MALICIOUS SOFTWARE
Raja M. Khurram Shahzad

Overview
— Introduction
— Virus
— Worm
— Other Malicious Software
  o Backdoor/Trapdoor
  o Logic Bomb
  o Trojan Horse
— DDoS Attack
  o DDoS Description
  o Construction of Attack

Program Definition
A computer program tells a computer what to do and how to do it.
•  Computer viruses, network worms, and Trojan Horses are computer programs.

Malicious software?
•  Malicious Software (Malware) is software that is included or inserted in a system for harmful purposes.
OR
•  Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do.

The Malware Zoo
•  Virus
•  Worms
•  Logic Bomb
•  Trojan horse
•  Zombie
•  Scareware
•  Adware
•  Backdoor / Trapdoors

Taxonomy of Malicious Programs
Malicious Programs
  –  Need Host Program: Trapdoors, Logic Bombs, Trojan Horses, Viruses
  –  Independent: Worms, Zombies
Most current malicious code mixes all capabilities!

What is it good for?
•  Steal personal information
•  Delete files
•  Click fraud
•  Steal software serial numbers

What to Infect
•  Executable
•  Interpreted file
•  Kernel
•  Service
•  Master Boot Record

Virus
•  Self-replicating code, attaches itself to another program and executes secretly when the host program is executed.
•  No hidden action
     –  Generally tries to remain undetected, but what about activities such as deleted files?

Parts of a Virus
•  Three Parts
     –  Infection Mechanism: The means by which a virus spreads, enabling it to replicate; also referred to as the Infection Vector.
     –  Trigger: The event or condition that determines when the payload is activated or delivered.
     –  Payload: The payload may involve damage or may involve benign but NOTICEABLE activity.

Phases – Life Cycle
•  Dormant phase - the virus is idle
•  Propagation phase - the virus places an identical copy of itself into other programs
•  Triggering phase – the virus is activated to perform the function for which it was intended
•  Execution phase – the function is performed

Virus Structure

Operation routine
•  Operates when the infected code is executed (execution sequence)
     –  Jump to main virus program
     –  If spread (infection) condition then
        {
          For target files: if not infected, then alter file to include virus
        }
     –  Perform malicious action
     –  Transfer control back
     –  Execute normal program
•  If the infection phase is rapid, the user will not notice any difference between the execution of an infected program and an uninfected program.

Types of Viruses
•  On the basis of target
•  Boot Sector Infector: Infects the master boot record / boot record (boot sector) of a disk and spreads when a system is booted with an infected disk (original DOS viruses). They are memory-resident viruses.
•  File Infector: Infects executable files; they are also called Parasitic Viruses as they attach themselves to executable files as part of their code. Runs whenever the host program is executed.
•  Macro Virus – Infects files with macro code that is interpreted by the relevant application, such as doc or excel files.

Types of Viruses
•  On the basis of concealment strategy
•  Encrypted Virus – A portion of the virus creates a random encryption key and encrypts the remainder of the virus. The key is stored with the virus. When the virus replicates, a different random key is generated.
•  Stealth Virus - explicitly designed to hide from virus scanning programs.
•  Polymorphic Virus - mutates with every new host to prevent signature detection; signature detection is useless.
•  Metamorphic Virus – Rewrites itself completely with every new host, and may change its behavior and appearance.

Recent addition: Email Virus
•  Moves around in e-mail messages, triggered when the user opens the attachment
•  Does local damage on the user's system
•  Propagates very quickly
•  Replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book

Examples of risky file types
•  The following file types should never be opened if…
     –  .EXE
     –  .PIF
     –  .BAT
     –  .VBS
     –  .COM

Virus Propagation
•  Virus written in some language, e.g. C, C++, Assembly etc.
•  Inserted into another program
     –  using a tool called a "dropper"
•  Virus dormant until the program is executed
     –  then infects other programs
     –  eventually executes its "payload"

Virus Propagation
•  An executable program
•  With a virus at the front (file size is increased)
•  With the virus at the end (file size is increased)
•  With a virus spread over free space within the program

Virus Propagation
(a) A program
(b) Infected program
(c) Compressed infected program
(d) Encrypted virus
(e) Compressed virus with encrypted compression code

Anti-virus
•  It is not possible to build a perfect virus/malware detector.
•  Analyze system behavior
•  Analyze the binary to decide if it is a virus
•  Type:
     –  Scanner
     –  Real time monitor

Anti-virus
•  Scanners
     –  First Generation, relied on signatures.
     –  Second Generation, relied on heuristic rules or integrity checking (e.g. a checksum appended to a program).
•  Real Time Monitors
     •  Third Generation, memory resident and identify a virus by its actions (behaviour).
     •  Fourth Generation, combination of different capabilities.

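The integrity-checking and signature approaches above, as an added Python example that is not part of the original slides: a baseline of SHA-256 digests and sizes is recorded for a set of files and compared later, and a trivial byte-pattern scan stands in for a first-generation signature scanner. The file contents and the marker pattern are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Constructed marker standing in for a signature; not a real malware pattern.
DEMO_MARKER = b"DEMO-MARKER-NOT-A-REAL-VIRUS"
SIGNATURES = {"demo-marker": DEMO_MARKER}


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record size and digest per file. This is the second-generation checksum
    idea, except the checksum is kept in a separate baseline instead of being
    appended to the program, so code that rewrites the file cannot also
    rewrite the checksum."""
    return {p: {"size": os.path.getsize(p), "sha256": file_digest(p)} for p in paths}


def check_integrity(baseline):
    """Compare each baselined file with its recorded state.
    Statuses: ok, grown (larger: a prepender/appender), modified (same size or
    smaller: overwritten or cavity-filled), missing."""
    results = {}
    for path, rec in baseline.items():
        if not os.path.exists(path):
            results[path] = "missing"
            continue
        if file_digest(path) == rec["sha256"]:
            results[path] = "ok"
        elif os.path.getsize(path) > rec["size"]:
            results[path] = "grown"
        else:
            results[path] = "modified"
    return results


def signature_scan(path, signatures=SIGNATURES):
    """First-generation scanner: names of byte patterns found in the file."""
    with open(path, "rb") as f:
        data = f.read()
    return [name for name, pattern in signatures.items() if pattern in data]


def demo():
    """Constructed scenario: four stand-in programs are baselined, then one is
    appended to, one is patched in place, one is deleted, one is left alone."""
    tmp = tempfile.mkdtemp()
    names = ["clean.bin", "appended.bin", "patched.bin", "deleted.bin"]
    paths = [os.path.join(tmp, n) for n in names]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"\x7fELF" + b"\x00" * 64)  # constructed stand-in for a program
    baseline = build_baseline(paths)
    with open(paths[1], "ab") as f:            # appender: the file grows
        f.write(DEMO_MARKER)
    with open(paths[2], "r+b") as f:           # in-place patch: same size
        f.seek(8)
        f.write(b"\xff")
    os.remove(paths[3])
    status = {os.path.basename(p): s for p, s in check_integrity(baseline).items()}
    return status, signature_scan(paths[1]), signature_scan(paths[0])
```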
Worm
A computer worm is a self-replicating computer virus. It uses a network to send copies of itself to other nodes and does so without any user intervention.

Comparison of Worm Features
1) Computer Virus:
   • Needs a host file
   • Copies itself
   • Executable
2) Network Worm:
   • No host (self-contained)
   • Copies itself
   • Executable
3) Trojan Horse:
   • No host (self-contained)
   • Does not copy itself
   • Imposter program

Worm: History
•  Runs independently
     –  Does not require a host program
•  Propagates a fully working version of itself to other machines
—  History
     ◦  The Morris worm was one of the first worms distributed over the Internet
     —  Two examples
          ◦  Morris – 1998,
          ◦  Slammer – 2003

Worm Operation
•  A worm has similar phases to a virus:
     •  Dormant (inactive; at rest)
     •  Propagation
          •  Search for other systems to infect
          •  Establish connection to the target remote system
          •  Replicate self onto the remote system
     –  Triggering
     –  Execution

Morris Worm
•  Best known classic worm
•  Released by Robert Morris in 1988
•  Targeted Unix systems
•  Used several propagation techniques
•  If any attack succeeded, it replicated itself

Slammer (Sapphire) Worm
•  When
     •  Jan 25 2003
•  How
     •  Exploited a buffer overflow in MS SQL
•  Random Scanning
     •  Randomly selected IP addresses
•  Cost
     •  Caused ~ $2.6 Billion in damage

Slammer Scale
The diameter of each circle is a function of the number of infected machines, so large circles visually under-represent the number of infected cases in order to minimize overlap with adjacent locations.

The worm itself …
—  System load
     ◦  Infection generates a number of processes
     ◦  Password cracking uses lots of resources
     ◦  Thousands of systems were shut down
•  Tries to infect as many other hosts as possible
     –  When the worm successfully connects, it leaves a child to continue the infection while the parent keeps trying new hosts
     –  Finds targets using several mechanisms: 'netstat -r -n', /etc/hosts,
•  The worm DOES NOT:
     –  Delete system files, modify existing files, install Trojan horses, record or transmit decrypted passwords, capture super user privileges

Backdoor or Trapdoor
—  Secret entry point into a program
—  Allows those who know of it to gain access, bypassing the usual security procedures
—  Remains hidden to casual inspection
—  Can be a new program to be installed
—  Can modify an existing program
—  Trap doors can provide access to a system for unauthorized procedures
—  Very hard to block in the O/S

Trap Door Example
(a) Normal code.
(b) Code with a trapdoor inserted

Logic Bomb
•  One of the oldest types of malicious software
•  Piece of code that executes itself when pre-defined conditions are met
•  Logic Bombs that execute on certain days are known as Time Bombs
•  Activated when specified conditions are met
     –  E.g., presence/absence of some file
     –  particular date/time
     –  particular user
•  When triggered, typically damages the system
     –  modify/delete files/disks, halt machine, etc.

Tracing Logic Bombs
•  Searching - Even the most experienced programmers have trouble erasing all traces of their code
•  Knowledge - Important to understand the underlying system functions, the hardware, the hardware/software/firmware/operating system interface, and the communications functions inside and outside the computer
•  Example of benign logical fun
     –  http://googletricks.com/top-25-fun-google-tricks/
     –  Type zerg rush in google

Trojan Horse
•  A Trojan horse is a malicious program that is disguised as authentic, real and genuine software.
•  Like the gift horse left outside the gates of Troy by the Greeks, Trojan Horses appear to be useful or interesting to an unsuspecting user, but are actually harmful.

Trojan Percentage

What can Trojans do?
•  Erase or overwrite data on a computer
•  Spread other viruses or install a backdoor. In this case the Trojan horse is called a 'dropper'.
•  Setting up networks of zombie computers in order to launch DDoS attacks or send spam.
•  Logging keystrokes to steal information such as passwords and credit card numbers (known as a key logger)
•  Phish for bank or other account details, which can be used for criminal activities.
•  Or simply destroy data
•  Mail the password file.

How can you be infected?
•  Websites: You can be infected by visiting a rogue website. Internet Explorer is most often targeted by makers of Trojans and other pests. Even using a secure web browser, such as Mozilla's Firefox, if Java is enabled, your computer has the potential of receiving a Trojan horse.
•  Instant message: Many get infected through files sent through various messengers. This is due to an extreme lack of security in some instant messengers, such as AOL's instant messenger.
•  E-mail: Attachments on e-mail messages may contain Trojans. Trojan horses via SMTP.

Sample Delivery
•  The attacker will attach the Trojan to an e-mail with an enticing header.
•  The Trojan horse is typically a Windows executable program file, and must have an executable file extension such as .exe, .com, .scr, .bat, or .pif. Since Windows is configured by default to hide extensions from a user, the Trojan horse's extension might be "masked" by giving it a name such as 'Readme.txt.exe'. With file extensions hidden, the user would only see 'Readme.txt' and could mistake it for a harmless text file.

Where They Live? (1)
•  Autostart Folder
   The Autostart folder is located in C:\Windows\Start Menu\Programs\startup and, as its name suggests, automatically starts everything placed there.
•  Win.ini
   Windows system file using load=Trojan.exe and run=Trojan.exe to execute the Trojan
•  System.ini
   Using Shell=Explorer.exe trojan.exe results in execution of every file after Explorer.exe
•  Wininit.ini
   Setup programs mostly use it; once run, it is auto-deleted, which is very handy for Trojans to restart

Where They Live? (2)
•  Winstart.bat
   Acting as a normal bat file; the trojan is added as @trojan.exe to hide its execution from the user
•  Autoexec.bat
   It's a DOS auto-starting file and it's used as an auto-starting method like this -> c:\Trojan.exe
•  Config.sys
   Could also be used as an auto-starting method for Trojans
•  Explorer Startup
   Is an auto-starting method for Windows 95, 98, ME, XP: if c:\explorer.exe exists, it will be started instead of the usual c:\Windows\Explorer.exe, which is the common path to the file.

What does the attacker want?
•  Credit Card Information (often used for domain registration, shopping with your credit card)
•  Any accounting data (E-mail passwords, Login passwords, Web Services passwords, etc.)
•  Email Addresses (Might be used for spamming, as explained above)
•  Work Projects (Steal your presentations and work related papers)
•  School work (steal your papers and publish them with his/her name on it)

Stopping the Trojan …
The Horse must be "invited in" ….
How does it get in? By:
     Downloading a file
     Installing a program
     Opening an attachment
     Opening bogus Web pages
     Copying a file from someone else

Zombie
•  A program which secretly takes over another networked computer and forces it to run under a common command and control infrastructure.
•  Uses it to indirectly launch attacks, e.g., DDoS, phishing, spamming, cracking
•  Difficult to trace the zombie's creator
•  Infected computers — mostly Windows machines — are now the major delivery method of spam.
•  Zombies have been used extensively to send e-mail spam; between 50% and 80% of all spam worldwide is now sent by zombie computers.

Adware

Scareware / Rogue / Fake antivirus

Where malware Lives: Auto start
•  Folder auto-start
•  Win.ini : "run=[backdoor]" or "load=[backdoor]".
•  System.ini : shell="myexplorer.exe"
•  Autoexec.bat
•  Config.sys
•  Init.d

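An audit of the win.ini and system.ini entries listed on slides 41, 42 and 48, as an added Python example that is not from the original deck: it parses ini-style text and flags non-empty load=/run= values under [windows] and a Shell= line under [boot] that launches anything besides explorer.exe. The sample ini contents are constructed.

```python
import ntpath
import re

# Constructed samples mirroring the entries the slides describe.
WIN_INI_SAMPLE = r"""[windows]
load=
run=C:\Windows\Trojan.exe
[fonts]
"""
SYSTEM_INI_SAMPLE = r"""[boot]
shell=Explorer.exe trojan.exe
[386Enh]
"""
CLEAN_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n"


def parse_ini(text):
    """Minimal INI parser: {section: {key: value}}, section and key names lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_win_ini(text):
    """Flag any non-empty load= or run= under [windows]; both are empty on a clean system."""
    findings = []
    windows = parse_ini(text).get("windows", {})
    for key in ("load", "run"):
        value = windows.get(key, "")
        if value:
            findings.append(f"win.ini [windows] {key}={value}")
    return findings


def audit_system_ini(text):
    """Flag a Shell= that is not exactly explorer.exe: every extra token after the
    shell name is launched alongside it, which is the trick on slide 41."""
    findings = []
    shell = parse_ini(text).get("boot", {}).get("shell", "")
    tokens = shell.split()
    if tokens and (len(tokens) != 1 or ntpath.basename(tokens[0]).lower() != "explorer.exe"):
        findings.append(f"system.ini [boot] shell={shell}")
    return findings


def audit_all(win_ini_text, system_ini_text):
    """Combined report for the two legacy files."""
    return audit_win_ini(win_ini_text) + audit_system_ini(system_ini_text)
```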
Auto start
•  Assign a known extension (.doc) to the malware
•  Add a Registry key such as HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
•  Add a task in the task scheduler
•  Run as a service

Web
—  1.3% of the incoming search queries to Google returned at least one malware site
—  Visit sites with an army of browsers in VMs, check for changes to the local system
—  Indicate potentially harmful sites in search results

Web: Fake page

Shared folder

Email

Email again

P2P Files
•  35.5% malware

Typical Symptoms
•  File deletion
•  File corruption
•  Visual effects
•  Pop-Ups
•  Computer crashes
•  Slow connection
•  Spam relaying

Distributed Denial of Service
•  A denial-of-service attack is an attack that causes a loss of service to users, typically the loss of network connectivity.
•  CPU, memory, network connectivity, network bandwidth, battery energy
•  Hard to address, especially in distributed form

DDoS Mechanism
•  Goal: make a service unusable.
•  How: overload a server, router, or network link by flooding it with useless traffic
•  Focus: bandwidth attacks, using large numbers of "zombies"

How does it work?
•  The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users.
•  Victim's IP address.
•  Victim's port number.
•  Attacking packet size.
•  Attacking inter-packet delay.
•  Duration of attack.

Example 1
•  Ping-of-death
     –  An IP packet with a size larger than 65,536 bytes is illegal by standard
     –  Many operating systems did not know what to do when they received an oversized packet, so they froze, crashed or rebooted.
     –  Routers forward each packet independently.
     –  Routers don't know about connections.
     –  Complexity is in end hosts; routers are simple.

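The check a packet filter or reassembly code applies to catch the oversized datagram described above, as an added Python example not from the original slides: it decodes the IPv4 header of each fragment and flags any fragment whose offset plus payload length would push the reassembled datagram past the 65,535-byte maximum that the 16-bit Total Length field allows. The fragment headers are constructed.

```python
import struct

IPV4_MAX_DATAGRAM = 65535      # Total Length is 16 bits, so a reassembled datagram can never exceed this
HEADER_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header without options
MF_FLAG = 0x2000               # "more fragments" bit in the flags/fragment-offset word


def build_ipv4_header(total_length, frag_offset_units, more_fragments, ident=0x1234, proto=1):
    """Constructed header for the demo; the offset is in 8-byte units as on the wire."""
    flags_frag = (MF_FLAG if more_fragments else 0) | (frag_offset_units & 0x1FFF)
    return struct.pack(HEADER_FMT, 0x45, 0, total_length, ident, flags_frag, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def parse_ipv4_header(data):
    """Decode the fields a fragment check needs; raises on short or non-IPv4 data."""
    if len(data) < 20:
        raise ValueError("short packet")
    version_ihl, _, total_length, ident, flags_frag, _, proto, _, _, _ = struct.unpack(HEADER_FMT, data[:20])
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    return {
        "ihl": (version_ihl & 0x0F) * 4,
        "total_length": total_length,
        "id": ident,
        "more_fragments": bool(flags_frag & MF_FLAG),
        "offset": (flags_frag & 0x1FFF) * 8,   # byte offset of this payload in the full datagram
        "proto": proto,
    }


def fragment_end(hdr):
    """Position in the reassembled datagram where this fragment's payload ends."""
    return hdr["offset"] + (hdr["total_length"] - hdr["ihl"])


def is_oversized(hdr):
    """True when accepting this fragment would push the datagram past 65,535 bytes,
    which is exactly what a ping-of-death relies on."""
    return fragment_end(hdr) > IPV4_MAX_DATAGRAM


def flag_oversized(packets):
    """Scan raw packets and return the ids of datagrams to drop before reassembly."""
    return sorted({hdr["id"] for hdr in map(parse_ipv4_header, packets) if is_oversized(hdr)})


def demo():
    """Constructed fragment trains: id 0x1234 ends exactly at the limit, id 0xBEEF overshoots it."""
    packets = [
        build_ipv4_header(1500, 0, True, ident=0x1234),    # first fragment, 1480 payload bytes
        build_ipv4_header(43, 8189, False, ident=0x1234),  # last fragment: 65512 + 23 = 65535, legal
        build_ipv4_header(1500, 0, True, ident=0xBEEF),
        build_ipv4_header(68, 8189, False, ident=0xBEEF),  # last fragment: 65512 + 48 = 65560, oversized
    ]
    return flag_oversized(packets)
```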
Example 2
•  TCP handshake
•  SYN Flood
     –  A stream of TCP SYN packets directed to a listening TCP port at the victim
     –  The victim host must allocate new data structures for each SYN request
     –  Legitimate connections are denied while the victim machine is waiting to complete bogus "half-open" connections
     –  Not a bandwidth consumption attack
•  IP Spoofing

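Detecting the half-open build-up described above from the server side, as an added Python example not from the original slides: it replays constructed handshake events (time, client address, client port, flag seen at the listening port) and reports how many connections are stuck waiting for the final ACK relative to the listen backlog. The event list and the backlog size are constructed.

```python
def half_open_connections(events):
    """events: (t, client_ip, client_port, flag) with flag 'SYN' or 'ACK' as seen
    at the listening port. Returns {(client_ip, client_port): syn_time} for
    handshakes still waiting for the client's final ACK."""
    pending = {}
    for t, ip, port, flag in events:
        key = (ip, port)
        if flag == "SYN":
            pending.setdefault(key, t)   # server allocates state and sends SYN-ACK here
        elif flag == "ACK":
            pending.pop(key, None)       # third step done: state moves to ESTABLISHED
    return pending


def syn_flood_assessment(events, now, backlog, max_age=3.0):
    """Summarise backlog pressure. A legitimate client answers the SYN-ACK within
    a round trip, so half-open entries older than max_age seconds are the
    spoofed ones; alarm when they fill half of the listen backlog."""
    pending = half_open_connections(events)
    stale = {k: now - t for k, t in pending.items() if now - t > max_age}
    return {
        "half_open": len(pending),
        "stale_half_open": len(stale),
        "completed": sum(1 for e in events if e[3] == "ACK"),
        "backlog_used_pct": round(100.0 * len(pending) / backlog, 1),
        "distinct_sources": len({ip for ip, _ in stale}),
        "alarm": len(stale) >= backlog // 2,
    }


def constructed_events(flood=True):
    """Three legitimate handshakes that complete, plus (optionally) 60 SYNs from
    distinct addresses in 198.51.100.0/24 that are never followed by an ACK,
    which is what spoofed sources look like from the victim."""
    events = []
    legit = [("192.0.2.10", 40001), ("192.0.2.11", 40002), ("192.0.2.12", 40003)]
    for i, (ip, port) in enumerate(legit):
        events.append((0.1 * i, ip, port, "SYN"))
        events.append((0.1 * i + 0.05, ip, port, "ACK"))
    if flood:
        for i in range(60):
            events.append((1.0 + 0.01 * i, f"198.51.100.{i + 1}", 50000 + i, "SYN"))
    return events
```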
From DoS to DDoS

Distributed DoS Attack

DDoS Countermeasures
•  Three broad lines of defense:
     1.  attack prevention & preemption (before)
     2.  attack detection & filtering (during)
     3.  attack source traceback & identification (after)


Virus and its types 2Saud G
 
Viruses and virus countetmeasures
Viruses and virus countetmeasuresViruses and virus countetmeasures
Viruses and virus countetmeasuresprawinrajanIT
 
Presentation_malware_anti_malware.pptx
Presentation_malware_anti_malware.pptxPresentation_malware_anti_malware.pptx
Presentation_malware_anti_malware.pptxitsamuamit11
 
malwareanti-malware-160630191004 (1).pdf
malwareanti-malware-160630191004 (1).pdfmalwareanti-malware-160630191004 (1).pdf
malwareanti-malware-160630191004 (1).pdfitsamuamit11
 
Learning malware for fun and profit
Learning  malware for fun and profitLearning  malware for fun and profit
Learning malware for fun and profitsr1nu
 
computer viruses
computer virusescomputer viruses
computer virusesishan2shawn
 
How do antivirus works
How do antivirus worksHow do antivirus works
How do antivirus workschinmay kelkar
 
Computer virus & its cure
Computer virus & its cure Computer virus & its cure
Computer virus & its cure shubhamverma2711
 
Virus and its CounterMeasures -- Pruthvi Monarch
Virus and its CounterMeasures                         -- Pruthvi Monarch Virus and its CounterMeasures                         -- Pruthvi Monarch
Virus and its CounterMeasures -- Pruthvi Monarch Pruthvi Monarch
 
Lecture 12 malicious software
Lecture 12 malicious software Lecture 12 malicious software
Lecture 12 malicious software rajakhurram
 

Similaire à Malicious software (20)

Lecture malicious software
Lecture malicious softwareLecture malicious software
Lecture malicious software
 
Introduction to Virus,Worms,Trojans & Malwares - NullAhm pre-meet
Introduction to Virus,Worms,Trojans & Malwares - NullAhm pre-meet Introduction to Virus,Worms,Trojans & Malwares - NullAhm pre-meet
Introduction to Virus,Worms,Trojans & Malwares - NullAhm pre-meet
 
Computer Virus
Computer VirusComputer Virus
Computer Virus
 
6unit1 virus and their types
6unit1 virus and their types6unit1 virus and their types
6unit1 virus and their types
 
Cryptography presentation
Cryptography presentationCryptography presentation
Cryptography presentation
 
Virus and its types 2
Virus and its types 2Virus and its types 2
Virus and its types 2
 
Viruses and virus countetmeasures
Viruses and virus countetmeasuresViruses and virus countetmeasures
Viruses and virus countetmeasures
 
Presentation_malware_anti_malware.pptx
Presentation_malware_anti_malware.pptxPresentation_malware_anti_malware.pptx
Presentation_malware_anti_malware.pptx
 
Viruses worms
Viruses wormsViruses worms
Viruses worms
 
Iss lecture 9
Iss lecture 9Iss lecture 9
Iss lecture 9
 
malwareanti-malware-160630191004 (1).pdf
malwareanti-malware-160630191004 (1).pdfmalwareanti-malware-160630191004 (1).pdf
malwareanti-malware-160630191004 (1).pdf
 
Learning malware for fun and profit
Learning  malware for fun and profitLearning  malware for fun and profit
Learning malware for fun and profit
 
over view of viruses
over view of virusesover view of viruses
over view of viruses
 
computer viruses
computer virusescomputer viruses
computer viruses
 
How do antivirus works
How do antivirus worksHow do antivirus works
How do antivirus works
 
Isas
IsasIsas
Isas
 
Computer virus & its cure
Computer virus & its cure Computer virus & its cure
Computer virus & its cure
 
Virus and its CounterMeasures -- Pruthvi Monarch
Virus and its CounterMeasures                         -- Pruthvi Monarch Virus and its CounterMeasures                         -- Pruthvi Monarch
Virus and its CounterMeasures -- Pruthvi Monarch
 
Viruses & worms
Viruses & wormsViruses & worms
Viruses & worms
 
Lecture 12 malicious software
Lecture 12 malicious software Lecture 12 malicious software
Lecture 12 malicious software
 

Plus de rajakhurram

Lecture 11 wifi security
Lecture 11 wifi securityLecture 11 wifi security
Lecture 11 wifi securityrajakhurram
 
Lecture 10 intruders
Lecture 10 intrudersLecture 10 intruders
Lecture 10 intrudersrajakhurram
 
Lecture 9 key distribution and user authentication
Lecture 9 key distribution and user authentication Lecture 9 key distribution and user authentication
Lecture 9 key distribution and user authentication rajakhurram
 
Lecture 7 certificates
Lecture 7 certificatesLecture 7 certificates
Lecture 7 certificatesrajakhurram
 
Lecture 6 web security
Lecture 6 web securityLecture 6 web security
Lecture 6 web securityrajakhurram
 
Lecture 5 ip security
Lecture 5 ip securityLecture 5 ip security
Lecture 5 ip securityrajakhurram
 
Lecture 4 firewalls
Lecture 4 firewallsLecture 4 firewalls
Lecture 4 firewallsrajakhurram
 
Lecture 3b public key_encryption
Lecture 3b public key_encryptionLecture 3b public key_encryption
Lecture 3b public key_encryptionrajakhurram
 
Lecture3a symmetric encryption
Lecture3a symmetric encryptionLecture3a symmetric encryption
Lecture3a symmetric encryptionrajakhurram
 
Lecture2 network attack
Lecture2 network attackLecture2 network attack
Lecture2 network attackrajakhurram
 
Lecture1 Introduction
Lecture1 Introduction Lecture1 Introduction
Lecture1 Introduction rajakhurram
 
Lecture 8 mail security
Lecture 8 mail securityLecture 8 mail security
Lecture 8 mail securityrajakhurram
 

Plus de rajakhurram (12)

Lecture 11 wifi security
Lecture 11 wifi securityLecture 11 wifi security
Lecture 11 wifi security
 
Lecture 10 intruders
Lecture 10 intrudersLecture 10 intruders
Lecture 10 intruders
 
Lecture 9 key distribution and user authentication
Lecture 9 key distribution and user authentication Lecture 9 key distribution and user authentication
Lecture 9 key distribution and user authentication
 
Lecture 7 certificates
Lecture 7 certificatesLecture 7 certificates
Lecture 7 certificates
 
Lecture 6 web security
Lecture 6 web securityLecture 6 web security
Lecture 6 web security
 
Lecture 5 ip security
Lecture 5 ip securityLecture 5 ip security
Lecture 5 ip security
 
Lecture 4 firewalls
Lecture 4 firewallsLecture 4 firewalls
Lecture 4 firewalls
 
Lecture 3b public key_encryption
Lecture 3b public key_encryptionLecture 3b public key_encryption
Lecture 3b public key_encryption
 
Lecture3a symmetric encryption
Lecture3a symmetric encryptionLecture3a symmetric encryption
Lecture3a symmetric encryption
 
Lecture2 network attack
Lecture2 network attackLecture2 network attack
Lecture2 network attack
 
Lecture1 Introduction
Lecture1 Introduction Lecture1 Introduction
Lecture1 Introduction
 
Lecture 8 mail security
Lecture 8 mail securityLecture 8 mail security
Lecture 8 mail security
 

Dernier

How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17Celine George
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptxmary850239
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Seán Kennedy
 
Measures of Position DECILES for ungrouped data
Measures of Position DECILES for ungrouped dataMeasures of Position DECILES for ungrouped data
Measures of Position DECILES for ungrouped dataBabyAnnMotar
 
Activity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationActivity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationRosabel UA
 
The Contemporary World: The Globalization of World Politics
The Contemporary World: The Globalization of World PoliticsThe Contemporary World: The Globalization of World Politics
The Contemporary World: The Globalization of World PoliticsRommel Regala
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPCeline George
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfTechSoup
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfVanessa Camilleri
 
Integumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptIntegumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptshraddhaparab530
 
Textual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHSTextual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHSMae Pangan
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxiammrhaywood
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management systemChristalin Nelson
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 

Dernier (20)

How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17
 
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptxYOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...
 
Measures of Position DECILES for ungrouped data
Measures of Position DECILES for ungrouped dataMeasures of Position DECILES for ungrouped data
Measures of Position DECILES for ungrouped data
 
Activity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationActivity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translation
 
The Contemporary World: The Globalization of World Politics
The Contemporary World: The Globalization of World PoliticsThe Contemporary World: The Globalization of World Politics
The Contemporary World: The Globalization of World Politics
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdf
 
Integumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptIntegumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.ppt
 
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptxFINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
 
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptxINCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
 
Textual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHSTextual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHS
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptxYOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 

Malicious software

7. What is it good for?
• Steal personal information
• Delete files
• Click fraud
• Steal software serial numbers

8. What to Infect
• Executable
• Interpreted file
• Kernel
• Service
• Master Boot Record

9. Virus
• Self-replicating code; attaches itself to another program and executes secretly when the host program is executed.
• No hidden action
– Generally tries to remain undetected, but what about activities such as deleted files?

10. Parts of a Virus
• Three parts
– Infection Mechanism: The means by which a virus spreads, enabling it to replicate; also referred to as the Infection Vector.
– Trigger: The event or condition that determines when the payload is activated or delivered.
– Payload: The payload may involve damage or may involve benign but NOTICEABLE activity.

11. Phases – Life Cycle
• Dormant phase - the virus is idle
• Propagation phase - the virus places an identical copy of itself into other programs
• Triggering phase – the virus is activated to perform the function for which it was intended
• Execution phase – the function is performed

13. Operation routine
• Operates when infected code is executed (execution sequence)
– Jump to main virus program
– If spread (infection) condition then { for target files: if not infected, then alter file to include virus }
– Perform malicious action
– Transfer control back
– Execute normal program
• If the infection phase is rapid, the user will not notice any difference between the execution of the infected program and the uninfected program.

14. Types of Viruses
• On the basis of target
• Boot Sector Infector: Infects the master boot record / boot record (boot sector) of a disk and spreads when a system is booted with an infected disk (original DOS viruses). They are memory-resident viruses.
• File Infector: Infects executable files; they are also called Parasitic Viruses as they attach themselves to executable files as part of their code. Runs whenever the host program is executed.
• Macro Virus – Infects files with macro code that is interpreted by the relevant application, such as doc or excel files.

15. Types of Viruses
• On the basis of concealment strategy
• Encrypted Virus – A portion of the virus creates a random encryption key and encrypts the remainder of the virus. The key is stored with the virus. When the virus replicates, a different random key is generated.
• Stealth Virus - explicitly designed to hide from virus scanning programs.
• Polymorphic Virus - mutates with every new host to prevent signature detection; signature detection is useless.
• Metamorphic Virus – Rewrites itself completely with every new host; may change its behavior and appearance.

16. Recent addition: Email Virus
• Moves around in e-mail messages, triggered when the user opens the attachment
• Does local damage on the user's system
• Propagates very quickly
• Replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book

17. Examples of risky file types
• The following file types should never be opened if…
– .EXE
– .PIF
– .BAT
– .VBS
– .COM

18. Virus Propagation
• Virus written in some language, e.g. C, C++, Assembly etc.
• Inserted into another program
– use a tool called a "dropper"
• Virus dormant until program executed
– then infects other programs
– eventually executes its "payload"

19. Virus Propagation
• An executable program
• With a virus at the front (file size is increased)
• With the virus at the end (file size is increased)
• With a virus spread over free space within the program

20. Virus Propagation
(a) A program
(b) Infected program
(c) Compressed infected program
(d) Encrypted virus
(e) Compressed virus with encrypted compression code

21. Anti-virus
• It is not possible to build a perfect virus/malware detector.
• Analyze system behavior
• Analyze binary to decide if it is a virus
• Type:
– Scanner
– Real time monitor

22. Anti-virus
• Scanners
– First Generation, relied on signature.
– Second Generation, relied on heuristic rules or integrity checking (e.g. checksum appended to a program).
• Real time Monitors
– Third Generation, memory resident and identify a virus by its actions (behaviour).
– Fourth Generation, combination of different capabilities.
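Slide 22's second-generation scanner relies on integrity checking: a checksum recorded for each program and compared later. The following is an added example, not from the slides, that builds a SHA-256 baseline of a directory and reports any file whose size or content has changed, which is how the virus appended or prepended to a program (slide 19: file size is increased) surfaces whether or not its body is encrypted; the directory layout and file contents are constructed.

```python
import hashlib
import os
import shutil
import tempfile


def _sha256(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directory):
    """Record (size, sha256) for every regular file under directory.

    Keys are paths relative to directory, so the baseline can be stored
    somewhere the malware cannot rewrite (read-only media, another host).
    """
    baseline = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, directory)
            baseline[rel] = (os.path.getsize(full), _sha256(full))
    return baseline


def check_integrity(directory, baseline):
    """Compare directory against baseline; return sorted (relpath, reason) findings."""
    current = build_baseline(directory)
    findings = []
    for rel, (size, digest) in baseline.items():
        if rel not in current:
            findings.append((rel, "missing"))
            continue
        cur_size, cur_digest = current[rel]
        if cur_size != size:
            findings.append((rel, "size changed %d -> %d" % (size, cur_size)))
        elif cur_digest != digest:
            # Same length but different bytes: overwritten in place
            # (a virus placed in free space inside the program, slide 19).
            findings.append((rel, "content changed, size unchanged"))
    for rel in current:
        if rel not in baseline:
            findings.append((rel, "new file"))
    return sorted(findings)


def demo():
    """Constructed scenario: two 'programs'; one later grows by an appended blob."""
    workdir = tempfile.mkdtemp(prefix="integrity_demo_")
    try:
        prog_a = os.path.join(workdir, "editor.bin")
        prog_b = os.path.join(workdir, "viewer.bin")
        with open(prog_a, "wb") as f:
            f.write(b"\x7fELF" + b"\x00" * 60)   # constructed stand-in for a binary (64 bytes)
        with open(prog_b, "wb") as f:
            f.write(b"MZ" + b"\x90" * 62)

        baseline = build_baseline(workdir)

        # Simulate slide 19's "virus at the end": the file grows, so size and hash change.
        with open(prog_a, "ab") as f:
            f.write(b"APPENDED-BLOB")
        # A dropped file that was not in the baseline at all.
        with open(os.path.join(workdir, "update.tmp"), "wb") as f:
            f.write(b"x")

        return check_integrity(workdir, baseline)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for rel, reason in demo():
        print(rel, "->", reason)
```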
23. Worm
A computer worm is a self-replicating computer virus. It uses a network to send copies of itself to other nodes and does so without any user intervention.

24. Comparison of Worm Features
1) Computer Virus:
• Needs a host file
• Copies itself
• Executable
2) Network Worm:
• No host (self-contained)
• Copies itself
• Executable
3) Trojan Horse:
• No host (self-contained)
• Does not copy itself
• Imposter program

25. Worm: History
• Runs independently
– Does not require a host program
• Propagates a fully working version of itself to other machines
— History
◦ Morris worm was one of the first worms distributed over the Internet
— Two examples
◦ Morris – 1998
◦ Slammer – 2003

26. Worm Operation
• A worm has similar phases to a virus:
• Dormant (inactive; at rest)
• Propagation
• Search for other systems to infect
• Establish connection to target remote system
• Replicate self onto remote system
– Triggering
– Execution

27. Morris Worm
• Best known classic worm
• Released by Robert Morris in 1988
• Targeted Unix systems
• Using several propagation techniques
• If any attack succeeds then replicates self

28. Slammer (Sapphire) Worm
• When
• Jan 25 2003
• How
• Exploit buffer-overflow in MS SQL
• Random scanning
• Randomly select IP addresses
• Cost
• Caused ~ $2.6 Billion in damage

29. Slammer Scale
The diameter of each circle is a function of the number of infected machines, so large circles visually under-represent the number of infected cases in order to minimize overlap with adjacent locations.

30. The worm itself …
— System load
◦ Infection generates a number of processes
◦ Password cracking uses lots of resources
◦ Thousands of systems were shut down
• Tries to infect as many other hosts as possible
– When the worm successfully connects, it leaves a child to continue the infection while the parent keeps trying new hosts
– finds targets using several mechanisms: 'netstat -r -n', /etc/hosts,
• The worm DOES NOT:
– Delete system files, modify existing files, install Trojan horses, record or transmit decrypted passwords, capture super user privileges
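Slides 26 and 28 describe the propagation phase that gives a worm away on the network: one host contacting many randomly chosen addresses on a single service. The following is an added example, not from the slides, of a fan-out detector that parses constructed flow records, counts the distinct destinations each source reaches on one port within a sliding window, and flags sources that exceed a threshold; the port in the sample, UDP/1434, is the SQL Server resolution service Slammer targeted (a known fact, not stated on the slide), and the window and threshold are assumed values.

```python
from collections import defaultdict, deque

# Constructed flow records, one per line: "epoch_seconds src_ip dst_ip proto dst_port".
# 10.0.7.99 sprays distinct addresses on UDP/1434; 10.0.5.20 talks repeatedly
# to one database server, which is normal client behaviour.
SAMPLE_FLOWS = """\
1043478000 10.0.5.20 192.168.1.10 udp 1434
1043478000 10.0.5.20 192.168.1.10 udp 1434
1043478001 10.0.7.99 203.0.113.7 udp 1434
1043478001 10.0.7.99 198.51.100.12 udp 1434
1043478001 10.0.7.99 192.0.2.200 udp 1434
1043478002 10.0.7.99 203.0.113.88 udp 1434
1043478002 10.0.7.99 198.51.100.250 udp 1434
1043478002 10.0.5.20 192.168.1.10 udp 1434
1043478003 10.0.7.99 192.0.2.13 udp 1434
1043478003 10.0.7.99 203.0.113.151 udp 1434
1043478004 10.0.7.99 198.51.100.77 udp 1434
1043478004 10.0.7.99 192.0.2.99 udp 1434
1043478090 10.0.7.99 203.0.113.5 udp 1434
"""


def parse_flows(text):
    """Parse the record format above into (ts, src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port = line.split()
        flows.append((int(ts), src, dst, proto.lower(), int(port)))
    return flows


def detect_scanners(flows, port, proto="udp", window_secs=10, fanout_threshold=8):
    """Flag sources that reach many distinct hosts on one service within a window.

    Returns {src: peak_distinct_destinations} for every source whose fan-out
    reached fanout_threshold. A client that repeatedly contacts the same server
    never accumulates distinct destinations, so it is not flagged.
    """
    recent = defaultdict(deque)                    # src -> (ts, dst) records in window
    live = defaultdict(lambda: defaultdict(int))   # src -> dst -> hits in window
    peaks = {}
    for ts, src, dst, fproto, dport in sorted(flows):
        if fproto != proto or dport != port:
            continue
        queue, counts = recent[src], live[src]
        queue.append((ts, dst))
        counts[dst] += 1
        # Slide the window: drop records older than window_secs.
        while queue and queue[0][0] < ts - window_secs:
            _old_ts, old_dst = queue.popleft()
            counts[old_dst] -= 1
            if counts[old_dst] == 0:
                del counts[old_dst]
        distinct = len(counts)
        if distinct >= fanout_threshold:
            peaks[src] = max(peaks.get(src, 0), distinct)
    return peaks


if __name__ == "__main__":
    for src, peak in detect_scanners(parse_flows(SAMPLE_FLOWS), 1434).items():
        print("scanner candidate %s: %d distinct hosts in window" % (src, peak))
```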
31. Backdoor or Trapdoor
— Secret entry point into a program
— Allows those who know of it access, bypassing the usual security procedures
— Remains hidden to casual inspection
— Can be a new program to be installed
— Can modify an existing program
— Trap doors can provide access to a system for unauthorized procedures
— Very hard to block in the O/S

32. Trap Door Example
(a) Normal code.
(b) Code with a trapdoor inserted

33. Logic Bomb
• One of the oldest types of malicious software
• Piece of code that executes itself when pre-defined conditions are met
• Logic Bombs that execute on certain days are known as Time Bombs
• Activated when specified conditions are met
– e.g., presence/absence of some file
– particular date/time
– particular user
• When triggered, typically damages the system
– modify/delete files/disks, halt machine, etc.

34. Tracing Logic Bombs
• Searching - Even the most experienced programmers have trouble erasing all traces of their code
• Knowledge - Important to understand the underlying system functions, the hardware, the hardware/software/firmware/operating system interface, and the communications functions inside and outside the computer
• Example of benign logical fun
– http://googletricks.com/top-25-fun-google-tricks/
– Type zerg rush in google

36. Trojan Horse
• A Trojan horse is a malicious program that is designed to look like authentic, real and genuine software.
• Like the gift horse left outside the gates of Troy by the Greeks, Trojan Horses appear to be useful or interesting to an unsuspecting user, but are actually harmful.

38. What can Trojans do?
• Erase or overwrite data on a computer
• Spread other viruses or install a backdoor. In this case the Trojan horse is called a 'dropper'.
• Set up networks of zombie computers in order to launch DDoS attacks or send spam.
• Log keystrokes to steal information such as passwords and credit card numbers (known as a key logger)
• Phish for bank or other account details, which can be used for criminal activities.
• Or simply destroy data
• Mail the password file.

39. How can you be infected?
• Websites: You can be infected by visiting a rogue website. Internet Explorer is most often targeted by makers of Trojans and other pests. Even using a secure web browser, such as Mozilla's Firefox, if Java is enabled, your computer has the potential of receiving a Trojan horse.
• Instant message: Many get infected through files sent through various messengers. This is due to an extreme lack of security in some instant messengers, such as AOL's instant messenger.
• E-mail: Attachments on e-mail messages may contain Trojans. Trojan horses via SMTP.

40. Sample Delivery
• The attacker will attach the Trojan to an e-mail with an enticing header.
• The Trojan horse is typically a Windows executable program file, and must have an executable file extension such as .exe, .com, .scr, .bat, or .pif. Since Windows is configured by default to hide extensions from a user, the Trojan horse's extension might be "masked" by giving it a name such as 'Readme.txt.exe'. With file extensions hidden, the user would only see 'Readme.txt' and could mistake it for a harmless text file.
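Slides 17 and 40 together give a mail gateway its rule: block the listed executable extensions, and do not be fooled when one hides behind a decoy such as 'Readme.txt.exe'. The following is an added example, not from the slides, that classifies attachment names that way; the decoy-extension list is constructed, and the detail string reports what Explorer would display with extensions hidden so an analyst sees the masking at once.

```python
# Executable extensions the slides name as risky (slide 17) or as Trojan carriers (slide 40).
RISKY_EXTENSIONS = {"exe", "pif", "bat", "vbs", "com", "scr"}
# Harmless-looking inner extensions used to mask the real one (constructed list).
DECOY_EXTENSIONS = {"txt", "doc", "pdf", "jpg", "png"}


def classify_attachment(filename):
    """Classify one attachment name the way a mail gateway would.

    Returns (verdict, detail): 'block' for a risky executable extension,
    'block-masked' when that extension sits behind a decoy one, else 'allow'.
    """
    # Windows silently drops trailing spaces and dots when it saves a file, so
    # normalise them first or "virus.exe ." would slip past a naive check.
    cleaned = filename.strip().rstrip(". ")
    parts = cleaned.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return ("allow", "no extension")
    final = parts[-1]
    if final not in RISKY_EXTENSIONS:
        return ("allow", "extension ." + final)
    if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
        displayed = cleaned.rsplit(".", 1)[0]   # what the user sees with extensions hidden
        return ("block-masked", "shown as '%s' with extensions hidden" % displayed)
    return ("block", "executable extension ." + final)


def screen_attachments(filenames):
    """Return (name, verdict, detail) for every attachment that must not be delivered."""
    blocked = []
    for name in filenames:
        verdict, detail = classify_attachment(name)
        if verdict != "allow":
            blocked.append((name, verdict, detail))
    return blocked
```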
  • 41. Where  They  Live  ?  (1)   •  Autostart  Folder   The  Autostart  folder  is  located  in  C:WindowsStart  MenuPrograms startup  and  as  its  name  suggests,  automaAcally  starts  everything  placed   there.     •  Win.ini   Windows  system  file  using  load=Trojan.exe  and  run=Trojan.exe  to  execute   the  Trojan     •  System.ini   Using  Shell=Explorer.exe  trojan.exe  results  in  execuAon  of  every  file  aEer   Explorer.exe     •  Wininit.ini   Setup-­‐Programs  use  it  mostly;  once  run,  it's  being  auto-­‐deleted,  which  is   very  handy  for  Trojans  to  restart     41!
  • 42. Where  They  Live  ?  (2)   •  Winstart.bat   AcAng  as  a  normal  bat  file  trojan  is  added  as  @trojan.exe  to  hide  its   execuAon  from  the  user     •  Autoexec.bat   It's  a  DOS  auto-­‐starAng  file  and  it's  used  as  auto-­‐starAng  method  like  this  -­‐>   c:Trojan.exe     •  Config.sys   Could  also  be  used  as  an  auto-­‐starAng  method  for  Trojans     •  Explorer  Startup   Is  an  auto-­‐starAng  method  for  Windows95,  98,  ME,  XP  and  if  c: explorer.exe  exists,  it  will  be  started  instead  of  the  usual  c:Windows Explorer.exe,  which  is  the  common  path  to  the  file.   42!
  • 43. What  the  aNacker  wants?   •  Credit  Card  InformaAon  (oEen  used  for  domain     registraAon,  shopping  with  your  credit  card)     •  Any   accounAng   data   (E-­‐mail   passwords,   Login   passwords,   Web  Services  passwords,  etc.)     •  Email  Addresses  (Might  be  used  for  spamming,  as  explained   above)       •  Work   Projects   (Steal   your   presentaAons   and   work   related   papers)         •  School  work  (steal  your  papers  and  publish  them  with  his/ her  name  on  it)   43!
  • 44. Stopping  the  Trojan  …   The  Horse  must  be  “invited  in”  ….   How  does  it  get  in?   By:   Downloading  a  file   Installing  a  program   Opening  an  aNachment   Opening  bogus  Web  pages   Copying  a  file  from  someone  else   44!
  • 45. Zombie   •  The   program   which   secretly   takes   over   another   networked   computer     and   force   it   to   run   under   a   common  command  and  control  infrastructure.   •  Uses  it  to  indirectly  launch  aNacks,  e.g.,  DDoS,  phishing,   spamming,  cracking     •  Difficult  to  trace  zombie’s  creator)   •  Infected  computers  —  mostly  Windows  machines  —  are   now  the  major  delivery  method  of  spam.   •  Zombies  have  been  used  extensively  to  send  e-­‐mail   spam;  between  50%  to  80%  of  all  spam  worldwide  is  now   sent  by  zombie  computers.     45!
  • 46. Adware   46!
  • 47. Scareware  /  Rouge/   Fake  anAvirus   47!
• 48. Where malware lives: Auto start
  • Folder auto-start
  • Win.ini: "run=[backdoor]" or "load=[backdoor]"
  • System.ini: shell="myexplorer.exe"
  • Autoexec.bat
  • Config.sys
  • Init.d
• 49. Auto start
  • Assign a known extension (.doc) to the malware
  • Add a Registry key such as HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Add a task in the task scheduler
  • Run as a service
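An audit of the auto-start locations named on slides 42, 48 and 49, added here as an example and not taken from the slides: it parses constructed win.ini, system.ini and a .reg export of the HKCU Run key and lists the entries a defender should review. The trusted directory list, the sample files and the path of the "Updater" value are assumptions made for the sample.

```python
"""Audit of classic Windows auto-start locations (added example, not from the slides).
Parses constructed win.ini, system.ini and a .reg export of the HKCU Run key and flags
run=/load= entries, a shell= other than explorer.exe, and Run values outside trusted dirs."""
import configparser
import re

# Assumed directories from which auto-started binaries are normally launched.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files")
RUN_KEY = r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]"

def _read_ini(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def audit_ini(win_ini: str, system_ini: str) -> list:
    """Flag run=/load= in win.ini [windows] and a non-default shell= in system.ini [boot]."""
    findings = []
    win = _read_ini(win_ini)
    for key in ("run", "load"):
        val = win.get("windows", key, fallback="").strip()
        if val:  # both keys are empty on a clean system
            findings.append(f"win.ini {key}={val}")
    shell = _read_ini(system_ini).get("boot", "shell", fallback="explorer.exe").strip().strip('"')
    if shell.lower() != "explorer.exe":
        findings.append(f"system.ini shell={shell}")
    return findings

def audit_run_key(reg_export: str) -> list:
    """Flag Run values whose command is outside TRUSTED_DIRS (.reg doubles backslashes)."""
    findings, in_run = [], False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):  # a new key starts; is it the Run key?
            in_run = line.lower() == RUN_KEY.lower()
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if in_run and m:
            cmd = m.group(2).replace("\\\\", "\\")
            if not cmd.strip().strip('"').lower().startswith(TRUSTED_DIRS):
                findings.append(f"Run\\{m.group(1)}={cmd}")
    return findings

# Constructed sample files: a clean win.ini has empty run= and load= entries.
WIN_INI = "[windows]\nload=\nrun=c:\\temp\\svchost.exe\n"
SYSTEM_INI = "[boot]\nshell=myexplorer.exe\n"
REG_EXPORT = ("Windows Registry Editor Version 5.00\n\n" + RUN_KEY + "\n"
              '"OneDrive"="C:\\\\Program Files\\\\OneDrive\\\\OneDrive.exe"\n'
              '"Updater"="C:\\\\Users\\\\Public\\\\update.exe"\n')
```

On a real host the same functions would be fed the contents of C:\Windows\win.ini, C:\Windows\system.ini and a `reg export` of the Run key; the directory whitelist is only a first filter and every flagged entry still needs a human look.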
• 50. Web
  — 1.3% of the incoming search queries to Google returned at least one malware site
  — Visit sites with an army of browsers in VMs, check for changes to the local system
  — Indicate potentially harmful sites in search results
• 53. Email
• 55. P2P files
  • 35.5% malware
• 56. Typical symptoms
  • File deletion
  • File corruption
  • Visual effects
  • Pop-ups
  • Computer crashes
  • Slow connection
  • Spam relaying
• 57. Distributed Denial of Service
  • A denial-of-service attack is an attack that causes a loss of service to users, typically the loss of network connectivity.
  • Resources attacked: CPU, memory, network connectivity, network bandwidth, battery energy
  • Hard to address, especially in distributed form
• 58. DDoS Mechanism
  • Goal: make a service unusable.
  • How: overload a server, router or network link by flooding it with useless traffic
  • Focus: bandwidth attacks, using large numbers of "zombies"
• 59. How it works?
  • The flood of incoming messages to the target system essentially forces it to shut down, thereby denying the system's service to legitimate users.
  • Victim's IP address
  • Victim's port number
  • Attacking packet size
  • Attacking inter-packet delay
  • Duration of attack
• 60. Example 1
  • Ping-of-death
    – An IP packet with a size larger than 65,536 bytes is illegal by standard
    – Many operating systems did not know what to do when they received an oversized packet, so they froze, crashed or rebooted.
    – Routers forward each packet independently.
    – Routers don't know about connections.
    – Complexity is in end hosts; routers are simple.
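A check for the ping-of-death condition, added as an example that is not from the slides: it parses constructed IPv4 fragment headers and rejects any fragment whose offset plus payload would end past the 65,535-byte datagram limit of RFC 791, which is what a reassembly buffer sized for a legal datagram cannot hold. The header builder and the TEST-NET addresses are constructed for the sample.

```python
"""Oversized-fragment check for IPv4 reassembly (added example, not from the slides).
RFC 791 caps a datagram at 65,535 bytes; the ping-of-death sends fragments whose
offset plus length exceeds that, so the check runs on each fragment before reassembly."""
import struct

MAX_DATAGRAM = 65535

def parse_ipv4_header(hdr: bytes) -> dict:
    """Extract the fragmentation fields from a minimal 20-byte IPv4 header."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, _proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "id": ident,
        "more_fragments": bool(flags_frag & 0x2000),   # MF flag
        "offset": (flags_frag & 0x1FFF) * 8,           # offset field is in 8-byte units
        "payload_len": total_len - ihl,
    }

def fragment_is_oversized(frag: dict) -> bool:
    """True when this fragment would end beyond the largest legal datagram."""
    return frag["offset"] + frag["payload_len"] > MAX_DATAGRAM

def build_fragment(ident: int, offset_units: int, payload_len: int, more: bool) -> bytes:
    """Constructed header builder for the sample below (checksum left as zero)."""
    flags_frag = (0x2000 if more else 0) | (offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                       64, 1, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

def check_fragments(headers: list) -> list:
    """Return (id, offset) for every fragment that must be dropped before reassembly."""
    bad = []
    for hdr in headers:
        frag = parse_ipv4_header(hdr)
        if fragment_is_oversized(frag):
            bad.append((frag["id"], frag["offset"]))
    return bad

# Constructed sample: datagram 1 is a legal 65,535-byte echo request split over 1500-byte
# links; datagram 2's last fragment (offset 8189 * 8 = 65,512) carries 1480 more bytes.
SAMPLE_FRAGMENTS = [
    build_fragment(1, 0, 1480, True),
    build_fragment(1, 8180, 95, False),
    build_fragment(2, 8189, 1480, False),
]
```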
• 62. Example 2
  • TCP handshake
  • SYN Flood
    – A stream of TCP SYN packets directed to a listening TCP port at the victim
    – The victim host must allocate new data structures for each SYN request
    – Legitimate connections are denied while the victim machine is waiting to complete bogus "half-open" connections
    – Not a bandwidth consumption attack
  • IP Spoofing
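A small model of the half-open state exhaustion described on the slide, added as an example that is not from the slides: a listen queue with a fixed backlog and SYN timeout, a constructed flood of spoofed SYNs that never complete the handshake, and one legitimate client whose SYN is then refused even though the link is nowhere near saturated. The backlog size, timeout and TEST-NET addresses are assumptions.

```python
"""Listen queue under a SYN flood (added example, not from the slides).
Each SYN holds a half-open slot until the client's final ACK or a timeout;
spoofed SYNs never complete, so a modest flood exhausts the backlog."""
from dataclasses import dataclass, field


@dataclass
class ListenQueue:
    backlog: int         # maximum simultaneous half-open connections
    syn_timeout: float   # seconds a half-open entry survives without an ACK
    half_open: dict = field(default_factory=dict)  # peer -> SYN arrival time
    dropped: int = 0
    established: int = 0

    def _expire(self, now: float) -> None:
        """Discard half-open entries whose handshake never completed in time."""
        stale = [p for p, t in self.half_open.items() if now - t >= self.syn_timeout]
        for peer in stale:
            del self.half_open[peer]

    def on_syn(self, now: float, peer: tuple) -> bool:
        """True if the SYN got a slot (the server would answer with SYN/ACK)."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return False
        self.half_open[peer] = now
        return True

    def on_ack(self, now: float, peer: tuple) -> bool:
        """Final ACK of the handshake: promote the half-open entry to established."""
        self._expire(now)
        if peer not in self.half_open:
            return False
        del self.half_open[peer]
        self.established += 1
        return True


def flood_then_legit(backlog: int, syn_timeout: float, flood_syns: int, flood_seconds: float) -> dict:
    """Spread flood_syns spoofed SYNs over flood_seconds, then try one real client."""
    q = ListenQueue(backlog, syn_timeout)
    for i in range(flood_syns):
        # Constructed spoofed sources (TEST-NET-2): they never see the SYN/ACK, so never ACK.
        q.on_syn(i * flood_seconds / flood_syns, (f"198.51.100.{i % 254 + 1}", 40000 + i))
    legit = ("192.0.2.10", 51515)  # constructed legitimate client
    accepted = q.on_syn(flood_seconds, legit) and q.on_ack(flood_seconds + 0.05, legit)
    return {"legit_accepted": accepted, "dropped": q.dropped, "half_open": len(q.half_open)}
```

With a backlog of 128 and a 30-second timeout, 1000 spoofed SYNs in one second are enough to refuse the legitimate client, while 50 are not; shortening the timeout or using SYN cookies (keeping no state until the ACK arrives) is what makes the queue recover.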
• 64. From DoS to DDoS
• 65. From DoS to DDoS
• 67. DDoS Countermeasures
  • Three broad lines of defense:
    1. attack prevention & preemption (before)
    2. attack detection & filtering (during)
    3. attack source traceback & identification (after)