Security System 1 - 10

8/14/2019 Security System 1 - 10

1/30

SECURITY SYSTEMSECURITY SYSTEM

11

#10. Understanding S/W Exploitation


2/30

AGENDA

Understanding S/W Exploitation


3/30

Understanding SoftwareExploitation

Phage Virus Aphage virus modifies and alters other

programs and databases. The virus infects

all of these files. The only way to removethis virus is to reinstall the programs that areinfected.

If you miss even a single incident of this

virus on the victim system, the process willstart again and infect the system once more.


4/30


Polymorphic VirusPolymorphicviruseschange form in order to avoiddetection. These types of viruses attackyour system, display a message on yourcomputer, and delete files on yoursystem. The virus will attempt to hidefrom your antivirus software. Frequently,the virus will encrypt parts of itself toavoid detection. When the virus does this,its referred to as mutation.


5/30


6/30


7/30


Retrovirus A retrovirusattacks or bypasses the

antivirus software installed on a computer.

You can consider a retrovirus to be an anti-antivirus. Retroviruses can directly attackyour antivirus software and potentiallydestroy the virus definition database file.

Destroying this information without yourknowledge would leave you with a falsesense of security. The virus may alsodirectly attack an antivirus program to create

bypasses for itself.


8/30


Stealth Virus A stealth virusattempts to avoid detection

by masking itself from applications. It may

attach itself to the boot sector of the harddrive. When a system utility or programruns, the stealth virus redirects commandsaround itself in order to avoid detection. An

infected file may report a file size differentfrom what is actually present in order toavoid detection.


9/30


10/30


Virus Transmission in a Network Upon infection, some viruses destroy the

target system immediately. The saving grace

is that the infection can be detected andcorrected. Some viruses wont destroy orotherwise tamper with a system; they usethe victim system as a carrier.


11/30


12/30


Identifying Hoaxes Network users have plenty of real viruses

to worry about. Yet some people find it

entertaining to issue phony threats to keeppeople on their toes. Some of the morepopular hoaxes that have been passedaround are the Good Time and the Irina

viruses. Millions of users received e-mailsabout these two viruses, and the symptomssounded awful.


13/30


While spamis not truly a virus or a hoax,it is one of the most annoying things anadministrator can contend with. Spam isdefined as any unwanted, unsolicited e-mail,and not only can the sheer volume of it beirritating, it can often open the door to largerproblems. Some of the sites advertised inspam may be infected with viruses, worms,and other unwanted programs. If usersbegin to respond to spam by visiting thosesites, then your problems will only multiply.


14/30


Trojan Horses Trojan horsesare programs that enter a

system or network under the guise of

another program. A Trojan horse may beincluded as an attachment or as part of aninstallation program.


15/30


The Trojan horse could create a backdoor or replace a valid program duringinstallation. It would then accomplish itsmission under the guise of another program.Trojan horses can be used to compromisethe security of your system, and they canexist on a system for years before theyredetected.


16/30


The best preventive measure for Trojanhorses is to not allow them entry into yoursystem. Immediately before and after youinstall a new software program or operatingsystem, back it up! If you suspect a Trojanhorse, you can reinstall the originalprograms, which should delete the Trojanhorse. A port scan may also reveal a Trojanhorse on your system. If an applicationopens a TCP or UDP port that isnt regularlyused in your network, you can notice thisand begin corrective action.


17/30


18/30


19/30


Worms A wormis different from a virus in that it

can reproduce itself, its self-contained, and

it doesnt need a host application to betransported. Many of the so-called virusesthat have made the papers and mediawere, in actuality, worms and not viruses.

However, its possible for a worm to containor deliver a virus to a target system.


20/30


The Melissa virus (which was actually aworm) spread itself to more than 100,000users in a relatively short period when it firstcame out, according to CERT. One sitereceived more than 32,000 copies of theMelissa virus in a 45-minute period.


21/30


Worms by their nature and origin aresupposed to propagate and will usewhatever services theyre capable of to dothat. Early worms filled up memory and bredinside the RAM of the target computer.Worms can use TCP/IP, e-mail, Internetservices, or any number of means to reachtheir target.


22/30


Antivirus Software The primary method of preventing the

propagation of malicious code involves the use of

antivirus software. Antivirus software is anapplication that is installed on a system to protectit and to scan for viruses as well as worms andTrojan horses. Most viruses have characteristics

that are common to families of virus. Antivirussoftware looks for these characteristics, orfingerprints, to identify and neutralize virusesbefore they impact you.


23/30


Number of viruses (worms, bombs, and othermalicious codes) to top 1 million by 2009. Theantivirus software manufacturer will usually workvery hard to keep the definition database filescurrent. The definition database file contains allof the known viruses and countermeasures for aparticular antivirus software product. If we keepthe virus definition database files in our software

up-to-date, we probably wont be overlyvulnerable to attacks.


24/30


25/30


Understanding Social Engineering In theprevious sections, you learned how attackswork. You also learned about TCP/IP andsome of its vulnerabilities. And you wereexposed to the issues that your users will faceso you can help them from a technicalperspective. A key method of attack that youmust guard against is called social

engineering.


26/30


Social engineeringis a process in which anattacker attempts to acquire information aboutyour network and system by social means, suchas talking to people in the organization. A socialengineering attack may occur over the phone, bye-mail, or in person. The intent is to acquireaccess information, such as user IDs andpasswords.


27/30


With social engineering, the villain doesntalways have to be seen or heard to conduct theattack. The use of e-mail was mentioned earlier,and in recent years, the frequency of attacks viainstant messaging has also increased. Attackerscan send infected files over Instant Messaging(IM) as easily as they can over e-mail. A recentvirus on the scene accesses a users IM client

and uses the infected users buddy list to sendmessages to other users and infect theirmachines as well.


28/30


Phishingis a form of social engineering in whichyou simply ask someone for a piece ofinformation that you are missing by making itlook as if it is a legitimate request. An e-mailmight look as if it is from a bank and containsome basic information, such as the usersname.


29/30


In the e-mail, it will often state that there is aproblem with the persons account or accessprivileges. They will be told to click a link tocorrect the problem. After they click the linkwhich goes to a site other than the bankstheyare asked for their username, password, accountinformation, and so on. The person instigating thephishing can then use the values entered there to

access the legitimate account.


30/30


The only preventive measure in dealing withsocial engineering attacks is to educate yourusers and staff to never give out passwords anduser Ids to anyone.

Documents

Security System 1 - 10