Viruses

Kamalika Bhattacharjee
Asst. Prof., Dept. of CSE, NITT
Malware
● A broad category that includes rootkits, illicit servers, viruses, worms or a combination of all of
these is better known as malicious code.
● An important aspect of malware infections is to define the target or objective of the attacker.
○ If the target is a single host, then as single attack that provides a backdoor access is all
that is needed.
○ If the target is of a larger scale, then the attacker must cast a wider net of exploits that
are persistent and over time until enough of the victims are collected. Then, these hosts
act as Zombies that do what the attacker commands them to do.
○ The reasoning behind robot networks, better known as botnets is to ether steal
information or to set up a distribution network for other malware or pirated materials.
The Structure of Malicious Code
1. Infection Phase:

● A weakness in the system is sought out and then exploited.

● The exploit may come in the form of buffer overflows or single logic errors in which attackers
understand the sequence of expected steps better than the application developer(s).
● Attacker can then inject code into a running process.
○ A direct virus can infect their hosts by executing as stand-alone applications.
○ Logic Bombs can wait for an event to trigger the executable.
○ Terminate and Stay Resident (TSR) programs execute at various stages even after the
initial host application has been closed.

A logic bomb is a malicious code that activates on the trigger of an event such as a date and time or keystroke combination.
The Structure of Malicious Code
2. Spreading Phase:
● Depends on the objective
● If a virus is looking to drop code or breach data integrity, it will spread through file shares,
portable storage, email and boot sectors.
● Worms usually are typical with denial of service objectives and can spread using network
protocols with the end user having to trigger them.
3. Attack Phase:
● Modern malicious codes incorporate several types of payloads.
● A dropper is a code that leaves behind other malicious code that completes the gaining
access while maintaining an access loop.
● They can also use encryption and morphing techniques that allow them to evade detection
algorithms.
Infection Characteristics
● reside in RAM and replicate itself as a matter of a host application performing normal
activities.
● leave RAM and then copy itself to a secondary storage while waiting for another event to
call it back out of its dormancy.
● copy itself into the boot sector of a file or setup an auto-start from a removable media.
● transform itself though polymorphic means
● alter its host to avoid changing the file size or affecting detection criteria.
● encrypt the files it is targeting and hold them for ransom.
● slightly "break" a host causing unexpected events such as changing screen resolution,
turning the display upside down or cause "kernel panics", otherwise known as the "Blue
Screen Of Death" in Windows. This mimics common driver compatibility issues.
Infection Characteristics
● redirect the input/output (I/O) stream of an operating system function in order to avoid
detection.
● trigger events within its own code and make system calls. If the code is installed with a
rootkit, it can even hide completely from the operating system kernel.
● use the I/O processes that both involve memory access and network access to spread. They
can also access features of an operating system to access resource shares and directories to
facilitate their propagation.
● have a nuclear feature that will allow a remote attacker to ask their host victims to
self-destruct themselves because it is one way to cover the attacker's tracks
Types of Virus
● Hoax Virus - Triggers false alarms and causes hysteria. These viruses can be as
damaging as the genuine article. This virus is a good social engineering trick that can also
attack the reputation of the product as people will still consider it a hoax after it has been
proven differently.

● MBR (Master Boot Record) Virus - A boot sector virus will overwrite the boot sector
code and completely control the system during boot-up. It will then copy itself into
memory and will infect the boot sector of any other secondary storage media that is
inserted. This virus' intent is to damage the system at the next time it is restarted.

● Cavity Virus - A Cavity Virus is a file infecter that seeks out vulnerable programs (binary
executables) and modifies them to host the malicious code. Cavity viruses target critical
system files that were never expected to change and were not scanned.

● Multipartite Virus - This virus can use multiple means to infect systems.

The bootable volume on a HDD, USB or Floppy contain a small program located on the first available sector, (Cylinder 0, Head
0, Sector 1). It loads enough code into the memory to give the processor the instructions as to what to do.
Types of Virus
● Network Virus - This virus spreads itself through protocols that communicate across the
network and target file shares and email.

● Source Code Virus - Scripts that are downloaded from the Internet may have malicious code
inserted by either the original author or someone else that wants to intentionally compromise
the script. The spreading comes from advertising and sharing the code.

● File Infector Virus - Executables and data files are often targets of the file infector. Office
documents are often targets as they are most likely to be emailed or copied.

● Macro Virus - The common social engineering technique that helps spread the infected files
is to rename the file extension in order to hide the fact that it is a script.

● Metamorphic Virus - This type of virus has the capability of re-writing itself.
Types of Virus
● Polymorpic Virus - This virus can change its appearance to avoid detection by the anti-virus
scanner. They can change themselves with encryption. It is not possible to detect a
polymorphic virus directly using signature analysis, the decryption engine can be detected.

● Stealth Virus - These viruses copy themselves to temporary locations leaving the infected
files to appear clean when they are scanned and can do this while hiding themselves from the
anti-virus counter-measures.

● Tunneling Virus - This virus hides itself from anti-virus applications by intercepting the
interrupt handlers of the operating system making sure the scanner never knows it is there.

