Presentation is loading. Please wait.

Presentation is loading. Please wait.

Viruses and Related Threats. 2 Summary  have considered:  various malicious programs  trapdoor, logic bomb, trojan horse, zombie  viruses  worms.

Published byShannon Clark Modified over 9 years ago

Similar presentations

Presentation on theme: "Viruses and Related Threats. 2 Summary  have considered:  various malicious programs  trapdoor, logic bomb, trojan horse, zombie  viruses  worms."— Presentation transcript:

1 Viruses and Related Threats

2 2 Summary  have considered:  various malicious programs  trapdoor, logic bomb, trojan horse, zombie  viruses  worms  countermeasures  distributed denial of service attacks

3 3 Viruses and Related Threats  Viruses  Computer viruses have got a lot of publicity  One of a family of malicious software  Malicious software is software that is intentionally included or inserted in a system for a harmful purpose  Effects usually obvious  They have figured in news reports, fiction, movies  often exaggerated  getting more attention than deserve

4 4 Viruses and Related Threats  Malicious Programs  Dependent program  They Need host programs  They cannot exist independent of some actual application  E.g.: Viruses, Logic bomb, Backdoor  Independent program  They can be scheduled and run by the OS  E.g.: Worm, Zombie

5 5 Viruses and Related Threats Taxonomy of Malicious Programs

6 6 Viruses and Related Threats  Backdoor or Trapdoor  A secret entry point in a program  It allows those who know access bypassing usual security procedures  It have been commonly used by developers  A threat when left in production programs allowing exploited by attackers  It is very hard to block in O/S  It requires good s/w development & update

7 7 Viruses and Related Threats  Logic Bomb  One of oldest types of malicious software  Code embedded in legitimate program  It is activated when specified conditions met  Example  presence/absence of some file  particular date/time  particular user  When triggered typically damage system  E.g., modify/delete files/disks, halt machine, etc

8 8 Viruses and Related Threats  Trojan Horse  A program (or some part of a program) with hidden side-effects  Trojan horse is usually attractive to run  E.g., freeware game, s/w upgrade, etc  when runs, it performs some additional tasks  allows attacker to indirectly gain access they do not have directly  E.g., destroy/modify data, …  It often used to propagate a virus/worm or install a backdoor

9 9 Viruses and Related Threats  Zombie  A program which secretly takes over another networked computer  Then, the attacker uses the zombies to indirectly launch attacks (to the target host)  => Zombies often used to launch distributed denial of service (DDoS) attacks  Zombie exploits known flaws in network systems

10 10 Viruses and Related Threats  The Nature of Viruses  Viruses: a piece of self-replicating code attached to some other code  Cf. biological virus  Both (biological/computer virus) carry a payload and propagate itself  Payload contains code to make copies of itself as well as code to perform some covert task

11 11 Viruses and Related Threats  Virus phases:  Dormant – waiting on trigger event  Propagation – replicating to programs/disks  Triggering – activated by event to execute payload  Execution – performing the functions in the payload  Detailed phases usually depend on machine/OS specific  exploiting features/weaknesses

12 12 Viruses and Related Threats program V := {go to main : 1234567; subroutine infect-executable := {loop: file:=get-random-executable-file; if( first-line-of-file = 1234567 ) then goto loop else prepend V to file;} subroutine do-damage := {whatever damage is to be done} subroutine trigger-pulled := {return true if some condition holds} main : main-program := {infect-executable; if trigger-pulled then do-damage; goto next;} next; } - A simple virus - This virus is easily detected because an infected version of a program is longer than the corresponding uninfected one Virus Structure

13 13 Viruses and Related Threats program CV := {go to main : 01234567; subroutine infect-executable := {loop: file:=get-random-executable-file; if( first-line-of-file = 1234567 ) then goto loop (1) compress file; (2) prepend CV to file; } main : main-program := {infect-executable; (3) uncompress rest-of-file; (4) run uncompressed file; goto next;} next; } - A Compression virus :A way to thwart a means of detecting a simple virus is to compress the executable file so that both the infected and uninfected versions are of identical length. Logic of Compression Virus Running steps of compressed P1’ file that contains the virus code. 1.For each uninfected file P2, the virus first compress P2 to produce P2’. 2.The virus code is prepended to the P2’ 3.P1’ is uncompressed to P1 4.P1 is executed

14 14 Viruses and Related Threats A Compression Virus

15 15 Viruses and Related Threats  Types of Viruses  We can classify on basis of how they attack  Parasitic virus  it attaches itself to executable files and replicates.  Memory-resident virus  Lodges in main memory as part of a resident system program.  Boot sector virus  Infects a master boot record or boot record.  Stealth virus  A form of virus explicitly designed to hide itself from detection by antivirus software.  Polymorphic virus  A virus that mutates with every infection.

16 16 Viruses and Related Threats  Macro Virus  macro code can be attached to some data file which is interpreted by program using file  E.g., Word/Excel macros  Esp. using auto command & command macros  Macro code is now platform independent  Macro virus is a major source of new viral infections  There is blur distinction between data and program files  Classic trade-off: "ease of use" vs "security ”  Successive release of Word provide increased protection, and today macro virus is no longer dominant virus threat

17 17 Viruses and Related Threats  Email Virus  Email viruses are spread using email with attachment containing a macro virus  cf Melissa  They are triggered when user opens attachment, or worse even when mail viewed by using scripting features in mail agent  => hence propagate very quickly  Usually targeted at Microsoft Outlook mail agent & Word /Excel documents  We need better O/S & application security

18 18 Viruses and Related Threats  Worms  Originally, worms are self-replicating programs but not infecting ones.  Typically, spread over a network  E.g., Morris Internet Worm in 1988, which led to creation of CERTs  Worms propagate by using users ’ distributed privileges or by exploiting system vulnerabilities  Recently, worms are widely used by hackers to create zombie PC's, subsequently used for further attacks, esp. DoS (Denial-of-Services) attack.  Major issue is lack of security of permanently connected systems, esp. PC's

19 19 Viruses and Related Threats  It exhibits the same characteristics as a computer virus  The propagation phase performs the following functions :  Search for other systems to infect by examining host tables  Establish a connection with a remote system.  Copy itself to the remote system and cause the copy to be run.  It may also disguise its presence by naming itself as a system process or using some other name that may not be noticed by a system operator.

20 20 Viruses and Related Threats  Morris Worm  best known classic worm  released by Robert Morris in 1988  targeted Unix systems  using several propagation techniques  simple password cracking of local pw file  exploit bug in finger daemon  exploit debug trapdoor in sendmail daemon  if any attack succeeds then replicated self

21 21 Viruses and Related Threats  Recent Worm  Attacks new spate of attacks from mid-2001  Code Red - used MS IIS bug  probes random IPs for systems running IIS  had trigger time for denial-of-service attack  2 nd wave infected 360000 servers in 14 hours  Code Red 2 - installed backdoor  Nimda - multiple infection mechanisms  SQL Slammer - attacked MS SQL server  Sobig.f - attacked open proxy servers  Mydoom - mass email worm + backdoor

22 22 Viruses and Related Threats  State of Worm Technology  multiplatform  multiexploit  ultrafast spreading  polymorphic  metamorphic  transport vehicles  zero-day exploit

23 23 Virus Countermeasures  Best countermeasure is prevention  However, in general not possible  Hence, we need to do one or more of:  Detection - of viruses in infected system  Identification - of specific infecting virus  Removal - restoring system to clean state

24 24 Virus Countermeasures  Anti-Virus Approaches  first-generation  scanner uses virus signature to identify virus  or change in length of programs  second-generation  uses heuristic rules to spot viral infection  or uses crypto hash of program to spot changes  third-generation  memory-resident programs identify virus by actions  fourth-generation  packages with a variety of antivirus techniques  eg scanning & activity traps, access-controls  arms race continues

25 25 Virus Countermeasures  Advanced Anti-Virus Techniques  Generic decryption  It use CPU simulator to check program signature & behavior befo re actually running it  It start the simulator to simulate the file execution  Note that all polymorphic virus should decrypt itself to activate.  By periodically scanning the memory, decrypted virus code can be detected.

