Protecting Computers From Viruses and Similarly Programmed Threats

  • Slides: 32
Download presentation
Protecting Computers From Viruses and Similarly Programmed Threats Ryan Gray COSC 316

Protecting Computers From Viruses and Similarly Programmed Threats Ryan Gray COSC 316

Contents § Early virus protection software § Common malicious software § Notable viruses §

Contents § Early virus protection software § Common malicious software § Notable viruses § Identification and deletion techniques § Pitfalls of each

Virus Protection Software § Used to prevent, detect, and remove malicious software § Began

Virus Protection Software § Used to prevent, detect, and remove malicious software § Began in 1980’s in research fields § BITNET/EARN network led to first open discussion of viruses § Mailing list included John Mc. Afee and Eugene Kaspersky

Early Viruses § Malicious code spread through infected floppy disks § Exploited boot sectors

Early Viruses § Malicious code spread through infected floppy disks § Exploited boot sectors of hard drives and executables § Windows Autorun § Limited in scope § Could only damage the host system § No replication § Mostly macros

Internet Age § As the internet became popular, malicious software evolved § Often infected

Internet Age § As the internet became popular, malicious software evolved § Often infected Windows and Microsoft products § Outlook § Word § Malicious software becomes self-replicating and mobile § Infected emails and attachments § Zero-day exploits

Common Malicious Software § Today malicious software has many names based on behavior §

Common Malicious Software § Today malicious software has many names based on behavior § Malware, spyware, viruses, trojans, keyloggers, backdoors, rootkits, worms, adware

Notable Viruses and Worms § 1982 - Elk Cloner infected Apple II systems §

Notable Viruses and Worms § 1982 - Elk Cloner infected Apple II systems § 1990 - ILOVEYOU infects millions of Windows systems Worldwide § 2002 - Mylife first virus to send infected emails to all Outlook contacts § 2003 – SQL Slammer jams internet traffic worldwide by exploiting SQL Server § 2004 – Sasser exploits LSASS Windows service blocking internet traffic to government agencies and private corporations.

Elk Cloner

Elk Cloner

ILOVEYOU

ILOVEYOU

Mylife

Mylife

SQL Slammer

SQL Slammer

Sasser

Sasser

Notable Continued § 2011 - Anti Spyware appears as a legitimate program but forces

Notable Continued § 2011 - Anti Spyware appears as a legitimate program but forces users to pay for removal § 2013 - Crypto. Locker trojan encrypts an important file on a computer and forces users to pay a ransom

Anti Spyware

Anti Spyware

Crypto. Locker

Crypto. Locker

Identification and Deletion § Multiple techniques exist to identify and delete malicious software §

Identification and Deletion § Multiple techniques exist to identify and delete malicious software § In 1987, Fredrick Cohen demonstrates no algorithm is perfect to remove all malicious software § Signature-Based detection § Heuristics § Rootkit § Real-time Protection/Shield

Signature-Based § AVG’s and Avast! Methods § Constantly refresh virus definitions on host systems

Signature-Based § AVG’s and Avast! Methods § Constantly refresh virus definitions on host systems § Scan contents of files looking for known signatures § Quarantine or encrypt those files to render them inoperable

Signature-Based Example § Signatures are pieces of code stripped from known malicious software and

Signature-Based Example § Signatures are pieces of code stripped from known malicious software and stored for cross-referencing on host systems § AVG and Avast! maintain their own virus definitions

Signature-Based Example § Simplistic Example § Malicious software with these lines of code §

Signature-Based Example § Simplistic Example § Malicious software with these lines of code § § int[] example = new int[1000] int counter = 500 while(counter>0) example[counter] = some. Generic. Get()

Signature-Based Example § Anti-Virus software will (hopefully) identify this malicious code and take proper

Signature-Based Example § Anti-Virus software will (hopefully) identify this malicious code and take proper action § This technique is simple, efficient, and effective for most malicious code § Most, meaning it is easily defeated by modern metamorphic viruses

Signature-Based Example § Metamorphic viruses redefine themselves to avoid detection § § int[] new.

Signature-Based Example § Metamorphic viruses redefine themselves to avoid detection § § int[] new. Example = new int[1000] int new. Counter = 500 while(new. Counter>0) new. Example[counter] = even. More. Generic. Get()

Signature-Based Example § The relationship between signature-based detection and false-positives inversely proportional § More

Signature-Based Example § The relationship between signature-based detection and false-positives inversely proportional § More strict and descriptive signatures throw more false-positives § Less strict signatures fail to detect known malicious code § Does not work on new malicious software as the signature does not yet exist in anti-virus definitions § Definitions must be constantly updated

Signature-Based

Signature-Based

Real-Time Detection § To use Avast! as an example, uses multiple techniques to provide

Real-Time Detection § To use Avast! as an example, uses multiple techniques to provide protection while the system is being used § On-access scanner § Real-Time shields and sandboxing § Firewalls

Realtime in Avast!

