Ch04_Malware2

图灵

• On computable numbers， with an application to the Entscheidungs problem (by 图灵)提出了通用机概念
• 可计算性与λ可定义性(Computability and λ-definability)形成丘奇-图灵论点

冯诺依曼

• 冯•诺依曼是第一个写出能进行完全自我复制程序的人
• 冯·诺依曼为计算机的体系结构作了奠基性的工作，2进制思想与程序内存思想(EDVAC方案)

病毒发展史

• 1949年,冯•诺依曼(John Von Nermann),这位伟大的数学家和计算机科学家就在其《复杂机器的理论与结构》(Theory and Organization of Complicated Automata)的论文中首次提出了复杂机械的自动复制的理论,即程序能在内存中进行繁殖。
• 50年代后期Bell实验室和Xerox公司研究人工智能的专家(Victor A. Vyssotsky, Robert T.Morris and M. Douglas McIlroy)开发出用于娱乐的Core War游戏程序。由于这种游戏引起了系统的瘫痪,最终Core War游戏程序被终止使用(从此,程序自我复制理论沉睡了20年)。
• 60年代Conway设计出具有复制机制的"活的"程序。
• 1983年程序复制理论被UNIX操作系统的创始人之一、获得A.M.Turing奖的Ken Thompson公之于众。
• 1984年《科学美国人》出版,它详细讨论了Core War,同时包括有编写可自我复制的程序的信息。计算机病毒的研究在美国大学校园和计算机黑客(Harker)中得到了进一步发展。
• 1983年,Fred Cohen在作其博士论文时,开始着手研究计算机病毒传染性实现的可能性以及计算机病毒的预防问题。
• 1983年11月Fred Cohen在美国一个"计算机安全每周会议上"将这种能够寄生于其他程序之上且具有自身复制能力的程序实现的可能性问题出来,Len Adleman将其定名为计算机病毒。
• Fred Cohen于1984年全美计算机安全会议上争得同意又作了计算机病毒的传染实验,通过反复的实验验证了计算机病毒的传染性和真实存在性,从此这种能够自身复制自身并以其他程序为宿主的可执行的代码,冠以计算机病毒的名称为美国计算机安全界所了解。
• 1987年Fred Cohen在计算机与安全的第一期上发表了《计算机病毒:理论与实践》的文章,从此,专门讨论计算机病毒的文章出现了。

• Computational aspects of computer viruses。 Fred Cohen
  • Theorem. It is undecidable whether an arbitrary program contains a computer virus.
• An abstract theory of computer viruses. Leonard.M.Adleman
  • Theorem. It is undecidable whether an arbitrary program contains malicious logic.

Worm

• First,Nov 2,1998 Robert.T.Morris

  1. Exploit a buffer overflow in the “finger” daemon
  2. Use a back door left in the “sendmail” mail daemon
  3. Try a “dictionary attack” against local users' passwords. If successful, log in as them, and spread to other machines they can access without requiring a password

• 

Code Red Worm

• July 13 2001,Infected more than 250,000 systems in about 15 hours,Eventually infected 750,000

• An infected machine would:

  • Deface its home page
  • Launch attacks on other web servers (IIS or not)‏
  • Launch a denial-of-service attack on a handful of web sites, including www.whitehouse.gov
  • Installed a back door and a Trojan horse to try to prevent disinfection

  The Slammer Worm

  • 2004,First Example of "Warhol Worm"(A worm which can infect nearly all vulnerable machines in just 15 minutes)
  • Exploited a buffer overflow in Microsoft's SQL Server
  • A vulnerable machine could be infected with a single UDP packet!

  Email Worm

  • Email worm goes into a user’s contact/address book and chooses every user in that contact list.
  • It then copies itself and puts itself into an attachment; then the user will open the attachment and the process will start over again!

  Rootkits

  rootkit是攻击者用来隐藏自己的踪迹和保留root访问权限的工具

  Zero-Day Attacks

  Botnet

  networks that control vast networks of compromised computers, using them as nodes in a spam operation or stealing information from their owners.

Bot herder is the owner who centrally controlled the botnets.

Malware Zombies

Malware can turn a computer in to a zombie, which is a machine that is controlled externally to perform malicious attacks, usually as a part of a botnet.

Privacy-Invasive Software

user’s privacy or information that a user considers sensitive or valuable

Two forms of privacy-invasive software:

• Adware
• Spyware

What does spyware do?

• Installation of ‘keystroke logging’ program
• Hijack internet browser / homepage
• Track Internet-surfing habits
• Hogs system’s memory, CPU cycles & Internet bandwidth
• Creates its own files, cookies, DDLs, registry key…

Scareware

The selling approach uses social engineering to cause shock, anxiety, or the perception of a threat, generally directed at an unsuspecting user

Best Practices to safeguard against Malware

1. Try to limit software installations to systems that come from trusted sources
2. Avoid freeware and shareware
3. Avoid peer- to- peer ( P2P) music and video sharing systems
4. Install a network monitor that blocks the installation of known instances of privacy- invasive software or the downloading of web pages from known malware web sites.
5. Install a network firewall,
6. Use physical tokens, e. g., smartcards, or biometrics in addition to passwords for authentication,”Separation of Privilege”
7. Keep all software up- to- date.