
Slide 1 (NS-H0503-02/11041): Malicious Software

Slide 2: Why bother to secure data?
- Information has value; it can affect our lives and our livelihood
- Information has become an integral part of the structure of society
- Information needs to be trusted if it is to be useful; the breakdown of trust removes value from the information protected

Slide 3: What are we protecting against?
- Deletion or destruction
- Alteration (detected or undetected)
- Unauthorised access (privacy)
- Loss of productivity

Slide 4: Who is the enemy?
- External threats
- Virus attacks
- Hacker attacks
- Theft of data
- Sabotage
- Natural disaster

Slide 5: Hackers, Crackers & SK's
- What is a hacker?
- Traditionally used as a term of respect
- High-level user, talented in programming
- Renowned for finding previously undiscovered and often unexpected uses for computer systems and networks

Slide 6: Black Hat Hacker
- May be amateur or professional
- May attempt to destroy or alter data
- Will often use known security flaws to create a "beachhead"
- Attempts to gain Administrator or root access
- Will prey on system users' naïveté or carelessness
- Will attempt to remove all traces of intrusion

Slide 7: Black Hat Arsenal
- Trojan programs
- "Spyware" programs
- Password stealers
- Password crackers

Slide 8: Black Hat Tactics
- Exploit published or known security flaws to gain access
- User impersonation and deception
- Eavesdropping on email correspondence

Slide 9: White Hat Hacker
- Cyber idealist
- Often very active in online discussion
- Very competitive
- Wishes to expose poor programming and claim credit for being the "first" to find errors
- Feels compelled to inform the cyber community of security issues

Slide 10: Are they a Problem?
- Not interested in stealing / altering data
- Often use carriers with a weak payload or none at all
- Often view security in an abstract form (a challenge or test of cyber strength)
- May warn users of potential security risks without thought of reward

Slide 11: The White Hat Dilemma
- Software is often "unsecured" when released
- Software producers are not always responsive to warnings
- Should a security flaw be published if there is no solution?
- The conflict of idealism and commercial reality

Slide 12: Script Kiddies
- Not true hackers (i.e. relatively unskilled)
- Often immature
- Use tools devised by skilled hackers
- Will destroy data without understanding the implications of their actions
- Seeking attention from their peer group

Slide 13: Malicious Programs
- Computer "viruses" and related programs have the ability to replicate themselves on an ever-increasing number of computers.
- They originally spread by people sharing floppy disks. Now they spread primarily over the Internet (a "worm").
- Other "malicious programs" may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages. These are very hard to detect before the payload activates (Trojan horses, trap doors, and logic bombs).

Slide 14: Taxonomy of Malicious Programs
Malicious Programs
  – Need host program: Trapdoors, Logic Bombs, Trojan Horses, Viruses
  – Independent: Bacteria, Worms, Zombie
  – Replicate: Viruses, Bacteria, Worms

Slide 15: Definitions
- Virus: code that copies itself into other programs.
- Bacteria: replicates until it fills all disk space or CPU cycles.
- Payload: the harmful things the malicious program does, after it has had time to spread.
- Worm: a program that replicates itself across the network (usually riding on email messages or attached documents, e.g. macro viruses).

Slide 16: Definitions
- Trojan horse: instructions in an otherwise good program that cause bad things to happen (e.g. sending your data or password to an attacker over the net).
- Logic bomb: malicious code that activates on an event (e.g. a date).
- Trap door (or back door): an undocumented entry point written into code for debugging that can allow unwanted users in.
- Easter egg: extraneous code that does something "cool"; a way for programmers to show that they control the product.

Slide 17: What is a Virus?
- A program that is designed to explore or exploit the security of a system
- Originally designed to perform useful functions, they were given the name "daemons"
- Daemons are independent processes that have a "life" of their own.
- Daemons run in the background of an operating system and perform specified operations at predefined times or in response to certain events.

Slide 18: Common Vectors of Infection
- Removable media (floppy disk, CD-ROM)
- Network connections (LAN, WAN and Internet)
  – Email (most common)
  – WWW (becoming more common, e.g. Nimda)
  – FTP (rare)

Slide 19: The Daemon Evolves
- A daemon can be used to "retrieve" passwords or other secure information and send them to an unauthorised user or third party.
- Viruses have further evolved over time, and exhibit similar strategies to their biological namesakes.

Slide 20: Boot Sector Infection
- Infects the boot sector of a floppy disk
- Manually transferred by users sharing files via floppy disk media
- Example: "The Brain Virus" (first recorded MS-DOS virus)

Slide 21: Basic or Overwriting Viruses/Worms
- Begin by infecting a single file
- May take residence in memory
- Spread without any attempt to evade detection
- Usually limited to a single host
- Examples: the "Jerusalem" and Melissa (I Love You) viruses

Slide 22: Trojan or Malware Viruses
- Comprise a carrier and a payload
- Disguise themselves as a harmless file or even a "useful" program
- Payload is triggered by either an internal counter or an external trigger
- Example: Michelangelo virus

Slide 23: Polymorphic or Mutating Viruses
- Attempt to evade detection by changing their shape and size randomly
- May employ tactics such as encryption
- May also have retro-virus characteristics
- Example: W32.Magistr email worm

Slide 24: Multipartite Viruses
- Combine file infection with MBR infection
- Employ anti-detection measures such as stealth, encryption, retro-virus and Trojan-type behaviours
- These viruses are the most sophisticated of all and therefore carry the greatest potential to damage data
- Example: W95.Babylonia Y2K virus (masqueraded as a Y2K fix)

Slide 25: Viruses
- A piece of self-replicating code attached to some other code
  – cf. a biological virus
- Both propagates itself and carries a payload
  – carries code to make copies of itself
  – as well as code to perform some covert task

Slide 26: Virus Phases
- Dormant phase: the virus is idle
- Propagation phase: the virus places an identical copy of itself into other programs
- Triggering phase: the virus is activated to perform the function for which it was intended
- Execution phase: the function is performed

Slide 27: Virus Protection
- Have a well-known virus protection program, configured to scan disks and downloads automatically for known viruses.
- Do not execute programs (or "macros") from unknown sources (e.g. PS files, HyperCard files, MS Office documents).
- Avoid the most common operating systems and email programs, if possible.

Slide 28: Virus Operation
- Virus phases:
  – dormant: waiting on a trigger event
  – propagation: replicating to programs/disks
  – triggering: by an event, to execute the payload
  – execution: of the payload
- Details are usually machine/OS specific
  – exploiting features/weaknesses

Slide 29: Types of Viruses
- Parasitic virus: attaches itself to executable files as part of their code. Runs whenever the host program runs.
- Memory-resident virus: lodges in main memory as part of the resident operating system.
- Boot sector virus: infects the boot sector of a disk, and spreads when the operating system boots up (original DOS viruses).
- Stealth virus: explicitly designed to hide from virus scanning programs.
- Polymorphic virus: mutates with every new host to prevent signature detection.

Slide 30: Types of Viruses
- Can classify on the basis of how they attack:
  – parasitic virus
  – memory-resident virus
  – boot sector virus
  – stealth virus
  – polymorphic virus
  – macro virus

Slide 31: Email Virus
- Spread using email with an attachment containing a macro virus
  – cf. Melissa
- Triggered when the user opens the attachment or, worse, even when the mail is viewed, by using scripting features in the mail agent
- Usually targeted at the Microsoft Outlook mail agent and Word/Excel documents

Slide 32: Worms
- Replicating but not infecting program
- Typically spreads over a network
  – cf. the Morris Internet Worm in 1988
  – led to the creation of CERTs
- Uses users' distributed privileges or exploits system vulnerabilities
- Widely used by hackers to create zombie PCs, subsequently used for further attacks, esp. DoS
- Major issue is the lack of security of permanently connected systems, esp. PCs

Slide 33: Worm Operation
- Worm phases like those of viruses:
  – dormant
  – propagation
    - search for other systems to infect
    - establish connection to target remote system
    - replicate self onto remote system
  – triggering
  – execution

Slide 34: Logic Bomb
- One of the oldest types of malicious software
- Code embedded in a legitimate program
- Activated when specified conditions are met
  – e.g. presence/absence of some file
  – particular date/time
  – particular user
- When triggered, typically damages the system
  – modify/delete files/disks

Slide 35: Trojan Horse
- Program with hidden side-effects which is usually superficially attractive
  – e.g. game, software upgrade, etc.
- When run, performs some additional tasks
  – allows the attacker to indirectly gain access they do not have directly
- Often used to propagate a virus/worm or install a backdoor, or simply to destroy data

Slide 36: Zombie
- Program which secretly takes over another networked computer
- Then uses it to indirectly launch attacks
- Often used to launch distributed denial of service (DDoS) attacks
- Exploits known flaws in network systems

Slide 37: Virus Countermeasures
- Viral attacks exploit the lack of integrity control on systems
- To defend, need to add such controls
- Typically by one or more of:
  – prevention: block the virus infection mechanism
  – detection: of viruses in an infected system
  – reaction: restoring the system to a clean state

Slide 38: Anti-Virus Software
- First generation
  – scanner uses a virus signature to identify the virus
  – or a change in length of programs
- Second generation
  – uses heuristic rules to spot viral infection
  – or uses program checksums to spot changes
- Third generation
  – memory-resident programs identify a virus by its actions
- Fourth generation
  – packages with a variety of antivirus techniques
  – e.g. scanning & activity traps, access controls

Slide 39: Antivirus Approaches
- 1st generation, scanners: searched files for any of a library of known virus "signatures". Checked executable files for length changes.
- 2nd generation, heuristic scanners: look for more general signs than specific signatures (code segments common to many viruses). Checked files for checksum or hash changes.
- 3rd generation, activity traps: stay resident in memory and look for certain patterns of software behavior (e.g. scanning files).
- 4th generation, full featured: combine the best of the techniques above.
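An added illustration of the first- and second-generation approaches on slides 38 and 39 (example code written here, not part of the lecture): a signature scanner over a constructed, hypothetical signature library, beside a length-plus-SHA-256 baseline check. The demo baselines a constructed "clean" executable and then appends bytes that match no signature, which is the case the checksum approach catches and the signature scanner misses. All file names, signature names and byte patterns are assumptions.

```python
import hashlib
import os
import tempfile

# Constructed demo signature library: placeholder byte patterns standing in
# for known-virus signatures (hypothetical, not real malware signatures).
SIGNATURES = {
    "Demo.Sig.A": b"\xde\xad\xbe\xef\x90\x90",
    "Demo.Sig.B": b"DEMO-SIGNATURE-PATTERN",
}

def scan_signatures(data):
    """First generation: report every known signature found in the file bytes."""
    return [name for name, sig in SIGNATURES.items() if sig in data]

def build_baseline(paths):
    """Second generation: record length and SHA-256 of each file while clean."""
    baseline = {}
    for path in paths:
        with open(path, "rb") as f:
            data = f.read()
        baseline[path] = (len(data), hashlib.sha256(data).hexdigest())
    return baseline

def check_integrity(baseline):
    """Return the names of files whose length or hash no longer matches."""
    changed = []
    for path, (length, digest) in baseline.items():
        with open(path, "rb") as f:
            data = f.read()
        if len(data) != length or hashlib.sha256(data).hexdigest() != digest:
            changed.append(os.path.basename(path))
    return changed

def demo():
    """Baseline a constructed 'clean' binary, then simulate a parasitic append."""
    with tempfile.TemporaryDirectory() as workdir:
        host = os.path.join(workdir, "host.exe")
        with open(host, "wb") as f:
            f.write(b"MZ" + b"\x00" * 64)  # constructed stand-in for a clean binary
        baseline = build_baseline([host])
        with open(host, "ab") as f:
            f.write(b"\xcc" * 16)  # appended bytes that match nothing in SIGNATURES
        with open(host, "rb") as f:
            sig_hits = scan_signatures(f.read())
        return sig_hits, check_integrity(baseline)
```

Running demo() returns an empty signature list but flags host.exe as changed; a polymorphic or novel infection evades the first check yet still alters length and hash.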

Slide 40: Advanced Antivirus Techniques
- Generic Decryption (GD)
  – CPU emulator
  – virus signature scanner
  – emulation control module
- For how long should a GD scanner run each interpretation?

Slide 41: Advanced Anti-Virus Techniques
- Generic decryption
  – use a CPU simulator to check program signature & behaviour before actually running it
- Digital immune system (IBM)
  – general-purpose emulation & virus detection
  – any virus entering the organisation is captured, analysed, detection/shielding created for it, removed

Slide 42: Advanced Antivirus Techniques

Slide 43: Behavior-Blocking Software
- Integrated with the host OS
- Monitors program behavior in real time
  – e.g. file access, disk format, executable modifications, system settings changes, network access
- For possibly malicious actions
  – if detected, can block, terminate, or seek OK
- Has an advantage over scanners, but malicious code runs before detection
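An added example of the behavior-blocking idea on slide 43 (written here, not the lecture's code): a small rule engine scores a constructed stream of process events covering the behaviours the slide lists (file access, executable modification, settings changes, network access, disk format) and decides per event whether to allow, ask the user, terminate or block. The ask_user verdict on the executable write shows the slide's caveat that the action has already run by the time the behaviour is noticed. All events, rule names, weights and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed event stream as a host-integrated monitor might report it:
# (process id, action, target). Made-up sample events, not real telemetry.
EVENTS = [
    (101, "file_write", "C:/Users/alice/report.doc"),
    (202, "file_write", "C:/Windows/System32/helper.dll"),
    (202, "registry_write", "HKLM/Software/Microsoft/Windows/CurrentVersion/Run"),
    (202, "network_connect", "203.0.113.5:6667"),
    (303, "disk_format", "D:"),
]

# Assumed weights for the behaviours the slide lists; each adds to a per-process score.
RULES = {
    "disk_format": 100,            # destructive: blocked outright
    "file_write_executable": 40,   # executable modification (.exe/.dll/.sys)
    "registry_write_autorun": 30,  # system settings change (autorun key)
}
ASK_AT, TERMINATE_AT = 30, 60  # thresholds for "seek ok" and for termination

def classify(action, target):
    # Map a raw event onto a rule name, or None if it is not a monitored behaviour.
    t = target.lower()
    if action == "file_write" and t.endswith((".exe", ".dll", ".sys")):
        return "file_write_executable"
    if action == "registry_write" and t.endswith("/run"):
        return "registry_write_autorun"
    return action if action in RULES else None

def run_monitor(events):
    """Score events in arrival order; return a (decision, pid, action) per event."""
    score, stopped, decisions = defaultdict(int), set(), []
    for pid, action, target in events:
        rule = classify(action, target)
        if rule is not None:
            score[pid] += RULES[rule]
        if pid in stopped:
            decision = "terminated"    # process already killed; event dropped
        elif rule is None:
            decision = "allow"
        elif rule == "disk_format":
            decision = "block"
        elif score[pid] >= TERMINATE_AT:
            stopped.add(pid)
            decision = "terminate"
        elif score[pid] >= ASK_AT:
            decision = "ask_user"      # the write itself has already happened
        else:
            decision = "allow"
        decisions.append((decision, pid, action))
    return decisions
```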

Slide 44: Recommended Reading and Web Sites
- Denning, P. Computers Under Attack: Intruders, Worms, and Viruses. Addison-Wesley, 1990
- CERT Coordination Center (web site)
- AntiVirus Online (IBM's site)

