Computer Security Management
(ISYS20261)
Lecture 5 - Host-based Attacks

 Module Leader: Dr Xiaoqi Ma
 School of Science and Technology
Last Time:

• CSI Computer Security Survey
• Offers good overview
• Three basic types of attacks:
  – Host-based Attacks
  – Network-based Attacks
  – Social Engineering

• Host-based attacks:
  – Malicious Code
  – Malicious Software

Computer Security Management
Page 2
Today

• Malicious Code
  – Backdoors
  – Computer Viruses

• Malicious Software (Malware)
  – Computer Worms
  – Trojan Horses (Trojans)
  – Rootkits
  – Spyware

Backdoors (1)

• Sometimes referred to as Trapdoor
• Secret built-in method for (unauthorised) access to a system
  – Universal standard password
  – Secret admin account

• Usually smuggled in by a third party
  – Programmer who wants to gain access to the system once it is put into
    operation
  – Espionage
  – Viruses and Trojans
  – etc

Backdoors (2)

• Can be inserted at any point in tool-chain
  – Source code
  – Compiler
  – Executable

• Open source software less likely to contain a backdoor
• Symmetric Backdoor
  – everybody who knows about the Backdoor can use it

• Asymmetric Backdoor
  – can only be used by the attacker who plants it
  – Based on asymmetric cryptography

Finding backdoors

• Code reviews
  – Only possible if the code is available (Open Source)
  – Similar to white box testing
  – Example: backdoor in Linux kernel's source code

• Disassembling and analysing executables
  – Can be done for programs and libraries
  – Laborious and error prone
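A code review for the "universal standard password" kind of backdoor described above can be partly automated. The following is an added example, not part of the lecture: a small Python AST scan that flags any comparison of a credential-looking variable against a string literal, which is the pattern a hard-coded master password leaves in source. The sample source it scans is constructed for illustration; the name list in SUSPICIOUS_NAMES is an assumption about naming conventions.

```python
"""Added example: AST-based code-review aid that flags comparisons of a
password-like variable with a string literal (the hard-coded 'universal
password' pattern). Not lecture code; the sample source is constructed."""
import ast

# Constructed sample: a login routine carrying a hard-coded master password.
SAMPLE_SOURCE = '''
def login(user, password, db):
    if password == "letmein-master":      # hidden universal password
        return True
    return db.check(user, password)

def is_admin(user):
    return user == "admin"
'''

# Assumed substrings that mark a variable as credential-like.
SUSPICIOUS_NAMES = ("passw", "secret", "token", "pin")


def _name_of(node):
    """Return the identifier text of a Name or Attribute node, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return None


def find_literal_credential_checks(source):
    """Return (line, variable, literal) for every comparison of a
    credential-looking variable with a string constant."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Compare):
            continue
        sides = [node.left] + node.comparators
        for a in sides:
            name = _name_of(a)
            if name is None or not any(s in name.lower() for s in SUSPICIOUS_NAMES):
                continue
            for b in sides:
                if isinstance(b, ast.Constant) and isinstance(b.value, str):
                    findings.append((node.lineno, name, b.value))
    return findings


if __name__ == "__main__":
    for line, var, lit in find_literal_credential_checks(SAMPLE_SOURCE):
        print(f"line {line}: {var!r} compared with literal {lit!r}")
```

A hit is only a lead for the reviewer, not proof of a backdoor: the same pattern appears in test fixtures and default-account setup code, so each finding still needs a human to decide whether the literal belongs there.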

Computer viruses (1)

• Term was introduced in 1983 by Fred Cohen
• Self-replicating code (viral code) that secretly embeds itself into a
  host program without permission or knowledge of the owner/user
  (infection)
• If the infected program is executed, the virus is executed as well
  and tries to spread itself by infecting other programs
• Sometimes a virus modifies its own code before it infects other
  programs, to avoid detection (no fixed signature, i.e. no fixed sequence
  of instructions)
  – Polymorphic virus re-encrypts itself with each infection
  – Metamorphic virus re-writes its own code with each infection

Computer viruses (2)

• Viruses usually carry a payload, i.e. serve another (criminal)
  purpose
  – Installing malicious software on the computer
  – Deleting data and/or programs
  – Encryption of data (blackmailing!)

• Different infection methods
  – Boot sectors
  – Executable files
  – Macros in documents
  – Scripts on web pages

Boot sector viruses

• Oldest type of computer viruses
• Does not infect an executable but the boot sector of a floppy disk or
  the Master Boot Record (MBR) of a hard disk
• MBRs and boot sectors contain a Boot Loader program that is
  executed after the computer is switched on to load the operating
  system
  – Boot virus embeds itself into the Boot Loader
  – It is executed when the BIOS tries to run the Boot Loader
  – It then tries to infect the MBRs of installed hard drives before it carries out a
    destructive action or before it loads the OS

• Today extinct
  – Can easily be found by anti-virus software
  – The virus is very limited in memory (444 Bytes!)
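Because the boot loader lives in a fixed place with a fixed layout, its integrity is easy to baseline. The following is an added example, not code from the lecture: a Python parser for a classic 512-byte MBR that splits off the partition table (the last 64 bytes) and the 0x55AA boot signature (the last 2 bytes), hashes the remaining boot-code area, and compares it with a digest recorded while the system was known clean. The MBR image is constructed; the bytes standing in for the boot loader are inert filler, not a real loader.

```python
"""Added example: parse a classic 512-byte MBR and check the boot-loader
code against a known-good digest. Not lecture code; the MBR image is
constructed for illustration."""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_SIZE = 4 * 16            # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"              # trailing signature the BIOS checks
CODE_AREA = SECTOR_SIZE - PART_TABLE_SIZE - len(BOOT_SIG)


def parse_mbr(sector):
    """Split an MBR into boot code, used partition entries and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    boot_code = sector[:CODE_AREA]
    table = sector[CODE_AREA:CODE_AREA + PART_TABLE_SIZE]
    partitions = []
    for i in range(4):
        entry = table[i * 16:(i + 1) * 16]
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped),
        # LBA start, sector count; all little-endian
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:                  # type 0 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"boot_code": boot_code, "partitions": partitions,
            "signature_ok": sector[-2:] == BOOT_SIG}


def boot_code_digest(sector):
    """SHA-256 of the boot-loader area only; partition edits do not affect it."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def check_mbr(sector, baseline_digest):
    """Return a list of integrity problems (empty when the MBR is as recorded)."""
    problems = []
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        problems.append("missing 0x55AA boot signature")
    if hashlib.sha256(info["boot_code"]).hexdigest() != baseline_digest:
        problems.append("boot code digest differs from baseline")
    return problems


def build_sample_mbr(boot_code, partitions):
    """Assemble a constructed MBR image from filler code and
    (status, type, lba_start, sectors) tuples."""
    code = boot_code.ljust(CODE_AREA, b"\x00")
    table = b"".join(struct.pack("<B3xB3xII", s, t, l, c)
                     for s, t, l, c in partitions)
    return code + table.ljust(PART_TABLE_SIZE, b"\x00") + BOOT_SIG


# Constructed fixtures: inert stand-in for a boot loader, one bootable partition.
SAMPLE_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 24,
                              [(0x80, 0x83, 2048, 409600)])
BASELINE = boot_code_digest(SAMPLE_MBR)   # recorded while the system is known clean

# Constructed tampered copy: one byte of the boot code flipped, table untouched.
_t = bytearray(SAMPLE_MBR)
_t[10] ^= 0xFF
TAMPERED_MBR = bytes(_t)

if __name__ == "__main__":
    print(parse_mbr(SAMPLE_MBR)["partitions"])
    print(check_mbr(SAMPLE_MBR, BASELINE), check_mbr(TAMPERED_MBR, BASELINE))
```

Hashing only the code area means a legitimate repartitioning does not raise a false alarm, while any change to the loader does. On a real machine the sector would be read from the raw disk device; for the comparison to be trustworthy it should be done from a boot medium that is known clean, since a loader that is already running could lie about its own contents.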

File viruses (1)

• Embeds itself into an executable program file
• Different infection methods
  – Overwriting viruses
  – Companion viruses
  – Parasitic viruses

File viruses (2)

• Overwriting virus:
  – Virus completely replaces the code of the infected program
  – Easy to detect since the original program does not work anymore
  – File size changed, can be detected by integrity-checking software

• Companion virus:
  – infects an .EXE file by creating a matching file with a .COM extension that
    contains the viral code and puts it into the same directory
  – The OS gives preference to .COM files over .EXE files and hence the viral code
    is executed when the user starts the program
  – It then carries out the spread routine before executing the original .EXE file
  – Size of original file is not changed

File viruses (3)

• Parasitic viruses modify the code of the infected file
• The infected file remains partially or fully functional
• Different types:
  – Prepender
  – Appender
  – Entry Point Obscuring (inserting)
  – Cavity filler

• Stealth virus:
  – Tries to hide its existence
  – Example: parasitic virus that intercepts system calls that return the size of a file
    to fool integrity-checking software

File viruses (4)

• Prepender virus:
  – Places its code at the beginning of the file it infects
  – Viral code is executed first when the infected file is executed
  – File size increased, can be detected by integrity-checking software

• Appender virus:
  – Places its code at the end of the file it infects
  – Adjusts the file's entry point to cause its code to be executed before that of
    the original file
  – File size increased, can be detected by integrity-checking software

File viruses (5)

• Entry Point Obscuring:
  – Places its code in the middle of the files it infects
  – May move a section of the original code to the end of the file, or simply push
    the code aside to make space for its own code
  – File size increased, can be detected by integrity-checking software

• Cavity filler:
  – Seeks out unused space within the files it infects
  – Inserts its code into these gaps to avoid changing the size of the file
  – Does not alert integrity-checking software that only watches file size
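The slides on prepender, appender, entry-point-obscuring and cavity-filler viruses all turn on what integrity-checking software can and cannot see. The following is an added example, not lecture code: a Python integrity baseline that records both the size and the SHA-256 hash of each file, run over constructed fixtures that model the three file layouts (bytes placed before the file, after it, and inside an unused zero-filled region of the same size). The fixtures contain inert marker bytes only, no code; the point is that a size-only check misses the same-size case while a content hash catches all three.

```python
"""Added example: size-vs-hash file integrity baseline showing which file
layouts a size-only check misses. Not lecture code; all files are constructed."""
import hashlib


def take_baseline(files):
    """files: name -> bytes. Returns name -> (size, sha256 hex digest)."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}


def changed_by_size(files, base):
    """Names whose size differs from the baseline (what a size-only checker sees)."""
    return sorted(n for n, d in files.items() if len(d) != base[n][0])


def changed_by_hash(files, base):
    """Names whose content hash differs from the baseline."""
    return sorted(n for n, d in files.items()
                  if hashlib.sha256(d).hexdigest() != base[n][1])


# Constructed fixture: a tiny stand-in "executable" with a run of zero
# padding, the kind of unused space a cavity filler would look for.
ORIGINAL = {"app.exe": b"MZ" + b"ORIGINAL-CODE" + b"\x00" * 64}
BASELINE = take_baseline(ORIGINAL)

# Constructed fixtures modelling the three layouts (inert marker bytes, not
# code): bytes before the file, after it, and inside the padding at same size.
MARKER = b"X" * 16
_orig = ORIGINAL["app.exe"]
PREPENDED = {"app.exe": MARKER + _orig}
APPENDED = {"app.exe": _orig + MARKER}
CAVITY = {"app.exe": _orig[:20] + MARKER + _orig[20 + len(MARKER):]}
assert len(CAVITY["app.exe"]) == len(_orig)     # size unchanged by design


def report():
    """For each layout, list what the size check and the hash check flag."""
    out = {}
    for label, files in (("prepended", PREPENDED), ("appended", APPENDED),
                         ("cavity", CAVITY)):
        out[label] = {"size_check": changed_by_size(files, BASELINE),
                      "hash_check": changed_by_hash(files, BASELINE)}
    return out


if __name__ == "__main__":
    for label, result in report().items():
        print(label, result)
```

The stealth virus on the previous slide, which lies about file size through intercepted system calls, gains nothing against a content hash, since the hash reads the bytes rather than asking for the size. It does show the limit of any checker that runs on the possibly infected system: if file reads themselves are intercepted, the checker sees clean bytes. Keeping the baseline on read-only media and running the comparison from a trusted boot environment closes that gap.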

Macro viruses

• Relies on application programs that use documents with embedded
  macros, e.g. MS Word, MS Excel, etc
• Viral code is programmed as a macro and embedded in an infected
  document
• If an infected document is opened in the application program, the
  macro is executed
• The macro tries to locate other documents of that type and embeds
  copies of itself into the documents found

Script viruses

• Very similar to macro viruses
• Uses web applications and script languages, e.g. JavaScript
• Normally, scripts are embedded in HTML web pages to provide
  additional functionality, e.g. dynamic web pages, guest books, etc
• Script virus embeds itself into HTML page
• Most browsers execute embedded scripts automatically!
• If executed, it tries to spread or carries out its payload

How to protect against computer viruses

• Use anti-virus software with up-to-date signature database
• Install software patches immediately (OS and applications)
• Disable macros in applications unless you really need them
• Disable scripting in web browsers

Computer Worms

• Self-replicating computer program that secretly copies itself to other
  computers without permission or knowledge of the owner/user
  (infection)
• It uses a network to send copies of itself to other nodes (computers)
• It may do so without any user intervention but sometimes some
  user action is required (email worms)
• Unlike viruses, worms do not need to attach themselves to an
  existing program
• Worms always consume network bandwidth and might carry a
  payload, e.g. to install backdoors on infected machines

How to protect against computer worms

• Use a firewall
• Install software patches immediately (OS and applications)
• Do not open unexpected emails or run unknown email attachments

Trojan Horses (Trojans)

• Malicious software (malware) that appears to perform a desirable
  function but also performs undisclosed malicious functions
• Term is derived from the classical story of the Trojan Horse
• Always requires some user action to install
• Trojans usually install malware (payload) to
  – Gain unauthorised remote access (backdoors)
  – Destroy data
  – Download even more malware (spyware)
  – Disable security software
  – Start denial-of-service attacks

• Once the malware is installed, deleting the Trojan does not help!

How to protect against Trojans

• Do not install software from an unknown source
• Do not run attachments from unexpected emails
• Use anti-virus software with up-to-date signature database

Rootkits (1)

• Malicious program that hides malicious files or folders from normal
  sight
• Often used by malware to conceal its presence and activities
• The term rootkit originally applied to UNIX-based operating
  systems
• It is a collection of tools to enable a user to obtain root
  (administrator-level) access to a system and to conceal any changes
  they might make
• Such tools often included malicious versions of standard system
  monitoring programs which would hide the rootkit operators'
  activities
• More recently: malware using stealth techniques

Rootkits (2)

• Rootkits can operate at a number of levels
• Application level
  – replacing or adjusting the settings of system software to prevent the display of
    certain information

• Operating system level
  – hooking certain system functions
  – inserting modules or drivers into the operating system kernel

• Firmware level/virtualisation level
  – firmware and/or virtual machines are activated before the operating system and
    thus even harder to detect while the system is running

Rootkits (3)

• Example: in 2005, Sony BMG caused a scandal by including a
  rootkit on music CDs, in an attempt to enforce DRM; it allowed
  anyone who knew about the rootkit to gain administrator rights on
  an infected machine
• Rootkit binaries are easy to detect using anti-virus software
• However, once they run they are hidden and hence very difficult to
  detect
• Might be detected using anti-spyware software
• Detection based on analysis of the behaviour of a system
• Rootkits are difficult to remove once detected!

Spyware/Adware
• Software that collects private information or monitors user
  behaviour secretly
• The term spyware essentially covers any software that gathers
  information and passes it to a third party without adequate
  permission from the owner of the data
• Examples
  – Keylogger: monitors the keys pressed and thus records any sensitive data, such
    as passwords, entered by the user
  – Password stealer: steals user data such as login IDs/passwords
  – Packet analyser (sniffer): intercepts and logs traffic passing over a digital
    network
  – Cookies: allows the identification of a computer/user, e.g. for tracking etc

• Adware: software package which automatically plays, displays, or
  downloads advertisements to a computer after the software is
  installed (privacy-invasive software)

Summary

• Host-based attacks are carried out using malicious code and
  software
  – Code: Backdoors and viruses
  – Software: Worms, trojans, rootkits, spyware, …

• The sophistication increases all the time, which has led to an arms race
  between the developers of malicious software and security software
• The baddies are usually one step ahead
• They are professionals, highly trained and educated
• Usually linked to organised crime
