System Security-Virus and Worms
SYSTEM SECURITY - Malicious Software
CONTENT
- Viruses and Related Threats
- Virus Countermeasures
- Distributed Denial of Service Attacks

1. Malicious Software: software that is intentionally inserted into a system for a harmful purpose.
2. Virus: a piece of software that can infect other programs by modifying them.
3. Worm: a program that replicates itself and sends copies from computer to computer across a network. It usually performs some unwanted function.
4. DDoS.
Malicious Programs
LOGIC BOMB:
One of the oldest types of program threat, predating viruses and worms. Code embedded in a legitimate program that is set to "explode" when certain conditions are met. Examples:
TROJAN HORSE:
A program or command procedure containing hidden code that, when invoked, performs an unwanted or harmful function. Appears superficially attractive, e.g. a game, a software upgrade, etc. Accomplishes indirectly what an unauthorized user can't accomplish directly. Often used to propagate a virus or worm, to install a backdoor, or simply to destroy data.
ZOMBIE:
A program that secretly takes over another computer on the network, then uses it to launch attacks indirectly. Often used to launch distributed denial of service (DDoS) attacks. Exploits known flaws in network systems. In short, a zombie is a program placed on an infected machine that is activated to launch attacks on other machines.
VIRUS:
A piece of software that can infect other programs by modifying them (self-replicating); the infected programs can go on to infect further programs. Makes a fresh copy of itself whenever a new, uninfected piece of software is found. When the host program is run, its replicas infect the system and can perform any function. Viruses are specific to a particular OS. Example: a virus designed for Windows can't affect Linux, and vice versa.
VIRUS OPERATION:
1. Dormant Phase: idle state, waiting for an event to activate it.
2. Propagation Phase: replicating a copy of itself to other uninfected areas on the disk (making clones).
3. Triggering Phase: activating the host to perform the function the virus was intended to.
4. Execution Phase: the function of the virus is performed.
VIRUS STRUCTURE:
program V :=
  {goto main;
   1234567;                      (marker: first line of an infected file)

   subroutine infect-executable :=
     {loop:
        file := get-random-executable-file;
        if (first-line-of-file = 1234567)
          then goto loop          (already infected, pick another)
          else prepend V to file;
     }

   subroutine do-damage :=
     {whatever damage is to be done}

   subroutine trigger-pulled :=
     {return true if condition holds}

   main: main-program :=
     {infect-executable;
      if trigger-pulled then do-damage;
      goto next;}                 (transfer control to the original program)
   next:
  }
VIRUS TYPES:
Parasitic virus: attaches itself to executable files and replicates when the infected file is run.
Memory-resident virus: lodges in main memory as part of the resident system; infects every program that is executed.
Boot sector virus: spreads when a system is booted from a disk containing the virus.
Stealth virus: hides itself from detection by antivirus software.
Polymorphic virus: mutates with every infection, but does not rewrite its code at each iteration.
Metamorphic virus: mutates with every infection and rewrites its code at each iteration, increasing the difficulty of detection.
MACRO VIRUSES:
Platform independent. Usually infects Office files, so any OS that can open the document file can be infected. Does not affect executable files, only document files. Later versions of Office include protection against macro viruses. The common method of spreading is by e-mail.
E-MAIL VIRUSES:
E.g. Melissa.
Sends itself to everyone on the mailing list in the user's e-mail package. Triggered when the user opens the attachment or, worse, even when the mail is merely viewed, by using scripting features in the mail agent. Hence it propagates very quickly. Does local damage.
WORMS:
A program that replicates itself and sends copies from computer to computer. Needs a human to invoke it. Once it is active within a system, the machine serves as an automated launching pad for attacks on other machines. Does not infect a program, but could implant a Trojan horse or perform any destructive action that affects the performance of the system.
WORM OPERATION:
Dormant:
Propagation:
- search for other systems to infect
- establish a connection to the target remote system
- replicate itself onto the remote system
Triggering:
Execution:
MORRIS WORM:
Released on the Internet by Robert Morris in 1998. Designed for UNIX systems. Logs in to a remote host as a legitimate user.
Exploits a bug to obtain information about a remote user. Exploits a trapdoor to send and receive mail. Then attacks the command interpreter.
VIRUS COUNTERMEASURES:
The only real solution is prevention: do not allow the virus to enter the system (which is generally impossible).
Antivirus approach:
First generation: scanner uses a virus signature to identify the virus, or a change in the length of programs.
Second generation (heuristic scanners): uses heuristic rules to spot a viral infection, or a cryptographic hash of the program to spot changes.
Third generation (activity traps): memory-resident programs identify a virus by its actions.
Fourth generation (full-featured protection): packages with a variety of antivirus techniques, including access-control capability, e.g. scanning, activity traps and access controls together.
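As an added illustration (not from the original slides) of the first- and second-generation approaches above: a signature scan for a known byte pattern alongside a length-and-hash baseline check, run over constructed in-memory sample "files" rather than real executables. The marker value 1234567 is the one from the virus structure pseudocode earlier in the slides.

```python
import hashlib

# Constructed sample "executables" (not real programs): name -> contents.
CLEAN_FILES = {
    "editor": b"\x7fELF editor body: open, read, write, close",
    "shell": b"\x7fELF shell body: fork, exec, wait",
    "player": b"\x7fELF player body: decode, play",
}

# Constructed signature database: the 1234567 first-line marker used by the
# pseudocode on the slide, stored as the byte pattern a scanner would look for.
SIGNATURES = {"slide-marker": b"1234567"}

def build_baseline(files):
    """Second generation: record length and SHA-256 of each clean program."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}

def check_integrity(baseline, files):
    """Report every program whose length or hash differs from the baseline."""
    findings = {}
    for name, (length, digest) in baseline.items():
        data = files.get(name)
        if data is None:
            findings[name] = "missing"
        elif len(data) != length:          # cheap first-generation length check
            findings[name] = "length changed"
        elif hashlib.sha256(data).hexdigest() != digest:
            findings[name] = "content changed"   # same length; only the hash sees it
    for name in files:
        if name not in baseline:
            findings[name] = "not in baseline"
    return findings

def signature_scan(files, signatures=SIGNATURES):
    """First generation: look for known byte patterns in each program."""
    return [(name, sig) for name, data in files.items()
            for sig, pattern in signatures.items() if pattern in data]

def demo():
    baseline = build_baseline(CLEAN_FILES)
    modified = dict(CLEAN_FILES)
    # Constructed test fixture mimicking the slide's "prepend V to file":
    # the marker line plus a placeholder, followed by the original program.
    modified["editor"] = b"1234567\n<placeholder>" + CLEAN_FILES["editor"]
    # Same-length change: the length check misses it, the hash check does not.
    modified["shell"] = CLEAN_FILES["shell"].replace(b"fork", b"FORK")
    return check_integrity(baseline, modified), signature_scan(modified)
```

The length check alone misses the same-length change to "shell", which is exactly why the second generation moved to cryptographic hashes.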
3. Behavior Blocking System: integrates with the OS of the host, monitors program behavior, and blocks potentially malicious software that would harm the system. Disadvantage: a virus can do a great deal of harm before it exhibits the behavior that triggers the block.
- Random (IP address)
- Hit list (analyzing vulnerable machines beforehand, then attacking them)
- Topological (finding hosts from information on the infected machine)
- Local subnet (within the LAN)
DDOS COUNTERMEASURES: