4. Backdoors (1)
• Sometimes referred to as Trapdoor
• Secret built-in method for (unauthorised) access to a system
– Universal standard password
– Secret admin account
• Usually smuggled in by a third party
– Programmer who wants to gain access to the system once it is put into operation
– Espionage
– Viruses and Trojans
– etc
Computer Security Management
Page 4
5. Backdoors (2)
• Can be inserted at any point in tool-chain
– Source code
– Compiler
– Executable
• Open source software less likely to contain a backdoor
• Symmetric Backdoor
– everybody who knows about the Backdoor can use it
• Asymmetric Backdoor
– can only be used by the attacker who plants it
– Based on asymmetric cryptography
6. Finding backdoors
• Code reviews
– Only possible if the code is available (Open Source)
– Similar to white box testing
– Example: backdoor in Linux kernel's source code
• Disassembling and analysing executables
– Can be done for programs and libraries
– Laborious and error prone
7. Computer viruses (1)
• Term was introduced in 1983 by Fred Cohen
• Self-replicating code (viral code) that secretly embeds itself into a host program without permission or knowledge of the owner/user (infection)
• If the infected program is executed, the virus is executed as well and tries to spread itself by infecting other programs
• Sometimes a virus modifies its own code before it infects other programs to avoid detection (no fixed signature, i.e. sequence of instructions)
– Polymorphic virus re-encrypts itself with each infection
– Metamorphic virus re-writes its own code with each infection
8. Computer viruses (2)
• Viruses usually carry a payload, i.e. serve another (criminal) purpose
– Installing malicious software on the computer
– Deleting data and/or programs
– Encryption of data (blackmailing!)
• Different infection methods
– Boot sectors
– Executable files
– Macros in documents
– Scripts on web pages
9. Boot sector viruses
• Oldest type of computer viruses
• Does not infect an executable but the boot sector of a floppy disk or the Master Boot Record (MBR) of a hard disk
• MBRs and boot sectors contain a Boot Loader program that is executed after the computer is switched on to load the operating system
– Boot virus embeds itself into the Boot Loader
– It is executed when the BIOS tries to run the Boot Loader
– It then tries to infect the MBRs of installed hard drives before it carries out a destructive action or before it loads the OS
• Today extinct
– Can easily be found by anti-virus software
– The virus is very limited in memory (444 Bytes!)
10. File viruses (1)
• Embeds itself into an executable program file
• Different infection methods
– Overwriting viruses
– Companion viruses
– Parasitic viruses
11. File viruses (2)
• Overwriting virus:
– Virus completely replaces the code of the infected program
– Easy to detect since the original program does not work anymore
– File size changed, can be detected by integrity-checking software
• Companion virus:
– Infects an .EXE file by creating a matching file with a .COM extension that contains the viral code and puts it into the same directory
– The OS gives preference to .COM files over .EXE files and hence the viral code is executed when the user starts the program
– It then carries out the spread routine before executing the original .EXE file
– Size of original file is not changed
12. File viruses (3)
• Parasitic viruses modify the code of the infected file
• The infected file remains partially or fully functional
• Different types:
– Prepender
– Appender
– Entry Point Obscuring (inserting)
– Cavity filler
• Stealth virus:
– Tries to hide its existence
– Example: parasitic virus that intercepts system calls that return the size of a file to fool integrity-checking software
13. File viruses (4)
• Prepender virus:
– Places its code at the beginning of the file it infects
– Viral code is executed first when the infected file is executed
– File size increased, can be detected by integrity-checking software
• Appender virus:
– Places its code at the end of the file it infects
– Adjusts the file's entry point so that its code is executed before that of the original file
– File size increased, can be detected by integrity-checking software
14. File viruses (5)
• Entry Point Obscuring:
– Places its code in the middle of the files it infects
– May move a section of the original code to the end of the file, or simply push the code aside to make space for its own code
– File size increased, can be detected by integrity-checking software
• Cavity filler:
– Virus which seeks out unused space within the files it infects
– Inserts its code into these gaps to avoid changing the size of the file
– Hence does not alert integrity-checking software to its presence
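An integrity check of the kind the file-virus slides keep referring to, as an added example that is not part of the lecture: it records a size and SHA-256 baseline for a directory and classifies later differences into the infection types above (size change for prepender/appender/EPO, same size but different hash for a cavity filler, a new .COM beside an existing .EXE for a companion virus). The sample files and the simulated infections in `demo()` are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def snapshot(directory):
    """Map every regular file in directory to (size, sha256 hex digest)."""
    baseline = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                data = fh.read()
            baseline[name] = (len(data), hashlib.sha256(data).hexdigest())
    return baseline

def compare(baseline, current):
    """Classify differences between two snapshots as sorted (name, verdict) pairs."""
    lower_names = {n.lower() for n in baseline}
    findings = []
    for name, (size, digest) in current.items():
        if name not in baseline:
            stem, ext = os.path.splitext(name.lower())
            if ext == ".com" and stem + ".exe" in lower_names:
                findings.append((name, "new .COM beside .EXE: companion virus suspect"))
            else:
                findings.append((name, "new file"))
        elif size != baseline[name][0]:
            # prepender, appender and entry point obscuring all grow the file
            findings.append((name, "size changed: prepender/appender/EPO suspect"))
        elif digest != baseline[name][1]:
            # a cavity filler keeps the size, so only the hash gives it away
            findings.append((name, "same size, content changed: cavity filler suspect"))
    findings += [(n, "missing") for n in baseline if n not in current]
    return sorted(findings)

def demo():
    """Constructed sample: two clean 'programs', then three simulated infections."""
    with tempfile.TemporaryDirectory() as d:
        def write(name, data):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        write("EDIT.EXE", b"MZ" + b"\x90" * 62 + b"\x00" * 64)  # 64-byte zero gap at the end
        write("CALC.EXE", b"MZ" + b"\x90" * 126)
        base = snapshot(d)
        write("EDIT.EXE", b"MZ" + b"\x90" * 62 + b"\x01" * 64)  # gap overwritten, size kept
        write("CALC.EXE", b"\x01\x01" + b"MZ" + b"\x90" * 126)   # bytes prepended, size grew
        write("CALC.COM", b"\x01")                                # companion file appeared
        return compare(base, snapshot(d))
```

A stealth virus that hooks the size and read calls (previous slide) would defeat this check from inside the running system, which is why baselines are best verified from a clean boot medium.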
15. Macro viruses
• Relies on application programs that use documents with embedded macros, e.g. MS Word, MS Excel, etc
• Viral code is programmed as a macro and embedded in an infected document
• If an infected document is opened in the application program, the macro is executed
• The macro tries to locate other documents of that type and embeds copies of itself into the documents found
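A triage check for the macro carrier this slide describes, as an added example that is not from the lecture: modern Office files are ZIP containers and VBA macros are stored in a part named vbaProject.bin, so a defender can tell whether a document carries macro code before anyone opens it. The sample documents are constructed in memory for the demonstration.

```python
import io
import zipfile

MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "pptm", "potm"}

def find_vba_parts(data: bytes):
    """Return the names of VBA macro parts inside an OOXML (ZIP-based) document.
    An empty list means no macros; None means the bytes are not a ZIP container
    (e.g. a legacy OLE2 .doc/.xls, which needs a different parser)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
    except zipfile.BadZipFile:
        return None

def macro_verdict(filename: str, data: bytes) -> str:
    """Combine the file extension with the container contents into one triage line."""
    parts = find_vba_parts(data)
    if parts is None:
        return "not an OOXML container"
    if not parts:
        return "no VBA project found"
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext in MACRO_EXTENSIONS:
        tag = "extension declares macros"
    else:
        tag = "extension does not declare macros"  # worth a closer look
    return f"VBA macros present ({tag}): {', '.join(parts)}"

def make_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like Word document for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()
```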
16. Script viruses
• Very similar to macro viruses
• Uses web applications and script languages, e.g. JavaScript
• Normally, scripts are embedded in HTML web pages to provide additional functionality, e.g. dynamic web pages, guest books, etc
• Script virus embeds itself into HTML page
• Most browsers execute embedded scripts automatically!
• If executed, it tries to spread or carries out its payload
17. How to protect against computer viruses
• Use anti-virus software with up-to-date signature database
• Install software patches immediately (OS and applications)
• Disable macros in applications unless you really need them
• Disable scripting in web browsers
18. Computer Worms
• Self-replicating computer program that secretly copies itself to other computers without permission or knowledge of the owner/user (infection)
• It uses a network to send copies of itself to other nodes (computers)
• It may do so without any user intervention but sometimes some user action is required (email worms)
• Unlike viruses, worms do not need to attach themselves to an existing program
• Worms always consume network bandwidth and might carry a payload, e.g. to install backdoors on infected machines
19. How to protect against computer worms
• Use a firewall
• Install software patches immediately (OS and applications)
• Do not open unexpected emails or run unknown email attachments
20. Trojan Horses (Trojans)
• Malicious software (malware) that appears to perform a desirable function but also performs undisclosed malicious functions
• Term is derived from the classical story of the Trojan Horse
• Always requires some user action to install
• Trojans usually install malware (payload) to
– Gain unauthorised remote access (backdoors)
– Destroy data
– Download even more malware (spyware)
– Disable security software
– Start denial-of-service attacks
• Once the malware is installed, deleting the Trojan does not help!
21. How to protect against Trojans
• Do not install software from an unknown source
• Do not run attachments from unexpected emails
• Use anti-virus software with up-to-date signature database
22. Rootkits (1)
• Malicious program that hides malicious files or folders from normal sight
• Often used by malware to conceal its presence and activities
• The term rootkit applied originally to UNIX-based operating systems
• It is a collection of tools to enable a user to obtain root (administrator-level) access to a system and to conceal any changes they might make
• Such tools often included malicious versions of standard system monitoring programs which would hide the rootkit operators' activities
• More recently: malware using stealth techniques
23. Rootkits (2)
• Rootkits can operate at a number of levels
• Application level
– replacing or adjusting the settings of system software to prevent the display of certain information
• Operating system level
– hooking certain system functions
– inserting modules or drivers into the operating system kernel
• Firmware level/virtualisation level
– firmware and/or virtual machines are activated before the operating system and are thus even harder to detect while the system is running
24. Rootkits (3)
• Example: in 2005, Sony BMG caused a scandal by including a rootkit on music CDs, in an attempt to enforce DRM; it allowed anyone who knew about the rootkit to gain administrator rights on an infected machine
• Rootkit binaries are easy to detect using anti-virus software
• However, once they run they are hidden and hence very difficult to detect
• Might be detected using anti-spyware software
• Detection based on analysis of the behaviour of a system
• Rootkits are difficult to remove once detected!
25. Spyware/Adware
• Software that collects private information or monitors user behaviour secretly
• The term spyware essentially covers any software that gathers information and passes it to a third party without adequate permission from the owner of the data
• Examples
– Keylogger: monitors the keys pressed and thus records any sensitive data, such as passwords, entered by the user
– Password stealer: steals user data such as login IDs/passwords
– Packet analyser (sniffer): intercepts and logs traffic passing over a digital network
– Cookies: allows the identification of a computer/user, e.g. for tracking etc
• Adware: software package which automatically plays, displays, or downloads advertisements to a computer after the software is installed (privacy-invasive software)
26. Summary
• Host-based attacks are carried out using malicious code and software
– Code: Backdoors and viruses
– Software: Worms, trojans, rootkits, spyware, …
• The sophistication increases all the time, which has led to an arms race between the developers of malicious software and security software
• The baddies are usually one step ahead
• They are professionals, highly trained and educated
• Usually linked to organised crime