Program and System Threats

- Reddhi Sekhar Basu(559)

PROGRAM AND SYSTEM THREATS

Trojan Horse
 A Trojan horse is a code segment that misuses
its environment.
 A Trojan, is a type of malware that
masquerades as a legitimate file or helpful
program possibly with the purpose of granting a
hacker unauthorized access to a computer.
 According to a survey conducted by
BitDefender from January to June 2009,
"Trojan-type malware is on the rise, accounting
for 83-percent of the global malware detected
in the world."

Trojan Horse
• Long search paths, such as are
common on UNIX systems,
exacerbate the Trojan horse
problem. For instance, the use of
“.” character in a search path, tells
the shell to include the current
directory in the search. So, if an
user A has “.” in his search path,
has set his current directory to
user B’s directory, and enters a
normal system command, the
command would be executed from
user B’s directory instead. The
program would run on user B’s
domain, allowing the program to
do anything that the user is
allowed to do, including deleting
files.

Popular Trojan Horses
• Netbus
• Subseven or Sub7
• Y3K Remote
Administration Tool
• Back Orifice
• Beast
• Zeus
• The Blachhole Exploit Kit
• Flashback Trojan

Login Emulator
An unsuspecting user logs in at a
terminal and notices that he has
apparently mistyped his password.
He tries again and is successful.
What has happened is that his
authentication key and password
have been stolen by the login
emulator that was left running on
the terminal by the thief. The
emulator stored away the password,
printed out a login error message,
and exited; the user was then
provided with a genuine login
prompt.

A Trojan may give a hacker remote access to a targeted
computer system. Operations that could be performed by
a hacker on a targeted computer system may include:
– Use of the machine as part of a botnet (e.g. to perform
automated spamming or to distribute Denial-of-Service
attacks)
– Electronic Money theft
– Data Theft(e.g. retrieving passwords or credit card
information)
– Installation of software, including third-party malware
– Downloading or uploading of files on the user's computer
– Modification deletion of files
– Crashing the Computer
– Anonymizing Internet Viewing

Trapdoor
• Trap Door is a type of security breach where the
designer of a program or a system leaves a hole in
the software that only he is capable of using.
• A Trap Door is a secret entry point into a program
that allows someone to gain access without normal
methods of access authentication.

Example of a trapdoor
Programmers have been arrested for
embezzling from banks by including rounding
errors in heir code, and having the occasional
half cents credited to their accounts. This
account crediting can add up to a large sum of
money, considering the number of
transactions that a large bank executes.

Trapdoors
• Trapdoors can be included in the compiler as
well. The compiler could generate standard
object code as well as a trapdoor, regardless of
the source code being compiled.
• Trapdoors pose a difficult problem since to
detect them we have to analyze all the source
code for all components of a system.

Stack and Buffer Overflow
• Stack or buffer overflow is the
most common way for an attacker
outside of the system, on a
network or dial-up connection to
gain unauthorized access to the
target system. This be used by the
unauthorised user for privilege
escalation.
• Buffer overflow attacks are
especially pernicious as it can be
run within a system and travel
over allowed communications
channels. They can even bypass
the security added by firewalls.

• The attacker exploits a bug in the program. The bug can
be a simple case of poor programming, in which the
programmer neglected to code bounds checking on an
input field. In this case, the attacker sends more data
than the program was expecting. Using trial and error,
or by examination of the source code of the attacked
program if it is available, the attacker determines the
vulnerability and writes a program to do the following:
1. Overflow an input field, command line argument, of
input buffer until it writes into the stack.
2. Overwrite the current return address on the stack
with the address of the exploit code loaded in the next
step.
3. Write a simple setoff code for the next space in the
stack that includes the commands that the attacker
wishes to execute (e.g. spawn a shell)

Worm
• A worm is a process that uses the
spawn mechanism to clobber system
performance.
• The worm spawns copies of itself,
using up system resources and
perhaps locking out system use by all
other processes.

Worms Spread
 independently of human action
 usually by utilizing a security hole in a piece
of software
 by scanning a network for another machine that has
a specific security hole and copies itself to the new
machine using the security hole

Morris Worm
• Robert Tappan Morris is an
American computer scientist,
best known for creating the
Morris Worm in 1988,
considered the first
computer worm on Internet
- and subsequently
becoming the first person
convicted under Computer
Fraud and Abuse Act.

