
gaggelinos@ssl-unipi.gr


;

;
1:

( )
2:

.
.

: (
) ,



( ) -


- ( ),


: :

,


.

:



(.. ,
)


(payload)


8




,

9

(1/4)


(
) ( )

10

(2/4)

11

(3/4)


,
,


,

-

12

(4/4)


-

(interpreted)
(executed),

13

Melissa (1/3)

-,
newsgroups Internet, 1999.
: W97M/Melissa.o,
W97M/Melissa.gen@MM,
W97M/Melissa.bp@MM.
:
(Microsoft Word).
e-mail,
Outlook.
14

Melissa (2/3)

Visual Basic
Scripting, Outlook
.
50
address book outlook
Important
message from application.username,
application.username
.

15

Melissa (3/3)

:
:

16

ILoveYou (1/4)

-
, 2000.
: VBS/Loveletter.*,
*=b,c,d,af,ag,ah,ae,ai,be, LoveBug, Very Funny,
Love Letter, Mothers Day.
:
Visual Basic Scripting.
e-mail VBS
, ILOVEYOU
address book,
.

17

ILoveYou (2/4)

Windows 9x/NT

scripts.
.



.

18

ILoveYou (3/4)

.vbs, .vbe, .js, .jse, .css,


.wsh, .sct, .hta, .jpg, .jpeg, .mp3, .mp2,

.


SYSTEM.

19

ILoveYou (4/4)

:
WIN-BUGSFIX.EXE .

mailme@super.net.ph
:
WIN-BUGSFIX.EXE

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX register,

.
20

(1/3)


,

,

21

(2/3)

(worms)

,

22

(3/3)



.
.

(Hoax)

23

Internet worm (1/4)


UNIX
hosts
host
system tables hosts
host



24

Internet worm (2/4)

host


built-in passwords

debug
option sendmail

25

Internet worm (3/4)

,

command interpreter,
bootstrap,

,
.

26

Internet worm (4/4)

bootstrap,
parent program,
(
),
,
.

27

(1/4)

13/07/2001: Code Red (http://en.wikipedia.org/wiki/Code_Red_(computer_worm))
04/08/2001: Code Red II (http://en.wikipedia.org/wiki/Code_Red_II)
18/9/2001: Nimda (http://en.wikipedia.org/wiki/Nimda)

28

(2/4)

25/01/2003: Slammer (http://en.wikipedia.org/wiki/SQL_Slammer)
11/08/2003: Blaster (http://en.wikipedia.org/wiki/Blaster_(computer_worm))
18/08/2003: Welchia (http://en.wikipedia.org/wiki/Welchia)

29

(3/4)

19/03/2004: Witty worm (http://en.wikipedia.org/wiki/Witty_(computer_worm))
20/04/2004: Sasser (http://en.wikipedia.org/wiki/Sasser_(computer_worm))
13/08/2005: Zotob (http://en.wikipedia.org/wiki/Zotob)
30

(4/4)

17/01/2007: Storm (http://en.wikipedia.org/wiki/Storm_Worm)
2010: Stuxnet (http://en.wikipedia.org/wiki/Stuxnet)

31





Payload

32

(1/2)

Scanning

(CodeRed, Sasser, Slammer, Witty)


(CodeRed II)
subnet scanning (Blaster)
Hit-list (Witty (?))
(Slapper, Welchia)

33

(2/2)

E-mail address harvesting


Address books, files, web crawling, monitoring
SMTP activity

Network share enumeration/topology


Network neighborhood, /etc/hosts, known_hosts


P2P shared folders, Google

34



(CodeRed, Slammer, Witty)
(Blaster)
TFTP, FTP, HTTP

35

Reboot, user login,

36

Payload
/
(traffic/machine load)

DDoS
Remote control
Backdoors, botnets

Spam relay
/

37

Botnets (1/3)

38

Botnets (2/3)

>1 . Zombies
70%-80% spam zombies
Honeynet project: 226.585
IP logging IRC botnet
C&C
13 zombies
DDoS 1 (1,544 Mbit),
128 Kbit
39

Botnets (3/3)

spam
DDoS

malware
IRC
online
adware
Phishing web servers

40



:

.
:

.
:

.

41


(.. )



42


:

,


43



( )


:
(
),
,


44

(1/5)



(
)

45

(2/5)


(Mandatory Access Control, MAC)
(Protection Domains)







46

(3/5)





:
:


:
,

:
(sandboxing)
47

(4/5)





.
,
.


.
48

(5/5)



,
/



. ,

49


(1/5)




,

50


(2/5)





(least privilege)



( :
)
51


(3/5)


,


,
(Demilitarised Zone)





52


(4/5)








53


(5/5)









54




, (
)

55

:

(Order of Play)
:
()
:
()

(Time of Play)
:

,
:

56

(1/2)


:
( )



,

,
.
(.. )

57

(2/2)


(..
)

58

59
