Number of slides: 26
Malware
K. Salah
Malcode Taxonomy (diagram)
The Ten Most Common Critical Cyber Security Threats
1. Malware attack with Social Engineering Tactics
2. SPAM
3. DoS and DDoS attack
4. Phishing and Pharming (identity theft)
5. Botnets
6. IM and P2P attack
7. Mobile and Wireless attack (Wi-Fi and Bluetooth)
8. Rootkits
9. Web Application Hacking
10. Hacking with Google
Most Advanced Critical Cyber Security Threats
1. Zero Day Attack
2. Web 2.0 Attack
3. VoIP Attack
4. Web Services Attack
5. USB Attack
Attack on the Critical Infrastructure
- Government Operations
- Telecommunications
- Electrical Energy
- Gas & Oil Storage and Delivery
- Water Supply Systems
- Banking & Finance
- Transportation
Virus, Spam and Spyware Relationship (diagram)
Threats shown: Spam, Worm, Virus, Zombie/Trojan, Phish/Adware, Spyware
Countermeasures shown: Antispam, Antivirus, Antispyware
Digital Forensics Analysis
1. Incident Notification
2. Understand Nature of Incident
3. Interview
4. Obtain Authorization
5. Verify Scope
6. Team Assembly
7. Document work area
8. Document Incident Equipment
9. Move Equipment
10. Prepare two images
11. Preserve/Protect First Image
12. Use second Image for restoration and Examination
13. Data Extraction and Analysis
14. Watch Assumptions: Date/time
15. Review Log / Interview
16. Analysis
17. Prepare findings
18. Lesson Learned
Anti-forensic techniques try to frustrate forensic investigators and their techniques
1. Overwriting Data and Metadata
   1. Secure Data Deletion
   2. Overwriting Metadata
   3. Preventing Data Creation
2. Cryptography, Steganography, and other Data Hiding Approaches
   1. Encrypted Data
   2. Encrypted Network Protocols
   3. Program Packers
   4. Steganography
   5. Generic Data Hiding
Examples
- Timestomp: changes the dates of computer files (the 4 timestamps of NTFS). EnCase shows blanks.
- Slacker: stores files in the slack of disk blocks
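One defender-side check for the Timestomp case above, added here as an example that is not part of these slides: read the four NTFS $STANDARD_INFORMATION timestamps and flag those whose 100 ns fraction is exactly zero, since a tool that rewrites stamps at one-second granularity leaves that fraction empty while ordinary file activity almost never does. The attribute layout assumed is the documented NTFS one (four little-endian FILETIMEs: created, modified, MFT-changed, accessed); the sample record is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <time.h>

#define TICKS_PER_SEC 10000000ULL                 /* FILETIME counts 100 ns ticks */
#define EPOCH_1601_TO_1970 116444736000000000ULL  /* ticks from 1601-01-01 to 1970-01-01 */

static uint64_t le64(const uint8_t *p) {          /* read little-endian u64 */
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}
static void put_le64(uint8_t *p, uint64_t v) {    /* write little-endian u64 */
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Reads the four FILETIMEs at the start of a $STANDARD_INFORMATION attribute
 * (created, modified, MFT-changed, accessed), converts each to Unix seconds and
 * returns a bit mask (bit i = stamp i) of those whose 100 ns fraction is exactly
 * zero. Returns -1 if fewer than 32 bytes are available. */
int timestomp_suspect_mask(const uint8_t *si, size_t len, time_t unix_secs[4]) {
    if (len < 32) return -1;
    int mask = 0;
    for (int i = 0; i < 4; i++) {
        uint64_t ft = le64(si + 8 * i);
        unix_secs[i] = (time_t)((ft - EPOCH_1601_TO_1970) / TICKS_PER_SEC);
        if (ft % TICKS_PER_SEC == 0) mask |= 1 << i;
    }
    return mask;
}

/* Constructed sample (not from a real volume): created/modified/accessed reset to
 * 2004-01-01 00:00:00 UTC with a zero fraction; MFT-changed keeps a real fraction. */
void build_sample_si(uint8_t out[32]) {
    uint64_t whole = EPOCH_1601_TO_1970 + 1072915200ULL * TICKS_PER_SEC;
    put_le64(out + 0, whole);
    put_le64(out + 8, whole);
    put_le64(out + 16, whole + 4321567ULL);
    put_le64(out + 24, whole);
}

/* Runs the check over the constructed sample; returns the mask and, when
 * unix_out is non-NULL, the Unix seconds of stamp idx. */
int sample_check(int idx, long *unix_out) {
    uint8_t si[32]; time_t secs[4];
    build_sample_si(si);
    int mask = timestomp_suspect_mask(si, sizeof si, secs);
    if (unix_out) *unix_out = (long)secs[idx];
    return mask;
}
```

A zero fraction is a lead, not proof: files copied from FAT media or stamped by some legitimate utilities also show one, so compare with the separately maintained set of four timestamps in the $FILE_NAME attribute before drawing a conclusion.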
Virus Techniques
- TSR
  - Virus can hide in memory even if program has stopped or been detected
- Stealth Viruses
  - Execute original code
  - Size of file stays the same after infection
  - Hide in memory within a system process
  - Virus infects OS so that if a user examines the infected file, it appears normal
- Encrypted/Polymorphic Viruses
  - To hide virus signatures, encrypt the code
  - Have the code mutate to prevent signature scanning
Polymorphic Viruses (diagram)
Virus Cleaning
- Remove virus from file
- Requires skills in software reverse engineering
- Identify beginning/end of payload and restore to original
How hard is it to write a virus?
- Simple Google search for "virus construction toolkit"
- www.pestpatrol.com
- Tons of others
- Conclusion: Not hard
Attaching code (diagram)
Integrate itself (diagram)
Completely replace (diagram)
Boot Sector Virus (diagram)
How viruses work
- Attach
  - Append to program, e-mail: executes with program
  - Surrounds program: executes before and after program; erases its tracks
- Gain control
  - Integrates or replaces program code
  - Virus replaces target
- Reside
  - In boot sector
  - Memory
  - Application program
  - Libraries
How viruses work (cont'd)
- Detection
  - Virus signatures
  - Storage patterns
  - Execution patterns
  - Transmission patterns
- Prevention
  - Don't share executables
  - Use commercial software from reliable sources
  - Test new software on isolated computers
  - Open only safe attachments
  - Keep recoverable system image in safe place
  - Backup executable system file copies
  - Use virus detectors
  - Update virus detectors often
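Why the encrypted-body technique from the Virus Techniques slide defeats the plain byte signature listed under Detection, and how a scanner still copes, as an added C example not from these slides: each generation is the same decryptor stub followed by the body XORed with a fresh single-byte key, so a verbatim signature on the body misses every re-keyed sample, while a key-agnostic scan that derives the key from the first byte of each window and verifies the rest still matches. The stub, body, signature and keys are constructed plain-text placeholders, not real code.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Plain byte-signature scan: does sig occur verbatim in buf? 1 = hit, 0 = miss. */
int scan_plain(const uint8_t *buf, size_t n, const uint8_t *sig, size_t m) {
    if (m == 0 || n < m) return 0;
    for (size_t off = 0; off + m <= n; off++)
        if (memcmp(buf + off, sig, m) == 0) return 1;
    return 0;
}

/* Key-agnostic scan: does sig occur XORed with some single-byte key? The key is
 * fixed by the first byte of each window and verified across the rest, so this
 * costs one pass, not 256. Returns key + 1 on a hit (key 0 stays distinguishable), 0 on a miss. */
int scan_xor_invariant(const uint8_t *buf, size_t n, const uint8_t *sig, size_t m) {
    if (m == 0 || n < m) return 0;
    for (size_t off = 0; off + m <= n; off++) {
        uint8_t key = buf[off] ^ sig[0];
        size_t i = 1;
        while (i < m && (buf[off + i] ^ key) == sig[i]) i++;
        if (i == m) return key + 1;
    }
    return 0;
}

/* Constructed stand-ins (plain text, not real code): the body a virus would
 * carry, the constant decryptor stub that precedes it, and a signature an
 * analyst extracted from the plaintext body. */
static const uint8_t BODY[] = "SAMPLE-BODY:copy-self-to-host";
static const uint8_t STUB[] = "STUB";
static const uint8_t SIG[]  = "copy-self";
#define LEN(a) (sizeof (a) - 1)

/* Builds one generation: stub, then the body XORed with key, mimicking how an
 * encrypted virus re-keys its body on each infection. Returns bytes written. */
size_t make_generation(uint8_t *out, size_t cap, uint8_t key) {
    if (cap < LEN(STUB) + LEN(BODY)) return 0;
    memcpy(out, STUB, LEN(STUB));
    for (size_t i = 0; i < LEN(BODY); i++) out[LEN(STUB) + i] = BODY[i] ^ key;
    return LEN(STUB) + LEN(BODY);
}

/* Builds a generation under key and runs one scan (invariant: 0 = plain, 1 = key-agnostic). */
int scan_generation(uint8_t key, int invariant) {
    uint8_t gen[64];
    size_t n = make_generation(gen, sizeof gen, key);
    return invariant ? scan_xor_invariant(gen, n, SIG, LEN(SIG))
                     : scan_plain(gen, n, SIG, LEN(SIG));
}
```

Real scanners apply the same idea to the constant stub itself and to the decryption loop's instruction pattern; a body that mutates its key per generation is exactly why those, not the body bytes, carry the signature.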
Virus Effects and Causes
Virus effect: how it is caused
- Attach to executable: modify file directory; write to executable program file
- Attach to data/control file: modify directory; rewrite data; append to data; append data to self
- Remain in memory: intercept interrupt by modifying interrupt handler address table; load self in non-transient memory area
- Infect disks: intercept interrupt; intercept OS call (to format disk, for example); modify system file; modify ordinary executable program
- Conceal self: intercept system calls that would reveal self and falsify results; classify self as "hidden" file
- Spread self: infect boot sector; infect systems program; infect ordinary program; infect data an ordinary program reads to control its execution
- Prevent deactivation: activate before deactivating program and block deactivation; store copy to reinfect after deactivation
Virus vs. Worm
- Both are malicious code
  - Virus does harm
  - Worm consumes resources
Exploitation of Flaws: Targeted Malicious Code
- Trapdoors
  - Undocumented entry point in code
  - Program stubs during testing
  - Intentionally or unintentionally left: forgotten; left for testing or maintenance; left for covert access
- Salami attack
  - Merges inconsequential pieces to get big results
  - A salami attack is a series of minor data-security attacks that together result in a larger attack.
  - For example, fraud in a bank where an employee steals a small amount of funds from several accounts can be considered a salami attack, i.e. deliberate diversion of fractional cents
  - Too difficult to audit
Exploitation of Flaws: Targeted Malicious Code (cont'd)
- Covert Channels
  - An example of a human/student covert channel
  - Programs that leak information
  - Trojan horse
- Discovery
  - Analyze system resources for patterns
  - Flow analysis from a program's syntax (automated)
- Difficult to close
  - Not much documented
  - Potential damage is extreme
File lock covert channel (diagram)
Race Conditions
- In wu-ftpd v2.4
- Allows root access
- Signal handling
  - SIGPIPE: EUID=user changes to EUID=root to log out the user and access privileged operations and files
    - It takes some time to do this
  - SIGURG: logging out is broken/stopped and the prompt is gotten back with EUID=root