DOCSLIB.ORG

Cyber Security: Threats and Challenges

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Alarming Trends in Cyber Attacks z Large increases in Cybersecurity spending z Factor of 10+ increase in the past ten years Cyber Security: z Yet, security incidents continue to sky- rocket Threats and Challenges z Incidents reported by CERT Coordination Center increased by a factor of 120 in the past decade R. Sekar z 97% of participants in 2003 FBI/CSI survey reported attacks [email protected] z Malicious attacks cost companies tens of billions to clean up [Computer Economics, Trend Micro] z Many small/medium businesses are victims of cyber extortion z 17% of companies surveyed by CMU and Information Week Secure Systems Laboratory 2 Evolution of Threats Evolution of Modern Threats z World War II and earlier z First generation z Break secret messages during transmission z break into high-value systems (e.g., banks) through z Primarily the domain of nation states proprietary networks z Modern cryptography has all but eliminated this threat z criminal elements as well as rogue nations z Modern era z Second generation z Focus shifts from altering messages to breaking end- z Malware that spreads due to information sharing systems that store and process these messages z Viruses and worms z Perpetrated by hackers as a “hobby” z Third generation z Malware that spreads via the Internet z Email viruses and Internet worms z Still, no evidence of organized or criminal elements Secure Systems Laboratory 3 Secure Systems Laboratory 4 1 Traditional Threats - Examples Current Threats (Fourth generation) z 1989 z Steal confidential information z Hackers in West Germany broke into US government z Credit-card/bank account #s, passwords, … and corporate computers and selling operating system z Trade secrets and other proprietary information source code to the Soviet KGB z Security-sensitive information z Useful for breaching physical world security z 1994 z Establish base for future operations z Russian crackers siphoned $10 million from Citibank z Conduit for future attacks and transferred the money to bank accounts around the z Surveillance world z Capture keystrokes, microphone or camera input z Reveal information about software installed z Snoop on web sites visited Secure Systems Laboratory 5 Secure Systems Laboratory 6 Current Threats (Continued) Current Threats (Continued) z Driven by commercialization of Malware zSpecialization and commoditization z Thriving black-market for exploits zExploit tools and techniques z Zero-day exploits have arrived zcompromise z “Bot”-centric model for cyber crime zpayload z Relay spam (e-mail scam, phishing) z Extortion (using DDoS or targeted attacks) zTargeting information z Focus on desktop (rather than server) vulnerabilities zBotnet management and leasing z Profit-driven adware and spyware zBrokers z Customer-profiling, niche-marketing z IP protection (digital rights management) zEmployment of botnets z aggressive installation, stealth (rootkits, spyware) zCash-out zthe step that most closely relates to things outside the cyber world 2 Modern Threats: Enablers Modern Threats: A Glance z High connectivity z Viruses z Home users with always-on broadband connectivity z Increasing adoption of the Net in day-to-day activities z Worms z Software homogeneity z DDoS and Botnet z Find single bug, own millions of computers! z Spyware z Inherent complexity of modern software z Short-term thinking by vendors z Spam z “Feature obsession” and cost-cutting z Phishing z shoddy software quality + code bloat z Result: security bugs are all over the place and easy to find! z Online extortion z Lack of user awareness z Find millions of trusting users and own their computers! z Lack of traceability and attribution z Conduct your attack and disappear! Secure Systems Laboratory 9 Secure Systems Laboratory 10 Computer Virus Well-Known Computer Viruses z Properties z 1982, Elk Cloner z Replicates itself z First virus in the wild z Attaches to other non-malicious code z Targeting Apple II z Examples z 1986, (c)Brain z Boot sector virus (difficult on OS with memory z First virus for IBM PC protection) z A boot sector virus z Other OS level virus z 1995, Concept virus z Virus that attaches to programs, scripts, libraries z First Macro virus z Macro virus z 1998, CIH z Mail attachments / active web content z One of the most harmful widely circulated viruses z Overwrites both hard disks (data loss) and Flash BIOS (hardware damage) Secure Systems Laboratory 11 Secure Systems Laboratory 12 3 Macro Virus CIH Virus z Written in a macro language. z Spreads via Portable Executable files under Windows 95/98/Me. z Macros can perform operations that the software can do. z Damages: z Overwriting the first 1024KB of the hard drive with z To date, only Microsoft Office products are zeroes Î vulnerable