DOCSLIB.ORG

Malicious Code Threat Model Code  Survey of Malicious Code  Prevention of CSH6 Chapter 16 Malicious Code Attacks “Malicious Code” Robert Guess & Eric Salveggio

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Malicious Code Threat Model Code  Survey of Malicious Code  Prevention of CSH6 Chapter 16 Malicious Code Attacks “Malicious Code” Robert Guess & Eric Salveggio Topics Malicious Introduction Malicious Code Threat Model Code Survey of Malicious Code Prevention of CSH6 Chapter 16 Malicious Code Attacks “Malicious Code” Robert Guess & Eric Salveggio CSH6 Chapter 16: “Malicious Code” 1 Copyright © 2014 M. E. Kabay. All rights reserved. 2 Copyright © 2014 M. E. Kabay. All rights reserved. Introduction Malicious-Code Threat Model (1) Malicious code / logic ACTOR ACCESS ASSET ACTION OUTCOME Malware Hardware, software or firmware Actor: structured or unstructured threats intentionally included or inserted Individuals, organizations, nation-states in system for unauthorized purpose Access: allowed physical or logical path Classification may be difficult Asset: resource of interest Categories overlap because malware may have Action: execution of malicious code or logic multiple functions and attributes Outcome E.g., virus / worm / Trojan horse / spyware Intelligence, surveillance, reconnaissance Disruption of operations Some code may not be intended as malware by creators Destruction of assets Publicity for cause Context and intent determine whether code is Negative publicity against victim viewed as malicious 3 Copyright © 2014 M. E. Kabay. All rights reserved. 4 Copyright © 2014 M. E. Kabay. All rights reserved. Malicious Code Threat Model (2) Self-replicating Code Not inherently malicious Self-replicating Code Early experiments (1960s) Actors: Origin of Malicious had no evil intent Code Threats Darwin (1961) involved Actors: Structured Threats memory worms Actors: Unstructured Self-replicating code Threats Competition → resource exhaustion Access vs Action: Vector vs Payload 5 Copyright © 2014 M. E. Kabay. All rights reserved. 6 Copyright © 2014 M. E. Kabay. All rights reserved. Is a Beneficial Virus Is Writing Malware Illegal Possible? in US? Ideas for beneficial self-propagating code: No explicit law against writing malicious code Distribute antivirus programs No illegality even in sharing such code automatically through Internet among willing recipients Install patches on servers in networks Current efforts to define statutes Distribute useful information automatically Based on laws banning Consensus on Problems Preventing Use: possession of burglary tools (e.g., lock picks) What if there’s a bug or incompatibility in the self-propagating code? Require registration and licensing of locksmiths What if the patches are not appropriate for a specific Would treat malware and Trojans in same server or network? way What if the owner/user does No significant progress to date not see the patch as useful? 7 Copyright © 2014 M. E. Kabay. All rights reserved. 8 Copyright © 2014 M. E. Kabay. All rights reserved. Actors: Origin of Actors: Structured Threats Malicious Code Threats Well-funded, systematic Structured threats Industrial espionage, information operations, large- scale fraud & theft Nation-states Organized crime responsible for 90% malware Corporate criminals Extortionists target online gambling Organized crime Pump ‘n’ dump schemes cost $B Unstructured threats Industrial espionage using spyware growing Rogue actors; e.g., China major player Individuals Major source of attacks Script kiddies PRC PLA doctrine emphasizes asymmetric warfare using information technology Total government control over hacking 9 Copyright © 2014 M. E. Kabay. All rights reserved. 10 Copyright © 2014 M. E. Kabay. All rights reserved. Access vs Action: Actors: Unstructured Threats Vector vs Payload Random Vector Relatively limited Agent is avenue of access Does not target national Physical access via people who can enter security premises Relatively minor Network access via Web server, client systems, e-mail attachment, portable device (e.g., infected USB flash drive) Payload Function (action) inserted in system Malicious logic, remote access software, remote control software 11 Copyright © 2014 M. E. Kabay. All rights reserved. 