● Camouflage Virus - This virus pretends to be a genuine application while masquerading as

having characteristics the anti-virus scanner is looking for in terms of what is deemed
allowable code.
Virus Detection Techniques
● Commercial and free-ware anti-virus scanners
○ How often new signatures updates are published?
○ Will the interface be intrusive to the user?
○ Does the software uninstall correctly and completely if there is a decision to remove it?
■ Viruses, worms, malware, Trojans and PUPs are all different classes of risks and
various products handle each class differently. You can find an all-in-one solution,
but expect to pay for it. As an alternative, there are also free software products out
there that can handle these classes separately.
● Host and Network Based Intrusion Detection Systems (IDS)
● Dissemblers and Debuggers
○ allow the analyst to take a byte-by-byte look at every instruction and step an application
takes when it executes
○ Used in reverse engineering
Trojan Horses
● A program that appears to perform desirable and necessary functions but also performs other
functions that the end user does not know about and most probably doesn't need is known as a
Trojan Horse.
● Defined by the SANS Institute as “a computer program that appears to have a useful function, but
also has a hidden and potentially malicious function”.
● Trojan horses require user intervention in order to perform their malicious or unauthorized activities;
in fact, a primary purpose of Trojan horses is to trick the user into executing the program or opening
the file containing the Trojan horse.
● Trojan horses are contrasted with viruses and worms in that Trojan horses do not replicate
●
● Usually has two parts, the client and the server.
○ The victim host will act as a server that provides data such as keylogging files, screenshots or
packet captures.
○ This data is sent back to the to a client that is being controlled by an attacker.
● One of the many means to deliver a malicious code payload to the target host
Types of Trojan Horses
● Remote Access Trojans
● Installs an illicit server with enough features to allow the attacker complete control of the
system.
● Creates a backdoor – “a feature built into a program by its designer, which allows them
to gain full or partial access to your system”
● Since the compromised host is acting as a server, the attacker must connect to it via a
client. Firewalls might prevent this.
● This leave two options: Find a port the firewall will pass and configure the server to
listen to that port or to get behind the firewall and run the client from there.
● Data Sending Trojans - Collects data about usage of the system and then send it back to
the attacker.
● Destructive Trojans - Destroy files on the system. It might also target system files such as
.dll or .ini files. It might go after data files like office documents. These Trojans may also
activate a Logic Bomb.
Types of Trojan Horses
● Denial of Service Trojans - Requires a cooperative effort from other infected hosts to attack
a single target with excessive traffic. By doing so, enough traffic is used that drains the
available bandwidth.

● Proxy Trojans - Make requests on behalf of a client. They are used to initiate new
connections to the target. Attackers also use a proxy server to hid the point of origin of the
real attack.

● FTP Trojans - Are ideal for transfers of large files.

● Security Software Disablers - Target anti-malware tools and personal firewalls.

● Document Trojans - Malware is delivered as attachments in office documents, emails, web

pages or media files. The attacker takes advantage of the tendency that users have to update
their operating systems but not the applications used every day.
Infection Vectors
● Instant Messenger Applications - Are used commonly for social engineering attacks. If a
contact masquerades or if the user opens their IM to accept invitations for strangers, the
acceptance of download opens them to risks.

● IRC (Internet Relay Chat) - This protocol, a Direct Client to Client (DCC) can be used to
transfer files over IRC. The acceptance of downloads leads to risks.

● Physical Access - Using this type of media, users can easily transfer risks from one
computer to another. USBs can be configured to auto run and can launch attacking tools
automatically to an unsuspecting system.

● Browser Drive-By's - Since many home users operate their systems as administrator, they
are unknowing opening themselves up to security risks. If the browser has an unpatched
vulnerability and they visit a malicious site, the exploit will have administrator rights when it
runs.
Infection Vectors
● Peer to Peer, Bit Torrent, File Sharing and Usenet
● Email Attachments
● File Sharing - Some peer to peer or older domains have the default hidden file share for the
root of a system drive available to every group with writable permissions. The attacker simply
uploads a script to the share file and then sets it to start whenever the machine is rebooted.
● Fake Programs - Since placing Google Ads on a website allows the site to be placed higher
in the search rankings, some attackers may use ads that users might click to run their
malicious code. It is possible to place a Trojan Horse into the bogus ad that will launch after it
has been downloaded to a victim's computer.
● Free Stuff - Users looking for hardware drivers, clip art, music files, screensavers, etc. can
find themselves downloading malicious code along with their "free stuff."
● Once the malicious has been accepted, it must be launched without the attacker having to
interact with the target. The first access is usually not the best way to sustain control of the
target host so a backdoor that will allow the attacker in will be installed.
Illicit Server Process Overview
● The attacker finds a server generator on the Internet and downloads it.

● Attacker uses this tool to configure the settings and capabilities of the server and compile it.

● The malicious server is then "wrapped" into another program that will seem like a legitimate
file. This creates the Trojan.

● The attacker then spreads the Trojan, whether targeted to one individual or to randomly
spread across hundreds or thousands of targets.

● The infected machines announce their presence by connecting to a chat room, sending an
email or an instant message. On an inside job, the attacker might scan for targets.

