Malicious Softwares Presented By: Mirza Adnan Baig Naheed Afzal Aamir Husnain

Final malacious softwares


Page 1: Final malacious softwares

Malicious Softwares

Presented By: Mirza Adnan Baig, Naheed Afzal, Aamir Husnain

Page 2: Final malacious softwares

What is Malicious Software?

Software deliberately designed to harm computer systems.

Malicious software programs cause undesired actions in information systems.

Spreads from one system to another through:

1. E-mail (through attachments)
2. Infected floppy disks
3. Downloading / exchanging of corrupted files
4. Embedded into computer games

Page 3: Final malacious softwares

Malicious Software - Categories

Page 4: Final malacious softwares
Page 5: Final malacious softwares

Virus

These are programs that spread to other software in the system, i.e., a program that incorporates copies of itself into other programs.

Two major categories of viruses:
1. Boot sector virus: infects the boot sector of systems, becomes resident, activates while booting the machine.
2. File virus: infects program files, activates when the program is run.

Page 6: Final malacious softwares

Virus Phases

◦ Dormant phase: the virus is idle.
◦ Propagation phase: the virus places an identical copy of itself into other programs.
◦ Triggering phase: the virus is activated to perform the function for which it was intended.
◦ Execution phase: the function is performed.

Henric Johnson

Page 7: Final malacious softwares

Categories of Viruses

Polymorphic Virus: Produces modified and fully operational code. Produces new and different code every time the virus is copied and transmitted to a new host. Difficult to detect and remove.

Stealth Virus: Programming tricks make tracing and understanding the code difficult. Complex programming methods are used to design the code, so it is difficult to repair the infected file.

Armored Virus: Hides the modifications it has made to files or to the disk. Reports false values to programs as they read files or data from storage media.

Companion Virus: Creates a new program instead of modifying the existing program. Contains all the virus code. Executed by the shell instead of the original program.

Page 8: Final malacious softwares

Identifying Viruses: A virus is a unique program. It has a unique object code. The pattern of object code and where it is inserted provides a signature to the virus program. This virus signature can be used by virus scanners to identify and detect a particular virus.

Some viruses try to hide or alter their signature:
◦ Random patterns in meaningless places.
◦ Self-modifying code: metamorphic, polymorphic viruses.
◦ Encrypt the code, change the key frequently.
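As an added example (my code, not from the slides or any anti-virus product), a minimal signature scanner in Python: each constructed signature is a hex byte pattern with `??` wildcards plus the region of the file (head or tail) where it is expected, and constructed samples show that a fixed signature is missed once the same bytes are re-encoded with a different key.

```python
import re

# Constructed demo signatures (not real AV signatures, not real malware):
# a hex byte pattern where "??" matches any byte, plus the region of the file
# where the pattern is expected (the slides' "where it is inserted").
SIGNATURES = {
    "demo-appender": {"pattern": "DE AD ?? ?? BE EF 90 90", "where": "tail"},
    "demo-prepender": {"pattern": "CA FE BA BE", "where": "head"},
}
REGION_BYTES = 64  # size of the "head" and "tail" regions of a file

def compile_signature(hex_pattern):
    """Turn 'DE AD ?? BE' into a bytes regex; '??' becomes a one-byte wildcard."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in hex_pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def scan(data, signatures=SIGNATURES):
    """Return [(name, offset)] for each signature found in its expected region."""
    hits = []
    tail_start = max(0, len(data) - REGION_BYTES)
    for name, sig in signatures.items():
        for m in compile_signature(sig["pattern"]).finditer(data):
            off = m.start()
            if sig["where"] == "head" and off >= REGION_BYTES:
                continue
            if sig["where"] == "tail" and off < tail_start:
                continue
            hits.append((name, off))
    return hits

# Constructed samples: a clean file, a copy with the demo body appended,
# the same body placed mid-file, and the body re-encoded with a different
# key (the slides' "encrypt the code, change the key frequently").
BODY = b"\xde\xad\x12\x34\xbe\xef\x90\x90"
CLEAN = b"MZ" + b"\x00" * 200
INFECTED = CLEAN + BODY
MISPLACED = CLEAN[:100] + BODY + CLEAN[100:]
ENCODED = CLEAN + bytes(b ^ 0x5A for b in BODY)

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("infected", INFECTED),
                          ("misplaced", MISPLACED), ("encoded", ENCODED)]:
        print(f"{label:10} -> {scan(sample)}")
```

Only the appended copy is flagged; the re-encoded copy is exactly the case the Generic Decryption approach on a later slide exists to handle.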

Page 9: Final malacious softwares

Effect of Virus attack on computer system

Virus may affect user’s data in memory – overwriting.

Virus may affect user’s program – overwriting.

Virus may also overwrite system’s data or programs – corrupting it – disrupts normal operation of system.

“Smashing the Stack”: a buffer overflow that redirects program execution to virus code.

Page 10: Final malacious softwares

Virus Countermeasures

Prevention is the ideal solution but difficult; realistically we need:
◦ detection
◦ identification
◦ removal

If we can detect but can't identify or remove, we must discard and replace the infected program.

Page 11: Final malacious softwares

Anti-Virus Evolution

Virus and anti-virus technology have both evolved: early viruses were simple code, easily removed; as viruses have become more complex, so must the countermeasures.

Generations:
◦ first - signature scanners
◦ second - heuristics
◦ third - identify actions
◦ fourth - combination packages

Page 12: Final malacious softwares

Generic Decryption

Runs executable files through a GD scanner:
◦ CPU emulator to interpret instructions
◦ virus scanner to check known virus signatures
◦ emulation control module to manage the process

Lets the virus decrypt itself in the interpreter; periodically scan for virus signatures. The issue is that interpreting and scanning take long: a tradeoff of chance of detection vs time delay.

Page 13: Final malacious softwares

Behavior-Blocking Software

Page 14: Final malacious softwares

Rabbit: This malicious software replicates itself without limits. Depletes some or all of the system’s resources.

Re-attacks the infected systems, making recovery difficult.

Exhausts all the system’s resources such as CPU time, memory, disk space.

Depletion of resources thus denies users access to those resources.

Page 15: Final malacious softwares

Hoaxes: False alerts of spreading viruses.

e.g., sending chain letters.

The message seems important to the recipient, who forwards it to other users, so it becomes a chain.

Exchanging a large number of messages (in the chain) floods the network resources: bandwidth wastage.

Blocks the systems on the network: access denied due to heavy network traffic.

Page 16: Final malacious softwares

Malware: Trojan Horses

A Trojan horse (or Trojan) is a malware program that appears to perform some useful task, but which also does something with negative consequences (e.g., launches a keylogger).

Trojan horses can be installed as part of the payload of other malware but are often installed by a user or administrator, either deliberately or accidentally.

Page 17: Final malacious softwares

Trojans are traditionally classified into two major categories:
◦ Time Bomb
◦ Logic Bomb

Page 18: Final malacious softwares

Time Bomb

A "time bomb" is simply a Trojan horse set to trigger at a particular time/date.

Page 19: Final malacious softwares

Logic Bomb

One of the oldest types of malicious software: code embedded in a legitimate program, activated when specified conditions are met:
◦ e.g. presence/absence of some file
◦ particular date/time
◦ particular user

When triggered, typically damages the system:
◦ modify/delete files/disks, halt machine, etc.

Page 20: Final malacious softwares

Malware: Current Trends

Trojans currently have the largest infection potential
◦ Often exploit browser vulnerabilities
◦ Typically used to download other malware in multi-stage attacks

Source: Symantec Internet Security Threat Report, April 2009

Page 21: Final malacious softwares

Different types of Trojan Horses:

1. Remote access Trojan: takes full control of your system and passes it to the hacker.

2. Data-sending Trojan: sends data back to the hacker by means of e-mail, e.g., key-loggers, which log and transmit each keystroke.

Page 22: Final malacious softwares

3. The destructive Trojan has only one purpose: to destroy and delete files. Unlikely to be detected by anti-virus software.

4. The denial-of-service (DoS) attack Trojan combines the computing power of all computers/systems it infects to launch an attack on another computer system. Floods the system with traffic, hence it crashes.

5. The proxy Trojan allows a hacker to turn the user’s computer into his server, to make purchases with stolen credit cards and run other organized criminal enterprises in the particular user’s name.

Page 23: Final malacious softwares

6. The FTP Trojan opens port 21 (the port for FTP transfer) and lets the attacker connect to your computer using File Transfer Protocol (FTP).

7. The security software disabler Trojan is designed to stop or kill security programs such as anti-virus software, firewalls, etc., without you knowing it.

Page 24: Final malacious softwares

Transmitting medium:

1. spam or e-mail
2. a downloaded file
3. a disk from a trusted source
4. a legitimate program with the Trojan inside.

The Trojan looks for your personal information and sends it to the Trojan writer (hacker). It can also allow the hacker to take full control of your system.

Page 25: Final malacious softwares

How can you know if you are under a Trojan horse attack?

For example, you download what appears to be a movie or music file, but when you click on it, you unleash a dangerous program that erases your disk, sends your credit card numbers and passwords to a stranger, or lets that stranger hack your computer to commit illegal denial of service attacks.

Page 26: Final malacious softwares

How do I get rid of Trojans?!?

1. Clean Re-installation:

Back up your entire hard disk, format the disk, re-install the operating system and all your applications from original CDs.

Page 27: Final malacious softwares

2. Anti-Virus Software: Anti-virus software is always going to be playing catch-up with active viruses on the system. Make sure your computer has an anti-virus program on it and update it regularly. If you have an auto-update option included in your anti-virus program you should turn it on; that way, if you forget to update your software, you can still be protected from threats.

Anti-Trojan Programs: These programs are the most effective against Trojan horse attacks, because they specialize in Trojans instead of general viruses.

Page 28: Final malacious softwares

How do we avoid getting infected with a Trojan horse in the future?

◦ NEVER download blindly from people or sites which you aren't 100% sure about.
◦ Even if the file comes from a friend, you still must be sure what the file is before opening it.
◦ NEVER use features in your programs that automatically get or preview files.
◦ Never blindly type commands that others tell you to type, or go to web addresses mentioned by strangers, or run pre-fabricated programs or scripts.

Page 29: Final malacious softwares

Example of a simple Trojan horse

A simple example of a Trojan horse would be a program named "waterfalls.scr" claiming to be a free waterfall screensaver which, when run, would instead allow access to the user's computer remotely.

AIDS (Trojan horse): AIDS, also known as Aids Info Disk or PC Cyborg Trojan, is a Trojan horse that replaces the AUTOEXEC.BAT file, which would then be used by AIDS to count the number of times the computer has booted. Once this boot count reaches 90, AIDS hides directories and encrypts the names of all files on drive C: (rendering the system unusable).

Page 30: Final malacious softwares

Spyware:

Spyware programs explore the files in an information system.

Information is forwarded to an address specified in the spyware.

Spyware can also be used for investigation of software users or preparation of an attack.

Page 31: Final malacious softwares

Trapdoor: Secret undocumented entry point to the program.

An example of such a feature is the so-called back door, which enables intrusion into the target by bypassing user authentication methods.

A hole in the security of a system deliberately left in place by designers or maintainers.

A trapdoor allows unauthorized access to the system. The only purpose of a trap door is to "bypass" internal controls. It is up to the attacker to determine how this circumvention of control can be utilized for his benefit.

Page 32: Final malacious softwares

Types of Trapdoor

Undetectable Trapdoor: Virtually undetectable.

Hardware Trapdoor: Security-related hardware flaws.

Page 33: Final malacious softwares

Worms: a program that spreads copies of itself through a network. Does irrecoverable damage to the computer system. A stand-alone program; spreads only through the network. Also performs various malicious activities other than spreading itself to different systems, e.g., deleting files.

Page 34: Final malacious softwares

Attacks of Worms:

1. Deleting files and other malicious actions on systems.

2. Communicating information back to the attacker, e.g., passwords, other proprietary information.

3. Disrupting normal operation of the system, thus a denial of service (DoS) attack, due to re-infecting already infected systems.

4. Worms may carry viruses with them.

Page 35: Final malacious softwares

Means of spreading infection by worms:

Infects one system, gains access to trusted host lists on the infected system and spreads to other hosts.

Another method of infection is penetrating a system by guessing passwords.

By exploiting widely known security holes, in case password guessing and trusted-host access fail.

e.g., A well-known example of a worm is the ILOVEYOU worm, which invaded millions of computers through e-mail in 2000.

Page 36: Final malacious softwares

Worm Propagation Model

Page 37: Final malacious softwares

Recent Worm Attacks

Code Red
◦ July 2001, exploiting MS IIS bug
◦ probes random IP addresses, does DDoS attack
◦ Code Red II variant includes backdoor

SQL Slammer
◦ early 2003, attacks MS SQL Server

Mydoom
◦ mass-mailing e-mail worm that appeared in 2004
◦ installed remote access backdoor in infected systems

Warezov family of worms
◦ scan for e-mail addresses, send in attachment

Page 38: Final malacious softwares

Worm Technology

◦ multiplatform
◦ multi-exploit
◦ ultrafast spreading
◦ polymorphic
◦ metamorphic
◦ transport vehicles
◦ zero-day exploit

Page 39: Final malacious softwares

Mobile Phone Worms

First appeared on mobile phones in 2004; they target smartphones which can install s/w.

They communicate via Bluetooth or MMS to disable the phone, delete data on the phone, or send premium-priced messages.

CommWarrior, launched in 2005, replicates using Bluetooth to nearby phones and via MMS using address-book numbers.

Page 40: Final malacious softwares

Worm Countermeasures:

Overlaps with anti-virus techniques: once a worm is on the system, A/V can detect it. Worms also cause significant network activity. Worm defense approaches include:
◦ signature-based worm scan filtering
◦ filter-based worm containment
◦ payload-classification-based worm containment
◦ threshold random walk scan detection
◦ rate limiting and rate halting
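As an added example of the threshold random walk scan detection listed above (my code, not from the slides or any product): it walks a constructed connection log, scores each source's first contact with a new destination, and decides scanner vs benign with the sequential hypothesis thresholds of Jung et al.'s TRW. The log format, hosts, and probability parameters are all assumed values.

```python
import math
import re
from collections import defaultdict

# Constructed sample connection log (assumed format, not from the slides):
# 10.0.0.5 probes many hosts that do not answer, 10.0.0.9 reaches hosts that do.
SAMPLE_LOG = """\
2023-04-08T10:00:01 src=10.0.0.5 dst=10.0.0.21 dport=445 result=fail
2023-04-08T10:00:01 src=10.0.0.9 dst=10.0.0.2 dport=80 result=ok
2023-04-08T10:00:02 src=10.0.0.5 dst=10.0.0.22 dport=445 result=fail
2023-04-08T10:00:02 src=10.0.0.9 dst=10.0.0.3 dport=443 result=ok
2023-04-08T10:00:03 src=10.0.0.5 dst=10.0.0.23 dport=445 result=fail
2023-04-08T10:00:03 src=10.0.0.9 dst=10.0.0.2 dport=80 result=ok
2023-04-08T10:00:04 src=10.0.0.5 dst=10.0.0.24 dport=445 result=ok
2023-04-08T10:00:04 src=10.0.0.9 dst=10.0.0.4 dport=22 result=ok
2023-04-08T10:00:05 src=10.0.0.5 dst=10.0.0.25 dport=445 result=fail
2023-04-08T10:00:05 src=10.0.0.9 dst=10.0.0.6 dport=80 result=ok
2023-04-08T10:00:06 src=10.0.0.5 dst=10.0.0.26 dport=445 result=fail
"""
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=\d+ result=(ok|fail)")

def trw_verdicts(log, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.99):
    """Threshold Random Walk over each source's first contacts with new hosts.
    theta0/theta1: P(connection succeeds) for a benign host / a scanner;
    alpha/beta: tolerated false-positive rate / required detection rate.
    Returns {src: 'scanner' | 'benign' | 'undecided'}."""
    eta1 = math.log(beta / alpha)                # alert threshold
    eta0 = math.log((1 - beta) / (1 - alpha))    # benign threshold
    up = math.log((1 - theta1) / (1 - theta0))   # step for a failed contact
    down = math.log(theta1 / theta0)             # step for a successful one
    score, seen, verdict = defaultdict(float), set(), {}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, result = m.groups()
        if src in verdict or (src, dst) in seen:
            continue  # already decided, or not a first contact
        seen.add((src, dst))
        score[src] += up if result == "fail" else down
        if score[src] >= eta1:
            verdict[src] = "scanner"
        elif score[src] <= eta0:
            verdict[src] = "benign"
    for src in score:
        verdict.setdefault(src, "undecided")
    return verdict

if __name__ == "__main__":
    print(trw_verdicts(SAMPLE_LOG))
```

With these parameters each failed first contact multiplies the likelihood ratio by 4 and each success by 1/4, so a source is flagged after a net of four failures and cleared after a net of four successes; repeat contacts with a host already seen do not move the score.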

Page 41: Final malacious softwares

Proactive Worm Containment

Page 42: Final malacious softwares

Network Based Worm Defense

Page 43: Final malacious softwares

Conclusion:

Preventing infection by malicious software:

◦ Use only trusted software, not pirated software.
◦ Test all new software on an isolated computer system.
◦ Regularly take backups of the programs.
◦ Use anti-virus software to detect and remove viruses.
◦ Update the virus database frequently to get new virus signatures.
◦ Install firewall software, which hampers or prevents the functionality of worms and Trojan horses.
◦ Make sure that e-mail attachments are secure.
◦ Do not keep a floppy disk in the drive when starting a program, unless sure that it does not include malicious software, else the virus will be copied into the boot sector.

Page 44: Final malacious softwares

References:

Webopedia.com. Trojan Horse. Retrieved Nov 8, 2003 from website: http://www.webopedia.com/TERM/T/Trojan_horse.html

Staffordshire University, Information & Security Team (Jun 8, 2002). Information Systems Security Guidelines. Retrieved Nov 10, 2003 from website: http://www.staffs.ac.uk/services/information_technology/regs/security7.shtm

M. E. Kabay, Norwich University, VT (2002). Malicious Software. Retrieved Nov 9, 2003 from website: http://www2.norwich.edu/mkabay/cyberwatch/09malware.htm

Computer Emergency Response Team (CERT), Information Security (Jul 2, 2002). Malicious Software – general. Retrieved Nov 10, 2003 from website: http://www.ficora.fi/englanti/tietoturva/haittaohj.htm