3. 33
What is Malicious Code?What is Malicious Code?
Any code which:Any code which:
– Modifies or destroys dataModifies or destroys data
– Steals dataSteals data
– Allows unauthorized accessAllows unauthorized access
– Exploits or damages a systemExploits or damages a system
– Does something user did not intend to doDoes something user did not intend to do
Malware is a MALicious softWAREMalware is a MALicious softWARE
Malware can be any things: viruses, worms, trojan horses, etc.Malware can be any things: viruses, worms, trojan horses, etc.
4. 44
Trojan HorseTrojan Horse
A Trojan horse is a program that appears to be useful orA Trojan horse is a program that appears to be useful or
harmless but that contains hidden code designed to exploit orharmless but that contains hidden code designed to exploit or
damage the system on which it is run.damage the system on which it is run.
Originally Trojan horses were not designed to spreadOriginally Trojan horses were not designed to spread
themselves.themselves.
A Trojan horse tricks user into executing malicious code.A Trojan horse tricks user into executing malicious code.
Examples:Examples:
– A simple example of a Trojan Horse would be a program namedA simple example of a Trojan Horse would be a program named
“Bush.EXE" that is posted on a website with a promise to be a fun“Bush.EXE" that is posted on a website with a promise to be a fun
animation.animation.
– On the Microsoft Windows platform, an attacker might attach a TrojanOn the Microsoft Windows platform, an attacker might attach a Trojan
horse with an innocent-looking filename to an email message whichhorse with an innocent-looking filename to an email message which
entices the recipient into opening the file.entices the recipient into opening the file.
– Phish-BuyPhone (1/7/2007).Phish-BuyPhone (1/7/2007).
7. 77
VirusVirus
A virus uses code written with the express intention ofA virus uses code written with the express intention of
replicating itself.replicating itself.
A virus attempts to spread from computer to computer byA virus attempts to spread from computer to computer by
attaching itself to a host program.attaching itself to a host program.
It may damage hardware, software, or data. When the host isIt may damage hardware, software, or data. When the host is
executed, the virus code also runs, infecting new hosts andexecuted, the virus code also runs, infecting new hosts and
sometimes delivering an additional malicious actions.sometimes delivering an additional malicious actions.
Example:Example:
– Melissa: MacrovirusMelissa: Macrovirus
8. 88
Virus structureVirus structure
Program V:=
{goto main;
1234567;
subroutine infect-executable :=
{loop:
file := get-random-executable-file;
if (first-line-of-file = 1234567)
then goto loop
else prepend V to file;
subroutine do-damage :=
{what ever damage to be done}
subroutine trigger-pulled :=
{return true if some condition
holds}
Main: main-program :=
{infect-executable;
if trigger-pulled then do-damage;
goto next;}
next:
}
(on right) A virus structure
that is prepended to infected
programs
Type of this virus: File
virus.
A virus can be prepended orA virus can be prepended or
postpended to an executablepostpended to an executable
programprogram
When an infected programWhen an infected program
(containing a virus) is invoked,(containing a virus) is invoked,
will first execute the virus codewill first execute the virus code
then execute the original code tothen execute the original code to
the programthe program..
9. 99
Types of virusesTypes of viruses
1.1. File virus, also called parasitic virus.File virus, also called parasitic virus.
2.2. Boot sector infectors: Infects a master boot record or boot record andBoot sector infectors: Infects a master boot record or boot record and
spreads when a system is booted from the disk containing the virus.spreads when a system is booted from the disk containing the virus.
3.3. Macro virus: infects macro programming environment (e.g., MicrosoftMacro virus: infects macro programming environment (e.g., Microsoft
office application such as Word) rather than specific operating systems .office application such as Word) rather than specific operating systems .
– A macro is a an executable program embedded in a word processing documentA macro is a an executable program embedded in a word processing document
or other types of files.or other types of files.
– A macros is an executable file that can modify commands within the applicationA macros is an executable file that can modify commands within the application
menu.menu.
– Macro virus infects data files rather than executable files.Macro virus infects data files rather than executable files.
1.1. Stealth virus: a form of virus explicitly designed to hide itself fromStealth virus: a form of virus explicitly designed to hide itself from
detection by antivirus softwares.detection by antivirus softwares.
2.2. Polymorphic virus: a virus that mutates with every infection, making itsPolymorphic virus: a virus that mutates with every infection, making its
detection impossible.detection impossible.
3.3. ……
10. 1010
WormsWorms
A worm uses self-propagating malicious code that canA worm uses self-propagating malicious code that can
automatically distribute itself from one computer to anotherautomatically distribute itself from one computer to another
through network connections.through network connections.
– i.e.i.e., Worms can execute and spread without user intervention., Worms can execute and spread without user intervention.
A worm can take harmful actions, such as:A worm can take harmful actions, such as:
– consuming network or local system resourcesconsuming network or local system resources
– causing a denial of service attack.causing a denial of service attack.
– deleting data, spying users, …deleting data, spying users, …
11. 1111
WormsWorms
By denition, a worm is supposed to hop from machine to
machine on its own, it needs to come equipped with considerable
networking support.
With regard to autonomous network hopping, the important
question to raise is: What does it mean for a program to hop
from machine to machine?
A program may hop from one machine to another by a variety of
means:
– By using the remote shell facilities, as provided by rsh and rexec in Unix,
to execute a command on the remote machine.
– By cracking the passwords and logging in as a regular user on a remote
machine.
Example: The Slammer Worm (online info)
12. 1212
Other malwaresOther malwares
Trap door: a secret entry point into a program that allowsTrap door: a secret entry point into a program that allows
someone that is aware of the trapdoor to gain access withoutsomeone that is aware of the trapdoor to gain access without
going through the usual security procedures.going through the usual security procedures.
