2. Overview
— Introduction
— Virus
— Worm
— Other Malicious Software
  o Backdoor/Trapdoor
  o Logic Bomb
  o Trojan Horse
— DDoS Attack
  o DDoS Description
  o Construction of Attack
3. Program Definition
A computer program tells a computer what to do and how to do it.
• Computer viruses, network worms, and Trojan Horses are computer programs.
4. Malicious software?
• Malicious Software (Malware) is software that is included or inserted in a system for harmful purposes.
OR
• Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do.
6. Taxonomy of Malicious Programs
Malicious Programs
— Need Host Program: Trapdoors, Logic Bombs, Trojan Horses, Viruses
— Independent: Worms, Zombies
Most current malicious code mixes all capabilities!
7. What is it good for?
• Steal personal information
• Delete files
• Click fraud
• Steal software serial numbers
8. What to Infect
• Executable
• Interpreted file
• Kernel
• Service
• Master Boot Record
9. Virus
• Self-replicating code that attaches itself to another program and executes secretly when the host program is executed.
• No hidden action
  – Generally tries to remain undetected, but what about activities such as deleted files?
10. Parts of a Virus
• Three Parts
  – Infection Mechanism: The means by which a virus spreads, enabling it to replicate; also referred to as the Infection Vector.
  – Trigger: The event or condition that determines when the payload is activated or delivered.
  – Payload: The payload may involve damage or may involve benign but NOTICEABLE activity.
11. Phases – Life Cycle
• Dormant phase - the virus is idle
• Propagation phase - the virus places an identical copy of itself into other programs
• Triggering phase – the virus is activated to perform the function for which it was intended
• Execution phase – the function is performed
13. Operation routine
• Operates when the infected code is executed (execution sequence)
  – Jump to the main virus program
  – If the spread (infection) condition holds, then { for each target file: if not infected, alter the file to include the virus }
  – Perform the malicious action
  – Transfer control back
  – Execute the normal program
• If the infection phase is rapid, the user will not notice any difference between the execution of the infected program and the uninfected program.
14. Types of Viruses
• On the basis of target
• Boot Sector Infector: Infects the master boot record / boot record (boot sector) of a disk and spreads when a system is booted with an infected disk (original DOS viruses). They are memory-resident viruses.
• File Infector: Infects executable files; they are also called Parasitic Viruses as they attach themselves to executable files as part of their code. Runs whenever the host program is executed.
• Macro Virus – Infects files with macro code that is interpreted by the relevant application, such as doc or excel files.
15. Types of Viruses
• On the basis of concealment strategy
• Encrypted Virus – A portion of the virus creates a random encryption key and encrypts the remainder of the virus. The key is stored with the virus. When the virus replicates, a different random key is generated.
• Stealth Virus - explicitly designed to hide from virus scanning programs.
• Polymorphic Virus - mutates with every new host to prevent signature detection; signature detection is useless.
• Metamorphic Virus – Rewrites itself completely with every new host; may change its behavior and appearance.
16. Recent addition: Email Virus
• Moves around in e-mail messages, triggered when the user opens an attachment
• Does local damage on the user's system
• Propagates very quickly
• Replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book
17. Examples of risky file types
• The following file types should never be opened if…
  – .EXE
  – .PIF
  – .BAT
  – .VBS
  – .COM
18. Virus Propagation
• Virus written in some language, e.g. C, C++, Assembly, etc.
• Inserted into another program
  – using a tool called a "dropper"
• Virus dormant until the program is executed
  – then infects other programs
  – eventually executes its "payload"
19. Virus Propagation
• An executable program
• With a virus at the front (file size is increased)
• With the virus at the end (file size is increased)
• With a virus spread over free space within the program
20. Virus Propagation
(a) A program; (b) Infected program; (c) Compressed infected program; (d) Encrypted virus; (e) Compressed virus with encrypted compression code
21. Anti-virus
• It is not possible to build a perfect virus/malware detector.
• Analyze system behavior
• Analyze the binary to decide if it is a virus
• Type:
  – Scanner
  – Real time monitor
22. Anti-virus
• Scanners
  – First Generation, relied on signatures.
  – Second Generation, relied on heuristic rules or integrity checking (e.g. a checksum appended to a program).
• Real time Monitors
  • Third Generation, memory resident and identify a virus by its actions (behaviour).
  • Fourth Generation, combination of different capabilities.
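The second-generation integrity check in action, as an added example (not the lecture's code): a baseline of file sizes and SHA-256 hashes is recorded and re-verified after one file has bytes appended; file names and contents are constructed.

```python
"""Second-generation integrity checking (slide 22), added as an example
and not the lecture's own code: record a checksum for every program as a
baseline, then re-verify. A file infector that prepends or appends itself
changes the file's bytes and size, so the checksum no longer matches even
though no signature for that virus exists. Files here are constructed."""
import hashlib
import os
import tempfile


def baseline(paths):
    """Map each path to (size, sha256) as the trusted reference."""
    table = {}
    for p in paths:
        with open(p, "rb") as f:
            data = f.read()
        table[p] = (len(data), hashlib.sha256(data).hexdigest())
    return table


def verify(table):
    """Return paths whose current size or hash differs from the baseline,
    or which no longer exist. A match says nothing about files that were
    already infected when the baseline was taken."""
    changed = []
    for p, (size, digest) in table.items():
        if not os.path.exists(p):
            changed.append(p)
            continue
        with open(p, "rb") as f:
            data = f.read()
        if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            changed.append(p)
    return changed


def demo():
    """Constructed scenario: two 'programs'; one later gets bytes appended."""
    d = tempfile.mkdtemp()
    prog_a = os.path.join(d, "a.exe")
    prog_b = os.path.join(d, "b.exe")
    for p in (prog_a, prog_b):
        with open(p, "wb") as f:
            f.write(b"MZ original program bytes")
    table = baseline([prog_a, prog_b])
    untouched = verify(table)             # expected: []
    with open(prog_b, "ab") as f:         # stand-in for an appending infector
        f.write(b"\x90\x90 appended bytes")
    return untouched, [os.path.basename(p) for p in verify(table)]
```

The baseline itself must be stored where the checked programs cannot rewrite it, or the check is only as trustworthy as the disk it protects.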
23. Worm
A computer worm is a self-replicating computer virus. It uses a network to send copies of itself to other nodes and does so without any user intervention.
24. Comparison of Worm Features
1) Computer Virus:
  • Needs a host file
  • Copies itself
  • Executable
2) Network Worm:
  • No host (self-contained)
  • Copies itself
  • Executable
3) Trojan Horse:
  • No host (self-contained)
  • Does not copy itself
  • Imposter Program
25. Worm: History
• Runs independently
  – Does not require a host program
• Propagates a fully working version of itself to other machines
— History
  ◦ The Morris worm was one of the first worms distributed over the Internet
— Two examples
  ◦ Morris – 1998
  ◦ Slammer – 2003
26. Worm Operation
• A worm has similar phases to a virus:
  • Dormant (inactive; rest)
  • Propagation
    • Search for other systems to infect
    • Establish a connection to the target remote system
    • Replicate self onto the remote system
  – Triggering
  – Execution
27. Morris Worm
• Best known classic worm
• Released by Robert Morris in 1988
• Targeted Unix systems
• Used several propagation techniques
• If any attack succeeded, it replicated itself
28. Slammer (Sapphire) Worm
• When
  • Jan 25 2003
• How
  • Exploited a buffer overflow in MS SQL
  • Random scanning
    • Randomly selected IP addresses
• Cost
  • Caused ~ $2.6 Billion in damage
29. Slammer Scale
The diameter of each circle is a function of the number of infected machines, so large circles visually under-represent the number of infected cases in order to minimize overlap with adjacent locations.
30. The worm itself …
— System load
  ◦ Infection generates a number of processes
  ◦ Password cracking uses lots of resources
  ◦ Thousands of systems were shut down
• Tries to infect as many other hosts as possible
  – When the worm successfully connects, it leaves a child to continue the infection while the parent keeps trying new hosts
  – Finds targets using several mechanisms: 'netstat -r -n', /etc/hosts, …
• The worm DOES NOT:
  – Delete system files, modify existing files, install Trojan horses, record or transmit decrypted passwords, or capture super user privileges
31. Backdoor or Trapdoor
— Secret entry point into a program
— Allows those who know of it access by bypassing the usual security procedures
— Remains hidden to casual inspection
— Can be a new program to be installed
— Can modify an existing program
— Trap doors can provide access to a system for unauthorized procedures
— Very hard to block in the O/S
32. Trap Door Example
(a) Normal code. (b) Code with a trapdoor inserted.
33. Logic Bomb
• One of the oldest types of malicious software
• Piece of code that executes itself when pre-defined conditions are met
• Logic Bombs that execute on certain days are known as Time Bombs
• Activated when specified conditions are met
  – E.g., presence/absence of some file
  – particular date/time
  – particular user
• When triggered, typically damages the system
  – modify/delete files/disks, halt the machine, etc.
34. Tracing Logic Bombs
• Searching - Even the most experienced programmers have trouble erasing all traces of their code
• Knowledge - Important to understand the underlying system functions, the hardware, the hardware/software/firmware/operating system interface, and the communications functions inside and outside the computer
• Example of benign logical fun
  – http://googletricks.com/top-25-fun-google-tricks/
  – Type zerg rush in google
36. Trojan Horse
• A Trojan horse is a malicious program that is designed to pass as authentic, real and genuine software.
• Like the gift horse left outside the gates of Troy by the Greeks, Trojan Horses appear to be useful or interesting to an unsuspecting user, but are actually harmful.
38. What can Trojans do?
• Erase or overwrite data on a computer
• Spread other viruses or install a backdoor. In this case the Trojan horse is called a 'dropper'.
• Set up networks of zombie computers in order to launch DDoS attacks or send spam.
• Log keystrokes to steal information such as passwords and credit card numbers (known as a key logger)
• Phish for bank or other account details, which can be used for criminal activities.
• Or simply destroy data
• Mail the password file.
39. How can you be infected?
• Websites: You can be infected by visiting a rogue website. Internet Explorer is most often targeted by makers of Trojans and other pests. Even using a secure web browser, such as Mozilla's Firefox, if Java is enabled, your computer has the potential of receiving a Trojan horse.
• Instant message: Many get infected through files sent through various messengers. This is due to an extreme lack of security in some instant messengers, such as AOL's instant messenger.
• E-mail: Attachments on e-mail messages may contain Trojans. Trojan horses via SMTP.
40. Sample Delivery
• The attacker will attach the Trojan to an e-mail with an enticing header.
• The Trojan horse is typically a Windows executable program file, and must have an executable file extension such as .exe, .com, .scr, .bat, or .pif. Since Windows is configured by default to hide extensions from the user, the Trojan horse's extension might be "masked" by giving it a name such as 'Readme.txt.exe'. With file extensions hidden, the user would only see 'Readme.txt' and could mistake it for a harmless text file.
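A mail-gateway check for the masked extension described above, written as an added example rather than code from the lecture; the extension list follows slides 17 and 40, and the attachment names are constructed.

```python
"""Flag attachments whose final extension Windows would execute, including
names such as 'Readme.txt.exe' that look harmless once the real extension
is hidden. Added example, not lecture code; extension list from slides 17
and 40; sample names are constructed."""
import os

# Extensions Windows runs when the file is double-clicked (slides 17, 40).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".pif", ".vbs"}


def classify_attachment(name):
    """Return (verdict, reason). Case-insensitive, because Windows is, so
    'readme.TXT.Exe' is treated the same as 'Readme.txt.exe'."""
    name = name.strip()
    base, last = os.path.splitext(name)
    last = last.lower()
    if last not in EXECUTABLE_EXTS:
        return "allow", "non-executable extension"
    inner_ext = os.path.splitext(base)[1].lower()
    if inner_ext and inner_ext not in EXECUTABLE_EXTS:
        # Readme.txt.exe: shown as Readme.txt when extensions are hidden
        return "block", f"executable masked as {inner_ext} file"
    return "block", f"executable attachment ({last})"


def displayed_name(name):
    """What the user sees with 'Hide extensions for known file types' on."""
    return os.path.splitext(name)[0]


def filter_mail(attachments):
    """Apply the check to a list of attachment names; return the blocked ones."""
    return [n for n in attachments if classify_attachment(n)[0] == "block"]
```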
41. Where They Live? (1)
• Autostart Folder
  The Autostart folder is located in C:\Windows\Start Menu\Programs\startup and, as its name suggests, automatically starts everything placed there.
• Win.ini
  Windows system file, using load=Trojan.exe and run=Trojan.exe to execute the Trojan
• System.ini
  Using Shell=Explorer.exe trojan.exe results in execution of every file after Explorer.exe
• Wininit.ini
  Setup programs use it mostly; once run, it is auto-deleted, which is very handy for Trojans to restart
42. Where They Live? (2)
• Winstart.bat
  Acting as a normal bat file; the trojan is added as @trojan.exe to hide its execution from the user
• Autoexec.bat
  It's a DOS auto-starting file and it's used as an auto-starting method like this -> c:\Trojan.exe
• Config.sys
  Could also be used as an auto-starting method for Trojans
• Explorer Startup
  Is an auto-starting method for Windows 95, 98, ME, XP: if c:\explorer.exe exists, it will be started instead of the usual c:\Windows\Explorer.exe, which is the common path to the file.
43. What does the attacker want?
• Credit Card Information (often used for domain registration, shopping with your credit card)
• Any accounting data (E-mail passwords, Login passwords, Web Services passwords, etc.)
• Email Addresses (Might be used for spamming, as explained above)
• Work Projects (Steal your presentations and work related papers)
• School work (steal your papers and publish them with his/her name on it)
44. Stopping the Trojan …
The Horse must be "invited in" …. How does it get in? By:
• Downloading a file
• Installing a program
• Opening an attachment
• Opening bogus Web pages
• Copying a file from someone else
45. Zombie
• A program which secretly takes over another networked computer and forces it to run under a common command and control infrastructure.
• Uses it to indirectly launch attacks, e.g., DDoS, phishing, spamming, cracking
• Difficult to trace the zombie's creator
• Infected computers — mostly Windows machines — are now the major delivery method of spam.
• Zombies have been used extensively to send e-mail spam; between 50% and 80% of all spam worldwide is now sent by zombie computers.
48. Where malware Lives: Auto start
• Folder auto-start
• Win.ini: "run=[backdoor]" or "load=[backdoor]".
• System.ini: shell="myexplorer.exe"
• Autoexec.bat
• Config.sys
• Init.d
49. Auto start
• Assign a known extension (.doc) to the malware
• Add a Registry key such as HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• Add a task in the task scheduler
• Run as a service
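One way to audit the win.ini and system.ini hooks listed on slides 41 and 48, written as an added example (not from the lecture); the INI contents are constructed and the check assumes the standard [windows] and [boot] section names.

```python
"""Check for the win.ini / system.ini autostart hooks named on slides 41
and 48; an added example, not lecture code. On a clean system win.ini has
empty load= and run= lines and system.ini has shell=Explorer.exe; a program
in load=/run=, or a second word after Explorer.exe, is the restart hook.
The INI text below is constructed."""
import configparser

WIN_INI = """[windows]
load=
run=C:\\Temp\\Trojan.exe
[Desktop]
Wallpaper=(None)
"""

SYSTEM_INI = """[boot]
shell=Explorer.exe trojan.exe
[drivers]
wave=mmdrv.dll
"""


def _parse(text):
    # No interpolation, so '%' in a path cannot raise; keep key case as-is.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def win_ini_findings(text):
    """Return (key, value) for load=/run= entries that start a program."""
    cp = _parse(text)
    out = []
    if cp.has_section("windows"):
        for key in ("load", "run"):
            val = cp["windows"].get(key, "").strip()
            if val:
                out.append((key, val))
    return out


def system_ini_findings(text):
    """Return programs chained after the shell (e.g. 'trojan.exe'), or the
    whole shell line when Explorer.exe itself has been replaced."""
    cp = _parse(text)
    if not cp.has_section("boot"):
        return []
    parts = cp["boot"].get("shell", "").split()
    if parts and parts[0].lower() == "explorer.exe":
        return parts[1:]
    return parts
```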
50. Web
— 1.3% of the incoming search queries to Google returned at least one malware site
— Visit sites with an army of browsers in VMs, check for changes to the local system
— Indicate potentially harmful sites in search results
57. Distributed Denial of Service
• A denial-of-service attack is an attack that causes a loss of service to users, typically the loss of network connectivity.
• CPU, memory, network connectivity, network bandwidth, battery energy
• Hard to address, especially in distributed form
58. DDoS Mechanism
• Goal: make a service unusable.
• How: overload a server, router, or network link by flooding it with useless traffic
• Focus: bandwidth attacks, using large numbers of "zombies"
59. How does it work?
• The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system's legitimate users.
• Victim's IP address.
• Victim's port number.
• Attacking packet size.
• Attacking inter-packet delay.
• Duration of attack.
60. Example 1
• Ping-of-death
  – An IP packet with a size larger than 65,536 bytes is illegal by the standard
  – Many operating systems did not know what to do when they received an oversized packet, so they froze, crashed or rebooted.
  – Routers forward each packet independently.
  – Routers don't know about connections.
  – Complexity is in the end hosts; routers are simple.
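A receiver-side check for the oversized datagram, added as an example (not lecture code): it rejects a fragment set whose reassembled extent would exceed the IPv4 maximum total length of 65,535 bytes before any buffer is allocated; the fragment tuples (offset in 8-byte units, payload length, more-fragments flag) are constructed.

```python
"""Reassembly-size check against the ping-of-death case above; added
example, not the lecture's code. The IPv4 header carries a 13-bit fragment
offset in 8-byte units and a 16-bit total length, so a sender can emit
fragments whose combined extent exceeds 65,535 bytes; a receiver that sizes
its buffer only after all fragments arrive overflows. Fragments here are
constructed tuples (offset_units, payload_len, more_fragments)."""
IPV4_MAX_DATAGRAM = 65535
MAX_OFFSET_UNITS = 0x1FFF          # 13-bit field


def fragment_end(offset_units, payload_len):
    """Byte position just past this fragment's payload once reassembled."""
    return offset_units * 8 + payload_len


def check_fragments(fragments):
    """Return (ok, reason). Any fragment whose extent passes the IPv4
    maximum is rejected before the datagram is reassembled."""
    max_end = 0
    for offset_units, payload_len, _more in fragments:
        if offset_units > MAX_OFFSET_UNITS:
            return False, "fragment offset does not fit in 13 bits"
        end = fragment_end(offset_units, payload_len)
        if end > IPV4_MAX_DATAGRAM:
            return False, f"fragment extends to byte {end} > {IPV4_MAX_DATAGRAM}"
        max_end = max(max_end, end)
    return True, f"reassembled size {max_end} bytes"


# Constructed: a 1,500-byte ping split in two, and an oversized one whose
# last fragment sits near the top of the offset range.
NORMAL = [(0, 1000, True), (125, 500, False)]
OVERSIZED = [(0, 1480, True), (8189, 1480, False)]
```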
62. Example 2
• TCP handshake
• SYN Flood
  – A stream of TCP SYN packets directed to a listening TCP port at the victim
  – The victim host must allocate new data structures for each SYN request
  – Legitimate connections are denied while the victim machine is waiting to complete bogus "half-open" connections
  – Not a bandwidth consumption attack
• IP Spoofing
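Half-open tracking as a detector for the SYN flood above; an added example, not lecture code, with constructed packet events and an assumed per-source threshold. The total backlog counter is the figure to watch for the spoofed-source case in the last bullet, where no single source exceeds the per-source limit.

```python
"""Half-open connection tracking for the SYN flood described above; an
added example, not the lecture's code. Each constructed event is
(time, src_ip, flags) seen at the victim's listening port: a normal client
completes the handshake (SYN then ACK), a flooder's SYNs are never
completed, so its half-open count keeps growing."""
from collections import defaultdict
HALF_OPEN_LIMIT = 3    # per-source alert threshold (assumed value)
WINDOW_SECONDS = 5.0   # half-open entries older than this are forgotten

class SynTracker:
    def __init__(self, limit=HALF_OPEN_LIMIT, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.half_open = defaultdict(list)   # src_ip -> SYN timestamps

    def _expire(self, now):
        for src in list(self.half_open):
            fresh = [t for t in self.half_open[src] if now - t <= self.window]
            if fresh:
                self.half_open[src] = fresh
            else:
                del self.half_open[src]

    def observe(self, now, src, flags):
        """Feed one packet; return src when it crosses the limit, else None."""
        self._expire(now)
        if flags == "SYN":
            self.half_open[src].append(now)
            if len(self.half_open[src]) >= self.limit:
                return src
        elif flags == "ACK" and self.half_open[src]:
            self.half_open[src].pop(0)   # handshake done: no longer half-open
        return None

    def total_half_open(self):
        """Total backlog: the figure to watch when sources are spoofed and
        per-source counts stay below the limit (IP spoofing, last bullet)."""
        return sum(len(v) for v in self.half_open.values())

def detect(events):
    """Return the set of sources flagged over a list of (time, src, flags)."""
    tracker = SynTracker()
    return {s for s in (tracker.observe(*e) for e in events) if s}

# Constructed sample: one legitimate client, one flooding source.
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", "SYN"), (0.1, "10.0.0.5", "ACK"),
    (0.2, "198.51.100.9", "SYN"), (0.3, "198.51.100.9", "SYN"),
    (0.4, "198.51.100.9", "SYN"), (0.5, "198.51.100.9", "SYN"),
    (1.0, "10.0.0.5", "SYN"), (1.1, "10.0.0.5", "ACK"),
]
```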