Desktop Security for Everyone

Total pages: 16

File type: pdf, size: 1020 KB

Desktop Security for Everyone
Tyler Farmer – [email protected]
Sr. Technology Specialist II, Education Solutions Group, Microsoft Corporation

Agenda
• State of the Industry today
• Viruses, Worms & Spies – oh my!
• How to Protect Yourself

State of the Industry Today

Threat Follows Value
The 1950s American bank robber Willie Sutton was asked why he robbed banks. He said he robbed banks because, “That’s where the money is.” Today, the money is in Cyberspace.
The Internet provides for criminals the two capabilities most required for the conduct of criminal activities: Anonymity & Mobility.

Do The Math
• SoBig virus spammed mail to over 100 million inboxes
• If 10% read the mail and clicked the link = 10 million people
• If 1% of people who went to the site signed up for a 3-day free trial = (100,000 people) x ($0.50) = $50,000
• If 1% of free trials sign up for 1 year = (1,000 people) x ($144/yr) = $144,000/yr

Opportunities Are Limitless
• Need Traffic? Buy it!
• Need A Family Business?

Situation: It is getting scary!
[Exploit Timeline figure: product ships → vulnerability discovered → component modified → patch released → patch deployed at customer site. Exploit code appears before the patch is deployed at the customer site, and most attacks occur in that gap. Why does this gap exist?]
Days From Patch to Exploit (days between patch and exploit)
• Nimda: 331
• SQL Slammer: 180
• Welchia/Nachi: 151
• Blaster: 25
The average is now nine days for a patch to be reverse-engineered. As this cycle keeps getting shorter, patching is a less effective defense in large organizations.

The Forensics of a Virus
• July 1 – Report: vulnerability reported to us / patch in progress / no exploit. Vulnerability in RPC/DCOM reported; MS activated highest level emergency response process.
• July 16 – Bulletin: bulletin & patch available. MS03-026 delivered to customers (7/16/03); MS heightened outreach efforts to get information to customers, partners, government agencies.
• July 25 – Exploit: exploit code in public. X-focus published exploit tool; continued outreach to analysts, press, community.
• Aug 11 – Worm: worm in the world. Blaster worm discovered; variants and other viruses hit simultaneously (i.e. “SoBig”).
Blaster shows the complex interplay between security researchers, software companies, and hackers.

Viruses, Worms & Spies

Virus
• Old “traditional” viruses usually require human interaction
• You have to save it, run it, share floppy disks, etc.
• E-mailing a program / document, without knowing it is infected
• Typically just attach themselves to programs & documents, and then depend on humans to propagate
• This is changing…

Worms
• Sub-class of Virus
• Replicated automatically without human help
• Example is e-mail address book attack
• Bogs down networks and Internet – think of a multi-level marketing company!
• Sasser, Blaster are examples
• Scary part – you don’t have to do anything but turn your computer on!

Trojan Horse
• Program that appears to be a “good” program, but isn’t
• Might do what it is supposed to, plus more!
• Some Spyware falls in this category

Spyware
• Defined as software that collects information about you. This might be OK, it might not
• Web page collecting anonymous “click” data
• Recording your bank # and password
• Many of these are not bad: you sign up for a music service, it gathers web site data, then sends you targeted advertisements that you might like
• Much of it is bad. Example: Toolbar programs
• Once the toolbar program is installed, it can collect anything it wants to.
• Record your keystrokes, then “phone home”
• Record websites, names & passwords
• Even if you remove them, they leave “bread crumbs” so that they re-install themselves
• Ever get pop-ups that constantly ask for you to click “OK” and won’t go away? This is Spyware or a virus of some sort

Phishing
• Not a virus, but ways to trick you into giving up personal information
• See http://www.antiphishing.org for a lot of examples
• Visible link: http://signin.ebay.com/aw-cgi/eBayISAPI.dll?Verify
• Called link: http://signin_ebay_com_account.rndsystems.co.kr:7308/ebay.htm

How It Spreads
• Virtually all worms and trojan horses, etc. are spread through e-mail
• One person gets it, they tell all their friends, they tell all their friends, etc.
• Ever seen “My Picture.jpg .exe”?
• Users get tricked into clicking OK

How to Protect Yourself

Practice Good Surfing Sense
• You know there are bad parts of town that you don’t go to
• The Internet is the same way – be wary!
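The two tricks on the Phishing and How It Spreads slides (a link whose visible text names one site while it really goes to another, and an attachment name padded so the real “.exe” is out of sight) are both mechanical enough for a mail gateway or a training tool to check. The script below is an added example written for this page, not code from the presentation or from Microsoft; the function names, the list of executable extensions, and the “last two labels” approximation of a domain are assumptions, and the sample anchor and file names are constructed (the link pair reproduces the slide’s eBay example).

```python
"""Defender-side checks for the two tricks described on the slides:
a displayed link that does not match its real target, and an attachment
name that hides an executable extension behind padding.  Added example;
function names and the extension list are assumptions, not from the deck."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample inputs.  The anchor reproduces the slide's phishing example:
# the visible text names signin.ebay.com, the href goes somewhere else entirely.
SAMPLE_ANCHOR = ('<a href="http://signin_ebay_com_account.rndsystems.co.kr:7308/ebay.htm">'
                 'http://signin.ebay.com/aw-cgi/eBayISAPI.dll?Verify</a>')
SAMPLE_NAMES = ["My Picture.jpg                 .exe", "report.pdf", "invoice.pdf.scr"]

# Extensions Windows will execute when double-clicked (assumed list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "bat", "com", "scr", "pif", "vbs", "js", "cmd"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element in a document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude owner-domain approximation: the last two labels of the host name.
    Assumption: no public-suffix list is available, so 'co.kr' style suffixes
    collapse; the mismatch check only needs the two sides to differ."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_mismatched_links(html):
    """Return (visible_host, actual_host) for each anchor whose visible text is
    itself a URL naming a different domain than the href really points to.
    Plain-word link text ('click here') cannot be compared and is not flagged."""
    parser = _AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.anchors:
        shown = urlsplit(text).hostname if "://" in text else None
        actual = urlsplit(href).hostname          # .hostname drops the :7308 port
        if shown and actual and registrable_domain(shown) != registrable_domain(actual):
            hits.append((shown, actual))
    return hits


def deceptive_filename(name):
    """Describe why an attachment name is suspicious, or return None.
    Flags a final executable extension and, when present, the harmless-looking
    'document' extension and whitespace padding that push it out of view,
    as in the slide's 'My Picture.jpg        .exe'."""
    stripped = name.strip()
    m = re.search(r"\.([A-Za-z0-9]+)$", stripped)
    if not m or m.group(1).lower() not in EXECUTABLE_EXTS:
        return None
    final_ext = m.group(1).lower()
    head = stripped[: m.start()]                    # everything before the real extension
    padded = bool(re.search(r"\s+$", head))         # whitespace right before the dot
    inner = re.search(r"\.([A-Za-z0-9]+)\s*$", head)
    if inner:
        reason = f"executable .{final_ext} hidden behind .{inner.group(1).lower()}"
        return reason + (" with padding" if padded else "")
    return f"executable attachment .{final_ext}"


if __name__ == "__main__":
    for shown, actual in find_mismatched_links(SAMPLE_ANCHOR):
        print(f"link text says {shown!r} but goes to {actual!r}")
    for n in SAMPLE_NAMES:
        print(f"{n!r}: {deceptive_filename(n)}")
```

Run on the constructed inputs, the link check reports that the text claims signin.ebay.com while the target is under rndsystems.co.kr, and the name check reports the padded “.exe” hidden behind “.jpg” and the “.scr” hidden behind “.pdf” while leaving “report.pdf” alone. The domain comparison is deliberately loose; with a public-suffix list it would be exact.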
#1 Rule
• Never download or open something if you don’t know what it is
• Even if you know the sender by name, check with them to see if they sent you something
• True company-based e-mails never send attachments
• Make sure the link actually goes to their site & not a spoofed one!
• Only download what you trust, and even then be wary!

Points to Ponder
• Have you ever received an e-mail telling you that you have a virus? You might, or might not…
• Your address could’ve been spoofed to someone else
• Could be a trick to get you to install some “anti-virus” or “patch” (which is really a virus itself!)

How to Get Secure, Stay Secure
• Step 1 – Don’t change Internet Explorer “Zone” settings below “Medium”
• Step 2 – Don’t take downloads from strangers. Only install what you trust; “free” music & file sharing programs are wide open doors for hackers
• Step 3 – Try to see if you have any issues already. Does your browser open to a new home page, or search page? Increase in advertisements & pop-ups? Computer seems sluggish?
• Step 4 – Get a detect & removal tool for spyware (Spybot Search & Destroy is good)
• Step 5 – Get some antivirus software (Norton, McAfee, etc.)
• Step 6 – Get a Firewall (Service Pack 2 or some other)
• Step 7 – Keep everything up-to-date! Windows Automatic Updates, anti-virus, spyware

What is Microsoft Doing to Help?
• Block HTML in e-mail by default
• .EXE, .BAT, etc. files are blocked
• Warnings when e-mail is sent automatically
• Behavior Blocking technologies
• Service Pack 2 on Windows XP: Firewall, pop-up blocker, others
• Working with Law Enforcement: Reward money – $250,000 for Sasser paid!

Resources
• General: http://www.microsoft.com/security
• Consumers: http://www.microsoft.com/protect
• IT Professionals: http://www.microsoft.com/technet/security
• Patch Management: http://www.microsoft.com/technet/security/topics/patch
• Info on Virus, Worms, etc.: http://www.microsoft.com/athome/security/viruses/virus101.mspx
• Info on Spyware: http://www.microsoft.com/athome/security/spyware/devioussoftware.mspx and http://www.microsoft.com/windowsxp/using/security/expert/honeycutt_spyware.mspx

Now for the Gentle Q&A…

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Recommended publications
  • Statistical Structures: Fingerprinting Malware for Classification and Analysis
  • A The Hacker
  • Protecting the Information Society: Exploring Corporate Decision Makers’ Attitudes towards Active Cyber Defence as an Online Deterrence Option
  • GQ: Practical Containment for Measuring Modern Malware Systems
  • Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone
  • Workaround for Welchia and Sasser Internet Worms in Kumamoto University
  • Shoot the Messenger: IM Worms (infectionvectors.com, June 2005)
  • The Blaster Worm: Then and Now
  • The Ecology of Malware
  • Emerging ICT Threats (FORWARD Consortium, Deliverable D3.1)
  • Behaviour-based Virus Analysis and Detection (PhD thesis)
  • Chapter 3: Viruses, Worms, and Blended Threats