151682582.Pdf

Total Page:16

File Type:pdf, Size:1020Kb

151682582.Pdf CYBER SECURITY ESSENTIALS CYBER SECURITY ESSENTIALS Edited by James Graham Richard Howard Ryan Olson Auerbach Publications Taylor & Francis Group 6000 Broken Sound Parkway NW, Suite 300 Boca Raton, FL 33487-2742 © 2011 by Taylor and Francis Group, LLC Auerbach Publications is an imprint of Taylor & Francis Group, an Informa business No claim to original U.S. Government works Printed in the United States of America on acid-free paper 10 9 8 7 6 5 4 3 2 1 International Standard Book Number-13: 978-1-4398-5126-5 (Ebook-PDF) This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint. Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information stor- age or retrieval system, without written permission from the publishers. For permission to photocopy or use material electronically from this work, please access www.copy- right.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that pro- vides licenses and registration for a variety of users. For organizations that have been granted a pho- tocopy license by the CCC, a separate system of payment has been arranged. Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe. Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the Auerbach Web site at http://www.auerbach-publications.com Contents A N ot e f ro m t h e e x e c u t i v e e d ito rs xi A b o u t t h e Au t h o rs xiii c o N t ri b u to rs xv c h A p t e r 1 C y b e r s e c u rit y fu N dA m e N tA l s 1 1.1 Network and Security Concepts 1 1.1.1 Information Assurance Fundamentals 1 1.1.1.1 Authentication 1 1.1.1.2 Authorization 2 1.1.1.3 Nonrepudiation 3 1.1.1.4 Confidentiality 3 1.1.1.5 Integrity 4 1.1.1.6 Availability 5 1.1.2 Basic Cryptography 6 1.1.3 Symmetric Encryption 11 1.1.3.1 Example of Simple Symmetric Encryption with Exclusive OR (XOR) 12 1.1.3.2 Improving upon Stream Ciphers with Block Ciphers 14 1.1.4 Public Key Encryption 16 1.1.5 The Domain Name System (DNS) 20 1.1.5.1 Security and the DNS 24 1.1.6 Firewalls 25 1.1.6.1 History Lesson 25 1.1.6.2 What’s in a Name? 25 1.1.6.3 Packet-Filtering Firewalls 27 © 2011 by Taylor & Francis Group, LLC v vi Contents 1.1.6.4 Stateful Firewalls 28 1.1.6.5 Application Gateway Firewalls 29 1.1.6.6 Conclusions 29 1.1.7 Virtualization 30 1.1.7.1 In the Beginning, There Was Blue … 31 1.1.7.2 The Virtualization Menu 31 1.1.7.3 Full Virtualization 33 1.1.7.4 Getting a Helping Hand from the Processor 34 1.1.7.5 If All Else Fails, Break It to Fix It 35 1.1.7.6 Use What You Have 35 1.1.7.7 Doing It the Hard Way 36 1.1.7.8 Biting the Hand That Feeds 37 1.1.7.9 Conclusion 38 1.1.8 Radio-Frequency Identification 38 1.1.8.1 Identify What? 39 1.1.8.2 Security and Privacy Concerns 41 1.2 Microsoft Windows Security Principles 43 1.2.1 Windows Tokens 43 1.2.1.1 Introduction 43 1.2.1.2 Concepts behind Windows Tokens 43 1.2.1.3 Access Control Lists 46 1.2.1.4 Conclusions 47 1.2.2 Window Messaging 48 1.2.2.1 Malicious Uses of Window Messages 49 1.2.2.2 Solving Problems with Window Messages 51 1.2.3 Windows Program Execution 51 1.2.3.1 Validation of Parameters 52 1.2.3.2 Load Image, Make Decisions 55 1.2.3.3 Creating the Process Object 56 1.2.3.4 Context Initialization 57 1.2.3.5 Windows Subsystem Post Initialization 58 1.2.3.6 Initial Thread … Go! 60 1.2.3.7 Down to the Final Steps 61 1.2.3.8 Exploiting Windows Execution for Fun and Profit 63 1.2.4 The Windows Firewall 64 References 70 c h A