● The attacker uses the client portion of the illicit server to connect to infected targets or
communicates with them through the chat rooms or instant messages.

● At this point the attacker has taken control and is only limited by what the illicit server can do.
Worms
What Constitutes a Worm?

● Malicious Code: as “programs that are intentionally designed to perform some unauthorized (and
often harmful or undesirable) act,” and worms are typically considered to be one category of
malicious code.
● Network Propagation: Worms actively propagate over a network; a worm attacks another computer
directly over some network interface.
● Human Intervention: Worms are sometimes thought of as requiring little or no human assistance in
order to spread, whereas a virus traditionally has required user intervention to spread from one
machine to another
● Standalone or File-Infecting: As per F-Secure's Virus Glossary, a virus is “a computer program that
replicates by attaching itself to another object” and a worm is “a computer program that replicates
independently by sending itself to other systems”. However, there are many outside the anti-virus
community for whom, any program that replicates over the network could be considered a worm,
regardless of whether it infects files or acts as a standalone program.
Worms
● A worm is malicious code (standalone or file-infecting) that propagates over a network, with or
without human assistance.

● Categories of Worm
○ E-mail (and other client application) worms
○ Windows file sharing worms
○ Traditional worms
Email Worms of Note
Windows File Sharing Worms of Note
Traditional Worms of Note
Common malicious software distribution agents
Other Malware
Spyware:
● Type of Trojan horse malware that is used to collect and compile information about a computer user
or groups of users without their knowledge.
● Used to track computer users’ web browsing histories as well as a type of “adware” that displays
unsolicited pop-up advertisement banners aimed specifically at a computer user based on his or her
web browsing history and cookies.
● Data collected typically include personal information (e.g., Social Security number, driver license
number), financial information, login credentials, and Internet Protocol (IP) addresses.
● Typically, a computer user brings spyware into his or her computer system when he or she installs
free software from the Internet or when he or she visits infected websites
Other Malware
Keylogger
● Trojan horse malware
● Used to collect personal information or data from computer users without their knowledge
● This type of malware logs or saves the keystrokes – including mouse movements – made by a
computer user in a file, and the information is subsequently used to obtain personal information such
as Social Security number, password, etc.
● A news article published in the Wall Street Journal revealed that Facebook and other websites have
been tracking the browsing history of web users. A discovery that Cambridge Analytica, a political
consulting firm, was able to access personal information of millions of Facebook users raised serious
concerns and fueled the debate over users’ privacy.
● In particular, advocates and lawmakers have pushed Facebook to implement a mechanism whereby
nonusers could find out what the company knows about them as well as drafted legislation that
includes provisions requiring users’ consent before data are collected
Other Malware
Botnets
● A botnet is a group of Internet-connected devices, such as a group of computers, with each device
running one or more web robots.
● A web robot, or simply bot, is a software application that runs automated tasks over the Internet.
● The hallmark of a bot is its ability to perform simple, repetitive tasks at a much faster rate than a
human.
● Bots are used for a variety of purposes with the most popular being web spidering, also known as
web crawling, a mechanism that enables Internet search companies such as Google or Yahoo
analyze millions of files on servers throughout the world.
● Bots could also be used as email blockers or filters in situations where a speedy response is
needed.
● Can also be malevolent and destructive when they are deployed by cyber criminals.
● In recent years, they have become a commodity that can be rented or bought.
● Used for malicious purposes such as infecting computer systems, stealing personal data, sending
spam emails, etc.
Other Malware
Botnets
● A botnet of infected computers is usually controlled by a “botmaster” or “bot herder.”
● A botnet could remain dormant for months or years before it is activated or instructed to launch an
attack.
● The developers of botnets do not use their own computers to distribute malware. They use
“remote-controlled bots” or “zombie computers” to carry out the task. “Zombie computers” are
computers that have been compromised by a hacker to perform a malicious task.
● An important and lethal aspect is their ability to execute distributed denial-of-service (DDoS) attacks.
○ A DDoS attack occurs when multiple systems, via the Internet Protocol addresses, submit as many requests as
possible to a single Internet computer or service with the intention of overloading it and preventing it from
servicing legitimate requests.
○ DDoS attacks often result in a complete crash of a website for long periods of time.
○ Strategy of having multiple systems carry out the attack, as opposed to a single system, results in a near
instantaneous flooding of traffic directed at the targeted computer or service.
○ The employment of multiple computer systems also prevents system administrators from tracking, identifying,
and shutting down the infected machines since the incoming traffic originates from many different sources
Other Malware
Rootkits

