Lecture: Malicious Code CIS 3360 Ratan K. Guha. Malicious Code2 Overview and Reading Assignments...


Page 1:

Lecture: Malicious Code

CIS 3360 Ratan K. Guha

Page 2:

Malicious Code 2

Overview and Reading Assignments

Defining malicious logic
Types
Action by viruses

Reading Assignments: Chapter 4

Page 3:

Malicious Logic

A set of instructions that causes a site's security policy to be violated.

Page 4:

A broad term used to describe computer programs that are created to inflict harm on a computer system. The term also includes programs that are merely annoying or intrusive.

The term includes viruses, worms, Trojan horses, spyware, adware, etc.

Malware – (“malicious” + “software”)

Page 5:

Malware Terminology

Virus
Worm
Logic bomb
Trojan horse
Backdoor (trapdoor)
Mobile code
Auto-rooter
Kit (virus generator)
Spammer and flooder programs
Keyloggers
Rootkit
Zombie, bot

Page 6:

Types of Malicious Code: Viruses

Recursively replicates a possibly evolved copy of itself by including a header or footer stub in the bodies of healthy programs.

Infects a host file or system area.

First described by Fred Cohen in 1984.

Whenever an infected program is launched, the stub executes first and carries out its malicious activity before passing control to the original program.

Cannot spread to other computers on its own: an infected file has to be carried to the other machine and run there.
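The infection mechanics on this slide (stub runs first, then the host; spread only to files the running virus can reach) and the two checks a defender would run against such a thing, as an added example that is not code from the lecture. The disk is a dict of byte strings, the stub marker, file names and sample programs are constructed for the example, and nothing touches the real filesystem. The integrity baseline and signature scan are our additions to illustrate detection.

```python
"""Toy model of a prepending file infector and two ways to detect it.

Added example for the lecture, not code from the slides.  Nothing touches the
real filesystem: a "disk" is a dict mapping file names to byte strings, and
"launching" a file means interpreting that byte string as the program text.
"""
import hashlib

# Hypothetical marker the toy virus prepends to a host program (a header stub
# in the slide's terms).  A real appending infector would instead patch the
# host's entry point to jump to code placed at the end; the control flow is
# the same: stub first, then the original program.
STUB = b"[VIRUS-STUB]"


def is_infected(image: bytes) -> bool:
    return image.startswith(STUB)


def infect(image: bytes) -> bytes:
    """Attach the stub to the front of a healthy program; already-infected
    programs are left alone so the virus does not re-infect its own hosts."""
    return image if is_infected(image) else STUB + image


def launch(disk: dict, name: str) -> tuple:
    """Simulate the user launching `name`.

    If the file carries the stub, the stub runs first: it performs its
    malicious activity (here, infecting every other clean file on the same
    disk) and only then transfers control to the original program.  The
    virus reaches only files on this disk; it gets to another machine only
    if someone copies an infected file there and runs it.
    Returns (host program output, whether the stub ran).
    """
    image = disk[name]
    stub_ran = False
    if is_infected(image):
        stub_ran = True
        for other in disk:
            if other != name:
                disk[other] = infect(disk[other])
        image = image[len(STUB):]        # hand control to the host program
    return image.decode(), stub_ran      # "run" the host program


def baseline(disk: dict) -> dict:
    """Integrity baseline: SHA-256 of every file, taken while the disk is known clean."""
    return {name: hashlib.sha256(body).hexdigest() for name, body in disk.items()}


def changed_files(disk: dict, known_good: dict) -> list:
    """Integrity check: files whose current hash differs from the baseline.
    Catches any modification, including a virus whose stub has never been seen."""
    return sorted(name for name, body in disk.items()
                  if hashlib.sha256(body).hexdigest() != known_good.get(name))


def signature_scan(disk: dict) -> list:
    """Signature check: files containing the known stub bytes.  Needs no
    baseline, but only finds stubs whose pattern is already known."""
    return sorted(name for name, body in disk.items() if STUB in body)


def demo() -> tuple:
    # Constructed sample disk with three clean programs.
    disk = {"editor": b"print('editing')",
            "game": b"print('playing')",
            "util": b"print('utility')"}
    known_good = baseline(disk)
    disk["game"] = infect(disk["game"])             # e.g. copied in from an infected floppy
    before = len(signature_scan(disk))              # 1: only "game" carries the stub
    launch(disk, "editor")                          # clean host: nothing spreads
    after_clean_launch = len(signature_scan(disk))  # still 1
    launch(disk, "game")                            # stub runs, infects editor and util
    after_infected_launch = len(signature_scan(disk))  # 3
    return before, after_clean_launch, after_infected_launch, changed_files(disk, known_good)


if __name__ == "__main__":
    print(demo())
```

Launching the clean program changes nothing; launching the infected one spreads the stub to every other file on the disk before the game itself runs. The hash baseline flags all three modified files without knowing anything about the stub, while the signature scan works only because the marker is already known, which is the usual trade-off between integrity monitoring and signature-based scanning.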

Page 7:

Elk Cloner

First known computer virus, written around 1982 by a 15-year-old high school student named Rich Skrenta for Apple II systems. [Wikipedia]

Message displayed on every 50th system boot:

"Elk Cloner: The program with a personality
It will get on all your disks
It will infiltrate your chips
Yes it's Cloner!
It will stick to you like glue
It will modify ram too
Send in the Cloner!"

http://www.skrenta.com/cloner/

Page 8:

Types of Malicious Code: Worms

Network viruses that replicate over networks
Copies itself from computer to computer
Executes itself automatically on the remote machine without any extra help from a user
Typically a standalone program without a host program

More categories:

Mailers and mass-mailer worms: send themselves in e-mail
Octopus: exists as a set of programs on more than one computer on a network; likely to be more prevalent in the future
Rabbits: exists as a single copy of itself at any point in time as it jumps from one networked host to another

Page 9:

Morris Worm

First Internet worm to spread widely - November 2, 1988
Author - Robert Tappan Morris
Infected BSD Unix systems
Son of Robert Morris, the former chief scientist at the National Computer Security Center, a division of the National Security Agency (NSA).
Morris received his Ph.D. in computer science from Harvard University in 1999 and is a professor at MIT.
Robert Morris was the first person convicted under the 1986 Computer Fraud and Abuse Act.

Source: Wikipedia

Page 10:

Some Well Known Worms and Viruses....

Brain: took 5 years to do $50 million in damage

Melissa, March 1999: Word 97, Word 2000; $300 million in damages; approximately 4 days, 150,000 systems infected

ILOVEYOU, May 2000: Outlook; as much as $10 billion in damages; approximately 24 hours, 500,000 systems infected

Code Red I: IIS flaws, with fixes published months earlier; 360,000 systems in 14 hours, several billion in damages

Sapphire Worm, Saturday, January 25, 2003: exploit - UDP buffer overflow in Microsoft SQL Server; carried no destructive payload, but the sheer volume of its scans shut down large sections of backbone providers; time to 90% infection of vulnerable hosts: 10 minutes

Page 11:

Model of Spreading of Worms

N: total number of vulnerable hosts
I(t): number of infected hosts at time t
S(t): number of susceptible hosts at time t, where a host is susceptible if it is vulnerable but not yet infected
β: infection rate, a constant associated with the speed of propagation of the worm

Model:
I(0) = 1            ; at time 0, one host was infected
S(0) = N - 1        ; number of susceptible hosts at time 0
I(t + 1) = I(t) + β · I(t) · S(t)
S(t + 1) = N - I(t + 1)

Each infected host converts a fraction β of the remaining susceptible hosts per time step, so growth is nearly exponential (factor about 1 + βN per step) while I(t) is small and slows as S(t) shrinks. Taken literally the recurrence can push I(t) above N once β · I(t) > 1, so in practice I(t) is capped at N.

Page 12:

Spreading of Worms - Example
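The recurrence from the preceding slide, carried through in code as an added example that is not from the lecture. It uses the slide's symbols N, I(t), S(t) and β; the toy input N = 9, β = 0.5 is constructed, and the clamp of I(t) at N, the time-to-90%-infection helper and the closed-form logistic comparison are our additions (the recurrence as written overshoots N when β · I(t) exceeds 1).

```python
"""Discrete worm-propagation model from the lecture (added example, not slide code).

Symbols follow the slide:
    N     total number of vulnerable hosts
    I(t)  infected hosts at time t
    S(t)  susceptible hosts at time t (vulnerable, not yet infected)
    beta  infection rate

    I(0) = 1,  S(0) = N - 1
    I(t+1) = I(t) + beta * I(t) * S(t)
    S(t+1) = N - I(t+1)

Each infected host infects a fraction beta of the still-susceptible hosts per
step.  Because beta * I(t) * S(t) exceeds S(t) as soon as beta * I(t) > 1, the
literal recurrence can overshoot N; the clamp below (min(..., N)) is our
addition so the simulation stays physically meaningful.
"""
import math


def simulate(N: int, beta: float, steps: int) -> list:
    """Return [I(0), I(1), ..., I(steps)] under the clamped recurrence."""
    I = 1.0
    S = float(N - 1)
    trace = [I]
    for _ in range(steps):
        I = min(float(N), I + beta * I * S)
        S = N - I
        trace.append(I)
    return trace


def time_to_fraction(N: int, beta: float, fraction: float, max_steps: int = 100_000):
    """Smallest t with I(t) >= fraction * N (0.9 for the '90% infected' figure
    quoted for Sapphire), or None if it is never reached within max_steps."""
    target = fraction * N
    I, S = 1.0, float(N - 1)
    for t in range(max_steps + 1):
        if I >= target:
            return t
        I = min(float(N), I + beta * I * S)
        S = N - I
    return None


def logistic(N: int, beta: float, t: float) -> float:
    """Continuous counterpart.  The recurrence is a unit Euler step of
    dI/dt = beta * I * (N - I); with I(0) = 1 the solution is
    N / (1 + (N - 1) * exp(-beta * N * t)), which never overshoots N."""
    return N / (1 + (N - 1) * math.exp(-beta * N * t))


def doubling_steps_early(N: int, beta: float) -> float:
    """While I(t) << N we have S(t) ~ N, so I grows by about (1 + beta*N) per
    step; this returns the number of steps needed to double in that regime."""
    return math.log(2) / math.log(1 + beta * N)


if __name__ == "__main__":
    # Constructed toy input: 9 vulnerable hosts, beta = 0.5.
    for t, I in enumerate(simulate(9, 0.5, 3)):
        print(f"t={t}  I(t)={I:6.2f}  S(t)={9 - I:6.2f}  logistic={logistic(9, 0.5, t):6.2f}")
    print("steps to 90% infected:", time_to_fraction(9, 0.5, 0.9))
```

With N = 9 and β = 0.5 the unclamped recurrence would give I(2) = 15, more hosts than exist; the clamp returns 9 and the 90% threshold is crossed at t = 2. The logistic closed form is the continuous version of the same S-curve and is what the scan-rate-based models of fast worms such as Sapphire are fitted to.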

Page 13:

Types of Malicious Code

Logic bombs (4.1.2, pp. 177-179)
A programmed malfunction of a legitimate application

Trojan Horse
Tricks the user into executing code that performs malicious activities

More categories:
Backdoors (trapdoors): allow remote connections to systems
Password-stealing Trojans

Page 14:

Types of Malicious Code

Injectors
Install virus code in memory

Rootkits
Malware that helps intruders keep access to a compromised system while avoiding detection

Facts:
• 97,467: the number of known computer viruses in existence (2005)
• 1,200: the number of new viruses discovered every month

Page 15:

Monetary Losses