perangkat lunak berbahaya (malware malicious software) · •one of oldest types of malicious...

www.telkomuniversity.ac.id

PERANGKAT LUNAK BERBAHAYA (MALWARE – MALICIOUS SOFTWARE)

Instructor : Team

Course : TTH3K3 - Network Security

As Taught In : 2nd semester 2017-2018

Level : Undergraduate

CLO : 1

Week : 2

Sub-Topic : Malicious Software

http://www.telkomuniversity.ac.id/






Outline

• Malware: What is it?

• Propagation: Viruses

• Propagation: Worms

• Propagation: Trojans, social engineering

• Payload: Bots & spyware

• Distributed Denial of Service







Analogies: The Human Body

• Humans infected with virus and bacteria

• Virus replicates itself and spreads throughout the body

• Attacks vital organs

• Doctor conducts tests and detects the problem

• Medicine is given to slow the progress of the disease

• Patient’s condition may improve or the patient may die







Viruses and Other Malicious Content

computer viruses have got a lot of publicity

one of a family of malicious software

effects usually obvious

have figured in news reports, fiction, movies (often exaggerated)

getting more attention than deserve

are a concern though







Malicious Software







What is a Malware?

• It’s a piece of software that is malicious and carries out bad things

• It infects a vulnerable and neglected machine

• It attacks the various components of the machine– the operating system (vital organs), applications (limbs) and hardware (bone)

• It spreads across a network of machines

• It cripples the machines and the network

• It conveys vital information to the enemy – the hacker

• It takes over the network and carries out its agenda

Victim Network







Malcode

• Malicious programs which spread from machine to machine without the consent of the owners/operators/users – Windows Automatic Update is (effectively) consensual

• Many strains possible – Viruses

– Worms

– Compromised Auto-updates

• No user action required, very dangerous







Trapdoors (Back doors)

• Secret entry point into a program

• Allows those who know access bypassing usual security procedures, e.g., authentications

• Have been commonly used by developers

• A threat when left in production programs allowing exploited by attackers

• Very hard to block in O/S

• Requires good s/w development & update







Logic Bomb

• One of oldest types of malicious software

• Code embedded in legitimate program

• Activated when specified conditions met

– E.g., presence/absence of some file

– Particular date/time

– Particular user

– Particular series of keystrokes

• When triggered typically damage system

– Modify/delete files/disks







Trojan Horse

• Programs that appear to have one function but actually perform another.

• Modern Trojan Horse: resemble a program that the user wishes to run - usually superficially attractive – E.g., game, s/w upgrade etc

• When run performs some additional tasks – Allows attacker to indirectly gain access they do

not have directly

• Often used to propagate a virus/worm or install a backdoor

• Or simply to destroy data







Zombie

• Program which secretly takes over another networked computer

• Then uses it to indirectly launch attacks

• Often used to launch distributed denial of service (DDoS) attacks

• Exploits known flaws in network systems







Terminologi Malware







Jenis Perangkat Lunak Malicious







Malware Statistics







PROPAGATION: Virus







Viruses

• Definition from RFC 1135: A virus is a piece of code that inserts itself into a host, including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it.

• On execution

– Search for valid target files

• Usually executable files

• Often only infect uninfected files

– Insert a copy into targeted files

• When the target is executed, the virus starts running

• Only spread when contaminated files are moved from machine to machine

• Mature defenses available







Virus Operation

• virus phases:

– propagation – replicating to programs/disks

– dormant – waiting on trigger event

– triggering – by event to execute payload

– execution – of payload

• details usually machine/OS specific

– exploiting features/weaknesses







Anatomy of a Virus

• Two primary components

– Propagation mechanism

– Payload

• Propagation

– Method by which the virus spreads itself.

– Old days: single PC, transferred to other hosts by ways of floppy diskettes.

– Nowadays: Internet.







Struktur Virus







What does it look like?

