Week 3 Computer Security(Malware and Intrusion detection Malware)

Virus

-A virus is a program that can replicate itself and pass on malicious code to other nonmalicious programs by modifying them. -It infects other healthy subjects by attaching itself to the program and either destroying the program or coexisting with it. -The infection usually spreads at a geometric rate, eventually overtaking an entire computing system and spreading to other connected systems.

Polymorphic Viruses

-A virus that can change its appearance is called a polymorphic virus A two-form polymorphic virus can be handled easily as two independent viruses. Therefore, the virus writer intent on preventing detection of the virus will want either a large or an unlimited number of forms so that the number of possible forms is too large for a virus scanner to search for

Other Homes for Viruses

-Although such a file is not executable as a program itself, it can cause activity in the program that handles it. Such a file is called interpretive data, and the handler program is also called an interpreter. -One popular home for a virus is an application program. virus writer can create a virus macro that adds itself to the startup directives for the application -Code libraries are also excellent places for malicious code to reside. Because libraries are used by many programs, the code in them will have a broad effect.

Memory-Resident Viruses

-For frequently used parts of the operating system and for a few specialized user programs, it would take too long to reload the program each time it is needed. Instead, such code remains in memory and is called "resident" code. -Virus writers also like to attach viruses to resident code because the resident code is activated many times while the machine is running. Each time the resident code runs, the virus does too.

Boot Sector Viruses

-In such attackers, the easy way to become permanent is to force the harmful code to be reloaded each time the system is restarted. -Malicious code can intrude in this bootstrap sequence in several ways. An assault can revise or add to the list of modules to be loaded, or substitute an infected module for a good one by changing the address of the module to be loaded or by substituting a modified routine of the same name -The boot sector is an especially appealing place to house a virus. The virus gains control early in the boot process, before most detection tools are active, so that it can avoid, or at least complicate, detection.

History of Malicious Code

-Malicious code dates certainly to the 1970s, and likely earlier. Its growth has been explosive, but it is certainly not a recent phenomenon -Through the 1980s and early 1990s, malicious code was communicated largely person to-person by means of infected media (such as removable disks) or documents (such as macros attached to documents and spreadsheets) transmitted through email -During the late 1990s, as the Internet exploded in popularity, so too did its use for communicating malicious code. Network transmission became widespread

Harm from Malicious Code malicious code into three categories

-Nondestructive. Examples of behavior are sending a funny message or flashing an image on the screen, often simply to show the author's capability. This category would also include virus hoaxes, -Destructive. This type of code corrupts files, deletes files, damages software, or executes commands to cause hardware stress or breakage with no apparent motive other than to harm the recipient -Commercial or criminal intent. An infection of this type tries to take over the recipient's computer, installing code to allow a remote agent to cause the computer to perform actions on the agent's signal or to forward sensitive data to the agent

IDS Limitation

-On the downside, avoiding an IDS is a high priority for successful attackers. An IDS that is not well defended is useless. -Knowing how to evade a particular model of IDS is an important piece of intelligence passed within the attacker community -Another IDS limitation is its sensitivity, which is difficult to measure and adjust. IDSs will never be perfect, so finding the proper balance is critical -An IDS does not run itself; someone has to monitor its track record and respond to its alarms. An administrator is foolish to buy and install an IDS and then ignore it.

Capacity Planning

-One benign cause of denial of service is insufficient capacity: too much data for too little capability -A network or component running at or near capacity has little margin for error, meaning that a slight but normal surge in traffic can put the network over the top and cause significant degradation in service. -Websites are especially vulnerable to unexpected capacity problems

Shunning

-Real-time monitoring that detects an attack determines the addresses from which the attack is coming and acts quickly to block those addresses shunning, essentially filters out all traffic from implicated addresses -Shunning has a downside, however. If an attacker can detect that a site implements shunning, the attacker can send attack traffic spoofed to appear to be from a legitimate source.

Disadvantage of Signature-Based Intrusion Detection

-The problem with signature-based detection is the signatures themselves. An attacker will try to modify a basic attack in such a way that it will not match the known signature of that attack. -each of these variations could be detected by an IDS, but more signatures require additional work for the IDS, thereby reducing performance. -signature-based IDS cannot detect a new attack for which no signature has yet been installed in the database. Every attack type starts as a new pattern at some time, and the IDS is helpless to warn of its existence

Alarm

-The simplest and safest action for an IDS is simply to generate an alarm to an administrator who will then determine the next steps. -humans can remember past situations and sometimes recognize connections or similarities that an IDS may not detect. -If multiple sensors generate alarms at the same time, the human can become overloaded and miss new alarms

Security Information and Event Management (SIEM)

-Too much information can overwhelm a human network administrator, especially someone whose security skills are limited. -SIEMs are software systems that collect security-relevant data from a variety of hardware and software products in order to create a unified security dashboard -SIEMs allow analysts to organize data in countless interesting ways. -SIEMs allow users to create and share searches set to run at regular intervals and generate responses based on the results. -One common feature among SIEMs is to allow analysts to "claim" events for investigation, giving SOC teams a straightforward way to divide workload.

Indirect Harm to User

-company's public image can be harmed if the company's web site is hijacked to spread malicious code. -harm as the user tries to clean up a system after infection.

four aspects of malicious code infection

-harm:how they affect users and systems -transmission and propagation:how they are transmitted and replicate, and how they cause further transmission -activation:how they gain control and install themselves so that they can reactivate -stealth:how they hide to avoid detection

Load balancing

-no single computer has the capacity to support all the traffic these sites receive at once. Instead, these places rely on many computers to handle the volume. -A load balancer is an appliance that redirects traffic to different servers while working to ensure that all servers have roughly equivalent workloads

Network Tuning

-two clients on one segment are responsible for a large proportion of the traffic, it may be better to place them on separate segments to even the traffic load. -Network tuning depends on solid data obtained by monitoring network traffic over time. In a real attack, network administrators can adjust bandwidth allocation to segments, and they can monitor incoming traffic, selectively dropping packets that seem to be malicious. -Rate limiting is a countermeasure that reduces the impact of an attack. With rate limiting, the volume of traffic allowed to a particular address is reduced

Trojan horse

A Trojan horse is malicious code that, in addition to its primary effect, has a second, nonobvious, malicious effect.

Counterattack

A final action that can be taken on a detection of an attack is to mount an offense, to strike back. Legality can shift. Measured, necessary action to protect one's resources is a well-established legal principle. Taking offensive action opens one to legal jeopardy, comparable to that of the attacker.

Attached File

A more common means of virus activation is in a file attached to an email message or embedded in a file. In this attack, the virus writer tries to convince the victim (the recipient of the message or file) to open the object. Once the viral object is opened (and thereby executed), the activated virus can do its wor

network-based IDS

A network-based IDS is a stand-alone device attached to the network to monitor traffic throughout that network

network-based IDS or NIDS

A network-based IDS or NIDS is generally a separate network appliance that monitors traffic on an entire network. It receives data from firewalls, operating systems of the connected computers, other sensors such as traffic volume monitors and load balancers, and administrator actions on the network. The goal of a NIDS is to protect the entire network or some set of specific sensitive resources

Appended Viruses

A program virus attaches itself to a program; then, whenever the program is run, the virus is activated. This kind of attachment is usually easy to design and implement. The virus writer need not know anything about the program to which the virus will attach, and often the attached program simply serves as a carrier for the virus

resident virus

A resident virus locates itself in memory; it can then remain active or be activated as a stand-alone program, even after its attached program ends.

Integrated Viruses

A third situation occurs when the virus replaces some of its target, integrating itself into the original code of the target. Such a situation is shown in Figure 3-21. Clearly, the virus writer has to know the exact structure of the original program to know where to insert which pieces of the virus.

transient virus

A transient virus has a life span that depends on the life of its host; the virus runs when the program to which it is attached executes, and it terminates when the attached program ends.