p t e r 2 At tAc k e r te c h N i q u e s an d m ot i vAt i o N s 75 2.1 How Hackers Cover Their Tracks (Antiforensics) 75 2.1.1 How and Why Attackers Use Proxies 75 © 2011 by Taylor & Francis Group, LLC Contents vii 2.1.1.1 Types of Proxies 76 2.1.1.2 Detecting the Use of Proxies 78 2.1.1.3 Conclusion 79 2.1.2 Tunneling Techniques 80 2.1.2.1 HTTP 81 2.1.2.2 DNS 83 2.1.2.3 ICMP 85 2.1.2.4 Intermediaries, Steganography, and Other Concepts 85 2.1.2.5 Detection and Prevention 86 2.2 Fraud Techniques 87 2.2.1 Phishing, Smishing, Vishing, and Mobile Malicious Code 87 2.2.1.1 Mobile Malicious Code 88 2.2.1.2 Phishing against Mobile Devices 89 2.2.1.3 Conclusions 91 2.2.2 Rogue Antivirus 92 2.2.2.1 Following the Money: Payments 95 2.2.2.2 Conclusion 95 2.2.3 Click Fraud 96 2.2.3.1 Pay-per-Click 97 2.2.3.2 Click Fraud Motivations 98 2.2.3.3 Click Fraud Tactics and Detection 99 2.2.3.4 Conclusions 101 2.3 Threat Infrastructure 102 2.3.1 Botnets 102 2.3.2 Fast-Flux 107 2.3.3 Advanced Fast-Flux 111 References 116 c h A p t e r 3 E x p lo itAt i o N 119 3.1 Techniques to Gain a Foothold 119 3.1.1 Shellcode 119 3.1.2 Integer Overflow Vulnerabilities 124 3.1.3 Stack-Based Buffer Overflows 128 3.1.3.1 Stacks upon Stacks 128 3.1.3.2 Crossing the Line 130 3.1.3.3 Protecting against Stack-Based Buffer Overflows 132 3.1.3.4 Addendum: Stack-Based Buffer Overflow Mitigation 132 3.1.4 Format String Vulnerabilities 133 3.1.5 SQL Injection 138 3.1.5.1 Protecting against SQL Injection 140 3.1.5.2 Conclusion 141 3.1.6 Malicious PDF Files 142 3.1.6.1 PDF File Format 143 © 2011 by Taylor & Francis Group, LLC viii Contents 3.1.6.2 Creating Malicious PDF Files 144 3.1.6.3 Reducing the Risks of Malicious PDF Files 145 3.1.6.4 Concluding Comments 147 3.1.7 Race Conditions 147 3.1.7.1 Examples of Race Conditions 148 3.1.7.2 Detecting and Preventing Race Conditions 151 3.1.7.3 Conclusion 152 3.1.8 Web Exploit Tools 152 3.1.8.1 Features for Hiding 153 3.1.8.2 Commercial Web Exploit Tools and Services 154 3.1.8.3 Updates, Statistics, and Administration 157 3.1.8.4 Proliferation of Web Exploit Tools Despite Protections 158 3.1.9 DoS Conditions 159 3.1.10 Brute Force and Dictionary Attacks 164 3.1.10.1 Attack 168 3.2 Misdirection, Reconnaissance, and Disruption Methods 171 3.2.1 Cross-Site Scripting (XSS) 171 3.2.2 Social Engineering 176 3.2.3 WarXing 182 3.2.4 DNS Amplification Attacks 186 3.2.4.1 Defeating Amplification 190 References 191 c h A p t e r 4 M A li c i o u s c o d e 195 4.1 Self-Replicating Malicious Code 195 4.1.1 Worms 195 4.1.2 Viruses 198 4.2 Evading Detection and Elevating Privileges 203 4.2.1 Obfuscation 203 4.2.2 Virtual Machine Obfuscation 208 4.2.3 Persistent Software Techniques 213 4.2.3.1 Basic Input–Output System (BIOS)/Complementary Metal- Oxide Semiconductor (CMOS) and Master Boot Record (MBR) Malicious Code 213 4.2.3.2 Hypervisors 214 4.2.3.3 Legacy Text Files 214 4.2.3.4 Autostart Registry Entries 215 4.2.3.5 Start Menu “Startup” Folder 217 4.2.3.6 Detecting Autostart Entries 217 © 2011 by Taylor & Francis Group, LLC Contents ix 4.2.4 Rootkits 219 4.2.4.1 User Mode Rootkits 219 4.2.4.2 Kernel Mode Rootkits 221 4.2.4.3 Conclusion 223 4.2.5 Spyware 223 4.2.6 Attacks against Privileged User Accounts and Escalation of Privileges 227 4.2.6.1 Many Users Already Have Administrator Permissions 228 4.2.6.2 Getting Administrator Permissions 229 4.2.6.3 Conclusion 230 4.2.7 Token Kidnapping 232 4.2.8 Virtual Machine Detection 236 4.2.8.1 Fingerprints Everywhere! 