Example: Melissa Virus March 26, 1999







Virus Kompresi

• Ketika program dipanggil, pengendalian dialihkan ke virus yang melakukan langkah-langkah berikut:

– Untuk setiap file tak terinfeksi P2 yang ditemukan, virus mula-mula melakukan kompresi file untuk menghasilkan P2’

– Salinan virus dimasukkan ke program terkompres

– Versi terkompres dari program asli, P1’, kemudian didekompres

– Program asli tanpa kompresi dieksekusi







Virus Kompresi







Virus Infectables -- Macros

• Usually executable files: .com, .exe, .bat

• Macro code attached to some data file

• Interpreted by program using file

– E.g., Word/Excel macros

– Especially using auto command & command macros

• Code is now platform independent

• Is a major source of new viral infections

• Blur distinction between data and program files

• Classic trade-off: "ease of use" vs "security”

• Have improving security in Word etc

• Are no longer dominant virus threat







Klasifikasi Virus







Variable Viruses

• Polymorphic viruses – Change with each infection

• Executables virus code changing (macros: var name, line spacing, etc.)

• Control flow permutations (rearrange code with goto’s)

– Attempt to defeat scanners

• Virus writing tool kits have been created to "simplify" creation of new viruses – Current tool kits create viruses that can be detected easily

with existing scanner technology

– But just a matter of time …







Virus Detection/Evasion

• Look for changes in size

• Check time stamp on file

• Look for bad behavior – False alarm prone

• Look for patterns (byte streams) in virus code that are unique

• Look for changes in file checksum

• Compression of virus and target code

• Modify time stamp to original

• Do bad thing insidiously

• Change patterns – polymorphism

• Rearrange data in the file

• Disable anti-virus programs







More on Virus Detection

• Scanning

– Depend on prior knowledge of a virus

– Check programs before execution

– Need to be regularly updated

• Integrity Checking

– Read entire disk and record integrity data that acts as a signature for the files and system sectors

– Use cryptographic computation technique instead of simple checksum







More on Virus Detection

• Interception

– Monitoring for system-level routines that perform destructive acts

– Good for detecting logic bomb and Trojan horse as well

– Cannot depend entirely upon behavior monitors as they are easily bypassed.

• Combination of all three techniques can detect most viruses







The Virus-Antivirus Arms Race

FEARLESS engineering

• Malware (e.g., viruses)

– Rogue programs that carry out malicious actions on victim

machines

• Vandalism (delete files, carry out phishing scams, etc.)

• reconnaissance & secret exfiltration (cyber-warfare /

hacktivism)

• Sabotage (e.g., attacks against power grids)

– Randomly mutate themselves automatically as they propagate

• Harder to detect since no two samples look identical

• Antivirus defenses

– Defenders manually reverse-engineer many malware samples

– Find mutation patterns

– Build defenses to automatically detect & quarantine all mutants







Incidents Reported 1990-2001

Incidents Reported to Computer Emergency

Response Team/Coordination Center (CERT/CC)

0

10000

20000

30000

40000

50000

60000

90 91 92 93 94 95 96 97 98 99 00 01

Everything changed with Code Red attack in 2001







Data Mining Solutions

Data Mining

Knowledge Discovery

in Databases

Knowledge Extraction

Data Pattern Processing

The process of discovering meaningful new correlations,

patterns, trends and nuggets by sifting through large

amounts of attack data, often previously unknown, using

pattern recognition technologies and machine learning

statistical and mathematical techniques.








