Malware - PowerPoint PPT Presentation

1 / 108
About This Presentation
Title:

Malware

Description:

registry scan which searches through the system registry database for trojans. ... Activated every Friday the 13th, the virus affects both .EXE and .COM files and ... – PowerPoint PPT presentation

Number of Views:260
Avg rating:3.0/5.0
Slides: 109
Provided by: bruce161
Category:
Tags: 13th | friday | malware | the

less

Transcript and Presenter's Notes

Title: Malware


1
Malware
2
  • Trap Door
  • Logic Bombs
  • Trojan Horses
  • Worms
  • Bacteria
  • Viruses
  • Mobile Code
  • Spyware

3
  • Malware collection of techniques/programs that
    produce undesirable effects on a computer system
    or network
  • Differentiate based on
  • Needs host program
  • Independent
  • Replicate
  • Dont replicate

4
Malware
Needs Host Program
Independent
Worms
Bacteria
Trapdoor
Virus
Logic Bomb
Trojan Horse
5
Trap Doors
  • Secret entry point to a program that bypasses
    normal security access procedures
  • Legitimate for testing/debugging
  • Recognizes some special input, user ID or
    unlikely sequence of events
  • Difficult to detect at use
  • Must detect during software development and
    software update

6
Logic Bombs
  • Code embedded in legitimate program that is set
    to explode when certain conditions met
  • Presence/absence certain files
  • Date
  • Particular user
  • Bomb may
  • Alter/delete files
  • Halt machine
  • Other damage

7
Trojan Horses
  • Apparently useful program or command procedure
    containing hidden code which performs harmful
    function
  • Trick users into running by disguise as useful
    program
  • Doesnt replicate itself
  • Used to accomplish functions indirectly that an
    unauthorized user not permitted
  • Used for destructive purposes

8
(No Transcript)
9
Backdoor Trojans
  • Opens backdoor on your computer that enables
    attackers to remotely access and control your
    machine
  • Also called remote access Trojans
  • Attackers find your machine by scanning ports
    used by Trojan
  • Common backdoor Trojans
  • Back Orifice
  • NetBus

10
  • Most anti-virus tools detect Trojans
  • Can also check open TCP ports against list of
    known Trojan ports
  • Type netstat an command
  • Look at listening ports
  • Lists of known Trojan port numbers available via
    Google search

11
(No Transcript)
12
(No Transcript)
13
(No Transcript)
14
(No Transcript)
15
Anti-Trojan Software
  • www.anti-trojan.net
  • Anti-Trojan 5.5 trojan scanner 21.95
  • Detects more than 9000 different types of trojan
    horses.
  • Uses three methods to find them
  • Port scan which gives you information if there
    are open ports on your computer.
  • registry scan which searches through the system
    registry database for trojans.
  • disk scan scans your hard disks for dangerous
    trojan files and removes them safely.

16
(No Transcript)
17
(No Transcript)
18
(No Transcript)
19
(No Transcript)
20
(No Transcript)
21
(No Transcript)
22
Worms
  • Programs that use network connections to spread
    from system to system
  • Once active on a system can behave as another
    form of malware
  • Propagates
  • Search for other systems to infect
  • Establish connection with remote system
  • Copy itself to remote system and executes

23
The Great Worm
  • Robert Morris released the most famous worm in
    1988
  • Crashed 6000 machines on the Internet (10)
  • Exploited bug in fingerd program
  • Bug in worm crashed machines which prevented the
    worm from spreading
  • Estimated damage 100 million
  • Three years probation, 400 hrs community service
    , 10,500 fine

24
Worm Code Red
  • Scans Internet for Windows NT or 2000 servers
    running IIS minus patch
  • Copies itself to server
  • Replicate itself for the first 20 days of each
    month
  • Replace WEB pages on infected servers with a page
    that declares Hacked by Chinese
  • Launch concerted attack on White House Web server
    to overwhelm it

