System Security-Virus and Worms
8/3/2019 System Security-Virus and Worms
SYSTEM SECURITY - Malicious Software
CONTENT
Viruses and Related Threats
Virus Countermeasures
Distributed Denial of Service Attacks
1. Malicious Software:
Software that is intentionally inserted into a system for a harmful purpose.
2. Virus:
A piece of software that can infect other programs by modifying them.
3. Worm:
A program that replicates itself and sends copies from computer to computer across a network. It usually performs some unwanted function.
4. DDoS.
Malicious Programs (taxonomy):
Host dependent (need a host program): Backdoor, Logic Bomb, Trojan Horses, Virus
Host independent (self-contained): Worms, Zombie
BACKDOOR (OR) TRAPDOOR:
A secret entry point into a program.
Lets an unscrupulous programmer gain access to the program without using the usual security access procedures.
Commonly used by developers while developing an application with an authentication procedure.
It is invoked either by a special sequence of code, or triggered by a particular user ID or an unlikely sequence of events.
Difficult to implement OS controls against.
Requires good software development and update practices.
LOGIC BOMB:
One of the oldest types of program threat, predating viruses and worms.
Code embedded in a legitimate program and set to "explode" when certain conditions are met.
Examples:
  presence/absence of some file
  particular date/time
  particular user
When triggered it typically damages the entire system: modifies/deletes files or disks, halts the machine, etc.
TROJAN HORSE:
A program or command procedure containing hidden code that, when invoked, performs an unwanted or harmful function.
Appears superficially attractive, e.g. a game, a software upgrade, etc.
Accomplishes indirectly functions that an unauthorized user can't accomplish directly.
Often used to propagate a virus/worm, install a backdoor, or simply destroy data.
ZOMBIE:
A program which secretly takes over another computer in the network, then uses it to indirectly launch attacks.
Often used to launch distributed denial of service (DDoS) attacks.
Exploits known flaws in network systems.
In short, a zombie is a program planted on an infected machine that is activated to launch attacks on other machines.
VIRUS:
A piece of software that can infect other programs by modifying them (self-replicating); the modified programs can go on to infect other programs.
Makes a fresh copy of itself whenever a new uninfected piece of software is found.
When the host program is run, all its replicas will infect the system and perform their function.
Viruses carry out their function specific to a particular OS.
Example: a virus designed for Windows can't affect Linux and vice versa.
VIRUS OPERATION:
1. Dormant Phase:
Idle state, waiting for an event to activate it.
2. Propagation Phase:
Replicating its copy to other uninfected areas on the disk (making clones).
3. Triggering Phase:
Activating the host to perform the function it was intended to.
4. Execution Phase:
The function of the virus is performed.
VIRUS STRUCTURE (pseudocode):
program V :=
{ goto main;
  1234567;
  subroutine infect-executable :=
    { loop:
      file := get-random-executable-file;
      if (first-line-of-file = 1234567) then goto loop
      else prepend V to file; }
  subroutine do-damage := { whatever damage is to be done }
  subroutine trigger-pulled := { return true if condition holds }
  main: main-program :=
    { infect-executable;
      if trigger-pulled then do-damage;
      goto next; }
  next:
}
(The constant 1234567 marks an already-infected file, so the virus skips it instead of infecting it twice.)
VIRUS TYPES:
Parasitic virus:
Attaches itself to executable files and replicates when the infected file is run.
Memory-resident virus:
Lodges in main memory as a part of the resident system. Infects all programs that are executed.
Boot sector virus:
Spreads when a system is booted from a disk containing the virus.
Stealth virus:
Hides itself from detection by antivirus software.
VIRUS TYPES (CONT.):
Polymorphic virus:
Mutates with every infection.
Does not rewrite its code at each iteration.
Metamorphic virus:
Mutates with every infection.
Rewrites its code at each iteration, increasing the difficulty of detection.
MACRO VIRUSES:
Platform independent.
Usually infect office files.
Any OS that supports the document file format can be infected.
Do not affect executable files, only document files.
Later versions of Office include security measures intended against macro viruses.
The common method of spreading is by e-mail.
E-MAIL VIRUSES:
Spread using e-mail with an attachment containing a macro virus, e.g. Melissa.
Sends itself to everyone on the mailing list in the user's e-mail package.
Triggered when the user opens the attachment or, worse, even when the mail is merely viewed, using scripting features in the mail agent.
Hence propagates very quickly. Does local damage.
WORMS:
A program that replicates itself and sends copies from computer to computer.
Needs a human to invoke it.
Once it is active within a system, the machine serves as an automated launching pad for attacks on other machines.
Does not infect a program, but could implant a Trojan horse or perform any destructive action that can affect the performance of the system.
WORM OPERATION:
Dormant:
Propagation:
  search for other systems to infect
  establish a connection to the target remote system
  replicate itself onto the remote system
Triggering:
Execution:
MORRIS WORM:
Released on the Internet by Robert Morris in 1998.
Designed for UNIX systems.
Logs in to remote hosts as a legitimate user.
Cracks the password file to retrieve user IDs and the corresponding passwords.
Exploits a bug to obtain information about remote users.
Exploits a trapdoor to send and receive mail.
Then attacks the command interpreter.
VIRUS COUNTERMEASURES:
The only real solution is prevention.
Do not allow the virus to enter the system (which is generally impossible).
Antivirus approach:
  Detection
  Identification
  Removal
GENERATIONS OF ANTIVIRUS SOFTWARE:
First generation (simple scanners): the scanner uses a virus signature to identify a virus, or a change in the length of programs.
Second generation (heuristic scanners): uses heuristic rules to spot viral infection, or uses a cryptographic hash of each program to spot changes.
Third generation (activity traps): memory-resident programs identify a virus by its actions.
Fourth generation (full-featured protection): packages with a variety of antivirus techniques, including access control capability, e.g. scanning and activity traps together with access controls.
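The detection and identification steps from the countermeasures slide, and the first- and second-generation scanner checks above (byte signature, program length, cryptographic hash of the program), as one added Python example that is not from the slides. The signatures and the sample program bytes are constructed for the demonstration; the "DEMO-B" marker mirrors the 1234567 tag in the pseudocode, but it is not a real indicator.

```python
from __future__ import annotations

import hashlib

# Constructed byte-pattern signatures for hypothetical virus families (not real IoCs).
# DEMO-B mirrors the "1234567" marker the slide's pseudocode uses to recognise
# an already-infected file.
SIGNATURES: dict[str, bytes] = {
    "DEMO-A": b"\x12\x34\x56\x78",
    "DEMO-B": b"DEMO-TAG-1234567",
}


def sha256_hex(data: bytes) -> str:
    """Second-generation check: a cryptographic hash of the program's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(programs: dict[str, bytes]) -> dict[str, tuple[int, str]]:
    """Record (length, sha256) for every trusted program while the system is known clean."""
    return {name: (len(data), sha256_hex(data)) for name, data in programs.items()}


def scan_signatures(data: bytes) -> list[str]:
    """First-generation check: names of the signatures found anywhere in the bytes."""
    return sorted(name for name, sig in SIGNATURES.items() if sig in data)


def scan_programs(programs: dict[str, bytes],
                  baseline: dict[str, tuple[int, str]]) -> dict[str, list[str]]:
    """Return findings per program: signature hits, length change, hash change.

    Only programs with at least one finding appear in the result.
    """
    findings: dict[str, list[str]] = {}
    for name, data in programs.items():
        issues = [f"signature:{s}" for s in scan_signatures(data)]
        if name in baseline:
            length, digest = baseline[name]
            if len(data) != length:
                issues.append("length-changed")   # first-generation length check
            if sha256_hex(data) != digest:
                issues.append("hash-changed")     # second-generation hash check
        else:
            issues.append("not-in-baseline")
        if issues:
            findings[name] = issues
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed scenario: two clean programs, then two kinds of tampering."""
    clean = {
        "editor.bin": b"\x7fELF" + b"\x00" * 40,
        "calc.bin": b"\x7fELF" + b"\x01" * 32,
    }
    baseline = build_baseline(clean)
    tampered = dict(clean)
    # Prepending code (as the slide's pseudocode does) changes both length and hash,
    # and the prepended marker matches a known signature.
    tampered["calc.bin"] = SIGNATURES["DEMO-B"] + clean["calc.bin"]
    # A same-length, single-byte patch defeats the length check but not the hash check.
    tampered["editor.bin"] = clean["editor.bin"][:-1] + b"\xff"
    return scan_programs(tampered, baseline)


if __name__ == "__main__":
    for program, issues in demo().items():
        print(program, ", ".join(issues))
```

The point of the two tampering cases is why the second generation added hashing: a length check only catches growth, a signature only catches a family you already know, while a hash catches any change to a program that was baselined while clean. The baseline itself must be stored where the malware cannot rewrite it.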
ADVANCED ANTIVIRUS TECHNIQUES:
1. Generic Decryption (GD):
Enables an antivirus program to detect even the most complex polymorphic viruses.
Every executable file is run in the GD scanner, which has a CPU emulator, a virus signature scanner and an emulation control module.
2. Digital Immune System:
Developed by IBM to address threats in a network.
  Integrated mail systems
  Mobile program systems
DIGITAL IMMUNE SYSTEM:
(figure slide: the diagram of the digital immune system is not reproduced in this transcript)
3. Behavior Blocking System:
Integrates with the OS of the host.
Monitors the behavior of running programs.
Blocks potentially malicious software that would harm the system.
Disadvantage: if a virus runs for a while before expressing its malicious behavior, it can already do a great deal of harm to the system.
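A behavior blocker reduced to its essentials, as an added Python example that is not from the slides. The event stream, the policy (block raw disk writes immediately; treat a process that rewrites three distinct system executables as a file infector) and the threshold are all constructed assumptions standing in for the OS hooks a real product would use. The `allowed_before_block` counter makes the slide's disadvantage concrete: the events a process was allowed before its behavior crossed the line have already happened.

```python
from __future__ import annotations

from collections import defaultdict

# Constructed event stream (pid, action, target) standing in for the OS hooks a
# real behavior blocker would use. Not real telemetry.
EVENTS = [
    (101, "open", "/home/user/report.docx"),
    (101, "write", "/home/user/report.docx"),
    (202, "write", "/usr/bin/ls"),
    (202, "write", "/usr/bin/cat"),
    (202, "write", "/usr/bin/cp"),
    (202, "write", "/usr/bin/mv"),
    (303, "write", "/dev/sda"),
    (303, "delete", "/etc/passwd"),
]

# Hypothetical policy: writes to raw disks are blocked at once; a process that
# modifies this many distinct system executables is treated as a file infector.
SYSTEM_EXEC_PREFIXES = ("/bin/", "/usr/bin/", "/usr/sbin/")
RAW_DISK_PREFIXES = ("/dev/sd", "/dev/nvme")
EXEC_WRITE_THRESHOLD = 3


class BehaviorBlocker:
    def __init__(self) -> None:
        self.exec_writes: dict[int, set[str]] = defaultdict(set)
        self.blocked: dict[int, str] = {}          # pid -> reason it was blocked
        self.allowed_before_block: dict[int, int] = defaultdict(int)

    def observe(self, pid: int, action: str, target: str) -> str:
        """Evaluate one event; return "allowed" or "blocked"."""
        if pid in self.blocked:
            return "blocked"                      # once blocked, every later event is denied
        reason = None
        if action == "write" and target.startswith(RAW_DISK_PREFIXES):
            reason = "raw disk write"
        elif action == "write" and target.startswith(SYSTEM_EXEC_PREFIXES):
            self.exec_writes[pid].add(target)
            if len(self.exec_writes[pid]) >= EXEC_WRITE_THRESHOLD:
                reason = f"modified {len(self.exec_writes[pid])} system executables"
        if reason is not None:
            self.blocked[pid] = reason
            return "blocked"
        # The slide's disadvantage in one counter: everything before the block went through.
        self.allowed_before_block[pid] += 1
        return "allowed"


def run(events=EVENTS) -> tuple[BehaviorBlocker, list[tuple[int, str]]]:
    """Feed the events through a fresh blocker; return it with the per-event decisions."""
    blocker = BehaviorBlocker()
    decisions = [(pid, blocker.observe(pid, action, target)) for pid, action, target in events]
    return blocker, decisions


if __name__ == "__main__":
    blocker, decisions = run()
    for pid, reason in blocker.blocked.items():
        print(f"pid {pid} blocked: {reason}; "
              f"events allowed before block: {blocker.allowed_before_block[pid]}")
```

Process 303 is stopped on its first harmful action because the rule is a single event, whereas process 202 has already rewritten two system executables before the threshold rule fires; lowering the threshold closes that window at the cost of false positives on legitimate installers, which is the trade-off every behavior blocker has to tune.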
DISTRIBUTED DENIAL OF SERVICE ATTACKS:
An attempt to prevent legitimate users from using a service.
A serious threat over network(s), launched by a single attacker.
Consumes the target's resources.
Based on the type of resource consumed:
  Internal resource attack
  Attack consuming data transmission resources
Based on the type of attack:
  Direct DDoS
  Reflector DDoS
CONSTRUCTING AN ATTACK NETWORK:
Create software that would carry out the attack.
It should be triggered at a particular time.
The vulnerability it exploits should be present in multiple systems.
Information about the vulnerability should be reported back to the attacker.
Selecting the systems:
  Random (IP address)
  Hit list (analyzing vulnerable machines and then attacking)
  Topological (finding hosts from the infected machine)
  Local subnet (within the LAN)
DDOS COUNTERMEASURES:
Prevention and preemption (before the attack)
Detection and filtering (during the attack)
Source trace back and identification (during and after the attack)
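The "detection and filtering" step, as an added Python example that is not from the slides, run over constructed flow records. It also goes one step beyond the slide by contrasting the two attack types named earlier: a direct flood stands out per source, while a reflector flood stays under any per-source limit and is only visible as an aggregate per destination. The flow records, address ranges (documentation ranges) and limits are all constructed assumptions.

```python
from __future__ import annotations

from collections import defaultdict

# Constructed flow records (timestamp_seconds, source_ip, dest_ip, packets) using
# documentation address ranges; not captured traffic.
FLOWS = [
    (0.1, "10.0.0.5", "203.0.113.10", 5),           # ordinary client
    (0.2, "198.51.100.7", "203.0.113.10", 300),     # direct flood from one source
]
# Reflector pattern: 30 distinct reflectors each send a modest amount to the victim.
FLOWS += [(1.0 + i * 0.01, f"192.0.2.{i + 1}", "203.0.113.20", 10) for i in range(30)]

PER_SOURCE_LIMIT = 50    # packets per source per window (catches direct floods)
PER_DEST_LIMIT = 200     # packets per destination per window (catches reflector floods)
WINDOW_SECONDS = 1.0


def detect(flows, per_source_limit=PER_SOURCE_LIMIT, per_dest_limit=PER_DEST_LIMIT,
           window=WINDOW_SECONDS) -> tuple[set[str], set[str]]:
    """Return (sources to filter, destinations under flood), judged per time window."""
    by_source: dict[tuple[int, str], int] = defaultdict(int)
    by_dest: dict[tuple[int, str], int] = defaultdict(int)
    for ts, src, dst, packets in flows:
        w = int(ts // window)
        by_source[(w, src)] += packets
        by_dest[(w, dst)] += packets
    block_sources = {src for (w, src), n in by_source.items() if n > per_source_limit}
    flooded_dests = {dst for (w, dst), n in by_dest.items() if n > per_dest_limit}
    return block_sources, flooded_dests


def filter_flows(flows, block_sources: set[str]) -> list:
    """Filtering step: drop every flow whose source is on the block list."""
    return [f for f in flows if f[1] not in block_sources]


def summarize(flows=FLOWS) -> dict[str, object]:
    """Detect, filter, then re-detect to show what source filtering alone leaves behind."""
    block_sources, flooded_dests = detect(flows)
    remaining = filter_flows(flows, block_sources)
    # Destinations still flooded after source filtering show where a per-source rule
    # is not enough (the reflector case): that needs upstream rate limiting or traceback.
    _, still_flooded = detect(remaining)
    return {
        "blocked_sources": block_sources,
        "flooded_destinations": flooded_dests,
        "remaining_flows": len(remaining),
        "still_flooded_after_filter": still_flooded,
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The direct flood is removed by blocking one source, but the reflector flood survives the filter because no single reflector exceeds the per-source limit; that is why the slide pairs detection and filtering with the later source trace back step, since the reflectors' addresses are real hosts and the spoofed origin has to be traced upstream.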