Network Security Course (ET1318, ET2437) at Blekinge Institute of Technology, Karlskrona, Sweden

1. MALICIOUS SOFTWARE
1

2. Overview
Introduction
Types of Malicious Software
o Backdoor/Trapdoor
o Logic Bomb
o Trojan Horse
Virus
o Nature of viruses
o Types of viruses
Virus Countermeasures
o Anti-virus approach
o Anti-virus technique
Worm
DDoS Attack
o DDos Description
o Construction of Attack
2

3. Program Definition
A computer program
Tells a computer what to do and how to do it.
Computer viruses, network worms,
Trojan Horse
These are computer programs.
3

4. Malicious software ?
Malicious Software (Malware) is a software that is included
or inserted in a system for harmful purposes.
OR
A Malware is a set of instructions that run on your computer
and make your system do something that an attacker
wants it to do.
4

5. The Malware Zoo
• Backdoor
• Logic Bomb
• Trojan horse
• Virus
• Worm
• Scareware
• Adware
5

6. Taxonomy of Malicious Programs
Malicious Programs
Need Host Program Independent
Trapdoors Logic Trojan Viruses Zombies Worms
Bombs Horses
Most current malicious code mixes all capabilities 6

7. Motivation
Why do malicious codes occur?
7

8. What it is good for ?
• Steal personal information
• Delete files
• Click fraud ?
• Steal software serial numbers
8

9. What to Infect
• Executable
• Interpreted file
• Kernel
• Service
• MBR
9

10. Auto start
• Folder auto-start
• Win.ini : run=[backdoor]" or
"load=[backdoor]".
• System.ini : shell=”myexplorer.exe”
• Autoexec.bat
• Config.sys
• Init.d
10

11. Auto start
• Assign know extension (.doc) to the
malware
• Add a Registry key such as HKCUSOFTWAREMicrosoftWindows
CurrentVersionRun
• Add a task in the task scheduler
• Run as service
11

12. Setting it up to the entire web
 1.3% of the incoming search
queries to Google returned at
a least one malware site
 Visit sites with an army of
browsers in VMs, check for
changes to local system
 Indicate potentially harmful
sites in search results

13. Shared folder
13

14. Email propagation
14

15. Email again
15

16. Fake page !
16

17. P2P Files
• 35.5% malwares
17

18. Backdoor or Trapdoor
 secret entry point into a program
 allows those who know access by passing usual
security procedures
 Remains hidden to casual inspection
 Can be a new program to be installed
 Can modify an existing program
 Trap Doors can provide access to a system for
unauthorized procedures
 very hard to block in O/S
18

19. Trap Door Example
(a) Normal code.
(b) Code with a trapdoor inserted
19

20. Logic Bomb
• One of oldest types of malicious software
• Piece of code that executes itself when pre-defined
conditions are met
• Logic Bombs that execute on certain days are known as
Time Bombs
• Activated when specified conditions met
– E.g., presence/absence of some file
– particular date/time
– particular user
• When triggered typically damage system
– modify/delete files/disks, halt machine, etc.
20

21. Tracing Logic Bombs
• Searching - Even the most experienced programmers have trouble
erasing all traces of their code
• Knowledge - Important to understand the underlying system
functions, the hardware, the hardware/software/firmware/operating
system interface, and the communications functions inside and
outside the computer
• Tools for data recovery, duplication and verification
21

22. Trojan Horse
22

23. Trojan Horse
• Trojan horse is a malicious program
that is designed as authentic, real and genuine
software.
• Like the gift horse left outside the gates of Troy by
the Greeks, Trojan Horses appear to be useful or
interesting to an unsuspecting user, but are actually
harmful.
23

24. Trojan Percentage
24

25. What Trojans can do ?
• Erase or overwrite data on a computer
• Spread other viruses or install a backdoor. In this case the
Trojan horse is called a 'dropper'.
• Setting up networks of zombie computers in order to launch
DDoS attacks or send Spam.
• Logging keystrokes to steal information such as passwords and
credit card numbers (known as a key logger)
• Phish for bank or other account details, which can be used for
criminal activities.
• Or simply to destroy data
• Mail the password file.
25

26. How can you be infected ?
• Websites: You can be infected by visiting a rogue website.
Internet Explorer is most often targeted by makers of
Trojans and other pests. Even using a secure web browser,
such as Mozilla's Firefox, if Java is enabled, your computer
has the potential of receiving a Trojan horse.
• Instant message: Many get infected through files sent
through various messengers. This is due to an extreme lack
of security in some instant messengers, such of AOL's
instant messenger.
• E-mail: Attachments on e-mail messages may contain
Trojans. Trojan horses via SMTP.
26