● Software used to “hide” malware and botnets by masking the fact that a computer’s operating
system has been compromised.
● Allow malware and botnets to “hide” by disguising as files that antivirus software will overlook.
● Known for their ability to provide access to a targeted system through the installation of a backdoor,
so unauthorized users such as hackers could enter and perform their nefarious functions.
● Also known for their stealth or their ability to conceal their existence.
● Designed to take control of a computer system in such a way that even after they appear to have
been removed, they often return when a system is rebooted.
● They are able to delete any trace of their installation after they have invaded a system.
● Since they are difficult to detect and remove, rootkits represent a particularly troublesome form of
malware
Other Malware
Rootkits
● Rootkits could also be written and developed for legitimate and useful functions.
● Originally designed as a tool for computer system administrators to monitor and manage their
systems. Specifically, they served as a backdoor for system administrators to access if necessary.
● The two main types of rootkits are user mode and kernel mode.
○ In the user mode, when a computer user accesses his/her workstation, the malware will provide
its controller backdoor access to the computer application that runs on the user’s account.
○ In the kernel mode, the malware operates inside the network as normal drivers of hardware
(e.g., graphic card, sound card, mouse, etc.)
● Since kernel mode rootkits are executed at the highest access level in a computer’s operating
system and CPU, they require more advanced knowledge and skill and are therefore more difficult to
write and create compared to user mode rootkits
Other Malware
Ransomware
● Designed to prevent computer users from accessing their systems or the content of files or data on their
computer’s hard drive unless they made a payment.
● Developers of ransomware typically use public-key cryptography to create the malware.
● Requires a “ransom” from computer users before they can access their systems, files, or data again.
● When activated, it encrypts the target files or data stored on the local or mapped network drives and then
displays a message informing the user that his or her files/data have been encrypted, and unless a
payment is made by a specified date, the user will lose his or her files/data (i.e., the private key to decrypt
the information will be deleted).
● Malware controller is usually the only person with access to the private key and the key is usually stored on
the malware controller’s server.
● However, it has been reported that even when a ransomware has been made, in some cases, the affected
files or data remained encrypted with the user unable to access them. So, the question of whether victims
of ransomware should pay the ransom or not has been raised and debated.
Other Malware
Scareware
● A type of malware which employs deceptive means to create anxiety, shock, or the perception of a
threat in order to manipulate computer users into buying unwanted software.
● Tricks users into believing that their computer has been infected with a virus and then suggests that
they download and pay for the fake antivirus software to remove it. The fake antivirus software is
packaged such that it resembles legitimate security software in order to deceive consumers.
● One common type of scareware is pop-up advertisement windows or banners that display a text
message stating that the user’s computer may have been infected with a harmful spyware and
immediate removal is required. These pop-ups are designed to look like they come from the user’s
operating system albeit they are actually a webpage.
● The label of “scareware” can also be applied to shocking images, sounds, or video employed by
pranksters to cause public anxiety or panic. For example, in 1991, a malicious software called
NightMare was released, and when the file is run, it changed the entire screen of a computer to an
image of a skull while playing a horrifying shriek on the audio channels.
Other Malware
Drive-by downloads:

● Malware that infects computer systems when users browse or visit websites that have been
infected.
● Can also infect computer systems when users open an email attachment, click on a download
link, or click on a deceptive pop-up window.
● The installation or downloading of the malware usually occurs without the computer user’s
knowledge (i.e., via a virus or spyware), but it could also occur with the authorization of the user
but the user is not aware of the consequences (e.g., when the download also installs an
unknown, malicious program).
● Could also infect vulnerable systems even when the users do not click on a downloading link.
● The codes for this malware are written in such a manner that allows the malware to search for
browser or system vulnerabilities and automatically infect the vulnerable systems.
Other Malware
Drive-by downloads:

