Source file: cja/HNS12/lectures/netsec-05-slides.pdf
Hands-On Network Security: Practical Tools & Methods
Security Training Course
Dr. Charles J. Antonelli The University of Michigan
2012
Hands-On Network Security
Module 5: Viruses & Worms, Botnets, Today’s Threats
Viruses & Worms
Viruses
• Program that copies itself to other programs
  – In the same directory
  – In a fixed directory
• Virus spreads by the copying of files
  – By users, typically
• When program invoked
  – Virus executes first
  – Copies itself to other programs
  – Optionally, performs some malicious action
  – Then executes host program
• Example: W97M.Marker
4 04/12 cja 2012
Worms
• Viruses that use the network to replicate
• No dependence on copying files
• Worm generates its own targets
  – Via self-stored data
  – Via host-stored data
  – Randomly
  – Combinations thereof
• Example: Blaster
Types of Viruses
• Boot sector
• Executable infector
• Multipartite
• TSR (terminate-and-stay-resident)
• Stealth
• Encrypted
• Polymorphic
• Metamorphic
Macro Viruses
• Virus instructions are interpreted
  – Platform independent
• Infect common applications
  – Microsoft Excel, …
• Easily spread
• Easily defeated
  – Prohibit automatic execution of code
Virus distribution
• Sophos study (2002)
  – 26.1% macro viruses
  – 26.1% Trojan horses
  – 19.2% executable viruses
  – 6.8% script viruses
  – 21.8% other (Unix, boot sector, worms, file, Macintosh, multipartite)
Malicious code types, 2010 (chart)
Source: Symantec Global Internet Security Threat Report, Vol. XVI, April 2011
Antiviral approaches
• Detection
  – Scan for virus code “signatures”
  – More difficult for encrypting viruses
    » Polymorphic: decrypt using an emulator, or analyze the encrypted virus body statistically
    » Metamorphic: harder
• Identification
  – Vendor databases
• Removal
  – Quarantine: render harmless by encryption or compression; copy to quarantine area
  – Delete
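An added illustration (not from the course slides) of the detection points above: a verbatim signature scan fails once the body is XOR-encrypted, an “X-ray” brute-force of the one-byte key plays the role of the emulator, and a byte-frequency profile finds the body statistically without the key. All byte strings are constructed stand-ins, not real code.

```python
from collections import Counter

# Constructed stand-ins (not real malware): a "virus body", a signature
# taken from it, and the host program it gets appended to.
BODY = b"copy self to *.COM ; run host program ; end"
SIGNATURE = b"copy self to *.COM"
HOST = b"MZ host program bytes ........ "


def xor_bytes(data: bytes, key: int) -> bytes:
    """One-byte XOR: the simplest 'encrypting virus' transform. The code is
    unchanged in meaning, but its plaintext signature no longer appears."""
    return bytes(b ^ key for b in data)


def signature_scan(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Classic signature scan: verbatim byte-sequence match."""
    return signature in data


def xray_scan(data: bytes, signature: bytes = SIGNATURE):
    """'X-ray' the file: undo every possible one-byte key and rescan.
    A cheap stand-in for emulating the decryptor. Returns the key that
    exposes the signature, or None."""
    for key in range(256):
        if signature in xor_bytes(data, key):
            return key
    return None


def frequency_profile(data: bytes) -> tuple:
    """Sorted byte-frequency multiset. A one-byte XOR permutes byte values
    but leaves this profile unchanged, so it fingerprints the encrypted
    body statistically without knowing the key."""
    return tuple(sorted(Counter(data).values(), reverse=True))


def profile_scan(data: bytes, body: bytes = BODY) -> bool:
    """Slide a body-sized window over the file and compare profiles.
    Heuristic: unrelated data can collide, so treat a hit as a lead."""
    target = frequency_profile(body)
    n = len(body)
    return any(frequency_profile(data[i:i + n]) == target
               for i in range(len(data) - n + 1))


# Constructed infected files: plain body vs. XOR-encrypted body after host.
PLAIN_FILE = HOST + BODY
ENCRYPTED_FILE = HOST + xor_bytes(BODY, 0x5A)
```

Polymorphic bodies change the decryptor and key per copy, which is exactly why the signature has to be sought after decryption or in a key-independent statistic.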
Anti-virus
• Detection and removal tools
  – Microsoft Security Essentials http://www.microsoft.com/security_essentials/
  – McAfee VirusScan http://www.mcafee.com
U-M Anti-virus
• http://safecomputing.umich.edu/antivirus/
• Free Microsoft Security Essentials for personally-owned Windows machines
• Microsoft Forefront Endpoint Protection for university-owned Windows machines
  – 32- and 64-bit versions
• Free Sophos Anti-Virus for Mac OS X machines
  – All versions of OS X up to and including 10.7 (Lion)
• Good, concise security recommendations
  – http://www.safecomputing.umich.edu/tools/security_shorts.html
  – http://www.safecomputing.umich.edu/MDS/
  – http://www.safecomputing.umich.edu/students.php
• More information: http://www.safecomputing.umich.edu/
Spyware
• Generic name for software that tracks users’ behavior
• Wide range of activities
  – Keystroke loggers
  – Tracking cookies
  – File inspectors
  – Location awareness
  – Remote video & audio recording
• Store-and-forward
  – As hard to detect remotely as botnets are
Spyware
• Detection and removal tools
  – Windows Defender (née Microsoft AntiSpyware) http://www.microsoft.com/athome/security/spyware/software/default.mspx
  – Lavasoft Ad-Aware http://www.lavasoftusa.net/
  – Spybot Search & Destroy http://www.safer-networking.org/
Botnets
Botnets
• Malware installed on victim machines listens for transmitted instructions
  – Attack other machines
  – Transmit spam
  – Participate in DDoS attacks
  – Crack passwords
  – …
• Installed via well-known vectors
• Communicate with command and control host(s) via anonymous message services
  – Typically IRC
  – Typically encrypted
  – Typically silent, so hard to find
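An added example (not course material) of the “silent, so hard to find” point: the content of an encrypted C&C channel is opaque, but its timing is not, so this detector runs over a constructed connection log and flags a host whose check-ins to one server on the IRC port recur at a fixed interval. Hosts, addresses, ports and times are made up.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed connection log (not from the course): "time src dst dport".
# 10.0.0.5 checks in with the same server on the IRC port every 300 s, a
# quiet timer-driven C&C heartbeat; 10.0.0.8 is irregular user browsing.
LOG = """\
2012-04-12T09:00:00 10.0.0.5 198.51.100.7 6667
2012-04-12T09:00:13 10.0.0.8 203.0.113.20 80
2012-04-12T09:05:00 10.0.0.5 198.51.100.7 6667
2012-04-12T09:10:00 10.0.0.5 198.51.100.7 6667
2012-04-12T09:11:02 10.0.0.8 203.0.113.20 80
2012-04-12T09:15:00 10.0.0.5 198.51.100.7 6667
2012-04-12T09:20:00 10.0.0.5 198.51.100.7 6667
2012-04-12T09:21:04 10.0.0.8 203.0.113.20 80
2012-04-12T09:23:50 10.0.0.8 203.0.113.20 80
"""


def parse(log: str) -> dict:
    """Group connection timestamps (epoch seconds) by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(
            datetime.fromisoformat(ts).timestamp())
    return flows


def beacon_score(times: list):
    """Coefficient of variation of the gaps between connections: near 0
    means a fixed period. None when there are too few gaps to judge."""
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean > 0 else None


def find_beacons(log: str, min_connections: int = 4, max_cv: float = 0.1):
    """Return the (src, dst, dport) tuples whose check-ins look periodic."""
    hits = []
    for key, times in parse(log).items():
        if len(times) < min_connections:
            continue
        cv = beacon_score(times)
        if cv is not None and cv <= max_cv:
            hits.append(key)
    return hits
```

Legitimate pollers (NTP, software-update checks) beacon too, so the output is a triage list to enrich with destination reputation, not a verdict.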
Botnets
• Emerging as one of the major threats
  – Large increase in 4Q2006 spam traffic: 30-450% increase
  – Very large botnets: 1.5 × 10^6 bots in Dutch botnet (2005)
  – Very old botnets: 2 × 10^6 bots in CoreFlood (2011)
    » Operating for 8+ years
Botnets
• One of the major threats
  – Large increase in 4Q2006 spam traffic: 30-450% increase
  – Very large botnets
    » 1.5 × 10^6 bots in Dutch botnet (2005)
    » 5 × 10^6 bots in Conficker (2009): encrypted & authenticated; some recent progress in detection
  – Very old botnets
    » 2 × 10^6 bots in CoreFlood (2011), operating for 8+ years
Microsoft Security Intelligence Report 1H2011 (chart)
http://www.microsoft.com/security/sir/default.aspx
Today’s Threats
• Targeted attacks continue to evolve
  – Hydraq, Stuxnet
• Social networking
  – Target research -> effective social engineering attacks
• 0day vulnerabilities + rootkits
  – Get inside an organization & stay hidden
• Boosted attack kits
  – Innovations from targeted attacks -> toolkits -> massive attacks
• Mobile threats
  – Attacks moving to mobile devices
Source: Symantec Internet Security Threat Report, Vol. XVI, April 2011
Today’s Threats (chart slides 22 to 25; the last shows spam from botnets as a percentage of total email)
Source: Symantec Internet Security Threat Report, Vol. XVI, April 2011
References
• http://en.wikipedia.org/wiki/Timeline_of_notable_computer_viruses_and_worms
• Symantec Internet Security Threat Report, Volume XVI, April 2011