013
• H. Saiedian, “Denial-of-Service Attacks”, University of Kansas, 2014
• Y. Chen, “Information Security & Assurance: Malcode”, Northwestern University, 2016
THANK YOU ! QUESTIONS ?