● The process commences with the creation of the malicious content that the author of the malware
wishes to distribute.
● Next, the author locates a host for the malicious content.
● The author could host the content on his own server, on a legitimate website that has been
compromised, or on a legitimate website that unknowingly distributes the malicious content through
a third party service (i.e., an advertisement).
● When the malicious content has been loaded onto a computer system, the author or controller of the
malware works on exploiting the vulnerabilities specific to that system.
Intrusion Detection Systems
● [NIST] intrusion as an attempt to compromise CIA, or to bypass the security mechanisms of a computer or
network
● Intrusion detection is the process monitoring the events occurring in a computer system or network, and
analyzing them for signs of intrusions.
● An intrusion detection system (IDS) is a device or software application that monitors a network for malicious
activity or policy violations.
● Any malicious activity or violation is typically reported or collected centrally using a security information and
event management system.
● Some IDSs are capable of responding to detected intrusion upon discovery. These are classified as
intrusion prevention systems (IPS).
● An intrusion detection system acts as an adaptable safeguard technology for system security after
traditional technologies fail.
● Usage:
○ Placed at a strategic point or points within a network to monitor traffic to and from all devices on the network
○ Perform an analysis of passing traffic, and match the traffic that is passed on the subnets to the library of
known attacks
○ Once an attack is identified, or abnormal behaviour is sensed, the alert can be sent to the administrator
IDS Detection Types
● Network intrusion detection systems (NIDS): A system that analyzes incoming network traffic
● Host-based intrusion detection systems (HIDS): A system that monitors important operating system files
● Signature-based:
○ Detects possible threats by looking for specific patterns, such as byte sequences in network traffic, or
known malicious instruction sequences used by malware.
○ The terminology originates from antivirus software, which refers to these detected patterns as
signatures.
○ Although can easily detect known attacks, impossible to detect new attacks, for which no pattern is
available.
● Anomaly-based:
○ designed to detect and adapt to unknown attacks, primarily due to the explosion of malware.
○ This detection method uses machine learning to create a defined model of trustworthy activity, and then
compare new behaviour against this trust model.
○ based on the assumption that an attack on a computer system will be noticeably different from normal
system activity, and an intruder will exhibit a pattern of behaviour different from that of the normal user.
○ While this approach enables the detection of previously unknown attacks, it can suffer from false
positives: previously unknown legitimate activity can accidentally be classified as malicious.
Pros and Cons of Intrusion Detection Methodologies
Approaches to
Anomaly Detection
Approaches to
Misuse Detection
(signature based)
Overview of IDS Taxonomy
Evasion Techniques
● Fragmentation: To send fragmented packets allows attackers to stay under the radar, bypassing the
detection system’s ability to detect the attack signature.
● Avoiding defaults: A port utilized by a protocol does not always provide an indication to the protocol
that’s being transported. If an attacker had reconfigured it to use a different port, the IDS may not be
able to detect the presence of a trojan.
● Coordinated, low-bandwidth attacks: Coordinating a scan among numerous attackers, or even
allocating various ports or hosts to different attackers. This makes it difficult for the IDS to correlate
the captured packets and deduce that a network scan is in progress.
● Address spoofing/proxying: Attackers can obscure the source of the attack by using poorly
secured or incorrectly configured proxy servers to bounce an attack. If the source is spoofed and
bounced by a server, it makes it very difficult to detect.
● Pattern change evasion: IDS rely on pattern matching to detect attacks. By making slight
adjustments to the attack architecture, detection can be avoided.
Intrusion Prevention System
● An automated network security device used to monitor and respond to potential threats.
● Like an intrusion detection system (IDS), an IPS determines possible threats by examining network traffic.
● Because an exploit may be carried out very quickly after an attacker gains access, intrusion prevention
systems administer an automated response to a threat, based on rules established by the network
administrator.
● The main functions of an IPS are to
○ identify suspicious activity,
○ log relevant information,
○ attempt to block the activity, and
○ finally to report it
● IPSs include firewalls, anti-virus software, and anti-spoofing software.
● Organizations can use an IPS for other purposes, such as identifying problems with security policies,
documenting existing threats and deterring individuals from violating security policies
● An intrusion prevention system acts as an adaptable safeguard technology for system security after
traditional technologies.
Intrusion Prevention System
● The ability to prevent intrusions through an automated action, without requiring IT intervention
means lower costs and greater performance flexibility
● An intrusion prevention system works by actively scanning forwarded network traffic for malicious
activities and known attack patterns.
● The IPS engine analyzes the network traffic and continuously compares the bitstream with its
internal signature database for known attack patterns.
● It might drop a packet determined to be malicious, and follow up this action by blocking all future
traffic from the attacker’s IP address or port.
● Legitimate traffic can continue without any perceived disruption in service.
● It can also perform more complicated observation and analysis, such as watching and reacting to
suspicious traffic patterns or packets.
● An IPS will typically record information related to observed events, notify security administrators, and
produce reports.
● To help secure a network, an IPS can automatically receive prevention and security updates in order
to continuously monitor and block emerging Internet threats.
IPS Classification
● Network-based intrusion prevention system (NIPS): Analyzes protocol activity across the entire
network, looking for any untrustworthy traffic.
● Wireless intrusion prevention system (WIPS): Analyzes network protocol activity across the
entire wireless network, looking for any untrustworthy traffic.
● Host-based intrusion prevention system (HIPS): A secondary software package that follows a
single host for malicious activity, and analyzes events occurring within the host.
● Network behaviour analysis (NBA): Examines network traffic to identify threats that generate
strange traffic flows.
○ Most common threats are distributed denial of service attacks, various forms of malware, and
policy abuses. pattern matching to detect attacks.
○ By making slight adjustments to the attack architecture, detection can be avoided.
IPS Detection Methods
● Signature-based detection: Signature-based IDS monitors packets in the network and compares
with predetermined attack patterns, known as “signatures”.
● Statistical anomaly-based detection: An anomaly-based IDS will monitor network traffic and
compare it to expected traffic patterns.
○ The baseline will identify what is “normal” for that network – what sort of packets are generally
through the network and what protocols are used.
○ It may raise a false positive alarm for the legitimate use of bandwidth if the baselines are not
intelligently configured.
● Stateful protocol analysis detection: This method identifies protocol deviations by comparing
observed events with pre-determined activity profiles of normal activity.
Intrusion Countermeasures
Many IPS can also respond to a detected threat by actively preventing it from succeeding. They use several
response techniques, which involve:

● Changing the security environment, for example, by configuring a firewall to increase protections
against previously unknown vulnerabilities.
● Changing the attack’s content, for example, by replacing otherwise malicious parts of an email, like
false links, with warnings about the deleted content.
● Sending automated alarms to system administrators, notifying them of possible security breaches.
● Dropping detected malicious packets.
● Resetting a connection.
● Blocking traffic from the offending IP address
IPS vs IDS

