System Security-Virus and Worms


Transcript of System Security-Virus and Worms

  • 8/3/2019 System Security-Virus and Worms

    1/26

    SYSTEM SECURITY-Malicious Software

    System Security-Virus and Worms


    CONTENT

    Viruses and Related Threats

    Virus Countermeasures

    Distributed Denial of Service Attacks



    1. Malicious Software:
       S/W that is intentionally inserted into a system for a harmful purpose.

    2. Virus:
       A piece of S/W that can infect other programs by modifying them.

    3. Worm:
       A program that replicates itself and sends copies from computer to computer across a n/w.
       It usually performs some unwanted function.

    4. DDoS.



    Malicious Programs

      Host dependent:   Backdoor, Logic Bomb, Trojan Horses, Virus
      Host independent: Worms, Zombie


    BACKDOOR (OR) TRAPDOOR:

    A secret entry point into a program.

    Lets an unscrupulous programmer gain access to the program without using the usual security access procedures.

    Commonly used by developers while developing an application with an authentication procedure.

    It is invoked either by a special sequence of code, or by triggering from a particular user ID or an unlikely sequence of events.

    OS controls are difficult to implement against backdoors.

    Requires good S/W development and update practices.



    LOGIC BOMB:

    One of the oldest types of program threat, predating viruses and worms.

    Code embedded in a legitimate program that is set to "explode" when certain conditions are met.

    Examples:
      presence/absence of some file
      particular date/time
      particular user

    When triggered, typically damages the entire system: modifies/deletes files or disks, halts the machine, etc.



    TROJAN HORSE:

    Program or command procedure containing hidden code that, when invoked, performs an unwanted or harmful function.

    Appears superficially attractive, e.g. a game, a s/w upgrade, etc.

    Accomplishes indirectly functions that an unauthorized user can't accomplish directly.

    Often used to propagate a virus/worm, install a backdoor, or simply to destroy data.



    ZOMBIE:

    A program which secretly takes over another computer in the n/w, then uses it to indirectly launch attacks.

    Often used to launch distributed denial of service (DDoS) attacks.

    Exploits known flaws in network systems.

    In short, a zombie is a program on an infected machine that is activated to launch attacks on other machines.



    VIRUS:

    A piece of software that can infect other programs by modifying them (self-replicating); the modified programs can go on to infect other programs.

    Makes a fresh copy of itself whenever a new, uninfected piece of S/W is found.

    When the host program is run, all its replicas will infect the system, performing whatever function the virus carries.

    Viruses carry out their function specific to a particular OS.

    Example: a virus designed for Windows can't affect Linux, and vice versa.



    VIRUS OPERATION:

    1. Dormant Phase:
       Idle state, waiting for an event to activate it.

    2. Propagation Phase:
       Replicating its copy to other uninfected areas on the disk (making clones).

    3. Triggering Phase:
       Activating the host to perform the function it was intended to.

    4. Execution Phase:
       The function of the virus is performed.



    VIRUS STRUCTURE:

    program V :=
    {goto main;
     1234567;

     subroutine infect-executable :=
       {loop:
        file := get-random-executable-file;
        if (first-line-of-file = 1234567) then goto loop
        else prepend V to file; }

     subroutine do-damage := {whatever damage is to be done}

     subroutine trigger-pulled := {return true if condition holds}

    main: main-program :=
       {infect-executable;
        if trigger-pulled then do-damage;
        goto next;}

    next:
    }

    The constant 1234567 on the second line is a marker: because V is prepended to every file it infects, each infected file starts with that marker, and infect-executable uses it to recognize and skip files that are already infected. The same marker is what a simple signature scanner looks for.



    VIRUS TYPES:

    Parasitic virus:
      Attaches itself to executable files and replicates when the infected file is run.

    Memory-resident virus:
      Lodges in main memory (MM) as part of the resident system.
      Infects all programs that are executed.

    Boot sector virus:
      Spreads when a system is booted from a disk containing the virus.

    Stealth virus:
      Hides itself from detection by antivirus S/W.



    VIRUS TYPES: (CONT.)

    Polymorphic virus:
      Mutates with every infection.
      Does not rewrite its code at each iteration.

    Metamorphic virus:
      Mutates with every infection.
      Rewrites its code at each iteration, increasing the difficulty of detection.



    MACRO VIRUSES:

    Platform independent.

    Usually infect office files.

    Any OS that supports the document file can get infected.

    Do not affect executable files, only document files.

    Later versions of Office include security features intended to counter macro viruses.

    Common method of spreading is by e-mail.



    E-MAIL VIRUSES:

    Spread using e-mail with an attachment containing a macro virus, e.g. Melissa.

    Sends itself to everyone on the mailing list in the user's e-mail package.

    Triggered when the user opens the attachment or, worse, even when the mail is merely viewed, by using scripting features in the mail agent.

    Hence propagates very quickly. Does local damage.



    WORMS:

    A program that replicates itself and sends copies from computer to computer.

    Needs a human to invoke it.

    Once it is active within a system, the machine serves as an automated launching pad for attacks on other machines.

    Does not infect a program, but could implant a Trojan horse or perform any destructive action that can affect the performance of the system.



    WORM OPERATION:

    Dormant:

    Propagation:
      search for other systems to infect
      establish a connection to the target remote system
      replicate itself onto the remote system

    Triggering:

    Execution:



    MORRIS WORM:

    Released on the Internet by Robert Morris in 1998.

    Designed for UNIX systems.

    Logs in to remote hosts as a legitimate user.

    Cracks the password file to retrieve user IDs and corresponding passwords.

    Exploits a bug to get info about remote users.

    Exploits a trapdoor to send and receive mail.

    Then attacks the command interpreter.



    VIRUS COUNTERMEASURES:

    The only solution is to prevent it: do not allow the virus to enter the system (which is generally impossible).

    Antivirus approach:
      Detection
      Identification
      Removal



    GENERATIONS OF ANTIVIRUS S/W:

    First generation (simple scanners): the scanner uses a virus signature to identify a virus, or a change in the length of programs.

    Second generation (heuristic scanners): uses heuristic rules to spot viral infection, or uses a crypto hash of a program to spot changes.

    Third generation (activity traps): memory-resident programs identify a virus by its actions.

    Fourth generation (full-featured protection): packages with a variety of antivirus techniques, such as access-control capability.
    E.g. scanning & activity traps, access controls.
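    The following is an added example, not part of the original slides, showing the first two generations side by side: a signature scanner that looks for known byte patterns, and a crypto-hash integrity checker that records a SHA-256 digest and length for every program while the system is clean and later reports any file whose digest or length changed. The "files", the signature names and the byte patterns are constructed for the demonstration; the marker 1234567 is taken from the virus-structure pseudocode earlier in the slides. Nothing here executes the scanned content; the "infection" helper only prefixes bytes to an in-memory blob to produce test input.

```python
import hashlib

# Constructed sample "files" (path -> contents). On a real system these
# would be read from disk; here they are in-memory stand-ins.
SAMPLE_FILES = {
    "bin/editor": b"\x7fELF editor: legitimate program bytes",
    "bin/backup": b"\x7fELF backup: legitimate program bytes",
    "bin/report": b"\x7fELF report: legitimate program bytes",
}

# Constructed byte patterns standing in for vendor-maintained virus signatures.
# "1234567" is the already-infected marker from the virus-structure pseudocode;
# the other pattern and both names are made up for the demonstration.
SIGNATURES = {
    "Demo.Marker.A": b"1234567",
    "Demo.Payload.B": b"EVIL_PAYLOAD",
}


def signature_scan(contents, signatures=SIGNATURES):
    """First generation: return the names of every signature found in the file body."""
    return sorted(name for name, pattern in signatures.items() if pattern in contents)


def build_baseline(files):
    """Second generation: record a SHA-256 digest and the length of every file
    while the system is known to be clean."""
    return {path: (hashlib.sha256(data).hexdigest(), len(data)) for path, data in files.items()}


def integrity_check(files, baseline):
    """Compare the current files against the baseline.
    Returns {path: status} for every discrepancy, where status is
    'modified', 'modified (length changed)', 'new' or 'missing'."""
    report = {}
    for path, data in files.items():
        if path not in baseline:
            report[path] = "new"
            continue
        old_digest, old_len = baseline[path]
        if hashlib.sha256(data).hexdigest() != old_digest:
            report[path] = "modified" if len(data) == old_len else "modified (length changed)"
    for path in baseline:
        if path not in files:
            report[path] = "missing"
    return report


def scan_system(files, baseline):
    """Combine both generations: per-file signature hits plus integrity discrepancies."""
    hits = {path: signature_scan(data) for path, data in files.items()}
    return {
        "signature_hits": {p: h for p, h in hits.items() if h},
        "integrity": integrity_check(files, baseline),
    }


def simulate_prepend_infection(files, victim, marker=b"1234567", payload=b"EVIL_PAYLOAD"):
    """Constructed test input only: mimic the pseudocode's 'prepend V to file' step
    on one path by prefixing marker+payload bytes. Returns a new dict; nothing runs."""
    infected = dict(files)
    infected[victim] = marker + payload + files[victim]
    return infected


if __name__ == "__main__":
    baseline = build_baseline(SAMPLE_FILES)
    after = simulate_prepend_infection(SAMPLE_FILES, "bin/report")
    print(scan_system(after, baseline))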



    ADVANCED ANTIVIRUS TECHNIQUES:

    1. Generic Decryption (GD):
       Enables the antivirus program to detect even the most complex polymorphic viruses.
       Every executable file is run in the GD scanner, which has a CPU emulator, a virus signature scanner and an emulation control module.

    2. Digital Immune System:
       Developed by IBM to solve threats in a network.
       Integrated mail systems.
       Mobile program systems.



    DIGITAL IMMUNE SYSTEM:



    3. Behavior Blocking System:

    Integrates with the OS of the host.

    Monitors the behavior of programs.

    Blocks potentially malicious S/W that would harm the system.

    Disadvantage: a virus can run, and do a great deal of harm to the system, before it expresses the behavior that would be blocked.



    DISTRIBUTED DENIAL OF SERVICE ATTACKS:

    An attempt to prevent users from using a service.

    A serious threat over network(s) that can be mounted by a single attacker.

    Consumes the target's resources.

    Based on the type of resource consumed:
      Internal resource attack
      Attack consuming data transmission resources

    Based on the type of attack:
      Direct DDoS
      Reflector DDoS



    CONSTRUCTING ATTACK NETWORK:

    Create S/W that would carry out the attack.

    It should be triggered at a particular time.

    Triggering should exploit a vulnerability present in multiple systems.

    Information about the vulnerability should be reported back to the attacker.

    Selecting the system:
      Random (IP address)
      Hit list (analyzing vulnerable machines and then attacking)
      Topological (finding hosts from the infected machine)
      Local subnet (within the LAN)



    DDOS COUNTERMEASURES:

    Prevention and preemption (before the attack)

    Detection and filtering (during the attack)

    Source traceback and identification (during and after the attack)
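    The following is an added example, not from the original slides, of the "detection and filtering during the attack" countermeasure: a sliding-window rate detector that flags any source sending more than a threshold of requests within a window, and a filter that drops that source's traffic from the moment it was flagged. The request log, the source addresses (RFC 5737 documentation ranges), the 10-second window and the threshold of 50 are all constructed for the demonstration; real thresholds are tuned per service. One caveat follows from the slide's own classification: in a reflector DDoS the sources the victim sees are the reflectors, and in a direct attack the source addresses may be spoofed, so per-source filtering at the victim is a first response, and the third countermeasure (source traceback) and upstream filtering are still needed.

```python
from collections import defaultdict, deque


def build_sample_log():
    """Constructed sample request log as (timestamp_seconds, source_ip, request).
    Addresses are from the RFC 5737 documentation ranges; nothing here is real traffic."""
    log = []
    # a legitimate client: one request every 12 s
    log += [(float(t), "198.51.100.7", "GET /index") for t in range(0, 60, 12)]
    # a busy but legitimate client: one request every 2 s
    log += [(float(t), "198.51.100.9", "GET /api/status") for t in range(0, 60, 2)]
    # a flooding source: 200 requests in 10 s (20 per second), starting at t=30
    log += [(30 + i / 20, "203.0.113.5", "GET /search?q=x") for i in range(200)]
    return log


SAMPLE_LOG = build_sample_log()


def detect_floods(events, window=10.0, threshold=50):
    """Sliding-window rate detector (hypothetical window and threshold).
    Returns {source_ip: timestamp at which the source first exceeded `threshold`
    requests within the preceding `window` seconds}."""
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    flagged = {}
    for ts, src, _ in sorted(events):
        q = recent[src]
        q.append(ts)
        while q[0] <= ts - window:  # evict timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and src not in flagged:
            flagged[src] = ts
    return flagged


def apply_filter(events, flagged):
    """Filtering during the attack: drop every request from a flagged source
    from the moment it was flagged; earlier requests and other sources pass."""
    return [e for e in events if e[1] not in flagged or e[0] < flagged[e[1]]]


def summarize(events, window=10.0, threshold=50):
    """Run detection and filtering over a log and report the outcome."""
    flagged = detect_floods(events, window, threshold)
    passed = apply_filter(events, flagged)
    return {
        "flagged": flagged,
        "total_requests": len(events),
        "passed_requests": len(passed),
        "dropped_requests": len(events) - len(passed),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

    On the constructed log the flooding source is flagged at t = 32.5 s, its 51st request within the window, while the client sending one request every 2 seconds never exceeds 5 requests per window and is left alone; this is the trade-off the threshold encodes, and setting it too low turns the filter itself into a denial of service for busy legitimate clients.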
