MALICIOUS SOFTWARE
ITSY3104 - Computer Security A - Lecture 5 - Malicious Software
Mr. RAJASEKAR RAMALINGAM
Department of IT, College of Applied
Sciences, Sur.
Sultanate of Oman.
http://vrrsekar.wixsite.com/raja
Based on
William Stallings, Lawrie Brown, Computer Security:
Principles and Practice, Third Edition
• 5.1 Malware
• 5.2 Advanced Persistent Threats (APTs)
• 5.3 Viruses
• 5.4 Worms
• 5.5 Bots
• 5.6 Rootkits
• 5.7 Mobile Code
• 5.8 Mobile Phone Worms
5.1 Malware
• [NIST05] defines malware as:
“a program that is inserted into a system, usually covertly,
with the intent of compromising the confidentiality,
integrity, or availability of the victim’s data, applications,
or operating system or otherwise annoying or disrupting the
victim.”
5.1.1 Malware Terminologies
5.1.2 Classification of Malware
• classified into two broad categories based on:
– how it spreads or propagates to reach the desired targets
– the actions or payloads it performs once a target is reached
• also classified by:
– those that need a host program
• parasitic code such as viruses
– those that are independent, self-contained programs
• worms, trojans, and bots
– malware that does not replicate
• trojans and spam e-mail
– malware that does replicate
• viruses and worms
5.1.3 Types of Malicious Software
• propagation mechanisms include:
– infection of existing content by viruses that is subsequently spread to other
systems
– exploit of software vulnerabilities by worms or drive-by-downloads to allow
the malware to replicate
– social engineering attacks that convince users to bypass security mechanisms
to install Trojans or to respond to phishing attacks
• payload actions performed by malware once it reaches a target
system can include:
– corruption of system or data files
– theft of service/make the system a zombie agent of attack as part of a botnet
– theft of information from the system/keylogging
– stealthing/hiding its presence on the system
5.1.4 Attack Kits
• Initially the development and deployment of malware required
considerable technical skill by software authors
– The development of virus-creation toolkits in the early 1990s and then more
general attack kits in the 2000s greatly assisted in the development and
deployment of malware
• Toolkits are often known as “crimeware”
– Include a variety of propagation mechanisms and payload modules that even
novices can deploy
– The large number of variants that attackers can generate with these toolkits is a
significant problem for those defending systems against them
• Widely used toolkits include:
– Zeus, Blackhole, Sakura, Phoenix
5.1.5 Attack Sources
• Another significant malware development is the change from attackers
being individuals, often motivated to demonstrate their technical
competence to their peers, to more organized and dangerous attack sources
such as:
– Politically motivated attackers
– Criminals
– Organized crime
– Organizations that sell their services to companies and nations
– National government agencies
• This has significantly changed the resources available and the motivation
behind the rise of malware, and has led to the development of a large
underground economy involving the sale of attack kits, access to
compromised hosts, and stolen information
5.2 Advanced Persistent Threats (APTs)
• Well-resourced, persistent application of a wide variety of
intrusion technologies and malware to selected targets (usually
business or political)
• Typically attributed to state-sponsored organizations and criminal
enterprises
• Differ from other types of attack by their careful target selection
and stealthy intrusion efforts over extended periods
• High profile attacks include Aurora, RSA, APT1, and Stuxnet
5.2.1 APT Characteristics
Advanced
• The attackers use a wide variety of intrusion technologies and malware,
including custom-developed malware if required
• The individual components may not necessarily be technically advanced but are
carefully selected to suit the chosen target
Persistent
• Determined application of the attacks over an extended period against the chosen
target in order to maximize the chance of success
• A variety of attacks may be progressively applied until the target is compromised
Threats
• Threats to the selected targets arise from the organized, capable, and well-funded
attackers' intent to compromise those specifically chosen targets
• The active involvement of people in the process greatly raises the threat level
compared with automated attack tools, and also the likelihood of a successful attack
5.2.2 APT Attacks
• Aim:
– Varies from theft of intellectual property or security and infrastructure related
data to the physical disruption of infrastructure
• Techniques used:
– Social engineering
– Spear-phishing email
– Drive-by-downloads from selected compromised websites likely to be visited
by personnel in the target organization
• Intent:
– To infect the target with sophisticated malware with multiple propagation
mechanisms and payloads
– Once they have gained initial access to systems in the target organization, a
further range of attack tools is used to maintain and extend that access
5.3 Viruses
• piece of software that infects programs
– modifies them to include a copy of the virus
– replicates and goes on to infect other content
– easily spread through network environments
• when attached to an executable program a virus can do
anything that the program is permitted to do
– executes secretly when the host program is run
• specific to operating system and hardware
– takes advantage of their details and weaknesses
5.3.1 Virus Components
• infection mechanism
– means by which a virus spreads or propagates
– also referred to as the infection vector
• trigger
– event or condition that determines when the payload is activated or delivered
– sometimes known as a logic bomb
• payload
– what the virus does (besides spreading)
– may involve damage or benign but noticeable activity
5.3.2 Virus Phases
• dormant phase
– virus is idle
– will eventually be activated by some event
– not all viruses have this stage
• propagation phase
– virus places a copy of itself into other programs or into certain system
areas on the disk
– the copy may not be identical to the propagating version
– each infected program will now contain a clone of the virus, which will
itself enter a propagation phase
• triggering phase
– virus is activated to perform the function for which it was intended
– can be caused by a variety of system events
• execution phase
– function is performed
– may be harmless or damaging
5.3.3 Virus Structure
5.3.4 Virus Classifications
• boot sector infector
– infects a master boot record or boot
record and spreads when a system is
booted from the disk containing the
virus
• file infector
– infects files that the operating
system or shell considers to be
executable
• macro virus
– infects files with macro or scripting
code that is interpreted by an
application
• multipartite virus
– infects files in multiple ways
• encrypted virus
– a portion of the virus creates a
random encryption key and encrypts
the remainder of the virus
• stealth virus
– a form of virus explicitly designed to
hide itself from detection by anti-
virus software
• polymorphic virus
– a virus that mutates with every
infection
• metamorphic virus
– a virus that mutates and rewrites itself
completely at each iteration and may
change behavior as well as
appearance
5.3.5 Virus Countermeasures
• Prevention - ideal solution but difficult
• Best approach is to be able to do the following:
1. Detection - determine & locate virus
2. Identification - identify the specific virus that
infected
3. Removal - remove all traces of the virus from the
infected program
• If the virus is detected but cannot be identified or removed, the
infected program must be discarded and replaced with a clean copy
5.3.6 Generations of Anti-Virus Software
• first generation: simple scanners
– requires a malware signature to identify the malware
– limited to the detection of known malware
• second generation: heuristic scanners
– uses heuristic rules to search for probable malware instances
– another approach is integrity checking
• third generation: activity traps
– memory-resident programs that identify malware by its actions rather than
its structure in an infected program
• fourth generation: full-featured protection
– packages consisting of a variety of anti-virus techniques used in conjunction
– include scanning and activity trap components and access control capability
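The virus structure of 5.3.3 (whose slide carries no text on this page), the phases of 5.3.2 and the first two anti-virus generations above can be seen together in one self-contained simulation. This is an added example, not code from the lecture or from Stallings: the "file system" is a Python dict of byte strings, and the infection marker, the virus body, the file names and the XOR key are constructed stand-ins; no real files are touched. The virus prepends a marker (so a host is infected only once) and a body; running an infected program first propagates to every other clean program, then fires the payload if the trigger is pulled. A first-generation signature scanner catches this plain variant; the encrypted-virus variant from 5.3.4 slips past it but is still caught by second-generation integrity checking against a hash baseline.

```python
import hashlib

# Everything below is constructed for the example: an in-memory "file system"
# (dict of name -> bytes), an infection marker, and a byte string standing in
# for the virus body. No real files are read or written.
INFECTION_MARKER = b"\x12\x34\x56\x78"   # checked before infecting, so a host is infected once
VIRUS_BODY = b"<<virus-body>>"           # stand-in for the virus code; doubles as the scanner signature


def is_infected(program: bytes) -> bool:
    return program.startswith(INFECTION_MARKER)


def infect(program: bytes) -> bytes:
    """Infection mechanism: prepend marker + body so the virus runs before the host."""
    if is_infected(program):
        return program
    return INFECTION_MARKER + VIRUS_BODY + program


def infect_encrypted(program: bytes, key: int) -> bytes:
    """Encrypted-virus variant (5.3.4): body XORed with a per-infection key; the key
    is stored in clear so a decryptor stub (not modelled here) could recover it."""
    if is_infected(program):
        return program
    body = bytes(b ^ key for b in VIRUS_BODY)
    return INFECTION_MARKER + bytes([key]) + body + program


def run(fs: dict, name: str, trigger: bool) -> list:
    """Simulate executing `name`. If it carries the virus, the virus code runs first:
    propagation phase (infect every other clean program), then the trigger check
    and payload (execution phase). Returns the list of events for inspection."""
    events = []
    if is_infected(fs[name]):
        for other in sorted(fs):
            if other != name and not is_infected(fs[other]):
                fs[other] = infect(fs[other])
                events.append(f"infected {other}")
        if trigger:
            events.append("payload executed")
    events.append(f"ran {name}")
    return events


def signature_scan(fs: dict, signature: bytes = VIRUS_BODY) -> list:
    """First-generation scanner: report every file containing a known byte pattern."""
    return sorted(n for n, data in fs.items() if signature in data)


def baseline(fs: dict) -> dict:
    """Integrity checking, step 1: hash every file while it is known to be clean."""
    return {n: hashlib.sha256(d).hexdigest() for n, d in fs.items()}


def integrity_check(fs: dict, base: dict) -> list:
    """Step 2: any file whose hash no longer matches the baseline has been modified."""
    return sorted(n for n, d in fs.items()
                  if hashlib.sha256(d).hexdigest() != base.get(n))


def demo() -> dict:
    fs = {"cat": b"\x7fELF cat", "ls": b"\x7fELF ls", "vi": b"\x7fELF vi"}
    base = baseline(fs)                       # taken while the system is clean
    fs["cat"] = infect(fs["cat"])             # patient zero arrives from outside
    events = run(fs, "cat", trigger=False)    # spreads to ls and vi, payload dormant
    events += run(fs, "ls", trigger=True)     # nothing left to infect; payload fires
    plain = {"signature": signature_scan(fs), "integrity": integrity_check(fs, base)}

    fs2 = {"cat": b"\x7fELF cat", "ls": b"\x7fELF ls"}
    base2 = baseline(fs2)
    fs2["cat"] = infect_encrypted(fs2["cat"], key=0x5A)
    encrypted = {"signature": signature_scan(fs2), "integrity": integrity_check(fs2, base2)}
    return {"events": events, "plain": plain, "encrypted": encrypted}


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, value)
```

The integrity checker only works because the baseline was taken before patient zero arrived; it also cannot tell a legitimate update from an infection, which is why real products combine it with signatures and activity traps rather than relying on either alone.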
5.3.7 Digital Immune System
The digital immune system is a comprehensive approach to virus
protection developed by IBM and subsequently refined by Symantec.
In 2010, their resulting Global Intelligence Network comprised
more than 240,000 sensors, and gathered intelligence on malicious
code from more than 133 million client, server, and gateway
systems that have deployed Symantec anti-virus products.
The motivation for this development has been the rising threat of
Internet-based virus propagation, and the need to acquire a global
view of the situation.
The typical steps in early proposals for digital immune system operation:
1. A monitoring program on each PC uses a variety of heuristics based on system
behavior, suspicious changes to programs, or family signature to infer that
malware may be present. The monitoring program forwards a copy of any
suspect program to an administrative machine within the organization.
2. The administrative machine encrypts the sample and sends it to a central
malware analysis system.
3. This machine creates an environment in which the suspect program can be
safely run for analysis. Techniques used for this purpose include emulation,
or the creation of a protected environment within which the suspect program
can be executed and monitored. The malware analysis system then produces a
prescription for identifying and removing the malware.
4. The resulting prescription is sent back to the administrative
machine.
5. The administrative machine forwards the prescription to the
original client.
6. The prescription is also forwarded to other clients in the
organization.
7. Subscribers around the world receive regular anti-virus updates
that protect them from the new malware.
5.4 Worms
• program that actively seeks out more machines to infect
– each infected machine serves as an automated
launching pad for attacks on other machines
• exploits software vulnerabilities in client or server
programs
• can use network connections to spread from system to
system
• spreads through shared media
– USB drives, CD, DVD data disks
Worms…
• e-mail worms spread in macro or script code included in
attachments and instant messenger file transfers
• upon activation the worm may replicate and propagate
again
• usually carries some form of payload
• first known implementation was done in Xerox Palo Alto
Labs in the early 1980s
5.4.1 Worm Replication
• Electronic mail or instant messenger facility
– worm e-mails a copy of itself to other systems
– sends itself as an attachment via an instant message service
• File sharing
– creates a copy of itself or infects a file as a virus on removable media
• Remote execution capability
– worm executes a copy of itself on another system
• Remote file access or transfer capability
– worm uses a remote file access or transfer service to copy itself from
one system to the other
• Remote login capability
– worm logs onto a remote system as a user and then uses commands to copy
itself from one system to the other
5.4.2 Morris Worm
• earliest significant worm infection
– released by Robert Morris in 1988
• designed to spread on UNIX systems
– attempted to crack the local password file, then used the recovered
login/password pairs to log on to other systems
– exploited a buffer overflow bug in fingerd, the daemon for the finger
protocol, which reports the whereabouts of a remote user
– exploited a trapdoor in the debug option of the remote process
that receives and sends mail
• successful attacks achieved communication with the
operating system command interpreter
– sent interpreter a bootstrap program to copy worm over
5.4.3 Worm Technology
The state of the art in worm technology includes the following:
• Multiplatform: not limited to one platform; can attack a variety of
operating systems and architectures.
• Multi-exploit: penetrates systems in a variety of ways, using exploits
against web servers, browsers, e-mail, file sharing, and other
network-based applications.
• Ultrafast spreading: accelerates the spread of the worm, for example by
scanning the Internet for vulnerable machines in advance.
• Polymorphic: each copy of the worm has new code generated on the fly
using functionally equivalent instructions and encryption, to evade
signature-based detection.
• Metamorphic: in addition to changing its appearance, the worm has a
repertoire of behavior patterns that are unleashed at different stages
of propagation.
• Transport vehicles: because worms can rapidly compromise a large number
of systems, they are ideal for spreading other attack tools such as bots.
• Zero-day exploit: to achieve maximum surprise and distribution, the worm
exploits an unknown vulnerability that is only discovered by the general
network community when the worm is launched.
5.4.4 Worm Countermeasures
• Overlaps with anti-virus techniques: once a worm is resident on a
machine, anti-virus software can detect it
• Worms also cause significant network activity, which gives network-level
defenses something to observe
• Worm defense approaches include:
– Signature-based worm scan filtering: generates a worm signature and uses
it to block worm traffic, as with signature-based anti-virus
– Filter-based worm containment: focuses on the worm's content rather than
a scan signature; the filter checks messages for the worm's code
– Payload-classification-based worm containment: examines packets for
anomalies that indicate exploit code, without needing a signature
– Threshold Random Walk (TRW) scan detection: detects random scanning by
exploiting the fact that a scanner's connection attempts fail far more
often than those of a legitimate host
– Rate limiting: limits the rate of scan-like traffic from an infected host
– Rate halting: immediately blocks outgoing traffic from a host when a
threshold is exceeded, either on the outgoing connection rate or on the
diversity of target addresses
5.4.6 Proactive Worm Containment (PWC)
• PWC is a host-based software scheme.
• A PWC agent monitors the rate of outgoing connection attempts and the
diversity of remote hosts contacted, looking for the surge a scanning
worm produces.
• When a surge is detected, the software immediately blocks its host from
further connection attempts.
• A PWC system consists of a PWC manager and PWC agents on the hosts.
PWC operates as follows:
1) A PWC agent monitors outgoing traffic for scan activity. If a surge is
detected, the agent:
a) issues an alert to the local system;
b) blocks all outgoing connection attempts;
c) transmits the alert to the PWC manager;
d) starts a relaxation analysis.
2) The PWC manager receives the alert and propagates it to all other agents.
3) Each host that receives the alert:
a) blocks all outgoing connection attempts from the specific alerting port;
b) starts a relaxation analysis.
In the relaxation analysis the agent watches outgoing activity for a fixed
window of time; if connection attempts stay below the threshold the block is
lifted, otherwise the block is kept and the analysis repeated.
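The TRW scan detection and rate-halting approaches listed under 5.4.4 and the surge check a PWC agent performs can both be run over the same outbound-connection log. The following is an added example, not code from the lecture, from Stallings, or from the TRW or PWC papers; the log lines, addresses, ports and thresholds are constructed. trw_classify implements the sequential hypothesis test of Threshold Random Walk: each first-contact attempt by a source moves a per-source log-likelihood walk up (failure) or down (success), and the source is declared a scanner or benign once the walk crosses a threshold derived from the chosen false-positive rate and detection rate. surge_detector does what the PWC agent above does: it blocks a source (rate halting) as soon as the number of distinct destinations it has contacted within a short window exceeds a limit, without waiting for connection outcomes. The relaxation analysis is not modelled.

```python
import math
from collections import defaultdict

# Constructed outbound-connection log: "time src dst dport ok|fail".
# 10.0.0.5 sweeps a subnet on 445 (worm-like), 10.0.0.7 is a normal client,
# 10.0.0.9 has mixed results. A real agent would get these from the host
# network stack, a firewall or a flow sensor.
SAMPLE_LOG = """
1000 10.0.0.5 10.0.1.1 445 fail
1000 10.0.0.5 10.0.1.2 445 fail
1001 10.0.0.5 10.0.1.3 445 ok
1001 10.0.0.5 10.0.1.4 445 fail
1002 10.0.0.5 10.0.1.5 445 fail
1002 10.0.0.5 10.0.1.6 445 fail
1003 10.0.0.5 10.0.1.7 445 fail
1003 10.0.0.5 10.0.1.8 445 fail
1000 10.0.0.7 10.0.2.10 443 ok
1001 10.0.0.7 10.0.2.10 443 ok
1002 10.0.0.7 10.0.2.11 443 ok
1003 10.0.0.7 10.0.2.12 443 ok
1004 10.0.0.7 10.0.2.13 443 ok
1000 10.0.0.9 10.0.3.1 22 fail
1001 10.0.0.9 10.0.3.2 22 ok
1002 10.0.0.9 10.0.3.3 22 fail
"""


def parse_log(text: str) -> list:
    """Turn the log text into (time, src, dst, dport, result) tuples, time-ordered."""
    recs = []
    for line in text.strip().splitlines():
        t, src, dst, dport, result = line.split()
        recs.append((int(t), src, dst, int(dport), result))
    return sorted(recs, key=lambda r: r[0])   # stable sort keeps per-source order


def trw_classify(records, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.99) -> dict:
    """Threshold Random Walk: one sequential hypothesis test per source.
    theta0/theta1: probability that a first-contact attempt succeeds for a
    benign host / for a scanner. alpha: tolerated false-positive rate,
    beta: desired detection rate. Only the first attempt to each destination
    counts; repeats to a known host carry no information about scanning."""
    upper = math.log(beta / alpha)                      # crossing upward  -> scanner
    lower = math.log((1 - beta) / (1 - alpha))          # crossing downward -> benign
    step_ok = math.log(theta1 / theta0)                 # negative: success lowers suspicion
    step_fail = math.log((1 - theta1) / (1 - theta0))   # positive: failure raises it
    walk = defaultdict(float)
    contacted = defaultdict(set)
    verdict = {}
    for _t, src, dst, _dport, result in records:
        if src in verdict or dst in contacted[src]:
            continue                                    # already decided, or not a first contact
        contacted[src].add(dst)
        walk[src] += step_fail if result == "fail" else step_ok
        if walk[src] >= upper:
            verdict[src] = "scanner"
        elif walk[src] <= lower:
            verdict[src] = "benign"
    return {src: verdict.get(src, "pending") for src in contacted}


def surge_detector(records, window=5, max_new_dests=4) -> dict:
    """PWC-style rate halting: block a source (recording the time) once it has
    contacted more than max_new_dests distinct hosts within `window` seconds."""
    recent = defaultdict(list)          # src -> [(time, dst), ...] inside the window
    blocked = {}
    for t, src, dst, _dport, _result in records:
        if src in blocked:
            continue                    # its connection attempts are already being dropped
        recent[src] = [(ts, d) for ts, d in recent[src] if t - ts <= window]
        recent[src].append((t, dst))
        if len({d for _, d in recent[src]}) > max_new_dests:
            blocked[src] = t
    return blocked


def demo() -> dict:
    records = parse_log(SAMPLE_LOG)
    return {"trw": trw_classify(records), "blocked": surge_detector(records)}


if __name__ == "__main__":
    print(demo())
```

On this log the surge detector halts 10.0.0.5 at its fifth new destination (t=1002), one attempt before TRW reaches its scanner verdict, because it needs no connection outcomes; the price is that a legitimate host that fans out to many servers at once is blocked just the same. TRW tolerates that fan-out as long as the connections mostly succeed, and leaves 10.0.0.9 undecided rather than guessing, which is the behaviour that keeps its false-positive rate near the configured alpha.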
5.4.7 Network Based Worm Defense (NBWD)
• The key element of a NBWD is worm monitoring software.
• Two types of monitoring software are needed:
1) Ingress monitors: located at the border between the enterprise network
and the Internet, typically as part of the ingress filtering of a border
router or external firewall; they look for incoming worm traffic.
2) Egress monitors: located at the egress point of individual LANs on the
enterprise network as well as at the border; they are designed to catch the
source of a worm attack by monitoring outgoing traffic for signs of
scanning or other suspicious behavior.
• The two types of monitors can be collocated.
The NBWD architecture works as follows:
1. Sensors deployed at various network locations detect a potential worm and
send alerts to a central server.
2. The central server correlates and analyzes the incoming alerts.
3. The server forwards the information to a protected environment, where the
potential worm is sandboxed for analysis.
4. The protected system tests the suspicious software against an
appropriately instrumented version of the targeted application to identify
the vulnerability.
5. The protected system generates one or more software patches and tests these.
6. If a patch is not disruptive and successfully defends against the worm, the
system sends it to the application host to update the targeted application.
5.5 Bots
• A bot (robot), also known as a zombie or drone, is a program that secretly
takes over another Internet-attached computer and then uses that computer
to launch or manage attacks that are difficult to trace to the bot's creator.
• The collection of bots, often hundreds or thousands of compromised
machines, is typically capable of acting in a coordinated manner; it is
referred to as a botnet.
• A botnet exhibits three characteristics
1) The bot functionality
2) A remote control facility
3) A spreading mechanism to propagate the bots and construct the botnet.
• Some uses of bots include:
– Distributed denial-of-service attacks, spamming, sniffing traffic,
keylogging, spreading new malware, installing advertisement add-ons and
browser helper objects (bhos), attacking irc chat networks, manipulating
online polls/games.
5.6 Rootkits
• Set of programs installed on a system to maintain covert access to it with
administrator (root) privileges while hiding evidence of their presence
• Malicious and stealthy changes to host O/S
• May hide its existence
– Subverting report mechanisms on processes, files, registry
entries etc
• May be:
– Persistent or memory-based
– User or kernel mode
• Installed by user via trojan or intruder on system
• Range of countermeasures needed
5.7 Mobile Code
• programs that can be shipped unchanged to a variety
of platforms
• transmitted from a remote system to a local system
and then executed on the local system
• often acts as a mechanism for a virus, worm, or
Trojan horse
• takes advantage of vulnerabilities to perform its own
exploits
• popular vehicles include
– Java applets, ActiveX, JavaScript and VBScript
5.8 Mobile Phone Worms
• Cabir worm in 2004
• Lasco and CommWarrior in 2005
• communicate through Bluetooth wireless connections or
MMS
– target is the smartphone
• can completely disable the phone, delete data on the
phone, or force the device to send costly messages
– CommWarrior replicates by means of Bluetooth
• sends itself as an MMS file to contacts and
• as an auto reply to incoming text messages

 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceIES VE
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAnitaRaj43
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMKumar Satyam
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard37
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 

Recently uploaded (20)

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization -  The evolution of API governanceAPI Governance and Monetization -  The evolution of API governance
API Governance and Monetization - The evolution of API governance
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational Performance
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 

Malicious software

1. MALICIOUS SOFTWARE
ITSY3104 - Computer Security A - Lecture 5 - Malicious Software
Mr. RAJASEKAR RAMALINGAM
Department of IT, College of Applied Sciences, Sur.
Sultanate of Oman.
http://vrrsekar.wixsite.com/raja
Based on William Stallings, Lawrie Brown, Computer Security: Principles and Practice, Third Edition
2.
• 5.1 Malware
• 5.2 Advanced Persistent Threats (APTs)
• 5.3 Viruses
• 5.4 Worms
• 5.5 Bots
• 5.6 Rootkits
• 5.7 Mobile Code
• 5.8 Mobile Phone Worms
3. 5.1 Malware
• [NIST05] defines malware as:
“a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or otherwise annoying or disrupting the victim.”
4. 5.1.1 Malware Terminologies
5.
6.
7. 5.1.2 Classification of Malware
• classified into two broad categories based on:
– how it spreads or propagates to reach the desired targets
– the actions or payloads it performs once a target is reached
• also classified by:
– those that need a host program
• parasitic code such as viruses
– those that are independent, self-contained programs
• worms, trojans, and bots
– malware that does not replicate
• trojans and spam e-mail
– malware that does replicate
• viruses and worms
8. 5.1.3 Types of Malicious Software
• propagation mechanisms include:
– infection of existing content by viruses that is subsequently spread to other systems
– exploit of software vulnerabilities by worms or drive-by-downloads to allow the malware to replicate
– social engineering attacks that convince users to bypass security mechanisms to install Trojans or to respond to phishing attacks
• payload actions performed by malware once it reaches a target system can include:
– corruption of system or data files
– theft of service/make the system a zombie agent of attack as part of a botnet
– theft of information from the system/keylogging
– stealthing/hiding its presence on the system
9. 5.1.4 Attack Kits
• Initially the development and deployment of malware required considerable technical skill by software authors
– The development of virus-creation toolkits in the early 1990s and then more general attack kits in the 2000s greatly assisted in the development and deployment of malware
• Toolkits are often known as “crimeware”
– Include a variety of propagation mechanisms and payload modules that even novices can deploy
– The variants that attackers can generate using these toolkits create a significant problem for those defending systems against them
• Widely used toolkits include:
– Zeus, Blackhole, Sakura, Phoenix
10. 5.1.5 Attack Sources
• Another significant malware development is the change from attackers being individuals often motivated to demonstrate their technical competence to their peers to more organized and dangerous attack sources such as:
– Politically motivated attackers
– Criminals
– Organized crime
– Organizations that sell their services to companies and nations
– National government agencies
• This has significantly changed the resources available and the motivation behind the rise of malware, and has led to the development of a large underground economy involving the sale of attack kits, access to compromised hosts, and stolen information
11. 5.2 Advanced Persistent Threats (APTs)
• Well-resourced, persistent application of a wide variety of intrusion technologies and malware to selected targets (usually business or political)
• Typically attributed to state-sponsored organizations and criminal enterprises
• Differ from other types of attack by their careful target selection and stealthy intrusion efforts over extended periods
• High profile attacks include Aurora, RSA, APT1, and Stuxnet
12. 5.2.1 APT Characteristics
Advanced
• Use by the attackers of a wide variety of intrusion technologies and malware, including the development of custom malware if required
• The individual components may not necessarily be technically advanced but are carefully selected to suit the chosen target
Persistent
• Determined application of the attacks over an extended period against the chosen target in order to maximize the chance of success
• A variety of attacks may be progressively applied until the target is compromised
Threats
• Threats to the selected targets as a result of the organized, capable, and well-funded attackers’ intent to compromise the specifically chosen targets
• The active involvement of people in the process greatly raises the threat level from that due to automated attack tools, and also the likelihood of successful attacks
13. 5.2.2 APT Attacks
• Aim:
– Varies from theft of intellectual property or security and infrastructure related data to the physical disruption of infrastructure
• Techniques used:
– Social engineering
– Spear-phishing email
– Drive-by-downloads from selected compromised websites likely to be visited by personnel in the target organization
• Intent:
– To infect the target with sophisticated malware with multiple propagation mechanisms and payloads
– Once they have gained initial access to systems in the target organization, a further range of attack tools is used to maintain and extend their access
14. 5.3 Viruses
• piece of software that infects programs
– modifies them to include a copy of the virus
– replicates and goes on to infect other content
– easily spread through network environments
• when attached to an executable program a virus can do anything that the program is permitted to do
– executes secretly when the host program is run
• specific to operating system and hardware
– takes advantage of their details and weaknesses
15. 5.3.1 Virus Components
infection mechanism
• means by which a virus spreads or propagates
• also referred to as the infection vector
trigger
• event or condition that determines when the payload is activated or delivered
• sometimes known as a logic bomb
payload
• what the virus does (besides spreading)
• may involve damage or benign but noticeable activity
16. 5.3.2 Virus Phases
dormant phase
• virus is idle
• will eventually be activated by some event
• not all viruses have this stage
triggering phase
• virus is activated to perform the function for which it was intended
• can be caused by a variety of system events
propagation phase
• virus places a copy of itself into other programs or into certain system areas on the disk
• may not be identical to the propagating version
• each infected program will now contain a clone of the virus which will itself enter a propagation phase
execution phase
• function is performed
• may be harmless or damaging
17. 5.3.3 Virus Structure
18. 5.3.4 Virus Classifications
• boot sector infector
– infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus
• file infector
– infects files that the operating system or shell considers to be executable
• macro virus
– infects files with macro or scripting code that is interpreted by an application
• multipartite virus
– infects files in multiple ways
• encrypted virus
– a portion of the virus creates a random encryption key and encrypts the remainder of the virus
• stealth virus
– a form of virus explicitly designed to hide itself from detection by anti-virus software
• polymorphic virus
– a virus that mutates with every infection
• metamorphic virus
– a virus that mutates and rewrites itself completely at each iteration and may change behavior as well as appearance
19. 5.3.5 Virus Countermeasures
• Prevention - ideal solution but difficult
• Best approach is to be able to do the following:
1. Detection - determine that an infection has occurred & locate the virus
2. Identification - identify the specific virus that infected the program
3. Removal - remove all traces of the virus from the infected program
• If we can detect but can’t identify or remove, we must discard and replace the infected program
20. 5.3.6 Generations of Anti-Virus Software
• first generation: simple scanners
– requires a malware signature to identify the malware
– limited to the detection of known malware
• second generation: heuristic scanners
– uses heuristic rules to search for probable malware instances
– another approach is integrity checking
• third generation: activity traps
– memory-resident programs that identify malware by its actions rather than its structure in an infected program
• fourth generation: full-featured protection
– packages consisting of a variety of anti-virus techniques used in conjunction
– include scanning and activity trap components and access control capability
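The first two generations above can be shown side by side in a few dozen lines. The following is an added example, not code from the lecture or from Stallings and Brown: a first-generation signature scanner and a second-generation integrity checker run over a constructed in-memory "disk" so that it works offline. The signature patterns, the HMAC key and the file contents are all made up for the demonstration. The point it makes is the one the slide states: the signature scanner names the malware it knows but says nothing about the unknown file, while the integrity checker flags every change (including the unknown file) but cannot say which virus caused it.

```python
"""Toy first- and second-generation anti-virus checks over constructed data.

Added example; it is not code from the lecture or from Stallings & Brown.
The signature patterns, the key and the in-memory "files" are all constructed
for the demonstration."""
from __future__ import annotations

import hashlib
import hmac

# First generation: a signature database. Each entry is a byte pattern that a
# known piece of malware leaves in the files it infects. These two patterns
# are made up for the example; real databases hold millions of entries.
SIGNATURES: dict[str, bytes] = {
    "Example.FileInfector": b"\x4d\x5a\x90\x00EXAMPLE-INFECTOR-STUB",
    "Example.Macro": b"Sub AutoOpen()",
}


def scan_signatures(content: bytes, signatures: dict[str, bytes] = SIGNATURES) -> list[str]:
    """Return the names of every known signature found in the file content."""
    return [name for name, pattern in signatures.items() if pattern in content]


class IntegrityChecker:
    """Second generation, integrity checking: record a keyed hash of every
    file while the system is known clean; any later mismatch means the file
    was modified. HMAC with a key stored off the monitored host stops a
    virus that modifies a file from also patching the baseline entry."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._baseline: dict[str, str] = {}

    def _digest(self, content: bytes) -> str:
        return hmac.new(self._key, content, hashlib.sha256).hexdigest()

    def record_baseline(self, files: dict[str, bytes]) -> None:
        self._baseline = {path: self._digest(data) for path, data in files.items()}

    def check(self, files: dict[str, bytes]) -> dict[str, str]:
        """Map each path with a discrepancy to 'modified', 'added' or 'missing'."""
        findings: dict[str, str] = {}
        for path, data in files.items():
            if path not in self._baseline:
                findings[path] = "added"
            elif not hmac.compare_digest(self._baseline[path], self._digest(data)):
                findings[path] = "modified"
        for path in self._baseline:
            if path not in files:
                findings[path] = "missing"
        return findings


# Constructed "disk" contents while clean, then after an infection-like change.
CLEAN_FILES: dict[str, bytes] = {
    "/bin/editor": b"\x7fELF clean editor program bytes",
    "/docs/report.doc": b"report text with no macros",
}
INFECTED_FILES: dict[str, bytes] = {
    # a file infector appended its body to the executable
    "/bin/editor": CLEAN_FILES["/bin/editor"] + SIGNATURES["Example.FileInfector"],
    # a macro virus inserted an auto-run macro into the document
    "/docs/report.doc": CLEAN_FILES["/docs/report.doc"] + b"\nSub AutoOpen()\n",
    # a file that was not present when the baseline was taken
    "/tmp/unknown.exe": b"bytes that match no signature",
}


def run_example() -> tuple[dict[str, list[str]], dict[str, str]]:
    """Scan the infected snapshot both ways; return (signature hits, integrity findings)."""
    checker = IntegrityChecker(key=b"constructed-demo-key-keep-off-host")
    checker.record_baseline(CLEAN_FILES)
    hits = {path: scan_signatures(data) for path, data in INFECTED_FILES.items()}
    hits = {path: names for path, names in hits.items() if names}
    return hits, checker.check(INFECTED_FILES)


if __name__ == "__main__":
    signature_hits, integrity_findings = run_example()
    print("signature scan:", signature_hits)        # misses /tmp/unknown.exe: unknown malware
    print("integrity check:", integrity_findings)   # flags it as 'added', but names no virus
```

Running the module prints the two result sets; `/tmp/unknown.exe` appears only in the integrity findings, which is exactly why the slide lists integrity checking under the second generation and why later generations add behaviour-based activity traps.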
21. 5.3.7 Digital Immune System
22. The digital immune system is a comprehensive approach to virus protection developed by and subsequently refined by Symantec. In 2010, their resulting Global Intelligence Network comprised more than 240,000 sensors, and gathered intelligence on malicious code from more than 133 million client, server, and gateway systems that have deployed Symantec anti-virus products. The motivation for this development has been the rising threat of Internet-based virus propagation, and the need to acquire a global view of the situation.
23. The typical steps in early proposals for digital immune system operation:
1. A monitoring program on each PC uses a variety of heuristics based on system behavior, suspicious changes to programs, or family signature to infer that malware may be present. The monitoring program forwards a copy of any suspect program to an administrative machine within the organization.
2. The administrative machine encrypts the sample and sends it to a central malware analysis system.
3. This machine creates an environment in which the suspect program can be safely run for analysis. Techniques used for this purpose include emulation, or the creation of a protected environment within which the suspect program can be executed and monitored. The malware analysis system then produces a prescription for identifying and removing the malware.
24.
4. The resulting prescription is sent back to the administrative machine.
5. The administrative machine forwards the prescription to the original client.
6. The prescription is also forwarded to other clients in the organization.
7. Subscribers around the world receive regular anti-virus updates that protect them from the new malware.
25. 5.4 Worms
• program that actively seeks out more machines to infect
– each infected machine serves as an automated launching pad for attacks on other machines
• exploits software vulnerabilities in client or server programs
• can use network connections to spread from system to system
• spreads through shared media
– USB drives, CD, DVD data disks
26. Worms…
• e-mail worms spread in macro or script code included in attachments and instant messenger file transfers
• upon activation the worm may replicate and propagate again
• usually carries some form of payload
• first known implementation was done in Xerox Palo Alto Labs in the early 1980s
27. 5.4.1 Worm Replication
Electronic mail or instant messenger facility
• worm e-mails a copy of itself to other systems
• sends itself as an attachment via an instant message service
File sharing
• creates a copy of itself or infects a file as a virus on removable media
Remote execution capability
• worm executes a copy of itself on another system
Remote file access or transfer capability
• worm uses a remote file access or transfer service to copy itself from one system to the other
Remote login capability
• worm logs onto a remote system as a user and then uses commands to copy itself from one system to the other
28. 5.4.2 Morris Worm
• earliest significant worm infection
– released by Robert Morris in 1988
• designed to spread on UNIX systems
– attempted to crack the local password file to use the login/password to log on to other systems
– exploited a bug in the finger protocol which reports the whereabouts of a remote user
– exploited a trapdoor in the debug option of the remote process that receives and sends mail
• successful attacks achieved communication with the operating system command interpreter
– sent the interpreter a bootstrap program to copy the worm over
29. 5.4.3 Worm Technology
• multiplatform
• multi-exploit
• ultrafast spreading
• polymorphic
• metamorphic
• zero-day exploit
30. Worm Technology…
The state of the art in worm technology includes the following:
• Multiplatform: Can attack a variety of platforms.
• Multi-exploit: Exploits web servers, browsers, e-mail, file sharing & other networking services to attack.
• Ultrafast spreading: Accelerating the speed of a worm.
• Polymorphic: Takes multiple copies and acts differently.
• Metamorphic: Has a repertoire of behavior patterns.
• Transport vehicles: Ideal for spreading other attack tools.
• Zero-day exploit: A worm should exploit an unknown vulnerability that is only discovered by the general network community when the worm is launched.
31. 5.4.4 Worm Countermeasures
• Overlaps with anti-virus techniques.
• Antivirus software can be used to detect worms
• Worms also cause significant network activity
• Worm defense approaches include:
– Signature-based worm scan filtering (worm signature)
– Filter-based worm containment (worm content)
– Payload-classification-based worm containment (anomaly detection)
– Threshold Random Walk (TRW) scan detection (random scan)
– Rate limiting and rate halting (limit traffic & block outgoing traffic)
32. 5.4.6 Proactive Worm Containment (PWC)
• The PWC scheme is host-based software.
• PWC monitors the rate of outgoing connection attempts and the diversity of connections to remote hosts.
• When such a surge is detected, the software immediately blocks its host from further connection attempts.
• A PWC system consists of a PWC manager & PWC agents in hosts.
33. PWC operates as follows
1) A PWC agent monitors outgoing traffic for scan activity. If a surge is detected, the agent:
a) Issues an alert to the local system;
b) Blocks all outgoing connection attempts;
c) Transmits the alert to the PWC manager;
d) Starts a relaxation analysis.
2) The PWC manager receives an alert, and propagates the alert to all other agents.
3) A host receives an alert, and performs the following actions:
a) blocks all outgoing connection attempts from the specific alerting port
b) starts a relaxation analysis.
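Two of the countermeasures named in 5.4.4 and 5.4.6, TRW scan detection and a PWC-style agent, work on the same input: the stream of a host's outgoing connection attempts and whether each one succeeded. The block below is an added example, not code from the lecture, from Stallings and Brown, or from the PWC authors. `TRWDetector` implements the Threshold Random Walk sequential hypothesis test of Jung et al. (2004) with its published default parameters (theta0 = 0.8, theta1 = 0.2, alpha = 0.01, beta = 0.99). `PWCAgent` is a deliberately simplified rate/diversity surge detector modelled on the slides' description of a PWC agent: it blocks the whole source host rather than one port, and its "relaxation" is a fixed cool-down rather than the paper's relaxation analysis. The connection log is constructed for the example and uses RFC 5737 documentation addresses.

```python
"""Outbound scan detection over a constructed connection log.

Added example; not code from the lecture, from Stallings & Brown, or from the
PWC authors. TRWDetector follows Jung et al. (2004); PWCAgent is a simplified
surge detector modelled on the slides' description (host-wide block, fixed
cool-down instead of relaxation analysis). Addresses are RFC 5737 ranges."""
from __future__ import annotations

import math
from collections import defaultdict, deque

# Constructed records: (time in seconds, source, destination, connection succeeded)
LOG: list[tuple[float, str, str, bool]] = [
    # a benign workstation: a handful of destinations, most attempts succeed
    (0.0, "10.0.0.5", "192.0.2.10", True),
    (0.4, "10.0.0.5", "192.0.2.10", True),   # repeat contact, not a first contact
    (1.1, "10.0.0.5", "192.0.2.11", True),
    (1.8, "10.0.0.5", "192.0.2.12", True),
    (2.0, "10.0.0.5", "192.0.2.13", False),
    (2.6, "10.0.0.5", "192.0.2.14", True),
    (3.5, "10.0.0.5", "192.0.2.15", True),
] + [
    # an infected host sweeping 198.51.100.0/24 at 50 attempts/s; 1 in 10 targets is up
    (5.0 + i * 0.02, "10.0.0.9", f"198.51.100.{i}", i % 10 == 0)
    for i in range(40)
]


class TRWDetector:
    """Sequential hypothesis test per source. H0: benign host whose first
    contacts succeed with probability theta0; H1: scanner, success theta1.
    Each first contact moves a log-likelihood walk: crossing eta1 flags the
    source as a scanner, falling below eta0 clears it as benign."""

    def __init__(self, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.99) -> None:
        self.step_success = math.log(theta1 / theta0)              # walk down
        self.step_failure = math.log((1 - theta1) / (1 - theta0))  # walk up
        self.eta1 = math.log(beta / alpha)              # alpha: false-positive target
        self.eta0 = math.log((1 - beta) / (1 - alpha))  # beta: detection target
        self.walk: dict[str, float] = defaultdict(float)
        self.contacted: dict[str, set[str]] = defaultdict(set)
        self.verdict: dict[str, str] = {}

    def observe(self, src: str, dst: str, succeeded: bool) -> str | None:
        """Feed one connection outcome; return the verdict for src once reached."""
        if src in self.verdict or dst in self.contacted[src]:
            return self.verdict.get(src)  # decided sources and repeat contacts are ignored
        self.contacted[src].add(dst)
        self.walk[src] += self.step_success if succeeded else self.step_failure
        if self.walk[src] >= self.eta1:
            self.verdict[src] = "scanner"
        elif self.walk[src] <= self.eta0:
            self.verdict[src] = "benign"
        return self.verdict.get(src)


class PWCAgent:
    """Host-side surge detector: too many outgoing attempts, or too many
    distinct destinations, inside a sliding window raises an alert and
    blocks further attempts from that source until the cool-down expires."""

    def __init__(self, window_s=1.0, max_attempts=15, max_distinct=10, cooldown_s=5.0) -> None:
        self.window_s, self.max_attempts = window_s, max_attempts
        self.max_distinct, self.cooldown_s = max_distinct, cooldown_s
        self.recent: dict[str, deque] = defaultdict(deque)   # src -> (time, dst) in window
        self.blocked_until: dict[str, float] = {}
        self.alerts: list[tuple[float, str, int, int]] = []  # (time, src, attempts, distinct)

    def attempt(self, t: float, src: str, dst: str) -> bool:
        """Return True if the outgoing attempt is allowed, False if it is blocked."""
        if t < self.blocked_until.get(src, -math.inf):
            return False
        window = self.recent[src]
        window.append((t, dst))
        while window[0][0] < t - self.window_s:
            window.popleft()
        distinct = len({d for _, d in window})
        if len(window) > self.max_attempts or distinct > self.max_distinct:
            self.blocked_until[src] = t + self.cooldown_s
            self.alerts.append((t, src, len(window), distinct))
            return False
        return True


def run_detectors(log=LOG):
    """Replay the log through both detectors; return ({src: (time, first TRW
    verdict)}, PWC alerts, number of attempts the agent blocked)."""
    trw, pwc = TRWDetector(), PWCAgent()
    first_verdict: dict[str, tuple[float, str]] = {}
    blocked = 0
    for t, src, dst, ok in sorted(log):
        verdict = trw.observe(src, dst, ok)
        if verdict and src not in first_verdict:
            first_verdict[src] = (t, verdict)
        if not pwc.attempt(t, src, dst):
            blocked += 1
    return first_verdict, pwc.alerts, blocked


if __name__ == "__main__":
    verdicts, alerts, blocked = run_detectors()
    print("TRW:", verdicts)       # 10.0.0.9 flagged at t=5.1, its 6th first contact
    print("PWC alerts:", alerts)  # one alert for 10.0.0.9 at t=5.2 (11 attempts, 11 hosts)
    print("blocked attempts:", blocked)
```

With the default parameters a failed first contact multiplies the likelihood ratio by 4 and a successful one by 0.25, so TRW needs only a handful of failures to reach the eta1 threshold of 99: the sweeping host is flagged on its sixth first contact, while the benign host is cleared after six mostly successful ones. The PWC-style agent reacts on a different signal (destination diversity inside one second) and cuts the sweep off after eleven attempts; the two checks are complementary, which is why the slides list both.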
34. 5.4.7 Network Based Worm Defense (NBWD)
35.
• The key element of a NBWD is worm monitoring software.
• Two types of monitoring software are needed:
1) Ingress monitors (located at the border router or external firewall)
2) Egress monitors (located at individual LANs, the external border router, a switch, or the external firewall)
• The two types of monitors can be collocated.
• The egress monitor is designed to catch the source of a worm attack by monitoring outgoing traffic.
36. NBWD architecture works as follows:
1. Sensors deployed at various network locations detect a potential worm.
2. The sensors send alerts to a central server that correlates and analyzes the incoming alerts.
3. The server forwards the information to a protected environment, where the worm is sandboxed for analysis.
4. The protected system tests the suspicious software against an appropriately instrumented version of the targeted application to identify the vulnerability.
5. The protected system generates one or more software patches and tests these.
6. The system sends the patch to the application host to update the targeted application.
37. 5.5 Bots
• A bot (robot), also known as a zombie or drone.
• It is a program that secretly takes over hundreds or thousands of Internet-attached computers and then uses those computers to launch attacks that are difficult to trace to the bot's creator.
• The collection of bots is often capable of acting in a coordinated manner; this is referred to as a botnet.
• A botnet exhibits three characteristics:
1) The bot functionality
2) A remote control facility
3) A spreading mechanism to propagate the bots and construct the botnet.
• Some uses of bots include:
– Distributed denial-of-service attacks, spamming, sniffing traffic, keylogging, spreading new malware, installing advertisement add-ons and browser helper objects (BHOs), attacking IRC chat networks, manipulating online polls/games.
38. 5.6 Rootkits
• Set of programs installed for admin access
• Malicious and stealthy changes to host O/S
• May hide its existence
– Subverting report mechanisms on processes, files, registry entries, etc.
• May be:
– Persistent or memory-based
– User or kernel mode
• Installed by user via trojan or by intruder on system
• Range of countermeasures needed
39. 5.7 Mobile Code
• programs that can be shipped unchanged to a variety of platforms
• transmitted from a remote system to a local system and then executed on the local system
• often acts as a mechanism for a virus, worm, or Trojan horse
• takes advantage of vulnerabilities to perform its own exploits
• popular vehicles include
– Java applets, ActiveX, JavaScript and VBScript
40. 5.8 Mobile Phone Worms
• Cabir worm in 2004
• Lasco and CommWarrior in 2005
• communicate through Bluetooth wireless connections or MMS
– target is the smartphone
• can completely disable the phone, delete data on the phone, or force the device to send costly messages
– CommWarrior replicates by means of Bluetooth
• sends itself as an MMS file to contacts and
• as an auto reply to incoming text messages