Security Threats: Worms and Viruses
Cyril Onwubiko
Networking and Communications Group, Kingston University
http://ncg.kingston.ac.uk
Jan 14, 2016
Overview
• Background
• Theory
• Detection Mechanisms
• Countermeasures
• Q/A
Background
Security Threats
• Cause: exploit vulnerabilities in an asset
• Asset: Computer Systems, Network Systems, Information & Content
• Effect: Disruption of Service, Degradation of Service, Denial of Service, Manipulation/Theft of Information
Worms/Viruses
• Worms: malicious software with the capability of self-replication; may not require another piece of software to be activated; propagates through networks.
• Viruses: malicious software that attaches itself to other software; requires another piece of software to be activated; replicates within computer systems, not necessarily across networks.
Types of Worms/Viruses (1)
• Time Bomb: a type of worm that remains dormant in the host until a certain time is reached. Example: <if time Eq 22/03/2006 then start>
• Logic Bomb: a type of worm that remains dormant in a host until a certain condition or event occurs (the logic), and then deletes files, slows down or crashes the host system, etc. Example: <if license_expires then start>
• Trojan Horse: a type of worm (malicious logic) performing, or able to perform, an illegitimate action while giving the impression of being legitimate; the illegitimate action can be disclosure or modification of information. Example: Internet pop-ups: <Your system is running very slow. Do you want to Speed Up?> [Click]
Types of Worms/Viruses (2)
• Rabbit: a type of worm that, when activated, replicates itself until the point of system exhaustion. Example: consumes CPU and network resources.
• Bacterium: a type of virus that attaches itself to the OS (rather than to an application). It consumes the system's resources to the point of exhaustion. Similar to the 'Rabbit'.
• Aggressive Worms: a type of worm that spreads across the network faster than normal worms. They are continuously activated!
Theory
General Concept
[Diagram: Worm/Virus shown as a subset of Security Threats, opposed by Countermeasures]
Worms and Viruses are subsets of security threats. To mitigate them appropriately, we need effective countermeasures!
Worm Models
• SI Model: Susceptible → Infected. No countermeasures applied.
• SIR Model: Susceptible → Infected → Recovered. A single set of countermeasures.
• SIQR Model: Susceptible → Infected → Quarantine → Recovered, with susceptible systems also moved to Removed. A couple of countermeasures.
Recovered: infected systems that have been treated. Removed: susceptible systems that are disconnected and patched.
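The three worm models above as a small discrete-time simulation, added here as an example and not part of the original slides: each step moves hosts between the Susceptible, Infected, Quarantine, Recovered and Removed states described on the slide, so the effect of adding countermeasures shows up as a lower infection peak. The population size and the rates beta, gamma, delta and mu are constructed illustration values.

```python
"""Discrete-time SI, SIR and SIQR worm-propagation models.

Added example, not from the original slides. The rates below (beta, gamma,
delta, mu) and the population size are constructed illustration values.
"""


def simulate(model, n=10000, i0=10, beta=0.5, gamma=0.1, delta=0.2,
             mu=0.05, steps=200):
    """Return the infected count after each step for one model.

    model : "SI"   Susceptible -> Infected, no countermeasures
            "SIR"  Susceptible -> Infected -> Recovered (treated)
            "SIQR" infected hosts are quarantined and then treated (Recovered);
                   susceptible hosts are disconnected and patched (Removed)
    beta  : infections per infected host per step, scaled by the susceptible share
    gamma : share of infected (SIR) or quarantined (SIQR) hosts treated per step
    delta : share of infected hosts quarantined per step (SIQR only)
    mu    : share of susceptible hosts disconnected and patched per step (SIQR only)
    """
    if model not in ("SI", "SIR", "SIQR"):
        raise ValueError(f"unknown model {model!r}")
    s, i, q, r, removed = float(n - i0), float(i0), 0.0, 0.0, 0.0
    history = [i]
    for _ in range(steps):
        new_inf = min(s, beta * i * s / n)          # scans that hit susceptible hosts
        i_to_r = gamma * i if model == "SIR" else 0.0
        i_to_q = delta * i if model == "SIQR" else 0.0
        q_to_r = gamma * q if model == "SIQR" else 0.0
        s_to_removed = mu * s if model == "SIQR" else 0.0
        s -= new_inf + s_to_removed
        i += new_inf - i_to_r - i_to_q
        q += i_to_q - q_to_r
        r += i_to_r + q_to_r
        removed += s_to_removed
        history.append(i)
    return history


def peak_infected(history):
    """Return (peak infected count, step at which the peak occurs)."""
    peak = max(history)
    return round(peak), history.index(peak)


def compare_models():
    """Peak infection per model; more countermeasures should give a lower peak."""
    return {m: peak_infected(simulate(m)) for m in ("SI", "SIR", "SIQR")}
```

With the default values the SI run saturates the whole population, the SIR run peaks well below it and dies out, and the SIQR run barely gets off the ground.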
Classification of Worms (Worms vs Viruses)
• Behaviour - Worms: Innocuous, Humorous, Data Altering & Catastrophic
• Behaviour - Viruses: Innocuous, Humorous, Deceptive, Data Altering & Catastrophic
• Medium - Worms: emphasis on the network; early warning/detection possible
• Medium - Viruses: emphasis on the computer; up-to-date DAT patches required
• Design - Worms: Operational, external, human-made, software, malicious, deliberate and permanent
• Design - Viruses: Operational, external, human-made, software, malicious, deliberate and permanent
Phases of Worm Propagation
• Early stage: dormant and inactive; waits for a condition or time to start (e.g. Code Red II, Slammer worms).
• Penetration stage: worm activated; hits the 'hitlist', a list of systems with the target vulnerability (e.g. Win32.Blaster exploits a flaw in MS RPC); propagation rate is gradual and linear.
• Perpetuation stage: external systems targeted (outside the 'hitlist'); propagation rate is quadratic or near exponential; combined efforts from compromised systems; hard to stop at this stage.
• Exhaustion stage: near termination/completion; countermeasures known and patches released; program termination time very close.
Symptomatic Effect (Behaviour)
• High CPU
• System may crash intermittently
• Increased/abnormal traffic on egress routers/interfaces
• Abnormal system behaviour (slows down, performance issues, freezes and hangs often)
• Increased/abnormal protocol usage: high peer_contact sent/received traffic
• System halts and may not start
• Missing or corrupt/destroyed files; system registry may be affected/altered
Detection
Early Detection Mechanisms
• Ingress ACL
• Rate limiting at gateway devices
• Security Information Management Systems
• Automated filtering: filtering of known security-sensitive ports and protocols. Example: ingress traffic to UDP 137, TCP 135, 139, 445, etc.
• Proactive monitoring
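The ingress port filter listed above and the 'high peer_contact' symptom from the Symptomatic Effect slide, as an added example in Python (not from the original slides): the slide's port list is applied to a constructed set of flow records, and sources that fan out to many distinct hosts within one time window are flagged. The record layout, the addresses and the max_peers threshold are constructed for illustration.

```python
"""Ingress port filter and peer-contact check over constructed flow records.

Added example, not from the slides; records, layout and threshold are constructed.
"""
from collections import defaultdict

# (protocol, destination port) pairs the slide gives as ingress filter examples
FILTERED_PORTS = {("udp", 137), ("tcp", 135), ("tcp", 139), ("tcp", 445)}

# Constructed flow log (not real traffic): "second src dst proto dst_port"
SAMPLE_FLOWS = """\
0 203.0.113.10 192.0.2.5 tcp 445
1 203.0.113.10 192.0.2.6 tcp 445
1 198.51.100.7 192.0.2.20 tcp 443
2 203.0.113.10 192.0.2.7 tcp 445
3 203.0.113.10 192.0.2.8 tcp 139
5 203.0.113.22 192.0.2.30 udp 137
7 198.51.100.7 192.0.2.21 tcp 80
8 203.0.113.10 192.0.2.10 tcp 135
"""


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts."""
    flows = []
    for line in text.splitlines():
        t, src, dst, proto, port = line.split()
        flows.append({"t": int(t), "src": src, "dst": dst,
                      "proto": proto.lower(), "port": int(port)})
    return flows


def ingress_acl(flows):
    """Apply the slide's port filter; return (dropped, passed) flows."""
    dropped = [f for f in flows if (f["proto"], f["port"]) in FILTERED_PORTS]
    passed = [f for f in flows if (f["proto"], f["port"]) not in FILTERED_PORTS]
    return dropped, passed


def peer_contact_alerts(flows, window=10, max_peers=3):
    """Sources contacting more than max_peers distinct hosts within one window.

    Fan-out from one source in a short window is the 'high peer_contact' symptom
    on the slide; max_peers is a constructed tuning value.
    """
    peers = defaultdict(set)
    for f in flows:
        peers[(f["src"], f["t"] // window)].add(f["dst"])
    return sorted({src for (src, _), dsts in peers.items() if len(dsts) > max_peers})
```

Run the peer-contact check on the unfiltered flows: the ACL drops the filtered-port traffic, but the fan-out pattern is what singles out the one source probing many internal hosts.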
Early Warning Systems
Proactive-Based Systems
[Diagram: probing traffic from the Open Network (ON, the Internet) into the Corporate Network (CN), analysed by the Early Warning System]
• Traffic analysis
• Probabilistic analysis
• Pattern analysis and speculative evidence
Countermeasures
1. Basic Techniques (Remediation Services):
• Stay up to date with the latest software patches
• Harden your operating systems (service packs, personal firewall, etc.)
• Disable unused services
• Consider filtering on ingress gateway devices
• Consider disconnecting infected systems …
2. Enterprise Initiatives (Admission Control Mechanisms):
• Microsoft NAP (Network Access Protection)
• Cisco NAC (Network Admission Control)
• Access Control Mechanisms
3. Open Source Initiatives (Proactive Monitoring Technique):
• OS-SIM (Open Source Security Information Management)
• PADS (Passive Asset Detection System)
• SNORT - Open Source IDS
• BASE (Basic Analysis and Security Engine) - alert management
Conclusion
• Worms and Viruses are major security threats to information and network assets.
• Worms (unlike viruses) can be detected early if adequate security mechanisms are in place.
• The effects of worm/virus infection range from service disruption to system crash.
• Proactive monitoring and early warning systems are recommended detection mechanisms.
• Remediation services, OS hardening, patching, ingress filtering and disconnecting infected systems are recommended countermeasures!
Resources/References
1. Microsoft NAP: http://www.microsoft.com/windowsserver2003/technologies/networking/nap/beta.mspx
2. Cisco NAC: http://www.cisco.com/warp/public/cc/so/neso/sqso/csdni_wp.htm
3. Cisco CiscoWorks SIMS: http://www.cisco.com/en/US/products/sw/cscowork/ps5209/index.html
4. Additional Resource: http://www.research-series.com/cyril/resources.html
5. IETF: EAP (Extensible Authentication Protocol): https://datatracker.ietf.org/public/idindex.cgi?command=id_detail&id=8369
6. Desktop FW/IDS, e.g. BlackICE Defender (ISS), ZoneAlarm, etc.
7. NCG Publications: http://ncg.kingston.ac.uk/research/publications/publications.htm
Contact Details
Networking & Communications Group, Kingston University
http://ncg.kingston.ac.uk
Tel: Not Applicable