to this kind of virus. Loss of data on the entire hard drive z Simple solution: turning off the macro feature z Overwriting the Flash BIOS with junk code Î Computers cannot boot any more z Activated in the public eye on April 26, 1999 z An untold number of computers worldwide were affected, much in Asia Secure Systems Laboratory 13 Secure Systems Laboratory 14 Melissa ILOVEYOU z Found on March 26, 1999 z First appeared on May 3, 2000 z Targetting Microsoft Word and Outlook-based systems, and creating considerable network traffic z Caused widespread e-mail outages, an z Shut down many Internal mail systems estimated $10 billion in economic damage z That got clogged with infected e-mails propagating from the worm z Inside a file called “List.DOC” z Written in VBScript z Spread on Microsoft Word 97 and Word 2000. z E-mail z Can mass-mail itself from email client Microsoft Outlook 97 or Outlook 98. z Subject: “ILOVEYOU” z Attempts to mass mail itself once an infected Word z Attachment “LOVE-LETTER-FOR-YOU.TXT.vbs” document is opened. z Overwrote important files with a copy of itself z Sent out itself to everyone in a user’s contact list Secure Systems Laboratory 15 Secure Systems Laboratory 16 4 Computer Worm Timeline of Notable Worms (1) z Replicates over the network (usually by itself) z Nov 1988, Morris worm z First worm appeared at Xerox PARC in 1978 z First well-known worm z What a worm can do? z March 1999, Melissa (E-mail worm) z Targeting Microsoft Word & Outlook-based systems z Replicates itself, and thus consumes network bandwidth z z Deletes files on a host system May 2000, VBS/Loveletter or ILOVEYOU (E-mail worm) z Caused an estimated $10 billion in economic damage z Sends documents via e-mail z Carries other executables as a payload z July 2001, Code Red (Exploited IIS bugs) z Installs a backdoor in an infected computer (zombie computer) z Considerably slowed down Internet traffic z Modern worms z Jan 2003, SQL Slammer (Exploited MS SQL Server bugs) z Very fast: infected most of its 75,000 victims within ten minutes z Large scale infection z Amazingly small, only 376 bytes z Fast spread rate z spread over the Internet within a second Secure Systems Laboratory 17 Secure Systems Laboratory 18 Timeline of Notable Worms (2) Code Red z Released on July 13, 2001 z Aug 2003, Blaster, Welchia (Nachi), SoBig z Considerably slowed down the Internet traffic z Blaster (Exploited DCOM RPC bugs) z Details: z Coded to start a SYN flood on Aug 15 against windowsupdate.com z Attacked computers running Microsoft’s IIS web server z Welchia (Nachi) z Defaced the affected web site z A goodwill worm to remove Blaster and patch Windows z Tried to spread itself by looking for more IIS servers on z SoBig (E-mail worm) the Internet z Infected millions of Windows computers in Aug 2003 z Waited 20-27 days after it was installed to launch DoS z Microsoft wanted information of the worm creator for $250,000 attacks on several fixed IP addresses, including White House. z Apr 2004, Sasser (Exploited LSASS bugs) z Exploited a buffer overflow vulnerability in IIS; z Affected: Used illegal GET requests to trigger the vulnerability Secure Systems Laboratory 19 Secure Systems Laboratory 20 5 SLAMMER Blaster z January 2003 z Spread during August 2003 (first noticed on z Caused DoS on some Internet hosts and dramatically August 11, peaked on August 13) slowed down general Internet traffic z Fast z Programmed to start a SYN flood on August 15 z Infect most of its 75,000 victims within ten minutes against port 80 of windowsupdate.com. z A buffer overflow based attack targeting Microsoft SQL z Exploited a buffer overflow in the DCOM RPC Server service on the affected Windows operating z Amazingly small, only 376 bytes z Generate random IP addresses and send itself out to systems those addresses. z If the selected address happens to belong to a host that is running an unpatched copy of Microsoft SQL Server, the host immediately becomes infected and begin spraying the Internet with more copies of the worm program. z Only stays in memory. Secure Systems Laboratory 21 Secure Systems Laboratory 22 Welchia (Nachi) SoBig z Welchia (Nachi), a worm that tries to remove the Blaster worm and patch Windows z Consequences: z Infected millions of Microsoft Windows computers in August 2003 z Discovered in August 18, 2003 z Microsoft wanted information of the worm creator for $250,000 z Details: z Not good z Appear as an e-mail with one of the following subjects: z Re: Approved Re: Details Re: Thank you … z Create vast amount of network traffic, thereby slowing down the Internet z Contain the text: “See the attached file for details” or the like z Contain an attachment by one of the following names: z Make the system unstable (e.g.
Recommended publications
  • Statistical Structures: Fingerprinting Malware for Classification and Analysis