Transmission Patterns

A virus is effective only if it has some means of transmission from one location to another. As we have already seen, viruses can travel during the boot process by attaching to an executable file or traveling within data files. The travel itself occurs during execution of an already infected program -Since a virus can execute any instructions a program can, virus travel is not confined to any single medium or execution pattern.

Document Viruses

A virus type that used to be quite popular is what we call the document virus, which is implemented within a formatted document, such as a written document, a database, a slide presentation, a picture, or a spreadsheet. virus writer simply includes the virus in the commands part of the document, as in the integrated program virus.

Sinkholing

Alternatively, the administrator may redirect traffic to a valid address where the incoming traffic can be analyzed; this process is called sinkholing

Viruses That Surround a Program

An alternative to the attachment is a virus that runs the original program but has control before and after its execution. For example, a virus writer might want to prevent the virus from being detected. If the virus is stored on disk, its presence will be given away by its file name, or its size will affect the amount of space used on the disk. The virus writer might arrange for the virus to attach itself to the program that constructs the listing of files on the disk. If the virus regains control after the listing program has generated the listing but before the listing is displayed or printed, the virus could eliminate its entry from the listing and falsify space counts so that it appears not to exist.

Internal IDSs

An internal device monitors activity within the network. An internal IDS is also more well protected from outside attack. Furthermore, an internal IDS can learn typical behavior of internal machines and users

Heuristic Intrusion Detection Disadvantages

As with pattern-matching, heuristic intrusion detection is limited by the amount of information the system has seen (to classify actions into the right category) and how well the current actions fit into one of these categories.

Adaptive Behavior IDS

Because of these limitations of humans, an IDS can sometimes be configured to take action to block the attack or reduce its impact. • Continue to monitor the network. • Block the attack by redirecting attack traffic to a monitoring host, discarding the traffic, or terminating the session. • Reconfigure the network by bringing other hosts online (to increase capacity) or adjusting load balancers. • Adjust performance to slow the attack, for example, by dropping some of the incoming traffic. • Deny access to particular network hosts or services. • Shut down part of the network. • Shut down the entire network

Damage Estimates

Estimating the cost of an incident is hard. That does not mean the cost is zero or insignificant, just hard to determine. The first step is to enumerate the losses. Some will be tangibles, such as damaged equipment. Other losses include lost or damaged data that must be re-created or repaired, and degradation of service in which it takes an employee twice as long to perform a task. -Knowing the losses and their approximate cost, you can compute the total cost of an incident.

Harm to Users

Examples • Hiding the cursor. • Displaying text or an image on the screen. • Opening a browser window• Sending email to some or all entries in the user's contacts or alias list. • Opening text documents • Deleting all files. The Jerusalem virus did this every Friday that was a 13th day of the month. • Modifying system program files. Many strains of malware do this to ensure subsequent reactivation and avoid detection. • Modifying system information, such as the Windows registry (the table of all critical system information). • Stealing and forwarding sensitive information such as passwords and login details.

Harm to the World

Except for specifically targeted attacks, malware writers usually want their code to infect many people, and they employ techniques that enable the infection to spread at a geometric rate.

Replacements Viruses

Finally, the malicious code can replace an entire target, either mimicking the effect of the target or ignoring its expected effect and performing only the virus effect. In this case, the user may perceive the loss of the original program.

Malware Toolkits

First, there is a thriving underground of web sites for hackers to exchange techniques and knowledge. (As with any web site, the reader has to assess the quality of the content.) Second, attackers can often experiment in their own laboratories (homes) before launching public strikes. Malware toolkits let novice attackers probe for many vulnerabilities at the press of a button

Stealth Mode

IDSs run in stealth mode, whereby an IDS has two network interfaces: one for the network (or network segment) it is monitoring and the other to generate alerts and perhaps perform other administrative needs. The IDS uses the monitored interface as input only; it never sends packets out through that interface. Often, the interface is configured so that the device has no published address through the monitored interface; If the IDS needs to generate an alert, it uses only the alarm interface on a completely separate control network.

