Limiting Vulnerability Exposure Through Effective Patch Management: Threat Mitigation Through Vulnerability Remediation


Submitted in fulfilment of the requirements of the degree MASTER OF SCIENCE in the Department of Computer Science of Rhodes University

Dominic Stjohn Dolin White <[email protected]>

January 2006

Abstract

This document aims to provide a complete discussion on vulnerability and patch management. It looks first at the trends relating to vulnerabilities, exploits, attacks and patches. These trends provide the drivers of patch and vulnerability management. Understanding these allows the following chapters to present both policy and technical solutions to the problem. The policy lays out a comprehensive set of steps that can be followed by any organisation to implement their own patch management policy, including practical advice on integration with other policies, managing risk, strategies for reducing downtime and vulnerability, and generating patch metrics. It then discusses how best a vendor should implement a related patch release policy that will allow end-users to most effectively and timeously mitigate vulnerabilities. The next chapter discusses the technical aspects of automating parts of such a policy and how defence in depth can be applied to the field of patch management. The document then concludes that patch management is becoming more difficult and that the guidelines described will go a long way towards creating a workable and effective means for mitigating exposure to vulnerabilities. However, more research is needed into vulnerabilities, exploits and particularly into threats.

Contents

1 Introduction (p. 1)
1.1 Backgrounds (p. 1)
1.2 Patch Management (p. 3)
1.2.1 Definitions (p. 4)
1.3 The Need for Patch Management (p. 6)
1.4 Objectives (p. 7)
1.5 Methodology (p. 8)
1.6 Conclusion (p. 10)

2 Vulnerability and Patch Management (p. 11)
2.1 Introduction (p. 11)
2.2 The Vulnerability Life-Cycle (p. 12)
2.3 Vulnerabilities, Malware and Exploitation Trends (p. 16)
2.3.1 Increasing number of vulnerabilities (p. 16)
2.3.2 Increasing number of attacks (p. 18)
2.3.3 Exploit window shrinking (p. 21)
2.4 Problems with Patches (p. 22)
2.4.1 Unpredictable Patches (p. 23)
2.4.2 Too Many Patches (p. 24)
2.4.3 Window to Patch is Shrinking (p. 25)
2.4.4 Complex Patches (p. 26)
2.4.5 Hard to obtain patches (p. 26)
2.4.6 Problem Patch Examples (p. 28)
2.4.6.1 SQL Slammer/Sapphire Worm (p. 28)
2.4.6.2 GDI+ JPEG Vulnerability (p. 30)
2.5 Conclusion (p. 31)

3 Policy Solutions (p. 33)
3.1 Introduction (p. 33)
3.2 Patch Management Policy (p. 34)
3.2.1 Patch and Vulnerability Group (p. 35)
3.2.2 Security, Stability, Functionality Patches and Workarounds (p. 36)
3.2.3 Policy (p. 38)
3.2.3.1 Information Gathering (p. 40)
3.2.3.2 Risk Assessment (p. 47)
3.2.3.3 Scheduling and Patching Strategy (p. 53)
3.2.3.4 Testing (p. 57)
3.2.3.5 Planning & Change Management (p. 61)
3.2.3.6 Deployment, Installation and Remediation (p. 64)
3.2.3.7 Verification & Reporting (p. 65)
3.2.3.8 Maintenance (p. 71)
3.2.3.9 Summary (p. 72)
3.3 Conclusion (p. 73)

4 Vendor Patch Release Policy (p. 75)
4.1 Introduction (p. 75)
4.2 State of the Art (p. 76)
4.3 An analysis of patch schedules (p. 78)
4.3.1 The Disclosure Debate (p. 79)
4.3.1.1 Delayed Disclosure (p. 80)
4.3.1.2 Instantaneous Disclosure (p. 81)
4.3.2 Patch Schedules and Delayed Disclosure (p. 82)
4.3.3 Patch Schedules and Instantaneous Disclosure (p. 83)
4.3.3.1 Quality (p. 84)
4.3.3.2 Planned Deployment (p. 87)
4.3.3.3 Examples (p. 88)
4.3.4 Conclusion (p. 90)
4.4 Advice for implementing a Patch Release Schedule (p. 90)
4.4.1 Dual Schedules and Separation Criteria (p. 91)
4.4.2 Predictable Patch Release Schedule (p. 92)
4.4.3 Critical Patch Release (p. 94)
4.4.4 Encouraging Delayed Disclosure (p. 96)
4.5 Conclusion (p. 97)