237 4.2.8.2 Understanding the Rules of the Neighborhood 238 4.2.8.3 Detecting Communication with the Outside World 240 4.2.8.4 Putting It All Together 241 4.2.8.5 The New Hope 243 4.2.8.6 Conclusion 243 4.3 Stealing Information and Exploitation 243 4.3.1 Form Grabbing 243 4.3.2 Man-in-the-Middle Attacks 248 4.3.2.1 Detecting and Preventing MITM Attacks 251 4.2.3.2 Conclusion 252 4.3.3 DLL Injection 253 4.3.3.1 Windows Registry DLL Injection 254 4.3.3.2 Injecting Applications 256 4.3.3.3 Reflective DLL Injections 258 4.3.3.4 Conclusion 259 4.3.4 Browser Helper Objects 260 4.3.4.1 Security Implications 261 References 264 c h A p t e r 5 D e f e N s e an d A na lys i s te c h N i q u e s 267 5.1 Memory Forensics 267 5.1.1 Why Memory Forensics Is Important 267 5.1.2 Capabilities of Memory Forensics 268 5.1.3 Memory Analysis Frameworks 268 5.1.4 Dumping Physical Memory 270 5.1.5 Installing and Using Volatility 270 5.1.6 Finding Hidden Processes 272 5.1.7 Volatility Analyst Pack 275 5.1.8 Conclusion 275 © 2011 by Taylor & Francis Group, LLC x Contents 5.2 Honeypots 275 5.3 Malicious Code Naming 281 5.3.1 Concluding Comments 285 5.4 Automated Malicious Code Analysis Systems 286 5.4.1 Passive Analysis 287 5.4.2 Active Analysis 290 5.4.3 Physical or Virtual Machines 291 5.5 Intrusion Detection Systems 294 References 301 c h A p t e r 6 i d e f e N s e s p e c i A l fi l e iN v e s t i g At i o N to o l s 305 © 2011 by Taylor & Francis Group, LLC A Note from the Executive Editors This is not your typical security book.
Recommended publications
  • Differential Fuzzing the Webassembly
    Master’s Programme in Security and Cloud Computing Differential Fuzzing the WebAssembly Master’s Thesis Gilang Mentari Hamidy MASTER’S THESIS Aalto University - EURECOM MASTER’STHESIS 2020 Differential Fuzzing the WebAssembly Fuzzing Différentiel le WebAssembly Gilang Mentari Hamidy This thesis is a public document and does not contain any confidential information. Cette thèse est un document public et ne contient aucun information confidentielle. Thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in Technology. Antibes, 27 July 2020 Supervisor: Prof. Davide Balzarotti, EURECOM Co-Supervisor: Prof. Jan-Erik Ekberg, Aalto University Copyright © 2020 Gilang Mentari Hamidy Aalto University - School of Science EURECOM Master’s Programme in Security and Cloud Computing Abstract Author Gilang Mentari Hamidy Title Differential Fuzzing the WebAssembly School School of Science Degree programme Master of Science Major Security and Cloud Computing (SECCLO) Code SCI3084 Supervisor Prof. Davide Balzarotti, EURECOM Prof. Jan-Erik Ekberg, Aalto University Level Master’s thesis Date 27 July 2020 Pages 133 Language English Abstract WebAssembly, colloquially known as Wasm, is a specification for an intermediate representation that is suitable for the web environment, particularly in the client-side. It provides a machine abstraction and hardware-agnostic instruction sets, where a high-level programming language can target the compilation to the Wasm instead of specific hardware architecture. The JavaScript engine implements the Wasm specification and recompiles the Wasm instruction to the target machine instruction where the program is executed. Technically, Wasm is similar to a popular virtual machine bytecode, such as Java Virtual Machine (JVM) or Microsoft Intermediate Language (MSIL).
