Malicious software
Lorenzo Cavallaro
Information Security Group Royal Holloway, University of London
1 / 10
Lecture Outline
Learning Outcomes
The exploit downloads and installs a malware sample, infecting the victim.
Week 1: Introduction
1. (Should we care? A botnet takeover storytelling)
2. Admin blabbing
3. Malicious software
4. (a glimpse at) Botnets
5. (a glimpse at) Botnets detection & Rootkits
Week 2: Static analysis and its limitations
Week 3: Dynamic analysis and its limitations
Week 4: Mobile malware
Week 5: Cybercriminal underground economy
Week 6: The cost of cybercrime
(Week 1-3) Lorenzo Cavallaro (ISG@RHUL) Malware and its Underground Economy, Jun 17, 2013, Week 1-3, 2 / 10
Malicious Software
Malware refers to any unwanted software or executable code that is used to perform an unauthorized, often harmful, action on a computing device. It is an umbrella term for various types of harmful software, including viruses, worms, Trojans, rootkits, and botnets.
Taxonomy I
Figure: malware classified along two axes, Means of Distribution (Self-Spreading vs. Non-Spreading) and Dependency on Host (Requires Host vs. does not require a host). Virus: self-spreading, requires a host. Worm: self-spreading, does not require a host.
Taxonomy II
Virus
Self-replicating; needs a host to infect
Infection strategies: boot sector (Brain virus), overwrite, parasitic, cavity, entry point obfuscation, code integration (W95/Zmist virus)
Worm
Self-replicating; spreads (autonomously) over the network
Exploits vulnerabilities affecting a large number of hosts, or sends itself via email
Taxonomy III
Trojan horse
Malicious program disguised as legitimate software
Many different malicious actions: spy on sensitive user data; hide presence (e.g., root-kit); allow remote access (e.g., Back Orifice, NetBus)
Root-kit
Used to keep access to a compromised system
Usually hides files, processes, network connections
User- and kernel-level
Let us have a look at some numbers.
Figure: New Password Stealers Samples (Source: McAfee Q4 2012 Threats Report)
Figure: Total Malicious Signed Binaries (Source: McAfee Q4 2012 Threats Report)
Figure: Leading Global Botnet Infections (Source: McAfee Q4 2012 Threats Report)
Fighting Malware I
Foremost goals: understand malware behaviors in order to (automatically) identify and classify families of malware, and (to) automatically generate effective malware detection models.
Collect malware samples
How about infection strategies?
Analyze samples
Static analysis
Studying a program's properties without executing it
Reverse engineering may be hampered (e.g., by obfuscation, encryption)
Dynamic analysis
Studying a program's properties by executing it
Environment-limited analysis: only the behavior triggered in the analysis environment is observed
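To make the two limitations above concrete, here is an added illustration that is not part of the lecture slides: a constructed toy sample whose payload is XOR-encoded, a signature-based static scan that sees only the encoded bytes, and a dynamic step that emulates the sample's own unpack stub, which runs only when a trigger is present in the environment. The packer layout, the signature list and the `env` dictionary are all assumptions made for the example.

```python
import re

# Constructed toy "sample" format (assumption): b"PK" marker, one key byte,
# then the payload XOR-encoded with that key. Nothing here is a real format.
SIGNATURES = [b"http://", b"cmd.exe"]   # strings a naive static scanner looks for
PLAINTEXT_PAYLOAD = b"connect http://example.invalid/update then run cmd.exe /c"

def pack(payload: bytes, key: int) -> bytes:
    """Build the toy sample: marker, key byte, XOR-encoded body."""
    return b"PK" + bytes([key]) + bytes(b ^ key for b in payload)

def strings(blob: bytes, min_len: int = 4) -> list:
    """Static-analysis step: pull printable ASCII runs out of raw bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)

def static_scan(sample: bytes) -> list:
    """Match signatures against what is visible without executing anything.
    The encoding hides the payload strings, so the scan comes back empty."""
    found = strings(sample)
    return [s for s in SIGNATURES if any(s in f for f in found)]

def run_in_sandbox(sample: bytes, env: dict) -> bytes:
    """Dynamic-analysis step: emulate the sample's own unpack stub.
    The stub unpacks only when its expected trigger is present, so what the
    analyst observes depends on the environment (environment-limited)."""
    if not env.get("trigger_present"):
        return b""                      # stub exits early; nothing is revealed
    key = sample[2]
    return bytes(b ^ key for b in sample[3:])

def dynamic_scan(sample: bytes, env: dict) -> list:
    """Scan the memory image produced by running the sample in `env`."""
    memory = run_in_sandbox(sample, env)
    return [s for s in SIGNATURES if s in memory]

if __name__ == "__main__":
    sample = pack(PLAINTEXT_PAYLOAD, key=0x5A)
    print("static scan:", static_scan(sample))                          # []
    print("dynamic, bare sandbox:", dynamic_scan(sample, {}))           # []
    print("dynamic, trigger present:",
          dynamic_scan(sample, {"trigger_present": True}))              # both signatures
```

The same signatures match the unpacked plaintext directly, which is exactly what the packer denies to the static pass.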
Fighting Malware II
Generate and deploy detection models
These problems are hard:
Lack of a general definition of malicious behavior
Cat-and-mouse game: attackers have much freedom
Victims often (unwittingly) help attackers