Malicious Software

Malicious code, also known as malware, refers to software or code intended to harm computer systems or steal information. It includes viruses, worms, Trojan horses, and other types of attacks. Viruses can replicate by attaching to other programs or infecting boot sectors and files. Specific types include file infectors, boot sector viruses, multipartite viruses, stealth viruses, and polymorphic viruses, which change their code to avoid detection. Macro viruses infect documents and spread automatically. The Melissa virus was a widespread macro virus in 1999 that spread via email.

Uploaded by Narender Kumar

Malicious Software

Definition of Malicious Code

• Malicious code is the term used to describe any code in any part of a software system or script that is intended to cause undesired effects, security breaches or damage to a system.
• Malicious code is a security threat that cannot be efficiently controlled by conventional antivirus software alone.
• Malicious code describes a broad category of system security terms that includes attack scripts, viruses, worms, Trojan horses, backdoors and malicious active content.
• Malicious code can take the form of:
  ◦ Java Applets
  ◦ ActiveX Controls
  ◦ Scripting languages
  ◦ Browser plug-ins
Malicious Software Attacks

• Software that fulfills the deliberately harmful intent of an attacker when run is called malicious code. For example, viruses, worms, and Trojan horses are malicious code.
• Any program (including macros and scripts) that is deliberately coded to cause an unexpected or unwanted event on a user's PC or network comes under the definition of malicious code.
• Malware (malicious software) also targets text files, such as batch files and PostScript files, and source code that contains commands which another program executes when run.
• In a malicious software attack, an attacker inserts malicious code into a user's system to disrupt or disable the operating system or any other application and to destroy the important information stored on it.
Computer Viruses

• Computer viruses are software programs that are deliberately designed to interfere with computer operation and to record, corrupt, or delete data, or to spread themselves to other computers in the network or throughout the Internet. Viruses often slow down the CPU and disk speeds and cause other problems in the process.
• According to their replication strategy, viruses are of two types:
  ◦ Non-resident viruses
  ◦ Resident viruses

Computer Viruses

• Non-resident viruses: after they reach the host they immediately start searching for other hosts that could be infected; once found, they infect these targets and finally transfer control to the application program which they infected.
• They mostly consist of a finder module and a replication module.
• The finder module is responsible for finding new files to infect.
• As soon as the finder module encounters a new executable file, it calls the replication module to infect the file.

Computer Viruses

• Resident viruses: similar to non-resident viruses, they contain a replication module; however, this module is not called by a finder module.
• In the case of a resident virus, once execution starts it loads the replication module into memory and transfers control to the host program.
• The virus keeps running in the background and silently infects new hosts when those files are accessed by other programs or operating systems in the network.

Computer Viruses

• A traditional virus attaches itself to other useful programs, and each time that program runs, the virus also runs and reproduces itself or makes changes which damage the system.
• There are mainly six types of viruses:
  ◦ File infectors
  ◦ Boot sector viruses
  ◦ Multipartite viruses
  ◦ Stealth viruses
  ◦ Polymorphic viruses
  ◦ Macro viruses
File infectors

• File infectors, also called parasitic viruses, are the most common and the most discussed; they attach themselves to executable files.
• Such a virus typically resides in memory and waits there for the user to run another program, using that event as a trigger to infect that program as well.
• Thus they replicate simply through active use of the computer.
• There are many different types of file infectors, but the concept is similar in all of them.

Boot Sector viruses

• Boot sector viruses, or boot infectors, reside in specific areas of the PC's hard disk that are read and executed by the computer at boot time.
• Mainly, boot sector viruses infect only the DOS (Disk Operating System) boot sector, but there is a subtype called the MBR virus which infects the master boot record.
• Because both of these areas of the hard disk are read during the boot process, the virus uses this opportunity to get loaded into memory.
Boot Sector viruses

Figure: layout of the boot sector before and after infection.
  Before infection: Bootstrap loader | System Initialization
  After infection:  Virus Code | System Initialization | Bootstrap loader
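As an added illustration of the figure above (example code, not part of the original slides): a defender can detect that the bootstrap loader region has been replaced by hashing the 446-byte code area of the MBR and comparing it with a baseline recorded from a known-good disk, while also confirming the 55 AA signature and decoding the partition table. The sample sectors, partition entry and loader bytes below are constructed placeholders, not real loader or virus code.

```python
"""Boot-sector integrity check: compare the 446-byte bootstrap code of an MBR
against a baseline hash, as a defender would to spot a boot sector infector.
Added example with constructed sample sectors; the bytes are placeholders."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # classic MBR: 446 bytes of bootstrap code,
PART_TABLE_OFF = 446           # then four 16-byte partition entries,
BOOT_SIGNATURE = b"\x55\xaa"   # then the 55 AA signature at bytes 510-511


def build_sector(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from bootstrap code and (status, type, lba, count) tuples."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("bootstrap code too long or too many partitions")
    sector = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00"))
    for status, ptype, lba, count in partitions:
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4), little-endian
        sector += struct.pack("<B3xB3xII", status, ptype, lba, count)
    sector += b"\x00" * (16 * (4 - len(partitions)))  # unused entries are all zero
    return bytes(sector + BOOT_SIGNATURE)


def parse_partition_table(sector: bytes):
    """Decode the four partition entries; type 0 marks an empty slot."""
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype:
            entries.append({"status": status, "type": ptype,
                            "lba_start": lba, "sectors": count})
    return entries


def check_boot_sector(sector: bytes, baseline_sha256: str) -> dict:
    """Hash the bootstrap code region and report whether it still matches the baseline."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    parts = parse_partition_table(sector)
    return {
        "signature_ok": sector[510:] == BOOT_SIGNATURE,
        "boot_code_sha256": digest,
        "boot_code_ok": digest == baseline_sha256,
        "partitions": parts,
        "bootable": [p for p in parts if p["status"] == 0x80],
    }


def audit(sector: bytes, baseline_sha256: str) -> str:
    """One-line verdict a scanner would log for the sector."""
    r = check_boot_sector(sector, baseline_sha256)
    if not r["signature_ok"]:
        return "INVALID: missing 55 AA boot signature"
    if not r["boot_code_ok"]:
        return "ALERT: bootstrap code differs from baseline"
    return "OK: bootstrap code matches baseline"


# Constructed samples. CLEAN_CODE stands in for the original bootstrap loader;
# BASELINE is the hash you would record from a known-good disk.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 8)
PARTS = [(0x80, 0x07, 2048, 1_000_000)]   # one bootable partition starting at LBA 2048
CLEAN_SECTOR = build_sector(CLEAN_CODE, PARTS)
BASELINE = hashlib.sha256(CLEAN_CODE).hexdigest()

# "After infection" as in the figure: the loader region no longer starts with the
# original code, while the partition table and signature are untouched, so only
# a hash of the code region reveals the change.
MODIFIED_CODE = b"\xeb\x3e" + CLEAN_CODE[2:]
MODIFIED_SECTOR = build_sector(MODIFIED_CODE, PARTS)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_SECTOR), ("modified", MODIFIED_SECTOR)):
        print(f"{name}: {audit(sector, BASELINE)}")
```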
Multipartite viruses

• Multipartite viruses: they are a combination of file infectors and boot sector viruses.
• These viruses come into the system through infected media (mostly floppies) and reside in memory.
• They then move to the boot sector of the hard drive, infect executable files stored on the hard drive from there, and spread across the filesystem.

Stealth viruses

• A stealth virus is a virus that uses various hiding mechanisms to avoid detection by antivirus software.
• Sometimes stealth viruses are also described as viruses that escape notice without being specifically designed to do so:
  ◦ either because the virus is new,
  ◦ or because the user hasn't updated their antivirus software.
• Stealth viruses are not new: the first known virus for PCs, Brain, which was reportedly created by software developers as an anti-piracy measure, was a stealth virus that infected the boot sector of the storage device.
Polymorphic viruses

• Polymorphic viruses are complex file infectors that change their physical form after every infection while still retaining the same basic routines.
• Typically, during each infection they encrypt their code to alter their physical structure, changing the encryption key every time.
• This capability to change their physical structure allows polymorphic viruses to cheat antivirus scanners, and can force antivirus products to use complex patterns and new scan engines every time a new polymorphic virus is released.

Polymorphic viruses

• Today one of the most sophisticated forms of polymorphism is the Mutation Engine (MtE), which comes in the form of an object module.
• Any virus can be made polymorphic by using the Mutation Engine, which adds certain calls to its assembler source code and links to the mutation-engine and random-number generator modules.
• The advent of polymorphic viruses has made virus scanning an increasingly difficult and expensive task for antivirus developers.
• Adding more and more search strings to simple scanners does not solve the problem of virus detection.
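An added example, not from the slides, of why adding search strings fails and what scanners do instead: two "generations" of the same body are stored under different one-byte XOR keys (a deliberate simplification standing in for a polymorphic decryptor; the body, signature and key layout are constructed and nothing here models MtE), a plain string scanner misses both, and a scanner that strips the encryption layer by trying every key (often called X-raying) finds both.

```python
"""Why string signatures fail against polymorphic code, and what a scanner does
instead. Added example: a deliberately simplified model (a stored key byte plus a
one-byte XOR of the body) stands in for a real decryptor; nothing here is MtE."""
from typing import Optional

# Constructed stand-in for the invariant virus body (real bodies are machine code).
BODY = b"FIND:next-host;APPEND:self-to-file;RESTORE:entry-point"
SIGNATURE = b"APPEND:self"     # the search string a simple scanner would carry


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def generation(key: int, body: bytes = BODY) -> bytes:
    """Model of one infection: the same body, stored under a fresh key.
    Layout of the sample: [key byte][body XOR key]."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")   # key 0 leaves body in clear
    return bytes([key]) + xor_bytes(body, key)


def string_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Simple scanner: search the sample for the literal signature bytes."""
    return signature in sample


def common_run(a: bytes, b: bytes) -> int:
    """Longest run of identical bytes at the same offset in two samples: the raw
    material a byte-string signature would have to be cut from."""
    best = run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        best = max(best, run)
    return best


def xray_scan(sample: bytes, signature: bytes = SIGNATURE) -> Optional[int]:
    """Scanner that undoes the encryption layer ("X-raying"): try every one-byte
    key on the encoded part and look for the signature in the result.
    Returns the key that exposed the signature, or None."""
    encoded = sample[1:]
    for key in range(1, 256):
        if signature in xor_bytes(encoded, key):
            return key
    return None


def compare_scanners(keys=(0x3C, 0xA7)) -> dict:
    """Run both scanners over generations produced with the given keys."""
    samples = [generation(k) for k in keys]
    return {
        "string_scan_hits": sum(string_scan(s) for s in samples),
        "xray_hits": sum(xray_scan(s) is not None for s in samples),
        "longest_common_run": common_run(samples[0], samples[1]),
    }


if __name__ == "__main__":
    # Expected: the string scanner finds neither generation, X-raying finds both,
    # and the two generations share no identical byte at any offset.
    print(compare_scanners())
```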
Macro viruses

• Macro viruses: a macro virus "infects" Microsoft Word or a similar spreadsheet application and causes a sequence of actions to be performed automatically when the application is started or some event triggers it.
• Macro viruses tend to be relatively harmless in comparison to others. Typically they might try to insert some comic text at certain points in a document while a line is being written.
• Macro viruses are platform independent and so can easily spread on any platform, such as Microsoft or Macintosh, or any other operating system.
Melissa Macro Virus

• Melissa was first found on March 26, 1999. It propagated infected e-mails into Internet mail systems, which clogged them and caused them to shut down. Originally Melissa was not designed for harm, but it overflowed the servers and caused many unplanned problems.
• Melissa can spread on word processors like Microsoft Word 97 and Word 2000. It can mass-mail itself from the e-mail client Microsoft Outlook 97 or Outlook 98.
• It does not work on any other versions of Word, nor can it mass-mail itself via any other e-mail client such as Outlook Express or Windows Mail (the Outlook Express version in Windows Vista).

Melissa Macro Virus

• When a document infected by the Melissa virus is opened for the first time, the virus starts executing and checks whether MS Outlook is installed on the user's computer.
• If Outlook is there, the virus sends e-mail to the first 50 mail addresses found in the user's address book, and then infects a central file called NORMAL.DOT so that any files saved later would also contain the virus.
• The mail carries an attachment, a Word file called "list.doc", which contains the addresses of porn sites. The e-mail sent by the virus has the subject "Important Message From {user name}". The body of the e-mail contains "Here is that document you asked for . . .don't show anyone else ;-)".
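An added example (not the slides' material) of turning the indicators above into a mail-gateway rule: the subject line, the body phrase, the list.doc attachment and the 50-address mass mailing each count as one indicator, and two are enough to hold a message for review. The sample messages, the example.test addresses and the attachment bytes are constructed.

```python
"""Mail-gateway rule for the Melissa indicators described above: the subject line,
the body phrase, the list.doc attachment and the 50-recipient mass mailing.
Added example with constructed messages; nothing here is the virus's own code."""
import email
import re
from email import policy
from typing import List

SUBJECT_RE = re.compile(r"^Important Message From .+", re.IGNORECASE)
BODY_PHRASE = "here is that document you asked for"
KNOWN_ATTACHMENT = "list.doc"
MASS_MAIL_RECIPIENTS = 50


def melissa_indicators(raw_message: str) -> List[str]:
    """Return the indicator names found in one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    if SUBJECT_RE.match(str(msg.get("Subject", ""))):
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_PHRASE in body.get_content().lower():
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == KNOWN_ATTACHMENT:
            hits.append("attachment:" + name)
        elif name.endswith(".doc"):
            hits.append("doc-attachment")      # a mailed copy of another infected document
    to_header = msg.get("To")
    if to_header is not None and len(to_header.addresses) >= MASS_MAIL_RECIPIENTS:
        hits.append("mass-mail")
    return hits


def should_quarantine(raw_message: str) -> bool:
    """Two independent indicators are enough to hold the message for review."""
    return len(melissa_indicators(raw_message)) >= 2


# Constructed samples (example.test addresses; the attachment bytes are a placeholder).
RECIPIENTS = ", ".join(f"user{i}@example.test" for i in range(50))
SUSPECT = f"""\
From: alice@example.test
To: {RECIPIENTS}
Subject: Important Message From Alice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Here is that document you asked for ... don't show anyone else ;-)
--b1
Content-Type: application/msword; name="list.doc"
Content-Disposition: attachment; filename="list.doc"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

BENIGN = """\
From: carol@example.test
To: dave@example.test
Subject: Lunch on Friday?
Content-Type: text/plain

Here is the menu; let me know what you want.
"""

if __name__ == "__main__":
    print("suspect:", melissa_indicators(SUSPECT), should_quarantine(SUSPECT))
    print("benign:", melissa_indicators(BENIGN), should_quarantine(BENIGN))
```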
Melissa Macro Virus

• After the mail is sent, or if the virus cannot find any way to spread because there is no Internet connection or no Outlook, it spreads itself by infecting other Word documents on the computer.
• It could also mail other infected documents as attachments. If the mailed document contains confidential data, the recipient of the e-mail containing the document can view it.
• The worm's activation routine then inserts quotes from the animated television program 'The Simpsons' into other documents when the minutes of the computer's clock match the day of the month (e.g., 7:09 on the 9th day of the month).

Melissa Macro Virus

• For example, the virus could insert the Bart Simpson quotation, "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here" into a user's active document.

Melissa Macro Virus

• The Melissa virus took advantage of features of the VBA (Visual Basic for Applications) programming language, which is built into Microsoft Word.
• It is a complete programming language and it can be programmed to modify files and send e-mail messages.
• One of its useful but dangerous features is auto-execute. Using this feature, a programmer can insert a program into a document that runs immediately whenever the document is opened. The Melissa virus was programmed in the same way.

Melissa Macro Virus

• To prevent the exploitation of this feature, Microsoft applications have a feature called Macro Virus Protection built into them. If we keep the default option, which is ON in the case of Virus Protection, the auto-execute feature is disabled.
• So when a document tries to auto-execute viral code, a dialog box pops up with a warning to the user.
• Unfortunately, many people are unaware of macro viruses, and when they see this dialog they ignore it, so the virus keeps running.
• Many other people turn off this protection mechanism. So even in the presence of safeguards the virus gets spread.

Melissa Macro Virus

• Solution for macro viruses: train all of your users about macro viruses and encourage them to disable macros in Word or any product that contains a macro language, as this sort of problem is not limited to Microsoft Word.
• General protection from Word macro viruses: for information about macro viruses in general, you could review the document "Free Macro AntiVirus Techniques" by Chengi Jimmy Kuo, which is available at:
  ◦ http://www.nai.com/services/support/vr/free.asp
How to Prevent Computer Viruses

• Do not run programs of unknown origin: never download, install, or run any program unless its source (a person or a company) is authenticated and trusted.
• Filter network traffic: reports to CERT/CC indicate that viruses use TCP ports in the range 3127-3198. Depending on their network requirements, site owners should block both inbound and outbound traffic to these ports, at the host or the network level.
• Stay informed: keep up to date with the latest news about viruses.

How to Prevent Computer Viruses

• Beware of e-mail attachments: do not open any e-mail attachment from an unreliable source, or any unexpected file received as an attachment, especially if you are using Windows.
• Run and maintain an anti-virus product: make sure to regularly update your anti-virus product. To prevent infection, updating at least once a week is a must, because an increasing number of viruses cannot be "cleaned" by simply running the "latest" virus checker if you are already infected.

Recovering from a system compromise

• Back up your files: back up your files on a regular basis. This can save the valuable time that would otherwise be wasted recovering data lost because of a virus problem.
• Make a rescue disk: if you own an IBM-type system, create a bootable floppy disk with the antivirus software on it, and keep it write-locked to use later if the need arises.
• Get help: if you receive a doubtful e-mail that you believe contains a virus, or think your machine may already be infected with a virus, contact an ITS Help Desk number or the ITS Help Desk web site.

Antivirus Scanners

• Since 1987, when the first virus appeared and infected ARPANET, many antivirus programs have become available. Anti-virus programs are used to periodically check your computer system for the best-known types of viruses and prevent any later infection.
• Even an up-to-date antivirus software package cannot protect against all malicious code; still, for most users of stand-alone systems it remains the best first line of defense against malicious code attacks.
Computer Worms

• Worms: a small piece of software that uses computer networks and security holes to replicate itself without affecting other programs is called a worm.
• Worms exploit vulnerabilities in operating systems, or trick users into helping them spread across the system.
• Once a worm reaches a network, one copy of the worm scans the network for another machine that has a specific security hole, and if it finds one it copies itself to the new machine using that security hole and then starts replicating itself from there.

Computer Worms

• Worms can also exist on a stand-alone computer, in which case they will copy themselves to various hard disk locations.
• Recent examples of worms include the Sasser worm and the Blaster worm. These two can make your computer reboot.

Blaster Worm

• If your computer has started rebooting itself again and again, you may have the W32.Blaster.Worm, in case you are running Windows 2000 or Windows XP.
• One message you could receive with W32.Blaster.Worm is:

  Windows must now restart because the remote procedure call (RPC) service terminated unexpectedly. The computer reboots itself in 60 seconds.

Blaster Worm

• Another message is:

  Generic Host Process for Win32 Services
  Then: Remote Procedure Call (RPC) service terminated unexpectedly.

• The main symptom is that your computer keeps rebooting itself every 60 seconds.
Sasser Worm

• Computers running vulnerable versions of Microsoft operating systems like Windows XP and Windows 2000 or Windows 98 might get infected by the Sasser worm.
• The Sasser worm spreads without the help of the user by exploiting a vulnerable network port, but you can fix this vulnerability by using a properly configured firewall or by downloading patches from Windows Update.
• The Sasser worm exploited a specific hole that Microsoft had documented in its MS04-011 bulletin, and a patch had been released seventeen days earlier.

Sasser Worm

• Sasser was first noticed on April 30, 2004, and started spreading on computers by exploiting a buffer overflow in the component known as LSASS (Local Security Authority Subsystem Service) on the affected operating systems, and therefore is known as Sasser.
• It scans different ranges of IP addresses and connects to victims' computers mostly through TCP port 445, but Microsoft's analysis shows that it may also spread through port 139.
• Several variants called Sasser.B, Sasser.C, and Sasser.D also exist (with the original named Sasser.A), which appeared a few days after the original worm was released.

Sasser Worm

• Prior to the release of the worm, Microsoft had already patched the LSASS vulnerability in the April 2004 installment of its monthly security packages.
• It is speculated that the worm writers had reverse-engineered the patch to discover this vulnerability, and planned to attack millions of computers whose operating system had not been upgraded with the security update.
• The worm makes LSASS.EXE crash, and by default such a system will start rebooting after the crash. The following window gets displayed:

Sasser Worm

[Screenshot of the LSASS crash and system shutdown window; not reproduced in this text.]
Morris Worm

• This worm was released by Robert Morris in 1988 and is the best-known classic worm; it was made to target Unix systems.
• It mostly uses these propagation techniques:
  ◦ simple passwords are cracked by accessing the local password file,
  ◦ bugs in the finger daemon are exploited,
  ◦ the debug trapdoor in the sendmail daemon is exploited.
• If any of these attacks succeeds, it replicates itself.

Recent Worm Attacks

• Code Red 2
  ◦ It included a backdoor which was installed to allow remote control by the attacker.
• Nimda
  ◦ This worm used multiple infection mechanisms such as: e-mail, shares, web client, IIS, and the Code Red 2 backdoor.
Trojan Horses

• Trojan horse: a Trojan pretends to be a useful and harmless program, but it waits in memory until it is ready to achieve its destructive purpose.
• They are most commonly used to create a back door in the system for intruders to access, and then use your computer for their malicious purposes.
• Trojan horses don't replicate on their own, but they provide a dangerous file transfer capability so that it becomes easier for an attacker to upload other viruses to the infected computer.

Trojan Horses

• A Trojan horse always requires the computer user to run the seemingly harmless program in which it is hidden, so it can never automatically infect a computer.
• Once this seemingly harmless program is run, the Trojan horse will write some malicious lines of code to the startup routine of the computer so that it is loaded whenever the computer is booted up.
• After it is loaded, the attacker can remotely instruct the infected computer. The attacker can now view any of the stored files on the infected computer's hard drive, and can destroy or modify the data or destroy the filesystem of the computer.

Trojan Horses

• Sub7 and BackOrifice are two of many infamous examples of Trojan horses, both of which open a back door on an infected computer for malicious users and allow them to connect remotely and completely control that computer.
• Sub7 was originally created for Windows, where the Windows client can only control the Windows version of the server.
• But more recently a Macintosh operating system version was released for both client and server, and a Macintosh client can control both the Macintosh and Windows versions of the server.

Trojan Horses

• BackOrifice is Windows-only as far as the server goes, but there is a Macintosh client for the Trojan.
• Neither of these Trojan horses runs on Linux in any form.
• One newer type of Trojan horse is the backdoor Trojan, which installs an executable file on the system.
• By altering the Registry (the Windows central database for system settings and user preferences), the backdoor Trojan also launches when you start your computer.
Types of Malicious Software Attacks

Trap doors:

• A trap door is a secret entry point into a program that allows someone who is aware of the trapdoor to gain access without going through the usual security access procedure.
• Trap doors have been used legitimately by programmers to debug and test programs for many years.
• They become a threat when they are used by unscrupulous programmers to gain unauthorized access.
Other Types of Malicious Software Attacks

Hijacking attacks:

• The attacker takes control of (hijacks) a TCP session (after authentication at the beginning of the session) to gain access to data or network resources using the identity of a legitimate network user.
• During a hijacking attack, the attacker can participate in the TCP session and access the packets as they pass from one host to another.
• The attacker can take control of a TCP session between two hosts, replace one of the hosts (by disconnecting it) and continue communication with the other host as if being one of the original parties to the session.

Other Types of Malicious Software Attacks

Port scanning attacks:

• The attacker scans the networking components, i.e. computers and other devices connected to the Internet, to see which TCP and UDP ports and services on the system are active.
• Port scanning attacks are often the first step taken by a hacker to determine where a system vulnerability exists.
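An added example, not from the slides, covering both this section and the Sasser section's spread over TCP 445/139: the two scanning patterns show up in firewall drop logs as one source hitting many hosts on one port (a worm sweep) or many ports on one host (a port scan), and a few lines of log analysis separate them from ordinary traffic. The log line format, the addresses and the thresholds are constructed assumptions.

```python
"""Scan detection over firewall drop logs, for the two behaviours described on
this page: a worm sweep (one source probing many hosts on TCP 445/139, as Sasser
does) and a port scan (one source probing many ports on one host).
Added example; the log format and all addresses are constructed."""
import re
from collections import defaultdict

# Constructed log line format: "<timestamp> <action> <src> -> <dst>:<port> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>DROP|ACCEPT) (?P<src>[\d.]+) -> "
    r"(?P<dst>[\d.]+):(?P<port>\d+) (?P<proto>TCP|UDP)$")

WORM_PORTS = {445, 139}   # the ports the page names for Sasser's spread
SWEEP_HOSTS = 10          # distinct targets on one worm port before we call it a sweep
SCAN_PORTS = 10           # distinct ports on one target before we call it a port scan


def parse_lines(lines):
    """Yield (src, dst, port) for every line that matches; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["port"])


def analyse(lines):
    """Return sorted findings: ('worm-sweep', src, port, hosts) or ('port-scan', src, dst, ports)."""
    targets_per_port = defaultdict(lambda: defaultdict(set))   # src -> port -> {dst}
    ports_per_target = defaultdict(lambda: defaultdict(set))   # src -> dst -> {port}
    for src, dst, port in parse_lines(lines):
        targets_per_port[src][port].add(dst)
        ports_per_target[src][dst].add(port)
    findings = []
    for src, by_port in targets_per_port.items():
        for port, dsts in by_port.items():
            if port in WORM_PORTS and len(dsts) >= SWEEP_HOSTS:
                findings.append(("worm-sweep", src, port, len(dsts)))
    for src, by_dst in ports_per_target.items():
        for dst, ports in by_dst.items():
            if len(ports) >= SCAN_PORTS:
                findings.append(("port-scan", src, dst, len(ports)))
    return sorted(findings)


# Constructed sample log: one internal host sweeping 445 across a /24 (worm-like),
# one external host walking ports on a single server, and ordinary traffic.
SAMPLE_LOG = (
    [f"2004-05-01T10:00:{i:02d} DROP 10.0.0.5 -> 10.0.1.{i + 1}:445 TCP" for i in range(12)]
    + [f"2004-05-01T10:01:{i:02d} DROP 192.0.2.9 -> 10.0.1.20:{p} TCP"
       for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 1433, 3389])]
    + ["2004-05-01T10:02:00 ACCEPT 10.0.0.8 -> 10.0.1.3:445 TCP",
       "2004-05-01T10:02:01 ACCEPT 10.0.0.8 -> 10.0.1.3:139 TCP",
       "this line is not in the expected format and is ignored"]
)

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```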
Other Types of Malicious Software Attacks

Eavesdropping attack / sniffing:

• It is sometimes called sniffing: an attacker tries to gain access to private network communications using a tool such as Dsniff or Network Monitor.
• It includes both traditional communication across the network wire and wireless communication, in order to steal the content of the communication itself or to obtain user names and passwords for future software attacks.

Other Types of Malicious Software Attacks

IP spoofing attack:

• The attacker creates IP packets with a forged source IP address and uses those packets to gain access to a remote system.

Replay attack:

• The attacker captures (through eavesdropping or sniffing) network traffic in the form of packets and stores it for retransmission at a later time to gain unauthorized access to a specific host on a network.
• This attack is particularly successful when an attacker captures packets that contain user names, passwords, or other authentication data.
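As an added example of the countermeasure (not part of the slides): a receiver that keeps an HMAC over timestamp, nonce and payload, accepts timestamps only within a short window, and remembers nonces inside that window rejects the captured-and-retransmitted packet described above, whether it is replayed seconds or minutes later. The key, clock values and payloads are constructed.

```python
"""Replay protection for a message exchange: a timestamp window plus a per-message
nonce, both covered by an HMAC tag, so a captured packet cannot be re-sent later.
Added example; the key, clock values and payloads are constructed."""
import hashlib
import hmac
import os
from typing import Optional

WINDOW_SECONDS = 30   # how far a message timestamp may differ from the receiver's clock


def _signed_bytes(ts: int, nonce: bytes, payload: bytes) -> bytes:
    # The tag must cover timestamp and nonce, or an attacker could re-stamp a capture.
    return ts.to_bytes(8, "big") + nonce + payload


def make_message(key: bytes, payload: bytes, now: float,
                 nonce: Optional[bytes] = None) -> dict:
    """Sender side: fresh 16-byte nonce, current time, HMAC-SHA256 over all of it."""
    nonce = nonce if nonce is not None else os.urandom(16)
    ts = int(now)
    tag = hmac.new(key, _signed_bytes(ts, nonce, payload), hashlib.sha256).digest()
    return {"ts": ts, "nonce": nonce, "payload": payload, "tag": tag}


class Receiver:
    """Receiver side: verify the tag, then reject stale or already-seen messages."""

    def __init__(self, key: bytes, window: int = WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen = {}   # nonce -> ts, kept only for the length of the window

    def accept(self, msg: dict, now: float) -> str:
        expected = hmac.new(self.key, _signed_bytes(msg["ts"], msg["nonce"], msg["payload"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "reject: bad tag"            # tampered, or not from the key holder
        if abs(now - msg["ts"]) > self.window:
            return "reject: stale timestamp"    # captured and replayed after the window
        self._expire(now)
        if msg["nonce"] in self.seen:
            return "reject: replayed nonce"     # captured and replayed inside the window
        self.seen[msg["nonce"]] = msg["ts"]
        return "accept"

    def _expire(self, now: float) -> None:
        # Nonces older than the window can be dropped: the timestamp check alone
        # rejects anything that old, so memory stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}


def demo() -> list:
    """Walk through the attack from the text: capture a valid message and re-send it."""
    key = b"constructed-shared-secret"
    t0 = 1_700_000_000.0                     # constructed clock value
    msg = make_message(key, b"LOGIN alice", t0)
    rx = Receiver(key)
    results = [rx.accept(msg, t0 + 1)]       # original delivery
    results.append(rx.accept(msg, t0 + 5))   # attacker replays it seconds later
    results.append(rx.accept(msg, t0 + 600)) # attacker replays it ten minutes later
    forged = dict(msg, payload=b"LOGIN root")
    results.append(rx.accept(forged, t0 + 2))  # attacker edits the captured payload
    return results


if __name__ == "__main__":
    print(demo())   # ['accept', 'reject: replayed nonce', 'reject: stale timestamp', 'reject: bad tag']
```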
Other Types of Malicious Software Attacks

Misuse of privilege attack:

• The attacker misuses his or her administrative privileges to gain access to sensitive data.
• This type of attack generally involves an employee with some level of administrative privileges, whether over a single machine, a group of machines, or some portion of the network.

Password attack:

• The attacker attempts to guess user passwords, either manually or through the use of scripts, to gain access to a single system, an application, or a network.
• The attacker may crack encrypted password files.

Other Types of Malicious Software Attacks

Man-in-the-middle attack:

• The attacker inserts himself between two hosts to gain access to their data transmissions.
• The attacker intercepts data transmitted from a source computer and responds to the data as if it (the attacker) were the intended destination.
• These attacks are used to gain access to user names, passwords, and network infrastructure information for future attacks, or to gain access to the content of the packets being transmitted.

Back door attack:

• The attacker creates a mechanism for gaining access to a computer using a piece of software or by creating a bogus user account.
• The mechanism itself is called the backdoor, and if it isn't found and removed it can survive forever, listening on one of the ports and giving an attacker an easy way to enter the system and execute almost any command.
• Often this mechanism survives after the initial intrusion has been discovered and resolved.
Botnets

• A botnet is a collection of compromised computers (bots) under the control of a single entity, usually through the mechanism of a single command and control server (a botnet controller).
• Any computer connected to the Internet, preferably with a broadband connection, is a desirable base of computing power to be used as a bot.

Botnets

• Examples: Conficker, Kraken, Srizbi…
• Most spam is sent from bots.
• Most worms and viruses today are being used to put bot software on end-user computers.
• Most denial of service attacks originate from bots.
• Bots can be used as proxies for almost any kind of malicious activity on the Internet, providing a buffer between the miscreant and the action.

Denial of Service

• A denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users.
• A DoS attack can be perpetrated in a number of ways:
  ◦ Consumption of computational resources, such as bandwidth, disk space, or processor time.
  ◦ Disruption of configuration information, such as routing information.
  ◦ Disruption of state information, such as unsolicited resetting of TCP sessions.
  ◦ Disruption of physical network components.

Denial of service attack:

The attacker attempts to disable systems that provide network services (usually computers or routers connected directly to the Internet) in one of the following ways:

1. Flooding a network link with more data than the available bandwidth can manage.
2. Sending data that is meant to exploit flaws in an application.

Distributed denial of service attacks:

• The attacker hijacks or manipulates multiple computers (through the use of zombies or drones) on disparate networks to carry out a DoS attack.
• The main purpose of a DoS or DDoS (Distributed DoS) attack is to disrupt an organization's Internet communications, to cause embarrassment or to force the organization to waste time and money in responding to the attack and bringing their systems back online.
