Malicious Software and Internet Security

Malicious Software
and Internet
Security
By
Farhan M.Shaikh
B.Sc. (CS),M.Sc. (IT), B.Ed.,M.Ed., M.A (Sociology)., UGC-NET (Education/ Sociology)
Visiting Faculty
L.S. Raheja College, SantaCruz
Tolani College, Andheri
Pioneer Education Center, Borivali, Andheri & Vasai
L.I.I.T., Dadar & Mulund
T.I.M.E., Andheri & Borivali
Objectives
Viruses and Related Threats
Virus Counter Measures
Denial of Service (DoS) Attacks
Hacking
Security Policies and Plans
Strategies for a secure network
farhan.mohd@yahoo.co.in 2
Different types of Malicious Software
Different types of Malicious Software
Viruses and Related Threats
There is nothing magical about computer viruses.
A virus is simply a computer program, which is
stored somewhere on the disk.
But unlike the other programs, this program is not
available separately. It will try to hide itself by
attaching to some legitimate program. Still, it is to
be called a computer program.
There is very much similarity between a computer
virus and a biological virus. Both invade the
body/machine and attach to cell / program and
once lodged, they monitor the activity of the host
in order to replicate themselves
What is a Virus ?
a program that can infect other

programs by modifying them to include
a, possibly evolved, version of itself
Fred Cohen 1983
Computer Viruses- A Brief History
The concept of viruses dates back to 1949 when John
von Neumann submitted a paper, putting forward the
concept of self-replicating program. The idea seemed
impossible and was dropped.
Subsequently, the first virus-like program appeared from
the recreational game called code-wars. The first
commercial application of viruses was in 1985, when two
Pakistani brothers, in order to keep track of software
piracy used Brian virus (also called as Pakistani virus).
Hidden in nearly every disk they sold, was an extra
program not supplied by the manufacturer (which was
self-replicating in nature and would infect an unauthorized
users computers by destroying its applications).
These self-replicating programs multiplied so fast that
today they threat to the smooth operation of the
computer.
Why viruses are developed?
The virus programs are normally written with an
objective of destructive effects. A virus cannot do
anything that was not written into its program. It is
the creation of intelligent computer programmer but
with the harmful intentions. There are other harmful
programs like worms, Trojan horses etc. A program
is not a virus unless it has the ability to replicate
itself.
There are several ways and intentions with which
the viruses are written. These range from complete
destruction of host system, to simple pass-time
nuisance activities. Sometimes viruses are used to
stop from copying legitimate programs, or just to
prove someone's knowledge, to simply make fun
out of it & so forth.
How do they work?
Similar to their biological counterpart, the computer
viruses also require some carriers. As biological viruses
may use animals, insects, water or air as a medium for
propagation, computer viruses need carriers like some
legitimate executable programs, boot sectors, Partition
tables etc. to carry them to the host for further
destruction and replication. When infected code gets
executed by some means (using these carriers), the
virus launches itself into memory and performs
according to its program.
Virus Life Cycle
The first stage is called Pre-trigger stage or the
dormant stage. In this stage viruses lie dormant,
and does not do any destruction. (This act is
also similar in the biological virus.) It is hard to
detect a virus in this stage.
The second stage called Trigger stage is the
one in which virus performs any destruction. A
trigger can be made to set off at a given time,
given number of times a program is run, physical
condition of disk, specific date or time, any other
event or just anything which might have been
thought of by its developer.
Virus Life Cycle
Once this trigger goes off, the destructive action
mentioned in the virus program executes to carry out the
destruction. This is said to be the final stage as it
causes actual damage it is supposed to do.
Virus programs enter into the system either by way of
copying the carrier programs (exe, com, bat, sys &
similar files) or copying anything from a disk with infected
boot sector or partition table or even through E-mail or
Website contents. Also, the replication activity of viruses
is transparent to the user.
Structure of a Virus
Here is a simple structure of a virus. In the infected binary, at a
known byte location in the file, a virus inserts a signature byte used to
determine if a potential carrier program has been previously infected.
V()
{
infectExecutable();
if (triggered()) {
doDamage();
}
jump to main of infected program;
}
void infectExecutable()
{
file = chose an uninfected executable file;
prepend V to file;
}
void doDamage() {
...
}
int triggered()
{
return (some test? 1 : 0);
}
Structure of a Virus
The above virus makes the infected file longer
than it was, making it easy to spot. There are
many techniques to leave the file length and
even a check sum unchanged and yet infect.
For example, many executable files often
contain long sequences of zero bytes, which
can be replaced by the virus and re-generated.
It is also possible to compress the original
executable code like the typical Zip programs
do, and uncompress before execution and pad
with bytes so that the check sum comes out to
be what it was.
Component of a Virus
There are 3 parts:
a. Infector
b. Replicator
c. Payload
a. Infector: This is the section of the viral code, which
infects some part of the system when triggered for the first
time. That happens when the virus enters a system first.
The infector part may decide to infect a file system or a
system sector or an application.
b. Replicator: The Replicator is that section of the virus,
which has the Job of making the virus replicate or duplicate
such that every time the viral code is triggered or executed,
the virus gets a chance to replicate. Usually the infection at
a proper place like the system sector leaves a better
chance of replication more number of times. Replicators
are crucial in deciding the strength of the virus overall.
Component of a Virus
c. Payload: This the section, which can determine the
amount of damage or harm the virus can cause to the
system or its resources. Usually it is a direct implication
of the Replicator. Because replicator will be able to
replicate a specific number of times, so the payload will
be greater. Depending on how much the payload is, the
virus goes into the attack phase. Usually a higher
payload means that the virus can easily overcome the
system and its resources can be easily overcome by the
virus.
Classification of Virus
Word Macro Virus
Cascade Virus
How to protect the computer
against

