1 / 21

Understanding Viruses and Malware: Types, Characteristics, and Remediation

Learn about the different types of viruses and malware, their characteristics and behaviors, and effective ways to remediate and protect against them. Also, explore web-based application attacks and their top 10 vulnerabilities according to OWASP.

hargrave
Télécharger la présentation

Understanding Viruses and Malware: Types, Characteristics, and Remediation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Viruses

  2. Malware • Malware, or malicious software, takes on many forms, among them viruses, worms, spyware, Trojan horses, etc. • Like a biological virus, computer viruses replicate between hosts, delivering their payload (malicious action). • Symptoms of malware include file size increases, unusual disk or CPU activity, increase in disk space use, unusual slowness

  3. Malware Characteristics • Malware can be defined by certain behaviors, among them: • Insertion – how the code installs itself on the victim’s system • Avoidance – acts the malware takes to avoid detection from anti-virus software (stealthiness). Polymorphic viruses change their code routinely • Eradication – steps the virus takes to eliminate traces after delivering the payload • Replication – how the code copies itself to other systems • Trigger – what actions result in the virus delivering its payload • Payload- the end action (deleting files, sending email, installing a backdoor)

  4. Worms and Viruses • Viruses are malware that replicate after some user action, such as opening a file. • Unlike viruses, worms do not need user action to replicate. Worms spread autonomously, seeking and exploiting specific vulnerabilities to load onto systems and replicate to other systems.

  5. Worms and Viruses • Viruses are strings of malware dependent on human action to execute • Unlike viruses, worms do not need user action to replicate. Worms spread autonomously, seeking and exploiting specific vulnerabilities to load onto systems and replicate to other systems. • Examples of worms are: • Morris Worm, Melissa, Nimda, Sobig

  6. Logic Bombs • Logic bombs execute a program, or string of code, when certain conditions are met. For instance, a payroll checking program that checks for the presence of an employees name on the payroll each pay. If that employee is not there – it executes and does damage • Time bombs, on the other hand, is malware that executes at a specific time.

  7. Trojan Horses • Trojan horses offer a little “something extra” with what looks to be a useful utility, such as an online mortgage calculator or video/music file. • When the program is run, the Trojan executes and runs in the background • More than 40% of files on peer-to-peer sites were found to be infected with Trojan Horses – most with malicious spyware and keyloggers.

  8. A Word on Antivirus Software • Antivirus software attempts to detect and prevent malware infections by matching behavior to known malware • Types: • Signature-based – only as good as the latest signatures. Inspects file system, registry, service behavior for known characteristics. Doesn’t work as well with polymorphic or zero-day viruses • Heuristic – analyzes overall structure of the code in context of the actual code • Virtual machine – isolates code in a sandbox, of sorts, to test its behavior before allowing it to access the system. Uses dynamic analysis, whereas others use static analysis to analyze code

  9. Ransomware • Ransomware is malicious software that disables the user’s access to the data until an extortion (ransom) is paid to the attacker - usually in bitcoin. • While there are different types of ransomware, some that just post bogus notices from the FBI on the computer, the more malicious strongly encrypt all files on the drive such that the user must purchase the key to decrypt the files. • A new form of ransomware, doxware, is being circulated that also threatens to post the contents of the drive to the Internet if the victim doesn’t pay the extortion fee.

  10. Malware Remediation • Anti-virus software remains one of the most effective malware controls. It is only as effective, however, as its last update, as almost 1 million pieces of malware are created each day. • Disable pop-up blockers and ActiveX controls in the untrusted, Internet zone. • Backup all personal data to either a cloud solution or local external drive. • Encrypt all sensitive data on the drive.

  11. Web-Based Application Attacks

  12. OWASP Top 10 Attacks • The Open Web Application Security Project (OWASP) at www.owasp.org provides periodic lists of the top 10 Most Critical Web Application Security Risks. • Among these attacks, several make the list each time the list is updated, including the following that will be examined in this module: • Injection attacks • Broken Authentication and Session Management attacks • Cross-Site Scripting attacks

  13. Injection Attacks • Injection attacks occur when applications provide for untrusted input from a user, through a web application interface to a database, for example, as with SQL and LDAP Injections, allowing the attacker to send commands that are executed at the database server, providing the attacker with access or the ability to delete/modify information. • The most common of these attacks is SQL Injection. In 2014, a Russian criminal group known as “CyberVor” attack U.S. businesses and collection over a billion usernames and passwords using SQL Injection.

  14. SQL Injection • SQL commands can be injected at the login screens, using user input, inserted into cookies, through machine variables that are then processed at the server. • The vulnerability that enables the attack occurs when developers do not properly validate user input, for instance, validating it “client side” in the browser, rather than at the server, before passing it to the database server from processing.

  15. Broken Authentication and Session Management Attacks • In a Broken Authentication and Session Management attack, attackers attack poorly developed (weak) or managed (improperly stored) authentication credentials or session management IDs. • As an example, a poorly designed Web application might pass session IDs to the server in the URLs, where they are visible. If the URL is distributed to an attacker, the attacker can use the session ID to assume that user’s session at the server.

  16. Cross-Site Scripting Attacks • Cross-Site Scripting (XSS) attacks are among some of the most prevalent attacks against Web applications and occur when malicious scripts are injected into a victim’s Web site. This, then, attacks users visiting the infected site. • Two different types: • Stored (persistent) – Malicious scripts are permanently stored on the server, sometimes in forums, visitor logs, etc. • Reflected (non-persistent) – Most frequent type, occurring when the attacker injects malicious script (e.g. JavaScript) into input sent to the server that is then reflected from the server back to the user in its HTTP response. Users might click on a malicious link sent to them in an email , as an example.

  17. Remediating Web Application Risks • All input to a web server should be validated at the server. • Use parametrized queries, or drop-down menus, wherever possible to minimize user input. • Train users to not click on links in emails. • Do not store passwords in plain text at the server. Ensure that passwords use hashing algorithms that “salt” the stored result (using a pseudo-random injection of characters into the hash).

  18. Phishing

  19. Phishing • Phishing is a social engineering technique where unsuspecting users are tricked into clicking on a link in an email in an attempt to gain the individual’s user id and password, credit card information, or other sensitive information. • Often these emails are sent from a seemingly trusted site that has been “spoofed”, such as a bank or common trusted service (e.g. Amazon). • Many use a sense of urgency, or create panic, by leading the user to believe their financial information has been compromised and they must immediately change their passwords.

  20. Types of Phishing • Spearphishing – target phishing attacks. As an example, spoofing emails as coming from a college IT Help Desk to students and faculty. • Whaling – phishing targeted to financially “high gain” targets, such as C-Suite (CIO, CISO, CEO) employees. This requires more research, for instance, coming from a common club at which they golf or lunch. • Vishing, or VoIP phishing – fraudulent phone calls, for instance from Microsoft tech support or the IRS, that trick the user into providing sensitive information, such as SSNs or credit card numbers.

  21. Phishing Remediation • Enable the use of blacklisting or whitelisting filters at the email server. • As most phishing emails are sent from spoofed sites, resolve email headers. This places a lot of overhead on a server and so is not done to any great extent. • Enable spam filters. • Phishing is a social engineering attack and, while there are some technical controls available, awareness training is the most effective control against it.

More Related