Malicious Software. Chapter 6. Computer Security: Principles and Practice презентация

Malware

“A program that is inserted into a system, usually covertly, with

Malicious software

Programs exploiting system vulnerabilities
Known as malicious software or malware
program fragments

Malware Terminology
Payload: actions of the malware
Virus: attaches itself to a program
Worm:

Viruses

Piece of software that infects programs
modifying them to include a copy

Virus structure

Components:
infection mechanism: enables replication
trigger: event that makes payload activate
payload: what

Virus structure

A virus such as the one just described is easily detected

Compression virus

P1 is infected

Virus classification

By target
boot sector: infect a master boot record
file infector: infects

Macro and scripting viruses

Became very common in mid-1990s since
platform independent
infect documents
easily

E-Mail Viruses

More recent development
Melissa
exploits MS Word macro in attached doc
if attachment

Virus countermeasures

Prevention: ideal solution but difficult
Realistically need:
detection: determine what occurred
identification: identify

Anti-virus evolution

Virus & antivirus tech have both evolved
Early viruses simple code,

Generic decryption (GD)

Runs executable files through GD scanner:
CPU emulator to interpret

Digital immune system

A monitoring pgm infers a virus, sends a copy

Behavior-blocking software Integrates with the OS; looks for bad behavior

Monitored behaviors:
Attempts to

Worms

Replicating program that propagates over net
using email, remote exec, remote login

Worm Propagation Model (based on recent attacks)

exponential rate of infection

linear rate

Morris worm

One of best known worms
Released by Robert Morris in 1988
Affected

More recent worm attacks

Melissa
1998: exploiting Microsoft Word macro embedded in

State of worm technology

Multiplatform: not limited to Windows
Multi-exploit: Web servers, emails,

Worm countermeasures

Overlaps with anti-virus techniques
Once worm on system A/V can detect
Worms

Proactive worm containment (PWC)

PWC agent monitors
outgoing traffic for
increased activity
2. When

Mobile code

Scripts, macros or other portable instructions
Popular ones: JavaScript, ActiveX, VBScript
Heterogeneous

Client-side vulnerabilities

Drive-by-downloads: common in recent attacks
Exploits browser vulnerabilities (when a user

Social engineering, spam, email, Trojans

“Tricking” users to assist in the compromise

Payload

What actions a malware will take on the system?
Data destruction, theft
Data

Payload attack agents: bots (zombie/drone)

Program taking over other computers and launch

Uses of bots

DDoS
Spamming
Sniffing traffic
Keylogging
Spreading malware
Installing advertisement
Manipulating games and polls

Payload: information theft

Credential theft, key loggers, spyware
Phishing identify theft
Spear phishing (act

A backdoor is a secret entry point into a program to

Payload: backdoor and rootkits

A rootkit is a set of programs

Rootkit System Table Mods A Unix Example

User API calls refer to a

Countermeasures for Malware

Prevention:
Ensure all systems are as current as possible, with

Countermeasures for Malware

If prevention fails, use technical mechanisms to support the