Presentation is loading. Please wait.

Presentation is loading. Please wait.

ITD 2323 Lesson 3 – Viruses and other Malicious Codes Prepared by Izwan Suhadak Ishak Lecturer FITM, UNISEL.

Published byBrendan Jenkins Modified over 8 years ago

Similar presentations

Presentation on theme: "ITD 2323 Lesson 3 – Viruses and other Malicious Codes Prepared by Izwan Suhadak Ishak Lecturer FITM, UNISEL."— Presentation transcript:

1 ITD 2323 Lesson 3 – Viruses and other Malicious Codes Prepared by Izwan Suhadak Ishak Lecturer FITM, UNISEL

2 Introduction Programs are seldom security threats Programs operate on data, taking actions only when data and state changes trigger Program are invisible, even what they are doing Malicious people make programs serve as vehicle to access and change data

3 Why worry about this? We don’t like the unexpected Malicious codes (programs) behave in unexpected ways INSTALL or SETUP command in a software does a lot of things: create files, delete files, rename files – hopefully they are doing the ‘right’ things

4 Malicious codes do much HARM! What can they do? Write a message on the screen Stop a running program Generate a sound Erase a file… and many others Oh, and they can just WAIT! Planted to lie dormant (at first!) Undetected, UNTIL some event triggers

5 …continued Triggering factors: Time, date, interval Event, condition, count, combination or random Runs under user’s authority – without our knowledge!

6 Types of Malicious Program Malicious Program Needs hosts program Trapdoor Logic Bombs Trojan Horse Virus Independent ZombieWorms REPLICATE

7 Kinds of Malicious Code Malicious code or rogue program General name of unanticipated or undesired effects in programs or parts, caused by an agent intent on damage Eliminates unintentional errors Excludes coincidence Agent: writer of program or person who causes its distribution

8 …continued… Virus: program than can pass on malicious code to other nonmalicious programs by modifying them Can be transient or resident Transient: virus has a life that depends on host, start and ends when the host is running Resident: locates itself in memory – can remain active or be activated as a stand-alone program

9 …continued… Trojan Horse: keeps some information for later malicious use Logic Bomb: ‘detonates’ or goes off when a specified condition occurs Time Bomb: logic bomb whose trigger is date or time Trapdoor (aka Backdoor): a feature in a program where someone can access the program other than by the normal direct call. Could be done intentionally or for maintenance purpose

10 …continued Worm: spread copies of itself through network Spread copies as a stand-alone program Rabbit: self-replicates without bound Intention is to exhaust computing resources

11 In short… Code TypeCharacteristics VirusAttaches itself to program and propagates copies of itself to other programs Trojan HorseContains unexpected, additional functionality Logic BombTriggers action when condition occurs Time BombTriggers action when specified time occurs TrapdoorAllows unauthorized access to functionality WormPropagates copies of itself through network RabbitReplicates itself without limit to exhaust resource

12 How Viruses Attach? Virus will start doing its dirty work or activated by being executed E.g. during installation, virus could install itself on a harddisk, and also in any and all executing programs in memory That’s the only time a virus needs human intervention, the rest, it can do it on its own

13 …continued A more common mean of activation is as an attachment to an email message Attachments usually have.exe, therefore NEVER NEVER NEVER EVER open up an attachment of an email from unknown senders!!!! (or even known, you can never know..)

14 Logic Bomb Also called: Slag Code A programming code, inserted/embedded intentionally in a legitimate program, and it is set to execute (or ‘explode’) when certain conditions are met Triggers action when specified time occurs ‘Explosion’, may be designed to erase files, delete files, shut down system, display messages, etc. Example: “Friday the 13th” – duplicated itself every Friday and 13th of the month to cause system shutdown Millennium Time Bomb – design to take advantage of concern over Y2K

15 Trojan Horse A hidden code that performs unexpected or unauthorized actions Main difference between trojan horse and virus is the inability of trojan horse to replicate itself Example: Change protection code of other user’s files Used in a compiler to insert codes when certain programs are compiled, this is hard to detect Collect passwords of a user

16 Zombie A program secretly takes over another Internet-attached computer and then uses that computer to launch attacks that are difficult to trace the zombie’s creator Used in DoS (denial-of-service) attacks, typically against targeted websites Planted on hundreds of computers belonging to unsuspecting third parties. They are used to overload target by launching a lot of network traffic E.g.: Trinoo is an attack tool released in late Dec ’99 that performs a distributed DoS attack