27. Sample Delivery
• Attacker will attach the Trojan to an e-mail with an enticing
header.
• The Trojan horse is typically a Windows executable program
file, and must have an executable file extension such as
.exe, .com, .scr, .bat, or .pif. Since Windows is configured by
default to hide extensions from a user, the Trojan horse's
extension might be "masked" by giving it a name such as
'Readme.txt.exe'. With file extensions hidden, the user would
only see 'Readme.txt' and could mistake it for a harmless text
file.
27

28. Where They Live ? (1)
• Autostart Folder
The Autostart folder is located in C:WindowsStart
MenuProgramsstartup and as its name suggests, automatically starts
everything placed there.
• Win.ini
Windows system file using load=Trojan.exe and run=Trojan.exe to execute
the Trojan
• System.ini
Using Shell=Explorer.exe trojan.exe results in execution of every file after
Explorer.exe
• Wininit.ini
Setup-Programs use it mostly; once run, it's being auto-deleted, which is
very handy for Trojans to restart
28

29. Where They Live ? (2)
• Winstart.bat
Acting as a normal bat file trojan is added as @trojan.exe to hide its
execution from the user
• Autoexec.bat
It's a DOS auto-starting file and it's used as auto-starting method like this ->
c:Trojan.exe
• Config.sys
Could also be used as an auto-starting method for Trojans
• Explorer Startup
Is an auto-starting method for Windows95, 98, ME, XP and if c:explorer.exe
exists, it will be started instead of the usual c:WindowsExplorer.exe, which
is the common path to the file.
29

30. What the attacker wants?
• Credit Card Information (often used for domain
registration, shopping with your credit card)
• Any accounting data (E-mail passwords, Login
passwords, Web Services passwords, etc.)
• Email Addresses (Might be used for spamming, as
explained above)
• Work Projects (Steal your presentations and work
related papers)
• School work (steal your papers and publish them with
his/her name on it)
30

31. Stopping the Trojan …
The Horse must be “invited in” ….
How does it get in? By:
Downloading a file
Installing a program
Opening an attachment
Opening bogus Web pages
Copying a file from someone else
31

32. Virus
• Self-replicating code
• attaches itself to another program and executes secretly when
the host program is executed.
• No hidden action
– Generally tries to remain undetected
• Operates when infected code executed
If spread condition then
For target files
if not infected then alter to include virus
Perform malicious action
Execute normal program
32

33. Virus Structure
33

34. Types of Viruses
• Parasitic Virus - attaches itself to executable files as part of their code.
Runs whenever the host program runs.
• Memory-resident Virus - Lodges in main memory as part of the residual
operating system.
• Boot Sector Virus - infects the boot sector of a disk, and spreads when the
operating system boots up (original DOS viruses).
• Stealth Virus - explicitly designed to hide from Virus Scanning programs.
• Polymorphic Virus - mutates with every new host to prevent signature
detection.
Application then runs normally
34

35. Virus Phases
• Dormant phase - the virus is idle
• Propagation phase - the virus places an identical
copy of itself into other programs
• Triggering phase – the virus is activated to perform
the function for which it was intended
• Execution phase – the function is performed
35

36. Email Virus
• Moves around in e-mail messages
• Triggered when user opens attachment
• hence propagates very quickly
• Replicates itself by automatically mailing itself to dozens
of people in the victim’s e-mail address book
36

37. Examples of risky file types
• The following file types should never be
opened if…
– .EXE
– .PIF
– .BAT
– .VBS
– .COM
37

38. How Viruses Work (1)
• Virus written in some language e.g. C,
C++, Assembly etc.
• Inserted into another program
– use tool called a “dropper”
• Virus dormant until program executed
– then infects other programs
– eventually executes its “payload”
38

39. How Viruses Work (2)
• An executable program
• With a virus at the front
• With the virus at the end
• With a virus spread over free space within program
39

40. Anti-virus
• It is not possible to build a perfect virus/
malware detector.
• Analyze system behavior
• Analyze binary to decide if it a virus
• Type :
– Scanner
– Real time
monitor
40

41. Antivirus and Anti-Antivirus Techniques
(a) A program
(b) Infected program
(c) Compressed infected program
(d) Encrypted virus
(e) Compressed virus with encrypted compression code
41

42. Popular Fallacies
If I never log off then my computer can never get a
virus
If I lock my office door then my computer can never
get a virus
Microsoft will protect me
42

43. And a Few More
I got this disc from my (boss, friend) so it must be okay
You cannot get a virus by opening an attachment from
someone you know
But I only downloaded one file
My friend who knows a lot about computers
showed me this really cool site…
43

