2. Contents
O What is Malware?
O Brain Virus
O Morris Worm
O Code Red
O SQL Slammer
O Trojan
O Malware Detection
O Future of Malware
3. What is Malware?
O Malicious software: any program, such as a virus, that is
specifically designed to disrupt or damage a computer system, or to
gain unauthorised access to it.
O Different kinds of malware infect a system in entirely different
ways, so they are classified by how they get in and how they spread.
O General categories of malware:
O Virus: attaches itself to a host program or a boot sector and
spreads when the host is run or the disk is used.
O Worm: a stand-alone program that spreads across the network on its own.
O Trojan horse: a program that looks useful or harmless but carries a
hidden malicious function; it does not replicate by itself.
O Trapdoor (backdoor): a hidden way of bypassing normal authentication.
O Rabbit: a program that copies itself without limit on one machine until
it exhausts memory, disk or process slots.
4. Brain Virus
O The first PC virus, released in 1986.
O Not malicious: it did no deliberate damage, but it was annoying.
O Installed itself in the boot sector of floppy disks, moving the original
boot sector elsewhere and marking the sectors it used as bad.
O Intercepted disk reads so that a program looking at the infected boot
sector was shown the original one (an early stealth technique).
O Any floppy accessed from an infected machine was infected in turn, so the
virus kept reinstalling itself on new disks.
5. Morris Worm
O Released on 2 November 1988: the first major Internet worm, and the
incident that changed how seriously the world took network security.
O Written by Robert Tappan Morris, then a graduate student at Cornell
University. It did not spread by e-mail: it exploited a debug option in
sendmail, a buffer overflow in fingerd, and rsh/rexec trust relationships
combined with password guessing.
O Morris's worm ran out of control because its re-infection check was
faulty: it re-infected hosts that already carried a copy, so machines filled
up with worm processes and slowed to a halt.
O Main three procedures of this worm:
O Determine whether it could spread to a given target.
O Spread the infection when possible.
O Remain undiscovered.
O Written in C; it infected roughly 6,000 machines, about a tenth of the
Internet of 1988, with an impact compared at the time to a nuclear attack on
the network.
6. Code Red
O July 2001: infected about 250,000 hosts in 10 to 15 hours.
O Even so, it reached only about 750,000 of an estimated 6,000,000
susceptible systems worldwide.
O Gained access through a buffer overflow in the Indexing Service ISAPI
extension of Microsoft IIS web servers, triggered by a single overlong
HTTP GET request.
O Its behaviour depends on the day of the month:
O Day 1-19: spread (probe random IP addresses for more IIS servers).
O Day 20-27: DDoS (flood a fixed target address).
O Day 28 onward: sleep.
O A copycat variant (Code Red II) reboots the infected system, which
flushes the memory-resident worm, but it leaves a backdoor behind.
7. SQL Slammer
O Appeared on 25 January 2003: infected about 75,000 hosts within 10
minutes, doubling its population every 8.5 seconds at its peak.
O Web browsing and e-mail played no part: it exploited a buffer overflow in
the SQL Server 2000 Resolution Service (UDP port 1434), so any reachable
unpatched SQL Server or MSDE installation was infected by one packet.
O Each infected host simply generated random IP addresses and sent the
packet to them as fast as it could, with no target list at all.
O Burned up bandwidth: its spread was limited only by how fast infected
hosts could transmit, and the flood of probes took routers and whole
networks down.
O The entire worm was 376 bytes, small enough to fit in a single UDP
packet: no connection set-up, no handshake, nothing to wait for. The small
size was about speed, not firewall evasion; blocking UDP port 1434 at the
firewall was in fact the main defence.
8. Trojan Horse
O Named after the wooden horse of Greek legend: something that looks
harmless, or even useful, and carries a hidden payload.
O It is a click-to-launch application: the user runs it. A Trojan does not
replicate by itself, so strictly speaking it is not a virus.
O A Trojan visually looks like a simple file (mp3, Word, PowerPoint etc.),
but opening it runs the hidden code, which may in turn install a virus, a
backdoor or other malware.
O A Trojan is simple to design and its strength can be altered at will,
because the payload can be anything.
O Best example: the USB "shortcut virus", a.k.a. the autorun virus, which
hides the real folders on a removable drive and replaces them with
same-named shortcuts that run the malware before opening the folder.
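The shortcut-virus trick above leaves two traces a scanner can look for: an autorun.inf that launches a program, and .lnk shortcuts that shadow a real folder or document of the same name. The following script checks a mounted drive for both. It is an added example, not code from the presentation; the drive layout is constructed in a temporary directory and the payload name x.vbs is a hypothetical placeholder.

```python
"""Scan a removable drive for the USB "shortcut virus" pattern.

Added example, not code from the original presentation.  Two checks:
  1. an autorun.inf whose [autorun] section launches a program on insertion
     (the 'open' / 'shellexecute' directives), and
  2. .lnk shortcuts that shadow a real folder or document of the same name,
     which is how the worm tricks the user into launching it.
The drive layout is constructed in a temporary directory; the payload name
x.vbs is a hypothetical placeholder, not a real sample.
"""
import configparser
import os
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")


def autorun_findings(root):
    """Return the autorun.inf directives that would run a program on insertion."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    with open(path, encoding="utf-8", errors="ignore") as fh:
        parser.read_string(fh.read())
    if not parser.has_section("autorun"):
        return []
    # ConfigParser lower-cases keys, so 'ShellExecute' and 'shellexecute' both match.
    return [f"autorun.inf: {key}={value}"
            for key, value in parser.items("autorun") if key in LAUNCH_KEYS]


def shortcut_findings(root):
    """Return .lnk files whose name (minus .lnk) matches a sibling folder or file."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        real_names = {n.lower() for n in dirnames}
        real_names |= {n.lower() for n in filenames if not n.lower().endswith(".lnk")}
        for name in filenames:
            if name.lower().endswith(".lnk") and name[:-4].lower() in real_names:
                findings.append(os.path.join(dirpath, name))
    return sorted(findings)


def scan_drive(root):
    """All findings for a mounted drive root, autorun directives first."""
    return autorun_findings(root) + shortcut_findings(root)


def build_sample_drive():
    """Construct a fake infected-stick layout (constructed sample, no real malware)."""
    root = tempfile.mkdtemp(prefix="usb_")
    os.makedirs(os.path.join(root, "Photos"))        # real folder, hidden on Windows
    os.makedirs(os.path.join(root, "Music"))         # untouched folder
    files = {
        "autorun.inf": "[autorun]\nopen=x.vbs\nicon=Photos.ico\n",
        "Photos.lnk": "stub",                        # shortcut shadowing the Photos folder
        "report.docx": "document",                   # real document
        "report.docx.lnk": "stub",                   # shortcut shadowing the document
        "Readme.lnk": "stub",                        # ordinary shortcut, nothing shadowed
    }
    for name, text in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    for finding in scan_drive(build_sample_drive()):
        print("suspicious:", finding)
```

On a real drive the shadowed folders also carry the hidden and system attributes; the name collision alone is enough to flag them on any platform, and a lone shortcut with nothing to shadow (Readme.lnk here) is left alone.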
9. Malware Detection
O Three main methods:
O Signature detection
O Change detection
O Anomaly detection
O Signature Detection:
O Every copy of a particular virus has some byte sequence in common; the
scanner extracts that sequence (the signature) and searches files for it.
O Minimum burden on the user: the scanner does the work and the user only
acts on its alerts.
O Problems:
O Can only detect viruses whose signatures are already known; a new virus,
or a slightly modified old one, is missed until its signature is added.
O A signature that also matches legitimate data produces a false positive,
and a scanner set to delete on detection may remove important files.
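Signature scanning and both of its problems in a few lines of Python. This is an added example, not code from the presentation: the signature database and the four sample files are constructed stand-ins, not real malware.

```python
"""Signature detection over a set of files, plus the two failure modes listed
above.  Added example, not code from the original presentation: the signature
database and the sample files are constructed stand-ins, not real malware.
"""
import re

# Constructed signature database: name -> byte pattern.  A real engine holds
# millions of these and matches them all in one pass (e.g. Aho-Corasick).
SIGNATURES = {
    # Anchored on the 'MZ' executable header, then 4 arbitrary bytes, then a marker.
    "Sample.Dropper": re.compile(rb"MZ.{4}DROPPER_V1", re.DOTALL),
    # A plain string lifted from a sample's download routine.
    "Sample.Downloader": re.compile(rb"GET /payload\.bin HTTP/1\.0"),
}


def scan_bytes(data):
    """Names of all signatures found in one file's contents."""
    return sorted(name for name, pattern in SIGNATURES.items() if pattern.search(data))


def scan_files(files):
    """files: {filename: bytes}.  Returns only the files that matched something."""
    report = {}
    for name, data in files.items():
        hits = scan_bytes(data)
        if hits:
            report[name] = hits
    return report


# Constructed sample files (not real malware).
SAMPLE_FILES = {
    # Known dropper: header + 4 bytes + marker, matches Sample.Dropper.
    "invoice.exe": b"MZ\x90\x00\x03\x00DROPPER_V1" + b"\x00" * 16,
    # Known downloader, matches Sample.Downloader.
    "update.exe": b"MZ" + b"\x00" * 6 + b"GET /payload.bin HTTP/1.0\r\n",
    # Same downloader with one byte changed in the URL: an unknown variant, missed.
    "variant.exe": b"MZ" + b"\x00" * 6 + b"GET /payload2.bin HTTP/1.0\r\n",
    # An analyst's notes quoting the request line: a false positive that a
    # scanner set to delete on detection would remove.
    "notes.txt": b"captured request: GET /payload.bin HTTP/1.0 from 10.0.0.5\n",
}


def demo():
    return scan_files(SAMPLE_FILES)


if __name__ == "__main__":
    for filename, hits in demo().items():
        print(f"{filename}: {', '.join(hits)}")
```

variant.exe shows the first problem (a one-byte change defeats the signature) and notes.txt the second (a text file that merely quotes the string is flagged). Anchoring a signature on structure, as Sample.Dropper does with the MZ header, is one way to cut the false positives.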
10. O Change Detection:
O An unexpected change in a file indicates a possible infection.
O Implemented with a cryptographic hash function: record the hash of every
file while the system is known to be clean, then periodically recompute the
hashes and compare. The stored hashes must be kept where the malware cannot
alter them.
O Advantages:
O Virtually no false negatives: any change to a watched file is noticed.
O Detects previously unknown malware, because no signature is needed.
O Disadvantages:
O Many false positives: files also change for legitimate reasons (updates,
logs, documents being edited).
O Heavy burden on the user, who has to decide whether each reported change
is harmless.
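A minimal file-integrity checker of the kind just described, as an added example that is not the presentation's code. The directory tree and the day's changes are constructed in a temporary directory; bin/app stands in for any program file an infector would modify.

```python
"""Change detection with a hash baseline.  Added example, not code from the
original presentation: the directory tree and the 'day's changes' are
constructed in a temporary directory; 'bin/app' stands in for any program
file an infector would modify.
"""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """{relative path: sha256} for every file under root."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Classify every difference between two baselines.
    The stored baseline must live where the malware cannot rewrite it
    (read-only media, another host), or an infector just updates the hashes too."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def write(root, rel, data):
    """Append data to root/rel, creating parent directories as needed."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "ab") as fh:
        fh.write(data)


def make_sample_tree():
    """Constructed clean system: a program, its config and a log file."""
    root = tempfile.mkdtemp(prefix="fim_")
    write(root, "bin/app", b"MZ" + b"\x00" * 32)
    write(root, "etc/app.conf", b"port=8080\n")
    write(root, "var/log/app.log", b"started\n")
    return root


def simulate_day(root):
    """Constructed changes: one infection, one legitimate log write, one new file."""
    write(root, "bin/app", b"VIRUS")               # infector appends itself to the program
    write(root, "var/log/app.log", b"request\n")   # normal activity: a false positive
    write(root, "tmp/.x", b"dropped")              # new file: a human has to judge it


def demo():
    root = make_sample_tree()
    before = build_baseline(root)
    simulate_day(root)
    return compare(before, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The report catches the infected program with no signature at all, but it lists the log file right beside it; telling the two apart is the user burden the slide refers to, and in practice the watch list is restricted to files that should never change (binaries, libraries, boot code).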
11. O Anomaly Detection:
O The same idea as anomaly-based intrusion detection systems (IDS): build a
profile of normal behaviour (file changes, network connections, system
calls) and flag activity that deviates from it.
O The difficult part is making the system understand what "normal" is
without producing constant false alarms.
O It can detect previously unknown malware, since nothing about the malware
itself needs to be known in advance.
O An attacker who knows the baseline can adapt: malware that acts slowly
enough to stay inside "normal", or that is already active while the
baseline is learned, is not flagged.
O This detection is therefore not used stand-alone; it is always combined
with one of the two methods above.
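A concrete version of the profile-and-threshold idea, added here as an example and not taken from the presentation. The log lines are constructed: a training window of normal outbound connections from one host, then a test window containing a scanning burst and an attacker that paces itself to stay under the threshold. The profile is the simplest possible, connections per minute against a mean and standard deviation; a real IDS profiles many more features.

```python
"""Anomaly detection over outbound-connection logs.  Added example, not code
from the original presentation.  The log lines are constructed: a training
window of normal activity for host 10.0.0.5, then a test window containing a
scanning burst and a deliberately slow attacker.  Detection is the simplest
profile possible, connections per minute against a mean/standard-deviation
baseline; real IDS profiles cover many more features.
"""
import statistics
from collections import Counter


def expand(counts_per_minute):
    """Turn {"HH:MM": n} into n constructed log lines for that minute."""
    lines = []
    for minute, n in sorted(counts_per_minute.items()):
        for i in range(n):
            lines.append(f"2024-01-01T{minute}:{i % 60:02d} 10.0.0.5 -> 203.0.113.{i % 250 + 1}:445")
    return lines


def per_minute(lines):
    """Connection count per minute; the timestamp's HH:MM sits at columns 11-16."""
    return dict(sorted(Counter(line[11:16] for line in lines).items()))


def learn_baseline(lines):
    """Profile 'normal' as the mean and standard deviation of the per-minute counts.
    Whatever is in this window is normal by definition: if the malware is
    already active here, its traffic is learned as normal too."""
    counts = list(per_minute(lines).values())
    return statistics.mean(counts), statistics.pstdev(counts) or 1.0


def detect(lines, baseline, z_threshold=3.0):
    """Minutes whose count lies more than z_threshold standard deviations above the mean."""
    mean, sd = baseline
    return [m for m, n in per_minute(lines).items() if (n - mean) / sd > z_threshold]


# Constructed training window: 20 quiet minutes (mean 4.45, sd about 1.24,
# so the alert threshold works out at just over 8 connections per minute).
TRAIN_LINES = expand({
    "10:00": 3, "10:01": 5, "10:02": 4, "10:03": 6, "10:04": 2,
    "10:05": 5, "10:06": 4, "10:07": 7, "10:08": 3, "10:09": 5,
    "10:10": 4, "10:11": 6, "10:12": 5, "10:13": 3, "10:14": 4,
    "10:15": 6, "10:16": 5, "10:17": 4, "10:18": 3, "10:19": 5,
})

# Constructed test window: a worm probing 60 hosts in one minute, then an
# attacker pacing itself at 8 connections per minute, just under the threshold.
TEST_LINES = expand({"10:40": 60, "10:41": 8, "10:42": 5})


def demo():
    return detect(TEST_LINES, learn_baseline(TRAIN_LINES))


if __name__ == "__main__":
    print("anomalous minutes:", demo())
```

The burst at 10:40 is flagged with no knowledge of the worm, which is the method's strength; the attacker at 10:41 sits at 8 connections, below the threshold of roughly 8.2, and is missed, which is the evasion the slide warns about. Lowering the threshold to catch it would start flagging ordinary busy minutes, which is why the result is normally cross-checked with signature or change detection.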
12. Future of Malware
O Malware writers keep inventing new techniques to stay ahead of the
detection methods above.
O Polymorphic virus:
O The body of the virus is encrypted with a different key each time it
propagates.
O This masks the signature: no two copies share the same bytes in the body.
O The decryptor that restores the body is also varied between copies, so it
cannot simply be used as the signature instead.
O Difficult to detect but not impossible: a scanner can emulate the
decryptor and scan the body it produces.
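A toy polymorphic engine, added as an example and not part of the presentation, showing why a plain signature fails on each propagated copy and why emulating the decryptor still catches it. The body is a harmless constructed string, the decryptor is an 8-byte marker plus a 4-byte XOR key instead of executable code, and the emulator simply runs that decryptor in Python.

```python
"""A toy polymorphic engine and the scanning approach that still catches it.
Added example, not code from the original presentation: the 'body' is a
harmless constructed string standing in for a virus body, the decryptor is an
8-byte marker plus a 4-byte XOR key instead of executable code, and the
'emulator' simply runs that decryptor in Python.
"""
import os
import re

BODY = b"GET /payload.bin HTTP/1.0"             # constructed stand-in for the virus body
SIGNATURE = re.compile(rb"GET /payload\.bin")   # what a signature scanner looks for
MARKER = b"DECRYPT:"                            # toy decryptor stub (8 bytes)


def xor(data, key):
    """Repeating-key XOR: the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_copy(key=None):
    """One propagated copy: stub + fresh key + body encrypted under that key."""
    if key is None:
        key = os.urandom(4)                     # different key each time it propagates
    return MARKER + key + xor(BODY, key)


def run_decryptor(sample):
    """What the copy does at run time, and what an emulating scanner does to it."""
    assert sample.startswith(MARKER)
    key = sample[8:12]
    return xor(sample[12:], key)


def static_scan(sample):
    """Plain signature scan of the bytes as they sit on disk."""
    return SIGNATURE.search(sample) is not None


def emulating_scan(sample):
    """Run the decryptor first, then scan what it produces."""
    if sample.startswith(MARKER):
        sample = run_decryptor(sample)
    return SIGNATURE.search(sample) is not None


def demo():
    copy_a = make_copy(b"\x01\x02\x03\x04")
    copy_b = make_copy(b"\xaa\xbb\xcc\xdd")
    return {
        "copies_identical": copy_a == copy_b,
        "static_catches_plain": static_scan(BODY),
        "static_catches_copies": static_scan(copy_a) or static_scan(copy_b),
        "emulation_catches_copies": emulating_scan(copy_a) and emulating_scan(copy_b),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The fixed marker is the one thing a scanner could still match on, which is exactly why real polymorphic engines also rewrite the decryptor; production scanners answer that by executing the suspect code in an emulator until the body appears in memory rather than by recognising any particular stub.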
13. O Metamorphic Virus:
O Mutates its own code before each infection and spreads inside the
system in the mutated form, without relying on encryption.
O Even if the original virus/worm is detected, the mutated copy still
remains with a different signature, because the code itself changed rather
than just a key.
O Warhol Worm:
O Similar to SQL Slammer but with far lower bandwidth use.
O Its author scans in advance and creates a "hit list" of vulnerable
addresses, which ships inside the worm.
O The hit-list sites are infected first, each new copy taking a share of
the list; only then does the worm fall back to probing for further
vulnerable IP addresses.
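The difference between Slammer's blind probing and a Warhol worm's hit list is easiest to see in a small spread simulation, added here as an example that is not the presentation's code. The address space, host count and per-host probe budget are assumptions scaled down so a run takes seconds; the shape of the two curves is the point, not the numbers.

```python
"""Toy spread simulation for the two scanning strategies above: blind random
probing (SQL Slammer) and a Warhol worm that starts from a hit list.  Added
example, not code from the original presentation.  The address space, host
count and per-host probe budget are assumptions scaled down so a run takes
seconds; the shape of the curves is what matters, not the numbers.
"""
import random

ADDRESS_SPACE = 1 << 16      # 65,536 addresses instead of the real 2**32
SUSCEPTIBLE = 2000           # hosts running the vulnerable service
PROBES_PER_TICK = 20         # probes one infected host can send per tick (its bandwidth)


def simulate(seed, hit_list_size=0, max_ticks=500):
    """Return the number of infected hosts after each tick until all are infected."""
    rng = random.Random(seed)
    susceptible = set(rng.sample(range(ADDRESS_SPACE), SUSCEPTIBLE))
    patient_zero = rng.choice(sorted(susceptible))
    infected = {patient_zero}
    # A Warhol worm's author scanned in advance; the list ships inside the worm.
    hit_list = rng.sample(sorted(susceptible - infected), hit_list_size)
    history = [len(infected)]
    for _ in range(max_ticks):
        newly = set()
        for _host in range(len(infected)):          # every infected host probes
            for _ in range(PROBES_PER_TICK):
                if hit_list:
                    # Shared list: stands in for the real scheme of splitting
                    # the list between parent and child on each infection.
                    target = hit_list.pop()
                else:
                    target = rng.randrange(ADDRESS_SPACE)   # Slammer-style blind probe
                if target in susceptible:
                    newly.add(target)
        infected |= newly
        history.append(len(infected))
        if len(infected) == SUSCEPTIBLE:
            break
    return history


def ticks_to_fraction(history, fraction):
    """First tick at which at least `fraction` of the susceptible hosts are infected."""
    for tick, n in enumerate(history):
        if n >= fraction * SUSCEPTIBLE:
            return tick
    return None


def demo(seed=1):
    slammer = simulate(seed)
    warhol = simulate(seed, hit_list_size=500)
    return {
        "slammer_half": ticks_to_fraction(slammer, 0.5),
        "warhol_half": ticks_to_fraction(warhol, 0.5),
        "slammer_all": len(slammer) - 1,
        "warhol_all": len(warhol) - 1,
    }


if __name__ == "__main__":
    print(demo())
```

Blind probing wastes almost every packet while the population is small (only about 3% of this toy address space is vulnerable), so the random worm spends its first ticks barely growing; the hit-list worm skips that slow start entirely, which is the bandwidth saving the slide describes. Both curves share the same slow tail, because the last few unreached hosts can only be found by random probing.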
14. Vulnerable IP Address generated Today
[Table from the slide: two columns, a hit count followed by an IPv4
address, about 100 rows sorted by count in descending order, starting
"507 209.235.136.112"; the screenshot rows are not reproduced here.]