17 Appended to program Original Program += Original Program Virus Code Virus Code

18 Virus Surrounding a Program Original Program Virus Code Physically Original Program Virus Code (Pt A) Virus Code (Pt B)

19 Integrated Viruses Modified Program Original Program += Virus Code

20 Home for viruses Virus writer find these qualities appealing It is hard to detect It is not easily destroyed or deactivated It spreads infection widely It can reinfect its home program or other programs It is easy to create It is machine independent and operating system independent

21 Boot Sector Virus Formerly a fairly popular type Control begins when computer is started Virus breaks the chain in the bootstrap loader and usually before any detection tools are active to avoid detection

22 Memory-Resident Virus Happens after booting is done Happens usually when routine codes are executed, like interpreting keys pressed, codes that handle error condition, etc. Virus writers attach viruses to these routine codes because it can just be done SO MANY TIMES!!!

23 Other homes Application programs Usually stored in macros Libraries A good place to stay ;) Shared by many, can infect many too! Other transmission media Compilers, loaders, linkers, runtime monitors, runtime debuggers, even virus control programs!

24 Prevention Do not share executable code with an infected source Use only commercial software acquired from reliable, well- established vendors Test all new software on an isolated computer Open attachments only when you know them to be safe Make recoverable system image and store it safely Make and retain backup copies of executable system files Use virus detectors (or virus scanners) regularly and update them daily

25 Truths and Misconceptions Viruses can infect only Microsoft Windows system – FALSE! Viruses can modify ‘hidden’ or ‘read-only’ files – TRUE! Viruses can appear only in data files, or only in Word documents, or only in programs – FALSE!

26 …continued… Viruses spread only on disks or only in email – FALSE! Viruses cannot remain in memory after a complete power off/power on reboot – TRUE! Viruses cannot infect hardware – TRUE! Viruses can be malevolent (nasty!), benign (not bad), or benevolent (not bad too) – TRUE!

27 Targeted Malicious Codes Trapdoor – undocumented entry point to a module Inserted during code development, maybe to test on a module, to provide ‘hooks’ by which to connect future modifications or enhancements, or to allow access if module should fail in the future Verdict: trapdoors allow a programmer access to a program once it is placed in production

28 Examples of trapdoors Complex computing system are hard to develop and test Programmers usually test module by module, called unit testing Then all components are ‘added’ to make an integration testing Programmers tend to bypass certain processes and add in additional codes to ‘make life easier’

29 Causes of trapdoors Developers usually remove trapdoors (or the ‘additional codes’ made during testing phase However, trapdoors can persist in production programs because programmers: FORGET to remove them Intentionally leave them in the program for testing Intentionally leave them in the program for maintenance of the finished program, or Intentionally leave them in the program as a covert (hidden, secret) means of access to the component after it becomes an accepted part of a production system

30 Additional information Types of viruses Boot viruses: These viruses infect floppy disk boot records or master boot records in hard disks. They replace the boot record program (which is responsible for loading the operating system in memory) copying it elsewhere on the disk or overwriting it. Boot viruses load into memory if the computer tries to read the disk while it is booting. Examples: Form, Disk Killer, Michelangelo, and Stone virus Program viruses: These infect executable program files, such as those with extensions like.BIN,.COM,.EXE,.OVL,.DRV (driver) and.SYS (device driver). These programs are loaded in memory during execution, taking the virus with them. The virus becomes active in memory, making copies of itself and infecting files on disk. Examples: Sunday, Cascade

31 …continued… Multipartite viruses: A hybrid of Boot and Program viruses. They infect program files and when the infected program is executed, these viruses infect the boot record. When you boot the computer next time the virus from the boot record loads in memory and then starts infecting other program files on disk. Examples: Invader, Flip, and Tequila Stealth viruses: These viruses use certain techniques to avoid detection. They may either redirect the disk head to read another sector instead of the one in which they reside or they may alter the reading of the infected file’s size shown in the directory listing. For instance, the Whale virus adds 9216 bytes to an infected file; then the virus subtracts the same number of bytes (9216) from the size given in the directory. Examples: Frodo, Joshi, Whale

32 …continued… Polymorphic viruses: A virus that can encrypt its code in different ways so that it appears differently in each infection. These viruses are more difficult to detect. Examples: Involuntary, Stimulate, Cascade, Phoenix, Evil, Proud, Virus 101 Macro Viruses: A macro virus is a new type of computer virus that infects the macros within a document or template. When you open a word processing or spreadsheet document, the macro virus is activated and it infects the Normal template (Normal.dot)-a general purpose file that stores default document formatting settings. Every document you open refers to the Normal template, and hence gets infected with the macro virus. Since this virus attaches itself to documents, the infection can spread if such documents are opened on other computers. Examples: DMV, Nuclear, Word Concept.

