Malicious Software,Terminology of malicious programme,Malicious programs,Nature of Viruses,Virus Operation-four phases or life cycle of virus,Virus Structure,Types of Viruses,Anti-Virus Software

1. NETWORK SECURITY
Name of the Staff : M.FLORENCE DAYANA M.C.A.,M.Phil.,(Ph.D).,
Head, Dept. of CA
Bon Secours College For Women
Thanjavur.
Class : II MSc., CS
Semester : III
Unit : V
Topic : Malicious Software(Malware)
2/15/2019 1

2. Malicious Software
“Malicious software," malware refers to
software programs designed to damage or do
other unwanted actions on a computer
system.
Common examples of malware include
viruses,worms,trojan horses and spyware.

3. Terminology of malicious programme
Virus- attaches itself to a program and propogates copies of
itself to to other programs
Worm-program that propogates copies of itself to other
computers
Logic bomb-triggers when conditions occured
Trojan horse – program that contains unexpected additional
funcitionality
Kit(virus generator)-set of tools for generating new virus
automatically
Spammer-used to send large volumes of unwanted e-mail

4. Malicious programs
.
Independent –
Worm: automatic
propagation without
human assistance
• Host program–
Virus: human-
assisted propagation
(e.g., open email
attachment) –
Trojan: provides
desirable functionality
but hides malicious

5. Backdoor or Trapdoor
 Is a secret entry point into a program
 • A backdoor, which is also sometimes called a trapdoor, is a
hidden feature or command in a program that allows a user to
perform actions he or she would not normally be allowed to
do.
 • When used in a normal way, this program performs
completely as expected and advertised.
 • But if the hidden feature is activated, the program does
something unexpected, often in violation of security policies
 • example: Easter Eggs in DVDs and software ( is a hidden
message feature in an interactive work such as a computer
program, video game or DVD menu screen.

6. Logic Bomb
A logic bomb is a program that performs a
malicious action as a result of a certain logic
condition.
 •

7. Trojan Horse
 A Trojan horse is a useful program or
command procedure containing
hidden code when invoked some
unwanted function
 which is usually superficially
attractive
 eg game, s/w upgrade etc
• Crashing the computer or device.
• Modification or deletion of files.
• Data corruption.
• Formatting disks, destroying all
contents.
• Spreading malware across the
network.
• Spying on user activities and access
sensitive information

8. Zombie
 A zombie computer virus is a computer
that's been infected by a computer
virus or compromised by a hacker. It can
be controlled under remote direction to
perform criminal tasks, as well as infect
other computers with viruses.
often used to launch distributed denial of
service (DDoS) attacks being planted on
hundreds of computers belonging to
unsuspecting third parties, and then used
to overwhelm the target Web site by
launching an Internet traffic

9. Nature of Viruses
Virus is a piece of software that can “infect”
other programs by modifying them
the modification includes a copy of the virus
program, which can then go on to infect other
programs. It can be compared to biological
viruses,
carries code to make copies of itself
as well as code to perform some covert task
Once a virus is executing, it can perform any function,
such as erasing files and programs.

10. Virus Operation-four phases or life cycle of
virus
• • Dormant phase: virus is idle, waiting
for trigger event (eg date, program or
file , disk capacity). Not all viruses have
this stage
• • Propagation phase: virus places a
copy of itself into other programs /
certrain system areas on the disk
• • Triggering phase: virus is activated by
some trigger event to perform
intended function (ie) counting no. of
times)
• • Execution phase: desired function
such as messages on the screen,
damaging the programs and data files.

11. A Compression virus

12. Virus Structure
A virus can be preponded or postponded to an
executable program or it can be embedded
with some other fashion.
program V := // the first line is main virus program
{goto main;
1234567;
subroutine infect-executable := {loop:
file := get-random-executable-
file;
if (first-line-of-file = 1234567)
then goto loop
else prepend V to file; }
subroutine do-damage := {whatever damage is to
be done}
subroutine trigger-pulled := {return true if
condition holds}
main: main-program := {infect-executable;
if trigger-
pulled then do-damage;
goto next;}
next:
}
The second line is a special
marker for infected programs.
The main virus program first
seeks out uninfected
executable files and infects
them.
Finally, the virus transfers
control to the original program
This type of virus can be
detected because the length
of the program changes.
More sophisticated variants
attempt to hide their presence
better, by for example,
compressing the original
program.