virus
Virus detection, prevention and recovery:
There are several precautions one can take in
order to safeguard from virus infection. Even
then if the virus still creeps in, one has to
follow the detection and elimination procedures
further. The safety measures or precautions for
virus prevention are rightly called the Golden
Rules or the Commandments as given below.
While it is difficult to protect the system totally,
using these rules one may prevent from the
virus infections to a great extent
The Golden Rules for virus
prevention
Always keep backup of your data/programs.
Keep floppies Write-protected (especially if
they are bootable.)
Do not copy anything in your system from any
unknown source.
Restrict the use of machine to only authorized
users.
Never download mail attachments, unknown
content from Internet.
Even after using these precautions, if the virus
creeps into your system, it can be detected in
various ways apart from using a virus scanner
for it.
Virus Symptoms
Computer system seems to be running too slow
than normal
Floppy disk or hard disk is accessed suddenly
without any reason. Programs do something
unusual or do not work normally
Files, folders disappear mysteriously or contain
garbage.
System crashes often without any reason.
Computer does not boot completely at all.
System memory or disk space reduces without
logical reason.
Unusual error messages appear on screen.
Programs take more time to load than normal.
Change in data/program file sizes is observed. 24
farhan.mohd@yahoo.co.in
Recovery procedure
If these symptoms are observed, they may
indicate the presence of virus in your system.
To eliminate virus when observed or detected
in the system, one should carry out some
specific steps called as Recovery procedure. If
you use the Anti-virus softwares, they will do
this job for you. Many such products exist
including MacAfee, Norton, F-prot, AVG & so
on. One must ensure to update these utilities
frequently, to stay safe from the newer viruses,
which keep coming. Apart from using the tools,
one must create a Rescue disk that should be
a clean, an infected bootable disk with required
set of tools. This can be used to diagnose,
detect & eliminate viruses from the system.
Anti-Virus Software
first-generation
scanner uses virus signature to identify virus
or change in length of programs
second-generation
uses heuristic rules to spot viral infection
or uses crypto hash of program to spot changes
third-generation
memory-resident programs identify virus by actions
fourth-generation
packages with a variety of antivirus techniques
eg scanning & activity traps, access-controls
arms race continues
Digital Immune System
Digital Immune System
1. A monitoring program on each PC uses a variety of heuristics
based on system behavior, suspicious changes to programs, or
family signature to infer that a virus may be present, & forwards
infected programs to an administrative machine
2. The administrative machine encrypts the sample and sends it to a
central virus analysis machine
3. This machine creates an environment in which the infected
program can be safely run for analysis to produces a prescription
for identifying and removing the virus
4. The resulting prescription is sent back to the administrative
machine
5. The administrative machine forwards the prescription to the
infected client
6. The prescription is also forwarded to other clients in the
organization
7. Subscribers around the world receive regular antivirus updates
that protect them from the new virus.
Trojan Horses
Yet another type of malicious program
observed is a Trojan horse, sometimes simply
called Trojan. The name has a funny history
behind it.
In the Greek kingdom, a wooden horse was
gifted to the enemy and taken inside their fort.
This actually contained soldiers inside it, which
came out and fought with the enemy taking
them by surprise.
Our Trojan horse in computer works with a
similar principle. Even if it claims to be a
genuine program, in fact it is a malicious one.
