CIS 4615 meeting -*- Outline -*-

* varieties of attacks

Much of this topic is adapted from the book "Computer Viruses and Malware"
by John Aycock (Springer, 2006).

** types of malware

Can characterize it by some dimensions:

------------------------------------------
MALWARE: CHARACTERISTIC MODES OF OPERATION

self-replicating:  aggressively copies itself
                   vs. passive/accidental copying by user
population-growth: growing or stable
parasitic:         requires other software to exist
------------------------------------------

*** logic bomb

------------------------------------------
LOGIC BOMB

self-replicating:  no
population growth: 0
parasitic:         possibly

2 parts: trigger and payload

    ...
    if (condition()) {
        payload();
    }
    ...
------------------------------------------

Q: What could a logic bomb be used for?

    (violates availability)
    denial of service
    extortion/ransom
    insider stock trading scheme (confidentiality)

*** trojan horse

------------------------------------------
TROJAN HORSE

self-replicating:  no
population growth: 0
parasitic:         yes (imitates behavior of other program)
------------------------------------------

Q: What can a trojan horse be used for?

    (violates confidentiality or integrity)
    stealing information from users (like passwords)

    spyware is a special case that captures keyboard inputs
    in order to steal passwords, account info, etc.

    adware is another special case that does pop-up ads
    or redirects browser searches

*** back door

------------------------------------------
BACK DOOR

self-replicating:  no
population growth: 0
parasitic:         possibly

    user = read_username();
    pass = read_password();
    if (user == "133t h4ck0r") {
        return ALLOW_LOGIN;
    } else if (check_login(user, pass)) {
        return ALLOW_LOGIN;
    } else {
        return DENY_LOGIN;
    }
------------------------------------------

Q: What can a back door be used for?

    (violates integrity)
    bypass authorization, then stealing information

*** virus

------------------------------------------
VIRUS

self-replicating:  yes
population growth: positive
parasitic:         yes

    infect();
    if (trigger()) {
        payload();
    }
------------------------------------------

Q: What is that like?

    A logic bomb!

Q: What can a virus be used for?

    (violates availability or confidentiality)
    denial of service

vs. worms: viruses propagate within one computer, or are transported
between computers by humans (e.g., on disks)

history:
    circulating in 1982
    first academic work in 1983

*** worm

------------------------------------------
WORM

self-replicating:  yes
population growth: positive
parasitic:         no

    propagate();
    if (trigger()) {
        payload();
    }
------------------------------------------

Q: What does this look like?

    A virus, and thus like a logic bomb!

Q: What can a worm be used for?

    (violation of availability, and other attacks)
    denial of service, stealing secret information

history:
    Xerox PARC experiments in early 1980s
    "the internet worm" of Nov. 1988

*** blended threats

Ken Thompson's ACM Turing award lecture describes a C compiler that:
    when compiling the source for the login program, puts in a back door
    when compiling the compiler, replicates these features

A dropper is malware whose payload leaves behind other malware.

A "blended threat" has other characteristics, but can also propagate itself.
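The back-door login sketched under "back door" above, written out as an added example (not from the lecture or Aycock's book): the bypass version beside a clean one, plus a probe a defender can run against a login routine to flag any path that grants access without a valid password. The user database, salt and password are constructed for the example.

```python
import hashlib
import hmac
import os

ALLOW_LOGIN, DENY_LOGIN = "allow", "deny"


def _hash(salt: bytes, password: str) -> bytes:
    # Salted SHA-256 is enough to make the example self-contained;
    # a real system would use a password hash such as scrypt/argon2.
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed user database: username -> (salt, hash). Fixed salt so the
# example is deterministic.
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash(_SALT, "correct horse"))}


def check_login(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    salt, digest = rec
    # Constant-time comparison of the stored and computed hashes.
    return hmac.compare_digest(digest, _hash(salt, password))


def login_backdoored(user: str, password: str) -> str:
    # The outline's back door: one hard-coded username skips check_login.
    if user == "133t h4ck0r":
        return ALLOW_LOGIN
    if check_login(user, password):
        return ALLOW_LOGIN
    return DENY_LOGIN


def login_clean(user: str, password: str) -> str:
    # The only way in is through check_login.
    return ALLOW_LOGIN if check_login(user, password) else DENY_LOGIN


def find_bypass(login, candidates):
    """Return every username that login() accepts with a password no account
    has. Any hit means login() has a path that ignores check_login, i.e. a
    back door of the kind shown in the outline."""
    bogus = os.urandom(16).hex()  # a password nobody set
    return [u for u in candidates if login(u, bogus) == ALLOW_LOGIN]
```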