AVOIDIT: a Cyber Attack Taxonomy
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Cyber Threat Metrics
SANDIA REPORT SAND2012-2427 Unlimited Release Printed March 2012 Cyber Threat Metrics Mark Mateski, Cassandra M. Trevino, Cynthia K. Veitch, John Michalski, J. Mark Harris, Scott Maruoka, Jason Frye Prepared by Sandia National Laboratories Albuquerque, New Mexico 87185 Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of Lockheed Martin Corporation, for the U.S. Department of Energy's National Nuclear Security Administration under contract DE-AC04-94AL85000. Approved for public release; further dissemination unlimited Issued by Sandia National Laboratories, operated for the United States Department of Energy by Sandia Corporation. NOTICE: This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government, nor any agency thereof, nor any of their employees, nor any of their contractors, subcontractors, or their employees, make any warranty, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represent that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government, any agency thereof, or any of their contractors or subcontractors. The views and opinions expressed herein do not necessarily state or reflect those of the United States Government, any agency thereof, or any of their contractors. Printed in the United States of America. This report has been reproduced from the best available copy. -
Containing Conficker to Tame a Malware
#5###4#(#%#5#6#%#5#&###,#'#(#7#5#+###9##:65#,-;/< Know Your Enemy: Containing Conficker To Tame A Malware The Honeynet Project http://honeynet.org Felix Leder, Tillmann Werner Last Modified: 30th March 2009 (rev1) The Conficker worm has infected several million computers since it first started spreading in late 2008 but attempts to mitigate Conficker have not yet proved very successful. In this paper we present several potential methods to repel Conficker. The approaches presented take advantage of the way Conficker patches infected systems, which can be used to remotely detect a compromised system. Furthermore, we demonstrate various methods to detect and remove Conficker locally and a potential vaccination tool is presented. Finally, the domain name generation mechanism for all three Conficker variants is discussed in detail and an overview of the potential for upcoming domain collisions in version .C is provided. Tools for all the ideas presented here are freely available for download from [9], including source code. !"#$%&'()*+&$(% The big years of wide-area network spreading worms were 2003 and 2004, the years of Blaster [1] and Sasser [2]. About four years later, in late 2008, we witnessed a similar worm that exploits the MS08-067 server service vulnerability in Windows [3]: Conficker. Like its forerunners, Conficker exploits a stack corruption vulnerability to introduce and execute shellcode on affected Windows systems, download a copy of itself, infect the host and continue spreading. SRI has published an excellent and detailed analysis of the malware [4]. The scope of this paper is different: we propose ideas on how to identify, mitigate and remove Conficker bots. -
Techniques of Adware and Spyware
Techniques of Techniques and Adware Spyware Eric Chien SecuritySymantec Response From theauthor. proceedingsthe of permission with Used of the VB2005 Conference. WHITE PAPER: SYMANTEC SECURITY RESPONSE White Paper: Symantec Security Response Techniques of Adware and Spyware Contents Abstract.......................................................................................................................................6 Background................................................................................................................................. 6 Delivery vectors...........................................................................................................................8 Social engineering banner ads...................................................................................................8 Drive by Downloads.................................................................................................................... 9 Automatic refresh....................................................................................................................... 9 Active X........................................................................................................................................10 Continual Prompting...................................................................................................................11 Bundled and chained installs..................................................................................................... 11 Peer to peer installation............................................................................................................ -
The Ghost in the Browser Analysis of Web-Based Malware
