
  1. Malicious Code

  2. Program Flaws
  Taxonomy of flaws, by:
  • how (genesis)
  • when (time)
  • where (location)
  the flaw was introduced into the system
  CSCE 522 - Farkas/Eastman -- Fall 2005

  3. Security Flaws by Genesis
  Genesis:
  • Intentional
  • Inadvertent

  4. Intentional Genesis
  • Malicious: Trojan horse, trapdoor, logic bomb, covert channels
  • Non-malicious

  5. Inadvertent Genesis
  • Validation error
  • Domain error
  • Serialization error
  • Identification/authentication error
  • Other error

  6. Kinds of Malicious Code
  • Virus
  • Rabbit (bacteria)
  • Worm
  • Trojan horse
  • Logic bomb (time bomb)
  • Trapdoor

  7. Virus
  • A program that attaches copies of itself to other programs
  • Propagates and performs some unwanted function

  8. Rabbit
  • A program that consumes system resources by replicating itself
  • Also known as bacteria
  • The Trouble with Tribbles (Star Trek)

  9. Worm
  • A program that propagates copies of itself through the network
  • Usually performs some unwanted function
  • Does not attach to other programs

  10. Trojan Horse
  • Secret, undocumented routine embedded within a useful program
  • Execution of the program results in execution of the secret code

  11. Logic Bomb
  • Logic embedded in a program that checks for a certain set of conditions to be present in the system
  • When these conditions are present, some malicious code is executed
  • Also known as a time bomb

  12. Trapdoor
  • Secret, undocumented entry point into a program
  • Used to grant access without the normal methods of access authentication

  13. Virus Lifecycle
  • Dormant phase: the virus is idle
  • Propagation phase: the virus places an identical copy of itself into other programs
  • Triggering phase: the virus is activated
  • Execution phase: the function is performed

  14. Virus Types
  • Transient (parasitic) virus
  • Memory resident virus
  • Boot sector virus
  • Stealth virus
  • Polymorphic virus

  15. Transient Virus
  • Most common form
  • Attaches itself to a file
  • Replicates when the infected program is executed

  16. Memory Resident Virus
  • Lodged in main memory as part of a resident system program
  • May infect every program that executes

  17. Boot Sector Virus
  • Infects the boot record
  • Spreads when the system is booted
  • Gains control of the machine before virus detection tools can act
  • Very hard to notice
  • Carrier files: AUTOEXEC.BAT, CONFIG.SYS, IO.SYS

  18. Stealth Virus
  • A form of virus explicitly designed to hide from detection by antivirus software

  19. Polymorphic Virus
  • Mutates with every infection
  • Detection by the “signature” of the virus is difficult

  20. How Viruses Attach
  • Append to file
  • Surround file
  • Integrate into file

  21. Append to File
  Figure: original program + virus = virus appended to the program

  22. Surround the File
  Figure: original program + virus = virus surrounding the program (Virus-1 before the original program, Virus-2 after it)

  23. Integrate into File
  Figure: original program + virus = virus integrated into the program (virus pieces Virus-1 to Virus-4 interleaved with the original program)

  24. How Viruses Spread
  • Executable code (exe)
  • Data files
  • Word documents
  • Databases
  • Presentations
  • File sharing

  25. Assume that, if you can install or use it on your computer, it might have a virus

  26. How Viruses Gain Control
  • Virus V has to be invoked instead of target T
  • V overwrites T
  • V changes pointers from T to V

  27. High Risk Virus Properties
  • Hard to detect
  • Hard to destroy
  • Spreads infection widely
  • Can re-infect
  • Easy to create
  • Machine independent

  28. Preventing Virus Infections
  Prevention:
  • Good source of installed software
  • Isolated testing phase
  • Use virus detectors
  Limit damage:
  • Make a bootable diskette
  • Make and retain backup copies of important resources

  29. Antivirus Approaches
  • Detection: determine infection and locate the virus
  • Identification: identify the specific virus
  • Removal: remove the virus from all infected systems, so the disease cannot spread further
  • Recovery: restore the system to its original state

  30. Virus Signatures
  • Storage pattern
  • Code always located at a specific address
  • Increased file size
  • Execution pattern
  • Transmission pattern
  • Polymorphic viruses

  31. Antivirus Programs
  • Look for virus signatures
  • Look for changes in file size
  • Need to be updated regularly as new viruses appear
  • Eliminate viruses found
  • Attempt to undo virus damage
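The detection steps on slides 29 to 31 (detect a change in file size or content, then identify a specific signature) as an added example that is not part of the lecture: a small Python integrity and signature checker over constructed in-memory "files". The file contents, file names and the signature pattern are made up for the demo, not real malware signatures.

```python
import hashlib

# Constructed sample "files": name -> bytes. Stand-ins for a clean
# executable and a data file on a known-good system.
CLEAN_FILES = {
    "editor.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"real program code",
    "notes.txt": b"meeting at 10",
}
# Constructed signature database (slide 30: storage pattern) -- demo only.
SIGNATURES = {
    "DEMO-APPENDER": b"DEMO_APPENDED_PAYLOAD",
}

def build_baseline(files):
    """Record size and SHA-256 of every known-good file (slide 31: look for changes in file size)."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}

def scan(files, baseline, signatures):
    """Compare current files against the baseline and search for signatures.

    Returns a list of (file, finding) tuples. Size or hash drift is the
    detection step (something was appended, wrapped or integrated);
    a signature hit is the identification step (slide 29).
    """
    findings = []
    for name, data in files.items():
        size, digest = len(data), hashlib.sha256(data).hexdigest()
        if name not in baseline:
            findings.append((name, "new file not in baseline"))
        else:
            base_size, base_digest = baseline[name]
            if size != base_size:
                findings.append((name, f"size changed {base_size} -> {size}"))
            elif digest != base_digest:
                findings.append((name, "content changed, size unchanged"))
        for sig_name, pattern in signatures.items():
            offset = data.find(pattern)
            if offset != -1:
                findings.append((name, f"signature {sig_name} at offset {offset}"))
    for name in baseline:
        if name not in files:
            findings.append((name, "file missing"))
    return findings

# Constructed "after infection" view: the executable has had bytes appended (slide 21).
INFECTED_FILES = dict(CLEAN_FILES)
INFECTED_FILES["editor.exe"] = CLEAN_FILES["editor.exe"] + b"DEMO_APPENDED_PAYLOAD"

if __name__ == "__main__":
    for hit in scan(INFECTED_FILES, build_baseline(CLEAN_FILES), SIGNATURES):
        print(hit)
```

A same-size change (a byte overwritten in place, the "integrate into file" case) is caught by the hash comparison rather than the size check, which is why the checker records both.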

  32. More on Worms
  • Characteristics
  • Phases
  • Propagation

  33. Worm Characteristics
  • Self-replicating (like a virus)
  • Objective: system penetration (intruder)

  34. Worm Phases
  • Dormancy
  • Propagation
  • Triggering
  • Execution

  35. Worm Propagation
  • Searches for other systems to infect
  • Establishes a connection with the remote system
  • Copies itself to the remote system
  • Executes

  36. Some Examples
  • The Brain Virus
  • The Internet Worm
  • Code Red

  37. The Brain Virus
  • Changes the label of the infected disk to Brain
  • Locates itself in upper memory and traps disk reads
  • Upon a read of the boot sector, takes over
  • Marks its sectors faulty
  • Looks for uninfected disks to infect

  38. The Internet Worm
  • Caused 6,000 installations to shut down or disconnect from the Internet
  • Created by Robert T. Morris at Cornell
  • Attacked Unix machines
  • Found new machines by password guessing, exploiting finger, and using a trapdoor in sendmail
  • Tried to remain undiscovered

  39. Code Red
  • Infected more than 250,000 machines in nine hours
  • Attacked machines running Microsoft IIS software
  • Spread to random or targeted IP addresses
  • Dormant after the infection phase

  40. USC Security Measures
  • Gamecock, September 3, 2004
  • Smart Enforcer
  • Checks for needed updates to the OS (Microsoft) and antivirus programs (McAfee) before network access is allowed
  • Why? Students do not always make needed updates

  41. A “Good” Parasite/Virus
  • Does not kill its host
  • Lives off host resources
  • Uses host resources to propagate itself
  • May change host behavior
  • May be dormant after the infection phase
  • May enter into a symbiotic relationship
  • Many biological parallels