Malicious Software
Upcoming SlideShare
Loading in...5
×
 

Malicious Software

on

  • 4,038 views

 

Statistics

Views

Total Views
4,038
Views on SlideShare
4,038
Embed Views
0

Actions

Likes
0
Downloads
167
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • Malicious Software : This produces intentional flaws in the programs. Developed by attacker to probe the computer system in an unauthorized way.
  • Malicious Software is of different types: Viruses – Traditionally divided into two types : Boot sector viruses, File viruses. Rabbit Hoaxes Trojan Horse – e.g., Time Bomb and Logic Bomb. Spyware Trapdoor Worms
  • Viruses: Programs that spread malicious code to other programs by modifying them. Communications networks, such as the Internet, offer the viruses a good base for spreading worldwide. Viruses can weaken the availability, integrity and confidentiality of the data; in other words, they can destroy, change or alter the data. Viruses can also slow or hamper other operations of the systems. Some viruses may cause random damage to data files or attempt to destroy files and disks. Others cause unintended damage. Even benign viruses (apparently non-destructive viruses) cause significant damage by occupying disk space and/or main memory, by using up CPU processing time, and by the time and expense wasted in detecting and removing them. Properties desired from virus: Hard to detect. Hard to destroy or deactivate. Spread widely. Able to re-infect. Platform independent. Easy to create.
  • Rabbit : Their sole purpose is to replicate themselves. A typical rabbit program may do nothing more than execute two copies of itself simultaneously on multiprogramming systems, or perhaps create two new files, each of which is a copy of the original source file of the rabbit program. Both of those programs then may copy themselves twice, and so on. Rabbit reproduce exponentially, eventually taking up all the processor capacity, memory, or disk space, denying the user access to those resources.
  • Hoaxes can be, for example, false alerts of spreading viruses. They can appear in the form of chain letters. Hoaxes are based on the assumption that information contained in a message is of such kind that the recipient will almost certainly forward it. This again can block the systems because so many users are sending e-mails at the same time thus loading the network resources.
  • Trojan Horse : This program appears to do something non-malicious. Trojan Horse programs are advertised to perform one function while, in fact, they perform a different function. This alternate, or secondary, function usually performs a covert action such as stealing user passwords. While the secondary function always executes in some manner, the advertised functionality may not necessarily exist. Trojan Horse programs that wish to function in a concealed manner, however, will perform their advertised task so as not to arouse suspicion. A common example of this is a system's user login program that not only authenticates users, but also records a user's plaintext password for use in future, unauthorized access. As Trojan Horses are neither self-replicating nor self-propagating , user assistance is required for infection. This occurs by user installing and executing programs that are infected with a Trojan Horse.
  • Trojan traditionally classified into two major categories: Time Bomb : A "time bomb" is simply a Trojan horse set to trigger at a particular time/date. Logic Bomb : A "logic bomb" is a Trojan horse set to trigger upon the occurrence of a particular logical event. An example of a logic bomb is a "letter bomb”, contained in electronic mail and triggered when the mail is read. 
  • Trapdoor: A trapdoor or backdoor is a feature in a program by which it can be accessed by someone using some means other than the obvious direct call, perhaps with special privileges. Key characteristics of a trap door: Since it is installed within the controlling portion of the system (e.g., operating system) and is therefore capable, it circumvents the normal control features of a system.  Another key characteristic is that a trap door is exercised under the direct control of an activation stimulus.    e.g., As the name implies, trap doors have a means of activation (like the latch on a door).  This activation key is under the direct control of the attacker.  A simple example of an activation key is a special sequence of characters that is typed into a terminal.  A software trap door program, embedded in the operating system code, can recognize this key and allow the user of the terminal special privileges.  This is done by the software circumventing the normal control features of the system.
  • Undetectable Trapdoor : The attacker can construct the trap door in such a manner as to make it virtually undetectable to even suspecting investigators.  Hardware Trapdoor : A major concern in computer security dealt with security-related hardware flaws.  The fear is that, processor hardware might fail in such a way that the processor would keep running but that security-related hardware checks would no longer be made.  For example, the failed hardware might allow a privileged instruction to be executed from a user program. 
  • Worms : A virus that spreads over a network and can run independently. A worm is very much like a virus in that it replicates itself and attacks a system with the potential to do irrecoverable damage. Unlike a virus, a worm is a stand-alone program that infects a computer system and infects other computers only through network connections. Once a worm infects a system, it actively seeks out connections to other computers and copies itself onto these systems. In addition to propagating from one computer system to another computer system, worms often perform malicious action. And such a malicious activity is not limited to just deletion of files. Since the computers are connected via a computer network, the worm can communicate information back to the author regarding such things as user passwords, network service information, and even proprietary research or information. Further a worm may be able to completely disrupt normal operations on a computer, thus causing denial of service attack. This often occurs when a worm does not check a system to see if it has already been infected and multiple worm programs execute on one computer system. Difference between Worms & Viruses : The difference is that unlike viruses, worms exist as separate entities. They do not attach themselves to other files or programs.
  • Infection by Worms : Before a system can become infected with a worm, the worm must be created. Creating a worm is a more difficult task. For a worm to properly function, the author must be knowledgeable with communication protocols, network system vulnerabilities, and operating system details such as file locations, file contents, and file manipulation. Once a worm has been created and testes, it can be released to attack and infect computer systems. By taking advantage of trusted host lists (e.g., UNIX .rhosts files), a worm would be capable of quickly infecting numerous systems. In the event that trusted host lists are unavailable, many worms will attempt to penetrate a system by guessing passwords. When both password guessing and trusted host accessing fails, a worm may attempt to exploit (widely) known security holes. This technique requires a worm's author to be very familiar with the inner-workings of a computer network services: an author must understand both how network services work and how they may be exploited to install a worm. An example of one such incident where this knowledge was used is the widely known Internet Worm. 
  • Virus infected file gets bigger because virus code embeds itself into the original program (which it is infecting) in any one of these places: Starting of the program End of the program In-between the program code – scattered with-in the program code so difficult to detect and remove, but equally difficult to design.

