Computer Security Management
(ISYS20261)
Lecture 5 - Host-based Attacks

Module Leader: Dr Xiaoqi Ma
School of Science and Technology

Last Time:

• CSI Computer Security Survey
• Offers good overview
• Three basic types of attacks:
  – Host-based Attacks
  – Network-based Attacks
  – Social Engineering

• Host-based attacks:
  – Malicious Code
  – Malicious Software

Computer Security Management
Page 2
Today

• Malicious Code
  – Backdoors
  – Computer Viruses

• Malicious Software (Malware)
  – Computer Worms
  – Trojan Horses (Trojans)
  – Rootkits
  – Spyware

Backdoors (1)

• Sometimes referred to as a Trapdoor
• Secret built-in method for (unauthorised) access to a system
  – Universal standard password
  – Secret admin account

• Usually smuggled in by a third party
  – Programmer who wants to gain access to the system once it is put into
    operation
  – Espionage
  – Viruses and Trojans
  – etc

Backdoors (2)

• Can be inserted at any point in tool-chain
  – Source code
  – Compiler
  – Executable

• Open source software less likely to contain a backdoor
• Symmetric Backdoor
  – everybody who knows about the Backdoor can use it

• Asymmetric Backdoor
  – can only be used by the attacker who plants it
  – Based on asymmetric cryptography

Finding backdoors

• Code reviews
  – Only possible if the code is available (Open Source)
  – Similar to white box testing
  – Example: backdoor in Linux kernel's source code

• Disassembling and analysing executables
  – Can be done for programs and libraries
  – Laborious and error prone

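An added example, not from the lecture: a small code-review aid in Python for the source-level case. It flags assignments inside if/while conditions in C source, the construct used by the 2003 attempt to plant a backdoor in the Linux kernel's wait4() that the slide alludes to, where current->uid = 0 stood where == belonged. The C fragment below is constructed and only modelled on that case; it is not the kernel's code.

```python
import re
from typing import Iterator, List, Tuple

# Constructed C fragment modelled on the publicised 2003 attempt to slip a
# backdoor into the Linux kernel's wait4() through a CVS mirror: the second
# clause on line 3 assigns uid = 0 (root) instead of comparing it, so a
# caller passing that flag combination silently becomes root. The other
# two conditions are legitimate and show how such cases are reported.
SAMPLE_C = """\
int sys_wait4(pid_t pid, int *stat_addr, int options, struct rusage *ru)
{
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;
    if (current->uid == 0)
        retval = audit_root_caller();
    while ((c = getc(fp)) != EOF)
        count++;
    return retval;
}
"""

_CONDITION_START = re.compile(r"\b(if|while)\s*\(")
# Fields whose assignment inside a condition is almost never intended.
_PRIVILEGE_HINT = re.compile(r"\b(uid|euid|gid|egid|suid|admin|root|privileged)\b")

Finding = Tuple[int, str, str]   # (line number, severity, condition text)


def _condition_spans(src: str) -> Iterator[Tuple[int, int]]:
    """Yield (start, end) offsets of the text inside the parentheses of each
    if/while, matching nested parentheses by depth counting."""
    for m in _CONDITION_START.finditer(src):
        depth = 0
        for i in range(m.end() - 1, len(src)):
            if src[i] == "(":
                depth += 1
            elif src[i] == ")":
                depth -= 1
                if depth == 0:
                    yield m.end(), i
                    break


def _has_bare_assignment(cond: str) -> bool:
    """True if cond contains an '=' that is not part of ==, !=, <= or >=.
    String literals are not special-cased: this is a review aid, not a parser."""
    for i, ch in enumerate(cond):
        if ch != "=":
            continue
        prev = cond[i - 1] if i > 0 else ""
        nxt = cond[i + 1] if i + 1 < len(cond) else ""
        if prev in ("=", "!", "<", ">") or nxt == "=":
            continue
        return True
    return False


def find_assignments_in_conditions(src: str) -> List[Finding]:
    """Report every if/while condition that performs an assignment. Unlike a
    compiler's -Wparentheses warning, wrapping the assignment in its own
    parentheses does not silence this check; that wrapping is exactly what
    made the kernel change look deliberate. A reviewer still decides: idioms
    such as while ((c = getc(fp)) != EOF) are reported with severity 'low'."""
    findings: List[Finding] = []
    for start, end in _condition_spans(src):
        cond = " ".join(src[start:end].split())
        if not _has_bare_assignment(cond):
            continue
        line = src.count("\n", 0, start) + 1
        severity = "high" if _PRIVILEGE_HINT.search(cond) else "low"
        findings.append((line, severity, cond))
    return findings


if __name__ == "__main__":
    for line, severity, cond in find_assignments_in_conditions(SAMPLE_C):
        print(f"line {line}: [{severity}] assignment in condition: {cond}")
```
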
Computer viruses (1)

• Term was introduced in 1983 by Fred Cohen
• Self-replicating code (viral code) that secretly embeds itself into a
  host program without permission or knowledge of the owner/user
  (infection)
• If the infected program is executed, the virus is executed as well
  and tries to spread itself by infecting other programs
• Sometimes a virus modifies its own code before it infects other
  programs to avoid detection (no fixed signature, i.e. sequence of
  instructions)
  – Polymorphic virus re-encrypts itself with each infection
  – Metamorphic virus re-writes its own code with each infection

Computer viruses (2)

• Viruses usually carry a payload, i.e. serve another (criminal)
  purpose
  – Installing malicious software on the computer
  – Deleting data and/or programs
  – Encryption of data (blackmailing!)

• Different infection methods
  – Boot sectors
  – Executable files
  – Macros in documents
  – Scripts on web pages

Boot sector viruses

• Oldest type of computer viruses
• Does not infect an executable but the boot sector of a floppy disk or
  the Master Boot Record (MBR) of a hard disk
• MBRs and boot sectors contain a Boot Loader program that is
  executed after the computer is switched on to load the operating
  system
  – Boot virus embeds itself into the Boot Loader
  – It is executed when the BIOS tries to run the Boot Loader
  – It then tries to infect the MBRs of installed hard drives before it carries out a
    destructive action or before it loads the OS

• Today extinct
  – Can easily be found by anti-virus software
  – The virus is very limited in memory (444 Bytes!)

File viruses (1)

• Embeds itself into an executable program file
• Different infection methods
  – Overwriting viruses
  – Companion viruses
  – Parasitic viruses

File viruses (2)

• Overwriting virus:
  – Virus completely replaces the code of the infected program
  – Easy to detect since the original program does not work anymore
  – File size changed, can be detected by integrity-checking software

• Companion virus:
  – infects an .EXE file by creating a matching file with a .COM extension that
    contains the viral code and puts it into the same directory
  – The OS gives preference to .COM files over .EXE files and hence the viral code
    is executed when the user starts the program
  – It then carries out the spread routine before executing the original .EXE file
  – Size of original file is not changed

File viruses (3)

• Parasitic viruses modify the code of the infected file
• The infected file remains partially or fully functional
• Different types:
  – Prepender
  – Appender
  – Entry Point Obscuring (inserting)
  – Cavity filler

• Stealth virus:
  – Tries to hide its existence
  – Example: parasitic virus that intercepts system calls that return the size of a file
    to fool integrity-checking software

File viruses (4)

• Prepender virus:
  – Places its code at the beginning of the file it infects
  – Viral code is executed first when the infected file is executed
  – File size increased, can be detected by integrity-checking software

• Appender virus:
  – Places its code at the end of the file it infects
  – Adjusts the file's entry point to cause its code to be executed before that of
    the original file
  – File size increased, can be detected by integrity-checking software

File viruses (5)

• Entry Point Obscuring:
  – Places its code in the middle of the files it infects
  – May move a section of the original code to the end of the file, or simply push
    the code aside to make space for its own code
  – File size increased, can be detected by integrity-checking software

• Cavity filler:
  – Seeks out unused space within the files it infects
  – Inserts its code into these gaps to avoid changing the size of the file
  – Does not alert integrity-checking software to its presence

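An added example, not part of the lecture: a minimal integrity checker in Python that shows why the slides on file viruses keep noting that a size change is detectable while a cavity filler or a companion file is not. It records size and a SHA-256 digest per file, so same-size modifications and newly appeared files are still reported. The file contents are constructed sample bytes standing in for real executables.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample "executables" (name -> bytes) standing in for files on
# disk so the example runs offline. Each one is a fake header, some code
# bytes and a run of zero padding, i.e. the kind of unused space a cavity
# filler looks for.
ORIGINAL: Dict[str, bytes] = {
    "editor.exe": b"MZ" + b"\x90" * 40 + b"\x00" * 64,   # 106 bytes
    "viewer.exe": b"MZ" + b"\xcc" * 32 + b"\x00" * 16,   # 50 bytes
    "notes.txt": b"meeting at ten",
}

# A later, also constructed, snapshot of the same directory, showing what an
# integrity checker sees after the infection styles the slides describe.
MODIFIED: Dict[str, bytes] = {
    # prepender/appender style: foreign bytes are added, so the size grows
    "editor.exe": b"XX" * 8 + ORIGINAL["editor.exe"],
    # cavity-filler style: the zero padding of viewer.exe is overwritten in
    # place, so the size is identical and a size-only check stays silent
    "viewer.exe": ORIGINAL["viewer.exe"][:34] + b"YY" * 8,
    "notes.txt": ORIGINAL["notes.txt"],
    # companion style: a new .COM file appears beside an existing .EXE of
    # the same name; no existing file changes at all
    "editor.com": b"ZZ" * 4,
}

Baseline = Dict[str, Tuple[int, str]]
Finding = Tuple[str, str, str]   # (file name, kind, detail)


def build_baseline(files: Dict[str, bytes]) -> Baseline:
    """Record size and SHA-256 of every file: the trusted snapshot an
    integrity checker is seeded with on a known-clean system."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}


def size_only_check(baseline: Baseline, current: Dict[str, bytes]) -> List[str]:
    """The weak check: report only files whose size changed. It catches
    prepender, appender and entry-point-obscuring growth but misses cavity
    fillers and companions entirely."""
    return sorted(name for name, data in current.items()
                  if name in baseline and len(data) != baseline[name][0])


def check_integrity(baseline: Baseline, current: Dict[str, bytes]) -> List[Finding]:
    """Compare a fresh snapshot against the baseline. Hashing catches
    same-size modifications, and tracking new files catches companions."""
    findings: List[Finding] = []
    for name in sorted(current):
        data = current[name]
        if name not in baseline:
            stem, _, ext = name.rpartition(".")
            # The OS prefers NAME.COM over NAME.EXE, so a new .COM next to a
            # baseline .EXE deserves a closer look than an ordinary new file.
            if ext.lower() == "com" and f"{stem}.exe" in baseline:
                findings.append((name, "companion", f"shadows {stem}.exe"))
            else:
                findings.append((name, "new", "not in baseline"))
            continue
        size, digest = baseline[name]
        if len(data) != size:
            findings.append((name, "size", f"{size} -> {len(data)} bytes"))
        elif hashlib.sha256(data).hexdigest() != digest:
            findings.append((name, "content", f"size unchanged ({size} bytes)"))
    for name in sorted(baseline):
        if name not in current:
            findings.append((name, "missing", "present in baseline"))
    return findings


if __name__ == "__main__":
    base = build_baseline(ORIGINAL)
    print("size-only check flags:", size_only_check(base, MODIFIED))
    for finding in check_integrity(base, MODIFIED):
        print("%-12s %-10s %s" % finding)
```
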
Macro viruses

• Relies on application programs that use documents with embedded
  macros, e.g. MS Word, MS Excel, etc
• Viral code is programmed as a macro and embedded in an infected
  document
• If an infected document is opened in the application program, the
  macro is executed
• The macro tries to locate other documents of that type and embeds
  copies of itself into the documents found

Script viruses

• Very similar to macro viruses
• Uses web applications and script languages, e.g. JavaScript
• Normally, scripts are embedded in HTML web pages to provide
  additional functionality, e.g. dynamic web pages, guest books, etc
• Script virus embeds itself into HTML page
• Most browsers execute embedded scripts automatically!
• If executed, it tries to spread or carries out its payload

How to protect against computer viruses

• Use anti-virus software with up-to-date signature database
• Install software patches immediately (OS and applications)
• Disable macros in applications unless you really need them
• Disable scripting in web browsers

Computer Worms

• Self-replicating computer program that secretly copies itself to other
  computers without permission or knowledge of the owner/user
  (infection)
• It uses a network to send copies of itself to other nodes (computers)
• It may do so without any user intervention but sometimes some
  user action is required (email worms)
• Unlike viruses, worms do not need to attach themselves to an
  existing program
• Worms always consume network bandwidth and might carry a
  payload, e.g. to install backdoors on infected machines

How to protect against computer worms

• Use a firewall
• Install software patches immediately (OS and applications)
• Do not open unexpected emails or run unknown email attachments

Trojan Horses (Trojans)

• Malicious software (malware) that appears to perform a desirable
  function but also performs undisclosed malicious functions
• Term is derived from the classical story of the Trojan Horse
• Always requires some user action to install
• Trojans usually install malware (payload) to
  – Gain unauthorised remote access (backdoors)
  – Destroy data
  – Download even more malware (spyware)
  – Disable security software
  – Start denial-of-service attacks

• Once the malware is installed, deleting the Trojan does not help!

How to protect against Trojans

• Do not install software from an unknown source
• Do not run attachments from unexpected emails
• Use anti-virus software with up-to-date signature database

Rootkits (1)

• Malicious program that hides malicious files or folders from normal
  sight
• Often used by malware to conceal its presence and activities
• The term rootkit applied originally to UNIX-based operating
  systems
• It is a collection of tools to enable a user to obtain root
  (administrator-level) access to a system and to conceal any changes
  they might make
• Such tools often included malicious versions of standard system
  monitoring programs which would hide the rootkit operators'
  activities
• More recently: malware using stealth techniques

Rootkits (2)

• Rootkits can operate at a number of levels
• Application level
  – replacing or adjusting the settings of system software to prevent the display of
    certain information

• Operating system level
  – hooking certain system functions
  – inserting modules or drivers into the operating system kernel

• Firmware level/virtualisation level
  – Firmware and/or virtual machines are active before the operating system starts
    and are thus even harder to detect while the system is running

Rootkits (3)

• Example: in 2005, Sony BMG caused a scandal by including a
  rootkit on music CDs, in an attempt to enforce DRM; it allowed
  anyone who knew about the rootkit to gain administrator rights on
  an infected machine
• Rootkit binaries are easy to detect using anti-virus software
• However, once they run they are hidden and hence very difficult to
  detect
• Might be detected using anti-spyware software
• Detection based on analysis of the behaviour of a system
• Rootkits are difficult to remove once detected!

Spyware/Adware

• Software that collects private information or monitors user
  behaviour secretly
• The term spyware essentially covers any software that gathers
  information and passes it to a third party without adequate
  permission from the owner of the data
• Examples
  – Keylogger: monitors the keys pressed and thus records any sensitive data, such
    as passwords, entered by the user
  – Password stealer: steals user data such as login IDs/passwords
  – Packet analyser (sniffer): intercepts and logs traffic passing over a digital
    network
  – Cookies: allow the identification of a computer/user, e.g. for tracking etc

• Adware: software package which automatically plays, displays, or
  downloads advertisements to a computer after the software is
  installed (privacy-invasive software)

Summary

• Host-based attacks are carried out using malicious code and
  software
  – Code: Backdoors and viruses
  – Software: Worms, trojans, rootkits, spyware, …

• The sophistication increases all the time, which has led to an arms race
  between the developers of malicious software and security software
• The baddies are usually one step ahead
• They are professionals, highly trained and educated
• Usually linked to organised crime