IPS
Host-Based vs Network-Based solutions

network
Firewalls
● Security devices used to stop or mitigate unauthorized access to private networks connected to the
Internet, especially intranets.
● The only traffic allowed on the network is defined via firewall policies – any other traffic attempting to
access the network is blocked.
● Network firewalls sit at the front line of a network, acting as a communications liaison between
internal and external devices.
● Can be configured so that any data entering or exiting the network has to pass through it.
● Accomplishes this by examining each incoming message and rejecting those that fail to meet the
defined security criteria.
● When properly configured, a firewall allows users to access any of the resources they need while
simultaneously keeping out unwanted users, hackers, viruses, worms or other malicious programs
trying to access the protected network.
● In addition, a firewall can log all traffic coming into or leaving a network, and manage remote access
to a private network through secure authentication certificates and logins.
Firewall Schematics
● Usually comprises two packet filtering routers creating a restricted access
network called the DMZ (demilitarized zone).
● DMZ is an area or sub-network between the inside and outside networks that
is partially protected.
● DMZ acts as a buffer between the internal (trusted) and external (untrusted)
networks. This configuration attempts to satisfy a number of goals:
○ Protect hosts on the internal (inside) network from attacks from the
outside
○ Allow machines located in the DMZ to be accessed from the outside
and thus be able to provide services to the outside world or serve as
stepping stones linking hosts from the internal network to the hosts in
the outside world
○ Enforce an organization wide security policy, which may include
restrictions unrelated to security, for example, access to certain
websites during office hours
● One or more gateway machines may be located in the DMZ.
● Outside filter protects the gateway from attack, while the inside gateway
guards against the consequences of a compromised gateway
Firewall Schematics
● The positioning of the hosts in the DMZ makes them more vulnerable, which is why they are usually
configured with special attention to their security.
● Such hosts are sometimes referred to as bastion hosts.
● Bastion hosts, while they are general-purpose computers running a general-purpose operating system,
usually have highly specialized configurations allowing them to run only the designated services and
nothing more.
○ minimize the risk that an attacker may use a service unrelated to the function of the machine to gain
a foothold.
● software installed on bastion hosts is a subset of the standard distribution so that a potential intruder will
not be able to use the compromised machine to launch attacks on other machines in the network.
● Administrators must assume that eventually hosts in the DMZ will be compromised and establish recovery
strategies.
○ Strategies may include steps to contain the attack, to gather evidence of the break-in or information
about the attacker, and so on.
○ Regardless of the adopted strategy, the system administrator must be able to restore service on the
compromised machine as soon as possible.
● Detecting and understanding the attacks that take place against hosts in the DMZ or perhaps the internal
network are important aspects of a firewall.
● Intrusion detection systems (IDSs) may also be installed in the DMZ to detect and sometimes respond to
attacks.
Firewalls
● Hardware firewalls:
○ These firewalls are released either as standalone products for corporate use, or more often,
as a built-in component of a router or other networking device.
○ They are considered an essential part of any traditional security system and network
configuration.
○ Almost always come with a minimum of four network ports that allow connections to multiple
systems.
○ For larger networks, a more expansive networking firewall solution is available.
● Software firewalls:
○ These are installed on a computer, or provided by an OS or network device manufacturer.
○ Can be customized, and provide a smaller level of control over functions and protection
features.
○ Can protect a system from standard control and access attempts but have trouble with more
sophisticated network breaches.
Firewall Types
● Application-layer:
○ This is a hardware appliance, software filter, or server plug-in.
○ It layers security mechanisms on top of defined applications, such as FTP servers, and defines
rules for HTTP connections. These rules are built for each application, to help identify and
block attacks to a network.
● Packet Filtering:
○ This filter examines every packet that passes through the network – and then accepts or
denies it as defined by rules set by the user.
○ Packet filtering can be very helpful, but it can be challenging to properly configure.
○ Vulnerable to IP spoofing.
● Circuit-level:
○ This firewall type applies a variety of security mechanisms once a UDP or TCP connection has
been made.
○ Once the connection is established, packets are exchanged directly between hosts without
further oversight or filtering.
Firewall Types
● Proxy Server: This version will check all messages that enter or leave a network, and then hide the
real network addresses from any external inspection.
● Next-Generation (NGFW):
○ These work by filtering traffic moving through a network – the filtering is determined by the
applications or traffic types and the ports they are assigned to.
○ These features comprise a blend of a standard firewall with additional functionality, to help with
greater, more self-sufficient network inspection.
● Stateful Firewalls:
○ Sometimes referred to as third-generation firewall technology, stateful filtering accomplishes two
things: traffic classification based on the destination port, and packet tracking of every interaction
between internal connections.
○ These newer technologies increase usability and assist in expanding access control granularity –
interactions are no longer defined by port and protocol.
○ A packet’s history in the state table is also measured.
Firewall Limitations
● A firewall is by its nature perimeter defence, and not geared to combating the enemy within, and
consequently no useful countermeasure against a user who abuses authorised access to the
domain.
● Due to the increasing line speeds and the more computationally intensive protocols that a firewall
must support, firewalls tend to become congestion points.
● This gap between processing and networking speeds is likely to increase, at least for the
foreseeable future: While computers (and hence firewalls) are becoming faster (following Moore’s
law), protocols and the tremendous increase in the amount of data that must be processed by the
firewall have been and will likely continue to outpace Moore’s law
● The increasing scale of modern networks typically implies a large number of attachments to the
Internet for performance, fault tolerance, and other reasons. Firewalls need to be deployed on all
these links, greatly increasing the management problem.
● A firewall is no real defence against malicious code problems like viruses and Trojan horses,
although some are capable of scanning the code for telltale signs.
● Configuring packet-filtering rules tends to be complicated process in the course of which errors can
easily occur, leading to holes in the defence.
Firewall Limitations
● Testing the configured rules tends to be a lengthy and difficult process due to the shortcomings of
current testing tools.
● Normal packet-filtering routers cannot enforce some security policies simply because the necessary
information is not available to them.
● End-to-end encryption can also be a threat to firewalls, as it prevents them from looking at the
packet fields necessary to do filtering.
● Allowing end-to-end encryption through a firewall implies considerable trust to the users on behalf of
the administrators.
● There are protocols that firewalls find relatively difficult to handle because they involve multiple,
seemingly independent packet flows. One example is FTP, where a control connection is initiated by
the client to the server but (at least in some configurations) data connections are initiated by the
server to the client. Although modern firewalls can and do handle these protocols, such solutions are
viewed as architecturally “unclean” and in some cases too invasive.
● Finally, there is an increasing need for finer grained (and even application-specific) access control
which standard firewalls cannot readily accommodate without greatly increasing their complexity and
processing requirements.
Adaptive Firewalls
● The new trend is towards adaptive firewalls that tie filters, circuit gateways and proxies together in
series.
● This gives the firewall administrator greater control over the level of security used for different
services or at different points in the use of those services.
○ He may, for example, configure the firewall to give priority to speed of transfer at the expense
of security when this is appropriate.
○ The firewall will then on such occasions reduce security to a lower level, thus allowing for
greater speed of transfer, and return it to its original level on completion of the transfer.
● Provides fluid, self-adapting control of network access, a key to establishing an effective network
security policy by examining every packet (and adapting rules "on-the-fly" based on information in
the packet) passing through the network interface.
Cloud Firewalls
● Software-based, cloud-deployed network devices, built to stop or mitigate unwanted access to
private networks.
● A new technology designed for modern business needs and sit within online application
environments.