Morris Worm

Disk containing the source code for the Morris
Worm held at the Boston Museum of Science

Morris Worm
 Once in place, the main program undertook systematic attempts to
discover user passwords. This happened in 3 stages:
1. Trying simple cases of no passwords or passwords
constructed of account user name combinations.
2. Using comparisons with an internal dictionary of 432
password choices.
3. Trying each word in the online UNIX dictionary
This elaborate and efficient 3-stage password cracking algorithm
enabled the worm to gain further access to other user accounts on
the infected system.
 With each new access the worm searched for already active copies
of itself. If it found one the new copy exited except for every
seventh instance.

Computer Viruses
A virus is a fragment of code embedded in a
legitimate program unlike a worm which is
structured as a complete, standalone
program.

Spread of Viruses
• Viruses are spread by users
downloading viral programs
from public bulletin boards
or exchanging disks
containing an infection.
• Exchange of Microsoft
Office documents are a
common form of virus
transmission these days
because these documents
contain so-called macros
which are Visual Basic
programs.

Classification of Viruses
NON-RESIDENT VIRUSES
• Non-resident viruses can be
thought of as consisting of a
finder module and a
replication module. The
finder module is responsible
for finding new files to
infect. For each new
executable file the finder
module encounters, it calls
the replication module to
infect that file.

RESIDENT VIRUSES
• The virus loads the
replication module into
memory when it is executed
instead and ensures that
this module is executed
each time the operating
system is called to perform
a certain operation.

Classification (contd.)
POLYMORPHIC VIRUS
• Change virus’s signature
each time.
• It’s designed to avoid
detection by antivirus
software.
• It acts like a chameleon.

STEALTH VIRUS
• It use some tactics to avoid
detection such as altering
its file size, concealing itself
in memory, and Modifies
parts of the system that can
be used to detect it.

Creeper Virus
The Creeper virus was first
detected on ARPANET. Creeper
was an experimental selfreplicating program written by
Bob
Thomas
at
BBN
Technologies in 1971. Creeper
used the ARPANET to infect
DEC
PDP-10
computers
running the TENEX operating
system. Creeper gained access
via the ARPANET and copied
itself to the remote system
where the message, "I'm the
creeper, catch me if you can!"
was displayed. The Reaper
program was created to delete
Creeper.

Michelangelo Virus
On March 6, 1992, the 517th
birthday of Michelangelo,
the Michelangelo virus was
scheduled to erase infected
hard disk files. But because
of the extensive popularity
surrounding the virus, most
sites had detected and
destroyed the virus before it
was activated, so it caused
little or no damage.

Love Bug Virus
• In 2000, the Love Bug
became very widespread. It
appeared to be a love note
sent by the friend of the
receiver. Once invoked, by
opening the Virtual Basic
script, it propagated by
sending itself to the first
users in user’s email contact
list. It just clogged user’s
inbox and email systems, but
was relatively harmless.

Protection against Viruses
• The problem of viruses can be dealt with by using
antivirus software. They work by searching all the
programs on a system for the specific pattern of
instructions known to make up a virus. When
they find a known pattern, they remove the
instructions, disinfecting the program.
• The best protection against virus is the method of
safe computing : purchasing unopened software
from vendor and avoiding free or pirated copies
from public sources or disk exchange.

Worms v/s Viruses
WORMS
 rely little or not at all on
humans to spread

VIRUSES
 dependent upon a host file

 spread across a network

 need the help of humans to
spread

 spread rapidly

 take a while to spread

Denial of Service
 Denial of service does not involve stealing of
resources or gaining information, but rather
disabling legitimate use of a system or facilty.
 It is easier than breaking into a machine.
 They are network based.
 They fall into 2 categories:
1. An attack that uses so many facility
resources that, in essence, no work can be done.

2. An attack that disrupts the network
facility of the computer.
 It is impossible to prevent Denial of Service
attacks. Frequently it is difficult to determine if a
system slowdown is due to surge in use or an attack.

Program and System Threats

More Related Content

What's hot (20)

Viewers also liked (17)

Similar to Program and System Threats (20)

More from Reddhi Basu (6)

Recently uploaded (20)

Program and System Threats