This document provides an overview of different types of malware, how they infect systems, and how to detect them. It discusses various malware like viruses, trojans, worms, and rootkits. It explains how viruses and worms can propagate through systems. The document also outlines methods of malware detection like using anti-virus software to analyze systems and traffic, as well as techniques like honeypots and scan suppressors. Historical examples of notable worms are also presented.
7. What is a Virus?
"A program that can infect other programs by modifying them to include a, possibly evolved, version of itself."
(Fred Cohen, 1983)
8. Some Virus Types
Polymorphic: uses a polymorphic engine to mutate while keeping the original algorithm intact (packer)
Metamorphic: changes its own code after each infection
9. What is a Trojan
"A trojan describes the class of malware that appears to perform a desirable function but in fact performs undisclosed malicious functions that allow unauthorized access to the victim computer."
(Wikipedia)
10. What is a Rootkit
"A rootkit is a component that uses stealth to maintain a persistent and undetectable presence on the machine."
(Symantec)
11. What is a Worm
A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes, and does so without any user intervention.
12. Macro virus
Uses the built-in script engine of the document application
Examples of auto-executing callbacks used (Word):
AutoExec()
AutoClose()
AutoOpen()
AutoNew()
13. MBR/Bootkit
Bootkits can be used to bypass all protections of an OS, because the OS assumes that the system was in a trusted state at the moment the OS boot loader took control.
18. Outline
What malware is
How malware infects hosts
How malware propagates
Zoo visit!
How to detect malware
Worms
19. Some historical worms of note
Worm      Date   Distinction
Morris    11/88  Used multiple vulnerabilities; propagated to nearby systems
ADM       5/98   Random scanning of the IP address space
Ramen     1/01   Exploited three vulnerabilities
Lion      3/01   Stealthy rootkit worm
Cheese    6/01   Vigilante worm that secured vulnerable systems
Code Red  7/01   First significant Windows worm; completely memory resident
Walk      8/01   Recompiled its source code locally
Nimda     9/01   Windows worm: client-to-server, client-to-client, server-to-server
Scalper   6/02   Appeared 11 days after announcement of the vulnerability; peer-to-peer network of compromised systems
Slammer   1/03   Used a single UDP packet for explosive growth
(Kienzle and Elder)
20. How do worms propagate?
Scanning worms: the worm chooses random addresses to probe
Coordinated scanning: different worm instances scan different parts of the address space
Flash worms: assemble a tree of vulnerable hosts in advance, then propagate along the tree
Not observed in the wild, yet
Potential for 10^6 hosts in < 2 sec! [Staniford]
Meta-server worms: ask a server for hosts to infect (e.g., Google for "powered by phpbb")
Topological worms: use information found on infected hosts (web server logs, email address books, config files, SSH known hosts)
Contagion worms: propagate parasitically along with normally initiated communication
21. Consequences
ATM systems not available
Phone network overloaded (no 911!)
5 DNS root servers down
Planes delayed
22. Worm Detection and Defense
Detect via honeyfarms: collections of honeypots fed by a network telescope.
Any outbound connection from the honeyfarm = worm (at least, that's the theory).
Distill a signature from the inbound/outbound traffic.
If the telescope covers N addresses, expect detection when the worm has infected 1/N of the population.
Thwart via scan suppressors: network elements that block traffic from hosts that make failed connection attempts to too many other hosts.
Signature latency: 5 minutes to several weeks to write a signature, plus several hours or more for testing.
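The scan suppressor described above keys on one observable: a host that fails to connect to many distinct destinations. The following Python example is added here and is not code from the slides; it runs that logic over a constructed connection log (assumed format: time, source, destination, port, outcome), first as an offline audit and then as a single-pass filter that drops a source's later attempts once it crosses an assumed threshold of 10 distinct failed destinations.

```python
import re
from collections import defaultdict

# Constructed connection log (not from the slides): time src dst dport outcome
# SYN-ACK marks a completed handshake; RST or TIMEOUT marks a failed attempt.
SCANNER = "10.0.0.5"
NORMAL_HOST = "10.0.0.7"
LOG_LINES = [
    f"0.00 {NORMAL_HOST} 10.0.1.1 80 SYN-ACK",
    f"0.05 {NORMAL_HOST} 10.0.1.2 443 SYN-ACK",
    f"0.10 {NORMAL_HOST} 10.0.1.3 22 TIMEOUT",  # one stale destination, ordinary noise
] + [
    # a scanning worm probing sequential addresses on one port: nearly every probe fails
    f"{0.20 + i * 0.01:.2f} {SCANNER} 10.0.2.{i} 445 {'SYN-ACK' if i == 3 else 'RST'}"
    for i in range(1, 13)
]

LINE_RE = re.compile(
    r"^(?P<t>\d+\.\d+) (?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+) (?P<outcome>\S+)$"
)
FAILED_OUTCOMES = {"RST", "TIMEOUT"}


def parse_log(lines):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def failed_fanout(lines):
    """Distinct destinations each source failed to reach: the suppressor's only state."""
    fanout = defaultdict(set)
    for rec in parse_log(lines):
        if rec["outcome"] in FAILED_OUTCOMES:
            fanout[rec["src"]].add(rec["dst"])
    return fanout


def suppressed_sources(lines, threshold=10):
    """Sources a scan suppressor would block (threshold is an assumed tuning value)."""
    return {src for src, dsts in failed_fanout(lines).items() if len(dsts) >= threshold}


def filter_traffic(lines, threshold=10):
    """Single-pass suppression: once a source has failed against `threshold` distinct
    hosts, its later connection attempts are dropped. Returns (forwarded, dropped)."""
    fanout = defaultdict(set)
    forwarded, dropped = [], []
    for rec in parse_log(lines):
        src = rec["src"]
        if len(fanout[src]) >= threshold:
            dropped.append(rec)
            continue
        forwarded.append(rec)
        if rec["outcome"] in FAILED_OUTCOMES:
            fanout[src].add(rec["dst"])
    return forwarded, dropped


if __name__ == "__main__":
    print("suppressed:", sorted(suppressed_sources(LOG_LINES)))
    fwd, drp = filter_traffic(LOG_LINES)
    print(f"forwarded {len(fwd)} records, dropped {len(drp)}")
```

Counting distinct failed destinations rather than raw failures is what keeps a host retrying one dead server from looking like a scanner; the threshold and the failure classification are the two knobs that trade false positives against how many probes a worm gets in before it is throttled.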
23. Content sifting, step 1 (figure: a detector in the network watching hosts A, B, C, D, E and cnn.com)
Prevalence Table    Address Dispersion Table
                    Sources      Destinations
1                   1 (B)        1 (A)
(Stefan Savage, UCSD *)
24. Content sifting, step 2 (same figure)
Prevalence Table    Address Dispersion Table
                    Sources      Destinations
1                   1 (A)        1 (C)
1                   1 (B)        1 (A)
(Stefan Savage, UCSD *)
25. Content sifting, step 3 (same figure)
Prevalence Table    Address Dispersion Table
                    Sources      Destinations
1                   1 (A)        1 (C)
2                   2 (B,D)      2 (A,B)
(Stefan Savage, UCSD *)
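Slides 23 to 25 step through the two tables a content-sifting detector keeps: how often a piece of content has been seen (prevalence) and how many distinct sources and destinations carried it (address dispersion). The Python example below is added here; it is not code from the slides and not the EarlyBird implementation. It replays the slide sequence (B sends a body to A, A fetches cnn.com from C, D sends the same body to B) over fixed 16-byte substrings, with a blake2b hash standing in for the Rabin fingerprints the real system uses; the window size and the thresholds of 2 are assumed values picked so that the three-packet replay fires, and production thresholds would be higher.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass, field

WINDOW = 16  # bytes per fingerprinted substring (assumed demo value)


@dataclass
class Dispersion:
    sources: set = field(default_factory=set)
    destinations: set = field(default_factory=set)


def fingerprint(chunk: bytes) -> str:
    """Stand-in for a Rabin fingerprint: any fast hash of the substring works here."""
    return hashlib.blake2b(chunk, digest_size=8).hexdigest()


def substrings(payload: bytes):
    """Fingerprints of every WINDOW-byte substring, deduplicated within one packet."""
    if len(payload) <= WINDOW:
        return {fingerprint(payload)}
    return {fingerprint(payload[i:i + WINDOW]) for i in range(len(payload) - WINDOW + 1)}


class ContentSifter:
    def __init__(self, prevalence_threshold=2, dispersion_threshold=2):
        self.prevalence = defaultdict(int)         # Prevalence Table: fingerprint -> packets seen
        self.dispersion = defaultdict(Dispersion)  # Address Dispersion Table
        self.prevalence_threshold = prevalence_threshold
        self.dispersion_threshold = dispersion_threshold

    def observe(self, src: str, dst: str, payload: bytes) -> None:
        """Update both tables for one packet seen by the detector."""
        for fp in substrings(payload):
            self.prevalence[fp] += 1
            entry = self.dispersion[fp]
            entry.sources.add(src)
            entry.destinations.add(dst)

    def alerts(self):
        """Content that is both prevalent and widely dispersed: worm-signature candidates.
        A popular web page is prevalent but comes from few sources, so it does not fire."""
        return sorted(
            fp for fp, count in self.prevalence.items()
            if count >= self.prevalence_threshold
            and len(self.dispersion[fp].sources) >= self.dispersion_threshold
            and len(self.dispersion[fp].destinations) >= self.dispersion_threshold
        )


# Constructed packets replaying the slide sequence: B->A and D->B carry the same body,
# A->C is an ordinary request to cnn.com. The bytes are made up for the example.
WORM_BODY = b"constructed-self-propagating-body-0001"
CNN_REQUEST = b"GET / HTTP/1.1\r\nHost: cnn.com\r\n\r\n"
PACKETS = [
    ("B", "A", WORM_BODY),
    ("A", "C", CNN_REQUEST),
    ("D", "B", WORM_BODY),
]


def run_demo():
    """Feed the constructed packets through a sifter and return it for inspection."""
    sifter = ContentSifter(prevalence_threshold=2, dispersion_threshold=2)
    for src, dst, payload in PACKETS:
        sifter.observe(src, dst, payload)
    return sifter


if __name__ == "__main__":
    s = run_demo()
    for fp in s.alerts():
        d = s.dispersion[fp]
        print(fp, s.prevalence[fp], sorted(d.sources), sorted(d.destinations))
```

After the third packet every substring of the repeated body sits at prevalence 2 with sources {B, D} and destinations {A, B}, matching slide 25, while the cnn.com request stays at prevalence 1 with a single source and destination. Keeping one prevalence counter and one dispersion entry per substring is exactly the state the Challenges slide worries about: on a loaded link these tables grow with every distinct substring seen, which is why the real system samples substrings and caps table sizes.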
26. Challenges
Computation
To support a 1Gbps line rate we have 12us to process each packet, at 10Gbps 1.2us, and less still at 40Gbps
Dominated by memory references; state is expensive
Content sifting requires looking at every byte in a packet
State
On a fully loaded 1Gbps link a naïve implementation can easily consume 100MB/sec for its tables
Computation/memory duality: on a high-speed (ASIC) implementation, latency requirements may limit state to on-chip SRAM
(Stefan Savage, UCSD *)