12 Copyright © 2014 M. E. Kabay. All rights reserved. Survey of Malicious Code Virus Mechanisms Viruses Worms Boot sector: sector 0 of disk Trojans File infector: inserts JUMP instruction, adds code, returns to original location and Spyware & Adware continues loading Rootkits Macro virus: exploits weakness of MS Bots & Botnets scripting language in Word, Malicious Mobile Code PowerPoint, Excel, Access etc. 13 Copyright © 2014 M. E. Kabay. All rights reserved. 14 Copyright © 2014 M. E. Kabay. All rights reserved. Viruses (1) Viruses (2) Boot sector Program infectors 15 Copyright © 2014 M. E. Kabay. All rights reserved. 16 Copyright © 2014 M. E. Kabay. All rights reserved. 1995-1996: Early Macro Viruses (3) Viruses Macro MS-Word macro virus (concept) released Aug 95 MS-Word macro viruses reached more than half all infections in the wild by 2009 About 1000 types of macro viruses of all types known to date (Sep 2013) MS-Excel virus discovered June 96 Anti-virus available within days Spreading more slowly than Word macro viruses because of lower rate of exchange of spreadsheets 17 Copyright © 2014 M. E. Kabay. All rights reserved. 18 Copyright © 2014 M. E. Kabay. All rights reserved. 1999-03: Melissa Virus Viruses (4) Logic Bombs Friday 26 March: CERT-CC initial reports of fast-spreading new MS-Word macro virus Any malicious code, replicating or not, that Melissa written to infect Word documents delivers a payload as a result of a logic test (e.g., Uses victim's MAPI-standard e-mail address specific date, absence of employee record) book Time bombs (set off on a date or category of Sends copies of itself to first 50 people on list date) are a subset of logic bombs E-mail message w/ subject line "Important Cross-site scripting malware Message From <name>” Exploit flaws in Web application servers & client Spread faster than any previous virus code Followed by similar e-mail-enabled viruses In 2005, “Samy” created script that generated >1M “friends” on MySpace using flaw in Internet Explorer to use JavaScript insertion exploit Sentenced to 3 years probation, 90 days 19 Copyright © 2014 M. E. Kabay. All rights reserved. 20 community Copyrightservice © 2014 M. E. Kabay. All rights reserved. Viruses (5) Viruses vs Worms Polymorphic viruses Viruses integrate into host code Intended to defeat signature- Replicate upon execution of infected code based antivirus tools Worms are free-standing code Modify themselves at time of Replicate via networks replication Polymorphic Engine E-mail (e.g., Outlook) especially common vector Encrypts code Some worms have viral properties Includes self-decryption capability Integrate themselves into e-mail Dark Avenger wrote MtE (aka messages and convert them to Mutation Engine) in late 1980s executable files Programmer from Sofia, Bulgaria Frequently conceal executable file type Detested Vesselin Bontchev, famous AV expert Depend on default suppression of file Also attacked researcher Sarah Gordon by suffix (e.g., AnnaKournikova.jpg.vbs.txt) name 21 Copyright © 2014 M. E. Kabay. All rights reserved. 22 Copyright © 2014 M. E. Kabay. All rights reserved. 1987: IBM Christmas Tree Worm 1988: The Morris Worm E-mail sent via IBM internal e-mail network Robert T. Morris (not a “Robert T. Morris, Jr”!) Included program to draw ASCII Christmas tree on screen Cornell University grad student Son of famed NSA cryptographer Used recipient’s e-mail address book to Robert H. Morris mail itself to everyone on the network Wrote paper on sendmail and fingerd No mechanism to prevent vulnerabilities on UNIX systems superinfection Seems to have intended to Overloaded worldwide IBM networks demonstrate significance Messages escaped from IBM into Released a defective version of his demo worm BITNET Originally intended to replicate slowly, avoid superinfection In fact grew fast and superinfected systems worldwide 23 Copyright © 2014 M. E. Kabay. All rights reserved. 24 Copyright © 2014 M. E. Kabay. All rights reserved. 1999-12 W.95.Babylonia Morris Worm (cont’d) Virus/Worm Launched Worm at 17:00 on 2 November 1988 Extensible virus By 06:00 next morning the Internet was effectively Payload modified remotely down Trojan virus-dropper ~6,000-9,000 systems crashed or taken offline Disguised as Y2K bug fix for internet relay Computer scientists worked feverishly all night chat (IRC) users analyzing the Worm Sent itself other users Distributed fixes by telephone and fax (no ‘Net) Polled Internet site in Japan Led to formation of CERT-CC® in Dec 1988 Looked for updated plugins Morris convicted of violating 1986 Computer Fraud and Abuse Act (18 USC §1030) 400 hours community service + $10K fine 25 Copyright © 2014 M. E. Kabay. All rights reserved. 