Outline Malicious Software Trojan (Horse)

Outline Malicious Software Trojan (Horse)

Outline CSci 5271 Malware and the network Introduction to Computer Security Malware and Denial of Service Announcements intermission Stephen McCamant University of Minnesota, Computer Science & Engineering Denial of service and the network Malicious software Trojan (horse) Shortened to Mal. ware Software whose inherent goal is Looks benign, has secret malicious malicious functionality Not just used for bad purposes Key technique: fool users into Strong adversary installing/running High visibility Concern dates back to 1970s, MLS Many types (Computer) viruses Worms Attaches itself to other software Completely automatic self-propagation Propagates when that program runs Requires remote security holes Once upon a time: floppy disks Classic example: 1988 Morris worm More modern: macro viruses “Golden age” in early 2000s Have declined in relative importance Internet-level threat seems to have declined Fast worm propagation Getting underneath Initial hit-list Lower-level/higher-privilege code can Pre-scan list of likely targets Accelerate cold-start phase deceive normal code Permutation-based sampling Rootkit: hide malware by changing Systematic but not obviously patterned kernel behavior Pseudorandom permutation MBR virus: take control early in boot Approximate time: 15 minutes Blue-pill attack: malware is a VMM “Warhol worm” Too fast for human-in-the-loop response running your system Malware motivation User-based monetization Once upon a time: curiosity, fame Adware, mild spyware Now predominates: money Keyloggers, stealing financial Modest-size industry credentials Competition and specialization Ransomware Also significant: nation-states Application of public-key encryption Industrial espionage Malware encrypts user files Stuxnet (not officially acknowledged) Only $300 for decryption key Bots and botnets Bot monetization Bot: program under control of remote attacker Click (ad) fraud Botnet: large group of bot-infected Distributed DoS (next section) computers with common “master” Bitcoin mining Command & control network protocol Once upon a time: IRC Pay-per-install (subcontracting) Now more likely custom and obfuscated Spam sending Centralized ! peer-to-peer Gradually learning crypto and protocol lessons Malware/anti-virus arms race Signature-based AV “Anti-virus” (AV) systems are really Similar idea to signature-based IDS general anti-malware Would work well if malware were static Clear need, but hard to do well In reality: No clear distinction between benign Large, changing database and malicious Frequent updated from analysts Not just software, a subscription Endless possibilities for deception Malware stays enough ahead to survive Emulation and AV Polymorphism Simple idea: run sample, see if it does Attacker makes many variants of something evil starting malware Obvious limitation: how long do you Different code sequences, same wait? behavior Simple version can be applied online One estimate: 30 million samples More sophisticated emulators/VMs observed in 2012 used in backend analysis But could create more if needed Packing Fake anti-virus Sounds like compression, but real goal Major monentization strategy recently is obfuscation Your system is infected, pay $19.95 for Static code creates real code on the fly cleanup tool Or, obfuscated bytecode interpreter For user, not fundamentally Outsourced to independent “protection” distinguishable from real AV tools Outline Note to early readers Malware and the network This is the section of the slides most likely to change in the final version Announcements intermission If class has already happened, make sure you have the latest slides for Denial of service and the network announcements Outline DoS versus other vulnerabilities Effect: normal operations merely Malware and the network become impossible Software example: crash as opposed Announcements intermission to code injection Less power that complete compromise, Denial of service and the network but practical severity can vary widely Airplane control DoS, etc. When is it DoS? Algorithmic complexity attacks Very common for users to affect Can an adversary make your algorithm others’ performance have worst-case behavior? O(n2) Focus is on unexpected and unintended quicksort effects Hash table with all entries in one bucket Unexpected channel or magnitude Exponential backtracking in regex matching XML entity expansion Compression DoS XML entities (c.f. HTML &lt) are like C macros Some formats allow very high compression ratios #define B (A+A+A+A+A) Simple attack: compress very large input #define C (B+B+B+B+B) More powerful: nested archives #define D (C+C+C+C+C) Also possible: “zip file quine” #define E (D+D+D+D+D) decompresses to itself #define F (E+E+E+E+E) DoS against network services Tiny bit of queueing theory Common example: keep legitimate Mathematical theory of waiting in line users from viewing a web site Simple case: random arrival, sequential Easy case: pre-forked server supports fixed-time service M/D/1 100 simultaneous connections If arrival rate service rate, expected Fill them with very very slow downloads queue length grows without bound SYN flooding SYN cookies SYN is first of three packets to set up Change server behavior to stateless new connection approach Traditional implementation allocates Embed small amount of needed space for control data information in fields that will be echoed in third packet However much you allow, attacker fills MAC-like construction with unfinished connections Other disadvantages, so usual Early limits were very low (10-100) implementations used only under attack DoS against network links Traffic multipliers Third party networks (not attacker or Try to use all available bandwidth, victim) crowd out real traffic One input packet causes n output Brute force but still potentially effective packets Baseline attacker power measured by Commonly, victim’s address is forged packet sending rate source, multiply replies Misuse of debugging features “Smurf” broadcast ping Distributed DoS Many attacker machines, one victim ICMP echo request with forged source Easy if you own a botnet Sent to a network broadcast address Impractical to stop bots one-by-one Every recipient sends reply May prefer legitimate-looking traffic Now mostly fixed by disabling this over weird attacks feature Main consideration is difficulty to filter Next time Network anonymity with overlay networks.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    6 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us