Malicious Program - PowerPoint PPT Presentation

About This Presentation

Title: Malicious Program

Slides: 41
Provided by: fit1

Transcript and Presenter's Notes

1
Malicious Program
  • Network Security
  • Politeknik Elektronika Negeri Surabaya
  • 2007

2
Adware Definition
  • Adware is simply an application that displays
    advertisements while it is running.
  • Adware is advertising supported software.
  • Adware contains a disclosure statement in the End
    User License Agreement stating its intentions.

3
Adware Examples
4
Adware Hazards
  • Installs separate advertising components on your
    system that download ads and waste system
    resources, even after the associated program has
    been removed.
  • Some applications connect to ad servers over the
    Internet and consume network bandwidth while
    potentially compromising the security of your
    information.

5
Adware Solutions
  • Install and run anti-adware tools like Ad-Aware.

6
Spyware
7
Spyware Definition
  • Spyware is a generic term for software whose
    purpose is to collect demographic and usage
    information (name, email address, websites visited)
    from your computer, usually for advertising and
    marketing purposes.
  • Spyware gathers this information covertly, without
    the user's knowledge.

8
Spyware Hazards
  • Spyware also installs separate components on your
    system, but these record keystrokes and other
    information that can include sensitive material
    such as usernames, passwords and credit card
    numbers.
  • The spyware uses routines to send these logs out
    by email or by posting them to a particular web
    page, so attackers can view them at any time.

9
Cookies
  • Q: What are cookies?
  • A: Cookies are unique identifiers placed on your
    computer by a web server.
  • Cookies are passive text strings; a single cookie
    can be no larger than 4 KB (4096 bytes), but
    cookies are typically only 20-40 characters long.

10
Cookies dispelling myths
  • Cookies cannot collect personal information about
    users by themselves. The only way a cookie can
    contain this type of information is if you give it
    to a particular website and that site chooses to
    store it in a cookie.
  • Cookie scoping is such that the browser only sends
    a cookie back to the domain (and path) that set it,
    so other sites cannot read its contents.
  • Cookies are not scripts, though they may be
    written by a script. Cookies are not executable.

11
Cookies so whats the big deal?
  • Often the use of cookies is harmless and even
    helpful. However, more often than not companies
    use cookies to track a user's activity on
    websites: the activity is logged and a history of
    the user's browsing habits is maintained, usually
    in order to target specific individuals with
    specific advertisements. Because an advertising
    network's content is embedded in many different
    sites, its own cookie comes back on every visit,
    so one network can follow a user across all of
    them. Information about a user can be swapped and
    sold from company to company to build a very
    comprehensive profile of any given user.
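As an added example (not part of the original slides) of the cookie scoping and tracking described on slides 9-11: a minimal cookie jar in Python that applies the RFC 6265 domain-match and path-match rules and the 4096-byte per-cookie limit. The hostnames (shop.example.com, news.example.org, ads.tracker.test) and the Set-Cookie headers are constructed. It shows that a cookie set by one site is never sent to another site, and yet an ad server whose pixel is embedded in many sites gets its own cookie back on every visit, which is how a cross-site profile is built without any site ever reading another's cookie.

```python
"""Minimal RFC 6265-style cookie jar (added example, constructed data)."""
from dataclasses import dataclass
from urllib.parse import urlsplit

MAX_COOKIE_BYTES = 4096  # per-cookie size a browser must be able to store


@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # host that set it, or the Domain attribute
    path: str
    host_only: bool  # True when no Domain attribute was given


def domain_matches(host, cookie):
    """Host-only cookies need an exact host; Domain= cookies also match subdomains."""
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def path_matches(request_path, cookie_path):
    """RFC 6265 path-match: prefix on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def parse_set_cookie(header, request_host):
    """Parse one Set-Cookie header received from request_host.
    Returns None when the cookie must be rejected: over the size limit, or a
    Domain attribute that the responding host is not allowed to set."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    name, value = name.strip(), value.strip()
    if not name or len(f"{name}={value}".encode()) > MAX_COOKIE_BYTES:
        return None
    domain, path, host_only = request_host, "/", True
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            domain, host_only = val.lstrip(".").lower(), False
        elif key == "path" and val.startswith("/"):
            path = val
    # A host may only set cookies for itself or a parent domain it belongs to.
    if not host_only and not (request_host == domain or request_host.endswith("." + domain)):
        return None
    return Cookie(name, value, domain, path, host_only)


class CookieJar:
    def __init__(self):
        self.cookies = []

    def store(self, set_cookie_header, response_url):
        host = urlsplit(response_url).hostname.lower()
        cookie = parse_set_cookie(set_cookie_header, host)
        if cookie is None:
            return False
        key = (cookie.name, cookie.domain, cookie.path)
        self.cookies = [c for c in self.cookies if (c.name, c.domain, c.path) != key]
        self.cookies.append(cookie)
        return True

    def cookies_for(self, request_url):
        """Cookies the browser would attach to a request for request_url."""
        u = urlsplit(request_url)
        host, path = u.hostname.lower(), u.path or "/"
        return {c.name: c.value for c in self.cookies
                if domain_matches(host, c) and path_matches(path, c.path)}


def tracking_demo():
    """Constructed scenario: two unrelated sites embed a pixel from the same
    ad server. Returns the cookies sent on each request."""
    jar = CookieJar()
    jar.store("session=abc123; Path=/; HttpOnly", "https://shop.example.com/login")
    # The ad pixel embedded in shop.example.com sets a third-party cookie.
    jar.store("uid=track-42; Domain=ads.tracker.test; Path=/", "https://ads.tracker.test/pixel.gif")
    # Later the user visits an unrelated site that embeds the same pixel.
    return {
        "shop": jar.cookies_for("https://shop.example.com/cart"),
        "news": jar.cookies_for("https://news.example.org/"),
        "pixel_from_news": jar.cookies_for("https://ads.tracker.test/pixel.gif?ref=news.example.org"),
    }
```

The shop session cookie is never sent to news.example.org, exactly as slide 10 says; the tracking cookie still arrives at ads.tracker.test from both pages, which is the profiling slide 11 warns about. Blocking third-party cookies in the browser breaks the second behaviour without affecting the first.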

12
Bundled Software
  • Today there are a large number of programs used to
    share files over the Internet. The most popular
    are peer-to-peer programs, which are free to
    download and can be used anonymously.
  • However, these programs are notorious for bundling
    third-party software that is installed along with
    the main program, often without the user's
    knowledge.

13
Key Loggers
  • Q: What are key loggers?
  • A: A key logger is a program that runs in the
    background recording every keystroke. Many key
    loggers can be seen in the running process list,
    but better ones rename their process to something
    inconspicuous, and the best make themselves
    completely invisible in the process list.

14
Key Loggers
  • Q: Why are key loggers so easy to find?
  • A: Key loggers are not only used maliciously.
    There are many other uses for key loggers, such
    as:
  • Making sure children are using the Internet
    appropriately and safely
  • Ensuring that employees are not misusing company
    computers
  • Safeguarding against lost work in the event of a
    power outage or other unforeseen circumstance

15
Spyware Solutions
  • Install and run anti-spyware software like Spybot.

16
Malware Definition
  • Malware, or malicious software, is any software
    developed for the purpose of doing harm to a
    computer system.
  • Malware is the most dangerous of these programs,
    since it has the potential to destroy one's
    computer system.

17
Malware
  • Virus
  • Trojans
  • Worms

18
Malware Hazards
  • Worms and viruses self-replicate. A virus hides in
    executable files or parts of applications and
    spreads when they are run; a worm spreads on its
    own across a network. Both can cause extensive
    damage to a computer system.
  • A trojan horse is harmful code disguised as a
    legitimate program; it can cause malfunctions in
    a system and even allow a stranger to take over
    your computer.

19
Malware Solutions
  • Install and run antivirus software, keep it up to
    date, and use a firewall to prevent malware from
    gaining access.

20
Trojan Programs
  • A kind of attack that brings about changes
    gradually, unnoticed, and with fatal effect
  • Able to disguise itself as an ordinary program
  • Hides:
  • Backdoors
  • Rootkits
  • Enables remote attack

21
(No Transcript)
22
What does a trojan do?
  • With a trojan, the attacker can obtain passwords,
    and so is able to read documents, delete files
    and display messages on the screen

23
Well-known Trojans
24
Trojan Utilities
  • Beast
  • Phatbot
  • Amitis
  • QAZ
  • Back Orifice
  • Back Orifice 2000

25
Trojan Utilities
  • Tini
  • NetBus
  • SubSeven
  • Netcat
  • Donald Dick
  • Let me rule
  • RECUB

26
Backdoors
  • The attacker tries to take over the system and
    installs a backdoor to gain further access
  • A backdoor listens on a port and waits for a
    connection

27
Back Doors
  • Entry through the back way
  • Does not have to pass through authentication
  • Used to maintain access to the system
  • The attacker initially came in through the front
    door
  • Still works even after the front door has been
    closed
  • An attacker who has back door access owns the
    system

28
Trojan Horse Backdoor Tools
  • Popular Windows backdoors
  • Back Orifice 2000 (BO2K)
  • NetBus
  • Sub7
  • Lanfiltrator
  • Hack-a-tack
  • The Virtual Network Computer (VNC)
  • a legitimate remote administration tool that is
    often used as a backdoor


29
Back Orifice
30
RootKits
  • Replace key system components
  • Harder to detect than trojan horse backdoors
  • Two kinds: user-mode (ordinary) rootkits and
    kernel rootkits
  • Require root access to install
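As an added example, not part of the original slides, for the backdoor behaviour on slides 26-27 (a backdoor listens on a port and waits for a connection) and the rootkit warning on slide 30: a Python check that parses `ss -ltnp` output against a baseline of approved (port, process) pairs, and then compares the locally visible sockets with the ports an external scan reported open. The ss output, the baseline and the scan result below are constructed; on a real host you would feed in live `ss -ltnp` output and the port list from a scanner run on another machine.

```python
"""Listening-socket baseline check (added example, constructed data)."""
import re

# One LISTEN row of `ss -ltnp` on Linux: local address:port, process, pid.
SS_LISTEN = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)'
)

# Constructed `ss -ltnp` output, not captured from a real host. Note the
# second "sshd" on an unusual port: a backdoor renamed to look legitimate.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      511    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=900,fd=7))
LISTEN 0      5      0.0.0.0:12345       0.0.0.0:*         users:(("sshd",pid=4242,fd=4))
LISTEN 0      5      0.0.0.0:31337       0.0.0.0:*         users:(("kworker",pid=4300,fd=3))
"""

# Approved listeners for this host: port -> process names allowed to own it.
BASELINE = {22: {"sshd"}, 631: {"cupsd"}}

# Ports an external scan of this host reported open (constructed).
EXTERNAL_SCAN = {22, 12345, 31337, 4444}


def parse_listeners(text):
    """Return a list of {host, port, proc, pid} for every LISTEN row."""
    listeners = []
    for line in text.splitlines():
        m = SS_LISTEN.match(line)
        if not m:
            continue
        addr, proc, pid = m.groups()
        host, port = addr.rsplit(":", 1)  # handles "[::]:22" as well
        listeners.append({"host": host, "port": int(port), "proc": proc, "pid": int(pid)})
    return listeners


def audit(listeners, baseline=BASELINE):
    """Flag listeners outside the baseline. The process name alone is not
    trusted: a backdoor can call itself "sshd" too, so it is the
    (port, name) pair that must match."""
    findings = []
    for l in listeners:
        allowed = baseline.get(l["port"])
        if allowed is None:
            findings.append((l["port"], l["proc"], l["pid"], "port not in baseline"))
        elif l["proc"] not in allowed:
            findings.append((l["port"], l["proc"], l["pid"], "unexpected process on approved port"))
    return findings


def hidden_listeners(listeners, external_open_ports):
    """Ports reachable from outside but missing from the local socket list.
    A kernel rootkit can hide a socket from ss/netstat on the box itself,
    but it cannot hide it from a scan run on another machine."""
    local = {l["port"] for l in listeners}
    return set(external_open_ports) - local


if __name__ == "__main__":
    ls = parse_listeners(SAMPLE_SS_OUTPUT)
    for f in audit(ls):
        print("unexpected listener:", f)
    for p in sorted(hidden_listeners(ls, EXTERNAL_SCAN)):
        print("port open externally but hidden locally:", p)
```

The baseline should be recorded from a known-good build of the host and kept off the host, for the same reason the integrity-checker database must be: an attacker who can edit it can approve their own listener.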

31
Important Files That Are Attacked
  • Server configuration files
  • Networking configuration files
  • System configuration files
  • Crontabs
  • Setuid programs
  • Setgid programs

32
Virus Definition
  • The term computer virus was first used by Fred
    Cohen in his paper Computer Viruses - Theory and
    Experiments in 1984
  • "We define a computer virus as a program that can
    infect other programs by modifying them to include
    a possibly evolved copy of itself. With the
    infection property, a virus can spread throughout
    a computer system or network using the
    authorizations of every user using it to infect
    their programs. Every program that gets infected
    may also act as a virus and thus the infection
    grows."

33
Basic Property of a Virus
  • the ability to infect other programs and to
    spread.

34
Virus History
  • In 1981, the first virus in the wild was
    found.

35
Types of Virus
  • File infector virus
  • Boot sector virus
  • Multipartite virus
  • Macro virus
  • Stealth virus
  • Polymorphic virus
  • Companion virus
  • Tunneling virus
  • Fast infector virus
  • Slow infector virus
  • Armoured virus

36
How Viruses Spread
  • Boot sector
  • File
  • Macro
  • Email worm

37
Types of Anti-Virus
  • Scanners
  • Programs that examine executable files looking for
    sequences of code known to belong to a previously
    identified computer virus
  • Monitors
  • Programs that stay resident in the computer's
    memory and continuously monitor the functions of
    the running operating system
  • Integrity checkers
  • Programs that detect executable objects that have
    been modified, and so detect infection by a virus

38
Scanner
  • Consists of
  • A search engine
  • A database containing the code sequences of
    previously known viruses (often called virus
    signatures or scan strings)
  • The weakness of scanners is that they must be
    kept up to date continuously, because a scanner
    can only detect viruses that are already known
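An added example, not from the original slides, of the scanner described on slides 37-38: a search engine that matches a database of scan strings against file contents, including the detail that a signature split across two read chunks must still be found. The signature database and the sample files are constructed (the byte patterns are not real malware). The one-byte variant in `demo()` illustrates the weakness the slide names: a scanner knows only the patterns already in its database.

```python
"""Signature scanner (added example, constructed signatures and samples)."""
import os
import tempfile

# Constructed signature database: name -> scan string. These stand in for
# the "virus signatures" a real scanner database holds; they are not real.
SIGNATURES = {
    "Demo.Dropper.A": b"MZ\x90\x00DEMO-DROPPER-A",
    "Demo.Macro.B": b"Sub AutoOpen()\r\nShell \"cmd /c",
}


def scan_bytes(data, signatures=SIGNATURES):
    """Names of every signature whose scan string occurs in data."""
    return sorted(name for name, sig in signatures.items() if sig in data)


def scan_file(path, signatures=SIGNATURES, chunk_size=1 << 20):
    """Scan a file in chunks, carrying enough overlap from the previous
    chunk that a scan string straddling a chunk boundary is still seen."""
    overlap = max(len(s) for s in signatures.values()) - 1
    found, tail = set(), b""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk_size)
            if not block:
                break
            window = tail + block
            found.update(scan_bytes(window, signatures))
            tail = window[-overlap:] if overlap else b""
    return sorted(found)


def scan_tree(root, signatures=SIGNATURES):
    """Scan every regular file under root; returns {path: [signature names]}."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            if os.path.isfile(p):
                r = scan_file(p, signatures)
                if r:
                    hits[p] = r
    return hits


def chunk_boundary_check():
    """Self-check: the scan string starts at byte 10 and ends at byte 28,
    so with a 16-byte chunk it crosses the first chunk boundary."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"A" * 10 + SIGNATURES["Demo.Dropper.A"] + b"B" * 10)
        path = f.name
    try:
        return scan_file(path, chunk_size=16)
    finally:
        os.remove(path)


def demo():
    """Constructed files: a sample matching a signature, a one-byte variant
    of it, and a clean file. Returns the scanner verdict for each."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "infected.exe": b"\x00" * 300 + SIGNATURES["Demo.Dropper.A"] + b"\x00" * 100,
            # Same sample with one byte changed (DEMO -> DEM0): a variant the
            # database does not know yet, so the scanner misses it.
            "variant.exe": b"\x00" * 300 + SIGNATURES["Demo.Dropper.A"].replace(b"DEMO", b"DEM0") + b"\x00" * 100,
            "clean.txt": b"nothing to see here\n",
        }
        for name, content in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        return {name: scan_file(os.path.join(d, name)) for name in samples}
```

Real scanners add wildcards, offsets and unpacking on top of this, but the limitation is the same: `variant.exe` is missed until a signature for it is distributed, which is why the slide insists on keeping the database up to date.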

39
Monitor
  • A virus is detected by monitoring for functions
    that are flagged as dangerous and characteristic
    of a virus, such as changing the contents of an
    executable file or actions that bypass the
    operating system.
  • When a program attempts to do any of the above,
    the monitor blocks execution of that program.
  • Another weakness of monitor programs is the
    mistakes they frequently make: since detection is
    based on the behaviours listed above, the normal
    function of some other program (which is not a
    computer virus) is often treated as a virus, a
    false positive.

40
Integrity Checkers
  • Integrity checkers work by computing a checksum
    (an integrity value) over the code of executable
    programs and storing it in a database. Periodically
    the checksums of those programs are recomputed and
    compared against the checksum database.
  • Types of integrity checker
  • Off-line integrity checkers
  • Integrity checkers attached to the executable file
    with the help of a special-purpose program
    (self-checking executables)
  • Resident integrity checkers that stay in memory
    and perform the computation when the executable
    object is run.
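An added example, not part of the original slides, of the off-line integrity checker on slide 40, extended to cover the targets listed on slide 31: it fingerprints every file under the given roots with SHA-256 and records the permission bits as well, so that a rewritten configuration file, a planted crontab entry and a binary that has newly become setuid are all reported. The directory layout, file contents and the simulated tampering in `demo()` are constructed inside a temporary directory. A cryptographic hash is used instead of a plain checksum because a CRC can be made to match after tampering, and the baseline database has to live somewhere the attacker cannot rewrite (read-only media or another host), otherwise they simply re-baseline their changes.

```python
"""File integrity checker with mode tracking (added example, constructed tree)."""
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path):
    """SHA-256 of the content plus the permission bits, so a binary that
    gains setuid/setgid is noticed even when its bytes are unchanged."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}


def walk(roots):
    """Every regular file under the given files or directories."""
    for root in roots:
        if os.path.isfile(root):
            yield root
        for dirpath, _, names in os.walk(root):
            for n in names:
                p = os.path.join(dirpath, n)
                if os.path.isfile(p):
                    yield p


def build_baseline(paths):
    return {p: fingerprint(p) for p in paths}


def save_baseline(baseline, db_path):
    # Keep this database off the monitored host or on read-only media.
    with open(db_path, "w") as f:
        json.dump(baseline, f, indent=1)


def load_baseline(db_path):
    with open(db_path) as f:
        return json.load(f)


def check(baseline, paths):
    """Compare the current state of paths against baseline; returns (path, reason) pairs."""
    current = build_baseline(paths)
    findings = []
    for p, old in baseline.items():
        new = current.get(p)
        if new is None:
            findings.append((p, "missing"))
            continue
        if new["sha256"] != old["sha256"]:
            findings.append((p, "content changed"))
        if new["mode"] != old["mode"]:
            gained = new["mode"] & ~old["mode"]
            if gained & (stat.S_ISUID | stat.S_ISGID):
                findings.append((p, "became setuid/setgid"))
            else:
                findings.append((p, "mode changed"))
    for p in current:
        if p not in baseline:
            findings.append((p, "new file"))
    return findings


def demo():
    """Constructed etc/ and bin/ trees in a temp dir: baseline them, apply the
    kinds of tampering slide 31 lists, and return what check() reports."""
    with tempfile.TemporaryDirectory() as d:
        etc, bin_ = os.path.join(d, "etc"), os.path.join(d, "bin")
        os.makedirs(os.path.join(etc, "cron.d"))
        os.makedirs(bin_)
        cfg, ls = os.path.join(etc, "sshd_config"), os.path.join(bin_, "ls")
        with open(cfg, "w") as f:
            f.write("PermitRootLogin no\n")
        with open(ls, "wb") as f:
            f.write(b"\x7fELF-demo-binary")
        os.chmod(ls, 0o755)
        db = os.path.join(d, "baseline.json")
        save_baseline(build_baseline(walk([etc, bin_])), db)

        # Simulated attacker: weaken a server config, plant a crontab entry,
        # and make a system binary setuid root.
        with open(cfg, "a") as f:
            f.write("PermitRootLogin yes\n")
        with open(os.path.join(etc, "cron.d", "backdoor"), "w") as f:
            f.write("* * * * * root /tmp/.x\n")
        os.chmod(ls, 0o4755)

        findings = check(load_baseline(db), walk([etc, bin_]))
        return {(os.path.relpath(p, d).replace(os.sep, "/"), why) for p, why in findings}
```

Run `demo()` to see the three findings; in production you would run `build_baseline`/`save_baseline` once on a clean install and schedule `check` against the stored database, which is the periodic recomputation slide 40 describes.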