26 26 Virus Countermeasures  Digital Immune System  It is a comprehensive approach to virus protection developed by IBM  The objective of this system is to provide rapid response time so that viruses can be stamped out almost as soon as they are introduced  It uses general purpose emulation & virus detection  Any virus entering org is captured, analyzed, detection/shielding c reated for it, removed

27 27 Virus Countermeasures Digital Immune System

28 28 Virus Countermeasures  Behavior-Blocking Software  integrated with host O/S  monitors program behavior in real-time  E.g., file access, disk format, executable modifications, system set tings changes, network access  For possibly malicious actions, if detected can block, term inate, or seek OK  B-B s/w has advantage over scanners  But, malicious code runs before detection

29 29 Distributed Denial of Service Attacks (DDoS)  Denial of Service (DoS) attacks  An attempt to make a computer resource unavailable to its intended users.  Typically, the targets are high-profile web servers where the attack is aiming to cause the hosted web pages to be unavailable on the Internet.  Distributed Denial of Service (DDoS) attacks  Attacks form a significant security threat where it makes networked systems unavailable by flooding with useless traffic  It uses large numbers of “zombies”  It is one of growing sophistication of attacks  Defense technologies are struggling to cope

30 30 Distributed Denial of Service Attacks (DDoS)

31 31 Distributed Denial of Service Attacks (DDoS)  Constructing the DDoS Attack Network  We must infect large number of zombies  Requirements.: 1. Software to implement the DDoS attack 2. An unpatched vulnerability on many systems 3. A scanning strategy to find vulnerable systems  random, hit-list, topological, local subnet

32 32 Distributed Denial of Service Attacks (DDoS)  DDoS Countermeasures  Three broad lines of defense: 1. Attack prevention & preemption (before) 2. Attack detection & filtering (during) 3. Attack source traceback & identification (after)  There are huge range of attack possibilities  Hence, DDos contermeasures must evolve with the threat

Download ppt "Viruses and Related Threats. 2 Summary  have considered:  various malicious programs  trapdoor, logic bomb, trojan horse, zombie  viruses  worms."

Similar presentations

Computer Security Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Chapters 14 and 15 Operating Systems: Internals and Design Principles,

Computer Security Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Chapters 14 and 15 Operating Systems: Internals and Design Principles,
30/04/2015Tim S Roberts 20081 COIT13152 Operating Systems T1, 2008 Tim S Roberts.

30/04/2015Tim S Roberts COIT13152 Operating Systems T1, 2008 Tim S Roberts.
Lecture 13 Malicious Software modified from slides of Lawrie Brown.

Lecture 13 Malicious Software modified from slides of Lawrie Brown.
Cryptography and Network Security Chapter 19 Fourth Edition by William Stallings.

Cryptography and Network Security Chapter 19 Fourth Edition by William Stallings.
Malware Ge Zhang Karlstad Univeristy. Focus What malware are Types of malware How do they propagate How do they hide How to detect them.

Malware Ge Zhang Karlstad Univeristy. Focus What malware are Types of malware How do they propagate How do they hide How to detect them.
NS-H0503-02/11041 Malicious Software. NS-H0503-02/11042 Why bother to secure data? Information has value, it can affect our lives and our livelihood Information.

NS-H /11041 Malicious Software. NS-H /11042 Why bother to secure data? Information has value, it can affect our lives and our livelihood Information.
Chapter 14 Computer Security Threats

Chapter 14 Computer Security Threats
Cryptography and Network Security Malicious Software Third Edition by William Stallings Lecturer: Dr. Saleem Alzoubi.

Cryptography and Network Security Malicious Software Third Edition by William Stallings Lecturer: Dr. Saleem Alzoubi.
Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,

Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
Malicious Software programs exploiting system vulnerabilities known as malicious software or malware program fragments that need a host program e.g. viruses,

Malicious Software programs exploiting system vulnerabilities known as malicious software or malware program fragments that need a host program e.g. viruses,
1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
After this session, you should be able to:

After this session, you should be able to:
1 Computer Viruses (and other “Malicious Programs) Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

1 Computer Viruses (and other “Malicious Programs) Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
Intruders significant issue for networked systems is hostile or unwanted access either via network or local can identify classes of intruders: –masquerader.

Intruders significant issue for networked systems is hostile or unwanted access either via network or local can identify classes of intruders: –masquerader.
Cryptography and Network Security Chapter 21

Cryptography and Network Security Chapter 21
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
Hofstra University – Network Security Course, CSC290A

Hofstra University – Network Security Course, CSC290A
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 7 – Malicious Software.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 7 – Malicious Software.
Malicious Software Malicious Software Han Zhang & Ruochen Sun.

Malicious Software Malicious Software Han Zhang & Ruochen Sun.

Similar presentations

Ads by Google