Malware

About This Presentation

Title:

Malware

Description:

registry scan which searches through the system registry database for trojans. ... Activated every Friday the 13th, the virus affects both .EXE and .COM files and ... – PowerPoint PPT presentation

Number of Views:258

Avg rating:3.0/5.0

Slides: 109

Provided by: bruce161

Category:

more less

Transcript and Presenter's Notes

Title: Malware

1
Malware
2

Trap Door
Logic Bombs
Trojan Horses
Worms
Bacteria
Viruses
Mobile Code
Spyware

Malware collection of techniques/programs that
produce undesirable effects on a computer system
or network
Differentiate based on
Needs host program
Independent
Replicate
Dont replicate

4
Malware
Needs Host Program
Independent
Worms
Bacteria
Trapdoor
Virus
Logic Bomb
Trojan Horse
5
Trap Doors

Secret entry point to a program that bypasses
normal security access procedures
Legitimate for testing/debugging
Recognizes some special input, user ID or
unlikely sequence of events
Difficult to detect at use
Must detect during software development and
software update

6
Logic Bombs

Code embedded in legitimate program that is set
to explode when certain conditions met
Presence/absence certain files
Date
Particular user
Bomb may
Alter/delete files
Halt machine
Other damage

7
Trojan Horses

Apparently useful program or command procedure
containing hidden code which performs harmful
function
Trick users into running by disguise as useful
program
Doesnt replicate itself
Used to accomplish functions indirectly that an
unauthorized user not permitted
Used for destructive purposes

8
(No Transcript)
9
Backdoor Trojans

Opens backdoor on your computer that enables
attackers to remotely access and control your
machine
Also called remote access Trojans
Attackers find your machine by scanning ports
used by Trojan
Common backdoor Trojans
Back Orifice
NetBus

Most anti-virus tools detect Trojans
Can also check open TCP ports against list of
known Trojan ports
Type netstat an command
Look at listening ports
Lists of known Trojan port numbers available via
Google search

11
(No Transcript)
12
(No Transcript)
13
(No Transcript)
14
(No Transcript)
15
Anti-Trojan Software

www.anti-trojan.net
Anti-Trojan 5.5 trojan scanner 21.95
Detects more than 9000 different types of trojan
horses.
Uses three methods to find them
Port scan which gives you information if there
are open ports on your computer.
registry scan which searches through the system
registry database for trojans.
disk scan scans your hard disks for dangerous
trojan files and removes them safely.

16
(No Transcript)
17
(No Transcript)
18
(No Transcript)
19
(No Transcript)
20
(No Transcript)
21
(No Transcript)
22
Worms

Programs that use network connections to spread
from system to system
Once active on a system can behave as another
form of malware
Propagates
Search for other systems to infect
Establish connection with remote system
Copy itself to remote system and executes

23
The Great Worm

Robert Morris released the most famous worm in
1988
Crashed 6000 machines on the Internet (10)
Exploited bug in fingerd program
Bug in worm crashed machines which prevented the
worm from spreading
Estimated damage 100 million
Three years probation, 400 hrs community service
, 10,500 fine

24
Worm Code Red

Scans Internet for Windows NT or 2000 servers
running IIS minus patch
Copies itself to server
Replicate itself for the first 20 days of each
month
Replace WEB pages on infected servers with a page
that declares Hacked by Chinese
Launch concerted attack on White House Web server
to overwhelm it

25
Bacteria

Programs that do not explicitly damage files
Sole purpose is to replicate themselves within a
system
Reproduce exponentially taking up
Processor capacity
Memory
Disk space

26
Viruses

Infect other programs by modifying them
First one written in 1983 by USC student Fred
Cohen to demonstrate the concept
Approximately 53,000 exist
Modification includes copy of virus

27
Virus Structure

Usually pre-pended or postpended to executable
program
When program invoked virus executes first, then
original program
First seeks out uninfected executable files and
infects them
Then performs some action

28
Four Stages of a Virus

Dormant
Idle until activated by some event
Propagation
Virus places identical copy of itself into other
programs or system areas on disk

Triggering Phase
Virus activated to perform function for which it
was intended
Based on
Date
Count of replications
Other system events

