
Computer Security Threats

Chapter 2

Topics
1. Viruses
2. Worms
3. Trojan Horses
4. Logic bombs
5. Spyware
6. Other threats

Prepared by: Dr. Oliver 2


Viruses and Other Wildlife
• The word virus has become a generic term
describing a number of different types of attacks on
computers using malicious code.
• Many have been infected at least once, either by
one of the famous attacks such as Melissa,
ExploreZip, MiniZip, Code Red, NIMDA, BubbleBoy, I
LoveYou, NewLove, KillerResume, Kournikova,
NakedWife, or Klez.
• Each of these uses a certain amount of the
computer's resources to display or gather data
about the user.
Malicious Logic
• Computer viruses, worms, and Trojan horses
are effective tools with which to attack
computer systems.
• They assume an authorized user's identity.
• This makes most traditional access controls
useless.
• We study malicious logic, focusing on Trojan
horses and computer viruses, and discuss
defenses.
Introduction
• The classification of malicious code into
categories such as "virus" or "worm" is today
somewhat quaint.
• Attackers who want to harm your system will
get there any way they can, often by whipping up a
software half-breed that blurs these definitions.
• For this reason, modern attack tools tend to
be labeled by their function more than their
genealogy.
Introduction…
• Hence there are viruses, worms, rootkits,
Trojan horses, password sniffers, and zombies.
• In this course we shall call all such programs
malicious code, or for short, malware.
• Malicious logic is a set of instructions that
causes a site's security policy to be violated.
Viruses and Public Health
• Most malicious code today is concerned not only with
trashing your machine, but also in using your machine
to infect others.
• A classic example is the software used to create a DDoS
attack.
• After hiding itself in your computer, modern malware
typically seeks information from you to use to infect
others, and it usually finds it in your address book or by
prowling your local area network.
• The malware then stalks its new victims, often by
sending an email in your name, and infects them as well.


I. Viruses
• A virus is a code fragment that copies itself into a
larger program, modifying that program.
• It is not an independent program but depends upon a
host program, which it infects.
• A virus executes only when its host program begins to
run.
• The virus then replicates itself, infecting other
programs as it reproduces.
• After seeing to its own reproduction, it then does
whatever dirty work it carries in its programming, or
payload.
• A virus might start reproducing right away, or
it might lie dormant for some time, until it’s
triggered by a particular event. (Friday the 13th
virus).
• A virus may infect memory, a floppy disk, a
hard drive, a backup tape, or any other type of
storage.
• Viruses also can move about as macros, such
as those written in the scripting language used
to automate keystrokes in office programs such
as Microsoft Word or Excel.
The history of viruses
• 1949 - John von Neumann presented a paper on the
“Theory and Organization of Complicated Automata,” in
which he postulated that a computer program could
reproduce.
• 1950 - Bell Labs programmers created a game they called
"Core Wars," in which two programmers would unleash software
"organisms" and watch as they vied for control of the
computer.
• 1984 - Ken Thompson described the development of
what can be considered the first practical computer
virus. Thompson wrote a self-reproducing program in
the C programming language.
Types of Viruses
• Several types of computer viruses have been
identified
– Boot Sector Infectors
– Multipartite Viruses
– Stealth Viruses
– Encrypted Viruses
– Polymorphic Viruses
Boot Sector Infectors
• The boot sector is the part of a disk used to
bootstrap the system or mount a disk
• Code in that sector is executed when the system
"sees" the disk for the first time
• When the system boots, or the disk is mounted,
any virus in that sector is executed. (The actual
boot code is moved to another place, possibly
another sector.)
• A boot sector infector is a virus that inserts
itself into the boot sector of a disk.
Executable Infectors
• The PC variety of executable infectors is called
COM or EXE viruses because they infect
programs with those extensions.
• The virus can prepend itself to the executable or
append itself.
• An executable infector is a virus that infects
executable programs
Multipartite Viruses
• A multipartite virus is one that can infect
either boot sectors or applications
• Such a virus typically has two parts, one for
each type.
Stealth Viruses
• Stealth viruses are viruses that conceal the
infection of files.
• They avoid detection by modifying parts of the
system that could be used to detect them.
Encrypted Viruses
• Computer virus detectors often look for known
sequences of code to identify computer viruses.
• To conceal these sequences, some viruses
encipher most of the virus code, leaving only a
small decryption routine and a random
cryptographic key in the clear.
• An encrypted virus is one that enciphers all of
the virus code except for a small decryption
routine
Polymorphic Viruses
• A polymorphic virus is a virus that changes its
form each time it inserts itself into another
program
• Consider an encrypted virus. The body of the
virus varies depending on the key chosen, so
detecting known sequences of instructions will
not detect the virus.
• However, the decryption algorithm can be
detected. Polymorphic viruses were designed to
prevent this.
Virus Detection
• The following techniques are used to detect
viruses:
• Scanning
– Once a virus has been detected, it is possible to
write a scanning program that looks for signature strings
characteristic of the virus
• Integrity checking with checksums
– Integrity checking reads the entire disk and records
integrity data that acts as a signature for the files
and system sectors
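As an added example (not part of the original slides), the following Python program shows signature scanning over a constructed, harmless byte string that stands in for a virus body, and why the encrypted-virus technique from the earlier slides defeats a signature taken from the body while a signature taken from the constant decryptor routine still matches. The names, the one-byte XOR cipher and every sample byte string are constructed for illustration only.

```python
import secrets

# Constructed stand-ins for this example (harmless text, not real malware):
# the virus "body" and the small decryptor routine that stays in the clear.
VIRUS_BODY = b"BODY-OF-THE-VIRUS-PAYLOAD-CODE"
DECRYPTOR_STUB = b"DECRYPT-LOOP-STUB"   # identical in every copy

# Signature database as a scanner might keep it: name -> byte sequence.
SIGNATURES = {
    "body-signature": b"VIRUS-PAYLOAD",       # taken from the plain body
    "decryptor-signature": b"DECRYPT-LOOP",   # taken from the decryptor stub
}


def scan_for_signatures(data, signatures=SIGNATURES):
    """Signature scanning: return the names of all signatures found in data."""
    return sorted(name for name, sig in signatures.items() if sig in data)


def xor_cipher(data, key):
    """Toy one-byte XOR cipher; applying it twice restores the data."""
    return bytes(b ^ key for b in data)


def make_encrypted_copy(key=None):
    """Lay out a copy the way an encrypted virus would: clear decryptor stub,
    the random key byte, then the enciphered body. A fresh key per copy means
    the body bytes differ every time while the stub does not."""
    if key is None:
        key = secrets.randbelow(255) + 1   # 1..255, never the identity key 0
    return DECRYPTOR_STUB + bytes([key]) + xor_cipher(VIRUS_BODY, key)


if __name__ == "__main__":
    host = b"constructed benign program bytes"
    print("clean host:    ", scan_for_signatures(host))
    print("plain copy:    ", scan_for_signatures(host + DECRYPTOR_STUB + VIRUS_BODY))
    print("encrypted copy:", scan_for_signatures(host + make_encrypted_copy()))
```

The plain copy matches both signatures; every encrypted copy matches only the decryptor signature, which is why the slides say the decryption routine can still be detected and why polymorphic viruses go on to vary the decryptor as well. An integrity check on the host program's checksum would flag either copy without needing any signature at all.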
II. Computer Worms
• A computer virus infects other programs. A variant
of the virus is a program that spreads from
computer to computer, spawning copies of itself on
each one.
• A worm is a program that replicates and
propagates itself without having to attach itself to
a host
• Worms can continue replicating themselves until
they completely fill available resources, such as
memory, hard drive space, and network bandwidth
Viruses and Worms
• Viruses and worms can be used to infect a system and modify
a system to allow a hacker to gain access. Many viruses and
worms carry Trojans and backdoors.
• A virus and a worm are similar in that they’re both forms of
malicious software (malware).
• A virus infects another executable and uses this carrier
program to spread itself. The virus code is injected into the
previously benign program and is spread when the program is
run.
• A worm is similar to a virus in many ways but does not need a
carrier program. A worm can self-replicate and move from
infected host to another host.
• A worm spreads from system to system automatically, but a
virus needs another program in order to spread.
History of Worms
• 1975 - In John Brunner's science fiction novel, The
Shockwave Rider, programs called "tapeworms" lived
inside computers, spread from machine to machine, and
were "indefinitely self-perpetuating so long as the net
exists."
• 1980 - John Schoch and Jon Hupp, researchers at Xerox
Palo Alto Research Center, developed the first
experimental worm programs as a research tool.
• The Xerox PARC worms were, on the whole, useful
creatures; they handled mail, ran distributed
diagnostics, and performed other distributed functions



THE MORRIS WORM
• A creation of Robert Tappan Morris, a 23-year-old doctoral
student from Cornell, who on the second of November
1988, at about 6:00 p.m., released a self-replicating bit of
code onto the Internet designed to spread itself freely,
but to do little else.
• There was no dangerous payload.
• Soon, however, VAX and Sun machines (the only systems
targeted) across the country started to bog down.
• This same scene was replayed at the sites of over 6,000
machines across the country.
• While no physical damage was caused by the worm, the
U.S. General Accounting Office estimated that the worm
cost between $100,000 and $10,000,000 due to lost
access.
III. Trojan Horses and Backdoors
• Trojans and backdoors are types of malware used to
infect and compromise computer systems
• A Trojan horse is a program with an overt effect and a
covert effect.
• An overt channel is the normal and legitimate way
that programs communicate within a computer system
or network.
• A covert channel uses programs or communications
paths in ways that were not intended.
• Trojans can use covert channels to communicate. Some
client Trojans use covert channels to send instructions
to the server component on the compromised system.
Trojan Horses and Backdoors…
• Trojan horses that can make copies of themselves
are called propagating Trojan horses.
• A Trojan horse hides in an independent
program that performs a useful or appealing
function or appears to perform that function.
• Along with the apparent function, however,
the program performs some other
unauthorized operation
Trojan Horses and Backdoors…
• A typical Trojan horse tricks a user into running
a program, often an attractive or helpful one.
When the unsuspecting user runs the program,
it does indeed perform the expected function.
• But its real purpose is often to penetrate the
defenses of the system by usurping the user's
legitimate privileges and thus obtaining
information that the penetrator isn't authorized
to access.
Trojan Horses and Backdoors…
• An example of this would be the modern
rootkit, which is a script that controls a small
suite of programs that create an
administrative level account on the targeted
system, and then create a backdoor.
• A backdoor is an unmonitored entry way
that evades the security mechanisms, through
which the attacker can later gain convenient
access.
Backdoors
• A backdoor is a program or a set of related programs
that a hacker installs on a target system to allow
access to the system at a later time.
• A backdoor can be embedded in a malicious Trojan.
• The objective of installing a backdoor on a system is
to give hackers access into the system at a time of
their choosing.
• The key is that the hacker knows how to get into the
backdoor undetected and is able to use it to hack the
system further and look for important information.
Types of Trojans
• The most common types of Trojans:
• Remote Access Trojans (RATs) – Used to gain remote access to a
system.
• Data-Sending Trojans – Used to find data on a system and deliver
data to a hacker.
• Destructive Trojans – Used to delete or corrupt files on a system.
• Denial-of-Service Trojans – Used to launch a denial-of-service attack.
• Proxy Trojans – Used to tunnel traffic or launch hacking attacks via
other systems.
• FTP Trojans – Used to create an FTP server in order to copy files onto
a system.
• Security Software Disabler Trojans – Used to stop antivirus software.
Virus and Worm Hoaxes
• Hoaxes are false alarms claiming reports about
a non-existent virus
• They disrupt the harmony and flow of an
organization when people send group e-mails
warning of supposedly dangerous viruses that
don't exist
• As frustrating as viruses and worms are,
perhaps more time and money is spent on
resolving virus hoaxes
Virus and Worm Hoaxes…
• The network becomes overloaded, and much
time and energy is wasted as users forward the
warning message to everyone they know, post
the message on bulletin boards, and try to
update their antivirus protection software
• A number of Internet resources enable
individuals to research viruses to determine if
they are fact or fiction
• www.cert.org or www.hoax-slayer.com
IV. Other Forms of Malicious Logic
• Logic Bombs
• Rabbits and Bacteria
• Spyware
• Spam
• Software Attacks
• Hardware Threats
Logic Bombs
• A logic bomb is a type of malware that executes
its malicious purpose when a specific criterion is
met,
• such as a user logging in or the arrival of
midnight, Friday the 13th.
• The most common factor is date/time
• A logic bomb might delete files on a certain
date/time
• Disaffected employees may plant Trojan horses in
systems that use logic bombs, such as deleting the
payroll roster when that user's name is deleted.
Types of Bombs
1. A bomb that's set to go off on a particular
date or after some period of time has
elapsed is called a time bomb (e.g. Friday the
13th).
2. A bomb that's set to go off when a particular
event occurs is called a logic bomb.


Rabbits and Bacteria
• A bacterium or a rabbit is a program that
absorbs all of some class of resource
• It multiplies so rapidly that resources become
exhausted; this creates a denial of service
attack
    while true          # loop forever
    do
        mkdir x         # create a subdirectory (consumes an inode and disk space)
        cd x            # descend into it, so the next iteration nests one level deeper
    done
Spyware
• Spyware is simply software that literally spies on
what you do on your computer.
• Spyware can be as simple as a cookie used by a
website to record a few brief facts about your visit
to that website, or spyware could be of a more
insidious type, such as a key logger
• A cookie is a text file that your browser creates and
stores on your hard drive, which a website you have
visited downloads to your machine and uses to
recognize you when you return to the site
Spyware
• Key loggers are programs that record every keystroke
you make on your keyboard
• This spyware then logs your keystrokes to the spy’s file
• The most common use of a key logger is to capture
usernames and passwords.
• They can capture every document you type, as well as
anything else you might type
• This data can be stored in a small file hidden on your
machine for later extraction or sent out in TCP packets
to some predetermined address
Spyware
• Some key loggers wait until after hours to upload this data to some
server, or use your own email software to
send the data to an anonymous email address.
• There are also some key loggers that take
periodic screenshots from your machine,
revealing anything that is open on your
computer.
• Spyware is software that literally spies on your
activities on a particular computer.
Spam
• Spam is unwanted email.
• Spam is email that is sent out to multiple parties, that
is unsolicited.
• Often it is used for marketing purposes, but it can be
used for much more malicious goals:
– It can be used to spread a virus or worm.
– It is also used to send emails enticing recipients to visit phishing
websites in order to steal the recipient's identity.
• Essentially, spam is, at best, an annoyance and, at
worst, a vehicle for spyware, viruses, worms, and
phishing attacks.
Software Attacks

• Password Crack
• Attempting to reverse-calculate a password is
often called cracking.
• A cracking attack is a component of many
dictionary attacks
• It is used when a copy of a password has been
obtained and compared against guesses; if they are the same, the
password has been cracked
• It can be a brute force or a dictionary attack
Software Attacks …

• Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)
• In a denial-of-service (DoS) attack, the attacker
sends so many requests to a target that
the target system becomes overloaded and cannot
respond to legitimate requests for service
• A distributed denial-of-service (DDoS) is an attack in
which a coordinated stream of requests is launched
against a target from many locations at the same
time
Software Attacks …

• Spoofing is a technique used to gain
unauthorized access to computers, wherein
the intruder sends messages with a source IP
address that has been forged to indicate that
the messages are coming from a trusted host
• Routers and firewall arrangements can offer
protection against IP spoofing
Software Attacks …

• In a man-in-the-middle or TCP hijacking attack, an
attacker monitors (or sniffs) packets from the
network, modifies them, and inserts them
back into the network.
• It may use IP spoofing to enable an attacker to
impersonate another entity on the network.
• It allows the attacker to eavesdrop as well as
to change, delete, reroute, add, forge, or
divert data.
Software Attacks …

• A sniffer is a program or device that can monitor data
traveling over a network.
• Sniffers can be used both for legitimate network
management functions and for stealing information.
• Sniffers add risk to the network, because many systems
and users send information on local networks in clear
text.
• A sniffer program shows all the data going by, including
passwords, the data inside files—such as word-
processing documents—and screens full of sensitive
data from applications
Software Attacks …

• Social engineering is the process of using social skills
to convince people to reveal access credentials or
other valuable information to the attacker.
• A common form is a perpetrator posing as a person higher in the
organizational hierarchy than the victim.
• To prepare for this false representation, the
perpetrator may have used social engineering tactics
against others in the organization to collect
seemingly unrelated information that, when used
together, makes the false representation more
credible
Hardware Threats

• Power Faults
– Sudden power failures, voltage spikes, brownouts and
frequency shifts cause damage to systems
• System Life
– System gets worn-out over a period of time
• Equipment Incompatibilities
– These occur due to improperly installed devices
• Problems with Magnets
– Magnetic fields from floppy disks, monitors and telephones
can damage stored data
Countermeasures
• There are many programs that can help you keep
viruses and other wildlife away from your system
and can wipe out the critters if they gain access
(virus protection programs)
• These products, and the system administration
procedures that go along with them, have two
overlapping goals:
• they don't let you run a program that's infected,
and they keep infected programs from damaging
your system.
Firewalls
• A firewall protects your computer by
examining each information packet that
travels over the network.
• Clues to a packet's purpose can be read from
its destination address.
• Firewalls contain a list of allowed and
disallowed destinations and functions.
• Firewalls also keep track of outgoing packets, and let an
incoming packet through only if it is an expected reply to one of them.
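An added example, not from the slides: a small Python model of the packet-filtering behaviour just described. The Firewall class keeps a list of allowed destinations and a table of outgoing connections, and admits an inbound packet only when it is the expected reply to one of them. The class and method names, ports and traffic are constructed for illustration, and the addresses come from the reserved documentation ranges.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A simplified packet: addresses, ports and which way it travels
    relative to the protected host ("out" leaving it, "in" towards it)."""
    src: str
    sport: int
    dst: str
    dport: int
    direction: str


class Firewall:
    """Packet filter with an allowed-destination list plus a table of
    outgoing connections, so only expected replies are let back in."""

    def __init__(self, allowed_destinations):
        self.allowed = set(allowed_destinations)   # {(ip, port)} reachable from inside
        self.expected = set()                       # flows we sent, awaiting replies
        self.log = []                               # (action, reason, packet)

    def filter(self, pkt):
        """Return "ALLOW" or "DROP" for one packet and record the decision."""
        if pkt.direction == "out":
            if (pkt.dst, pkt.dport) not in self.allowed:
                return self._verdict(pkt, "DROP", "destination not on allowed list")
            # Remember the flow so the reply (remote -> local) is recognised.
            self.expected.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return self._verdict(pkt, "ALLOW", "outgoing to allowed destination")
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.expected:
            return self._verdict(pkt, "ALLOW", "expected reply to our request")
        return self._verdict(pkt, "DROP", "unsolicited inbound packet")

    def _verdict(self, pkt, action, reason):
        self.log.append((action, reason, pkt))
        return action


def run_demo():
    """Constructed traffic: host 192.0.2.5 may reach one web server only."""
    fw = Firewall([("203.0.113.10", 443)])    # constructed allowed destination
    packets = [
        Packet("192.0.2.5", 50000, "203.0.113.10", 443, "out"),   # our request
        Packet("203.0.113.10", 443, "192.0.2.5", 50000, "in"),    # its reply
        Packet("198.51.100.7", 4444, "192.0.2.5", 50000, "in"),   # unsolicited
        Packet("192.0.2.5", 50001, "198.51.100.7", 23, "out"),    # not allowed
    ]
    verdicts = [fw.filter(p) for p in packets]
    for action, reason, pkt in fw.log:
        print(f"{action:5} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  ({reason})")
    return verdicts


if __name__ == "__main__":
    run_demo()
```

The third packet is the case the slide is making: it is addressed to a port the host really is using, but because no outgoing packet to that remote address and port was ever seen, it is not an expected reply and is dropped.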
Antivirus
• Virus protection software uses two main
techniques:
• The first uses signatures, which are snapshots
of the code patterns of the virus.
• The antivirus program lurks in the background
watching files come and go until it detects a
pattern that aligns with one of its stored
signatures,
• then it sounds the alarm and maybe isolates
or quarantines the code.
Antivirus…
• Alternatively, the virus protection program can
go looking for trouble.
• It can periodically scan the various disks and
memories of the computer, detecting and
reporting suspicious code segments, and
placing them in quarantine.
Antivirus…
• One problem with signature-based virus
protection programs is that they require a
constant flow of new signatures in response
to evolving attacks.
• Their publishers stay alert for new viruses,
determine the signatures, and then make
them available as updated virus definition
tables to their users.
Antivirus…
• Another problem is called the Zero Day problem.
Basically, this occurs when a user trips over a new virus
before the publisher discovers it and can issue an
updated signature.
• A third problem is that, just as with biological
pathogens, viruses can mutate. Sometimes this happens
accidentally; other times, it happens because a clever
programmer uses file compression software to change
the signature of the virus to elude signature detection.
• This means it can change its own form by introducing
extra statements or adding random numbers, to elude
signature detection.
Antivirus…
• To counter these, virus protection publishers are
adding what is called heuristic detection features to
their wares.
• A heuristic is a rule or behavior. If a virus exhibits that
behavior, the antivirus software tries to stop it in the
act.
– For instance, code that suddenly accesses a critical
operating system area or file, unexplained changes in
file size (particularly in system files), sudden decreases in
available hard disk space, or changes in file time or date
stamps.
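As an added example (not the slides' own material) covering both the integrity checking with checksums from the Virus Detection slide and the heuristics just listed, this Python script records a SHA-256 digest, size and modification time for every file under a directory, compares two such baselines, and raises heuristic alerts for size or timestamp changes in files under a "system/" prefix and for a sudden drop in free disk space. The demo() function builds a temporary file tree with constructed contents so it runs offline; the function names, the "system/" prefix, the 10% free-space threshold and the free-space figures are all assumptions made for this example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_record(path):
    """Integrity data for one file: SHA-256 digest, size and modification time."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    st = Path(path).stat()
    return {"sha256": digest.hexdigest(), "size": st.st_size, "mtime": st.st_mtime}


def take_baseline(root):
    """Walk `root` and record integrity data for every regular file,
    keyed by the file's POSIX-style relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_baselines(old, new):
    """Report what an integrity checker would: files whose checksum changed,
    files that appeared, and files that vanished since the baseline."""
    return {
        "modified": sorted(f for f in old if f in new and old[f]["sha256"] != new[f]["sha256"]),
        "added": sorted(f for f in new if f not in old),
        "missing": sorted(f for f in old if f not in new),
    }


def heuristic_alerts(old, new, free_before, free_after,
                     critical_prefix="system/", max_free_drop=0.10):
    """Heuristic rules: size or timestamp changes in system files and a
    sudden decrease in free disk space (prefix and threshold are assumptions)."""
    alerts = []
    for name in sorted(old):
        if name in new and name.startswith(critical_prefix):
            if old[name]["size"] != new[name]["size"]:
                alerts.append(f"size change in system file {name}")
            elif old[name]["mtime"] != new[name]["mtime"]:
                alerts.append(f"timestamp change in system file {name}")
    if free_before > 0 and (free_before - free_after) / free_before > max_free_drop:
        alerts.append("sudden decrease in free disk space")
    return alerts


def demo():
    """Constructed sample run: a tiny file tree whose system file is altered
    and into which a new file is dropped between two baselines."""
    root = Path(tempfile.mkdtemp())
    try:
        (root / "system").mkdir()
        (root / "docs").mkdir()
        (root / "system" / "kernel.bin").write_bytes(b"constructed kernel image")
        (root / "docs" / "notes.txt").write_bytes(b"constructed notes")
        before = take_baseline(root)
        # Simulated infection: the system file grows and a new file appears.
        (root / "system" / "kernel.bin").write_bytes(b"constructed kernel image" + b"PATCH")
        (root / "docs" / "dropped.bin").write_bytes(b"constructed dropped file")
        after = take_baseline(root)
        # The free-space figures (bytes before and after) are constructed too.
        return compare_baselines(before, after), heuristic_alerts(before, after, 1000, 800)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    changes, alerts = demo()
    print(changes)
    print(alerts)
```

The checksum comparison needs no knowledge of any particular virus, which is its strength against the zero-day and mutation problems above; its weakness is that the baseline itself must be taken on a known-clean system and stored where malware cannot rewrite it.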
A MALWARE TAXONOMY
• Denial of service attack (DoS) - Attack that produces so
many requests of system resources in the computer under
attack—such as calls to the operating system, or opening
dialogs with other machines and then hanging onto the line
to tie it up—that normal functions on the targeted
computer are overwhelmed and cease.
• Distributed DoS attack (DDoS) - DoS attack launched from
many different computers, usually zombies hijacked for this
purpose.
• Rootkit - Malware, usually a small suite of programs, that
installs a new account or steals an existing one, and then
elevates the security level of that account to the highest
degree (root for Unix, Administrator for Windows) so that
attackers can do their will without obstruction.
• Sniffer - An attack, usually a Trojan horse, that
monitors computer transactions or keystrokes. A
keystroke logger, for instance, detects sensitive
information by monitoring the user’s keystrokes.
• Trojan horse - Malware named for its method of
getting past computer defenses by pretending to
be something useful.
• Zombie - A corrupted computer that is waiting
for instructions and commands from its master,
the attacker.



Financial Effects of Malicious Programs
Spending time recovering from a virus steals
opportunity in a few ways:
• The time and effort it takes to root out the
virus and repair the damage.
• The diversion of time and effort from what may have
been revenue production.
• The out-and-out loss of computer hardware (rare
these days) or documents, files, and applications that
either cannot be recovered, or for which the time and
expense of recovery can’t be justified.
END
