Active Worms, Buffer Overflows, and BGP Attacks

Active Worms, Buffer Overflow Attacks, and BGP Attacks
CSE 4471: Information Security
Instructor: Adam C. Champion, Ph.D.
Course Coordinator: Prof. Dong Xuan
This lecture uses materials from U. of Washington [15], U. Central Florida [16], Clarkson U. [17], Princeton U. [19], and U. of Pennsylvania [20]. We gratefully acknowledge their contributions.

Outline
• Active Worms
• Buffer Overflow Attacks
• BGP Attacks

Active Worm vs. Virus
• Active worm – a program that propagates itself over a network, reproducing itself as it goes (no host program needed)
• Virus – a program that searches out other programs and infects them by embedding a copy of itself in them

Active Worm vs. DDoS
• Propagation
 – Active worm: from few hosts to many targets
 – DDoS: from many hosts to few targets
• Relationship
 – An active worm can be used for network reconnaissance and as preparation for a DDoS attack (the infected hosts become the attack sources)

Instances of Active Worms (1)
• Morris Worm (1988) [1]
 – First active worm; took down several thousand UNIX machines on the Internet
• Code Red v2 (2001) [2]
 – Targeted and spread via MS Windows IIS servers
 – Launched DDoS attacks on the White House and other IP addresses
• Nimda (2001; spread via email, IIS exploits, and open NetBIOS file shares) [3]
 – Targeted IIS servers; slowed down Internet traffic
• SQL Slammer (2003, UDP) [4]
 – Targeted MS SQL Server and Desktop Engine with a single UDP packet
 – Substantially slowed down Internet traffic
• MyDoom (2004–2009, TCP) [5]
 – Fastest-spreading email worm (by some estimates)
 – Launched DDoS attacks on SCO Group

Instances of Active Worms (2)
• Jan. 2007: Storm [6]
 – A malicious email attachment downloaded the malware
 – The infected machine joined a botnet
• Nov. 2008–Apr. 2009: Conficker [7]
 – Spread via a vulnerability in the Server service of MS Windows (MS08-067)
 – Also had a botnet component
• Jun.–Jul. 2009, Mar.–May 2010: Stuxnet [8–9]
 – Aim: destroy centrifuges at the Natanz nuclear facility in Iran
 – "Escaped" into the wild in 2010
• Aug. 2011: Morto [10]
 – Spread via Remote Desktop Protocol (guessing weak administrator passwords)
 – OSU Security shut down RDP to all OSU computers

How an Active Worm Spreads
• Autonomous: human interaction unnecessary
• Each infected machine repeats the cycle: (1) scan for candidate addresses, (2) probe the candidates for the vulnerable service, (3) transfer a copy of the worm from the infected machine to the newly compromised machine

Conficker Worm Spread
[Figure: Conficker worm spread by country; data normalized for each country. Source: [7]]

Scanning Strategies
• Random scanning – probes random addresses in the IP address space (Code Red v2)
• Hitlist scanning – probes addresses from an externally supplied list
• Topological scanning – uses information found on the compromised host, such as address books or known peers (email worms, Stuxnet)
• Local subnet scanning – preferentially scans targets that reside on the same subnet (Code Red v2, Nimda)

Techniques for Exploiting Vulnerabilities
• Morris Worm
 – fingerd (buffer overflow)
 – sendmail (bug in "debug mode")
 – rsh/rexec (guessed weak passwords)
• Code Red, Nimda, etc. (buffer overflows)
• Tricking users into opening malicious email attachments

Worm Exploit Techniques
• Case study: Conficker worm
 – Issues a malformed RPC request (TCP port 445) to the Server service on MS Windows systems
 – Exploits a buffer overflow on unpatched systems
 – Installs backdoor and bot software invisibly
 – Downloads an executable file from a server to update itself
• Workflow: see backup slides (1), (2)

Worm Behavior Modeling (1)
• The propagation model mirrors an epidemic:
 – V: total number of vulnerable nodes
 – N: size of the address space
 – i(t): fraction of the V vulnerable nodes that are infected at time t
 – r: an infected node's scanning speed (scans per unit time)

Worm Behavior Modeling (2)
• Multiply (*) by V·dt and collect terms; the quantities that appear are:
 – the total number of newly infected nodes
 – the total number of scans launched by infected nodes
 – the percentage of vulnerable, uninfected nodes

Modeling the Conficker Worm
• This model's predicted worm propagation is similar to Conficker's actual propagation: compare Conficker's observed curve ([7], Fig. 2) with the classical simple epidemic model curve a(t) of [8], Fig. 4, where k = βN and k = 1.8 is the value used in [31]
[Figures on the slide: Conficker's propagation (left) and the classical simple epidemic model (right), the latter plotting a(t) from 0 to 1 against time t from 0 to 40]
Figure 3: Observed Code Red propagation — number of deactivated hosts (from Caida.org)
Figure 4: Classical simple epidemic model (k = 1.8)
Sources: [7], Fig. 2; [8], Fig. 4

Text of [8] visible beneath the figure on the slide (Section 3, excerpt):

In the epidemiology area, both stochastic models and deterministic models exist for modeling the spreading of infectious diseases [1, 2, 3, 15]. Stochastic models are suitable for small-scale systems with simple virus dynamics; deterministic models are suitable for large-scale systems under the assumption of mass action, relying on the law of large numbers [2]. When we model Internet worm propagation, we consider a large-scale network with thousands to millions of computers. Thus we will only consider and use deterministic models in this paper. In this section, we introduce two classical deterministic epidemic models, which are the bases of our two-factor Internet worm model. We also point out their problems when we try to use them to model Internet worm propagation.

In epidemiology modeling, hosts that are vulnerable to being infected by a virus are called susceptible hosts; hosts that have been infected and can infect others are called infectious hosts; hosts that are immune or dead such that they can't be infected by the virus are called removed hosts, no matter whether they have been infected before or not. A host is called an infected host at time t if it has been infected by the virus before t, no matter whether it is still infectious or is removed [2] at time t. In this paper, we will use the same terminology for computer worm modeling.

3.1 Classical simple epidemic model
In the classical simple epidemic model, each host stays in one of two states: susceptible or infectious. The model assumes that once a host is infected by a virus, it will stay in the infectious state forever. Thus the state transition of any host can only be: susceptible → infectious [15]. The classical simple epidemic model for a finite population is
$$\frac{dJ(t)}{dt} = \beta J(t)\,[N - J(t)], \qquad (1)$$
where J(t) is the number of infected hosts at time t; N is the size of the population; and β is the infection rate. At the beginning, t = 0, J(0) hosts are infectious and the other N − J(0) hosts are all susceptible.
Let a(t) = J(t)/N be the fraction of the population that is infectious at time t. Dividing both sides of (1) by N² yields the equation used in [31]:
$$\frac{da(t)}{dt} = k\,a(t)\,[1 - a(t)], \qquad (2)$$
where k = βN. Using the same value k = 1.8 as used in [31], the dynamic curve of a(t) is plotted in Fig. 4.

Let S(t) = N − J(t) denote the number of susceptible hosts at time t. Replacing J(t) in (1) by N − S(t), we get
$$\frac{dS(t)}{dt} = -\beta S(t)\,[N - S(t)]. \qquad (3)$$
Equation (1) is identical to (3) except for a minus sign. Thus the curve in Fig. 4 will remain the same when we rotate it 180 degrees around the point (t_half, 0.5) where J(t_half) = S(t_half) = N/2. Fig. 4 and Eq. (2) show that at the beginning, when 1 − a(t) is roughly equal to 1, the number of infectious hosts increases nearly exponentially. The propagation rate begins to decrease when about 80% of all susceptible hosts have been infected.

Staniford et al. [31] presented a Code Red propagation model based on the data provided by Eichman [18] up to 21:00 UTC July 19th. The model captures the key behavior of the first half of the Code Red dynamics. It is essentially the classical simple epidemic model (1). We provide, in this paper, a more detailed analysis that accounts for two important factors involved in Code Red spreading. Part of our effort is to explain the evolution of Code Red spreading after the beginning phase of its propagation. Although the classical epidemic model can match the beginning phase of Code Red spreading, it can't explain the later part of Code Red propagation: during the last five hours from 20:00 to 00:00 UTC, the worm scans kept decreasing (Fig. 1). From the simple epidemic model (Fig. 4), the authors in [31] concluded that Code Red came to saturation around 19:00 UTC — almost all susceptible IIS servers online on July 19th had been infected around that time. The numerical solution of our model in Section 6, however, shows that only about 60% of all susceptible IIS servers online had been infected around 19:00 UTC on July 19th.

3.2 Classical general epidemic model: Kermack-McKendrick model
In the epidemiology area, the Kermack-McKendrick model considers the removal process of infectious hosts [15]. It assumes that during an epidemic of a contagious disease, some infectious hosts either recover or die; once a host recovers from the disease, it will be immune to the disease forever — the hosts are in the "removed" state after they recover or die from the disease. Thus each host stays in one of three states at any time: susceptible, infectious, removed. Any host in the

Practical Considerations
• This model assumes each machine moves through two states: vulnerable → infected
 – In reality, countermeasures slow worm infection
 • Infected machines can be "cleaned" (removed from the epidemic)
 • State: vulnerable → infected → removed
 – Attackers may limit or vary the worm's scan rate
 – Both complicate the mathematical model
 • Time-varying parameters are needed: number of removed hosts R(t), worm scan rate r(t)
 • The resulting differential equations are complex; they have no closed-form solution and must be solved numerically

Summary: Active Worms
• Worms can spread quickly: 359,000 hosts in under 14 hours (Code Red v2, July 19, 2001)
• Home / small business hosts play a significant role in global Internet health
 – No system administrator ⇒ slow response
 – Can't estimate infected machines by the number of unique IP addresses: the DHCP effect is apparently real and significant
• Active worm modeling

Outline
• Active Worms
• Buffer Overflow Attacks
• BGP Attacks

What is a Buffer Overflow?
• Intent
 – Arbitrary code execution: spawn a remote shell or infect with a worm/virus
 – Denial of service: cause the software to crash (e.g., the ping of death attack)
• Steps
 – Inject attack code into a buffer
 – Overflow the buffer so that the saved return address is overwritten
 – Redirect control flow to the attack code when the function returns
 – Execute the attack code

Attack Possibilities
• Targets
 – Stack, heap, static area
 – Parameter modification (non-pointer data)
 • Change parameters for an existing call to exec()
 • Change a privilege control variable
• Injected code vs.
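An added illustration of the non-pointer-data target listed above (editorial example code, not from the lecture): a fixed-size buffer placed beside a privilege control variable, with an unbounded copy next to a bounded one. The struct `session` and the functions `set_name_unsafe` and `set_name_safe` are hypothetical names, and the layout assumption (no padding between a 16-byte char array and the following int, little-endian host) is stated in the comments. The unbounded copy writes past `name` into `is_admin`, which is how one overflow changes a privilege flag without touching any pointer; the same write pattern past a local array on the stack is what reaches the saved return address in the steps above. The hardened version checks the destination size before copying and rejects oversized input instead of silently truncating it.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not the lecture's code). A fixed-size buffer sits beside a
 * privilege control variable, the "non-pointer data" target from the slide;
 * the struct and function names are hypothetical. */
struct session {
    char name[16];   /* filled from untrusted input */
    int  is_admin;   /* privilege control variable, adjacent in memory */
};

/* Vulnerable: copies until the terminating NUL, exactly like strcpy(). Input
 * longer than 15 bytes writes past `name`. With the usual layout (no padding
 * between a 16-byte char array and the following int) the 17th byte lands in
 * `is_admin`, so the attacker picks its value; past a local array on the
 * stack, the same write pattern reaches the saved return address. */
void set_name_unsafe(struct session *s, const char *src) {
    size_t i = 0;
    while (src[i] != '\0') {
        s->name[i] = src[i];
        i++;
    }
    s->name[i] = '\0';
}

/* Hardened: the destination size bounds the copy, and input that does not
 * fit is rejected rather than silently truncated, so the caller can log it
 * as an attack indicator. Returns 0 on success, -1 on rejection, leaving
 * the struct untouched. */
int set_name_safe(struct session *s, const char *src) {
    size_t len = strlen(src);
    if (len >= sizeof s->name) {       /* need room for the NUL */
        return -1;
    }
    memcpy(s->name, src, len + 1);     /* len + 1 <= sizeof s->name */
    return 0;
}

int main(void) {
    /* Constructed attack string: 16 'A's fill all of `name` (leaving no room
     * for a NUL), then "\x01" overwrites the low byte of `is_admin` on a
     * little-endian host. */
    const char *attack = "AAAAAAAAAAAAAAAA\x01";
    struct session a = { .name = "", .is_admin = 0 };
    struct session b = { .name = "", .is_admin = 0 };

    set_name_unsafe(&a, attack);
    printf("unsafe copy: is_admin = %d (attacker-controlled)\n", a.is_admin);

    int rc = set_name_safe(&b, attack);
    printf("safe copy:   rc = %d, is_admin = %d\n", rc, b.is_admin);
    return 0;
}
```

The exact bytes that land on `is_admin` depend on the compiler's layout, which is why real exploits first probe the target binary; the bounded version is correct regardless of layout because the check is against `sizeof s->name`, not against a hard-coded number.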