
System Security - Virus and Worms

SYSTEM SECURITY: Malicious Software

CONTENTS
- Viruses and related threats
- Virus countermeasures
- Distributed denial of service (DDoS) attacks


1. Malicious software: software that is intentionally inserted into a system for a harmful purpose.
2. Virus: a piece of software that can infect other programs by modifying them to include a copy of itself.
3. Worm: a program that replicates itself and sends copies from computer to computer across a network, usually performing some unwanted function on each machine it reaches.
4. DDoS: distributed denial of service, a flood of traffic from many compromised machines that stops legitimate users from using a service.


MALICIOUS PROGRAMS:
Host dependent (needs a host program to run): backdoor, logic bomb, Trojan horse, virus.
Host independent (self-contained program): worm, zombie.

BACKDOOR (OR) TRAPDOOR:
A secret entry point into a program that lets someone who knows about it gain access without going through the usual security access procedures. Commonly inserted by developers to debug and test an application that has an authentication procedure, and sometimes left in place. Invoked either by a special sequence of input, by a particular user ID, or by an unlikely sequence of events. Difficult to counter with operating system controls; the defence lies in good software development practices and in reviewing software updates.

LOGIC BOMB:
One of the oldest types of program threat, predating viruses and worms. Code embedded in a legitimate program that is set to "explode" when certain conditions are met. Example trigger conditions:
- presence or absence of some file
- a particular date or time
- a particular user running the application
When triggered it typically damages the system: modifying or deleting files or whole disks, halting the machine, etc.

TROJAN HORSE:
A program or command procedure containing hidden code that, when invoked, performs an unwanted or harmful function. Appears superficially attractive, e.g. a game or a software upgrade. Lets an attacker accomplish indirectly functions that an unauthorized user cannot accomplish directly, because the Trojan runs with the privileges of the user who launches it. Often used to propagate a virus or worm, install a backdoor, or simply destroy data.

ZOMBIE:
A program that secretly takes over another computer on the network and then uses it to indirectly launch attacks that are hard to trace back to the zombie's creator. Often used to launch distributed denial of service (DDoS) attacks. Planted by exploiting known flaws in network systems. In short, a zombie is a program on an infected machine that is activated to launch attacks on other machines.

VIRUS:
A piece of software that can infect other programs by modifying them to include a copy of itself; the infected programs can in turn infect others. Makes a fresh copy of itself whenever it finds an uninfected piece of software. When an infected program is run, the virus code runs first, infects other programs, and may perform whatever function it was built for. A virus is specific to a particular operating system and often to a particular hardware platform; for example, a virus designed for Windows cannot infect Linux, and vice versa.

VIRUS OPERATION (FOUR PHASES):
1. Dormant phase: the virus is idle, waiting for an event (a date, the presence of a program or file, a disk capacity) to activate it. Not every virus has this phase.
2. Propagation phase: the virus places a copy of itself into other programs or into system areas on the disk. Each infected program now contains a clone that will itself enter a propagation phase.
3. Triggering phase: the virus is activated to perform the function for which it was intended, by an event such as a count of the copies it has made.
4. Execution phase: the function itself is performed, which may be harmless (a message on screen) or damaging (destroying programs and data).


VIRUS STRUCTURE:
(pseudocode; the first line of an infected file is the marker 1234567, so the virus never infects the same file twice)

program V :=
  {goto main;
   1234567;

   subroutine infect-executable :=
     {loop:
        file := get-random-executable-file;
        if (first-line-of-file = 1234567)
          then goto loop
          else prepend V to file;
     }

   subroutine do-damage :=
     {whatever damage is to be done}

   subroutine trigger-pulled :=
     {return true if some condition holds}

   main: main-program :=
     {infect-executable;
      if trigger-pulled then do-damage;
      goto next;}

   next:
  }
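The pseudocode above as a harmless, runnable simulation (added here; it is not code from the slides or from the textbook the pseudocode comes from). The "executables" are strings in a dictionary, the marker check is what stops a file being infected twice, and an empty candidate set returns None instead of looping forever as the pseudocode's `loop:` would once every file is infected. File names, contents and the trigger condition (two copies made) are constructed for the example.

```python
import random

MARKER = "1234567"   # the pseudocode's infection marker: first line of an infected file

# Constructed sample "executables": file name -> contents (a line of text stands in for code).
SAMPLE_FILES = {
    "ls":   "print('list files')\n",
    "cat":  "print('show file')\n",
    "grep": "print('search')\n",
}

def virus_body() -> str:
    """V itself: the marker line, then the (simulated) virus code that runs before the host."""
    return MARKER + "\n# virus: infect-executable; if trigger-pulled then do-damage\n"

def is_infected(content: str) -> bool:
    """The 'first-line-of-file = 1234567' test from the pseudocode."""
    return content.split("\n", 1)[0] == MARKER

def infect_executable(files: dict, rng):
    """Pick a random uninfected file and prepend V to it. Returns the victim's name, or None
    when every file is already infected (the pseudocode's loop would spin forever here)."""
    candidates = sorted(name for name, content in files.items() if not is_infected(content))
    if not candidates:
        return None
    victim = rng.choice(candidates)
    files[victim] = virus_body() + files[victim]
    return victim

def trigger_pulled(state: dict) -> bool:
    """Trigger condition for this example: the virus has made at least two copies."""
    return state["infections"] >= 2

def do_damage(state: dict) -> None:
    """Stand-in for 'whatever damage is to be done': just count the event."""
    state["damage_events"] += 1

def run_infected_program(files: dict, state: dict, rng):
    """Executing an infected program: V's main runs first (infect, maybe damage); control
    would then pass to the host program at 'next:'."""
    victim = infect_executable(files, rng)
    if victim is not None:
        state["infections"] += 1
    if trigger_pulled(state):
        do_damage(state)
    return victim

def simulate(files: dict, runs: int, seed: int = 0):
    """Plant one infected program ('patient0') and run an infected program `runs` times."""
    rng = random.Random(seed)
    state = {"infections": 0, "damage_events": 0}
    files = dict(files)                      # leave the caller's dictionary untouched
    files["patient0"] = virus_body() + "print('host program')\n"
    for _ in range(runs):
        run_infected_program(files, state, rng)
    return files, state

if __name__ == "__main__":
    infected, state = simulate(SAMPLE_FILES, runs=10)
    print(state, sorted(infected))
```

With ten runs over three clean files, the first three runs each infect one file, the trigger fires from the second run onward, and the remaining runs find nothing left to infect and only do damage: the infection marker is exactly what a first-generation scanner looks for, and the growth of each file is what a length check catches.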

VIRUS TYPES:
Parasitic virus: attaches itself to executable files and replicates when the infected program is run; the traditional and still most common form.
Memory-resident virus: lodges in main memory as part of a resident system program and from there infects every program that is executed.
Boot sector virus: infects a master boot record or boot sector and spreads when the system is booted from a disk containing the virus.
Stealth virus: explicitly designed to hide itself from detection by antivirus software, e.g. by compressing itself so the infected file keeps its original length, or by intercepting disk I/O so that a scanner reading the file is shown the original contents.

VIRUS TYPES (CONT.):
Polymorphic virus: mutates with every infection, typically by encrypting its body under a different random key each time and varying the small decryption routine, so no constant byte signature is present in the stored file. The functional body is not rewritten: once decrypted it is the same code on every infection.
Metamorphic virus: also mutates with every infection, but rewrites its own code completely at each iteration (equivalent instruction sequences, reordering, inserted junk), so even the decrypted body changes. This makes detection harder still.

MACRO VIRUSES:
Infect documents rather than executable files, by abusing the macro (scripting) facility of applications such as word processors and spreadsheets. Largely platform independent: any operating system that runs an application supporting the document format can be affected. Easy to spread, most commonly as an e-mail attachment. Later versions of office suites include built-in protection against macro viruses.

E-MAIL VIRUSES:
Spread by e-mail with an attachment containing a macro virus (e.g. Melissa). Once activated, the virus sends itself to everyone in the user's address book. Triggered when the user opens the attachment, or worse, merely views the mail if the mail agent's scripting features are enabled. Hence they propagate very quickly. May also do local damage.

WORMS:
A program that replicates itself and sends copies from computer to computer over the network, usually performing some unwanted function. Unlike a virus it does not need a human to run an infected program: it actively seeks out other machines to infect, and once active within a system, that machine serves as an automated launching pad for attacks on others. Does not infect programs the way a virus does, but may implant a Trojan horse or backdoor, or perform destructive actions that degrade the performance of the system.

WORM OPERATION:
The same four phases as a virus:
1. Dormant: idle, waiting to be activated.
2. Propagation: search for other systems to infect (host tables, address books, scanning); establish a connection to the target remote system; copy itself onto the remote system and cause the copy to run.
3. Triggering: activation by a condition or event.
4. Execution: the worm's function is performed.

MORRIS WORM:
Released on the Internet by Robert Morris in 1988. Designed for UNIX systems. Used several methods to gain access to other hosts:
- Logs in to a remote host as a legitimate user by cracking the local password file: tries the account name and simple permutations of it, a built-in word list and the system dictionary, then reuses the recovered user IDs and passwords on other hosts.
- Exploits a bug in the finger utility, which reports information about a remote user.
- Exploits a trapdoor in the debug option of the process that sends and receives mail (sendmail).
Whichever method succeeds, it then attacks the command interpreter on the target: it sends a short bootstrap program, executes it, and that program fetches the rest of the worm.
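The password-cracking step, as an added example modeled on the guess order described for the Morris worm (this is not the worm's code or the slides' material). The hash scheme (salted SHA-256), the two word lists and the password file are constructed assumptions; the UNIX systems of 1988 used crypt(3), for which the worm carried its own fast implementation. The point it shows is which passwords fall to this strategy and which do not.

```python
import hashlib
import os

# Constructed stand-ins for the worm's two word sources (the real lists were far longer).
INTERNAL_WORDS = ["secret", "password", "wizard", "unix", "guest", "cornell"]
SYSTEM_DICTIONARY = ["apple", "banana", "dragon", "summer", "winter"]

def hash_password(salt: bytes, password: str) -> str:
    """Salted SHA-256 stands in for crypt(3) in this example."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def candidate_passwords(user: str):
    """Guesses in the order the worm tried them: no password and simple permutations of the
    account name, then the internal word list, then the system dictionary."""
    seen = set()
    for guess in ["", user, user[::-1], user * 2, *INTERNAL_WORDS, *SYSTEM_DICTIONARY]:
        if guess not in seen:
            seen.add(guess)
            yield guess

def crack(entries: dict) -> dict:
    """entries: user -> (salt, digest). Returns user -> recovered password, or None."""
    result = {}
    for user, (salt, digest) in entries.items():
        result[user] = None
        for guess in candidate_passwords(user):
            if hash_password(salt, guess) == digest:
                result[user] = guess
                break
    return result

def constructed_password_file() -> dict:
    """A made-up password file: one weak password of each kind plus one strong one."""
    def entry(password: str):
        salt = os.urandom(8)
        return (salt, hash_password(salt, password))
    return {
        "alice": entry("alice"),        # password equals the account name
        "bob":   entry("wizard"),       # in the worm's internal list
        "carol": entry("lorac"),        # account name reversed
        "dave":  entry("x7#Qp9!vL2"),   # not reachable by this strategy
    }

if __name__ == "__main__":
    for user, password in crack(constructed_password_file()).items():
        print(f"{user}: {'cracked -> ' + password if password else 'not cracked'}")
```

Each recovered (user, password) pair was then tried on hosts the local machine trusted, which is why password reuse across machines mattered as much as password strength.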

VIRUS COUNTERMEASURES:
The ideal solution is prevention: do not allow a virus to enter the system in the first place. This is generally impossible, so the antivirus approach adds three steps for when prevention fails:
- Detection: determine that an infection has occurred and locate the virus.
- Identification: identify the specific virus that has infected a program.
- Removal: remove all traces of the virus and restore the program to its original state; if identification or removal is not possible, discard the infected program and reload a clean backup copy.

GENERATIONS OF ANTIVIRUS SOFTWARE:
First generation (simple scanners): the scanner uses a virus signature (a characteristic bit pattern) to identify known viruses, or keeps a record of program lengths to detect changes in length.
Second generation (heuristic scanners): uses heuristic rules (e.g. looking for code fragments such as an encryption loop) to spot a probable infection, or stores a cryptographic hash of each program to spot changes; if the hash key is kept out of the virus's reach, the virus cannot forge the stored hash to match its modifications.
Third generation (activity traps): memory-resident programs that identify a virus by its actions rather than its structure.
Fourth generation (full-featured protection): packages combining a variety of techniques, e.g. scanning and activity traps together with access-control capability that limits a virus's ability to penetrate the system and update files.
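The first two generations in working form: a length check and a keyed cryptographic hash over a file tree, as an added example (not code from the slides or from any antivirus product). It builds a baseline of (length, HMAC-SHA256) per file, then reports what changed. The temporary directory, its three "executables" and the tampering done to them are constructed for the example; the key is held by the scanner and assumed to be unreachable by the virus.

```python
import hashlib
import hmac
import os
import tempfile

def file_digest(path: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a file. With the key kept away from the protected host,
    a virus that rewrites the file cannot also rewrite the stored digest to match."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: str, key: bytes) -> dict:
    """Record (length, keyed digest) for every file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            baseline[rel] = (os.path.getsize(path), file_digest(path, key))
    return baseline

def check_integrity(root: str, baseline: dict, key: bytes) -> dict:
    """Compare the current tree against the baseline. 'length_changed' is first-generation
    evidence (the file grew or shrank); 'modified' is second-generation evidence (digest differs),
    which also catches same-length tampering that a length check misses."""
    current = build_baseline(root, key)
    report = {"modified": [], "length_changed": [], "added": [], "missing": []}
    for rel, (size, digest) in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
            continue
        cur_size, cur_digest = current[rel]
        if cur_digest != digest:
            report["modified"].append(rel)
            if cur_size != size:
                report["length_changed"].append(rel)
    report["added"] = [rel for rel in current if rel not in baseline]
    return {k: sorted(v) for k, v in report.items()}

def demo() -> dict:
    """Constructed scenario in a temporary directory: baseline three 'executables', then
    simulate a parasitic infection (virus body prepended), a same-length edit, a dropped
    file and a deleted file, and return the integrity report."""
    key = os.urandom(32)                 # the scanner's secret hash key
    with tempfile.TemporaryDirectory() as root:
        for name, body in {"ls": b"list files", "cat": b"show file", "grep": b"search"}.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root, key)
        cat = os.path.join(root, "cat")
        with open(cat, "rb") as f:
            original = f.read()
        with open(cat, "wb") as f:
            f.write(b"1234567\n# virus body\n" + original)   # parasitic infection: prepend
        with open(os.path.join(root, "grep"), "wb") as f:
            f.write(b"SEARCH")                               # same length, different bytes
        with open(os.path.join(root, "dropper"), "wb") as f:
            f.write(b"new file")
        os.remove(os.path.join(root, "ls"))
        return check_integrity(root, baseline, key)

if __name__ == "__main__":
    print(demo())
```

The length check alone would have reported only `cat`; the keyed digest also flags `grep`, which is why second-generation scanners moved to hashes, and why the key (not just the hash list) has to be protected.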

ADVANCED ANTIVIRUS TECHNIQUES:
1. Generic decryption (GD): enables an antivirus program to detect even the most complex polymorphic viruses while keeping scanning fast. Each executable file is run inside the GD scanner, which contains a CPU emulator (a software-based virtual computer), a virus signature scanner and an emulation control module. The polymorphic virus decrypts itself inside the emulator, exposing its body to the signature scanner; the control module decides how long to keep emulating before giving up on a file.
2. Digital immune system: developed by IBM (and later refined by Symantec) to respond to virus threats that spread too fast for manual analysis, in particular through:
- integrated mail systems
- mobile-program systems (programs that move from one system to another, such as Java and ActiveX)


DIGITAL IMMUNE SYSTEM:
[figure: digital immune system workflow; not reproduced here]

3. Behavior-blocking software: integrates with the operating system of the host, monitors program behaviour in real time (attempts to open, view, delete or modify files, format a drive, modify the logic of executables, change critical settings, or initiate network communications) and blocks potentially malicious actions before they can affect the system. Disadvantage: the malicious code must run before its behaviour can be judged, so it may already have done harm (deleted files, mailed itself to contacts) before the blocker stops it.
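Why a signature scanner misses a polymorphic virus, why generic decryption catches it anyway, and why a metamorphic rewrite defeats even that: an added toy covering the polymorphic/metamorphic types above and the generic-decryption technique (it is not code from the slides or from any real scanner). The "virus body", its signature, the one-byte XOR "encryption", the DECRYPT stub standing in for the decryptor routine, and the nop-insertion rewrite are all constructed stand-ins; a real decryptor is machine code and the emulator runs it instruction by instruction.

```python
import random

# Constructed stand-ins: the constant virus body and the byte string a vendor would extract
# from it as its signature. Neither is real malware.
BODY_TOKENS = [b"infect-executable", b"if trigger-pulled", b"do-damage"]
BODY = b"; ".join(BODY_TOKENS)
SIGNATURE = b"trigger-pulled; do-damage"
DECRYPTOR_STUB = b"DECRYPT"      # stands in for the small decryption routine

def make_polymorphic_sample(key: int) -> bytes:
    """Polymorphic infection: the body is stored XOR-encrypted under a per-infection key,
    so the stored bytes differ on every infection while the decrypted body stays the same."""
    assert 1 <= key <= 255
    cipher = bytes(b ^ key for b in BODY)
    return DECRYPTOR_STUB + bytes([key]) + cipher

def make_metamorphic_sample(seed: int) -> bytes:
    """Metamorphic infection: the body itself is rewritten, here by inserting a random number of
    no-op statements between instructions, so no fixed byte string survives the rewrite."""
    rng = random.Random(seed)
    out = BODY_TOKENS[0]
    for token in BODY_TOKENS[1:]:
        out += b"; " + b"nop; " * rng.randrange(1, 4) + token
    return out

def signature_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """First-generation scanner: look for the signature in the stored bytes."""
    return signature in sample

def generic_decryption_scan(sample: bytes, signature: bytes = SIGNATURE, max_steps: int = 10_000) -> bool:
    """Generic decryption: 'emulate' the decryptor against a sandboxed copy of the sample and run
    the signature scanner over that buffer after every emulated step (the emulation control
    module's job). max_steps bounds the time spent on a sample whose loop never finishes."""
    if not sample.startswith(DECRYPTOR_STUB):
        return signature_scan(sample)                # nothing to emulate, plain scan
    key = sample[len(DECRYPTOR_STUB)]
    memory = bytearray(sample[len(DECRYPTOR_STUB) + 1:])
    for step in range(min(len(memory), max_steps)):
        memory[step] ^= key                          # one emulated iteration of the loop
        if signature in memory:
            return True
    return False

if __name__ == "__main__":
    a, b = make_polymorphic_sample(0x5A), make_polymorphic_sample(0xA5)
    print("two polymorphic copies identical:", a == b)
    print("signature scan on stored bytes:", signature_scan(a), signature_scan(b))
    print("generic decryption:", generic_decryption_scan(a), generic_decryption_scan(b))
    print("metamorphic copy, generic decryption:", generic_decryption_scan(make_metamorphic_sample(7)))
```

The two polymorphic copies share no signature on disk yet both decrypt to the same body, which is all GD needs; the metamorphic copy has no encryption to undo and its body never contains the signature, so detecting it needs behavioural or heuristic methods rather than a byte pattern.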


DISTRIBUTED DENIAL OF SERVICE ATTACKS:
An attempt to make a service unavailable to its legitimate users by flooding the server, the network or end systems with useless traffic. "Distributed" means a single attacker drives many compromised machines (zombies), so the combined traffic is far larger than one source could generate and harder to filter by source. Consumes the target's resources. Classified by the type of resource consumed:
- internal resource attack: exhausts a resource on the target host itself, e.g. a SYN flood that fills the table of half-open TCP connections
- attack consuming data transmission resources: saturates the target's network link with sheer packet volume
Classified by the type of attack:
- direct DDoS: zombies send traffic straight to the target, usually with spoofed source addresses
- reflector DDoS: zombies send packets whose spoofed source address is the target to uninfected third-party machines (reflectors), whose replies flood the target

CONSTRUCTING THE ATTACK NETWORK:
The attacker needs three things to build a zombie network:
1. Software that can carry out the DDoS attack, planted on each zombie, that can be triggered at a particular time or on command and is hard to detect.
2. A vulnerability present in a large number of systems, through which the attacker can plant that software.
3. A scanning strategy for finding the vulnerable systems:
- Random: probe random IP addresses.
- Hit list: the attacker compiles a list of vulnerable machines in advance and then attacks them.
- Topological: use information found on an infected machine (address books, host tables) to locate new targets.
- Local subnet: look for targets on the infected machine's own LAN, behind the firewall.

DDOS COUNTERMEASURES:
Three lines of defence, by when they apply:
- Attack prevention and preemption (before the attack): harden systems so they cannot be turned into zombies, and provision resources so the target can keep serving legitimate traffic under load.
- Attack detection and filtering (during the attack): detect the attack as it begins and filter out the attack traffic while passing legitimate traffic.
- Attack source traceback and identification (during and after the attack): identify the source of the attack as a step towards preventing future attacks.
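The detection-and-filtering step on constructed flow records, as an added example (not from the slides or any product). It buckets packets per destination and second, calls a bucket over a rate threshold a flood, and uses the profile of the flood to separate the two attack types defined above: a direct SYN flood shows many spoofed sources sending SYN-only TCP segments, a reflector flood shows UDP replies from well-known service ports. The record format, the threshold, the list of reflector ports and the traffic sample are all assumptions of the example.

```python
import random
from collections import defaultdict

# UDP services commonly abused as reflectors; this list is the example's own, not from the slides.
REFLECTOR_PORTS = {53, 123, 161, 1900, 11211}

def parse_record(line: str) -> dict:
    """Constructed flow-record format: '<ts> <src_ip>:<port> <dst_ip>:<port> <proto> <tcp_flags>'."""
    ts, src, dst, proto, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": float(ts), "src": sip, "sport": int(sport), "dst": dip,
            "dport": int(dport), "proto": proto, "flags": flags}

def analyze(lines, pps_threshold: int = 500) -> dict:
    """Bucket packets per (destination, second). A bucket at or over the threshold is a flood;
    the TCP-flag and source-port profile names the kind. Returns destination -> worst verdict."""
    buckets = defaultdict(list)
    for line in lines:
        r = parse_record(line)
        buckets[(r["dst"], int(r["ts"]))].append(r)
    verdicts = {}
    for (dst, second), recs in buckets.items():
        if len(recs) < pps_threshold:
            continue
        syn_only = sum(1 for r in recs if r["proto"] == "tcp" and r["flags"] == "S")
        reflected = sum(1 for r in recs if r["proto"] == "udp" and r["sport"] in REFLECTOR_PORTS)
        if syn_only >= 0.5 * len(recs):
            kind = "direct SYN flood"
        elif reflected >= 0.5 * len(recs):
            kind = "reflector flood"
        else:
            kind = "volumetric flood"
        prev = verdicts.get(dst)
        if prev is None or len(recs) > prev["pps"]:
            verdicts[dst] = {"kind": kind, "pps": len(recs), "second": second,
                             "sources": len({r["src"] for r in recs})}
    return verdicts

def filter_rules(verdicts: dict) -> list:
    """Turn each verdict into the filtering action an operator would apply during the attack."""
    rules = []
    for dst, v in verdicts.items():
        if v["kind"] == "direct SYN flood":
            rules.append(f"{dst}: rate-limit inbound TCP SYN and enable SYN cookies")
        elif v["kind"] == "reflector flood":
            rules.append(f"{dst}: drop UDP from source ports {sorted(REFLECTOR_PORTS)} "
                         f"that do not match a request this host sent")
        else:
            rules.append(f"{dst}: rate-limit all inbound traffic")
    return rules

def constructed_traffic(seed: int = 0) -> list:
    """Constructed sample: 10 s of benign web traffic, then a 1 s direct SYN flood from
    2000 spoofed sources, then a 1 s DNS reflector flood against a second host."""
    rng = random.Random(seed)
    def rand_ip() -> str:
        return ".".join(str(rng.randrange(1, 255)) for _ in range(4))
    lines = []
    clients = [rand_ip() for _ in range(5)]
    for i in range(200):          # 20 packets/s of established web traffic
        lines.append(f"{1000 + i * 0.05:.2f} {rng.choice(clients)}:{rng.randrange(1024, 65535)} "
                     f"203.0.113.10:80 tcp PA")
    for i in range(2000):         # SYN flood, one spoofed source per packet
        lines.append(f"{1020 + i / 2000:.4f} {rand_ip()}:{rng.randrange(1024, 65535)} "
                     f"203.0.113.10:80 tcp S")
    reflectors = [rand_ip() for _ in range(300)]
    for i in range(1500):         # DNS replies from reflectors to a victim that never asked
        lines.append(f"{1030 + i / 1500:.4f} {rng.choice(reflectors)}:53 "
                     f"203.0.113.20:{rng.randrange(1024, 65535)} udp -")
    return lines

if __name__ == "__main__":
    for rule in filter_rules(analyze(constructed_traffic())):
        print(rule)
```

The benign second-by-second buckets stay far below the threshold, so only the two flood seconds produce verdicts. Note what the two profiles imply for traceback: in the direct case the source addresses are spoofed and tell you nothing, while in the reflector case the sources are real but innocent, so traceback has to go one hop further to the zombies that sent the spoofed requests.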