X

Download Malware PowerPoint Presentation

SlidesFinder-Advertising-Design.jpg

Login   OR  Register
X


Iframe embed code :



Presentation url :

Home / Computers & Web / Computers & Web Presentations / Malware PowerPoint Presentation

Malware PowerPoint Presentation

Ppt Presentation Embed Code   Zoom Ppt Presentation

PowerPoint is the world's most popular presentation software which can let you create professional Malware powerpoint presentation easily and in no time. This helps you give your presentation on Malware in a conference, a school lecture, a business proposal, in a webinar and business and professional representations.

The uploader spent his/her valuable time to create this Malware powerpoint presentation slides, to share his/her useful content with the world. This ppt presentation uploaded by presentationlove in Computers & Web ppt presentation category is available for free download,and can be used according to your industries like finance, marketing, education, health and many more.

About This Presentation

Malware Presentation Transcript

Slide 1 - CS155 Spring 2009 Elie Bursztein Malware
Slide 2 - Welcome to the zoo What malware are How do they infect hosts How do they hide How do they propagate Zoo visit ! How to detect them Worms
Slide 3 - What is a malware ? A Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do.
Slide 4 - What it is good for ? Steal personal information Delete files Click fraud Steal software serial numbers Use your computer as relay
Slide 5 - The Malware Zoo Virus Backdoor Trojan horse Rootkit Scareware Adware Worm
Slide 6 - What is a Virus ? a program that can infect other programs by modifying them to include a, possibly evolved, version of itself Fred Cohen 1983
Slide 7 - Some Virus Type Polymorphic : uses a polymorphic engine to mutate while keeping the original algorithm intact (packer) Methamorpic : Change after each infection
Slide 8 - What is a trojan A trojan describes the class of malware that appears to perform a desirable function but in fact performs undisclosed malicious functions that allow unauthorized access to the victim computer Wikipedia
Slide 9 - What is rootkit A root kit is a component that uses stealth to maintain a persistent and undetectable presence on the machine Symantec
Slide 10 - What is a worm A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes and do so without any user intervention.
Slide 11 - Almost 30 years of Malware From Malware fighting malicious code
Slide 12 - History Melissa spread by email and share Knark rootkit made by creed demonstrate the first ideas love bug vb script that abused a weakness in outlook Kernl intrusion by optyx gui and efficent hidding mechanims 1981 First reported virus 1983 Virus get defined 1986 First PC virus MS DOS 1988 First worm : Morris worm 1990 First polymorphic virus 1998 First Java virus 1998 Back orifice 1999 Melissa virus 1999 Zombie concept 1999 Knark rootkit 2000 love bug 2001 Code Red Worm 2001 Kernel Intrusion System 2001 Nimda worm 2003 SQL Slammer worm
Slide 13 - Number of malware signatures Symantec report 2009
Slide 14 - Malware Repartition Panda Q1 report 2009
Slide 15 - Outline What malware are How do they infect hosts How do they propagate Zoo visit ! How to detect them Worms
Slide 16 - What to Infect Executable Interpreted file Kernel Service MBR Hypervisor
Slide 17 - Overwriting malware Targeted Executable Malware Malware
Slide 18 - prepending malware Targeted Executable Malware Infected host Executable Malware
Slide 19 - appending malware Targeted Executable Malware Infected host Executable Malware
Slide 20 - Cavity malware Targeted Executable Infected host Executable Malware Malware
Slide 21 - Multi-Cavity malware Targeted Executable Malware Malware Malware Malware
Slide 22 - Packers Malware Infected host Executable Packer Payload
Slide 23 - Packer functionalities Compress Encrypt Randomize (polymorphism) Anti-debug technique (int / fake jmp) Add-junk Anti-VM Virtualization
Slide 24 - Auto start Folder auto-start : C:\Documents and Settings\[user_name]\Start Menu\Programs\Startup Win.ini : run=[backdoor]" or "load=[backdoor]". System.ini : shell=”myexplorer.exe” Wininit Config.sys
