Chapter 13

Malicious Software

Introduction
Malware is the short form of malicious software. It is software used by attackers to disrupt a user's computer operation, gather sensitive information, or gain unauthorized access to a computer system. It can also appear in the form of a script or code fragment. Malware is a general term used by computer professionals for a variety of hostile, intrusive, or annoying software or code. Malware includes computer viruses, worms, Trojan horses, spyware, adware, most rootkits, and other malicious programs. Malware is not the same as defective software, which is software that has a legitimate purpose but contains harmful bugs that were not noticed before release. Sometimes malware is disguised as genuine software that serves a useful purpose but also includes tracking software that gathers marketing statistics for advertising. Some security programs flag such software as potentially unwanted programs (PUP). Although a computer virus is specifically malware that can reproduce itself, the term virus is sometimes used erroneously to refer to the entire category.

Malware

Malicious programs
One common mistake people make when thinking about viruses is to treat a worm or a Trojan horse as a virus. While the terms Trojan, worm and virus are often used interchangeably, they are not the same thing. Viruses, worms and Trojan horses are all malicious programs that can damage your computer, but there are differences among the three, and knowing those differences can help you better protect your computer from their often damaging effects.

Virus
A virus is a small piece of software that piggybacks on real programs. A computer virus attaches itself to a program or file, enabling it to spread from one computer to another and leaving infections as it travels. Like a human virus, a computer virus can range in severity: some cause only mildly annoying effects, while others can damage your hardware, software or files. Almost all viruses are attached to an executable file, which means the virus may exist on your computer but cannot infect it unless you run or open the malicious program. A virus also cannot spread without a human action (such as running an infected program) to keep it going. Because a virus spreads by human action, people unknowingly continue the spread of a computer virus by sharing infected files or sending e-mails with viruses as attachments.

Viruses
Two main characteristics of viruses:
It executes itself.
It replicates itself.
Various types of infection:
A virus might attach itself to a program such as a spreadsheet. Each time the spreadsheet program runs, the virus runs too and replicates itself.
An e-mail virus moves around in e-mail messages and replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book.

Viruses
Example: Melissa virus (1999). It was created as a Word document and uploaded to an Internet newsgroup. Anyone who downloaded the document and opened it would trigger the virus, which sent friendly e-mail messages to the first 50 people in the person's address book. It was the fastest-spreading virus ever seen and forced a number of large companies to shut down their e-mail systems.

Viruses
Example: I LOVE YOU virus (2000). It arrived as a piece of code in an e-mail attachment. Double-clicking the attachment sent copies of the virus to everyone in the address book and started corrupting files on the victim's machine.

Types of Viruses
File infector virus: infects program files.
Boot sector virus: infects the system area of a disk.
Master boot record virus: infects disks in the same manner as boot sector viruses; the only difference between these two types is the location of the viral code.
Multipartite virus: infects both boot records and program files.
Macro virus: infects data files, e.g. Microsoft Office Word, Excel, PowerPoint and Access files.

Worm
A worm is a small piece of software that uses security holes in computer networks to replicate itself.

A worm is similar to a virus by design and is considered to be a sub-class of virus. Worms spread from computer to computer, but unlike a virus a worm has the capability to travel without any human action. A worm takes advantage of file or information transport features on your system, which is what allows it to travel unaided. The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a hugely devastating effect. One example would be a worm sending a copy of itself to everyone listed in your e-mail address book. The worm then replicates and sends itself to everyone listed in each receiver's address book, and so on down the line. Due to the copying nature of a worm and its capability to travel across networks, the end result in most cases is that the worm consumes too much system memory (or network bandwidth), causing web servers, network servers and individual computers to stop responding. In recent worm attacks such as the much-talked-about Blaster worm, the worm has been designed to tunnel into your system and allow malicious users to control your computer remotely.

Worm
Example: Code Red
Code Red made huge headlines in 2001. It slowed down Internet traffic when it began to replicate itself. Each copy of the worm scanned the Internet for Windows NT or Windows 2000 servers that did not have the security patch installed. Each time it found an unsecured server, the worm copied itself to that server. It was designed to do three things:
(1) Replicate itself for the first 20 days of each month.
(2) Replace web pages on the infected server with a page that declares "Hacked by Chinese".
(3) Launch a concerted attack on the White House web server.

Trojan Horse

A Trojan horse is a computer program that claims to be something useful, such as a game, but instead erases your hard disk. It cannot replicate itself. A Trojan horse is full of as much trickery as the mythological Trojan horse it was named after. At first glance the Trojan horse will appear to be useful software, but it will actually do damage once installed or run on your computer. Those on the receiving end of a Trojan horse are usually tricked into opening it because they appear to be receiving legitimate software or files from a legitimate source. When a Trojan horse is activated on your computer, the results can vary. Some Trojans are designed to be more annoying than malicious (like changing your desktop or adding silly active desktop icons); others can cause serious damage by deleting files and destroying information on your system. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files, nor do they self-replicate.

Impact of Infections
Programs take longer to load than normal.
The computer's hard drive constantly runs out of free space.
The floppy disk drive or hard drive runs when you are not using it.
New files keep appearing on the system and you do not know where they came from.
Strange sounds or beeping noises come from the computer.
Strange graphics are displayed on your monitor.
You are unable to access the hard drive when booting from the floppy drive.
Program sizes keep changing.

Protection Measures
To protect yourself you need to be proactive about security issues. Being reactive will not solve anything, especially at crunch time and deadlines; in fact it can make the problem much more complex to solve and the situation much worse, resulting in a complete nightmare. The best measures are the proactive ones. You basically need to do four things to keep your computer and your data secure:
(1) Get the latest anti-virus software.
(2) Make sure you have the latest security patches and hotfixes using Windows Update.
(3) Use a host-based firewall.
(4) Back up your important files.

Blended Threats

A blended threat is a sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses and malicious code into one single threat. Blended threats can use servers and the Internet to initiate, transmit and spread an attack. Blended threats cause harm to the infected system or network, propagate using multiple methods, and can attack from multiple points. The attack normally serves to transport multiple attacks in one payload. For example, it would not just launch a DoS attack; it would also install a backdoor and perhaps damage a local system in one shot. Blended threats are designed to use multiple modes of transport. So, while a worm may travel and spread through e-mail, a single blended threat could use multiple routes, including e-mail and file-sharing networks. Lastly, rather than a specific attack on a predetermined .exe file, a blended threat could do multiple malicious acts, like modifying your .exe files, HTML files and registry keys at the same time; basically it can cause damage within several areas of your network at once. Blended threats are considered to be the worst risk to security since the inception of viruses, as most blended threats also require no human intervention to propagate.

Safety of the computer from viruses, worms and Trojan horses

1. Keep the operating system updated
(1) The first step is to ensure that the operating system is up to date.
(2) This is essential for the Microsoft Windows operating system.
(3) You need to have anti-virus software installed on your system, and you should download updates frequently to ensure your software has the latest fixes for new viruses, worms and Trojan horses.
(4) You want to ensure your anti-virus program has the capability to scan e-mail and files as they are downloaded from the Internet, and you also need to run full disk scans periodically.
(5) This will help prevent the malicious programs from even reaching your computer.

2. Use a firewall
You should also install a firewall. A firewall is a system that prevents unauthorized use of and access to your computer. A firewall can be either hardware or software. Hardware firewalls provide a strong degree of protection from most forms of attack coming from the outside world and can be purchased as a stand-alone product or built into broadband routers. Unfortunately, when battling viruses, worms and Trojans, a hardware firewall may be less effective than a software firewall, as it could possibly ignore worms embedded in outgoing e-mails and see them as regular network traffic. For individual users, the most popular firewall choice is a software firewall. A good software firewall will protect your computer from outside attempts to control or gain access to your computer, and usually provides additional protection against the most common Trojan programs or e-mail worms. The downside of software firewalls is that they will only protect the computer they are installed on, not a network. It is important to remember that on its own a firewall is not going to rid you of your computer virus problems, but when used in conjunction with regular operating system updates and good anti-virus scanning software, it will add some extra security and protection for your computer or network.

Virus Countermeasures
There are seven countermeasures for protecting a computer from computer viruses.

1. Vaccine software: keep it up to date
To protect against viruses, antivirus software should be installed.

2. E-mail attachment files: should be scanned
Five points for handling e-mail attachments:
i) Be careful with e-mail attachments from unknown sources.
ii) Do not be fooled by the appearance of attachment files.
iii) Be wary of suspicious files attached to e-mails even if they come from your friends.
iv) Do not send plain text that could be included in the body of an e-mail message as an attachment file.
v) Learn how e-mail attachments are handled by different e-mail programs.
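Points ii and iv above can be turned into a mechanical filename check at the mail gateway, before any content scanning. The following Python is an added example, not part of the original chapter; the extension lists and the sample attachment names are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Extension sets chosen for this example (assumptions, not a standard list).
# Files that run code when opened: block outright, and block when disguised.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}
# Office formats that can carry macros, the hosts named under "Macro virus".
MACRO_EXTS = {".doc", ".dot", ".xls", ".ppt", ".mdb", ".docm", ".xlsm"}

def classify_attachment(filename):
    """Return (verdict, reason) for one attachment name.

    verdict is one of "block", "scan", "note" or "allow"."""
    name = filename.strip()
    # Runs of spaces push the real extension off-screen in many mail clients,
    # so only the innocent-looking part of the name is visible (point ii).
    if re.search(r"\s{8,}", name):
        return ("block", "padded filename hides its extension")
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    final = suffixes[-1] if suffixes else ""
    if final in EXECUTABLE_EXTS:
        # "invoice.pdf.exe": the visible .pdf is a decoy; Windows runs the .exe.
        if len(suffixes) >= 2:
            return ("block", "disguised executable: " + "".join(suffixes[-2:]))
        return ("block", "executable attachment: " + final)
    if final in MACRO_EXTS:
        return ("scan", "macro-capable document: " + final)
    if final == ".txt":
        # Point iv: plain text belongs in the message body, not in an attachment.
        return ("note", "plain text belongs in the message body")
    return ("allow", "no indicator in filename")

def triage_message(attachment_names):
    """Apply the filename checks to every attachment of one message and
    return the strictest verdict plus the per-file findings."""
    order = {"allow": 0, "note": 1, "scan": 2, "block": 3}
    findings = {n: classify_attachment(n) for n in attachment_names}
    worst = max((v for v, _ in findings.values()), key=order.get, default="allow")
    return worst, findings

# Constructed attachment names for a sample message (not real malware names).
SAMPLE_ATTACHMENTS = ["invoice.pdf.exe", "quarterly.xls", "photo.jpg"]
```

The filename check is only a first filter: a "scan" or "allow" verdict still goes to the antivirus scanner, since a plain .doc can carry a macro virus and a renamed executable can hide behind any extension.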

3. Downloaded files: should be scanned.
4. For applications, utilize security functions.
5. Security patches: should be applied.

6. Symptoms of virus infection must not be overlooked.
If you have encountered the symptoms listed below, your computer may have been infected with computer viruses. Do not overlook them; scan your computer for viruses.
System or application software often freezes, or the system does not start.
Files disappear.
Unknown files exist.
Strange icons appear on the task bar.
Attempts are made to access the Internet without any user action.
E-mails are sent without the user's consent.
You intuitively sense that there is something wrong with the computer.
7. In case of emergency: data should be backed up.
Make it a rule to back up data on a regular basis.

Terminology
Spam mail
Also called Unsolicited Bulk Mail (UBM): e-mails containing identical or nearly identical messages sent to any number of recipients for commercial, religious, or harassing purposes.

File-Swapping Software
A software program that makes a user's files available to other users for download over the Internet.

Macro-Type Virus
A macro virus that infects Microsoft Word documents and Excel spreadsheets. If you open a document or spreadsheet infected with this virus, Word or Excel itself is also contaminated. Virus-infected files that are attached to e-mails or saved on recording media (such as floppy disks or magneto-optical disks) become the source of further infections.

Vulnerability
A vulnerability, in terms of information security, is a security hole that may degrade the security level of systems, networks, applications and protocols and can lead to unexpected events; it arises from design and implementation errors. Vulnerabilities are classified into vulnerabilities in operating systems, vulnerabilities in applications, etc. Inadequate security settings are also referred to as vulnerabilities. In general terms, a vulnerability is called a security hole.

Bot
A computer virus designed to allow computers infected with it to be controlled from an external source via a network (or the Internet). It waits for instructions from the external source and, upon receiving them, performs programmed tasks. The name Bot was derived from Robot, as its functions are similar to those of a robot.

Distributed Denial of Service Attack
A DDoS attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the attacker multiplies the effectiveness of the DoS significantly by harnessing the resources of multiple innocent computers, which serve as attack platforms. Typically a DDoS master program is installed on one computer using a stolen account. At a designated time, the master program then communicates with any number of agent programs installed on computers anywhere on the Internet. The agents, when they receive the command, initiate the attack. Using client/server technology, the master program can initiate hundreds or thousands of agent programs within seconds.

DDoS Tools
Clog the victim's network.
Use many sources (daemons) for attacking traffic.
Use master machines to control the daemon attackers.
At least four different versions in use: TFN, TFN2K, Trinoo, Stacheldraht.

Working of DDoS

How They Talk
Trinoo: attacker uses TCP; masters and daemons use UDP; password authentication.
TFN: attacker uses a shell to invoke the master; masters and daemons use ICMP ECHO REPLY.
Stacheldraht: attacker uses an encrypted TCP connection to the master; masters and daemons use TCP and ICMP ECHO REPLY; rcp is used for auto-update.

Deploying DDoS
Attackers seem to use standard, well-known holes (e.g. rpc.ttdbserver, amd, rpc.cmsd, rpc.mountd, rpc.statd). They appear to have auto-hack tools: point, click, and invade. Lesson: practice good computer hygiene.

Detecting DDoS Tools
Most current IDSs detect the current generation of tools. They work by looking for DDoS control messages. Naturally, these will change over time; in particular, more such messages will be properly encrypted. (A hacker PKI?)
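One behaviour-based check of the kind an IDS applies here, written for the TFN and Stacheldraht control channel described under "How They Talk" (masters and daemons talking over ICMP ECHO REPLY): an ECHO REPLY that answers no ECHO REQUEST is unsolicited, and a single source sending such replies to several internal hosts looks like a master addressing its daemons. This Python is an added example, not part of the original chapter; the ICMP records are constructed, and the 5-second matching window and 2-target threshold are illustrative assumptions.

```python
from collections import defaultdict

ICMP_ECHO_REQUEST = 8   # RFC 792 type codes
ICMP_ECHO_REPLY = 0

# Constructed ICMP records: (timestamp_s, src_ip, dst_ip, icmp_type).
ICMP_RECORDS = [
    (100.0, "10.0.0.5",     "198.51.100.7", ICMP_ECHO_REQUEST),  # normal ping
    (100.1, "198.51.100.7", "10.0.0.5",     ICMP_ECHO_REPLY),    # its answer
    (250.0, "203.0.113.9",  "10.0.0.23",    ICMP_ECHO_REPLY),    # nobody asked
    (251.0, "203.0.113.9",  "10.0.0.44",    ICMP_ECHO_REPLY),    # same source,
    (252.0, "203.0.113.9",  "10.0.0.61",    ICMP_ECHO_REPLY),    # several hosts
    (400.0, "10.0.0.5",     "198.51.100.7", ICMP_ECHO_REQUEST),
    (400.2, "198.51.100.7", "10.0.0.5",     ICMP_ECHO_REPLY),
]

def unsolicited_echo_replies(records, window=5.0):
    """Return (ts, src, dst) for every ECHO REPLY that no ECHO REQUEST from
    dst to src preceded within `window` seconds. Records are processed in
    time order, so a reply is only matched against earlier requests."""
    requests = defaultdict(list)      # (requester, target) -> timestamps
    unsolicited = []
    for ts, src, dst, itype in sorted(records):
        if itype == ICMP_ECHO_REQUEST:
            requests[(src, dst)].append(ts)
        elif itype == ICMP_ECHO_REPLY:
            # A legitimate reply src->dst answers a request dst->src.
            earlier = requests.get((dst, src), [])
            if not any(ts - window <= r <= ts for r in earlier):
                unsolicited.append((ts, src, dst))
    return unsolicited

def control_channel_candidates(records, window=5.0, min_targets=2):
    """Group unsolicited replies by source address. One source pushing
    unsolicited replies to several internal hosts is the master-to-daemon
    pattern that IDS rules for TFN/Stacheldraht look for."""
    targets = defaultdict(set)
    for _, src, dst in unsolicited_echo_replies(records, window):
        targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}
```

Because the check uses request/reply asymmetry rather than message contents, it still applies once the control messages are encrypted, which is the change the slide anticipates; a payload signature would not.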

Denial of Service Attack
An attack on a computer or network that prevents legitimate use of its resources. DoS attacks affect:
Software systems.
Network routers, equipment and servers.
Servers and end-user PCs.

DoS shortfalls
DoS attacks are unable to take down large-bandwidth websites: one upstream client cannot generate enough bandwidth to cripple major megabit websites.
New distributed server architectures make it harder for one DoS attack to take down an entire site.
New software protections.

DDoS Architecture

Widely Used DDoS Programs
Trinoo
Tribe Flood Network (TFN)
TFN2K
Stacheldraht (barbed wire)
