FOCUS
• What malware is
• Types of malware
• How do they infect hosts
• How do they propagate
• How do they hide
WHAT IS MALWARE?
• Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do.
WHAT IS IT USED FOR?
• Steal personal information
• Steal valuable data
• Destroy data
• Denial of Service
VIRUSES
• A malicious piece of code that spreads itself from file to file
• A virus needs a host file
• Requires user interaction
– Like opening a file
• Different types of viruses
– Program viruses
– Boot viruses
– Macro viruses
[Diagram: infected file, with the virus as its payload]
WORMS
• A malicious piece of code that spreads itself from computer to computer by exploiting vulnerabilities
– A worm needs no host file
– Spreads without user interaction
• Can spread via
– e-mail attachments
– LAN or Internet
• 2nd generation of worms automatically search for vulnerable computers and infect them
MALICIOUS SCRIPTS
• Malicious scripts written in JavaScript, VBScript, ActiveX, Flash, etc.
• Can be hidden in e-mails or websites
– Flash banners and included JavaScript files
– Cross-Site Scripting (XSS)
TROJANS
• “Trojan Horse”
• Programs with hidden malicious functionalities
• Appear to be screen savers, games, or other “useful” programs
– “There’s an app for that!”
BACKDOORS & ROOTKITS
• A secret entry point into a program/system that allows someone aware of the trap door to gain access without going through the usual security access procedures
• Backdoors
– Usually left by programmers for debugging and testing purposes, intentionally or unintentionally
• Rootkits
– Usually installed by an attacker after having gained root/administrator access
LOGIC BOMBS
• Malicious code programmed to be activated on a specific date, at a specific time or under specific circumstances
• The action could be anything from formatting the hard drive to displaying a silly message on the user’s screen
BLENDED THREATS
• Advanced malicious software that combines the characteristics of viruses, worms, trojans and malicious scripts is sometimes called a “Blended Threat”
– It’s hard to know where to draw the line
• Exploits one or many vulnerabilities in programs or the operating system
VIRUSES
• 4 phases:
– Dormant phase: the virus is idle, waiting for some event
– Triggering phase: the virus is activated to perform some intended actions
– Propagation phase: the virus copies itself into other programs
– Execution phase: the virus executes its payload
LIFECYCLE OF A VIRUS
• A virus gets created and released
• The virus infects several machines
• Samples are sent to anti-virus companies
• A signature is recorded from the virus
• The companies include the new signature in their database
VIRUS HIDING MECHANISMS
• Encrypt the virus code with randomly generated keys
• What happens if the boot area is encrypted?
[Diagram: infected file layout – header, decrypt routine, then the virus program and host file (plaintext)]
VIRUS HIDING MECHANISMS (2)
• Polymorphism: randomly changes the encryption/decryption portion of a virus
– Change the key each time the virus starts
– Change the range of plaintext
– Change the location of the encryption subroutine
• Countermeasure: scan in RAM (after
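The lifecycle slide (a signature is recorded and added to the database) and the two hiding slides (encrypt the body with a key that changes every time; the countermeasure is to scan after decryption) can be shown together. This is an added illustration, not code from the original slides: a constructed, harmless text blob stands in for the virus body, a one-byte XOR stands in for the encryption, and the on-disk layout (a `DECRYPT:` tag carrying the key, followed by the encrypted body) is an assumption made for the demo.

```python
import random

# Constructed, harmless stand-in for the virus body that an AV vendor would fingerprint.
PAYLOAD = b"PRINT 'Hello from the sample virus'\nRETURN\n"

# The signature the anti-virus company records from the plaintext body (lifecycle step 4).
SIGNATURE = b"sample virus"


def xor_bytes(data: bytes, key: int) -> bytes:
    """One-byte XOR: the same routine encrypts on infection and decrypts at run time."""
    return bytes(b ^ key for b in data)


def make_infected_file(key: int) -> bytes:
    """Assumed layout: decrypt routine (here just a tag plus the key) then the encrypted body.
    Only the key changes between generations, so every copy looks different on disk."""
    return b"DECRYPT:" + bytes([key]) + xor_bytes(PAYLOAD, key)


def scan_static(file_bytes: bytes) -> bool:
    """Signature scan of the file as stored on disk."""
    return SIGNATURE in file_bytes


def emulate_decrypt(file_bytes: bytes) -> bytes:
    """What the decrypt routine leaves in RAM: read the key back and undo the XOR."""
    if not file_bytes.startswith(b"DECRYPT:"):
        raise ValueError("not a sample of the assumed layout")
    key = file_bytes[8]
    return xor_bytes(file_bytes[9:], key)


def scan_in_ram(file_bytes: bytes) -> bool:
    """Countermeasure from the slide: scan the decrypted image, after the decrypt routine ran."""
    return SIGNATURE in emulate_decrypt(file_bytes)


def demo(generations: int = 5, seed=None):
    """Return (key, static_hit, ram_hit) per generation with a fresh key each time."""
    rnd = random.Random(seed)
    results = []
    for _ in range(generations):
        key = rnd.randrange(1, 256)  # "change key each time the virus starts"
        sample = make_infected_file(key)
        results.append((key, scan_static(sample), scan_in_ram(sample)))
    return results
```

Every generation misses the static scan and hits the in-RAM scan, which is the whole reason the countermeasure scans after decryption rather than the file on disk.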
VIRUS HIDING MECHANISMS (3)
• Entry point changes
• Random execution (JMP)
[Diagram: file layouts showing the header, the original program file (split into parts (1) and (2)) and the virus code]
MACRO VIRUSES
• Macro: an executable program embedded in a document to automate repetitive tasks (saves keystrokes)
• Application-dependent, e.g., MS Office
• Crosses OS platforms
• Why do virus writers like macro viruses?
– Easy to learn
– Easy to write
WORM
• Worm: self-replicating over networks, but not infecting programs and files
STATE OF WORM TECHNOLOGY
• Multiplatform: Windows, Unix, Mac, …
• Multiexploit: web server, browser, email, …
• Ultrafast spreading: host/port scanning
• Polymorphic: Each copy has new code generated by equivalent instructions and encryption techniques.
• Metamorphic: different behavior patterns
• Transport vehicles: for the payloads (spread attacking tools and zombies)
DISCUSSION
TROJAN
• A program with hidden side-effects that are not specified in the program documentation and are not intended by the user executing the program
WHAT A TROJAN CAN DO
• Remote administration trojans: attackers get complete control of a PC
• Backdoor: steal data and files
• Distributed attacks: zombie network
• Password stealers: capture stored passwords
• Audio, video capturing: control devices
• Keyloggers: capture passwords as they are typed
• Adware: popup advertisements
• Logic bomb: only executed when a specific trigger occurs
BE FAMILIAR WITH YOUR PC
• Startup programs/services
• Frequently used IP ports
– 20/21 FTP
– 23 Telnet
– 25 SMTP
– 80 WWW
MALWARE IN MOBILE PHONES
• Mobile phones are computers with great connectivity
– Internet
– WLAN
– Bluetooth
– Regular phone network (SMS, MMS)