The Ghost In The Browser Analysis of Web-based Malware Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang and Nagendra Modadugu Google, Inc. {niels, deanm, panayiotis, kewang, ngm}@google.com Abstract tions of exploits against any user who visits the infected As more users are connected to the Internet and conduct page. their daily activities electronically, computer users have be- In most cases, a successful exploit results in the auto- come the target of an underground economy that infects hosts matic installation of a malware binary, also called drive-by- with malware or adware for financial gain. Unfortunately, download. The installed malware often enables an adversary even a single visit to an infected web site enables the attacker to gain remote control over the compromised computer sys- to detect vulnerabilities in the user’s applications and force tem and can be used to steal sensitive information such as the download a multitude of malware binaries. Frequently, banking passwords, to send out spam or to install more ma- this malware allows the adversary to gain full control of the licious executables over time. Unlike traditional botnets [4] compromised systems leading to the ex-filtration of sensitive that use push-based infection to increase their population, information or installation of utilities that facilitate remote web-based malware infection follows a pull-based model and control of the host. We believe that such behavior is sim- usually provides a looser feedback loop. However, the popu- ilar to our traditional understanding of botnets. However, lation of potential victims is much larger as web proxies and the main difference is that web-based malware infections are NAT-devices pose no barrier to infection [1]. -
Threats and Attacks
Threats and Attacks CSE 4471: Information Security Instructor: Adam C. Champion, Ph.D. CSE 4471: Information Security Prof. Dong Xuan and Adam C. Champion Terminology (1) • Vulnerability: Weakness or fault that can lead to an exposure • Threat: Generic term for objects, people who pose potential danger to assets (via attacks) • Threat agent: Specific object, person who poses such a danger (by carrying out an attack) – DDoS attacks are a threat – If a hacker carries out a DDoS attack, he’s a threat agent • Risk: Probability that “something bad” happens times expected damage to the organization – Unlike vulnerabilities/exploits; e.g., a web service running on a server may have a vulnerability, but if it’s not connected to the network, risk is 0.0 • Exposure: a successful attack • Vector: how the attack was carried out, e.g., malicious email attachment 2 Terminology (2) • Malware: malicious code such as viruses, worms, Trojan horses, bots, backdoors, spyware, adware, etc. • Disclosure: responsible, full, partial, none, delayed, etc. • Authentication: determining the identity of a person, computer, or service on a computer • Authorization: determining whether an entity (person, program, computer) has access to object – Can be implicit (email account access) or explicit (attributes specifying users/groups who can read/write/execute file) • Incident: definitions vary – Any attack, all attacks using vulnerability X, etc. – Anything resulting in service degradation other than problem mgmt., service request fulfillment 3 Threats (1) • Threat: an object, person, or other entity that represents a constant danger to an asset • Management must be informed of the different threats facing the organization • By examining each threat category, management effectively protects information through policy, education, training, and technology controls 4 Threats (2) • 2004 Computer Security Institute (CSI) / Federal Bureau of Investigation (FBI) survey found: – 79% of organizations reported cyber security breaches within the last 12 months – 54% of those orgs. -
Bluvector Threat Report Q1 2018
BluVector Threat Report Q1 2018 While 2018 began with the massive revelation of Meltdown and Spectre, news about any malware threats that specifically target these CPU vulnerabilities has not yet been reported or confirmed. However, the first quarter has shown that while malware prevention solutions are improving for known threats, adversaries continue to evolve their craft to create attacks that circumvent these solutions. As the financial reward for attackers increases, we expect money to remain the primary driving force throughout the year. Which leads directly into Threat Report’s new category… TABLE OF CONTENTS 3 Threat Report Q1 2018 Threat Chart RANSOMWARE Q1 2018 4 Summary 16 RANSOMWARE: AVCrypt APTs Q1 2018 17 RANSOMWARE: BitPaymer/FriedEx APT: HackingTeam RANSOMWARE: GlobeImposter & 5 18 GandCrab 6 APT: OceanLotus 19 RANSOMWARE: SamSam 7 APT: PZChao 8 APT: Slingshot NOTABLE Q4 2017 THREATS TROJANS Q1 2018 TROJANS Q4 2017 9 TROJAN: AndroRAT 21 TROJAN: ExpensiveWall & Hancitor 10 TROJAN: Dridex 22 TROJAN: Iced Id 11 TROJAN: GhostTeam 23 TROJAN: Marcher 12 TROJAN: LockPOS 24 TROJAN: Orcus Rat 13 TROJAN: OylmpicDestroyer 25 TROJAN: Scarab 14 TROJAN: Snojan RANSOMWARE Q4 2017 MINERS Q1 2018 26 RANSOMWARE: Bad Rabbit RANSOMWARE: DoubleLocker 15 MINER: Smominru 27 Android Threat Report Q1 2018 APTs BitPaymer/ GlobeImposter PZChao 51 Months FriedEx in advance 19 Months 29 Months HackingTeam in advance in advance 21 Months in advance Slingshot Double 34 Months SamSam Locker in advance 12 Months 10 Months in advance in advance OceanLotus -