It is supposed to do something useful while all
it does is totally different and that is
destructive.
Trojan Horses: How do they work?
Trojans - as specified, always claim to be a genuine
program. If it were not a genuine program, rather
one would not copy or try it out! It may say it is a
new game released, some kind of a utility program
newly developed, or something similar.
Once copied/downloaded on to a host and executed,
actually it may do something like formatting hard
disk, erasing files/folders and so on. They may work
either like a Time Bomb (based on some value,
number as triggering condition) or like a Logic Bomb
(destructing after satisfying some logical event or
condition).
It is also possible that the Trojan horse program may
be working normally for some time, just to fool the
user that it is doing something useful.
Mac OS Trojan
Trojan Horses: How do they work?
There are some types of Trojans, which
include some form of self-destruction which
means the Trojan program itself gets deleted
after triggering condition along with other
destruction. (Can this be very much analogous
to a human bomb!) Examples of Trojan horse
program include 12 tricks Trojan, actual file
name CORETEST.COM (claims as hard disk
benchmarking program!) Nortstop Trojan,
filename NORTSTOP. EXE or NORTSTOP.ZIP
(claims to be an antivirus public domain utility!)
Remote Access Trojans
Types of Trojans
Mail Trojans: Another popular type of
Trojan in hackers circles is the mail
Trojan. It works in server mode only and
its main function is to record certain data
such as the keystrokes the user enters
when passwords are typed, the web
sites he regularly visits and files in
general. An infected machine will
automatically send the information by
email to the attacker. These are very
difficult to spot because the email client
is part of the Trojan itself.
Types of Trojans
FTP Trojans: This particular class of Trojan
works in server mode only. It allows FTP
access to an infected machine and can
download or upload files at the intruders whim.
Telnet Trojans: Telnet Trojans run in server
mode only and allow an intruder to execute
DOS commands on a remote machine.
Key logger Trojans: These Trojans record the
keystroke input on an infected machine and
then stores the information in a special log file
that the intruder can access in order to
decipher passwords.
Types of Trojans
Types of Trojans
Fake Trojans: This type of Trojan uses
fake dialog boxes and other bogus
windows that purport to show that the
user has attempted to perform an illegal
operation. By displaying a dialog box, its
sole purpose is to get the user to enter
his user name and password. That
information is then stored on file so that
the intruder can use it at a later date.
Fake Alerts Trojans
Detection, prevention and elimination
One major difference between Trojan horse
and worms or viruses is that the Trojans do not
self-replicate. This reduces the amount of
destruction caused by them compared to other
malicious programs.
Another limitation of them is that they are
available separately. Hence it is possible to
find out that the harm is caused by the running
program, label it as Trojan and discard it.
But beware! It is also possible that the Trojan
horse programs may be working like
Backdoors and passing the valuable
information from your system back to hackers!
Detection, prevention and elimination
It is hence difficult to detect a Trojan, unless
using some good utility. Now a days, many
anti-virus utilities also check for them as well.
Unless one tries out a Trojan program, it is
hard to know whether it is genuine or not. In
such case, one can try it (if it is absolutely
necessary) on some separated machines and
then using on regular once confirmed.
The prevention mechanism says, never
download/copy any content from unknown
source, or when in doubt.
The elimination is obviously the deletion of the
program identified as a Trojan.
What is a worm
A computer worm is a self-replicating computer

