Α.Π.Σ. - Malicious Software
gaggelinos@ssl-unipi.gr
(payload)
(1/4)
(2/4)
(3/4)
(4/4): (interpreted), (executed)
Melissa (1/3)
Macro virus, first distributed through Internet newsgroups in 1999.
Aliases: W97M/Melissa.o, W97M/Melissa.gen@MM, W97M/Melissa.bp@MM.
Infects Microsoft Word documents and propagates by e-mail through Outlook.
Melissa (2/3)
Written in Visual Basic (Word macro code); it drives Outlook to mail itself out.
Sends the infected document to the first 50 entries of the Outlook address book.
Subject line: "Important message from application.username", where application.username is replaced by the name of the registered Word user on the infected machine.
Melissa (3/3)
ILoveYou (1/4)
E-mail worm, 2000.
Aliases: VBS/Loveletter.* (*=b,c,d,af,ag,ah,ae,ai,be), LoveBug, Very Funny, Love Letter, Mothers Day.
Written in Visual Basic Scripting (VBScript).
Arrives as an e-mail with a VBS attachment and the subject ILOVEYOU; once run, it mails itself to every entry in the victim's address book.
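Both Melissa (first 50 address-book entries) and ILOVEYOU (the whole address book) leave the same trace on the mail gateway: one sender, one fixed subject, many distinct recipients within seconds, plus a script attachment in the ILOVEYOU case. The detector below is an added example and not code from the lecture; the log format it parses (timestamp, sender, recipient, quoted subject, attachment name or "-") and the log lines themselves are constructed for the example, so a real MTA log would need its own parser producing the same record shape.

```python
"""Flag mass-mailer worm behaviour in an outbound mail log (added example)."""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: carol's machine is infected and mails her whole address
# book within seconds; frank runs a slow, legitimate digest; alice is normal.
SAMPLE_LOG = """\
2000-05-04T09:00:01 alice@example.org bob@example.org "Re: budget" report.doc
2000-05-04T09:00:02 carol@example.org bob@example.org "ILOVEYOU" LOVE-LETTER-FOR-YOU.TXT.vbs
2000-05-04T09:00:02 carol@example.org dave@example.org "ILOVEYOU" LOVE-LETTER-FOR-YOU.TXT.vbs
2000-05-04T09:00:03 carol@example.org erin@example.org "ILOVEYOU" LOVE-LETTER-FOR-YOU.TXT.vbs
2000-05-04T09:00:03 carol@example.org frank@example.org "ILOVEYOU" LOVE-LETTER-FOR-YOU.TXT.vbs
2000-05-04T09:00:04 carol@example.org grace@example.org "ILOVEYOU" LOVE-LETTER-FOR-YOU.TXT.vbs
2000-05-04T09:00:04 carol@example.org heidi@example.org "ILOVEYOU" LOVE-LETTER-FOR-YOU.TXT.vbs
2000-05-04T09:00:09 alice@example.org carol@example.org "Re: budget" -
2000-05-04T09:00:00 frank@example.org bob@example.org "Weekly digest" -
2000-05-04T09:30:00 frank@example.org dave@example.org "Weekly digest" -
2000-05-04T10:00:00 frank@example.org erin@example.org "Weekly digest" -
2000-05-04T10:30:00 frank@example.org grace@example.org "Weekly digest" -
2000-05-04T11:00:00 frank@example.org heidi@example.org "Weekly digest" -
2000-05-04T11:30:00 frank@example.org ivan@example.org "Weekly digest" -
"""

# Extensions that the Windows Scripting Host or the shell executes on open.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                     ".bat", ".cmd", ".scr", ".pif"}


def parse_log(text):
    """One record per line; shlex handles the quoted subject field."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient, subject, attachment = shlex.split(line)
        records.append({
            "time": datetime.fromisoformat(ts),
            "sender": sender.lower(),
            "recipient": recipient.lower(),
            "subject": subject,
            "attachment": None if attachment == "-" else attachment,
        })
    return records


def suspicious_attachment(name):
    """True when the final extension is one a script host will run
    (LOVE-LETTER-FOR-YOU.TXT.vbs: the double extension hides the .vbs)."""
    if not name or "." not in name:
        return False
    return "." + name.lower().rsplit(".", 1)[-1] in SCRIPT_EXTENSIONS


def find_mass_mailers(records, min_recipients=5, window=timedelta(minutes=5)):
    """Group by (sender, subject) and slide a time window over the events;
    a key is reported when any window holds >= min_recipients distinct
    recipients. Returns {(sender, subject): {...}}."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["sender"], r["subject"])].append(r)
    hits = {}
    for (sender, subject), events in by_key.items():
        events.sort(key=lambda r: r["time"])
        start, best = 0, 0
        for end, ev in enumerate(events):
            while ev["time"] - events[start]["time"] > window:
                start += 1
            best = max(best, len({e["recipient"] for e in events[start:end + 1]}))
        if best >= min_recipients:
            hits[(sender, subject)] = {
                "recipients": best,
                "script_attachment": any(suspicious_attachment(e["attachment"])
                                         for e in events),
            }
    return hits


if __name__ == "__main__":
    for (sender, subject), info in find_mass_mailers(parse_log(SAMPLE_LOG)).items():
        print(f"{sender}: {info['recipients']} recipients of '{subject}' "
              f"inside the window; script attachment: {info['script_attachment']}")
```

Only carol is reported with the default five-minute window: frank's digest reaches just as many people but spread over hours, which is why the window matters; widen it to three hours and frank is reported too, so the threshold and window must be tuned to the site's legitimate bulk senders.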
ILoveYou (2/4)
Runs on Windows 9x/NT systems that execute VBS scripts (Windows Scripting Host).
ILoveYou (3/4)
ILoveYou (4/4)
Payload: downloads and runs WIN-BUGSFIX.EXE, a password-stealing trojan that mails the harvested passwords to mailme@super.net.ph.
Persistence: WIN-BUGSFIX.EXE is registered under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX so that it is started at every boot.
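The Run key used by WIN-BUGSFIX.EXE is still the most common persistence location, and an exported copy of it is the first thing to read when triaging a machine. The script below is an added example, not code from the lecture: it parses a `.reg` export (the constructed sample is embedded inline; a real export is UTF-16 and would be opened with `encoding="utf-16"`), extracts the executable from each Run/RunOnce value and flags entries that match a known indicator name, live in a user-writable directory, or are not a plain .exe. The indicator list (only the WIN-BUGSFIX name from the slide) and the sample entries are assumptions for the example.

```python
"""Audit Run/RunOnce entries from a .reg export (added example)."""
import re

# Constructed sample export; two benign entries, the LoveLetter one, and a
# hypothetical "Updater" launched from a user's Temp directory.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"WIN-BUGSFIX"="C:\\WINDOWS\\SYSTEM\\WIN-BUGSFIX.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\carol\\AppData\\Local\\Temp\\updater.exe"
"""

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
# "name"="data" string values; .reg escapes backslashes and quotes with a backslash.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\",
                 "\\documents and settings\\", "\\programdata\\")
KNOWN_BAD_NAMES = {"win-bugsfix"}  # indicator from the slide; extend per case


def unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: string_data}}. Non-string value types
    (dword:, hex:) and the default value (@=) are skipped in this example."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            tree[current][unescape(m.group("name"))] = unescape(m.group("data"))
    return tree


def executable_path(command):
    """First token of the command line, honouring a quoted path with spaces.
    Unquoted paths containing spaces are truncated (a known limitation)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ")[0]


def audit_run_keys(tree, known_bad=KNOWN_BAD_NAMES):
    """List Run/RunOnce entries with the reasons they look suspicious."""
    findings = []
    for key, values in tree.items():
        if not RUN_KEY_RE.search(key):
            continue
        for name, command in values.items():
            exe = executable_path(command)
            exe_l = exe.lower()
            basename = exe_l.rsplit("\\", 1)[-1]
            reasons = []
            if name.lower() in known_bad or basename.rsplit(".", 1)[0] in known_bad:
                reasons.append("matches known IOC name")
            if any(frag in exe_l for frag in USER_WRITABLE):
                reasons.append("executable lives in a user-writable directory")
            if not basename.endswith(".exe"):
                reasons.append("not a plain .exe (script or unusual extension)")
            if reasons:
                findings.append({"key": key, "name": name, "path": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_run_keys(parse_reg(SAMPLE_REG)):
        print(f"{f['key']}\\{f['name']} -> {f['path']}: {', '.join(f['reasons'])}")
```

The location heuristic is the one that generalises: a legitimate installer writes its binary under Program Files or the Windows directory, while malware dropped by a mail worm usually runs from wherever the user could write, so a Run entry pointing into Temp or AppData deserves a look even with no name match.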
(1/3)
(2/3) (worms)
(3/3) (Hoax)
Internet worm (1/4)
Targeted UNIX hosts.
From each infected host it read the system tables of known hosts to choose the next hosts to attack.
Internet worm (2/4)
Broke into a host by guessing account passwords from a built-in password list and by exploiting the debug option of sendmail.
Internet worm (3/4)
Once it had a command interpreter on the victim, it transferred and ran only a small bootstrap program rather than the whole worm.
Internet worm (4/4)
The bootstrap connected back to the parent program on the infecting host, fetched the rest of the worm (the binaries for the victim's architecture) and started it; the new copy then repeated the cycle.
(1/4)
(2/4)
25/01/2003: Slammer (http://en.wikipedia.org/wiki/SQL_Slammer)
11/08/2003: Blaster (http://en.wikipedia.org/wiki/Blaster_(computer_worm))
18/08/2003: Welchia (http://en.wikipedia.org/wiki/Welchia)
(3/4)
(4/4)
17/01/2007: Storm (http://en.wikipedia.org/wiki/Storm_Worm)
2010: Stuxnet (http://en.wikipedia.org/wiki/Stuxnet)
Payload
(1/2) Scanning: the worm probes addresses for the vulnerable service to find victims.
(2/2) Target lists from other sources: P2P shared folders, Google (search engines).
Carrier: the worm body is carried inside the attack itself (CodeRed, Slammer, Witty) or fetched by the victim over a second channel after exploitation (Blaster): TFTP, FTP, HTTP.
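Why the carrier choice matters for scanning worms: a self-carried worm such as Slammer infects with a single UDP packet, so its scan rate is limited only by the host's bandwidth, while a worm that needs a TCP connection and a second-channel download scans far more slowly. The model below is an added example (not from the lecture) of the standard random-scanning epidemic model: each infected host sends S random probes per second into the 2^32 address space, and a probe infects a new host with probability (N - I)/2^32. The "Slammer-like" and "Code Red-like" parameter values are round-number assumptions chosen to show the effect, not measurements.

```python
"""Random-scanning worm spread, logistic model (added example)."""
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random scanner draws from


def infection_rate_constant(n_vulnerable, scans_per_second, address_space=ADDRESS_SPACE):
    """K of the logistic model: probes per second times the chance that a
    random probe lands on one of the n_vulnerable targets."""
    if scans_per_second <= 0 or n_vulnerable <= 0:
        raise ValueError("scan rate and vulnerable population must be positive")
    return scans_per_second * n_vulnerable / address_space


def doubling_time(n_vulnerable, scans_per_second, address_space=ADDRESS_SPACE):
    """Seconds for the infected population to double in the early phase,
    when nearly every hit is a fresh victim."""
    return math.log(2) / infection_rate_constant(n_vulnerable, scans_per_second, address_space)


def analytic_time_to_fraction(fraction, n_vulnerable, scans_per_second,
                              initial=1, address_space=ADDRESS_SPACE):
    """Closed-form solution I(t) = N / (1 + (N/I0 - 1) e^{-Kt}), solved for
    the time at which I(t)/N reaches `fraction`."""
    k = infection_rate_constant(n_vulnerable, scans_per_second, address_space)
    return math.log((n_vulnerable / initial - 1) * fraction / (1 - fraction)) / k


def simulate_time_to_fraction(fraction, n_vulnerable, scans_per_second,
                              initial=1, address_space=ADDRESS_SPACE, dt=0.1):
    """Step the same model numerically. Per step: new infections =
    infected * scans/s * P(probe hits an uninfected vulnerable host) * dt.
    Returns (seconds elapsed, infected hosts)."""
    if n_vulnerable <= initial:
        raise ValueError("nothing left to infect")
    infected, t, target = float(initial), 0.0, fraction * n_vulnerable
    while infected < target:
        hit_probability = (n_vulnerable - infected) / address_space
        infected += infected * scans_per_second * hit_probability * dt
        t += dt
    return t, infected


# Assumed parameters for the two carrier styles (illustrative, not measured).
CASES = {
    "Slammer-like (self-carried, one UDP packet)": (75_000, 4_000),
    "Code Red-like (TCP connect per probe)": (360_000, 10),
}

if __name__ == "__main__":
    for label, (n, s) in CASES.items():
        t99, _ = simulate_time_to_fraction(0.99, n, s)
        print(f"{label}: doubling every {doubling_time(n, s):.1f} s, "
              f"99% of {n} hosts infected after {t99 / 60:.1f} min "
              f"(analytic {analytic_time_to_fraction(0.99, n, s) / 60:.1f} min)")
```

With the assumed numbers the Slammer-like worm doubles roughly every ten seconds and saturates its population in a few minutes, whereas the Code Red-like worm doubles every quarter hour and needs most of a day; the model also shows why the infection rate constant depends on scan rate times population, so halving the vulnerable population (patching) buys exactly as much time as halving the attacker's bandwidth.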
Payload
Traffic/machine load: the bandwidth and CPU consumed by propagation itself
DDoS
Remote control: backdoors, botnets
Spam relay
Botnets (1/3)
Botnets (2/3)
More than 1 million zombies estimated.
70%-80% of spam is sent through zombies.
Honeynet project: 226,585 distinct IP addresses logged joining IRC botnet C&C channels.
DDoS: 13 zombies, each on a 128 Kbit uplink, are enough to saturate a T1 line (1.544 Mbit), since 13 × 128 Kbit ≈ 1.66 Mbit.
Botnets (3/3)
Uses: spam, DDoS, malware distribution, IRC, online, adware, phishing web servers.
(1/5)
(2/5) Mandatory Access Control (MAC); Protection Domains
(3/5) (sandboxing)
(4/5)
(5/5)
(1/5)
(2/5) Least privilege
(3/5) Demilitarised Zone (DMZ)
(4/5)
(5/5)
(Order of Play)
(Time of Play)
(1/2)
(2/2)