Topics in Security Testing (content summary):

ing properly.
• Ironically, buggy adware defeats the purpose of the adware itself.

Sticky software
• Sticky software implements methods that prevent or deter users from uninstalling it manually.
• One simple solution is not to offer an uninstall program.
• Another solution in Windows involves:
  – installing registry keys that instruct Windows to always launch the malware as soon as the system is booted;
  – the malware monitors changes to the registry and replaces the keys if they are deleted by the user;
  – the malware uses two mutually monitoring processes to ensure that the user does not terminate the malware before deleting the keys.

Future malware
• Today's malware is just the tip of the iceberg.
• The next generation of malware may take control of the low levels of the computer system (e.g., BIOS, firmware).
  – The antidote software will be under the control of the malware.
• The theft of valuable information can also result in holding it for ransom.

Information-stealing worms
• Present-day malware does not take much advantage of cryptography.
• Asymmetric encryption creates new possibilities for the creation of information-stealing worms.
• A worm encrypts valuable data on the infected system using an asymmetric cipher and holds the data for ransom.

Information-stealing worms: Operation
1. The kleptographic worm embeds a public encryption key in its body.
2. It starts encrypting every bit of valuable data on the host using the public key.
3. Decryption of the data is impossible without the private key.
4. The attacker blackmails the victim, demanding a ransom.
5. The attacker exchanges the private key for the ransom while maintaining anonymity.
  – Theoretically possible using zero-knowledge proofs.
  – The attacker proves that he has the private key without exposing it.

BIOS/Firmware malware
• Antivirus programs assume that there is always some trusted layer of the system.
• Naïve antivirus programs scan the hard drive for infected files using the high-level file system service.
• A clever virus can intercept file system calls and present the antivirus with fake versions (original/uninfected) of the files on disk.
• Sophisticated antivirus programs reside at a low enough level (in the OS kernel) so that malware cannot distort their view of the system.

BIOS/Firmware malware: Operations (1)
• What if the malware altered an extremely low-level layer of the system?
• Most CPUs/hardware devices run very low-level code that implements each assembly language instruction using lower-level instructions (micro-ops).
• The micro-op code that runs inside the processor is called firmware.
• Firmware can be updated using a firmware-updating program.

BIOS/Firmware malware: Operations (2)
• Malicious firmware can (in theory) be included in malware that defeats antivirus programs.
• The hardware will be compromised by the malicious firmware.
• Not easy to do in practice because firmware update files are encrypted (private key inside the processor).

Antivirus programs
• Antivirus programs identify malware by looking for unique signatures in the code of each program (i.e., potential virus) on a computer.
  – A signature is a unique sequence of code found in a part of the malicious program.
• The antivirus program maintains a frequently updated database of virus signatures.
  – The goal is for the database to contain a signature for every known malware program.
• Well-known antivirus software includes:
  – Symantec
  – McAfee

Polymorphic viruses
• Polymorphism is a technique that thwarts signature-based identification programs.
• Polymorphic viruses randomly encode or encrypt the program code in a semantics-preserving way.
• The idea is to encrypt the code with a random key and decrypt it at run time.
  – Each copy of the code is different because of the use of a random key.

Polymorphic viruses: Decryption technique
• A decryption technique that polymorphic viruses employ involves XORing each byte with a randomized key that was saved by the parent virus.
• The use of XOR operations has the additional advantage that the encryption and decryption routines are the same:
  – a xor b = c
  – c xor b = a

Polymorphic viruses: Weaknesses
• Many antivirus programs scan for virus signatures in memory,
  – i.e., after the polymorphic virus has been decrypted.
• If the virus code that does the decryption is static, then the decryption code can itself be used as a signature.
• This limitation can be addressed (somewhat) if the decryption code is scrambled (superficially):
  – randomize the use of registers,
  – add no-ops in the code, …

Metamorphic viruses
• Instead of encrypting the program's body and making slight alterations in the decryption engine, alter the entire program each time it is replicated.
• This makes it extremely difficult for antivirus writers to use signature-matching techniques to identify the malware.
• Metamorphism requires a powerful code analysis engine that has to be embedded into the malware.

Metamorphic viruses: Operation
• The metamorphic engine scans the code and generates a different version of it every time the program is duplicated.
• The metamorphic engine performs a wide variety of transformations on the malware and on the engine itself:
  – instruction and register randomization,
  – instruction reordering,
  – reversing (negating) conditions,
  – insertion of "garbage" instructions,
  – reordering of the storage locations of functions.

Timeline of famous malware (1982-1988) [Wikipedia]
• 1982 – Elk Cloner, written for Apple II systems, is credited with being the first computer virus.
• 1987 – (c)Brain, the first virus written for PCs.
  – SCA, a boot sector virus for the Amiga, appears, immediately creating a pandemic virus-writer storm. A short time
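The following is an added example, not part of the lecture notes, that ties together the "Antivirus programs" and "Polymorphic viruses" slides: a toy signature scanner is run over an XOR-encoded body (each copy differs per key, so the body signature is missed on disk), over the body after the decoder has run (the memory-scan case, where the signature matches), and over the static decoder stub (which becomes a signature of its own). All byte strings are constructed placeholders, not real malware content.

```python
# Added example (not from the notes): signature scanning vs. XOR polymorphism.
# BODY and STUB are constructed placeholder byte strings, not real code.
BODY = b"MALWARE-BODY:delete-files;spread;phone-home"
STUB = b"DECODER-STUB-v1"  # constructed: the fixed, unscrambled decryptor


def xor_bytes(data: bytes, key: int) -> bytes:
    """a xor b = c and c xor b = a: the same routine encodes and decodes."""
    return bytes(b ^ key for b in data)


def make_sample(key: int) -> bytes:
    """Sample layout: static stub, the saved one-byte key, then the encoded body.
    A fresh key per copy makes the encoded body differ in every copy."""
    return STUB + bytes([key]) + xor_bytes(BODY, key)


def decode_sample(sample: bytes) -> bytes:
    """What the stub does at run time: read the saved key, recover the body."""
    key = sample[len(STUB)]
    return xor_bytes(sample[len(STUB) + 1:], key)


def scan(blob: bytes, signatures: dict) -> list:
    """Signature-based detection: names of every signature found in blob."""
    return [name for name, sig in signatures.items() if sig in blob]


def demo() -> dict:
    """Compare a disk scan of two polymorphic copies with a memory scan."""
    body_sig = {"body": b"delete-files;spread"}  # signature taken from the body
    stub_sig = {"stub": STUB[:8]}                # signature taken from the stub
    copy1, copy2 = make_sample(0x5A), make_sample(0xC3)
    return {
        "copies_differ": copy1 != copy2,                          # True
        "disk_scan_body": scan(copy1, body_sig),                  # []
        "memory_scan_body": scan(decode_sample(copy1), body_sig), # ['body']
        "disk_scan_stub": scan(copy2, stub_sig),                  # ['stub']
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Scrambling the stub (register renaming, inserted no-ops) would break the `stub` match, which is exactly the mitigation the "Weaknesses" slide describes; the memory scan after decoding is unaffected by it.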