Malicious software

rajakhurram 13,562 views 67 slides Dec 11, 2012
Slide Content

MALICIOUS SOFTWARE
Raja M. Khurram Shahzad

Overview
• Introduction
• Virus
• Worm
• Other Malicious Software
  – Backdoor/Trapdoor
  – Logic Bomb
  – Trojan Horse
• DDoS Attack
  – DDoS Description
  – Construction of Attack

Program Definition
A computer program tells a computer what to do and how to do it.
• Computer viruses, network worms, and Trojan horses are computer programs.

Malicious software?
• Malicious Software (Malware) is software that is included or inserted in a system for harmful purposes.
OR
• Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do.

The Malware Zoo
• Virus
• Worms
• Logic Bomb
• Trojan horse
• Zombie
• Scareware
• Adware
• Backdoor / Trapdoors

Taxonomy of Malicious Programs
Malicious Programs
• Need Host Program: Trapdoors, Logic Bombs, Trojan Horses, Viruses
• Independent: Zombies, Worms
Most current malicious code mixes all capabilities.

What is it good for?
• Steal personal information
• Delete files
• Click fraud
• Steal software serial numbers

What to Infect
• Executable
• Interpreted file
• Kernel
• Service
• Master Boot Record

Virus
• Self-replicating code that attaches itself to another program and executes secretly when the host program is executed.
• No hidden action
  – Generally tries to remain undetected, but what about activities such as deleted files?

Parts of a Virus
• Three parts:
  – Infection Mechanism: The means by which a virus spreads, enabling it to replicate; also referred to as the Infection Vector.
  – Trigger: The event or condition that determines when the payload is activated or delivered.
  – Payload: The payload may involve damage or may involve benign but NOTICEABLE activity.

Phases – Life Cycle
• Dormant phase – the virus is idle
• Propagation phase – the virus places an identical copy of itself into other programs
• Triggering phase – the virus is activated to perform the function for which it was intended
• Execution phase – the function is performed

Virus Structure

Operation routine
• Operates when infected code is executed (execution sequence):
  – Jump to main virus program
  – If spread (infection) condition then { for target files: if not infected, then alter file to include virus }
  – Perform malicious action
  – Transfer control back
  – Execute normal program
• If the infection phase is rapid, the user will not notice any difference between the execution of an infected program and an uninfected program.

Types of Viruses
• On the basis of target:
  – Boot Sector Infector: Infects the master boot record / boot record (boot sector) of a disk and spreads when a system is booted with an infected disk (original DOS viruses). They are memory-resident viruses.
  – File Infector: Infects executable files; also called a Parasitic Virus, as they attach themselves to executable files as part of their code. Runs whenever the host program is executed.
  – Macro Virus: Infects files with macro code that is interpreted by the relevant application, such as doc or excel files.

Types of Viruses
• On the basis of concealment strategy:
  – Encrypted Virus: A portion of the virus creates a random encryption key and encrypts the remainder of the virus. The key is stored with the virus. When the virus replicates, a different random key is generated.
  – Stealth Virus: explicitly designed to hide from virus scanning programs.
  – Polymorphic Virus: mutates with every new host to prevent signature detection; signature detection is useless.
  – Metamorphic Virus: Rewrites itself completely with every new host; may change its behavior and appearance.

Recent addition: Email Virus
• Moves around in e-mail messages, triggered when the user opens the attachment
• Does local damage on the user's system
• Propagates very quickly
• Replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book

Examples of risky file types
• The following file types should never be opened if…
  – .EXE
  – .PIF
  – .BAT
  – .VBS
  – .COM

Virus Propagation
• Virus written in some language, e.g. C, C++, Assembly, etc.
• Inserted into another program
  – using a tool called a "dropper"
• Virus dormant until the program is executed
  – then infects other programs
  – eventually executes its "payload"

Virus Propagation
• An executable program
• With a virus at the front (file size is increased)
• With the virus at the end (file size is increased)
• With a virus spread over free space within the program

Virus Propagation
(a) A program
(b) Infected program
(c) Compressed infected program
(d) Encrypted virus
(e) Compressed virus with encrypted compression code

Anti-virus
• It is not possible to build a perfect virus/malware detector.
• Analyze system behavior
• Analyze the binary to decide if it is a virus
• Types:
  – Scanner
  – Real-time monitor

Anti-virus
• Scanners
  – First Generation: relied on signatures.
  – Second Generation: relied on heuristic rules or integrity checking (e.g. a checksum appended to a program).
• Real-time Monitors
  – Third Generation: memory resident and identify a virus by its actions (behaviour).
  – Fourth Generation: combination of different capabilities.
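The second-generation integrity-checking idea, as an added example that is not code from the slides: fingerprints of each program are recorded while the programs are known to be clean and re-checked later, so a file infector that puts its code at the front or end of a host (the layouts from the propagation slides) shows up as a changed size and digest. The "programs" are constructed byte strings, and the additive checksum is a stand-in for a weak check, included to show why a cryptographic hash rather than a simple checksum should be the thing appended to the program.

```python
import hashlib
from typing import Dict


def fingerprint(data: bytes) -> Dict[str, object]:
    """Size plus SHA-256 digest of one program image."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def build_baseline(files: Dict[str, bytes]) -> Dict[str, Dict[str, object]]:
    """Record fingerprints while the programs are known to be clean."""
    return {name: fingerprint(data) for name, data in files.items()}


def check_integrity(baseline: Dict[str, Dict[str, object]],
                    files: Dict[str, bytes]) -> Dict[str, str]:
    """Verdict per file: 'ok', 'modified', 'new' or 'missing'."""
    verdicts = {}
    for name, expected in baseline.items():
        if name not in files:
            verdicts[name] = "missing"
        elif fingerprint(files[name]) == expected:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "modified"
    for name in files:
        if name not in baseline:
            verdicts[name] = "new"  # never baselined: needs a look
    return verdicts


def weak_checksum(data: bytes) -> int:
    """Additive byte checksum mod 256: a stand-in for a weak integrity check."""
    return sum(data) % 256


# Constructed sample "programs": byte strings standing in for executables.
CLEAN = {
    "calc.exe": b"MZ\x90\x00 clean calculator code",
    "notepad.exe": b"MZ\x90\x00 clean editor code",
}


def demo_scan() -> Dict[str, str]:
    """Baseline the clean set, then re-check a later, altered snapshot."""
    baseline = build_baseline(CLEAN)
    later = dict(CLEAN)
    # Extra bytes in front of an unchanged host: the virus-at-the-front layout
    # from the slides, which grows the file and changes its digest.
    later["calc.exe"] = b"<<extra bytes>>" + CLEAN["calc.exe"]
    later["dropper.exe"] = b"MZ\x90\x00 program not in the baseline"
    del later["notepad.exe"]
    return check_integrity(baseline, later)


def checksum_versus_hash() -> Dict[str, bool]:
    """A one-byte pad restores an additive checksum; SHA-256 still differs."""
    original = CLEAN["calc.exe"]
    altered = b"X" + original
    pad = (weak_checksum(original) - weak_checksum(altered)) % 256
    padded = altered + bytes([pad])
    return {
        "weak_checksum_unchanged": weak_checksum(padded) == weak_checksum(original),
        "sha256_unchanged": fingerprint(padded)["sha256"] == fingerprint(original)["sha256"],
    }


if __name__ == "__main__":
    print(demo_scan())
    print(checksum_versus_hash())
```

The baseline itself has to be protected (stored read-only or signed), otherwise a file infector that can rewrite the program can rewrite the recorded digest too; that is the limitation the slides' third and fourth generations address with behaviour monitoring.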

Worm
A computer worm is a self-replicating computer virus. It uses a network to send copies of itself to other nodes and does so without any user intervention.

Comparison of Worm Features
1) Computer Virus:
   • Needs a host file
   • Copies itself
   • Executable
2) Network Worm:
   • No host (self-contained)
   • Copies itself
   • Executable
3) Trojan Horse:
   • No host (self-contained)
   • Does not copy itself
   • Imposter program

Worm: History
• Runs independently
  – Does not require a host program
• Propagates a fully working version of itself to other machines
• History
  – The Morris worm was one of the first worms distributed over the Internet
• Two examples
  – Morris – 1998
  – Slammer – 2003

Worm Operation
• A worm has phases similar to a virus:
  – Dormant (inactive; rest)
  – Propagation
    • Search for other systems to infect
    • Establish a connection to the target remote system
    • Replicate self onto the remote system
  – Triggering
  – Execution

Morris Worm
• Best known classic worm
• Released by Robert Morris in 1988
• Targeted Unix systems
• Used several propagation techniques
• If any attack succeeded, then replicated itself

Slammer (Sapphire) Worm
• When
  – Jan 25 2003
• How
  – Exploited a buffer overflow in MS SQL
  – Random scanning: randomly selects IP addresses
• Cost
  – Caused ~$2.6 Billion in damage

Slammer Scale
The diameter of each circle is a function of the number of infected machines, so large circles visually under-represent the number of infected cases in order to minimize overlap with adjacent locations.

The worm itself …
• System load
  – Infection generates a number of processes
  – Password cracking uses lots of resources
  – Thousands of systems were shut down
• Tries to infect as many other hosts as possible
  – When the worm successfully connects, it leaves a child to continue the infection while the parent keeps trying new hosts
  – Finds targets using several mechanisms: 'netstat -r -n', /etc/hosts, …
• The worm DOES NOT:
  – Delete system files, modify existing files, install Trojan horses, record or transmit decrypted passwords, capture super-user privileges

Backdoor or Trapdoor
• Secret entry point into a program
• Allows those who know of it to gain access, bypassing the usual security procedures
• Remains hidden to casual inspection
• Can be a new program to be installed
• Can modify an existing program
• Trap doors can provide access to a system for unauthorized procedures
• Very hard to block in the O/S

Trap Door Example
(a) Normal code.
(b) Code with a trapdoor inserted.

Logic Bomb
• One of the oldest types of malicious software
• Piece of code that executes itself when pre-defined conditions are met
• Logic bombs that execute on certain days are known as Time Bombs
• Activated when specified conditions are met
  – e.g., presence/absence of some file
  – particular date/time
  – particular user
• When triggered, typically damages the system
  – modify/delete files/disks, halt machine, etc.

Tracing Logic Bombs
• Searching – Even the most experienced programmers have trouble erasing all traces of their code
• Knowledge – Important to understand the underlying system functions, the hardware, the hardware/software/firmware/operating system interface, and the communications functions inside and outside the computer
• Example of benign logical fun
  – http://googletricks.com/top-25-fun-google-tricks/
  – Type "zerg rush" in Google

Trojan Horse

Trojan Horse
• A Trojan horse is a malicious program that is designed to look like authentic, real and genuine software.
• Like the gift horse left outside the gates of Troy by the Greeks, Trojan Horses appear to be useful or interesting to an unsuspecting user, but are actually harmful.

Trojan Percentage

What can Trojans do?
• Erase or overwrite data on a computer
• Spread other viruses or install a backdoor. In this case the Trojan horse is called a 'dropper'.
• Set up networks of zombie computers in order to launch DDoS attacks or send spam.
• Log keystrokes to steal information such as passwords and credit card numbers (known as a key logger)
• Phish for bank or other account details, which can be used for criminal activities.
• Or simply destroy data
• Mail the password file.

How can you be infected?
• Websites: You can be infected by visiting a rogue website. Internet Explorer is most often targeted by makers of Trojans and other pests. Even using a secure web browser, such as Mozilla's Firefox, if Java is enabled, your computer has the potential of receiving a Trojan horse.
• Instant message: Many get infected through files sent through various messengers. This is due to an extreme lack of security in some instant messengers, such as AOL's instant messenger.
• E-mail: Attachments on e-mail messages may contain Trojans. Trojan horses via SMTP.

Sample Delivery
• The attacker will attach the Trojan to an e-mail with an enticing header.
• The Trojan horse is typically a Windows executable program file, and must have an executable file extension such as .exe, .com, .scr, .bat, or .pif. Since Windows is configured by default to hide extensions from a user, the Trojan horse's extension might be "masked" by giving it a name such as 'Readme.txt.exe'. With file extensions hidden, the user would only see 'Readme.txt' and could mistake it for a harmless text file.
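The masked-extension trick described above, turned into the check a mail gateway or desktop agent would run, as an added example that is not code from the slides. The executable extensions are the ones the deck names; the set of document-looking extensions, the sample attachment names and the simplified model of what Explorer displays (always hiding the final extension) are assumptions made here.

```python
from typing import List

# Executable extensions named on the slides (.vbs from the risky-file-types slide).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".pif", ".vbs"}
# Assumed set of extensions a user would read as harmless documents or media.
DOCUMENT_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".png", ".xls"}

# Constructed sample attachment names.
SAMPLE_ATTACHMENTS = ["Readme.txt.exe", "invoice.pdf", "photo.jpg.scr", "setup.exe", "notes"]


def extension_chain(name: str) -> List[str]:
    """All dot-suffixes, lower-cased: 'Readme.txt.exe' -> ['.txt', '.exe']."""
    pieces = name.strip().lower().split(".")
    return ["." + p for p in pieces[1:]] if len(pieces) > 1 else []


def displayed_name(name: str) -> str:
    """What a user sees with 'hide extensions for known file types' on.
    Simplified model (an assumption here): the final extension is dropped."""
    head, dot, _ = name.rpartition(".")
    return head if dot else name


def classify_attachment(name: str) -> str:
    """The OS decides by the LAST extension; the user reads the inner one."""
    chain = extension_chain(name)
    if not chain:
        return "no-extension"
    real_type = chain[-1]
    if real_type not in EXECUTABLE_EXTS:
        return "data"
    if len(chain) > 1 and chain[-2] in DOCUMENT_EXTS:
        return "masked-executable"  # displayed as e.g. 'Readme.txt'
    return "executable"


def flag_attachments(names: List[str]) -> List[str]:
    """Names to hold or rename: anything that actually executes when opened."""
    return [n for n in names
            if classify_attachment(n) in ("executable", "masked-executable")]


if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        print(f"{n!r:20} shown as {displayed_name(n)!r:15} -> {classify_attachment(n)}")
    print("held:", flag_attachments(SAMPLE_ATTACHMENTS))
```

The classification deliberately keys on the last extension only, because that is what the loader honours; showing the user `displayed_name` beside the verdict makes the mismatch visible in a quarantine report.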

Where They Live? (1)
• Autostart Folder
  The Autostart folder is located in C:\Windows\Start Menu\Programs\startup and, as its name suggests, automatically starts everything placed there.
• Win.ini
  Windows system file using load=Trojan.exe and run=Trojan.exe to execute the Trojan
• System.ini
  Using Shell=Explorer.exe trojan.exe results in execution of every file after Explorer.exe
• Wininit.ini
  Setup programs use it mostly; once run, it is auto-deleted, which is very handy for Trojans to restart

Where They Live? (2)
• Winstart.bat
  Acting as a normal bat file … to hide its execution from the user
• Autoexec.bat
  It's a DOS auto-starting file and it's used as an auto-starting method like this -> c:\Trojan.exe
• Config.sys
  Could also be used as an auto-starting method for Trojans
• Explorer Startup
  Is an auto-starting method for Windows 95, 98, ME, XP, and if c:\explorer.exe exists, it will be started instead of the usual c:\Windows\Explorer.exe, which is the common path to the file.

What does the attacker want?
• Credit card information (often used for domain registration, shopping with your credit card)
• Any accounting data (e-mail passwords, login passwords, web services passwords, etc.)
• Email addresses (might be used for spamming, as explained above)
• Work projects (steal your presentations and work-related papers)
• School work (steal your papers and publish them with his/her name on it)

Stopping the Trojan …
The Horse must be "invited in" ….
How does it get in? By:
• Downloading a file
• Installing a program
• Opening an attachment
• Opening bogus Web pages
• Copying a file from someone else

Zombie
• A program which secretly takes over another networked computer and forces it to run under a common command and control infrastructure.
• Uses it to indirectly launch attacks, e.g., DDoS, phishing, spamming, cracking
• Difficult to trace the zombie's creator
• Infected computers (mostly Windows machines) are now the major delivery method of spam.
• Zombies have been used extensively to send e-mail spam; between 50% and 80% of all spam worldwide is now sent by zombie computers.

Adware

Scareware / Rogue / Fake antivirus

Where malware lives: Auto start
• Auto-start folder
• Win.ini: run=[backdoor] or load=[backdoor]
• System.ini: shell="myexplorer.exe"
• Autoexec.bat
• Config.sys
• Init.d

Auto start
• Assign a known extension (.doc) to the malware
• Add a Registry key such as HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• Add a task in the task scheduler
• Run as a service
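The auto-start locations listed on the last few slides (win.ini load=/run=, the system.ini shell= line, and the Run registry key) are what an incident responder audits first; the following is an added example of that audit, not code from the slides. It parses constructed win.ini and system.ini contents and a constructed name-to-command dictionary standing in for the values read from the Run key. The "user-writable folder" heuristic for Run values is an assumption made here, not a rule from the deck.

```python
import configparser
from typing import Dict, List

# Constructed sample contents of the two legacy .ini files named on the slides.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\Windows\\System32\\trojan.exe
"""
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe myexplorer.exe
"""
# Constructed sample of name -> command pairs as they would be read from the Run key.
SAMPLE_RUN_VALUES = {
    "OneDrive": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background",
    "Updater": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe",
}
# Assumed heuristic: path fragments that point into user-writable locations,
# where a signed installer would not normally put an auto-started program.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")


def _parse(text: str) -> configparser.ConfigParser:
    """Legacy .ini files have no ${} interpolation, so disable it."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def find_ini_autostart(win_ini: str, system_ini: str) -> List[Dict[str, str]]:
    """Report non-empty load=/run= lines and anything appended to shell=."""
    findings = []
    win = _parse(win_ini)
    for key in ("load", "run"):
        value = win.get("windows", key, fallback="").strip()
        if value:
            findings.append({"file": "win.ini", "key": key, "value": value})
    shell = _parse(system_ini).get("boot", "shell", fallback="").strip()
    # The legitimate value is the single token Explorer.exe; every extra
    # token is launched alongside the shell, which is the trick on the slide.
    extra = [t for t in shell.split() if t.lower() != "explorer.exe"]
    if extra:
        findings.append({"file": "system.ini", "key": "shell", "value": " ".join(extra)})
    return findings


def suspicious_run_values(run_values: Dict[str, str]) -> List[str]:
    """Names of Run-key entries whose command lives in a user-writable folder."""
    return [name for name, cmd in run_values.items()
            if any(hint in cmd.lower() for hint in USER_WRITABLE_HINTS)]


if __name__ == "__main__":
    for f in find_ini_autostart(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        print(f"{f['file']}: {f['key']}={f['value']}")
    print("Run entries to review:", suspicious_run_values(SAMPLE_RUN_VALUES))
```

On a live Windows host the Run values would come from `winreg` and the .ini files from the Windows directory; keeping the parsing separate from the collection, as above, lets the same checks run against files copied off a suspect machine.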

Web
• 1.3% of the incoming search queries to Google returned at least one malware site
• Visit sites with an army of browsers in VMs, check for changes to the local system
• Indicate potentially harmful sites in search results

Web: Fake page

Shared folder

Email

Email again

P2P Files
• 35.5% malware

Typical Symptoms
• File deletion
• File corruption
• Visual effects
• Pop-ups
• Computer crashes
• Slow connection
• Spam relaying

Distributed Denial of Service
• A denial-of-service attack is an attack that causes a loss of service to users, typically the loss of network connectivity.
• CPU, memory, network connectivity, network bandwidth, battery energy
• Hard to address, especially in distributed form

DDoS Mechanism
• Goal: make a service unusable.
• How: overload a server, router, or network link by flooding it with useless traffic
• Focus: bandwidth attacks, using large numbers of "zombies"

How does it work?
• The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system's legitimate users.
• Victim's IP address
• Victim's port number
• Attacking packet size
• Attacking inter-packet delay
• Duration of attack

Example 1
• Ping-of-death
  – An IP packet with a size larger than 65,536 bytes is illegal by the standard
  – Many operating systems did not know what to do when they received an oversized packet, so they froze, crashed or rebooted.
  – Routers forward each packet independently.
  – Routers don't know about connections.
  – Complexity is in the end hosts; routers are simple.

Example 1

Example 2
• TCP handshake
• SYN Flood
  – A stream of TCP SYN packets directed to a listening TCP port at the victim
  – The victim host must allocate new data structures for each SYN request
  – Legitimate connections are denied while the victim machine is waiting to complete bogus "half-open" connections
  – Not a bandwidth consumption attack
• IP Spoofing
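The half-open connections the slide describes are visible on the victim as sockets stuck in SYN_RECV, so the attack can be detected from a connection-table snapshot; the following is an added example of that detection, not code from the slides. The snapshot is a constructed netstat-style listing, the field layout is an assumption made here, and the threshold is arbitrary.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed snapshot: eight half-open connections to port 80 from eight
# different (spoofed-looking) sources, plus ordinary traffic on 22 and 80.
SAMPLE_SNAPSHOT = "\n".join(
    [f"tcp 0 0 10.0.0.5:80 203.0.113.{i}:{40000 + i} SYN_RECV" for i in range(1, 9)]
    + [
        "tcp 0 0 10.0.0.5:80 192.0.2.6:51002 ESTABLISHED",
        "tcp 0 0 10.0.0.5:22 192.0.2.4:51000 ESTABLISHED",
        "tcp 0 0 10.0.0.5:22 192.0.2.5:51001 SYN_RECV",
    ]
)

Conn = Tuple[int, str, str]  # (local port, remote address, TCP state)


def parse_snapshot(text: str) -> List[Conn]:
    """Assumed layout: proto recv-q send-q local remote state."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp":
            continue
        local, remote, state = fields[3], fields[4], fields[5]
        port = int(local.rsplit(":", 1)[1])
        conns.append((port, remote.rsplit(":", 1)[0], state))
    return conns


def detect_syn_flood(conns: List[Conn], threshold: int = 5) -> List[Dict[str, int]]:
    """Alert per listening port whose half-open count reaches the threshold.
    distinct_sources close to half_open is the signature of spoofed SYNs:
    one SYN per forged address, never completed."""
    half_open: Counter = Counter()
    established: Counter = Counter()
    sources = defaultdict(set)
    for port, remote, state in conns:
        if state == "SYN_RECV":
            half_open[port] += 1
            sources[port].add(remote)
        elif state == "ESTABLISHED":
            established[port] += 1
    alerts = []
    for port, count in sorted(half_open.items()):
        if count >= threshold:
            alerts.append({"port": port, "half_open": count,
                           "distinct_sources": len(sources[port]),
                           "established": established[port]})
    return alerts


if __name__ == "__main__":
    for alert in detect_syn_flood(parse_snapshot(SAMPLE_SNAPSHOT)):
        print(alert)
```

Because each half-open entry comes from a different forged source, blocking individual addresses achieves little; the mitigation that matches the slide's description is to stop allocating state per SYN (SYN cookies) and to size and age the backlog so that bogus entries expire quickly.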

Example 2

From DoS to DDoS

Distributed DoS Attack

DDoS Countermeasures
• Three broad lines of defense:
  1. attack prevention & preemption (before)
  2. attack detection & filtering (during)
  3. attack source traceback & identification (after)