Hands-On Network Security: Practical Tools & Methods
Security Training Course
Dr. Charles J. Antonelli The University of Michigan
2012
Hands-On Network Security
Module 5: Viruses & Worms, Botnets, Today’s Threats
Viruses & Worms
Viruses
• Program that copies itself to other programs
  - In the same directory
  - In a fixed directory
• Virus spreads by the copying of files
  - By users, typically
• When program invoked
  - Virus executes first
  - Copies itself to other programs
  - Optionally, performs some malicious action
  - Then executes host program
• Example: W97M.Marker
4 04/12 cja 2012
Worms
• Viruses that use the network to replicate
• No dependence on copying files
• Worm generates its own targets
  - Via self-stored data
  - Via host-stored data
  - Randomly
  - Combinations thereof
• Example: Blaster
Types of Viruses
• Boot sector
• Executable infector
• Multipartite
• TSR
• Stealth
• Encrypted
• Polymorphic
• Metamorphic
Macro Viruses
• Virus instructions are interpreted
  - Platform independent
• Infect common applications
  - Microsoft Excel, …
• Easily spread
• Easily defeated
  - Prohibit automatic execution of code
Virus distribution
• Sophos study (2002)
  - 26.1% macro viruses
  - 26.1% Trojan horses
  - 19.2% executable viruses
  - 6.8% script viruses
  - 21.8% other (Unix, boot sector, worms, file, Macintosh, multipartite)
Malicious code types, 2010 (figure)
Source: Symantec Global Internet Security Threat Report, Vol. XVI, April 2011
Antiviral approaches
• Detection
  - Scan for virus code “signatures”
  - More difficult for encrypting viruses
    » Polymorphic: decrypt using an emulator, or analyze the encrypted virus body statistically
    » Metamorphic: harder
• Identification
  - Vendor databases
• Removal
  - Quarantine
    » Render harmless by encryption or compression
    » Copy to quarantine area
  - Delete
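Added example (not from the slides): a toy file scanner that walks through the detection and quarantine steps above. A plain byte signature catches a known body only in the clear; a key-independent statistical check (comparing each window of the file against the signature, the "X-ray" approach) still finds the same body when it has been encrypted with a single-byte XOR key; matches are rendered harmless by compression. The body, the signature and all sample files are constructed for this illustration.

```python
import zlib
from typing import Optional

# Constructed "known bad" body; an 8-byte slice of it serves as the signature.
KNOWN_BODY = b"TOYBODY:copy-self;then-run-host-program"
SIGNATURE = KNOWN_BODY[:8]

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, standing in for a simple encrypting virus's cipher."""
    return bytes(b ^ key for b in data)

def signature_scan(data: bytes) -> bool:
    """Plain signature match: works only while the body is in the clear."""
    return SIGNATURE in data

def xray_scan(data: bytes) -> Optional[int]:
    """Key-independent match for a single-byte-XOR encrypted body.
    If some window of the file is SIGNATURE encrypted under key k, then
    window[j] ^ SIGNATURE[j] == k for every j. A constant difference reveals
    the infection and the key without running the decryptor in an emulator;
    key 0 means the body was found in the clear."""
    n = len(SIGNATURE)
    for i in range(len(data) - n + 1):
        diffs = {data[i + j] ^ SIGNATURE[j] for j in range(n)}
        if len(diffs) == 1:
            return diffs.pop()
    return None

def quarantine(data: bytes) -> bytes:
    """Render harmless by compression: the blob cannot run as-is, but an
    analyst can still recover the original bytes with restore()."""
    return b"QUARANTINE\x00" + zlib.compress(data, 9)

def restore(blob: bytes) -> bytes:
    return zlib.decompress(blob[len(b"QUARANTINE\x00"):])

def scan_file(data: bytes) -> dict:
    """Combine the checks and decide what to do with the file."""
    key = xray_scan(data)
    return {"plain_match": signature_scan(data), "key": key,
            "action": "quarantine" if key is not None else "leave"}

# Constructed samples: a clean file, an infected file, and the same infection
# with its body encrypted under key 0x5A (which defeats the plain signature).
CLEAN = b"hello world, nothing to see here"
INFECTED = b"host-program-bytes" + KNOWN_BODY
ENCRYPTED = b"host-program-bytes" + xor_bytes(KNOWN_BODY, 0x5A)
```

A metamorphic body, which rewrites its own instructions rather than just re-keying a cipher, has no fixed signature to X-ray for, which is why the slide calls that case harder.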
Anti-virus
• Detection and removal tools
  - Microsoft Security Essentials http://www.microsoft.com/security_essentials/
  - McAfee Virus Scan http://www.mcafee.com
U-M Anti-virus
• http://safecomputing.umich.edu/antivirus/
• Free Microsoft Security Essentials for personally-owned Windows machines
• Microsoft Forefront Endpoint Protection for university-owned Windows machines
  - 32- and 64-bit versions
• Free Sophos Anti-Virus for Mac OS X machines
  - All versions of OS X up to and including 10.7 (Lion)
• Good, concise security recommendations
  - http://www.safecomputing.umich.edu/tools/security_shorts.html
  - http://www.safecomputing.umich.edu/MDS/
  - http://www.safecomputing.umich.edu/students.php
• More information http://www.safecomputing.umich.edu/
Spyware
• Generic name for software that tracks users’ behavior
• Wide range of activities
  - Keystroke loggers
  - Tracking cookies
  - File inspectors
  - Location awareness
  - Remote video & audio recording
• Store-and-forward
  - As hard to detect remotely as botnets are
Spyware
• Detection and removal tools
  - Windows Defender (née Microsoft AntiSpyware) http://www.microsoft.com/athome/security/spyware/software/default.mspx
  - Lavasoft Ad-Aware http://www.lavasoftusa.net/
  - Spybot Search&Destroy http://www.safer-networking.org/
Botnets
Botnets
• Malware installed on victim machines listens for transmitted instructions
  - Attack other machines
  - Transmit spam
  - Participate in DDoS attacks
  - Crack passwords
  - …
• Installed via well-known vectors
• Communicate with command and control host(s) via anonymous message services
  - Typically IRC
  - Typically encrypted
  - Typically silent, so hard to find
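Added example (not from the slides): a small detector for the command-and-control pattern the slide describes, in which infected hosts quietly check in with a controller, typically over IRC. It reads connection records and flags a server that several internal hosts contact at regular intervals; restricting to the IRC ports is optional, since the timing check still works when the channel is encrypted or moved elsewhere. The record format, field names and all addresses and timestamps are constructed for this illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

IRC_PORTS = {6667, 6697}   # assumption: default plaintext and TLS IRC ports

# Constructed connection records, one per line: "timestamp src dst dport".
# Two internal hosts check in with one server every ~300 s; a third host
# talks to an unrelated web server at irregular times.
FLOWS = """\
0    10.0.0.11 203.0.113.5  6667
0    10.0.0.12 203.0.113.5  6667
300  10.0.0.11 203.0.113.5  6667
300  10.0.0.12 203.0.113.5  6667
600  10.0.0.11 203.0.113.5  6667
601  10.0.0.12 203.0.113.5  6667
10   10.0.0.20 198.51.100.7 443
47   10.0.0.20 198.51.100.7 443
400  10.0.0.20 198.51.100.7 443
1200 10.0.0.20 198.51.100.7 443
"""

def parse_flows(text):
    """Parse the record format above into (ts, src, dst, dport) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            rows.append((int(ts), src, dst, int(dport)))
    return rows

def is_periodic(times, min_checkins=3, max_jitter=0.1):
    """True if >= min_checkins connections occur at near-constant intervals
    (standard deviation of the gaps within max_jitter of the mean gap)."""
    if len(times) < min_checkins:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    return mean(gaps) > 0 and pstdev(gaps) <= max_jitter * mean(gaps)

def find_cnc_candidates(rows, ports=IRC_PORTS, min_bots=2):
    """Return {server: [hosts]} for servers that at least min_bots internal
    hosts beacon to periodically; ports=None ignores the destination port."""
    checkins = defaultdict(list)
    for ts, src, dst, dport in rows:
        if ports is None or dport in ports:
            checkins[(dst, src)].append(ts)
    bots = defaultdict(list)
    for (dst, src), times in checkins.items():
        if is_periodic(sorted(times)):
            bots[dst].append(src)
    return {dst: sorted(h) for dst, h in bots.items() if len(h) >= min_bots}
```

Regular beaconing is the one thing a "silent" bot cannot easily hide from flow records; legitimate software that polls on a fixed schedule will also trip this check, so the output is a candidate list for an analyst, not a verdict.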
Botnets
• Emerging as one of the major threats
  - Large increase in 4Q2006 spam traffic
    » 30-450% increase
  - Very large botnets
    » 1.5 x 10^6 bots in Dutch botnet (2005)
    » 5 x 10^6 bots in Conficker (2009): encrypted & authenticated; some recent progress in detection
  - Very old botnets
    » 2 x 10^6 bots in CoreFlood (2011), operating for 8+ years
Microsoft Security Intelligence Report 1H2011 (figure)
Source: http://www.microsoft.com/security/sir/default.aspx
Today’s Threats
Today’s Threats
• Targeted attacks continue to evolve
  - Hydraq, Stuxnet
• Social networking
  - Target research -> effective social engineering attacks
• 0day vulnerabilities + rootkits
  - Get inside an organization & stay hidden
• Boosted attack kits
  - Innovations from targeted attacks -> toolkits -> massive attacks
• Mobile threats
  - Attacks moving to mobile devices
Source: Symantec Internet Security Threat Report, Vol. XVI, April 2011
Today’s Threats (figures)
Source: Symantec Internet Security Threat Report, Vol. XVI, April 2011
Spam from botnets as a percentage of total email (figure)
References
• http://en.wikipedia.org/wiki/Timeline_of_notable_computer_viruses_and_worms
• Symantec Internet Security Threat Report, Volume XVI, April 2011