● Benefits
○ Scalability:
■ Because deployment is much simpler, organizations can adjust the size of their security
solution without the frustrations inherent with on-site installation, maintenance and upgrading.
■ As bandwidth increases, cloud firewalls can automatically adjust to maintain parity. For
example, distributed denial-of-service (DDoS) attacks can be mitigated without having to worry
about bandwidth limits.
Cloud Firewalls
● Benefits
○ Availability:
■ Cloud firewall providers account for the built-in cost of high availability by supporting
infrastructure.
■ Guaranteeing redundant power, HVAC, and network services, and automating backup
strategies in the event of a site failure.
■ This availability is hard to match with on-premises firewall solutions because of the cost and
support required.
■ Necessary updates can be implemented immediately, without the need for large system
downloads or updates.
○ Extensibility:
■ Can be reached and installed anywhere an organization can provide a protected network
communication path.
■ With an on-premises device, this extensibility is limited by the available resources of the
organization looking for a firewall solution.
○
Cloud Firewalls
● Benefits
○ Migration Security:
■ Capable of filtering traffic from a variety of sources: Internet, between virtual networks,
between tenants, or even a virtual data centre.
■ Capable of guaranteeing security of connections made between physical data centres and
cloud.
■ Beneficial for organizations looking for a means of migrating current solutions from an
on-prem location to a cloud-based infrastructure.
○ Secure Access Parity:
■ Provide the same level of secure access as on-prem firewalls.
■ This means advanced access policy, connection management, and filtering between
clients and the cloud. This also extends to encrypted content.
○ Identity Protection: can integrate with access control providers and give users granular control
over filtering tools.
○ Performance Management: provide tools for controlling performance, visibility, usage,
configuration, and logging – all things normally associated with an on-prem solution.
Cloud Firewall Types
● SaaS Firewalls:
○ Designed to secure an organization’s network and its users, not unlike a traditional
on-premises hardware or software firewall.
○ Only difference is that it is deployed off-site from the cloud. This type of firewall can be called:
■ Software-as-a-service firewall (SaaS firewall)
■ Security-as-a-service (SECaaS)
■ Firewall-as-a-service (FWaaS)
● Next-Generation Firewalls:
○ They are cloud-based services intended to deploy within a virtual data centre.
○ Protect an organization’s own servers in a platform-as-a-service (PaaS) or
infrastructure-as-a-service (IaaS) model.
○ The firewall application exists on a virtual server and secures incoming and outgoing traffic
between cloud-based applications.
Honeypots
● Honeynet is a system designed to attract troublemakers lurking about on the Internet.
● Honeynets are a creation of the IT security world intended to draw the attention of hackers, identify
the tools in their toolkit, and learn their modus operandi.
● Decoy systems or servers deployed alongside production systems within a network.
● When deployed as enticing targets for attackers, honeypots can add security monitoring
opportunities for blue teams and misdirect the adversary from their true target.
● it is a system or resource that is left open and available to the public so that it might entice a user
with malicious intent. This resource can then be monitored to learn things, such as the tools used to
gain access to the resource and the tools used after the resource is compromised.
● Come in a variety of complexities depending on the needs of the organization and can be a
significant line of defence when it comes to flagging attacks early.
● Offer plenty of security benefits to organizations that choose to implement them, including
○ break the attacker kill chain and slow attackers down.
○ straightforward and low-maintenance.
○ help to test the incident response processes.
Honeypot Types
● Pure honeypot:
○ A full-scale, completely production-mimicking system that runs on various servers.
○ Contains “confidential” data and user information and is full of sensors.
○ Though these can be complex and difficult to maintain, the information they provide is
invaluable.
● High-interaction honeypot:
○ Similar to a pure honeypot in that it runs a lot of services, but it is not as complex and does not
hold as much data.
○ Not meant to mimic a full-scale production system, but they do run (or appear to run) all the
services that a production system would run, including a proper operating system.
○ Allows the deploying organization to see attacker behaviours and techniques.