26 Copyright © 2014 M. E. Kabay. All rights reserved. 2000-05: ILOVEYOU 2000-06: Timofonica Worm Worm E-mail subject ILOVEYOU E-mail attachment E-mail enabled malware LOVE-LETTER-FOR-YOU.TEXT.vbs Automatically sent pager Used all addresses in address book message to block of Telefonica cell phones Became #1 infectious code in Europe, Asia, USA Tried to delete all data on Variants appeared quickly hard disk Created by 27-yr-old Filipino computer student Onel de Guzman No local laws against spreading viruses Creator given job as programmer! 27 Copyright © 2014 M. E. Kabay. All rights reserved. 28 Copyright © 2014 M. E. Kabay. All rights reserved. 2001-03: SirCam Worm 2001-06: CodeRed Worm Propagated on Windows systems Infected vulnerable Web servers Used standard e-mail address books Windows NT or Windows 2000 or CISCO equipment running MS-IIS software that has
Load more

Recommended publications
  • Zerohack Zer0pwn Youranonnews Yevgeniy Anikin Yes Men
    Zerohack Zer0Pwn YourAnonNews Yevgeniy Anikin Yes Men YamaTough Xtreme x-Leader xenu xen0nymous www.oem.com.mx www.nytimes.com/pages/world/asia/index.html www.informador.com.mx www.futuregov.asia www.cronica.com.mx www.asiapacificsecuritymagazine.com Worm Wolfy Withdrawal* WillyFoReal Wikileaks IRC 88.80.16.13/9999 IRC Channel WikiLeaks WiiSpellWhy whitekidney Wells Fargo weed WallRoad w0rmware Vulnerability Vladislav Khorokhorin Visa Inc. Virus Virgin Islands "Viewpointe Archive Services, LLC" Versability Verizon Venezuela Vegas Vatican City USB US Trust US Bankcorp Uruguay Uran0n unusedcrayon United Kingdom UnicormCr3w unfittoprint unelected.org UndisclosedAnon Ukraine UGNazi ua_musti_1905 U.S. Bankcorp TYLER Turkey trosec113 Trojan Horse Trojan Trivette TriCk Tribalzer0 Transnistria transaction Traitor traffic court Tradecraft Trade Secrets "Total System Services, Inc." Topiary Top Secret Tom Stracener TibitXimer Thumb Drive Thomson Reuters TheWikiBoat thepeoplescause the_infecti0n The Unknowns The UnderTaker The Syrian electronic army The Jokerhack Thailand ThaCosmo th3j35t3r testeux1 TEST Telecomix TehWongZ Teddy Bigglesworth TeaMp0isoN TeamHav0k Team Ghost Shell Team Digi7al tdl4 taxes TARP tango down Tampa Tammy Shapiro Taiwan Tabu T0x1c t0wN T.A.R.P. Syrian Electronic Army syndiv Symantec Corporation Switzerland Swingers Club SWIFT Sweden Swan SwaggSec Swagg Security "SunGard Data Systems, Inc." Stuxnet Stringer Streamroller Stole* Sterlok SteelAnne st0rm SQLi Spyware Spying Spydevilz Spy Camera Sposed Spook Spoofing Splendide
    [Show full text]
  • Infosec Year in Review -- 1999
    InfoSec Year In Review -- 1999 M. E. Kabay, PhD, CISSP. Security Leader, INFOSEC Group, AtomicTangerine Inc. Category 11 Breaches of confidentiality Date 1999-01-29 Keyword data leakage privacy confidentiality control Web Source, Vol, No. RISKS 20 18 The Canadian consumer-tracking service Air Miles inadvertently left 50,000 records of applicants for its loyalty program publicly accessible on their Web site for an undetermined length of time. The Web site was offline as of 21 January until the problem was fixed. Date 1999-02-03 Keyword data leakage Web script QA vulnerability confidentiality Source, Vol, No. WIRED via PointCast An error in the configuration or programming of the F. A. O. Schwarz Web site resulted paradoxically in weakening the security of transactions deliberately completed by FAX instead of through SSL. Customers who declined to send their credit-card numbers via SSL ended up having their personal details — address and so forth — stored in a Web page that could be accessed by anyone entering a URL with an appropriate (even if randomly chosen) numerical component. Date 1999-02-10 Keyword e-commerce credit card personal information password privacy Source, Vol, No. RISKS 20 20 Prof. Ross Anderson of Cambridge University analyzed requirements on the AMAZON.COM online bookstore for credit card number, password, and personal details such as phone number. He identified several risks: (1) merchant retention of credit card numbers poses a far higher risk of capture than of capture in transit; (2) adding a password increases the likelihood of compromise because so many naïve users choose bad passwords and then write them down; (3) even the British site for Amazon contravenes European rules on protecting consumer privacy; (3) such practices make it easier for banks to reject their clients' claims of fraudulent use of their credit-card numbers.
