
SWE322: Software Security

Module: Malware
What is malware?
Malware is software that can damage or disable your system and give the malware creator limited or full control of it for the purpose of threat or fraud.
There can be many types of malware. Some of them are:
1. Trojan horse
2. Backdoor
3. Rootkit
4. Ransomware
5. Adware
6. Trapdoor
7. Virus
8. Worm
9. Spyware
10. Botnet
11. Crypter
12. Logic bomb
Trojan percentage
Taxonomy of Malicious Programs
Ways malware can get into a system
1. Instant messenger applications
2. IRC (Internet Relay Chat)
3. Removable drives
4. Attachments
5. Legitimate shrink-wrapped software packaged by a disgruntled employee
6. Browser and email software bugs
7. Fake programs or applications
8. Untrusted sites and freeware software
9. NetBIOS (file sharing)
10. Downloading files, games, screensavers and images from the internet
Ref : CEHv9
Common techniques attackers use to spread malware on the web
Ref : CEHv9
How a Trojan executes on a system
1. Create the Trojan.
2. Create a dropper, the part of the trojanized package that installs the malicious code on the system.
3. Wrap the Trojan.
4. Spread the Trojan.
5. Execute the dropper.
6. Execute the damage routine.
How a Trojan executes on a system (cont.)
How anti-virus techniques can be evaded
Ref : CEHv9
How can a Trojan be detected?
Ref : CEHv9
How does malware auto-start?
1. Folder auto-start
2. Win.ini : run=[backdoor] or load=[backdoor]
3. System.ini : shell=”myexplorer.exe”
4. Autoexec.bat
5. Config.sys
6. Init.d
7. Assign a known extension (.doc) to the malware
8. Add a Registry key such as HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
9. Add a task in the task scheduler
10. Run as a service
Ref : Unknown
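An added example (not from the slides or any referenced material) of how a defender can audit the legacy autostart locations listed above: it parses constructed win.ini, system.ini and a .reg export of the HKCU Run key and reports entries that deserve a closer look. The sample contents, the expected shell name and the "trusted install roots" heuristic are assumptions for illustration.

```python
# Constructed samples of the autostart locations listed above; they are not
# files taken from any real system, and every path is an illustrative value.
WIN_INI = """[windows]
load=
run=C:\\Users\\Public\\updater.exe
"""
SYSTEM_INI = """[boot]
shell=myexplorer.exe
"""
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_KEY_REG = r"""[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"
"svchost"="C:\\Users\\Public\\svchost.exe"
"""
EXPECTED_SHELL = "explorer.exe"                      # the normal Windows shell
TRUSTED_DIRS = ("c:\\program files", "c:\\windows")  # assumed install roots

def sections(text):
    """Map section name -> [(key, value)] for INI text or a .reg export."""
    out, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].lower()
            out.setdefault(cur, [])
        elif cur is not None and "=" in line:
            k, v = (p.strip().strip('"') for p in line.split("=", 1))
            out[cur].append((k, v.replace("\\\\", "\\")))  # undo .reg escaping
    return out

def audit_autostart(win_ini, system_ini, run_reg):
    """Return the autostart entries a defender should review by hand."""
    findings = []
    for k, v in sections(win_ini).get("windows", []):
        if k.lower() in ("run", "load") and v:        # anything here runs at logon
            findings.append(f"win.ini {k}={v}")
    for k, v in sections(system_ini).get("boot", []):
        if k.lower() == "shell" and v.lower() != EXPECTED_SHELL:
            findings.append(f"system.ini shell={v}")  # shell has been replaced
    for k, v in sections(run_reg).get(RUN_KEY.lower(), []):
        if not v.lower().startswith(TRUSTED_DIRS):    # runs from an odd location
            findings.append(f"Run\\{k}={v}")
    return findings

if __name__ == "__main__":
    for finding in audit_autostart(WIN_INI, SYSTEM_INI, RUN_KEY_REG):
        print("review:", finding)
```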
Share : Malware entering through a shared folder
• How can files be shared?
1. User to user on the same PC.
2. PC to PC on the same LAN.
3. Device to device over a wireless LAN.

[Diagram: a packet placed in a Homegroup shared folder is requested and sent between PCs connected by LAN]
Prevention : Malware entering through a shared folder (cont.)
• How to prevent it?
1. Don’t connect to untrusted networks.
2. Always scan the Homegroup folder.
3. Turn off file sharing and network discovery.
4. Scan shared files before downloading them.
Counter measure : Malware entering through a shared folder (cont.)
Ref : CEHv7
Email propagation and spoofing
• How is a victim infected?
1. Email appearing to come from an important person.
2. Malware behind a link.
3. Email from a well-known person.
4. Mail offering tempting deals.
[Diagram: a message "Hi. I am bob" delivered to alice@gmail.com, appearing to come from bob@gmail.com]
Email propagation and spoofing (cont.)
• How to prevent it?
1. Use DomainKeys Identified Mail (DKIM).
2. Don’t click on spam or junk email.
3. Use the browser’s private browsing option.
4. Use a NoScript-type add-on if you visit a link from a spam email.
5. Enable the spam filter.
6. Don’t click on mail from untrusted sources.
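An added example (not from the slides) of why DKIM helps against the spoofed "Hi. I am bob" message: a receiving-side check that a DKIM pass recorded by our own mail server is aligned with the From domain, so a message signed by an unrelated domain, an unsigned one, or one carrying a forged Authentication-Results header is not treated as genuine. The headers, the authserv-id mx.example.net and the two-label approximation of the organizational domain are assumptions.

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed headers for the slide's scenario (not real mail): every message
# claims to be from bob@gmail.com; only the DKIM verdict and signer differ.
HEADERS = "From: Bob <bob@gmail.com>\nTo: alice@gmail.com\nSubject: Hi. I am bob\n"
SPOOFED = HEADERS + "Authentication-Results: mx.example.net; dkim=pass header.d=bulk-mailer.example\n"
LEGIT = HEADERS + "Authentication-Results: mx.example.net; dkim=pass header.d=gmail.com\n"
UNSIGNED = HEADERS + "Authentication-Results: mx.example.net; dkim=none\n"
FORGED_AR = HEADERS + "Authentication-Results: attacker.example; dkim=pass header.d=gmail.com\n"
OUR_AUTHSERV = "mx.example.net"   # assumed: only our own MTA's verdict is trusted

def org_domain(host):
    """Approximate the DMARC organizational domain by the last two labels."""
    return ".".join(host.lower().rsplit(".", 2)[-2:])

def dkim_alignment(raw):
    """Classify a message by whether a trusted DKIM pass aligns with its From."""
    hdr = HeaderParser().parsestr(raw, headersonly=True)
    from_dom = parseaddr(hdr.get("From", ""))[1].rpartition("@")[2].lower()
    if not from_dom:
        return "reject", "no usable From address"
    verdicts = []
    for ar in hdr.get_all("Authentication-Results", []):
        authserv, _, results = ar.partition(";")
        if authserv.strip().lower() != OUR_AUTHSERV:
            continue   # added outside our MTA, so it may be forged: ignore it
        m = re.search(r"dkim=(\w+)(?:.*?header\.d=([\w.-]+))?", results)
        if m:
            verdicts.append((m.group(1).lower(), (m.group(2) or "").lower()))
    for result, d in verdicts:
        if result == "pass" and org_domain(d) == org_domain(from_dom):
            return "pass", f"signed by {d}, aligned with From domain {from_dom}"
    if any(r == "pass" for r, _ in verdicts):
        return "reject", "DKIM passed, but the signer is not the From domain"
    return "quarantine", "no trusted DKIM pass for this message"

if __name__ == "__main__":
    for name, msg in (("spoofed", SPOOFED), ("legit", LEGIT),
                      ("unsigned", UNSIGNED), ("forged A-R", FORGED_AR)):
        print(name, *dkim_alignment(msg))
```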
Fake page or phishing
• How does phishing happen?
1. Bogus email (a kind of mail spoofing).
2. Counterfeit websites.
3. HTML injection.
4. Counterfeit / fake website.
5. Spotting phishing.
Fake page or phishing (cont.)
• How to prevent phishing?
1. Check the website URL carefully.
2. Use private browsing.
3. Use a NoScript-type add-on.
4. Clear cookies regularly.
5. Don’t click on a pop-up page if it seems untrusted.
Fake page or phishing (cont.)
How does malware come via a P2P connection?
• How does it work?
1. Spreads by peer-to-peer connection.
2. Same routed area: fast connection.
3. Different routed area: slow connection.
4. Downloaded via a magnet link.
5. A file can’t be scanned while it is still downloading.
6. 35.5 % of files have malware.
7. Best example: torrent files.
Picture of Botnet Spread
How does malware come via a P2P connection? (cont.)
• How to prevent it?
1. Use strong anti-virus and a firewall.
2. Use a sandbox.
3. Don’t save downloaded files to the boot drive.
Backdoor or Trapdoor
• What is a backdoor or trapdoor, and how does it work?
1. A secret entry point into a program.
2. Allows unauthorized access to data.
3. Sends data without notifying the administrator.
4. Remains hidden from casual inspection.
5. Can run a new program.
6. Can modify an existing program.
7. Can hard-block OS security.
8. Payloads can enter through open ports.
Backdoor or Trapdoor
• How to prevent backdoors?
1. Port binding by the firewall.
2. Use a strong anti-malware program.
3. Apply OS patches day to day.
4. Protect against abuse of legitimate platforms.
5. Filter open service ports.
6. Don’t use cracked software.
Backdoor or Trapdoor example
Logic bomb !
• Behaviour of a logic bomb
1. Lies dormant until a specific condition is met.
2. Undetected until launched.
3. The code executes when its condition is evaluated and found true (the condition can be anything).
4. Also known as a time bomb.
5. Example: forward information until the anti-virus stops scanning.
[Diagram: anti-virus]
Logic bomb ! (cont.)
• Tracing a logic bomb: hard to trace, but not impossible. Audit:
1. Logon/logoff
2. File deletions
3. Rights changes
4. All accesses of anything by super users
5. Failed logon attempts
6. Unused accounts
7. System reboots
8. Remote accesses, in detail
9. New user additions
Logic bomb (cont.)
• How do you prevent it?
1. Don’t download pirated software.
2. Be careful when installing shareware/freeware applications.
3. Be cautious when opening email attachments.
4. Do not click on suspicious web links.
5. Update your system from time to time.
6. Install the latest OS patches.
7. Back up important files.
Logic bomb (cont.)
There is no real countermeasure for a logic bomb. The only thing a user can do is obtain a signed undertaking from the software vendor, so that if the software causes any problem the user can fine the vendor.
Trojan horse
• What do Trojans do?
1. Create backdoors.
2. Spy.
3. Steal passwords.
4. Turn the computer into a zombie.
5. Send costly messages (on smartphones).
6. Non-replicating.
7. Give remote access to the computer.
8. Overwrite or erase data.
9. Spread other viruses or install a backdoor; in this case the Trojan horse is called a ‘dropper’.
10. Record keystrokes.
Inject : Trojan horse (cont.)
• How can you be infected?
1. Visiting a website with an insecure browser.
2. Even a secure browser accepts a Trojan if Java is enabled.
3. IRC (Internet Relay Chat).
4. Arriving through the SMTP port.
Pentest : Trojan horse (cont.)
Counter measure : Trojan horse (cont.)
Virus
• What is a virus and what are its characteristics?
1. Self-replicating code.
2. No hidden action, but tries to remain undetected.
3. Injects itself into other programs.
4. Transforms itself into innocent-looking data.
5. Alters and erases data.
6. Encrypts itself.
Virus (cont.)
Major types of virus
Virus (cont.)
Virus (cont.)
Stages of a virus’s life
Virus (cont.)
Virus (cont.)
• How does anti-virus work?
Virus (cont.)
• Anti-virus and anti-anti-virus techniques
Why do people create malware and viruses?
Ref : CEHv9
Counter measure : Virus (cont.)
Zombie or BotNet
• Behaviour of a zombie
1. Secretly takes control of another network.
2. Runs under a command.
3. Launches an attack at one time with a single command.
4. Attacks mostly Windows machines.
5. Sends unusual traffic to other networks.
Counter measure : Zombie or BotNet
Worm
• Behaviour of a worm
1. Malicious program that replicates, executes and spreads across the network.
2. Scans for new targets in the network.
3. Automated intrusion techniques.
4. Worms almost always cause network harm.
5. Runs independently, without a host.
6. Infection generates a number of processes.
7. Tries to shut the system down.
8. Worms don’t delete system files, modify existing files, install Trojan horses, etc.
Feature : Worm (cont.)
• Comparison of worm features
1) Computer virus: needs a host file; copies itself; executable.
2) Network worm: no host (self-contained); copies itself; executable.
3) Trojan horse: no host (self-contained); does not copy itself; imposter program.
Typical symptoms of a victim system : worm (cont.)

• File deletion
• File corruption
• Visual effects
• Pop‐Ups
• Computer crashes
• Slow Connection
• Spam Relaying
Operation : worm (cont.)
Counter measure : Worm
Distributed Denial of Service
• Goal: make a service unusable.
• How: overload a server, router or network link by flooding it with useless traffic.
• Focus: bandwidth attacks, using large numbers of “zombies”.
How DDoS works
DDoS Countermeasures
• Three broad lines of defense:
1. Attack prevention & preemption (before)
2. Attack detection & filtering (during)
3. Attack source traceback & identification (after)
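An added example (not from the slides) of the second line of defense, detection and filtering during the attack: a per-source sliding-window rate detector run over a constructed packet log in which one source floods and three behave normally, with traffic from a flagged source dropped from the moment it is flagged. The window length, the threshold and the addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed packet log as (timestamp_ms, source_ip); not captured traffic.
# One source sends 120 packets in 1.8 s; three others send one packet per 0.5 s.
PACKETS = [(10_000 + i * 15, "203.0.113.7") for i in range(120)]
PACKETS += [(10_000 + i * 500, f"198.51.100.{i % 3 + 1}") for i in range(12)]

WINDOW_MS = 1_000   # length of the sliding window
THRESHOLD = 50      # packets per window from one source before it is filtered

def detect_floods(packets, window=WINDOW_MS, threshold=THRESHOLD):
    """Return {source: time_first_flagged} for sources exceeding the rate."""
    recent, flagged = defaultdict(deque), {}
    for ts, src in sorted(packets):
        q = recent[src]
        q.append(ts)
        while q[0] < ts - window:        # forget packets outside the window
            q.popleft()
        if len(q) > threshold and src not in flagged:
            flagged[src] = ts
    return flagged

def filter_packets(packets, flagged):
    """Drop a flagged source's traffic from the moment it was flagged."""
    return [(ts, src) for ts, src in sorted(packets)
            if src not in flagged or ts < flagged[src]]

def summarize(packets):
    """Detection plus filtering, as one in-line defense would apply them."""
    flagged = detect_floods(packets)
    kept = filter_packets(packets, flagged)
    return {"flagged": flagged, "kept": len(kept), "dropped": len(packets) - len(kept)}

if __name__ == "__main__":
    print(summarize(PACKETS))
```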
Ping of death in DDoS
From DoS to DDoS
Any Questions???