5 Practical Solutions (p. 98)
5.1 Introduction (p. 98)
5.2 Patch Management Software (p. 98)
5.2.1 Functionality and Classification of Patching Tools (p. 99)
5.2.1.1 Notification (p. 103)
5.2.1.2 Inventory Management (p. 104)
5.2.1.3 Vulnerability Scanner (p. 105)
5.2.1.4 Patch Testing (p. 106)
5.2.1.5 Patch Packaging (p. 107)
5.2.1.6 Patch Distribution (p. 111)
5.2.1.7 Reporting (p. 111)
5.2.1.8 Summary (p. 112)
5.2.2 Architecture (p. 112)
5.2.2.1 Agentless (p. 112)
5.2.2.2 Agent (p. 114)
5.2.3 Available Tools (p. 115)
5.2.3.1 Evolution (p. 115)
5.2.3.2 Examples (p. 117)
5.3 Defence in Depth (p. 119)
5.3.1 Firewalls and Anti-Virus (p. 119)
5.3.2 Intrusion Detection/Prevention Systems (p. 120)
5.3.2.1 Virtual Patching (p. 121)
5.3.3 Other Hardening (p. 122)
5.3.4 Software Selection (p. 122)
5.4 Conclusion (p. 124)

6 Conclusion (p. 126)
6.1 Introduction (p. 126)
6.2 Objectives (p. 126)
6.2.1 Summary (p. 128)
6.3 Problems and Solutions (p. 129)
6.4 Future Work (p. 129)
6.4.1 Threat Management (p. 129)
6.4.2 Vulnerability Detail and Trend Tracking (p. 130)
6.4.3 Optimal Time to Patch for Large Vendors (p. 130)
6.4.4 Patch Standards (p. 131)
6.5 Final Word (p. 131)

Bibliography (p. 133)
References (p. 133)

A Time-line of Notable Worms and Viruses (p. 157)
A.1 Introduction (p. 157)
A.2 Time-line (p. 157)
A.2.1 2006 (p. 157)
A.2.2 2005 (p. 157)
A.2.3 2004 (p. 158)
A.2.4 2003 (p. 158)
A.2.5 2001 (p. 159)
A.2.6 1999 (p. 159)
A.2.7 1998 (p. 160)
A.2.8 1995 (p. 160)
A.2.9 1992 (p. 160)
A.2.10 1989 (p. 160)
A.2.11 1988 (p. 160)
A.2.12 1987 (p. 160)
A.2.13 1982 (p. 161)

B Analysis of WSUS (p. 162)
B.1 Introduction (p. 162)
B.2 What's New (p. 163)
B.3 Installation (p. 164)
B.3.1 Topology (p. 164)
B.3.1.1 Default (p. 164)
B.3.1.2 Grouping (p. 164)
B.3.1.3 Chaining (p. 166)
B.3.1.4 Client Download (p. 166)
B.3.2 Requirements (p. 167)
B.3.3 Server (p. 168)
B.3.4 Client (p. 169)
B.4 Configuration (p. 169)
B.4.1 Server (p. 169)
B.4.2 Client Side (p. 174)
B.5 Patching (p. 177)
B.5.1 Synchronisation (p. 177)
B.5.2 Approval (p. 177)
B.5.3 Detection (p. 179)
B.5.4 Distribution (p. 180)
B.5.5 Installation (p. 180)
B.5.6 Verification (p. 180)
B.6 Reporting (p. 180)
B.7 Packet Capture (p. 181)
B.7.1 Steps Performed (p. 181)
B.7.2 Resulting Network Traffic (p. 184)
B.7.3 Analysis (p. 187)
B.7.4 Packet Capture Summary (p. 189)
B.7.4.1 Interface (p. 189)
B.7.4.2 Security (p. 189)
B.8 Resources (p. 189)
B.9 Conclusion (p. 190)

List of Figures

2.1 Theorised Vulnerability Life-Cycle [1] (p. 14)
2.2 Generalised Model of Empirical Findings (p. 16)
3.1 Hypothetical graph of the risk of compromise and patching [2] (p. 55)
3.2 Patch application and its impact on Availability [3] (p. 56)
3.3 Diagram of the proposed Patch Management policy (p. 73)
4.1 Delayed Disclosure and its effects on vulnerable machines and exploitation. Source: Modified from Rescorla [4] (p. 81)
4.2 Instantaneous Disclosure and its effects on vulnerable machines and exploitation. Source: Modified from Rescorla [4] (p. 82)
5.1 Graph of the effectiveness of binary patch tools (p. 110)
5.2 Graph of the number of vulnerabilities in different Linux kernel versions per year. Source: CVE [5] (p. 124)
B.1 Default Topology (p. 165)
B.2 Grouped Topology (p. 165)
B.3 Chained Topology (p. 166)
Recommended publications
  • Storm: When Researchers Collide
  • Tangled Web : Tales of Digital Crime from the Shadows of Cyberspace
  • Patch Control Mechanism for Large Scale Software
  • Detection, Propagation Modeling and Designing of Advanced Internet Worms
  • The Norman Book on Computer Viruses
  • Cyber Crimes and Consumer Protection in Cyberspace (CYL-104), Uttarakhand Open University
  • NIPC Advisory 99-031: "Year 2000 Y2K", December 28, 1999
  • Chapter 3: Viruses, Worms, and Blended Threats
  • A Research on Different Types of Malware and Detection Techniques
  • Computer Viruses and Malware Advances in Information Security
  • Reversing Malware [Based on Material from the Textbook]
  • Topics in Malware