13. Types of Viruses
• Parasitic virus: traditional and still most common form of virus, it attaches itself to
executable files and replicates when the infected program is executed
• • Memory-resident virus: Lodges in main memory as part of a resident system
program, and infects every program that executes
• • Boot sector virus: Infects a master boot record and spreads when a system is
booted from the disk containing the virus
• • Stealth virus: a virus explicitly designed to hide itself from detection by antivirus
software
• • Polymorphic virus: mutates with every infection, making detection by the
“signature”of the virus impossible.
• • Metamorphic virus: mutates with every infection, rewriting itself completely at
each iteration changing behavior and/or appearance, increasing the difficulty of
detection.

14. Macro Virus
 macro virus attached to some data file
 interpreted by program using file
 eg Word/Excel macros
 esp. using auto command & command macros
 This is platform independent
 Macro viruses take advantage of the macro feature
found in Word and other office applications.
 A macro is an executable program embedded in a
word processing document or other type of file
 have improving security in Word etc

15. Email Virus
 spread using email with attachment containing a
macro virus
 The first rapidly spreading e-mail viruses
 or worse even when mail viewed by using scripting
features in mail agent
 usually targeted at Microsoft Outlook mail agent &
Word/Excel documents
 need better O/S & application security

16. Worms
 A worm is a program that can replicate itself and
send copies from computer to computer across
network connections.
 using users distributed privileges or by exploiting
system vulnerabilities
 a network worm can behave as a computer virus or
bacteria, or it could implant Trojan horse programs
or perform any number of disruptive or destructive
actions.

17. Virus, Worm and Trojan - Differentiation
• A computer virus attaches itself to program or file enabling it to
spread from one computer to another, leaving infections as it
travels.
• A worm is similar to a virus by design and is considered to be a
sub-class of a virus. Worms spread from computer to computer,
but unlike a virus, it has the capability to travel without any
human action.
• A Trojan Horse is full of as much trickery as the mythological
Trojan Horse it was named after. The Trojan Horse, at first glance
will appear to be useful software but will actually do damage
once installed or run on your computer.

18. Morris Worm
best known classic worm
released by Robert Morris in 1988
targeted Unix systems
using several propagation techniques
simple password cracking of local pw file
exploit bug in finger protocol
exploit debug trapdoor in send mail

19. Worm Technology
• •Multiplatform: not limited to Windows, can attack a variety
of O/S’s, esp UNIX.
• • Multiexploit: penetrate systems in a variety of ways that
exploits like web browsers, web servers, file sharing
• • Ultrafast spreading: using prior internet connection scan to get
addresses of vulnerable machines
• • Polymorphic: skip past filters and foil real time analysis
• • Metamorphic: change both appearance & behavior patterns
• • Transport vehicles: to spread other distributed attack tools, eg
zombies
• • Zero-day exploit: exploit general network community

20. Anti-Virus Software
 first-generation
 Simple scanner uses virus signature to identify virus
 or change in length of programs
 second-generation
 uses heuristic scanner rules to spot viral infection
 or uses crypto hash of program to spot changes
 third-generation
 memory-resident programs identify virus by actions rather
than a structure
 fourth-generation
 Full featured protection using packages with a variety of
antivirus techniques
 arms race continues- a more comprehensive defense strategy
is employed

21. Advanced Anti-Virus Techniques
 Generic Decryption (GD) technology enables the
antivirus program to easily detect even the most
complex polymorphic viruses, while maintaining fast
scanning speeds, using a CPU simulator to scan
program for virus signatures & to monitor its
behavior before actually running
 There are three elements:
1. CPU emulator -a s/w based virtual computer
2. Virus signature scanner-scan the virus signature
3. Emulation control module-control the execution

22. Digital Immune System
typical steps in digital immune system operation:
1. A monitoring program on each PC uses a
variety of heuristics based on system behavior,
suspicious changes to programs, or family
signature to infer that a virus may be present, &
forwards infected programs to an
administrative machine
2. The administrative machine encrypts the
sample and sends it to a central virus analysis
machine
3. This machine creates an environment in which
the infected program can be safely run for
analysis to produces a prescription for
identifying and removing the virus
4. The resulting prescription is sent back to the
administrative machine
5. The administrative machine forwards the
prescription to the infected client
6. The prescription is also forwarded to other
clients in the organization
7. Subscribers around the world receive regular
antivirus updates that protect them from the