CH 04

Computer Security Lecture 5

Uploaded by

Zane Tech

Computer Security: Principles and Practice
Chapter 6: Malicious Software
The current threat and vulnerability landscape
Goals and Learning Objectives
The learning objectives for this section are to understand the current malware threat and vulnerability landscape, and how malware is built and used to exploit assets.
Malware
“A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or otherwise annoying or disrupting the victim.” (NIST SP 800-83)
Malicious software
• Programs exploiting system vulnerabilities
• Known as malicious software or malware
– program fragments that need a host program
• e.g. viruses, logic bombs, and backdoors
– independent self-contained programs
• e.g. worms, bots
– replicating or not
• Sophisticated threat to computer systems
Classification of Malware
• How it spreads or propagates to reach the desired target: exploit of software vulnerabilities; drive-by-download; and social engineering attacks.
• The actions or payloads it performs once a target is reached: theft of service; theft of information from the system; keylogging or spyware programs; and stealthing.
Malicious software pt 2

Some terms
• Payload: actions of the malware
• Crimeware: kits for building malware; include propagation and payload mechanisms
– Zeus, Sakura, Blackhole, Phoenix, etc.
• APT (advanced persistent threats)
– Advanced: sophisticated attack techniques, tailored to the target
– Persistent: attack sustained over an extended period of time
– Threat: selected, high-value targets attacked by capable, well-funded attackers
Viruses
• Piece of software that infects programs
– modifying them to include a copy of the virus
– so it executes secretly when the host program is run
• Specific to operating system and hardware
– taking advantage of their details and weaknesses
• A typical virus goes through four phases:
– dormant: idle
– propagation: copies itself to other programs
– triggering: activated to perform its function
– execution: the function is performed
Virus structure
• Components:
– infection mechanism: enables replication
– trigger: event that makes the payload activate
– payload: what it does, malicious or benign
• Virus code is prepended, postpended or embedded in the host program
• When the infected program is invoked, the virus code executes first, then the original program code
• Can block initial infection (difficult) or propagation (with access controls)
Virus classification
• By target
– boot sector: infects a master boot record or boot record
– file infector: infects executable OS files
– macro virus: infects files to be used by an app (e.g. documents)
– multipartite: infects in multiple ways
• By concealment
– encrypted virus: body encrypted with a per-copy random key; key stored in the virus
– stealth virus: hides itself from detection (e.g., compression, intercepting I/O)
– polymorphic virus: recreates itself with a different “signature” on every infection
– metamorphic virus: rewrites itself completely on every infection, so signature and behavior both change
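As an added illustration of the virus structure and the concealment classes above (this is not code from the slides or the textbook), the following Python simulates a prepending file infector purely in memory: a marker for the infection check, a body that propagates to one clean program per run, a run counter as the trigger, and an encrypted variant whose body is XORed with a per-copy key. A scanner keyed on the body bytes finds the plain copies but misses the encrypted one, while a scanner keyed on the clear-text decryptor stub still catches it, which is why encrypted viruses push detection toward the stub. All names and byte strings are constructed; nothing touches the filesystem.

```python
"""Toy, in-memory simulation of a prepending virus and signature scanning.
Nothing is written to disk; "programs" are byte strings held in a dict.
All constants below are constructed stand-ins, not real virus code."""

MARKER = b"#INFECTED#"          # infection check, so the virus never re-infects a host
VIRUS_BODY = b"<virus body: find a clean program, copy me into it>"
DECRYPTOR_STUB = b"<decryptor stub>"   # the only clear-text part of an encrypted copy
TRIGGER_COUNT = 3               # trigger: payload fires on every 3rd run of an infected host


def is_infected(program: bytes) -> bool:
    return program.startswith(MARKER)


def infect(program: bytes) -> bytes:
    """Infection mechanism, prepended form: virus code first, then the original code."""
    if is_infected(program):
        return program
    return MARKER + VIRUS_BODY + program


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def infect_encrypted(program: bytes, key: int) -> bytes:
    """Encrypted variant: stub and one-byte key in the clear, body XORed with the key,
    so the body bytes differ in every infected host."""
    if is_infected(program):
        return program
    return MARKER + DECRYPTOR_STUB + bytes([key]) + xor(VIRUS_BODY, key) + program


def original_code(program: bytes) -> bytes:
    """Strip the virus (plain or encrypted form) to recover the host program."""
    if not is_infected(program):
        return program
    rest = program[len(MARKER):]
    if rest.startswith(DECRYPTOR_STUB):
        return rest[len(DECRYPTOR_STUB) + 1 + len(VIRUS_BODY):]
    return rest[len(VIRUS_BODY):]


def run(name: str, programs: dict, state: dict) -> bytes:
    """Run one program. If it is infected the virus executes first: propagation to
    one clean program, trigger check, possibly the payload; then control passes to
    the original program, whose (simulated) output is returned."""
    prog = programs[name]
    if is_infected(prog):
        for other, code in programs.items():          # propagation phase
            if other != name and not is_infected(code):
                programs[other] = infect(code)
                break
        state["runs"] = state.get("runs", 0) + 1      # triggering phase
        if state["runs"] % TRIGGER_COUNT == 0:
            state["payload_fired"] = state.get("payload_fired", 0) + 1  # execution phase
    return b"output of " + original_code(prog)


def scan(programs: dict, signature: bytes) -> list:
    """Signature scanner: names of all programs containing the byte pattern."""
    return sorted(n for n, code in programs.items() if signature in code)


def demo() -> dict:
    programs = {"editor": b"editor-code", "shell": b"shell-code", "mail": b"mail-code"}
    programs["editor"] = infect(programs["editor"])   # initial infection
    state = {}
    for _ in range(3):                                # each run of editor infects one more host
        run("editor", programs, state)
    # replace mail's plain copy with an encrypted copy (key chosen per infection)
    programs["mail"] = infect_encrypted(original_code(programs["mail"]), key=0x5A)
    return {
        "infected": scan(programs, MARKER),
        "by_body_signature": scan(programs, VIRUS_BODY[:16]),
        "by_stub_signature": scan(programs, DECRYPTOR_STUB),
        "payload_fired": state.get("payload_fired", 0),
    }


if __name__ == "__main__":
    print(demo())
```

A real polymorphic virus goes one step further and mutates the decryptor stub itself (instruction substitution, junk insertion), which is what removes the last fixed byte pattern and forces scanners toward emulation or behaviour analysis.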
Macro and scripting viruses
• Became very common in the mid-1990s since
– platform independent
– infect documents, not executables
– easily spread
• Exploit macro capability of Office apps
– executable program embedded in an office doc
– often a form of Basic (e.g. VBA)
• More recent releases include protection
• Recognized by many anti-virus programs
E-Mail Viruses
• More recent development
• Melissa (1999)
– exploits an MS Word macro in an attached document
– if the attachment is opened, the macro activates
– sends email to everyone on the user’s address list and does local damage
Worms
• Replicating program that propagates over a network
– using email, remote execution, remote login
• Has phases like a virus:
– dormant, propagation, triggering, execution
– propagation phase: searches for other systems, connects to them, copies itself to them and runs
• May disguise itself as a system process
• Concept seen in Brunner’s “Shockwave Rider”
• Implemented by Xerox Palo Alto labs in the 1980s
Mobile code
• Scripts, macros or other portable instructions
• Popular ones: JavaScript, ActiveX, VBScript
• Runs unchanged on heterogeneous platforms
• Shipped from a remote system to a local system and executed there
• Can act as an agent for viruses, worms, and Trojan horses
• Mobile phone worms: spread over Bluetooth connections (e.g., CommWarrior on Symbian; attempts on Android and iPhone as well)
Client-side vulnerabilities
• Drive-by-downloads: common in recent attacks
• Exploit browser vulnerabilities (when a user visits a website controlled by the attacker or a compromised website)
• Clickjacking
Social engineering, spam, email, Trojans
• Spam (much better protection now)
• Trojan horse: looks like a useful tool but contains hidden code
Other forms of malware
• Ransomware
Payload
• Data destruction, theft
• Data encryption (ransomware)
• Real-world damage
– Stuxnet: also caused physical damage (targeted Siemens industrial control software)
• Logic bomb
Payload attack agents: bots (zombie/drone)
• Program that takes over other computers and launches attacks from them
– attacks are hard to trace back to the attacker
• If coordinated, they form a botnet
• Characteristics:
– remote control facility (distinguishing factor)
• via IRC/HTTP etc.
– spreading mechanism
• attack software, vulnerability, scanning strategy
• Various counter-measures applicable (IDS, honeypots, …)
Uses of bots
DDoS
Spamming
Sniffing traffic
Keylogging
Spreading malware
Installing advertisement
Manipulating games and polls

Payload: information theft
• Credential theft, keyloggers, spyware
• Phishing, identity theft
• Spear phishing (poses as a trusted source to a specific target)
Payload: rootkits and backdoor
• Set of programs installed to maintain covert admin (root) access
• Malicious and stealthy changes to the host O/S
• May hide its existence
– subverting reporting mechanisms on processes, files, registry entries etc.
• May be persistent (survives reboot) or memory-based
• Do not rely on vulnerabilities
– installed via Trojan
– installed by hackers once they already have admin access
• Backdoor: often left by programmers (a maintenance hook)
Denial-of-service, Chapter 7
• Denial of service (DoS): an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space
• Attacks (overload or invalid requests to services that consume significant resources) target:
– network bandwidth
– system resources
– application resources
• Have been an issue for some time (25% of respondents to an FBI survey)
Countermeasures
• Prevention
• Detection, identification, removal
• Requirements
– generality
– timeliness
– resiliency
– minimal DoS costs
– transparency
– global/local coverage (inside and outside attackers)
Summary
• introduced types of malicious software
– incl. backdoor, logic bomb, Trojan horse, mobile code
• virus types and countermeasures
• worm types and countermeasures
• bots
• rootkits
• Lab Work: the exploit formulation process, generating and using this malware to exploit our assets
Lab Work: The exploit formulation process: generating and using malicious software to exploit our target/asset (break confidentiality and availability)
Asset 1: Microsoft Windows OS x64
Asset 2: Metasploitable2
Attack Tools: Kali Linux/Ubuntu with Metasploit, nmap, msfvenom, Veil, Armitage, Nessus, etc.
Mode of Attacks: Remote and Client-Side Attack
Our Remote Attack Tree
Imagine we have the IP address of our target and it is up and running.
- check the target’s OS
- what is the OS version?
- scan for vulnerabilities
- check for open ports and services
- check service versions
- search online for exploits
• Why do we need OS and service versions?
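As an added worked example for the attack tree above (not part of the lab slides), the following Python parses nmap's XML output, which is what `nmap -sV -O -oX scan.xml <target>` produces, into the facts the tree asks for: whether the host is up, the best OS match, the open ports, and the fingerprinted service versions. From those it builds the product-plus-version strings you would search in Exploit-DB/searchsploit or the Metasploit module list. The embedded XML is a constructed sample in nmap's format (the address and the vsftpd/OpenSSH/Apache entries are illustrative, not from a real scan). It also answers the slide's closing question: public exploits are written against specific OS and service versions, so a bare open port or a table-guessed service name (the low-confidence, filtered port 139 entry in the sample) is not enough to pick one; the script drops such entries from the search list.

```python
"""Parse nmap -oX output into the recon facts the attack tree needs.
SAMPLE_NMAP_XML is a CONSTRUCTED sample in nmap's XML format; the address,
OS matches and service banners are illustrative, not from a real scan."""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.168.56.101" version="7.94">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1"
                 extrainfo="protocol 2.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.2.8"
                 extrainfo="(Ubuntu) DAV/2" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="filtered" reason="no-response"/>
        <service name="netbios-ssn" method="table" conf="3"/>
      </port>
    </ports>
    <os>
      <osmatch name="Linux 2.6.9 - 2.6.33" accuracy="96"/>
      <osmatch name="Linux 2.6.24" accuracy="91"/>
    </os>
  </host>
</nmaprun>
"""


def parse_hosts(xml_text: str) -> list:
    """Return one dict per host: address, up/down state, best OS guess with its
    accuracy, and the open ports with whatever -sV fingerprinted on them."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.findall("host"):
        best_acc, best_os = 0, None
        for m in h.findall("os/osmatch"):           # keep the highest-accuracy OS match
            acc = int(m.get("accuracy", "0"))
            if acc > best_acc:
                best_acc, best_os = acc, m.get("name")
        services = []
        for p in h.findall("ports/port"):
            if p.find("state").get("state") != "open":   # closed/filtered ports carry no service
                continue
            s = p.find("service")
            attrs = s.attrib if s is not None else {}
            services.append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "name": attrs.get("name", "unknown"),
                "product": attrs.get("product", ""),
                "version": attrs.get("version", ""),
                "conf": int(attrs.get("conf", "0")),  # nmap's 0-10 confidence in the fingerprint
            })
        hosts.append({
            "addr": h.find("address").get("addr"),
            "state": h.find("status").get("state"),
            "os": best_os,
            "os_accuracy": best_acc,
            "services": services,
        })
    return hosts


def exploit_search_terms(host: dict, min_conf: int = 5) -> list:
    """Product + version strings to search in Exploit-DB / searchsploit / Metasploit.
    Only probed fingerprints with a product and version qualify: a port number or a
    service name guessed from the port table is not enough to choose an exploit."""
    terms = []
    for s in host["services"]:
        if s["product"] and s["version"] and s["conf"] >= min_conf:
            terms.append(f"{s['product']} {s['version'].split()[0]}")
    return terms


def recon_report(xml_text: str) -> str:
    """Human-readable summary of the steps in the attack tree for every host."""
    lines = []
    for h in parse_hosts(xml_text):
        lines.append(f"{h['addr']} is {h['state']}; OS guess: {h['os']} ({h['os_accuracy']}%)")
        for s in h["services"]:
            lines.append(f"  {s['port']}/{s['proto']} {s['name']}: {s['product']} {s['version']}".rstrip())
        lines.append("  search: " + "; ".join(exploit_search_terms(h)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(recon_report(SAMPLE_NMAP_XML))
```

Run the real scan first (`nmap -sV -O -oX scan.xml <target>`), then feed `scan.xml` to `recon_report`; treat the search terms as leads to verify against the target, since banners can be stale or deliberately altered.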