    Statistical Structures: Fingerprinting Malware for Classification and Analysis

    Statistical Structures: Fingerprinting Malware for Classification and Analysis Daniel Bilar Wellesley College (Wellesley, MA) Colby College (Waterville, ME) bilar <at> alum dot dartmouth dot org Why Structural Fingerprinting? Goal: Identifying and classifying malware Problem: For any single fingerprint, balance between over-fitting (type II error) and under- fitting (type I error) hard to achieve Approach: View binaries simultaneously from different structural perspectives and perform statistical analysis on these ‘structural fingerprints’ Different Perspectives Idea: Multiple perspectives may increase likelihood of correct identification and classification Structural Description Statistical static / Perspective Fingerprint dynamic? Assembly Count different Opcode Primarily instruction instructions frequency static distribution Win 32 API Observe API calls API call vector Primarily call made dynamic System Explore graph- Graph structural Primarily Dependence modeled control and properties static Graph data dependencies Fingerprint: Opcode frequency distribution Synopsis: Statically disassemble the binary, tabulate the opcode frequencies and construct a statistical fingerprint with a subset of said opcodes. Goal: Compare opcode fingerprint across non- malicious software and malware classes for quick identification and classification purposes. Main result: ‘Rare’ opcodes explain more data variation then common ones Goodware: Opcode Distribution 1, 2 ---------.exe Procedure: -------.exe 1. Inventoried PEs (EXE, DLL, ---------.exe etc) on XP box with Advanced Disk Catalog 2. Chose random EXE samples size: 122880 with MS Excel and Index totalopcodes: 10680 3, 4 your Files compiler: MS Visual C++ 6.0 3. Ran IDA with modified class: utility (process) InstructionCounter plugin on sample PEs 0001. 002145 20.08% mov 4. Augmented IDA output files 0002. 001859 17.41% push with PEID results (compiler) 0003. 000760 7.12% call and general ‘functionality 0004.
  • Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress

    Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress

    Order Code RL32114 Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress Updated January 29, 2008 Clay Wilson Specialist in Technology and National Security Foreign Affairs, Defense, and Trade Division Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress Summary Cybercrime is becoming more organized and established as a transnational business. High technology online skills are now available for rent to a variety of customers, possibly including nation states, or individuals and groups that could secretly represent terrorist groups. The increased use of automated attack tools by cybercriminals has overwhelmed some current methodologies used for tracking Internet cyberattacks, and vulnerabilities of the U.S. critical infrastructure, which are acknowledged openly in publications, could possibly attract cyberattacks to extort money, or damage the U.S. economy to affect national security. In April and May 2007, NATO and the United States sent computer security experts to Estonia to help that nation recover from cyberattacks directed against government computer systems, and to analyze the methods used and determine the source of the attacks.1 Some security experts suspect that political protestors may have rented the services of cybercriminals, possibly a large network of infected PCs, called a “botnet,” to help disrupt the computer systems of the Estonian government. DOD officials have also indicated that similar cyberattacks from individuals and countries targeting economic,
  • Exploring Corporate Decision Makers' Attitudes Towards Active Cyber