25
Bacteria
  • Programs that do not explicitly damage files
  • Sole purpose is to replicate themselves within a
    system
  • Reproduce exponentially taking up
  • Processor capacity
  • Memory
  • Disk space

26
Viruses
  • Infect other programs by modifying them
  • First one written in 1983 by USC student Fred
    Cohen to demonstrate the concept
  • Approximately 53,000 exist
  • Modification includes copy of virus

27
Virus Structure
  • Usually pre-pended or postpended to executable
    program
  • When program invoked virus executes first, then
    original program
  • First seeks out uninfected executable files and
    infects them
  • Then performs some action

28
Four Stages of a Virus
  • Dormant
  • Idle until activated by some event
  • Propagation
  • Virus places identical copy of itself into other
    programs or system areas on disk

29
  • Triggering Phase
  • Virus activated to perform function for which it
    was intended
  • Based on
  • Date
  • Count of replications
  • Other system events

30
  • Execution Phase
  • Function performed which may be harmless or
    destructive
  • Usually OS or hardware specific
  • Takes advantage of details and weaknesses of
    system

31
How Virus are spread
  • Peer to peer networks
  • Via email attachments
  • Via media
  • FTP sites
  • Chat and instant messaging
  • Commercial software
  • Web surfing
  • Illegal software

32
Types of Viruses
  • Parasitic
  • Traditional virus and most common
  • Attaches itself to executable files and
    replicates
  • Memory resident
  • Lodges in memory are part of OS
  • Infects every program that executes

33
  • Boot sector
  • Infects master boot record or boot record
  • Spreads when system boots
  • Seldom seen anymore
  • Stealth
  • Designed to hide itself from detection by
    antivirus software

34
  • Polymorphic
  • Mutates with every infection
  • Functionally equivalent but distinctly different
    bit patterns
  • Inserts superfluous instructions or interchange
    order of independent instructions
  • Makes detection of signature of virus difficult
  • Mutation engine creates random key and encrypts
    virus
  • Upon execution the encrypted virus is decrypted
    and then run

35
  • Metamorphic
  • Structure of virus body changed
  • Decryption engine changed
  • Suspect file run in emulator and behavior analyzed

36
Mobile Code
  • Programming that specifies how applications
    exchange information on the WEB
  • Browsers automatically download and execute
    applications
  • Applications may be viruses

37
  • Common forms
  • Java Applets Java code embedded in WEB pages
    that run automatically when page downloaded
  • ActiveX Controls similar to Java applets but
    based on Microsoft technology, have total access
    to Windows OS

38
  • New threat (potential) of including mobile code
    in MP3 files
  • Macros languages embedded in files that can
    automatically execute commands without users
    knowledge
  • JavaScript
  • VBScript
  • Word/Excel

39
Macro Viruses
  • Make up two thirds of all viruses
  • Platform independent
  • Word documents are the common vehicle rather than
    executable code
  • Concept 1995 first Word macro virus
  • Easily spread

40
  • Office applications usually have internal
    language to perform repetitive operations
  • Macro executes sequence of keystrokes
  • Macro can copy itself to other documents, delete
    files, other damage
  • Some macros invoked by special key stroke
  • Some macros invoked automatically

41
  • Three types
  • Autoexecute template stored in Words startup
    directory, executed when Word started
  • Automacro executes when defined event occurs,
    open/close document, create new document,
    quitting Word
  • Command macro global macro file or attached to
    document, executed whenever the user invokes the
    command

42
Technique for spreading macro virus
  • Automacro / command macro is attached to Word
    document
  • Introduced into system by email or disk transfer
  • Document opened and macro executes
  • Macro copies itself to global macro file
  • When Word started next global macro active

43
Melissa Virus March 1999
  • Spread in Word documents via email
  • Once opened virus would send itself to the first
    50 people in Outlook address book
  • Infected normal.dot so any file opened latter
    would be infected
  • Used Visual Basic for applications
  • Fastest spreading virus ever seen

