Praca Zaliczeniowa (Final Assignment)


Transcript of Praca Zaliczeniowa

Page 1: Praca Zaliczeniowa

WYŻSZA SZKOŁA BIZNESU W DĄBROWIE GÓRNICZEJ 2015

Computer Security Threats (English language course)

Lecturer:

mgr Iwona Choryń

Krzysztof Milanowski

Computer Science, second-cycle (Master's) studies

Semester IV

Page 2: Praca Zaliczeniowa

Krzysztof Milanowski

Page 3: Praca Zaliczeniowa

• Protects computer-based data from software-based and communications-based threats.

Page 4: Praca Zaliczeniowa

• Programs exploiting system vulnerabilities.

• Also known as malware.

• Types:
  ◦ program fragments that need a host program
    • e.g. viruses, logic bombs, and backdoors
  ◦ independent, self-contained programs
    • e.g. worms, bots
  ◦ replicating or not

• A sophisticated threat to computer systems!

Page 5: Praca Zaliczeniowa

• In 1983, graduate student Fred Cohen first used the term virus in a paper describing a program that can spread by infecting other computers with copies of itself!

• In 1986, the Brain virus was the first virus designed to infect personal computer systems.
  ◦ by infecting floppy disks!

Page 6: Praca Zaliczeniowa

• A piece of software that infects programs (hosts)
  ◦ modifying them to include a copy of the virus
  ◦ so it executes secretly when the host program is run

• Usually specific to an operating system
  ◦ taking advantage of its details and weaknesses

• A typical virus goes through the phases of:
  ◦ Dormant: idle (not found in all viruses)
  ◦ Propagation: copies itself into other programs/disk areas
  ◦ Triggering: activated (date, file, disk limit)
  ◦ Execution: performs the intended function (message, damage...)

Page 7: Praca Zaliczeniowa

• Components:
  ◦ Infect - enables replication
  ◦ Trigger - the event that makes the payload activate
  ◦ Payload - what it does

• Prepended / postpended / embedded

• When the infected program is invoked, it executes the virus code, then the original program code

Page 8: Praca Zaliczeniowa

• Signatures – a sequence of bits that can be used to accurately identify the presence of a particular virus.

• The code consists of three stages:
  ◦ activation/trigger,
  ◦ replication/infect, and
  ◦ operation/payload

Page 9: Praca Zaliczeniowa

• The malicious "task" of a virus.

• Performed when the triggering condition is satisfied.

• Types:
  ◦ display a message, such as "Gotcha," a political slogan, or a commercial advertisement
  ◦ read a certain sensitive or private file. Such a virus is in fact spyware.
  ◦ slow the computer down by monopolizing and exhausting limited resources.
  ◦ completely deny any services to the user.

Page 10: Praca Zaliczeniowa

• Erase all the files on the host computer

• Select some files at random and change several bits in each file, also at random.
  ◦ Referred to as data diddling; may be more serious, because it results in problems that seem to be caused by hardware failures, not by a virus.

• One step beyond data diddling is random deletion of files

• Random change of permissions.

• Produce sounds, animation.

Page 11: Praca Zaliczeniowa

Two types:

• Nonresident viruses:
  ◦ search for other hosts that can be infected,
  ◦ infect those targets,
  ◦ transfer control to the infected program

• Resident viruses:
  ◦ do not search for hosts when they are started. Instead, the virus loads itself into memory on execution and transfers control to the host program.
  ◦ The virus stays active in the background and infects new hosts when those files are accessed by other programs or the operating system itself

Page 12: Praca Zaliczeniowa

• Date or time

• Number of boots

• Generation counter of the virus

• Number of keypresses on the keyboard

• Amount of free space on the hard drive

• Number of minutes the machine has been idle

• Name of an executed program

• Basically any event in the PC can be used as a trigger by a virus!

Page 13: Praca Zaliczeniowa

By target

• boot sector: infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.

• file infector: infects executable files

• macro virus: infects files with macro code that is interpreted by an application.

Page 14: Praca Zaliczeniowa

By hiding method

• encrypted virus: creates a random encryption key, stored with the virus, and encrypts the remainder of the virus. Then, the virus uses the stored random key to decrypt the virus. When the virus replicates, a different random key is selected.

• stealth virus: designed to hide itself from detection by antivirus software.
  ◦ by restoring the size, modification date, and checksum of the infected file

Page 15: Praca Zaliczeniowa

• Polymorphic virus: mutates and infects each new file as a different string of bits, making detection by the "signature" of the virus impossible.

• Metamorphic virus: as with a polymorphic virus, a metamorphic virus mutates with every infection.

• The difference is that a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection

Page 16: Praca Zaliczeniowa

• A virus can modify itself and become a different string of bits simply by inserting several nop instructions in its code.

• A nop (no operation) is an instruction that does nothing.
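The signature idea from Page 8 and the nop-insertion trick above, seen from the scanner's side, as an added example that is not part of the original slides: a raw byte-string match (first-generation scanner) misses the nop-padded variant, while normalising away nops before matching, the simplest "structure" heuristic, still catches it. The signature and all file contents are constructed toy bytes, not real code.

```python
# Added example (not from the original slides): a first-generation byte
# signature scanner and a nop-normalising variant. Every byte string here is
# constructed toy data, not real code.
NOP = 0x90  # x86 single-byte "no operation" opcode

# Constructed signature assumed to identify one particular "virus".
SIGNATURE = bytes.fromhex("deadbeef4242cafe")

# Constructed sample files: a clean host, an infected host, and an infected
# host whose signature bytes are interleaved with nops (a different bit string).
CLEAN_FILE = bytes.fromhex("554889e5" + "90" * 4 + "c3")
INFECTED_FILE = bytes.fromhex("554889e5") + SIGNATURE + bytes.fromhex("c3")
NOP_VARIANT = bytes.fromhex("554889e5" "de90adbe9090ef429042cafe" "c3")


def naive_match(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Exact substring match on the raw bytes, as a signature scanner does."""
    return signature in data


def strip_nops(data: bytes) -> bytes:
    """Normalise code by dropping single-byte nop instructions."""
    return bytes(b for b in data if b != NOP)


def normalised_match(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Match after normalising file and signature alike.

    This is the simplest 'structure' heuristic: compare what the code does
    rather than the exact bit string. Caveat: a 0x90 that is data, not an
    instruction, is dropped too, so real scanners normalise with a
    disassembler rather than a byte filter."""
    return strip_nops(signature) in strip_nops(data)


def scan_all(files: dict) -> dict:
    """Return {name: (naive_hit, normalised_hit)} for each sample file."""
    return {name: (naive_match(d), normalised_match(d)) for name, d in files.items()}


if __name__ == "__main__":
    for name, hits in scan_all({"clean": CLEAN_FILE, "infected": INFECTED_FILE,
                                "nop_variant": NOP_VARIANT}).items():
        print(name, "naive=%s normalised=%s" % hits)
```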

Page 17: Praca Zaliczeniowa

• Compression virus: in addition to mutating, a virus may hide itself in a compressed file in such a way that the bits with the virus part depend on the rest of the infected file and are therefore always different.

Page 18: Praca Zaliczeniowa

• A more recent development

• e.g. Melissa
  ◦ exploits an MS Word macro in an attached doc
  ◦ if the attachment is opened, the macro activates
  ◦ sends email to everyone on the user's address list
  ◦ and does local damage

• Then saw versions triggered by reading email

• Hence much faster propagation

Page 19: Praca Zaliczeniowa

• Anti-virus

• Prevention - the ideal solution, but difficult

• Realistically need:
  ◦ detection
  ◦ identification
  ◦ removal

• If detected but can't identify or remove, must discard and replace the infected program

Page 20: Praca Zaliczeniowa

• Virus and antivirus technology have both evolved

• Early viruses: simple code, easily removed

• As viruses become more complex, so must the countermeasures

• Generations:
  ◦ first - signature scanners
  ◦ second - heuristic rules (structure)
  ◦ third - identify actions
  ◦ fourth - combination packages

Page 21: Praca Zaliczeniowa

• Using infected programs: the virus is executed every time the program is executed.

• Using interrupts that occur each time an external disk drive or a DVD is inserted into a USB port. Once this interrupt occurs, the virus is executed as part of the interrupt-handling routine and it tries to infect the newly inserted volume.

• As an email attachment.

• Through infected software: a useful program (a calculator, a nice clock, or a beautiful screen saver) with a virus or a Trojan horse embedded in it.

Page 22: Praca Zaliczeniowa

• Usually sharing: each time users share a computing resource such as a disk, a file, or a library routine, there is a risk of infection

Page 23: Praca Zaliczeniowa

Page 24: Praca Zaliczeniowa

• Self-replicating program, similar to a virus, but self-contained.

• Usually propagates over a network.
  ◦ using email, remote exec, remote login

• By exploiting service vulnerabilities.

• It often creates denial of service

Page 25: Praca Zaliczeniowa

• Has phases like a virus:
  ◦ dormant, propagation, triggering, execution
  ◦ propagation phase: searches for other systems, connects to them, copies itself to them and runs

• First implemented by Xerox Palo Alto labs in the 1980's
  ◦ searched for idle systems to use to run a computationally intensive task.

Page 26: Praca Zaliczeniowa

• A virus propagates when users send email, launch programs, or carry storage media between computers.

• A worm propagates itself throughout the Internet by exploiting security weaknesses in applications and protocols we all use.

• Has the highest speed of propagation.

Page 27: Praca Zaliczeniowa

• Future worms may pose a threat to the Internet, to E-commerce, and to computer communications, and this threat may be much greater and much more dangerous than that posed by other types of malicious software.

Page 28: Praca Zaliczeniowa

• A worm that has infected several million computers on the Internet may have the potential for a global catastrophe.
  ◦ could launch vast DoS attacks that can bring down not only E-commerce sites, but sensitive military sites or the root domain name servers of the Internet.

Page 29: Praca Zaliczeniowa

• One of the best known worms

• Released by Robert Morris in 1988

• Various attacks on UNIX systems
  ◦ discover other hosts
  ◦ cracking the password file to use login/password to log on to other systems
  ◦ exploiting a bug in the finger protocol
  ◦ exploiting a bug in sendmail.

• If successful, has remote shell access
  ◦ sent a bootstrap program to copy the worm over

Page 30: Praca Zaliczeniowa

• Code Red: July 2001
  ◦ exploiting a Microsoft Internet Information Server (IIS) bug to penetrate and spread
  ◦ probes random IP addresses
  ◦ does DDoS attack
  ◦ activates and reactivates periodically
  ◦ consumes significant net capacity when active
  ◦ infected nearly 360,000 servers in 14 hours

• Code Red II variant includes a backdoor
  ◦ allowing a hacker to direct the activities of victim computers

Page 31: Praca Zaliczeniowa

• SQL Slammer: early 2003
  ◦ attacks MS SQL Server
  ◦ compact and very rapid spread

• Mydoom: 2004
  ◦ mass-mailing e-mail worm
  ◦ installed a remote access backdoor in infected systems
  ◦ flooded the Internet with 100 million infected messages in 36 hrs

Page 32: Praca Zaliczeniowa

• First appeared on mobile phones in 2004
  ◦ target smartphones which can install software

• They communicate via Bluetooth or MMS

• Disable the phone, delete data on the phone, or send premium-priced messages

• E.g. CommWarrior, launched in 2005
  ◦ replicates using Bluetooth to nearby phones
  ◦ and via MMS using address-book numbers
  ◦ copies itself to the removable memory card

Page 33: Praca Zaliczeniowa

Page 34: Praca Zaliczeniowa

• Anti-virus

• Worms also cause significant net activity

• Worm defense approaches include:
  ◦ signature-based worm scan filtering
  ◦ filter-based worm containment: content/code
  ◦ payload-classification-based worm containment
    • examine packets using anomaly detection techniques
  ◦ threshold random walk scan detection
    • exploits randomness in picking destinations to connect to
  ◦ rate limiting and rate halting
    • limits the rate of scan-like traffic from an infected host
    • immediately blocks outgoing traffic when a threshold is exceeded
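Threshold random walk scan detection from the list above, worked through as an added example that is not part of the original slides; the connection log and the probability parameters are constructed/assumed values, and the list's rate-halting step is modelled as blocking every source the test declares a scanner.

```python
# Added example (not from the original slides): Threshold Random Walk (TRW)
# scan detection over a constructed connection log. A scanning worm picks
# destinations at random, so most first contacts fail; a benign host mostly
# succeeds. Each outcome moves a per-source log-likelihood ratio.
import math
from collections import defaultdict

THETA0, THETA1 = 0.8, 0.2   # assumed P(success | benign), P(success | scanner)
ALPHA, BETA = 0.01, 0.99    # target false-positive rate, target detection rate
ETA1 = math.log(BETA / ALPHA)              # at or above: declare "scanner"
ETA0 = math.log((1 - BETA) / (1 - ALPHA))  # at or below: declare "benign"
STEP = {"OK": math.log(THETA1 / THETA0),                # success: ratio falls
        "FAIL": math.log((1 - THETA1) / (1 - THETA0))}  # failure: ratio rises

# Constructed log, "<src> <dst:port> <OK|FAIL>": 10.0.0.5 scans, 10.0.0.9 is benign.
LOG = """\
10.0.0.5 10.0.1.7:445 FAIL
10.0.0.5 10.0.1.8:445 FAIL
10.0.0.5 10.0.1.9:445 FAIL
10.0.0.5 10.0.1.7:445 FAIL
10.0.0.5 10.0.1.10:445 FAIL
10.0.0.9 10.0.2.1:80 OK
10.0.0.9 10.0.2.2:80 OK
10.0.0.9 10.0.2.3:80 FAIL
10.0.0.9 10.0.2.4:80 OK
10.0.0.9 10.0.2.5:80 OK
10.0.0.9 10.0.2.6:80 OK
"""


def trw_classify(log_text: str) -> dict:
    """Replay the log; return {src: (verdict, first_contacts_used)}."""
    seen = defaultdict(set)     # src -> destinations already contacted
    score = defaultdict(float)  # src -> running log-likelihood ratio
    verdict = {}
    for line in filter(None, log_text.splitlines()):
        src, dst, outcome = line.split()
        if src in verdict or dst in seen[src]:
            continue  # already decided, or a repeat (not a first contact)
        seen[src].add(dst)
        score[src] += STEP[outcome]
        if score[src] >= ETA1:
            verdict[src] = "scanner"
        elif score[src] <= ETA0:
            verdict[src] = "benign"
    return {s: (verdict.get(s, "undecided"), len(seen[s])) for s in seen}


def hosts_to_halt(results: dict) -> list:
    """Rate halting: block outgoing traffic of every source declared a scanner."""
    return sorted(s for s, (v, _) in results.items() if v == "scanner")
```

With these parameters four failed first contacts are enough to flag a source, and the repeated destination 10.0.1.7 is ignored because only first contacts carry information.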

Page 35: Praca Zaliczeniowa

• An apparently useful program with hidden side-effects

• Which is usually superficially attractive
  ◦ e.g. game, software upgrade, screen saver, etc.

• When run, performs some additional tasks

• Usually designed primarily to give hackers access to the system

• Often used to propagate a virus/worm or install a backdoor

• Or simply to destroy data

Page 36: Praca Zaliczeniowa

• Download files to the infected computer.

• Make registry changes on the infected computer.

• Delete files on the infected computer.

• Disable a keyboard, mouse, or other peripherals.

• Shut down or reboot the infected computer.

• Run selected applications or terminate open applications.

• Disable virus protection or other computer security software

Page 37: Praca Zaliczeniowa

• Back doors/Trap doors
  ◦ a program that allows attackers to access a system, bypassing the normal authentication mechanisms

• Bomb
  ◦ a program which lies dormant until a particular date/time or a program logic condition is activated
  ◦ Logic bomb or Time bomb

Page 38: Praca Zaliczeniowa

• Spyware
  ◦ programs, cookies, or registry entries that track your activity and send that data off to someone who collects it for their own purposes
  ◦ The type of information stolen varies considerably
    • email login details
    • IP and DNS addresses of the computer
    • users' Internet habits
    • bank details used to access accounts or make online purchases, etc.

Page 39: Praca Zaliczeniowa

• Adware
  ◦ software that is installed on your computer to show you advertisements
  ◦ These may be in the form of pop-ups, pop-unders, advertisements embedded in programs, or placed on top of ads in web sites, etc.

• Key logger
  ◦ a program that captures and records user keystrokes
  ◦ e.g. whenever a user enters a password, bank account numbers, credit card number, or other information, the program logs the keystrokes
  ◦ The keystrokes are often sent over the Internet to the hacker

Page 40: Praca Zaliczeniowa

• Dialers
  ◦ programs that set up your modem connection to connect to the Internet, often to charge illicit phone usage fees
  ◦ targeted at users of dial-up internet services

• Spam
  ◦ unsolicited bulk e-mail which is sent in massive quantities to unsuspecting Internet email users.
  ◦ Most spam tries to
    • sell products and services.
  ◦ A more dangerous category of spam tries to
    • convince the recipient to share their bank account numbers, credit card numbers, or logins and passwords to their online banking systems/services
  ◦ It is also used for phishing and to spread malicious code

Page 41: Praca Zaliczeniowa

• Rootkit
  ◦ a set of tools and utilities that a hacker can use to maintain access once they have hacked a system.
  ◦ The rootkit tools allow them to conceal their actions by hiding their files and processes and erasing their activity

• Bot/Zombie
  ◦ small programs that are inserted on computers by attackers to allow them to control the system remotely without the user's consent or knowledge
  ◦ Botnets: groups of computers infected by bots and controlled remotely by the owner of the bots
  ◦ Computers that are infected with a bot are generally referred to as zombies

Page 42: Praca Zaliczeniowa

• Exploit
  ◦ a piece of software, a command, or a methodology that attacks a particular security vulnerability
  ◦ takes advantage of a particular weakness, e.g. in the OS or application programs

• Phishing
  ◦ is not an application. It's the process of attempting to acquire sensitive user information with fake websites.
  ◦ It's an example of social engineering techniques used to fool users
  ◦ Common targets for phishing
    • Online payment systems such as e-bank, e-commerce are