    Exploring Corporate Decision Makers' Attitudes Towards Active Cyber

    Protecting the Information Society: Exploring Corporate Decision Makers’ Attitudes towards Active Cyber Defence as an Online Deterrence Option by Patrick Neal A Dissertation Submitted to the College of Interdisciplinary Studies in Partial Fulfilment of the Requirements for the Degree of DOCTOR OF SOCIAL SCIENCES Royal Roads University Victoria, British Columbia, Canada Supervisor: Dr. Bernard Schissel February, 2019 Patrick Neal, 2019 COMMITTEE APPROVAL The members of Patrick Neal’s Dissertation Committee certify that they have read the dissertation titled Protecting the Information Society: Exploring Corporate Decision Makers’ Attitudes towards Active Cyber Defence as an Online Deterrence Option and recommend that it be accepted as fulfilling the dissertation requirements for the Degree of Doctor of Social Sciences: Dr. Bernard Schissel [signature on file] Dr. Joe Ilsever [signature on file] Ms. Bessie Pang [signature on file] Final approval and acceptance of this dissertation is contingent upon the candidate’s submission of the final copy of the dissertation to Royal Roads University. The dissertation supervisor confirms to have read this dissertation and recommends that it be accepted as fulfilling the dissertation requirements: Dr. Bernard Schissel[signature on file] Creative Commons Statement This work is licensed under the Creative Commons Attribution-NonCommercial- ShareAlike 2.5 Canada License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/2.5/ca/ . Some material in this work is not being made available under the terms of this licence: • Third-Party material that is being used under fair dealing or with permission. • Any photographs where individuals are easily identifiable. Contents Creative Commons Statement............................................................................................
  • GQ: Practical Containment for Measuring Modern Malware Systems

    GQ: Practical Containment for Measuring Modern Malware Systems

    GQ: Practical Containment for Measuring Modern Malware Systems Christian Kreibich Nicholas Weaver Chris Kanich ICSI & UC Berkeley ICSI & UC Berkeley UC San Diego [email protected] [email protected] [email protected] Weidong Cui Vern Paxson Microsoft Research ICSI & UC Berkeley [email protected] [email protected] Abstract their behavior, sometimes only for seconds at a time (e.g., to un- Measurement and analysis of modern malware systems such as bot- derstand the bootstrapping behavior of a binary, perhaps in tandem nets relies crucially on execution of specimens in a setting that en- with static analysis), but potentially also for weeks on end (e.g., to ables them to communicate with other systems across the Internet. conduct long-term botnet measurement via “infiltration” [13]). Ethical, legal, and technical constraints however demand contain- This need to execute malware samples in a laboratory setting ex- ment of resulting network activity in order to prevent the malware poses a dilemma. On the one hand, unconstrained execution of the from harming others while still ensuring that it exhibits its inher- malware under study will likely enable it to operate fully as in- ent behavior. Current best practices in this space are sorely lack- tended, including embarking on a large array of possible malicious ing: measurement researchers often treat containment superficially, activities, such as pumping out spam, contributing to denial-of- sometimes ignoring it altogether. In this paper we present GQ, service floods, conducting click fraud, or obscuring other attacks a malware execution “farm” that uses explicit containment prim- by proxying malicious traffic.
  • Workaround for Welchia and Sasser Internet Worms in Kumamoto University

    Workaround for Welchia and Sasser Internet Worms in Kumamoto University

    Workaround for Welchia and Sasser Internet Worms in Kumamoto University Yasuo Musashi, Kenichi Sugitani,y and Ryuichi Matsuba,y Center for Multimedia and Information Technologies, Kumamoto University, Kumamoto 860-8555 Japan, E-mail: [email protected], yE-mail: [email protected], yE-mail: [email protected] Toshiyuki Moriyamaz Department of Civil Engineering, Faculty of Engineering, Sojo University, Ikeda, Kumamoto 860-0081 Japan, zE-mail: [email protected] Abstract: The syslog messages of the iplog-2.2.3 packet capture in the DNS servers in Ku- mamoto University were statistically investigated when receiving abnormal TCP packets from PC terminals infected with internet worms like W32/Welchia and/or W32/Sasser.D worms. The inter- esting results are obtained: (1) Initially, the W32/Welchia worm-infected PC terminals for learners (920 PCs) considerably accelerates the total W32/Welchia infection. (2) We can suppress quickly the W32/Sasser.D infection in our university when filtering the access between total and the PC terminal’s LAN segments. Therefore, infection of internet worm in the PC terminals for learners should be taken into consideration to suppress quickly the infection. Keywords: Welchia, Sasser, internet worm, system vulnerability, TCP port 135, TCP port 445, worm detection 1. Introduction defragmentation, TCP stream reassembling (state- less/stateful), and content matcher (detection engine). Recent internet worms (IW) are mainly categorized The other is iplog[11], a packet logger that is not so into two types, as follows: one is a mass-mailing-worm powerful as Snort but it is slim and light-weighted so (MMW) which transfers itself by attachment files of that it is useful to get an IP address of the client PC the E-mail and the other is a system-vulnerability- terminal.
  • Shoot the Messenger: IM Worms Infectionvectors.Com June 2005