Execution Phase
Function performed which may be harmless or
destructive
Usually OS or hardware specific
Takes advantage of details and weaknesses of
system

31
How Virus are spread

Peer to peer networks
Via email attachments
Via media
FTP sites
Chat and instant messaging
Commercial software
Web surfing
Illegal software

32
Types of Viruses

Parasitic
Traditional virus and most common
Attaches itself to executable files and
replicates
Memory resident
Lodges in memory are part of OS
Infects every program that executes

Boot sector
Infects master boot record or boot record
Spreads when system boots
Seldom seen anymore
Stealth
Designed to hide itself from detection by
antivirus software

Polymorphic
Mutates with every infection
Functionally equivalent but distinctly different
bit patterns
Inserts superfluous instructions or interchange
order of independent instructions
Makes detection of signature of virus difficult
Mutation engine creates random key and encrypts
virus
Upon execution the encrypted virus is decrypted
and then run

Metamorphic
Structure of virus body changed
Decryption engine changed
Suspect file run in emulator and behavior analyzed

36
Mobile Code

Programming that specifies how applications
exchange information on the WEB
Browsers automatically download and execute
applications
Applications may be viruses

Common forms
Java Applets Java code embedded in WEB pages
that run automatically when page downloaded
ActiveX Controls similar to Java applets but
based on Microsoft technology, have total access
to Windows OS

New threat (potential) of including mobile code
in MP3 files
Macros languages embedded in files that can
automatically execute commands without users
knowledge
JavaScript
VBScript
Word/Excel

39
Macro Viruses

Make up two thirds of all viruses
Platform independent
Word documents are the common vehicle rather than
executable code
Concept 1995 first Word macro virus
Easily spread

Office applications usually have internal
language to perform repetitive operations
Macro executes sequence of keystrokes
Macro can copy itself to other documents, delete
files, other damage
Some macros invoked by special key stroke
Some macros invoked automatically

Three types
Autoexecute template stored in Words startup
directory, executed when Word started
Automacro executes when defined event occurs,
open/close document, create new document,
quitting Word
Command macro global macro file or attached to
document, executed whenever the user invokes the
command

42
Technique for spreading macro virus

Automacro / command macro is attached to Word
document
Introduced into system by email or disk transfer
Document opened and macro executes
Macro copies itself to global macro file
When Word started next global macro active

43
Melissa Virus March 1999

Spread in Word documents via email
Once opened virus would send itself to the first
50 people in Outlook address book
Infected normal.dot so any file opened latter
would be infected
Used Visual Basic for applications
Fastest spreading virus ever seen

44
ILOVEYOU Virus May 2000

Contained code as an attachment
Sent copies to everyone in address book
Corrupted files on victims machine deleted
mp3, jpg and other files
Searched for active passwords in memory and
emailed them to Web site in the Philippines
Infected approximately 10 million computers and
cost between 3 and 10 billion in lost
productivity

45
Preventative measures

MS offers optional macro virus protection tools
that detects suspicious Word files
Office 2000 Word macro options
Signed macros from trusted sources
Users prompted prior to running macro
All macros run
Antivirus product vendors have developed tools to
detect and correct macro viruses

46
Anti-virus Approaches

Prevention
Do not allow virus to enter system
Generally impossible to achieve
Detection
Determine infection has occurred
Locate virus

Identification
Once detection achieved
Identify specific virus
Removal
Remove all traces of virus from infected program
Restore program to original state

Sometimes removal is not possible then the
file(s) must be discarded an an unaffected
version of the file must be restored from backup
Antivirus software has evolved over four
generations

49
Antivirus First Generation

Simple scanner
Scans for virus signature (bit pattern)
Scans for length in program size
Limited to detection of known viruses

50
Antivirus Second Generation

Does not rely on specific signature
Uses heuristic rules to search for probable virus
infection
Looks for fragments of code often associated with
viruses
Integrity checking via checksum appended to each
program
Checksum is a encrypted hash

51
Antivirus Third Generation

Memory resident
ID virus by its actions rather than structure of
infected program
Not driven by signature or heuristic
Small set of actions
Intervenes

52
Antivirus Fourth Generation

Variety of antivirus techniques
Scanning and activity trap components
Access control capability
Limits ability of virus to update files