44
ILOVEYOU Virus May 2000
  • Contained code as an attachment
  • Sent copies to everyone in address book
  • Corrupted files on victims machine deleted
    mp3, jpg and other files
  • Searched for active passwords in memory and
    emailed them to Web site in the Philippines
  • Infected approximately 10 million computers and
    cost between 3 and 10 billion in lost
    productivity

45
Preventative measures
  • MS offers optional macro virus protection tools
    that detects suspicious Word files
  • Office 2000 Word macro options
  • Signed macros from trusted sources
  • Users prompted prior to running macro
  • All macros run
  • Antivirus product vendors have developed tools to
    detect and correct macro viruses

46
Anti-virus Approaches
  • Prevention
  • Do not allow virus to enter system
  • Generally impossible to achieve
  • Detection
  • Determine infection has occurred
  • Locate virus

47
  • Identification
  • Once detection achieved
  • Identify specific virus
  • Removal
  • Remove all traces of virus from infected program
  • Restore program to original state

48
  • Sometimes removal is not possible then the
    file(s) must be discarded an an unaffected
    version of the file must be restored from backup
  • Antivirus software has evolved over four
    generations

49
Antivirus First Generation
  • Simple scanner
  • Scans for virus signature (bit pattern)
  • Scans for length in program size
  • Limited to detection of known viruses

50
Antivirus Second Generation
  • Does not rely on specific signature
  • Uses heuristic rules to search for probable virus
    infection
  • Looks for fragments of code often associated with
    viruses
  • Integrity checking via checksum appended to each
    program
  • Checksum is a encrypted hash

51
Antivirus Third Generation
  • Memory resident
  • ID virus by its actions rather than structure of
    infected program
  • Not driven by signature or heuristic
  • Small set of actions
  • Intervenes

52
Antivirus Fourth Generation
  • Variety of antivirus techniques
  • Scanning and activity trap components
  • Access control capability
  • Limits ability of virus to update files

53
A Modern Virus - Bugbear
  • The virus of the year
  • Blended threat worm by leveraging multiple
    infection paths
  • Comes as an attachment with random subject,
    message body and attachment file name

54
  • Executable file may have single or double
    extensions
  • Spoofs from header
  • Forwards itself to addresses in old emails on
    your system
  • Truly distinguishing feature is the size of the
    attachment 50,688 bytes

55
Bugbear What it does
  • Copies itself to a randomly named exe file
  • Makes registry changes
  • Adds itself to the startup folder
  • Mails itself to any address found on your
    computer
  • Copies itself to open Windows network shares
  • Attempts to disable AV and firewalls
  • Installs Trojan code and keystroke logger
  • Listens on port 36794

56
Advanced Antivirus Techniques-Generic Decryption
  • Enables antivirus program to detect most complex
    polymorphic virus
  • Contains the following
  • CPU emulator
  • Virus signature scanner
  • Emulation control module

57
  • Simulate decryption and execution of virus so can
    be detected
  • No damage to real system
  • Main question is how long to run intepretation

58
Advanced Antivirus Techniques-Digital Immune
System
  • Developed by IBM
  • Historically spread of viruses relatively slow
  • Antivirus software updated monthly
  • But now spreads faster due to
  • Integrated mail systems
  • Mobil program systems Java, ActiveX

59
  • General purpose emulation and detection system
  • Objective is to have rapid response and stamp out
    as soon as introduced

60
  • Virus enters an organization
  • Immune system automatically captures it
  • Analyzes it
  • Adds detection and shielding for it
  • Removes it
  • Passes info about virus to systems running IBM
    Antivirus

61
  • Monitoring program on each client detects
    suspicious activity and reports it
  • Administrative machine encrypts the sample and
    sends it to central virus analysis machine
  • Runs infected program in safe environment

62
  • Resulting prescription sent back to
    administrative machine
  • Administrative machine forwards prescription to
    infected client
  • Prescription also sent to other clients
  • Subscribers around world receive regular
    antivirus updates

63
(No Transcript)
64
History of Malware
  • 1949Theories for self-replicating programs are
    first developed.
  • 1981Apple Viruses 1, 2, and 3 are some of the
    first viruses "in the wild" or public domain.
    Found on the Apple II operating system, the
    viruses spread through Texas AM via pirated
    computer games.
  • 1983Fred Cohen, while working on his
    dissertation, formally defines a computer virus
    as "a computer program that can affect other
    computer programs by modifying them in such a way
    as to include a (possibly evolved) copy of
    itself". The name 'virus' was thought of by Len
    Adleman.