program. It uses a network to send copies of itself to
other nodes and do so without any user
intervention.
Worms
Mobile Phone Worms
Detection, prevention and recovery
Normally, all the recent anti-virus utilities are
capable of detecting most of the worm codes as
well as disinfect them. The indication of worms
may be the terrible slowness of the network,
although there are several other reasons for this.
Worms do not modify a program nor attach
themselves to it and hence may be seen or
detected separately unlike the virus.
Still, some newer type of Worms hide themselves
inside the Email source, HTML scripts, web page
sources etc. to remain undetected.
As far as the prevention is concerned, using some
safety measures like detection tools, not opening
any content from unknown source, it may be
possible to prevent from their attacks.
Worm v/s Virus v/s Trojan Horse
A virus is code embedded in a file or
program
Viruses and Trojan horses rely on
human intervention
Worms are self-contained and may
spread autonomously
Denial of Service Attacks
The Denial Of Service (DOS) attack has gained a lot of
attention in the last few years. The basic purpose of a
DOS attack is simply to flood/overhaul a network so as
to deny the authentic users services of the network. A
DOS attack can be launched in many ways. The end
result is the flooding of a network, or change in the
configurations of routers on the network.
The reason it is not easy to detect a DOS attack is
because there is nothing apparent to suggest that a user
is launching a DOS attack, and is actually not a
legitimate user of the system.
This is because in a DOS attack, the attacker simply
goes on sending a flood of packets to the server/network
being attacked.
It is up to the server to detect that certain packets are
from an attacker, and not from a legitimate user, and
take an appropriate action. This is not an easy task.
Failing this, the server would fall short of resources
(memory, network connections, etc.) and come to a
grinding halt after a while.
A typical mechanism to launch a DOS attack is with the
help of the SYN requests. On the Internet, a client and a
server communicate using the TCP/IP protocol. This
involves the creation of a TCP connection between the
client and the server, before they can exchange any
data. The sequence of these interactions is as follows:
3.Acknowledge SYN
ACK
1. The client sends a SYN request to the server. A SYN
(abbreviation of synchronization) request indicates to
the server that the client is requesting for a TCP
connection with it.
2. The server responds back to the client with an
acknowledgement, which is technically called as SYN
ACK.
3. The client is then expected to acknowledge the
server's SYN ACK.
Only after all the three steps above are completed that
a TCP connection between a client and a server is
considered as established. At this juncture, they can
start exchanging the actual application data.
An attacker interested in launching a DOS attack on a
server, performs step 1.
The server performs step 2.
However, the attacker does not perform step 3. This
means that the TCP connection is not complete. As a
result, the server needs to keep the entry for the
connection request from the client as incomplete, and
must wait for a response (i.e. step 3) from the client.
The client (i.e. the attacker) is not at all interested in
executing step 3. Instead, she simply keeps quiet. Now,
imagine that the client sends many such SYN requests to
the same server, and does not perform step 3 in any of
the requests.
Clearly, a lot of incomplete SYN requests would be
pending in the server's memory, and if these are too
many, the server could come to a halt!
Distributed Denial Of Service
Why use your own machine for such things when you
can use hundreds of other people's machines?
1. Attacker takes control of a less secure network say X.
2. Let us assume that there are 100 systems in Xs
network.
3. Attacker uses all these 100 systems to attack the actual
target T.
4. Hence, instead of one attacker, there are 100 attackers.
5. The attacker uses common users to install a zombie
program on as many machines on the Internet.
6. The attacker waits, when the time comes it controls all
the machines and makes all the machines to flood the
target.
Types of DDoS Attacks
Types of DDoS Attacks
Hacking
Hacking is the practice of modifying the features
of a system, in order to accomplish a goal
outside of the creator's original purpose. The
person who is consistently engaging in hacking
activities, and has accepted hacking as a
lifestyle and philosophy of their choice, is called
a hacker.
Computer hacking is the most popular form of
hacking nowadays, especially in the field of
computer security, but hacking exists in many
other forms, such as phone hacking, brain
hacking, etc. and it's not limited to either of
them.
Types of hackers
Professional hackers
Black Hats the Bad Guys
White Hats Professional Security Experts
Script kiddies
Mostly kids/students
User tools created by black hats,
To get free stuff
Impress their peers
Not get caught
Underemployed Adult Hackers
Former Script Kiddies
Cant get employment in the field
Want recognition in hacker community
Big in eastern european countries
Ideological Hackers
hack as a mechanism to promote some political or ideological purpose
Usually coincide with political events
Types of Hackers
Criminal Hackers
Real criminals, are in it for whatever they can get no
matter who it hurts
Corporate Spies
Are relatively rare
Disgruntled Employees
Most dangerous to an enterprise as they are
insiders
Since many companies subcontract their network
services a disgruntled vendor could be very
dangerous to the host enterprise
What is a Security Policy?
Set of decisions
Rules & regulation
Written or verbally understood
Which Collectively determines Organization's
posture towards security
Delimits the boundaries
Acceptable & non acceptable behaviours
What is ethical and what is non-ethical?
What is the degree of seriousness of the offence
Or is it an offence at all
What if it is violated?
Security Policy will decide
What legal course of action will you follow
