Unit 6: Malicious programs and
Protection LH 4
• Computer Viruses and Worms.
• Rabbits and Bacteria.
• Defenses (sandboxing, information flow metrics, reducing the rights,
malicious logic altering files, proof-carrying code and the notion of trust).
• Antivirus and features.
Malicious Code/Malware
• Malicious logic is a set of instructions that cause a site’s security
policy to be violated.
• Malicious software, commonly known as malware, is any software
that brings harm to a computer system.
• Malware can take the form of worms, viruses, Trojans, spyware,
adware, rootkits, etc., which steal protected data, delete
documents or add software not approved by the user.
• Malware is software designed to cause harm to a computer and user.
Viruses
• A computer virus is a piece of software that can “infect” other
programs by modifying them.
• A computer virus is designed to spread from host to host and has
the ability to replicate itself. A computer virus cannot reproduce
and spread without a host such as a program file or a document.
• Then, whenever the infected computer comes into contact with an
uninfected piece of software, a fresh copy of the virus passes into
the new program.
• The infection can be spread from computer to computer by
unsuspecting users who either swap disks or send programs to one
another over a network.
• A virus can do anything that other programs do, subject to the
privileges of the current user.
• The difference is that a virus attaches itself to another program and
executes secretly when the host program is run.
During its lifetime, a typical virus goes through the following four
phases:
• Dormant phase: Viruses typically don’t self-replicate or cause harm
upon infection. Rather, they remain idle. The first phase in a virus’s
infection cycle is the dormant phase. The virus won’t self-replicate,
nor will it delete, capture or modify data on the infected computer.
• Propagation phase: The virus places a copy of itself into other
programs or into certain areas on the disk. The copy may not be
identical to the propagating version. Each infected program will now
contain a clone of the virus, which will itself enter a propagation
phase.
• The propagation phase may include a process known as morphing.
Morphing means that the virus doesn’t create an exact copy of itself
when self-replicating. Rather, the virus changes its code. Morphing
is designed to make viruses harder to detect.
• Triggering phase: The trigger phase involves activation. Viruses
aren’t considered active until they enter the trigger phase. Upon
entering the trigger phase, viruses initiate their malicious
activities.
• Viruses can be programmed to activate in response to different
triggers (event and time).
• Execution phase: The execution phase involves the release of a
payload. Every virus has a payload: the malicious code that’s
designed to harm or otherwise negatively affect the targeted
computer. Some payloads delete data; others cause unwanted
pop-ups or advertisements.
• Most viruses carry out their work in a manner that
is specific to a particular operating system and, in
some cases, specific to a particular hardware
platform.
• Thus, they are designed to take advantage of the
details and weaknesses of particular systems.
Worms
• Unlike viruses, worms don't require the activation of a host
file.
• Once a worm has entered a system, it can run, self-replicate and
propagate without a triggering event.
• A worm makes multiple copies of itself which then spread across
the network or through an internet connection.
• These copies will infect any inadequately protected computers and
servers that connect via the network or internet to the originally
infected device.
• Because each subsequent copy of a worm repeats this process of
self-replication, execution and propagation, worm-based infections
spread rapidly across computer networks and the internet at large.
• Usually, a worm is more dangerous than a virus, because it can
spread more quickly. For example, a worm could infect all of your
email contacts. It could then spread to all of your contacts’ contacts,
and then your contacts’ contacts’ contacts, and so on, creating
exponential growth with extraordinary potential for damage.
How Worms or Viruses Spread:
• Electronic mail facility: A worm/virus mails a copy of itself to other
systems, so that its code is run when the e-mail or an attachment is
received or viewed.
• Remote execution capability: A worm/virus executes a copy of itself
on another system, either using an explicit remote execution facility
or by exploiting a program flaw in a network service to subvert its
operations.
• Remote login capability: A worm logs onto a remote system as a
user and then uses commands to copy itself from one system to the
other, where it then executes.
• The new copy of the worm program is then run on the remote
system where, in addition to any functions that it performs at that
system, it continues to spread in the same fashion.
• A network worm exhibits the same characteristics as a computer
virus: a dormant phase, a propagation phase, a triggering phase,
and an execution phase.
Differences between a virus and a worm:
1. Virus: malicious executable code attached to another executable file,
   which can be harmless or can modify or delete data.
   Worm: a form of malware that replicates itself and can spread to
   different computers via a network.
2. Virus: the main objective is to modify information.
   Worm: the main objective is to consume system resources.
3. Virus: requires a host for spreading.
   Worm: does not need a host to replicate from one computer to another.
4. Virus: cannot be controlled remotely.
   Worm: can be controlled remotely.
5. Virus: needs human action to replicate.
   Worm: does not need human action to replicate.
6. Virus: its spreading speed is slower in comparison.
   Worm: its spreading speed is faster.
Rabbits and Bacteria
• Some malicious logic multiplies so rapidly that resources become
exhausted. This creates a denial of service attack.
• A bacterium or a rabbit is a program that absorbs all of some class of
resource.
• Resources of a specific class, such as file descriptors or process
table entry slots, may not affect currently running processes. They
will affect new processes.
• Viruses not carrying a logic bomb, often referred to by experts
as “bacteria” or “rabbits,” are not significantly destructive.
• Bacteria, or rabbit programs, make copies of themselves to
overwhelm a computer system's resources.
• Bacteria do not explicitly damage any files. Their sole purpose is
to replicate themselves.
• Bacteria reproduce exponentially, eventually taking up all the
processor capacity, memory, or disk space, denying the user access
to those resources.
Defenses
• Defending against malicious logic takes advantage of several
different characteristics of malicious logic to detect, or to block, its
execution.
• The defenses hamper the suspect behavior.
• They may allow malicious logic that does not expose the given
characteristic to proceed, and they may prevent programs that are
not malicious but do affect the given characteristic from proceeding.
Sandboxing
• A sandbox, in computer security, is a security mechanism in which a
separate, restricted environment is created and in which certain
functions are prohibited. A sandbox is often used when untested
code or untrusted programs from third-party sources are being run.
• Programs are run in their own isolated area, where they can be
worked on without posing any threat to other programs.
• Sandboxes can look like a regular operating environment.
• Virtual machines are often used for what are referred to as runtime
sandboxes.
Information Flow Metrics
• This approach limits the distance a virus can spread.
• Define the flow distance metric fd(x) for some information
x as follows:
• Initially, all information has fd(x) = 0. Whenever x is
shared, fd(x) increases by 1. Whenever x is used as input
to a computation, the flow distance of the output is the
maximum of the flow distance of the input.
• Information is accessible only while its flow distance
is less than some particular value.
• The limitation of this approach is that it disallows sharing.
• It defeats the purpose of multi-user systems.
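A worked model of the flow distance metric defined above, added here as an illustration; it is not code from the lecture. It assumes an access threshold FD_LIMIT of 2 and uses constructed user and file names. It tracks fd(x) through two shares and one computation and shows where the access rule stops further spread, and, as the lecture notes, that it also stops legitimate sharing.

```python
from dataclasses import dataclass

# Assumed threshold: information is accessible only while fd(x) < FD_LIMIT.
FD_LIMIT = 2


@dataclass(frozen=True)
class Info:
    """A piece of information (a file, a program) tagged with its flow distance."""
    name: str
    fd: int = 0  # every piece of information starts with fd(x) = 0


def accessible(x: Info) -> bool:
    """Access rule from the lecture: usable only while the flow distance is below the limit."""
    return x.fd < FD_LIMIT


def share(x: Info, recipient: str) -> Info:
    """Sharing x with another user raises its flow distance by 1."""
    if not accessible(x):
        raise PermissionError(f"{x.name}: fd={x.fd} is not below the limit {FD_LIMIT}")
    return Info(f"{x.name}@{recipient}", x.fd + 1)


def compute(output_name: str, *inputs: Info) -> Info:
    """The output of a computation takes the maximum flow distance of its inputs."""
    for i in inputs:
        if not accessible(i):
            raise PermissionError(f"{i.name}: fd={i.fd} is not below the limit {FD_LIMIT}")
    return Info(output_name, max((i.fd for i in inputs), default=0))


def spread_scenario() -> dict:
    """Constructed scenario: a (possibly infected) editor passes through three users."""
    editor = Info("editor")                      # alice's program, fd = 0
    bob_copy = share(editor, "bob")              # alice -> bob: fd = 1
    bob_tool = compute("bob_tool", bob_copy, Info("bob_source"))  # fd = max(1, 0) = 1
    carol_copy = share(bob_tool, "carol")        # bob -> carol: fd = 2
    try:
        share(carol_copy, "dave")                # carol -> dave: refused, fd would exceed the limit
        dave_blocked = False
    except PermissionError:
        dave_blocked = True
    return {
        "editor": editor.fd,
        "bob_copy": bob_copy.fd,
        "bob_tool": bob_tool.fd,
        "carol_copy": carol_copy.fd,
        "carol_can_use": accessible(carol_copy),
        "dave_blocked": dave_blocked,
    }


if __name__ == "__main__":
    print(spread_scenario())
```

Carol's copy reaches fd = 2 and is no longer accessible, so an infection riding on the editor cannot travel further; the same rule blocks Carol from using or passing on a perfectly clean program, which is the limitation the lecture points out.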
Reducing the rights
• The user can reduce the associated protection domain when running a
suspect program.
• This follows from the principle of least privilege.
• Although effective, this approach begs the question of how to determine
which entries should be in the authorization denial subsets.
• When the subsystem is invoked, it checks that the access is allowed.
• If not, it either denies the access or asks the user whether to permit the
access.
• This technique does not protect the files named on the command line; instead,
it prevents files not named on the command line from being accessed.
Malicious Logic Altering Files
• Manipulation Detection Codes (MDC) are defined
as a class of checksum algorithms which can
detect both accidental and malicious
modifications of an electronic message or
document.
• Mechanisms using manipulation detection codes (or MDCs) apply
some function to a file to obtain a set of bits called the signature
block and then protect that block.
• If, after re-computing the signature block, the result differs from the
stored signature block, the file has changed, possibly as a result of
malicious logic altering the file.
• This mechanism relies on selection of good cryptographic
checksums.
• An assumption is that the signed file does not contain malicious
logic before it is signed.
• All integrity-based schemes rely on software that if infected may fail
to report tampering.
• Performance will be affected because encrypting the file or
computing the signature block may take a significant amount of
time.
• The encrypting key must also be secret because if it is not, then
malicious logic can easily alter a signed file without the change
being detected.
Proof-carrying code (PCC)
• Necula has proposed a technique (PCC) that combines specification
and integrity checking.
• It is a technique that allows a code receiver (user) to verify that the
code has a desired safety property.
How It works
• The “code producer” (author) generates a proof that the code meets
the desired safety property and integrates that proof with the
executable code.
• The code and its proof are delivered in binary form over the network or
by other means to the end user.
• The consumer then validates the safety proof and, if it is correct, can
execute the code knowing that it meets that policy.
• The key idea is that the proof consists of elements drawn from the
native code.
• If the native code is changed in a way that violates the safety policy,
the proof is invalidated and will be rejected.
Notion of Trust
• The effectiveness of any security mechanism depends on the security of
the underlying base on which the mechanism is implemented and the
correctness of the implementation.
• If the trust in the base or in the implementation is misplaced, the
mechanism will not be secure.
• Trust is the belief in the competence of a machine or sensor to act
dependably, securely and reliably within a specified context.
• Research dealing with malicious logic assumes that the interface,
software, and/or hardware used to implement the proposed scheme will
perform exactly as desired, meaning that the trust is in the underlying
computing base, the implementation, and (if done) the verification.
• This reflects a “trust but verify” stance, whereas most of today's security
models focus on “zero trust”, i.e. “never trust, always verify”.
Antivirus and Features
• Antivirus is a kind of software used to prevent, scan, detect and
delete viruses from a computer. Once installed, most antivirus
software runs automatically in the background to provide real-time
protection against virus attacks.
• It is better to protect the system from the threat of viruses in advance,
which is what antivirus software is for. Using antivirus reduces the
number of successful attacks but cannot eliminate them.
How Antivirus Works
• Antivirus programs have their own database of patterns that viruses use.
When scanning each file, if a file matches any of these patterns, the
antivirus blocks the file or deletes it.
• Antivirus always works in three steps:
• Detection
• Identification
• Removal
• These antivirus programs follow different detection techniques, and the two
major ones are:
– Heuristics-Based Detection
Heuristics-based detection addresses how antivirus programs detect and
identify a virus: the method examines the code of the file and looks for
any malicious or suspicious properties. This is a more advanced type of
detection technology that spots viruses in real time; files with modified
threat patterns are recognized using this detection type.
– Behavioral Detection
As its name implies, the method looks for suspicious behavior of a file.
If a file is found to be changing the host files or releasing any
malicious code, then the antivirus blocks it right away.
• Identification: Once detection has been
achieved, identify the specific virus that has
infected a program.
• Removal: Once the specific virus has been
identified, remove all traces of the virus from the
infected program and restore it to its original
state.
• Remove the virus from all infected systems so
that the virus cannot spread further.
• If detection succeeds but either identification or
removal is not possible, then the alternative is to
discard the infected file and reload a clean
• Advances in virus and antivirus technology go hand in hand. As viruses
have advanced, antivirus software has also evolved, and it is categorized
into four generations.
First generation: simple scanners
• A first-generation scanner requires a virus
signature to identify a virus.
• The virus may contain “wildcards” but has
essentially the same structure and bit pattern in
all copies.
• Such signature-specific scanners are limited to
the detection of known viruses.
• Another type of first-generation scanner
maintains a record of the length of programs and
looks for changes in length.
• A second-generation scanner does not rely on a specific signature.
Rather, the scanner uses heuristic rules to search for probable virus
infection. One class of such scanners looks for fragments of code that
are often associated with viruses.
• For example, a scanner may look for the beginning of an encryption
loop used in a polymorphic virus and discover the encryption key.
• Once the key is discovered, the scanner can decrypt the virus to
identify it, then remove the infection and return the program to
service.
• Another second-generation approach is integrity checking. A
checksum can be appended to each program. If a virus infects the
program without changing the checksum, then an integrity check will
catch the change.
• Third-generation programs are memory-resident programs that
identify a virus by its actions rather than its structure in an infected
program.
• Such programs have the advantage that it is not necessary to develop
signatures and heuristics for a wide array of viruses.
• Rather, it is necessary only to identify the small set of actions that
indicate an infection is being attempted and then to intervene.
• Fourth-generation products are packages consisting of a variety of
antivirus techniques used in conjunction.
• These include scanning and activity trap components.
• In addition, such a package includes access control capability, which
limits the ability of viruses to penetrate a system and then limits the
ability of a virus to update files in order to pass on the infection.
• With fourth-generation packages, a more comprehensive defense
strategy is employed, broadening the scope of defense to more
general-purpose computer security measures.
Features of Antivirus
• Virus Detection And Removal
• A good security program should be able to detect all types of
security threats such as viruses, spyware and other types of malware
in compressed or uncompressed form. This is an important point to
keep in mind when shopping for an antivirus program.
• It should be able to detect viruses but also remove them from your
device.
Firewall:
• After all threats have been removed from a device, a powerful firewall
helps ensure its continued safety by keeping incoming threats away.
User-Friendliness
• The security product should be simple and user-friendly enough
for anyone who uses it. In simple words, it should be easily
understandable, even when it’s running a complicated program
in the background. Also, it should not slow down your
system significantly.
Scheduled scans
• Any antivirus solution can be put to use upon request, but some
of them can be adjusted to run a scheduled scan at a convenient
time for you, for example, once a day at midnight. On top of
that, good antivirus software can quarantine malicious files
instantly, without requesting your confirmation.
Data encryption
• You can use antivirus software to encrypt your hard disk or
separate files so that hackers can’t get access to them in case
your computer is stolen. Chances of decrypting the files locked
this way are basically non-existent.
Traffic encryption
• Traffic encryption safeguards your sensitive information whenever
you connect to public networks. With this feature, all outgoing traffic
will be encrypted, which leaves cybercriminals no chance to
intercept and steal your passwords, personal or financial
information.
Malicious sites access
• Antivirus software should rely on an internal database of potentially
malicious websites to warn the user about the danger and even go
as far as blocking access to a specific website.
Email protection
• Many antiviruses are capable of filtering spam in your email box. To
do this, they turn to the database of unreliable domains and use
algorithms for capturing spam. However, this feature may not be a
good fit if you have a high volume of incoming emails because
there’s a small chance an important message can be filtered out.
• Backup: During bad times, especially when your computer is under
attack, it is better to run the backup without taking any chances. Any
good antivirus program will sport this feature by default and will
help you in restoring that backup when all the issues have settled
down.
Social media Protection:
• Reckless use of social media provides an
advantageous platform for hackers to implant
viruses and malware on computers. The
intentions of hackers may vary, but they never do
any good to the computer user.
• Good antivirus software will send alerts to the
user when a Facebook phishing scam or a malicious
Twitter link has been detected.