    Shoot the Messenger: IM Worms Infectionvectors.Com June 2005

    Shoot the Messenger: IM Worms infectionvectors.com June 2005 Overview Instant Messaging (IM) has rapidly gained popularity, making it an attractive medium for malware coders. However, without the universal interoperation of email, instant messaging worms have so far been much slower to propagate and gain widespread success compared to their SMTP-based cousins. As such, the amount of attention (and development) they have received from malware authors is significantly less than the mass mailer worms. Nonetheless, IM-based malware is a threat to all organizations and should be addressed by both policy and technical safeguards. IM-founded malware carries the same potential for compromising data as any other malcode (and has adopted the tactics of more successful varieties exceptionally quickly). This paper examines the development and importance of IM worms. Messaging Overview Instant messaging generically refers to real-time text communications between two or more clients (although, it is important to note many new services such as video and voice are available through these clients). Generally, messages are passed from a client to a server and vice versa. Some IM clients are capable of transmitting files between one another without a central server (once a communications channel is established) and can allow for a remarkable degree of command execution. This is represented simply below: Messaging Server Presence data transferred to clients from servers. Message/file transfer. Compatible Clients Shoot the Messenger: IM Worms 2 IM protocols range from relatively simple to quite complex and generally include some form of “presence” detection and notification (the ability to indicate whether a contact is online at any given time).
  • The Blaster Worm: Then and Now

    The Blaster Worm: Then and Now

    Worms The Blaster Worm: Then and Now The Blaster worm of 2003 infected at least 100,000 Microsoft Windows systems and cost millions in damage. In spite of cleanup efforts, an antiworm, and a removal tool from Microsoft, the worm persists. Observing the worm’s activity can provide insight into the evolution of Internet worms. MICHAEL n Wednesday, 16 July 2003, Microsoft and continued to BAILEY, EVAN Security Bulletin MS03-026 (www. infect new hosts COOKE, microsoft.com/security/incident/blast.mspx) more than a year later. By using a wide area network- FARNAM O announced a buffer overrun in the Windows monitoring technique that observes worm infection at- JAHANIAN, AND Remote Procedure Call (RPC) interface that could let tempts, we collected observations of the Blaster worm DAVID WATSON attackers execute arbitrary code. The flaw, which the during its onset in August 2003 and again in August 2004. University of Last Stage of Delirium (LSD) security group initially This let us study worm evolution and provides an excel- Michigan uncovered (http://lsd-pl.net/special.html), affected lent illustration of a worm’s four-phase life cycle, lending many Windows operating system versions, including insight into its latency, growth, decay, and persistence. JOSE NAZARIO NT 4.0, 2000, and XP. Arbor When the vulnerability was disclosed, no known How the Blaster worm attacks Networks public exploit existed, and Microsoft made a patch avail- The initial Blaster variant’s decompiled source code re- able through their Web site. The CERT Coordination veals its unique behavior (http://robertgraham.com/ Center and other security organizations issued advisories journal/030815-blaster.c).
  • Adversarial Web Search by Carlos Castillo and Brian D

