Understanding Malicious Software: Viruses, Worms, Trojans, and DDoS Attacks, Slides of Cryptography and System Security

An in-depth analysis of various types of malicious software, including viruses, worms, trojans, and logic bombs. It also covers countermeasures and distributed denial of service (DDoS) attacks. Learn about the characteristics, operation, and impact of these malicious programs.

Typology: Slides

2011/2012

Uploaded on 07/17/2012

pameela
Chapter 19 – Malicious Software

What is the concept of defense: The parrying of a blow. What is its characteristic feature: Awaiting the blow.
— On War, Carl Von Clausewitz

Viruses and Other Malicious Content

• computer viruses have got a lot of publicity
• one of a family of malicious software
• effects usually obvious
• have figured in news reports, fiction, movies (often exaggerated)
• getting more attention than deserve
• are a concern though

Backdoor or Trapdoor

• secret entry point into a program
• allows those who know of it to gain access, bypassing the usual security procedures
• have been commonly used by developers
• a threat when left in production programs, allowing exploitation by attackers
• very hard to block in O/S
• requires good s/w development & update

Logic Bomb

• one of oldest types of malicious software
• code embedded in legitimate program
• activated when specified conditions met
  - eg presence/absence of some file
  - particular date/time
  - particular user
• when triggered typically damages system
  - modify/delete files/disks, halt machine, etc

Zombie

• program which secretly takes over another networked computer
• then uses it to indirectly launch attacks
• often used to launch distributed denial of service (DDoS) attacks
• exploits known flaws in network systems

Viruses

• a piece of self-replicating code attached to some other code
  - cf biological virus
• both propagates itself & carries a payload
  - carries code to make copies of itself
  - as well as code to perform some covert task

Virus Structure

    program V :=
    {goto main;
      1234567;
      subroutine infect-executable :=
        {loop:
          file := get-random-executable-file;
          if (first-line-of-file = 1234567)
            then goto loop
            else prepend V to file; }
      subroutine do-damage :=
        {whatever damage is to be done}
      subroutine trigger-pulled :=
        {return true if condition holds}
      main: main-program :=
        {infect-executable;
         if trigger-pulled then do-damage;
         goto next;}
      next:
    }

Types of Viruses

• can classify on basis of how they attack
• parasitic virus
• memory-resident virus
• boot sector virus
• stealth
• polymorphic virus
• metamorphic virus

Email Virus

• spread using email with attachment containing a macro virus
  - cf Melissa
• triggered when user opens attachment
• or worse even when mail viewed by using scripting features in mail agent
• hence propagate very quickly
• usually targeted at Microsoft Outlook mail agent & Word/Excel documents
• need better O/S & application security

Worms

• replicating but not infecting program
• typically spreads over a network
  - cf Morris Internet Worm in 1988
  - led to creation of CERTs
• using users' distributed privileges or by exploiting system vulnerabilities
• widely used by hackers to create zombie PCs, subsequently used for further attacks, esp DoS
• major issue is lack of security of permanently connected systems, esp PCs

Morris Worm

• best known classic worm
• released by Robert Morris in 1988
• targeted Unix systems
• using several propagation techniques
  - simple password cracking of local pw file
  - exploit bug in finger daemon
  - exploit debug trapdoor in sendmail daemon
• if any attack succeeds then replicated self

Recent Worm Attacks

• new spate of attacks from mid-
• Code Red - used MS IIS bug
  - probes random IPs for systems running IIS
  - had trigger time for denial-of-service attack
  - 2nd wave infected 360000 servers in 14 hours
• Code Red 2 - installed backdoor
• Nimda - multiple infection mechanisms
• SQL Slammer - attacked MS SQL server
• Sobig.f - attacked open proxy servers
• Mydoom - mass email worm + backdoor

Virus Countermeasures

• best countermeasure is prevention
• but in general not possible
• hence need to do one or more of:
  - detection
    • of viruses in infected system
  - identification
    • of specific infecting virus
  - removal
    • restoring system to clean state

Anti-Virus Software

• first-generation
  - scanner uses virus signature to identify virus
  - or change in length of programs
• second-generation
  - uses heuristic rules to spot viral infection
  - or uses crypto hash of program to spot changes
• third-generation
  - memory-resident programs identify virus by actions
• fourth-generation
  - packages with a variety of antivirus techniques
  - eg scanning & activity traps, access-controls
• arms race continues
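As an added example (not from these slides or their textbook), a small Python scanner that combines the first-generation checks from this slide (signature match, change in program length) with the second-generation crypto-hash check, covering the detection and identification steps of the Virus Countermeasures slide; the only signature it knows is the 1234567 re-infection marker from the Virus Structure pseudocode. The sample files, the signature name and all function names are constructed for the example.

```python
import hashlib
import os
import tempfile
# Constructed signature DB: the 1234567 re-infection marker from the Virus Structure slide
SIGNATURES = {"slide-virus": b"1234567\n"}

def read_bytes(path):
    with open(path, "rb") as f:
        return f.read()

def take_baseline(paths):
    """Record length and SHA-256 of each program while it is known to be clean."""
    base = {}
    for p in paths:
        data = read_bytes(p)
        base[p] = (len(data), hashlib.sha256(data).hexdigest())
    return base

def scan(paths, baseline):
    """Return {path: findings}; an empty findings list means clean."""
    report = {}
    for p in paths:
        data, findings = read_bytes(p), []
        # first generation: a signature match identifies the specific virus
        for name, sig in SIGNATURES.items():
            if data.startswith(sig):
                findings.append("signature:" + name)
        size, digest = baseline.get(p, (None, None))
        # first generation: change in program length (detection, no identification)
        if size is not None and len(data) != size:
            findings.append("length-changed")
        # second generation: crypto hash mismatch spots any change to the program
        if digest is not None and hashlib.sha256(data).hexdigest() != digest:
            findings.append("hash-changed")
        report[p] = findings
    return report

def demo():
    """Constructed scenario: two clean programs; a.bin later gets the marker prepended."""
    d = tempfile.mkdtemp()
    a, b = os.path.join(d, "a.bin"), os.path.join(d, "b.bin")
    for p in (a, b):
        with open(p, "wb") as f:
            f.write(b"clean program body\n")
    base = take_baseline([a, b])
    with open(a, "wb") as f:  # simulated infection: marker prepended to a.bin
        f.write(SIGNATURES["slide-virus"] + b"clean program body\n")
    report = scan([a, b], base)
    return report[a], report[b]
```

The length and hash checks only tell you that a program changed (detection); only the signature match names the infecting virus (identification), which is why the slide lists them as separate steps.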