
1 NET 311 Information Security
Networks and Communication Department. Lecture 6: Malicious Software: Viruses (Chapter 21)

2 Lecture contents
• Malicious software
• Viruses: types, phases, countermeasures
11-Nov-18 Networks and Communication Department

3 Viruses and Other Malicious Content
• Computer viruses have received a lot of publicity.
• They are one member of a family of malicious software.
• Their effects are usually obvious.
• They have figured in news reports, fiction and movies (often exaggerated).
• They get more attention than they deserve, but they are still a concern.

4 Malicious Software

5 Malicious Software
Zombie: a program on an infected machine that is activated to launch attacks on other machines.


7 Viruses
A computer virus is a piece of software that infects programs by modifying them to include a copy of the virus, so that the virus executes secretly when the host program is run. Once a virus is executing, it can perform any function that is allowed by the privileges of the current user, such as erasing files and programs. Most viruses carry out their work in a manner that is specific to a particular operating system and, in some cases, specific to a particular hardware platform. Thus, they are designed to take advantage of the details and weaknesses of particular systems.

8 Virus damage
Usually, viruses do not do anything useful for their author; they are just pranks. Viruses range from the mildly annoying to the downright destructive, for example:
• Steal personal information
• Delete files
• Steal software serial numbers

9 Virus damage
Most viruses are comparatively harmless, and may be present for years with no noticeable effect; some, however, may cause random damage to data files or attempt to destroy files. Some viruses cause unintended damage. Even benign viruses cause significant damage by occupying disk space and main memory, by using up CPU processing time, and by the time and expense wasted in detecting and removing them.

10 Targets of viruses
Some viruses affect individual programs; therefore, there can be a copy of the virus in every program on the computer. Other viruses affect the operating system; therefore, there can be a copy of the virus on every computer disk. Some viruses are platform-dependent: they can work only within one particular operating system (of these viruses, 99% are oriented against the PC platform). Other viruses are platform-independent: these are macro viruses, working within a cross-platform environment (e.g. MS Word).

11 A lesson
Viruses cannot spread unless you run an infected program or open an infected document. Therefore, the good news is that a virus does not spread without human action to move it along, such as sharing a file or sending an e-mail.

12 Ways of attaching a virus to a program
• Overwriting
• Appending
For example, let us assume that a file with a program contains only executable instructions, and all these instructions are executed in order.

13 Before infecting (figure: an infected program is executed; a program to be infected)

14 Overwriting (figure: an infected program is executed; a program to be infected)

15 Appending (figure)

16 Overwriting vs appending
If the virus overwrites the program, the program stops working, and the user will notice that immediately. If the virus appends itself to the program, the length of the program changes, and this is easy to check.

17 Example: Melissa (Year: 1999)
Melissa is a macro virus living in MS Word documents. Any hardware platform and operating system that supports these applications can be infected, so it can spread on both PC and Mac platforms. Macro viruses are easily spread; a very common method is by electronic mail. Melissa is an e-mail virus:
1. The virus sends itself to everyone on the mailing list in the user's e-mail package.
2. The virus does local damage on the user's system.
The virus uses the Visual Basic scripting language supported by the package.

18 Example: Stealth
The name comes from the stealth bomber, an aircraft that radar cannot detect. Stealth virus: a form of virus explicitly designed to hide itself from detection by antivirus software. Thus, the entire virus, not just a payload, is hidden. One example of a stealth virus is a virus that uses compression so that the infected program is exactly the same length as an uninfected version. Far more sophisticated techniques are possible. For example, a virus can place intercept logic in disk I/O routines, so that when there is an attempt to read suspected portions of the disk using these routines, the virus will present back the original, uninfected program. Thus, stealth is not a term that applies to a virus as such but, rather, refers to a technique used by a virus to evade detection.

19 Stealth virus
1. A stealth virus infects both files and the operating system.
2. If you view or edit the infected file, it looks uninfected.
3. If you execute the infected file, it works as infected.

20 Polymorphic viruses
A polymorphic virus creates copies during replication that are functionally equivalent but have distinctly different bit patterns. It changes its code every time it infects a program; therefore, it is more difficult to find. For example, a polymorphic virus can distribute its code inside the original program.

21 Virus Phases
During its lifetime, a typical virus goes through the following four phases:
1. Dormant phase: The virus is idle. The virus will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit. Not all viruses have this stage.
2. Propagation phase: The virus places a copy of itself into other programs or into certain system areas on the disk. The copy may not be identical to the propagating version; viruses often morph to evade detection.

22 Virus Phases
3. Triggering phase: The virus is activated to perform the function for which it was intended. As with the dormant phase, the triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself.
4. Execution phase: The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.

23 Virus Structure
A computer virus has three parts:
• Infection mechanism: The means by which a virus spreads, enabling it to replicate. The mechanism is also referred to as the infection vector.
• Trigger: The event or condition that determines when the payload is activated or delivered.
• Payload: What the virus does, besides spreading. The payload may involve damage or may involve benign but noticeable activity.

24 Virus Structure
When an infected program is invoked, it executes the virus code first and then the original program code. A simple virus: the infected program begins with the virus code and works as follows. The first line of code is a jump to the main virus program. The second line is a special marker that is used by the virus to determine whether or not a potential victim program has already been infected with this virus. When the program is invoked, control is immediately transferred to the main virus program. The virus program may first seek out uninfected executable files and infect them. Next, the virus may perform some action, usually detrimental to the system. This action could be performed every time the program is invoked, or it could be a logic bomb that triggers only under certain conditions. Finally, the virus transfers control to the original program. If the infection phase of the program is reasonably rapid, a user is unlikely to notice any difference between the execution of an infected and an uninfected program.

25 Where do viruses come from?
• Global access: networks and conferences, file servers, FTP and BBS
• Local access: networks, pirated software
• General access: personal computers
A bulletin board system, or BBS, is a computer server running software that allows users to connect to the system using a terminal program. Once logged in, the user can perform functions such as uploading and downloading software and data.

26 Virus Countermeasures
The ideal solution to the threat of viruses is prevention: do not allow a virus to get into the system in the first place, or block the ability of a virus to modify any files containing executable code or macros. This goal is, in general, impossible to achieve. The next best approach is to be able to do the following:
• Detection: Once the infection has occurred, determine that it has occurred and locate the virus.
• Identification: Once detection has been achieved, identify the specific virus that has infected a program.
• Removal: Once the specific virus has been identified, remove all traces of the virus from the infected program and restore it to its original state. Remove the virus from all infected systems so that the virus cannot spread further.
Note: if detection succeeds but either identification or removal is not possible, then the alternative is to discard the infected file and reload a clean backup version.

27 Virus Countermeasures
Purchasing software
• Use only commercial software acquired from reliable, well-established vendors with significant reputations.
• Example: open-source software seems to be safe, but can be infected.

28 Virus Countermeasures
Keeping an eye on new software
• If possible, test all new software on an isolated computer and look for unexpected behavior.
• Run an up-to-date antivirus program after installing new software.
Taking care with attachments
• Open attachments only when you know them to be safe.

29 Virus Countermeasures
System recovery
• Make a system image and store it safely.
• Make and retain backup copies of executable system files.
Data recovery
• Back up all your work regularly and store backups safely.
• This rule not only protects you against viruses but also, e.g., against computer theft.

30 Virus Countermeasures
Antivirus programs
• Antivirus programs are otherwise known as virus detectors or virus scanners.
• Use them, and update them regularly.
Signature
• Simple virus detectors search files looking for a given signature in them. A signature is a piece of code typical of a particular virus.
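A minimal signature scanner of the kind the slide describes, written as an added example (it is not code from the lecture or from any antivirus product). The signatures and the "program" bytes are constructed for the demo, not real virus signatures; the wildcard bytes and the mutated copy show why a fixed byte pattern misses a polymorphic variant of the same virus.

```python
from typing import Dict, List, Optional

# Constructed signatures for this example only; they are NOT real virus
# signatures. A signature is a byte sequence typical of one virus; None
# marks a wildcard byte (a value that differs from infection to infection,
# such as an address the virus patches in).
SIGNATURES: Dict[str, List[Optional[int]]] = {
    "demo-virus-A": [0xEB, 0x10, 0x56, 0x58, None, None, 0xCD, 0x21],
    "demo-virus-B": [0xB8, 0x00, 0x4C, 0xCD, 0x21, 0x90, 0x90],
}

def matches_at(data: bytes, pos: int, sig: List[Optional[int]]) -> bool:
    """True if sig occurs at data[pos:], treating None as 'any byte'."""
    if pos + len(sig) > len(data):
        return False
    return all(b is None or data[pos + i] == b for i, b in enumerate(sig))

def scan_bytes(data: bytes, signatures=SIGNATURES) -> List[str]:
    """Return the names of all signatures found anywhere in data."""
    return [name for name, sig in signatures.items()
            if any(matches_at(data, pos, sig) for pos in range(len(data)))]

def demo() -> Dict[str, List[str]]:
    """Constructed stand-ins (no real malware): a clean program, the same
    program with the demo-virus-A pattern appended (wildcard bytes filled
    arbitrarily), and a 'polymorphic' copy with one extra 0x90 inserted."""
    clean = bytes(range(32))
    stub = bytes([0xEB, 0x10, 0x56, 0x58, 0x12, 0x34, 0xCD, 0x21])
    mutated_stub = bytes([0xEB, 0x10, 0x56, 0x90, 0x58, 0x12, 0x34, 0xCD, 0x21])
    return {
        "clean": scan_bytes(clean),            # []
        "infected": scan_bytes(clean + stub),  # ['demo-virus-A']
        # Same behaviour, different bit pattern: the fixed signature misses it,
        # which is why polymorphic viruses defeat simple scanners.
        "mutated": scan_bytes(clean + mutated_stub),  # []
    }
```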

31 Virus Countermeasures
Data integrity checking
• Use validation and data integrity checking utilities. They check file information (checksums, sizes, attributes, last modification dates, etc.). You should periodically compare such database information with the actual hard drive contents, because any inconsistency might be a signal of the presence of a Trojan horse or virus.
Immunizers
• With these programs, disk files are modified in such a way that the virus considers them already infected.
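An integrity-checking utility in the sense of this slide, and of the earlier point that an appended virus changes a program's length while an overwriting one changes its contents in place. This is an added example, not code from the lecture; the files, names and "infections" are constructed harmless byte blobs written to a temporary directory.

```python
import hashlib, tempfile
from pathlib import Path
from typing import Dict

def file_record(path: Path) -> Dict[str, object]:
    """Per-file entry of the integrity database. Sizes and dates are cheap
    pre-filters that a virus can restore; a strong hash is the authority."""
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": path.stat().st_size}

def build_baseline(root: Path) -> Dict[str, Dict[str, object]]:
    """Snapshot every file under root while the system is known to be clean."""
    return {str(p.relative_to(root)): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def check_integrity(root: Path, baseline: Dict) -> Dict[str, str]:
    """Hash changed + larger size is the trace of appending; hash changed at
    the same size is an overwrite (or a length-preserving stealth virus)."""
    findings: Dict[str, str] = {}
    for name, old in baseline.items():
        p = root / name
        if not p.is_file():
            findings[name] = "missing"
            continue
        new = file_record(p)
        if new["sha256"] != old["sha256"]:
            findings[name] = ("changed, grew (consistent with appending)"
                              if new["size"] > old["size"]
                              else "changed, not larger (overwrite or stealth)")
    for p in root.rglob("*"):
        rel = str(p.relative_to(root))
        if p.is_file() and rel not in baseline:
            findings[rel] = "not in baseline"
    return findings

def demo() -> Dict[str, str]:
    """Constructed scenario: harmless byte blobs stand in for programs and
    'infection' is simply appending or overwriting bytes (no real malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "calc.bin").write_bytes(b"\x90" * 64)
        (root / "edit.bin").write_bytes(b"\xcc" * 64)
        (root / "notes.bin").write_bytes(b"untouched")
        baseline = build_baseline(root)
        with open(root / "calc.bin", "ab") as f:        # appended
            f.write(b"APPENDED-STUB")
        (root / "edit.bin").write_bytes(b"\x00" * 64)    # overwritten, same length
        (root / "extra.bin").write_bytes(b"dropped")     # appeared after baseline
        return check_integrity(root, baseline)
```

The baseline must be taken on a known-clean system and stored where an infected machine cannot rewrite it, otherwise the comparison proves nothing.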

32 Digital Immune System
1. A monitoring program on each PC uses a variety of heuristics based on system behavior, suspicious changes to programs, or family signature to infer that a virus may be present. The monitoring program forwards a copy of any program thought to be infected to an administrative machine within the organization.
2. The administrative machine encrypts the sample and sends it to a central virus analysis machine.
3. This machine creates an environment in which the infected program can be safely run for analysis. Techniques used for this purpose include emulation, or the creation of a protected environment within which the suspect program can be executed and monitored. The virus analysis machine then produces a prescription for identifying and removing the virus.
4. The resulting prescription is sent back to the administrative machine.
5. The administrative machine forwards the prescription to the infected client.
6. The prescription is also forwarded to other clients in the organization.
7. Subscribers around the world receive regular antivirus updates that protect them from the new virus.

33 Behavior-Blocking Software
Figure 21.5 illustrates the operation of a behavior blocker. Behavior-blocking software runs on server and desktop computers and is instructed through policies set by the network administrator to let benign actions take place but to intercede when unauthorized or suspicious actions occur. The module blocks any suspicious software from executing. A blocker isolates the code in a sandbox, which restricts the code's access to various OS resources and applications. The blocker then sends an alert.

34 References
• Cryptography and Network Security: Principles and Practice, William Stallings, fifth edition, 2011.
• Lecture slides by Lawrie Brown for "Cryptography and Network Security", 5/e, by William Stallings, Chapter 21 – "Malicious Software".
• Lecture slides by Dr Alexei Vernitski, University of Essex, 2013.