65
  • 1986"Brain" "PC-Write Trojan" The common
    story is that two brothers from Pakistan named
    Basit and Amjad analysed the boot sector of a
    floppy disk and developed a method of infecting
    it with a virus dubbed "Brain" (the origin is
    generally accepted but not absolute). Because it
    spread widely on the popular MS-DOS PC system
    this is typically called the first computer
    virus even though it was predated by Cohen's
    experiments and the Apple II virus. That same
    year the first PC-based Trojan was released in
    the form of the popular shareware program
    PC-Write.
  • 1987"Stoned" is the first virus to infect the
    master boot record preventing it from starting up.

66
  • 1988One of the most common viruses, "Jerusalem",
    is unleashed. Activated every Friday the 13th,
    the virus affects both .EXE and .COM files and
    deletes any programs run on that day. An
    Indonesian programmer releases the first
    anti-virus software for the brain virus. The
    "Internet Worm" is released and crashed 5000
    computers.
  • 1989IBM releases the first commercial anti-virus
    products. Intensive anti-virus research
    commences. The "Dark Avenger" virus appears.
  • 1990Symantec launches Norton AntiVirus, one of
    the first anti-virus programs developed by a
    large company. Bulletin Boards (BBS) become a
    common way for virus writers to share code.

67
  • 1991"Tequila" is the first widespread
    polymorphic virus found in the wild. Polymorphic
    viruses make detection difficult for virus
    scanners by changing their appearance with each
    new infection. Virus construction kits can be
    downloaded from virus bulletin boards enabling
    almost anyone to write a virus. 9 in early 1991
    reported they had experienced a virus attack. By
    the end of the year that figure increased to
    63.
  • 19921300 viruses are in existence, an increase
    of 420 from December of 1990. The Michelangelo
    scare predicts 5 million computers will crash on
    March 6. Only 5,000-10,000 actually go down.

68
  • 1994Good Times email hoax tears through the
    computer community. The hoax warns of a malicious
    virus that will erase an entire hard drive just
    by opening an email with the subject line "Good
    Times". Though disproved, the hoax resurfaces
    every six to twelve months. In England, the
    writer if the "Pathogen" virus is found by
    Scotland Yard and sentenced to 18 months in jail.
    This is the first prosecution.

69
  • 1995The "Concept" macro virus appears. Written
    in Microsoft's WordBasic it can run on PCs and
    Macs running Microsoft Word. Being so easy to
    write, macro viruses become extensively
    widespread.
  • 1998Currently harmless and yet to be found in
    the wild, StrangeBrew is the first virus to
    infect Java files. The virus modifies CLASS files
    to contain a copy of itself within the middle of
    the file's code and to begin execution from the
    virus section.

70
  • 1999The Melissa virus, W97M/Melissa, executes a
    macro in a document attached to an email, which
    forwards the document to 50 people in the user's
    Outlook address book. The virus also infects
    other Word documents and subsequently mails them
    out as attachments. Melissa spread faster than
    any other previous virus and infected hundreds of
    thousands of PCs.
  • The "Chernobyl" virus hit in April making the
    hard drvie inaccessible causing wide spread
    damage.

71
  • Tristate is the first multi-program macro virus
    it infects Word, Excel, and PowerPoint files.
  • Bubbleboy is the first worm that would activate
    when a user simply opened and E-mail message in
    Microsoft Outlook (or previewed the message in
    Outlook Express). No attachment is necessary.
    Bubbleboy was the proof of concept Kak spread
    widely using this technique.