53
A Modern Virus - Bugbear

The virus of the year
Blended threat worm by leveraging multiple
infection paths
Comes as an attachment with random subject,
message body and attachment file name

Executable file may have single or double
extensions
Spoofs from header
Forwards itself to addresses in old emails on
your system
Truly distinguishing feature is the size of the
attachment 50,688 bytes

55
Bugbear What it does

Copies itself to a randomly named exe file
Makes registry changes
Adds itself to the startup folder
Mails itself to any address found on your
computer
Copies itself to open Windows network shares
Attempts to disable AV and firewalls
Installs Trojan code and keystroke logger
Listens on port 36794

56
Advanced Antivirus Techniques-Generic Decryption

Enables antivirus program to detect most complex
polymorphic virus
Contains the following
CPU emulator
Virus signature scanner
Emulation control module

Simulate decryption and execution of virus so can
be detected
No damage to real system
Main question is how long to run intepretation

58
Advanced Antivirus Techniques-Digital Immune
System

Developed by IBM
Historically spread of viruses relatively slow
Antivirus software updated monthly
But now spreads faster due to
Integrated mail systems
Mobil program systems Java, ActiveX

General purpose emulation and detection system
Objective is to have rapid response and stamp out
as soon as introduced

Virus enters an organization
Immune system automatically captures it
Analyzes it
Adds detection and shielding for it
Removes it
Passes info about virus to systems running IBM
Antivirus

Monitoring program on each client detects
suspicious activity and reports it
Administrative machine encrypts the sample and
sends it to central virus analysis machine
Runs infected program in safe environment

Resulting prescription sent back to
administrative machine
Administrative machine forwards prescription to
infected client
Prescription also sent to other clients
Subscribers around world receive regular
antivirus updates

63
(No Transcript)
64
History of Malware

1949Theories for self-replicating programs are
first developed.
1981Apple Viruses 1, 2, and 3 are some of the
first viruses "in the wild" or public domain.
Found on the Apple II operating system, the
viruses spread through Texas AM via pirated
computer games.
1983Fred Cohen, while working on his
dissertation, formally defines a computer virus
as "a computer program that can affect other
computer programs by modifying them in such a way
as to include a (possibly evolved) copy of
itself". The name 'virus' was thought of by Len
Adleman.

1986"Brain" "PC-Write Trojan" The common
story is that two brothers from Pakistan named
Basit and Amjad analysed the boot sector of a
floppy disk and developed a method of infecting
it with a virus dubbed "Brain" (the origin is
generally accepted but not absolute). Because it
spread widely on the popular MS-DOS PC system
this is typically called the first computer
virus even though it was predated by Cohen's
experiments and the Apple II virus. That same
year the first PC-based Trojan was released in
the form of the popular shareware program
PC-Write.
1987"Stoned" is the first virus to infect the
master boot record preventing it from starting up.

1988One of the most common viruses, "Jerusalem",
is unleashed. Activated every Friday the 13th,
the virus affects both .EXE and .COM files and
deletes any programs run on that day. An
Indonesian programmer releases the first
anti-virus software for the brain virus. The
"Internet Worm" is released and crashed 5000
computers.
1989IBM releases the first commercial anti-virus
products. Intensive anti-virus research
commences. The "Dark Avenger" virus appears.
1990Symantec launches Norton AntiVirus, one of
the first anti-virus programs developed by a
large company. Bulletin Boards (BBS) become a
common way for virus writers to share code.

1991"Tequila" is the first widespread
polymorphic virus found in the wild. Polymorphic
viruses make detection difficult for virus
scanners by changing their appearance with each
new infection. Virus construction kits can be
downloaded from virus bulletin boards enabling
almost anyone to write a virus. 9 in early 1991
reported they had experienced a virus attack. By
the end of the year that figure increased to
63.
19921300 viruses are in existence, an increase
of 420 from December of 1990. The Michelangelo
scare predicts 5 million computers will crash on
March 6. Only 5,000-10,000 actually go down.

1994Good Times email hoax tears through the
computer community. The hoax warns of a malicious
virus that will erase an entire hard drive just
by opening an email with the subject line "Good
Times". Though disproved, the hoax resurfaces
every six to twelve months. In England, the
writer if the "Pathogen" virus is found by
Scotland Yard and sentenced to 18 months in jail.
This is the first prosecution.

