Computer Security: Principles and Practice Introduction

1 Computer Security: Principles and Practice Introduction
by William Stallings and Lawrie Brown. Lecture slides by Lawrie Brown & Susan Lincke.
Lecture slides prepared by Dr Lawrie Brown for “Computer Security: Principles and Practice”, 1/e, by William Stallings and Lawrie Brown, Chapter 6 “Malicious Software”.
Chapter 6 – Malicious Software = Malware

2 Study Sheet
Define attacks: cracking, script kiddies, cyberterrorist, phishing, spearphishing, pharming, drive-by download.
Define and provide examples for: social engineering, Denial of Service.
Define and describe: DDOS, logic bomb, worm, virus, trojan horse, backdoor, botnet, handler, bot, spyware, adware, root kit, spamware, crimeware.
Define and describe: stealth virus, polymorphic virus, metamorphic virus, macro virus, boot sector virus, zero-day exploit, rate limiting, immune system.
Describe why ‘ethical’ hackers are not completely ethical.
Define the 4 stages of viruses and worms.
Define 4 mechanisms antivirus software uses to recognize or control viruses and worms.
Chapter 6 summary.

3 FBI Priorities
1. Protect the United States from terrorist attack
2. Protect the United States against foreign intelligence operations and espionage
3. Protect the United States against cyber-based attacks and high-technology crimes
4. Combat public corruption at all levels
5. Protect civil rights
6. Combat transnational/national criminal organizations and enterprises
7. Combat major white-collar crime
8. Combat significant violent crime
9. Support federal, state, local and international partners
10. Upgrade technology to successfully perform the FBI’s mission

4 The Problem of Network Security
The Internet allows an attacker to attack from anywhere in the world from their home desk. The attacker needs to find only one vulnerability; a security analyst needs to close every vulnerability.

5 Progress of Security Attacks
Threat Type. Year: Example Threats
Experiment. 1984: Fred Cohen publishes “Computer Viruses: Theory and Experiments”.
Vandalism. 1988: Jerusalem Virus deletes all executable files on the system, on Friday the 13th. 1991: Michelangelo Virus reformats hard drives on March 6, Michelangelo’s birthday.
Hacktivism. 2010: Anonymous’ Operation Payback hits credit card and communication companies with DDOS after the companies refuse to accept payments for WikiLeaks.
Cyber-crime. 2007: Zeus Trojan becomes ‘popular’; it turns computers into zbots and its spyware steals credit card (CC) numbers. 2008-9: Gonzalez re-arrested for implanting spyware on WLANs, affecting 171 M CC. 2013: In July 160 M CC numbers are stolen via SQL attack. In Dec. 70 M CC numbers are stolen through Target stores. 2016-7: Ransomware charges $522 to decrypt your disk; Petya/NotPetya does not. 2017: Cryptocurrency coin mining.
Information Warfare. 2007, 2008: Russia launches DDOS attacks against Estonia and Georgia news, gov’t, banks. 2010: Stuxnet worm disables 1000 of Iran’s nuclear centrifuges. 2016-7: N. Korea’s Lazarus group steals $81 M from Bangladesh Central Bank and releases WannaCry ransomware to fund military operations.
Surveillance State. 2012: Chinese affiliates attack U.S. businesses to steal intellectual property. 2013: Lavabit closes its secure service rather than divulge its corporate private key to the NSA without customers’ knowledge.

6 History of Cyber-War
YEAR: FROM -> TO. ATTACK DESCRIPTION
2007: Russia -> Estonia. DOS attacks on gov’t, financial institutions, news.
2008: Russia -> Georgia. DOS attacks on Internet, gov’t websites. US -> US. Malware to top aides of presidential candidates.
2009: China -> Embassies, foreign ministries. GhostNet malware: Command & Control software.
2012: US, Israel -> Iran. Stuxnet Worm disables nuclear facilities.
2010: India <-> Pakistan. Hacker groups hit gov’t websites.
2011: China -> Canada. Spyware virus causes shutdown of economic agencies. -> Iran, Middle East. Flame cyber-espionage malware.
2013: N. Korea -> S. Korea. Dark Seoul malware hits TV, banks; makes computers unusable.

7 2014 Ponemon Breach Cost by Industry
Industry: Prob. of Breach / Cost per record / Churn rate
Communications: 15.6% / 219 / 1.2
Consumer: 19.9% / 196 / 2.6
Education: 21.1% / 254 / 2.0
Energy: 7.5% / 237 / 4.0
Financial: 17.1% / 236 / 7.1
Health care: 19.2% / 316 / 5.3
Hospitality: 19.5% / 93 / 2.9
Industry: 9.0% / 204 / 3.6
Media: 19.7% / 183 / 1.9
Pharmaceutical: 16.9% / 209 / 3.8
Public sector: 23.8% / 172 / 0.1
Research: 11.5% / 73 / 0.7
Retail: 22.7% / 125 / 1.4
Services: 19.8% / 223 / 4.2
Technology: 18.9% / 181 / 6.3
Transportation: 13.5% / 286 / 5.5

8 Crackers
Cracker: Computer-savvy programmer who creates attack software; gets info from hacker bulletin boards.
System Administrators: Some scripts are useful to protect networks…
Script Kiddies: Know how to execute programs.
Criminals: Create & sell botnets -> spam; sell credit card numbers, …
Nation States: Cyber-warfare, spying, extortion, DDOS.
Dark Web For Sale: Credit Cards, Medical Insurance, Identification, Malware. Crimeware or Attack Kit = $1K-2K; 1 M addresses = $8; 10,000 PCs = $1000.

9 Other Hackers/Crackers:
Cyberterrorists
Cyberwar: National governments attack IT
Espionage. Accused: Russia, North Korea, China, France, South Korea, Germany, Israel, India, Pakistan, US.

10 Advanced Persistent Threat
Advanced: Combination of custom & common malware
Target: Business or gov’t data/operation
Persistent: Extended-period attack until the target is compromised
Threat: Organized, capable, well-funded attacker
Source: Gov’t or criminal enterprise

11 Who-What-How (Verizon 2018 Data Breach Investigations Report)
Who: Organized crime (50%), Nation-states (12%), Insiders (28%), Partners
What: Cyber-attacks, Point of Sale CC skimmers, Ransomware (56%), DDOS, Data breach
How: Phishing (93%), Cmd & Cntrl (36%), Backdoor malware, Privilege misuse, Collusion, Partner abuse

12 A Common Means of Attack

13 Social Engineering
“I need a password reset. What is the passwd set to?”
“ABC Bank has noticed a problem with your account…”
“This is John, the System Admin. What is your password?”
“I have come to repair your machine…”
“What ethnicity are you? Your mother’s maiden name?”
Always be sure who you’re talking to before you give out information, and keep your software patched.

14 Phishing = Fake Email
ABC BANK: “Your bank account password is about to expire. Please login…”
Spearphishing: “John: Could you send Automated Services $1200? Joe (CEO)”
“The bank has found problems with your account. Please contact …”
“Greetings to good sir in USA. I am here wishing to offer you a good bargain in exchange for your help. You understand, I must now leave my home country of Nigeria where I have the ten million Euros in the bank, but I need a new place where to transfer it so when I reach my new home I can still feed my children. If you would please to offer me your bank number and information I will immediately send to you one million of the Euros…”

15 Pharming = Fake web pages
A fake web page may lead to a real web page. The fake web page looks like the real thing and extracts account information.
(Mock-up: “Welcome To ABC Bank” with Login and Passwd fields)

16 Drive-By Download
A web site exploits a vulnerability in the visitor’s browser when the site is viewed.
Games: Vampires and Wolfmen; Planet of the Apes; Dungeons and Dragons

17 Social Engineering (Verizon 2018 Data Breach Investigations Report)
Phishing and pretexting: 93% of breaches.
Phishing: Gain a foothold. Techniques: Malware >67%. Goals: Financial 59%, Spying 41%. Prominent technique: 96% malicious attachment, or link to pharming website. 78% do not click a single phish all year; 4% phish acceptance rate.
Pretexting: Dialogue to obtain info or influence. Technique: CEO impersonation. Human resources: W2 info -> fraudulent tax returns. Finance: transfer $. Malware 10%. Financial: 95%.

18 Attack Kit - Crimeware
Attack kit = Crimeware: Tools which generate malware automatically with varied propagation and payload mechanisms.
Auto-rooter: Breaks into new machines remotely.
Downloader: The original attack opens the door, then downloads the full attack software.
Spammer program: Generates large volumes of unwanted e-mail.

19 Exploit/Maintain Access
Backdoor: An abnormal way to enter a system, provided by a programmer or by a vulnerability. It may be left by a programmer, or once the cracker has entered, they can expand their access and hide their break-in.
Trojan Horse: A useful utility that also performs a malicious function.
User-Level Rootkit: Replaces system executables, e.g. login, ls, du, to hide itself.
Kernel-Level Rootkit: Replaces OS kernel components, e.g. process or file control, to hide.
Bots: The slave forwards/performs commands; spreads, lists addresses, performs DOS attacks.
Spyware/Adware: Spyware collects info: keystroke logger, collects credit card #s. Adware inserts ads and filters search results.

20 Root Kit
Upon penetrating a computer, a hacker installs a root kit. It may enable:
• Easy entrance for the hacker (and others): backdoor entry, hidden user
• Keystroke logger
• Eliminating evidence of the break-in
• Modifying the operating system
• Requires a new OS install when detected
Once a hacker has gained admin-level access, he can install tools for use in later sessions. These can include a backdoor for easy access, trojans to hide the hacker’s activities, etc.

21 Rootkit System Table Mods
Programs operating at the user level interact with the kernel through system calls. Thus, system calls are a primary target of kernel-level rootkits to achieve concealment. As an example of how rootkits operate, we look at the implementation of system calls in Linux. In Linux, each system call is assigned a unique syscall number. When a user-mode process executes a system call, the process refers to the system call by this number. The kernel maintains a system call table with one entry per system call routine; each entry contains a pointer to the corresponding routine. The syscall number serves as an index into the system call table. [LEVI06] lists three techniques that can be used to change system calls:
• Modify the system call table: The attacker modifies selected syscall addresses stored in the system call table. This enables the rootkit to direct a system call away from the legitimate routine to the rootkit's replacement. Figure 7.8 shows how the knark rootkit achieves this.
• Modify system call table targets: The attacker overwrites selected legitimate system call routines with malicious code. The system call table is not changed.
• Redirect the system call table: The attacker redirects references to the entire system call table to a new table in a new kernel memory location.
If a kernel-level rootkit is detected, by any means, the only secure and reliable way to recover is to do an entire new OS install on the infected machine.
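The three [LEVI06] techniques can be told apart by an integrity checker that records, while the system is known to be clean, where the table lives, what each entry points at, and a hash of each target routine, and later compares the live kernel against that baseline. The Python below is an added example written for this page, not code from the textbook, from any real rootkit, or from the Linux kernel: it models the dispatch mechanism with a toy `Kernel` class whose `sys_call_table` list is indexed by syscall number, and the `demo_*` functions stage each modification technique on that toy so the checker's classification can be seen. The names `Kernel`, `snapshot`, `check` and `_hooked_getdents` are assumptions of the example.

```python
import hashlib
import marshal

# Constructed stand-ins for a kernel's system call routines (not real Linux code).
def sys_read():
    return "file contents"

def sys_write():
    return "wrote"

def sys_getdents():
    return ["bin", "etc", "home", "secret.log"]

class Kernel:
    """Toy kernel: the syscall number indexes a table of routine pointers."""
    def __init__(self):
        self.sys_call_table = [sys_read, sys_write, sys_getdents]

    def syscall(self, number):
        return self.sys_call_table[number]()

def _routine_fingerprint(fn):
    # Hash of the routine's compiled code: changes if the body is rewritten in place.
    return hashlib.sha256(marshal.dumps(fn.__code__)).hexdigest()

def snapshot(kernel):
    """Baseline recorded while the kernel is known clean: the table's location,
    what each entry points at, and a fingerprint of each target routine."""
    return {
        "table": id(kernel.sys_call_table),
        "entries": [id(fn) for fn in kernel.sys_call_table],
        "targets": [_routine_fingerprint(fn) for fn in kernel.sys_call_table],
    }

def check(kernel, baseline):
    """Compare the live kernel with the baseline and name the [LEVI06] technique
    that explains each difference. Returns a list of (syscall number, finding)."""
    findings = []
    if id(kernel.sys_call_table) != baseline["table"]:
        findings.append((None, "redirected system call table"))
    for number, fn in enumerate(kernel.sys_call_table):
        if id(fn) != baseline["entries"][number]:
            findings.append((number, "modified system call table entry"))
        elif _routine_fingerprint(fn) != baseline["targets"][number]:
            findings.append((number, "modified system call target"))
    return findings

# Constructed replacement routine that drops one file from directory listings,
# standing in for a rootkit's getdents hook in the demos below.
def _hooked_getdents():
    return ["bin", "etc", "home"]

def demo_clean():
    k = Kernel()
    return check(k, snapshot(k))

def demo_modify_entry():
    # Technique 1: the table entry now points at the hook.
    k = Kernel()
    base = snapshot(k)
    k.sys_call_table[2] = _hooked_getdents
    return check(k, base)

def demo_modify_target():
    # Technique 2: the table is untouched; the routine's code is overwritten in place
    # (simulated by swapping the function's code object, restored afterwards).
    k = Kernel()
    base = snapshot(k)
    original = sys_getdents.__code__
    try:
        sys_getdents.__code__ = _hooked_getdents.__code__
        return check(k, base)
    finally:
        sys_getdents.__code__ = original

def demo_redirect_table():
    # Technique 3: the kernel now dispatches through a copy of the table at a new location.
    k = Kernel()
    base = snapshot(k)
    k.sys_call_table = list(k.sys_call_table)
    return check(k, base)

if __name__ == "__main__":
    for demo in (demo_clean, demo_modify_entry, demo_modify_target, demo_redirect_table):
        print(demo.__name__, demo())
```

Real kernel integrity checkers work the same way in spirit, comparing the live table and routine code against a trusted copy, which is why the slide's advice stands: a detection tells you the kernel can no longer be trusted, and the recovery is a reinstall, not a repair.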

22 Other Malware
Logic Bomb: Functional software has a built-in malicious attack or failure mechanism. E.g., the software will malfunction if the maintenance fee is not paid. A logic bomb will sit on your computer until some specific event happens, then it will execute.
Ransomware: E.g., pay a fee to decrypt your software (or just pay the fee).
Trojan Horse: E.g., social engineering: “Try this game…it is so cool”. The game also e-mails the password file.

23 Denial of Service
Single-Message DoS Attacks: Crash or disable the system by attacking a vulnerability.
Flooder DoS Attack: Flood the victim with requests.
SYN Flooding: Flood the victim host with TCP SYNs (which initiate a session).
Smurf Attack: Broadcast pings to third parties with the source address of the victim host.
Amplification Attack: Uses a broadcast address (common in 2017).
Rabbit or Bacteria: Reproduces exponentially, using up system resources.
Coin Mining: Your web browser mines cryptocurrencies (e.g., Monero) for money for the attacker.
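The flooding attacks above leave distinctive traffic patterns: a SYN flood shows many half-open handshakes (SYN seen, the client's final ACK never arrives), and a smurf attack shows echo requests sent to a broadcast address carrying the victim's address as source. The Python below is an added example, not part of the slides: it runs a half-open connection tracker and a broadcast-ping counter over a small constructed packet list (`SAMPLE_PACKETS`, tuples of protocol, source, destination, TCP flags or ICMP type) and reports alerts. The alert threshold and the `.255` broadcast convention for the toy /24 networks are assumptions of the example.

```python
from collections import defaultdict

# Constructed packet summaries standing in for a capture: (protocol, src, dst, info).
SAMPLE_PACKETS = [
    # legitimate client completes the three-way handshake with the server 192.0.2.10
    ("tcp", "10.0.0.5", "192.0.2.10", "S"),
    ("tcp", "192.0.2.10", "10.0.0.5", "SA"),
    ("tcp", "10.0.0.5", "192.0.2.10", "A"),
    # SYN flood: five (probably spoofed) sources send SYNs and never finish the handshake
    *[("tcp", f"198.51.100.{i}", "192.0.2.10", "S") for i in range(1, 6)],
    *[("tcp", "192.0.2.10", f"198.51.100.{i}", "SA") for i in range(1, 6)],
    # smurf: echo requests to a broadcast address with the victim's address as source
    ("icmp", "192.0.2.10", "203.0.113.255", "echo-request"),
    ("icmp", "192.0.2.10", "203.0.113.255", "echo-request"),
]

BROADCAST_SUFFIX = ".255"   # assumption: toy /24 networks, broadcast is the .255 host

def analyze(packets, half_open_threshold=3):
    """Return sorted alerts of the form (kind, address, count)."""
    half_open = defaultdict(set)        # server -> clients with a SYN but no completing ACK
    broadcast_pings = defaultdict(int)  # claimed source -> echo requests sent to a broadcast address
    for proto, src, dst, info in packets:
        if proto == "tcp":
            if info == "S":                       # handshake step 1: client opens
                half_open[dst].add(src)
            elif info == "A" and src in half_open.get(dst, ()):
                half_open[dst].discard(src)       # handshake step 3: client completes
        elif proto == "icmp" and info == "echo-request" and dst.endswith(BROADCAST_SUFFIX):
            broadcast_pings[src] += 1             # every reply will go to src, the real victim
    alerts = []
    for server, clients in half_open.items():
        if len(clients) >= half_open_threshold:
            alerts.append(("syn-flood", server, len(clients)))
    for victim, count in broadcast_pings.items():
        alerts.append(("smurf", victim, count))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in analyze(SAMPLE_PACKETS):
        print(alert)
```

In the smurf case the address reported is not the host sending the packets but the one named as their source, which is the host that will be hit by the amplified replies; that is the address a responder needs to protect.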

24 Covert Channel
Exfiltrate information outside the organization.
E.g.: manipulate bits in a jpeg or mpeg
E.g.: carry out info in a Lady GaGa CD
E.g.: set bytes in an Excel spreadsheet

25 Mobile Malware
Mobile apps can be:
Adware: Displays advertisements on other apps
Chargeware: Charges for services without explicit notification
Riskware: Reduces device security
Spyware: Gathers information for another party
Trojans: Features useful and unadvertised malicious intent

26 Malicious Software
Programs exploiting system vulnerabilities are known as malicious software or malware.
• Program fragments that need a host program, e.g. viruses, logic bombs, and backdoors
• Independent self-contained programs, e.g. worms, bots
• Replicating or not
• A sophisticated threat to computer systems
Perhaps the most sophisticated types of threats to computer systems are presented by programs that exploit vulnerabilities in computing systems. Such threats are referred to as malicious software, or malware. In this context, we are concerned with application programs as well as utility programs, such as editors and compilers, and kernel-level programs. This chapter examines malicious software, with a special emphasis on viruses and worms. The chapter begins with a survey of various types of malware, with a more detailed look at the nature of viruses and worms. We then turn to bots and rootkits. Throughout, the discussion presents both threats and countermeasures.
Malicious software can be divided into two categories: those that need a host program, and those that are independent. The former are essentially fragments of programs that cannot exist independently of some actual application program, utility, or system program. Viruses, logic bombs, and backdoors are examples. The latter are self-contained programs that can be scheduled and run by the operating system. Worms and bot programs are examples.
We can also differentiate between those software threats that do not replicate and those that do. The former are programs or fragments of programs that are activated by a trigger. Examples are logic bombs, backdoors, and bot programs. The latter consist of either a program fragment or an independent program that, when executed, may produce one or more copies of itself to be activated later on the same system or some other system. Viruses and worms are examples.

27 Malware Propagation Classification
Infection of executable (e.g., virus)
Social engineering (e.g., phishing, pretexting, watering hole, Trojans)
Exploit of software vulnerability (SQL attack, worm)

28 Botnets: Command and Control
Botnets: Attacker -> Handler -> Bots (Zombies), spread across countries, e.g. Russia, Hungary.
Bots: Host illegal movies, music, pornography, criminal web sites, …; forward spam for financial gain; sniffing traffic or keylogging; DDOS, spread bots; manipulate voting games; generate clicks for ads.
Because these networks span the world, it is very difficult for law enforcement to backtrack, find and prosecute the attacker. Multiple layers and countries can help to hide the attacker. In fact, laws vary in different countries, and law enforcement often has different priorities.

29 Bots: Command & Control
A program taking over other computers; attacks are hard to trace if coordinated; the bots form a botnet. Characteristics: a remote control facility via IRC/HTTP etc.; a spreading mechanism: attack software, a vulnerability, a scanning strategy. Various counter-measures are applicable.
A bot (robot), also known as a zombie or drone, is a program that secretly takes over hundreds or thousands of Internet-attached computers and then uses those computers to launch attacks that are difficult to trace to the bot's creator. The collection of bots often is capable of acting in a coordinated manner; this is referred to as a botnet. A botnet exhibits three characteristics: the bot functionality, a remote control facility, and a spreading mechanism to propagate the bots and construct the botnet. Some uses of bots include: distributed denial-of-service attacks, spamming, sniffing traffic, keylogging, spreading new malware, installing advertisement add-ons and browser helper objects (BHOs), attacking IRC chat networks, manipulating online polls/games.
The remote control facility is what distinguishes a bot from a worm. A typical means of implementing the remote control facility is on an IRC (Internet relay chat) server. More recent botnets tend to avoid IRC mechanisms and use covert communication channels via protocols such as HTTP. Once a communications path is established between a control module and the bots, the control module can activate the bots, and even issue update commands that instruct the bots to download a file from some Internet location and execute it, making a more general-purpose tool that can be used for multiple attacks.
The first step in a botnet attack is for the attacker to infect a number of machines with bot software that will ultimately be used to carry out the attack. The essential ingredients in this phase of the attack are: software that can carry out the attack; a vulnerability in a large number of systems; a strategy for locating vulnerable machines, a process known as scanning.
A number of the countermeasures discussed in this and the preceding chapter make sense against bots, including IDSs, honeypots, and digital immune systems.

30 Bot Uses
DDOS attacks: E.g., Internet Relay Chat overload
Spamming
Spying: Sniffing traffic; Keylogging
Malware abuse: Spread malware; Install advertisement add-ons: pay-for-clicks; Manipulating online games

31 Distributed Denial of Service
Attacker -> Handler -> Zombies (Bots, Flooders) -> Victim, spread across countries, e.g. China, Russia, United States.
The terms ‘bot’ and ‘zombie’ are interchangeable. A ‘botnet’ is a large number of bots (or zombies) used for DDOS attacks. Flooders generate a large volume of data to attack victims; they can barrage a victim server with requests, causing the network to fail to respond to anyone.

32 Virus
“Dear John, This link is a cool web site”
A virus attaches itself to a program, file, or disk. When the program is executed, the virus too is executed. When the program is given away (floppy/e-mail) the virus spreads. The virus may be benign or malignant, but it executes its payload at some point (often upon contact).
(Diagram: Program A infects Program A + Extra Code)

33 Viruses
A piece of software that infects programs, modifying them to include a copy of the virus, so that it executes secretly when the host program is run. A typical virus goes through phases of:
• Dormant: Wait for file presence, date, event, …
• Propagation: Spreading technique
• Triggering: Complete full intention
• Execution: Harmless or harmful
A virus is a piece of software that can "infect" other programs by modifying them; the modification includes a copy of the virus program, which can then go on to infect other programs. A virus can do anything that other programs do. The difference is that a virus attaches itself to another program and executes secretly when the host program is run. Once a virus is executing, it can perform any function, such as erasing files and programs. Most viruses carry out their work in a manner that is specific to a particular operating system and, in some cases, specific to a particular hardware platform. Thus, they are designed to take advantage of the details and weaknesses of particular systems. During its lifetime, a typical virus goes through the following four phases:
• Dormant phase: The virus is idle. The virus will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit. Not all viruses have this stage.
• Propagation phase: The virus places an identical copy of itself into other programs or into certain system areas on the disk. Each infected program will now contain a clone of the virus, which will itself enter a propagation phase.
• Triggering phase: The virus is activated to perform the function for which it was intended. As with the dormant phase, the triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself.
• Execution phase: The function is performed, which may be harmless, e.g. a message on the screen, or damaging, e.g. the destruction of programs and data files.

34 Virus Structure
Components:
• Infection mechanism: enables replication
• Trigger: event that makes the payload activate
• Payload: what it does, malicious or benign
The virus may be prepended / postpended / embedded. When the infected program is invoked, it executes the virus code, then the original program code. One can block the initial infection (difficult) or the propagation (with access controls).
A computer virus has three parts [AYCO06]:
• Infection mechanism: The means by which a virus spreads, enabling it to replicate. The mechanism is also referred to as the infection vector.
• Trigger: The event or condition determining when the payload is activated or delivered.
• Payload: What the virus does, besides spreading. The payload may involve damage or may involve benign but noticeable activity.
A virus can be prepended or postpended to an executable program, or it can be embedded in some other fashion. The key to its operation is that the infected program, when invoked, will first execute the virus code and then execute the original code of the program. Once a virus has gained entry to a system by infecting a single program, it is in a position to infect some or all other executable files on that system when the infected program executes. Thus, viral infection can be completely prevented by preventing the virus from gaining entry in the first place. Unfortunately, prevention is extraordinarily difficult because a virus can be part of any program outside a system. Thus, unless one is content to take an absolutely bare piece of iron and write all one's own system and application programs, one is vulnerable. The lack of access controls on early PCs is a key reason why traditional machine code based viruses spread rapidly on these systems. In contrast, while it is easy enough to write a machine code virus for UNIX systems, they were almost never seen in practice because the access controls on these systems prevented effective propagation of the virus.

35 Virus Structure
A very general depiction of virus structure is shown in Figure 7.1 (based on [COHE94]). In this case, the virus code, V, is prepended to infected programs, and it is assumed that the entry point to the program, when invoked, is the first line of the program. An infected program begins with the virus code and works as follows. The first line of code is a jump to the main virus program. The second line is a special marker that is used by the virus to determine whether or not a potential victim program has already been infected with this virus. When the program is invoked, control is immediately transferred to the main virus program. The virus program first seeks out uninfected executable files and infects them. Next, the virus may perform some action, usually detrimental to the system. This action could be performed every time the program is invoked, or it could be a logic bomb that triggers only under certain conditions. Finally, the virus transfers control to the original program. If the infection phase of the program is reasonably rapid, a user is unlikely to notice any difference between the execution of an infected and uninfected program.

36 Compression Virus
A virus such as the one just described is easily detected because an infected version of a program is longer than the corresponding uninfected one. A way to thwart such a simple means of detecting a virus is to compress the executable file so that both the infected and uninfected versions are of identical length. The code shown from Figure 7.2 [COHE94] shows in general terms the logic required. The key lines in this virus are numbered, and Figure 7.3 at the bottom from [COHE94] illustrates the operation. In this example, the virus does nothing other than propagate. As in the previous example, the virus may include a logic bomb. We assume that program P1 is infected with the virus CV. When this program is invoked, control passes to its virus, which performs the following steps:
1. For each uninfected file P2 that is found, the virus first compresses that file to produce a compressed version, which is shorter than the original program by the size of the virus.
2. A copy of the virus is prepended to the compressed program.
3. The compressed version of the original infected program is uncompressed.
4. The uncompressed original program is executed.

37 Virus Target Classification
boot sector: Spreads when the system is booted from a disk containing the virus
macro virus: Inserted in an application file as a script (e.g., MS Word doc.)
file infector: Infects an executable in the OS or shell
multipartite: Infects in multiple ways/files; difficult to clean, eradicate
There has been a continuous arms race between virus writers and writers of antivirus software since viruses first appeared. As effective countermeasures have been developed for existing types of viruses, new types have been developed. A virus classification by target includes the following categories:
• Boot sector infector: Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.
• File infector: Infects files that the operating system or shell consider to be executable.
• Macro virus: Infects files with macro code that is interpreted by an application.
A virus classification by concealment strategy includes the following categories:
• Encrypted virus: The virus creates a random encryption key, stored with the virus, and encrypts the remainder of the virus. When an infected program is invoked, the virus uses the stored random key to decrypt the virus. When the virus replicates, a different random key is selected.
• Stealth virus: A form of virus explicitly designed to hide itself from detection by antivirus software. Thus, the entire virus, not just a payload, is hidden.
• Polymorphic virus: A virus that mutates with every infection, making detection by the “signature” of the virus impossible.
• Metamorphic virus: As with a polymorphic virus, a metamorphic virus mutates with every infection. The difference is that a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection. Metamorphic viruses may change their behavior as well as their appearance.

38 Virus Concealment Strategies
encrypted virus: Uses a random key to encrypt the virus, and stores the key with the virus
stealth virus: Hides via encryption, file sizing, virus location, rootkit
polymorphic virus: Mutates into a new virus with each infection
metamorphic virus: Changes itself with each iteration; also polymorphic

39 Macro Virus
Became very common in the mid-1990s since: platform independent; infect documents; easily spread; exploit the macro capability of office apps (an executable program embedded in an MS Office doc, often a form of Basic). More recent releases include protection; recognized by many anti-virus programs.
In the mid-1990s, macro viruses became by far the most prevalent type of virus. Macro viruses are particularly threatening for a number of reasons:
1. A macro virus is platform independent. Virtually all of the macro viruses infect Microsoft Word documents. Any hardware platform and operating system that supports Word can be infected.
2. Macro viruses infect documents, not executable portions of code. Most of the information introduced onto a computer system is in the form of a document rather than a program.
3. Macro viruses are easily spread. A very common method is by electronic mail.
Macro viruses take advantage of a feature found in Word and other office applications such as Microsoft Excel, namely the macro. In essence, a macro is an executable program embedded in a word processing document or other type of file. Typically, users employ macros to automate repetitive tasks and thereby save keystrokes. The macro language is usually some form of the Basic programming language. A user might define a sequence of keystrokes in a macro and set it up so that the macro is invoked when a function key or special short combination of keys is input. Successive releases of Word provide increased protection against macro viruses. For example, Microsoft offers an optional Macro Virus Protection tool that detects suspicious Word files and alerts the customer to the potential risk of opening a file with macros. Various antivirus (A/V) product vendors have also developed tools to detect and correct macro viruses. As in other types of viruses, the arms race continues in the field of macro viruses, but they no longer are the predominant virus threat.
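Today's counterpart of the Macro Virus Protection check described above is to look inside an attachment before it reaches the user: macro-enabled Office Open XML documents (.docm, .xlsm, .pptm) carry their VBA code in a `vbaProject.bin` part inside the ZIP package, and the older binary .doc/.xls formats, which can also carry macros, start with the OLE2 signature. The Python below is an added example, not code from the slides or from Microsoft: `classify_attachment` inspects the bytes rather than trusting the file name, and `review_reasons` lists what a mail gateway would hold for review, including a package whose macro-free extension disagrees with its contents. `build_docx` constructs a minimal package for the demonstration and is not a real Word file.

```python
import io
import zipfile

# Package parts that hold VBA macro code in Office Open XML documents.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Extensions that promise a macro-free package.
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")
# Signature of the legacy binary (OLE2 compound file) .doc/.xls/.ppt formats.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

def classify_attachment(name, data):
    """Return 'macro-ooxml', 'ooxml', 'legacy-binary' or 'other' from the bytes alone."""
    if data.startswith(OLE_MAGIC):
        return "legacy-binary"
    if data.startswith(b"PK"):           # ZIP container, as used by Office Open XML
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as package:
                names = set(package.namelist())
        except zipfile.BadZipFile:
            return "other"
        if any(part in names for part in MACRO_PARTS):
            return "macro-ooxml"
        if "[Content_Types].xml" in names:
            return "ooxml"
    return "other"

def review_reasons(name, data):
    """Reasons a gateway would hold the attachment for review (empty list = pass)."""
    kind = classify_attachment(name, data)
    reasons = []
    if kind == "macro-ooxml":
        reasons.append("contains a VBA project")
        if name.lower().endswith(MACRO_FREE_EXTENSIONS):
            reasons.append("extension claims macro-free but package carries a VBA project")
    elif kind == "legacy-binary":
        reasons.append("legacy binary Office format may carry macros")
    return reasons

def build_docx(with_macro):
    # Constructed minimal package for the demonstration; not a real Word document.
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<document/>")
        if with_macro:
            package.writestr("word/vbaProject.bin", b"\x00constructed macro blob")
    return buffer.getvalue()

if __name__ == "__main__":
    for filename, blob in [("report.docm", build_docx(True)),
                           ("report.docx", build_docx(True)),
                           ("report.docx", build_docx(False)),
                           ("old.doc", OLE_MAGIC + b"\x00" * 16)]:
        print(filename, classify_attachment(filename, blob), review_reasons(filename, blob))
```

Checking the container rather than the extension matters because the extension is attacker-controlled; the legacy format is only flagged here because deciding whether an OLE2 file actually contains a VBA stream needs a real OLE parser.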

40 E-Mail Viruses
A more recent development, e.g. Melissa: exploits an MS Word macro in an attached doc; if the attachment is opened, the macro activates, sends itself to all on the user’s address list, and does local damage. It had no dormant phase -> faster propagation: 100k computers in 3 days.
A more recent development in malicious software is the e-mail virus. The first rapidly spreading viruses, such as Melissa, made use of a Microsoft Word macro embedded in an attachment. If the recipient opens the attachment, the Word macro is activated. Then the virus sends itself to everyone on the mailing list in the user's package, and also does local damage. At the end of 1999, a more powerful version of the virus appeared. This newer version can be activated merely by opening an e-mail that contains the virus rather than opening an attachment. The virus uses the Visual Basic scripting language supported by the package. Thus we see a new generation of malware that arrives via e-mail and uses software features to replicate itself across the Internet. The virus propagates itself as soon as it is activated (either by opening an attachment or by opening the e-mail) to all of the addresses known to the infected host. As a result, whereas viruses used to take months or years to propagate, they now do so in hours. This makes it very difficult for antivirus software to respond before much damage is done. Ultimately, a greater degree of security must be built into Internet utility and application software on PCs to counter the growing threat.

41 Brain Virus
Lodges in upper memory, then sets the upper memory bound below itself.
Replaces the interrupt vector for disk reads to screen disk read calls; calls the interrupt handler after screening.
Places itself in the boot sector and six other sectors on disk; marks the sectors as ‘bad’ so they will not get overwritten.
Variants erase disks or destroy the file allocation table.

42 Virus Countermeasures
Prevention: the ideal solution, but difficult. Realistically need: detection, identification, removal. If we detect but can’t identify or remove, we must discard and replace the infected program. But what has the cracker done in the meantime?
The ideal solution to the threat of viruses is prevention: Do not allow a virus to get into the system in the first place. This goal is, in general, impossible to achieve, although prevention can reduce the number of successful viral attacks. The next best approach is to be able to do the following:
• Detection: Once the infection has occurred, determine that it has occurred and locate the virus.
• Identification: Once detection has been achieved, identify the specific virus that has infected a program.
• Removal: Once the specific virus has been identified, remove all traces of the virus from the infected program and restore it to its original state. Remove the virus from all infected systems so that the disease cannot spread further.
If detection succeeds but either identification or removal is not possible, then the alternative is to discard the infected program and reload a clean backup version.

43 Anti-Virus Evolution
Virus & antivirus technology have both evolved: early viruses were simple code, easily removed; more complex viruses -> more complex countermeasures. 4 generations:
• first: signature scanners
• second: heuristics, integrity checking & fragment recognition
• third: identify actions (e.g., decompression)
• fourth: combination packages; limit access control to system & files
Advances in virus and antivirus technology go hand in hand. Early viruses were relatively simple code fragments and could be identified and purged with relatively simple antivirus software packages. As the virus arms race has evolved, both viruses and, necessarily, antivirus software have grown more complex and sophisticated. [STEP93] identifies four generations of antivirus software:
A first-generation scanner requires a virus signature to identify a virus. The virus may contain "wildcards" but has essentially the same structure and bit pattern in all copies. Such signature-specific scanners are limited to the detection of known viruses.
A second-generation scanner uses heuristic rules to search for probable virus infection, e.g. to look for fragments of code that are often associated with viruses. Another second-generation approach is integrity checking, using a hash function rather than a simpler checksum.
Third-generation programs are memory-resident programs that identify a virus by its actions rather than its structure in an infected program. These have the advantage that it is not necessary to develop signatures / heuristics, but only to identify the small set of actions indicating an infection is attempted and then intervene.
Fourth-generation products are packages consisting of a variety of antivirus techniques used in conjunction. These include scanning and activity trap components. In addition, such a package includes access control capability, which limits the ability of viruses to penetrate a system and then limits the ability of a virus to update files in order to pass on the infection.
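The first two generations can be put side by side in a few lines. The Python below is an added example, not code from the textbook or from any antivirus product: `signature_scan` is a first-generation scanner whose constructed signature contains one wildcard byte, so it matches two variants that differ only in that byte; `IntegrityChecker` is the second-generation hash-based check, and the constructed `TAMPERED_PROGRAM` has two bytes swapped so that an additive checksum stays equal while the SHA-256 digest changes, which is the reason the slide prefers a hash function to a simpler checksum. Every byte string here is constructed for the demonstration; none is a real malware signature or executable.

```python
import hashlib
import re

# Constructed first-generation signature: fixed bytes with one wildcard position (".").
# DOTALL lets the wildcard match any byte value, including 0x0a.
SIGNATURE = re.compile(rb"\x90\x90\xeb.\x31\xc0", re.DOTALL)

def signature_scan(data):
    """First generation: does the known bit pattern (with wildcard) occur in the file?"""
    return SIGNATURE.search(data) is not None

def simple_checksum(data):
    """The 'simpler checksum' of the slide: a 16-bit additive sum, order-insensitive."""
    return sum(data) & 0xFFFF

class IntegrityChecker:
    """Second generation: record a cryptographic hash of each program while it is
    known clean, then report any program whose bytes no longer hash to that value."""
    def __init__(self):
        self.baseline = {}

    def record(self, name, data):
        self.baseline[name] = hashlib.sha256(data).hexdigest()

    def changed(self, name, data):
        return hashlib.sha256(data).hexdigest() != self.baseline[name]

# Constructed "executable" bytes for the demonstration.
CLEAN_PROGRAM = b"\x55\x89\xe5\x83\xec\x10\xc9\xc3"
# Same bytes with positions 4 and 5 swapped: the additive checksum cannot tell.
TAMPERED_PROGRAM = b"\x55\x89\xe5\x83\x10\xec\xc9\xc3"
# Two constructed infected variants that differ only in the wildcard byte.
VARIANT_A = b"\x55\x90\x90\xeb\x05\x31\xc0\xc3"
VARIANT_B = b"\x55\x90\x90\xeb\x07\x31\xc0\xc3"

def compare():
    """Run both generations over the constructed inputs and return the verdicts."""
    checker = IntegrityChecker()
    checker.record("prog", CLEAN_PROGRAM)
    return {
        "checksum_equal": simple_checksum(CLEAN_PROGRAM) == simple_checksum(TAMPERED_PROGRAM),
        "hash_detects_tamper": checker.changed("prog", TAMPERED_PROGRAM),
        "hash_accepts_clean": not checker.changed("prog", CLEAN_PROGRAM),
        "sig_variant_a": signature_scan(VARIANT_A),
        "sig_variant_b": signature_scan(VARIANT_B),
        "sig_clean": signature_scan(CLEAN_PROGRAM),
    }

if __name__ == "__main__":
    for verdict, value in compare().items():
        print(f"{verdict}: {value}")
```

The two approaches fail in opposite directions: the signature scanner finds only patterns it already knows, while the integrity checker flags every change, including legitimate updates, so it needs its baseline refreshed whenever software is installed.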

44 Antivirus, Antispyware
Antivirus: scheduled scans; antivirus updates; real-time file access protection. Popular: Norton, McAfee, Panda, F-Prot, AVG
Antispyware: real-time protection; scheduled scans; browser hijack protection; auto updates. Popular: Spybot, Ad-Aware, MS Windows Defender
All-in-one packages also include a URL filter and content inspection (packet content)

45 Generic Decryption
runs executable files through GD scanner:
CPU emulator to interpret instructions
virus scanner to check known virus signatures
emulation control module to manage process
lets virus decrypt itself in interpreter
periodically scan for virus signatures
issue is how long to interpret and scan?
tradeoff chance of detection vs time delay

More sophisticated antivirus approaches and products continue to appear. In this subsection, we highlight some of the most important, starting with the 3rd generation: identify actions. Generic decryption (GD) technology enables the antivirus program to detect even complex polymorphic viruses while maintaining fast scanning speeds. A polymorphic virus keeps its body encrypted under a key that changes with each copy, so no signature of the body is visible in the file as stored; what stays constant is that the virus must decrypt itself before it can run. In order to detect encrypted viruses, executable files are run through a GD scanner with three components:
• CPU emulator: a software-based virtual computer that interprets instructions in an executable file rather than executing them on the underlying processor.
• Virus signature scanner: scans the target code looking for known virus signatures.
• Emulation control module: controls the execution of the target code.
At the start of each simulation, the emulator begins interpreting instructions in the target code, one at a time. Thus, if the code includes a decryption routine that decrypts and hence exposes the virus, that code is interpreted. In effect, the virus does the work for the antivirus program by exposing itself. Periodically, the control module interrupts interpretation to scan the target code for virus signatures. During interpretation, the target code can cause no damage to the actual computer environment, because it is being interpreted in a completely controlled environment. The most difficult design issue with a GD scanner is to determine how long to run each interpretation. Typically, virus elements are activated soon after a program begins executing, but this need not be the case: a virus that spins through a long, harmless-looking loop before reaching its decryptor can push the decryption past the emulation budget. The longer the scanner emulates a particular program, the more likely it is to catch any hidden viruses. However, the antivirus program can take up only a limited amount of time and resources before users complain.
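The following Python is an added example (not from the textbook or the slides) that models the three GD components on a toy instruction set: a self-decrypting sample whose body is XOR-encrypted, an emulator that interprets the sample in a private memory copy, and a signature scan run every few interpreted instructions. The instruction set, the "virus body", its signature and the step budget are all constructed for the example. It shows the tradeoff from the slide: a static scan of the stored file misses the body, emulation with a generous budget exposes it, and a budget that runs out before the decryptor has finished misses it again.

```python
"""Toy generic-decryption (GD) scanner: a CPU emulator interprets a sample in a
private memory image while a signature scanner periodically inspects that image,
so a self-decrypting body is exposed by the sample's own decryptor."""

# Constructed toy instruction set (assumed, for this emulator only).
MOV_PTR, MOV_CNT, MOV_KEY = 0x10, 0x11, 0x12   # register <- immediate byte
XOR_MEM = 0x01    # mem[ptr] ^= key
INC_PTR = 0x02    # ptr += 1
LOOP = 0x03       # cnt -= 1; if cnt != 0: pc <- operand
JMP = 0x04        # pc <- operand
HALT = 0xFF
TWO_BYTE = {MOV_PTR, MOV_CNT, MOV_KEY, LOOP, JMP}


def build_sample(payload: bytes, key: int) -> bytes:
    """Self-decrypting sample: a 12-byte decryptor stub followed by the
    XOR-encrypted body. The stub decrypts the body in place, then jumps to it."""
    body_at = 12
    stub = bytes([MOV_PTR, body_at, MOV_CNT, len(payload), MOV_KEY, key,
                  XOR_MEM, INC_PTR, LOOP, 6,        # loop target: XOR_MEM at offset 6
                  JMP, body_at])
    return stub + bytes(b ^ key for b in payload)


def static_scan(image: bytes, signature: bytes) -> bool:
    """First-generation scanner: signature match on the file as stored."""
    return signature in image


def emulate_and_scan(image: bytes, signature: bytes, max_steps: int, scan_every: int = 8):
    """Interpret up to max_steps instructions in a private copy of the image and
    scan that copy for the signature every scan_every instructions.
    Returns (detected, instructions_interpreted)."""
    mem = bytearray(image)          # the sample only ever touches this copy
    pc = ptr = cnt = key = 0
    steps = 0
    while steps < max_steps and pc < len(mem):
        op = mem[pc]
        if op in TWO_BYTE:
            if pc + 1 >= len(mem):
                break               # operand runs past the image: stop
            arg = mem[pc + 1]
        if op == MOV_PTR:
            ptr, pc = arg, pc + 2
        elif op == MOV_CNT:
            cnt, pc = arg, pc + 2
        elif op == MOV_KEY:
            key, pc = arg, pc + 2
        elif op == XOR_MEM:
            if ptr < len(mem):
                mem[ptr] ^= key
            pc += 1
        elif op == INC_PTR:
            ptr, pc = ptr + 1, pc + 1
        elif op == LOOP:
            cnt -= 1
            pc = arg if cnt != 0 else pc + 2
        elif op == JMP:
            pc = arg
        else:
            break                   # HALT or an undefined opcode: stop interpreting
        steps += 1
        # The emulation control module interrupts interpretation for a scan.
        if steps % scan_every == 0 and signature in mem:
            return True, steps
    return signature in mem, steps


# Constructed "virus body" and the signature a vendor would extract from it.
SIGNATURE = b"VIRUS-BODY"
BODY = b"\xcc\x90" + SIGNATURE + b"\x90\xcc"
KEY = 0x5A
SAMPLE = build_sample(BODY, KEY)

if __name__ == "__main__":
    print("static scan:", static_scan(SAMPLE, SIGNATURE))              # False
    print("GD, 200-step budget:", emulate_and_scan(SAMPLE, SIGNATURE, 200))  # (True, 40)
    print("GD, 20-step budget:", emulate_and_scan(SAMPLE, SIGNATURE, 20))    # (False, 20)
```

The body is 14 bytes and the stub spends three instructions per byte, so the signature is fully decrypted after 37 interpreted instructions and the next scan (at 40) catches it; a 20-instruction budget stops while only the first few bytes are in the clear, which is exactly the detection-versus-delay tradeoff the slide names.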

46 Digital Immune System
The digital immune system is a comprehensive (3rd and 4th generation) approach to virus protection developed by IBM and subsequently refined by Symantec. The objective of this system is to provide rapid response time so that viruses can be stamped out almost as soon as they are introduced. When a new virus enters an organization, the immune system automatically captures it, analyzes it, adds detection and shielding for it, removes it, and passes information about that virus to other systems so that it can be detected before it is allowed to run elsewhere, as Figure 7.4 illustrates:
1. A monitoring program on each PC uses a variety of heuristics to infer that a virus may be present, and forwards a copy to an administrative machine.
2. The administrative machine encrypts this and sends it to a central virus analysis machine.
3. This machine creates an environment in which the infected program can be safely run for analysis. The virus analysis machine then produces a prescription for identifying and removing the virus.
4. The resulting prescription is sent back to the administrative machine.
5. The administrative machine forwards the prescription to the infected client.
6. The prescription is also forwarded to other clients in the organization.
7. Subscribers worldwide receive regular antivirus updates to protect them from the new virus.
The success of the digital immune system depends on the ability of the virus analysis machine to detect new and innovative virus strains. By constantly analyzing and monitoring the viruses found in the wild, it should be possible to continually update the digital immune software to keep up with the threat.

47 Behavior-Blocking Software
Unlike heuristic or fingerprint-based scanners, behavior-blocking software integrates with the operating system of a host computer and monitors program behavior in real time for malicious actions. This is a feature of 4th generation antivirus or similar IDS (Intrusion Detection System) packages. The behavior-blocking software then blocks potentially malicious actions before they can affect the system. Monitored behaviors can include:
• Attempts to open, view, delete, and/or modify files;
• Attempts to format disk drives and other unrecoverable disk operations;
• Modifications to the logic of executable files or macros;
• Modification of critical system settings, such as start-up settings;
• Scripting of e-mail and instant messaging clients to send executable content; and
• Initiation of network communications.
Figure 7.5 illustrates its operation. Behavior-blocking software runs on server and desktop computers and is instructed through policies set by the network administrator to let benign actions take place but to intercede when unauthorized or suspicious actions occur. The module blocks any suspicious software from executing. A blocker isolates the code in a sandbox, which restricts the code's access to various OS resources and applications. The blocker then sends an alert. Because a behavior blocker can block suspicious software in real time, it has an advantage over established antivirus detection techniques such as fingerprinting or heuristics. Behavior blocking alone has limitations. Because the malicious code must run on the target machine before all its behaviors can be identified, it can cause harm before it has been detected and blocked (e.g., it may already have moved or deleted files by the time its later actions cross the policy).
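As an added example (not code from the textbook or slides), the following Python models a behavior blocker of the kind described above: each monitored action is decided against an administrator policy before it takes effect, a process that hits a forbidden action or accumulates too many suspicious ones is moved into a sandbox where everything further is denied, and the blocker records which suspicious actions it had already let through. The operation names, rules, thresholds and the process trace are all constructed for the example; the last point is the limitation the slide ends with.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    """One monitored OS action by a process (constructed event model)."""
    pid: int
    op: str       # open_file, write_file, delete_file, format_disk, set_startup, ...
    target: str


# Administrator policy (assumed values). First matching rule wins; anything
# unmatched is benign. "block" actions are never allowed; "suspicious" ones are
# allowed until a process has accumulated SUSPICION_LIMIT of them.
RULES = [
    ("format_disk", "",            "block"),       # unrecoverable disk operation
    ("set_startup", "",            "block"),       # critical system setting
    ("modify_exe",  "",            "block"),       # logic of an executable or macro
    ("script_mail", "",            "block"),       # mail/IM client told to send content
    ("delete_file", "C:/Windows/", "block"),       # system files
    ("write_file",  "C:/Windows/", "block"),
    ("delete_file", "",            "suspicious"),
    ("net_connect", "",            "suspicious"),
]
SUSPICION_LIMIT = 2


def classify(action: Action) -> str:
    for op, prefix, verdict in RULES:
        if action.op == op and action.target.startswith(prefix):
            return verdict
    return "allow"


class BehaviorBlocker:
    """Decides each action before it takes effect and sandboxes a process (all
    further actions denied) once it crosses the policy. Suspicious actions that
    were allowed before that point have already happened."""

    def __init__(self):
        self.suspicion = {}           # pid -> suspicious actions allowed so far
        self.allowed_suspicious = {}  # pid -> those actions
        self.sandboxed = set()        # pids whose every further action is denied
        self.alerts = []              # (pid, action) that triggered the sandbox

    def decide(self, action: Action) -> str:
        if action.pid in self.sandboxed:
            return "deny"
        verdict = classify(action)
        if verdict == "allow":
            return "allow"
        if verdict == "suspicious":
            n = self.suspicion.get(action.pid, 0) + 1
            self.suspicion[action.pid] = n
            if n < SUSPICION_LIMIT:
                self.allowed_suspicious.setdefault(action.pid, []).append(action)
                return "allow"
        # A "block" rule was hit or the suspicion limit reached: sandbox and alert.
        self.sandboxed.add(action.pid)
        self.alerts.append((action.pid, action))
        return "deny"

    def harm_before_block(self):
        """Suspicious actions that took effect on processes later sandboxed."""
        return {pid: acts for pid, acts in self.allowed_suspicious.items()
                if pid in self.sandboxed}


# Constructed trace: pid 3 is an ordinary editor, pid 7 behaves like malware.
TRACE = [
    Action(3, "open_file",   "C:/Users/ann/report.docx"),
    Action(7, "open_file",   "C:/Users/ann/report.docx"),
    Action(3, "write_file",  "C:/Users/ann/report.docx"),
    Action(7, "delete_file", "C:/Users/ann/backup.zip"),    # allowed: first suspicious act
    Action(3, "net_connect", "203.0.113.10:443"),           # one suspicious act, allowed
    Action(7, "net_connect", "198.51.100.7:25"),            # second for pid 7: sandboxed
    Action(7, "set_startup", "HKLM/Software/Microsoft/Windows/CurrentVersion/Run/upd"),
    Action(7, "write_file",  "C:/Windows/System32/x.dll"),  # denied: already sandboxed
]


def run(trace):
    blocker = BehaviorBlocker()
    decisions = [blocker.decide(a) for a in trace]
    return blocker, decisions


if __name__ == "__main__":
    blocker, decisions = run(TRACE)
    for action, decision in zip(TRACE, decisions):
        print(f"pid {action.pid:2} {action.op:12} {action.target:45} -> {decision}")
    print("harm before block:", blocker.harm_before_block())
```

The start-up modification and the write under C:/Windows/ are stopped, which a signature scanner without a signature for this sample would not have done; but backup.zip is gone, because a single deletion is not distinguishable from what an editor does, and the block only lands once the process shows a second suspicious behaviour.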

48 Worm
Worm: Independent program which replicates itself and sends copies from computer to computer across network connections. Upon arrival the worm may be activated to replicate.
[Figure: a worm mailing copies of itself to each address on a list: to Joe, to Ann, to Jill]

49 Worms
replicating program that propagates over net
using e-mail, remote exec, remote login
has phases like a virus: dormant, propagation, triggering, execution
propagation phase: automatically 'scans' for other systems, connects to it, copies self to it and runs
fast spread phase: each infection spreads to n other nodes, exponentially
may disguise itself as a system process

A worm is a program that can replicate itself and send copies from computer to computer across network connections. Upon arrival, the worm may be activated to replicate and propagate again. In addition to propagation, the worm usually performs some unwanted function. Network worm programs use network connections to spread from system to system. Once active within a system, a network worm can behave as a computer virus or bacteria, or it could implant Trojan horse programs or perform any number of disruptive or destructive actions. To replicate itself, a network worm uses some sort of network vehicle such as e-mail, remote execution or remote login capabilities. The new copy of the worm program is then run on the remote system where, in addition to any functions that it performs at that system, it continues to spread in the same fashion. A network worm exhibits the same characteristics as a computer virus: a dormant phase, a propagation phase, a triggering phase, and an execution phase. The propagation phase generally: searches for other systems to infect by examining host tables or similar repositories of remote system addresses; establishes a connection with a remote system; and copies itself to the remote system and causes the copy to be run. The network worm may also attempt to determine whether a system has previously been infected before copying itself to the system. In a multiprogramming system, it may also disguise its presence by naming itself as a system process or using some other name that may not be noticed by a system operator. The concept of a computer worm was introduced in John Brunner's 1975 SF novel "The Shockwave Rider". The first known worm implementation was done at Xerox Palo Alto labs in the early 1980s. It was a nonmalicious search for idle systems to use to run a computationally intensive task. As with viruses, network worms are difficult to counter.

50 Morris Worm
one of best known worms
released by Robert Morris in 1988
various attacks on UNIX systems
cracking password file to use login/password to logon to other systems
exploiting a bug in the finger protocol
exploiting a bug in sendmail to issue commands
if succeed have remote shell access

Until the current generation of worms, the best known was the worm released onto the Internet by Robert Morris in 1988. The Morris worm was designed to spread on UNIX systems and used a number of different techniques for propagation. When a copy began execution, its first task was to discover other hosts known to this host that would allow entry from this host. The worm performed this task by examining a variety of lists and tables, including system tables that declared which other machines were trusted by this host, users' mail forwarding files, tables by which users gave themselves permission for access to remote accounts, and a program that reported the status of network connections. For each discovered host, the worm tried a number of methods for gaining access:
• It attempted to log on to a remote host as a legitimate user, having cracked the local password file, and assuming that many users use the same password on different systems.
• It exploited a bug in the finger protocol.
• It exploited a trapdoor in the debug option of the remote sendmail process.
If any of these attacks succeeded, the worm achieved communication with the operating system command interpreter. It then sent this interpreter a short bootstrap program, issued a command to execute that program, and then logged off. The bootstrap program then called back the parent program and downloaded the remainder of the worm. The new worm was then executed.

51 Morris Worm – cont'd
Created by Robert Morris, convicted 1990: $10K fine, 3 years probation, 400 hours community service
Unintended effect: denial of service due to resource exhaustion, since worms created more worms (even on the same machine)
Once a system was penetrated:
Sent a bootstrap loader of 99 lines of C code to be executed on the target machine
Downloader: fetched the rest of the worm, verified by password
Stealth: encrypted itself, deleted the original version, changed its name periodically

52 Worm Technology
Multiplatform: Unix, Windows, …
Multi-exploit: travels in multiple ways
Polymorphic: generations mutate
Metamorphic: self-mutating & polymorphic
Transport vehicles: auto-builds bots
Zero-day exploit: attacks a vulnerability before vulnerability is known

The state of the art in worm technology includes the following:
• Multiplatform: Newer worms are not limited to Windows machines but can attack a variety of platforms, especially the popular varieties of UNIX.
• Multi-exploit: New worms penetrate systems in a variety of ways, using exploits against Web servers, browsers, e-mail, file sharing, and other network-based applications.
• Ultrafast spreading: One technique to accelerate the spread of a worm is to conduct a prior Internet scan to accumulate Internet addresses of vulnerable machines.
• Polymorphic: To evade detection, skip past filters, and foil real-time analysis, worms adopt the virus polymorphic technique. Each copy of the worm has new code generated on the fly using functionally equivalent instructions and encryption techniques.
• Metamorphic: In addition to changing their appearance, metamorphic worms have a repertoire of behavior patterns that are unleashed at different stages of propagation.
• Transport vehicles: Because worms can rapidly compromise a large number of systems, they are ideal for spreading other distributed attack tools, such as distributed denial of service bots.
• Zero-day exploit: To achieve maximum surprise and distribution, a worm should exploit an unknown vulnerability that is only discovered by the general network community when the worm is launched.

53 Worm Countermeasures
overlaps with anti-virus techniques
once worm on system A/V can detect
worms also cause significant net activity
worm defense approaches include:
signature-based worm scan filtering
filter-based worm containment
payload-classification-based worm containment
threshold random walk scan detection
rate limiting and rate halting: puts a speed limit on scanning / fingerprinting actions

There is considerable overlap in techniques for dealing with viruses and worms. Once a worm is resident on a machine, antivirus software can be used to detect it. In addition, because worm propagation generates considerable network activity, monitoring that activity can form the basis of a worm defense. The classes are:
• Signature-based worm scan filtering: generates a worm signature, which is then used to prevent worm scans from entering/leaving a network/host.
• Filter-based worm containment: focuses on worm content rather than a scan signature. The filter checks a message to determine if it contains worm code.
• Payload-classification-based worm containment: examines packets to see if they contain a worm, using anomaly detection techniques.
• Threshold random walk (TRW) scan detection: exploits the randomness in picking destinations to connect to as a way of detecting whether a scanner is in operation. A scanner probing addresses at random fails to connect far more often than a legitimate host, which mostly contacts hosts it already knows exist, so the ratio of failed to successful first contacts separates the two.
• Rate limiting: limits the rate of scan-like traffic from an infected host.
• Rate halting: immediately blocks outgoing traffic when a threshold is exceeded either in outgoing connection rate or in diversity of connection attempts. Rate halting can integrate with a signature- or filter-based approach so that once a signature or filter is generated, every blocked host can be unblocked. As with rate limiting, rate halting techniques are not suitable for slow, stealthy worms.
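The TRW bullet above, worked as an added Python example (not code from the textbook or slides): a sequential probability ratio test over each source's first-contact outcomes, in which every failed first contact moves a per-source log-likelihood ratio towards the "scanner" threshold and every success moves it towards "benign". The success probabilities under the two hypotheses, the error-rate targets and the flow-log lines are all constructed for the example; repeat contacts to an already-seen destination carry no evidence and are ignored.

```python
import math


class TRWScanDetector:
    """Threshold Random Walk scan detection as a sequential hypothesis test.

    H0 (benign):  a first contact succeeds with probability theta0.
    H1 (scanner): a first contact succeeds with probability theta1 (< theta0).
    Each failure pushes the log-likelihood ratio up, each success pushes it down;
    crossing the upper threshold declares a scanner, the lower one declares benign.
    All parameter values are assumed for this example.
    """

    def __init__(self, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.99):
        # Wald SPRT thresholds: alpha = tolerated false-positive rate,
        # beta = desired detection probability.
        self.upper = math.log(beta / alpha)
        self.lower = math.log((1 - beta) / (1 - alpha))
        self.on_fail = math.log((1 - theta1) / (1 - theta0))   # > 0
        self.on_ok = math.log(theta1 / theta0)                  # < 0
        self.llr = {}            # src -> running log-likelihood ratio
        self.contacted = {}      # src -> destinations already seen
        self.verdict = {}        # src -> "scanner" | "benign"
        self.decided_after = {}  # src -> first contacts needed for a decision

    def observe(self, src, dst, success):
        if src in self.verdict:             # decision already made
            return self.verdict[src]
        seen = self.contacted.setdefault(src, set())
        if dst in seen:                     # repeat contact: no new evidence
            return "pending"
        seen.add(dst)
        self.llr[src] = self.llr.get(src, 0.0) + (self.on_ok if success else self.on_fail)
        if self.llr[src] >= self.upper:
            self.verdict[src] = "scanner"
        elif self.llr[src] <= self.lower:
            self.verdict[src] = "benign"
        if src in self.verdict:
            self.decided_after[src] = len(seen)
        return self.verdict.get(src, "pending")


# Constructed flow-log lines: "<src> <dst> <OK|FAIL>", one per connection attempt.
FLOW_LOG = """\
10.0.0.5 10.0.1.1 FAIL
10.0.0.7 10.0.1.1 OK
10.0.0.5 10.0.1.2 FAIL
10.0.0.7 10.0.1.9 OK
10.0.0.5 10.0.1.3 FAIL
10.0.0.9 10.0.1.4 FAIL
10.0.0.7 10.0.1.9 OK
10.0.0.5 10.0.1.4 FAIL
10.0.0.5 10.0.1.5 FAIL
10.0.0.7 10.0.1.12 OK
10.0.0.9 10.0.1.2 OK
10.0.0.7 10.0.1.20 OK
10.0.0.9 10.0.1.7 FAIL
"""


def classify_sources(log_text):
    """Feed each attempt to the detector; return per-source verdicts and the detector."""
    det = TRWScanDetector()
    for line in log_text.splitlines():
        src, dst, outcome = line.split()
        det.observe(src, dst, outcome == "OK")
    return {src: det.verdict.get(src, "pending") for src in det.contacted}, det


if __name__ == "__main__":
    verdicts, det = classify_sources(FLOW_LOG)
    for src, verdict in sorted(verdicts.items()):
        print(f"{src:10} {verdict:8} after {det.decided_after.get(src, '-')} first contacts")
```

With these parameters each failure adds log 4 and each success subtracts it, and the thresholds sit at plus or minus log 99, so four net failures flag a scanner and four net successes clear a host; the mixed source stays pending. The test works on connection outcomes rather than rates, which is why it catches a slow scanner that rate limiting would miss, but a scanner that mostly hits live hosts (for example one fed a prior Internet scan of vulnerable addresses) is exactly what it cannot separate from a busy client.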

54 Proactive Worm Containment
Looks for surges in the rate of outgoing connection attempts and in the diversity of connections to remote hosts. When such a surge is detected, the software immediately blocks its host from further connection attempts.

The Proactive Worm Containment (PWC) scheme is host-based software that looks for surges in the rate of outgoing connection attempts and the diversity of connections to remote hosts. When such a surge is detected, the software immediately blocks its host from further connection attempts. A deployed PWC system consists of a PWC manager and PWC agents in hosts. Figure 7.7 from the text is an example of an architecture that includes PWC, which operates as follows:
A. A PWC agent monitors outgoing traffic for scan activity, determined by a surge in UDP/TCP connection attempts to remote hosts. If a surge is detected, the agent: 1) issues an alert to the local system; 2) blocks all outgoing connection attempts; 3) transmits the alert to the PWC manager; and 4) starts a relaxation analysis.
B. The PWC manager receives the alert and propagates it to all other agents.
C. A host receives the alert and must decide whether to ignore it. If the time since the last incoming packet has been sufficiently long that the agent would already have detected a worm if infected, then the alert is ignored. Otherwise, the agent assumes that it might be infected and performs the following actions: (1) blocks all outgoing connection attempts from the specific alerting port; and (2) starts a relaxation analysis.
D. Relaxation analysis. An agent monitors outgoing activity for a fixed window of time to see if outgoing connections exceed a threshold. If so, blockage is continued and relaxation analysis is repeated until the outgoing connection rate drops below the threshold, at which time the agent removes the block. If the threshold continues to be exceeded over a sufficient number of relaxation windows, the agent isolates the host and reports to the PWC manager.
Meanwhile, a signature extractor functions as a passive sensor that monitors all traffic and attempts to detect worms by signature analysis.

55 Network Based Worm Defense
The key element of a network-based worm defense is worm monitoring software. Two types of monitoring software are needed:
• Ingress monitors: located at the border between the enterprise network and the Internet, in a border router, external firewall, separate passive monitor, or honeypot.
• Egress monitors: located at the egress point of individual LANs on the enterprise network as well as at the external border, in a LAN router or switch, external firewall or honeypot. An egress monitor is designed to catch the source of a worm attack by monitoring outgoing traffic for signs of scanning and the like.
The two types of monitors can be collocated. Worm monitors can act in the manner of intrusion detection systems and generate alerts to a central administrative system. It is also possible to implement a system that attempts to react in real time to a worm attack, so as to counter zero-day exploits effectively. This is similar to the approach taken with the digital immune system (Figure 7.4). Figure 7.8 shows an example of a worm countermeasure architecture that works as follows:
1. Sensors deployed at various network locations detect a potential worm.
2. The sensors send alerts to a central server that correlates and analyzes the incoming alerts.
3. The server forwards the information to a protected environment, where the worm is sandboxed for analysis.
4. The protected system tests the suspicious software against an appropriately instrumented version of the targeted application to identify the vulnerability.
5. The protected system generates one or more software patches and tests these.
6. The system sends the patch to the application host to update the targeted application.

56 Summary: Malware Payload Classification
Theft of information: e.g. keyloggers, spyware, pharming, exfiltration, RAM scraper, stolen credentials
Stealth (hide presence): rootkit, backdoors, viruses/worms
Ransomware: demands ransom before it will continue working
Theft of service: botnet, denial of service (DDoS), adware, spammers, command & control
Corruption of system or files: virus, worm, rootkit, ransomware

57 Summary: Malware Controls
Countermeasures:
Ingress monitor: are traffic flows entering the network valid?
Egress monitor: is traffic exiting the network valid?
Host scanner: are actions on the computer suspicious?
Malware countermeasure: are actions by the program suspicious?
Distributed intelligence: host-based and perimeter sensors, intelligence analysis

