					                               Chapter 7 - Malicious Software

                                              Dr. Daniel A. Ray
                                             (Stallings & Brown)



                                              October 7, 2009




Dr. Daniel A. Ray (Stallings & Brown)   ()   Chapter 7 - Malicious Software   October 7, 2009   1 / 17
  Outline




   1    Virus Countermeasures


   2    Advanced Antivirus Techniques


   3    Worms




  Antivirus Approaches




           Ideally, we would prevent all viruses – not a likely successful strategy
           Instead, try the following:
                  Detection - once infected, determine this and locate the virus
                  Identification - once detected, identify the particular virus
                  Removal - once identified, remove all traces of the virus from the
                  infected program and restore it to its original state; hunt down every
                  copy in the system (if identification or removal is impossible, then
                  discarding the infected file and reloading a clean backup is the other
                  option)




  Historical Perspective: Antivirus Software

           First Gen: Simple Scanners
                  requires a specific signature (byte pattern) for each virus; some also
                  record program lengths and flag files that change size
                  only works for known viruses
           Second Gen: Heuristic Scanners
                  uses heuristic rules to scan for probable virus activity
                  e.g. - look for code fragments commonly used by viruses (the decryption
                  loop of an encrypted virus, for instance)
                  or - use a checksum to do integrity checking for vulnerable files (an
                  encrypted hash, with the key stored apart from the program, defeats a
                  virus that recomputes the checksum after infecting the file)
           Third Gen: Activity Traps
                  rather than look for signatures (of which there are a wide variety), look
                  for virus-like activity (memory-resident programs that watch for the
                  small set of actions a virus must perform)
           Fourth Gen: Full-featured protection
                  packages combining all of the above, plus access control that limits a
                  virus's ability to penetrate the system and update files
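The second-generation integrity check above is easy to get wrong: a plain checksum or length record can be recomputed by the infector. The following is an added example (not from the slides or from Stallings & Brown) of the keyed-hash variant: the baseline stores an HMAC-SHA256 of each file under a key the infector never sees. File names, contents and the "infection" are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

# Added example (not from Stallings & Brown): a second-generation style integrity
# checker. The baseline stores a keyed hash (HMAC-SHA256) of every monitored file,
# computed with a key the infector never sees, so a virus that recomputes a plain
# checksum or CRC after infecting a file still cannot produce a valid record.


def file_tag(path, key):
    """Keyed hash of the file's contents; the secret key makes the tag unforgeable."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_baseline(paths, key):
    """Record size and tag for each file; run once on a known-clean system."""
    return {p: {"size": os.path.getsize(p), "tag": file_tag(p, key)} for p in paths}


def verify(baseline, key):
    """Compare the current files to the baseline: {path: 'ok'|'modified'|'missing'}."""
    report = {}
    for path, rec in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif hmac.compare_digest(file_tag(path, key), rec["tag"]):
            report[path] = "ok"
        else:
            # A size check alone would miss an infector that overwrites bytes in place,
            # which is why the keyed tag, not the length, is the decisive check.
            report[path] = "modified"
    return report


def demo():
    """Constructed scenario: three stand-in programs; one is infected, one deleted."""
    key = os.urandom(32)   # in practice kept off the monitored host (removable media)
    with tempfile.TemporaryDirectory() as d:
        names = ["prog_a.exe", "prog_b.exe", "prog_c.exe"]
        paths = [os.path.join(d, n) for n in names]
        for p in paths:
            with open(p, "wb") as fh:
                fh.write(b"MZ" + b"\x90" * 64)   # constructed stand-in for a clean binary
        baseline = build_baseline(paths, key)
        with open(paths[1], "r+b") as fh:         # overwriting infector: same size, new bytes
            fh.seek(2)
            fh.write(b"<viral code>")
        os.remove(paths[2])
        report = verify(baseline, key)
        return {os.path.basename(p): status for p, status in report.items()}
```

The infected file keeps its original length, so a length-only first-generation check would pass it; the keyed tag does not, and without the key the virus cannot write a fresh tag into the baseline. The baseline itself must of course be stored where the virus cannot rewrite it.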

  Generic Decryption


           Goal: allow anti-virus to detect even advanced polymorphic viruses
           while maintaining high scan speeds
           Polymorphic viruses must decrypt themselves to run: detect such
           structures by running executables through the GD scanner
           Generic Decryption (GD) Scanner components:
                  CPU emulator: a software-based virtual computer (the target runs in a
                  "sandbox" and cannot touch the real machine)
                  Virus signature scanner: scans the emulated memory for known signatures
                  Emulation control module: controls execution of the target code and
                  decides how long to interpret it before scanning
           Run the viruses, let them decrypt themselves in the sandbox; they cause no
           harm and reveal their plaintext bodies to the signature scanner
           Tradeoff: interpret too briefly and the body is still encrypted; too long and
           scan speed suffers (the control module sets this budget)
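The following added example (not from the slides, the textbook, or any real AV engine) shows the three GD components working together on a toy CPU. The "virus" is a decryptor stub plus an XOR-encrypted body; each copy gets a fresh key and random junk instructions, so the stored file never contains the known signature, while a bounded emulation run lets the body decrypt itself in sandbox memory where the scanner finds it. The instruction set, SIGNATURE and the sample layout are all constructed for this example.

```python
import random

# Added example (not from Stallings & Brown or any real AV engine): a toy generic
# decryption (GD) scanner. The "virus" is a decryptor stub plus an XOR-encrypted body
# for a small made-up CPU; each copy gets a fresh key and random junk NOPs, so a static
# signature scan of the file fails, while emulating the file decrypts the body in the
# sandbox memory, where the signature scanner then finds it. SIGNATURE, the opcodes and
# the sample layout are all constructed for this example.

SIGNATURE = b"VIRUS-BODY"   # the plaintext bytes the signature scanner knows

# opcodes of the toy CPU (one-byte operands; registers r0..r3; 8-bit addresses)
NOP, LOADI, XORM, INC, DEC, JNZ, HALT = 0x00, 0x10, 0x20, 0x30, 0x31, 0x40, 0xFF


def build_polymorphic_sample(seed):
    """Assemble one copy: random junk, random key, decryptor loop, encrypted body."""
    rng = random.Random(seed)
    key = rng.randrange(1, 256)

    def junk():
        return bytes([NOP]) * rng.randrange(0, 3)     # varies the stub's bytes

    head = (junk() + bytes([LOADI, 1, key]) +             # r1 = key
            junk() + bytes([LOADI, 2, len(SIGNATURE)]) +  # r2 = body length
            junk())
    mid = junk()
    loop_addr = len(head) + 3 + len(mid)                  # after "LOADI r0, body"
    body_addr = loop_addr + 10 + 1                        # loop (10 bytes) + HALT
    loop = bytes([XORM, 0, 1,            # mem[r0] ^= r1
                  INC, 0,                # r0 += 1
                  DEC, 2,                # r2 -= 1
                  JNZ, 2, loop_addr])    # repeat while r2 != 0
    stub = head + bytes([LOADI, 0, body_addr]) + mid + loop + bytes([HALT])
    return stub + bytes(b ^ key for b in SIGNATURE)


def static_scan(image):
    """First-generation scanner: look for the known pattern in the file as stored."""
    return SIGNATURE in image


def emulate_and_scan(image, max_steps=10_000, scan_every=16):
    """GD scanner: CPU emulator + emulation control (step budget) + signature scan."""
    mem, regs, pc = bytearray(image), [0, 0, 0, 0], 0
    for step in range(1, max_steps + 1):
        try:
            op = mem[pc]
            if op == NOP:
                pc += 1
            elif op == LOADI:
                regs[mem[pc + 1] & 3] = mem[pc + 2]
                pc += 3
            elif op == XORM:
                mem[regs[mem[pc + 1] & 3]] ^= regs[mem[pc + 2] & 3]
                pc += 3
            elif op in (INC, DEC):
                r = mem[pc + 1] & 3
                regs[r] = (regs[r] + (1 if op == INC else -1)) & 0xFF
                pc += 2
            elif op == JNZ:
                pc = mem[pc + 2] if regs[mem[pc + 1] & 3] else pc + 3
            else:
                break                        # HALT or unknown opcode: stop emulating
        except IndexError:
            break                            # fetch or store outside the image
        if step % scan_every == 0 and SIGNATURE in mem:
            return True                      # the body decrypted itself in the sandbox
    return SIGNATURE in mem                  # final scan when the budget or program ends
```

Every seed yields a different file (different key, different junk), so `static_scan` misses all of them; `emulate_and_scan` catches all of them because the decryptor has to produce the same plaintext regardless of how the stub is dressed up. The `max_steps` budget is the emulation control tradeoff from the slide: a real engine has to pick it so that typical decryptors finish without making scans unacceptably slow.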




  Digital Immune System
           Due to the Internet (integrated mail systems, mobile-program
           systems) it's difficult to keep anti-virus software ahead of the curve
           Enter the digital immune system: goal - provide a rapid automated
           response that stamps out new viruses quickly
   See Fig 7.4 on pg 229
     1 a heuristic-based monitor on each machine forwards a copy of any
       suspected infection to an administrative machine
     2 the administrative machine encrypts the sample and sends it to a
       central virus analysis machine
     3 the analysis machine runs the sample in a sandbox (emulation) and
       analyzes it automatically → produces a prescription for identifying and
       removing the virus
     4 the prescription is sent back to the administrative machine
     5 the administrative machine forwards the prescription to its clients
       (including the infected machine)
     6 subscribers around the world receive regular virus updates to protect
       them from newly identified threats
  Behavior-Blocking Software




      1    Integrates with the OS and monitors program behavior in real time
      2    Blocks potentially dangerous actions before they take effect
      3    Blocked actions can include: opening/modifying/deleting files,
           unrecoverable disk ops (formats, etc), modifying the logic of executables
           and macros, changing critical system settings (e.g. startup entries),
           scripting e-mail or IM clients to send executable content, initiating
           network connections
   Caveat: the code has to run on the target before its behavior can be judged,
   so a blocker may stop it only after some damage is done
   See Fig 7.5 – behavior-blocking software can work on either servers or on
   the desktop




  Worms


   Worm
   a program that can replicate itself and send copies from computer to
   computer across network connections.

           Worms, in addition to replication, will often carry some nefarious
           payload
           A worm, unlike a virus, actively seeks out more machines to infect
           rather than waiting for an infected host program to be carried to them
           First Worm: Xerox Palo Alto Research Center (PARC):
           non-malicious program seeking idle processing power
           Worms use network connectivity (particularly IP) to transfer from
           computer to computer



  Worms continued

           Network Vehicles include (but are not limited to):
                  Electronic mail facility: a worm mails a copy of itself to other systems
                  Remote execution capability: a worm executes a copy of itself on
                  another system either using explicit remote execution capabilities or by
                  leveraging a flaw in a network service
                  Remote login capability: a worm logs onto a remote system as a user and
                  then uses commands to copy itself from one system to the other
           Worms exhibit the same life-cycle as viruses (dormant, propagation,
           triggering, execution); the propagation phase is what changes:
                  Search for other systems to infect by examining host tables or the like
                  for remote system addresses
                  Establish a connection with a remote system
                  Copy itself to the remote system and trigger the copy
                  Note: Some worms may also attempt to determine if the remote
                  system is already infected before copying


  Worm Propagation Model


           a model that describes the spread of infection (# of infected hosts
           over the time since the worm was introduced)
           3 Apparent Phases
                  Slow Start Phase: few hosts are infected, so few copies are
                  scanning and new victims are found slowly
                  Fast Spread Phase: exponential growth can occur, since every new
                  victim joins the scanning and most targets are still uninfected
                  Slow Finish Phase: most vulnerable hosts are already infected, so
                  scans mostly hit already-infected or invulnerable addresses
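The three phases fall out of a simple random-scanning model, which the following added example (not from the slides or the textbook) simulates: every infected host sends a fixed number of probes per tick to uniformly random addresses, and a probe that lands on a still-clean vulnerable host infects it. Expected values are used rather than random draws, so the output is the mean S-curve. All parameters (address space, number of vulnerable hosts, scan rate) are illustrative and not measurements of any real worm.

```python
import math

# Added example (not from the slides): the random-scanning epidemic model behind the
# S-shaped propagation curve. Each infected host sends `scans_per_tick` probes to
# addresses chosen uniformly from an address space of `addr_space`; a probe that hits
# one of the `n_vuln` vulnerable, still-clean hosts infects it. Deterministic expected
# values are used, so the result is the mean curve, not one random run. Parameters are
# illustrative, not measurements of any real worm.


def simulate(n_vuln, addr_space, scans_per_tick, i0=1, max_ticks=100_000):
    """Return the expected number of infected hosts after each tick, until saturation."""
    curve = [float(i0)]
    while len(curve) < max_ticks and n_vuln - curve[-1] > 0.5:
        infected = curve[-1]
        # P(a given clean host is hit by at least one of the I*s probes this tick),
        # written with log1p/expm1 so it stays accurate for a tiny 1/addr_space.
        p_hit = -math.expm1(scans_per_tick * infected * math.log1p(-1.0 / addr_space))
        curve.append(infected + (n_vuln - infected) * p_hit)
    return curve


def phases(curve, n_vuln, low=0.10, high=0.90):
    """Split the curve into slow start (<10% infected), fast spread, slow finish (>90%)."""
    t_low = next(t for t, i in enumerate(curve) if i >= low * n_vuln)
    t_high = next(t for t, i in enumerate(curve) if i >= high * n_vuln)
    return {"slow_start": (0, t_low),
            "fast_spread": (t_low, t_high),
            "slow_finish": (t_high, len(curve) - 1)}


def peak_growth_tick(curve):
    """Tick with the most new infections; in this model it lands near half the hosts."""
    gains = [b - a for a, b in zip(curve, curve[1:])]
    return max(range(len(gains)), key=gains.__getitem__)


def demo(n_vuln=360_000, addr_space=2**32, scans_per_tick=100):
    """Illustrative parameters: 360k vulnerable hosts in IPv4, 100 probes/tick each."""
    curve = simulate(n_vuln, addr_space, scans_per_tick)
    ph = phases(curve, n_vuln)
    return {"ticks_to_saturation": len(curve) - 1,
            "phase_lengths": {k: b - a for k, (a, b) in ph.items()},
            "infected_at_peak_growth": curve[peak_growth_tick(curve)]}
```

With these parameters the middle phase (10% to 90% of hosts) is much shorter than either end: new infections per tick are proportional to (infected) x (still clean), which is small when either factor is small and peaks when about half the population is infected. Halving the scan rate or doubling the address space stretches the whole curve, which is what address-space size buys defenders and what "hit lists" from pre-scanning take away from them.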




  Recent Worm Attacks


           Code Red Worm – July 2001
                  exploits a vulnerability in Microsoft IIS – probes random IP addresses
                  to find hosts, spreads, and then activates for a DDoS attack
                  (consuming significant Internet capacity while active)
           SQL Slammer – early 2003
                  exploits a buffer overflow in MS SQL Server – compact and very fast,
                  infected 90% of vulnerable hosts in 10 minutes
           Mydoom – 2004
                  mass-mailing e-mail worm – installs a remote-access backdoor, replicated
                  up to 1000 times per minute, reportedly 100 million infected messages
                  in 36 hours
           Warezov family of worms – 2006
                  creates a Windows registry entry and sets itself to run every time
                  Windows starts
                  scans for e-mail addresses and sends itself in an e-mail message



  The State of Worm Technology

           Multiplatform: no longer limited to Windows; newer worms also target
           other popular platforms (e.g. UNIX variants)
           Multiexploit: not relying on just one way to attack a system (web servers,
           browsers, e-mail, file sharing, ...)
           Ultrafast spreading: pre-scan the Internet to build a hit list of
           vulnerable addresses before the worm is released
           Polymorphic: each copy has new code generated on the fly using
           functionally equivalent instructions and encryption, to evade signatures
           Metamorphic: beyond changing appearance, the worm carries a repertoire
           of behavior patterns and switches between them at different stages of
           propagation
           Transport vehicles: worms are ideal for spreading other attack tools
           (e.g. DDoS bots) because they compromise many systems quickly
           Zero-day exploits: a worm that exploits an unknown vulnerability
           (only discovered by the network community when the worm is
           launched)
           Mobile Phone Worms: communicate through Bluetooth or MMS,
           targets smart phones (CommWarrior – 2005)

  Worm Countermeasures



           Requirements:
                  Generality: handle a wide variety of worms
                  Timeliness: respond quickly so as to limit the number of infected
                  systems
                  Resiliency: be resistant to evasion techniques employed by attackers
                  Minimal DoS Costs: the countermeasure itself should cause only a
                  minimal reduction in capacity or service
                  Transparency: should not require modification to existing (legacy)
                  OSs, application software, or hardware
                  Global and Local Coverage: deal with attacks from both inside and
                  outside the local network
   Note: Generally a blending of anti-worm technologies is required to meet
   all of these requirements




  Countermeasure Approaches



           Signature-based worm scan filtering: generate a worm signature and use
           it to prevent worm scans from entering or leaving a network/host (can't
           catch a worm whose signature is not yet known)
           Filter-based worm containment: look at worm content rather than the scan
           pattern; checks traffic for worm code and blocks it
           Payload-classification-based: network-based techniques examine packets
           for worm-like payloads using anomaly detection (tuned to keep false
           positives/negatives low)
           Rate limiting: limit the rate of scan-like traffic from an infected host
           (e.g. connections to many new destinations per unit time)
           Rate halting: block all outgoing traffic from a host once a threshold on
           connection rate or destination diversity is exceeded
           Network-based Worm Defense: See Fig 7.8
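Rate limiting and rate halting both rest on the same observation: a scanning host contacts many new destinations in a short time, while a normal client talks to a few servers repeatedly. The following added example (not from the slides or the textbook) implements that decision logic over flow records; the log lines, hosts, window and thresholds are constructed for the demo.

```python
from collections import defaultdict

# Added example (not from Stallings & Brown): scan-rate detection over flow records,
# the decision logic behind "rate limiting" and "rate halting". An infected host that
# scans for targets contacts many distinct new destinations in a short window; a normal
# client talks to a handful of servers repeatedly. The flow lines below are constructed.

FLOW_LOG = """\
0  10.0.0.5  10.0.0.20:445
1  10.0.0.5  10.0.0.20:445
2  10.0.0.5  10.0.0.30:80
3  10.0.0.7  10.0.0.40:80
3  10.0.0.7  10.0.0.41:80
4  10.0.0.7  10.0.0.42:80
4  10.0.0.7  10.0.0.43:80
5  10.0.0.9  172.16.3.1:1434
5  10.0.0.9  172.16.3.2:1434
5  10.0.0.9  172.16.3.3:1434
6  10.0.0.9  172.16.3.4:1434
6  10.0.0.9  172.16.3.5:1434
6  10.0.0.9  172.16.3.6:1434
7  10.0.0.9  172.16.3.7:1434
7  10.0.0.9  172.16.3.8:1434
8  10.0.0.5  10.0.0.20:445
"""

LEVELS = ["allow", "rate_limit", "rate_halt"]   # ordered from least to most severe


def parse_flows(text):
    """(timestamp_seconds, src, dst, port) tuples from 'ts src dst:port' lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        flows.append((int(ts), src, dst, int(port)))
    return flows


def new_destinations_per_window(flows, window):
    """{(src, window_index): number of destinations src had never contacted before}.

    Counting *new* destinations rather than raw connections is what keeps a busy
    client hammering one file server from looking like a scanner."""
    seen = defaultdict(set)
    counts = defaultdict(int)
    for ts, src, dst, _port in sorted(flows):
        if dst not in seen[src]:
            seen[src].add(dst)
            counts[(src, ts // window)] += 1
    return counts


def decide(flows, window=5, limit=3, halt=6):
    """Per-source verdict. More than `limit` new destinations in a window -> rate_limit
    (delay/queue the host's further new connections); more than `halt` -> rate_halt
    (block all of its outbound traffic). The worst window decides the verdict."""
    verdict = {}
    for (src, _w), n in new_destinations_per_window(flows, window).items():
        level = "rate_halt" if n > halt else "rate_limit" if n > limit else "allow"
        if LEVELS.index(level) >= LEVELS.index(verdict.get(src, "allow")):
            verdict[src] = level
    return verdict
```

In the constructed log, 10.0.0.9 probes eight new hosts on 1434 within one 5-second window and is halted, 10.0.0.7 touches four new web servers and is only throttled, and 10.0.0.5 is left alone because it keeps returning to the same two servers. Thresholds like these have to be tuned per network segment: vulnerability scanners, mail relays and proxies legitimately fan out to many destinations, so exempt or whitelist them before turning halting on, or the countermeasure becomes the denial of service it was meant to prevent.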




  Review





				