ETHICAL HACKING AND PENTESTING

MALWARE/WEB

LECTURE 9
What is Malware:

 Software deliberately designed to harm computer

systems.

 Malicious software program causes undesired

actions in information systems.

 Spreads from one system to another through:

 E-mail (through attachments)
 Infected floppy disks
 Downloading / Exchanging of corrupted files
 Embedded into computer games
 Malware Types

• Viruses
• Worms
• Trojans
• Rabbits
• Hoaxes
• Logic Bombs
• Trap doors
 Types of Malicious Software

Virus : These are the programs that spread to other

software in the system .i.e., program that incorporates
copies of itself into other programs. Usually requires a user
interaction

Two major categories of viruses:

1. Boot sector virus
 infect boot sector of systems.
 become resident.
 activate while booting machine
2. File virus :
 infects program files
 activates when program is run.
 Types of Viruses

Polymorphic Virus Stealth Armored Companion

Produces Virus Virus Virus
modified & fully Using various A type of virus
operational code. techniques designed to Creates new
to avoid thwart program instead
Produces new detection. attempts of of modifying
& different code analysis & Existing program.
Complex reverse
every time when
programming engineering
virus is copied &
transmitted to a methods used Executed by
to Reports
new host. shell, instead of
design code, so false values to
original program.
difficult to programs as
Difficult to
repair they read files
detect & remove. infected file. or data from
storage media.
 Rabbit : This malicious software replicates
itself without limits. Depletes some or all the
system’s resources.

 Re-attacks the infected systems – difficult

recovery.

 Exhausts all the system’s resources such as CPU

time, memory, disk space.

 Depletion of resources thus denying user access

to those resources.
Hoaxes : False alerts of spreading viruses.
 e.g., sending chain letters.

 message seems to be important to recipient,

forwards it to other users – becomes a chain.

 Exchanging large number of messages (in chain)

floods the network resources – bandwidth wastage.

 Blocks the systems on network – access denied

due to heavy network traffic.
Trojan Horse : This is a malicious program
with unexpected additional functionality. It includes
harmful features of which the user is not aware.

 Perform a different function than what these are

advertised to do (some malicious action e.g., steal
the passwords).
 Neither self-replicating nor self-propagating.
 User assistance required for infection.
 Infects when user installs and executes infected
programs.
 Some types of trojan horses include Remote
Access Trojans (RAT), KeyLoggers, Password-
Stealers (PSW), and logic bombs.
Transmitting medium :
 spam or e-mail
 a downloaded file
 a disk from a trusted source
 a legitimate program with the Trojan inside.

 Trojan looks for your personal information and sends it to the Trojan writer
(hacker). It can also allow the hacker to take full control of your system.

Different types of Trojan Horses :

1. Remote access Trojan takes full control of your
system and passes it to the hacker.
2. The data-sending Trojan sends data back to the hacker by
means of e-mail.
e.g., Key-loggers – log and transmit each keystroke.
3. The destructive Trojan has only one purpose: to destroy and
delete files. Unlikely to be detected by anti-virus software.
4. The denial-of-service (DOS) attack Trojans combines computing
power of all computers/systems it infects to launch an attack on
another computer system. Floods the system with traffic, hence
it crashes.
5. The FTP Trojan opens port 21 (the port for FTP transfer) and lets
the attacker connect to your computer using File Transfer
Protocol (FTP).
6. The security software disabler Trojan is designed to stop or kill
security programs such as anti-virus software, firewalls, etc.,
without you knowing it.
 Spyware :

 Spyware programs explore the files in an

information system.
 Information forwarded to an address specified in
Spyware.
 Spyware can also be used for investigation of
software users or preparation of an attack.
 Worms :
 program that spreads copies of itself through a network.
 Does irrecoverable damage to the computer system.
 Stand-alone program, spreads only through network.
 Also performs various malicious activities other than spreading itself
to different systems e.g., deleting files.

 Attacks of Worms:
 Deleting files and other malicious actions on systems.
 Communicate information back to attacker e.g., passwords, other
proprietary information.
 Disrupt normal operation of system, thus denial of service attack
(DoS) – due to re-infecting infected system.
 Worms may carry viruses with them.
 Means of spreading Infection by
Worms :

 Infects one system, gain access to trusted host

lists on infected system and spread to other
hosts.

 Another method of infection is penetrating a

system by guessing passwords.

 By exploiting widely known security holes, in

case, password guessing and trusted host
accessing fails.
 VIRUSES – More
Description

Desirable properties of Viruses :

 Virus program should be hard to detect by
anti-virus software.
 Viruses should be hard to destroy or deactivate.
 Spread infection widely.
 Should be easy to create.
 Be able to re-infect.
 Should be machine / platform independent, so
that it can spread on different hosts.
 Detecting virus infected
files/programs :

 Virus infected file changes – gets bigger.

 Modification detection by checksum :

> Use cryptographic checksum/hash
function
e.g., SHA, MD5.
> Add all 32-bit segments of a file and store
the sum
(i.e., checksum).
Examples
 Identifying Viruses :
 A virus is a unique program.
 It inserts in a deterministic manner.
 The pattern of object code and where it is inserted
provides a signature to the virus program.
 This virus signature can be used by virus scanners to
identify and detect a virus.
 Some viruses try to hide or alter their signature:
 Random patterns in meaningless places.
 Self modifying code –polymorphic viruses,
metamorphic
 Encrypt the code, change the key frequently.
 Places where viruses live :

 Boot sector
 Memory resident
 Disk – Applications and data stored on disk.
 Libraries – stored procedures and classes.
 Compiler
 Virus checking program infected by virus – unable
to detect that particular virus signature.
 Effect of Virus attack on computer
system

 Virus may affect user’s data in memory –

overwriting.

 Virus may affect user’s program – overwriting.

 Virus may also overwrite system’s data or

programs – corrupting it – disrupts normal
operation of system.

 “Smashing the Stack” – Buffer overflow due to

execution of program directed to virus code.
 Preventing infection by malicious
software :

 Use only trusted software, not pirated software.

 Test all new software on isolated computer system.
 Regularly take backup of the programs.
 Use anti-virus software to detect and remove viruses.
 Update virus database frequently to get new virus
signatures.
 Install firewall software, which hampers or prevents the
functionality of worms and Trojan horses.
 Make sure that the e-mail attachments are secure.
 Do not keep a floppy disk in the drive when starting a
program, unless sure that it does not include malicious
software, else virus will be copied in the boot sector.
WEB PENTESTING
65

Q&
A