This document discusses various types of malicious software including viruses, worms, and malware. It provides definitions and examples of different viruses and worms, how they spread and replicate on systems. It also summarizes approaches for detecting, identifying and removing viruses and worms, as well as proactive containment strategies for worms.
MALICIOUS SOFTWARE
ITSY3104 - Computer Security A - Lecture 5 - Malicious Software
Mr. RAJASEKAR RAMALINGAM
Department of IT, College of Applied
Sciences, Sur.
Sultanate of Oman.
http://vrrsekar.wixsite.com/raja
Based on
William Stallings, Lawrie Brown, Computer Security:
Principles and Practice, Third Edition
5.1 Malware
• [NIST05] defines malware as:
“a program that is inserted into a system, usually covertly,
with the intent of compromising the confidentiality,
integrity, or availability of the victim’s data, applications,
or operating system or otherwise annoying or disrupting the
victim.”
5.1.2 Classification of Malware
• classified into two broad categories based on:
– how it spreads or propagates to reach the desired targets
– the actions or payloads it performs once a target is reached
• also classified by:
– those that need a host program
• parasitic code such as viruses
– those that are independent, self-contained programs
• worms, trojans, and bots
– malware that does not replicate
• trojans and spam e-mail
– malware that does replicate
• viruses and worms
5.1.3 Types of Malicious Software
• propagation mechanisms include:
– infection of existing content by viruses that is subsequently spread to other
systems
– exploit of software vulnerabilities by worms or drive-by-downloads to allow
the malware to replicate
– social engineering attacks that convince users to bypass security mechanisms
to install Trojans or to respond to phishing attacks
• payload actions performed by malware once it reaches a target
system can include:
– corruption of system or data files
– theft of service/make the system a zombie agent of attack as part of a botnet
– theft of information from the system/keylogging
– stealthing/hiding its presence on the system
5.1.4 Attack Kits
• Initially the development and deployment of malware required
considerable technical skill by software authors
– The development of virus-creation toolkits in the early 1990s and then more
general attack kits in the 2000s greatly assisted in the development and
deployment of malware
• Toolkits are often known as “crimeware”
– Include a variety of propagation mechanisms and payload modules that even
novices can deploy
– The many variants that attackers can generate with these toolkits create a
significant problem for those defending systems against them
• Widely used toolkits include:
– Zeus, Blackhole, Sakura, Phoenix
5.1.5 Attack Sources
• Another significant malware development is the change from attackers
being individuals, often motivated to demonstrate their technical
competence to their peers, to more organized and dangerous attack sources
such as:
– politically motivated attackers
– criminals
– organized crime
– organizations that sell their services to companies and nations
– national government agencies
• This has significantly changed the resources available and the motivation
behind the rise of malware, and has led to the development of a large
underground economy involving the sale of attack kits, access to
compromised hosts, and stolen information
5.2 Advanced Persistent Threats (APTs)
• Well-resourced, persistent application of a wide variety of
intrusion technologies and malware to selected targets (usually
business or political)
• Typically attributed to state-sponsored organizations and criminal
enterprises
• Differ from other types of attack by their careful target selection
and stealthy intrusion efforts over extended periods
• High profile attacks include Aurora, RSA, APT1, and Stuxnet
5.2.1 APT Characteristics
Advanced
• Use by the attackers of a wide variety of intrusion technologies and malware,
including the development of custom malware if required
• The individual components may not necessarily be technically advanced but are
carefully selected to suit the chosen target
Persistent
• Determined application of the attacks over an extended period against the chosen
target in order to maximize the chance of success
• A variety of attacks may be progressively applied until the target is compromised
Threats
• Threats to the selected targets as a result of the organized, capable, and well-funded
attackers' intent to compromise the specifically chosen targets
• The active involvement of people in the process greatly raises the threat level above
that due to automated attack tools, and also the likelihood of successful attacks
5.2.2 APT Attacks
• Aim:
– Varies from theft of intellectual property or security and infrastructure related
data to the physical disruption of infrastructure
• Techniques used:
– Social engineering
– Spear-phishing email
– Drive-by-downloads from selected compromised websites likely to be visited
by personnel in the target organization
• Intent:
– To infect the target with sophisticated malware with multiple propagation
mechanisms and payloads
– Once they have gained initial access to systems in the target organization a
further range of attack tools are used to maintain and extend their access
5.3 Viruses
• piece of software that infects programs
– modifies them to include a copy of the virus
– replicates and goes on to infect other content
– easily spread through network environments
• when attached to an executable program a virus can do
anything that the program is permitted to do
– executes secretly when the host program is run
• specific to operating system and hardware
– takes advantage of their details and weaknesses
5.3.1 Virus Components
• infection mechanism
– means by which a virus spreads or propagates
– also referred to as the infection vector
• trigger
– event or condition that determines when the payload is activated or delivered
– sometimes known as a logic bomb
• payload
– what the virus does (besides spreading)
– may involve damage or benign but noticeable activity
5.3.2 Virus Phases
• dormant phase
– virus is idle
– will eventually be activated by some event
– not all viruses have this stage
• propagation phase
– virus places a copy of itself into other programs or into certain system areas on the disk
– the copy may not be identical to the propagating version
– each infected program will now contain a clone of the virus, which will itself enter a propagation phase
• triggering phase
– virus is activated to perform the function for which it was intended
– can be caused by a variety of system events
• execution phase
– function is performed
– may be harmless or damaging
5.3.4 Virus Classifications
• boot sector infector
– infects a master boot record or boot
record and spreads when a system is
booted from the disk containing the
virus
• file infector
– infects files that the operating
system or shell considers to be
executable
• macro virus
– infects files with macro or scripting
code that is interpreted by an
application
• multipartite virus
– infects files in multiple ways
• encrypted virus
– a portion of the virus creates a
random encryption key and encrypts
the remainder of the virus
• stealth virus
– a form of virus explicitly designed to
hide itself from detection by anti-
virus software
• polymorphic virus
– a virus that mutates with every
infection
• metamorphic virus
– a virus that mutates and rewrites itself
completely at each iteration and may
change behavior as well as
appearance
5.3.5 Virus Countermeasures
• Prevention - the ideal solution, but difficult to achieve
• The best practical approach is to be able to do the following:
1. Detection - determine that a virus is present and locate it
2. Identification - identify the specific virus that has infected
the program
3. Removal - remove all traces of the virus from the
infected program
• If a virus is detected but cannot be identified or removed, the infected
program must be discarded and replaced with a clean copy
5.3.6 Generations of Anti-Virus Software
• first generation: simple scanners
– requires a malware signature to identify the malware
– limited to the detection of known malware
• second generation: heuristic scanners
– uses heuristic rules to search for probable malware instances
– another approach is integrity checking
• third generation: activity traps
– memory-resident programs that identify malware by its actions rather than
its structure in an infected program
• fourth generation: full-featured protection
– packages consisting of a variety of anti-virus techniques used in conjunction
– include scanning and activity trap components and access control capability
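Integrity checking, the second-generation approach listed above, in an added Python example that is not from the lecture or the textbook (the program images, the checksum database and the infector stand-in are all constructed in memory, and `CHECKER_KEY` is an assumed secret). It shows why the checker must use a keyed fingerprint: a plain checksum can be recomputed by whatever modified the file, whereas a MAC under a key the checker keeps out of reach cannot.

```python
import hashlib
import hmac

# Secret held only by the integrity checker (constructed for this example).
# Code that lacks this key cannot produce a valid keyed fingerprint.
CHECKER_KEY = b"constructed-demo-key-do-not-reuse"


def fingerprint(data: bytes, keyed: bool) -> str:
    """Plain SHA-256 checksum (unkeyed) or HMAC-SHA256 (keyed) of a program image."""
    if keyed:
        return hmac.new(CHECKER_KEY, data, hashlib.sha256).hexdigest()
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict, keyed: bool) -> dict:
    """Record one fingerprint per executable while the system is known to be clean."""
    return {name: fingerprint(data, keyed) for name, data in files.items()}


def check_integrity(files: dict, baseline: dict, keyed: bool) -> list:
    """Return the names of executables whose current fingerprint no longer matches."""
    return sorted(name for name, data in files.items()
                  if not hmac.compare_digest(fingerprint(data, keyed),
                                             baseline.get(name, "")))


def simulate_file_infector(files: dict, baseline: dict) -> None:
    """Constructed stand-in for a file infector: appends bytes to one executable and,
    having access to the checksum database, rewrites that entry with a plain SHA-256
    of the modified file. It does not know CHECKER_KEY."""
    files["editor.exe"] = files["editor.exe"] + b"<constructed infection marker>"
    baseline["editor.exe"] = hashlib.sha256(files["editor.exe"]).hexdigest()


def demo(keyed: bool) -> list:
    # Constructed program images standing in for the executables on disk.
    files = {"editor.exe": b"\x4d\x5a clean editor image",
             "shell.exe": b"\x4d\x5a clean shell image"}
    baseline = build_baseline(files, keyed)
    simulate_file_infector(files, baseline)
    return check_integrity(files, baseline, keyed)


if __name__ == "__main__":
    print("unkeyed checksum flags:", demo(keyed=False))  # [] -- infection hidden
    print("keyed MAC flags:      ", demo(keyed=True))    # ['editor.exe']
```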
5.3.7 Digital Immune System
The digital immune system is a comprehensive approach to virus
protection developed by and subsequently refined by Symantec.
In 2010, their resulting Global Intelligence Network comprised
more than 240,000 sensors, and gathered intelligence on malicious
code from more than 133 million client, server, and gateway
systems that have deployed Symantec anti-virus products.
The motivation for this development has been the rising threat of
Internet-based virus propagation, and the need to acquire a global
view of the situation.
The typical steps in early proposals for digital immune system operation:
1. A monitoring program on each PC uses a variety of heuristics based on system
behavior, suspicious changes to programs, or family signature to infer that
malware may be present. The monitoring program forwards a copy of any
suspect program to an administrative machine within the organization.
2. The administrative machine encrypts the sample and sends it to a central
malware analysis system.
3. This machine creates an environment in which the suspect program can be
safely run for analysis. Techniques used for this purpose include emulation,
or the creation of a protected environment within which the suspect program
can be executed and monitored. The malware analysis system then produces a
prescription for identifying and removing the malware.
4. The resulting prescription is sent back to the administrative
machine.
5. The administrative machine forwards the prescription to the
original client.
6. The prescription is also forwarded to other clients in the
organization.
7. Subscribers around the world receive regular anti-virus updates
that protect them from the new malware.
5.4 Worms
• program that actively seeks out more machines to infect
– each infected machine serves as an automated
launching pad for attacks on other machines
• exploits software vulnerabilities in client or server
programs
• can use network connections to spread from system to
system
• spreads through shared media
– USB drives, CD, DVD data disks
Worms (continued)
• e-mail worms spread in macro or script code included in
attachments and instant messenger file transfers
• upon activation the worm may replicate and propagate
again
• usually carries some form of payload
• first known implementation was done in Xerox Palo Alto
Labs in the early 1980s
5.4.1 Worm Replication
• Electronic mail or instant messenger facility
– worm e-mails a copy of itself to other systems
– sends itself as an attachment via an instant message service
• File sharing
– creates a copy of itself or infects a file as a virus on removable media
• Remote execution capability
– worm executes a copy of itself on another system
• Remote file access or transfer capability
– worm uses a remote file access or transfer service to copy itself from one system to the other
• Remote login capability
– worm logs onto a remote system as a user and then uses commands to copy itself from one system to the other
5.4.2 Morris Worm
• earliest significant worm infection
– released by Robert Morris in 1988
• designed to spread on UNIX systems
– attempted to crack the local password file to obtain login/password pairs
with which to log on to other systems
– exploited a bug in the finger protocol which reports the
whereabouts of a remote user
– exploited a trapdoor in the debug option of the remote process
that receives and sends mail
• successful attacks achieved communication with the
operating system command interpreter
– sent interpreter a bootstrap program to copy worm over
Worm Technology
The state of the art in worm technology includes the following:
• Multiplatform: can attack a variety of platforms.
• Multi-exploit: exploits web servers, browsers, e-mail, file sharing and
other network-facing services to penetrate systems.
• Ultrafast spreading: accelerates the rate at which the worm spreads.
• Polymorphic: each copy takes a different form, so copies look and act differently.
• Metamorphic: has a repertoire of behavior patterns unleashed at different stages.
• Transport vehicles: ideal for spreading other attack tools.
• Zero-day exploit: exploits a previously unknown vulnerability, one that the
general network community only discovers when the worm is launched.
5.4.4 Worm Countermeasures
• Worm countermeasures overlap with anti-virus techniques.
• Anti-virus software can be used to detect worms.
• Worms also cause significant network activity, which network-based defenses can observe.
• Worm defense approaches include:
– Signature-based worm scan filtering (Worm signature)
– Filter-based worm containment (Worm Content)
– Payload-classification-based worm containment (Anomaly
detection)
– Threshold Random Walk (TRW) scan detection (Random Scan)
– Rate limiting and Rate halting (Limit Traffic & Blocks outgoing
traffic)
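Threshold Random Walk (TRW) scan detection from the list above, as an added Python example that is not from the lecture or the textbook: per source host it keeps a log-likelihood ratio over the success or failure of each first contact with a new destination and declares the host a scanner or benign once Wald's sequential-test thresholds are crossed, so a worm sweeping unused addresses is flagged after a handful of failed first contacts. The model probabilities and error bounds are assumed values, and the traffic in the demo is constructed.

```python
import math
from dataclasses import dataclass, field
from typing import Optional

# Constructed model parameters (assumed values, not from the lecture):
THETA0 = 0.8   # P(first-contact connection succeeds | source is benign)
THETA1 = 0.2   # P(first-contact connection succeeds | source is a scanning worm)
ALPHA = 0.01   # tolerated false-positive probability
BETA = 0.99    # desired detection probability

# Wald sequential-test thresholds on the log-likelihood ratio.
ETA1 = math.log(BETA / ALPHA)                       # walk up to here   -> "scanner"
ETA0 = math.log((1 - BETA) / (1 - ALPHA))           # walk down to here -> "benign"
STEP_FAIL = math.log((1 - THETA1) / (1 - THETA0))   # a failed first contact: +ln 4
STEP_OK = math.log(THETA1 / THETA0)                 # a successful one:       -ln 4


@dataclass
class TRWDetector:
    """Random walk over the outcomes of one source's first contacts with destinations."""
    log_lambda: float = 0.0
    contacted: set = field(default_factory=set)
    verdict: Optional[str] = None

    def observe(self, dst: str, succeeded: bool) -> Optional[str]:
        # Only the first attempt to each destination moves the walk; retries are ignored.
        if self.verdict is not None or dst in self.contacted:
            return self.verdict
        self.contacted.add(dst)
        self.log_lambda += STEP_OK if succeeded else STEP_FAIL
        if self.log_lambda >= ETA1:
            self.verdict = "scanner"
        elif self.log_lambda <= ETA0:
            self.verdict = "benign"
        return self.verdict


def classify(events):
    """Feed (destination, succeeded) outcomes in order and stop at the first verdict.
    Returns (verdict or None, number of distinct destinations examined)."""
    det = TRWDetector()
    for dst, ok in events:
        if det.observe(dst, ok) is not None:
            break
    return det.verdict, len(det.contacted)


if __name__ == "__main__":
    # Constructed traffic: a worm sweeping unused addresses fails on every first contact,
    # a user's browsing succeeds, and one host retrying a single dead peer is not a scan.
    sweep = [(f"10.0.0.{i}", False) for i in range(1, 11)]
    browsing = [(f"93.184.216.{i}", True) for i in range(1, 11)]
    retries = [("10.0.0.7", False)] * 10
    print(classify(sweep), classify(browsing), classify(retries))
```

With these parameters the walk needs four net failures (4 ln 4 > ln 99) to reach the scanner threshold, so the verdict is reached after the fourth distinct failed destination.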
5.4.6 Proactive Worm Containment (PWC)
The PWC scheme is host-based software.
A PWC agent monitors the frequency of outgoing connection attempts and the
diversity of the remote hosts they are directed to; a sudden surge in either is
treated as scanning activity.
When such a surge is detected, the software immediately blocks its host from
further connection attempts.
A PWC system consists of a PWC manager and PWC agents on the hosts.
PWC operates as follows:
1) A PWC agent monitors outgoing traffic for scan activity.
• If a surge is detected, the agent:
a) issues an alert to the local system;
b) blocks all outgoing connection attempts;
c) transmits the alert to the PWC manager;
d) starts a relaxation analysis.
2) The PWC manager receives the alert and propagates it to
all other agents.
3) Each host that receives the alert performs the following
actions:
a) blocks all outgoing connection attempts from the
specific alerting port;
b) starts a relaxation analysis.
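The agent/manager exchange in steps 1 to 3, as an added Python simulation that is not part of the lecture or of any PWC implementation: each agent judges a surge by the rate and the host diversity of recent outgoing attempts, blocks itself, has the manager tell the other agents to block only the alerting source port, and lifts the blocks through a relaxation analysis once attempts stay quiet. The window length, thresholds and relaxation rule are assumed values, and a real agent would hook the host's network stack instead of being handed timestamps.

```python
from collections import deque

# Assumed tuning values (constructed for this example, not from the lecture):
WINDOW = 1.0              # seconds of history used to judge a surge
RATE_THRESHOLD = 20       # outgoing connection attempts per window
DIVERSITY_THRESHOLD = 10  # distinct remote hosts contacted per window
RELAX_WINDOWS = 3         # consecutive quiet windows before a block is lifted

def is_surge(window):
    hosts = {dst for _, dst, _ in window}
    return len(window) > RATE_THRESHOLD or len(hosts) > DIVERSITY_THRESHOLD

def propagate_alert(agents, source, port):
    """Step 2: the PWC manager forwards one agent's alert to every other agent."""
    for agent in agents:
        if agent is not source:
            agent.blocked_ports.add(port)    # step 3a on the other hosts

class PWCAgent:
    def __init__(self, peers):
        self.peers, self.recent = peers, deque()  # recent: (ts, remote host, src port)
        peers.append(self)
        self.block_all = False       # set after this host's own surge (step 1b)
        self.blocked_ports = set()   # set from another host's alert (step 3a)
        self.quiet_windows = 0

    def attempt(self, ts, dst, src_port):
        """Called for every outgoing connection attempt; True if it may proceed."""
        self.recent.append((ts, dst, src_port))
        while ts - self.recent[0][0] > WINDOW:
            self.recent.popleft()
        if self.block_all or src_port in self.blocked_ports:
            return False
        if is_surge(self.recent):                # steps 1a-1d
            self.block_all = True
            propagate_alert(self.peers, self, src_port)
            self.quiet_windows = 0
            return False
        return True

    def relaxation(self, ts):
        """Steps 1d/3b: lift blocks after RELAX_WINDOWS consecutive quiet windows."""
        window = [r for r in self.recent if ts - r[0] <= WINDOW]
        self.quiet_windows = 0 if is_surge(window) else self.quiet_windows + 1
        if self.quiet_windows >= RELAX_WINDOWS:
            self.block_all, self.blocked_ports = False, set()

def demo():
    agents = []
    a, b = PWCAgent(agents), PWCAgent(agents)
    # Constructed scenario: a process on host a (source port 4444) sweeps 25 hosts in 0.5 s.
    a_allowed = sum(a.attempt(i * 0.02, f"10.0.0.{i + 1}", 4444) for i in range(25))
    a_blocked = a.block_all
    b_other = b.attempt(0.6, "10.0.1.1", 51000)  # host b's ordinary traffic still flows
    b_4444 = b.attempt(0.6, "10.0.1.2", 4444)    # ...but its port 4444 is now blocked
    for w in range(1, RELAX_WINDOWS + 1):         # the sweep stops; both hosts relax
        a.relaxation(0.5 + w * WINDOW)
        b.relaxation(0.5 + w * WINDOW)
    return {"a_allowed": a_allowed, "a_blocked": a_blocked, "b_other": b_other,
            "b_4444": b_4444, "released": not a.block_all and not b.blocked_ports}
```

In the demo the sweep is cut off at the eleventh distinct host, so only the first ten attempts leave host a, and host b loses only port 4444 until both relax.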
5.4.7 Network Based Worm Defense (NBWD)
• The key element of a NBWD is worm monitoring software.
• Two types of monitoring software are needed:
1) Ingress Monitors (Located at Border router, External
firewall)
2) Egress Monitors (Located at individual LANs, External
border router, Switch, External Firewall)
• The two types of monitors can be collocated.
• Egress monitoring is designed to catch the source of a worm attack by monitoring
outgoing traffic.
NBWD architecture works as follows:
1. Sensors deployed at various network locations detect a potential worm.
2. The sensors send alerts to a central server that correlates and analyzes the
incoming alerts.
3. The central server forwards the information to a protected environment, where
the worm is sandboxed for analysis.
4. The protected system tests the suspicious software against an appropriately
instrumented version of the targeted application to identify the
vulnerability.
5. The protected system generates one or more software patches and tests these.
6. The system sends the patch to the application host to update the targeted
application.
5.5 Bots
• A bot (robot), also known as a zombie or drone, is a program that secretly
takes over hundreds or thousands of Internet-attached computers and then uses
those computers to launch attacks that are difficult to trace to the bot's creator.
• The collection of bots is often capable of acting in a coordinated manner;
such a collection is referred to as a botnet.
• A botnet exhibits three characteristics
1) The bot functionality
2) A remote control facility
3) A spreading mechanism to propagate the bots and construct the botnet.
• Some uses of bots include:
– distributed denial-of-service attacks, spamming, sniffing traffic,
keylogging, spreading new malware, installing advertisement add-ons and
browser helper objects (BHOs), attacking IRC chat networks, and manipulating
online polls/games.
5.6 Rootkits
• Set of programs installed for admin access
• Malicious and stealthy changes to host O/S
• May hide its existence
– Subverting the reporting mechanisms for processes, files, registry
entries, etc.
• May be:
– Persistent or memory-based
– User or kernel mode
• Installed by user via trojan or intruder on system
• Range of countermeasures needed
5.7 Mobile Code
• programs that can be shipped unchanged to a variety
of platforms
• transmitted from a remote system to a local system
and then executed on the local system
• often acts as a mechanism for a virus, worm, or
Trojan horse
• takes advantage of vulnerabilities to perform its own
exploits
• popular vehicles include
– Java applets, ActiveX, JavaScript and VBScript
5.8 Mobile Phone Worms
• Cabir worm in 2004
• Lasco and CommWarrior in 2005
• communicate through Bluetooth wireless connections or
MMS
– target is the smartphone
• can completely disable the phone, delete data on the
phone, or force the device to send costly messages
– CommWarrior replicates by means of Bluetooth
• sends itself as an MMS file to contacts and
• as an auto reply to incoming text messages