72
  • 2000The "Love Bug", also known as the "ILoveYou"
    and "LoveLetter" virus, sends itself out via
    Outlook, much like Melissa. From the Phillipines,
    the virus comes as a VBS attachment and deletes
    files, including MP3, MP2, and JPG. It also sends
    usernames and passwords to the virus' author.
    "LoveLetter" spread over the US and Europe in 6
    hours and infected 2.5 million PCs causing an
    estimated 8.7 billion in damage.
  • "W97M.Resume.A", a new variation of the "Melissa"
    virus, is determined to be in the wild. The
    "resume" virus acts much like "Melissa", using a
    Word macro to infect Outlook and spread itself.

73
  • The "Stages" virus, disguised as a joke email
    about the stages of life, spreads across the
    Internet. Unlike previous viruses, "Stages" is
    hidden in an attachment with a false ".txt"
    extension, making it easier to lure recipients
    into opening it. Until now, it has generally been
    safe to assume the text files are safe.
  • August 2000 saw the first Trojan developed for
    the Palm PDA. Called "Liberty" and developed by
    Aaron Ardiri the co-developer of the Palm Game
    Boy emulator Liberty, the Trojan was developed as
    an uninstall program and was distributed to a few
    people to help foil those who would steal the
    actual software. When it was accidentally
    released to the wider public Ardiri helped
    contain its spread.

74
  • 2001The Anna Kournikova virus, also known as
    VBS/SST, which masquerades as a picture of Tennis
    Star Anna Kournikova, operates in a similar
    manner to Melissa and The Love Bug. It spreads by
    sending copies of itself to the entire address
    book in Microsoft Outlook. It is believed that
    this virus was created with a so-called virus
    creation kit, a program which can enable even a
    novice programmer to create these malicious
    programs.
  • In May, the HomePage email virus hit no more than
    10,000 users of Microsoft Outlook. When opened,
    the virus redirected users to sexually explicit
    Web pages. Technically known as VBSWG.X, the
    virus spread quickly through Asia and Europe, but
    was mostly prevented in the U.S. because of
    lessons learned in earlier time zones. The author
    of the virus is said to live in Argentina, and
    have authored the Kournikova virus earlier in the
    year.

75
  • The Code Red I and II worms attacked computer
    networks in July and August. According to
    Computer Economics they affected over 700,000
    computers and caused upwards of 2 billion in
    damages. A worm spreads through external and
    (then) internal computer networks, as opposed to
    a virus which infects computers via email and
    certain websites. Code Red took advantage of a
    vulnerability in Microsoft's Windows 2000 and
    Windows NT server software. Microsoft developed a
    patch to protect networks against the worm, and
    admits that they too were attacked. Other major
    companies affected include ATT, and the AP.

76
  • On July 25, W32/Sircam Malicious Code appears,
    spreading through e-mail and unprotected network
    shares. The code affects both the infected
    computer as well as all those in its e-mail
    address book.
  • The W32/Nimda worm, taking advantage of back
    doors left behind by the Code Red II worm, is the
    first to propagate itself via several methods,
    including e-mail, network shares and an infected
    Web site. The worm spreads from client to Web
    server by scanning for back doors.

77
  • Computer Associates International, Inc. (CA), the
    world's leading provider of eBusiness management
    solutions, released its "2001 Top 10 Virus
    Threats" list. The list is based on reports
    tracked by the company's eTrust Global Antivirus
    Research Centers. The list, in order of
    frequency, is as follows
  • 1. Win32.Badtrans.B, 2. Win32.Sircam.137216, 3.
    Win32.Magistr, 4. Win32.Badtrans.13312, 5.
    Win32.Magistr.B, 6. Win32.Hybris.B, 7. Win95.MTX,
    8. Win32.Nimda.A, 9. VBS.VBSWG.Generic, 10.
    Win32.Goner.A

78
  • 2002The Klezworm infects executables by creating
    a hidden copy of the original host file and then
    overwriting the original file with itself. The
    hidden copy is encrypted, but contains no viral
    data. The name of the hidden file is the same as
    the original file, but with a random extension.
  • Nimda is a mass-mailing worm that utilizes
    multiple methods to spread itself. The name of
    the virus came from the reversed spelling of
    "admin". The worm sends itself out by email,
    searches for open network shares, attempts to
    copy itself to unpatched or already vulnerable
    Microsoft IIS web servers, and is a virus
    infecting both local files and files on remote
    network shares.