33 …continued Active X: ActiveX and Java controls will soon be the scourge of computing. Most people do not know how to control there web browser to enable or disable the various functions like playing sound or video and so, by default, leave a nice big hole in the security by allowing applets free run into there machine. There has been a lot of commotion behind this and with the amount of power that JAVA imparts, things from the security angle seem a bit gloom.

34 Parting words… Bonne chance dans tes examens la semaine prochaine Good Luck in your exams next week

35 A la prochaine fois See you next time

Download ppt "ITD 2323 Lesson 3 – Viruses and other Malicious Codes Prepared by Izwan Suhadak Ishak Lecturer FITM, UNISEL."

Similar presentations

Higher Computing Computer Systems S. McCrossan Higher Grade Computing Studies 8. Supporting Software 1 Software Compatibility Whether you are doing a fresh.

Higher Computing Computer Systems S. McCrossan Higher Grade Computing Studies 8. Supporting Software 1 Software Compatibility Whether you are doing a fresh.
Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
30/04/2015Tim S Roberts 20081 COIT13152 Operating Systems T1, 2008 Tim S Roberts.

30/04/2015Tim S Roberts COIT13152 Operating Systems T1, 2008 Tim S Roberts.
Dr. John P. Abraham Professor UTPA 2 – Systems Threats and Risks.

Dr. John P. Abraham Professor UTPA 2 – Systems Threats and Risks.
Lecturer: Fadwa Tlaelan

Lecturer: Fadwa Tlaelan
Chapter 3 (Part 1) Network Security

Chapter 3 (Part 1) Network Security
Network Security Philadelphia UniversitylAhmad Al-Ghoul 2010-20111 Module 5 Program Security  MModified by :Ahmad Al Ghoul  PPhiladelphia University.

Network Security Philadelphia UniversitylAhmad Al-Ghoul Module 5 Program Security  MModified by :Ahmad Al Ghoul  PPhiladelphia University.
Unit 18 Data Security 1.

Unit 18 Data Security 1.
ITMS- 3153 Information Systems Security 1. Malicious Code Malicious code or rogue program is the general name for unanticipated or undesired effects in.

ITMS Information Systems Security 1. Malicious Code Malicious code or rogue program is the general name for unanticipated or undesired effects in.
________________ CS3235, Nov 2002 Viruses Adapted from Pfleeger[Chap 5]. A virus is a program [fragment] that can pass on malicious code [usually itself]

________________ CS3235, Nov 2002 Viruses Adapted from Pfleeger[Chap 5]. A virus is a program [fragment] that can pass on malicious code [usually itself]
Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,

Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Lecture 15 Overview. Kinds of Malicious Codes Virus: a program that attaches copies of itself into other programs. – Propagates and performs some unwanted.

Lecture 15 Overview. Kinds of Malicious Codes Virus: a program that attaches copies of itself into other programs. – Propagates and performs some unwanted.
1 Computer Viruses (and other “Malicious Programs) Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

1 Computer Viruses (and other “Malicious Programs) Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
Created by Dragon Lee May-2003. Computer Virus What is computer virus? Computer virus refers to a program which damages computer systems and/or destroys.

Created by Dragon Lee May Computer Virus What is computer virus? Computer virus refers to a program which damages computer systems and/or destroys.
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
Video Following is a video of what can happen if you don’t update your security settings! security.

Video Following is a video of what can happen if you don’t update your security settings! security.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Chapter 15: Security (Part 1). The Security Problem Security must consider external environment of the system, and protect the system resources Intruders.

Chapter 15: Security (Part 1). The Security Problem Security must consider external environment of the system, and protect the system resources Intruders.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)

Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)

Similar presentations

Ads by Google