Professional Documents
Culture Documents
CS 426
Lecture 15
Malwares
• Runs independently
– Does not require a host program
• Propagates a fully working version of itself to other
machines
• Carries a payload performing hidden tasks
– Backdoors, spam relays, DDoS agents; …
• Phases
– Probing Exploitation Replication Payload
1 Attacker scans
Internet for
Unsecured Computers
unsecured systems that
Attacker
can be compromised
Internet
2 Attacker secretly
installs zombie agent Unsecured Computersbie
Zombies
Attacker programs, turning
unsecured computers
into zombies
Internet
3 Zombie agents
``phone home’’ Zombies
Attacker and connect to a
master server
Master
Server
Internet
Master
Server
Internet
5 Master Server
sends signal to
Zombies
zombies to launch
Attacker attack on targeted
system
Master
Server
Internet
Targeted
System
CS426 Fall 2010/Lecture 15 System 18
Detailed Steps (6)
6 Targeted system is
overwhelmed by
Zombies
zombie requests,
Attacker denying requests
from normal users
Master
Server
Internet
• Simple rootkits:
– Modify user programs (ls, ps)
– Detectable by tools like Tripwire
• Sophisticated rootkits:
– Modify the kernel itself
– Hard to detect from userland
Evil Program
good good good good
Trojan Trojan Trojan good
login ps ifconfig tripwire
good good good good login ps ifconfig tripwire
program program program program
Trojan
Under-Kernel RootKit
Kernel
Hypervisor
Hardware/
Evil VMM
firmware
• Wikipedia
• Malware
• Computer Virus
• Computer Worm
• Botnet
• Spyware