Goals for Intrusion Detection Systems

Ideally, an IDS should be fast, simple, and accurate, while at the same time being complete. It should detect all attacks with negligible performance penalty.

Intrusion Response

In taking action, especially if a tool causes the action automatically, a network administrator has to weigh the consequences of action against the possibility that there is no attack

Accurate Situation Assessment

Intrusion detection systems are not perfect, and mistakes are their biggest problem. Although an IDS might detect an intruder correctly most of the time, it may stumble in two different ways: by raising an alarm for something that is not really an attack (called a false positive, or type I error in the statistical community) or not raising an alarm for a real attack (a false negative, or type II error)

One-Time Execution (Implanting)

Malicious code often executes a one-time process to transmit or receive and install the infection. Sometimes the user clicks to download a file, other times the user opens an attachment, and other times the malicious code is downloaded silently as a web page is displayed. In any event, this first step to acquire and install the code must be quick and not obvious to the user.

IDS Advantages

On the upside, IDSs detect an ever-growing number of serious problems. And as we learn more about problems, we can add their signatures to the IDS model.

Setup and Installer Program Transmission

Recall the SETUP program that you run to load and install a new program on your computer. It may call dozens or hundreds of other programs, some on the distribution medium, some already residing on the computer, some in memory. If any one of these programs contains a virus, the virus code could be activated. Human intervention is necessary to start the process; a human being puts the virus on the distribution medium, and perhaps another person initiates the execution of the program to which the virus is attached

Execution Stealth

Similarly, remaining unnoticed during execution is not too difficult. Modern operating systems often support dozens of concurrent processes, many of which have unrecognizable names and functions. Thus, even if a user does notice a program with an unrecognized name, the user is more likely to accept it as a system program than malware.

Propagation

Since a virus can be rather small, its code can be "hidden" inside other larger and more complicated programs. Two hundred lines of a virus could be separated into one hundred packets of two lines of code and a jump each; these one hundred packets could be easily hidden inside a compiler, a database manager, a file manager, or some other large utility.

Vulnerability Scanners

System vulnerability scanners, such as ISS Scanner or Nessus [AND03], can be run against a network. They check for known vulnerabilities and report flaws found.

Blacklisting

The administrator can blacklist the target address, meaning that no traffic goes to that address, from legitimate or malicious sources alike

IDS Response To Alarm

The alarm can range from something modest, such as writing a note in an audit log, to something significant, such as paging the system security administrator. • Monitor, collect data, perhaps increase amount of data collected. • Protect, act to reduce exposure. • Signal an alert to other protection components. • Call a human.

Difference between virus and worm

The primary difference between a worm and a virus is that a worm operates through networks, and a virus can spread through any medium (but usually uses a copied program or data files). Additionally, the worm spreads copies of itself as a stand-alone program, whereas the virus spreads copies of itself as a program that attaches to or embeds in other programs. -worms that travel and collect data do not have to be evil -A bot (short for robot), is a kind of worm Their purpose is to scan accessible web content continuously and report back to their controller any new content they have found

Code Modification Checkers

To detect unacceptable code modification, programs can compare the active version of software code with a saved version of a digest of that code.

How Malicious Code Gains Control

To gain control of processing, malicious code such as a virus (V) has to be invoked instead of the target (T). Essentially, the virus either has to seem to be T, saying effectively "I am T," or the virus has to push T out of the way and become a substitute for T, saying effectively "Call me instead of T."