Realtime in Avast!

Scanners § Similar detection techniques previously mentioned § Signature-based, assuming a real-time shield failed

Scanners § Similar detection techniques previously mentioned § Signature-based, assuming a real-time shield failed § Sandboxing an executable § Analyze and/or disassemble program code to search for malicious modification of system files

Common Fallacies of Scanners § Scanning does NOT run every program on your drive

Common Fallacies of Scanners § Scanning does NOT run every program on your drive and look for malicious intent § Scanners can only detect known viruses from definitions § If detected, viruses are not often deleted § Encrypted or moved § Memory/Flash scans are not reliable

Scanners

Scanners

Sandboxing § Sandboxes are common in more fields than just security § For Windows

Sandboxing § Sandboxes are common in more fields than just security § For Windows compatible anti-virus programs § Emulate the OS with many of the same components § § Addressable memory OS Kernels Restricted network kernel that points to nowhere or is limited Mock system registry

Sandboxing Pitfalls § As with other methods, sandboxing has downsides § § § Memory

Sandboxing Pitfalls § As with other methods, sandboxing has downsides § § § Memory heavy CPU heavy False-positives Delayed execution of new programs Installation hang-ups and errors

Sandboxing

Sandboxing

Conclusion § Early virus protection software § Common malicious software § Notable viruses §

Conclusion § Early virus protection software § Common malicious software § Notable viruses § Identification and deletion techniques § Pitfalls of each

ATTACK AND THREATS THREATS AND ATTACK THREATS ThreatsATTACK AND THREATS THREATS AND ATTACK THREATS Threats
Programmed Threats Richard Newman What is a ProgrammedProgrammed Threats Richard Newman What is a Programmed
Presents programmed hygiene in beverage filling programmed hygienePresents programmed hygiene in beverage filling programmed hygiene
Catalyst Characterization by Temperature Programmed Methods temperature programmedCatalyst Characterization by Temperature Programmed Methods temperature programmed
Viruses and related threats Viruses and Malicious ContentViruses and related threats Viruses and Malicious Content
Session Agenda Threats Types of threats Threats againstSession Agenda Threats Types of threats Threats against
Chapter Fourteen Viruses Cancer and Immunology Viruses VirusesChapter Fourteen Viruses Cancer and Immunology Viruses Viruses
Chapter Fourteen Viruses Cancer and Immunology Viruses VirusesChapter Fourteen Viruses Cancer and Immunology Viruses Viruses
Viruses and Bacteria What are viruses Viruses areViruses and Bacteria What are viruses Viruses are
Viruses and Bacteria Viruses Discovery of Viruses DetectViruses and Bacteria Viruses Discovery of Viruses Detect
VIRUSES AND HUMAN HEALTH 1 Viruses Disease virusesVIRUSES AND HUMAN HEALTH 1 Viruses Disease viruses
BSC 2011 Chapter 21 Viruses Viruses Viruses areBSC 2011 Chapter 21 Viruses Viruses Viruses are
VIRUSES Chapter 18 Bacteria Viruses Bacteria 1 VirusesVIRUSES Chapter 18 Bacteria Viruses Bacteria 1 Viruses
Lecture16 Viruses Viruses General properties v Viruses areLecture16 Viruses Viruses General properties v Viruses are
Viruses Viruses Viruses are very simple forms ofViruses Viruses Viruses are very simple forms of
Viruses Chapter 27 Nature of Viruses All virusesViruses Chapter 27 Nature of Viruses All viruses
Arthropodborne Viruses Arthropodborne viruses arboviruses are viruses thatArthropodborne Viruses Arthropodborne viruses arboviruses are viruses that
Chapter 4 Viruses The concept of viruses VirusesChapter 4 Viruses The concept of viruses Viruses
VIRUSES I Introduction to Viruses 1 Viruses areVIRUSES I Introduction to Viruses 1 Viruses are
Viruses are particles Viruses are NOT living VirusesViruses are particles Viruses are NOT living Viruses
Viruses Virology is the study of viruses VirusesViruses Virology is the study of viruses Viruses
Arthropodborne Viruses Arthropodborne viruses arboviruses are viruses thatArthropodborne Viruses Arthropodborne viruses arboviruses are viruses that
PAPILLOMA VIRUSES Papilloma Viruses Characteristics ds DNA virusesPAPILLOMA VIRUSES Papilloma Viruses Characteristics ds DNA viruses
DOS Viruses Boot viruses Boot viruses are veryDOS Viruses Boot viruses Boot viruses are very