Transcript Malware Fundamentals Workshop
Slide 1
Malware
Fundamentals
POLITEHNICA University of Bucharest
14th of January 2015
Ionuţ – Daniel BARBU
Slide 2
Agenda
• Evolution
• Security implementations in Operating Systems
• Historical facts
• Malware types
Source of the information: Wikipedia.org
Slide 3
Evolution
Source: theusindependent.com
Slide 4
Operating Systems
Windows NT
• Designed for security, but not for the Internet
Windows 9x
• Offered the option of multiple profiles, but not of multiple users
• Partial memory protection
• No access privileges concept
Newer versions
• XP: limited accounts
• Vista: User Account Control; the first user being administrator by default was removed
• 7: BitLocker Drive Encryption and biometrics; improved Windows Firewall, Microsoft Security Essentials & Windows Defender
• 8: new authentication methods
Windows Patch Tuesday
“Consumer versions of Windows were originally designed for ease-of-use on a single-user PC without a network connection, and did not have security features built in from the outset.” – Wikipedia
Slide 5
Malware
…is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
Regin
• Reversed in November 2014
• Samples date from 2003
• Customized spying
• Stealthy
• Steals information
Stuxnet
• Worm discovered in 2010
• Attacked industrial programmable logic controllers
• Ruined 20% of Iran’s nuclear centrifuges
• Causes harm
• Sabotage
CryptoLocker
• Ransomware Trojan
• Discovered by Dell SecureWorks
• Propagated via e-mail attachments or botnets
• Encrypts
• Money extortion (Bitcoin)
Slide 6
History
Early stages
• 1949 – John von Neumann introduces the theory of self-replicating programs
• 1972 – Veith RISAK writes an article describing a fully functional virus for the SIEMENS 4004/35
• 1980 – Jürgen KRAUS: “computer programs can behave in a way similar to biological viruses”
First computer viruses
• 1971 – Creeper virus – ARPANET: “I’m the creeper, catch me if you can!” The Reaper worm was designed to catch it – it did!
• 1982 – Elk Cloner – first personal computer virus – displayed a poem
• 1992 – first Windows virus – WinVir
Source: ajovomultja.hu
Slide 7
Viruses
“the defining characteristic of viruses is that they are self-replicating computer programs which install themselves without the user's consent.”
When executed, a virus replicates by inserting copies of itself into other programs etc.
When infected:
• Steals hard disk space or CPU time
• Accesses private information, corrupts data
• Keystroke logging
Motivation:
• Seek profit
• Message conveying
• Sabotage
• Denial of service
Replication techniques:
• Resident (after installation it remains in RAM) vs. non-resident (scans for targets, infects and exits)
• Macro virus (embedded in macro-containing documents)
• Boot sector
Methods:
• Social engineering
• Security vulnerabilities
Anti-virus:
• Open source
• Proprietary
Viruses often use complex anti-detection/stealth strategies to evade antivirus software: keeping the same “last modification date” and file size, or trying to kill detection tasks; intercepting read requests, self-modification, encrypted viruses, polymorphic vs. metamorphic code.
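Slide 7 notes that viruses keep the “last modification date” and file size unchanged to evade detection. The following integrity check, added here as an example and not part of the workshop material, shows why a defender's baseline must compare content hashes rather than metadata: it builds a SHA-256 baseline over a constructed temporary directory, patches a file in place with size and mtime preserved, and still flags it. File names and contents are constructed for the demonstration.

```python
"""Added example (not from the workshop slides): a file-integrity baseline
that compares SHA-256 digests instead of trusting 'last modification date'
and size. Sample files below are constructed for the demonstration."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:            # stream, so large binaries fit
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Map relative path -> (size, mtime_ns, sha256) for every regular file."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            out[str(p.relative_to(root))] = (st.st_size, st.st_mtime_ns, sha256_of(p))
    return out


def compare(root: Path, base: dict) -> dict:
    """Return {relpath: reason}; 'content' means the hash changed but size/mtime did not."""
    findings, current = {}, baseline(root)
    for rel, (size, mtime, digest) in base.items():
        if rel not in current:
            findings[rel] = "missing"
        elif (current[rel][0], current[rel][1]) != (size, mtime):
            findings[rel] = "metadata"    # what a naive size/date check sees
        elif current[rel][2] != digest:
            findings[rel] = "content"     # metadata preserved, content replaced
    for rel in current.keys() - base.keys():
        findings[rel] = "new"
    return findings


def demo() -> dict:
    """Constructed scenario: app.bin is patched in place, size and mtime kept."""
    with tempfile.TemporaryDirectory() as tmp:
        root, target = Path(tmp), Path(tmp) / "app.bin"
        target.write_bytes(b"MZ" + b"\x90" * 30)      # constructed fake binary
        (root / "readme.txt").write_text("hello")     # untouched control file
        base = baseline(root)
        st = target.stat()
        target.write_bytes(b"MZ" + b"\xcc" * 30)      # same length, new content
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # restore timestamp
        return compare(root, base)
```

A size-and-date comparison alone would report nothing for this scenario; only the digest comparison reports the patched file.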
Slide 8
Unlike a virus, it does
not need to attach itself
to an existing program.
At least some harm is caused due to
bandwidth consumption.
Worms
…standalone malware
computer program that
replicates itself in order to
spread to other computers
The payload
is usually
designed to
delete files,
encrypt or
send docs
via mail.
Packet filters
ACL
Patching
Firewall
Backdoors represent a
known payload and
they usually lead to
Zombie computers
and further to botnets
Many of them are payload free, however even
these cause major disruption: Morris Worm 1988
(first distributed worm via Internet from MIT)
Slide 9
Trojan Horse
…is a generally non-self-replicating type of malware program containing malicious code that carries out actions determined by its nature…
• remote access
• hack
• data theft or loss
• system harm
• can act as a backdoor
Interesting use: anonymizer proxy!
Protection:
• IPS
• IDS
• Content filtering
Zeus / Zbot
• Microsoft Windows OS
• Steals banking information
• Man-in-the-browser
• Keystroke logging
• Also distributes CryptoLocker
Beast 2.07
Source: megasecurity.org
Slide 10
Others
Backdoor
• Method of bypassing normal authentication
• Basic example of a backdoor: default password
Rootkit
• Hides the existence of certain processes or programs
• Enables continued privileged access to a computer
Spyware & Adware
• Spyware aids in gathering information about a person or organization without their knowledge
• Adware automatically renders advertisements in order to generate revenue for its author
Slide 11
Zero-Day
• Zero-day vulnerability & exploit
• Antivirus software signatures are not yet available
• Sandbox
• Behavior signatures
Slide 12
“If you think technology can solve your security problems, then you
don’t understand the problems and you don’t understand the technology.”
Bruce Schneier
Thank you!