
Malicious and Mobile Code


1 Malicious and Mobile Code
Lesson 09

2 Malicious Software
Trojan Horses: a program that appears to do one thing (and may indeed do it) but that hides something else.
Viruses: a program that reproduces by attaching copies of itself to other programs; often carries a malicious "payload".
Worms: do not need to attach themselves to another program to reproduce; they attempt to gain access to other systems on a network and then copy themselves to those new systems.
Time (logic) bombs: a program that is set to execute its payload upon a certain condition being met.

3 Trojan Horse
Gets its name from the Trojan Horse of antiquity. Commonly found in programs that sound "interesting" so that folks will run them. Requires that the program it is attached to is executed. Does not refer only to software: a Trojan ATM was installed to collect PINs. The earliest versions were probably login Trojans.

4 Back Orifice & BO2K
Originally released by cDc (Cult of the Dead Cow) on 3 August, and reportedly downloaded by hundreds of thousands of people since then. It gives a remote user "system admin" type privileges over the computer's Internet link. Back Orifice can arrive disguised as a component of practically any software installation: it can be attached to other files or programs, or run on its own. To the user installing an "infected" application, it appears that all went normally. For BO2K see

5 Trojans: Detection and Prevention
Often you won't know until something bad happens. Only run software you can trust. Install a virus checking program. Use a hashing/checksum utility to periodically check the integrity of system routines.
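The last point on this slide, periodic integrity checking of system routines, is easy to get wrong in practice (a baseline that the attacker can rewrite is worthless). The following is an added example, not code from the lecture: it takes a SHA-256 baseline of a directory, stores it as JSON (standing in for off-host or read-only storage), and reports files that were modified, added or removed. The sample tree and the "Trojanized login" are constructed for the demonstration; the file contents are not real binaries. The same check covers the advice on the later worm and logic-bomb prevention slides to monitor system files for modification.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> dict:
    """Record digest, size and permission bits for every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree against a stored baseline; a Trojanized routine shows up as 'modified'."""
    current = take_baseline(root)
    report = {"modified": [], "added": [], "removed": []}
    for name, rec in baseline.items():
        if name not in current:
            report["removed"].append(name)
        elif current[name] != rec:
            report["modified"].append(name)
    report["added"] = [n for n in current if n not in baseline]
    return report


def demo() -> dict:
    """Constructed scenario: baseline three 'system routines', then Trojanize one and drop a new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "bin"
        root.mkdir()
        (root / "login").write_bytes(b"\x7fELF fake login binary\x00")
        (root / "ls").write_bytes(b"\x7fELF fake ls binary\x00")
        (root / "ps").write_bytes(b"\x7fELF fake ps binary\x00")

        # The baseline must live somewhere the attacker cannot rewrite (read-only media,
        # another host). The JSON round-trip stands in for that here.
        stored = json.dumps(take_baseline(root))

        # Attacker activity: a login Trojan that also records passwords, plus a dropped tool.
        with (root / "login").open("ab") as f:
            f.write(b"\x00log credentials to /tmp/.x\x00")
        (root / "bo").write_bytes(b"\x7fELF remote control tool\x00")

        return verify(root, json.loads(stored))


if __name__ == "__main__":
    print(demo())
```

A checksum utility that runs on the possibly compromised host and reads its baseline from that host can itself be Trojanized; run the check from a trusted boot medium or compare against a copy held elsewhere.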

6 Viruses
A virus MUST attach itself to another program. It usually contains a nefarious code segment which may not be immediately noticed. Three major types: program, boot, macro.

7 Viruses World Wide

8 Viruses - North America

9 Viruses World Wide, by virus

10 Details about a specific virus

11 Details about a specific virus

12 Viruses, some history
Fred Cohen formalized the concept (as we know it today) as a Ph.D. student at USC in the early 1980s, and published his dissertation while a professor at Lehigh University in 1984. Apple was the first (1981) to see what today might be called a virus, but it was benign; there are indications of an early Apple II virus at TAMU in 1981. The first DOS virus was created at Lehigh University and was thus called the Lehigh virus. A counter inside the virus was incremented by 1 with each infection; when the counter reached four, the virus overwrote the FAT and boot sector with garbage, essentially destroying all data on the disk. It infected .COM files and added 555 bytes to COMMAND.COM. The author of the virus was never determined.

13 Viruses, some more history
The next virus was the Brain virus, probably written before the Lehigh virus but reported later. The authors were not hard to find because they included their names, address and a small commercial inside the virus: the writers were from Pakistan. A floppy-only boot sector virus, it was only invoked if the machine booted from an infected disk. It wrote itself to six other sectors and then marked them as "bad", and changed the volume label to "© Brain", hence the name (Brain was the name of the company in the advertisement). It had some stealth techniques: once a disk was infected, any request to read the boot sector was redirected to a copy of the original, so the disk showed no infection. It carried no malicious payload, only the advertisement. A variation was created to "punish" Americans involved in software piracy.

14 Viruses, the continuing saga...
Up until this point viruses were actually fairly rare. A couple of new viruses changed all of that.
Jerusalem (aka Israel, Hebrew University, Friday the 13th, 1813, PLO): first isolated at Hebrew University in Israel in 1987 (though some believe it actually originated somewhere in Italy). A .COM and .EXE infector, it added 1813 bytes to COM files and 1808 to EXE files. It did not properly check for prior infection, so it kept reinfecting files (thus continually adding to their size, a tipoff that something was up). It carried a payload which deleted files on Friday the 13th, and it spawned many copy-cat viruses.
Stoned: infected the master boot record (MBR) on a hard disk and the boot sector on a floppy disk, and displayed the message "Your PC is now Stoned!"
Michelangelo: discovered in 1991; a floppy diskette boot sector and hard disk partition/MBR infector.

15 Viruses, more on Michelangelo
Michelangelo is a floppy diskette boot sector and hard disk partition/MBR infector, and became fairly widespread after being discovered in April 1991. It is potentially destructive, since variants will destroy data on the hard disk, and on floppies, on March 6 as well as on other dates.

If an infected diskette is in the A: drive at boot-up, its boot sector (sector 0), which contains the virus program, is read into memory. The virus then takes control of the system and infects the hard disk when boot-up completes, copying its code to cylinder 0, head 0, sector 1 and moving the original partition/MBR data to cylinder 0, head 0, sector 7. Ordinarily no data is lost from the hard disk by that alone, because DOS does not use the sector the virus uses. However, if that sector is used by third-party software to store data (during formatting, for password access, or by drivers that access large partitions), problems can result.

In its original form Michelangelo was 480 bytes long, would not infect disks in the B: drive, and moves Interrupt 12's return value, denying DOS the use of memory between 638K and 640K, where the virus is resident. CHKDSK therefore shows 653,312 total bytes of memory instead of 655,360. The virus monitors Interrupt 13, and any DOS use of that interrupt to read or write (even the DIR command) triggers the virus to infect the disk in A:, if it is not already infected or write-protected. It moves the diskette's original boot record code to the area used by the directory; if the disk has files listed in the overwritten sector, this causes the loss of the entries for files, deleted files and sub-directories in the root. The files themselves are still in the file storage area of the disk and could be recovered with a utility program, but since they are no longer listed in the directory they may be overwritten as other files are later stored on the diskette.

For its destructive phase, the virus checks the system date only when the PC is booted from an infected disk. (It thus cannot activate on an XT without a battery-backed clock, since such a machine boots with a default date rather than the real one.) Otherwise, it causes data loss on the specific date the particular variant uses. If triggered, Michelangelo begins overwriting at the start of the disk, where the partition/MBR, boot, file allocation table and directory data are stored. After the user realizes something is wrong, turns the power off and re-boots from a floppy, any attempt to access the hard disk results only in the message "Invalid Drive Specification". At that point, exactly how much data was lost depends on how long it took to turn the power off: if it is turned off quickly enough, the virus can be prevented from completing its job, and files located beyond the point at which the overwriting stopped (especially on D: and E: drives, if they existed) remain.
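The infection layout just described (virus code in cylinder 0, head 0, sector 1; original MBR copied to sector 7; partition table carried over so the disk still boots) leaves a fingerprint that can be checked from a raw disk image. The following is an added example, not part of the lecture: it builds a constructed 8-sector image, models the Stoned/Michelangelo relocation, and flags a disk whose sector 7 carries a boot signature and the same partition table as the live MBR. The boot code bytes and partition entry are made-up values; offsets (partition table at 446, signature 0x55AA at 510) are the real MBR layout.

```python
SECTOR = 512
BOOT_SIG = b"\x55\xaa"
PT_OFFSET = 446          # partition table: 4 x 16-byte entries at bytes 446..509
CHS_SECTOR_7 = 6         # CHS sectors are 1-based, so "cylinder 0, head 0, sector 7" is the 7th
                         # sector of the disk, i.e. byte offset 6 * 512


def make_mbr(code: bytes, part_table: bytes) -> bytes:
    assert len(code) <= PT_OFFSET and len(part_table) == 64
    return code.ljust(PT_OFFSET, b"\x00") + part_table + BOOT_SIG


def sample_partition_table() -> bytes:
    # One bootable FAT16 partition (type 0x06); the other three entries empty. Constructed values.
    entry = (bytes([0x80, 0x01, 0x01, 0x00, 0x06, 0xFE, 0x3F, 0x7F])
             + (63).to_bytes(4, "little") + (2097088).to_bytes(4, "little"))
    return entry + b"\x00" * 48


def clean_image(sectors: int = 8) -> bytes:
    mbr = make_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"original boot code", sample_partition_table())
    return mbr + b"\x00" * SECTOR * (sectors - 1)


def infect_image(img: bytes) -> bytes:
    """Model the relocation: original MBR copied to CHS sector 7, virus code written to
    sector 1 with the partition table carried over so the machine still boots."""
    original = img[:SECTOR]
    virus_mbr = make_mbr(b"\xea" + b"virus body, resident in the top 2K of RAM",
                         original[PT_OFFSET:PT_OFFSET + 64])
    out = bytearray(img)
    out[0:SECTOR] = virus_mbr
    out[CHS_SECTOR_7 * SECTOR:(CHS_SECTOR_7 + 1) * SECTOR] = original
    return bytes(out)


def check_mbr(img: bytes) -> dict:
    """Heuristic from the slide: DOS never writes sector 7, so a second sector with a boot
    signature and the live MBR's partition table looks like a relocated original MBR."""
    mbr = img[:SECTOR]
    s7 = img[CHS_SECTOR_7 * SECTOR:(CHS_SECTOR_7 + 1) * SECTOR]
    findings = {
        "mbr_has_boot_signature": mbr[510:512] == BOOT_SIG,
        "sector7_has_boot_signature": s7[510:512] == BOOT_SIG,
        "sector7_partition_table_matches_mbr": s7[PT_OFFSET:PT_OFFSET + 64] == mbr[PT_OFFSET:PT_OFFSET + 64],
    }
    findings["relocated_mbr_suspected"] = (
        findings["sector7_has_boot_signature"]
        and findings["sector7_partition_table_matches_mbr"]
        and s7[:PT_OFFSET] != mbr[:PT_OFFSET]
    )
    return findings


if __name__ == "__main__":
    print("clean:   ", check_mbr(clean_image()))
    print("infected:", check_mbr(infect_image(clean_image())))
```

On a live machine the slide's other indicator applies as well: the Interrupt 12 top-of-memory value dropping from 640K to 638K. Some third-party tools legitimately used sector 7 (the slide mentions this), so a hit should be confirmed by inspecting the code in sector 1 rather than treated as proof.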

16 Program Infector viruses
Contaminates files that contain computer code, especially .EXE and .COM files but also .SYS and .DLL. About 85% of viruses (at one time) were program viruses.

17 File infection: Overwriting
[Diagram] Before: original uninfected program. After: [Virus] [Rest of original uninfected program]; the virus overwrites the start of the original program.

18 File infection: appending
[Diagram] Before: original uninfected program. After: [Virus header] [Original program] [Virus main body]; the virus header calls the main virus body, and the virus returns control to the original program when it finishes.
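The two diagrams above are easier to reason about on a toy machine than on real executables. The following is an added example, not from the lecture: a four-instruction interpreter on which an overwriting infection destroys the host's behaviour while an appending infection patches the entry instruction to jump to an appended body, runs the payload, replays the saved entry instruction and jumps back. It also models the missing infection check that made Jerusalem (slide 14) reinfect files and grow them on every pass. The instruction set, host program and "payload" are invented for the illustration; nothing here touches real files.

```python
MARKER = ("NOP", "infected")   # infection marker; the check a careless virus forgets to make


def run(program, max_steps=200):
    """Toy CPU: PRINT s, JMP index (absolute), NOP, HALT. Returns the program's output."""
    out, pc = [], 0
    for _ in range(max_steps):
        if not 0 <= pc < len(program):
            break
        op = program[pc]
        if op[0] == "PRINT":
            out.append(op[1])
            pc += 1
        elif op[0] == "JMP":
            pc = op[1]
        elif op[0] == "NOP":
            pc += 1
        elif op[0] == "HALT":
            break
        else:
            raise ValueError(f"bad instruction {op!r}")
    return out


def overwrite_infect(host, virus):
    """Overwriting infector: the virus replaces the start of the host. File size is unchanged,
    but the host's own code under the virus is gone, so the program is visibly broken."""
    stub = list(virus) + [("HALT",)]
    return stub + list(host[len(stub):])


def append_infect(host, virus, check_marker=True):
    """Appending infector: entry instruction replaced by a jump to the appended body; the body
    runs the payload, then the saved original entry instruction, then jumps back to index 1.
    Absolute jump targets inside host[1:] stay valid because those indices do not move."""
    if check_marker and MARKER in host:
        return list(host)                       # already infected: do not grow the file again
    saved_entry = host[0]
    body = [MARKER] + list(virus) + [saved_entry, ("JMP", 1)]
    return [("JMP", len(host))] + list(host[1:]) + body


HOST = [("PRINT", "hello"), ("PRINT", "world"), ("HALT",)]
VIRUS = [("PRINT", "[payload]")]


def reinfection_sizes(times, check_marker):
    """Program sizes after infecting the same program repeatedly. Without the marker check the
    file keeps growing (and the payload runs once per infection), the Jerusalem tipoff."""
    prog, sizes = HOST, []
    for _ in range(times):
        prog = append_infect(prog, VIRUS, check_marker)
        sizes.append(len(prog))
    return sizes


if __name__ == "__main__":
    print("host:       ", run(HOST))
    print("overwritten:", run(overwrite_infect(HOST, VIRUS)))
    print("appended:   ", run(append_infect(HOST, VIRUS)))
    print("sizes, with check:   ", reinfection_sizes(3, True))
    print("sizes, without check:", reinfection_sizes(3, False))
```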

19 Boot Viruses Computer operating systems typically set aside a portion of each disk for code to boot the computer. Under DOS, this section is called a boot sector on floppies or a master boot record (MBR) for hard disks. Boot Viruses (or System infectors) store themselves in this area and hence are invoked whenever the disk is used to boot the system.

20 Macro Viruses
Manifested as an auto-exec macro embedded in document files of applications with a macro capability, e.g. word processors and spreadsheets. The first one detected was the Concept virus, which infected Microsoft Word document files. Detected in July 1995, by the fall it was the most frequently reported virus. Since Concept, numerous macro viruses have been created.
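Because a macro virus lives in the document, the first triage question is whether a document carries a VBA project at all and whether it names one of the auto-execute entry points (AutoOpen, AutoClose, Document_Open and friends). The following is an added example, not code from the lecture: it opens a modern OOXML document (a zip container), looks for the vbaProject.bin part and reports any auto-exec names visible in it. The sample documents are constructed in memory and the vbaProject.bin content is a plain-text stand-in; a real one is an OLE2 container with MS-OVBA-compressed module streams, so a production tool (oletools' olevba, for instance) decompresses before searching, and legacy .doc/.xls files are OLE2 files rather than zips.

```python
import io
import re
import zipfile

# Procedure names Word/Excel run automatically on open/close/new; the macro virus hooks these.
AUTO_EXEC_NAMES = ["AutoExec", "AutoOpen", "AutoClose", "AutoNew", "AutoExit",
                   "Document_Open", "Document_Close", "Workbook_Open", "Auto_Open"]


def scan_ooxml(data: bytes) -> dict:
    """Report whether an OOXML document carries a VBA project and which auto-exec names appear in it."""
    result = {"format": "ooxml", "has_vba": False, "auto_exec": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Legacy binary Office files are OLE2 compound documents; they need an OLE parser instead.
        result["format"] = "not-ooxml"
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        vba_parts = [n for n in z.namelist() if n.lower().endswith("vbaproject.bin")]
        result["has_vba"] = bool(vba_parts)
        for part in vba_parts:
            blob = z.read(part)
            for name in AUTO_EXEC_NAMES:
                # Plain byte search: catches names stored as literal tokens, which is the
                # common case for a first occurrence, but not names hidden by compression.
                if re.search(re.escape(name).encode(), blob, re.IGNORECASE) and name not in result["auto_exec"]:
                    result["auto_exec"].append(name)
    return result


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal .docm/.docx; the vbaProject.bin bytes are a stand-in, not a real project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin",
                       b'\x00Attribute VB_Name = "ThisDocument"\x00Sub AutoOpen()\x00MsgBox "hi"\x00End Sub\x00')
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_ooxml(build_sample(True)))
    print(scan_ooxml(build_sample(False)))
    print(scan_ooxml(b"\xd0\xcf\x11\xe0 legacy OLE2 header"))
```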

21 Macro Viruses, some examples
FormatC (1997): deleted files on the hard disk.
Wazzu (1997): randomly moves up to 3 words in a document, or else inserts the word "Wazzu".
WM/PolyPoster (1998): tries to post the user's Word documents to public newsgroups such as alt.hacker, alt.2600 and alt.sex.
ShareFun (1998): infects the global template so that all documents will be infected, then 1 time out of 4 tries to send an infected file to three random addresses from the user's mail list.

22 Macro viruses : Melissa
Infects Word 97 and Word 2000 on Windows machines (Windows 95, Windows 98 and Windows NT). Spread by means of a specially crafted e-mail message from someone who has been infected. The subject line reads "Important Message From <name of infected user>"; the body contains the line "Here is that document you asked for ... don't show anyone else ;-)"; and the message carries an attachment named LIST.DOC, an infected Word document.

23 Melissa (cont.)
Each time an infected document is opened, the virus:
lowers the macro security settings (Tools > Macro in Word 97, or Macro > Security in Word 2000) so as to permit macros to run automatically, without warnings, whenever documents are opened in the future;
checks whether the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa? has the value "... by Kwyjibo". If it does not, or the key does not exist, the virus looks for an installed copy of Microsoft Outlook (not Outlook Express) and uses it to send copies of itself, in the name of the infected user, to up to 50 addresses in any Outlook address book available to that user;
attaches itself to the NORMAL.DOT default template, thereby allowing itself to propagate into arbitrary Word documents as they are opened;
carries a destructive payload, triggered on opening or closing a document if the current number of minutes matches the current day of the month (e.g., at 11:29 on March 29th). If so, the following text is inserted in the document: "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."

24 Detection of and Protection against Viruses
Usually you won't know until something bad happens. Don't run programs you can't trust; shrink-wrapped software is not always a guarantee. Install a virus checking program and update it frequently. Backup, backup, backup.

25 Anti-Virus packages

26 Virus hoaxes

27 Worms
"Program that propagates from one computer to another over a network by breaking into the computers in much the way that a hacker would break into them." To do this a worm needs to find a machine, break into it, and make a copy of itself on the new machine. Like viruses, worms may or may not contain a destructive payload. Hybrid viruses/worms now exist.

28 The Internet Worm
Took advantage of flaws in standard UNIX software: fingerd (gets() buffer overflow); sendmail (a bug in the debug option that allowed remote command execution); password guessing (anybody could read the encrypted password file). It also simply attempted to take advantage of trusted-host relationships using rsh.

29 The Internet Worm
Two parts. The main program collected information on other systems on the network and attempted to penetrate those systems in order to send the bootstrap program. The bootstrap program, a small (99-line) C program, would attempt to copy the main worm onto the system and run it. The worm made some attempts to hide itself: it would delete its own files as soon as it was running, and if a failure occurred it deleted itself.

30 The dictionary used by the Worm
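The password-guessing stage on slide 28 worked only because the hashed password file was world-readable, so anyone could test guesses offline against it. The following is an added example, not the worm's code and not from the lecture: it reproduces the worm's guess order (no password; the login name, doubled and reversed; words from the GECOS field; a built-in word list; then a system dictionary) against a constructed passwd-style file. Two assumptions: a salted SHA-256 stands in for the DES-based crypt(3) the worm attacked, and the word list is a short made-up one, not the worm's actual dictionary.

```python
import hashlib


def hash_pw(password: str, salt: bytes) -> str:
    """Stand-in for crypt(3): salted SHA-256. The worm cracked DES crypt hashes; the point
    here is the guessing strategy, not the hash function."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_passwd(entries) -> str:
    """Constructed world-readable passwd-style file: user:salthex$digest:uid:gid:gecos:home:shell."""
    rows = []
    for i, (user, password, gecos) in enumerate(entries):
        salt = bytes([0x41 + i, 0x42 + i])   # fixed per-user salt so the sample is reproducible
        rows.append(f"{user}:{salt.hex()}${hash_pw(password, salt)}:{1000 + i}:100:{gecos}:/home/{user}:/bin/sh")
    return "\n".join(rows)


def guesses(user: str, gecos: str, dictionary):
    """Guess order used by the worm: no password; the login name, doubled and reversed;
    words from the GECOS field; the worm's built-in list; then a system dictionary."""
    yield ""
    yield user
    yield user + user
    yield user[::-1]
    for word in gecos.replace(",", " ").split():
        yield word.lower()
        yield word.capitalize()
    yield from dictionary


def crack(passwd_text: str, dictionary) -> dict:
    """Return {user: recovered_password} for every account whose password was guessed."""
    found = {}
    for line in passwd_text.splitlines():
        user, field, _uid, _gid, gecos, _home, _shell = line.split(":")
        salt_hex, digest = field.split("$")
        salt, seen = bytes.fromhex(salt_hex), set()
        for guess in guesses(user, gecos, dictionary):
            if guess in seen:
                continue
            seen.add(guess)
            if hash_pw(guess, salt) == digest:
                found[user] = guess
                break
    return found


# Constructed short word list standing in for the worm's internal dictionary and /usr/dict/words.
WORDLIST = ["aaa", "academia", "aerobics", "airplane", "albany", "password", "wizard"]

SAMPLE_PASSWD = make_passwd([
    ("rtm",   "",            "Robert Morris"),        # no password at all
    ("alice", "alicealice",  "Alice Liddell"),        # login name doubled
    ("bob",   "Liddell",     "Bob Liddell,Room 42"),  # surname from GECOS
    ("carol", "wizard",      "Carol Example"),        # dictionary word
    ("dave",  "k7#Qz!9pL",   "Dave Example"),         # survives this attack
])


if __name__ == "__main__":
    print(crack(SAMPLE_PASSWD, WORDLIST))
```

The two fixes that followed the worm are still the right ones: keep hashes out of world-readable files (shadow passwords) and use a deliberately slow password hash so that offline guessing costs the attacker real time.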

31 Why did it cause so much damage?
There was no damaging payload. Systems had problems simply because there were too many copies of the worm running on them. There was a check to see if a system was already infected, but 1 out of every 7 times the worm would ignore this check. Copies of the worm marked for deletion still made one pass through the password file.

32 The fate of RTM
Robert T. Morris, the author of the Internet Worm program, was convicted of a Federal felony in the case. The law involved was 18 USC 1030(a)(5)(A), the Computer Fraud and Abuse Act. He was found guilty in February of 1990 in US District Court in Syracuse, NY. In May of 1990 he was sentenced, outside the Federal sentencing guidelines, to 3 years of probation, 400 hours of community service, and $10,050 in fines plus probation costs. His lawyers appealed the conviction to the Circuit Court of Appeals, and the conviction was upheld. They then appealed to the Supreme Court, but the Court declined to hear the case, leaving the conviction intact.

33 Hybrid viruses/worms: CHRISTMA.EXEC
December 1987, two German university students. Spread via e-mail messages: when the message was read, the recipient was told to type CHRISTMAS, which started a program that displayed a Christmas tree and then searched for the addresses of other users who had sent mail to or received mail from the user, and mailed a copy to them. It spread to 130 countries and was not intended to do any harm. Called a worm because it does not attach itself to another program.

34 Hybrid viruses/worms: PrettyPark
Infects Windows 9x/NT files. Arrives via e-mail from infected users, with the subject C:\CoolProgs\Pretty Park.exe and the body text "Test: Pretty Park.exe :)". May display an icon of a character from the animated comedy series "South Park". Attached is a program named Pretty Park.exe or Pretty~1.exe, which contains the worm's payload.
When a user opens this program, the worm runs itself as a hidden application in Windows, copies itself to the Windows System directory as FILES32.VXD, and registers that program to run each time another application starts. It then mails itself every 30 minutes to each address in the user's address book, using either Outlook or Outlook Express.
A second function is to connect to an IRC server and join a specific IRC channel. While connected, the worm tries to stay connected by sending information to the IRC server, and also retrieves commands from the IRC channel. Through that connection the author of the worm could use it as a remote access Trojan to obtain information such as the computer name, registered owner, registered organization, system root path, and Dial-Up Networking usernames and passwords.

35 Worms: Detection and Prevention
For hybrid ones arriving in e-mail, don't run a program unless you are sure of its source and integrity; if in doubt, contact the sender, or download it to a disk and run it on an isolated system first. For network worms, protection takes the same form as protecting the network: install patches and secure the system the same way you would to keep human intruders out. Often you will not detect a worm until after a problem; you may want to periodically check and routinely monitor system files, especially for any attempts to modify them.

36 Time/Logic Bombs
Can be a Trojan or a stand-alone program, designed to invoke its payload upon a certain condition being met. Time bomb: at a specific time/date. Logic bomb: when a certain condition becomes true. Examples: Timothy Lloyd and Omega Engineering, where 20 days after his dismissal a logic bomb deleted all of Omega's design and production programs; USPA/IRA, where after an employee was fired 186,000 client records were deleted.

37 Time/Logic Bombs: Prevention and Detection
Often very hard to detect until too late (i.e. until after it has been activated). Will generally be the work of an insider, which means they have access that complicates finding this type of malicious software. Check programs set to always run or to run upon startup. Prosecute if it happens: it won't save you, but may discourage the next individual from trying it. Backup, backup, backup.
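"Check programs set to always run or run upon startup" is the one detective control on this slide, and it is also where PrettyPark (slide 34) persisted by registering itself to run whenever another application started. The following is an added example, not from the lecture: it parses the string values of a Windows .reg export (the format produced by `reg export`) and flags Run/RunOnce entries that point outside the system and Program Files directories or at non-.exe files, plus an altered default value under exefile\shell\open\command, whose stock value is "%1" %*. The export text is constructed, the file names in it are made up, and the "trusted directory" test is a coarse heuristic that a reviewer would tune for the environment; binary (hex:) and dword values are skipped.

```python
import re

# Constructed .reg export; the suspicious entries are invented for the example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\Public\\files32.vxd"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="\"C:\\Program Files\\Vendor\\cleanup.exe\" /quiet"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\Windows\\System32\\files32.vxd \"%1\" %*"
'''

AUTORUN_KEYS = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$", re.IGNORECASE)
EXPECTED_EXE_VERB = '"%1" %*'                    # stock value; anything else runs on every .exe launch
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")   # heuristic, tune per environment


def unescape(value: str) -> str:
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\ (escaped quote handled first)."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> dict:
    """Parse the string values of a .reg file into {key: {name: value}}; hex()/dword values are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line and line.endswith('"'):
            name, _, value = line.partition("=")
            if not value.startswith('"'):
                continue                          # not a REG_SZ value
            name = "@" if name == "@" else unescape(name.strip('"'))
            keys[current][name] = unescape(value[1:-1])
    return keys


def first_path(cmd: str) -> str:
    """Executable path from a command line, honouring a quoted first token."""
    cmd = cmd.strip()
    return cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(" ")[0]


def review_autoruns(text: str) -> list:
    findings = []
    for key, values in parse_reg(text).items():
        if AUTORUN_KEYS.search(key):
            for name, cmd in values.items():
                path = first_path(cmd).lower()
                if not path.startswith(TRUSTED_DIRS) or not path.endswith(".exe"):
                    findings.append(f"{key}\\{name}: {cmd}")
        elif key.lower().endswith(r"\exefile\shell\open\command"):
            if values.get("@", "").strip() != EXPECTED_EXE_VERB:
                findings.append(f"{key}: exe file association hijacked: {values.get('@')}")
    return findings


if __name__ == "__main__":
    for f in review_autoruns(SAMPLE_REG):
        print(f)
```

An insider can of course plant a bomb somewhere this does not look (scheduled tasks, services, cron, a modified production program), which is why the slide pairs this check with integrity monitoring and backups rather than relying on it alone.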

38 Mobile Code Software obtained from remote systems outside of the current network that is transferred across a network and then downloaded and executed on a local system without explicit installation or execution by the recipient. Generally refers to executable code supplied by a Web server for execution on the client’s computer – generally Java, JavaScript, and ActiveX. “Malicious Mobile Code consists of mobile code software modules designed, employed, distributed, or activated with the intention of compromising the performance or security of information systems and computers, increasing access to those systems, providing the unauthorized disclosure of information, corrupting information, denying service, or stealing resources.”

39 Some approaches to mobile code security
Current techniques aimed at protecting a client of mobile code from sustaining damage are based on trusting the producer (by validating that the downloaded code is signed by the producer) and on restricting the functionality of the mobile code (e.g. denying access to files).

40 Exam 1

41 Summary What is the Importance and Significance of this material?
How does this topic fit into the subject of “Voice and Data Security”?