    Adversarial Web Search by Carlos Castillo and Brian D

    Foundations and TrendsR in Information Retrieval Vol. 4, No. 5 (2010) 377–486 c 2011 C. Castillo and B. D. Davison DOI: 10.1561/1500000021 Adversarial Web Search By Carlos Castillo and Brian D. Davison Contents 1 Introduction 379 1.1 Search Engine Spam 380 1.2 Activists, Marketers, Optimizers, and Spammers 381 1.3 The Battleground for Search Engine Rankings 383 1.4 Previous Surveys and Taxonomies 384 1.5 This Survey 385 2 Overview of Search Engine Spam Detection 387 2.1 Editorial Assessment of Spam 387 2.2 Feature Extraction 390 2.3 Learning Schemes 394 2.4 Evaluation 397 2.5 Conclusions 400 3 Dealing with Content Spam and Plagiarized Content 401 3.1 Background 402 3.2 Types of Content Spamming 405 3.3 Content Spam Detection Methods 405 3.4 Malicious Mirroring and Near-Duplicates 408 3.5 Cloaking and Redirection 409 3.6 E-mail Spam Detection 413 3.7 Conclusions 413 4 Curbing Nepotistic Linking 415 4.1 Link-Based Ranking 416 4.2 Link Bombs 418 4.3 Link Farms 419 4.4 Link Farm Detection 421 4.5 Beyond Detection 424 4.6 Combining Links and Text 426 4.7 Conclusions 429 5 Propagating Trust and Distrust 430 5.1 Trust as a Directed Graph 430 5.2 Positive and Negative Trust 432 5.3 Propagating Trust: TrustRank and Variants 433 5.4 Propagating Distrust: BadRank and Variants 434 5.5 Considering In-Links as well as Out-Links 436 5.6 Considering Authorship as well as Contents 436 5.7 Propagating Trust in Other Settings 437 5.8 Utilizing Trust 438 5.9 Conclusions 438 6 Detecting Spam in Usage Data 439 6.1 Usage Analysis for Ranking 440 6.2 Spamming Usage Signals 441 6.3 Usage Analysis to Detect Spam 444 6.4 Conclusions 446 7 Fighting Spam in User-Generated Content 447 7.1 User-Generated Content Platforms 448 7.2 Splogs 449 7.3 Publicly-Writable Pages 451 7.4 Social Networks and Social Media Sites 455 7.5 Conclusions 459 8 Discussion 460 8.1 The (Ongoing) Struggle Between Search Engines and Spammers 460 8.2 Outlook 463 8.3 Research Resources 464 8.4 Conclusions 467 Acknowledgments 468 References 469 Foundations and TrendsR in Information Retrieval Vol.
  • Effective Malicious Features Extraction and Classification for Incident Handling Systems

    Effective Malicious Features Extraction and Classification for Incident Handling Systems

    EFFECTIVE MALICIOUS FEATURES EXTRACTION AND CLASSIFICATION FOR INCIDENT HANDLING SYSTEMS CHO CHO SAN UNIVERSITY OF COMPUTER STUDIES, YANGON OCTOBER, 2019 Effective Malicious Features Extraction and Classification for Incident Handling Systems Cho Cho San University of Computer Studies, Yangon A thesis submitted to the University of Computer Studies, Yangon in partial fulfillment of the requirements for the degree of Doctor of Philosophy October, 2019 Statement of Originality I hereby certify that the work embodied in this thesis is the result of original research and has not been submitted for a higher degree to any other University or Institution. …..…………………………… .…………........………………………… Date Cho Cho San ACKNOWLEDGEMENTS First of all, I would like to thank Hist Excellency, the Minister for the Ministry of Education, for providing full facilities support during the Ph.D. course at the University of Computer Studies, Yangon. Secondly, my profound gratitude goes to Dr. Mie Mie Thet Thwin, Rector of the University of Computer Studies, Yangon, for allowing me to develop this research and giving me general guidance during the period of my study. I would like to express my greatest pleasure and the deepest appreciation to my supervisor, Dr. Mie Mie Su Thwin, Professor, the University of Computer Studies, Yangon, for her excellent guidance, caring, patient supervision, and providing me with excellent ideas throughout the study of this thesis. I would also like to extend my special appreciation to Dr. Khine Moe Nwe, Professor and Course-coordinator of the Ph.D. 9th Batch, the University of Computer Studies, Yangon, for her useful comments, advice, and insight which are invaluable through the process of researching and writing this dissertation.
  • Chapter 3: Viruses, Worms, and Blended Threats