○ resource-intensive and come with maintenance challenges, but the findings can be worth the
squeeze.
Honeypot Types
● Mid-interaction honeypot:
○ Emulate aspects of the application layer but do not have their own operating system.
○ work to stall or confuse attackers so that organizations have more time to figure out how to
properly react to an attack.
● Low-interaction honeypot:
○ This is the most commonly deployed in a production environment.
○ Run a handful of services and serve as an early warning detection mechanism.
○ easy to deploy and maintain, with many security teams deploying multiple honeypots across
different segments of their network.
Honeypot Technologies
● Malware honeypots:
○ These use known replication and attack vectors to detect malware.
○ For example, honeypots (e.g., Ghost) have been crafted to emulate as a USB storage device. If a
machine is infected by malware that spreads via USB, the honeypot will trick the malware to infect the
emulated device.
● Spam honeypots:
○ These are used to emulate open mail relays and open proxies.
○ Spammers will test the open mail relay by sending themselves an email first. If they succeed, they then
send out large quantities of spam.
○ can detect and recognize this test and successfully block the massive volume of spam that follows.
● Database honeypot: Activities such as SQL injections can often go undetected by firewalls, so some
organizations will use a database firewall, which can provide honeypot support to create decoy databases.
● Client honeypots:
○ Most honeypots are servers listening for connections.
○ Client honeypots actively seek out malicious servers that attack clients, monitoring for suspicious and
unexpected modifications to the honeypot.
○ generally run on virtualization technology and have a containment strategy to minimize risk.
Honeynets
● A honeynet is a more complicated arrangement of a honeypot, using one or more honeypots within an entire
network that is set up for the sole purpose of monitoring a hacker’s activities.
● Rather than being a single system, a honeynet is a network placed behind a reverse firewall
● This network is then protected by a honeywall, which acts as a firewall to protect the outside world from
attacks emanating from within the honeynet.
● Strategically track methods and motives of an attacker while containing all inbound and outbound traffic.
● A popular tool for use in studying hacker mentality and methodology.
○ Flexibility – The lack of production services allows for easier maintenance and alteration of system
services.
○ Availability of data – Many production systems are limited in the data that can be produced due to
privacy policies. Honeynets have no such restrictions.
○ Performance – Recording additional data will often require additional network components.
○ Purity of data – A honeynet is not used for production and thus all traffic in and out of the honeynet is
suspicious. Production traffic or logging does not need to be filtered from a honeynet’s logs.
Distributed Denial of Service (DDoS)
● A Distributed Denial of Service (DDoS) attack uses many computers to
launch a coordinated DoS attack against one or more targets.
● Using client/server technology, the perpetrator is able to multiply the
effectiveness of the Denial of Service significantly by harnessing the
resources of multiple unwitting accomplice computers which serve as
attack platforms.
● Typically a DDoS master program is installed on one computer using a
stolen account. The master program, at a designated time, then
communicates to any number of ”agent” programs, installed on
computers anywhere on the Internet.
● In a typical DDoS attack, the attacker subverts a number of servers on
the Internet by exploiting well-known security flaws.
● These compromised servers become the slaves of the attacker by the
● The agents, when they receive the
installation of flooding tools for the real attack.
command, initiate the attack.
● The attacker sends control traffic to his compromised slaves that
● Using client/server technology, the
instructs them to generate high volume traffic toward the victim,
master program can initiate
typically with a faked source address to prevent backtracing to the
hundreds or even thousands of
slaves (that might be used in another attack)
agent programs within seconds.
A Honeypot for DDoS

Weiler, Nathalie. "Honeypots for distributed denial-of-service attacks." Proceedings. Eleventh IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises. IEEE, 2002.
A Honeypot for DDoS

Tracing of the Attacker

Weiler, Nathalie. "Honeypots for distributed denial-of-service attacks." Proceedings. Eleventh IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises. IEEE, 2002.