Difference between worm,trojan, and virus

To remember the differences among these three types of malware, understand that a Trojan horse is on the surface a useful program with extra, undocumented (malicious) features. It does not necessarily try to propagate. By contrast, a virus is a malicious program that attempts to spread to other computers, as well as perhaps performing unpleasant action on its current host. The virus does not necessarily spread by using a network's properties; it can be spread instead by traveling on a document transferred by a portable device (that memory stick you just inserted in your laptop!) or triggered to spread to other, similar file types when a file is opened. However, a worm requires a network for its attempts to spread itself elsewhere

Worm

Worm: program that spreads copies of itself through a network

Heuristic intrusion detection systems,

also known as anomaly based, build a model of acceptable behavior and flag exceptions to that model; for the future, the administrator can mark a flagged behavior as acceptable so that the heuristic IDS will now treat that previously unclassified behavior as acceptable.

Malicious code

comes in many forms under many names. In this chapter we explore three of the most popular forms: viruses, Trojan horses, and worms. Malicious code can be directed at a specific user or class of users, or it can be for anyone -Malicious intent distinguishes this type of code from unintentional errors, even though both kinds can certainly have similar and serious negative effects.

Front End IDSs

front-end device monitors traffic as it enters the network and thus can inspect all packets; it can take as much time as needed to analyze them, and if it finds something that it classifies as harmful, it can block the packet before the packet enters the network.

host-based IDS

host-based IDS runs on a single workstation or client or host, to protect that one host.

Intrusion Prevention Systems

intrusion prevention system, or IPS, tries to block or stop harm. In fact, it is an intrusion detection system with a built-in response capability. The response is not just raising an alarm; the automatic responses include cutting off a user's access, rejecting all traffic from address a.b.c.d, or blocking all users' access to a particular file or program.

intrusion detection system (IDS)

is a device, typically another separate computer, that monitors activity to identify malicious or suspicious events. -In many cases the response is to alert a human team that will then decide what further action is warranted. Sometimes, however, the IDS goes into protection mode to isolate a suspected intruder and constrain access.

zero-day attack

meaning use of malware that exploits a previously unknown vulnerability or a known vulnerability for which no countermeasure has yet been distributed.

Signature-based intrusion detection systems

perform simple pattern-matching and report situations that match a pattern (signature) corresponding to a known attack type.

Host-based intrusion detection (called HIDS)

protects a single host against attack. It collects and analyzes data for that one host.

A Security Operations Center (SOC)

single location, perhaps their headquarters. A SOC is a team of security personnel dedicated to monitoring a network for security incidents and investigating and remediating those incidents.

model-based intrusion detection systems

sought to build a dynamic model of behavior to accommodate variation and evolution in a person's actions over time. The technique compares real activity with a known representation of normality.

stealth

stealth: avoiding detection during installation, while executing, or even at rest in storage.

SIEM Challenges

• Cost. A commercial SIEM solution for a large company can cost millions of dollars • Data portability. Requirements evolve, and the SIEM that meets today's needs will someday need replacing. •Log-source compatibility. SIEMs are continually becoming more flexible in terms of the types of data they can import and the ease with which they let users define new data types, but some SIEMs are better than others in this regard. • Deployment complexity. Because SIEMs can touch thousands of systems in an enterprise, deploying them is generally a complex undertaking • Customization. SIEM vendors compete on the basis of depth of built-in functionality and ease of customization • Full-time maintenance. Because they interact with so many different systems, SIEMs are inherently complex,

IDS functions:

• monitoring users and system activity • auditing system configuration for vulnerabilities and misconfigurations • assessing the integrity of critical system and data files • recognizing known attack patterns in system activity • identifying abnormal activity through statistical analysis • managing audit trails and highlighting user violation of policy or normal activity • correcting system configuration errors • installing and operating traps to record information about intruders

maneuvers to conceal malware

•Hide the file in a lower-level directory, often a subdirectory created or used by another legitimate program • Attach, using the techniques described earlier in this chapter, to a critical system file, especially one that is invoked during system startup • Replace (retaining the name of) a noncritical system file. • Hide copies of the executable code in more than one location. • Hide copies of the executable in different locations on different systems so no single eradication procedure can work. • Modify the system registry so that the malware is always executed or malware detection is disabled