Malicious Software Malicious Software Presentation Transcript

    • Malicious Software
    • By
    • Kavita Khanna
    • ( [email_address] )
    • &
    • Himani Singh
    • ( [email_address] )
    • (CS-265, Fall-2003)
    • Malicious Software – “Presentation Outline”
    • What is malicious software?
    • Categories of malicious software.
    • Different malicious software – viruses, worms, Trojan Horse etc.
    • More description about viruses :
    • Desirable properties of viruses.
    • Identifying infected files and programs.
    • Where do viruses reside.
    • Identifying and detecting viruses – virus signature.
    • Effect of Virus attack on computer system.
    • Protection against attacks by malicious software – preventing infection.
    • References.
  • What is Malicious Software:
    • Software deliberately designed to harm
    • computer systems.
    • Malicious software program causes undesired actions in information systems.
    • Spreads from one system to another through:
    • E-mail (through attachments)
    • Infected floppy disks
    • Downloading / Exchanging of corrupted files
    • Embedded into computer games
  • Malicious Software - Categories Malicious Software Viruses Trapdoor Worms Spyware Trojan Horse Hoaxes Rabbit Time Bomb Logic Bomb Boot Viruses File Viruses
  • Types of Malicious Software
    • Virus : These are the programs that spread to other software in the system .i.e., program that incorporates copies of itself into other programs.
    • Two major categories of viruses:
    • Boot sector virus : infect boot sector of systems.
    • become resident.
    • activate while booting machine
    • File virus : infects program files.
      • activates when program is run.
  • Categories of Viruses
    • Polymorphic
    • Virus
    • Produces
    • modified & fully
    • operational code.
    • Produces new
    • & different code
    • every time when
    • virus is copied &
    • transmitted to a
    • new host.
    • Difficult to
    • detect & remove.
    • Stealth
    • Virus
    • Programming
    • tricks make the
    • tracing and
    • understanding
    • the code difficult.
    • Complex
    • programming
    • methods used to
    • design code, so
    • difficult to repair
    • infected file.
    • Armored
    • Virus
    • Hides
    • modifications it
    • has made to
    • files or to the
    • disk.
    • Reports
    • false values to
    • programs as
    • they read files
    • or data from
    • storage media. 
    • Companion
    • Virus
    • Creates new
    • program instead
    • of modifying
    • existing program.
    • Contains all
    • virus code.
    • Executed by
    • shell, instead of
    • original program.
    • Rabbit : This malicious software replicates itself without limits. Depletes some or all the system’s resources.
    • Re-attacks the infected systems – difficult recovery.
    • Exhausts all the system’s resources such as CPU time, memory, disk space.
    • Depletion of resources thus denying user access to those resources.
    • Hoaxes : False alerts of spreading viruses.
    • e.g., sending chain letters.
    • message seems to be important to recipient, forwards it to other users – becomes a chain.
    • Exchanging large number of messages (in chain) floods the network resources – bandwidth wastage.
    • Blocks the systems on network – access denied due to heavy network traffic.
    • Trojan Horse : This is a malicious program with unexpected additional functionality. It includes harmful features of which the user is not aware.
    • Perform a different function than what these are advertised to do (some malicious action e.g., steal the passwords).
    • Neither self-replicating nor self-propagating.
    • User assistance required for infection.
    • Infects when user installs and executes infected programs.