79
Virus Detection and Prevention Tips
  • Do not open an email from an unknown,
    suspicious or untrustworthy source
  • Do not open any files attached to an email
  • Turn off preview pane in email client
  • Enable macro virus protection in all your
    applications
  • Beware of pirated software
  • Dont accept files while chatting or messaging

80
  • Do not download any files from strangers.
  • Exercise caution when downloading files from the
    Internet.
  • Turn on view file extensions so you can see what
    type of file you are downloading
  • Save files to disk on download rather than launch
    application
  • Update your anti-virus software regularly.
  • Back up your files on a regular basis.

81
Antivirus Features
  • Signature scanning
  • Heuristic Scanning
  • Manual Scanning
  • Real Time scanning
  • E-mail scanning
  • Download scanning
  • Script scanning
  • Macro scanning
  • Price
  • Update subscription cost

82
Norton Antivirus 2003
83
Options
84
Script Blocking
85
Scanning
86
(No Transcript)
87
E-Mail Scanning
88
Instant Messenger
89
Live Update
90
Live Update
91
Spyware
92
Spyware
  • Spyware is software/hardware that spies on what
    you do on your computer
  • Often is it employs a user's Internet connection
    in the background (the so-called "backchannel")
    without their knowledge or explicit permission.
  • Installed without the users knowledge with
    shareware/freeware

93
Spyware Capabilities
  • Record addresses of Web pages visited
  • Record recipient addresses of each email you
    send
  • Record the sender addresses of each email you
    receive
  • Recording the contents of each email you
    send/receive
  • Record the contents of IM messages
  • Record the contents of each IRC chat
  • Recording keyboard keystrokes
  • Record all Windows activities

94
Who Uses Spyware
  • Corporations to monitor computer usage of
    employees
  • Computer crackers to capture confidential
    information
  • Parents to monitor use of family computer
  • Advertising and marketing companies to assemble
    marketing data to serve personalized ads to
    individual users

95
Spyware Software
  • Keystroke loggers
  • Invisible KeyKey Monitor
  • KeyLogger Stealth
  • Spector
  • E-mail monitors
  • IamBigBrother
  • MailGuard
  • MailMarshall
  • MIMEsweeper
  • Surveillance
  • iOpus STARR
  • Silent Watch
  • SpyAgent
  • WinSpy

96
www.spychecker.com
97
(No Transcript)
98
Spyware use examples
  • Real networks profiling their users' listening
    habits
  • Aureate/Radiate and Conducent Technologies whose
    advertising, monitoring, and profiling software
    sneaks into our machines without our knowledge or
    permission
  • Comet Cursor which secretly tracks our
  • web browsing
  • GoHip who hijacks our web browser and alters our
    eMail signatures

99
Ad-Adware
  • From www.lavasoftUSA.com
  • Scans system for known spyware and allows you to
    safely remove them
  • Allows backup before delete

100
(No Transcript)
101
(No Transcript)
102
(No Transcript)
103
(No Transcript)
104
(No Transcript)
105
(No Transcript)
106
(No Transcript)
107
(No Transcript)
108
TSAdBot
  • TSAdBot, from Conducent Technologies
    (formerly TimeSink), is distributed with many
    freeware and shareware programs, including the
    Windows version of the compression utility PKZip.
    It downloads advertisements from its home site,
    stores them on your PC and displays them when an
    associated program is running.
  • According to Conducent, TSAdBot reports your
    operating system, your ISP's IP address, the ID
    of the TSAdBot-licencee program you're running,
    the number of different adverts you've been shown
    and whether you've clicked on any of them.
Write a Comment
User Comments (0)
About PowerShow.com