Malwares
Trapdoor
Secret entry point into a system
Specific user identifier or password that circumvents normal security procedures.
Logic Bomb
Embedded in legitimate programs Activated when specified conditions met
E.g., presence/absence of some file; Particular date/time or particular user
Trojan Horse
Example: Attacker: Program with an overt (expected) and covert effect Place the following file
Appears normal/expected Covert effect violates security policy
Virus
Self-replicating code
Like replicating Trojan horse Alters normal code with infected version
No overt action
Generally tries to remain undetected
Virus Properties
Terminate and Stay Resident
Stays active in memory after application complete Allows infection of previously unknown files Trap calls that execute a program
Stealth
Conceal Infection Trap read and disinfect Let execute call infected file Encrypt virus Prevents signature to detect virus Polymorphism Change virus code to prevent signature
Worm
Runs independently
Does not require a host program
Propagates a fully working version of itself to other machines Carries a payload performing hidden tasks
Backdoors, spam relays, DDoS agents;
Phases
Probing Exploitation Replication Payload
Fast spreading
1 Attacker scans
Unsecured Computers
Internet
2 Attacker secretly
Internet
3 Zombie agents
Zombies
Master Server
Internet
Zombies
Master Server
Internet
5 Master Server
Zombies
Internet
Targeted System System
6 Targeted system is
Zombies
Internet
Request Denied Targeted System System
User
Botnet
Using peer-to-peer structure, rather than a central command & control Encrypting/authenticating communications.
A botnet is a collection of internet-connected computers whose security defenses have been breached and control ceded to a malicious party. Each such compromised device, known as a "bot", is created when a computer is penetrated by software from a malware distribution; otherwise known as malicious software. The controller of a botnet is able to direct the activities of these compromised computers through communication channels formed by standardsbased network protocols such as IRC (Internet Relay Chat) and HTTP (Hypertext Transfer Protocol)
Rootkit
Software used after system compromise to:
Hide the attackers presence Provide backdoors for easy reentry
Simple rootkits:
Modify user programs (ls, ps) Detectable by tools like Tripwire
Sophisticated rootkits:
Modify the kernel itself Hard to detect from userland
A rootkit is a stealthy type of malicious software designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer. The term rootkit is a concatenation of "root" (the traditional name of the privileged account on Unix operating systems) and the word "kit" (which refers to the software components that implement the tool). The term "rootkit" has negative connotations through its association with malware.
Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it. Detection methods include using an alternative and trusted operating system , behavioral-based methods, signature scanning, difference scanning, and memory dump analysis. Removal can be complicated or practically impossible, especially in cases where the rootkit resides in the kernel; reinstallation of the operating system may be the only available solution to the problem. When dealing with firmware rootkits, removal may require hardware replacement, or specialised equipment.
Rootkit Classification
Application-level Rootkit
Evil Program Trojan login Trojan Trojan ps ifconfig good tripwire good login good ps good good ifconfig tripwire
Traditional RootKit
Kernel-level RootKit
Kernel
Hxdef, NTIllusion
Kernel
Lrk5, t0rn
Kernel
Rootkit Classification
Under-Kernel RootKit
good login
good ps
Kernel
Evil VMM
Hypervisor Hardware/firmwar e
Spyware
Malware that collects little bits of information at a time about users without their knowledge
Keyloggers: May also tracking browsing habit May also re-direct browsing and display ads
The presence of spyware is typically hidden from the user and can be difficult to detect. Some spyware, such as keyloggers, may be installed by the owner of a shared, corporate, or public computer intentionally in order to monitor users.
Scareware
Software
with malicious payloads, or of limited or no benefit Sold by social engineering to cause shock, anxiety, or the perception of a threat
Rapidly increasing
Anti-Phishing Working Group: # of scareware packages rose from 2,850 to 9,287 in 2nd half of 2008. In 1st half of 2009, the APWG identified a 583% increase in scareware programs.
Scareware comprises several classes of scam software with malicious payloads, or of limited or no benefit, that are sold to consumers via certain unethical marketing practices. The selling approach uses social engineering to cause shock, anxiety, or the perception of a threat, generally directed at an unsuspecting user.
Ransomware
Holds a computer system, or the data it contains, hostage against its user by demanding a ransom.
Disable an essential system service or lock the display at system startup Encrypt some of the user's personal files, originally referred to as cryptoviruses, cryptotrojans or cryptoworms
Ransomware comprises a class of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed