Posts

Showing posts from February, 2019

Week 7 - Web Security

95% of all malware (both enterprise and consumer) is delivered via the Internet. The timeline of web-based malware delivery has changed rapidly in a short amount of time. Originally, phishing attacks were primarily redirections to fake websites. Over time, phishing got more sophisticated and browser-specific attacks became more common. Currently a lot of attacks remain in the browser and never write to disk, because at that point they would be detected by anti-virus software. The image below shows a basic timeline of web-based malware.

[Image: timeline of web-based malware. Source: lecture slides, Oregon State University CS373 Defense Against the Dark Arts]

In terms of web attacks on Windows, there are a couple of different malware injection points. From the top layer down: de-obfuscated content (the final rendered content) at the browser and extensions, JavaScript at the script engine, HTML (the DOM tree) also at the browser and extensions, raw HTML at WinInet and ETW/ETL, and HTTP at the HTTP proxy...

Week 6 - Network Security

Last week we were deep down in memory. This week we will start to work our way back up to a more familiar space: network security. Why is network security important? First and foremost, it can keep threats away from the host machine. However, it is also used to protect against threats from the network itself as well as threats coming in from the network (think DDoS attacks). There are many different protection strategies to try and prevent network attacks.

Positive Policy - This is also known as whitelisting. It is a list of expected behaviors on a network. By knowing what is expected, unexpected behaviors can be quickly identified.

Firewall - This is the machine that processes the list of expected vs. unexpected behaviors on the network. An analogy the lecturer used was an attack surface: the attack surface is the set of operations that the network is willing to respond to. Various zones of the network are created and identified (e.g. intranet, Int...

Week 5 - Windows Internals

This week we will be primarily focusing on rootkits. A rootkit is a piece of malware that conceals its activities and existence from the user. The ushering in of this new era of malware came into focus in 2006 when Sony released a disc to try and prevent copying of music. In this piece of software, any file whose name started with $sys$ was hidden from the user. Attackers saw the potential of this and adopted the method. The majority of rootkits operate in a 32-bit Windows environment; however, some rootkits target a 64-bit environment. Most rootkits are at the kernel level because at this level they have full access to and control of the system. The slide below is a nice illustration of what the computer architecture looks like and where rootkits are located.

[Slide: computer architecture and where rootkits sit. Slide source from lecture, OSU CS 373]

Definitions for this week:

thread - the smallest unit of execution within an operating system. The slide below has a nice demonstration of how a thread is executed.

hooking - redirecting...

Week 4 - Software Vulnerabilities and Common Exploits

There are two main components to hacking: finding "bugs" in software that allow the user to interact with a program in an unintended way, and configuration vulnerabilities (an example of a configuration vulnerability is a weak password). Hacking used to focus primarily on a company's perimeter systems (the parts of the system that are exposed to the internet), but as defenses against those types of attacks have improved, hackers are now targeting the internal systems, i.e. the system's users. Memory corruption is a key area that attackers examine to try and gain access to a system. The definition used by the lecturer this week is: "Accessing (reading/writing) memory (stack/heap) in an invalid (originally unintended) way which results in an undefined behavior (what we are looking to control)." There are four common categories of memory corruption: lifetime control, uninitialized memory, array index calculations, and buffer length calculations. A stan...