    [Show full text]
  • Rich Media Web Application Development I Week 1 Developing Rich Media Apps Today’S Topics
    IGME-330 Rich Media Web Application Development I Week 1 Developing Rich Media Apps Today’s topics • Tools we’ll use – what’s the IDE we’ll be using? (hint: none) • This class is about “Rich Media” – we’ll need a “Rich client” – what’s that? • Rich media Plug-ins v. Native browser support for rich media • Who’s in charge of the HTML5 browser API? (hint: no one!) • Where did HTML5 come from? • What are the capabilities of an HTML5 browser? • Browser layout engines • JavaScript Engines Tools we’ll use • Browsers: • Google Chrome - assignments will be graded on Chrome • Safari • Firefox • Text Editor of your choice – no IDE necessary • Adobe Brackets (available in the labs) • Notepad++ on Windows (available in the labs) • BBEdit or TextWrangler on Mac • Others: Atom, Sublime • Documentation: • https://developer.mozilla.org/en-US/docs/Web/API/Document_Object_Model • https://developer.mozilla.org/en-US/docs/Web/API/Canvas_API/Tutorial • https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide What is a “Rich Client” • A traditional “web 1.0” application needs to refresh the entire page if there is even the smallest change to it. • A “rich client” application can update just part of the page without having to reload the entire page. This makes it act like a desktop application - see Gmail, Flickr, Facebook, ... Rich Client programming in a web browser • Two choices: • Use a plug-in like Flash, Silverlight, Java, or ActiveX • Use the built-in JavaScript functionality of modern web browsers to access the native DOM (Document Object Model) of HTML5 compliant web browsers.
    [Show full text]
  • Flash Player and Linux
    Flash Player and Linux Ed Costello Engineering Manager Adobe Flash Player Tinic Uro Sr. Software Engineer Adobe Flash Player 2007 Adobe Systems Incorporated. All Rights Reserved. Overview . History and Evolution of Flash Player . Flash Player 9 and Linux . On the Horizon 2 2007 Adobe Systems Incorporated. All Rights Reserved. Flash on the Web: Yesterday 3 2006 Adobe Systems Incorporated. All Rights Reserved. Flash on the Web: Today 4 2006 Adobe Systems Incorporated. All Rights Reserved. A Brief History of Flash Player Flash Flash Flash Flash Linux Player 5 Player 6 Player 7 Player 9 Feb 2001 Dec 2002 May 2004 Jan 2007 Win/ Flash Flash Flash Flash Flash Flash Flash Mac Player 3 Player 4 Player 5 Player 6 Player 7 Player 8 Player 9 Sep 1998 Jun 1999 Aug 2000 Mar 2002 Sep 2003 Aug 2005 Jun 2006 … Vector Animation Interactivity “RIAs” Developers Expressive Performance & Video & Standards Simple Actions, ActionScript Components, ActionScript Filters, ActionScript 3.0, Movie Clips, 1.0 Video (H.263) 2.0 Blend Modes, New virtual Motion Tween, (ECMAScript High-!delity machine MP3 ed. 3), text, Streaming Video (ON2) video 5 2007 Adobe Systems Incorporated. All Rights Reserved. Widest Reach . Ubiquitous, cross-platform, rich media and rich internet application runtime . Installed on 98% of internet- connected desktops1 . Consistently reaches 80% penetration within 12 months of release2 . Flash Player 9 reached 80%+ penetration in <9 months . YUM-savvy updater to support rapid/consistent Linux penetration 1. Source: Millward-Brown September 2006. Mature Market data. 2. Source: NPD plug-in penetration study 6 2007 Adobe Systems Incorporated. All Rights Reserved.