    • Some types of trojan horses include Remote Access Trojans (RAT), KeyLoggers, Password-Stealers (PSW), and logic bombs.
    • Transmitting medium :
    • spam or e-mail
    • a downloaded file
    • a disk from a trusted source
    • a legitimate program with the Trojan inside.
    • Trojan looks for your personal information and sends it to the Trojan writer (hacker). It can also allow the hacker to take full control of your system .
    • Different types of Trojan Horses :
    • 1. Remote access Trojan takes full control of your
    • system and passes it to the hacker.
    • 2. The data-sending Trojan sends data back to the hacker by means of e-mail.
    • e.g., Key-loggers – log and transmit each keystroke.
    • The destructive Trojan has only one purpose: to destroy and delete files. Unlikely to be detected by anti-virus software.
    • The denial-of-service (DOS) attack Trojans combines computing power of all computers/systems it infects to launch an attack on another computer system. Floods the system with traffic, hence it crashes.
    • The proxy Trojans allows a hacker to turn user’s computer into HIS (Host Integration Server) server – to make purchases with stolen credit cards and run other organized criminal enterprises in particular user’s name.
    • The FTP Trojan opens port 21 (the port for FTP transfer) and lets the attacker connect to your computer using File Transfer Protocol (FTP).
    • The security software disabler Trojan is designed to stop or kill security programs such as anti-virus software, firewalls, etc., without you knowing it.
    • Spyware :
    • Spyware programs explore the files in an information system.
    • Information forwarded to an address specified in Spyware.
    • Spyware can also be used for investigation of software users or preparation of an attack.
    • Trapdoor : Secret undocumented entry point to the program.
    • An example of such feature is so called back door , which enables intrusion to the target by passing user
    • authentication methods.
    • A hole in the security of a system deliberately left in place by designers or maintainers. 
    • Trapdoor allows unauthorized access to the system.
    • Only purpose of a trap door is to "bypass" internal controls.  It is up to the attacker to determine how this circumvention of control can be utilized for his benefit.
    • Types of Trapdoor
    Undetectable Trapdoor Virtually undetectable. Hardware Trapdoor Security-related hardware flaws.
    • Worms :
    • program that spreads copies of itself through a
    • network. 
    • Does irrecoverable damage to the computer system.
    • Stand-alone program, spreads only through network.
    • Also performs various malicious activities other than spreading itself to different systems e.g., deleting files.
    • Attacks of Worms:
    • Deleting files and other malicious actions on systems.
    • Communicate information back to attacker e.g., passwords, other proprietary information.
    • Disrupt normal operation of system, thus denial of service attack (DoS) – due to re-infecting infected system.
    • Worms may carry viruses with them.
    • Means of spreading Infection by Worms :
    • Infects one system, gain access to trusted host lists on infected system and spread to other hosts.
    • Another method of infection is penetrating a system by guessing passwords.
    • By exploiting widely known security holes, in case, password guessing and trusted host accessing fails.
    • e.g., A well-known example of a worm is the ILOVEYOU
    • worm, which invaded millions of computers through
    • e-mail in 2000.
    • VIRUSES – More Description
    • Desirable properties of Viruses :
    • Virus program should be hard to detect by
    • anti-virus software.
    • Viruses should be hard to destroy or deactivate.
    • Spread infection widely.
