
Information Security

Lecture 7

Malicious Software & Attacks


Malicious Software – “Presentation Outline”

 What is malicious software?


 Categories of malicious software.
 Different malicious software – viruses, worms, Trojan Horse etc.
 More description about viruses :
✓ Desirable properties of viruses.
✓ Identifying infected files and programs.
✓ Where do viruses reside?
✓ Identifying and detecting viruses – virus signature.
✓ Effect of Virus attack on computer system.
 Protection against attacks by malicious software – preventing
infection.
 References.
What is Malicious Software:

➢ Software deliberately designed to harm computer systems.

➢ A malicious program causes undesired actions in information systems.

➢ Spreads from one system to another through:
• E-mail (through attachments)
• Infected floppy disks and other removable media
• Downloading / exchanging infected files
• Code embedded in computer games
Malicious Software - Categories

Top-level categories shown in the diagram: Viruses, Rabbit, Hoaxes, Trojan Horse, Spyware, Trapdoor, Worms.
Sub-types shown in the diagram: Boot Viruses, File Viruses, Time Bomb, Logic Bomb.


Types of Malicious Software

 Virus : a program that spreads to other software in the system, i.e., a
program that incorporates copies of itself into other programs. Usually
requires user interaction (running the infected program) to spread.

 Virus Classification by target:
▪ Boot sector virus
▪ File virus
▪ Macro virus
▪ Multipartite virus
Virus Classification by target

 Boot sector virus :
 infects the boot sector of the system disk
 becomes memory resident
 activates while the machine is booting
 File virus :
 infects program files
 activates when the infected program is run
 Macro virus :
 written in the same macro language as the software it infects; common
victims include Microsoft Excel and Word documents. Because it targets the
application rather than the system, a macro virus can infect any operating
system that runs the application.
 Multipartite virus :
 infects in more than one way, typically both the boot sector and program
files, so it survives if only one of the two is cleaned.
Virus
 Virus has 3 parts
 Infection Mechanism
 The means by which a virus spreads or propagates or enables it to replicate
 Also called infection vector

 Trigger
 The event or condition that determines when the payload is activated or delivered
 Also called logic bomb

 Payload
 What the virus does, besides spreading
 May involve damage or any other activity
Virus Classification by concealment strategy

 Polymorphic Virus
 Produces modified & fully operational code.
 Produces new & different code every time the virus is copied & transmitted to a new host.
 Difficult to detect & remove.
 Stealth Virus
 Uses various techniques to avoid detection.
 Reports false values to programs as they read files or data from storage media.
 Armored Virus
 A type of virus designed to thwart attempts at analysis & reverse engineering.
 Complex programming methods are used to design the code, so it is difficult to repair the infected file.
 Companion Virus
 Creates a new program instead of modifying the existing program.
 Executed by the shell instead of the original program.
 Rabbit : This malicious software replicates itself without limits and
depletes some or all of the system's resources.

❑ Re-attacks the infected system repeatedly – difficult recovery.

❑ Exhausts the system's resources such as CPU time, memory, disk space.

❑ Depletion of resources denies users access to those resources (a denial of service).
 Hoaxes : False alerts of spreading viruses.

❑ e.g., sending chain letters.

❑ The message seems important to the recipient, who forwards it to other
users – it becomes a chain.

❑ Exchanging a large number of messages (in the chain) floods the network
resources – bandwidth wastage.

❑ Heavy network traffic blocks the systems on the network – access denied.
 Trojan Horse : This is a malicious program with unexpected additional
functionality. It includes harmful features of which the user is not aware.

❑ Performs a different function than what it is advertised to do (some
malicious action, e.g., stealing passwords).
❑ Neither self-replicating nor self-propagating.
❑ User assistance required for infection.
❑ Infects when the user installs and executes the infected program.
❑ Some types of trojan horses include Remote Access
Trojans (RAT), KeyLoggers, Password-Stealers (PSW),
and logic bombs.
❑ Transmitting medium :
1. spam or e-mail
2. a downloaded file
3. a disk from a trusted source
4. a legitimate program with the Trojan inside.

❑ The Trojan looks for your personal information and sends it to the Trojan writer
(attacker). It can also allow the attacker to take full control of your system.

❑ Different types of Trojan Horses :

1. The remote access Trojan takes full control of your system and passes it to
the attacker.
2. The data-sending Trojan sends data back to the attacker, e.g., by e-mail.
e.g., Key-loggers – log and transmit each keystroke.
3. The destructive Trojan has only one purpose: to destroy and delete files. It
is often not detected by anti-virus software until after it has acted.
4. The denial-of-service (DoS) attack Trojan combines the computing power of
all the systems it infects to launch an attack on another system, flooding
it with traffic until it crashes or becomes unreachable.
5. The FTP Trojan opens port 21 (the port for FTP transfer) and lets the
attacker connect to your computer using the File Transfer Protocol (FTP).
6. The security software disabler Trojan is designed to stop or kill
security programs such as anti-virus software, firewalls, etc., without
you knowing it.
 Spyware :

❑ Spyware programs explore the files and activity in an information system.
❑ The collected information is forwarded to an address specified in the
spyware.
❑ Spyware can also be used for surveillance of software users or for
preparation of an attack.
 Worms :

❑ A program that spreads copies of itself through a network.
❑ Can do severe, sometimes irrecoverable damage to the computer system.
❑ Stand-alone program: unlike a virus it needs no host program and spreads
over the network without user interaction.
❑ Also performs various malicious activities other than spreading itself to
different systems, e.g., deleting files.

❑ Attacks of Worms:
❑ Deleting files and other malicious actions on systems.
❑ Communicating information back to the attacker, e.g., passwords, other
proprietary information.
❑ Disrupting normal operation of the system, i.e., a denial of service (DoS) –
often simply from the load of repeatedly re-infecting already infected systems.
❑ Worms may carry viruses with them.
Means of spreading Infection by Worms :

 Infects one system, gains access to the trusted host lists on the infected
system and spreads to those hosts.

 Another method of infection is penetrating a system by guessing passwords.

 Exploiting widely known security holes, in case password guessing and
trusted host access fail.
VIRUSES – More Description
Desirable properties of Viruses (from the virus writer's point of view) :

✓ Virus program should be hard to detect by anti-virus software.
✓ Viruses should be hard to destroy or deactivate.
✓ Spread infection widely.
✓ Should be easy to create.
✓ Be able to re-infect.
✓ Should be machine / platform independent, so that it can spread on
different hosts.
Detecting virus infected files/programs :

❖ A virus-infected file changes – typically it gets bigger, because the virus
body is appended or inserted (some viruses overwrite or hide in padding to
keep the size unchanged, so size alone is not a reliable test).

❖ Modification detection by checksum :
> Record a checksum of every clean file and recompute it later; a mismatch
means the file has changed.
> Use a cryptographic hash function, e.g., SHA-2 (SHA-256). MD5 and SHA-1
are no longer collision resistant and should not be used for new integrity
checks.
> A simpler alternative is to add all 32-bit segments of a file and store the
sum (i.e., a checksum). An infector can trivially pad a modified file so that
the sum is unchanged, so a plain sum detects accidental corruption, not
deliberate tampering.
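The following Python is an added example, not part of the lecture: it implements both integrity methods from the slide (the sum of 32-bit words and a SHA-256 hash), records a baseline over a constructed "disk" of two files, and then checks an infected copy of the program. The infector appends a harmless stand-in for a virus body and one compensating 32-bit word, which keeps the additive checksum unchanged; the hash still detects the modification. File names, contents and the virus marker are all constructed for the demonstration.

```python
import hashlib
import struct


def additive_checksum32(data: bytes) -> int:
    """Naive checksum from the slide: sum every 32-bit little-endian word of
    the file, modulo 2**32. A partial trailing word is zero-padded."""
    padded = data + b"\x00" * ((-len(data)) % 4)
    total = 0
    for (word,) in struct.iter_unpack("<I", padded):
        total = (total + word) & 0xFFFFFFFF
    return total


def sha256_hex(data: bytes) -> str:
    """Cryptographic hash of the file contents."""
    return hashlib.sha256(data).hexdigest()


def baseline(files: dict[str, bytes]) -> dict[str, tuple[int, str]]:
    """Record both integrity values for every known-clean file."""
    return {name: (additive_checksum32(d), sha256_hex(d)) for name, d in files.items()}


def check(files: dict[str, bytes], base: dict[str, tuple[int, str]]) -> dict[str, dict[str, bool]]:
    """Recompute both values and report which method flags each file as changed."""
    report = {}
    for name, data in files.items():
        sum_ref, sha_ref = base[name]
        report[name] = {
            "additive_flags": additive_checksum32(data) != sum_ref,
            "sha256_flags": sha256_hex(data) != sha_ref,
        }
    return report


def forge_additive(original: bytes, modified: bytes) -> bytes:
    """Append one 32-bit word chosen so that the modified file's additive
    checksum equals the original's. An infector can do this trivially against
    a plain sum; against a collision-resistant hash it cannot."""
    modified = modified + b"\x00" * ((-len(modified)) % 4)
    delta = (additive_checksum32(original) - additive_checksum32(modified)) & 0xFFFFFFFF
    return modified + struct.pack("<I", delta)


# Constructed sample "disk": a clean program and a text file (not real files).
CLEAN = {
    "editor.exe": b"MZ\x90\x00" + b"\x00" * 12 + b"original program code of the editor",
    "notes.txt": b"meeting notes, nothing executable here\n",
}

# Constructed infection: a harmless text marker stands in for the virus body;
# the infector pads the file so the additive sum matches the clean original.
VIRUS_BODY = b"<<CONSTRUCTED VIRUS BODY MARKER - NOT REAL CODE>>"
INFECTED = {
    "editor.exe": forge_additive(CLEAN["editor.exe"], CLEAN["editor.exe"] + VIRUS_BODY),
    "notes.txt": CLEAN["notes.txt"],
}


def demo() -> dict[str, dict[str, bool]]:
    """Baseline the clean disk, then check the infected one."""
    return check(INFECTED, baseline(CLEAN))


if __name__ == "__main__":
    for name, flags in demo().items():
        print(name, flags)
```

Running it shows the infected editor.exe flagged only by SHA-256, while notes.txt is clean under both methods; the additive sum is silent on the tampered program because the appended word cancels the change.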
Identifying Viruses :
❑ A virus is a unique program.
❑ It inserts itself into a host in a deterministic manner.
❑ The pattern of object code and where it is inserted provides a signature
for the virus program.
❑ This virus signature can be used by virus scanners to identify and detect
a virus.
❑ Some viruses try to hide or alter their signature:
❑ Random patterns in meaningless places.
❑ Self-modifying code – polymorphic and metamorphic viruses.
❑ Encrypt the code and change the key frequently; only the small decryptor
that must run first stays constant.
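As an added example (not part of the lecture and not real malware), the Python below builds a minimal signature scanner and runs it against a constructed host program infected three ways: with the plain body, and with two encrypted variants that XOR the body under different one-byte keys behind a constant decryptor stub. The body signature catches only the plain copy, illustrating why "encrypt the code, change the key frequently" defeats fixed signatures; a second signature on the stub, the part an encrypted virus cannot hide, catches both variants. All byte strings, names and the stub marker are constructed for the demonstration.

```python
# Constructed, harmless stand-in for a virus body; it is plain text, not code.
VIRUS_BODY = b"CONSTRUCTED SAMPLE BODY: find host, append self, trigger on date, show banner"

# Signature: a distinctive fixed byte pattern taken from the body.
SIGNATURE_BODY = VIRUS_BODY[:26]  # b"CONSTRUCTED SAMPLE BODY: f"

# An encrypted virus must carry an unencrypted decryptor so it can run;
# modelled here by a constant marker followed by the one-byte key.
DECRYPTOR_STUB = b"\x90\x90[XOR-DECRYPT-LOOP]\x90\x90"

# Constructed clean host program image.
HOST = b"HOST PROGRAM IMAGE" + b"\x00" * 16


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_encrypted_variant(body: bytes, key: int) -> bytes:
    """stub || key || XOR(body, key). A different key gives different bytes,
    yet each variant is fully operational because the stub recovers the body."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    return DECRYPTOR_STUB + bytes([key]) + xor_bytes(body, key)


def decrypt_variant(variant: bytes) -> bytes:
    """What the stub does at run time: read the key, XOR the body back."""
    if not variant.startswith(DECRYPTOR_STUB):
        raise ValueError("not an encrypted variant")
    n = len(DECRYPTOR_STUB)
    return xor_bytes(variant[n + 1:], variant[n])


def scan(data: bytes, signatures: dict[str, bytes]) -> list[str]:
    """Signature scanner: report every signature found anywhere in the data."""
    return [name for name, sig in signatures.items() if sig in data]


def demo() -> dict[str, list[str]]:
    """Scan a clean host, a plainly infected host and two encrypted variants
    with a body-only signature set and with an added decryptor-stub signature."""
    plain_infected = HOST + VIRUS_BODY
    variant_a = HOST + make_encrypted_variant(VIRUS_BODY, 0x5A)
    variant_b = HOST + make_encrypted_variant(VIRUS_BODY, 0xC3)
    body_only = {"Sample.A": SIGNATURE_BODY}
    with_stub = {"Sample.A": SIGNATURE_BODY, "Sample.A.decryptor": DECRYPTOR_STUB}
    return {
        "clean_host": scan(HOST, with_stub),
        "plain_infected": scan(plain_infected, body_only),
        "variant_a_body_sig": scan(variant_a, body_only),
        "variant_b_body_sig": scan(variant_b, body_only),
        "variant_a_stub_sig": scan(variant_a, with_stub),
        "variant_b_stub_sig": scan(variant_b, with_stub),
    }


if __name__ == "__main__":
    for case, hits in demo().items():
        print(f"{case:22s} -> {hits}")
```

The body-only scanner misses both encrypted variants even though each decrypts to exactly the same body; signatures for real encrypted or polymorphic families are therefore written against the decryptor, or the scanner emulates the decryptor first and scans the result.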
Places where viruses live :

▪ Boot sector
▪ Memory resident
▪ Disk – applications and data stored on disk.
▪ Libraries – stored procedures and classes.
▪ Compiler – a compromised compiler can insert the virus into every program
it builds.
▪ Virus checking program infected by a virus – unable to detect that
particular virus signature.
Effect of Virus attack on computer system

➢ Virus may affect user's data in memory – overwriting.

➢ Virus may affect user's program – overwriting.

➢ Virus may also overwrite system's data or programs – corrupting them and
disrupting normal operation of the system.

➢ "Smashing the Stack" – a buffer overflow overwrites the return address
on the stack, so execution of the program is redirected to the virus
(attacker) code.
Preventing infection by malicious software :

✓ Use only trusted software, not pirated software.
✓ Test all new software on an isolated computer system.
✓ Regularly take backups of programs and data.
✓ Use anti-virus software to detect and remove viruses.
✓ Update the virus database frequently to get new virus signatures.
✓ Install firewall software, which hampers or prevents the spread of worms
and the remote-access functionality of Trojan horses.
✓ Do not open e-mail attachments unless their source is trusted and they
have been scanned.
✓ Do not leave a floppy disk in the drive when starting (booting) the
machine, unless sure that it does not include malicious software, else a
boot-sector virus will be copied to the hard disk's boot sector.
