Malware
Páginas: 19 (4580 palabras)
Publicado: 29 de noviembre de 2010
TDC588: Advanced Network Defense Systems
Lecture 2:
Network Security Attacks II: Malware
Professor Ehab Al-Shaer
School of Computer Science, Telecommunications & Information Systems DePaul University, Chicago, IL
Outline
FBI Attack Survey Attacking Steps Crypto Attacks Infrastructure Attacks: DNS, ARP, routing protocols, TCP Network Bandwidth DoS and DDoS DDoS Application Attacks(c) Prof. Ehab Al-Shaer, DePaul University
2
Outline
Classification of Malware Exploit Techniques
Buffer overflow, Heap Overflow, String replacement
Worms & Viruses User-mode & Kernel-mode Rook Kits SPAM & Phishing
(c) Prof. Ehab Al-Shaer, DePaul University
3
Classification of Malware
Password cracker Trojan Horse Backdoor Exploit vs. vulnerability Worms and viruses Downloader:install other programs Dialers: dial into bulletin boards and charge the user/victim, or does transactions Injectors: injects malicious code into a remote system Spammer programs: to send email regularly. Flooders: used to launch DOS Keyloggers: capture and send key strokes Adware and Spyware: collect informant about user activities (adware) and sends it our (spyware)
(c) Prof. Ehab Al-Shaer,DePaul University
4
Classification of Malware
What is a backdoor?
A backdoor is a way in to the system that allows an attacker admission whenever they want (e.g., Netcat and VNC toots)
Trojans
What are they? Trojan horse programs are programs that claim to perform some desirable or necessary function but also perform some function that the individual who runs the program would not expector want Classic example: Replace /bin/login - lets users log in to system but saves passwords for later analysis Trojan Backdoor: Combination of a backdoor hiding inside
of a Trojan program (c) Prof. Ehab Al-Shaer, DePaul University
5
Classification of Malware
Rootkits: set of tools used after the attacker has broken into the system and gained a root access. It is used to install amodified version of the common tools in user-mode or kernel-mode (like Adore http://lwn.net/Articles/75990/ ) to hide the malware. The last one is more dangerous.
Even more powerful:
Kernel-mode rootkits can intercept the native API and also directly manipulate kernel-mode data structures.
Revealed by:
Applications like RootkitRevealer: Take high level Windows API scan and compare it with lowestlevel raw contents of file system volume registry. Any discrepancy (c) Prof. Ehab Al-Shaer, DePaul the application as hidden 6 can be seen by University from the API.
Malware Statistics
Current Statistics on Trojans, Rootkit and Bot Activity – June 2006
http://www.eweek.com/article2/0,1895,1974620,00.asp
“Since January 2005, Microsoft has removed 16 million instances of malicioussoftware from 5.7 million unique Windows machines. The most significant threat is clearly from backdoor Trojans While rootkits are an emerging threat, only 17% of computers were infected with rootkits at this time”
7
(c) Prof. Ehab Al-Shaer, DePaul University
Overflow Exploits- 101 Hacking
(c) Prof. Ehab Al-Shaer, DePaul University
8
Software vulnerabilities
Software vulnerabilities areweaknesses, being introduced during the “software engineering” process, that can potentially be exploited by attackers.
OS kernels, device drivers, applications…
Vulnerability
the “weak” points in the software applications or even the kernel itself This talk “control flow hijack” based on buffer overflow.
Exploit
the attack code utilizing one or more vulnerabilities
(c) Prof. EhabAl-Shaer, DePaul University
9
Types of Exploitation Techniques
Exploitation is the root of the problems attacks leads to ALL
Buffer overflow occurs when a program attempts to store data in a buffer and the data is larger than the size of the buffer the data can overflow into adjacent memory locations, corrupting these locations and possibly hijacking the execution path.
Stack overflow Heap...
Lecture 2:
Network Security Attacks II: Malware
Professor Ehab Al-Shaer
School of Computer Science, Telecommunications & Information Systems DePaul University, Chicago, IL
Outline
FBI Attack Survey Attacking Steps Crypto Attacks Infrastructure Attacks: DNS, ARP, routing protocols, TCP Network Bandwidth DoS and DDoS DDoS Application Attacks(c) Prof. Ehab Al-Shaer, DePaul University
2
Outline
Classification of Malware Exploit Techniques
Buffer overflow, Heap Overflow, String replacement
Worms & Viruses User-mode & Kernel-mode Rook Kits SPAM & Phishing
(c) Prof. Ehab Al-Shaer, DePaul University
3
Classification of Malware
Password cracker Trojan Horse Backdoor Exploit vs. vulnerability Worms and viruses Downloader:install other programs Dialers: dial into bulletin boards and charge the user/victim, or does transactions Injectors: injects malicious code into a remote system Spammer programs: to send email regularly. Flooders: used to launch DOS Keyloggers: capture and send key strokes Adware and Spyware: collect informant about user activities (adware) and sends it our (spyware)
(c) Prof. Ehab Al-Shaer,DePaul University
4
Classification of Malware
What is a backdoor?
A backdoor is a way in to the system that allows an attacker admission whenever they want (e.g., Netcat and VNC toots)
Trojans
What are they? Trojan horse programs are programs that claim to perform some desirable or necessary function but also perform some function that the individual who runs the program would not expector want Classic example: Replace /bin/login - lets users log in to system but saves passwords for later analysis Trojan Backdoor: Combination of a backdoor hiding inside
of a Trojan program (c) Prof. Ehab Al-Shaer, DePaul University
5
Classification of Malware
Rootkits: set of tools used after the attacker has broken into the system and gained a root access. It is used to install amodified version of the common tools in user-mode or kernel-mode (like Adore http://lwn.net/Articles/75990/ ) to hide the malware. The last one is more dangerous.
Even more powerful:
Kernel-mode rootkits can intercept the native API and also directly manipulate kernel-mode data structures.
Revealed by:
Applications like RootkitRevealer: Take high level Windows API scan and compare it with lowestlevel raw contents of file system volume registry. Any discrepancy (c) Prof. Ehab Al-Shaer, DePaul the application as hidden 6 can be seen by University from the API.
Malware Statistics
Current Statistics on Trojans, Rootkit and Bot Activity – June 2006
http://www.eweek.com/article2/0,1895,1974620,00.asp
“Since January 2005, Microsoft has removed 16 million instances of malicioussoftware from 5.7 million unique Windows machines. The most significant threat is clearly from backdoor Trojans While rootkits are an emerging threat, only 17% of computers were infected with rootkits at this time”
7
(c) Prof. Ehab Al-Shaer, DePaul University
Overflow Exploits- 101 Hacking
(c) Prof. Ehab Al-Shaer, DePaul University
8
Software vulnerabilities
Software vulnerabilities areweaknesses, being introduced during the “software engineering” process, that can potentially be exploited by attackers.
OS kernels, device drivers, applications…
Vulnerability
the “weak” points in the software applications or even the kernel itself This talk “control flow hijack” based on buffer overflow.
Exploit
the attack code utilizing one or more vulnerabilities
(c) Prof. EhabAl-Shaer, DePaul University
9
Types of Exploitation Techniques
Exploitation is the root of the problems attacks leads to ALL
Buffer overflow occurs when a program attempts to store data in a buffer and the data is larger than the size of the buffer the data can overflow into adjacent memory locations, corrupting these locations and possibly hijacking the execution path.
Stack overflow Heap...
Leer documento completo
Regístrate para leer el documento completo.