    • Should be easy to create.
    • Be able to re-infect.
    • Should be machine / platform independent, so that it can spread on different hosts.
    • Detecting virus infected files/programs :
    • Virus infected file changes – gets bigger.
    • Modification detection by checksum :
    • > Use cryptographic checksum/hash function
    • e.g., SHA, MD5.
    • > Add all 32-bit segments of a file and store the sum
    • (i.e., checksum).
    • Identifying Viruses :
    • A virus is a unique program.
    • It as a unique object code.
    • It inserts in a deterministic manner.
    • The pattern of object code and where it is inserted provides a signature to the virus program.
    • This virus signature can be used by virus scanners to identify and detect a particular virus.
    • Some viruses try to hide or alter their signature:
    • Random patterns in meaningless places.
    • Self modifying code – metamorphic, polymorphic viruses.
    • Encrypt the code, change the key frequently.
    • Places where viruses live :
    • Boot sector
    • Memory resident
    • Disk – Applications and data stored on disk.
    • Libraries – stored procedures and classes.
    • Compiler
    • Debugger
    • Virus checking program infected by virus – unable to detect that particular virus signature.
    • Effect of Virus attack on computer system
    • Virus may affect user’s data in memory – overwriting.
    • Virus may affect user’s program – overwriting.
    • Virus may also overwrite system’s data or programs – corrupting it – disrupts normal operation of system.
    • “ Smashing the Stack” – Buffer overflow due to execution of program directed to virus code.
    • Preventing infection by malicious software :
    • Use only trusted software, not pirated software.
    • Test all new software on isolated computer system.
    • Regularly take backup of the programs.
    • Use anti-virus software to detect and remove viruses.
    • Update virus database frequently to get new virus signatures.
    • Install firewall software, which hampers or prevents the functionality of worms and Trojan horses.
    • Make sure that the e-mail attachments are secure.
    • Do not keep a floppy disk in the drive when starting a program, unless sure that it does not include malicious software, else virus will be copied in the boot sector.
  • References:
    • Webopedia.com. Trojan Horse. Retrieved Nov 8, 2003 from website: http:// www.webopedia.com/TERM/T/Trojan_horse.html
    • Staffordshire University, Information & Security Team (Jun 8,
    • 2002). Information Systems Security Guidelines. Retrieved
    • Nov 10, 2003 from website:
    • http://www.staffs.ac.uk/services/information_technology/regs/security7.shtm
    • M.E.Kabay, Norwich University, VT (2002). Malicious Software. Retrieved Nov 9, 2003 from website:
    • http://www2.norwich.edu/mkabay/cyberwatch/09malware.htm
    • Computer Emergency Response Team (CERT), Information Security (Jul 2, 2002). Malicious Software – general. Retrieved Nov 10, 2003 from
    • website: http://www.ficora.fi/englanti/tietoturva/haittaohj.htm
  • References Cont...
    • Rutgers, New Jersey (Oct 10, 2003). Trojan Horses. Retrieved Nov 10, 2003 from website: http:// netsecurity.rutgers.edu/trojan.htm
    • Dr. Roger R. Schell, Monterey CA (Apr 24, 2000). Malicious Software.
    • Retrieved Nov 11, 2003 from website: www.sp.nps.navy.mil
    • Edward F. Gehringer. Computer Abuse – Worms, Trojan Horses, Viruses. Retrieved Nov 12, 2003 from website:
    • http://legacy.eos.ncsu.edu/eos/info/computer_ethics/abuse/wvt/study.html
    • Bullguard.com Computer Viruses. Retrieved Nov12, 2003 from website:
    • http://www.bullguard.com/antivirus/vi_info.aspx
    • Google.com. Program Security. Retrieved Nov 12, 2003 from website:
    • http://www.sm.luth.se/csee/courses/smd/102/lek6-6.pdf .