This document discusses tools for detecting attacks, including honey pots, anti-spyware tools, and backup/recovery tools. It focuses on KFSensor honeypot software, which acts as a decoy server to detect and study hacker behavior without risk to critical systems. The document also covers NetBus and other Trojans, how anti-spyware software differs from viruses/worms in not self-replicating but exploiting computers for commercial gain, and the importance of backups for recovery from attacks.
This document discusses viruses, worms, malware, and techniques for detecting and preventing them. It covers the basics of viruses and how they spread. It then describes the coevolution between viruses and antivirus programs, with viruses constantly evolving new techniques to evade detection while antivirus programs work to improve detection methods. The document outlines several proactive detection techniques used to identify both known and unknown malware threats, such as heuristic analysis, policy-based security, and intrusion detection systems.
sKyWIper is a complex malware used for targeted attacks that was discovered in 2012. It has likely been operational for over 5 years. The malware contains several encrypted and compressed modules that steal information, propagate, and communicate over command and control channels. sKyWIper stores stolen data in encrypted SQLite databases and uses various techniques to evade detection by security programs.
Malicious software, also known as malware, refers to programs that are intentionally designed to cause damage to a computer, server, client, or computer network. There are several types of malware including viruses, worms, Trojan horses, backdoors, and spyware. Viruses attach themselves to other programs and replicate when the host program is executed, while worms can replicate independently and propagate across networks. Trojan horses masquerade as legitimate programs to trick users into installing them. Distributed denial of service (DDoS) attacks aim to make networked services unavailable by flooding them with traffic from compromised systems.
This document provides an overview of different types of malware including viruses, worms, Trojans, and backdoors. Viruses can damage or delete files while replicating themselves. Worms replicate endlessly without damaging files. Trojans masquerade as legitimate programs but provide unauthorized access. Backdoors bypass authentication to remotely access systems. The document describes characteristics and examples of each type as well as how they infect systems.
This document discusses viruses, worms, and other types of malware. It defines viruses and worms as replicating programs that can attach themselves to other programs or files to spread. Viruses can remain dormant until certain conditions are met before activating. The document outlines the life stages of viruses from design, replication, activation, detection, and incorporation into antivirus defenses. It discusses various types of viruses like encryption viruses, polymorphic viruses, and macro viruses. Motivations for creating viruses and common infection methods are explained. Finally, some famous viruses are described like Mydoom, Melissa, ILOVEU, Bubble Boy, and Blaster to illustrate how different viruses function and spread.
This document summarizes various types of malicious software including viruses, worms, trojan horses, logic bombs, and backdoors. It describes how viruses and worms operate by having dormant, propagation, and triggering phases. Viruses can attach to files or reside in memory. Worms replicate over networks to infect other systems. The document also discusses countermeasures like antivirus software, digital immune systems, and efforts to prevent, detect, and trace distributed denial of service attacks.
Computer viruses refer to malicious programs that can copy themselves and damage computer systems by destroying data without the user's permission or knowledge. Some of the earliest detected viruses include the Creeper virus from the early 1970s. Common types of viruses include time bombs, logic bombs, worms, boot sector viruses, DOS viruses, and Trojan horses. To prevent virus infections, users should install and regularly update antivirus software, install security updates, avoid opening unknown emails, and back up important files.
This document provides an overview of various internet security threats including malicious webpages, malware, viruses, spyware, and keyloggers. It defines these threats and describes how they infect systems and collect sensitive information without consent. The document also outlines approaches for detecting and preventing these threats, such as using antivirus software, practicing safe browsing habits, and implementing full-featured security solutions.
What is the meaning of the term logic bomb? What are the features and examples of logic bomb malware? Finally, how to protect yourself from logic bombs?
The document provides an overview of malicious software including viruses, worms, Trojan horses, and distributed denial of service (DDoS) attacks. It defines viruses as self-replicating code that attaches itself to other programs and executes when the host program runs. Worms are independent programs that replicate themselves across networks to infect other computers. The document also describes other types of malicious software like backdoors, logic bombs, and Trojan horses, and explains how DDoS attacks are constructed to overwhelm servers.
The document discusses various types of malicious software including viruses, worms, Trojans, and DDoS attacks. It defines viruses as self-replicating programs that attach themselves to other programs to spread. Viruses have three parts - an infection mechanism, trigger, and payload. The document outlines the life cycle of viruses and categorizes them based on their target (e.g. boot sector, files) and concealment strategy (e.g. encrypted, stealth). Examples of risky file types are also provided.
This document provides an overview of an in-service computer science course for postgraduate teachers (PGT) held at Kendriya Vidyalaya Gachibowli in Hyderabad. It includes a demo lesson on computer viruses presented by B.S. Kalyan Chakravathy from Kendriya Vidyalaya Guntur. The document then provides detailed information about computer viruses including their history, operations, infection methods, stealth strategies, and countermeasures like antivirus software.
This document discusses computer viruses, including their definition, types (resident and non-resident), vectors of transmission, how antivirus software works to detect viruses using signatures and heuristics, methods of virus removal, and a brief history of early work on the theory of computer viruses. It provides an overview of the key topics around computer viruses.
This document discusses computer viruses, including their definition, types (resident and non-resident), vectors of transmission, vulnerability of operating systems, antivirus software and how it works to detect viruses using signatures and heuristics, virus removal methods, and a brief history of early academic work on the theory of self-replicating programs.
The document describes various computer security concepts including threats to information systems like viruses, worms, Trojans, and bots. It discusses different types of malware such as file infectors, macro viruses, encrypted viruses, and rootkits. It also outlines security defenses like using updated antivirus software, firewalls, and practicing safe email/web habits by avoiding suspicious attachments or downloads.
Malicious Software, Terminology of malicious programme, Malicious programs, Nature of Viruses, Virus Operation (four phases or life cycle of a virus), Virus Structure, Types of Viruses, Anti-Virus Software
"Viruses Exploits Rootkits the Dilemma of a Linux Product Manager" by Alexand... (eLiberatica)
This is a presentation held at eLiberatica 2007.
http://www.eliberatica.ro/2007/
One of the biggest events of its kind in Eastern Europe, eLiberatica brings community leaders from around the world to discuss the hottest topics in the FLOSS movement, demonstrating the advantages of adopting, using and developing Open Source and Free Software solutions.
The eLiberatica organizational committee, together with our speakers and guests, has graciously allowed media representatives and all attendees to photograph, videotape and otherwise record their sessions, on the condition that the photos, videos and recordings are licensed under the Creative Commons Share-Alike 3.0 License.
The document discusses various types of program security issues including:
1) Buffer overflow errors which occur when a program tries to store more data in a buffer than it was designed for, potentially allowing attackers to insert malicious code.
2) Incomplete mediation where programs do not properly check all user inputs, enabling attacks such as changing price values.
3) Time-of-check to time-of-use errors where access checks become out of date due to delays between the check and actual use.
Metasploit (Module-1) - Getting Started With Metasploit, by Anurag Srivastava
Metasploit is a vulnerability and exploitation framework used by security professionals to ease the burden of performing security assessments. It contains modules divided into exploits, auxiliary, payloads, and post exploitation that allow penetration testing functionality. Some techniques demonstrated in the document include browser, PDF, and executable exploitation using Metasploit payloads to gain remote access shells on target systems.
This document discusses different types of malicious programs including viruses, worms, Trojan horses, logic bombs, spyware, and adware. Viruses replicate by inserting copies of themselves into other programs or files. Worms replicate across network connections without needing host programs. Trojan horses appear useful but contain hidden malicious code. Logic bombs trigger when specific conditions occur. Spyware collects user information without consent. Adware automatically displays advertisements. The document provides examples of different malware types and advises users to only install trusted software and keep anti-virus software updated.
This document outlines the requirements for a virus detection system project. It includes team members names, hardware and software requirements, system design details like database tables and UML diagrams, implementation details using C# and .NET framework, and testing strategies including unit, integration, and acceptance testing. The proposed system provides a generic antivirus approach that detects suspicious file behaviors and avoids signature-based detection methods. Currently it only allows moving infected files to a vault or deleting them.
Talk of the hour, the wanna crypt ransomware, by shubaira
The document discusses the WannaCrypt ransomware attack that occurred in May 2017. It describes how WannaCrypt exploited a Windows vulnerability to spread, encrypted files on infected systems, and demanded ransom payments in Bitcoin. The document provides details on the malware components, infection cycle, indicators of infection, and recommendations for prevention and cleanup of infected systems. It also includes definitions of relevant cybersecurity terminology.
The document discusses how unprotected Windows file shares can expose systems to exploitation. Malicious software like the Klez worm, Nimda worm, and Sircam virus spread rapidly in 2001 by accessing unprotected shares. The document outlines techniques attackers use like scanning for systems with port 445 open and exploiting weak or null passwords. Examples of malware discussed are the W32/Deloder, GT-bot, and W32/Slackor worms which use these techniques to spread. The document recommends disabling unnecessary shares, using strong unique passwords, and keeping anti-virus software up to date to prevent exploitation.
A computer virus is a program that can copy itself without permission and infect other computers. It spreads by attaching itself to other programs and files that are transferred between computers. Viruses replicate by piggybacking on real programs and files and then reproducing themselves when those programs are run or files opened. The first computer virus was created in 1986 and was named "Brain".
A computer virus is a program that can copy itself without permission and infect other computers. It spreads by attaching itself to other programs and files that are transferred between computers. Viruses replicate by piggybacking on real programs and files and automatically spreading to other computers through email attachments or by exploiting security vulnerabilities over networks. The first computer virus was created in 1986 and was named "Brain".
This document defines and describes various types of malicious software (malware) such as viruses, worms, trojans, and rootkits. It explains that malware can harm computer systems and takes various forms. The document then describes key characteristics of different types of viruses like parasitic viruses, memory resident viruses, boot sector viruses, stealth viruses, polymorphic viruses, and metamorphic viruses. It concludes by emphasizing the importance of using antivirus software to protect systems from malware like viruses and worms.
This document discusses various types of program and system threats including Trojan horses, trapdoors, buffer overflows, worms, viruses, and denial of service attacks. A Trojan horse masquerades as legitimate software to gain unauthorized access. Trapdoors are secret vulnerabilities built into programs by designers. Buffer overflows occur when more data is input than a program expects, potentially allowing code execution. Worms self-replicate to spread while viruses require host files or human action. Examples like the Morris worm and Love Bug virus are provided. Protection involves antivirus software and safe computing practices. The key differences between worms and viruses are also outlined.
Computer Introduction - Lecture 04 for Applied Science college students, Seiyun University, Yemen, 2023-2024 academic year. For students of the College of Applied Sciences at Seiyun University.
Introduction to Computer Science, Lecture Four
Software security aims to protect software from malicious attacks. Common software vulnerabilities include buffer overflows, which occur when more data is written to a buffer than it can hold, overwriting adjacent memory. Other vulnerabilities are format string exploits, SQL injection, and cross-site scripting (XSS) attacks. Malware such as viruses, worms, Trojan horses, and bots also pose security risks by accessing computers without permission and potentially damaging systems.
This document discusses malware, antivirus software, and firewalls. It defines malware as malicious software like viruses, worms, trojans, adware and spyware that can damage computers. It describes common types of malware and how they infect devices. It then explains how antivirus software works using techniques like signature-based detection, heuristics, rootkit detection and real-time protection to identify and remove malware. Finally, it defines firewalls as systems that block unauthorized network access and outlines types like hardware/software firewalls as well as how they function using methods such as packet filtering, application inspection and proxy servers.
A computer virus is a malicious computer program that can copy itself and spread without permission. It can infect computers by being transferred through email attachments, files on removable drives like USBs, or by exploiting vulnerabilities in network file sharing systems. While some viruses only replicate and spread, others are programmed to damage systems by deleting files or reformatting hard drives. Anti-virus software uses virus signatures and heuristics to detect known and unknown viruses, helping to prevent and remove infections. However, users must still regularly update their software and operating systems to patch new vulnerabilities exploited by viruses.
Training on July 16, 2017.
This training is the compressed version of Malware Engineering & Crafting.
In this training, we will talk about malware as well as crafting a simple working malware sample. The goal of this session is to understand malware internals so that one can develop tactics to combat it.
This document discusses vulnerabilities in antivirus software. It begins by noting that over 165 vulnerabilities have been reported in antivirus software in the past 4 years according to the US National Vulnerability Database. It then examines why antivirus software is a target for attackers, including that users have blind faith in it and its error-prone nature in processing many file formats. The document outlines techniques used to find vulnerabilities, including source code audits, reverse engineering, and fuzzing. It also looks at exploiting found vulnerabilities, such as through weak permissions. The overall aim is to raise awareness of security issues in antivirus products.
This document discusses the development of a software package that combines virus protection, key logging, and download management capabilities. It provides code snippets for each of these components, including a download manager class, virus detector class, and key logger class. The goal was to create popular software for both personal and corporate users by bundling useful utilities with potential privacy concerns like key logging.
RRB JE Stage 2 Computer and Applications Questions Part 5, by CAS
Computer viruses, worms, Trojan horses, spyware, and other malware can harm computer systems in various ways. Anti-virus software, firewalls, and other security measures help protect against malware threats. Digital certificates, digital signatures, strong passwords also help secure computer systems and networks from unauthorized access.
Advanced Threats in the Enterprise: Finding an Evil in the HaystackEMC
This white paper describes the current advanced threat landscape, shortcomings of anti-virus, and how RSA ECAT fills the gap and helps organizations detect advanced malware.
The document discusses various common security threats and how to mitigate them using Cisco's IOS Firewall features. It describes application-layer attacks, autorooters, backdoors, denial of service attacks, IP spoofing, man-in-the-middle attacks, network reconnaissance, packet sniffers, password attacks, port redirection attacks, Trojan horse attacks and viruses, and trust exploitation attacks. It then outlines Cisco IOS Firewall features like stateful inspection, intrusion detection, firewall voice traversal, ICMP inspection, authentication proxy, destination URL policy management, per-user firewalls, router provisioning, DoS prevention, dynamic port mapping, Java applet blocking, traffic filtering, multi-interface support, NAT, time-
This document discusses network viruses and strategies for virus detection and prevention. It defines viruses, worms, and Trojan horses and explains how they differ. It then covers various virus spreading strategies and types, including binary, script, macro, boot sector, and worm viruses. The document also discusses detection methods like signature-based and heuristic detection. For prevention, it recommends keeping antivirus software and signatures updated to identify new viruses. Memory demands of antivirus software are also discussed.
Viruses & Malware: Effects On Enterprise NetworksDiane M. Metcalf
The document discusses viruses and malware, focusing on three key areas: detection, disinfection, and related costs for enterprise networks. It describes popular methods of malware infection like exploits, social engineering, rogue infections, peer-to-peer file sharing, emails, and USB devices. It also discusses different types of malware like metamorphic and polymorphic malware, and how they avoid detection through techniques like obfuscation. Current detection methods include signature-based analysis, file emulation, and file analysis, as well as emerging approaches like traffic analysis and vulnerability scanning. Disinfection includes removing malware through specific tools, real-time scanners, and cloud-based technologies. The document outlines how to quantify direct and indirect costs of
This document discusses several types of network security tools and technologies. It begins by explaining firewalls, how they block network traffic between trusted and untrusted networks similar to physical firewalls blocking the spread of fires. It then discusses antivirus software which scans for and removes viruses from computers. Intrusion detection systems monitor network traffic for suspicious activity and may alert administrators or take action like blocking sources. Other sections cover port scanners, network sniffers, network utilities like ping and traceroute, vulnerability scanners and more.
Computer viruses are programs that can copy themselves and infect computers without permission. They share traits with biological viruses and pass from computer to computer. Some examples of damaging viruses include Mydoom in 2004, Melissa in 1999, and ILOVEYOU in 2000. Viruses work by attaching themselves to other programs or system areas of the disk. They have dormant, propagation, triggering, and execution phases. Anti-virus software uses techniques like pattern recognition, heuristics, integrity checking, and behavior blocking to detect viruses.
The document provides an overview of network-based intrusion detection systems (NIDS) and the open-source NIDS tool Snort. It discusses the need for NIDS to monitor networks for attacks and anomalies, explores commercial and open-source NIDS options like Snort and BlackICE, and how to analyze NIDS logs and write custom Snort rules. The document aims to present the basics of intrusion detection and how NIDS tools can be deployed to detect attacks on networks.
The document provides an overview of network-based intrusion detection systems (NIDS) and explores Snort, an open-source NIDS. It discusses the need for NIDS to monitor networks for attacks, presents examples of NIDS detections using Snort logs, and provides information on writing custom Snort rules. Key topics covered include NIDS deployments with Snort, analyzing Snort detects, and the basics of writing Snort signatures.
The document discusses computer viruses and antivirus technologies. It begins with defining computer viruses and outlining their history. It then analyzes three common types of viruses: file infectors, macro viruses, and the "I LOVE YOU" virus. The document also describes how antivirus software detects and removes viruses and outlines best practices for preventing virus infections like regular backups and keeping antivirus definitions up to date.
Preparing for and Detecting Attacks: Honey Pots, Spyware, Backing Up and Restoring
Sai Kiran S. Kovvuri, Venkat Kalvala and Shanmugarajan Rathinakumar

Abstract—Attacks on computer systems have become an area of serious concern these days. Honey pots (sand boxes) are being used to divert and study the behavior of an attacker. Attacks using Trojans and other networking tools can be detected and studied using honey pots. The use of anti-spyware tools and the importance of backup and recovery are also discussed in this document.
Index Terms—Anti-Spyware, Honeypots, Intrusions, Trojans, Remote Access.
I. INTRODUCTION
This document is about the importance and use of honey pots, anti-spyware tools and backup and recovery tools. The document has been divided into five parts. In each part we discuss the working of different tools. The tools include KFSensor, NetBus, Internet Explorer, Microsoft Anti-Spyware, HijackThis and NTBackup. Various features and capabilities are brought to light in the document. Illustrations and examples make it easier to understand the working of the tools.
KFSensor is a Windows based honeypot Intrusion Detection System (IDS). It acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and trojans. By acting as a decoy server it can divert attacks from critical systems and provide a higher level of information than can be achieved by using firewalls and NIDS alone. KFSensor is designed for use in a Windows based corporate environment and contains many innovative and unique features such as remote management, a Snort compatible signature engine and emulations of Windows networking protocols. With its GUI based management console, extensive documentation and low maintenance, KFSensor provides a cost effective way of improving an organization's network security. [1]
NetBus is among the popular Trojans of 1998 and has been very controversial for its potential to be used as a backdoor. There are two components to its client-server architecture. The server must be installed and run on the computer that is to be remotely controlled. It was a .exe file with a file size of almost 500 KB. The name and icon varied a lot from version to version. Common names were "Patch.exe" and "SysEdit.exe". When started for the first time, the server would install itself on the host computer, including modifying the Windows registry so that it starts automatically on each system startup. The server is a faceless process listening for connections on port 12345 (in some versions, the port number can be adjusted). Port 12346 is used for some tasks.
The client was a separate program presenting a graphical user interface that allowed the user to perform a number of activities on the remote computer. Examples of its capabilities:
• Keystroke logging
• Keystroke injection
• Screen captures
• Program launching
• File browsing
• Shutting down the system
• Opening / closing CD-tray
• Tunneling a NetBus connection through a number of systems
The NetBus client was designed to support the following operating system versions:
• Windows 95
• Windows 98
• Windows NT 4.0
II. TROJANS
These are Windows applications designed to allow other people to access your machine (generally for malicious purposes) over the Internet.
In order for anyone to use a Trojan on your machine, the server side of the application has to be installed on the victim's computer. This is normally done by getting the victim to download an application, or by sending the server EXE to the victim in an e-mail message and hoping that the victim executes it. This is why it is called a Trojan horse -- the victim has to consciously or unconsciously run the EXE to install the server -- it does not propagate itself like a virus. Once the server EXE is executed, the server is installed and will start running automatically every time the victim's computer starts.
With the server installed, an evil-doer can run the Trojan client program and control the victim's computer remotely, running programs, erasing files... Obviously, this is not a good thing. It is easy to detect popular Trojans like NetBus and Back Orifice either manually or with software.
III. KFSENSOR HONEY POT
KFSensor is a system installed in a network in order to divert and study an attacker's behavior. This is a new technique that is very effective in detecting attacks. The main feature of KFSensor is that every connection it receives is suspect, so it produces very few false alerts.
At the heart of KFSensor sits a powerful internet daemon service that is built to handle multiple ports and IP addresses. It is written to resist denial of service and buffer overflow attacks. Building on this flexibility, KFSensor can respond to connections in a variety of ways, from simple port listening and basic services (such as echo) to complex simulations of standard system services. For the HTTP protocol KFSensor accurately simulates the way Microsoft's web server (IIS) responds to both valid and invalid requests. As well as being able to host a website, it also handles complexities such as range requests and client side cache negotiations. This makes it extremely difficult for an attacker to fingerprint, or identify, KFSensor as a honeypot. [1]
KFSensor simulates the system services in the top level of the OSI layers. Hence it makes good use of the Windows security and network libraries present. It acts as another server on any network it is installed on.
KFSensor's effectiveness is evident from the immediate response it gives when an attack is detected. The type and quantity of attack is stated so clearly by KFSensor that anyone can understand the nature of the attack. KFSensor does not rely on the signatures of older attacks, hence it can detect newer attacks and alerts even while the attack is in progress.
The architecture of KFSensor can be extended by writing our own scripts and customizing the actions taken by the honeypot. Various scenarios can be defined according to our needs.
"KFSensor appears to be the only virtual honeypot in this review with a clear sense of what it takes to appear to be a Windows host."
"This functionality puts KFSensor in the top echelon of Windows honeypots."
"If you want a feature-packed Windows honeypot that's easy to install and use, KFSensor is the clear choice for you." [2]
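The core idea of the section above (every connection to a decoy port is suspect, a basic service such as echo or a banner is emulated so the port looks real, and the type and quantity of attacks are reported) can be shown in a few dozen lines. The following Python script is an added example and is not KFSensor's code; the decoy port table, the banner strings and the sample source address are assumptions.

```python
"""Minimal TCP honeypot in the style the report describes for KFSensor.

Added example, not KFSensor's code. Every connection to a decoy port is
recorded as an alert before any data is read, so even a bare port scan that
sends nothing is logged. The decoy table and banner strings are assumed.
"""
import socket
import threading
import time
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed decoy table: port -> (service name, canned reply; None means echo).
DECOYS: Dict[int, Tuple[str, Optional[bytes]]] = {
    7: ("echo", None),
    21: ("ftp", b"220 FTP server ready\r\n"),
    12345: ("netbus-decoy", b"\r\n"),  # port the report gives for NetBus; placeholder reply
}


@dataclass
class Alert:
    when: float
    source: Tuple[str, int]
    port: int
    service: str
    first_bytes: bytes


def handle_connection(conn: socket.socket, peer: Tuple[str, int], port: int,
                      alerts: List[Alert], timeout: float = 2.0) -> Alert:
    """Emulate the decoy for `port` on an accepted socket and record an Alert."""
    service, canned = DECOYS[port]
    alert = Alert(time.time(), peer, port, service, b"")
    alerts.append(alert)                 # logged before any data exchange
    conn.settimeout(timeout)
    try:
        if canned is not None:
            conn.sendall(canned)         # banner-style service speaks first
        try:
            data = conn.recv(1024)
        except socket.timeout:
            data = b""                   # client connected but never sent anything
        alert.first_bytes = data[:64]
        if canned is None and data:
            conn.sendall(data)           # echo service returns what it received
    finally:
        conn.close()
    return alert


def serve(port: int, alerts: List[Alert], stop: threading.Event,
          host: str = "127.0.0.1") -> None:
    """Accept loop for one decoy port; returns when `stop` is set."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(16)
        srv.settimeout(0.5)
        while not stop.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=handle_connection,
                             args=(conn, peer, port, alerts), daemon=True).start()


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per emulated service: the 'type and quantity' view."""
    return dict(Counter(a.service for a in alerts))


def probe(port: int, payload: bytes, alerts: List[Alert]) -> Tuple[Alert, bytes]:
    """Offline check of one decoy using a socketpair instead of a real client."""
    server_side, client_side = socket.socketpair()
    if payload:
        client_side.sendall(payload)
    alert = handle_connection(server_side, ("203.0.113.5", 40000), port, alerts)
    client_side.settimeout(2.0)
    chunks = []
    try:
        while True:
            chunk = client_side.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    except socket.timeout:
        pass
    client_side.close()
    return alert, b"".join(chunks)


if __name__ == "__main__":
    alerts: List[Alert] = []
    stop = threading.Event()
    for p in DECOYS:                     # ports below 1024 need privileges
        threading.Thread(target=serve, args=(p, alerts, stop), daemon=True).start()
    try:
        time.sleep(60)                   # run the decoys for a minute, then report
    finally:
        stop.set()
    for a in alerts:
        print(f"{time.ctime(a.when)} {a.source[0]}:{a.source[1]} -> {a.port} "
              f"({a.service}) {a.first_bytes!r}")
    print(summarize(alerts))
```

Run as a script it listens on the decoy ports for a minute and prints one line per connection plus a per-service count; `probe()` exercises a decoy without a network so the behaviour can be checked offline. Binding ports 7 and 21 requires administrator or root privileges.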
IV. ANTI-SPYWARE
Spyware covers a broad category of malicious software designed to intercept or take partial control of a computer's operation without the informed consent of that machine's owner or legitimate user. While the term taken literally suggests software that surreptitiously monitors the user, it has come to refer more broadly to software that subverts the computer's operation for the benefit of a third party.
First let's look at what malware is; that helps us clearly differentiate between the different types of malware and spyware. The best way to differentiate between malware and spyware is to define them.
Malware (a portmanteau of "malicious software") is a type of software designed to take over and/or damage a computer user's operating system, without his or her knowledge or approval. Once installed, it is often very difficult to remove, and depending on the severity of the program installed, its handiwork can range in degree from the slightly annoying (such as unwanted pop up ads while a user is performing regular computing tasks on or offline), to irreparable damage requiring the reformatting of one's hard drive, since much malware is poorly written. Examples of malware include viruses and trojan horses.
In computer security technology, a virus is a self-
replicating program that spreads by inserting copies of itself
into other executable code or documents. A computer virus
behaves in a way similar to a biological virus, which spreads
by inserting itself into living cells. Extending the analogy, the
insertion of the virus into a program is termed infection, and
the infected file (or executable code that is not part of a file)
is called a host. Viruses are one of the several types of
malware or malicious software. In common parlance, the
term virus is often extended to refer to computer worms and
other sorts of malware. This can confuse computer users,
since viruses in the narrow sense of the word are less
common than they used to be, compared to other forms of
malware such as worms. This confusion can have serious
consequences, because it may lead to a focus on preventing
one genre of malware over another, potentially leaving
computers vulnerable to future damage. However, a basic rule
is that computer viruses cannot directly damage hardware,
but only software.
While viruses can be intentionally destructive (for example,
by destroying data), many other viruses are fairly benign or
merely annoying. Some viruses have a delayed payload,
which is sometimes called a bomb. For example, a virus
might display a message on a specific day or wait until it has
infected a certain number of hosts. A time bomb occurs
during a particular date or time, and a logic bomb occurs
when the user of a computer takes an action that triggers the
bomb. However, the predominant negative effect of viruses is
their uncontrolled self-reproduction, which wastes or
overwhelms computer resources.
Computer worms are similar to viruses but are stand-alone
software and thus do not require host files (or other types of
host code) to spread themselves. They do modify their host
operating system, however, at least to the extent that they are
started as part of the boot process. To spread, worms either
exploit some vulnerability of the target system or use some
kind of social engineering to trick users into executing them.
Spyware differs from viruses and worms in that it does not
usually self-replicate. Like many recent viruses, however,
spyware - by design - exploits infected computers for
commercial gain. Typical tactics furthering this goal include
delivery of unsolicited pop-up advertisements; theft of
personal information (including financial information such as
credit card numbers); monitoring of Web-browsing activity
for marketing purposes; or routing of HTTP requests to
advertising sites.
Having become familiar with terms such as spyware, Trojans and worms, we now turn to how we deal with the problem of spyware getting installed on our system without our consent. We use Microsoft Anti-Spyware to remove these things, which, if not taken care of, are going to seriously affect the system's performance.
We concentrate on explaining how effectively Microsoft Anti-Spyware removes spyware and other forms of malware, restoring the system to the point where it was clean, without any viruses. For this we download the HijackThisBrowser software onto the system, which, apart from performing many other functions, also does a system scan and creates a log file that lists all the processes running on our system. We make use of this log file to explain how effectively Microsoft Anti-Spyware helps in removing them.
There are three steps. First, we do a system scan and save the log file using HijackThisBrowser's "Do a system scan and save a log file" option. As the second step, we open several web pages that we think could download spyware, then do a system scan again and save the log file. Comparing the first and second saved log files, we notice that more processes are running in the second log than in the first. This indicates that spyware has been downloaded onto the system and is running more processes than usual.
As the third operation we run the Anti-Spyware. After the initial scan is done we get a list of all the threats, their names and the severity of each threat. We then remove all of them. After removing them we do a system scan again and compare the third log file with the first; what we notice is that the Anti-Spyware restores the system, bringing it back to a safe state.
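The comparison of the first, second and third scan logs described above is done by eye in the report. The Python script below is an added example (mine, not HijackThis or Microsoft Anti-Spyware code) that makes the comparison mechanical: it parses two HijackThis-style logs, lists the processes and autostart entries that appeared between them, and flags the NetBus server file names given in Section I. The two logs are constructed samples, and the "O4" autostart line format is assumed to follow the HijackThis layout.

```python
"""Diff two HijackThis-style scan logs and flag known Trojan file names.

Added example, not HijackThis or Microsoft Anti-Spyware code. The two logs
below are constructed samples that imitate the "Running processes:" list and
the O4 autostart lines of a HijackThis log.
"""
import re
from typing import Dict, List, Set, Tuple

# File names the report associates with the NetBus server component.
KNOWN_TROJAN_NAMES = {"patch.exe", "sysedit.exe"}

BASELINE_LOG = """\
Logfile of HijackThis (constructed sample, first scan)
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe
C:\\WINDOWS\\Explorer.EXE

O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

AFTER_LOG = """\
Logfile of HijackThis (constructed sample, second scan after browsing)
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe
C:\\WINDOWS\\Explorer.EXE
C:\\WINDOWS\\Patch.exe
C:\\Program Files\\AdBar\\adbar.exe

O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [Patch] C:\\WINDOWS\\Patch.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [AdBar] "C:\\Program Files\\AdBar\\adbar.exe" /silent
"""

# "O4 - <registry hive\..\Run>: [<entry name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_log(text: str) -> Tuple[Set[str], Dict[Tuple[str, str], str]]:
    """Return (running processes, autostart entries keyed by (hive, name))."""
    processes: Set[str] = set()
    autostart: Dict[Tuple[str, str], str] = {}
    in_procs = False
    for line in text.splitlines():
        if line.strip() == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line.strip():          # blank line ends the process list
                in_procs = False
            else:
                processes.add(line.strip().lower())
            continue
        m = O4_RE.match(line)
        if m:
            autostart[(m["hive"], m["name"])] = m["cmd"]
    return processes, autostart


def diff_logs(before: str, after: str) -> Dict[str, list]:
    """What appeared between two scans, plus anything matching known Trojan names."""
    procs0, auto0 = parse_log(before)
    procs1, auto1 = parse_log(after)
    new_procs = sorted(procs1 - procs0)
    new_auto = sorted((hive, name, cmd) for (hive, name), cmd in auto1.items()
                      if (hive, name) not in auto0)
    candidates = new_procs + [cmd for _, _, cmd in new_auto]
    flagged = sorted({c.lower() for c in candidates
                      if any(n in c.lower() for n in KNOWN_TROJAN_NAMES)})
    return {"new_processes": new_procs, "new_autostart": new_auto, "flagged": flagged}


if __name__ == "__main__":
    result = diff_logs(BASELINE_LOG, AFTER_LOG)
    for key, items in result.items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
```

Comparing the third (post-cleanup) log against the first with the same function should yield empty lists, which is the check the report performs manually.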
V. BACKING UP AND RECOVERY IN WINDOWS
Backing up data is one of the most important security measures that you can implement. Disasters may happen even with an expertly configured firewall, up-to-date virus signatures, and intrusion detection systems running. If the data is destroyed or corrupted, the only hope you have of retrieving the data is from a properly configured backup. A backup job is an instruction to the computer that identifies the date, time, and files designated to be backed up. Files will be backed up to the backup media. This can be a network share, a tape device, or some other drive of appropriate size.
Since data on a computer will change quite often depending on the purpose and use of the computer system, the backup files may become out of date. For this reason, a backup should be performed on a regular basis.
There are several types of backups that can be performed: normal, differential, and incremental. Each type of backup has advantages and disadvantages for backing up and restoring (restoring is the process of retrieving data from a backup). A normal backup, also known as a full backup, will copy all the designated files. This type of backup takes the longest to complete, but is the quickest to restore: since there is usually only one medium that contains the full backup, only one is needed to restore. A differential backup will copy all of the files that have changed since the last full backup. This takes less time to back up, since not all of the files are being copied, but takes longer to restore since there will be two media to restore: the full backup media and the differential media. It is important to note that with each day that passes between full backups, the differential backup will take longer and longer, since the changes in data are accumulating.
An incremental backup backs up the data since the last
backup, whether full or incremental. This means that if you
did an incremental backup each day, you would only back
up the files changed that day. As a result the backup times
are usually short. However, restoring can take much
longer. Depending on how many incremental backups were
done since the last full backup, the restore process will take
longer and be more tedious.
Backing up files is an important skill, but restoring files
is equally important. The time to test out the restore
process is not during a disaster recovery incident. Horror
stories abound of administrators who backed up regularly
but came to find out after disaster hits that some key data
was not being saved or that the restore process was
improperly configured. Also it is always important to
remember to write-protect the media when restoring the
data. You would not want to inadvertently erase data when
you are in a data recovery situation. As backups are
insurance against data loss, they should also be stored in a
remote location to protect them from fire and other local
environment issues near the computer.
Now that we know a fair amount about backups and their importance in cases of disaster (system crashes etc.), we move on to backing up and restoring on the Windows XP platform. We begin by creating a shared network drive for storing all the backup files. Select the Tools option in the folder and select Map Network Drive; a window pops up showing the options for selecting the name of the shared drive and the folder. After this, click Finish, which creates the network drive.
Then create a folder that stores all the files that are to be backed up. Then go to Start and in Run type ntbackup. This opens the Windows Backup Utility window, where you select the Backup tab. Explore the folder and check all the files that are to be backed up, and give the name of the backup file. Now press the Start Backup button, which opens a window with advanced options. Select the advanced options, then select the type of backup to be Normal and press OK. We have now created a full backup file stored on the network share drive.
For the differential backup we modify some of the files and then perform the differential backup with the same set of steps, but in the advanced options of the Start Backup window we select the type of backup to be Differential; this creates a differential backup file on the network share drive. Now we replicate the system crash by deleting all the files from the folder containing the files that need to be backed up.
Restoring files from the backup files is quite interesting and different from backing up. First we restore the full backup file, then the differential one. For this we go to the Restore and Manage Media tab in the Backup Utility window and select from the list of files on the left. Before selecting the Start Restore button, make sure that the files are restored to the original location. On the Confirm Restore screen, click OK. On the Confirm Name/Location dialog box, click OK. On the Check Backup File Location screen, ensure that the correct path of the file is selected. After the restore completes, go to the folder and we can see that the files as of the first point are restored.
Differential restore is slightly different from full restore. On the Restore and Manage Media tab select the differential backup on the left and check the checkbox on the right. Click Tools, Options. Select the Restore tab. We notice that the selection is "Do not replace the file on my computer." This should be changed to the other option, "Replace the files on my computer", which enables the backup utility to restore the files to the point when the crash occurred. Now on the Confirm Restore screen, click OK. After the restore process is complete we can see that the files are restored to the state before the crash.
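The three backup types described in this section, and the full-then-differential restore walkthrough just given (including why the "Replace the files on my computer" option matters), can be checked with a small simulation. The Python script below is an added example of mine, not NTBackup code. It selects files with an archive-bit model, an assumption that mirrors the description of which files each type copies; the file names and contents are constructed.

```python
"""Simulation of normal, differential and incremental backups and restores.

Added example, not NTBackup code. Selection uses an assumed archive-bit model:
a normal backup copies everything and clears every bit, a differential copies
the flagged files and leaves the bits set, an incremental copies the flagged
files and clears them. File names and contents are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class BackupSet:
    kind: str                     # "normal", "differential" or "incremental"
    day: int
    files: Dict[str, str]         # file name -> content captured on `day`


@dataclass
class Volume:
    files: Dict[str, str] = field(default_factory=dict)
    changed: Set[str] = field(default_factory=set)   # files with the archive bit set

    def write(self, name: str, content: str) -> None:
        self.files[name] = content
        self.changed.add(name)


def run_backup(vol: Volume, kind: str, day: int) -> BackupSet:
    """Copy the files the given backup type selects and maintain the archive bits."""
    if kind == "normal":
        selected = set(vol.files)
        vol.changed.clear()           # full backup resets every archive bit
    elif kind == "differential":
        selected = set(vol.changed)   # everything changed since the last full backup
    elif kind == "incremental":
        selected = set(vol.changed)   # everything changed since the last backup of any kind
        vol.changed.clear()
    else:
        raise ValueError(f"unknown backup type: {kind}")
    return BackupSet(kind, day, {n: vol.files[n] for n in selected})


def restore_chain(history: List[BackupSet]) -> List[BackupSet]:
    """Media needed, in order, to restore to the state of the newest backup."""
    last_full = max(i for i, b in enumerate(history) if b.kind == "normal")
    later = history[last_full + 1:]
    if not later:
        return [history[last_full]]
    if later[-1].kind == "differential":
        return [history[last_full], later[-1]]   # full + newest differential only
    return [history[last_full]] + later           # full + every incremental since


def restore(vol: Volume, chain: List[BackupSet], replace_existing: bool) -> None:
    """Replay the chain onto a volume; `replace_existing` models the NTBackup
    'Replace the files on my computer' option. With it off, the differential
    or incremental sets cannot overwrite the older copies the full set restored."""
    for bset in chain:
        for name, content in bset.files.items():
            if replace_existing or name not in vol.files:
                vol.files[name] = content


def scenario(kind: str, days: int = 3) -> Tuple[List[int], List[BackupSet], Dict[str, str]]:
    """Full backup on day 0, then one file changed per day, backed up as `kind`.
    Returns (files copied per backup, restore chain, pre-crash file state)."""
    vol = Volume()
    for i in range(5):
        vol.write(f"file{i}.txt", "v0")
    history = [run_backup(vol, "normal", 0)]
    for day in range(1, days + 1):
        vol.write(f"file{day}.txt", f"v{day}")
        history.append(run_backup(vol, kind, day))
    sizes = [len(b.files) for b in history]
    return sizes, restore_chain(history), dict(vol.files)


if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        sizes, chain, state = scenario(kind)
        crashed = Volume()            # the crash: every file deleted
        restore(crashed, chain, replace_existing=True)
        print(f"{kind}: files per backup {sizes}, media to restore {len(chain)}, "
              f"restored correctly: {crashed.files == state}")
```

The differential run shows the per-day set growing (1, 2, 3 files) while only two media are needed to restore; the incremental run copies one file a day but needs the full set plus every incremental. Restoring the differential chain with `replace_existing=False` leaves the day-0 copies in place, which is the mistake the "Do not replace the file on my computer" default would cause.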
PROBLEMS ENCOUNTERED
As we were working in a firewall'ed network there were not many problems that could stop us from performing our experiments. But as this experiment was done on Windows XP SP2, the built-in firewall caused minor problems. Also, Microsoft AntiSpyware unexpectedly removed the Trojan as it has malicious content. So Antispyware had to be removed for the experiment and the firewall was turned off. Also, as a suggested measure while using the ServerEdit component of the NetBus Trojan, do not set the server.exe to "invisible", as it then becomes hard to find or remove the server component after the experiment. Nevertheless, there are tools available today on the internet that can gracefully remove the NetBus trojan from the infected system.
FUTURE WORK
Future work can be done on this project using this report
either by enhancing the work and/or adding more security
related issues through discussing the anatomy of any
malicious software and how to secure a system infected by the
same.
ACKNOWLEDGMENTS
We would like to thank Dr. Leszek Lilien for the lab manual and also for guiding us in completing this project successfully. We also thank the SCST team of WMU for providing us with the required environment, safely firewall'ed from other networks.
REFERENCES
[1] V. J. Nestler, Wm. A. Conklin, G. B. White and M. P. Hirsch, Computer Security Lab Manual.
[2] Video Demo. Available: http://www.cs.wmich.edu/~llilien/teaching/Fall2005/cs5950-6030/index.html
[3] KFSensor Honey Pot. Available: http://www.keyfocus.net/kfsensor/
[4] Microsoft Antispyware. Available: http://ww.microsoft.com/downloads
[5] More information on related terms: http://www.howstuffworks.com and http://en.wikipedia.org/wiki.