Logical Security threats

Description: Logical security protects computer-based data from software-based and communications-based threats. Activity: list some of the logical security threats that you know (viruses, backdoors, bombs, worms, bots, Trojans, spyware, ...). PowerPoint PPT presentation.

Transcript of Logical Security threats

Slide 1

Logical Security threats

Logical security: protects computer-based data from software-based and communications-based threats.

Activity: list some of the logical security threats that you know.

Viruses, backdoors, bombs, worms, bots, Trojans, spyware, ...

Generally known as malicious software.

Malicious Software

Programs exploiting system vulnerabilities. Also known as malware.

Types:
program fragments that need a host program, e.g. viruses, logic bombs, and backdoors
independent self-contained programs, e.g. worms, bots
replicating or not

A sophisticated threat to computer systems!

Perhaps the most sophisticated types of threats to computer systems are presented by programs that exploit vulnerabilities in computing systems. Such threats are referred to as malicious software, or malware. In this context, we are concerned with application programs as well as utility programs, such as editors and compilers, and kernel-level programs. This chapter examines malicious software, with a special emphasis on viruses and worms. The chapter begins with a survey of various types of malware, with a more detailed look at the nature of viruses and worms. We then turn to bots and rootkits. Throughout, the discussion presents both threats and countermeasures.

Malicious software can be divided into two categories: those that need a host program, and those that are independent. The former are essentially fragments of programs that cannot exist independently of some actual application program, utility, or system program. Viruses, logic bombs, and backdoors are examples. The latter are self-contained programs that can be scheduled and run by the operating system. Worms and bot programs are examples.

We can also differentiate between those software threats that do not replicate and those that do. The former are programs or fragments of programs that are activated by a trigger. Examples are logic bombs, backdoors, and bot programs. The latter consist of either a program fragment or an independent program that, when executed, may produce one or more copies of itself to be activated later on the same system or some other system. Viruses and worms are examples.

You must know!

In 1983, graduate student Fred Cohen first used the term virus in a paper describing a program that can spread by infecting other computers with copies of itself.

In 1986, the Brain virus was the first virus designed to infect personal computer systems, by infecting floppy disks.

Viruses: intro

A piece of software that infects programs (the host), modifying them to include a copy of the virus, so that it executes secretly when the host program is run.
Usually specific to an operating system, taking advantage of its details and weaknesses.
A typical virus goes through the phases of:
Dormant: idle (not found in all viruses)
Propagation: copies itself into other programs/disk areas
Triggering: activated (date, file, disk limit)
Execution: performs the intended function (message, damage, ...)

A virus is a malicious program that resides inside another program (its host). When the host is executed, the virus also executes. It tries to replicate itself by storing copies of itself in other programs. It may also decide to inflict damage. A virus is a piece of software that can "infect" other programs by modifying them; the modification includes a copy of the virus program, which can then go on to infect other programs. A virus can do anything that other programs do. The difference is that a virus attaches itself to another program and executes secretly when the host program is run. Once a virus is executing, it can perform any function, such as erasing files and programs. Most viruses carry out their work in a manner that is specific to a particular operating system and, in some cases, specific to a particular hardware platform. Thus, they are designed to take advantage of the details and weaknesses of particular systems.

During its lifetime, a typical virus goes through the following four phases:
Dormant phase: The virus is idle. The virus will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit. Not all viruses have this stage.
Propagation phase: The virus places an identical copy of itself into other programs or into certain system areas on the disk. Each infected program will now contain a clone of the virus, which will itself enter a propagation phase.
Triggering phase: The virus is activated to perform the function for which it was intended. As with the dormant phase, the triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself.
Execution phase: The function is performed, which may be harmless, e.g. a message on the screen, or damaging, e.g. the destruction of programs and data files.

Activity: Is there any similarity between a computer virus and a biological virus?

A biological virus is a shell filled with genetic material that injects into a living cell, infecting it. The cell then starts manufacturing copies of the virus. A computer virus behaves similarly. It injects its contents, which is a short computer program, into a host computer, thereby infecting it. When the computer executes the virus code, it replicates the code, and also performs a task, normally damaging files or another software component of the computer.

Virus Structure

Components:
Infect - enables replication
Trigger - event that makes the payload activate
Payload - what it does

prepended / postpended / embedded

when infected program invoked, executes virus code then original program code

A computer virus has three parts [AYCO06]:
Infection mechanism: The means by which a virus spreads, enabling it to replicate. The mechanism is also referred to as the infection vector.
Trigger: The event or condition determining when the payload is activated or delivered.
Payload: What the virus does, besides spreading. The payload may involve damage or may involve benign but noticeable activity.

A virus can be prepended or postpended to an executable program, or it can be embedded in some other fashion. The key to its operation is that the infected program, when invoked, will first execute the virus code and then execute the original code of the program. Once a virus has gained entry to a system by infecting a single program, it is in a position to infect some or all other executable files on that system when the infected program executes. Thus, viral infection can be completely prevented by preventing the virus from gaining entry in the first place. Unfortunately, prevention is extraordinarily difficult because a virus can be part of any program outside a system. Thus, unless one is content to take an absolutely bare piece of iron and write all one's own system and application programs, one is vulnerable. The lack of access controls on early PCs is a key reason why traditional machine-code-based viruses spread rapidly on these systems. In contrast, while it is easy enough to write a machine code virus for UNIX systems, they were almost never seen in practice because the access controls on these systems prevented effective propagation of the virus.

Virus Structure: pseudo-code

9A very general depiction of virus structure is shown in Figure 7.1 (based on [COHE94]). In this case, the virus code, V, is prepended to infected programs, and it is assumed that the entry point to the program, when invoked, is the first line of the program. An infected program begins with the virus code and works as follows. The first line of code is a jump to the main virus program. The second line is a special marker that is used by the virus to determine whether or not a potential victim program has already been infected with this virus. When the program is invoked, control is immediately transferred to the main virus program. The virus program first seeks out uninfected executable files and infects them. Next, the virus may perform some action, usually detrimental to the system. This action could be performed every time the program is invoked, or it could be a logic bomb that triggers only under certain conditions. Finally, the virus transfers control to the original program. If the infection phase of the program is reasonably rapid, a user is unlikely to notice any difference between the execution of an infected and uninfected program.

Virus Structure

Signatures: a sequence of bits that can be used to accurately identify the presence of a particular virus.
The code consists of three stages: activation/trigger, replication/infect, and operation/payload.

Virus Payload

The malicious task of a virus, performed when the triggering condition is satisfied. Types:
display a message, such as "Gotcha", a political slogan, or a commercial advertisement
read a certain sensitive or private file; such a virus is in fact spyware
slow the computer down by monopolizing and exhausting limited resources
completely deny any services to the user

Virus Payload

erase all the files on the host computer
select some files at random and change several bits in each file, also at random; referred to as data diddling, this may be more serious, because it results in problems that seem to be caused by hardware failures, not by a virus
one step beyond data diddling is random deletion of files
random change of permissions
produce sounds, animation

Imagine a virus that makes random changes when a document is saved and remembers the changes. When the document is again saved, the virus restores the changed characters (some of which may in the meantime have been corrected by the user), randomly changes others, and remembers the new changes. Such a virus may drive the user crazy, but its constant interference will also make it easier to identify.

Infection strategies

Two types:
Nonresident viruses: search for other hosts that can be infected, infect those targets, and transfer control to the infected program.
Resident viruses: do not search for hosts when they are started. Instead, the virus loads itself into memory on execution and transfers control to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or the operating system itself.

In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs. If a user attempts to launch an infected program, the virus' code may be executed simultaneously. Viruses can be divided into two types based on their behavior when they are executed. Nonresident viruses immediately search for other hosts that can be infected, infect those targets, and finally transfer control to the application program they infected. Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or the operating system itself.

Nonresident viruses: Nonresident viruses can be thought of as consisting of a finder module and a replication module. The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file.

Resident viruses: Resident viruses contain a replication module that is similar to the one that is employed by nonresident viruses. This module, however, is not called by a finder module. Instead, the virus loads the replication module into memory when it is executed and ensures that this module is executed each time the operating system is called to perform a certain operation. The replication module can be called, for example, each time the operating system executes a file. In this case the virus infects every suitable program that is executed on the computer.

Resident viruses are sometimes subdivided into a category of fast infectors and a category of slow infectors. Fast infectors are designed to infect as many files as possible. A fast infector, for instance, can infect every potential host file that is accessed. This poses a special problem when using anti-virus software, since a virus scanner will access every potential host file on a computer when it performs a system-wide scan. If the virus scanner fails to notice that such a virus is present in memory, the virus can "piggy-back" on the virus scanner and in this way infect all files that are scanned. Fast infectors rely on their fast infection rate to spread. The disadvantage of this method is that infecting many files may make detection more likely, because the virus may slow down a computer or perform many suspicious actions that can be noticed by anti-virus software. Slow infectors, on the other hand, are designed to infect hosts infrequently. Some slow infectors, for instance, only infect files when they are copied. Slow infectors are designed to avoid detection by limiting their actions: they are less likely to slow down a computer noticeably and will, at most, infrequently trigger anti-virus software that detects suspicious behavior by programs. The slow infector approach, however, does not seem very successful.

Trigger

Date or time
Number of boots
Generation counter of the virus
Number of keypresses on the keyboard
Amount of free space on the hard drive
Number of minutes the machine has been idle
Name of an executed program
Basically any event in the PC can be used as a trigger by a virus!

Virus Classification

By target:
boot sector: infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.
file infector: infects executable files.
macro virus: infects files with macro code that is interpreted by an application.

There has been a continuous arms race between virus writers and writers of antivirus software since viruses first appeared. As effective countermeasures have been developed for existing types of viruses, new types have been developed. A virus classification by target includes the following categories:
Boot sector infector: Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.
File infector: Infects files that the operating system or shell consider to be executable.
Macro virus: Infects files with macro code that is interpreted by an application.

A virus classification by concealment strategy includes the following categories:
Encrypted virus: The virus creates a random encryption key, stored with the virus, and encrypts the remainder of the virus. When an infected program is invoked, the virus uses the stored random key to decrypt the virus. When the virus replicates, a different random key is selected.
Stealth virus: A form of virus explicitly designed to hide itself from detection by antivirus software. Thus, the entire virus, not just a payload, is hidden.
Polymorphic virus: A virus that mutates with every infection, making detection by the signature of the virus impossible.
Metamorphic virus: As with a polymorphic virus, a metamorphic virus mutates with every infection. The difference is that a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection. Metamorphic viruses may change their behavior as well as their appearance.

File infector: two types

Virus Classification

By hiding method:
encrypted virus: creates a random encryption key, stored with the virus, and encrypts the remainder of the virus. Then, the virus uses the stored random key to decrypt the virus. When the virus replicates, a different random key is selected.
stealth virus: designed to hide itself from detection by antivirus software, by restoring the size, modification date, and checksum of the infected file.

Figures: encrypted virus; stealth virus.
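To see why the stealth technique above (restoring the size, modification date and checksum of the infected file) defeats weak integrity checks but not the hash-based integrity checking that second-generation scanners use (see Anti-Virus Evolution further down), here is an added Python example that is not part of the original slides: it baselines a constructed program file, applies an in-place change that leaves size, mtime and a 16-bit additive checksum unchanged, and shows that only the SHA-256 entry of the baseline detects the change. The file contents, the checksum and the checker are constructed for illustration; only the hash algorithm is standard.

```python
"""Integrity checking: additive checksum vs. cryptographic hash (added example).

Models the stealth virus from the slides against two integrity checks. The
'program' is a constructed byte string, not real code.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Constructed sample "executable" image.
CLEAN_PROGRAM = b"CLEAN_PROGRAM_IMAGE_v1\x00" + bytes(range(200)) + b"\x00" * 56


@dataclass(frozen=True)
class Baseline:
    size: int
    mtime_ns: int
    checksum: int
    sha256: str


def additive_checksum(data: bytes) -> int:
    """16-bit additive checksum: the 'simpler checksum' of early integrity tools.
    It only depends on the multiset of byte values, not on their order."""
    return sum(data) & 0xFFFF


def take_baseline(path: Path) -> Baseline:
    """Record the attributes an integrity checker would store for a clean file."""
    st = path.stat()
    data = path.read_bytes()
    return Baseline(st.st_size, st.st_mtime_ns, additive_checksum(data),
                    hashlib.sha256(data).hexdigest())


def verify(path: Path, base: Baseline) -> dict:
    """Which baseline attributes still match. Size, mtime and checksum are the
    weak attributes a stealth virus can restore; sha256 is the one that holds."""
    now = take_baseline(path)
    return {"size": now.size == base.size,
            "mtime": now.mtime_ns == base.mtime_ns,
            "checksum": now.checksum == base.checksum,
            "sha256": now.sha256 == base.sha256}


def stealthy_modify(path: Path, i: int, j: int) -> None:
    """Model of the stealth behaviour: change the file in place, then put the
    modification time back. Swapping two distinct bytes keeps the size and
    the additive checksum unchanged, so all three weak attributes still match."""
    st = path.stat()
    data = bytearray(path.read_bytes())
    data[i], data[j] = data[j], data[i]
    path.write_bytes(bytes(data))
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))   # restore timestamps


def demo() -> dict:
    """Baseline a constructed file, modify it stealthily, and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        prog = Path(tmp) / "program.bin"
        prog.write_bytes(CLEAN_PROGRAM)
        base = take_baseline(prog)
        stealthy_modify(prog, 0, 1)   # 'C' <-> 'L': content differs, byte sum does not
        return verify(prog, base)


if __name__ == "__main__":
    print(demo())   # → {'size': True, 'mtime': True, 'checksum': True, 'sha256': False}
```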

Virus Classification

Polymorphic virus: mutates and infects each new file as a different string of bits, making detection by the signature of the virus impossible.
Metamorphic virus: as with a polymorphic virus, a metamorphic virus mutates with every infection. The difference is that a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection.

Virus Classification

A virus can modify itself and become a different string of bits simply by inserting several nop instructions in its code. A nop (no operation) is an instruction that does nothing.

Virus Classification

Compression virus: in addition to mutating, a virus may hide itself in a compressed file in such a way that the bits of the virus part depend on the rest of the infected file and are therefore always different.
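The following added Python example (not from the original slides) implements the signature scan that the Anti-Virus Evolution section calls a first-generation scanner, with wildcard positions, and runs it over constructed byte strings to show the point made above: a copy that differs only at the wildcard bytes still matches, while a copy with nop instructions inserted no longer does, until a normalisation step strips the nops before scanning. The signature and all samples are constructed toy values; 0x90 is used because it is the real single-byte x86 NOP, and the normalisation is a simplification assumed here for illustration.

```python
"""First-generation signature scanning and nop-insertion mutation (added example)."""
from typing import List, Optional

NOP = 0x90  # single-byte x86 NOP

# A signature is a byte pattern; None marks a wildcard whose value varies
# between copies (for instance the per-infection key of an encrypted virus).
Signature = List[Optional[int]]

# Constructed signature of a toy 'virus'; arbitrary bytes, not real code.
TOY_SIG: Signature = [0x7A, 0x3C, 0x01, None, None, 0xE9, 0x10, 0x4D, 0x41, 0x52]

# Constructed files to scan: two copies differing only at the wildcard bytes,
# a mutated copy with nops inserted, and a clean file.
INFECTED_A = b"\x00\x01" + bytes([0x7A, 0x3C, 0x01, 0xAA, 0xBB, 0xE9, 0x10, 0x4D, 0x41, 0x52]) + b"tail"
INFECTED_B = b"hdr" + bytes([0x7A, 0x3C, 0x01, 0x11, 0x22, 0xE9, 0x10, 0x4D, 0x41, 0x52])
MUTATED = b"hdr" + bytes([0x7A, 0x3C, NOP, 0x01, 0x11, 0x22, 0xE9, NOP, 0x10, 0x4D, 0x41, 0x52])
CLEAN = b"just a clean program with no virus bytes"


def matches_at(data: bytes, sig: Signature, off: int) -> bool:
    """True if sig matches data at offset off, wildcards matching any byte."""
    if off + len(sig) > len(data):
        return False
    return all(want is None or data[off + k] == want for k, want in enumerate(sig))


def scan(data: bytes, sig: Signature) -> Optional[int]:
    """First-generation scanner: offset of the first signature hit, or None."""
    for off in range(len(data) - len(sig) + 1):
        if matches_at(data, sig, off):
            return off
    return None


def strip_nops(data: bytes) -> bytes:
    """Crude normalisation before scanning: drop NOP bytes so that a copy which
    only inserted nops matches again. Assumption for this example only: real
    programs legitimately contain 0x90 bytes (e.g. padding), so a production
    scanner would normalise decoded instructions rather than raw bytes."""
    return bytes(b for b in data if b != NOP)


def scan_samples() -> dict:
    """Scan each constructed sample, raw and after nop normalisation."""
    samples = {"infected_a": INFECTED_A, "infected_b": INFECTED_B,
               "mutated": MUTATED, "clean": CLEAN}
    return {name: (scan(data, TOY_SIG), scan(strip_nops(data), TOY_SIG))
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, (raw, normalised) in scan_samples().items():
        print(f"{name:11s} raw scan: {raw!s:5} after nop stripping: {normalised}")
```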

Compression Virus

A virus such as the one just described is easily detected because an infected version of a program is longer than the corresponding uninfected one. A way to thwart such a simple means of detecting a virus is to compress the executable file so that both the infected and uninfected versions are of identical length. The code shown in Figure 7.2 [COHE94] shows in general terms the logic required. The key lines in this virus are numbered, and Figure 7.3 at the bottom, from [COHE94], illustrates the operation. In this example, the virus does nothing other than propagate. As in the previous example, the virus may include a logic bomb. We assume that program P1 is infected with the virus CV. When this program is invoked, control passes to its virus, which performs the following steps:
1. For each uninfected file P2 that is found, the virus first compresses that file, producing a version that is shorter than the original program by the size of the virus.
2. A copy of the virus is prepended to the compressed program.
3. The compressed version of the original infected program is uncompressed.
4. The uncompressed original program is executed.

E-Mail Viruses

A more recent development, e.g. Melissa
exploits an MS Word macro in an attached document
if the attachment is opened, the macro activates
sends email to all on the user's address list
and does local damage
later versions were triggered by reading the email
hence much faster propagation

A more recent development in malicious software is the e-mail virus. The first rapidly spreading e-mail viruses, such as Melissa, made use of a Microsoft Word macro embedded in an attachment. If the recipient opens the e-mail attachment, the Word macro is activated. Then the e-mail virus sends itself to everyone on the mailing list in the user's e-mail package, and also does local damage. At the end of 1999, a more powerful version of the e-mail virus appeared. This newer version can be activated merely by opening an e-mail that contains the virus rather than opening an attachment. The virus uses the Visual Basic scripting language supported by the e-mail package. Thus we see a new generation of malware that arrives via e-mail and uses e-mail software features to replicate itself across the Internet. The virus propagates itself as soon as it is activated (either by opening an e-mail attachment or by opening the e-mail) to all of the e-mail addresses known to the infected host. As a result, whereas viruses used to take months or years to propagate, they now do so in hours. This makes it very difficult for antivirus software to respond before much damage is done. Ultimately, a greater degree of security must be built into Internet utility and application software on PCs to counter the growing threat.

Virus Countermeasures

Anti-virus
prevention - the ideal solution, but difficult
realistically need:
detection
identification
removal
if we can detect but can't identify or remove, we must discard and replace the infected program

The ideal solution to the threat of viruses is prevention: do not allow a virus to get into the system in the first place. This goal is, in general, impossible to achieve, although prevention can reduce the number of successful viral attacks. The next best approach is to be able to do the following:
Detection: Once the infection has occurred, determine that it has occurred and locate the virus.
Identification: Once detection has been achieved, identify the specific virus that has infected a program.
Removal: Once the specific virus has been identified, remove all traces of the virus from the infected program and restore it to its original state. Remove the virus from all infected systems so that the disease cannot spread further.
If detection succeeds but either identification or removal is not possible, then the alternative is to discard the infected program and reload a clean backup version.

Tail chasing effect

The conclusion is that as many active processes as possible should be stopped before any attempt is made to clean viruses from a computer.

Anti-Virus Evolution

Virus and antivirus technology have both evolved.
Early viruses were simple code, easily removed.
As viruses have become more complex, so must the countermeasures.
Generations:
first - signature scanners
second - heuristic rules (structure)
third - identify actions
fourth - combination packages

Advances in virus and antivirus technology go hand in hand. Early viruses were relatively simple code fragments and could be identified and purged with relatively simple antivirus software packages. As the virus arms race has evolved, both viruses and, necessarily, antivirus software have grown more complex and sophisticated. [STEP93] identifies four generations of antivirus software:
A first-generation scanner requires a virus signature to identify a virus. The virus may contain "wildcards" but has essentially the same structure and bit pattern in all copies. Such signature-specific scanners are limited to the detection of known viruses.
A second-generation scanner uses heuristic rules to search for probable virus infection, e.g. looking for fragments of code that are often associated with viruses. Another second-generation approach is integrity checking, using a hash function rather than a simpler checksum.
Third-generation programs are memory-resident programs that identify a virus by its actions rather than by its structure in an infected program. These have the advantage that it is not necessary to develop signatures or heuristics, but only to identify the small set of actions indicating that an infection is being attempted, and then intervene.
Fourth-generation products are packages consisting of a variety of antivirus techniques used in conjunction. These include scanning and activity trap components. In addition, such a package includes access control capability, which limits the ability of viruses to penetrate a system and then limits the ability of a virus to update files in order to pass on the infection.

Propagation

Using infected programs: the virus is executed every time the program is executed.
Using interrupts that occur each time an external disk drive or a DVD is inserted into a USB port: once this interrupt occurs, the virus is executed as part of the interrupt-handling routine and it tries to infect the newly inserted volume.
As an email attachment.
Through infected software: a useful program (a calculator, a nice clock, or a beautiful screen saver) with a virus or a Trojan horse embedded in it.
Usually sharing: each time users share a computing resource such as a disk, a file, or a library routine, there is the risk of infection.

Worms, Trojans

Worms: a self-replicating program, similar to a virus, but self-contained.
Usually propagates over a network, using email, remote execution, or remote login, by exploiting service vulnerabilities.
It often creates denial of service.

A worm has phases like a virus: dormant, propagation, triggering, execution.
Propagation phase: searches for other systems, connects to them, copies itself to them and runs.
First implemented by Xerox Palo Alto labs in the 1980s: a search for idle systems to use to run a computationally intensive task.

A worm is a program that can replicate itself and send copies from computer to computer across network connections. Upon arrival, the worm may be activated to replicate and propagate again. In addition to propagation, the worm usually performs some unwanted function. Network worm programs use network connections to spread from system to system. Once active within a system, a network worm can behave as a computer virus or bacteria, or it could implant Trojan horse programs or perform any number of disruptive or destructive actions. To replicate itself, a network worm uses some sort of network vehicle such as email, remote execution or remote login capabilities. The new copy of the worm program is then run on the remote system where, in addition to any functions that it performs at that system, it continues to spread in the same fashion. A network worm exhibits the same characteristics as a computer virus: a dormant phase, a propagation phase, a triggering phase, and an execution phase. The propagation phase generally: searches for other systems to infect by examining host tables or similar repositories of remote system addresses; establishes a connection with a remote system; and copies itself to the remote system and causes the copy to be run. The network worm may also attempt to determine whether a system has previously been infected before copying itself to the system. In a multiprogramming system, it may also disguise its presence by naming itself as a system process or using some other name that may not be noticed by a system operator. The concept of a computer worm was introduced in John Brunner's 1975 SF novel The Shockwave Rider. The first known worm implementation was done in Xerox Palo Alto Labs in the early 1980s. It was a nonmalicious search for idle systems to use to run a computationally intensive task. As with viruses, network worms are difficult to counter.

What makes it different?

A virus propagates when users send email, launch programs, or carry storage media between computers. A worm propagates itself throughout the Internet by exploiting security weaknesses in applications and protocols we all use.
It has the highest speed of propagation.
The main feature of worms, a feature that distinguishes them from viruses and Trojan horses, is their speed of propagation.

Worm Propagation Model

[ZOU05] describes a model for worm propagation based on an analysis of recent worm attacks. The speed of propagation and the total number of hosts infected depend on a number of factors, including the mode of propagation, the vulnerability or vulnerabilities exploited, and the degree of similarity to preceding attacks. For the latter factor, an attack that is a variation on a recent previous attack may be countered more effectively than a more novel attack. Figure 7.6 shows the dynamics for one typical set of parameters. Propagation proceeds through three phases. In the initial phase, the number of hosts increases exponentially. To see that this is so, consider a simplified case in which a worm is launched from a single host and infects two nearby hosts. Each of these hosts infects two more hosts, and so on. This results in exponential growth. After a time, infecting hosts waste some time attacking already-infected hosts, which reduces the rate of infection. During this middle phase, growth is approximately linear, but the rate of infection is rapid. When most vulnerable computers have been infected, the attack enters a slow finish phase as the worm seeks out those remaining hosts that are difficult to identify. Clearly, the objective in countering a worm is to catch the worm in its slow start phase, at a time when few hosts have been infected.
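As an added example that is not from the slides or from [ZOU05], the following Python reproduces the three-phase curve described above with the classical random-scanning epidemic model, which is an assumption here: each infected host probes a fixed number of random addresses per tick, and probes that land on already-infected hosts are wasted, which is exactly what slows the middle and final phases. The address-space size, number of vulnerable hosts and scan rate are constructed parameters.

```python
"""Three-phase worm propagation curve (added example; simple epidemic model)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Params:
    address_space: int       # addresses a probe may be sent to (constructed)
    vulnerable: int          # vulnerable hosts among them (constructed)
    scans_per_tick: int      # random probes each infected host sends per tick
    initial_infected: int = 1


def simulate(p: Params, ticks: int) -> List[float]:
    """Expected number of infected hosts after each tick.

    A random probe finds a still-uninfected vulnerable host with probability
    (N - I) / A, so I infected hosts add about I * s * (N - I) / A infections
    per tick. While I << N this is exponential growth (slow start); as I grows
    the per-host yield (N - I) shrinks while I rises, giving roughly linear
    growth; near the end almost every probe is wasted on hosts that are already
    infected, the slow finish."""
    n, a, s = p.vulnerable, p.address_space, p.scans_per_tick
    infected = float(p.initial_infected)
    series = [infected]
    for _ in range(ticks):
        new = infected * s * (n - infected) / a
        infected = min(float(n), infected + new)
        series.append(infected)
    return series


def first_tick_reaching(series: List[float], target: float) -> int:
    """First tick at which the infected count reaches target, or -1."""
    for t, infected in enumerate(series):
        if infected >= target:
            return t
    return -1


def peak_increment_tick(series: List[float]) -> int:
    """Tick whose following step adds the most new infections (middle phase)."""
    increments = [b - a for a, b in zip(series, series[1:])]
    return max(range(len(increments)), key=increments.__getitem__)


def wasted_probe_share(p: Params, infected: float) -> float:
    """Fraction of probes that reach a vulnerable host but find it already infected."""
    return infected / p.vulnerable


def profile(p: Params, ticks: int = 60) -> Dict[str, float]:
    """Summarise the curve: early growth factor, time to 1%/50%/99% infected,
    the tick of fastest spread, and how many probes are wasted at that point."""
    s = simulate(p, ticks)
    n = p.vulnerable
    peak = peak_increment_tick(s)
    return {
        "early_growth_factor": s[1] / s[0],
        "t_1pct": first_tick_reaching(s, 0.01 * n),
        "t_50pct": first_tick_reaching(s, 0.50 * n),
        "t_99pct": first_tick_reaching(s, 0.99 * n),
        "peak_increment_tick": peak,
        "wasted_share_at_peak": wasted_probe_share(p, s[peak]),
    }


# Constructed parameters: 1M addresses, 10% vulnerable, 10 probes per tick, one seed host.
EXAMPLE = Params(address_space=1_000_000, vulnerable=100_000, scans_per_tick=10)

if __name__ == "__main__":
    for key, value in profile(EXAMPLE).items():
        print(f"{key:22s} {value}")
```

With these parameters each infected host doubles the population per tick at first (factor 2.0), 1% of hosts are infected at tick 10, 50% at tick 17 and 99% at tick 19, which is the narrow window the notes above call the slow start phase.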

Worm damages

Future worms may pose a threat to the Internet, to E-commerce, and to computer communications, and this threat may be much greater and much more dangerous than that posed by other types of malicious software.

Worm damage scenarios

A worm that has infected several million computers on the Internet may have the potential for a global catastrophe.
It could launch vast DoS attacks that can bring down not only E-commerce sites, but sensitive military sites or the root domain name servers of the Internet.

A worm that has infected several million computers on the Internet may have the potential for a global catastrophe. Here are just three possible scenarios:

Such a worm could launch vast DoS attacks that are out of the reach of current protection technologies. Such powerful attacks can bring down not only E-commerce sites, but sensitive military sites or the root domain name servers of the Internet. Such an attack may be an ideal tool in the hands of terrorists or may be perpetrated intentionally by a rogue nation to serve as a prelude to a large-scale war.

It is well known that rogue software often searches for sensitive information such as passwords and credit card numbers, but a wide-spread worm may blindly search for any kind of information based on a set of keywords. This type of needle-in-a-haystack search is inefficient, but with millions of worms searching simultaneously, it may produce quick results.

A well-known adage says you can't fool all the people all the time, but when the same false message arrives from millions of computers it may fool all the people some of the time. A wide-spread worm may cause much confusion and disrupt the lives of many by sending misinformation from millions of computers or just by making public the sensitive data it had discovered.

Morris Worm

one of the best known worms
released by Robert Morris in 1988
various attacks on UNIX systems
discover other hosts
cracking the password file to use login/password to log on to other systems
exploiting a bug in the finger protocol
exploiting a bug in sendmail
if successful, have remote shell access
send a bootstrap program to copy the worm over

Until the current generation of worms, the best known was the worm released onto the Internet by Robert Morris in 1988. The Morris worm was designed to spread on UNIX systems and used a number of different techniques for propagation. When a copy began execution, its first task was to discover other hosts known to this host that would allow entry from this host. The worm performed this task by examining a variety of lists and tables, including system tables that declared which other machines were trusted by this host, users' mail forwarding files, tables by which users gave themselves permission for access to remote accounts, and a program that reported the status of network connections. For each discovered host, the worm tried a number of methods for gaining access:
It attempted to log on to a remote host as a legitimate user, having cracked the local password file, and assuming that many users use the same password on different systems.
It exploited a bug in the finger protocol.
It exploited a trapdoor in the debug option of the remote sendmail process.
If any of these attacks succeeded, the worm achieved communication with the operating system command interpreter. It then sent this interpreter a short bootstrap program, issued a command to execute that program, and then logged off. The bootstrap program then called back the parent program and downloaded the remainder of the worm. The new worm was then executed.

Other Worm Attacks
Code Red (July 2001): exploited a Microsoft Internet Information Server (IIS) bug to penetrate and spread; probed random IP addresses; performed DDoS attack activities and reactivated periodically; consumed significant network capacity when active; infected nearly 360,000 servers in 14 hours. The Code Red II variant includes a backdoor allowing a hacker to direct the activities of victim computers.

The contemporary era of worm threats began with the release of the Code Red worm in July 2001. Code Red exploits a security hole in Microsoft Internet Information Server (IIS) to penetrate and spread. It also disables the system file checker in Windows. The worm probes random IP addresses to spread to other hosts. During a certain period of time it only spreads. It then initiates a denial-of-service attack against a government Web site by flooding the site with packets from numerous hosts. The worm then suspends activities and reactivates periodically. In the second wave of attack, Code Red infected nearly 360,000 servers in 14 hours. In addition to the havoc it causes at the targeted server, Code Red can consume enormous amounts of Internet capacity, disrupting service. Code Red II is a variant that also targets Microsoft IIS; in addition, this newer worm installs a backdoor allowing a hacker to direct the activities of victim computers.

In early 2003 the SQL Slammer worm appeared. This worm exploited a buffer overflow vulnerability in Microsoft SQL Server. Slammer was extremely compact and spread rapidly, infecting 90% of vulnerable hosts within 10 minutes. Late 2003 saw the arrival of the Sobig.f worm, which exploited open proxy servers to turn infected machines into spam engines. At its peak, Sobig.f reportedly accounted for one in every 17 messages and produced more than one million copies of itself within the first 24 hours. Mydoom is a mass-mailing e-mail worm that appeared in 2004. It followed a growing trend of installing a backdoor in infected computers, thereby enabling hackers to gain remote access to data such as passwords and credit card numbers. Mydoom replicated up to 1000 times per minute and reportedly flooded the Internet with 100 million infected messages in 36 hours.

Other Worm Attacks
SQL Slammer (early 2003): attacked MS SQL Server; compact and very rapid spread.
Mydoom (2004): mass-mailing e-mail worm; installed a remote-access backdoor in infected systems; flooded the Internet with 100 million infected messages in 36 hours.
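Code Red and Slammer both spread by probing random IP addresses, and the worm-technology slide later on lists "ultrafast spreading" via a prior scan for vulnerable addresses (a hit list). The simulation below is an added example written for this page, not code from the slides or from any real worm: it models an address space with a fixed set of vulnerable hosts, lets every infected host probe random addresses each round, and optionally seeds patient zero with a pre-scanned hit list that is halved and handed down at each infection. All parameters (address space of 2^16, 2,000 vulnerable hosts, 10 probes per round, a 200-entry hit list) are constructed assumptions chosen so the run finishes in seconds.

```python
import random

def simulate_worm(space_bits=16, n_vulnerable=2000, scans_per_round=10,
                  hit_list_size=0, seed=7, target_fraction=0.9, max_rounds=5000):
    """Rounds needed for a worm to infect target_fraction of the vulnerable hosts.

    Every infected host probes scans_per_round uniformly random addresses per round
    (Code Red / Slammer style). If hit_list_size > 0, patient zero starts with a
    pre-scanned list of vulnerable addresses; each infection hands half of the
    remaining list to the child (a partitioned hit list), and a host falls back to
    random scanning once its share is exhausted. Returns (rounds, hosts_infected).
    """
    rng = random.Random(seed)
    space = 1 << space_bits
    vulnerable = set(rng.sample(range(space), n_vulnerable))
    ordered = sorted(vulnerable)
    rng.shuffle(ordered)
    patient_zero = ordered[0]
    infected = {patient_zero}
    hit_lists = {patient_zero: ordered[1:1 + hit_list_size]}  # constructed prior scan result
    goal = target_fraction * n_vulnerable
    rounds = 0
    while len(infected) < goal and rounds < max_rounds:
        rounds += 1
        newly = {}  # address -> hit-list share handed to the new victim
        for host in list(infected):
            todo = hit_lists[host]
            if todo:
                target, rest = todo[0], todo[1:]
                if target in infected or target in newly:
                    hit_lists[host] = rest  # someone else got there first; move on
                else:
                    half = len(rest) // 2
                    hit_lists[host] = rest[:half]
                    newly[target] = rest[half:]
            else:
                for _ in range(scans_per_round):
                    addr = rng.randrange(space)
                    if addr in vulnerable and addr not in infected:
                        newly.setdefault(addr, [])
        for addr, todo in newly.items():
            infected.add(addr)
            hit_lists[addr] = todo
    return rounds, len(infected)

def compare(seed=7):
    """Rounds to 90% saturation: pure random scanning versus a 200-entry hit list."""
    random_rounds, _ = simulate_worm(hit_list_size=0, seed=seed)
    hitlist_rounds, _ = simulate_worm(hit_list_size=200, seed=seed)
    return {"random_scan": random_rounds, "hit_list": hitlist_rounds}

if __name__ == "__main__":
    print(compare())
```

With 2,000 vulnerable hosts in a 65,536-address space, a single random-scanning host expects only about 0.3 new victims per round, so the early phase is slow and growth is roughly exponential from there; the hit list removes that slow start by reaching hundreds of hosts in a handful of rounds before random scanning takes over. Increasing the address space (for instance to 2^20) while keeping the same number of vulnerable hosts makes random scanning far slower still, which is the point: the real IPv4 space is sparse, and the hit list is what makes "ultrafast" spread possible.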


Mobile Phone Worms
First appeared on mobile phones in 2004. They target smartphones, which can install software, and communicate via Bluetooth or MMS. They can disable the phone, delete data on the phone, or send premium-priced messages. E.g. CommWarrior, launched in 2005: replicates using Bluetooth to nearby phones and via MMS using address-book numbers, and copies itself to the removable memory card.

Worms first appeared on mobile phones in 2004. These worms communicate through Bluetooth wireless connections or via the multimedia messaging service (MMS). The target is the smartphone, which is a mobile phone that permits users to install software applications from sources other than the cellular network operator. Mobile phone malware can completely disable the phone, delete data on the phone, or force the device to send costly messages to premium-priced numbers. An example of a mobile phone worm is CommWarrior, which was launched in 2005. This worm replicates by means of Bluetooth to other phones in the receiving area. It also sends itself as an MMS file to numbers in the phone's address book and in automatic replies to incoming text messages and MMS messages. In addition, it copies itself to the removable memory card and inserts itself into the program installation files on the phone.

Recent Malware attacks

Worm Technology: the present state of the art

Multiplatform: not only Windows
Multi-exploit: browsers, e-mail, servers
Ultrafast spreading: prior Internet IP scan
Polymorphic: different code per attack
Metamorphic: different behaviour patterns
Transport vehicles: for other malware
Zero-day exploit: unknown vulnerability

The state of the art in worm technology includes the following:
Multiplatform: Newer worms are not limited to Windows machines but can attack a variety of platforms, especially the popular varieties of UNIX.
Multi-exploit: New worms penetrate systems in a variety of ways, using exploits against Web servers, browsers, e-mail, file sharing, and other network-based applications.
Ultrafast spreading: One technique to accelerate the spread of a worm is to conduct a prior Internet scan to accumulate the addresses of vulnerable machines (a hit list), so that the worm does not waste its early rounds probing addresses at random.
Polymorphic: To evade detection, skip past filters, and foil real-time analysis, worms adopt the virus polymorphic technique. Each copy of the worm has new code generated on the fly using functionally equivalent instructions and encryption techniques.
Metamorphic: In addition to changing their appearance, metamorphic worms have a repertoire of behaviour patterns that are unleashed at different stages of propagation.
Transport vehicles: Because worms can rapidly compromise a large number of systems, they are ideal for spreading other distributed attack tools, such as distributed denial-of-service bots.
Zero-day exploit: To achieve maximum surprise and distribution, a worm should exploit an unknown vulnerability that is only discovered by the general network community when the worm is launched.

Worm Countermeasures
Anti-virus software detects worms resident on a host; worms also cause significant network activity. Worm defense approaches include:
Signature-based worm scan filtering
Filter-based worm containment: content/code
Payload-classification-based worm containment: examine packets using anomaly detection techniques
Threshold random walk scan detection: exploits the randomness in picking destinations to connect to
Rate limiting and rate halting: limit the rate of scan-like traffic from an infected host, or immediately block outgoing traffic when a threshold is exceeded

There is considerable overlap in techniques for dealing with viruses and worms. Once a worm is resident on a machine, antivirus software can be used to detect it. In addition, because worm propagation generates considerable network activity, monitoring that activity can form the basis of a worm defense. The approaches fall into these classes:
Signature-based worm scan filtering: generates a worm signature, which is then used to prevent worm scans from entering or leaving a network or host.
Filter-based worm containment: focuses on worm content rather than a scan signature. The filter checks a message to determine whether it contains worm code.
Payload-classification-based worm containment: examines packets to see whether they contain a worm, using anomaly detection techniques.
Threshold random walk (TRW) scan detection: exploits the randomness in picking destinations to connect to as a way of detecting whether a scanner is in operation. A scanner that picks addresses at random fails far more of its connection attempts than a legitimate host does.
Rate limiting: limits the rate of scan-like traffic from an infected host.
Rate halting: immediately blocks outgoing traffic when a threshold is exceeded, either in outgoing connection rate or in diversity of connection attempts.
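The last two classes, threshold random walk and rate halting, are simple enough to implement end to end. The code below is an added example written for this page, not code from the slides or from any product: it runs both detectors over a constructed first-contact log containing a fast scanner, a benign host that only talks to servers it knows, and a slow scanner that probes one address every 30 seconds. TRW is the sequential likelihood-ratio test: each source's walk moves up on a failed first contact and down on a successful one, and a decision is made when it crosses a threshold derived from the tolerated false-positive rate alpha and the required detection rate beta. The success probabilities (0.8 benign, 0.2 scanner), alpha, beta, the 5-destinations-per-10-seconds halting rule and every log line are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed log of connection attempts: (seconds, source, destination, succeeded).
EVENTS = [
    (0, "10.0.0.5", "10.1.0.1", False), (1, "10.0.0.5", "10.1.0.2", False),
    (2, "10.0.0.5", "10.1.0.3", False), (3, "10.0.0.5", "10.1.0.4", True),
    (4, "10.0.0.5", "10.1.0.5", False), (5, "10.0.0.5", "10.1.0.6", False),
    (6, "10.0.0.5", "10.1.0.7", False), (7, "10.0.0.5", "10.1.0.8", False),
    (1, "10.0.0.7", "10.2.0.1", True), (2, "10.0.0.7", "10.2.0.2", True),
    (3, "10.0.0.7", "10.2.0.3", True), (4, "10.0.0.7", "10.2.0.4", True),
    (5, "10.0.0.7", "10.2.0.1", True),   # repeat contact: ignored by both detectors
    (0, "10.0.0.9", "10.3.0.1", False), (30, "10.0.0.9", "10.3.0.2", False),
    (60, "10.0.0.9", "10.3.0.3", False), (90, "10.0.0.9", "10.3.0.4", False),
    (120, "10.0.0.9", "10.3.0.5", False),
]

def first_contacts(events):
    """Yield events in time order, keeping only the first contact per (src, dst) pair."""
    seen = set()
    for t, src, dst, ok in sorted(events):
        if (src, dst) not in seen:
            seen.add((src, dst))
            yield t, src, dst, ok

def trw_verdicts(events, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.99):
    """Threshold random walk: one sequential likelihood-ratio test per source.
    theta0/theta1 = P(first contact succeeds) for a benign host / a scanner;
    alpha = tolerated false-positive rate, beta = required detection rate.
    Returns {src: "scanner" | "benign" | "undecided"}; the first decision sticks.
    """
    upper = math.log(beta / alpha)                    # cross it -> scanner
    lower = math.log((1 - beta) / (1 - alpha))        # cross it -> benign
    step_ok = math.log(theta1 / theta0)               # a success moves the walk down
    step_fail = math.log((1 - theta1) / (1 - theta0)) # a failure moves it up
    walk = defaultdict(float)
    verdict = {}
    for _, src, _, ok in first_contacts(events):
        if src in verdict:
            continue
        walk[src] += step_ok if ok else step_fail
        if walk[src] >= upper:
            verdict[src] = "scanner"
        elif walk[src] <= lower:
            verdict[src] = "benign"
    for src in walk:
        verdict.setdefault(src, "undecided")
    return verdict

def rate_halting(events, max_new_dests=5, window=10.0):
    """Block a source outright once it contacts more than max_new_dests distinct
    destinations within any window of `window` seconds. Returns {src: halt_time}.
    """
    recent = defaultdict(list)
    halted = {}
    for t, src, _, _ in first_contacts(events):
        if src in halted:
            continue
        recent[src] = [x for x in recent[src] if x > t - window] + [t]
        if len(recent[src]) > max_new_dests:
            halted[src] = t
    return halted

if __name__ == "__main__":
    print("TRW:", trw_verdicts(EVENTS))
    print("rate halting:", rate_halting(EVENTS))
```

With these parameters a failed first contact multiplies the likelihood ratio by 4 and a successful one divides it by 4, so four net failures (ratio 256, above the upper threshold of 99) convict a source and four net successes clear it. The fast scanner 10.0.0.5 is caught by both detectors at the same moment; the benign host is cleared by TRW and never trips the rate rule; the slow scanner 10.0.0.9 is convicted by TRW after its fourth failure but never exceeds the rate-halting window. That split is the practical reason to deploy the two together.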
Rate halting can be integrated with a signature- or filter-based approach so that, once a signature or filter is generated, every blocked host can be unblocked. As with rate limiting, rate-halting techniques are not suited to slow, stealthy worms.

Trojan Horse
An apparently useful program with hidden side effects, usually superficially attractive (e.g. a game, software upgrade, or screen saver). When run it performs some additional task. Usually designed primarily to give hackers access to a system; often used to propagate a virus or worm or to install a backdoor, or simply to destroy data.

A Trojan horse is a useful, or apparently useful, program or command procedure (e.g. a game, utility, or software upgrade) containing hidden code that performs some unwanted or harmful function that an unauthorized user could not accomplish directly. It is commonly used to make a user's files readable to the attacker, to propagate a virus, worm or backdoor, or simply to destroy data.

Damages
Download files to the infected computer.
Make registry changes to the infected computer.
Delete or remove files from the infected computer.
Rename files on the infected computer.
Steal passwords and other confidential information.
Log keystrokes of the computer user.
Disable a keyboard, mouse, or other peripherals.
Shut down or reboot the infected computer.
Run selected applications or terminate open applications.
Disable virus protection or other computer security software.

Other types
Back doors/Trap doors: a program that allows attackers to access a system, bypassing the normal authentication mechanisms.
Bomb: a program which lies dormant until a particular date/time is reached or a program logic condition is met (logic bomb or time bomb).

Backdoors are programs that allow a third-party attacker to access and to some degree control a machine remotely. Backdoors are largely Trojans and are dealt with correctly by most anti-virus products. Note that commercially developed remote administration tools are classed as PUPs (potentially unwanted programs) by AVERT and McAfee products.

The bomb checks the system date and does nothing until a pre-programmed date and time is reached. At that point, the logic bomb activates and executes its code. The classic use for a logic bomb is to ensure payment for software: if payment is not made by a certain date, the bomb activates and the software deletes itself.

Some back doors are placed in the software by the original programmer; others are placed on systems through a system compromise, such as a virus or worm. Usually, attackers use back doors for easier and continued access to a system after it has been compromised.

Types of Malware
Spyware: programs, cookies, or registry entries that track your activity and send that data to someone who collects it for their own purposes. The type of information stolen varies considerably: e-mail login details, IP and DNS addresses of the computer, the user's Internet habits, bank details used to access accounts or make online purchases, etc.

Types of Malware
Adware: software installed on your computer to show you advertisements. These may be pop-ups, pop-unders, advertisements embedded in programs, or ads placed on top of the ads in web sites, etc.
Key logger: a program that captures and records user keystrokes. Whenever a user enters a password, bank account number, credit card number, or other information, the program logs the keystrokes, which are often sent over the Internet to the hacker.

Types of Malware
Dialers: programs that set up your modem connection to connect to the Internet, often to charge illicit phone usage fees; targeted at users of dial-up Internet services.
Spam: unsolicited bulk e-mail sent in massive quantities to unsuspecting Internet e-mail users. Most spam tries to sell products and services. A more dangerous category tries to convince the recipient to share bank account numbers, credit card numbers, or logins and passwords for online banking services. It is also used for phishing and to spread malicious code.

A dialer is a program that uses a computer's modem to establish a dial-up connection to the Internet. Dialers are targeted at users of dial-up Internet services. Users of broadband lines such as DSL, LAN or similar are not affected, because their computers usually have no modem installed. Their activity usually results in high phone bills.

Types of Malware
Rootkit: a set of tools and utilities that a hacker can use to maintain access once they have hacked a system. The rootkit tools let them conceal their actions by hiding their files and processes and erasing the traces of their activity.
Bot/Zombie: small programs that attackers insert on computers to let them control the system remotely without the user's consent or knowledge.
Botnets: groups of computers infected by bots and controlled remotely by the owner of the bots. Computers infected with a bot are generally referred to as zombies.

The bot owner can then send commands, which include updating the bot, downloading a new threat, displaying advertising, sending spam or launching denial-of-service attacks. If an attacker installs a backdoor or other malicious program, the system administrator may notice the new program and remove it, ending the hacker's ability to access the system in the future. The goal of a rootkit is to disguise the existence of malicious programs on a system.

Once the bot has been successfully installed on a computer, that computer becomes a zombie, unable to resist the commands of the bot commander.

Types of Malware
Exploit: a piece of software, a command, or a methodology that attacks a particular security vulnerability; it takes advantage of a particular weakness, e.g. in the OS or in application programs.
Phishing: not an application but the process of attempting to acquire sensitive user information with fake websites. It is an example of the social engineering techniques used to fool users. Common targets for phishing: online payment systems such as online banking and e-commerce sites are the most commonly targeted, as users frequently need to enter their usernames and passwords there.

Exploits are not always malicious in intent; they are sometimes used only to demonstrate that a vulnerability exists. However, they are a common component of malware. Typically the owners of the system or application issue a fix or patch in response; users of the system or application are responsible for obtaining and applying the patch.

Home work
Read about the following topics:
Famous virus attacks
Virus writers
Self-replicating programs (quines)
Different types of virus naming
CPU interrupts
Multiple-threat malware
Registry files
GD (generic decryption) scanners