Malware

(Chart: Types of incidents 2010 (%))
Malicious programs

Operate automatically

Sometimes they need an initial action from the user (social engineering)

Propagation can be fast

Difficult: detection, containment, eradication

History


Since 1970: Creeper virus in ARPANET

“I'M THE CREEPER : CATCH ME IF YOU CAN.”

Very popular in the 80s and 90s (DOS and Windows)

They resumed with renewed strength with the net ($)

Malicious code

A program or part of a program that has the intent to cause damage or “unexpected” events

Can be: executables (compiled), scripts (interpreted), macros (series of commands)

Objectives

Information stealing

Deleting important files of a system

Invasive advertising (adware, spyware, spam)

Types

Virus

Worms

Trojan horses

Logic bombs

Backdoors

Rabbits

Zombies
Virus

Latin vīrus = poison

Programs that modify other programs

Infection process: they add themselves to other programs

Requires execution

“A virus is a piece of code that inserts itself into a host, including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it” (RFC 1135)

Infection process (very simple): a conditional jump “If (x) JMP β” is inserted into the host program, transferring control to the virus code β

Worm

Programs that transport themselves across the network

They propagate as autonomous programs

Very fast propagation

Significant threat: network and autonomy, speed without the intervention of users

Now the dividing line between viruses and worms is blurred: there are many worms with viral components

Logic Bombs

One of the oldest

Code embedded in genuine programs

They get activated by specific conditions: presence/absence of a file, date and time, specific events (keys)

Once activated they usually cause damage: modification/deletion of files

Trojans

They seem to have another function

They are attractive to execute: games, animations, updates

Upon execution they do something else

Give access to an attacker

They are used to propagate viruses, create backdoors, or just cause damage

Zombies




Programs that take possession of a computer

Later the computers are used for an attack on a third party

Typically used in DDoS attacks

They exploit failures and vulnerabilities of systems to get installed

Backdoors

Secret point of access to an OS

It is useful to bypass the security of a system: login/password, physical access, etc.

Used by developers as a convenience

The problem: they forget to take them out...

Sometimes it is intentional

Very hard to block

The most popular... (Wikipedia)

Famous worms
Morris worm

Robert T. Morris Jr., November 1988

Graduate student at Cornell

Ph.D. from Harvard

First serious incident on the Internet

Infected 6,000 sites

Now he is a professor at MIT

Overloaded the machines

Exploited: a Sendmail hole, a buffer overflow in finger

1990: sentenced to 3 years of probation, 440 hours of community service and a fine of $10,050

Led to the creation of CERT

Code Red

First modern worm

250,000 sites in 9 hours

July of 2001

Still active

Many mutations

Attacks IIS

Microsoft had released a patch in the middle of June

$2.5 billion in losses

Nimda

Another worm against IIS

September of 2001

Still active
Sapphire/Slammer

The fastest and most efficient

Infected 90% of the vulnerable machines (more than 75,000) in 10 minutes

The complete worm was 376 bytes

Generated targets as random IP addresses

Against SQL Server

South Korea was down for 12 hours

500,000 servers in the world
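Why a worm that picks random IP addresses can reach most of its victims within minutes, as on the Slammer slide, follows from a simple epidemic model. The block below is an added example, not part of the original slides: it integrates the expected-value logistic equation for a random-scanning worm. The vulnerable-population figure (75,000) comes from the slide; the per-host scan rate (4,000 probes per second) and the 2^32 IPv4 address space are assumed parameters.

```python
"""Added example: expected-value model of a random-scanning worm's spread."""
import math

ADDRESS_SPACE = 2 ** 32  # assumption: targets drawn uniformly from the IPv4 space


def random_scan_spread(vulnerable, scans_per_sec, seed=1, dt=0.1, max_time=3600.0):
    """Return (time, infected) pairs for a worm that picks targets at random.

    Each infected host sends scans_per_sec probes per second to uniformly
    random addresses.  A probe infects only if it hits a still-clean
    vulnerable host, probability (vulnerable - infected) / ADDRESS_SPACE, so
        dI/dt = I * scans_per_sec * (vulnerable - I) / ADDRESS_SPACE,
    integrated here with a fixed time step (deterministic expected values).
    """
    infected, t = float(seed), 0.0
    curve = [(t, infected)]
    while infected < vulnerable and t < max_time:
        new = infected * scans_per_sec * (vulnerable - infected) / ADDRESS_SPACE * dt
        infected = min(float(vulnerable), infected + new)
        t += dt
        curve.append((t, infected))
    return curve


def time_to_fraction(curve, vulnerable, fraction):
    """First time at which the infected count reaches fraction * vulnerable."""
    for t, infected in curve:
        if infected >= fraction * vulnerable:
            return t
    return None


def analytic_time_to_fraction(vulnerable, scans_per_sec, fraction, seed=1):
    """Closed-form solution of the same logistic equation, used as a cross-check."""
    k = scans_per_sec * vulnerable / ADDRESS_SPACE
    return math.log(fraction / (1 - fraction) * (vulnerable - seed) / seed) / k


if __name__ == "__main__":
    # Slide figure: more than 75,000 vulnerable hosts.  4,000 scans/s is an assumed rate.
    N, RATE = 75_000, 4_000
    curve = random_scan_spread(N, RATE)
    for minute in (1, 2, 3, 5, 10):
        t, infected = curve[minute * 60 * 10]  # 10 steps per second at dt = 0.1
        print(f"{minute:2d} min: {infected:9.0f} infected ({100 * infected / N:5.1f}%)")
    print(f"90% reached after {time_to_fraction(curve, N, 0.9):.0f} s "
          f"(closed form: {analytic_time_to_fraction(N, RATE, 0.9):.0f} s)")
```

The model ignores bandwidth saturation, which is why it predicts an even shorter time than the ten minutes observed; either way the spread completes well inside any human response time, so containment must be automated.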