    [Show full text]
  • Bâtisseurs Depuis 1959
    SABINE BLANC - OPHELIA NooR HACKERS: BÂTISSEURS DEPUIS 1959 Livre numérique BELLES HISTOIRES HACKERS : BÂTISSEURS DEPUIS 1959 SABINE BLANC - OPHELIA NooR HACKERS : BÂTISSEURS DEPUIS 1959 “Le contournement intelligent des limites imposées, qu’elles le soient par votre gouvernement, vos propres capacités ou les lois de la physique.” Jude Milhon, “St. Jude”, patronne des hackers, 1939-2003 OWNI EDITIONS PAGE 2 BELLES HISTOIRES HACKERS : BÂTISSEURS DEPUIS 1959 PRÉLIMINaire DIS, C’EST QUOI UN HACKER ? Chapitres I. DES LABORATOIRES AUX GARAGES • Les défricheurs du MiT • faiTes des ordinaTeurs, pas La guerre II. EN RÉSISTANCE • Les peTiTs cons en prison • hacker La Loi • Libre ! III. INTERNET, TERRAIN DE BATAILLE GRAND PUBLIC • Libres sous TouTes ses forMes • exTension du doMaine du piraTage • L’essor de L’hackTivisMe iv. hackers on pLaneT earTh • “La prochaine révoLuTion ? faiTes-La vous-MêMe” • “ce réseau de hackerspaces va changer Le Monde coMMe jaMais” • L’hackTivisMe en ouverTure des jT • hacker La déMocraTie posTface de MiTch aLTMan références REMERCIEMENTS Textes par Sabine Blanc et photographies par Ophelia Noor OWNI EDITIONS PAGE 3 BELLES HISTOIRES HACKERS : BÂTISSEURS DEPUIS 1959 Soulever le capot, un des fondement de la culture hacker. Un nombreux robots du Tetalab (THSF), hackerspace Toulouse, dans ses locaux partagés avec collectif d’artistes Mix’art Myris. OWNI EDITIONS PAGE 4 BELLES HISTOIRES HACKERS : BÂTISSEURS DEPUIS 1959 DIS, C’EST QUOI UN HACKER ? Les hackers n’ont pas de chance : toute communauté a ses brebis galeuses, sans pour autant que les brebis galeuses ne finissent par devenir, dans l’opinion, la communauté en elle-même. Un peu comme si médecin avait fini par signifier “charlatan”.Assimilé à des actes répréhensibles, comme le médiatique piratage de carte bleue, le hacking est désormais entendu comme une pratique négative.
    [Show full text]
  • A Summary of Hacking Organizations, Conferences, Publications, and E
    A Summary of Hacking Organizations, Conferences, Publications, and E... http://www.cse.wustl.edu/~jain/cse571-07/ftp/hacking_orgs/ A Summary of Hacking Organizations, Conferences, Publications, and Effects on Society Alisha Cecil [[email protected]] Abstract Since the early 1970's, hackers have been prevalent throughout the computing world. Two main categories of Hackers have evolved: the Open Source and Free Software group and the Security Hackers group. This paper details some of the more notable groups and individuals of each 'category' of hackers, the effects of hacking on society, as well as conferences and publications that they are responsible for that have contributed to the modern hacking world. Table of Contents 1.0 Introduction 2.0 Hacking Sytles 3.0 Hacker Etiquette & Ethics 4.0 Hacking Groups & Individuals 4.1 Open Source & Free Software Hackers 4.2 Security Hackers 4.2.1 Chaos Computer Club (CCC) 4.2.2 Legion of Doom (LoD) 4.2.3 The Mentor 4.2.4 cDc Communications 4.2.5 Shadow Crew 5.0 Hacker Conferences 5.1 Chaos Communication Congress 5.2 SummerCon 5.3 HoHoCon (or Xmas Con) 5.4 DEF CON 5.5 Hackers on Planet Earth (H.O.P.E.) 5.6 Black Hat Briefiengs 6.0 Hacker Publications 6.1 2600: Hacker Quarterly 6.2 Phrack 7.0 Hackers Effects on Society 8.0 Summary List of Acronyms References 1.0 Introduction Since the early 1970's, hackers have been prevalent throughout the computing world. They come in all shapes, 1 of 16 12/19/2007 5:12 PM A Summary of Hacking Organizations, Conferences, Publications, and E..
    [Show full text]