
Computer Security Assignment: PART 2
Name: Bibi Neehad Nankoo, ID: 0912134
Name: Bibi Naziha Mahamodhossen, ID: 0914990

Provide a current classification of malware, giving examples of each type, and estimate the damage that can be caused by each type of malware.
INTRODUCTION

Malware is an abbreviated term for "malicious software". Malware includes spyware and adware programs, such as tracking cookies, which are used to monitor surfing habits. It also includes more menacing items, such as keyloggers, Trojan horses, worms, and viruses. On the Internet today, malware is one of the major threats to computer users, along with viruses. It can take over the browser, redirect search attempts, track which web sites are visited, and generally disrupt the system. Malware programs are usually poorly programmed and can make a computer intolerably slow and unstable in addition to the other damage they cause. Many of them reinstall themselves even after the user believes they have been removed, or hide themselves deep within Windows, making them very hard to clean. Malware can infect a PC in several ways. Malware often comes bundled with other programs (Kazaa, iMesh, and other file sharing programs seem to be the biggest bundlers); these malware programs usually pop up ads, sending the advertising revenue to the program's authors. Others are installed from websites, pretending to be software needed to view the website. Still others, most notably some of the CoolWebSearch variants, install themselves through holes in Internet Explorer like a virus would, requiring the user to do nothing but visit the wrong web page to get infected. Regrettably, it is much harder to get rid of malware than to get infected by it, and once it is on the computer it tends to multiply and cause all the destruction it was designed for.


MALWARE CLASSIFICATIONS

Classifying malware into types started in the 1990s, when the term "malicious software" came to describe all unwanted code. In 1991, the Computer Antivirus Researchers Organization (CARO) decided that the fundamental principle of the malware naming scheme should be to group malware into families based on the similarity of its program code. Under this scheme, only the family name and the variant name of a piece of malware are compulsory. It is known as the CARO Malware Naming Scheme. Normal practice among anti-malware products is to create a name for each malware sample they have analyzed. Naming is very subjective and depends on each vendor coming up with its own name; vendors also use different naming classes. Different naming classes lead to different characterizations of the same malware between anti-malware products, because unique malware is created with avoidance techniques and its characteristics belong to several malware classes [1]. The differing naming schemes can therefore cause serious confusion. To overcome this problem, this paper proposes to standardize malware classes and to classify malware based on its specific target and its operational behavior. According to Aycock, malware can be classed into ten classes [1]. Apel, however, stated that malware consists of seventeen classes, adding seven more classes to the previous list [3]. A recent study by Filiol divides malware classes into two groups, Self-Reproducing and Simple [2]. The Self-Reproducing group consists of viruses and worms. According to Aycock, a virus is a computer program able to perform secret actions without the owner's permission [1]. It was first demonstrated to the public in November 1983 by Cohen [7]. Since then, the number of viruses has increased, along with their ability to cause damage and to avoid detection.


Virus

Computer viruses are small software programs designed to spread from one computer to another using a host and to interfere with computer operation. A virus might corrupt or delete data on the computer, use the e-mail program to spread itself to other computers, or even erase everything on the hard disk. Viruses can increase their chances of spreading to other computers by infecting files on a network or on a file system accessed by another computer. Viruses can also spread as attachments in e-mail messages, in downloaded files, or on a diskette or CD.

Worms

A worm is quite similar to a virus by design, and many researchers consider it a subclass of virus. A worm is self-reproducing malware that runs independently and travels across network connections without any user intervention. According to Mohamad Fadli Zolkipli and Aman Jantan, worms use network connectivity to find and attack vulnerable systems from node to node [8]. In general, the goal of a worm is to infect as many computer systems connected to the network as possible. The difference between worms and viruses is that worms normally cause at least some harm to the network by consuming bandwidth and can travel without any human action, whereas viruses normally corrupt or modify files on a targeted computer.

Trojan horse

According to Filiol, a Trojan horse is apparently benign software that appears to perform a necessary function for the user before it is run or installed, but instead facilitates unauthorized access to the user's computer system [2]. A Trojan horse is designed to embed a secret malicious task into another application or system. This software is normally built from server and client modules, whereby the attacker can control and access all the resources of the infected system [2]. By default a Trojan horse appears to be useful software, but it actually does damage once installed or run on the computer. A Trojan horse is also known for creating a backdoor on the computer that gives malicious users access to the system. Unlike viruses and worms, Trojans do not reproduce by infecting other files, nor do they self-replicate [7].


Logic bomb

A logic bomb is a simple type of malware which waits for a significant event, such as a date, an action or particular data, to be activated before launching its criminal activity. Many logic bombs attack their host systems on specific dates, such as Friday the 13th or April Fool's Day. According to Filiol, to be considered a logic bomb, the payload should be unwanted by and unknown to the user of the software [2]. Some logic bombs can be detected and removed before they execute, through a periodic scan of all computer files, including compressed files, with an up-to-date anti-malware product.

Backdoor

As the name implies, backdoor software allows an attacker to access a machine using an alternative entry method. Normal users log in through the front door, such as a login screen with user IDs and passwords. Attackers use backdoors to bypass the normal system security controls that act as the front door and its associated locks. Once attackers install a backdoor on a machine, they can access the system without using the passwords, encryption, and account structure that apply to normal users of the machine.

Rootkit

A rootkit is a software system consisting of one or more programs designed to obscure the fact that a system has been compromised. An attacker may use a rootkit to replace vital system files, which may then be used to hide processes and files the attacker has installed. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules, depending on the internal details of the operating system's mechanisms. Kernel rootkits can be especially difficult to detect and remove because they operate at the same level as the operating system itself and are thus able to intercept or subvert any operation the operating system performs. Any software, such as antivirus software, running on the compromised system is just as easily subverted. The fundamental problem with rootkit detection is that if the currently running operating system has been subverted, it cannot be trusted, including to find unauthorized modifications to itself or its components.


Spyware

Spyware extracts personal information or details from computers. This information is sent to specific locations without the owner's permission, which can be very dangerous. Attackers use spyware to steal users' personal information such as passwords or credit card numbers.

Adware

Adware usually tries to sell something to users; advertisements appear automatically as pop-up windows even if the user does not open them. Normally this program reaches a system in the form of gambling advertisements, and these advertisements are related to the websites the user opens. In an adware attack many windows open and the user is unable to close them.

Mobile Code

Malicious mobile code is becoming a popular way to get malware installed on a computer. It is malware that is obtained from remote servers, transferred across a network, and then downloaded onto the computer. This type of code can be transmitted through interactive Web applications such as ActiveX controls, Flash animations, or JavaScript. Once the user visits the website and uses these applications, the malware is installed without the user's permission and is usually the first step of a combined malware attack. The malware installed on the user's computer then generates additional malware such as spyware, keyloggers, adware, and other malicious software. This allows the intruder to access personal and financial information, passwords, logins, and other sensitive data.


Phishing

Phishing involves sending emails that seem to come from trustworthy sources and that try to get users to reveal confidential banking information, which is then used fraudulently. To do this, the messages usually include a link to spoofed web pages. Users believe they have reached a trusted website and enter the requested information, which in fact falls into the hands of the impostors. The harmful effects of phishing are:

- Excessive resource consumption on corporate networks (bandwidth, saturated email systems, etc.).
- Loss of productivity.
- Theft of identity and users' confidential details. This can result in financial losses for users and even prevent them from accessing their own accounts.

Unique and blended malware is malware created by malware writers using avoidance techniques. According to Martignoni, these types of malware combine two or more attributes of their predecessors and produce a new class of malware [4]. A new class is created each time a new combination is detected, so the list of malware classes keeps expanding. Nevertheless, the unique malware still performs similar behavior even when classified in different classes. Therefore, this paper tries to propose new malware classes to overcome this issue and so optimize the classification process. Figure 3 shows the unique malware classes from the group defined by [2].


Figure 1. Malware with Additional Unique Class


Discuss the assertion that 'Microsoft operating systems are more vulnerable to malware attacks than other operating systems.'
Advantages of Windows:
User Account Control

By limiting application software to standard user privileges until an administrator authorizes an elevation, UAC aims to improve the security of Microsoft Windows. In this way, only applications trusted by the user may receive administrative privileges, and malware should be kept from compromising the operating system. In other words, a user account may have administrator privileges assigned to it, but applications that the user runs do not inherit those privileges unless they are approved beforehand or the user explicitly authorizes it.

AutoRun

AutoRun is intended as a convenience feature: software distributed on a disc can automatically start an installer when the disc is inserted.

Limitations of Windows operating systems as compared to other Operating Systems

AutoRun can pose a security threat when the user does not expect or intend to run the software, as in the case of some viruses which take advantage of this feature to propagate, especially on USB flash drives.

For instance, an attacker with brief and casual physical access to a computer can surreptitiously insert a disc and cause software to run. Alternatively, malicious software can be distributed on a disc that the user does not expect to contain software at all, such as an audio compact disc. Even music CDs from well-known name-brand labels have not always been safe, for example in the 2005 Sony BMG CD copy protection scandal.
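As an added illustration of the two Windows features discussed above (UAC and AutoRun), and not part of the original assignment, the PowerShell audit below reads the standard Windows policy registry values for both and flags any that differ from a hardened baseline. The registry paths and value names are the documented policy locations; the Expected values are an assumed baseline for a locked-down workstation, not Windows defaults.

```powershell
# Added example: audit UAC and AutoRun policy values on the local machine.
# Registry paths and value names are the standard Windows policy locations;
# the Expected values are an assumed hardened baseline, not a Windows default.
$checks = @(
    @{ Name      = 'UAC enabled (EnableLUA)'
       Path      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       ValueName = 'EnableLUA'
       Expected  = 1 },
    @{ Name      = 'UAC prompts on the secure desktop (PromptOnSecureDesktop)'
       Path      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       ValueName = 'PromptOnSecureDesktop'
       Expected  = 1 },
    @{ Name      = 'AutoRun disabled for all drive types (NoDriveTypeAutoRun = 0xFF)'
       Path      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       ValueName = 'NoDriveTypeAutoRun'
       Expected  = 255 },
    @{ Name      = 'autorun.inf ignored entirely (NoAutorun)'
       Path      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       ValueName = 'NoAutorun'
       Expected  = 1 }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, so a missing setting is
    # reported as "(not set)" rather than silently treated as compliant.
    try {
        (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

$report = foreach ($c in $checks) {
    $actual = Get-PolicyValue -Path $c.Path -Name $c.ValueName
    $shown  = if ($null -eq $actual) { '(not set)' } else { $actual }
    $status = if ($actual -eq $c.Expected) { 'OK' } else { 'REVIEW' }
    [pscustomobject]@{
        Check    = $c.Name
        Actual   = $shown
        Expected = $c.Expected
        Status   = $status
    }
}

# Anything marked REVIEW is either weaker than the baseline or not configured
# by policy at all, and should be compared against the machine's build standard.
$report | Format-Table -AutoSize
```

Run it from an elevated prompt only if the policy keys are restricted on the machine; reading HKLM policy values normally needs no elevation.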

Windows will notify you of an attempt to overwrite one of its stored system files, but does not try to protect privileged software.

Windows cannot validate the permissions, dates and checksums of system and third-party software, since it has no equivalent to OS X's bill of materials.

Another trick that attackers learned from Microsoft is that Registry entries can be made read-only even to the Administrator, so you can find an exploit and yet be blocked from disarming it.

Microsoft made it easy for commercial applications to refuse a debugger's attempt to attach to a process or thread. Attackers use this same tool to cloak malware. A privileged user must never be denied access to a debugger on any system. My right to track down malware on my computers trumps vendors' interests in preventing piracy or reverse-engineering. Maintaining that right is one of the reasons that open source commercial OS kernels are so vital.

Successful infection of running Windows software carries a good chance of access to system privileges. Access to the massive, arcane, nearly unstructured, non-human-readable Windows Registry, which was supposed to be obsolete by now, remains the only resource a Windows attacker needs to analyze and control a Windows system. Malicious code or data can be concealed in NTFS files' secondary streams. These are similar to HFS forks, but few would think to look at them.

The Linux firewall has functionality that rivals expensive commercial firewalls. Its rules allow fine-grained control over stateless and stateful packet filtering. The Linux firewall is extensible, allowing new filtering capabilities to be added as the need arises. Linux is a network engineer's or admin's dream, allowing almost any conceivable form of NAT, port translation, and packet mangling. This allows transparent proxies, sophisticated QoS and policy routers, and much more.

This can't happen under OS X, because OS X has no user account with privileges exceeding root. Maximum privilege is extended only to descendants of process ID 1 (init or Darwin's launchd), a role that is rarely used and closely scrutinized. Unlike services.exe, launchd executes daemons and scheduled commands in a shell that is subject to login scripts, environment variables, resource limits, auditing and all the security features of Darwin/OS X.
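To show how a defender would actually look at the NTFS secondary streams mentioned above, here is an added PowerShell example (not part of the original assignment) that enumerates alternate data streams under a folder and flags any stream other than the browser download marker. The starting folder is an assumption; the only names relied on are the built-in -Stream parameter and the default `:$DATA` stream.

```powershell
# Added example: list NTFS alternate data streams (ADS) under a folder so that
# hidden content can be reviewed. $Root is an assumed starting point.
param([string]$Root = "$env:USERPROFILE\Downloads")

function Get-AlternateStreams {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * enumerates every stream; ':$DATA' is the file's ordinary
            # content, so everything else is an alternate stream worth a look.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    # Zone.Identifier is written by browsers to mark downloads and
                    # is expected; any other stream name is flagged for review.
                    $kind = if ($_.Stream -eq 'Zone.Identifier') { 'download-marker' } else { 'REVIEW' }
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        Kind   = $kind
                    }
                }
        }
}

$streams = Get-AlternateStreams -Path $Root
$streams | Sort-Object Kind, File | Format-Table -AutoSize

# Show the first few lines of each flagged stream as text so an analyst can
# decide whether it is benign metadata or something that needs a closer look.
foreach ($s in $streams | Where-Object Kind -eq 'REVIEW') {
    $head = Get-Content -LiteralPath $s.File -Stream $s.Stream -TotalCount 3 -ErrorAction SilentlyContinue
    "{0}:{1} -> {2}" -f $s.File, $s.Stream, (($head -join ' ') -replace '\s+', ' ')
}
```

A binary payload in a stream will print as garbage here; the point is to surface stream names and sizes that a normal directory listing hides.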

After this discussion, we can deduce from the facts presented that Windows OSes are indeed more vulnerable to malware than Linux, and it may be only a matter of time before Windows becomes more robust.


Bibliography

1. Aycock, J.: Computer Viruses and Malware. Springer (2006).
2. Filiol, E.: Viruses and Malware. In: Handbook of Information and Communication Security, pp. 747-769. Springer (2010).
3. Apel, M., Bockermann, C., Meier, M.: Measuring Similarity of Malware Behaviour. In: The 5th LCN Workshop on Security in Communication Network, pp. 891-898. Zurich, Germany: IEEE (2009).
4. Martignoni, L., Paleari, R., Bruschi, D.: A Framework for Behavior-Based Malware Analysis in the Cloud. In: 5th International Conference on Information Systems Security, Vol. 5905, pp. 178-192. Berlin, Heidelberg: Springer-Verlag (2009).
5. Bayer, U., Habibi, I., Balzarotti, D., Kirda, E., Kruegel, C.: A View on Current Malware Behaviors. In: Usenix Workshop on Large-scale Exploits and Emergent Threats. Berkeley, CA, USA: USENIX Association (2009).
7. Jussi, P.: Digital Contagions. In: A Media Archaeology of Computer Viruses. New York, USA (2007).
8. Mohamad Fadli Zolkipli, Aman Jantan: Malware Behavior Analysis: Learning and Understanding Current Malware Threats. In: Second International Conference on Network Applications, Protocols and Services, pp. 218

GRANNEMAN, S., 2003. Linux v/s Windows viruses [Online]. Available from: http://www.theregister.co.uk/2003/10/06/linux_vs_windows_viruses/ [Accessed 26 October 2011]
http://arstechnica.com/security/news/2004/11/malware.ars [Accessed 23 October 2011]
http://wormblaster.net/ [Accessed 23 October 2011]
http://www.2knetworks.com/spyware.htm [Accessed 23 October 2011]
http://icucomputerrepair.com/malware.html [Accessed 23 October 2011]
http://www.goldtoken.com/games/info?infoid=25 [Accessed 23 October 2011]
http://computersforcharity.blogspot.com/ [Accessed 23 October 2011]
http://www.wisegeek.com/what-is-malware.htm [Accessed 23 October 2011]
GAUDIN, S., 2003. Is Linux Really More Secure Than Windows [Online]. Available from: http://www.esecurityplanet.com/trends/article.php/3086051/Is-Linux-Really-More-Secure-Than-Windows.html [Accessed 23 October 2011]

