AIMS Security
Malware
Malware: Computer Virus
Computer Virus: a type of malware that propagates by inserting a copy of itself into, and becoming part of, another program.
It spreads from one computer to another, leaving infections as it travels.
It can cause mildly annoying effects, damage data or software, or cause denial-of-service (DoS) conditions.
Almost all viruses are attached to an executable file. The virus may exist on a system but will not be active or able to spread until a user runs or opens the malicious host file or program.
Malware: Computer Worm
Computer worms replicate functional copies of themselves and can cause the same type of damage as viruses.
Worms are standalone software and do not require a host program or human help to propagate.
To spread, worms either exploit a vulnerability on the target system or use some kind of social engineering to trick users into executing them.
A worm enters a computer through a vulnerability in the system and takes advantage of file-transport or information-transport features on the system, allowing it to travel unaided.
Malware: Trojan
Malware: “Bots”
Servant Bots
Malware: “Bots” (cont’d)
Bots can be used for either good or malicious intent.
A malicious bot is self-propagating malware designed to infect a host and connect back to a central server (or servers) that acts as a command and control (C&C) center for an entire network of compromised devices, or "botnet."
With a botnet, attackers can launch broad-based, "remote-control," flood-type attacks against their target(s).
Bots can:
• Log keystrokes
• Gather passwords
• Capture and analyze packets
• Gather financial information
• Launch DoS attacks and relay spam
• Open back doors on the infected host
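The "connect back to a central server" behaviour above is what network defenders look for when hunting bots: an infected host checks in with its C&C server on a timer, which looks very different from bursty human-driven traffic. The following is an added example (not part of the original slides) of that detection idea run over a constructed connection log; the log format, addresses and thresholds are assumptions made for the demo.

```python
"""Flag hosts that contact one destination at suspiciously regular intervals.

Added example, not from the original slides. A bot typically 'checks in'
with its command-and-control server on a fixed timer, so the gaps between
its connections are nearly constant; normal user traffic is irregular.
The log format below is constructed for this demo, not a real product's.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log, one connection per line:
# "epoch_seconds src_ip dst_ip:port bytes"
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.9:6667 120
1060 10.0.0.5 203.0.113.9:6667 118
1120 10.0.0.5 203.0.113.9:6667 121
1180 10.0.0.5 203.0.113.9:6667 119
1240 10.0.0.5 203.0.113.9:6667 120
1300 10.0.0.5 203.0.113.9:6667 122
1003 10.0.0.7 198.51.100.20:443 5400
1010 10.0.0.7 198.51.100.20:443 81000
1190 10.0.0.7 198.51.100.20:443 2300
1191 10.0.0.7 198.51.100.20:443 900
1420 10.0.0.7 198.51.100.20:443 17000
1500 10.0.0.7 198.51.100.20:443 4100
1005 10.0.0.5 198.51.100.20:443 3000
"""


def parse_log(text):
    """Return {(src, dst): [timestamps]} from the constructed log format."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _bytes = line.split()
        conns[(src, dst)].append(int(ts))
    return conns


def find_beacons(conns, min_count=5, max_cv=0.2):
    """Return (src, dst, period) for pairs whose connection gaps are near-constant.

    cv = stddev / mean of the inter-arrival gaps. A fixed check-in timer gives
    cv close to 0; human-driven traffic gives a much larger spread. The
    thresholds are assumptions for the demo and would be tuned per network.
    """
    hits = []
    for (src, dst), times in conns.items():
        if len(times) < min_count:
            continue  # too few connections to judge regularity
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((src, dst, avg))
    return hits


def analyze(text=SAMPLE_LOG):
    """Parse the log and return the (src, dst, period) pairs that look like beacons."""
    return find_beacons(parse_log(text))


if __name__ == "__main__":
    for src, dst, period in analyze():
        print(f"{src} -> {dst} checks in every ~{period:.0f}s (possible C&C beacon)")
```

On the constructed log, only 10.0.0.5 talking to 203.0.113.9:6667 every 60 seconds is flagged; the web traffic from 10.0.0.7 has irregular gaps and is ignored. In practice this heuristic is a starting point for triage, not a verdict: legitimate software (update checkers, monitoring agents) also beacons, so hits are usually cross-checked against an allow list and the destination's reputation.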
Bot Example - Mirai
Mirai
• DNS is the first step in the process when a user accesses a website or API.
• If a fresh DNS record is not found in the user's cache, the OS sets off a recursive search to find the IP address for the domain in question.
• The search ends at an authoritative server that provides the 'authoritative' answer to the user's query.
• Dyn is a service that runs authoritative servers on behalf of its customers. Therefore, when Dyn is inaccessible, the DNS records of its customers are also inaccessible, and their sites become progressively unavailable as the time to live (TTL) of their DNS records expires.
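The "progressively unavailable" effect is worth seeing step by step: nothing fails the instant the authoritative servers go down, because resolvers keep serving cached answers until each record's TTL runs out. The following added example (not from the original slides) models a resolver cache in front of an authoritative server that becomes unreachable; the zone names, TTLs and timings are constructed for the demo.

```python
"""Model how resolver caches go stale when an authoritative DNS provider is unreachable.

Added example, not from the original slides. The zone, TTLs and checkpoint
times are constructed. The point: records with short TTLs drop out of the
cache first, so sites go dark one by one rather than all at once.
"""
from dataclasses import dataclass

# Constructed zone: name -> (address, TTL in seconds)
ZONE = {
    "shop.example": ("192.0.2.10", 60),
    "news.example": ("192.0.2.20", 300),
    "mail.example": ("192.0.2.30", 3600),
}


@dataclass
class CachedRecord:
    address: str
    fetched_at: int  # when the resolver last got an authoritative answer
    ttl: int         # how long that answer may be served from cache

    def fresh_at(self, now):
        return now < self.fetched_at + self.ttl


class AuthoritativeServer:
    """Stands in for a provider like Dyn: answers only while reachable."""

    def __init__(self, zone):
        self.zone = zone
        self.reachable = True

    def answer(self, name):
        if not self.reachable:
            raise TimeoutError("authoritative server unreachable")
        return self.zone.get(name)


class Resolver:
    """A caching recursive resolver: serve from cache while fresh, else ask upstream."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = {}

    def resolve(self, name, now):
        rec = self.cache.get(name)
        if rec and rec.fresh_at(now):
            return rec.address
        try:
            ans = self.upstream.answer(name)
        except TimeoutError:
            return None  # SERVFAIL: cache stale and upstream down
        if ans is None:
            return None  # NXDOMAIN
        address, ttl = ans
        self.cache[name] = CachedRecord(address, now, ttl)
        return address


def simulate(outage_start=100, checkpoints=(0, 150, 500, 3000, 4000)):
    """Warm the cache at t=0, take the authoritative server offline at
    outage_start, and report which names still resolve at each checkpoint."""
    auth = AuthoritativeServer(ZONE)
    resolver = Resolver(auth)
    for name in ZONE:
        resolver.resolve(name, 0)
    results = {}
    for t in checkpoints:
        auth.reachable = t < outage_start
        results[t] = sorted(n for n in ZONE if resolver.resolve(n, t) is not None)
    return results


if __name__ == "__main__":
    for t, names in simulate().items():
        print(f"t={t:>5}s  still resolvable: {names or 'none'}")
```

With the authoritative server down from t=100s, the 60-second record is the first to fail, the 300-second record goes next, and the 3600-second record survives for an hour. That is why the slide says "progressively": every customer's outage clock starts when its own cached records expire. It also shows the defensive levers: sensible (not minimal) TTLs, a second authoritative provider, and resolvers that serve stale answers when upstream is unreachable (standardised in RFC 8767).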
Mirai to date
• September 20th-30th, 2016
  • Services of security journalist & blogger Brian Krebs, of krebsonsecurity.com
    • 620 Gbps attack
  • French internet infrastructure company OVH
    • 100 Gbps-799 Gbps
• September 30th, 2016
  • Mirai source code released publicly on Hackforums
    • "Hacker" by the name "Anna-Senpai"
• October 21st, 2016
  • Dyn
    • Said to be 50 times the size of a "normal" DDoS
    • Twitter
    • Amazon
    • Spotify
    • Netflix
Mirai DDoS against Dyn
The view from Cloudflare
Who was affected (courtesy of Wikipedia)
Future
• Tracking Mirai:
• https://twitter.com/MiraiAttacks
• https://intel.malwaretech.com/mirai.html
Questions?