1995The "Concept" macro virus appears. Written
in Microsoft's WordBasic it can run on PCs and
Macs running Microsoft Word. Being so easy to
write, macro viruses become extensively
widespread.
1998Currently harmless and yet to be found in
the wild, StrangeBrew is the first virus to
infect Java files. The virus modifies CLASS files
to contain a copy of itself within the middle of
the file's code and to begin execution from the
virus section.

1999The Melissa virus, W97M/Melissa, executes a
macro in a document attached to an email, which
forwards the document to 50 people in the user's
Outlook address book. The virus also infects
other Word documents and subsequently mails them
out as attachments. Melissa spread faster than
any other previous virus and infected hundreds of
thousands of PCs.
The "Chernobyl" virus hit in April making the
hard drvie inaccessible causing wide spread
damage.

Tristate is the first multi-program macro virus
it infects Word, Excel, and PowerPoint files.
Bubbleboy is the first worm that would activate
when a user simply opened and E-mail message in
Microsoft Outlook (or previewed the message in
Outlook Express). No attachment is necessary.
Bubbleboy was the proof of concept Kak spread
widely using this technique.

2000The "Love Bug", also known as the "ILoveYou"
and "LoveLetter" virus, sends itself out via
Outlook, much like Melissa. From the Phillipines,
the virus comes as a VBS attachment and deletes
files, including MP3, MP2, and JPG. It also sends
usernames and passwords to the virus' author.
"LoveLetter" spread over the US and Europe in 6
hours and infected 2.5 million PCs causing an
estimated 8.7 billion in damage.
"W97M.Resume.A", a new variation of the "Melissa"
virus, is determined to be in the wild. The
"resume" virus acts much like "Melissa", using a
Word macro to infect Outlook and spread itself.

The "Stages" virus, disguised as a joke email
about the stages of life, spreads across the
Internet. Unlike previous viruses, "Stages" is
hidden in an attachment with a false ".txt"
extension, making it easier to lure recipients
into opening it. Until now, it has generally been
safe to assume the text files are safe.
August 2000 saw the first Trojan developed for
the Palm PDA. Called "Liberty" and developed by
Aaron Ardiri the co-developer of the Palm Game
Boy emulator Liberty, the Trojan was developed as
an uninstall program and was distributed to a few
people to help foil those who would steal the
actual software. When it was accidentally
released to the wider public Ardiri helped
contain its spread.

2001The Anna Kournikova virus, also known as
VBS/SST, which masquerades as a picture of Tennis
Star Anna Kournikova, operates in a similar
manner to Melissa and The Love Bug. It spreads by
sending copies of itself to the entire address
book in Microsoft Outlook. It is believed that
this virus was created with a so-called virus
creation kit, a program which can enable even a
novice programmer to create these malicious
programs.
In May, the HomePage email virus hit no more than
10,000 users of Microsoft Outlook. When opened,
the virus redirected users to sexually explicit
Web pages. Technically known as VBSWG.X, the
virus spread quickly through Asia and Europe, but
was mostly prevented in the U.S. because of
lessons learned in earlier time zones. The author
of the virus is said to live in Argentina, and
have authored the Kournikova virus earlier in the
year.

The Code Red I and II worms attacked computer
networks in July and August. According to
Computer Economics they affected over 700,000
computers and caused upwards of 2 billion in
damages. A worm spreads through external and
(then) internal computer networks, as opposed to
a virus which infects computers via email and
certain websites. Code Red took advantage of a
vulnerability in Microsoft's Windows 2000 and
Windows NT server software. Microsoft developed a
patch to protect networks against the worm, and
admits that they too were attacked. Other major
companies affected include ATT, and the AP.

On July 25, W32/Sircam Malicious Code appears,
spreading through e-mail and unprotected network
shares. The code affects both the infected
computer as well as all those in its e-mail
address book.
The W32/Nimda worm, taking advantage of back
doors left behind by the Code Red II worm, is the
first to propagate itself via several methods,
including e-mail, network shares and an infected
Web site. The worm spreads from client to Web
server by scanning for back doors.

