MALICIOUS SOFTWARE

Overview
• Introduction
• Types of Malicious Software
  o Backdoor/Trapdoor
  o Logic Bomb
  o Trojan Horse
• Virus
  o Nature of viruses
  o Types of viruses
• Virus Countermeasures
  o Anti-virus approach
  o Anti-virus technique
• Worm
• DDoS Attack
  o DDoS Description
  o Construction of Attack

Program Definition
• A computer program tells a computer what to do and how to do it.
• Computer viruses, network worms and Trojan horses are computer programs.

Malicious software?
• Malicious Software (Malware) is software that is included or inserted in a system for harmful purposes.
• OR: Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do.

The Malware Zoo
• Backdoor
• Logic Bomb
• Trojan horse
• Virus
• Worm
• Scareware
• Adware

Taxonomy of Malicious Programs
• Malicious Programs
  – Need Host Program: Trapdoors, Logic Bombs, Trojan Horses, Viruses
  – Independent: Zombies, Worms
• Most current malicious code mixes all capabilities

Motivation
• Why does malicious code exist?

What is it good for?
• Steal personal information
• Delete files
• Click fraud
• Steal software serial numbers

What to Infect
• Executable
• Interpreted file
• Kernel
• Service
• MBR

Auto start
• Folder auto-start
• Win.ini: run=[backdoor] or load=[backdoor]
• System.ini: shell="myexplorer.exe"
• Autoexec.bat
• Config.sys
• Init.d

Auto start
• Assign a known extension (.doc) to the malware
• Add a Registry key such as HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• Add a task in the task scheduler
• Run as a service

Setting it up to the entire web
• 1.3% of the incoming search queries to Google returned at least one malware site
• Visit sites with an army of browsers in VMs, check for changes to the local system
• Indicate potentially harmful sites in search results

Shared folder

Email propagation

Email again

Fake page!

P2P Files
• 35.5% malware

Backdoor or Trapdoor
• Secret entry point into a program
• Allows those who know it to gain access, bypassing the usual security procedures
• Remains hidden to casual inspection
• Can be a new program to be installed
• Can modify an existing program
• Trap doors can provide access to a system for unauthorized procedures
• Very hard to block in the O/S

Trap Door Example
(a) Normal code.
(b) Code with a trapdoor inserted.

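The figure itself is not reproduced in the text. As an added example (not the lecture's own code), two constructed Python versions of a password check stand in for (a) and (b), followed by a small review check built on Python's `ast` module that flags the trapdoor pattern: an authentication parameter compared against a fixed string literal. The helper names `lookup_user` and `hash_password` and the sample value `"zzzzz"` are assumptions.

```python
import ast

# Constructed stand-in for figure (a): the caller is accepted only if the stored
# password hash matches. lookup_user / hash_password are assumed helpers.
NORMAL_SOURCE = '''
def check_password(name, password):
    entry = lookup_user(name)
    if entry is None:
        return False
    return entry.password_hash == hash_password(password)
'''

# Constructed stand-in for figure (b): one extra comparison lets a fixed user name
# in without any password at all. "zzzzz" is an arbitrary sample value.
TRAPDOOR_SOURCE = '''
def check_password(name, password):
    entry = lookup_user(name)
    if name == "zzzzz":
        return True
    if entry is None:
        return False
    return entry.password_hash == hash_password(password)
'''

# Parameter names that, in a review, should never be compared to a literal.
AUTH_PARAMS = ("name", "user", "username", "login", "password")


def find_hardcoded_param_compares(source, param_names=AUTH_PARAMS):
    """Return (function, line, parameter, literal) for every comparison between an
    authentication-related parameter and a string literal inside any function.

    A trapdoor of the kind on the slide is exactly such a comparison: the function
    short-circuits when the caller supplies one fixed value. Note the check is a
    review aid, not a proof of absence: a trapdoor can hide behind a computed value."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        watched = {arg.arg for arg in func.args.args} & set(param_names)
        if not watched:
            continue
        for node in ast.walk(func):
            if not isinstance(node, ast.Compare):
                continue
            operands = [node.left, *node.comparators]
            params = sorted(op.id for op in operands
                            if isinstance(op, ast.Name) and op.id in watched)
            literals = [op.value for op in operands
                        if isinstance(op, ast.Constant) and isinstance(op.value, str)]
            if params and literals:
                findings.append((func.name, node.lineno, params[0], literals[0]))
    return findings


def looks_clean(source):
    """True when the review check reports nothing."""
    return not find_hardcoded_param_compares(source)


if __name__ == "__main__":
    for label, src in (("normal", NORMAL_SOURCE), ("trapdoor", TRAPDOOR_SOURCE)):
        print(label, find_hardcoded_param_compares(src))
```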
Logic Bomb
• One of the oldest types of malicious software
• A piece of code that executes itself when pre-defined conditions are met
• Logic bombs that execute on certain days are known as time bombs
• Activated when the specified conditions are met
  – E.g., presence/absence of some file
  – particular date/time
  – particular user
• When triggered, typically damages the system
  – modify/delete files/disks, halt the machine, etc.

Tracing Logic Bombs
• Searching – even the most experienced programmers have trouble erasing all traces of their code
• Knowledge – it is important to understand the underlying system functions, the hardware, the hardware/software/firmware/operating system interface, and the communications functions inside and outside the computer
• Tools for data recovery, duplication and verification

Trojan Horse
• A Trojan horse is a malicious program that is disguised as authentic, real and genuine software.
• Like the gift horse left outside the gates of Troy by the Greeks, Trojan horses appear to be useful or interesting to an unsuspecting user, but are actually harmful.

Trojan Percentage

What Trojans can do?
• Erase or overwrite data on a computer
• Spread other viruses or install a backdoor; in this case the Trojan horse is called a 'dropper'
• Set up networks of zombie computers in order to launch DDoS attacks or send spam
• Log keystrokes to steal information such as passwords and credit card numbers (known as a key logger)
• Phish for bank or other account details, which can be used for criminal activities
• Or simply destroy data
• Mail the password file

How can you be infected?
• Websites: You can be infected by visiting a rogue website. Internet Explorer is most often targeted by makers of Trojans and other pests. Even when using a secure web browser such as Mozilla's Firefox, if Java is enabled your computer has the potential of receiving a Trojan horse.
• Instant messaging: Many get infected through files sent through various messengers. This is due to an extreme lack of security in some instant messengers, such as AOL's instant messenger.
• E-mail: Attachments on e-mail messages may contain Trojans. Trojan horses via SMTP.

Sample Delivery
• The attacker will attach the Trojan to an e-mail with an enticing header.
• The Trojan horse is typically a Windows executable program file, and must have an executable file extension such as .exe, .com, .scr, .bat, or .pif. Since Windows is configured by default to hide extensions from a user, the Trojan horse's extension might be "masked" by giving it a name such as 'Readme.txt.exe'. With file extensions hidden, the user would only see 'Readme.txt' and could mistake it for a harmless text file.

Where They Live? (1)
• Autostart Folder
  The Autostart folder is located in C:\Windows\Start Menu\Programs\Startup and, as its name suggests, automatically starts everything placed there.
• Win.ini
  Windows system file; load=Trojan.exe and run=Trojan.exe execute the Trojan
• System.ini
  Shell=Explorer.exe trojan.exe results in the execution of every file listed after Explorer.exe
• Wininit.ini
  Mostly used by setup programs; once run, it is auto-deleted, which is very handy for Trojans to restart

Where They Live? (2)
• Winstart.bat
  Acting as a normal .bat file, the Trojan is added as @trojan.exe to hide its execution from the user
• Autoexec.bat
  A DOS auto-starting file, used as an auto-starting method like this: c:\Trojan.exe
• Config.sys
  Could also be used as an auto-starting method for Trojans
• Explorer Startup
  An auto-starting method for Windows 95, 98, ME, XP: if c:\explorer.exe exists, it will be started instead of the usual c:\Windows\Explorer.exe, which is the common path to the file.

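One way to audit the Win.ini and System.ini persistence points named on the two slides above, as an added example that is not from the lecture: parse the files and report any run=/load= value and anything on the [boot] shell= line beyond Explorer.exe. The INI contents are constructed samples; the file names and section/key names are the standard ones the slides refer to.

```python
import configparser
import io

# Constructed samples (not from the lecture): a clean pair and a pair carrying the
# run=/load=/shell= persistence the slides describe.
CLEAN_WIN_INI = """[windows]
load=
run=
"""
CLEAN_SYSTEM_INI = """[boot]
shell=Explorer.exe
"""
SUSPECT_WIN_INI = """[windows]
load=C:\\WINDOWS\\trojan.exe
run=
"""
SUSPECT_SYSTEM_INI = """[boot]
shell=Explorer.exe trojan.exe
"""

EXPECTED_SHELL = "explorer.exe"   # the only program that belongs on the shell= line


def _parse(text):
    # configparser understands the INI layout; interpolation is off so '%' in
    # paths is harmless, and strict=False tolerates duplicated keys.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_file(io.StringIO(text))
    return parser


def audit_win_ini(text):
    """Return [(key, value)] for every [windows] load=/run= entry that launches
    anything. On a clean system both keys are empty."""
    parser = _parse(text)
    findings = []
    for key in ("load", "run"):
        value = parser.get("windows", key, fallback="").strip()
        if value:
            findings.append((key, value))
    return findings


def audit_system_ini(text):
    """Return findings for the [boot] shell= line: ('shell', program) when the shell
    itself is not Explorer.exe, and ('shell-extra', program) for each additional
    program appended after it, which Windows would start as well."""
    shell = _parse(text).get("boot", "shell", fallback="").strip()
    tokens = shell.split()
    findings = []
    if not tokens:
        return findings
    # compare only the file name so a full path to Explorer.exe still passes
    if tokens[0].lower().rsplit("\\", 1)[-1] != EXPECTED_SHELL:
        findings.append(("shell", tokens[0]))
    findings.extend(("shell-extra", extra) for extra in tokens[1:])
    return findings


def audit_persistence(win_ini_text, system_ini_text):
    """Combine both checks into one list of (file, key, value)."""
    return ([("win.ini", k, v) for k, v in audit_win_ini(win_ini_text)]
            + [("system.ini", k, v) for k, v in audit_system_ini(system_ini_text)])


if __name__ == "__main__":
    print(audit_persistence(CLEAN_WIN_INI, CLEAN_SYSTEM_INI))
    print(audit_persistence(SUSPECT_WIN_INI, SUSPECT_SYSTEM_INI))
```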
What does the attacker want?
• Credit card information (often used for domain registration, shopping with your credit card)
• Any account data (e-mail passwords, login passwords, web services passwords, etc.)
• E-mail addresses (might be used for spamming, as explained above)
• Work projects (steal your presentations and work-related papers)
• School work (steal your papers and publish them with his/her name on them)

Stopping the Trojan …
The Horse must be "invited in" ….
How does it get in? By:
• Downloading a file
• Installing a program
• Opening an attachment
• Opening bogus Web pages
• Copying a file from someone else

Virus
• Self-replicating code
• Attaches itself to another program and executes secretly when the host program is executed
• Hidden action
  – Generally tries to remain undetected
• Operates when the infected code is executed:
    if spread-condition then
        for each target file:
            if not already infected then alter it to include the virus
    perform malicious action
    execute normal program

Virus Structure

Types of Viruses
• Parasitic Virus – attaches itself to executable files as part of their code. Runs whenever the host program runs.
• Memory-resident Virus – lodges in main memory as part of the resident operating system.
• Boot Sector Virus – infects the boot sector of a disk, and spreads when the operating system boots up (original DOS viruses).
• Stealth Virus – explicitly designed to hide from virus scanning programs.
• Polymorphic Virus – mutates with every new host to prevent signature detection.
• The application then runs normally.

Virus Phases
• Dormant phase – the virus is idle
• Propagation phase – the virus places an identical copy of itself into other programs
• Triggering phase – the virus is activated to perform the function for which it was intended
• Execution phase – the function is performed

Email Virus
• Moves around in e-mail messages
• Triggered when the user opens the attachment
• Hence propagates very quickly
• Replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book

Examples of risky file types
• The following file types should never be opened if…
  – .EXE
  – .PIF
  – .BAT
  – .VBS
  – .COM

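A mail-gateway style check for the two slides on risky attachments ("Sample Delivery" above and the file-type list here), as an added example that is not from the lecture: it blocks the executable extensions the slides list, shows what a double-extension name like Readme.txt.exe looks like once Windows hides known extensions, and normalises trailing dots and spaces, which Windows ignores in file names. The attachment names are constructed samples.

```python
# Extensions named on the two slides; the final extension is what Windows executes.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".bat", ".pif", ".vbs"}


def normalize(filename):
    """Windows ignores trailing dots and spaces, so 'Readme.txt.exe . ' is still an .exe."""
    return filename.strip().rstrip(". ").lower()


def extensions(filename):
    """All extensions in order, e.g. 'Readme.txt.exe' -> ['.txt', '.exe']."""
    parts = normalize(filename).split(".")
    return ["." + part for part in parts[1:]] if len(parts) > 1 else []


def as_shown_with_hidden_extensions(filename):
    """What the user sees with 'hide extensions for known file types' on: the last
    extension is dropped, so 'Readme.txt.exe' is displayed as 'Readme.txt'."""
    name = filename.strip()
    base, dot, _ext = name.rpartition(".")
    return base if dot else name


def classify_attachment(filename):
    """Return ('block' | 'allow', reason) for one attachment name."""
    exts = extensions(filename)
    if not exts:
        return ("allow", "no extension")
    last = exts[-1]
    if last in EXECUTABLE_EXTENSIONS:
        if len(exts) > 1:
            shown = as_shown_with_hidden_extensions(filename)
            return ("block", f"double extension: shown as {shown!r}")
        return ("block", "executable attachment")
    return ("allow", last)


# Constructed attachment names for a quick triage run.
SAMPLE_ATTACHMENTS = ["Readme.txt.exe", "invoice.pdf", "setup.EXE", "photo.jpg.scr  ", "notes"]


def triage(filenames):
    """Classify a batch; returns [(name, verdict, reason)]."""
    return [(name,) + classify_attachment(name) for name in filenames]


if __name__ == "__main__":
    for row in triage(SAMPLE_ATTACHMENTS):
        print(row)
```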
How Viruses Work (1)
• Virus written in some language, e.g. C, C++, Assembly, etc.
• Inserted into another program
  – using a tool called a "dropper"
• Virus dormant until the program is executed
  – then infects other programs
  – eventually executes its "payload"

How Viruses Work (2)
• (a) An executable program
• (b) With a virus at the front
• (c) With the virus at the end
• (d) With a virus spread over free space within the program

Anti-virus
• It is not possible to build a perfect virus/malware detector.
• Analyze system behavior
• Analyze the binary to decide if it is a virus
• Types:
  – Scanner
  – Real-time monitor

Antivirus and Anti-Antivirus Techniques
(a) A program
(b) Infected program
(c) Compressed infected program
(d) Encrypted virus
(e) Compressed virus with encrypted compression code

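To make concrete why layout (d) and the polymorphic virus of the "Types of Viruses" slide defeat plain signature matching, and what a scanner does about it, here is an added example that is not from the lecture: the file layouts are modelled as constructed byte strings (no real sample, signature or executable code), a naive signature scan is compared with a scan that first undoes the encryption behind the constant decryptor stub, and two copies made with different keys are shown to share no signature while both are still caught.

```python
# Constructed byte strings that model the layouts in the figure; nothing here is a real
# sample, signature or scanner, and none of it is ever executed as code.
HOST = b"HOST-PROGRAM:do-useful-work;exit"
VIRUS_BODY = b"VIRUS-BODY:find-targets;copy-self;payload;jump-to-host"
SIGNATURE = b"copy-self;payload"     # bytes a scanner extracted from the plain body
DECRYPTOR_STUB = b"DECRYPT-STUB:"    # the small loop that has to stay in clear text


def xor_bytes(data, key):
    """Toy single-byte XOR standing in for the virus's encryption routine."""
    return bytes(b ^ key for b in data)


def layout_infected(host):
    """Figure (b): plain virus body placed in front of the program."""
    return VIRUS_BODY + host


def layout_encrypted(host, key):
    """Figure (d): clear-text decryptor, one-byte key, encrypted body, then the program.
    A different key per copy changes every body byte, which is what defeats a fixed
    signature; only the stub and the key slot stay constant."""
    return DECRYPTOR_STUB + bytes([key]) + xor_bytes(VIRUS_BODY, key) + host


def signature_scan(data, signature=SIGNATURE):
    """Naive scanner: exact byte-pattern match anywhere in the file."""
    return signature in data


def scan_with_decryption(data, signature=SIGNATURE, stub=DECRYPTOR_STUB):
    """Scanner aimed at the part the virus cannot hide: locate the constant stub, read
    the key it carries, undo the encryption of what follows, then apply the plain
    signature. This is the idea behind anti-virus generic decryption / emulation,
    reduced to the toy format above."""
    i = data.find(stub)
    if i < 0:
        return False
    key_pos = i + len(stub)
    if key_pos >= len(data):
        return False
    key = data[key_pos]
    return signature in xor_bytes(data[key_pos + 1:], key)


def detection_matrix(keys=(0x5A, 0x3C)):
    """Which scanner catches which layout, as a dict of booleans."""
    plain = layout_infected(HOST)
    encrypted = [layout_encrypted(HOST, k) for k in keys]
    return {
        "plain/signature": signature_scan(plain),
        "encrypted/signature": any(signature_scan(e) for e in encrypted),
        "encrypted/decrypting": all(scan_with_decryption(e) for e in encrypted),
        "copies_differ": len(set(encrypted)) == len(encrypted),
        "clean_host/decrypting": scan_with_decryption(HOST),
    }


if __name__ == "__main__":
    for case, caught in detection_matrix().items():
        print(f"{case:24s} {caught}")
```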
Popular Fallacies
• If I never log off then my computer can never get a virus
• If I lock my office door then my computer can never get a virus
• Microsoft will protect me

And a Few More
• I got this disc from my (boss, friend) so it must be okay
• You cannot get a virus by opening an attachment from someone you know
• But I only downloaded one file
• My friend who knows a lot about computers showed me this really cool site…

Zombie
• A program which secretly takes over another networked computer and forces it to run under a common command and control infrastructure.
• The attacker then uses it to indirectly launch attacks, e.g. DDoS, phishing, spamming, cracking (difficult to trace the zombie's creator)
• Infected computers, mostly Windows machines, are now the major delivery method of spam.
• Zombies have been used extensively to send e-mail spam; between 50% and 80% of all spam worldwide is now sent by zombie computers.

Worm
A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes and does so without any user intervention.

Comparison of Worm Features
1) Computer Virus: needs a host file; copies itself; executable
2) Network Worm: no host (self-contained); copies itself; executable
3) Trojan Horse: no host (self-contained); does not copy itself; imposter program

Worm: History
• Runs independently
  – Does not require a host program
• Propagates a fully working version of itself to other machines
• History
  – The Morris worm was one of the first worms distributed over the Internet
• Two examples
  – Morris – 1988
  – Slammer – 2003

Worm Operation
• A worm has phases like those of viruses:
  – Dormant (inactive; rest)
  – Propagation
    • search for other systems to infect
    • establish a connection to the target remote system
    • replicate self onto the remote system
  – Triggering
  – Execution

Morris Worm
• Best known classic worm
• Released by Robert Morris in 1988
• Targeted Unix systems
• Used several propagation techniques
• If any attack succeeded, it replicated itself

Slammer (Sapphire) Worm
• When
  – Jan 25 2003
• How
  – Exploited a buffer overflow in MS SQL
• Scale
  – At least 74,000 hosts
• Random scanning
  – Randomly selected IP addresses
• Cost
  – Caused ~ $2.6 billion in damage

Slammer Scale
The diameter of each circle is a function of the number of infected machines, so large circles visually under-represent the number of infected cases in order to minimize overlap with adjacent locations.

The worm itself …
• System load
  – Infection generates a number of processes
  – Password cracking uses lots of resources
  – Thousands of systems were shut down
• Tries to infect as many other hosts as possible
  – When the worm successfully connects, it leaves a child to continue the infection while the parent keeps trying new hosts
  – Finds targets using several mechanisms: 'netstat -r -n', /etc/hosts, …
• The worm did not:
  – Delete system files, modify existing files, install Trojan horses, record or transmit decrypted passwords, or capture superuser privileges

Adware

Scareware / Rogue / Fake antivirus

Typical Symptoms
• File deletion
• File corruption
• Visual effects
• Pop-ups
• Computer crashes
• Slow connection
• Spam relaying

No Sure Protection!
• Most attacks come from the INSIDE
• Keep secured logs of all code modifications
• Keep back-ups of all vital system information
• Install anti-virus software on computers (keep it current)
• Assume every disc, CD, etc. is suspect, no matter who gave it to you

Distributed Denial of Service
• A denial-of-service attack is an attack that causes a loss of service to users, typically the loss of network connectivity.
• Resources that can be exhausted: CPU, memory, network connectivity, network bandwidth, battery energy
• Hard to address, especially in distributed form

DDoS Mechanism
• Goal: make a service unusable.
• How: overload a server, router or network link by flooding it with useless traffic
• Focus: bandwidth attacks, using large numbers of "zombies"

How it works?
• The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system's legitimate users.
• Parameters of an attack:
  – Victim's IP address
  – Victim's port number
  – Attacking packet size
  – Attacking inter-packet delay
  – Duration of attack

Example 1
• Ping-of-death
  – An IP packet with a size larger than 65,536 bytes is illegal by the standard
  – Many operating systems did not know what to do when they received an oversized packet, so they froze, crashed or rebooted.
  – Routers forward each packet independently.
  – Routers don't know about connections.
  – Complexity is in the end hosts; routers are simple.

Example 2
• TCP handshake
• SYN Flood
  – A stream of TCP SYN packets directed to a listening TCP port at the victim
  – The victim host must allocate new data structures for each SYN request
  – Legitimate connections are denied while the victim machine is waiting to complete bogus "half-open" connections
  – Not a bandwidth consumption attack
• IP Spoofing

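An added example for the two DoS slides above (not from the lecture), written from the receiving side: a fragment-reassembly check that refuses a ping-of-death datagram before allocating a buffer, and a SYN-flood indicator that works on the aggregate handshake state of the victim's port rather than per source, since flood sources are usually spoofed. The fragment sets and the packet trace are constructed samples.

```python
MAX_IP_DATAGRAM = 65535   # an IP total-length field is 16 bits; nothing larger is legal


def reassembled_length(fragments):
    """fragments: (fragment offset in 8-byte units, payload length, more-fragments flag),
    as read from each fragment's IP header. Returns the size reassembly would produce."""
    return max(offset * 8 + length for offset, length, _more in fragments)


def accept_fragments(fragments):
    """Ping-of-death check done before a reassembly buffer is allocated: refuse any
    fragment set whose reassembled size cannot fit in a legal datagram, instead of
    overrunning a fixed 64 KiB buffer the way the affected stacks did."""
    return reassembled_length(fragments) <= MAX_IP_DATAGRAM


# Constructed fragment sets. In the oversized one the last fragment sits at offset
# 8140 * 8 = 65120 bytes and carries 1480 bytes, so the datagram would be 66600 bytes.
NORMAL_FRAGMENTS = [(0, 1480, True), (185, 1480, False)]
OVERSIZED_FRAGMENTS = [(0, 1480, True), (185, 1480, True), (8140, 1480, False)]


def handshake_stats(events, port):
    """events: constructed trace of (source, destination port, TCP flags) arriving at the
    victim. A SYN opens a half-open entry for its source; a plain ACK from that source
    completes it. Because flood sources are usually spoofed, the useful signal is the
    aggregate: how many entries stay half-open and what fraction of SYNs ever complete."""
    pending = set()
    syns = completed = 0
    for source, dport, flags in events:
        if dport != port:
            continue
        if flags == "SYN":
            syns += 1
            pending.add(source)
        elif flags == "ACK" and source in pending:
            pending.discard(source)
            completed += 1
    return {"syn": syns, "completed": completed, "half_open": len(pending)}


def looks_like_syn_flood(events, port, max_half_open=100, min_completion=0.5):
    """Flag the port when many connections stay half-open and few SYNs complete.
    The thresholds are illustrative; real deployments tune them to the service."""
    stats = handshake_stats(events, port)
    completion = stats["completed"] / stats["syn"] if stats["syn"] else 1.0
    return stats["half_open"] > max_half_open and completion < min_completion


# Constructed traces: three clients that complete their handshakes, then the same three
# mixed with 500 SYNs from 500 spoofed sources that are never heard from again.
NORMAL_TRACE = [(client, 80, flags)
                for client in ("client-a", "client-b", "client-c")
                for flags in ("SYN", "ACK")]
FLOOD_TRACE = NORMAL_TRACE + [(f"spoofed-{i}", 80, "SYN") for i in range(500)]


if __name__ == "__main__":
    print("normal fragments accepted:", accept_fragments(NORMAL_FRAGMENTS))
    print("oversized fragments accepted:", accept_fragments(OVERSIZED_FRAGMENTS))
    print("normal trace:", handshake_stats(NORMAL_TRACE, 80), looks_like_syn_flood(NORMAL_TRACE, 80))
    print("flood trace:", handshake_stats(FLOOD_TRACE, 80), looks_like_syn_flood(FLOOD_TRACE, 80))
```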
From DoS to DDoS

What does the Internet look like?

Distributed Reflection DoS Attack

DDoS Countermeasures
• Three broad lines of defense:
  1. attack prevention & preemption (before)
  2. attack detection & filtering (during)
  3. attack source trace-back & identification (after)

Summary
• We have considered:
  – various malicious programs
  – trapdoor, logic bomb, Trojan horse, zombie
  – viruses
  – worms
  – countermeasures
  – distributed denial of service attacks

Q&A

Lecture 12 malicious software

  • 2. Overview Introduction Types of Malicious Software o Backdoor/Trapdoor o Logic Bomb o Trojan Horse Virus o Nature of viruses o Types of viruses Virus Countermeasures o Anti-virus approach o Anti-virus technique Worm DDoS Attack o DDos Description o Construction of Attack 2
  • 3. Program Definition A computer program Tells a computer what to do and how to do it. Computer viruses, network worms, Trojan Horse These are computer programs. 3
  • 4. Malicious software ? Malicious Software (Malware) is a software that is included or inserted in a system for harmful purposes. OR A Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do. 4
  • 5. The Malware Zoo • Backdoor • Logic Bomb • Trojan horse • Virus • Worm • Scareware • Adware 5
  • 6. Taxonomy of Malicious Programs Malicious Programs Need Host Program Independent Trapdoors Logic Trojan Viruses Zombies Worms Bombs Horses Most current malicious code mixes all capabilities 6
  • 8. What it is good for ? • Steal personal information • Delete files • Click fraud ? • Steal software serial numbers 8
  • 9. What to Infect • Executable • Interpreted file • Kernel • Service • MBR 9
  • 10. Auto start • Folder auto-start • Win.ini : run=[backdoor]" or "load=[backdoor]". • System.ini : shell=”myexplorer.exe” • Autoexec.bat • Config.sys • Init.d 10
  • 11. Auto start • Assign know extension (.doc) to the malware • Add a Registry key such as HKCUSOFTWAREMicrosoftWindows CurrentVersionRun • Add a task in the task scheduler • Run as service 11
  • 12. Setting it up to the entire web  1.3% of the incoming search queries to Google returned at a least one malware site  Visit sites with an army of browsers in VMs, check for changes to local system  Indicate potentially harmful sites in search results
  • 17. P2P Files • 35.5% malwares 17
  • 18. Backdoor or Trapdoor  secret entry point into a program  allows those who know access by passing usual security procedures  Remains hidden to casual inspection  Can be a new program to be installed  Can modify an existing program  Trap Doors can provide access to a system for unauthorized procedures  very hard to block in O/S 18
  • 19. Trap Door Example (a) Normal code. (b) Code with a trapdoor inserted 19
  • 20. Logic Bomb • One of oldest types of malicious software • Piece of code that executes itself when pre-defined conditions are met • Logic Bombs that execute on certain days are known as Time Bombs • Activated when specified conditions met – E.g., presence/absence of some file – particular date/time – particular user • When triggered typically damage system – modify/delete files/disks, halt machine, etc. 20
  • 21. Tracing Logic Bombs • Searching - Even the most experienced programmers have trouble erasing all traces of their code • Knowledge - Important to understand the underlying system functions, the hardware, the hardware/software/firmware/operating system interface, and the communications functions inside and outside the computer • Tools for data recovery, duplication and verification 21
  • 23. Trojan Horse • Trojan horse is a malicious program that is designed as authentic, real and genuine software. • Like the gift horse left outside the gates of Troy by the Greeks, Trojan Horses appear to be useful or interesting to an unsuspecting user, but are actually harmful. 23
  • 25. What Trojans can do ? • Erase or overwrite data on a computer • Spread other viruses or install a backdoor. In this case the Trojan horse is called a 'dropper'. • Setting up networks of zombie computers in order to launch DDoS attacks or send Spam. • Logging keystrokes to steal information such as passwords and credit card numbers (known as a key logger) • Phish for bank or other account details, which can be used for criminal activities. • Or simply to destroy data • Mail the password file. 25
  • 26. How can you be infected ? • Websites: You can be infected by visiting a rogue website. Internet Explorer is most often targeted by makers of Trojans and other pests. Even using a secure web browser, such as Mozilla's Firefox, if Java is enabled, your computer has the potential of receiving a Trojan horse. • Instant message: Many get infected through files sent through various messengers. This is due to an extreme lack of security in some instant messengers, such of AOL's instant messenger. • E-mail: Attachments on e-mail messages may contain Trojans. Trojan horses via SMTP. 26
  • 27. Sample Delivery • Attacker will attach the Trojan to an e-mail with an enticing header. • The Trojan horse is typically a Windows executable program file, and must have an executable file extension such as .exe, .com, .scr, .bat, or .pif. Since Windows is configured by default to hide extensions from a user, the Trojan horse's extension might be "masked" by giving it a name such as 'Readme.txt.exe'. With file extensions hidden, the user would only see 'Readme.txt' and could mistake it for a harmless text file. 27
  • 28. Where They Live ? (1) • Autostart Folder The Autostart folder is located in C:WindowsStart MenuProgramsstartup and as its name suggests, automatically starts everything placed there. • Win.ini Windows system file using load=Trojan.exe and run=Trojan.exe to execute the Trojan • System.ini Using Shell=Explorer.exe trojan.exe results in execution of every file after Explorer.exe • Wininit.ini Setup-Programs use it mostly; once run, it's being auto-deleted, which is very handy for Trojans to restart 28
  • 29. Where They Live ? (2) • Winstart.bat Acting as a normal bat file trojan is added as @trojan.exe to hide its execution from the user • Autoexec.bat It's a DOS auto-starting file and it's used as auto-starting method like this -> c:Trojan.exe • Config.sys Could also be used as an auto-starting method for Trojans • Explorer Startup Is an auto-starting method for Windows95, 98, ME, XP and if c:explorer.exe exists, it will be started instead of the usual c:WindowsExplorer.exe, which is the common path to the file. 29
  • 30. What the attacker wants? • Credit Card Information (often used for domain registration, shopping with your credit card) • Any account data (E-mail passwords, Login passwords, Web Services passwords, etc.) • Email Addresses (Might be used for spamming, as explained above) • Work Projects (Steal your presentations and work related papers) • School work (steal your papers and publish them with his/her name on it) 30
  • 31. Stopping the Trojan … The Horse must be “invited in” …. How does it get in? By: Downloading a file Installing a program Opening an attachment Opening bogus Web pages Copying a file from someone else 31
  • 32. Virus • Self-replicating code • attaches itself to another program and executes secretly when the host program is executed. • No hidden action – Generally tries to remain undetected • Operates when infected code executed:
      If spread condition then
          For target files
              if not infected then alter to include virus
      Perform malicious action
      Execute normal program 32
  • 34. Types of Viruses • Parasitic Virus - attaches itself to executable files as part of their code. Runs whenever the host program runs. • Memory-resident Virus - Lodges in main memory as part of the residual operating system. • Boot Sector Virus - infects the boot sector of a disk, and spreads when the operating system boots up (original DOS viruses). • Stealth Virus - explicitly designed to hide from Virus Scanning programs. • Polymorphic Virus - mutates with every new host to prevent signature detection. Application then runs normally 34
  • 35. Virus Phases • Dormant phase - the virus is idle • Propagation phase - the virus places an identical copy of itself into other programs • Triggering phase – the virus is activated to perform the function for which it was intended • Execution phase – the function is performed 35
  • 36. Email Virus • Moves around in e-mail messages • Triggered when user opens attachment • hence propagates very quickly • Replicates itself by automatically mailing itself to dozens of people in the victim’s e-mail address book 36
  • 37. Examples of risky file types • The following file types should never be opened if… – .EXE – .PIF – .BAT – .VBS – .COM 37
  • 38. How Viruses Work (1) • Virus written in some language e.g. C, C++, Assembly etc. • Inserted into another program – use tool called a “dropper” • Virus dormant until program executed – then infects other programs – eventually executes its “payload” 38
  • 39. How Viruses Work (2) • An executable program • With a virus at the front • With the virus at the end • With a virus spread over free space within program 39
  • 40. Anti-virus • It is not possible to build a perfect virus/malware detector. • Analyze system behavior • Analyze a binary to decide if it is a virus • Type : – Scanner – Real time monitor 40
  • 41. Antivirus and Anti-Antivirus Techniques (a) A program (b) Infected program (c) Compressed infected program (d) Encrypted virus (e) Compressed virus with encrypted compression code 41
  • 42. Popular Fallacies If I never log off then my computer can never get a virus If I lock my office door then my computer can never get a virus Microsoft will protect me 42
  • 43. And a Few More I got this disc from my (boss, friend) so it must be okay You cannot get a virus by opening an attachment from someone you know But I only downloaded one file My friend who knows a lot about computers showed me this really cool site… 43
  • 44. Zombie • A program which secretly takes over another networked computer and forces it to run under a common command and control infrastructure. • then uses it to indirectly launch attacks, e.g., DDoS, phishing, spamming, cracking (difficult to trace the zombie's creator) • Infected computers — mostly Windows machines — are now the major delivery method of spam. • Zombies have been used extensively to send e-mail spam; between 50% and 80% of all spam worldwide is now sent by zombie computers. 44
  • 45. Worm A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes and do so without any user intervention. 45
  • 46. Comparison of Worm Features 1) Computer Virus: • Needs a host file • Copies itself • Executable 2) Network Worm: • No host (self-contained) • Copies itself • Executable 3) Trojan Horse: • No host (self-contained) • Does not copy itself • Imposter program 46
  • 47. Worm: History • Runs independently – Does not require a host program • Propagates a fully working version of itself to other machines • History ◦ Morris worm was one of the first worms distributed over the Internet • Two examples ◦ Morris – 1998, ◦ Slammer – 2003 47
  • 48. Worm Operation • A worm has phases like those of viruses: – Dormant (inactive; at rest) – Propagation • search for other systems to infect • establish connection to target remote system • replicate self onto remote system – Triggering – Execution 48
  • 49. Morris Worm • best known classic worm • released by Robert Morris in 1988 • targeted Unix systems • using several propagation techniques • if any attack succeeds then replicated self 49
  • 50. Slammer (Sapphire) Worm • When • Jan 25 2003 • How • Exploit Buffer-overflow with MS SQL • Scale • At least 74,000 hosts • Random Scanning • Randomly select IP addresses • Cost • Caused ~ $2.6 Billion in damage 50
  • 51. Slammer Scale The diameter of each circle is a function of the number of infected machines, so large circles visually under represent the number of infected cases in order to minimize overlap with adjacent locations 51
  • 52. The worm itself … • System load ◦ Infection generates a number of processes ◦ Password cracking uses lots of resources ◦ Thousands of systems were shut down • Tries to infect as many other hosts as possible – When the worm successfully connects, it leaves a child to continue the infection while the parent keeps trying new hosts – finds targets using several mechanisms: 'netstat -r -n', /etc/hosts, … • The worm did not: – Delete the system's files, modify existing files, install Trojan horses, record or transmit decrypted passwords, capture super user privileges 52
  • 53. Adware 53
  • 54. Scareware / Rogue / Fake antivirus 54
  • 55. Typical Symptoms • File deletion • File corruption • Visual effects • Pop-Ups • Computer crashes • Slow Connection • Spam Relaying 55
  • 56. No Sure Protection! • Most attacks come from the INSIDE • Keep secured logs of all code modifications • Keep back-ups of all vital system information • Install anti-virus software on computers (keep it current) • Assume every disc, CD, etc is suspect, no matter who gave it to you 56
  • 57. Distributed Denial of Service • A denial-of-service attack is an attack that causes a loss of service to users, typically the loss of network connectivity. • CPU, memory, network connectivity, network bandwidth, battery energy • Hard to address, especially in distributed form 57
  • 58. DDoS Mechanism • Goal: make a service unusable. • How: overload a server, router, network link, by flooding with useless traffic • Focus: bandwidth attacks, using large numbers of “zombies” 58
  • 59. How it works? • The flood of incoming messages to the target system essentially forces it to shut down, thereby denying legitimate users service from the system. • Victim's IP address. • Victim's port number. • Attacking packet size. • Attacking inter-packet delay. • Duration of attack. 59
  • 60. Example 1 • Ping-of-death – An IP packet with a size larger than 65,536 bytes is illegal by the standard – Many operating systems did not know what to do when they received an oversized packet, so they froze, crashed or rebooted. – Routers forward each packet independently. – Routers don't know about connections. – Complexity is in the end hosts; routers are simple. 60
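The oversized datagram only exists after fragment reassembly, so the defence is a bounds check in the reassembler before any data is copied. The following is an added example, not code from the slides or from any real IP stack: a small IPv4 fragment reassembler that rejects a fragment whose end would push the datagram past the 16-bit total-length limit. A 20-byte header without options is assumed.

```python
# Added example (not from the slides): bounds-checked IPv4 fragment reassembly.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

IPV4_MAX_TOTAL_LENGTH = 65535   # Total Length is a 16-bit field
IPV4_HEADER_LENGTH = 20         # assumption: no IP options


@dataclass
class Fragment:
    datagram_id: int       # Identification field shared by all fragments
    offset_units: int      # Fragment Offset field, in 8-byte units
    more_fragments: bool   # MF flag; False on the last fragment
    payload: bytes


@dataclass
class Buffer:
    chunks: Dict[int, bytes] = field(default_factory=dict)   # byte offset -> data
    total_data_len: Optional[int] = None                      # known once MF=0 seen


class Reassembler:
    def __init__(self) -> None:
        self.buffers: Dict[int, Buffer] = {}

    def accept(self, frag: Fragment) -> Tuple[str, Optional[bytes]]:
        """Return ('rejected', None), ('pending', None) or ('complete', data)."""
        start = frag.offset_units * 8
        end = start + len(frag.payload)
        # The check the crashing stacks on the slide lacked: discard a fragment
        # that would make the reassembled datagram exceed 65535 bytes.
        if end + IPV4_HEADER_LENGTH > IPV4_MAX_TOTAL_LENGTH:
            self.buffers.pop(frag.datagram_id, None)
            return "rejected", None
        buf = self.buffers.setdefault(frag.datagram_id, Buffer())
        buf.chunks[start] = frag.payload
        if not frag.more_fragments:
            buf.total_data_len = end
        if buf.total_data_len is None:
            return "pending", None
        # Complete only when chunks cover [0, total) without gaps or overlaps;
        # anything else stays pending until a timeout (not modelled here).
        data, cursor = bytearray(), 0
        for off in sorted(buf.chunks):
            if off != cursor:
                return "pending", None
            data += buf.chunks[off]
            cursor += len(buf.chunks[off])
        if cursor != buf.total_data_len:
            return "pending", None
        del self.buffers[frag.datagram_id]
        return "complete", bytes(data)
```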
  • 62. Example 2 • TCP handshake • SYN Flood – A stream of TCP SYN packets directed to a listening TCP port at the victim – The host victim must allocate new data structures to each SYN request – legitimate connections are denied while the victim machine is waiting to complete bogus "half-open" connections – Not a bandwidth consumption attack • IP Spoofing 62
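The half-open connection table is the resource a SYN flood exhausts, so tracking its occupancy is the simplest way to see the attack on the victim. This is an added example, not code from the slides: a listener-side tracker that holds SYN entries until the handshake's final ACK arrives or they time out, drops SYNs once the backlog is full and records an alert. Packet events and addresses are constructed.

```python
# Added example (not from the slides): track half-open TCP connections and
# alert when the listener's backlog fills, the symptom of a SYN flood.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Key = Tuple[str, int]   # (source address, source port)


@dataclass
class SynTracker:
    backlog: int = 128          # entries the listener can hold in SYN_RECV
    syn_timeout: float = 30.0   # seconds before a half-open entry is discarded
    half_open: Dict[Key, float] = field(default_factory=dict)   # key -> time of SYN
    alerts: List[str] = field(default_factory=list)

    def expire(self, now: float) -> None:
        """Drop half-open entries whose SYN is older than syn_timeout."""
        for key, t in list(self.half_open.items()):
            if now - t > self.syn_timeout:
                del self.half_open[key]

    def on_packet(self, now: float, src: str, sport: int, flags: str) -> str:
        """Feed one packet; return what the listener did with it."""
        self.expire(now)
        key = (src, sport)
        if flags == "SYN":
            if len(self.half_open) >= self.backlog:
                # Every slot is held by a handshake that never completed:
                # this is the point at which legitimate clients get refused.
                self.alerts.append(
                    f"t={now:.2f}: backlog full ({self.backlog} half-open), "
                    f"SYN from {src}:{sport} dropped")
                return "dropped"
            self.half_open[key] = now
            return "half-open"
        if flags == "ACK" and key in self.half_open:
            del self.half_open[key]      # handshake completed, slot released
            return "established"
        return "ignored"


def replay(events: List[Tuple[float, str, int, str]], backlog: int) -> Tuple[int, int]:
    """Replay (time, src, sport, flags) events; return (dropped SYNs, alerts)."""
    tracker = SynTracker(backlog=backlog)
    dropped = sum(tracker.on_packet(*ev) == "dropped" for ev in events)
    return dropped, len(tracker.alerts)


# Constructed burst: 200 SYNs with no ACKs (spoofed sources never answer),
# followed by one legitimate client that tries to connect.
FLOOD = [(i * 0.001, f"192.0.2.{i % 250}", 40000 + i, "SYN") for i in range(200)]
FLOOD.append((0.5, "198.51.100.7", 51000, "SYN"))
```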
  • 63. From DoS to DDoS 63
  • 64. From DoS to DDoS 64
  • 65. What Does the Internet Look Like? 65
  • 66. What Does the Internet Look Like? 66
  • 68. DDoS Countermeasures • Three broad lines of defense: 1. attack prevention & preemption (before) 2. attack detection & filtering (during) 3. attack source trace back & identification (after) 68
  • 69. Summary • have considered: – various malicious programs – trapdoor, logic bomb, Trojan horse, zombie – viruses – worms – countermeasures – distributed denial of service attacks 69
  • 70. Q&A 70

Editor's Notes

  • #39: Payload: The essential data that is being carried within a packet or other transmission unit. The payload does not include the "overhead" data required to get the packet to its destination.