Lec 2b - Chapter 3.pdf
MALWARE LECTURE SET 02B FROM CHAPTER 03 (SECTIONS 3.2 AND 3.3 ONLY)
CRs NO: 1502170 INTRODUCTION TO CYBER SECURITY M5 – 220
[email protected]
Dr. Saddaf Rubab

Security failures can result from intentional or nonmalicious causes; both can cause harm.

FROM SECURITY IN COMPUTING, FIFTH EDITION, BY CHARLES P. PFLEEGER, ET AL. (ISBN: 9780134085043). COPYRIGHT 2015 BY PEARSON EDUCATION, INC. ALL RIGHTS RESERVED.

MALWARE AND ITS TYPES
Malware (MALicious softWARE): programs planted by an agent with malicious intent to cause unanticipated or undesired effects. Following are some main types:
▪ Virus: a program that can replicate itself and pass on malicious code to other nonmalicious programs by modifying them (transient vs. resident virus).
▪ Worm: a stand-alone program that spreads copies of itself through a network; it acts like a crawler.
▪ Trojan horse: code that, in addition to its stated effect, has a second, nonobvious, malicious effect.

EXAMPLES OF MALWARE
▪ Malicious code that is designed to look legitimate.
▪ Often found attached to online games.
▪ Non-replicating type of malware.
▪ Exploits the privileges of the user that runs the malware.
▪ Can cause immediate damage, provide remote access to the system, or access through a back door.

OTHER MALWARE
▪ Spyware: used to gather information about a user and send the information to another entity without the user's consent. Can be a system monitor, Trojan horse, adware, tracking cookies, or key loggers.
▪ Adware: typically displays annoying pop-ups to generate revenue for its author. May analyze user interests by tracking the websites visited and send pop-up advertising pertinent to those sites.
▪ Scareware: includes scam software which uses social engineering to shock or induce anxiety by creating the perception of a threat. Generally directed at an unsuspecting user and attempts to persuade the user to infect a computer by taking action to address the bogus threat.
▪ Phishing: attempts to convince people to divulge sensitive information. Examples include receiving an email from their bank asking users to divulge their account and PIN numbers.

TROJAN HORSE CLASSIFICATION
▪ Remote-access Trojan horse: enables unauthorized remote access.
▪ Data-sending Trojan horse: provides the threat actor with sensitive data, such as passwords.
▪ Destructive Trojan horse: corrupts or deletes files.
▪ Proxy Trojan horse: uses the victim's computer as the source device to launch attacks and perform other illegal activities.
▪ FTP Trojan horse: enables unauthorized file transfer services on end devices.
▪ Security software disabler Trojan horse: stops antivirus programs or firewalls from functioning.
▪ DoS Trojan horse: slows or halts network activity.

FURTHER TO DISCUSS
▪ Harm: how they affect users and systems
▪ Transmission and propagation: how they are transmitted and replicate, and how they cause further transmission
▪ Activation: how they gain control and install themselves so that they can reactivate
▪ Stealth: how they hide to avoid detection

HARM FROM MALICIOUS CODE
Harm to users and systems:
▪ Sending email to user contacts
▪ Deleting or encrypting files
▪ Modifying system information, such as the Windows registry
▪ Stealing sensitive information, such as passwords
▪ Attaching to critical system files
▪ Hiding copies of malware in multiple complementary locations
Harm to the world:
▪ Some malware has been known to infect millions of systems, growing at a geometric rate
▪ Infected systems often become staging areas for new infections

TRANSMISSION AND PROPAGATION
▪ Setup and installer program
▪ Attached file
▪ Document viruses
▪ Autorun
Propagation using nonmalicious programs:
▪ Appended viruses
▪ Viruses that surround a program
▪ Integrated viruses (virus insertion)
MALWARE ACTIVATION
▪ One-time execution (implanting)
▪ Boot sector viruses
▪ Memory-resident viruses
▪ Application files
▪ Code libraries

STEALTH
The final objective for a malicious code writer is stealth: avoiding detection during installation, while executing, or even at rest in storage. Most viruses maintain stealth by concealing their action, not announcing their presence, and disguising their appearance.

VIRUS EFFECTS
Virus effect: how it is caused
▪ Attach to executable program: modify file directory; write to executable program file
▪ Attach to data or control file: modify directory; rewrite data; append to data; append data to self
▪ Remain in memory: intercept interrupt by modifying interrupt handler address table; load self in non-transient memory area
▪ Infect disks: intercept interrupt; intercept operating system call (to format disk, for example); modify system file; modify ordinary executable program
▪ Conceal self: intercept system calls that would reveal self and falsify result; classify self as "hidden" file
▪ Spread infection: infect boot sector; infect systems program; infect ordinary program; infect data that an ordinary program reads to control its execution
▪ Prevent deactivation: activate before deactivating program and block deactivation; store copy to reinfect after deactivation

VIRUS EFFECTS (CONTD.)
Computers infected with malware often exhibit one or more of the following:
▪ Appearance of strange files, programs, or desktop icons
▪ Antivirus and firewall programs turning off or reconfiguring settings
▪ Computer screen freezing or system crashing
▪ Emails spontaneously being sent without your knowledge to your contact list
▪ Files modified or deleted
▪ Increased CPU and/or memory usage
▪ Problems connecting to networks
▪ Slow computer or web browser speeds
▪ Unknown processes or services running
▪ Unknown TCP or UDP ports open
▪ Connections made to hosts on the Internet without user action
▪ Strange computer behavior

COUNTERMEASURES FOR USERS
▪ Use software acquired from reliable sources
▪ Test software in an isolated environment
▪ Only open attachments when you know them to be safe
▪ Treat every website as potentially harmful
▪ Create and maintain backups

COUNTERMEASURES FOR USERS (CONTD.)
1. Patch, Patch, Patch! Set up your computer for automatic software and operating system updates. An unpatched machine is more likely to have software vulnerabilities that can be exploited.
2. Install security software. When installed, the software should be set to scan your files and update your virus definitions on a regular basis.
3. Choose strong passwords. Choose strong passwords with letters, numbers, and special characters to create a mental image or an acronym that is easy for you to remember. Create a different password for each important account, and change passwords regularly.
4. Backup, Backup, Backup! Backing up your machine regularly can protect you from the unexpected. Keep a few months' worth of backups and make sure the files can be retrieved if needed.
5. Control access to your machine. Don't leave your computer in an unsecured area, or unattended and logged on, especially in public places. The physical security of your machine is just as important as its technical security.
6. Use email and the Internet safely. Ignore unsolicited emails, and be wary of attachments, links and forms in emails that come from people you don't know, or which seem "phishy." Avoid untrustworthy (often free) downloads from freeware or shareware sites.
7. Protect sensitive data. Reduce the risk of identity theft. Securely remove sensitive data files from your hard drive, which is also recommended when recycling or repurposing your computer. Use the encryption tools built into your operating system to protect sensitive files you need to retain.
8. Use desktop firewalls. Macintosh and Windows computers have basic desktop firewalls as part of their operating systems. When set up properly, these firewalls protect your computer files from being scanned.
9. Use secure connections. When connected to the Internet, your data can be vulnerable while in transit. Use remote connectivity and secure file transfer options when off campus.

VIRUS DETECTION
▪ Virus scanners look for signs of malicious code infection using signatures in program files and memory
▪ Traditional virus scanners have trouble keeping up with new malware; they detect about 45% of infections
Detection mechanisms:
▪ Known string patterns in files or memory
▪ Execution patterns
▪ Storage patterns

VIRUS SIGNATURES
[Figure: recognizable signature elements. Left: an attached virus, with an "IF (--) JUMP" into the virus code placed ahead of the original program. Right: the original program with a separate virus module.]

CODE ANALYSIS
Analyze the code to determine what it does, how it propagates and perhaps even where it originated.

COUNTERMEASURES FOR DEVELOPERS (DESIGN PRINCIPLES FOR SECURITY)
▪ Least privilege
▪ Economy of mechanism
▪ Open design
▪ Modularity
▪ Complete mediation
▪ Encapsulation
▪ Permission based
▪ Information hiding
▪ Separation of privilege
▪ Least common mechanism
▪ Ease of use

CODE TESTING
▪ Unit testing
▪ Integration testing
▪ Function testing
▪ Performance testing
▪ Acceptance testing
▪ Installation testing
▪ Regression testing
▪ Penetration testing

COUNTERMEASURES FOR SECURITY: DESIGN PRINCIPLES FOR SECURITY
1. Least privilege. Each user and each program should operate using the fewest privileges possible.
2. Economy of mechanism. The design of the protection system should be small, simple, and straightforward.
3. Open design. The protection mechanism must not depend on the ignorance of potential attackers; the mechanism should be public, depending on secrecy of relatively few key items, such as a password table. An open design is also available for extensive public scrutiny, thereby providing independent confirmation of the design's security.
4. Complete mediation. Every access attempt must be checked.
5. Permission based. The default condition should be denial of access. A conservative designer identifies the items that should be accessible, rather than those that should not.
6. Separation of privilege. Ideally, access to objects should depend on more than one condition, such as user authentication plus a cryptographic key. In this way, someone who defeats one protection system will not have complete access.
7. Least common mechanism. Shared objects provide potential channels for information flow. Systems separation reduces the risk from sharing.
8. Ease of use. If a protection mechanism is easy to use, it is unlikely to be avoided.

COUNTERMEASURES FOR SECURITY (CONTD.)
▪ Penetration testing for security: a system that fails penetration testing is known to have faults; one that passes is known only not to have the faults tested for.
▪ Proofs of program correctness: program verification.
▪ Validation: requirements checking, design and code reviews, system testing.
▪ Defensive programming: program designers must not only write correct code but must also anticipate what could go wrong.

COUNTERMEASURES THAT DON'T WORK
▪ Penetrate-and-patch: analysts searched for and repaired flaws, testing a system's security by attempting to cause it to fail; if the system withstood the attacks, it must be secure.
▪ Security by obscurity: the ineffective countermeasure of assuming the attacker will not find a vulnerability.
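The following is an added example, not code from the lecture or from Pfleeger's text. It demonstrates two of the detection mechanisms listed under VIRUS DETECTION: known byte-string patterns in files (signature scanning) and storage patterns, here checked as file hashes against a known-good baseline. The signature labels and byte patterns, the directory contents and the simulated "appended" modification are all constructed for the demo and correspond to no real malware.

```python
"""Minimal file scanner: signature matching plus integrity baseline.
Added example (not the lecture's or textbook's code). Every signature,
file name and file body below is constructed for the demonstration."""
import hashlib
import os
import tempfile

# Constructed signatures: label -> byte pattern (hypothetical, not real malware).
SIGNATURES = {
    "DEMO-APPENDED-STUB": b"\x90\x90DEMOSTUB\xe9",
    "DEMO-MACRO-DROPPER": b"AutoOpen(): DEMO-PAYLOAD",
}


def scan_for_signatures(data: bytes) -> list[str]:
    """Return the label of every signature whose byte pattern occurs in data."""
    return [label for label, pattern in SIGNATURES.items() if pattern in data]


def sha256_of_file(path: str) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict[str, str]:
    """Record the hash of every file under root: the known-good storage pattern."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = sha256_of_file(path)
    return baseline


def scan_tree(root: str, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Scan every file under root. A file is reported if it carries a signature,
    if its hash differs from the baseline, or if it was not in the baseline."""
    findings: dict[str, list[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as f:
                data = f.read()
            issues = [f"signature:{s}" for s in scan_for_signatures(data)]
            if rel not in baseline:
                issues.append("new-file")
            elif baseline[rel] != hashlib.sha256(data).hexdigest():
                issues.append("modified-since-baseline")
            if issues:
                findings[rel] = issues
    return findings


def demo() -> dict[str, list[str]]:
    """Build a tiny constructed tree, baseline it, then simulate an appended
    modification of one program and a dropped file, and rescan."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "hello.sh"), "wb") as f:
            f.write(b"#!/bin/sh\necho hello\n")
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"just text\n")
        baseline = build_baseline(root)
        # Simulated "appended virus": original program kept, stub added at the end.
        with open(os.path.join(root, "hello.sh"), "ab") as f:
            f.write(b"\x90\x90DEMOSTUB\xe9")
        # Simulated dropped document carrying the constructed macro signature.
        with open(os.path.join(root, "invoice.doc"), "wb") as f:
            f.write(b"Sub AutoOpen(): DEMO-PAYLOAD\n")
        return scan_tree(root, baseline)


if __name__ == "__main__":
    for rel, issues in demo().items():
        print(rel, issues)
```

The two checks complement each other in the way the slide's 45% figure suggests: a signature only fires on a pattern already in the database, whereas the hash baseline flags any modification to a known file, including one from malware nobody has a signature for, at the cost of also flagging legitimate updates.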
SUMMARY
▪ Malware can have a variety of harmful effects depending on its characteristics, including resource usage, infection vector, and payload
▪ Developers can use a variety of techniques for writing and testing code for security

NETWORK SECURITY LECTURE SET 03 CHAPTER 06
CRs NO: 1502170 INTRODUCTION TO CYBER SECURITY M5 - 220
[email protected]
Dr. Saddaf Rubab

NETWORK TRANSMISSION MEDIA
There are vulnerabilities in each of these media. The purpose of introducing them here is to understand that they all have different physical properties, and those properties will influence their susceptibility to different kinds of attack.
▪ Cable
▪ Optical fiber
▪ Microwave
▪ WiFi
▪ Satellite communication

COMMUNICATION MEDIA VULNERABILITY (CONTD.)
▪ Interception, or unauthorized viewing
▪ Modification, or unauthorized change
▪ Fabrication, or unauthorized creation
▪ Interruption, or preventing authorized access
Different touch points where attackers can take advantage of communication media: wiretaps, sniffers, interception, and impersonation.

VIRTUAL PRIVATE NETWORKS (VPN)
A VPN—an encrypted tunnel that provides confidentiality and integrity for communication between two sites over public networks—connects Office A to Office B over the Internet so they appear to their users as one seamless, private network. The VPN is terminated by firewalls at both ends, which is often the case in the real world.

VIRTUAL PRIVATE NETWORKS (VPNS)
▪ Institutions often want private networks for security. Costly! Separate routers, links, DNS infrastructure.
▪ With a VPN, the institution's inter-office traffic is sent over the public Internet instead.
▪ But inter-office traffic is encrypted before entering the public Internet.

VPN
[Figure: a laptop with IPsec (salesperson in hotel), a branch office router with IPv4 and IPsec, and a headquarters router with IPv4 and IPsec, connected across the public Internet; the packet shown carries an IP header, an IPsec header and a secure payload.]

VIRTUAL PRIVATE NETWORKS (VPN)
[Figure: hosts A1–A4 in Office A behind Firewall A and hosts B1–B4 in Office B behind Firewall B, joined by an encrypted link; Firewall A also connects to other sites.]

VIRTUAL PRIVATE NETWORKS (VPN)
In this VPN scenario, a teleworker uses a VPN to connect to a remote office. She authenticates to the firewall (which is acting as a VPN server), and the firewall passes that authentication information to the servers in the office so she can be appropriately access controlled.
[Figure: the teleworker connects over an encrypted link to Firewall A, behind which sit hosts A1–A4 of the office; Firewall A also connects to other sites.]

FIREWALLS
▪ A device (hardware/software) that filters all traffic between a protected or "inside" network and a less trustworthy or "outside" network
▪ Most firewalls run as dedicated devices: easier to design correctly and inspect for bugs, and easier to optimize for performance
▪ Firewalls implement security policies, or sets of rules that determine what traffic can or cannot pass through

TYPES OF FIREWALLS
▪ Packet filtering gateways or screening routers
▪ Stateful inspection firewalls
▪ Application-level gateways, also known as proxies
▪ Circuit-level gateways
▪ Guards
▪ Personal or host-based firewalls

PACKET-FILTERING GATEWAYS
A packet-filtering gateway controls access on the basis of packet address and specific transport protocol type (e.g., HTTP traffic).
[Figure: two cases. Left: packets with Src: 100.50.25.x and Src: other addresses arriving at the 100.50.25.x network; the firewall is filtering traffic on the basis of source IP rather than port. Right: HTTP and Telnet traffic arriving; the firewall is filtering out Telnet traffic but allowing HTTP traffic in.]
Filtering rules can also be based on combinations of addresses and ports/protocols.

STATEFUL INSPECTION FIREWALL
Packet-filtering gateways maintain no state from one packet to the next.
They simply look at each packet's IP addresses and ports and compare them to the configured policies. Stateful inspection firewalls, on the other hand, maintain state information from one packet to the next.

STATEFUL INSPECTION FIREWALL (CONTD.)
In the example in the image, the firewall is counting the number of systems contacted from external IP 10.1.3.1; after the external system reaches out to a fourth computer, the firewall hits a configured threshold and begins filtering packets from that address. In real life, it can be difficult to define rules that require state/context and that attackers cannot avoid.
[Figure: connections 10.1.3.1:1, 10.1.3.1:2, 10.1.3.1:3 and 10.1.3.1:4 from external IP 10.1.3.1 to successive internal computers; further 10.1.3.1:x traffic is filtered.]

APPLICATION PROXY
An application proxy simulates the behavior of an application at OSI layer 7 so that the real application receives only requests to act properly. Application proxies can serve several purposes:
▪ Filtering potentially dangerous application-layer requests
▪ Logging requests/accesses
▪ Caching results to save bandwidth
[Figure: the proxy passes filtered commands to the application and returns results, with logging and a file cache.]
Perhaps the most common form of application proxy in the real world is a web proxy, which companies often use to monitor and filter employee Internet use.

CIRCUIT-LEVEL GATEWAY
[Figure: 100.1.1.x network; the circuit gateway asks "To 200.1.1.x?": if yes, the traffic is encrypted; if no, it goes to the main firewall.]
A circuit-level gateway connects two separate networks as if they are one. A circuit-level gateway is a firewall that essentially allows one network to be an extension of another. It operates at OSI layer 5, the session layer, and it functions as a virtual gateway between two networks. One use of a circuit-level gateway is to implement a VPN.

PERSONAL FIREWALLS
A personal firewall runs on a workstation or server and can enforce security policy like other firewalls. In addition to restricting traffic by source IP and destination port, personal firewalls can restrict which applications are allowed to use the network. In this example Windows firewall configuration dialog, an administrator can select which protocols and applications should be allowed to communicate to and from the host.

GUARD
▪ A guard is a sophisticated firewall; it determines what services to perform on the user's behalf in accordance with its available information.
▪ Like a proxy firewall, it receives protocol data units, interprets them, and emits the same or different protocol data units that achieve either the same result or a modified result. A guard can implement any programmable set of conditions, even if the program conditions become highly sophisticated.

GUARD - EXAMPLES
▪ A university wants to allow its students to use email up to a limit of so many messages or so many characters of email in the last so many days.
▪ A school wants its students to be able to access the World Wide Web but, because of the capacity of its connection to the web, it will allow only so many bytes per second.
▪ A library wants to make available certain documents but will allow a user to retrieve only the first so many characters of a document.
▪ A company wants to allow its employees to fetch files by FTP. However, to prevent introduction of viruses, it will first pass all incoming files through a virus scanner.
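As an added example (not the lecture's or the textbook's code), the Python below models the two firewall behaviours described above: a stateless packet filter that decides from a packet's own addresses and ports (dropping Telnet, admitting HTTP, and dropping packets that arrive from outside while claiming an inside source address), and a stateful layer that reproduces the stateful-inspection slide, filtering an outside address once it has reached a fourth inside host. The 100.50.25.x network and the 10.1.3.1 address come from the slides; every packet, the rule table and the threshold value are constructed for the demo.

```python
"""Toy stateless + stateful firewall decision logic (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The protected 100.50.25.x network from the packet-filtering slide.
INTERNAL = ip_network("100.50.25.0/24")


@dataclass(frozen=True)
class Packet:
    src: str     # source IP
    dst: str     # destination IP
    dport: int   # destination port
    proto: str   # "tcp" or "udp"
    iface: str   # interface the packet arrived on: "ext" (outside) or "int" (inside)


# Stateless rules, first match wins; anything unmatched is denied
# (the "permission based" default from the design principles).
# Each rule: (direction, protocol or "*", destination port or None, action)
RULES = [
    ("inbound", "tcp", 23, "deny"),     # Telnet filtered out
    ("inbound", "tcp", 80, "allow"),    # HTTP allowed in
    ("outbound", "*", None, "allow"),   # inside hosts may talk out
]


def stateless_decision(pkt: Packet) -> str:
    """Decide on one packet using only its own header fields."""
    if pkt.iface == "ext" and ip_address(pkt.src) in INTERNAL:
        return "deny"   # arrived from outside but claims an inside source: spoofed
    direction = "inbound" if pkt.iface == "ext" else "outbound"
    for rule_dir, proto, port, action in RULES:
        if rule_dir == direction and proto in ("*", pkt.proto) and port in (None, pkt.dport):
            return action
    return "deny"


class StatefulFirewall:
    """Adds per-source memory on top of the stateless rules."""

    def __init__(self, max_hosts: int = 3):
        self.max_hosts = max_hosts          # inside hosts one outside address may contact
        self.contacted = defaultdict(set)   # outside src -> inside hosts it has reached
        self.blocked = set()                # outside addresses past the threshold

    def decide(self, pkt: Packet) -> str:
        verdict = stateless_decision(pkt)
        if verdict == "deny" or pkt.iface != "ext":
            return verdict                  # only inbound, rule-admitted packets are tracked
        if pkt.src in self.blocked:
            return "deny"
        self.contacted[pkt.src].add(pkt.dst)
        if len(self.contacted[pkt.src]) > self.max_hosts:
            self.blocked.add(pkt.src)       # threshold hit: filter all further traffic
            return "deny"
        return "allow"


def demo() -> list[str]:
    """Constructed packet sequence; returns the verdict for each packet in order."""
    fw = StatefulFirewall(max_hosts=3)
    packets = [
        Packet("10.1.3.5", "100.50.25.1", 23, "tcp", "ext"),     # Telnet in: stateless deny
        Packet("10.1.3.1", "100.50.25.1", 80, "tcp", "ext"),     # first inside host: allow
        Packet("10.1.3.1", "100.50.25.2", 80, "tcp", "ext"),     # second: allow
        Packet("10.1.3.1", "100.50.25.3", 80, "tcp", "ext"),     # third: allow
        Packet("10.1.3.1", "100.50.25.4", 80, "tcp", "ext"),     # fourth: threshold, deny
        Packet("10.1.3.1", "100.50.25.1", 80, "tcp", "ext"),     # now blocked even to host 1
        Packet("100.50.25.9", "100.50.25.1", 80, "tcp", "ext"),  # spoofed inside source: deny
        Packet("100.50.25.1", "203.0.113.7", 443, "tcp", "int"), # outbound HTTPS: allow
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Note that the stateless rules alone would admit all four HTTP packets from 10.1.3.1, since each one is individually legitimate; only the per-source memory reveals the sweep across inside hosts, which is the point the slide makes about state. It also illustrates the slide's caveat: the threshold is a configured constant, and a source that spreads its contacts across many addresses would stay under it.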
COMPARISON OF FIREWALL TYPES
[Comparison table not captured in the transcript.]

WHAT FIREWALLS CAN AND CANNOT DO
▪ Firewalls can protect an environment only if they control the entire perimeter
▪ Firewalls do not protect data outside the perimeter
▪ Firewalls are the most visible part of an installation to the outside, so they are an attractive target for attack
▪ Firewalls must be correctly configured, that configuration must be updated as the environment changes, and firewall activity reports must be reviewed periodically for evidence of attempted or successful intrusion
▪ Firewalls exercise only minor control over the content admitted to the inside, meaning that inaccurate or malicious code must be controlled by means inside the perimeter

NETWORK ADDRESS TRANSLATION (NAT)
With NAT, the source firewall converts the source address in the packet into the firewall's own address. The firewall also makes an entry in a translation table showing the destination address, the source port and the original source address, to be able to forward any replies to the packet's original source address. The firewall then converts the address back on any return packets. This has the effect of concealing the true address of the internal host and prevents the internal host from being reached directly.
[Figure: the user host (internal) 192.168.1.35 sends a packet with Src: 192.168.1.35:80; the firewall 173.203.129.90 forwards it with Src: 173.203.129.90:80 to the destination host (external) 65.216.161.24. Table of translations performed: Source 192.168.1.35:80, Dest 65.216.161.24:80.]

INTRUSION DETECTION SYSTEMS (IDS)
▪ IDSs complement preventative controls as a next line of defense. IDSs monitor activity to identify malicious or suspicious events.
IDSs may:
▪ Monitor user and system activity
▪ Audit system configurations for vulnerabilities and misconfigurations
▪ Assess integrity of critical system and data files
▪ Recognize known attack patterns in system activity
▪ Identify abnormal activity through statistical analysis
▪ Manage audit trails and highlight policy violations
▪ Install and operate traps to record information about intruders
[Figure: IDS components: (E) raw event source producing raw or low-level event data; (A) analysis; (S) storage of high-level interpreted events; (C) countermeasures, the reactions to events.]

TYPES OF IDS
▪ Detection method: signature-based (only detects known patterns); heuristic (looks for patterns of behavior that are out of the ordinary).
▪ Location: front end (looks at traffic as it enters the network); internal (monitors traffic within the network).
▪ Scope: host-based IDS (HIDS) protects a single host by monitoring traffic from the OS; network-based IDS (NIDS) is a server or appliance that monitors network traffic.
▪ Capability: passive; active, also known as intrusion prevention systems (IPS), tries to block or otherwise prevent suspicious or malicious behavior once it is detected.

IDS VS FIREWALL
[Comparison figure not captured in the transcript.]

SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
SIEMs are software systems that collect security-relevant data—usually audit logs—from a variety of hardware and software products to create a unified security dashboard for security operations center personnel.
[Figure: log data from IDSs, OSs, applications, cloud services, firewalls, databases, proxy servers, web servers/applications, switches, email servers and routers flows into the SIEM, which SOC analysts use.]

SUMMARY
▪ A wide variety of firewall types exist, ranging from very basic IP-based functionality to complex application-layer logic, both on networks and on hosts
▪ There are many flavors of IDS, each of which detects different kinds of attacks in very different parts of the network

SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) (CONTD.)
▪ Without a SIEM, analysts would need to log into each device individually on a constant basis and would have to manually correlate events on one system against events on another, which is impossible on any reasonably sized system.
▪ SIEMs range in functionality from simple ones that allow for basic search and alerting to complex platforms that allow for completely custom dashboards, reports, alerts, and correlation.
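The following is an added example, not the lecture's code and not any IDS or SIEM product's code. It runs the two detection methods from TYPES OF IDS over constructed log lines, a signature check on web request paths and a heuristic count of failed logins per source address, and then performs the cross-source correlation that the SIEM slides describe: an address seen by two or more independent sources is escalated, while a single-source hit stays at low severity. All log lines, signature patterns, the failed-login threshold and the log formats (the firewall lines in particular use a made-up DENY/ALLOW layout) are constructed for the demo.

```python
"""Toy IDS detectors plus SIEM-style correlation (added example)."""
import re
from collections import Counter, defaultdict

# Constructed web access lines: "<src> <method> <path> <status>".
WEB_LOG = [
    "203.0.113.9 GET /index.html 200",
    "203.0.113.9 GET /../../etc/passwd 404",
    "198.51.100.77 GET /about.html 200",
    "203.0.113.9 GET /login?user=admin'-- 500",
    "192.0.2.44 GET /static/../img.png 200",
]
# Constructed auth lines in OpenSSH-like wording.
AUTH_LOG = [
    "Failed password for admin from 203.0.113.9 port 51002 ssh2",
    "Failed password for root from 203.0.113.9 port 51003 ssh2",
    "Failed password for admin from 203.0.113.9 port 51004 ssh2",
    "Failed password for guest from 203.0.113.9 port 51005 ssh2",
    "Failed password for admin from 203.0.113.9 port 51006 ssh2",
    "Failed password for bob from 203.0.113.9 port 51007 ssh2",
    "Failed password for alice from 198.51.100.77 port 40001 ssh2",
    "Accepted password for alice from 198.51.100.77 port 40002 ssh2",
]
# Constructed firewall lines in a made-up format: "<action> <proto> <src>:<port> -> <dst>:<port>".
FW_LOG = [
    "DENY tcp 203.0.113.9:51010 -> 192.0.2.10:23",
    "DENY tcp 203.0.113.9:51011 -> 192.0.2.11:23",
    "ALLOW tcp 198.51.100.77:40003 -> 192.0.2.10:443",
]

# Signature-based detection: known patterns, each as (name, compiled regex).
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("sql-quote-comment", re.compile(r"'--")),
]
AUTH_FAIL = re.compile(r"^Failed password for \S+ from (\S+) port")
FW_DENY = re.compile(r"^DENY \S+ (\S+):\d+ ->")
FAILED_LOGIN_THRESHOLD = 5   # constructed: more than this many failures is "out of the ordinary"


def signature_alerts(web_lines):
    """Signature-based: a request path matching a known pattern is an alert."""
    alerts = []
    for line in web_lines:
        src, _method, path, _status = line.split(" ", 3)
        for name, rx in SIGNATURES:
            if rx.search(path):
                alerts.append({"source": "web", "src": src, "rule": name})
    return alerts


def heuristic_alerts(auth_lines, threshold=FAILED_LOGIN_THRESHOLD):
    """Heuristic: an address with unusually many failed logins is an alert."""
    failures = Counter()
    for line in auth_lines:
        m = AUTH_FAIL.match(line)
        if m:
            failures[m.group(1)] += 1
    return [{"source": "auth", "src": ip, "rule": f"failed-logins>{threshold}", "count": n}
            for ip, n in failures.items() if n > threshold]


def firewall_deny_events(fw_lines):
    """Firewall denies are events in their own right; the SIEM gets them too."""
    events = []
    for line in fw_lines:
        m = FW_DENY.match(line)
        if m:
            events.append({"source": "firewall", "src": m.group(1), "rule": "deny"})
    return events


def correlate(events):
    """SIEM-style correlation keyed on source address. Two or more independent
    sources reporting the same address -> high severity; one source -> low."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    result = {}
    for src, evs in by_src.items():
        sources = sorted({ev["source"] for ev in evs})
        result[src] = {
            "severity": "high" if len(sources) >= 2 else "low",
            "sources": sources,
            "events": len(evs),
        }
    return result


def run_demo():
    events = signature_alerts(WEB_LOG) + heuristic_alerts(AUTH_LOG) + firewall_deny_events(FW_LOG)
    return correlate(events)


if __name__ == "__main__":
    for src, summary in run_demo().items():
        print(src, summary)
```

The single-source hit from 192.0.2.44 is the case the slides' "manually correlate events on one system against events on another" sentence is about: on its own, a traversal-looking path in a web log may be a false positive, and only the absence of matching auth or firewall events from that address tells the analyst it can wait, whereas 203.0.113.9 appears in all three feeds.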