Computer Associates International, Inc. (CA), the
world's leading provider of eBusiness management
solutions, released its "2001 Top 10 Virus
Threats" list. The list is based on reports
tracked by the company's eTrust Global Antivirus
Research Centers. The list, in order of
frequency, is as follows
1. Win32.Badtrans.B, 2. Win32.Sircam.137216, 3.
Win32.Magistr, 4. Win32.Badtrans.13312, 5.
Win32.Magistr.B, 6. Win32.Hybris.B, 7. Win95.MTX,
8. Win32.Nimda.A, 9. VBS.VBSWG.Generic, 10.
Win32.Goner.A

2002The Klezworm infects executables by creating
a hidden copy of the original host file and then
overwriting the original file with itself. The
hidden copy is encrypted, but contains no viral
data. The name of the hidden file is the same as
the original file, but with a random extension.
Nimda is a mass-mailing worm that utilizes
multiple methods to spread itself. The name of
the virus came from the reversed spelling of
"admin". The worm sends itself out by email,
searches for open network shares, attempts to
copy itself to unpatched or already vulnerable
Microsoft IIS web servers, and is a virus
infecting both local files and files on remote
network shares.

79
Virus Detection and Prevention Tips

Do not open an email from an unknown,
suspicious or untrustworthy source
Do not open any files attached to an email
Turn off preview pane in email client
Enable macro virus protection in all your
applications
Beware of pirated software
Dont accept files while chatting or messaging

Do not download any files from strangers.
Exercise caution when downloading files from the
Internet.
Turn on view file extensions so you can see what
type of file you are downloading
Save files to disk on download rather than launch
application
Update your anti-virus software regularly.
Back up your files on a regular basis.

81
Antivirus Features

Signature scanning
Heuristic Scanning
Manual Scanning
Real Time scanning
E-mail scanning
Download scanning

Script scanning
Macro scanning
Price
Update subscription cost

82
Norton Antivirus 2003
83
Options
84
Script Blocking
85
Scanning
86
(No Transcript)
87
E-Mail Scanning
88
Instant Messenger
89
Live Update
90
Live Update
91
Spyware
92
Spyware

Spyware is software/hardware that spies on what
you do on your computer
Often is it employs a user's Internet connection
in the background (the so-called "backchannel")
without their knowledge or explicit permission.
Installed without the users knowledge with
shareware/freeware

93
Spyware Capabilities

Record addresses of Web pages visited
Record recipient addresses of each email you
send
Record the sender addresses of each email you
receive
Recording the contents of each email you
send/receive

Record the contents of IM messages
Record the contents of each IRC chat
Recording keyboard keystrokes
Record all Windows activities

94
Who Uses Spyware

Corporations to monitor computer usage of
employees
Computer crackers to capture confidential
information
Parents to monitor use of family computer
Advertising and marketing companies to assemble
marketing data to serve personalized ads to
individual users

95
Spyware Software

Keystroke loggers
Invisible KeyKey Monitor
KeyLogger Stealth
Spector
E-mail monitors
IamBigBrother
MailGuard
MailMarshall
MIMEsweeper

Surveillance
iOpus STARR
Silent Watch
SpyAgent
WinSpy

96
www.spychecker.com
97
(No Transcript)
98
Spyware use examples

Real networks profiling their users' listening
habits
Aureate/Radiate and Conducent Technologies whose
advertising, monitoring, and profiling software
sneaks into our machines without our knowledge or
permission
Comet Cursor which secretly tracks our
web browsing
GoHip who hijacks our web browser and alters our
eMail signatures

99
Ad-Adware

From www.lavasoftUSA.com
Scans system for known spyware and allows you to
safely remove them
Allows backup before delete

100
(No Transcript)
101
(No Transcript)
102
(No Transcript)
103
(No Transcript)
104
(No Transcript)
105
(No Transcript)
106
(No Transcript)
107
(No Transcript)
108
TSAdBot

TSAdBot, from Conducent Technologies
(formerly TimeSink), is distributed with many
freeware and shareware programs, including the
Windows version of the compression utility PKZip.
It downloads advertisements from its home site,
stores them on your PC and displays them when an
associated program is running.
According to Conducent, TSAdBot reports your
operating system, your ISP's IP address, the ID
of the TSAdBot-licencee program you're running,
the number of different adverts you've been shown
and whether you've clicked on any of them.