Slide 25 - Auto start cont. Assign know extension (.doc) to the malware Add a Registry key such as HKCU\SOFTWARE\Microsoft\Windows \CurrentVersion\Run Add a task in the task scheduler Run as service
Slide 26 - Unix autostart Init.d /etc/rc.local .login .xsession crontab crontab -e /etc/crontab
Slide 27 - Macro virus Use the builtin script engine Example of call back used (word) AutoExec() AutoClose() AutoOpen() AutoNew()
Slide 28 - Document based malware MS Office Open Office Acrobat
Slide 29 - Userland root kit Perform login sshd passwd Hide activity ps netstat ls find du
Slide 30 - Subverting the Kernel Kernel task Process management File access Memory management Network management What to hide Process Files Network traffic
Slide 31 - Kernel rootkit PS KERNEL Hardware : HD, keyboard, mouse, NIC, GPU P1 P2 P3 P3 rootkit
Slide 32 - Subverting techniques Kernel patch Loadable Kernel Module Kernel memory patching (/dev/kmem)
Slide 33 - Windows Kernel P1 P2 Pn Csrss.exe Win32 subsystem DLLs User32.dll, Gdi32.dll and Kernel32.dll Other Subsytems (OS/2 Posix) Ntdll.dll ntoskrnl.exe Hardware Abstraction Layer (HAL.dll) Hardware Underlying kernel Executive
Slide 34 - Kernel Device driver P2 Win32 subsystem DLLs Ntdll.dll ntoskrnl.exe Interrupt Hook System service dispatcher System service dispatch table Driver Overwriting functions Driver Replacing Functions New pointer A C B
Slide 35 - MBR/Bootkit Bootkits can be used to avoid all protections of an OS, because OS consider that the system was in trusted stated at the moment the OS boot loader took control.
Slide 36 - BIOS MBR VBS NT Boot Sector BOOTMGR.EXE WINLOAD.EXE Windows 7 kernel HAL.DLL
Slide 37 - Vboot Work on every Windows (vista,7) 3ko Bypass checks by letting them run and then do inflight patching Communicate via ping
Slide 38 - Hypervisor rootkit Target OS Hardware App App
Slide 39 - Hypervisor rootkit Target OS Hardware App App Virtual machine monitor Host OS Rogue app
Slide 40 - Outline What malware are How do they infect hosts How do they propagate Zoo visit ! How to detect them Worms
Slide 41 - Shared folder
Slide 42 - Email propagation from pandalab blog
Slide 43 - Valentine day ... Waledac malicious domain from pandalab blog
Slide 44 - Email again Symantec 2009
Slide 45 - Fake codec
Slide 46 - Fake antivirus from pandalab blog
Slide 47 - Hijack you browser from pandalab blog
Slide 48 - Fake page ! from pandalab blog
Slide 49 - P2P Files Popular query 35.5% are malwares (Kalafut 2006)
Slide 50 - Basic InfectedHost Attacker TCP
Slide 51 - Reverse InfectedHost Attacker TCP
Slide 52 - covert InfectedHost Attacker ICMP
Slide 53 - Rendez vous backdoor InfectedHost Attacker RDV Point
Slide 54 - Outline What malware are How do they infect hosts How do they propagate Zoo visit ! How to detect them Worms
Slide 55 - Adware
Slide 56 - BackOrifice Defcon 1998 new version in 2000
Slide 57 - Netbus 1998 Used for “prank”
Slide 58 - Symantec pcAnywhere
Slide 59 - Browser Toolbar ...
Slide 60 - Toolbar again
Slide 61 - Ransomware Trj/SMSlock.A Russian ransomware April 2009 To unlock you need to send an SMS with the text4121800286to the number3649Enter the resulting code:Any attempt to reinstall the system may lead to loss of important information and computer damage from pandalab blog
Slide 62 - Outline What malware are How do they infect hosts How do they propagate Zoo visit ! How to detect them Worms
Slide 63 - Anti-virus Analyze system behavior Analyze binary to decide if it a virus Type : Scanner Real time monitor
Slide 64 - Impossibility result It is not possible to build a perfect virus/malware detector (Cohen)
Slide 65 - Impossibility result Diagonal argument P is a perfect detection program V is a virus V can call P if P(V) = true -> halt if P(V) = false -> spread
Slide 66 - Virus signature Find a string that can identify the virus Fingerprint like
Slide 67 - Heuristics Analyze program behavior Network access File open Attempt to delete file Attempt to modify the boot sector
