WYŻSZA SZKOŁA BIZNESU W DĄBROWIE GÓRNICZEJ 2015
Computer Security Threats (English language course)
Lecturer: mgr Iwona Choryń
Krzysztof Milanowski
Computer Science, second-cycle (master's) studies, semester IV
• Computer security protects computer-based data from software-based and communications-based threats.

• Malicious software: programs exploiting system vulnerabilities.
• Also known as malware.
• Types:
  ◦ program fragments that need a host program
    ▪ e.g. viruses, logic bombs, and backdoors
  ◦ independent self-contained programs
    ▪ e.g. worms, bots
  ◦ replicating or not
• A sophisticated threat to computer systems!
• In 1983, graduate student Fred Cohen first used the term "virus" in a paper describing a program that can spread by infecting other computers with copies of itself!
• In 1986, the Brain virus was the first virus designed to infect personal computer systems,
  ◦ by infecting floppy disks!
• A virus is a piece of software that infects programs (hosts),
  ◦ modifying them to include a copy of the virus,
  ◦ so it executes secretly when the host program is run.
• Usually specific to an operating system,
  ◦ taking advantage of its details and weaknesses.
• A typical virus goes through the phases of:
  ◦ Dormant: idle (not found in all viruses)
  ◦ Propagation: copies itself into other programs/disk areas
  ◦ Triggering: activated (date, file, disk limit)
  ◦ Execution: performs the intended function (message, damage...)
• Components:
  ◦ Infect: enables replication
  ◦ Trigger: event that makes the payload activate
  ◦ Payload: what it does
• Virus code can be prepended / postpended / embedded in the host program.
• When the infected program is invoked, it executes the virus code, then the original program code.
• Signatures: a sequence of bits that can be used to accurately identify the presence of a particular virus.
• The code consists of three stages:
  ◦ activation/trigger,
  ◦ replication/infect, and
  ◦ operation/payload.
• The payload is the malicious "task" of a virus,
  ◦ performed when the triggering condition is satisfied.
• Payload types:
  ◦ display a message, such as "Gotcha," a political slogan, or a commercial advertisement;
  ◦ read a certain sensitive or private file. Such a virus is in fact spyware;
  ◦ slow the computer down by monopolizing and exhausting limited resources;
  ◦ completely deny any services to the user.
• Erase all the files on the host computer.
• Select some files at random and change several bits in each file, also at random.
  ◦ Referred to as data diddling; it may be more serious, because it results in problems that seem to be caused by hardware failures, not by a virus.
• One step beyond data diddling is random deletion of files.
• Random change of permissions.
• Produce sounds, animation.
Two types:
• Nonresident viruses:
  ◦ search for other hosts that can be infected,
  ◦ infect those targets,
  ◦ transfer control to the infected program.
• Resident viruses:
  ◦ do not search for hosts when they are started. Instead, the virus loads itself into memory on execution and transfers control to the host program.
  ◦ The virus stays active in the background and infects new hosts when those files are accessed by other programs or the operating system itself.
Possible trigger conditions:
• Date or time
• Number of boots
• Generation counter of the virus
• Number of keypresses on the keyboard
• Amount of free space on the hard drive
• Amount of minutes the machine has been idle
• Name of an executed program
• Basically, any event in the PC can be used as a trigger by a virus!
By target:
• boot sector virus: infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.
• file infector: infects executable files.
• macro virus: infects files with macro code that is interpreted by an application.
By hiding method:
• encrypted virus: creates a random encryption key, stored with the virus, and encrypts the remainder of the virus. Then, the virus uses the stored random key to decrypt the virus. When the virus replicates, a different random key is selected.
• stealth virus: designed to hide itself from detection by antivirus software,
  ◦ by restoring the size, modification date, and checksum of the infected file.
• Polymorphic virus: mutates and infects each new file as a different string of bits, making detection by the "signature" of the virus impossible.
• Metamorphic virus: as with a polymorphic virus, a metamorphic virus mutates with every infection.
  ◦ The difference is that a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection.
• A virus can modify itself and become a different string of bits simply by inserting several nop instructions in its code.
  ◦ A nop (no operation) is an instruction that does nothing.
• Compression virus: in addition to mutating, a virus may hide itself in a compressed file in such a way that the bits with the virus part depend on the rest of the infected file and are therefore always different.
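The signature-versus-nop-insertion point above, as an added example written for this page rather than taken from the slides: a first-generation byte-signature match fails once NOPs are interleaved into otherwise identical code, while a scanner that normalises NOPs out of both the sample and the signature still finds it. The signature and the scanned samples are constructed byte strings, not real virus code.

```python
NOP = 0x90  # the single-byte x86 NOP ("no operation") opcode

# Constructed signature: the sequence of bytes a scanner would store to
# identify one particular virus (made up for this example).
SIGNATURE = bytes.fromhex("5589e5b8deadbeefe8")

# Constructed samples standing in for files being scanned.
SAMPLES = {
    "clean": bytes.fromhex("5589e5b8000000005dc3"),
    "original": bytes.fromhex("5589e5b8deadbeefe85dc3"),
    # same code with NOPs inserted at instruction boundaries: the bit
    # string changes although the program does exactly the same thing
    "nop_padded": bytes.fromhex("559089e590b8deadbeef9090e85dc3"),
}


def strip_nops(data: bytes) -> bytes:
    """Remove every NOP byte so padding no longer changes the bit string.

    Deliberately simple: it would also drop a 0x90 that is part of a
    multi-byte instruction or of immediate data, which is why real
    engines normalise on a disassembly rather than on raw bytes."""
    return bytes(b for b in data if b != NOP)


def exact_match(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """First-generation scanner: the raw signature must appear verbatim."""
    return signature in data


def normalised_match(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Same signature, but sample and signature are NOP-normalised first."""
    return strip_nops(signature) in strip_nops(data)


def scan_all() -> dict:
    """Run both matchers over every sample: {name: (exact, normalised)}."""
    return {name: (exact_match(d), normalised_match(d))
            for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, (exact, norm) in scan_all().items():
        print(f"{name:>10}: exact={exact}  normalised={norm}")
```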
• E-mail viruses are a more recent development.
• e.g. Melissa:
  ◦ exploits an MS Word macro in an attached document;
  ◦ if the attachment is opened, the macro activates;
  ◦ sends email to everyone on the user's address list;
  ◦ and does local damage.
• Later versions were triggered by merely reading the email,
• hence much faster propagation.
• Anti-virus
• Prevention is the ideal solution but difficult.
• Realistically we need:
  ◦ detection
  ◦ identification
  ◦ removal
• If a virus is detected but can't be identified or removed, the infected program must be discarded and replaced.
• Virus and anti-virus technology have both evolved.
• Early viruses were simple code, easily removed.
• As viruses become more complex, so must the countermeasures.
• Generations:
  ◦ first: signature scanners
  ◦ second: heuristic rules (structure)
  ◦ third: identify actions
  ◦ fourth: combination packages
Ways a virus spreads:
• Using infected programs: the virus is executed every time the program is executed.
• Using interrupts that occur each time an external disk drive or a DVD is inserted into a USB port. Once this interrupt occurs, the virus is executed as part of the interrupt-handling routine and tries to infect the newly inserted volume.
• As an email attachment.
• Through infected software: a useful program (a calculator, a nice clock, or a beautiful screen saver) with a virus or a Trojan horse embedded in it.
• Usually through sharing: each time users share a computing resource such as a disk, a file, or a library routine, there is the risk of infection.
• A worm is a self-replicating program, similar to a virus, but self-contained.
• Usually propagates over a network,
  ◦ using email, remote execution, remote login,
• by exploiting service vulnerabilities.
• It often creates denial of service.
• Has phases like a virus:
  ◦ dormant, propagation, triggering, execution;
  ◦ propagation phase: searches for other systems, connects to them, copies itself to them and runs.
• First implemented by Xerox Palo Alto labs in the 1980s,
  ◦ to search for idle systems to use to run a computationally intensive task.
• A virus propagates when users send email, launch programs, or carry storage media between computers.
• A worm propagates itself throughout the Internet by exploiting security weaknesses in applications and protocols we all use.
• Worms have the highest speed of propagation.
• Future worms may pose a threat to the Internet, to e-commerce, and to computer communications, and this threat may be much greater and much more dangerous than that posed by other types of malicious software.
• A worm that has infected several million computers on the Internet may have the potential for a global catastrophe.
  ◦ It could launch vast DoS attacks that can bring down not only e-commerce sites, but sensitive military sites or the root domain name servers of the Internet.
• The Morris worm is one of the best known worms,
• released by Robert Morris in 1988.
• It carried out various attacks on UNIX systems:
  ◦ discovering other hosts;
  ◦ cracking the password file to use login/password pairs to log on to other systems;
  ◦ exploiting a bug in the finger protocol;
  ◦ exploiting a bug in sendmail.
• If it succeeded, it had remote shell access,
  ◦ and sent a bootstrap program to copy the worm over.
• Code Red: July 2001
  ◦ exploited a Microsoft Internet Information Server (IIS) bug to penetrate and spread
  ◦ probes random IP addresses
  ◦ does DDoS attacks
  ◦ deactivates and reactivates periodically
  ◦ consumes significant net capacity when active
  ◦ infected nearly 360,000 servers in 14 hours
• Code Red II variant includes a backdoor,
  ◦ allowing a hacker to direct the activities of victim computers
• SQL Slammer: early 2003
  ◦ attacks MS SQL Server
  ◦ compact and very rapid spread
• Mydoom: 2004
  ◦ mass-mailing e-mail worm
  ◦ installed a remote access backdoor in infected systems
  ◦ flooded the Internet with 100 million infected messages in 36 hours
• Mobile phone worms first appeared in 2004,
  ◦ targeting smartphones which can install software.
• They communicate via Bluetooth or MMS.
• They can disable the phone, delete data on the phone, or send premium-priced messages.
• E.g. CommWarrior, launched in 2005:
  ◦ replicates using Bluetooth to nearby phones,
  ◦ and via MMS using address-book numbers,
  ◦ copies itself to the removable memory card.
• Worm countermeasures: anti-virus
• Worms also cause significant net activity.
• Worm defense approaches include:
  ◦ signature-based worm scan filtering
  ◦ filter-based worm containment: content/code
  ◦ payload-classification-based worm containment
    ▪ examine packets using anomaly detection techniques
  ◦ threshold random walk scan detection
    ▪ exploits randomness in picking destinations to connect to
  ◦ rate limiting and rate halting
    ▪ limits the rate of scan-like traffic from an infected host
    ▪ immediately blocks outgoing traffic when a threshold is exceeded
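Threshold random walk scan detection from the list above, as an added example that is not part of the slides: it implements the sequential hypothesis test of the published TRW algorithm (Jung et al., 2004) over constructed connection records, exploiting the fact that a worm picking destinations at random sees most first contacts fail. The probabilities, thresholds and addresses are assumed values chosen for illustration; a real deployment would observe connection outcomes at a network vantage point.

```python
from collections import defaultdict
# Assumed model: a benign host's first contacts mostly succeed (THETA0); a
# scanning worm picks destinations at random, so most of its first contacts
# fail (THETA1). That randomness is what TRW exploits.
THETA0, THETA1 = 0.8, 0.2
ALPHA, BETA = 0.01, 0.99          # target false-positive / detection rates
ETA1 = BETA / ALPHA               # upper stop: declare scanner (99)
ETA0 = (1 - BETA) / (1 - ALPHA)   # lower stop: declare benign (~0.0101)

# Constructed records, "src dst outcome" (S = connected, F = failed).
# 10.0.0.5 repeats one destination; a repeat is not a first contact.
RECORDS = """\
10.0.0.5 10.0.1.2 S
10.0.0.5 10.0.1.7 S
10.0.0.5 10.0.1.9 F
10.0.0.5 10.0.1.2 S
10.0.0.5 10.0.1.3 S
10.0.0.5 10.0.1.4 S
10.0.0.5 10.0.1.6 S
10.0.0.7 10.0.3.1 F
10.0.0.7 10.0.3.2 F
10.0.0.9 10.0.2.1 F
10.0.0.9 10.0.2.2 F
10.0.0.9 10.0.2.3 F
10.0.0.9 10.0.2.4 F
""".splitlines()

def trw_classify(records):
    """Return {src: 'scanner' | 'benign' | 'pending'} for every source.

    Each first-contact outcome multiplies a per-source likelihood ratio
    (failure x4, success x0.25); the walk stops once it crosses ETA1
    (scanner) or ETA0 (benign), and later records of that source are ignored."""
    ratio = defaultdict(lambda: 1.0)
    seen = defaultdict(set)
    verdict = {}
    for line in records:
        src, dst, outcome = line.split()
        if src in verdict or dst in seen[src]:
            continue
        seen[src].add(dst)
        if outcome == "F":
            ratio[src] *= (1 - THETA1) / (1 - THETA0)
        else:
            ratio[src] *= THETA1 / THETA0
        if ratio[src] >= ETA1:
            verdict[src] = "scanner"
        elif ratio[src] <= ETA0:
            verdict[src] = "benign"
    return {src: verdict.get(src, "pending") for src in seen}
```

With these thresholds four consecutive failed first contacts are enough to flag a source, while a host whose connections mostly succeed is cleared and never rate-limited.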
• A Trojan horse is an apparently useful program with hidden side-effects,
• which is usually superficially attractive,
  ◦ e.g. a game, software upgrade, screen saver, etc.
• When run, it performs some additional tasks.
• Usually designed primarily to give hackers access to a system,
• often used to propagate a virus/worm or install a backdoor,
• or simply to destroy data.
Typical actions of a Trojan horse:
• Download files to the infected computer.
• Make registry changes to the infected computer.
• Delete files on the infected computer.
• Disable a keyboard, mouse, or other peripherals.
• Shut down or reboot the infected computer.
• Run selected applications or terminate open applications.
• Disable virus protection or other computer security software.
• Back doors / Trap doors
  ◦ A program that allows attackers to access a system, bypassing the normal authentication mechanisms.
• Bomb
  ◦ A program which lies dormant until a particular date/time arrives or a program logic condition is activated.
  ◦ Logic bomb or Time bomb.
• Spyware
  ◦ Programs, cookies, or registry entries that track your activity and send that data off to someone who collects it for their own purposes.
  ◦ The type of information stolen varies considerably:
    ▪ email login details
    ▪ IP and DNS addresses of the computer
    ▪ users' Internet habits
    ▪ bank details used to access accounts or make online purchases, etc.
• Adware
  ◦ Software that is installed on your computer to show you advertisements.
  ◦ These may be in the form of pop-ups, pop-unders, advertisements embedded in programs, or placed on top of ads in web sites, etc.
• Key logger
  ◦ A program that captures and records user keystrokes.
  ◦ E.g. whenever a user enters a password, bank account numbers, a credit card number, or other information, the program logs the keystrokes.
  ◦ The keystrokes are often sent over the Internet to the hacker.
• Dialers
  ◦ Programs that set up your modem connection to connect to the Internet, often to charge illicit phone usage fees.
  ◦ Targeted at users of dial-up Internet services.
• Spam
  ◦ Unsolicited bulk e-mail which is sent in massive quantities to unsuspecting Internet email users.
  ◦ Most spam tries to
    ▪ sell products and services.
  ◦ A more dangerous category of spam tries to
    ▪ convince the recipient to share their bank account numbers, credit card numbers, or logins and passwords to their online banking systems/services.
  ◦ It is also used for phishing and to spread malicious code.
• Rootkit
  ◦ A set of tools and utilities that a hacker can use to maintain access once they have hacked a system.
  ◦ The rootkit tools allow them to conceal their actions by hiding their files and processes and erasing their activity.
• Bot/Zombie
  ◦ Small programs that are inserted on computers by attackers to allow them to control the system remotely without the user's consent or knowledge.
  ◦ Botnets: groups of computers infected by bots and controlled remotely by the owner of the bots.
  ◦ Computers that are infected with a bot are generally referred to as zombies.
• Exploit
  ◦ A piece of software, a command, or a methodology that attacks a particular security vulnerability.
  ◦ Takes advantage of a particular weakness, e.g. in the OS or application programs.
• Phishing
  ◦ Is not an application. It's the process of attempting to acquire sensitive user information with fake websites.
  ◦ It's an example of social engineering techniques used to fool users.
  ◦ Common targets for phishing:
    ▪ Online payment systems such as e-bank, e-commerce are