    [Show full text]
  • The Botnet Chronicles a Journey to Infamy
    The Botnet Chronicles A Journey to Infamy Trend Micro, Incorporated Rik Ferguson Senior Security Advisor A Trend Micro White Paper I November 2010 The Botnet Chronicles A Journey to Infamy CONTENTS A Prelude to Evolution ....................................................................................................................4 The Botnet Saga Begins .................................................................................................................5 The Birth of Organized Crime .........................................................................................................7 The Security War Rages On ........................................................................................................... 8 Lost in the White Noise................................................................................................................. 10 Where Do We Go from Here? .......................................................................................................... 11 References ...................................................................................................................................... 12 2 WHITE PAPER I THE BOTNET CHRONICLES: A JOURNEY TO INFAMY The Botnet Chronicles A Journey to Infamy The botnet time line below shows a rundown of the botnets discussed in this white paper. Clicking each botnet’s name in blue will bring you to the page where it is described in more detail. To go back to the time line below from each page, click the ~ at the end of the section. 3 WHITE
    [Show full text]
  • Behavioural Analysis of Tracing JIT Compiler Embedded in the Methodical Accelerator Design Software
    Scuola Politecnica e delle Scienze di Base Corso di Laurea Magistrale in Ingegneria Informatica Tesi di laurea magistrale in Calcolatori Elettronici II Behavioural Analysis of Tracing JIT Compiler Embedded in the Methodical Accelerator Design Software Anno Accademico 2018/2019 CERN-THESIS-2019-152 //2019 relatori Ch.mo prof. Nicola Mazzocca Ch.mo prof. Pasquale Arpaia correlatore Ing. Laurent Deniau PhD candidato Dario d’Andrea matr. M63000695 Acknowledgements Firstly, I would like to thank my supervisor at CERN, Laurent Deniau, for his daily support and his useful suggestions throughout the work described in this thesis. I would like to express my gratitude to both my university supervisors, Nicola Mazzocca and Pasquale Arpaia, for their helpfulness during this work and for their support during the past years at university. I feel privileged of being allowed to work with such inspiring mentors. This thesis would not have been possible without the help from the community of the LuaJIT project including all the useful insights contained in its mailing list, specially by its author, Mike Pall, who worked for many years accomplishing an amazing job. A special acknowledgement should be addressed to my family. I thank my father Guido and my mother Leda who guided me with love during my education and my life. I am grateful to my brother Fabio, my grandmother Tina, and my uncle Nicola, for their support during the past years. I also want to remember my uncle Bruno who inspired me for my academic career. I wish to express my deepest gratitude to Alicia for her unconditional encour- agement.
    [Show full text]
  • Technical White Paper: Running Applications Under
    Technical White Paper: Running Applications Under CrossOver: An Analysis of Security Risks Running Applications Under CrossOver: An Analysis of Security Risks Wine, Viruses, and Methods of Achieving Security Overview: Wine is a Windows compatibility technology that allows a wide variety of Windows Running Windows software to run as-if-natively on Unix-based software via CrossOver operating systems like Linux and Mac OS X. From a theoretical standpoint, Wine should is, on average, much safer also enable malware and viruses to run, thereby than running them under (unfortunately) exposing Wine users to these same Windows hazards. However, CrossOver (based on Wine) also incorporates security features that bring this risk down to almost zero. This White Paper examines the reasons behind the enhanced safety that CrossOver provides. With the increasing popularity of running Windows software on Linux and Mac OS X via compatibility solutions such as Wine, VMWare, and Parallels, users have been able to enjoy a degree of computing freedom heretofore unseen. Yet with that freedom has come peril. As many VMWare and Parallels users have discovered, running applications like Outlook and IE under those PC emulation solutions also opens up their machine to the same viruses and malware they faced under Windows. Indeed, one of the first things any VMWare or Parallels customer should do upon is install a commercial anti-virus package. Failure to do so can result in a host of dire consequences for their Windows partition, just as it would if they were running a Windows PC. Not surprisingly, a question we sometimes hear is whether or not Wine exposes users to the same level of risk.
    [Show full text]
  • Mozilla Source Tree Docs Release 50.0A1
    Mozilla Source Tree Docs Release 50.0a1 August 02, 2016 Contents 1 SSL Error Reporting 1 2 Firefox 3 3 Telemetry Experiments 11 4 Build System 17 5 WebIDL 83 6 Graphics 85 7 Firefox for Android 87 8 Indices and tables 99 9 Localization 101 10 mach 105 11 CloudSync 113 12 TaskCluster Task-Graph Generation 119 13 Crash Manager 133 14 Telemetry 137 15 Crash Reporter 207 16 Supbrocess Module 211 17 Toolkit modules 215 18 Add-on Manager 221 19 Linting 227 20 Indices and tables 233 21 Mozilla ESLint Plugin 235 i 22 Python Packages 239 23 Managing Documentation 375 24 Indices and tables 377 Python Module Index 379 ii CHAPTER 1 SSL Error Reporting With the introduction of HPKP, it becomes useful to be able to capture data on pin violations. SSL Error Reporting is an opt-in mechanism to allow users to send data on such violations to mozilla. 1.1 Payload Format An example report: { "hostname":"example.com", "port":443, "timestamp":1413490449, "errorCode":-16384, "failedCertChain":[ ], "userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0", "version":1, "build":"20141022164419", "product":"Firefox", "channel":"default" } Where the data represents the following: “hostname” The name of the host the connection was being made to. “port” The TCP port the connection was being made to. “timestamp” The (local) time at which the report was generated. Seconds since 1 Jan 1970, UTC. “errorCode” The error code. This is the error code from certificate veri- fication. Here’s a small list of the most commonly-encountered errors: https://wiki.mozilla.org/SecurityEngineering/x509Certs#Error_Codes_in_Firefox In theory many of the errors from sslerr.h, secerr.h, and pkixnss.h could be encountered.
