
Malicious Software

Malicious software like backdoors, logic bombs, Trojan horses, and zombies secretly compromise systems. Viruses and worms self-replicate to spread payloads like data destruction. Defenses include prevention, detection with signatures and behavior monitoring, and traceback after attacks. Distributed denial of service floods targets to disrupt access through compromised zombie networks, challenging evolving countermeasures.

Uploaded by jyoti sakre

Chapter 19: Malicious Software

Fourth Edition
by William Stallings

Lecture slides by Lawrie Brown
(Modified by Prof. M. Singhal, U of Kentucky)
Malicious Software
Backdoor or Trapdoor
• secret entry point into a program
• allows those who know of it to gain access, bypassing
the usual security procedures
• have been commonly used by developers for debugging
and testing
• a threat when left in production programs, where they
can be exploited by attackers
• very hard to block at the O/S level; controls must focus on
program development and software update practices
Logic Bomb
• one of the oldest types of malicious software
• code embedded in a legitimate program
• activated when specified conditions are met
– e.g., presence/absence of some file
– a particular date/time
– a particular user
• when triggered, typically damages the system
– modify/delete files/disks, halt machine, etc.
Trojan Horse
• program with hidden side-effects
• which is usually superficially attractive
– e.g., a game, a s/w upgrade, etc.
• when run, performs some additional tasks
– allows the attacker to indirectly gain access they do not
have directly
• often used to propagate a virus/worm or install a
backdoor
• or simply to destroy data
• e.g., mail the password file to the attacker
Zombie
• program which secretly takes over another
networked computer
• then uses it to indirectly launch attacks
(difficult to trace back to the zombie's creator)
• often used to launch distributed denial of
service (DDoS) attacks
• exploits known flaws in network systems to install itself
Viruses
• a piece of self-replicating code attached to
some other code
• attaches itself to another program and
executes secretly when the host program
is executed
• propagates itself & carries a payload
– carries code to make copies of itself
– as well as code to perform some covert task
Virus Operation
• virus phases:
– dormant – idle, waiting on a trigger event
– propagation – replicating to other programs/disks
– triggering – activated by an event to execute the payload
– execution – of the payload
• details usually machine/OS specific
– exploiting features/weaknesses of the platform
Virus Structure
program V :=
{goto main;
  1234567;
  subroutine infect-executable :=
    {loop:
      file := get-random-executable-file;
      if (first-line-of-file = 1234567) then goto loop
      else prepend V to file; }
  subroutine do-damage := {whatever damage is to be done}
  subroutine trigger-pulled := {return true if condition holds}
main: main-program := {infect-executable;
  if trigger-pulled then do-damage;
  goto next;}
next:
}
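The pseudocode above is easier to reason about when you can run it. The following is an added example (not from the slides or from Stallings' text) that simulates that structure on in-memory "executables" held in a dict, so it touches no real files: the marker 1234567 is checked on the first line, V is prepended to an uninfected victim, and the payload fires when the trigger condition holds. The program names, the trigger rule (every third execution) and the "damage" counter are constructed for the demonstration; one deliberate difference from the pseudocode is that the infect loop picks only among uninfected files, so the simulation terminates instead of spinning once everything is infected.

```python
"""Simulation of the textbook virus structure on in-memory byte strings.
Added example with constructed data; it does not touch the file system."""
import random

MARKER = b"1234567\n"                    # the infection marker from the pseudocode
VIRUS_BODY = MARKER + b"<virus code>\n"  # what gets prepended to a victim (stands in for V)


def is_infected(contents):
    """Equivalent of `first-line-of-file = 1234567`."""
    return contents.startswith(MARKER)


def infect_executable(files, rng):
    """Pick a random executable that is not yet infected and prepend V to it.
    Returns the victim's name, or None when every file already carries the
    marker (the pseudocode's `goto loop` would spin forever at that point)."""
    candidates = [name for name, body in files.items() if not is_infected(body)]
    if not candidates:
        return None
    victim = rng.choice(candidates)
    files[victim] = VIRUS_BODY + files[victim]   # prepend V; original code is kept intact
    return victim


def trigger_pulled(total_runs):
    """Constructed trigger condition: the payload fires on every third execution."""
    return total_runs % 3 == 0


def run_program(name, files, state, rng):
    """Execute `name`. If it carries V, V's main runs first (infect, maybe
    do-damage) and then falls through (`goto next`) to the original program."""
    state["runs"] += 1
    if is_infected(files[name]):
        newly = infect_executable(files, rng)
        if trigger_pulled(state["runs"]):
            state["damage"] += 1        # stands in for do-damage
        return newly
    return None


def simulate(n_programs=6, n_runs=30, seed=7):
    """Seed one program with V, run random programs, report the spread."""
    rng = random.Random(seed)
    files = {f"prog{i}.exe": f"<original code of prog{i}>\n".encode()
             for i in range(n_programs)}
    files["prog0.exe"] = VIRUS_BODY + files["prog0.exe"]   # patient zero
    state = {"runs": 0, "damage": 0}
    for _ in range(n_runs):
        run_program(rng.choice(sorted(files)), files, state, rng)
    infected = sorted(name for name, body in files.items() if is_infected(body))
    return infected, state["damage"], files


if __name__ == "__main__":
    infected, damage, _ = simulate()
    print(f"infected after 30 runs: {infected}; payload fired {damage} times")
```

Note that the marker check is what keeps V from infecting the same file twice; it is also exactly the kind of constant byte pattern that a first-generation signature scanner keys on.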
Types of Viruses
can classify on the basis of how they attack
• parasitic virus
– attaches itself to executable files and replicates
• memory-resident virus
– lodges in main memory and infects every
program that executes
• boot sector virus
– infects a boot record and spreads when the
system is booted from the disk
Types of Viruses…
• stealth virus
– designed to hide itself from antivirus software
• polymorphic virus
– mutates with every infection (e.g., by re-encrypting
its body under a new key), so no fixed byte pattern
matches every copy, making detection very difficult
• metamorphic virus
– also mutates with every infection, but rewrites itself
completely each time, making it extremely
difficult to detect
Email Virus
• spread using email with an attachment
containing a macro virus
• triggered when the user opens the attachment
• or worse, even when the mail is merely viewed, using
scripting features in the mail agent
• hence propagates very quickly
• usually targeted at the Microsoft Outlook mail
agent & Word/Excel documents
Worms
• a replicating but not infecting program
(does not attach itself to a host program)
• typically spreads over a network
– Morris Internet Worm in 1988
• using users' distributed privileges or exploiting
system vulnerabilities
• worms perform unwanted functions
• widely used by hackers to create zombie PCs,
subsequently used for further attacks, esp. DoS
• major issue is the lack of security of permanently
connected systems, esp. PCs
Worm Operation
• a worm has phases like those of a virus:
– dormant
– propagation
• search for other systems to infect
• establish a connection to the target remote system
• replicate self onto the remote system
– triggering
– execution
Morris Worm
• best known classic worm
• released by Robert Morris in 1988
• targeted Unix systems
• using several propagation techniques
– simple password cracking of the local password file
– exploiting a buffer-overflow bug in the finger daemon
– exploiting the debug trapdoor in the sendmail daemon
• if any attack succeeded, it replicated itself onto the target
Virus Countermeasures
• the best countermeasure is prevention
(do not allow a virus to get into the system in
the first place)
• but in general this is not achievable
• hence need to do one or more of:
– detection – of viruses in an infected system
– identification – of the specific infecting virus
– removal – restoring the system to a clean state
Anti-Virus Software
• first-generation
– scanner uses a virus signature to identify the virus
– or a change in the length of programs
• second-generation
– uses heuristic rules to spot viral infection
– or uses a crypto hash of each program to spot changes
• third-generation
– memory-resident programs identify a virus by its actions
• fourth-generation
– packages with a variety of antivirus techniques
– e.g., scanning & activity traps, access controls
• the arms race continues
Digital Immune System
Behavior-Blocking Software
• integrated with the host O/S
• monitors program behavior in real-time
– e.g., file access, disk format, executable mods,
system settings changes, network access
• for possibly malicious actions
– if detected, can block, terminate, or ask the user for approval
• has an advantage over scanners: needs no signature,
so can stop previously unseen malware
• but the malicious code runs before detection, so some
of its actions may already have taken effect
Distributed Denial of Service
Attacks (DDoS)
• Distributed Denial of Service (DDoS)
attacks form a significant security threat
• making networked systems unavailable
• by flooding them with useless traffic
• using large numbers of “zombies”
• growing sophistication of attacks
• defense technologies struggling to cope
Distributed Denial of Service
Attacks (DDoS)
DDoS Countermeasures
• three broad lines of defense:
1. attack prevention & preemption (before the attack)
2. attack detection & filtering (during the attack)
3. attack source traceback & identification
(after the attack)
• huge range of attack possibilities
• hence countermeasures must keep evolving
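The "during" line of defense, detection & filtering, is the one a network operator can script. The following is an added example, not from the slides, that runs over a constructed flow log of (second, source IP, TCP flag) records: three legitimate clients complete handshakes (SYN then ACK) throughout, and twenty zombies each send six SYNs per second with no ACK during a four-second window, the classic half-open SYN flood from a zombie network. Detection is an aggregate SYN-rate threshold per one-second window; filtering adds to a blocklist every source that sent several SYNs and no ACK inside an alerting window. The thresholds and addresses are assumptions for the demonstration, not baselines from the slides.

```python
"""SYN-flood detection and source filtering over a constructed flow log (added example)."""
from collections import defaultdict

SYN_ALERT_THRESHOLD = 50   # assumed site baseline: SYNs per 1-second window that is "too many"
HALF_OPEN_MIN = 5          # SYNs with no ACK from one source in a window before it is filtered


def make_traffic():
    """Constructed flow log: (second, src_ip, tcp_flag)."""
    log = []
    legit = [f"198.51.100.{i}" for i in range(1, 4)]      # documentation range, legitimate clients
    zombies = [f"192.0.2.{i}" for i in range(1, 21)]      # documentation range, zombie network
    for t in range(10):
        for ip in legit:                                  # one full handshake per second each
            log.append((t, ip, "SYN"))
            log.append((t, ip, "ACK"))
        if 5 <= t <= 8:                                   # flood window
            for ip in zombies:
                log.extend((t, ip, "SYN") for _ in range(6))
    return log


def analyse(log):
    """Return (alerts, blocklist): alerts are (second, total SYNs) for windows
    over threshold; blocklist is the sources filtered during those windows."""
    per_window = defaultdict(lambda: defaultdict(lambda: {"SYN": 0, "ACK": 0}))
    for t, src, flag in log:
        per_window[t][src][flag] += 1
    alerts, blocklist = [], set()
    for t in sorted(per_window):
        total_syn = sum(c["SYN"] for c in per_window[t].values())
        if total_syn <= SYN_ALERT_THRESHOLD:
            continue                                      # normal load, no filtering
        alerts.append((t, total_syn))
        for src, c in per_window[t].items():
            if c["SYN"] >= HALF_OPEN_MIN and c["ACK"] == 0:   # SYNs never completed
                blocklist.add(src)
    return alerts, blocklist


def apply_filter(log, blocklist):
    """Drop records from blocklisted sources; returns (kept records, number dropped)."""
    kept = [rec for rec in log if rec[1] not in blocklist]
    return kept, len(log) - len(kept)


if __name__ == "__main__":
    log = make_traffic()
    alerts, blocklist = analyse(log)
    kept, dropped = apply_filter(log, blocklist)
    print(f"alerts: {alerts}")
    print(f"filtered {len(blocklist)} sources, dropped {dropped} of {len(log)} records")
```

The per-source rule works here because each zombie reuses its real address; a flood with spoofed sources would pass the aggregate detector but defeat the blocklist, which is why the slide's third line of defense, traceback to the true sources, and upstream rate limiting still matter.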
Summary
• have considered:
– various malicious programs
– trapdoor, logic bomb, trojan horse, zombie
– viruses
– worms
– countermeasures
– distributed denial of service attacks