Transcript Document
CIT 616 Fundamentals of Computer Security
Mohammed A. Saleh
http://ifm.ac.tz/staff/msaleh/CIT616.html

Malware
- Malware is also referred to as malicious code; it comes in the form of viruses, worms, trojans, backdoors and other malicious software.
- Famous attacks include Melissa, ExploreZip, MiniZip, Code Red, NIMDA, BubbleBoy, I Love You, NewLove, KillerResume, Kournikova, NakedWife and Klez.
- A virus or worm could even be active in your machine right now, lying dormant until some trigger activates it.

Scenario

A Malware Taxonomy
Malicious programs
- Needs a host program: trapdoors, logic bombs, Trojan horses, viruses
- Independent: worms, zombies, rootkits
- Viruses and worms replicate.

Terminologies
- Denial of service (DoS) attack: attempts to make a server or other network device unavailable by flooding it with requests. After a short time the server runs out of resources and can no longer function. The attack originates from a single computer aimed at the targeted system.
- Distributed DoS (DDoS) attack: instead of using one computer, the attack is launched from many different computers; requests are sent from hundreds or thousands of computers.
- Exploit: malware that capitalizes on known or undiscovered vulnerabilities, which are bugs or weaknesses in software applications or operating systems.
- Rootkit: malware, usually a small suite of programs, that installs a new account or steals an existing one and then elevates that account's privilege to the highest level, so that attackers can do their will without obstruction.
- Script: a file containing the attacker's specific instructions and the commands that make them occur.
- Sniffer: an attack, usually a Trojan horse, that monitors computer transactions or keystrokes. A keystroke logger, for instance, captures sensitive information by monitoring the user's keystrokes.
- Trojan horse: malware named for its method of getting past computer defenses by pretending to be something useful.
- Zombie: a corrupted computer that is waiting for instructions and commands from its master, the attacker.

Viruses
- Symptoms of Virus-Like Attacks
- Virus Hoax
- Terminologies
- How is a worm different?
- Indications of a Virus Attack
- Virus History
- Virus Damage
- Effects of Virus on Business
- Access Methods of a Virus
- Mode of Virus Infection
- Lifecycle of a Virus
- Virus Classification
- What does a Virus Infect?
- How does a Virus Infect?

Virus Classification (cont.)
- Polymorphic virus: changes itself or its code in the course of hiding from an anti-virus.
- Stealth virus: runs undetected.
- Armored virus: protects itself from anti-virus programs; it may even disable an anti-virus program.
- Sparse virus: does not necessarily infect on every execution; it might infect only after the program has been run five times or so.
- Fast and slow virus: classified by the nature (rate) of infection.
- Multipartite virus: usually has multiple parts that affect both the boot sectors of different machines and the executables.
- Cavity (space filler) virus: takes up the empty space at the end of a file, for instance the host file, so that it remains undetected within the file itself.
- Tunneling virus: works at the lower levels of the OS; it may sit beneath the OS at the kernel level or even at the device driver level.
- Camouflage virus: makes itself look like a legitimate file or program.

Famous Viruses and Worms
- W32.CIH.Spacefiller
- Win32 Explore.Zip virus
- I Love You virus
- Melissa virus
- Pretty Park
- Code Red worm
- W32/Klez
- Bug Bear
- SirCam
- Nimda
- SQL Slammer worm

Writing a Simple Virus Program

Virus Detection Methods

Virus Incident Response

Prevention is Better than Cure

Remedies
- There are many programs that can help you keep viruses out, known as virus protection programs.
- These products, and the system administration procedures that go along with them, have two overlapping
goals:
- they don't let you run a program that's infected;
- they keep infected programs from damaging your system.

Firewalls
- A firewall is hardware, software, or a combination of both, used to prevent unauthorized programs or Internet users from accessing a private network and/or a single computer.
- The unwanted programs are the malware: viruses and worms.

Hardware firewalls
- Protect an entire network
- Implemented at the router level
- Usually more expensive, harder to configure

Software firewalls
- Protect a single computer
- Usually less expensive, easier to configure

How does a software firewall work?
- Inspects each individual "packet" of data as it arrives at either side of the firewall, inbound to or outbound from your computer.
- A packet is a message containing the source address (sender address) and the destination address (recipient address).
- Determines whether the packet should be allowed to pass through or should be blocked.

Firewall Rules
- Allow: traffic that flows automatically because it has been deemed "safe" (e.g. Meeting Maker, Eudora, etc.)
- Block: traffic that is blocked because it has been deemed dangerous to your computer
- Ask: the firewall asks the user whether or not the traffic is allowed to pass through

Examples of personal firewalls
- ZoneAlarm <www.zonelabs.com>
- BlackICE Defender <http://blackice.iss.net>
- Tiny Personal Firewall <www.tinysoftware.com>
- Norton Personal Firewall <www.symantec.com>
*** Please be sure to read the license agreement carefully to verify that the firewall can be legally used at home and/or the office.
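The packet-inspection and Allow/Block/Ask rules described above, worked through in code. This is an added example, not code from the CIT 616 slides or from any of the firewall products listed: the packets, addresses, rule list and the "first matching rule wins, otherwise ask the user" policy are all assumptions made for the illustration.

```python
"""Evaluate a personal-firewall rule list over constructed packets.

Added example, not code from the CIT 616 slides.  The packets, addresses,
rule list and the "first matching rule wins, otherwise ask" policy are
assumptions made for this illustration; real products differ in detail.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

LAN = "192.168.1.0/24"   # assumed home/office network of the protected host


@dataclass(frozen=True)
class Packet:
    direction: str  # "inbound" (to this host) or "outbound" (from this host)
    src: str        # source (sender) address
    dst: str        # destination (recipient) address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow", "block" or "ask": the slide's three verdicts
    direction: str = "any"
    proto: str = "any"
    remote: str = "0.0.0.0/0"   # network the far end of the connection must lie in
    dport: Optional[int] = None
    why: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.direction != "any" and pkt.direction != self.direction:
            return False
        if self.proto != "any" and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        # The "remote" side is the sender for inbound traffic, the recipient for outbound.
        far_end = pkt.src if pkt.direction == "inbound" else pkt.dst
        return ip_address(far_end) in ip_network(self.remote)


# Constructed rule list; order matters because the first match decides.
RULES: List[Rule] = [
    Rule("block", "inbound", "tcp", dport=135, why="RPC from anywhere"),
    Rule("block", "inbound", "tcp", dport=445, why="SMB file sharing from anywhere"),
    Rule("allow", "outbound", "tcp", dport=80, why="web browsing"),
    Rule("allow", "outbound", "tcp", dport=443, why="web browsing (TLS)"),
    Rule("allow", "outbound", "tcp", remote=LAN, dport=25, why="mail via the LAN relay only"),
    Rule("allow", "inbound", "tcp", remote=LAN, dport=3389, why="remote desktop from the LAN only"),
]


def evaluate(pkt: Packet, rules: List[Rule] = RULES, default: str = "ask") -> Tuple[str, str]:
    """Return (verdict, reason) for one packet: the first matching rule wins."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.why
    # Nothing matched: hand the decision to the user, as the "Ask" rule does.
    return default, "no rule matched"


# Constructed sample traffic for a host at 192.168.1.10.
SAMPLE_PACKETS = [
    Packet("outbound", "192.168.1.10", "203.0.113.10", "tcp", 443),   # browsing
    Packet("inbound", "198.51.100.7", "192.168.1.10", "tcp", 445),    # Internet host probing SMB
    Packet("inbound", "192.168.1.20", "192.168.1.10", "tcp", 3389),   # colleague's RDP session
    Packet("inbound", "198.51.100.7", "192.168.1.10", "tcp", 3389),   # RDP from the Internet
    Packet("outbound", "192.168.1.10", "192.168.1.1", "tcp", 25),     # mail client to LAN relay
    Packet("outbound", "192.168.1.10", "203.0.113.25", "tcp", 25),    # direct SMTP to the Internet
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        verdict, why = evaluate(pkt)
        print(f"{pkt.direction:8} {pkt.src:>14} -> {pkt.dst:<14} "
              f"{pkt.proto}/{pkt.dport:<5} {verdict:5} ({why})")
```

The last sample packet is the interesting one: a program on the host trying to speak SMTP directly to an Internet address matches no rule, so the user is asked, which is how a personal firewall surfaces a mass-mailing program the anti-virus has not recognised. Note the limit of this kind of inspection: the filter judges only addresses, ports and direction, so any program using an allowed port (80, 443) passes unchallenged; the rules complement anti-virus scanning rather than replace it.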
Anti-virus
- Software used to prevent, detect and remove malware, including viruses, worms and Trojan horses.
- Virus protection software uses two main techniques: signature-based detection and heuristic-based detection.

Signature-based detection
- Hides in the background watching files come and go until it detects a pattern that aligns with one of its stored signatures; then it sounds the alarm and may isolate or quarantine the code.
- Removes known viruses.
- An on-demand scanner periodically scans the various disks and memory of the computer.

Heuristic-based detection
- Identifies unknown viruses by detecting and reporting suspicious code segments and placing them in quarantine.

Problems with signature-based virus protection programs
- They require a constant flow of new signatures in response to evolving attacks: their publishers stay alert for new viruses, determine the signatures and make them available as updated virus definition tables to their users.
- As the number of viruses increases, the tables get progressively larger. This is particularly a problem on memory-limited devices such as palm-top computers or intelligent cell phones.
- Zero-day problem: occurs when a user trips over a new virus before the publisher discovers it and can issue an updated signature.

Drawbacks of anti-virus
1. Antivirus software can degrade computer performance if it is not designed efficiently.
2. Inexperienced users may have trouble understanding the prompts and decisions that antivirus software presents them with.
3. The success of heuristic-based detection depends on whether it achieves the right balance between false positives and false negatives.
- In one case, a faulty virus signature issued by Symantec mistakenly removed essential operating system files, leaving thousands of PCs unable to boot.

Effectiveness
- Studies in December 2007 have shown that the effectiveness of antivirus software has decreased in recent years, particularly against unknown or zero-day attacks.
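The two techniques above, signature matching against a definition table and heuristic scoring of suspicious traits, side by side on constructed files, showing the zero-day miss and the false-positive/false-negative trade-off. This is an added example, not code from the CIT 616 slides or from any anti-virus product: the "definition table", the heuristic indicators, the thresholds and every sample file are made up for the illustration, and no real malware is involved.

```python
"""Signature-based and heuristic scanning side by side.

Added example, not code from the CIT 616 slides.  The "virus definition
table", the heuristic indicators, the thresholds and all sample files are
constructed for this illustration; no real malware is involved.
"""
import math
import re
from typing import List, Optional, Tuple

# Constructed virus definition table: name -> byte pattern that must occur
# in the file.  Real tables hold a great many more entries, which is the
# growth problem noted above.
SIGNATURES = {
    "Demo.Macro.A": b"Sub AutoOpen()\x00Shell",
    "Demo.Worm.B": b"SELF-REPLICATE\x00MAILTO",
}

# Constructed heuristic indicators: (pattern, weight, explanation).
INDICATORS = [
    (re.compile(rb"AutoOpen|Document_Open", re.I), 2, "auto-run macro"),
    (re.compile(rb'CreateObject\("Outlook\.Application"\)', re.I), 3, "drives the mail client"),
    (re.compile(rb"WScript\.Shell|cmd\.exe|powershell", re.I), 2, "spawns a shell"),
    (re.compile(rb"HKEY_|RegWrite", re.I), 1, "writes the registry"),
]
ENTROPY_THRESHOLD = 7.0     # bits/byte; packed or encrypted code approaches 8.0
HEURISTIC_THRESHOLD = 4     # score at or above this is quarantined


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def signature_scan(data: bytes) -> Optional[str]:
    """Return the name of the first matching signature, or None if unknown."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def heuristic_scan(data: bytes) -> Tuple[int, List[str]]:
    """Score suspicious traits; the threshold on this score is the false-positive/negative knob."""
    score, reasons = 0, []
    for pattern, weight, why in INDICATORS:
        if pattern.search(data):
            score += weight
            reasons.append(why)
    if len(data) >= 256 and shannon_entropy(data) > ENTROPY_THRESHOLD:
        score += 2
        reasons.append("high entropy (packed or encrypted)")
    return score, reasons


def scan(data: bytes, threshold: int = HEURISTIC_THRESHOLD) -> Tuple[str, str]:
    """Signature check first (cheap and exact); heuristics only for unknown files."""
    known = signature_scan(data)
    if known:
        return "quarantine", f"known: {known}"
    score, reasons = heuristic_scan(data)
    if score >= threshold:
        return "quarantine", f"suspicious (score {score}): " + ", ".join(reasons)
    return "allow", f"clean (score {score})"


# Constructed sample files (not real malware).
KNOWN = b"Attribute VB_Name\nSub AutoOpen()\x00Shell \"del *.*\"\nEnd Sub"
ZERO_DAY = (b"Sub Document_Open()\r\n"                       # variant the table has never seen
            b"Set o = CreateObject(\"Outlook.Application\")\r\n"
            b"CreateObject(\"WScript.Shell\").Run \"cmd.exe /c copy %0 %TEMP%\"\r\n"
            b"End Sub")
PACKED = b"powershell " + bytes(range(256)) * 4           # shell launcher plus an opaque blob
BENIGN = b"Quarterly report: revenue rose 4%. See the attached spreadsheet."
ADMIN_SCRIPT = (b"@echo off\r\nreg add HKEY_LOCAL_MACHINE\\Software\\Corp /v Build /d 42\r\n"
                b"cmd.exe /c echo done")

if __name__ == "__main__":
    for label, sample in [("known", KNOWN), ("zero-day", ZERO_DAY), ("packed", PACKED),
                          ("benign", BENIGN), ("admin script", ADMIN_SCRIPT)]:
        print(f"{label:12} -> {scan(sample)}")
    # Lowering the threshold catches more, but now the admin script is a false positive.
    print("admin script at threshold 3 ->", scan(ADMIN_SCRIPT, threshold=3))
```

The zero-day sample is the point of the exercise: it shares no byte pattern with the table, so the signature scan returns nothing, and only the heuristic catches it. The administrator's batch file shows the other side of the trade-off: at threshold 4 it passes, at threshold 3 it is quarantined, which is the kind of false positive behind the Symantec incident mentioned above.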
- Detection rates for unknown and zero-day threats had dropped from 40-50% in 2006 to 20-30% in 2007 [from the German computer magazine].
- At the time, the only exception was the NOD32 antivirus, which managed a detection rate of 68%.

Online Detection
- Some antivirus vendors maintain websites with free online scanning of the entire computer, critical areas only, local disks, folders or files. Examples include Kaspersky Online Scanner and ESET Online Scanner.
- Other online sites scan only files uploaded by users. These sites run multiple virus scanners and report the result to the user, e.g. Jotti's malware scan, COMODO Automated Analysis System and Virustotal.com.

Popular Antivirus Packages

Summary
- Viruses and worms enter networks from the outside, i.e., from connected networks or the Internet, and from the inside, i.e., from computers and media that users bring from their homes.
- Viruses exist as a chance for programmers to demonstrate their skills.
- Viruses can be devastating: robbing network owners of massive amounts of bandwidth, stealing secrets, defeating security, corrupting data or holding it hostage, even taking down entire systems.
- These extreme examples demonstrate how creating and propagating viruses and worms can be criminal, even terroristic, in scope.
- Effective computer security policies and practices can do much to eliminate the spread of viruses and worms.
- In the end, however, nothing can do more to stop the spread of pathogenic programs than educating and training users in virus prevention.

Questions