1
MALWARE
2
Types of Malicious Programs
- Virus
- Worm
- Logic Bomb
- Trojan Horse
- Backdoor (trapdoor)
- Rootkit
- Zombie/Bot
- Spyware/Keyloggers
3
Historical – first mentioned malware
- Worm – Morris Internet worm of November 2, 1988
- Not written to cause damage, but to gauge the size of the Internet
- Spread using: Unix sendmail, finger, rsh/rexec
- Error in spreading logic: if the worm is already present, do not always spread – only spread 1 out of 7 times (still flooding the network = DoS)
- 6,000 major UNIX machines infected – estimated cost $100,000–10,000,000
4
Virus and other malware
Well-known malware:
- 1999: Melissa
- 2000: ILOVEYOU
- 2001: Klez
- 2004: Sasser
- 2009: Conficker virus (‘worm’)
- 2010: Stuxnet (in Iran – purpose to stop nuclear bomb)
5
Nature of Virus
Four phases:
- Dormant Phase: the virus is idle
- Propagation Phase: the virus copies itself
- Triggering Phase: the event that activates the virus
- Execution Phase: the function is performed
6
The Virus structure
- Small piece of code
- Briefly: infect next; while (not trigger activated) wait; do damage
- To hide (live in stealth) – often compress + encrypt
- Mutates (changes signature) – polymorphic
- Mutates dynamically for each iteration – metamorphic
7
Virus Countermeasures (antivirus)
- Ideal: prevent viruses from coming in (not possible)
- Real life:
  - Detection: is there a virus?
  - Identification: which virus?
  - Removal: clean up all traces of the virus (perhaps set the program in suspension)
8
Virus Countermeasures (antivirus) cont.
- How to recognize:
  - Signature (file size, code, file name …): simple, but works only for known viruses – if not too well hidden
  - Detect suspicious behaviour (write to boot sector, change system files, TSR): complex, works for ‘unknown’ viruses
- Problems to face:
  - False positive (find a virus which is not a virus)
  - False negative (do not find a real virus)
9
Virus Countermeasures (antivirus) cont. 2
Advanced techniques, e.g. Generic Decryption (shortened): ‘run’ possibly infected files on a CPU emulator => let the virus unpack/decrypt itself => now possible to detect from the signature
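Slides 8 and 9 describe signature matching, the false-positive/false-negative problem and generic decryption. The Python below is an added worked example, not code from the slides or from Stallings' book: it scans constructed byte strings (no real malware; the marker string, the `STUB:` file layout and the single-byte XOR layer are all invented for this demo) with an exact-hash lookup, a byte-pattern signature and a toy generic-decryption step that "runs" the decryptor before matching, so the three detection gaps from the slides show up as concrete results.

```python
import hashlib

# Constructed sample "files" (byte strings standing in for executables).
# None of this is real malware; the marker is an arbitrary string for the demo.
SIGNATURE_PATTERN = b"EVIL-PAYLOAD-MARKER"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def xor_bytes(data: bytes, key: int) -> bytes:
    """Toy single-byte XOR, standing in for the virus's compress/encrypt layer."""
    return bytes(b ^ key for b in data)

# Hypothetical layout of the "encrypted" variant: a 5-byte stub tag, the
# one-byte key, then the XOR-ed body. A real decryptor stub is machine code;
# here it is only a descriptor that emulate_decryptor() knows how to execute.
STUB_TAG = b"STUB:"
KEY = 0x5A

PLAIN_INFECTED = b"MZ\x90\x00 normal header " + SIGNATURE_PATTERN + b" rest of program"
SAMPLES = {
    "clean": b"MZ\x90\x00 clean program that prints hello",
    "plain_infected": PLAIN_INFECTED,
    # One trailing byte added: same virus body, different hash.
    "patched_infected": PLAIN_INFECTED + b"\x00",
    # Same virus body, XOR-ed so the signature is not visible statically.
    "encrypted_infected": STUB_TAG + bytes([KEY]) + xor_bytes(PLAIN_INFECTED, KEY),
    # A clean tool that carries the pattern as data (e.g. a test string).
    "clean_with_pattern": b"MZ\x90\x00 antivirus test tool: " + SIGNATURE_PATTERN,
}

# Known-bad database: the exact hash of the one sample we have analysed.
KNOWN_BAD_HASHES = {sha256(PLAIN_INFECTED)}

def hash_scan(data: bytes) -> bool:
    """Exact-match lookup: cheap, but any byte change defeats it (false negative)."""
    return sha256(data) in KNOWN_BAD_HASHES

def signature_scan(data: bytes) -> bool:
    """Byte-pattern search: survives small edits, misses encrypted bodies
    (false negative) and fires on any file merely containing the pattern
    (false positive)."""
    return SIGNATURE_PATTERN in data

def emulate_decryptor(data: bytes) -> bytes:
    """Stand-in for the CPU emulator: if the file carries the toy stub, 'run'
    it to recover the decrypted body; otherwise return the file unchanged."""
    if data.startswith(STUB_TAG) and len(data) > len(STUB_TAG):
        key = data[len(STUB_TAG)]
        return xor_bytes(data[len(STUB_TAG) + 1:], key)
    return data

def generic_decryption_scan(data: bytes) -> bool:
    """Generic decryption: let the sample unpack itself, then apply the signature."""
    return signature_scan(emulate_decryptor(data))

SCANNERS = {
    "hash": hash_scan,
    "signature": signature_scan,
    "generic_decryption": generic_decryption_scan,
}

def scan_all() -> dict:
    """Run every scanner over every sample; returns {scanner: {sample: detected}}."""
    return {name: {s: fn(d) for s, d in SAMPLES.items()} for name, fn in SCANNERS.items()}

if __name__ == "__main__":
    for scanner, results in scan_all().items():
        print(scanner)
        for sample, hit in results.items():
            print(f"  {sample:20s} {'DETECTED' if hit else 'clean'}")
```

Reading the table the script prints: the hash scanner catches only the exact known file, the signature scanner also catches the patched copy but misses the encrypted one and raises a false positive on the clean tool, and generic decryption recovers the encrypted body so the same signature now matches it. The false positive remains, which is why real engines pair signatures with behaviour checks rather than relying on one method.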
10
Worms
- Worm malware: makes a copy of itself and propagates by itself, i.e. does not need a host program (unlike viruses)
- Structure: more or less the same as a virus (tries to hide)
11
Worm countermeasure approaches
- In general: try to prevent spreading by closing in- and out-going traffic
- Signature-based filtering (no in/out traffic matching the signature) – like a firewall, look at the content/payload of in/out packets
- Threshold random walk (TRW): limit the number of connections to different networks
- Rate limiting / halting: stop when some maximum rate has been exceeded
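The last two bullets name detection-side countermeasures without showing how they decide. The Python below is an added worked example, not from the slides or from Stallings' book, that runs both over a constructed connection log (the addresses, timestamps and outcomes are invented; the `success`/`fail` log format is this example's own). The TRW part follows the published sequential hypothesis test of Jung, Paxson, Berger and Balakrishnan (2004): each first contact to a new destination multiplies a per-host likelihood ratio, failures pushing it towards "scanner" and successes towards "benign", until it crosses one of two thresholds. The rate limiter halts a host that reaches too many distinct new destinations within a sliding window.

```python
from collections import defaultdict, deque

# Constructed connection log (not from the slides). One record per line:
# "<seconds> <source ip> <destination ip> <success|fail>".
# 10.0.0.99 behaves like a scanning worm (many first contacts, mostly failing);
# 10.0.0.5 behaves like an ordinary client.
SAMPLE_LOG = """\
0 10.0.0.5 10.0.2.10 success
0 10.0.0.99 10.0.1.1 fail
1 10.0.0.99 10.0.1.2 success
2 10.0.0.99 10.0.1.3 fail
3 10.0.0.99 10.0.1.4 fail
4 10.0.0.99 10.0.1.5 fail
5 10.0.0.99 10.0.1.6 fail
6 10.0.0.99 10.0.1.7 fail
7 10.0.0.99 10.0.1.8 fail
20 10.0.0.5 10.0.2.11 success
40 10.0.0.5 10.0.2.12 success
60 10.0.0.5 10.0.2.13 success
70 10.0.0.5 10.0.2.10 success
"""

def parse_log(text):
    for line in text.splitlines():
        ts, src, dst, outcome = line.split()
        yield int(ts), src, dst, outcome == "success"

class ThresholdRandomWalk:
    """Sequential hypothesis test per source (Jung et al., 2004 formulation).
    Only the first contact with each destination counts; successes push the
    likelihood ratio towards 'benign', failures towards 'scanner'."""
    def __init__(self, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.99):
        # theta0 / theta1: P(success) for a benign host / for a scanner.
        # alpha: accepted false-positive probability; beta: wanted detection probability.
        self.up = (1 - theta1) / (1 - theta0)   # factor per failed first contact
        self.down = theta1 / theta0             # factor per successful first contact
        self.eta1 = beta / alpha                # upper threshold -> scanner
        self.eta0 = (1 - beta) / (1 - alpha)    # lower threshold -> benign
        self.ratio = defaultdict(lambda: 1.0)
        self.seen = defaultdict(set)
        self.verdict = {}

    def observe(self, src, dst, success):
        if src in self.verdict or dst in self.seen[src]:
            return self.verdict.get(src, "pending")
        self.seen[src].add(dst)
        self.ratio[src] *= self.down if success else self.up
        if self.ratio[src] >= self.eta1:
            self.verdict[src] = "scanner"
        elif self.ratio[src] <= self.eta0:
            self.verdict[src] = "benign"
        return self.verdict.get(src, "pending")

class NewDestinationRateLimiter:
    """Halt a source once it contacts more than max_new distinct destinations
    within a sliding window of `window` seconds."""
    def __init__(self, window=60, max_new=5):
        self.window, self.max_new = window, max_new
        self.seen = defaultdict(set)
        self.recent = defaultdict(deque)
        self.halted = set()

    def observe(self, ts, src, dst):
        if dst not in self.seen[src]:          # repeat contacts are not counted
            self.seen[src].add(dst)
            q = self.recent[src]
            q.append(ts)
            while q and q[0] <= ts - self.window:
                q.popleft()
            if len(q) > self.max_new:
                self.halted.add(src)
        return src in self.halted

def analyze(log_text):
    """Replay the log through both detectors; returns verdicts and decision times."""
    trw, limiter = ThresholdRandomWalk(), NewDestinationRateLimiter()
    decided_at = {}
    for ts, src, dst, success in parse_log(log_text):
        verdict = trw.observe(src, dst, success)
        if verdict != "pending" and src not in decided_at:
            decided_at[src] = ts
        limiter.observe(ts, src, dst)
    return {"trw": dict(trw.verdict), "trw_decided_at": decided_at,
            "rate_limited": set(limiter.halted)}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

With the default parameters the ratio moves by 4 per failure and by 0.25 per success, so the scanning host is declared a scanner after its sixth first contact (at t=5, one success having pushed it back once), and the ordinary client is declared benign after four successful first contacts (at t=60); its repeat connection at t=70 is ignored by both detectors. The rate limiter, set to five new destinations per minute, halts the scanner at the same record.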
12
Others
- Logic Bomb (like a salary database trigger)
- Rootkit: designed to hide the existence of certain processes or programs – e.g. the Sony BMG copy protection rootkit scandal
- Zombie/Bot: programs/computers under remote direction
- Botnet – most widespread: BredoLab/Oficia, approx. 30 million bots (cost of bots $ / day)
13
Literature: Network Security Essentials, 4th ed., Pearson 2011 – W. Stallings