
Software Threats and Counter Measures


Page 1: Software Threats and Counter Measures
Page 2: Software Threats and Counter Measures

Software Threats and Counter Measures

A presentation by Ajay Chinthapalli

Page 3: Software Threats and Counter Measures

What is Malware? Malware is a portmanteau word: it stands for Malicious Software.

It is used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Page 4: Software Threats and Counter Measures

Types of Malware:
• Viruses
• Ransomware
• Trojan Horses
• Worms and Mass-Mailers
• Backdoors
• Rootkits
• Spyware
• Adware
• and many others…

Page 5: Software Threats and Counter Measures

What is Ransomware? It is a type of malicious software which “restricts the user from accessing his computer until and unless some ransom is paid to the creator” of that software.

How did it start? The first known ransomware was the “AIDS (Aids Info Disk) Trojan”. It was written by Joseph Popp.

This malicious software triggered a payload claiming that the user's license to use a certain piece of software had expired, encrypted file names on the hard drive, and required the user to pay US$189 to "PC Cyborg Corporation" in order to unlock the system.

Because of that, this malicious software was also known as “PC Cyborg”.

Page 6: Software Threats and Counter Measures

How does this infect?

There are two common ways your computer can get infected:

• By downloading or clicking on links/advertisements from a malicious website.

• By exploiting vulnerable programs on your operating system (such as a browser).

What are the types of ransomware?

There are many variants, but they can be loosely classified into 3 types:

• Win-locker
• File Encryptor
• MBR (Master Boot Record)

Page 7: Software Threats and Counter Measures

Win-Locker: This variant of ransomware locks your computer and displays an intimidating ransom message which appears to be from your local law enforcement agency.

It instructs you to pay through an online payment system such as Ukash, Paysafecard, or Moneypak.

The most common Win-locker ransomware are CryptoLocker and the FBI Virus.

Page 8: Software Threats and Counter Measures

File Encryptor: This kind of ransomware encrypts your personal files and folders using complex encryption algorithms to make your computer’s data unusable.

The malware author then demands that you pay for the decryption key using one of the online payment systems mentioned above.

The ransomware often leaves a file (a “ransom note”) on the victim’s machine with payment instructions.

This type of ransomware may or may not lock your screen.

Page 9: Software Threats and Counter Measures

Master Boot Record:

This type of ransomware changes your computer’s Master Boot Record and interrupts the normal booting process.

The MBR is a partition on your computer’s hard drive that allows the operating system to load and boot.

The creator asks the user to pay the amount online using Ukash, Paysafecard or Moneypak.

Fortunately, the hard drives or files are not encrypted as the malware author claims. This ransomware only overwrites the original MBR with a malicious one.

Page 10: Software Threats and Counter Measures

How to protect your computer?

Always back up your data: Back up your data on a regular basis and keep those files in a secure place so that you can restore them in the event of data loss.

Think before you click: Do not open email attachments that you were not expecting or click on links on suspicious websites. Ignore that email/link, because it may be an attempt to get you to install bad software.

Secure your PC: Make sure your computer is protected with anti-virus, and that your operating system and other applications are up to date.

Don’t pay: It’s not a good idea to pay, as you can never be sure that the criminals will keep their end of the deal.

Page 11: Software Threats and Counter Measures

What can I do if my system is infected?

System Restore: Go to Start -> All Programs -> Accessories -> System Restore. Follow the instructions given to restore your computer back to a previous date, before the virus was on your computer.

Safe Mode with Networking: Turn off your computer -> Turn on your computer -> Go to advanced options -> Safe Mode with Networking and press Enter. Open your browser and download a trusted anti-malware software. Run the software and delete all the malicious programs.

Flash drive option: Install a trusted anti-malware software on your flash drive from an uninfected computer. Turn off your computer -> Turn on your computer -> Go to advanced options -> Boot menu -> Select the USB drive as your boot priority -> Your computer will now boot from the USB drive and automatically run the anti-malware program. Delete all the malicious programs found after the scan. After that, reboot your computer. Windows should start normally.

Page 12: Software Threats and Counter Measures

References:

All You Need To Know About Ransomware. (2013, August 7). SUPERAntiSpyware Blog. Retrieved from http://www.superantispyware.com/blog/2013/08/all-you-need-to-know-about-ransomware/

CryptoLocker Virus – Removal and Decryption Guide. (2013, September 9). Retrieved from http://freetechsupport.com/virus-removal/cryptolocker-virus-removal-decryption-guide/

Geier, E. (2014, January 13). How to rescue your PC from ransomware. PCWorld. Retrieved from http://www.pcworld.com/article/2084002/how-to-rescue-your-pc-from-ransomware.html

Page 13: Software Threats and Counter Measures

TOCTTOU SOFTWARE SECURITY THREAT IN UNIX FILE SYSTEM

Page 14: Software Threats and Counter Measures

TIME OF CHECK TO TIME OF USE (TOCTTOU)

“In software development, TOCTTOU is a class of software bug caused by changes in a system between the checking of a condition and the use of the results of that check.”

TOCTTOU attacks are most common in:
1. UNIX file systems
2. Local sockets
3. Improper use of database transactions

Page 15: Software Threats and Counter Measures

UNIX FILE SYSTEM

A TOCTTOU vulnerability requires 2 steps:
1. A vulnerable program checks for a file status.
2. The program operates on the file, assuming that the original file is still valid during execution.

For example, Sendmail may check for a specific attribute of a mailbox in step one and then append new messages in step two.

Page 16: Software Threats and Counter Measures

TOCTTOU EXAMPLE

Victim checks the file; if it is good, opens it. Attacker changes the interpretation of the file name. Victim reads the secret file.

Victim                              Attacker
if (access("file")) {
                                    symlink("secret", "file");
    fd = open("file");
    read(fd, ...);
    ...
}
(time runs downward)

Page 17: Software Threats and Counter Measures

REPORTED TOCTTOU VULNERABILITIES

Domain                   Application Name
Enterprise applications  Apache, bzip2, gzip, getmail, Imp-webmail, procmail, openldap, openSSL, Kerberos, OpenOffice, StarOffice, CUPS, SAP, samba
Administrative tools     at, diskcheck, GNU fileutils, log-watch, patchadd
Device managers          Esound, glint, pppd, Xinetd
Development tools        make, perl, Rational ClearCase, KDE, BitKeeper, Cscope

Page 18: Software Threats and Counter Measures

In 2000–2004, there were 20 Community Emergency Response Teams (CERT) advisories on TOCTTOU vulnerabilities. They cover a wide range of applications, from system management tools to user-level applications.

The CERT advisories affected many operating systems, including Caldera, Conectiva, Debian, FreeBSD, HP-UX, RedHat, Sun Solaris and MandrakeSoft.

Page 19: Software Threats and Counter Measures

HOW TO DEAL WITH TOCTTOU ATTACKS

At USENIX Security 2004, Dean & Hu described a scheme for safely using the access system call in Unix systems.

Dean & Hu’s scheme is called the K-race algorithm; in it the attacker has a low probability of winning the race.
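The access/open/symlink timeline from the TOCTTOU example slide, replayed as an added example (not code from the presentation): the racy reader checks the name with access() and then resolves the same name again with open(), so a symlink planted in the window sends it to the secret; the hardened reader drops the name check entirely, opens once with O_NOFOLLOW and judges the descriptor it actually holds with fstat(), so the race has nothing to win. The attacker_swap hook, the replay_race() driver and the scratch files under /tmp are constructed for the demonstration, and it assumes Linux, where O_NOFOLLOW on a symlink fails with ELOOP.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static char g_file[256], g_secret[256];   /* scratch paths set up by replay_race() */
/* The attacker's move from the slide, fired inside the check-to-use window. */
static void attacker_swap(void) { unlink(g_file); symlink(g_secret, g_file); }
/* Read what fd holds into buf, close it, NUL-terminate; -1 on read error. */
static int slurp(int fd, char *buf, size_t len) {
    ssize_t n = read(fd, buf, len - 1); close(fd);
    if (n < 0) return -1;
    buf[n] = '\0'; return (int)n;
}
/* Vulnerable pattern: access() judges the name, open() resolves that name again later. */
static int read_racy(const char *path, char *buf, size_t len, void (*window)(void)) {
    if (access(path, R_OK) != 0) return -1;        /* time of check */
    if (window) window();                           /* attacker wins the race here */
    int fd = open(path, O_RDONLY);                  /* time of use: follows the new symlink */
    return fd < 0 ? -1 : slurp(fd, buf, len);
}
/* Hardened form: no check on the name at all. Open once with O_NOFOLLOW, then judge
   the object actually held via fstat(). A swapped-in symlink makes open() fail with ELOOP. */
static int read_safe(const char *path, char *buf, size_t len, void (*window)(void)) {
    if (window) window();                           /* attacker may act at any time */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); errno = EACCES; return -1; }
    return slurp(fd, buf, len);
}
/* Replays the slide's timeline in a temp dir (constructed data): "file" starts as a harmless
   regular file, "secret" holds the target. Returns 1 when the racy reader leaks the secret
   and the hardened reader refuses, 0 otherwise. */
int replay_race(void) {
    char dir[] = "/tmp/tocttouXXXXXX", buf[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(g_file, sizeof g_file, "%s/file", dir);
    snprintf(g_secret, sizeof g_secret, "%s/secret", dir);
    FILE *f = fopen(g_secret, "w"); if (!f) return 0; fputs("TOP-SECRET", f); fclose(f);
    f = fopen(g_file, "w"); if (!f) return 0; fputs("harmless", f); fclose(f);
    int leaked = read_racy(g_file, buf, sizeof buf, attacker_swap) > 0 && !strcmp(buf, "TOP-SECRET");
    int refused = read_safe(g_file, buf, sizeof buf, attacker_swap) < 0 && errno == ELOOP;
    unlink(g_file); unlink(g_secret); rmdir(dir);
    return leaked && refused;
}
```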

REFERENCES:

Jinpeng Wei, Calton Pu. TOCTTOU Vulnerabilities in UNIX-Style File Systems: An Anatomical Study. FAST ’05: 4th USENIX Conference on File and Storage Technologies, 155-167.

Nikita Borisov, Rob Johnson, Naveen Sastry, David Wagner. Fixing Races for Fun and Profit: How to Abuse atime. USENIX Association, 303-314.

Page 20: Software Threats and Counter Measures

SNIFFER PROGRAM

A sniffer is a piece of software that grabs all of the traffic flowing into and out of a computer attached to a network.

Page 21: Software Threats and Counter Measures

What is a Sniffer Program?

Programs that tap into a computer network with the purpose of intercepting data traveling between two network machines are called sniffing software.

This type of software program can be used to intercept and interpret data on a computer or network, including browser passwords, chat programs, user settings and network traffic.

Page 22: Software Threats and Counter Measures

How does a Sniffer work?

The sniffer program tells a computer, specifically its Network Interface Card (NIC), to stop ignoring all the traffic headed to other computers and pay attention to it.

It does this by placing the NIC in a state known as promiscuous mode. The program then begins a constant read of all information entering the PC via the network card.

Because protocol headers follow a strict format, a sniffer can peel away the layers of encapsulation and decode the relevant information exchanged between two computers.

Page 23: Software Threats and Counter Measures

TJX COMPANIES
o Marshall’s
o TJ Maxx
o Home Goods
o A.J Goods

Largest known Credit Card Theft

Page 24: Software Threats and Counter Measures

TJX DATA BREACH

Stephen Watt, 25, a New York man who admitted to providing the sniffer program that was used to hijack credit card numbers as they traversed the networks of a number of merchants, including TJX, was sentenced to two years in prison and three years of supervised release.

Page 25: Software Threats and Counter Measures

WHAT HAPPENED?

July 2005
o Attackers gained access to the wireless network in a Marshall’s discount clothing store in Miami, FL.
o Over the next year, the internal network was systematically searched for valuable information.

May 2006
o A sniffer was installed on the network and over 80 GB of encrypted data was sent to a site in California.

December 2006
o The incident was discovered by TJX and reported to law enforcement.

Page 26: Software Threats and Counter Measures

What went wrong?
• No defense in depth
• WEP was used
• Attackers were able to get to the corporate databases through a remote store’s network
• Customer data was stored for too long
• Customer data was stored that should not have been

Page 27: Software Threats and Counter Measures

• TJX officials admitted that more than 45 million credit and debit cards were stolen over an 18-month period by hackers who managed to penetrate its Wi-Fi network.

• The retailer has been criticized for collecting too much consumer data and failing to upgrade its Wi-Fi security to the stronger WPA encryption protocol.

Page 28: Software Threats and Counter Measures

What can be learned?
• Security must be incorporated in all aspects of business, and risks must be understood.
• Security is not a product you can buy. Security is a process that must constantly evolve.
• Do not store unnecessary information.
• Don’t use WEP.

Page 29: Software Threats and Counter Measures

REFERENCES

"TJX Data Breach: At 45.6M Card Numbers, It's the Biggest Ever." Computerworld. Jaikumar Vijayan, 29 Mar. 2007. Web. 15 Apr. 2014.

"Sniffers: What They Are and How to Protect Yourself." Endpoint, Cloud, Mobile & Virtual Security Solutions. Matthew Tanase, 26 Feb. 2002. Web. 15 Apr. 2014.