Frankenstein Press Coverage

• Presented at USENIX Offensive Technologies (WOOT) mid-August 2012 • Thousands of news stories in August/September

– The Economist, New Scientist, NBC News, Wired UK, The Verge, Huffington Post, Live Science, …








That’s not all – Attacks to Critical Infrastructures

Attacks

Maroochy Shire 2000

Threats

HVAC 2012

Stuxnet 2010

Smart Meters 2012

Obama administration

demonstrates attack to

power grid in Feb. 2012

DHS and INL study impact of

cyber-attacks on generator








Behavior-Blocking Software







Where do we go from here: Holistic Treatment

Three actors interacting with each other:

• The Doctor

– The Defender/Analyst

• The Patient

– The User /Soldier

• The Virus/Bacteria

– The Malware/Attacker

Together, we could propose an Interdisciplinary approach.







PROPAGATION: Worm







Worms

• Autonomous, active code that can replicate to remote hosts without any triggering

– Replicating but not infecting program

• Because they propagate autonomously, they can spread much more quickly than viruses!

• Speed and general lack of user interaction make them the most significant threats







Worms

• replicating program that propagates over net

– using email, remote exec, remote login

• has phases like a virus:

– dormant, propagation, triggering, execution

– propagation phase: searches for other systems, connects to it, copies self to it and runs

• may disguise itself as a system process

• concept seen in Brunner’s “Shockwave Rider”

• implemented by Xerox Palo Alto labs in 1980’s







+

Attacker Target

Discovery

Carrier

Activation

Payload

Worm Overview







Target

Discovery

• Brute Force Port Scanning

• Sequential: working through an address block

• Random

•Target Lists

• Externally generated through Meta servers

• Internal target list

• Passive worms







External Target Lists: Metaserver Worms

• Many systems use a "metaserver", a server for information about other servers

– Games: Use as a matchmaker for local servers

– Google: Query google to find web servers

– Windows Active Directory: Maintains the "Network Neighborhood"

• Worm can leverage these services

– Construct a query to find new targets

– Each new victim also constructs queries

• Creates a divide-and-conquer infection strategy

• Original strategy, not yet seen

Metaserver

Server

Server

Server

Server

Server

Server

Server

Server







How Fast Are Metaserver Worms?

• Game Metaserver: Used to attack a small population (eg, all Half-Life servers) – ~1 minute to infect all targets

• Google: Used to enhance a scanning web worm – Each worm conducts initial queries to find URLs

0%

20%

40%

60%

80%

100%

0 1 2 3 4 5 6

Time (Hours)

Perc

en

t In

fecte

d

No Acceleration

Metaserver Acceleration







Worm Propagation Model







Internal Target Lists: Topological Information

• Look for local information to find new targets

– URLs on disk and in caches

– Mail addresses

– .ssh/known_hosts

• Ubiquitous in mail worms

– More recent mail worms are more aggressive at finding new addresses

• Basis of the Morris worm (1988)

– Address space was too sparse for scanning to work







How Fast are Topological Worms?

• Depends on the topology G = (V, E) – Vulnerable machines are vertices,

edges are local information

– Time to infect is a function of the shortest paths from the initial point of infection

• Power law or similar graph (KaZaA) – Depends greatly on the parameters,

but generally very, VERY fast







Activation







Activation

• Human activation – Needs social engineering, especially for email worms

• Melissa – “Attached is an important message for you!”

• Iloveyou – “Open this message to see who loves you!”

• Human activity-based activation – E.g. logging in, rebooting (Nimda’s secondary propagation)

• Scheduled process activation – E.g. updates, backup etc.

• Self activation, most common – E.g. Code Red exploit the IIS web servers







Payload







Payloads

• None/nonfunctional

– Most common

– Still can have significant effects through traffic and machine load (e.g., Morris worm)

• Internet Remote Control

– Code Red II open backdoor on victim machines: anyone with a web browser can execute arbitrary code

• Internet Denial of Service (DOS)

– E.g., Code Red, Yaha

• Data Collection

• Data Damage: Klez

• Worm maintenance







Attacker

• Experimental Curiosity, e.g., I Love You worm

• Pride and Power

• Commercial Advantage

• Extortion and Criminal Gain

• Terrorism

• Cyber Warfare







Serangan Cacing







Teknologi Cacing







Cacing Telepon Bergerak







Countermeasure Cacing







Sistem Kekebalan Digital







Proactive Worm Containment







Arsitektur Pemantauan Cacing







PROPAGATION: Trojan







Spyware/Adware

• Hidden but not self-replicating

• Tracks web activity for marketing, shows popup ads, etc.