    [Show full text]
  • An Analysis of the Asprox Botnet
    An Analysis of the Asprox Botnet Ravishankar Borgaonkar Technical University of Berlin Email: [email protected] Abstract—The presence of large pools of compromised com- motives. Exploitable vulnerabilities may exist in the Internet puters, also known as botnets, or zombie armies, represents a infrastructure, in the clients and servers, in the people, and in very serious threat to Internet security. This paper describes the way money is controlled and transferred from the Internet the architecture of a contemporary advanced bot commonly known as Asprox. Asprox is a type of malware that combines into traditional cash. Many security firms and researchers are the two threat vectors of forming a botnet and of generating working on developing new methods to fight botnets and to SQL injection attacks. The main features of the Asprox botnet mitigate against threats from botnets [7], [8], [9]. are the use of centralized command and control structure, HTTP based communication, use of advanced double fast-flux service Unfortunately, there are still many questions that need to networks, use of SQL injection attacks for recruiting new bots be addressed to find effective ways of protecting against the and social engineering tricks to spread malware binaries. The threats from botnets. In order to fight against botnets in future, objective of this paper is to contribute to a deeper understanding of Asprox in particular and a better understanding of modern it is not enough to study the botnets of past. Botnets are botnet designs in general. This knowledge can be used to develop constantly evolving, and we need to understand the design more effective methods for detecting botnets, and stopping the and structure of the emerging advanced botnets.
    [Show full text]
  • Windows Legacy Application Support Under Wine
    White Paper: Windows Legacy Application Support Under Wine Windows Legacy Application Support Under Wine Windows Legacy Application Support Under Wine Overview: With the constant pressure from Microsoft to migrate to newer versions of Windows, many users are left with unpalatable options for running their older applications. Wine Wine offers a viable offers a viable, inexpensive alternative for keeping alternative for keeping these legacy applications functioning in perpetuity. legacy Windows apps It is a truism that the needs of customers and vendors are often at running in perpetuity. cross-purposes. Nowhere has this been more vividly demonstrated than in the forced upgrade cycles of the Microsoft Windows platform, which have completely reversed the leverage customers normally wield over their suppliers. In many cases, end-users have seen little utility in switching to newer versions of Windows, but have been left with essentially zero choice in the matter. Forced OS upgrades have, in turn, forced the migration of many legacy applications. These older Windows programs—which in many cases are still perfectly functional—must either be redeveloped for a newer Windows platform, or replaced. This places yet another cost on top of the cost of the OS upgrade. However, this cycle, which once appeared unbreakable, now seems to be weakening. For one thing, Windows is no longer as dominant as it once was on the desktop. The rise of both Mac OS X and Linux have begun eating into the monopolistic power of Microsoft to dictate these cycles. Second is the fact that users now have a realistic alternative The MS OS forced- for running their legacy apps.
    [Show full text]
  • C&C Botnet Detection Over
    C&C Botnet Detection over SSL Riccardo Bortolameotti University of Twente - EIT ICT Labs masterschool [email protected] Dedicated to my parents Remo and Chiara, and to my sister Anna 2 Abstract Nowadays botnets are playing an important role in the panorama of cyber- crime. These cyber weapons are used to perform malicious activities such fi- nancial frauds, cyber-espionage, etc... using infected computers. This threat can be mitigated by detecting C&C channels on the network. In literature many solutions have been proposed. However, botnet are becoming more and more complex, and currently they are trying to move towards encrypted solutions. In this work, we have designed, implemented and validated a method to detect botnet C&C communication channels over SSL, the se- curity protocol standard de-facto. We provide a set of SSL features that can be used to detect malicious connections. Using our features, the results indicate that we are able to detect, what we believe to be, a botnet and ma- licious connections. Our system can also be considered privacy-preserving and lightweight, because the payload is not analyzed and the portion of an- alyzed traffic is very small. Our analysis also indicates that 0.6% of the SSL connections were broken. Limitations of the system, its applications and possible future works are also discussed. 3 4 Contents 1 Introduction 7 1.1 Problem Statement . .9 1.2 Research questions . 10 1.2.1 Layout of the thesis . 11 2 State of the Art 13 2.1 Preliminary concepts . 13 2.1.1 FFSN .