Empirical Study of Drive-By-Download Spyware Mark A
Empirical Study Of Drive-By-Download Spyware Mark A. Barwinski1, Cynthia E. Irvine2, Tim E. Levin3 Department of Computer Science Naval Postgraduate School 833 Dyer Road Monterey, California, USA 1E-mail: [email protected]; 2E-mail: [email protected]; 3E-mail: [email protected]; 1. Abstract The ability of spyware to circumvent common security practices, surreptitiously exporting confidential information to remote parties and illicitly consuming system resources, is a rising security concern in government, corporate, and home computing environments. While it is the common perception that spyware infection is the result of high risk Internet surfing behavior, our research shows main-stream web sites listed in popular search engines contribute to spyware infection irrespective of patch levels and despite “safe” Internet surfing practices. Experiments conducted in July of 2005 revealed the presence of spyware in several main-stream Internet sectors as evidenced in the considerable infection of both patched and unpatched Windows XP test beds. Although the experiment emulated conservative web surfing practices by not interacting with web page links, images, or banner advertisements, spyware infection of Internet Explorer based test beds occurred swiftly through cross- domain scripting and ActiveX exploits. As many as 71 different spyware programs were identified among 6 Internet sectors. Real-estate and online travel-related web sites infected the test beds with as many as 14 different spyware programs and one bank-related web site appeared to be the source of a resource consuming dialing program. Empirical analysis suggests that spyware infection via drive-by-download attacks has thus far been unabated by security patches or even prudent web surfing behavior. -
Malware: Viruses and Worms Lecture Notes on “Computer and Network
Lecture 22: Malware: Viruses and Worms Lecture Notes on “Computer and Network Security” by Avi Kak ([email protected]) April 8, 2021 5:19pm ©2021 Avinash Kak, Purdue University Goals: • Attributes of a virus • Educational examples of a virus in Perl and Python • Attributes of a worm • Educational examples of a worm in Perl and Python • Some well-known worms of the past • The Conficker and Stuxnet worms • The WannaCry worm and the DoublePulsar backdoor • How afraid should we be of viruses and worms? CONTENTS Section Title Page 22.1 Viruses 3 22.2 The Anatomy of a Virus with Working 7 Examples in Perl and Python — the FooVirus 22.3 Worms 14 22.4 Working Examples of a Worm in 17 Perl and Python — the AbraWorm 22.5 Morris and Slammer Worms 34 22.6 The Conficker Worm 37 22.6.1 The Anatomy of the Conficker Worm 46 22.7 The Stuxnet Worm 52 22.8 The WannaCry Worm and the DoublePulsar 56 Backdoor 22.9 How Afraid Should We Be of Viruses 61 and Worms 22.10 Homework Problems 67 2 Computer and Network Security by Avi Kak Lecture 22 Back to TOC 22.1 VIRUSES • A computer virus is a malicious piece of executable code that propagates typically by attaching itself to a host document that will generally be an executable file. [In the context of talking about viruses, the word “host” means a document or a file. As you’ll recall from our earlier discussions, in the context of computer networking protocols, a “host” is typically a digital device capable of communicating with other devices. -
Malicious Software Trojan Horse
4/18/16 Outline • Malicious logic ■ Trojan horses ■ Computer viruses CSCI 454/554 Computer and Network ■ Worms Security ■ Rabbits and bacteria ■ Logic bombs Topic 8.5 Malicious Logic ■ Trapdoor ■ DDoS • Defenses against malicious logic 1 2 Malicious Software Trojan Horse ■ program with hidden side-effects ■ which is usually superficially attractive ■ eg game, s/w upgrade etc ■ when run performs some additional tasks ■ allows attacker to indirectly gain access they do not have directly ■ often used to propagate a virus/worm or install a backdoor ■ or simply to destroy data An Introductory Trojan Horse Example Trojan Horses • Assume the following UNIX script is named ls and • A Trojan horse is a program with an overt (documented or is placed in a directory. known) effect and a covert (undocumented or unexpected) effect. • Assume “.” is in the path environment. • What happens if the user tries to ls this Principal A ACL directory? executes A:r cp /bin/sh /tmp/.xxsh read File F chmod o+s+w+x /tmp/.xxsh Program Goodies A:w rm ./ls ls $* Trojan Horse B:r A malicious logic is a set of intrusions that cause a site’s File G A:w security policy to be violated. write 5 6 1 4/18/16 Computer Viruses Types of Viruses • A computer virus is a program that inserts itself ! boot sector infector virus into one or more files and then performs some ! Executable infectors virus (possibly null) action. ! memory-resident virus ■ both propagates itself & carries a payload ! TSR virus ■ carries code to make copies of itself ! ■ as well as code to perform some covert task Stealth virus • Two phases ! polymorphic/metamorphic virus ■ Insertion phase ! macro virus ■ The virus inserts itself into a file (or files) ! email virus ■ Execution phase ■ The virus executes 7 Boot Sector Infector Virus Boot Sector Infector Virus (Cont’d) ■ The boot sector is the part of a disk used to bootstrap the system. -