44. Zombie
• The program which secretly takes over another networked
computer and force it to run under a common command
and control infrastructure.
• then uses it to indirectly launch attacks
 E.g., DDoS, phishing, spamming, cracking
(difficult to trace zombie’s creator)
• Infected computers — mostly Windows machines — are
now the major delivery method of spam.
• Zombies have been used extensively to send e-mail spam;
between 50% to 80% of all spam worldwide is now sent by
zombie computers.
44

45. Worm
A computer worm is a self-replicating
computer program. It uses a network to send
copies of itself to other nodes and do so
without any user intervention.
45

46. Comparision of Worm Features
1) Computer Virus: •Needs a host file
•Copies itself
•Executable
2) Network Worm: •No host (self-contained)
•Copies itself
•Executable
3) Trojan Horse: • No host (self-contained)
•Does not copy itself
•Imposter Program 46

47. Worm: History
• Runs independently
– Does not require a host program
• Propagates a fully working version of itself to other machines
 History
◦ Morris worm was one of the first worms distributed over Internet
 Two examples
◦ Morris – 1998,
◦ Slammer – 2003
47

48. Worm Operation
• worm has phases like those of viruses:
– Dormant (inactive; rest)
– propagation
• search for other systems to infect
• establish connection to target remote system
• replicate self onto
remote system
– triggering
– execution
48

49. Morris Worm
• best known classic worm
• released by Robert Morris in 1988
• targeted Unix systems
• using several propagation techniques
• if any attack succeeds then replicated self
49

50. Slammer (Sapphire) Worm
• When
• Jan 25 2003
• How
• Exploit Buffer-overflow with MS SQL
• Scale
• At least 74,000 hosts
• Random Scanning
• Randomly select IP addresses
• Cost
• Caused ~ $2.6 Billion in damage
50

51. Slammer Scale
The diameter of each circle is a function of the number of infected machines, so large
circles visually under represent the number of infected cases in order to minimize overlap
with adjacent locations
51

52. The worm itself …
 System load
◦ Infection generates a number of processes
◦ Password cracking uses lots of resources
◦ Thousands of systems were shut down
• Tries to infect as many other hosts as possible
– When worm successfully connects, leaves a child to continue the
infection while the parent keeps trying new hosts
– find targets using several mechanisms: 'netstat -r -n‘, /etc/hosts, …
• Worm did not:
– Delete system's files, modify existing files, install Trojan horses, record or
transmit decrypted passwords, capture super user privileges
52

53. Adware
53

54. Scareware / Rouge/
Fake antivirus
54

55. Typical Symptoms
• File deletion
• File corruption
• Visual effects
• Pop-Ups
• Computer crashes
• Slow Connection
• Spam Relaying
55

56. No Sure Protection!
• Most attacks come from the INSIDE
• Keep secured logs of all code modifications
• Keep back-ups of all vital system information
• Install anti-virus software on computers (keep it
current)
• Assume every disc, CD, etc is suspect, no matter who
gave it to you
56

57. Distributed Denial of Service
• A denial-of-service attack is an attack that
causes a loss of service to users, typically the
loss of network connectivity.
• CPU, memory, network connectivity, network
bandwidth, battery energy
• Hard to address, especially in distributed form
57

58. DDoS Mechanism
• Goal: make a service unusable.
• How: overload a server, router, network
link, by flooding with useless traffic
• Focus: bandwidth attacks, using large
numbers of “zombies”
58

59. How it works?
• The flood of incoming messages to the target system
essentially forces it to shut down, thereby denying
service to the system to legitimate users.
• Victim's IP address.
• Victim's port number.
• Attacking packet size.
• Attacking inter-packet delay.
• Duration of attack.
59

60. Example 1
• Ping-of-death
– IP packet with a size larger than 65,536 bytes is
illegal by standard
– Many operating system did not know what to do
when they received an oversized packet, so they
froze, crashed or rebooted.
– Routers forward each packet independently.
– Routers don’t know about connections.
– Complexity is in end hosts; routers are simple.
60

61. Example 1

62. Example 2
• TCP handshake
• SYN Flood
– A stream of TCP SYN packets directed to a listening TCP port at the victim
– The host victim must allocate new data structures to each SYN request
– legitimate connections are denied while the victim machine is waiting
to complete bogus "half-open" connections
– Not a bandwidth consumption attack
• IP Spoofing
62

63. From DoS to DDoS
63

64. From DoS to DDoS
64

65. How Internet Looks Like?
65

66. How Internet Looks Like?
66

67. Distributed Reflection DoS Attack
67

68. DDoS Countermeasures
• Three broad lines of defense:
1. attack prevention & preemption (before)
2. attack detection & filtering (during)
3. attack source trace back & identification (after)
68

69. Summary
• have considered:
– various malicious programs
– trapdoor, logic bomb, Trojan horse, zombie
– viruses
– worms
– countermeasures
– distributed denial of service attacks
69

70. Q&A
70