    [Show full text]
  • Comparing Javascript Engines
    Comparing Javascript Engines Xiang Pan, Shaker Islam, Connor Schnaith Background: Drive-by Downloads 1. Visiting a malicious website 2. Executing malicious javascript 3. Spraying the heap 4. Exploiting a certain vulnerability 5. Downloading malware 6. Executing malware Background: Drive-by Downloads 1. Visiting a malicious website 2. Executing malicious javascript 3. Spraying the heap 4. Exploiting a certain vulnerability 5. Downloading malware 6. Executing malware Background: Drive-by Downloads Background: Drive-by Downloads Setup: Making the prototype null while in the prototype creates a pointer to something random in the heap. Background: Drive-by Downloads Environment: gc( ) is a function call specific to Firefox, so the attacker would want to spray the heap with an exploit specific to firefox. Background: Drive-by Downloads Obfuscation: If the browser executing the javascript it firefox,the code will proceed to the return statement. Any other browser will exit with an error due to an unrecognized call to gc( ). Background: Drive-by Downloads Download: The return will be to a random location in the heap and due to heap-spraying it will cause shell code to be executed. Background: Goal of Our Project ● The goal is to decode obfuscated scripts by triggering javascript events ● The problem is when triggering events, some errors, resulting from disparity of different engines or some other reasons, may occur and terminate the progress ● We need to find ways to eliminate the errors and Ex 1therefore generate more de-obfuscated scripts <script> function f(){ //some codes gc(); var x=unescape(‘%u4149%u1982%u90 […]’)); eval(x); } </script> Ex 2 <script type="text/javascript" src="/includes/jquery/jquery.js"></script> Project Overview - Part One ● Modify WebKit engine so that it can generate error informations.
    [Show full text]
  • Zerohack Zer0pwn Youranonnews Yevgeniy Anikin Yes Men
    Zerohack Zer0Pwn YourAnonNews Yevgeniy Anikin Yes Men YamaTough Xtreme x-Leader xenu xen0nymous www.oem.com.mx www.nytimes.com/pages/world/asia/index.html www.informador.com.mx www.futuregov.asia www.cronica.com.mx www.asiapacificsecuritymagazine.com Worm Wolfy Withdrawal* WillyFoReal Wikileaks IRC 88.80.16.13/9999 IRC Channel WikiLeaks WiiSpellWhy whitekidney Wells Fargo weed WallRoad w0rmware Vulnerability Vladislav Khorokhorin Visa Inc. Virus Virgin Islands "Viewpointe Archive Services, LLC" Versability Verizon Venezuela Vegas Vatican City USB US Trust US Bankcorp Uruguay Uran0n unusedcrayon United Kingdom UnicormCr3w unfittoprint unelected.org UndisclosedAnon Ukraine UGNazi ua_musti_1905 U.S. Bankcorp TYLER Turkey trosec113 Trojan Horse Trojan Trivette TriCk Tribalzer0 Transnistria transaction Traitor traffic court Tradecraft Trade Secrets "Total System Services, Inc." Topiary Top Secret Tom Stracener TibitXimer Thumb Drive Thomson Reuters TheWikiBoat thepeoplescause the_infecti0n The Unknowns The UnderTaker The Syrian electronic army The Jokerhack Thailand ThaCosmo th3j35t3r testeux1 TEST Telecomix TehWongZ Teddy Bigglesworth TeaMp0isoN TeamHav0k Team Ghost Shell Team Digi7al tdl4 taxes TARP tango down Tampa Tammy Shapiro Taiwan Tabu T0x1c t0wN T.A.R.P. Syrian Electronic Army syndiv Symantec Corporation Switzerland Swingers Club SWIFT Sweden Swan SwaggSec Swagg Security "SunGard Data Systems, Inc." Stuxnet Stringer Streamroller Stole* Sterlok SteelAnne st0rm SQLi Spyware Spying Spydevilz Spy Camera Sposed Spook Spoofing Splendide
    [Show full text]