    Chapter 3: Viruses, Worms, and Blended Threats

    Chapter 3 Chapter 3: Viruses, Worms, and Blended Threats.........................................................................46 Evolution of Viruses and Countermeasures...................................................................................46 The Early Days of Viruses.................................................................................................47 Beyond Annoyance: The Proliferation of Destructive Viruses .........................................48 Wiping Out Hard Drives—CIH Virus ...................................................................48 Virus Programming for the Masses 1: Macro Viruses...........................................48 Virus Programming for the Masses 2: Virus Generators.......................................50 Evolving Threats, Evolving Countermeasures ..................................................................51 Detecting Viruses...................................................................................................51 Radical Evolution—Polymorphic and Metamorphic Viruses ...............................53 Detecting Complex Viruses ...................................................................................55 State of Virus Detection.........................................................................................55 Trends in Virus Evolution..................................................................................................56 Worms and Vulnerabilities ............................................................................................................57
  • A Highly Immersive Approach to Teaching Reverse Engineering Golden G

    A Highly Immersive Approach to Teaching Reverse Engineering Golden G

    A Highly Immersive Approach to Teaching Reverse Engineering Golden G. Richard III Department of Computer Science University of New Orleans New Orleans, LA 70148 Email: [email protected] Abstract most operating systems courses, but for reverse engi- neering, the devil really is in the details. For example, While short training courses in reverse engineering are to understand an offensive technique like Shadow frequently offered at meetings like Blackhat and Walker [13], which relies on de-synchronization of the through training organizations such as SANS, there are data and instruction TLBs in Intel’s split-TLB design virtually no reverse engineering courses offered in aca- to hide code and data, it’s not enough to have seen a demia. This paper discusses possible reasons for this Powerpoint slide depicting the abstract functionality of situation, emphasizes the importance of teaching re- a TLB—that’s a good start, but both more details and verse engineering (and applied computer security edu- hands-on experience are needed. Furthermore, assem- cation in general), and presents the overall design of a bler language courses, if they exist at all as independ- semester-long course in reverse engineering malware, ent courses in a modern computing curriculum, tend to recently offered by the author at the University of New be much weaker than in the past, often emphasizing the Orleans. use of High Level Assembler (HLA) [4] and develop- 1 Introduction ment of toy applications. In many curricula, the as- sembler language course of old has been folded into the Reverse engineering of software involves detailed undergraduate architecture class.
  • Nusikaltimai Elektroninėje Erdvėje Ir Jų Tyrimo Metodikos Nikolaj Goranin Dalius Mažeika

    Nusikaltimai Elektroninėje Erdvėje Ir Jų Tyrimo Metodikos Nikolaj Goranin Dalius Mažeika

    Nikolaj Goranin Dalius Mažeika NUSIKALTIMAI elektroninėje erDvėje ir jų tyriMo MetoDikos Nikolaj Goranin Dalius Mažeika NUSIKALTIMAI ELEKTRONINĖJE ERDVĖJE IR JŲ TYRIMO METODIKOS MOKOMOJI KNYGA Projektas „Aukštojo mokslo I ir II pakopų informatikos ir informatikos inžinerijos krypčių studijų programų atnaujinimas bei naujų sukūrimas ir įgyvendinimas (AMIPA)“, kodas VP1–2.2–ŠMM–09–V–01–003, finansuojamas iš Europos socialinio fondo ir Lietuvos valstybės biudžeto lėšų. Recenzavo: prof. dr. V. Jusas doc. dr. K. Driaunys © N. Goranin, D. Mažeika, 2011 © KTU Informatikos fakultetas, 2011 © VGTU Fundamentaliųjų mokslų fakultetas, 2011 © UAB TEV, 2011 ISBN 978-609-433-055-1 TURINYS ĮVADAS ........................................................................................................................7 1. NUSIKALTIMAI ELEKTRONINĖJE ERDVĖJE ...................................................9 1.1. Nusikaltimų elektroninėje erdvėje apibrėžimas ir jų tipai ................................9 1.2. Informacinis karas ...........................................................................................11 1.3. Savikontrolės klausimai ..................................................................................14 2. NEE TEISINIAI ASPEKTAI ..................................................................................15 2.1. Teisinė nusikaltimų elektroninėje erdvėje samprata .......................................15 2.2. Elektroninių nusikaltimų kategorijos ..............................................................17 2.3. Tarptautiniai