
Malicious Software, Viruses - Network Security and Cryptography - Lecture Slides, Slides of Cryptography and System Security

Malicious Software, Viruses, Malicious Content, Backdoor, Trapdoor, Logic Bomb, Trojan Horse, Viruses, Virus Operation, Types of Viruses, Worm Operation, Worm Technology are the basic and key points you can learn in this lecture of Cryptography and Network Security.

Typology: Slides

2011/2012

Uploaded on 11/05/2012

patel
Cryptography and Network Security
Chapter 19 – Malicious Software

What is the concept of defense: The parrying of a blow. What is its characteristic feature: Awaiting the blow.
—On War, Carl von Clausewitz

Backdoor or Trapdoor
- secret entry point into a program
- allows those who know of it to gain access, bypassing usual security procedures
- have been commonly used by developers
- a threat when left in production programs, allowing exploitation by attackers
- very hard to block in O/S
- requires good s/w development & update

Logic Bomb
- one of oldest types of malicious software
- code embedded in legitimate program
- activated when specified conditions met
  - eg presence/absence of some file
  - particular date/time
  - particular user
- when triggered typically damages system
  - modify/delete files/disks, halt machine, etc

Trojan Horse
- program with hidden side-effects
- which is usually superficially attractive
  - eg game, s/w upgrade etc
- when run performs some additional tasks
  - allows attacker to indirectly gain access they do not have directly
- often used to propagate a virus/worm or install a backdoor
- or simply to destroy data

Virus Operation
- virus phases:
  - dormant – waiting on trigger event
  - propagation – replicating to programs/disks
  - triggering – by event to execute payload
  - execution – of payload
- details usually machine/OS specific
  - exploiting features/weaknesses

Virus Structure (pseudocode)

    program V :=
      {goto main;
       1234567;

       subroutine infect-executable :=
         {loop:
          file := get-random-executable-file;
          if (first-line-of-file = 1234567)
            then goto loop
            else prepend V to file;
         }

       subroutine do-damage :=
         {whatever damage is to be done}

       subroutine trigger-pulled :=
         {return true if condition holds}

       main: main-program :=
         {infect-executable;
          if trigger-pulled then do-damage;
          goto next;}
       next:
      }

Types of Viruses
- can classify on basis of how they attack
- parasitic virus
- memory-resident virus
- boot sector virus
- stealth virus
- polymorphic virus
- metamorphic virus

Worms
- replicating but not infecting program
- typically spreads over a network
  - cf Morris Internet Worm in 1988
  - led to creation of CERTs
- using users' distributed privileges or by exploiting system vulnerabilities
- widely used by hackers to create zombie PCs, subsequently used for further attacks, esp DoS
- major issue is lack of security of permanently connected systems, esp PCs

Worm Operation
- worm phases like those of viruses:
  - dormant
  - propagation
    - search for other systems to infect
    - establish connection to target remote system
    - replicate self onto remote system
  - triggering
  - execution

Morris Worm
- best known classic worm
- released by Robert Morris in 1988
- targeted Unix systems
- using several propagation techniques
  - simple password cracking of local pw file
  - exploit bug in finger daemon
  - exploit debug trapdoor in sendmail daemon
- if any attack succeeded then replicated self

Virus Countermeasures
- best countermeasure is prevention
- but in general not possible
- hence need to do one or more of:
  - detection - of viruses in infected system
  - identification - of specific infecting virus
  - removal - restoring system to clean state

Anti-Virus Software
- first-generation
  - scanner uses virus signature to identify virus
  - or change in length of programs
- second-generation
  - uses heuristic rules to spot viral infection
  - or uses crypto hash of program to spot changes
- third-generation
  - memory-resident programs identify virus by actions
- fourth-generation
  - packages with a variety of antivirus techniques
  - eg scanning & activity traps, access-controls
- arms race continues

Advanced Anti-Virus Techniques
- generic decryption
  - use CPU simulator to check program signature & behavior before actually running it
- digital immune system (IBM)
  - general purpose emulation & virus detection
  - any virus entering org is captured, analyzed, detection/shielding created for it, removed

Distributed Denial of Service Attacks (DDoS)
- Distributed Denial of Service (DDoS) attacks form a significant security threat
- making networked systems unavailable
  - by flooding with useless traffic
  - using large numbers of "zombies"
- growing sophistication of attacks
- defense technologies struggling to cope

Distributed Denial of Service (DDoS)
[Figure: distributed ICMP attack]

Constructing the DDoS Attack Network
- must infect large number of zombies
- needs:
  1. software to implement the DDoS attack
  2. an unpatched vulnerability on many systems
  3. scanning strategy to find vulnerable systems
     - random, hit-list, topological, local subnet
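The first- and second-generation checks from the Anti-Virus Software slide, as an added example that is not part of the original slides: a signature scan for the 1234567 marker that the Virus Structure pseudocode leaves on the first line of an infected program, and a length-plus-SHA-256 baseline that also catches a same-size modification the length check alone would miss. The file names and contents are constructed in-memory samples, not a real filesystem.

```python
"""Added example (not from the slides): the first- and second-generation
checks from the Anti-Virus Software slide, run over constructed
in-memory "files". The signature is the 1234567 marker the Virus
Structure pseudocode leaves on the first line of an infected program."""
import hashlib

VIRUS_SIGNATURE = b"1234567"

# Constructed clean system: file name -> contents.
CLEAN_FILES = {
    "ls": b"#!/bin/sh\necho listing\n",
    "cat": b"#!/bin/sh\necho contents\n",
    "report": b"quarterly numbers\n",
}

# Constructed infected system: "cat" has the virus prepended (marker on
# line 1, so the virus skips it next time), and "ls" has been altered
# without changing its size, which a length check alone would miss.
INFECTED_FILES = dict(CLEAN_FILES)
INFECTED_FILES["cat"] = VIRUS_SIGNATURE + b"\n<virus body>\n" + CLEAN_FILES["cat"]
INFECTED_FILES["ls"] = CLEAN_FILES["ls"].replace(b"listing", b"l1sting")


def signature_scan(files):
    """First generation: names of files whose first line is the signature."""
    return sorted(n for n, d in files.items()
                  if d.split(b"\n", 1)[0] == VIRUS_SIGNATURE)


def baseline(files):
    """Record (length, SHA-256) of every file while the system is known clean."""
    return {n: (len(d), hashlib.sha256(d).hexdigest()) for n, d in files.items()}


def changed_files(base, files):
    """Second generation: name -> 'missing', 'length' or 'hash' for every file
    that no longer matches the baseline; unchanged files are not reported."""
    findings = {}
    for name, (length, digest) in base.items():
        data = files.get(name)
        if data is None:
            findings[name] = "missing"
        elif len(data) != length:
            findings[name] = "length"   # the cheap first-generation cue
        elif hashlib.sha256(data).hexdigest() != digest:
            findings[name] = "hash"     # same size, different bytes
    return findings
```

Calling `signature_scan(INFECTED_FILES)` reports only `cat`, while `changed_files(baseline(CLEAN_FILES), INFECTED_FILES)` reports both `cat` (length) and the size-preserving change to `ls` (hash).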