Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012
cja/HNS12/lectures/netsec-05-slides.pdf

Page 1

Hands-On Network Security: Practical Tools & Methods

Security Training Course

Dr. Charles J. Antonelli The University of Michigan

2012

Page 2

Hands-On Network Security

Module 5 Viruses & Worms, Botnets,

Today’s Threats

Page 3

Viruses & Worms

Page 4

Viruses

•  Program that copies itself to other programs
   - In the same directory
   - In a fixed directory
•  Virus spreads by the copying of files
   - By users, typically
•  When program invoked
   - Virus executes first
   - Copies itself to other programs
   - Optionally, performs some malicious action
   - Then executes host program
•  Example:
   - W97M.Marker

4 04/12 cja 2012

Page 5

Worms

•  Viruses that use the network to replicate
•  No dependence on copying files
•  Worm generates its own targets
   - Via self-stored data
   - Via host-stored data
   - Randomly
   - Combinations thereof
•  Example:
   - Blaster

5 04/12 cja 2012

Page 6

Types of Viruses

•  Boot sector
•  Executable infector
•  Multipartite
•  TSR
•  Stealth
•  Encrypted
•  Polymorphic
•  Metamorphic

6 04/12 cja 2012

Page 7

Macro Viruses

•  Virus instructions are interpreted
   - Platform independent
•  Infect common applications
   - Microsoft Excel, …
•  Easily spread
•  Easily defeated
   - Prohibit automatic execution of code

7 04/12 cja 2012

Page 8

Virus distribution

•  Sophos study (2002)
   - 26.1% macro viruses
   - 26.1% Trojan horses
   - 19.2% executable viruses
   - 6.8% script viruses
   - 21.8% other (Unix, boot sector, worms, file, Macintosh, multipartite)

8 04/12 cja 2012

Page 9

Malicious code types, 2010

Source: Symantec Global Internet Security Threat Report, Vol. XVI, April 2011

9 04/12 cja 2012

Page 10

Antiviral approaches

•  Detection
   - Scan for virus code “signatures”
   - More difficult for encrypting viruses
     - Polymorphic: decrypt using emulator, or analyze encrypted virus body statistically
     - Metamorphic: harder
•  Identification
   - Vendor databases
•  Removal
   - Quarantine
     - Render harmless by encryption or compression
     - Copy to quarantine area
   - Delete
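The three ideas on this slide (signature scanning, why an encrypting virus body defeats it and how an emulator-style scan recovers it, and quarantine by compression) in working form. This is an added example, not code from the course; every "file", the marker text used as the "virus body", the signature name HNS.Demo.A and the one-byte XOR "encryption" are constructed for the demonstration and are not a real sample or a real vendor signature.

```python
"""Signature scanning versus an encrypted virus body.

Added example, not from the course slides. Every "file" here is a
constructed byte string; the "virus body" is a harmless marker text
standing in for the bytes a vendor signature would key on.
"""
import gzip
import hashlib
from typing import Optional

# Constructed stand-in for a virus body (harmless marker text).
VIRUS_BODY = b"HNS-DEMO-MARKER-BODY"
# A signature is a fixed byte pattern taken from the body (constructed name).
SIGNATURES = {"HNS.Demo.A": b"DEMO-MARKER"}


def scan_signatures(data: bytes, sigs=SIGNATURES):
    """Plain signature scan: names of every pattern found verbatim in data."""
    return [name for name, pattern in sigs.items() if pattern in data]


def xor_transform(data: bytes, key: int) -> bytes:
    """Toy 'encrypting virus' transform: XOR every byte with a 1-byte key.
    XOR is its own inverse, so the same call decrypts. A different key per
    copy leaves no fixed byte string for a signature to match."""
    return bytes(b ^ key for b in data)


def build_infected_file(key: Optional[int]) -> bytes:
    """Constructed host program with the body appended, encrypted under
    key if one is given. A real encrypting virus also carries a decryptor
    stub in the clear; that stub is what an emulator would run."""
    host = b"MZ...constructed host program..."
    if key is None:
        return host + VIRUS_BODY
    return host + b"DECRYPT-STUB" + xor_transform(VIRUS_BODY, key)


def emulate_and_scan(data: bytes, sigs=SIGNATURES):
    """'Decrypt using emulator' in miniature: rather than executing the
    stub, try every 1-byte key it could hold and scan each candidate
    plaintext. Returns the signatures that match under some key."""
    found = set(scan_signatures(data, sigs))
    for key in range(1, 256):
        found.update(scan_signatures(xor_transform(data, key), sigs))
    return sorted(found)


def quarantine(data: bytes):
    """Render harmless by compression: the stored blob is not the original
    executable byte stream, and the SHA-256 of the original lets an
    analyst confirm later what was quarantined."""
    return gzip.compress(data), hashlib.sha256(data).hexdigest()


def restore_from_quarantine(blob: bytes) -> bytes:
    """Inverse of quarantine, for an analyst who needs the original sample."""
    return gzip.decompress(blob)


if __name__ == "__main__":
    plain = build_infected_file(None)
    hidden = build_infected_file(0x5A)
    print("plain scan, plain file:    ", scan_signatures(plain))
    print("plain scan, encrypted file:", scan_signatures(hidden))
    print("emulated scan, encrypted:  ", emulate_and_scan(hidden))
```

The plain scan finds the marker in the unencrypted file and nothing in the XOR-ed one; the brute-force "emulation" recovers the match because a one-byte key gives only 255 candidate plaintexts. A real polymorphic engine varies the decryptor as well, which is why the slide calls metamorphic code harder still.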

10 04/12 cja 2012

Page 11

Anti-virus

•  Detection and removal tools
   - Microsoft Security Essentials: http://www.microsoft.com/security_essentials/
   - McAfee VirusScan: http://www.mcafee.com

11 04/12 cja 2012

Page 12

12

U-M Anti-virus

•  http://safecomputing.umich.edu/antivirus/
•  Free Microsoft Security Essentials for personally-owned Windows machines
•  Microsoft Forefront Endpoint Protection for university-owned Windows machines
   - 32- and 64-bit versions
•  Free Sophos Anti-Virus for Mac OS X machines
   - All versions of OS X up to and including 10.7 (Lion)
•  Good, concise security recommendations
   - http://www.safecomputing.umich.edu/tools/security_shorts.html
   - http://www.safecomputing.umich.edu/MDS/
   - http://www.safecomputing.umich.edu/students.php
•  More information
   - http://www.safecomputing.umich.edu/

04/12 cja 2012

Page 13

Spyware

•  Generic name for software that tracks users’ behavior
•  Wide range of activities
   - Keystroke loggers
   - Tracking cookies
   - File inspectors
   - Location awareness
   - Remote video & audio recording
•  Store-and-forward
   - As hard to detect remotely as botnets are

13 04/12 cja 2012

Page 14

Spyware

•  Detection and removal tools
   - Windows Defender (née Microsoft AntiSpyware): http://www.microsoft.com/athome/security/spyware/software/default.mspx
   - Lavasoft Ad-Aware: http://www.lavasoftusa.net/
   - Spybot Search & Destroy: http://www.safer-networking.org/

14 04/12 cja 2012

Page 15

Botnets

Page 16

Botnets

•  Malware installed on victim machines listens for transmitted instructions
   - Attack other machines
   - Transmit spam
   - Participate in DDoS attacks
   - Crack passwords
   - …
•  Installed via well-known vectors
•  Communicate with command and control host(s) via anonymous message services
   - Typically IRC
   - Typically encrypted
   - Typically silent, so hard to find
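The slide says bot-to-C&C traffic is usually encrypted and quiet, so payload inspection is of little help. What encryption does not hide is the connection metadata: a bot checks in with the same host at regular intervals. The following added example (not part of the course material) flags such regular check-ins in a connection log. The log format, all addresses, timestamps and the 6667 port mapping are constructed for the example; a real deployment would read NetFlow or firewall logs and tune the thresholds.

```python
"""Beacon detection over a constructed connection log.

Added example, not from the course slides. Finds (src, dst, port) flows
whose inter-connection intervals are too regular to be human-driven.
"""
import statistics
from collections import defaultdict

# Constructed log, one connection per line: "<epoch_seconds> <src_ip> <dst_ip> <dst_port>"
# 10.0.0.5 checks in with 203.0.113.9:6667 every 600 s; 10.0.0.7 browses irregularly.
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.9 6667
1003 10.0.0.7 198.51.100.20 443
1010 10.0.0.7 198.51.100.20 443
1600 10.0.0.5 203.0.113.9 6667
1650 10.0.0.7 198.51.100.20 443
2200 10.0.0.5 203.0.113.9 6667
2201 10.0.0.7 198.51.100.22 80
2800 10.0.0.5 203.0.113.9 6667
3400 10.0.0.5 203.0.113.9 6667
3500 10.0.0.7 198.51.100.20 443
"""

# IRC port mentioned on the slide; a hit here only annotates the finding.
IRC_PORTS = {6667}


def parse_log(text):
    """Parse the constructed log into (ts, src, dst, port) tuples,
    skipping blank or malformed lines rather than crashing on them."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            records.append((int(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return records


def find_beacons(records, min_connections=4, max_jitter=0.2):
    """Group connections by (src, dst, port) and flag groups whose
    inter-connection gaps are regular: coefficient of variation
    (population stdev / mean) at or below max_jitter."""
    by_flow = defaultdict(list)
    for ts, src, dst, port in records:
        by_flow[(src, dst, port)].append(ts)

    hits = []
    for (src, dst, port), times in by_flow.items():
        if len(times) < min_connections:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps, not a beacon
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_jitter:
            hits.append({"src": src, "dst": dst, "port": port,
                         "connections": len(times),
                         "period_s": mean,
                         "irc_port": port in IRC_PORTS})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

Only the 10.0.0.5 flow is reported: five connections 600 s apart, to an IRC port. The 10.0.0.7 traffic to the same web host four times is not, because its gaps (7 s, 640 s, 1850 s) vary far more than the jitter threshold. Bots that randomise their check-in interval push the coefficient of variation up, so in practice this heuristic is combined with destination reputation and long-lived-connection checks rather than used alone.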

16 04/12 cja 2012

Page 17

Botnets

•  Emerging as one of the major threats
   - Large increase in 4Q2006 spam traffic
     - 30-450% increase
   - Very large botnets
     - 1.5 × 10^6 bots in Dutch botnet (2005)
   - Very old botnets
     - 2 × 10^6 bots in CoreFlood (2011)
       - Operating for 8+ years

17 04/12 cja 2012

Page 18

18

Botnets

•  One of the major threats
   - Large increase in 4Q2006 spam traffic
     - 30-450% increase
   - Very large botnets
     - 1.5 × 10^6 bots in Dutch botnet (2005)
     - 5 × 10^6 bots in Conficker (2009)
       - Encrypted & authenticated
       - Some recent progress in detection
     - 2 × 10^6 bots in CoreFlood (2011)
       - Operating for 8+ years

04/12 cja 2012

Page 19

Microsoft Security Intelligence Report 1H2011

http://www.microsoft.com/security/sir/default.aspx

19 04/12 cja 2012

Page 20

Today’s Threats

Page 21

Today’s Threats

•  Targeted attacks continue to evolve
   - Hydraq, Stuxnet
•  Social networking
   - Target research -> effective social engineering attacks
•  0day vulnerabilities + rootkits
   - Get inside an organization & stay hidden
•  Boosted attack kits
   - Innovations from targeted attacks -> toolkits -> massive attacks
•  Mobile threats
   - Attacks moving to mobile devices

Source: Symantec Internet Security Threat Report, Vol. XVI, April 2011

21 04/12 cja 2012

Page 22

Today’s Threats

Source: Symantec Internet Security Threat Report, Vol. XVI, April 2011

22 04/12 cja 2012

Page 23

Today’s Threats

Source: Symantec Global Internet Security Threat Report, Vol. XVI, April 2011

23 04/12 cja 2012

Page 24

Today’s Threats

Source: Symantec Internet Security Threat Report, Vol. XVI, April 2011

24 04/12 cja 2012

Page 25

Today’s Threats

Figure: Spam from botnets as a percentage of total email

Source: Symantec Internet Security Threat Report, Vol. XVI, April 2011

25 04/12 cja 2012

Page 26

References

•  http://en.wikipedia.org/wiki/Timeline_of_notable_computer_viruses_and_worms
•  Symantec Internet Security Threat Report, Volume XVI, April 2011

26 04/12 cja 2012