if attacked?
What will be considered as a cognizable
crime?
Can anyone be sued?
Infringing on someone elses rights?
What is Security Policy? - Definition
A security policy is the set of
decisions that collectively, determines
an organization's attitude toward
security.
A security policy defines the
boundaries of acceptable behaviour
and what the response to violations
should be.
What is Security Policy?
Naturally, security policies will differ from
organization to organization.
Your security policy may determine what
legal course you have to take if you are
ever attacked.
You must first decide what is and is not
permitted. To some extent, this process is
driven by the business or structural needs
of the organization. Thus, some companies
may issue a verdict that bars the personal'
use of corporate computers.
What is Security Policy?
Some companies wish to restrict outgoing
traffic, to guard against employees
exporting valuable data. Other policies
may be driven by technological
considerations.
In general, Computer security means
keeping anyone from doing anything,
which is unwanted or undesired, relating
to computers & peripherals. It is the way of
protecting your precious assets in terms of
information or resources.
Picking a security policy
A 'Security Policy' describes your plan,
methodology to safeguard your assets or
what measures / precautions you take (or
do not take) in order to keep your assets
secured.
A security policy differs from organization
to organization. All the decisions are then
based on this formulated policy.
Finding out what resources you wish to protect:
Resources may include: Physical resources like
printers, monitors, keyboards, drives, modems etc. &
Logical resources like source & object programs, data,
utilities, operating system, applications etc.
Find out who can disrupt them & in what ways: The
threats to your assets may include Physical threats to
the resources such as stealing, malfunctioning
devices, Logical threats such as unauthorized access
to data, information, resources Unintended disclosure
of your information.
Who is interested in attacking you? Outsiders as
well as insiders may form the collective answer here.
What kind of security therefore must be provided
differs from the type of attacker you are planning
against.
How much Security can you afford? Part of the cost
of security is direct financial expenditures, such as the
extra routers, firewalls, software packages, and so on.
Often, the administrative costs are overlooked. There
is another cost, however, a cost in convenience and
productivity, and even moderate. Too much security
can hurt as surely as too little can. Annoyed by
increases in security, people get frustrated. Finding the
proper balance therefore is essential.
What Stance do you take? The stance is
the attitude of the designer. It is
determined by the cost of failure and the
designers estimate of that likelihood. It is
also based on the designer's opinions of
their own abilities. At one end of the scale
is a philosophy to correct it only when
mistake happens and. the other one is
taking preventive measures so that no
mistake occurs.
Good Security Policy Characteristics
Should define a clear set of security goals.
Accurately define each issue discussed in
the policy.
Define under what circumstances each
issue is applicable.
Should be enforceable with security tools
wherever appropriate.
Should clearly define the areas of
responsibility for users, administrators &
management.
Should have acceptance within the
organization
Strategies for a secure Network
Host security - securing the prime, host machines by
logically isolating them. In most situations, the network
is not the resource at risk rather, it is the endpoints of
the network that are threatened. Usually, there are
bugs in the program for networks or in the
administration of the system. it is this way with
computer security, the attacker just has to win once.
But networked machines are also not isolated. There
are other machines which trust them in some fashion.
It might re therefore a major risk that the intruder can
compromise the entire system. He will now be able to
attack other systems, either by taking over root, and
hence the system's identity, or by taking over some
user account. This is called transitive trust.
Authentication of users - checking the identity of valid
users keeping the unauthorized users away.
Choosing good passwords & protecting them - A good
password should be developed using various criteria &
safeguarding it as well. Also making sure it is not
reused & changed frequently.
Using firewalls & proxy servers while accessing
Internet - using these tools to act like logical security
guards to monitor traffic in & out of your local network
(protected) & the Internet (unprotected).
Making use of Encryption techniques - used to encrypt
the sensitive information to be sent out, making it
harder to crack if intercepted. Involves using various
algorithm based on the Data Encryption Standard for
this purpose. Encryption is often considered as the
ultimate weapon in, the computer security wars. It is a
valuable tool but if used improperly it can hurt the real
goals of the organization. Encryption is best used to
safeguard file transmission, rather than file storage,
especially if the encryption key is generated from a
typed password. There are various encryption
techniques like the Conventional Symmetric and
Unconventional Asymmetric ones. The Asymmetric
Encryption techniques use the Public/Private key
concept. But even these have to be safeguarded from
the potential attacker.
References
Network Security Essentials,

Stallings W (Pearson Education)
Firewalls and Internet Security - Repelling

the Wily Hacker.2nd Edition

Malicious Software and Internet Security

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Malicious Software and Internet Security

Hochgeladen von

Copyright:

Verfügbare Formate

Malicious Software

a program that can infect other

Fred Cohen 1983

A computer worm is a self-replicating computer

Network Security Essentials,

Firewalls and Internet Security - Repelling

Das könnte Ihnen auch gefallen