• Usually written by businesses: Legal gray area







Efek Spyware







Kuda Trojan







Kuda Trojan: Program Utility







Kuda Trojan: Trik Instalasi







Browser Hijack

• An extremely nasty adware

• Resets homepage to a particular site

– Ads, porn – something you don’t want

– Any change you make doesn’t affect it

• Software running on your machine

– Does the usual adware/spyware stuff

– Also changes your browser settings

– Runs when system starts – changes the settings back







Spyware is a Common Problem!

• Recall earlier study of users:

80% had spyware on their PCs

• (What about you?)







Solutions

• Anti-spyware software

– Scans your system, removes problems

– Some have real-time protection, most don’t.

• Important (again): run “update” on these to get most recent spyware definitions

• Another option: Security Suites ($60-$70)

– Include antivirus, maybe anti-spyware software

– Also includes a firewall (explained later)

– May include spam filtering, parental control







(detailed discussion next week)

Distributed Denial of Service







Denial-of-service

• Denial of service (DoS) an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space

• Attacks (overload or invalid request services that consume significant resources)

– network bandwidth

– system resources

– application resources

• Have been an issue for some time (25% of respondents to an FBI survey)







Classic DoS attacks

• Flooding ping command – Aim of this attack is to overwhelm the capacity of the

network connection to the target organization

– Traffic can be handled by higher capacity links on the path, but packets are discarded as capacity decreases

• Source of the attack is clearly identified unless a spoofed address is used

• Network performance is noticeably affected







Classic DoS attacks







Soal

• Kata sandi (password) sebagai pengaman otentikasi lapis aplikasi

– Jika kata sandi memiliki panjang 3 karakter alphabet huruf besar, maka berapa lama waktu yang dibutuhkan untuk memecahkan kata sandi tertentu secara brute-force, asumsikan pengujian sebuah kata sandi membutuhkan waktu 8 detik?

– Jika batas antara kondisi “insecure” dan “secure” adalah selama x satuan waktu, maka berapa sebaiknya nilai y (panjang kata sandi)? Sebutkan dan jelaskan justifikasi dari asumsi tersebut dengan mempertimbangkan himpunan karakter pembentuk kata sandi dan waktu yang dibutuhkan untuk menguji sebuah kata sandi tunggal! Petunjuk: himpunan karakter dapat berupa huruf besar, huruf kecil, angka, dan tanda baca.







Soal

• The Internet is, slowly, transitioning from the version of the TCP/IP protocol suite currently in use IPv4 to a new version, IPv6. Unlike IPv4 IP addresses, which are 32 bits long (e.g., 192.168.10.1), IPv6 IP addresses are 128 bits long (e.g., 2001:1890:1112:0001:0000:0000:0000:0020).

• a. Consider random-scanning Internet worms. These worms spread by choosing a random IP address, connecting to any host answering to that address, and attempting to infect it. Is the random-scanning strategy feasible if the Internet switches from IPv4 to IPv6? Why or why not?

• b. On the IPv6 Internet, try to give three different ways that a worm, executing on a compromised computer, can discover IP addresses of other hosts to try to infect.







• B. Thuraisingham, “Reactively Adaptive Malware”, University of Texas, 2013

• H. Saiedian, “Denial-of-Service Attacks”, University of Kansas, 2014

• Y. Chen, “Information Security & Assurance: Malcode”, Northwestern University, 2016

Daftar Pustaka







THANK YOU ! QUESTIONS ?






perangkat lunak berbahaya (malware malicious software) · •one of oldest types of malicious...

Documents