Malicious Software

The document discusses various types of malicious software (malware), including viruses, worms, trojan horses, and rootkits, detailing their characteristics and examples. It also outlines the structure of viruses, their propagation methods, and countermeasures for prevention and detection. Additionally, the document emphasizes the evolution of antivirus technology and the importance of proactive measures against malware threats.

Computer Security: Principles and Practice
Malicious Software
Malicious Software
• programs exploiting system vulnerabilities
• known as malicious software or malware
– program fragments that need a host program
• e.g. viruses, logic bombs, and backdoors
– independent self-contained programs
• e.g. worms, bots
– replicating or not
• sophisticated threat to computer systems

Malware Terminology
• Virus: attaches itself to a program
Example: ILOVEYOU Virus
A famous email virus from 2000, which spread by tricking users into opening an email attachment titled "ILOVEYOU." It replicated itself and overwrote important files.

• Worm: propagates copies of itself to other computers
Example: Morris Worm
Released in 1988, it exploited vulnerabilities in Unix systems and spread across networks, causing significant slowdowns.

• Logic bomb: “explodes” when a condition occurs
Example: Chernobyl Virus (CIH)
Activated on specific dates (e.g., April 26) and caused severe damage by overwriting data on the hard drive and BIOS.

Malware Terminology
• Trojan horse: fakes/contains additional functionality
Example: Zeus Trojan
A banking Trojan designed to steal sensitive financial information by logging keystrokes and capturing credentials.

• Backdoor (trapdoor): allows unauthorized access to functionality
Example: Back Orifice
A backdoor used to control Windows computers remotely, allowing attackers to execute arbitrary commands.

• Mobile code: moves unchanged to heterogeneous platforms
Example: JavaScript-Based Malware
Malicious JavaScript embedded in websites that executes in the browser to steal data or infect systems.

• Spammer and flooder programs: send large volumes of unwanted packets
Example: Mirai Botnet
A botnet that infected IoT devices, enabling attackers to launch massive spam and DDoS attacks by flooding networks with traffic.

Malware Terminology
• Keyloggers: capture keystrokes
Example: Invisible KeyLogger Stealth
Software that silently records every keystroke typed by the user, including sensitive information like passwords.

• Rootkit: sophisticated hacker tools to gain root-level access
Example: Sony BMG Rootkit
Discovered in 2005, this rootkit was installed on users’ systems via CDs, making the system vulnerable while hiding its own presence.

• Zombie, bot: software on infected computers that launches attacks on others
Example: Conficker
A worm that created a botnet of infected computers, allowing attackers to remotely control them for malicious purposes.

Malware Terminology
• Adware: software that displays unwanted advertisements and often tracks user activity, typically for marketing purposes.
Example: Fireball
A type of adware that infected millions of devices, hijacking browsers to display intrusive ads.

• Auto-Rooter: malicious software that exploits vulnerabilities to gain root or administrative access to a system without user consent.
Example: RootMe
A tool used by attackers to automate root access exploits on vulnerable systems.

• Macro Virus: a type of virus written in a macro language, which infects documents and automates malicious actions when the document is opened.
Example: Melissa Virus
A macro virus that spread via Microsoft Word documents, infecting systems and emailing itself to contacts.

Viruses
• piece of software that infects programs
– modifying them to include a copy of the virus
– so it executes secretly when the host program is run
• specific to operating system and hardware
– taking advantage of their details and weaknesses
• a typical virus goes through phases of:
– dormant: idle
– propagation: copies itself to other programs
– triggering: activated to perform its functions
– execution: the function is performed

Virus Structure
• components:
– infection mechanism: enables replication
– trigger: event that makes the payload activate
– payload: what it does, malicious or benign
• virus code may be prepended / postpended / embedded
• when the infected program is invoked, it executes the virus code, then the original program code
• can block initial infection (difficult)
• propagation controlled with access controls
• Patch Tuesday concept

Virus Structure
Patch Tuesday concept:
• Patch Tuesday is the name for the day Microsoft releases security
patches, updates, and bug fixes for their software
• Patch Tuesday was introduced in 2003 in response to criticism from
customers, security experts, and industry analysts. Other major software
vendors have since adopted the practice.
• When it happens: The second Tuesday of every month
• What it's for: To provide a predictable way to keep systems secure and
maintain performance
• Why it's important: Updates help prevent cybercriminals from exploiting
security vulnerabilities
• Other names: Also known as Update Tuesday
• Other releases: Microsoft also releases "C" and "D" releases in the third
and fourth weeks of the month, respectively
• Critical updates: Microsoft may release critical security updates outside of
Patch Tuesday, called "Out-of-band" releases

Virus Structure
[figure only in the original slide]

Compression Virus
[figure: P1 is infected]

Virus Classification
• categories
– boot sector: infects a master boot record
– file infector: infects executable OS files
– macro virus: infects files to be used by an app
– multipartite virus: infects different file types; harder to eradicate
• concealment
– encrypted virus: body encrypted; key stored in the virus; each replica uses a different session key
– stealth virus: hides itself (e.g., compression, code mutation)
– polymorphic virus: recreates itself with a different “signature”
– metamorphic virus: recreates itself with a different signature and behavior

Macro Virus
• became very common in mid-1990s since
– platform independent
– infect documents
– easily spread
• exploit macro capability of office apps
– executable program embedded in office doc
– often a form of Basic
• more recent releases include protection
• recognized by many anti-virus programs

E-Mail Viruses
• more recent development
• e.g. Melissa
– exploits MS Word macro in attached doc
– if attachment opened, macro activates
– sends email to all on user's address list
– and does local damage
• later versions were triggered just by reading email
• hence much faster propagation

Worms
• replicating program that propagates over a network
– using email, remote exec, remote login, file sharing, USB drives
• has phases like a virus:
– dormant, propagation, triggering, execution
• propagation phase: searches for other systems, connects to them, copies itself to them and runs
• concept seen in Brunner’s “Shockwave Rider”
• implemented by Xerox Palo Alto labs in 1980’s

Morris Worm
• one of the best-known worms
• released by Robert Morris in 1988
– affected 6,000 computers; cost $10-$100 M
• various attacks on UNIX systems
– cracking the password file to use login/password to log on to other systems
– exploiting a bug in the finger protocol
– exploiting a bug in sendmail
– port scanning

Worm Propagation Model (based on recent attacks)

[figure: number of infected hosts over time, contrasting a linear rate of infection with an exponential rate of infection]

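To make the shape of that curve concrete (slow start, fast spread, slow finish), here is an added example that is not from the slides or the textbook: a deterministic expected-value model of a random-scanning worm. The vulnerable population, address space and scan rate are constructed parameters; the point for defenders is how short the window is before the fast-spread phase.

```python
def simulate_random_scan(vulnerable, address_space, scans_per_tick, ticks, initial=1):
    """Expected number of infected hosts after each tick for a random-scanning worm.
    Each infected host probes scans_per_tick uniformly random addresses per tick;
    a probe adds an infection when it lands on a vulnerable, not yet infected host.
    All parameters are constructed for illustration."""
    infected = float(initial)
    history = [infected]
    for _ in range(ticks):
        hit_prob = (vulnerable - infected) / address_space   # one probe finds fresh prey
        infected = min(vulnerable, infected + infected * scans_per_tick * hit_prob)
        history.append(infected)
    return history

def growth_per_tick(history):
    """New infections per tick: small early (slow start, exponential growth),
    largest near half the population (fast spread), small again at saturation."""
    return [b - a for a, b in zip(history, history[1:])]

def phase_boundaries(history, vulnerable, low=0.10, high=0.90):
    """Ticks at which the infected count first reaches low and high fractions
    of the vulnerable population, bracketing the fast-spread phase."""
    t_low = next(t for t, n in enumerate(history) if n >= low * vulnerable)
    t_high = next(t for t, n in enumerate(history) if n >= high * vulnerable)
    return t_low, t_high

# Constructed scenario: 10,000 vulnerable hosts in a 1,000,000-address space,
# each infected host sending 10 probes per tick.
DEMO = dict(vulnerable=10_000, address_space=1_000_000, scans_per_tick=10, ticks=250)

if __name__ == "__main__":
    hist = simulate_random_scan(**DEMO)
    g = growth_per_tick(hist)
    peak = max(range(len(g)), key=g.__getitem__)
    print("early growth factor per tick:", round(hist[10] / hist[9], 4))
    print("fastest spread at tick", peak, "with", int(hist[peak]), "infected")
    print("10% / 90% infected reached at ticks", phase_boundaries(hist, DEMO["vulnerable"]))
```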
Recent Worm Attacks
• Code Red
– July 2001, exploiting an MS IIS bug
– probes random IP addresses, does DDoS attack
– consumes significant net capacity when active
– 360,000 servers in 14 hours
• Code Red II variant includes a backdoor: the hacker controls the worm
• SQL Slammer (exploited a buffer-overflow vulnerability)
– early 2003, attacks MS SQL Server
– compact and very rapid spread
• Mydoom (100 M infected messages in 36 hours)
– mass-mailing e-mail worm that appeared in 2004
– installed a remote access backdoor in infected systems
• Stuxnet: targets industrial control systems; slow spread; used no fewer than four zero-day vulnerabilities

Famous Worms
Melissa (1998): e-mail worm; first to include virus, worm and Trojan in one package
Code Red (July 2001): exploited Microsoft IIS bug; probes random IP addresses; consumes significant Internet capacity when active
Code Red II (August 2001): also targeted Microsoft IIS; installs a backdoor for access
Nimda (September 2001): had worm, virus and mobile code characteristics; spread using e-mail, Windows shares, Web servers, Web clients, backdoors
SQL Slammer (early 2003): exploited a buffer overflow vulnerability in SQL Server; compact and spread rapidly
Sobig.F (late 2003): exploited open proxy servers to turn infected machines into spam engines
Mydoom (2004): mass-mailing e-mail worm; installed a backdoor in infected machines
Warezov (2006): creates executables in system directories; sends itself as an e-mail attachment; can disable security related products
Conficker (Downadup) (November 2008): exploits a Windows buffer overflow vulnerability; most widespread infection since SQL Slammer
Stuxnet (2010): restricted rate of spread to reduce chance of detection; targeted industrial control systems

Worm Technology
• multiplatform: not limited to Windows
• multi-exploit: Web servers, emails, file sharing …
• ultrafast spreading: does a scan to find vulnerable hosts
• polymorphic: each copy has new code
• metamorphic: changes appearance/behavior
• transport vehicles (e.g., for DDoS)
• zero-day exploit of an unknown vulnerability (to achieve max surprise/distribution)

Mobile Code
• scripts/macros (portable code) that can be transmitted to a heterogeneous collection of platforms
• JavaScript, ActiveX, Java applets, VBScript
• how: often via email attachment, Internet downloads, cross-site scripting
• mobile phone worms
– Cabir worm … CommWarrior (communicate via Bluetooth devices)

Drive-By-Downloads
• exploits browser vulnerabilities to download
and install malware on the system when the
user views a Web page controlled by the
attacker
• in most cases does not actively propagate
• spreads when users visit the malicious Web
page
– “free” music/video and webpages

Bots (Zombie/Drone)
• program taking over other computers and launching attacks
– hard to trace attacks
• if coordinated, form a botnet
• characteristics:
– remote control facility (distinguishing factor)
– spreading mechanism
• attack software, vulnerability, scanning strategy
• common attacks: DDoS, spamming, sniffing traffic
• various counter-measures applicable (IDS, honeypots, …)

Rootkits

• set of programs installed for admin access
• malicious and stealthy changes to host O/S
• may hide its existence
– subverting report mechanisms on processes, files, registry entries etc.
• may be persistent (survives reboot) or memory-based
• do not rely on vulnerabilities
– installed via Trojan
– installed via hackers
• range of countermeasures needed

Countermeasures
• most important solution to the threat of malware is
prevention
– policy
– awareness
– vulnerability mitigation
– threat mitigation
• if prevention fails, technical mechanisms can be
used to support the following threat mitigation
options:
– detection
– identification
– removal

Virus Countermeasures
• prevention - ideal solution but difficult
• realistically need:
– detection: determine what occurred
– identification: identify the specific virus
– removal: remove all traces
• if detect but can’t identify or remove, must
discard and replace infected program

Anti-Virus Evolution
• virus & antivirus tech have both evolved
• early viruses simple code, easily removed
• as viruses become more complex, so must the countermeasures
• generations
– first: signature scanners (bit patterns all the same)
– second: heuristics (integrity checks; checksums)
– third: identify actions (find by actions they do)
– fourth: combination packages

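Added example (not part of the slides or any antivirus product) that ties the first two generations above to the detection / identification / removal order of the Virus Countermeasures slide: a checksum baseline detects any modified program, a signature scan identifies the ones it knows, and anything modified but unidentified is flagged for discard and replacement. The signatures, paths and file contents are constructed placeholders.

```python
import hashlib

# Constructed demo signatures standing in for the fixed bit patterns a
# first-generation scanner matches (placeholders, not real malware signatures).
SIGNATURES = {
    "DEMO-A": b"\x90\x90\xeb\x1f",
    "DEMO-B": b"PAYLOAD-MARKER",
}

def scan_signatures(data):
    """First generation: names of every known signature found in the bytes."""
    return sorted(name for name, pattern in SIGNATURES.items() if pattern in data)

def build_baseline(files):
    """Second generation: record a SHA-256 checksum of each known-clean program."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def integrity_check(baseline, files):
    """Paths whose current checksum differs from the recorded one (or are new)."""
    return sorted(p for p, d in files.items()
                  if hashlib.sha256(d).hexdigest() != baseline.get(p))

def triage(baseline, files):
    """Detection by checksum, then identification by signature: a modified
    program matching no known signature cannot be cleaned, only replaced."""
    report = {}
    for path in integrity_check(baseline, files):
        names = scan_signatures(files[path])
        report[path] = names[0] if names else "unknown: discard and replace"
    return report

# Constructed sample "programs": plain bytes standing in for executables.
CLEAN = {
    "/bin/app1": b"\x7fELF clean program one",
    "/bin/app2": b"\x7fELF clean program two",
}

def demo():
    baseline = build_baseline(CLEAN)
    infected = dict(CLEAN)
    # app1: known marker prepended, the prepended layout from the Virus Structure slide
    infected["/bin/app1"] = SIGNATURES["DEMO-A"] + CLEAN["/bin/app1"]
    # app2: altered by something with no known signature (signature scan misses it)
    infected["/bin/app2"] = CLEAN["/bin/app2"] + b"\x00unknown-mutation"
    return scan_signatures(infected["/bin/app2"]), triage(baseline, infected)

if __name__ == "__main__":
    print(demo())
```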
Worm Countermeasures
• overlaps with anti-virus techniques (A/V can detect)
• worms also cause significant net activity
• worm defense approaches include:
– signature-based worm scan filtering: define signatures
– filter-based worm containment (focus on contents)
– threshold random walk scan detection (limit the rate of scan-like traffic)
– rate limiting and rate halting (limit outgoing traffic when a threshold is met)

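The threshold random walk bullet is a sequential hypothesis test: a scanning worm mostly connects to addresses that are not listening, so each failed first-contact connection nudges a per-source likelihood ratio toward "scanner" and each success toward "benign", and a verdict is issued once the ratio crosses a threshold derived from the tolerated false-positive and desired detection rates. This added example (not from the slides) implements that test over a constructed connection log; theta0, theta1, alpha and beta are assumed values.

```python
class ScanDetector:
    """Threshold Random Walk: one sequential hypothesis test per source host.
    theta0/theta1: P(first-contact connection succeeds | benign) / (| scanner);
    alpha/beta: tolerated false-positive rate / desired detection rate.
    All four values below are constructed for this example."""
    def __init__(self, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.99):
        self.theta0, self.theta1 = theta0, theta1
        self.eta1 = beta / alpha               # ratio at or above this: scanner
        self.eta0 = (1 - beta) / (1 - alpha)   # ratio at or below this: benign
        self.ratio = {}     # running likelihood ratio per source
        self.seen = {}      # destinations each source has already contacted
        self.verdict = {}   # decision per source once a threshold is crossed

    def observe(self, src, dst, success):
        """Feed one connection attempt; return 'scanner', 'benign' or None."""
        if src in self.verdict:
            return self.verdict[src]
        contacted = self.seen.setdefault(src, set())
        if dst in contacted:        # repeat contacts carry no evidence
            return None
        contacted.add(dst)
        step = self.theta1 / self.theta0 if success else (1 - self.theta1) / (1 - self.theta0)
        self.ratio[src] = self.ratio.get(src, 1.0) * step
        if self.ratio[src] >= self.eta1:
            self.verdict[src] = "scanner"
        elif self.ratio[src] <= self.eta0:
            self.verdict[src] = "benign"
        return self.verdict.get(src)

# Constructed connection log: source, destination, outcome of the first attempt.
SAMPLE_LOG = """\
10.0.0.5 10.0.1.1 fail
10.0.0.5 10.0.1.2 fail
10.0.0.5 10.0.1.3 fail
10.0.0.5 10.0.1.4 fail
10.0.0.9 10.0.2.1 ok
10.0.0.9 10.0.2.2 ok
10.0.0.9 10.0.2.1 ok
10.0.0.9 10.0.2.3 ok
10.0.0.9 10.0.2.4 ok
"""

def classify(log=SAMPLE_LOG):
    """Replay a log; return ({src: verdict}, {src: log line where it was decided})."""
    det, decided_at = ScanDetector(), {}
    for n, line in enumerate(log.splitlines(), 1):
        src, dst, outcome = line.split()
        if det.observe(src, dst, outcome == "ok") and src not in decided_at:
            decided_at[src] = n
    return det.verdict, decided_at
```

With these parameters four consecutive first-contact failures are enough to flag a source, while the repeated contact on line 7 is ignored because it is not a first contact.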
Countermeasure: Digital Immune System

1. A monitoring program infers a virus and sends a copy to an administrative machine
2. The administrative machine encrypts it and sends it to a central analysis machine
3. Central analysis: safe execution of the virus, analysis, and a prescription
4. Prescription sent back to the administrative machines
5. Administrative machine forwards it to all clients
6. Prescription forwarded to other organizations
7. Subscribers worldwide receive regular updates
IBM/Symantec Project

Network Based Worm Defense
[figure only in the original slide]

Behavior-Blocking Software
Integrates with the OS; looks for bad behavior

Monitored behaviors:
- attempts to open, view, delete, modify files
- attempts to format drives
- modifications to the logic of executables
- modifications to critical system settings
- scripting of emails to send executable contents

Countermeasure: Generic Decryption
• runs executable files through GD scanner:
– CPU emulator to interpret instructions
– virus scanner to check known virus signatures
– emulation control module to manage process
• lets virus decrypt itself in interpreter
• periodically scan for virus signatures
• let virus do the work for an antivirus program
by exposing it in a controlled environment

Summary

• introduced types of malicious software
– incl. backdoor, logic bomb, trojan horse, mobile code
• virus types and countermeasures
• worm types and countermeasures
• bots
• rootkits

