Trojans, viruses, and worms all damage computer systems. A user who lacks basic knowledge of these three kinds of malware, or of how to protect a computer against them, is at risk. To provide that background, this paper discusses Trojans, viruses, and worms.
A Trojan horse is a file that claims to be harmless but is, in fact, malicious. The file looks safe, but hidden inside it is something harmful, frequently a worm or a virus carried as a payload. The bait of a Trojan is that you download a file or open an email attachment believing it is harmless; once you run the file, the hidden payload infects your computer. An important distinction between Trojan horse programs and true viruses is that Trojans do not replicate themselves. An example of a Trojan is PWSteal.Trojan.
Worms, unlike Trojans, are programs that replicate themselves from system to system without the use of a host file. This is the essential difference between worms and viruses: a virus spreads only by infecting a host file, whereas a worm is a complete program in its own right. Although worms often travel inside other files, for instance Word or Excel documents, they use the host file differently from viruses. A worm typically releases a document that already contains the "worm" macro, and that entire document travels across the network from computer to computer; the whole file should therefore be considered the worm. Worms generally arrive as email attachments, but a computer can also be infected by accepting a Trojan file that carries a worm as its payload. If a user receives a worm program by email and runs it, the program sends a copy of itself to everyone in the user's address book. Each recipient who runs the file is in the same situation, and so the cycle of infection and multiplication continues.
A virus is a program that alters the way a computer operates, without the consent or knowledge of the user. Viruses spread through the executable files we receive from other people and download from the Internet, and they are often carried by Trojans, which act as the delivery vehicle. For a program to be classified as a virus it must execute itself, usually by placing its own code in the path of execution of another program, and replicate itself, for example by replacing other executable files with a copy of the infected file. A virus's payload may damage the computer by corrupting programs, deleting files, or reformatting the hard disk. Some viruses are not programmed to do any damage, but simply replicate and announce their presence with text, video, or audio messages; in the process they take up memory that would otherwise be available to legitimate programs, which often results in erratic behavior and system crashes. Moreover, many viruses are bug-ridden, and those bugs can themselves cause system crashes and loss of valuable data.
There are five types of viruses: file infector, boot sector, master boot record, multi-partite, and macro viruses. File infector viruses infect program files, that is, executable code such as .com and .exe files. They can infect other files when an infected program is run from a floppy disk, hard drive, or network share. These viruses stay resident in memory, so once memory is infected, every non-infected executable that runs afterwards becomes infected. Examples of file infector viruses include Jerusalem and Cascade.
Boot sector viruses infect the boot record on floppy disks and hard disks. They attach themselves to the system area of a disk and activate when the user boots from the infected disk; usually all that is required to become infected is to attempt to start the computer with an infected floppy disk in the drive. Like file infector viruses, boot sector viruses are memory resident: the virus remains in memory after booting, so every floppy disk that is not write-protected becomes infected when it is accessed. Examples of boot sector viruses include Michelangelo and Stoned.
Master boot record viruses are also memory resident and infect disks in the same way as boot sector viruses. The distinction between the two types lies in the location of the viral code: master boot record infectors normally save a copy of the original master boot record in a different location. Windows NT computers infected by either a boot sector virus or a master boot record virus will not boot, because of the difference in how that operating system accesses its boot information compared to Windows 95/98. If a Windows NT system is formatted with FAT partitions, the virus can usually be removed by booting to DOS and running antivirus software. If the boot partition is NTFS, the system must be recovered using the three Windows NT Setup disks. Examples of master boot record infectors include AntiExe and Unashamed.
Multi-partite viruses, also known as poly-partite viruses, infect both boot records and program files. They are difficult to repair: if the boot area is cleaned but the infected files are not, the files re-infect the boot area, and if the files are cleaned but the virus is left in the boot area, the cleaned files are re-infected. Both locations must be cleaned in the same pass. Examples of multi-partite viruses include Anthrax and Tequila.
Macro viruses infect data files rather than executables, and for years they were the most common of all virus types. A macro virus can be written to infect not only data files but other files as well. All of these viruses are written in another program's internal scripting language, which exists to let users automate certain tasks within that program. Because such languages make these viruses relatively easy to create, many of them are in circulation. Examples of macro viruses include W97M.Melissa and W97M.Groov.
There are many ways to protect your computer. Do not accept files from anyone you do not know, and do not run, or even preview, files you receive by email from strangers. Buy a good, up-to-date antivirus program and keep it current. Encourage your acquaintances, business associates, and other people you regularly exchange email with to send messages as Rich Text Format (.rtf) files instead of Word documents: the document's appearance is preserved, and RTF cannot carry the VBA macros that macro viruses depend on (it can still embed objects, so this reduces rather than eliminates the risk). Be wary of friends who pass along funny video clips by email; neither of you knows where the file came from or whether it is clean. Be careful with disks from other computers: since not everybody uses antivirus software, run a virus scan on a disk before using it. Set a regular schedule for updating virus definitions and scanning, and stick to it. Back up important files regularly. Avoid pornography sites, game sites, and websites that offer free screen savers or shareware; they are frequent breeding grounds for Trojan horses.
In conclusion, viruses, Trojans, and worms can all damage your computer. If you follow safe and consistent practices you can prevent your computer from getting infected, and even basic knowledge of these threats helps.
Malware: Malicious Software (10/21/2010)

Viruses, Worms, Trojans, Rootkits
• Malware can be classified into several categories, depending on propagation and concealment
• Propagation
  – Virus: human-assisted propagation (e.g., opening an email attachment)
  – Worm: automatic propagation without human assistance
• Concealment
  – Rootkit: modifies the operating system to hide its existence
  – Trojan: provides desirable functionality but hides a malicious operation
• Various types of payloads, ranging from annoyance to crime

Insider Attacks
• An insider attack is a security breach that is caused or facilitated by someone who is part of the very organization that controls or builds the asset that should be protected.
• In the case of malware, an insider attack refers to a security hole that is created in a software system by one of its programmers.

Backdoors
• A backdoor, also sometimes called a trapdoor, is a hidden feature or command in a program that allows a user to perform actions he or she would not normally be allowed to do.
• When used in the normal way, the program performs completely as expected and advertised.
• But if the hidden feature is activated, the program does something unexpected, often in violation of security policy, such as performing a privilege escalation.
• Benign example: Easter eggs in DVDs and software

Logic Bombs
• A logic bomb is a program that performs a malicious action as a result of a certain logic condition.
• The classic example of a logic bomb is a programmer coding up the software for a payroll system who puts in code that makes the program crash should it ever process two consecutive payrolls without paying him.
• Another classic example combines a logic bomb with a backdoor, where a programmer puts in a logic bomb that will crash the program on a certain date.
The Omega Engineering Logic Bomb
• An example of a logic bomb that was actually triggered and caused damage is the one that programmer Tim Lloyd was convicted of using against his former employer, Omega Engineering Corporation. On July 31, 1996, a logic bomb was triggered on the server for Omega Engineering's manufacturing operations, which ultimately cost the company millions of dollars in damages and led to it laying off many of its employees.

The Omega Bomb Code
• The logic behind the Omega Engineering time bomb included the following strings:
  – 7/30/96 – the event (date) that triggered the bomb
  – F: – focused attention on volume F, which held the critical files
  – F:\LOGIN\LOGIN 12345 – logged in as a fictitious user, 12345 (the backdoor)
  – CD \PUBLIC – moved to the public folder of programs
  – FIX.EXE /Y F:\*.* – ran a program called FIX, which actually deletes everything
  – PURGE F:\/ALL – prevented recovery of the deleted files

Defenses against Insider Attacks
• Avoid single points of failure.
• Use code walk-throughs.
• Use archiving and reporting tools.
• Limit authority and permissions.
• Physically secure critical systems.
• Monitor employee behavior.
• Control software installations.

Computer Viruses
• A computer virus is computer code that can replicate itself by modifying other files or programs to insert code that is capable of further replication.
• This self-replication property is what distinguishes computer viruses from other kinds of malware, such as logic bombs.
• Another distinguishing property of a virus is that replication requires some type of user assistance, such as clicking on an email attachment or sharing a USB drive.
Biological Analogy
• Computer viruses share some properties with biological viruses
[Figure: the stages of a biological infection, labelled attack, penetration, replication and assembly, and release]

Early History
• The 1972 sci-fi novel "When HARLIE Was One" features a program called VIRUS that reproduces itself
• First academic use of the term virus by PhD student Fred Cohen in 1984, who credits his advisor Len Adleman with coining it
• In 1982, high-school student Rich Skrenta wrote the first virus released in the wild: Elk Cloner, a boot sector virus
• (c)Brain, by Basit and Amjad Farooq Alvi in 1986, is credited with being the first virus to infect PCs

Virus Phases
• Dormant phase. During this phase, the virus just exists: it is lying low and avoiding detection.
• Propagation phase. During this phase, the virus is replicating itself, infecting new files on new systems.
• Triggering phase. In this phase, some logical condition causes the virus to move from the dormant or propagation phase to performing its intended action.
• Action phase. In this phase, the virus performs the malicious action it was designed to perform, called the payload.
  – This action could be something seemingly innocent, like displaying a silly picture on the computer's screen, or something quite malicious, such as deleting all essential files on the hard drive.

Infection Types
• Overwriting
  – Destroys the original code
• Pre-pending
  – Keeps the original code, possibly compressed
• Infection of libraries
  – Allows the virus to be memory resident
  – E.g., kernel32.dll
• Macro viruses
  – Infect MS Office documents
  – Often install in the main document template
[Figure: layout of a pre-pending infection, the virus followed by the compressed original code]

Degrees of Complication
• Viruses have various degrees of complication in how they can insert themselves in computer code.
Concealment
• Encrypted virus
  – Decryption engine + encrypted body
  – Randomly generated encryption key
  – Detection looks for the decryption engine
• Polymorphic virus
  – Encrypted virus with random variations of the decryption engine (e.g., padding code)
  – Detection using a CPU emulator
• Metamorphic virus
  – Different virus bodies
  – Approaches include code permutation and instruction replacement
  – Challenging to detect

Computer Worms
• A computer worm is a malware program that spreads copies of itself without the need to inject itself into other programs, and usually without human interaction.
• Thus, computer worms are technically not computer viruses (since they don't infect other programs), but some people nevertheless confuse the terms, since both spread by self-replication.
• In most cases, a computer worm will carry a malicious payload, such as deleting files or installing a backdoor.

Early History
• The first worms were built in the labs of John Shoch and Jon Hupp at Xerox PARC in the early 80s
• CHRISTMA EXEC, written in REXX, released in December 1987, and targeting IBM VM/CMS systems, was the first worm to use an e-mail service
• The first Internet worm was the Morris Worm, written by Cornell student Robert Tappan Morris and released on November 2, 1988

Worm Development
• Identify a vulnerability that is still unpatched
• Write code for
  – Exploitation of the vulnerability
  – Generation of the target list
    • Random hosts on the Internet
    • Hosts on the LAN
    • Divide-and-conquer
  – Installation and execution of the payload
  – Querying/reporting whether a host is infected
• Initial deployment on a private network
• Worm template
  – Generate target list
  – For each host on the target list
    • Check if infected
    • Check if vulnerable
    • Infect
    • Recur

Worm Propagation
• Worms propagate by finding and infecting vulnerable hosts.
  – They need a way to tell if a host is vulnerable
  – They need a way to tell if a host is already infected.
[Figure: an initial infection spreading through a network of hosts]

Propagation: Theory
• Classic epidemic model
  – N: total number of vulnerable hosts
  – I(t): number of infected hosts at time t
  – S(t): number of susceptible hosts at time t
  – $I(t) + S(t) = N$
  – $\beta$: infection rate
• Differential equation for I(t): $\frac{dI}{dt} = \beta\, I(t)\, S(t)$
• More accurate models adjust the propagation rate over time
Source: Cliff C. Zou, Weibo Gong, Don Towsley, and Lixin Gao. The Monitoring and Early Detection of Internet Worms, IEEE/ACM Transactions on Networking, 2005.

Propagation: Practice
• Cumulative total of unique IP addresses infected by the first outbreak of Code-Red I v2 on July 19-20, 2001
Source: David Moore, Colleen Shannon, and Jeffery Brown. Code-Red: a case study on the spread and victims of an Internet worm, CAIDA, 2002

Trojan Horses
• A Trojan horse (or Trojan) is a malware program that appears to perform some useful task, but which also does something with negative consequences (e.g., launches a keylogger).
• Trojan horses can be installed as part of the payload of other malware but are often installed by a user or administrator, either deliberately or accidentally.
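The worm template (generate targets, skip hosts already infected or not vulnerable, infect, recur) and the epidemic model $\frac{dI}{dt} = \beta I(t) S(t)$ describe the same process, and the two can be checked against each other. The following is an added example, not part of the original slides and not code from any real worm: it simulates uniform random scanning over a constructed integer address space (no network traffic is generated) and compares the infected count per tick with the closed-form logistic solution of the epidemic equation. The infection rate it plugs in, β = probes per tick / address-space size, is the rate that uniform scanning implies; the address space, vulnerable-host count and probe rate are constructed parameters.

```python
"""Random-scanning worm simulation versus the classic epidemic model dI/dt = beta*I*S.

Added example: not code from the original slides or from any real worm. Nothing
touches a network; the 'address space' is a range of integers with a constructed
set of vulnerable addresses, and every parameter below is made up for the demo.
"""
import math
import random


def logistic_infected(t, n, i0, beta):
    """Closed-form solution of dI/dt = beta*I*(N-I) with I(0) = i0 (S = N - I)."""
    return n / (1.0 + (n - i0) / i0 * math.exp(-beta * n * t))


def euler_infected(steps, dt, n, i0, beta):
    """Forward-Euler integration of the same equation; returns I after each step."""
    i = float(i0)
    curve = [i]
    for _ in range(steps):
        i += dt * beta * i * (n - i)
        curve.append(i)
    return curve


def effective_beta(address_space, probes_per_tick):
    """Infection rate implied by uniform random scanning.

    Each probe hits one given address with probability 1/address_space, so the
    expected new infections per tick are I*probes*S/address_space = beta*I*S.
    """
    return probes_per_tick / address_space


def simulate_worm(address_space, n_vulnerable, probes_per_tick, ticks, seed=1):
    """Tick-based simulation of the worm template: pick random targets, skip hosts
    that are already infected or not vulnerable, infect the rest, repeat.
    Returns the number of infected hosts after each tick (index 0 = one host)."""
    rng = random.Random(seed)
    vulnerable = set(rng.sample(range(address_space), n_vulnerable))
    infected = {min(vulnerable)}          # the initial deployment
    history = [len(infected)]
    for _ in range(ticks):
        new = set()
        for _host in infected:
            for _ in range(probes_per_tick):
                target = rng.randrange(address_space)
                if target in vulnerable and target not in infected:
                    new.add(target)       # "check if vulnerable / check if infected / infect"
        infected |= new
        history.append(len(infected))
    return history


def first_tick_at_or_above(history, threshold):
    """Index of the first tick at which the infected count reaches `threshold`."""
    for tick, count in enumerate(history):
        if count >= threshold:
            return tick
    return None


if __name__ == "__main__":
    SPACE, N, PROBES, TICKS = 10_000, 500, 20, 40     # constructed parameters
    beta = effective_beta(SPACE, PROBES)
    sim = simulate_worm(SPACE, N, PROBES, TICKS)
    print("tick  simulated  model")
    for t in range(0, TICKS + 1, 4):
        print(f"{t:4d}  {sim[t]:9d}  {logistic_infected(t, N, 1, beta):6.1f}")
```

The simulated curve has the same S shape as the model but lags it slightly: the simulation advances in whole ticks, so early growth is a factor of about (1 + βN) per tick rather than e^{βN}, which is one reason the slide notes that more accurate models adjust the rate over time. The saturation phase also shows why worms need the "already infected" check: once most vulnerable hosts are infected, almost every probe is wasted.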
Current Trends
• Trojans currently have the largest infection potential
  – Often exploit browser vulnerabilities
  – Typically used to download other malware in multi-stage attacks
Source: Symantec Internet Security Threat Report, April 2009

Rootkits
• A rootkit modifies the operating system to hide its existence
  – E.g., modifies file system exploration utilities
  – Hard to detect using software that relies on the OS itself
• RootkitRevealer
  – By Bryce Cogswell and Mark Russinovich (Sysinternals)
  – Two scans of the file system: a high-level scan using the Windows API and a raw scan using direct disk access methods
  – A discrepancy between the two reveals the presence of a rootkit
  – Could be defeated by a rootkit that intercepts and modifies the results of the raw scan operations

Malware Zombies
• Malware can turn a computer into a zombie, which is a machine that is controlled externally to perform malicious attacks, usually as part of a botnet.
[Figure: the botnet controller (attacker) sends attack commands to the botnet, which carries out the attack actions against the victim]

Financial Impact
• Malware often affects a large user population
• Significant financial impact, though estimates vary widely, up to $100B per year (mi2g)
• Examples
  – LoveBug (2000) caused $8.75B in damages and shut down the British parliament
  – In 2004, 8% of emails were infected by W32/MyDoom.A at its peak
  – In February 2006, the Russian Stock Exchange was taken down by a virus.

Economics of Malware
• New malware threats have grown from 20K to 1.7M in the period 2002-2008
• Most of the growth has been from 2006 to 2008
• The number of new threats per year appears to be growing at an exponential rate.
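The RootkitRevealer idea on the Rootkits slide, two views of the same data compared for discrepancies, applies to more than the file system. The following is an added example, not RootkitRevealer's code and not from the original slides, that applies it to the process list on Linux. It assumes a Linux host with /proc mounted and is read-only: the "high-level" view is the directory listing of /proc (what ps and top consume, and what a rootkit hooking readdir/getdents filters), the "raw" view asks the kernel about every PID directly with signal 0, and a PID that the kernel confirms but the listing omits is the discrepancy a listing-filtering rootkit produces. Like the original tool, it can be fooled by a rootkit that also hooks the lower-level path, here kill().

```python
"""Cross-view process enumeration on Linux, after RootkitRevealer's two-scan idea.

Added example: not RootkitRevealer's code and not from the original slides.
Assumes Linux (/proc, os.kill) and makes no changes to the system.
"""
import os


def listing_view():
    """High-level view: PIDs that appear when /proc is listed (what ps/top use)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_view(max_pid=None):
    """Raw view: ask the kernel about every PID with signal 0 (nothing is sent).
    ESRCH (ProcessLookupError) means no such process; EPERM (PermissionError)
    means it exists but belongs to someone else, so it still counts as alive."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def cross_view(high_level, raw):
    """Pure comparison of the two views. Entries the raw view knows but the
    high-level view omits are the interesting ones; the reverse direction is
    normally just a process that exited between the two scans."""
    return {
        "hidden_from_listing": sorted(raw - high_level),
        "gone_since_listing": sorted(high_level - raw),
    }


def confirm_hidden(pids):
    """Drop race hits: a PID that exited has no /proc/<pid> entry any more, while
    one still reachable by direct path but absent from the listing is exactly
    what a readdir-filtering rootkit leaves behind."""
    return [pid for pid in pids if os.path.isdir(f"/proc/{pid}")]


def find_hidden_processes(max_pid=None):
    """Run both views, compare, and re-list once so processes that started between
    the scans are not reported as hidden."""
    listing = listing_view()
    raw = probe_view(max_pid)
    candidates = confirm_hidden(cross_view(listing, raw)["hidden_from_listing"])
    relisted = listing_view()
    return [pid for pid in candidates if pid not in relisted]


if __name__ == "__main__":
    hidden = find_hidden_processes()
    print("PIDs present in the kernel but missing from the /proc listing:", hidden or "none")
```

Probing the full pid_max range takes a few seconds in Python; pass a smaller max_pid to experiment. A result of "none" is not proof of a clean system, only that the two views agree, which is the same caveat the slide gives for RootkitRevealer.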
Source: Symantec Internet Security Threat Report, April 2009

Professional Malware
• Growth in professional cybercrime and online fraud has led to demand for professionally developed malware
• New malware is often a custom-designed variation of known exploits, so the malware designer can sell different "products" to his/her customers.
• Like every product, professional malware is subject to the laws of supply and demand.
  – Recent studies put the price of a software keystroke logger at $23 and the use of a botnet at $225.
Image by User:SilverStar from http://commons.wikimedia.org/wiki/File:Supply-demand-equilibrium.svg used by permission under the Creative Commons Attribution ShareAlike 3.0 License

Adware
[Figure: adware software payload]
• The adware engine infects a user's computer
• The adware engine requests advertisements from the adware agent
• Advertisers contract with the adware agent for content
• The adware agent delivers ad content to the user

Spyware
[Figure: spyware software payload]
1. The spyware engine infects a user's computer.
2. The spyware process collects keystrokes, passwords, and screen captures.
3. The spyware process periodically sends the collected data to the spyware data collection agent.
Signatures: A Malware Countermeasure
• Scanning compares the analyzed object with a database of signatures
• A signature is a virus fingerprint
  – E.g., a string with a sequence of instructions specific to each virus
  – Different from a digital signature
• A file is infected if there is a signature inside its code
  – Fast pattern matching techniques are used to search for signatures
• All the signatures together make up the malware database, which is usually proprietary

Signatures Database
• Common Malware Enumeration (CME)
  – Aims to provide unique, common identifiers for new virus threats
  – Hosted by MITRE
  – http://cme.mitre.org/data/list.html
• Digital Immune System (DIS)
  – Creates new signatures automatically

White/Black Listing
• Maintain a database of cryptographic hashes for
  – Operating system files
  – Popular applications
  – Known infected files
• Compute the hash of each file
• Look it up in the database
• The integrity of the database must be protected

Heuristic Analysis
• Useful to identify new and "zero day" malware
• Code analysis
  – Based on the instructions, the antivirus can determine whether or not the program is malicious, e.g., the program contains instructions to delete system files
• Execution emulation
  – Run the code in an isolated emulation environment
  – Monitor the actions that the target file takes
  – If the actions are harmful, mark it as a virus
• Heuristic methods can trigger false alarms

Shield vs. On-demand
• Shield
  – Background process (service/daemon)
  – Scans each time a file is touched (open, copy, execute, etc.)
• On-demand
  – Scan on explicit user request or according to a regular schedule
  – On a suspicious file, directory, drive, etc.
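The Signatures and White/Black Listing slides above, together with the encrypted-virus case on the earlier Concealment slide, fit into one small scanner. The following is an added example, not any vendor's engine and not code from the original slides: it does an exact hash lookup against allow and deny lists first, then a byte-pattern signature scan, and then shows why a signature on the virus body misses an encrypted copy while a signature on the constant decryptor stub still hits, and what an emulating scanner gains by letting the decryptor run before scanning. Every signature, hash and sample byte string is constructed for the demonstration; none is a fingerprint of real malware.

```python
"""Signature scanning, hash allow/deny lists, and the encrypted-virus evasion case.

Added example: not any vendor's engine and not from the original slides. All
signatures, hashes and 'samples' below are constructed for illustration.
"""
import hashlib

# Constructed signatures: hypothetical byte patterns, not real malware fingerprints.
SIGNATURES = {
    "Demo.Body": b"\xde\xad\xbe\xef\x90\x90\xcc\xcc",
    "Demo.Decryptor": b"\x31\xc0\x31\xc9\xfe\xc1\x30\x0c",
}

# Constructed hash lists. A real engine ships these signed and integrity-checked:
# whoever can edit the allow list can hide anything from the scanner.
ALLOW_LIST = {hashlib.sha256(b"known good binary bytes").hexdigest()}
DENY_LIST = {hashlib.sha256(b"known bad binary bytes").hexdigest()}


def match_signatures(data):
    """Names of every signature whose byte pattern occurs in `data`."""
    return sorted(name for name, pattern in SIGNATURES.items() if pattern in data)


def classify(data):
    """Exact hash lookup first (cheap, no false positives), then the signature scan."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in ALLOW_LIST:
        return "clean", ["allow-list"]
    if digest in DENY_LIST:
        return "infected", ["deny-list"]
    hits = match_signatures(data)
    return ("infected", hits) if hits else ("unknown", [])


def xor_bytes(data, key):
    """Single-byte XOR: the toy cipher standing in for an encrypted virus's body cipher."""
    return bytes(b ^ key for b in data)


def build_encrypted_sample(key):
    """Constructed layout of an encrypted virus: constant decryptor stub, one key
    byte, then the body encrypted under that key (the key is random per copy)."""
    body = b"PAYLOAD:" + SIGNATURES["Demo.Body"] + b":END"
    return SIGNATURES["Demo.Decryptor"] + bytes([key]) + xor_bytes(body, key)


def emulate_and_scan(data):
    """What a CPU-emulating scanner does in spirit: recognise the stub, let the
    'decryptor' run (here: read the key byte and XOR), then scan the plaintext too."""
    stub = SIGNATURES["Demo.Decryptor"]
    pos = data.find(stub)
    if pos < 0:
        return classify(data)
    key = data[pos + len(stub)]
    plaintext = xor_bytes(data[pos + len(stub) + 1:], key)
    hits = sorted(set(match_signatures(data)) | set(match_signatures(plaintext)))
    return "infected", hits


if __name__ == "__main__":
    plain = b"PAYLOAD:" + SIGNATURES["Demo.Body"] + b":END"
    encrypted = build_encrypted_sample(0x5A)
    print("plain body:      ", classify(plain))
    print("encrypted, static:", classify(encrypted))        # only the stub matches
    print("encrypted, emulated:", emulate_and_scan(encrypted))
    print("allow-listed:    ", classify(b"known good binary bytes"))
```

The static scan of the encrypted sample is why the Concealment slide says detection of an encrypted virus "looks for the decryption engine": the body changes with every key, the stub does not. A polymorphic virus then varies the stub as well, which is what pushes detection toward emulation, the `emulate_and_scan` path here.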
Performance Test of Scan Techniques
• Comparative: check the number of already known viruses that are found and the time to perform the scan
• Retrospective: test the proactive detection of the scanner for unknown viruses, to verify which vendor uses better heuristics
• Anti-viruses are ranked using both parameters: http://www.av-comparatives.org/

Online vs. Offline Anti-Virus Software
• Online
  – Free browser plug-in
  – Authentication through a third-party certificate (e.g., VeriSign)
  – No shielding
  – Software and signatures updated at each scan
  – Poorly configurable
  – Scan needs an Internet connection
  – Report collected by the company that offers the service
• Offline
  – Paid annual subscription
  – Installed on the OS
  – Software distributed securely by the vendor online or through a retailer
  – System shielding
  – Scheduled software and signature updates
  – Easily configurable
  – Scan without an Internet connection
  – Report collected locally and possibly sent to the vendor

Quarantine
• A suspicious file can be isolated in a folder called quarantine:
  – E.g., if the result of the heuristic analysis is positive and you are waiting for a signature database update
• The suspicious file is not deleted but made harmless: the user can decide when to remove it, or restore it in the case of a false positive
  – Interacting with a file in quarantine is possible only through the antivirus program
• The file in quarantine is harmless because it is encrypted
• Usually the quarantine technique is proprietary and the details are kept secret
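The Quarantine slide describes the mechanism without showing it. The following is an added example, not from the original slides and not any product's (proprietary) quarantine format: it moves a file into a quarantine directory as an encrypted blob plus a JSON record, and restores it, verifying the stored hash, for the false-positive case. The transform is a SHA-256 counter-mode keystream used as a constructed stand-in for the vendor's cipher; its job is to leave nothing on disk that a scanner matches or the OS can execute, not to keep a secret, so the key is stored beside the blob. The directory layout and record fields are assumptions.

```python
"""Quarantine: make a suspicious file inert without destroying it, with a
verified restore path for false positives.

Added example: not from the original slides and not a real product's format.
The keystream transform is a constructed stand-in for the vendor's encryption.
"""
import hashlib
import json
import os
import secrets
import tempfile
import time


def keystream_xor(data, key):
    """XOR `data` with SHA256(key || offset) blocks; applying it twice restores the data."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out += bytes(a ^ b for a, b in zip(chunk, pad))
    return bytes(out)


def quarantine(path, qdir, reason):
    """Encrypt `path` into `qdir`, write a record, remove the original; returns the record id."""
    with open(path, "rb") as fh:
        data = fh.read()
    key = secrets.token_bytes(32)                 # fresh key per quarantined file
    record_id = hashlib.sha256(data).hexdigest()  # id doubles as the integrity check
    os.makedirs(qdir, exist_ok=True)
    with open(os.path.join(qdir, record_id + ".blob"), "wb") as fh:
        fh.write(keystream_xor(data, key))
    record = {
        "original_path": os.path.abspath(path),
        "sha256": record_id,
        "size": len(data),
        "reason": reason,
        "quarantined_at": time.time(),
        "key_hex": key.hex(),
    }
    with open(os.path.join(qdir, record_id + ".json"), "w") as fh:
        json.dump(record, fh)
    os.remove(path)          # nothing executable is left at the original location
    return record_id


def restore(record_id, qdir, dest=None):
    """Decrypt the blob back to `dest` (default: the original path), checking the hash."""
    with open(os.path.join(qdir, record_id + ".json")) as fh:
        record = json.load(fh)
    with open(os.path.join(qdir, record_id + ".blob"), "rb") as fh:
        data = keystream_xor(fh.read(), bytes.fromhex(record["key_hex"]))
    if hashlib.sha256(data).hexdigest() != record["sha256"]:
        raise ValueError("quarantine blob corrupted or tampered with")
    dest = dest or record["original_path"]
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def demo_roundtrip():
    """Quarantine a constructed file in a temp dir, then restore it; returns the checks."""
    sample = b"MZ" + b"constructed suspicious content " * 4      # constructed, not a real binary
    with tempfile.TemporaryDirectory() as tmp:
        qdir = os.path.join(tmp, "quarantine")
        path = os.path.join(tmp, "suspect.exe")
        with open(path, "wb") as fh:
            fh.write(sample)
        rid = quarantine(path, qdir, "heuristic: contains instructions to delete system files")
        removed = not os.path.exists(path)
        with open(os.path.join(qdir, rid + ".blob"), "rb") as fh:
            blob = fh.read()
        with open(restore(rid, qdir), "rb") as fh:
            restored = fh.read()
    return {"original_removed": removed, "blob_differs": blob != sample,
            "restored_equal": restored == sample}


if __name__ == "__main__":
    print(demo_roundtrip())
```

What makes the quarantined file "harmless" is that neither the loader nor a signature scanner recognises the blob, and what enforces "only through the antivirus program" is the permissions on the quarantine directory, not the cipher; a deployment would restrict `qdir` to the scanner's own account.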
Static vs. Dynamic Analysis
• Static analysis
  – Checks the code without trying to execute it
  – Quick scan against a white list
  – Filtering: scan with different antivirus engines and check whether they return the same result under different names
  – Weeding: remove the known-correct parts of files as junk to better identify the virus
  – Code analysis: check the binary to understand whether it is an executable, e.g., PE
  – Disassembling: check whether the byte code shows something unusual
• Dynamic analysis
  – Check the execution of the code inside a virtual sandbox
  – Monitor
    • File changes
    • Registry changes
    • Processes and threads
    • Network ports

Virus Detection is Undecidable
• Theoretical result by Fred Cohen (1987)
• A virus is abstractly modeled as a program that eventually executes infect
• The code for infect may be generated at runtime
• Proof by contradiction similar to that of the halting problem
  – Suppose program isVirus(P) determines whether program P is a virus
  – Define a new program Q as follows:
      if (not isVirus(Q)) infect
      stop
  – Running isVirus on Q yields a contradiction

Other Undecidable Detection Problems
• Detection of a virus
  – by its appearance
  – by its behavior
• Detection of an evolution of a known virus
• Detection of a triggering mechanism
  – by its appearance
  – by its behavior
• Detection of a virus detector
  – by its appearance
  – by its behavior
• Detection of an evolution of
  – a known virus
  – a known triggering mechanism
  – a virus detector

Resources
• Computer Emergency Response Team
  – Research center funded by the US federal government
  – Vulnerabilities database
• Symantec
  – Reports on malware trends
  – Database of malware
• The Art of Computer Virus Research and Defense by Peter Szor
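The static-analysis step "check the binary to understand whether it is an executable, e.g., PE" is a header walk, and the fields it exposes feed the heuristics on the earlier slides. The following is an added example, not from the original slides: it recognises a PE image from its bytes by checking the DOS header, following e_lfanew to the PE signature, decoding the COFF file header, the optional-header magic (PE32 vs PE32+) and the section table, and flags any section that is both writable and executable, a common static red flag. The sample header is constructed by hand for the demonstration; it is not a real binary and would not run.

```python
"""Static analysis: recognise a PE executable and read the header fields a
scanner inspects before it disassembles anything.

Added example, not from the original slides. The sample is constructed by hand.
Field layouts follow the PE/COFF specification (little-endian throughout).
"""
import struct

MACHINES = {0x014C: "x86", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return a dict of header facts, or None if `data` is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None                                  # no DOS header
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None                                  # MZ without a PE signature (plain DOS stub)
    (machine, n_sections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    info = {
        "machine": MACHINES.get(machine, f"unknown(0x{machine:04x})"),
        "timestamp": timestamp,
        "is_executable_image": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "format": "unknown",
        "sections": [],
        "rwx_sections": [],
    }
    opt_off = e_lfanew + 24                          # optional header follows the 20-byte COFF header
    if opt_size >= 2 and opt_off + 2 <= len(data):
        magic = struct.unpack_from("<H", data, opt_off)[0]
        info["format"] = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown")
    sec_off = opt_off + opt_size                     # section table: 40 bytes per entry
    for i in range(n_sections):
        off = sec_off + 40 * i
        if off + 40 > len(data):
            break                                    # truncated table: report what we have
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        (vsize, vaddr, raw_size, raw_ptr, _rel, _lin, _nrel, _nlin,
         flags) = struct.unpack_from("<IIIIIIHHI", data, off + 8)
        info["sections"].append({"name": name, "virtual_size": vsize,
                                 "virtual_address": vaddr, "raw_size": raw_size,
                                 "raw_pointer": raw_ptr, "flags": flags})
        if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
            info["rwx_sections"].append(name)       # self-modifying/unpacking code lives here
    return info


def build_sample():
    """Constructed minimal PE32 header with one writable+executable .text section."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, 1, 0x5F5E1000, 0, 0, 2,
                                   IMAGE_FILE_EXECUTABLE_IMAGE | 0x0100)
    opt = struct.pack("<H", 0x10B)                   # only the magic; SizeOfOptionalHeader = 2
    text = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x1000, 0x1000, 0x200, 0x200,
                                          0, 0, 0, 0, 0xE0000020)   # CODE|EXECUTE|READ|WRITE
    return dos + coff + opt + text


if __name__ == "__main__":
    print(parse_pe(build_sample()))
    print(parse_pe(b"#!/bin/sh\necho not a PE\n"))
```

A real scanner would go on to sanity-check the section table against the file size (raw pointers past end-of-file are a classic sign of a corrupted or deliberately malformed header) and to compare the timestamp with the file's signing information; both are cheap static checks that need no disassembly.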
Malware is a type of software designed to take over and/or damage
your computer's operating system. Once installed, it is often very
difficult to remove, and depending on the severity of the program
installed, its handiwork can range in degree from the slightly annoying
(such as unwanted pop-up ads), to irreparable damage requiring the
reformatting of the hard drive.
The most common types of malware include:
Virus - A parasitic program written intentionally to enter a
computer without the user's permission or knowledge. The word parasite is
used because a virus attaches to files or boot sectors and replicates
itself, thus continuing to spread. Though some viruses do little but
replicate, others cause serious damage or affect program and system
performance.
Worms - Similar to viruses but are stand-alone software and thus
do not require host files (or other types of host code) to spread
themselves. They do modify their host operating system, however, at
least to the extent that they are started as part of the boot process.
Wabbit - Self-replicating malware. Unlike viruses, a wabbit does not
infect host programs but repeatedly replicates itself on a local
computer until resources run out (the classic example is a fork bomb).
Trojan - Harmful software that is disguised as legitimate software.
Backdoor - Software that allows access to the computer system bypassing the normal authentication procedures
Spyware - Software that collects and sends information (such as
browsing patterns in the more benign cases or credit card numbers in
more malicious cases) about users or, more precisely, the results of
their computer activity
Key Logger - Software that copies a computer user's keystrokes to a file, which it may send to a hacker at a later time.
Rootkit - Software installed on a computer after an attacker has gained control of it, which modifies the operating system so that the attacker's files, processes and continued access stay hidden from the user and from security tools that rely on the operating system.
Exploit - Software that attacks a particular operating system or application security vulnerability.
Browser Hijacker - A program designed to alter a computer user's
browser settings (bookmarks, homepage, etc.). They can also produce
pop-up ads and, in the worst case, redirect your browser to undesirable
websites.
How does Malware Spread?
Apart from worms that exploit unpatched network services on their own, most
malware cannot spread unless you open or run an infected program. More often
than not, victims of malware have unwittingly brought the infection on
themselves, as malware is designed to take advantage of the carelessness of
those who do not take enough steps to secure their computers against attack.
Opening and running unknown e-mail or Instant Messaging (IM) attachments is the most common way to become infected.
Other common methods of spreading malware are:
Downloading infected files using Peer-to-Peer file sharing programs (e.g. Kazaa).
Downloading infected files from the web.
Putting an infected computer disk (floppy, CD, USB Memory stick, or DVD) into your computer.