
IS & F Lecture 7 8 9 10 - MaliciousSoftware & Security Attacks

This document discusses different types of malicious software including viruses, Trojan horses, worms, and hoaxes. It describes how viruses can be categorized based on their behavior and method of spreading. Viruses are classified as boot sector viruses, file viruses, polymorphic viruses, stealth viruses, and more. Trojan horses and worms are also defined. The document provides information on detecting and preventing malicious software infections.

Uploaded by

Sadiholic

Information Security & Forensics
Lecture # 7: Malicious Software: Viruses and their categories
What is Malicious Software:
- Software deliberately designed to harm computer systems.
- A malicious software program causes undesired actions in information systems.
- Spreads from one system to another through:
1. E-mail (through attachments)
2. Infected floppy disks
3. Downloading / exchanging of corrupted files
4. Embedded into computer games
Malicious Software - Categories

Malicious Software (category diagram):
- Top level: Viruses, Rabbit, Hoaxes, Trojan Horse, Spyware, Trapdoor, Worms
- Sub-categories shown: Boot Viruses, File Viruses, Time Bomb, Logic Bomb


Types of Malicious Software
• Virus : A program that spreads to other software in the system, i.e., a program that incorporates copies of itself into other programs.

Two major categories of viruses:
1. Boot sector virus : infects the boot sector of systems, becomes resident, and activates while booting the machine.
2. File virus : infects program files and activates when the program is run.
Categories of Viruses

• Polymorphic Virus
- Produces modified & fully operational code.
- Produces new & different code every time the virus is copied & transmitted to a new host.
- Difficult to detect & remove.

• Stealth Virus
- Hides the modifications it has made to files or to the disk.
- Reports false values to programs as they read files or data from storage media.

• Armored Virus
- Programming tricks make tracing and understanding the code difficult.
- Complex programming methods used to design the code, so it is difficult to repair an infected file.

• Companion Virus
- Creates a new program instead of modifying an existing program.
- Contains all virus code.
- Executed by the shell, instead of the original program.

• Rabbit : This malicious software replicates itself without limits. Depletes some or all of the system's resources.
- Re-attacks the infected systems – difficult recovery.
- Exhausts all the system's resources such as CPU time, memory, disk space.
- Depletion of resources thus denies users access to those resources.

• Hoaxes : False alerts of spreading viruses.
- e.g., sending chain letters.
- The message seems to be important to the recipient, who forwards it to other users – it becomes a chain.
- Exchanging a large number of messages (in a chain) floods the network resources – bandwidth wastage.
- Blocks the systems on the network – access denied due to heavy network traffic.
Information Security & Forensics
Lecture # 8: Trojan Horses, Worms and some other precautions about viruses

• Trojan Horse : This is a malicious program with unexpected additional functionality. It includes harmful features of which the user is not aware.
- Performs a different function than what it is advertised to do (some malicious action, e.g., stealing passwords).
- Neither self-replicating nor self-propagating.
- User assistance required for infection.
- Infects when the user installs and executes infected programs.
- Some types of Trojan horses include Remote Access Trojans (RAT), KeyLoggers, Password-Stealers (PSW), and logic bombs.
- Transmitting medium :
1. spam or e-mail
2. a downloaded file
3. a disk from a trusted source
4. a legitimate program with the Trojan inside.
- The Trojan looks for your personal information and sends it to the Trojan writer (hacker). It can also allow the hacker to take full control of your system.
- Different types of Trojan Horses :
1. The remote access Trojan takes full control of your system and passes it to the hacker.
2. The data-sending Trojan sends data back to the hacker by means of e-mail, e.g., key-loggers, which log and transmit each keystroke.
3. The destructive Trojan has only one purpose: to destroy and delete files. Unlikely to be detected by anti-virus software.
4. The denial-of-service (DoS) attack Trojan combines the computing power of all computers/systems it infects to launch an attack on another computer system. It floods the system with traffic, hence it crashes.
5. The proxy Trojan allows a hacker to turn the user's computer into HIS (Host Integration Server) server – to make purchases with stolen credit cards and run other organized criminal enterprises in the particular user's name.
6. The FTP Trojan opens port 21 (the port for FTP transfer) and lets the attacker connect to your computer using File Transfer Protocol (FTP).
7. The security software disabler Trojan is designed to stop or kill security programs such as anti-virus software, firewalls, etc., without you knowing it.

• Spyware :
- Spyware programs explore the files in an information system.
- The information is forwarded to an address specified in the spyware.
- Spyware can also be used for investigation of software users or preparation of an attack.

• Trapdoor : Secret undocumented entry point to the program.
- An example of such a feature is the so-called back door, which enables intrusion into the target by bypassing user authentication methods.
- A hole in the security of a system deliberately left in place by designers or maintainers.
- A trapdoor allows unauthorized access to the system.
- The only purpose of a trap door is to "bypass" internal controls. It is up to the attacker to determine how this circumvention of control can be utilized for his benefit.

Types of Trapdoor
- Undetectable Trapdoor: Virtually undetectable.
- Hardware Trapdoor: Security-related hardware flaws.
• Worms :
- A program that spreads copies of itself through a network.
- Does irrecoverable damage to the computer system.
- Stand-alone program, spreads only through the network.
- Also performs various malicious activities other than spreading itself to different systems, e.g., deleting files.
- Attacks of Worms:
1. Deleting files and other malicious actions on systems.
2. Communicating information back to the attacker, e.g., passwords, other proprietary information.
3. Disrupting normal operation of the system, thus a denial of service (DoS) attack – due to re-infecting an infected system.
4. Worms may carry viruses with them.

Means of spreading Infection by Worms :
• Infects one system, gains access to trusted host lists on the infected system and spreads to other hosts.
• Another method of infection is penetrating a system by guessing passwords.
• By exploiting widely known security holes, in case password guessing and trusted host accessing fail.

e.g., worms which invaded millions of computers through e-mail in year 2000.
VIRUSES – More Description

Desirable properties of Viruses :
- Virus program should be hard to detect by anti-virus software.
- Viruses should be hard to destroy or deactivate.
- Spread infection widely.
- Should be easy to create.
- Be able to re-infect.
- Should be machine / platform independent, so that it can spread on different hosts.
Detecting virus infected files/programs :
- A virus-infected file changes – gets bigger.
- Modification detection by checksum :
  > Use a cryptographic checksum/hash function, e.g., SHA, MD5.
  > Add all 32-bit segments of a file and store the sum (i.e., checksum).
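
The three detection values named above (file size, the additive 32-bit checksum, a cryptographic hash), compared side by side in an added example that is not part of the lecture slides. The function names and sample bytes are constructed for illustration, and SHA-256 is used as the member of the SHA family.

```python
import hashlib
import struct

def sum32(data: bytes) -> int:
    """Additive checksum: add all 32-bit segments, keep the low 32 bits."""
    padded = data + b"\x00" * (-len(data) % 4)      # zero-pad the last segment
    words = struct.unpack(f"<{len(padded) // 4}I", padded)
    return sum(words) & 0xFFFFFFFF

def fingerprint(data: bytes) -> dict:
    """Values recorded for a file while it is known to be clean."""
    return {
        "size": len(data),
        "sum32": sum32(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def changed_fields(baseline: dict, data: bytes) -> list:
    """Names of the recorded values that no longer match the content."""
    now = fingerprint(data)
    return [name for name in baseline if baseline[name] != now[name]]

# Constructed sample content standing in for a clean program file.
CLEAN = b"HDR0" + b"CODE" * 6 + b"DATA" + b"END."
BASELINE = fingerprint(CLEAN)

# Case 1: bytes were appended, so the file "gets bigger".
APPENDED = CLEAN + b"EXTRA-BYTES!"

# Case 2: same size, but two different 32-bit segments are swapped.
# Addition is commutative, so the additive checksum stays the same;
# only the cryptographic hash reports the modification.
REORDERED = CLEAN[:24] + CLEAN[28:32] + CLEAN[24:28] + CLEAN[32:]

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN), ("appended", APPENDED),
                        ("reordered", REORDERED)]:
        print(f"{label:10s} changed: {changed_fields(BASELINE, blob)}")
```

The reordered case is why an integrity baseline should store a cryptographic hash and not rely on size or a simple sum.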
Identifying Viruses :
- A virus is a unique program.
- It has a unique object code.
- It inserts itself in a deterministic manner.
- The pattern of object code and where it is inserted provides a signature to the virus program.
- This virus signature can be used by virus scanners to identify and detect a particular virus.
- Some viruses try to hide or alter their signature:
• Random patterns in meaningless places.
• Self modifying code – metamorphic, polymorphic viruses.
• Encrypt the code, change the key frequently.
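
How a scanner uses "pattern of object code and where it is inserted" as a signature, and why a fixed byte pattern stops matching once the same bytes are stored encoded, shown as an added example that is not part of the lecture slides. The signature names, byte patterns and sample buffers are constructed and harmless; none come from a real virus database.

```python
from typing import NamedTuple, Optional

class Signature(NamedTuple):
    name: str
    pattern: bytes           # byte pattern of the object code
    offset: Optional[int]    # where it is inserted; None means anywhere

# Constructed signatures for illustration only.
SIGNATURES = [
    Signature("Demo.Appender", bytes.fromhex("dec0ad0b5a5a"), None),
    Signature("Demo.HeaderPatch", bytes.fromhex("ebfe9090"), 0),
]

def scan(data: bytes, signatures=SIGNATURES) -> list:
    """Return the names of all signatures that match the buffer."""
    hits = []
    for sig in signatures:
        if sig.offset is None:
            found = sig.pattern in data
        else:
            # Position is part of the signature: match only at that offset.
            found = data.startswith(sig.pattern, sig.offset)
        if found:
            hits.append(sig.name)
    return hits

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, standing in for 'encrypt the code'."""
    return bytes(b ^ key for b in data)

# Constructed sample buffers standing in for program files.
CLEAN = b"\x7fAPP" + b"\x00" * 16 + b"ordinary program body"
APPENDED = CLEAN + SIGNATURES[0].pattern
PATCHED = SIGNATURES[1].pattern + CLEAN[4:]
MISPLACED = CLEAN + SIGNATURES[1].pattern    # right bytes, wrong place
ENCODED = CLEAN + xor_bytes(SIGNATURES[0].pattern, 0x37)

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN), ("appended", APPENDED),
                        ("patched", PATCHED), ("misplaced", MISPLACED),
                        ("encoded", ENCODED)]:
        print(f"{label:10s} -> {scan(blob)}")
```

The encoded buffer produces no hit, which is why the signature database has to be updated frequently and why scanners combine static signatures with other checks such as the integrity checksums described earlier.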
Places where viruses live :
- Boot sector
- Memory resident
- Disk – Applications and data stored on disk.
- Libraries – stored procedures and classes.
- Compiler
- Debugger
- Virus checking program infected by virus – unable to detect that particular virus signature.
Effect of Virus attack on computer system
- Virus may affect user's data in memory – overwriting.
- Virus may affect user's program – overwriting.
- Virus may also overwrite system's data or programs – corrupting it – disrupts normal operation of system.
- "Smashing the Stack" – Buffer overflow due to execution of program directed to virus code.
Preventing infection by malicious software :
- Use only trusted software, not pirated software.
- Test all new software on an isolated computer system.
- Regularly take backups of the programs.
- Use anti-virus software to detect and remove viruses.
- Update the virus database frequently to get new virus signatures.
- Install firewall software, which hampers or prevents the functionality of worms and Trojan horses.
- Make sure that e-mail attachments are secure.
- Do not keep a floppy disk in the drive when starting a program, unless sure that it does not include malicious software, else the virus will be copied into the boot sector.
Information Security & Forensics
Lecture # 9 10: Types of Security Attacks and Network Security Attacks
Security Attack
• any action that compromises the security of
information owned by an organization
• information security is about how to prevent
attacks, or failing that, to detect attacks on
information-based systems
• the terms threat & attack are often used to mean the same thing
• there is a wide range of attacks
• can focus on generic types of attacks
– passive
– active
Passive Attacks
Active Attacks
Network Security Attacks
Other Security Attacks
• Insider abuse of Internet Access
• Laptop or Mobile Theft
• Denial of Service
• Unauthorized Access to Information
• Abuse of Wireless Networks
• System Penetration
• Telecom Fraud
• Theft of proprietary Information
• Financial Fraud
Other Security Attacks
• Misuse of public web applications.
• Website Defacement
• Sabotage
