CS 510 : Malicious Code and Forensics
About the course
Syllabus at http://thefengs.com/wuchang/work/courses/cs410
Textbook
Required:
Malware – Fighting Malicious Code, Ed Skoudis
ISBN: 0131014056
Other material (optional)
Hacking - The Art of Exploitation, Jon Erickson, ISBN: 1-59327-007-0
The Shellcoder's Handbook - Discovering and Exploiting Security Holes, Koziol et al., ISBN: 0-7645-4468-3
Trojans, Worms, and Spyware: A Computer Security, M. Erbschloe, ISBN: 0750678488
The Giant Black Book of Computer Viruses, M. Ludwig, ISBN: 0929408233
Ethics
Exploring malware
Do it on your own computer, or somewhere you have permission to
Don’t run vulnerability scanners on other people’s machines
What is Malware?
Malware – set of instructions that run on your computer and make your system do something that an attacker wants it to do
Delete files to render your computer inoperable
Infect other systems (worms, viruses)
Monitor activity (webcams, keystroke loggers)
Gather information on you, your habits, web sites you visit
Provide unauthorized access (trojans, backdoors)
Steal files (credit card data)
Store illicit files (copyrighted material)
Send spam or attack other systems
Stepping stone to launder activity (frame you for a crime)
Hide activity (rootkits)
Why make malware?
For kicks
For profit
Commercial-grade malware
Unprecedented connectivity
Huge clueless userbase
Increasingly generic software
Homogeneous architectures
Mature toolkits
Data/instruction mix (... more)
Why is it so prevalent?
Mixing Data & Code
What’s the difference between code and data?
Data is information that your CPU acts on
Code tells your CPU to take action (danger!)
To a computer, what’s the difference between code and data?
… Not much *
Data & code are intermixed these days
ELF, .exe, .html, .doc ….
Mixing Data & Code
Developers do it because
Cool – Dynamic, interactive environment (e.g. HTML)
Flexible – Extended functionality (e.g. .doc)
Efficient – Flexible software building blocks (e.g. .js)
Market share – Features increase usage
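To make the "not much" concrete from the defender's side, here is an added Python triage helper (not from the slides) that looks inside a file image for the executable content each listed format can carry: ELF and PE magic, an OLE document with VBA markers, and script inside HTML. The markers are simplified heuristics chosen for this demo, and the sample inputs are constructed.

```python
import re
import struct

# Added example; signatures below are simplified heuristics chosen for this
# demo, not from the lecture slides. They flag "data" files that carry code.
ELF_MAGIC = b"\x7fELF"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_MARKERS = (b"Attribute VB_", "_VBA_PROJECT".encode("utf-16-le"))
SCRIPT_RE = re.compile(rb"<script\b|\bjavascript:", re.IGNORECASE)


def classify(blob: bytes) -> list[str]:
    """Label the kinds of executable content found inside one file image."""
    found = []
    if blob.startswith(ELF_MAGIC):
        found.append("elf-executable")
    if blob.startswith(b"MZ") and len(blob) >= 0x40:
        # The DOS stub stores the PE header offset at 0x3c; check "PE\0\0" there.
        pe_off = struct.unpack_from("<I", blob, 0x3C)[0]
        if blob[pe_off:pe_off + 4] == b"PE\0\0":
            found.append("pe-executable")
    if blob.startswith(OLE_MAGIC):
        found.append("ole-document")
        if any(m in blob for m in VBA_MARKERS):
            found.append("vba-macro")
    if SCRIPT_RE.search(blob):
        found.append("html-script")
    return found


# Constructed sample "files" (a few bytes each, not real malware).
SAMPLES = {
    "elf": ELF_MAGIC + b"\x02\x01\x01\x00",
    "pe": b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0",
    "doc_macro": OLE_MAGIC + b"\0" * 8 + "_VBA_PROJECT".encode("utf-16-le"),
    "doc_plain": OLE_MAGIC + b"\0" * 8 + b"plain text",
    "html": b"<html><body><script>document.title='x'</script></body></html>",
    "txt": b"just notes, no code here",
}


def triage(samples=SAMPLES) -> dict:
    """Map every sample name to the labels classify() assigns it."""
    return {name: classify(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, labels in triage().items():
        print(f"{name:10s} -> {labels or ['data only']}")
```

A blob that gets no label is "data only" as far as these heuristics can tell; an empty result is not proof of safety, only that none of the listed code carriers was seen.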
Types of malware
Viruses
Worms
Malicious mobile code
Backdoors
Trojans
Rootkits (user & kernel level)
Viruses
Infects a host file
Self-replicates
Spreads via secondary storage or network
Human interaction usually required
Examples: Michelangelo, Stoned, CIH
Worms
Spreads across a network
Self-replicates
Human interaction not usually required
Examples: Morris Worm, Code Red, SQL Slammer
Malicious Mobile Code
Lightweight
Downloaded and executed locally
Human interaction minimal
JavaScript, VBScript, Java, ActiveX, Flash
Examples: Cross-Site Scripting, Drive-by downloads, Cross-Site Request Forging
Backdoor
Bypasses normal security controls to give an attacker access
Can have dual uses (for good and evil)
Examples: Netcat, VNC, Back Orifice
Trojan Horse
Disguised as useful file/program
Performs malicious purpose such as launching other programs or capturing user information
E.g. Setiri, Hydan
Rootkits
Tools to hide presence of attacker/other malware on system
User-level rootkit: replaces utilities on host system
Kernel-level rootkit: manipulates operating system directly
Others
Spyware: monitors a system’s activity and reports it to attacker
Adware: software to continually display advertisements to users
Scareware: software that scares users into purchasing or installing software they do not want or need
Ransomware: software that attempts to force users to pay hacker money