Slide 68 - Checksum Compute a checksum for Good binary Configuration file Detect change by comparing checksum At some point there will more malware than “goodware” ...
Slide 69 - Sandbox analysis Running the executable in a VM Observe it File activity Network Memory
Slide 70 - Dealing with Packer Launch the exe Wait until it is unpack Dump the memory
Slide 71 - Outline What malware are How do they infect hosts How do they propagate Zoo visit ! How to detect them Worms
Slide 72 - 72 Worm A worm is self-replicating software designed to spread through the network Typically, exploit security flaws in widely used services Can cause enormous damage Launch DDOS attacks, install bot networks Access sensitive information Cause confusion by corrupting the sensitive information Worm vs Virus vs Trojan horse A virus is code embedded in a file or program Viruses and Trojan horses rely on human intervention Worms are self-contained and may spread autonomously
Slide 73 - 73 Cost of worm attacks Morris worm, 1988 Infected approximately 6,000 machines 10% of computers connected to the Internet cost ~ $10 million in downtime and cleanup Code Red worm, July 16 2001 Direct descendant of Morris’ worm Infected more than 500,000 servers Programmed to go into infinite sleep mode July 28 Caused ~ $2.6 Billion in damages, Love Bug worm: $8.75 billion Statistics: Computer Economics Inc., Carlsbad, California
Slide 74 - 74 Internet Worm (First major attack) Released November 1988 Program spread through Digital, Sun workstations Exploited Unix security vulnerabilities VAX computers and SUN-3 workstations running versions 4.2 and 4.3 Berkeley UNIX code Consequences No immediate damage from program itself Replication and threat of damage Load on network, systems used in attack Many systems shut down to prevent further attack
Slide 75 - 75 Some historical worms of note Kienzle and Elder
Slide 76 - 76 Increasing propagation speed Code Red, July 2001 Affects Microsoft Index Server 2.0, Windows 2000 Indexing service on Windows NT 4.0. Windows 2000 that run IIS 4.0 and 5.0 Web servers Exploits known buffer overflow in Idq.dll Vulnerable population (360,000 servers) infected in 14 hours SQL Slammer, January 2003 Affects in Microsoft SQL 2000 Exploits known buffer overflow vulnerability Server Resolution service vulnerability reported June 2002 Patched released in July 2002 Bulletin MS02-39 Vulnerable population infected in less than 10 minutes
Slide 77 - 77 Code Red Initial version released July 13, 2001 Sends its code as an HTTP request HTTP request exploits buffer overflow Malicious code is not stored in a file Placed in memory and then run When executed, Worm checks for the file C:\Notworm If file exists, the worm thread goes into infinite sleep state Creates new threads If the date is before the 20th of the month, the next 99 threads attempt to exploit more computers by targeting random IP addresses
Slide 78 - 78 Code Red of July 13 and July 19 Initial release of July 13 1st through 20th month: Spread via random scan of 32-bit IP addr space 20th through end of each month: attack. Flooding attack against 198.137.240.91 (www.whitehouse.gov) Failure to seed random number generator ⇒ linear growth Revision released July 19, 2001. White House responds to threat of flooding attack by changing the address of www.whitehouse.gov Causes Code Red to die for date ≥ 20th of the month. But: this time random number generator correctly seeded Slides: Vern Paxson
Slide 79 - 79 Infection rate
Slide 80 - 80 Measuring activity: network telescope Monitor cross-section of Internet address space, measure traffic “Backscatter” from DOS floods Attackers probing blindly Random scanning from worms LBNL’s cross-section: 1/32,768 of Internet UCSD, UWisc’s cross-section: 1/256.
Slide 81 - 81 Spread of Code Red Network telescopes estimate of # infected hosts: 360K. (Beware DHCP & NAT) Course of infection fits classic logistic. Note: larger the vulnerable population, faster the worm spreads. That night (⇒ 20th), worm dies … … except for hosts with inaccurate clocks! It just takes one of these to restart the worm on August 1st … Slides: Vern Paxson
Slide 82 - 82 Slides: Vern Paxson