Logic bomb: is a code embedded in some legitimate programLogic bomb: is a code embedded in some legitimate program
that is set to explode when certain conditions are met (time, orthat is set to explode when certain conditions are met (time, or
data).data).
Zombie: is a program that secretly takes over another Internet-Zombie: is a program that secretly takes over another Internet-
attached computer and then uses this computer to launch attacksattached computer and then uses this computer to launch attacks
13. 1313
Other malwaresOther malwares
What is not malware?What is not malware?
– Spyware (also calledSpyware (also called spybotspybot oror tracking software)tracking software). programs that conduct. programs that conduct
certain activities (collecting personal information) on a computer withoutcertain activities (collecting personal information) on a computer without
obtaining appropriate consent from the user.obtaining appropriate consent from the user.
– Adware:Adware: pop-up advertisementspop-up advertisements
– Spam: is unsolicited e-mail generated to advertise some service orSpam: is unsolicited e-mail generated to advertise some service or
productproduct
– Scams: An e-mail message that attempts to trick the recipient intoScams: An e-mail message that attempts to trick the recipient into
revealing personal information that can be used for unlawful purposesrevealing personal information that can be used for unlawful purposes
14. 1414
Virus countermeasuresVirus countermeasures
The antivirus approach: the ideal solution to the threat of virusesThe antivirus approach: the ideal solution to the threat of viruses
is prevention:is prevention:
– Don’t allow malware to get into the systemDon’t allow malware to get into the system
This is difficult (even impossible) to achieveThis is difficult (even impossible) to achieve
Follow the following approach:Follow the following approach:
– Detection: once the infection has occurred, locate the virus.Detection: once the infection has occurred, locate the virus.
– Identification: identify the specific virus that has infected a program.Identification: identify the specific virus that has infected a program.
– Removal: remove all traces of the virus from the infected program andRemoval: remove all traces of the virus from the infected program and
restore it to its original state.restore it to its original state.
Follow Virus Alert’s website: (eg, next slide)Follow Virus Alert’s website: (eg, next slide)
Example:Example:
– The Windows case (the antivirus Defense-in-Depth Guide, Ch4)The Windows case (the antivirus Defense-in-Depth Guide, Ch4)
16. 1616
Windows’s antivirus Defense-Windows’s antivirus Defense-
in-Depth Guidein-Depth Guide
1.1. Active processes and servicesActive processes and services
– Task Manager, Ps Tools, Process ExplorerTask Manager, Ps Tools, Process Explorer
1.1. The local registryThe local registry
– Regedit (the registry editor)Regedit (the registry editor)
1.1. Files in the Microsoft Windows system folders.Files in the Microsoft Windows system folders.
– Use the “Windows Search”Use the “Windows Search”
1.1. New user or group accounts, especially with AdministratorNew user or group accounts, especially with Administrator
privilegesprivileges
2.2. Shared folders (including hidden folders).Shared folders (including hidden folders).
3.3. Newly created files with normal looking file names but inNewly created files with normal looking file names but in
unusual locationsunusual locations
4.4. Opened network portsOpened network ports
– Netstat, FPortNetstat, FPort
18. 1818
Intrusion detectionIntrusion detection
Viruses and intrusion are the most publicized threats to systemViruses and intrusion are the most publicized threats to system
securitysecurity
Intrusion: illegally gaining access to systemsIntrusion: illegally gaining access to systems
Intrusion techniques: acquiring protected information (often userIntrusion techniques: acquiring protected information (often user
passwords)passwords)
– Passwords are associated with users in filesPasswords are associated with users in files
Password files must be protectedPassword files must be protected
Countermeasures: prevention and detectionCountermeasures: prevention and detection
– If intrusion prevention fails,If intrusion prevention fails,
– Intrusion detection is the real defense line.Intrusion detection is the real defense line.
19. 1919
Intrusion detectionIntrusion detection
Intrusion detection is based on the assumption that the behaviorIntrusion detection is based on the assumption that the behavior
of the intruder differs from that of a legitimate user in ways thatof the intruder differs from that of a legitimate user in ways that
can be quantified.can be quantified.
Intrusion detection approaches:Intrusion detection approaches:
– Statistical anomaly detectionStatistical anomaly detection
– Rule-based detectionRule-based detection
Audit Records: is a fundamental tool for intrusion detectionAudit Records: is a fundamental tool for intrusion detection
– A detection record may contain subject (user, process), action (login,A detection record may contain subject (user, process), action (login,
read, write), object (files, programs), resource usage, timestampread, write), object (files, programs), resource usage, timestamp
Examples of IDS:Examples of IDS:
– Cisco’s Secure IDSCisco’s Secure IDS
– ISS RealSecureISS RealSecure
– SnortSnort
21. 2121
FirewallFirewall
A firewall is any device used as a network-level access controlA firewall is any device used as a network-level access control
mechanism for a particular network or a set of networksmechanism for a particular network or a set of networks
– Firewall is used to prevent outsiders from accessing an internal network.Firewall is used to prevent outsiders from accessing an internal network.
Firewalls may be stand-alone computers, routers, or firewallFirewalls may be stand-alone computers, routers, or firewall
appliances (sometimes with their own OS)appliances (sometimes with their own OS)
They serve as control points to and from networksThey serve as control points to and from networks
They check whether or not network traffic should be allowedThey check whether or not network traffic should be allowed
according to sets of rules or policies.according to sets of rules or policies.
Pitfalls: slowing data transmission, impairing networkingPitfalls: slowing data transmission, impairing networking
Windows is sometimes configured by default to hide filename extensions from a user, the Trojan horse's extension might be "masked" by giving it a name such as 'Readme.txt.exe'. With file extensions hidden, the user would only see 'Readme.txt' and could mistake it for a harmless text file