Virus, Worms and Trojan
[ VOLUME 6 I ISSUE 1 I JAN.– MARCH 2019] E ISSN 2348 –1269, PRINT ISSN 2349-5138 Taxonomy of Malware: Virus, Worms and Trojan Jasmeet Kaur Assistant Professor, Computer Science, Innocent Hearts Group of Institutions, Jalandhar, India Received: January 16, 2019 Accepted: February 24, 2019 ABSTRACT: A computer Malware is a code that can be placed in a remote computer and can reproduce itself to other programs in the computer and other computers in the network, when executed. This paper aspires to discuss the modern situation of Malware, propose theoretically about latest categories of computer viruses, project potential in computer viruses and discover new capabilities in computer virus defense. Key Words: Current viruses, new types of viruses, immune system, Malware threats etc. I. INTRODUCTION The word 'malware' is an abbreviation of the term 'malicious software'. This includes such program code classes as computer viruses, computer worms, and Trojan horses. This list may not be exclusive [1]. Computer virus is a term on which there are no exact definitions, but computer anti-virus researchers have been generally known regarding every kind of program cipher and software. A program (set of instructions) that is designed can be deemed either as precarious or precious, depending on the use. Virus can lift user data, remove or change files & documents, records keystrokes & web sessions of a client. It can also lift or smash up hard disk space, and slowdown CPU processing. II. TAXONOMY OF MALWARE: S. Taxonomy of Description No Malware 1 Computer Refers to a program code which has a capacity to replicate recursively by itself. -
August 2010 Feature Article: the Other Face of Facebook
August 2010 Feature Article: The Other Face of Facebook Table of Contents Feature Article: The Other Face of Facebook .............................................................................................................3 Spanair Issue ...............................................................................................................................................................5 Stuxnet: summary of a 0-day attack ...........................................................................................................................6 Zeus ............................................................................................................................................................................7 ESET on the conference circuit ...................................................................................................................................7 The Top Ten Threats ...................................................................................................................................................8 Top Ten Threats at a Glance (graph) ....................................................................................................................... 11 About ESET .............................................................................................................................................................. 12 Additional resources ............................................................................................................................................... -
Spyware Detection Using Data Mining for Windows Portable Executable
Islamic University of Gaza Deanery of Higher Studies Information Technology program Spyware Detection Using Data Mining for Windows Portable Executable Files By: Fadel Omar Shaban 120091437 Supervised by: Dr. Tawfiq S. Barhoom A Thesis Submitted in Partial Fulfillment of the Requirements for the Degree of Master of Science In Information Technology 2013-1434H ِ ِ ِ ِ َِِّ ِ ﴿قُ ْل إ َّن َصﻻتي َونُ ُسكي َوَم ْحيَا َي َوَمَماتي لله َر ِّب الَْعالَمي َن ﻻ ِ ِ ِ ِِ ( اﻷنعام - 261، 261.) َشِري َك لَهُ َوب َذل َك أُمْر ُت َوأَنَا أََّوُل الُْم ْسلمي َن﴾ ACKNOWLEDGMENTS First and Foremost, I am very grateful to almighty ALLAH whose blessings have always been source of encouragement for me and who gave me the ability to complete this task. This thesis would not exist without the help, advice, support, guidance, and encouragement of many people. In particular, I wish to express my sincere appreciation to my supervisor Dr. Tawfiq S. Barhoom, without his help, guidance, and continuous follow-up; this research would never have been. Also I would like to extend my thanks to the academic staff of the Faculty of Information Technology who taught me different courses and helped me during my Master’s study. Special greetings to my family, especially my parents, who have always kept me in their prayers, who have suffered a lot to make me happy. Last but not least, I wish to express my sincere thanks to all those who have one way or another helped me in making this study a success. I TABLE OF CONTENTS ACKNOWLEDGMENTS ............................................................................................................................