Slide 83 - 83 Code Red 2 Released August 4, 2001. Comment in code: “Code Red 2.” But in fact completely different code base. Payload: a root backdoor, resilient to reboots. Bug: crashes NT, only works on Windows 2000. Localized scanning: prefers nearby addresses. Kills Code Red 1. Safety valve: programmed to die Oct 1, 2001. Slides: Vern Paxson
Slide 84 - 84 Striving for Greater Virulence: Nimda Released September 18, 2001. Multi-mode spreading: attack IIS servers via infected clients email itself to address book as a virus copy itself across open network shares modifying Web pages on infected servers w/ client exploit scanning for Code Red II backdoors (!) worms form an ecosystem! Leaped across firewalls. Slides: Vern Paxson
Slide 85 - 85 Code Red 2 kills off Code Red 1 Code Red 2 settles into weekly pattern Nimda enters the ecosystem Code Red 2 dies off as programmed CR 1 returns thanks to bad clocks Slides: Vern Paxson
Slide 86 - 86 How do worms propagate? Scanning worms : Worm chooses “random” address Coordinated scanning : Different worm instances scan different addresses Flash worms Assemble tree of vulnerable hosts in advance, propagate along tree Not observed in the wild, yet Potential for 106 hosts in < 2 sec ! [Staniford] Meta-server worm :Ask server for hosts to infect (e.g., Google for “powered by phpbb”) Topological worm: Use information from infected hosts (web server logs, email address books, config files, SSH “known hosts”) Contagion worm : Propagate parasitically along with normally initiated communication
Slide 87 - slammer 01/25/2003 Vulnerability disclosed : 25 june 2002 Better scanning algorithm UDP Single packet : 380bytes
Slide 88 - Slammer propagation
Slide 89 - Number of scan/sec
Slide 90 - Packet loss
Slide 91 - A server view
Slide 92 - Consequences ATM systems not available Phone network overloaded (no 911!) 5 DNS root down Planes delayed
Slide 93 - 93 Worm Detection and Defense Detect via honeyfarms: collections of “honeypots” fed by a network telescope. Any outbound connection from honeyfarm = worm. (at least, that’s the theory) Distill signature from inbound/outbound traffic. If telescope covers N addresses, expect detection when worm has infected 1/N of population. Thwart via scan suppressors: network elements that block traffic from hosts that make failed connection attempts to too many other hosts 5 minutes to several weeks to write a signature Several hours or more for testing
Slide 94 - 94 Signature inference Challenge need to automatically learn a content “signature” for each new worm – potentially in less than a second! Some proposed solutions Singh et al, Automated Worm Fingerprinting, OSDI ’04 Kim et al, Autograph: Toward Automated, Distributed Worm Signature Detection, USENIX Sec ‘04
Slide 95 - 95 Signature inference Monitor network and look for strings common to traffic with worm-like behavior Signatures can then be used for content filtering Slide: S Savage
Slide 96 - 96 Content sifting Assume there exists some (relatively) unique invariant bitstring W across all instances of a particular worm (true today, not tomorrow...) Two consequences Content Prevalence: W will be more common in traffic than other bitstrings of the same length Address Dispersion: the set of packets containing W will address a disproportionate number of distinct sources and destinations Content sifting: find W’s with high content prevalence and high address dispersion and drop that traffic Slide: S Savage
Slide 97 - 97 Observation: High-prevalence strings are rare (Stefan Savage, UCSD *) Only 0.6% of the 40 byte substrings repeat more than 3 times in a minute
Slide 98 - 98 Challenges Computation To support a 1Gbps line rate we have 12us to process each packet, at 10Gbps 1.2us, at 40Gbps… Dominated by memory references; state expensive Content sifting requires looking at every byte in a packet State On a fully-loaded 1Gbps link a naïve implementation can easily consume 100MB/sec for table Computation/memory duality: on high-speed (ASIC) implementation, latency requirements may limit state to on-chip SRAM (Stefan Savage, UCSD *)