2. List of Topics
• Malicious Web
• Internet Security Issues
• Types of Internet Security Issues
• Computer Viruses
• Spyware
• Key-Loggers
• Secure Coding
• Electronic and Information Warfare
4. Malicious Web
• A malicious website is a site that attempts to install malware (a general
term for anything that will disrupt computer operation, gather your
personal information or, in a worst-case scenario, gain total access to
your machine) onto your device
• Requires user action like visiting a website, giving permission to
access cookies, etc.
• Malicious websites often look like legitimate websites
5. Malicious Web
• They will ask you to install software that your computer appears to
need.
Example:
A video website might ask you to install a codec, which is a small piece
of information a video player needs to run on a website.
You might be used to installing safe codecs, but it only takes one unsafe
installation to compromise your machine, and your sensitive
information along with it.
Similarly, the website might ask for permission to install one program,
but install a completely different one.
7. Malicious Software
• An Internet user can be tricked or forced into downloading software
of malicious intent onto a computer.
• Such software comes in many forms, such as viruses, Trojan horses,
spyware, and worms.
8. Malicious Software
Malware
• Malware, short for malicious software, is any software used to disrupt
computer operation, gather sensitive information, or gain access to
private computer systems.
• Malware is defined by its malicious intent, acting against the
requirements of the computer user, and does not include software that
causes unintentional harm due to some deficiency.
9. Malicious Software
Botnet
• A botnet is a network of zombie computers that have been taken over
by a robot or bot that performs large-scale malicious acts for the
creator of the botnet.
Virus
• Computer Viruses are programs that can replicate their structures or
effects by infecting other files or structures on a computer. The
common use of a virus is to take over a computer to steal data.
10. Malicious Software
Worms
• Computer worms are programs that can replicate themselves
throughout a computer network, performing malicious tasks
throughout.
Ransomware
• Ransomware is a type of malware which restricts access to the
computer system that it infects, and demands a ransom paid to the
creators of the malware in order for the restriction to be removed.
11. Malicious Software
Scareware
• Scareware is scam software of usually limited or no benefit,
containing malicious payloads, that is sold to consumers via certain
unethical marketing practices.
• The selling approach uses social engineering to cause shock, anxiety,
or the perception of a threat, generally directed at an unsuspecting
user.
12. Malicious Software
Trojan Horse
• A Trojan horse, commonly known as a Trojan, is a general term for
malicious software that pretends to be harmless, so that a user
willingly allows it to be downloaded onto the computer.
Key-Logger
• Keystroke logging, often referred to as keylogging or keyboard
capturing, is the action of recording (logging) the keys struck on a
keyboard; the program that does this is a key-logger.
13. Denial of Service Attacks
• A denial-of-service attack (DoS attack) or distributed denial-of-service
attack (DDoS attack) is an attempt to make a computer resource
unavailable to its intended users.
• DDoS can also be understood as a class of attacks on cloud computing
environments that is growing because of the essential characteristics
of cloud computing.
• Although the means to carry out, motives for, and targets of a DoS
attack may vary, it generally consists of the concerted efforts to
prevent an Internet site or service from functioning efficiently or at all,
temporarily or indefinitely.
14. Phishing
• Phishing is an attack which targets online users for extraction of their
sensitive information such as username, password and credit card
information.
• Phishing occurs when the attacker pretends to be a trustworthy entity,
either via email or web page.
• Victims are directed to fake web pages, which are dressed to look
legitimate, via spoof emails, instant messenger/social media.
• Often tactics such as email spoofing are used to make emails appear to
be from legitimate senders, or long complex subdomains hide the real
website host.
15. Application Vulnerabilities
• Applications used to access Internet resources may contain security
vulnerabilities such as memory safety bugs or flawed authentication
checks.
• The most severe of these bugs can give network attackers full control
over the computer.
• Most security applications and suites are incapable of adequate
defence against these kinds of attacks.
17. Computer Virus
• A piece of software that can infect other programs by modifying them
• Modification includes injecting the original program with a routine to
make copies of the virus program which can then go on to infect other
programs
• In its own code, a virus carries instructions to make perfect copies
of itself
• Generally viruses embed themselves into a program
18. Parts of a Computer Virus
• Infection Mechanism: The means by which virus spreads, enabling it
to replicate. The mechanism is also referred to as Infection Vector.
• Trigger: The event or condition that determines when the payload is
activated or delivered.
• Payload: What the virus does besides spreading. The payload may
involve damage or may involve benign but noticeable activity.
19. Phases of a Computer Virus
• Dormant Phase: The virus is idle. The virus will eventually be
activated by some event, such as a date, the presence of another
program or file, or the capacity of the disk exceeding some limit.
• Propagation Phase: The virus places a copy of itself into other
programs or into certain system areas on the disk. The copy may not
be identical to the propagating version; viruses often morph to evade
detection. Each infected program will now contain a clone of the virus,
which will itself enter a propagation phase.
20. General Depiction of a Computer Virus
• A virus can be prepended or post-pended to an executable program.
• In this case, the virus code, V, is prepended to infected programs, and
it is assumed that the entry point to the program, when invoked, is the
first line of the program.
21. Compression Virus
• The previous virus can be detected easily because it increases the
size of the executable file.
• A way to thwart such a simple means of detecting a virus is to
compress the executable file so that both the infected and uninfected
versions are of identical length.
• We assume that program P1 is infected with the virus CV.
22. Compression Virus
When this program is invoked, control passes to its virus, which performs
the following steps:
1. For each uninfected file P2 that is found, the virus first compresses
that file to produce , which is shorter than the original program by
the size of the virus.
2. A copy of the virus is prepended to the compressed program.
3. The compressed version of the original infected program, , is
uncompressed.
4. The uncompressed original program is executed.
23. Classification of Virus by Target
• Boot Sector Infector: Infects a master boot record or boot record and
spreads when a system is booted from the disk containing the virus.
• File Infector: Infects files that the operating system or shell consider
to be executable.
• Macro Virus: Infects files with macro code that is interpreted by an
application.
24. Classification of Virus by Concealment Strategy
• Encrypted Virus: A typical approach is as follows. A portion of the
virus creates a random encryption key and encrypts the remainder of
the virus. The key is stored with the virus. When an infected program
is invoked, the virus uses the stored random key to decrypt the virus.
• Stealth Virus: A form of virus explicitly designed to hide itself from
detection by antivirus software. Thus, the entire virus, not just a
payload, is hidden.
25. Classification of Virus by Concealment Strategy
• Polymorphic virus: A virus that mutates with every infection,
making detection by the “signature” of the virus impossible.
• Metamorphic Virus: As with a polymorphic virus, a metamorphic
virus mutates with every infection. The difference is that a
metamorphic virus rewrites itself completely at each iteration,
increasing the difficulty of detection. Metamorphic viruses may
change their behaviour as well as their appearance.
26. Virus Toolkits
• A virus toolkit enables a relative novice to quickly create a number of
different viruses.
• Viruses created with toolkits tend to be less sophisticated than viruses
designed from scratch.
• The sheer number of new viruses that can be generated using a toolkit
creates a problem for antivirus schemes.
28. Virus Countermeasures
Prevention:
• Do not allow a virus to get into the system in the first place, or block
the ability of a virus to modify any files containing executable code or
macros.
• But this goal is, in general, impossible to achieve.
29. Antivirus Approaches
• Detection: Once the infection has occurred, determine that it has
occurred and locate the virus.
• Identification: Once detection has been achieved, identify the specific
virus that has infected a program.
• Removal: Once the specific virus has been identified, remove all
traces of the virus from the infected program and restore it to its
original state. Remove the virus from all infected systems so that the
virus cannot spread further.
30. Generations of Antivirus Software
• First Generation (Simple Scanners)
• Second Generation (Heuristic Scanners)
• Third Generation (Activity Traps)
• Fourth Generation (Full-Featured Protection)
31. First Generation: Simple Scanners
• A first-generation scanner requires a virus signature to identify a virus.
• The virus may contain “wildcards” but has essentially the same
structure and bit pattern in all copies.
• Such signature-specific scanners are limited to the detection of known
viruses.
• Another type of first-generation scanner maintains a record of the
length of programs and looks for changes in length.
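As an added illustration (not code from the original slides) of both first-generation techniques, here is a C sketch of a wildcard-tolerant signature matcher and a length-record check. The signature bytes and file contents are constructed sample values, not a real malware signature.

```c
#include <stddef.h>
#include <stdio.h>

/* WILD marks a signature position that matches any byte: the "wildcards"
   a first-generation scanner tolerates while the rest of the bit pattern
   stays fixed. All byte values below are constructed for illustration. */
#define WILD (-1)

/* Scan buf[] for sig[]; return the offset of the first match, or -1. */
long sig_scan(const unsigned char *buf, size_t len,
              const int *sig, size_t siglen)
{
    if (siglen == 0 || siglen > len)
        return -1;
    for (size_t off = 0; off + siglen <= len; off++) {
        size_t i;
        for (i = 0; i < siglen; i++) {
            if (sig[i] != WILD && (unsigned char)sig[i] != buf[off + i])
                break;           /* mismatch at a non-wildcard position */
        }
        if (i == siglen)
            return (long)off;    /* every position matched or was WILD */
    }
    return -1;
}

/* The other first-generation technique: compare a program's current size
   with the size recorded earlier; a prepended virus makes the file grow. */
int length_changed(size_t recorded_len, size_t current_len)
{
    return current_len != recorded_len;
}

/* Constructed sample signature: four fixed bytes with one wildcard slot. */
const int SAMPLE_SIG[] = { 0x55, 0x89, WILD, 0xE8, 0x00 };
const size_t SAMPLE_SIG_LEN = sizeof SAMPLE_SIG / sizeof SAMPLE_SIG[0];

/* Constructed "file" contents: one without the pattern, one with it at
   offset 1 (0xE5 sits in the wildcard slot). */
const unsigned char SAMPLE_CLEAN[] = { 0x90, 0x90, 0x55, 0x89, 0xE5, 0xC3 };
const unsigned char SAMPLE_HIT[]   = { 0x90, 0x55, 0x89, 0xE5, 0xE8, 0x00, 0xC3 };

int main(void)
{
    printf("clean file: offset %ld\n",
           sig_scan(SAMPLE_CLEAN, sizeof SAMPLE_CLEAN, SAMPLE_SIG, SAMPLE_SIG_LEN));
    printf("hit file:   offset %ld\n",
           sig_scan(SAMPLE_HIT, sizeof SAMPLE_HIT, SAMPLE_SIG, SAMPLE_SIG_LEN));
    printf("length changed: %d\n", length_changed(4096, 4096 + 512));
    return 0;
}
```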
32. Second Generation: Heuristic Scanners
• A second-generation scanner does not rely on a specific signature.
• Rather, the scanner uses heuristic rules to search for probable virus
infection.
• One class of such scanners looks for fragments of code that are often
associated with viruses.
• For example, a scanner may look for the beginning of an encryption
loop used in a polymorphic virus and discover the encryption key.
Once the key is discovered, the scanner can decrypt the virus to
identify it, then remove the infection and return the program to
service.
33. Third Generation: Activity Traps
• Third-generation programs are memory-resident programs that
identify a virus by its actions rather than its structure in an infected
program.
• Such programs have the advantage that it is not necessary to develop
signatures and heuristics for a wide array of viruses.
• Rather, it is necessary only to identify the small set of actions that
indicate an infection is being attempted and then to intervene.
34. Fourth Generation: Full-Featured Protection
• Fourth-generation products are packages consisting of a variety of
antivirus techniques used in conjunction.
• These include scanning and activity trap components.
• In addition, such a package includes access control capability, which
limits the ability of viruses to penetrate a system and then limits the
ability of a virus to update files in order to pass on the infection.
37. Spyware
• Spyware is software that aims to gather information about a person or
organization, sometimes without their knowledge, and that may send such
information to another entity without the consumer's consent.
• Spyware may also assert control over a device without the consumer's
knowledge, or it may send such information to another entity with the
consumer's consent, for example through cookies.
38. Types of Spyware
• Adware
• System Monitors
• Tracking Cookies
• Trojans
• Root-Kits
• Web Beacons
39. Routes of Infection
• Spyware does not necessarily spread in the same way as a virus or
worm because infected systems generally do not attempt to transmit or
copy the software to other computers.
• Spyware installs itself on a system by deceiving the user or by
exploiting software vulnerabilities.
• Spyware is installed without the user's knowledge, or by using deceptive tactics.
• Spyware may try to deceive users by bundling itself with desirable
software.
40. Effects and Behaviours
• A spyware program rarely operates alone on a computer; an affected
machine usually has multiple infections.
• A spyware infestation can create significant unwanted CPU activity,
disk usage, and network traffic.
• Some spyware disables or even removes competing spyware
programs, on the grounds that more spyware-related annoyances
increase the likelihood that users will take action to remove the
programs.
41. Remedies and Prevention
• As the spyware threat has worsened, a number of techniques have
emerged to counteract it. These include programs designed to remove
or block spyware, as well as various user practices which reduce the
chance of getting spyware on a system.
• When a large number of pieces of spyware have infected a Windows
computer, the only remedy may involve backing up user data and
fully reinstalling the operating system.
• For example, some spyware cannot be completely removed by the
products of Symantec, Microsoft or PC Tools.
42. Anti-Spyware Software
Anti-spyware software works in two ways:
1. It can provide real-time protection in a manner similar to that of
anti-virus protection: it scans all incoming network data for spyware
and blocks any threats it detects.
2. Anti-spyware programs can be used solely for detection and removal
of spyware that has already been installed on the computer. This kind
of anti-spyware can often be set to scan on a regular schedule.
45. Key-Loggers
• A key-logger (short for keystroke logger) is software that tracks or
logs the keys struck on your keyboard, typically in a covert manner so
that you don’t know that your actions are being monitored.
• This is usually done with malicious intent to collect your account
information, credit card numbers, user names, passwords, and other
private data.
46. Legitimate uses of Key-Loggers
• Parents can monitor their children’s online activity
• Law enforcement may use it to analyse and track incidents linked to
the use of personal computers
• Employers can make sure their employees are working instead of
surfing the web all day.
47. Types of Key-Loggers
• Key-Loggers
This version of key-logger records each and every keystroke and sends
it to the attacker.
• Screen-Loggers
This version of key-logger takes pictures of your screen at specific
time intervals and sends them to the attacker.
Because of this you are not safe even if you are using an on-screen
keyboard.
48. Key-Loggers (Classification)
• Hypervisor-based: The key-logger can theoretically reside in a
malware hypervisor running underneath the operating system, which
thus remains untouched; the operating system effectively becomes a
virtual machine.
• Kernel-based: A program on the machine obtains root access to hide
itself in the OS and intercepts keystrokes that pass through the kernel.
This method is difficult both to write and to combat.
• API-based: These keyloggers hook keyboard APIs inside a running
application. The keylogger registers keystroke events, as if it was a
normal piece of the application instead of malware. The keylogger
receives an event each time the user presses or releases a key.
49. Key-Loggers (Classification)
• Form grabbing based: Form-grabbing key-loggers log web form
submissions by recording the browser's form data on submit events. This
happens when the user completes a form and submits it, usually by clicking
a button or hitting enter.
• JavaScript-based: A malicious script tag is injected into a targeted web
page, and listens for key events such as onKeyUp().
• Memory-injection-based: Memory Injection based key-loggers perform
their logging function by altering the memory tables associated with the
browser and other system functions. By patching the memory tables or
injecting directly into memory, this technique can be used by malware
authors to bypass Windows UAC (User Account Control). The Zeus and
SpyEye trojans use this method exclusively.
50. How Key-Loggers get installed
• Key-loggers spread in much the same way that other malicious
programs spread.
• Key-loggers are installed on your system when you open a file
attachment that you received via email, text message, P2P networks,
instant message or social networks.
• Key-loggers can also be installed just by you visiting a website if that
site is infected.
51. How to detect Key-loggers
• Key-loggers are tricky to detect.
• Some signs that you may have a key-logger on your device include:
slower performance when web browsing, your mouse or keystrokes
pause or don’t show up onscreen as what you are actually typing or if
you receive error screens when loading graphics or web pages.
52. How to prevent Key-loggers
• Use caution when opening attachments
• Watch your passwords
• Try an alternative keyboard layout
• Use a comprehensive security solution
• Protect all your devices (PCs, Macs, smartphones and tablets) with a
solution like McAfee LiveSafe, that offers antivirus, firewall, as well
as identity and data protection.
53. Secure Coding
• Secure coding is the practice of developing computer software in a
way that guards against the accidental introduction of security
vulnerabilities.
• Defects, bugs and logic flaws are consistently the primary cause of
commonly exploited software vulnerabilities.
• Through the analysis of thousands of reported vulnerabilities, security
professionals have discovered that most vulnerabilities stem from a
relatively small number of common software programming errors.
54. Secure Coding
• By identifying the insecure coding practices that lead to these errors
and educating developers on secure alternatives, organizations can
take proactive steps to help significantly reduce or eliminate
vulnerabilities in software before deployment.
55. Buffer Overflow Prevention
• Buffer overflows, a common software security vulnerability, happen
when a process tries to store data beyond a fixed-length buffer.
• For example, if there are 8 slots to store items in, there will be a
problem if there is an attempt to store 9 items. In computer memory
the overflowed data may overwrite data in the next location which
can result in a security vulnerability (stack smashing) or program
termination (segmentation fault).
57. Buffer Overflow Prevention
If the user input is larger than the destination buffer, a buffer overflow
will occur. To fix this unsafe program, use strncpy to prevent a possible
buffer overflow.
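The slide's program is not reproduced on this page, so here is an added C example (not the original slide's code) of the fix it describes: a fixed-length buffer, the unsafe strcpy() pattern kept only as a comment, and a strncpy() copy that also handles the caveat that strncpy() does not NUL-terminate a full buffer. NAME_MAX and the sample names are constructed values.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 8   /* fixed-length destination: 7 characters plus the NUL */

/* The unsafe pattern the slide refers to, kept as a comment only because
   calling it with a long input is undefined behaviour:
 *
 *   void copy_name_unsafe(char dest[NAME_MAX], const char *src)
 *   {
 *       strcpy(dest, src);   // copies until src's NUL, however long
 *   }
 */

/* Fix with strncpy as the slide suggests. Caveat: strncpy() does not write
   a NUL when src fills the whole buffer, so the last byte is terminated
   explicitly. Returns 1 if the input was truncated to fit, else 0. */
int copy_name_bounded(char dest[NAME_MAX], const char *src)
{
    strncpy(dest, src, NAME_MAX - 1);
    dest[NAME_MAX - 1] = '\0';
    return strlen(src) > NAME_MAX - 1;
}

/* Stricter variant: refuse oversized input instead of silently truncating
   it (silent truncation of a path or a username can itself be a bug).
   Returns 0 on success, -1 with dest untouched if src does not fit. */
int copy_name_strict(char dest[NAME_MAX], const char *src)
{
    if (strlen(src) > NAME_MAX - 1)
        return -1;
    memcpy(dest, src, strlen(src) + 1);   /* length already verified */
    return 0;
}

int main(void)
{
    char name[NAME_MAX];
    int truncated = copy_name_bounded(name, "alexander");   /* 9 chars */
    printf("bounded: \"%s\" truncated=%d\n", name, truncated);
    printf("strict:  rc=%d\n", copy_name_strict(name, "alexander"));
    return 0;
}
```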
59. Format String Attack Prevention
• A Format String Attack is when a malicious user supplies specific
inputs that will eventually be entered as an argument to a function
that performs formatting, such as printf().
• The attack involves the adversary reading from or writing to the stack.
• The C printf function writes output to stdout. If the parameter of the
printf function is not properly formatted, several security bugs can be
introduced.
60. Format String Attack Prevention
• Below is a program that is vulnerable to a format string attack.
• A malicious argument passed to the program could be
“%s%s%s%s%s%s%s”, which can crash the program from improper
memory reads.
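The vulnerable program itself is not on this page, so the following is an added C example (not the slide's code) of the pattern and its fix: the user string must be passed as an argument, never as the format. The hostile input is the slide's own "%s%s%s%s%s%s%s"; function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* The vulnerable pattern from the slide, as a comment only: passing the
   user string as the format lets "%s%s%s%s%s%s%s" make printf() pull
   seven pointers off the stack and dereference them, which typically
   crashes the program. Calling it is undefined behaviour.
 *
 *   void log_unsafe(const char *user) { printf(user); }
 */

/* Hardened form: the format string is a compile-time constant and the
   user data is an argument, so any '%' in it is output literally. */
void log_safe(const char *user)
{
    printf("%s\n", user);
}

/* Same rule when building a string in memory. Returns the length the
   full message would have, so a caller can detect truncation. */
int render_safe(char *out, size_t outsz, const char *user)
{
    return snprintf(out, outsz, "msg: %s", user);
}

/* Input check useful for logging or alerting: count '%' characters in
   untrusted text that should never contain format directives. */
int count_percent(const char *s)
{
    int n = 0;
    for (; *s; s++)
        if (*s == '%')
            n++;
    return n;
}

int main(void)
{
    /* Constructed hostile input taken from the slide's example. */
    const char *arg = "%s%s%s%s%s%s%s";
    char buf[64];
    log_safe(arg);                                  /* prints it verbatim */
    render_safe(buf, sizeof buf, arg);
    printf("%s (%d percent signs)\n", buf, count_percent(arg));
    return 0;
}
```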
61. Integer Overflow Prevention
• Integer overflow occurs when an arithmetic operation results in an
integer too large to be represented within the available space. A
program which does not properly check for integer overflow
introduces potential software bugs and exploits.
62. Integer Overflow Prevention
• Below is a program which checks for overflow by confirming the sum
is greater than or equal to x and y. If the sum did overflow, the sum
would be less than x or less than y.
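The program the slide refers to is not on this page, so here is an added C example (not the slide's code) of its check: for unsigned operands, "sum >= x and sum >= y" proves the addition did not wrap. It goes beyond the slide with two caveats a practitioner needs: the post-hoc test is not valid for signed int (signed overflow is undefined behaviour), and the same wrap-around in a size computation leads to an undersized buffer. Function names are constructed for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unsigned addition with the slide's test. Unsigned arithmetic wraps
   modulo 2^32, and after a wrap the result is smaller than both operands,
   so "sum >= x and sum >= y" proves no overflow. Returns false (and
   leaves *out untouched) on overflow. */
bool add_u32_checked(uint32_t x, uint32_t y, uint32_t *out)
{
    uint32_t sum = x + y;
    if (sum < x || sum < y)
        return false;
    *out = sum;
    return true;
}

/* Caveat: the same post-hoc test is NOT valid for signed int, because
   signed overflow is undefined behaviour in C and the compiler may
   delete the check. Test the operands before adding instead. */
bool add_int_checked(int x, int y, int *out)
{
    if ((y > 0 && x > INT_MAX - y) || (y < 0 && x < INT_MIN - y))
        return false;
    *out = x + y;
    return true;
}

/* Sizing a buffer is where this bites: count * elem must not wrap,
   or a "small" allocation is followed by a large copy into it. */
bool mul_size_checked(size_t count, size_t elem, size_t *out)
{
    if (elem != 0 && count > SIZE_MAX / elem)
        return false;
    *out = count * elem;
    return true;
}

int main(void)
{
    uint32_t u; int s; size_t z;
    printf("u32 max+1: %s\n", add_u32_checked(UINT32_MAX, 1, &u) ? "ok" : "overflow");
    printf("int max+1: %s\n", add_int_checked(INT_MAX, 1, &s) ? "ok" : "overflow");
    printf("alloc:     %s\n", mul_size_checked(SIZE_MAX / 2, 4, &z) ? "ok" : "overflow");
    return 0;
}
```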
65. Electronic and Information Warfare
"Coming to grips with information warfare...is like the effort of the
blind men to discover the nature of the elephant: the one who touched
its leg called it a tree, another who touched its tail called it a rope, and
so on. Manifestations of information warfare are similarly
perceived...Taken together all the respectably held definitions of the
elephant suggest that there is little that is not information warfare."
~Martin Libicki
[Information Warfare Author]
66. Weapons of Information Warfare
• Information Collection
• Information Transport
• Information Protection
• Information Manipulation
• Information Disturbance, Degradation and Denial
67. Information Collection
• Information collection is included as part of information warfare
because the information revolution implies the rise of a mode of
warfare in which the side that knows more will enjoy decisive
advantage.
• The idea is that the more information one has, the higher is his/her
situational awareness, which leads to better battle plans and, hopefully,
better outcomes.
• In information warfare, information collection is much less dangerous
and much more complete because these technologies can be used to
infiltrate situations and gather accurate information with minimal loss
of fidelity.
68. Information Transport
• Collecting a large amount of comprehensive information is certainly good
practice, but collection is of little value if the information sits in a storage facility,
unused.
• As such, the ability to transport information into the hands of those who need it, in
a timely manner, is another essential aspect of information warfare.
• The tools used in this domain are not exactly weapons, but rather civilian
technologies put to use in military situations.
• The most important of these tools is communication infrastructure, composed of
networks of computers, routers, telephone lines, fiber optic cable, telephones,
televisions, radios, and other data transport technologies and protocols.
• Without these technologies, the ability to transport information in the real-time
fashion required by today's standards would be impossible.
69. Information Protection
• One of the most broadly agreed upon aspects of information warfare is the
need to minimize the amount of information to which your opponent has
access.
• A large part of this is protecting the information you have from capture by
the other side.
• The weapons used to protect the security of our information fall into two
classes.
• First are those technologies that physically protect our vital data storage
facilities, computers, and transport mechanisms, including bomb and bullet
proof casings and intrusion prevention mechanisms such as locks and
fingerprint scans.
70. Information Protection
• Second, and perhaps more important, are technologies that prevent
bits from being seen and intercepted by the enemy.
• This certainly includes basic computer security technologies such as
passwords, as well as more sophisticated technologies like encryption.
• By scrambling its own messages and unscrambling those of the other
side, each side performs the quintessential act of information warfare,
protecting its own view of reality while degrading that of the other
side.
71. Information Manipulation
• Information manipulation in the context of information warfare is the
alteration of information with intent to distort the opponent's picture of
reality.
• This can be done using a number of technologies, including computer
software for editing text, graphics, video, audio, and other information
transport forms.
• Design of the manipulated data is usually done manually so those in
command have control over what picture is being presented to the
enemy, but the aforementioned technologies are commonly used to
make the physical manipulation process faster.
72. Information Disturbance, Degradation and Denial
• The final aspects of information warfare, according to our earlier
definition, are disturbance, degradation, and denial.
• All three techniques are means to the same general end - preventing
the enemy from getting complete, correct information.
• Because of their similarity, many of the same weapons are used to
achieve one or more of the goals.
• Some of the more popular weapons used to wage these types of
information warfare are spoofing, noise introduction, jamming, and
overloading.
73. Information Disturbance, Degradation and Denial
• Spoofing is a technique used to degrade the quality of the information
being sent to the enemy.
• The enemy's flow of information is disturbed by the introduction of a
spoof, or fake message, into that flow.
• The technique works because it allows you to provide false
information to the targeted competitor's collection systems to induce
this organization to make bad decisions based upon this faulty
information.
74. Information Disturbance, Degradation and Denial
• Another way to disturb the information being received by one's
opponent is to introduce noise into the frequency they are
using. Background noise makes it difficult for the enemy to separate
the actual message from the noise. This is a particularly useful
technique if the enemy is using forms of wireless communication,
since those frequencies can be tapped without having to actually link
into a physical network of cables.
75. Information Disturbance, Degradation and Denial
• Jamming is a technique used to achieve denial that involves
intercepting signals sent between two communications links or
between a sensor and a link.
• The signal is intercepted, then jammed or stopped from further
progress toward its intended destination.
• In most cases, that same signal is stored by the captor as intelligence
information and used to determine the enemy's view of its own
position in the contest.
76. Information Disturbance, Degradation and Denial
• Overloading is a technique used to deny information to the enemy in
both military and civilian settings.
• By sending a volume of data to the enemy's communication system
that is too large for it to handle, one causes a crash or severe
degradation of the system's ability to deliver information.
• The system is so busy dealing with the overload, it is unable to
deliver the essential information to those who need it. This tactic is
referred to as a "denial of service" attack, and has been proven both
easy and effective.
• At one point, a college student was even able to bring down the
White House email server simply by sending 8000 copies of an email
message at one time!
Editor's Notes
P1: e.g. includes viruses, spyware, worms, etc.
P2: fake transaction site, fake Facebook, etc.
P3: similar to a phishing site, the difference being that here the data downloaded onto the device is harmful
e.g. drive-by download attacks
The example is an explanation of how a Trojan horse works.
P1: the user is unaware of such files, mostly because of a lack of knowledge that such attacks exist.
If there is a bug in Chrome which lets a web page admin access the data of other cookies when the URL is opened, then this is not malware but a vulnerability,
as the data which is stolen is collected not by Chrome but by the malicious admin.
Thus the malware in this case can be the data which the website is downloading onto your device.
Botnet examples are Storm, Conficker, Zeus, Flashback, Windigo, etc.; these are zombie botnets.
A zombie is a machine which has been infected by some sort of remotely controlled malware.
A virus can spread through script files, documents, XSS vulnerabilities, etc.
Worms
Worms cause harm to the host network by eating up bandwidth and overloading web servers.
Worms can also contain payloads that damage host machines.
Worms can also be classified as a computer virus, but with a major difference:
worms can self-replicate independently, whereas a virus depends on human activity for the same.
Ransomware
The malware restricts the user from accessing the computer files by either encrypting files on the hard drive or locking the system.
Ransomware spreads like a worm, either by a downloadable file or through some other vulnerability in the network.
Scareware is a type of malware designed to trick victims into purchasing and downloading useless and potentially dangerous software.
It generates pop-ups similar to Windows system messages and usually purports to be antivirus or anti-spyware software, a firewall or a registry cleaner.
The message typically says that a large number of problems, such as infected files, have been found on the system, and the user is prompted to purchase software to solve the so-called issue.
Trojan Horse
They create a backdoor in the system, giving the malicious user access to your system.
Unlike viruses and worms, they do not reproduce by infecting other files and do not self-replicate.
Keylogger
Keyloggers spread like viruses or worms and often cause financial loss by stealing sensitive data like net banking passwords.
In most cases botnets are used to cause denial of service attacks.
A famous example is the Estonia and Russia war of 2007-2008.
Examples of phishing attacks:
Deactivation scares: your purchase is about to expire.
Lookalike sites: a copy of Facebook.
Nigerian fee scams: an advance fee to perform some tasks which are never done.
Go directly to jail: fake messages to pay tax via the link provided, or we'll send your tax-stealing data to the Income Tax Department.
The infection mechanism generally targets files and infects those which are most likely to be used by the user, e.g. the My Computer shortcut on the desktop.
The trigger is mostly the user clicking on files; sometimes it can be things like when a specific process is executed, when the time is xyz, etc.
Payload: this is the actual virus packet. The payload contains harmful instructions which may cause temporary or permanent loss to the user.
The dormant phase is when the virus waits for the user to trigger it and does no harm to the system.
Propagation phase: here the virus begins to spread and gets attached to more and more files.
Adware: generally not very harmful, but causes ads to pop up on the system and can often be a front for viruses to execute which require command-line access. Depending on which ads you close and their response time, an analysis of the user can be made.
System monitors: they generally log user activities based on the programs which the user uses and their duration.
Tracking cookies: they track the user's footprints on the web and send reports to the attacker.