SYSTEM SECURITY full report
SYSTEM SECURITY
Malicious Software

1. Malicious Software:
S/W that is intentionally inserted into a system for a harmful purpose.
2. Virus:
A piece of S/W that can infect other programs by modifying them.
3. Worm:
A program that replicates itself and sends copies from computer to computer across the n/w.
It usually performs some unwanted function.
4. DDoS.
Backdoor (or) Trapdoor:
- A secret entry point into a program.
- Lets an unscrupulous programmer gain access to the program without using the usual security access procedures.
- Commonly used by developers while developing an application with an authentication procedure.
- It is invoked either by a special sequence of code, or triggered by a particular user ID or an unlikely sequence of events.
- Difficult to implement OS controls for it.
- Requires good S/W development & update.
Logic Bomb:
- One of the oldest types of program threat, predating viruses and worms.
- Code embedded in a legitimate program that is set to explode when certain conditions are met.
- Examples:
  - presence/absence of some file
  - particular date/time
  - particular user
- When triggered, typically damages the entire system:
  - modify/delete files/disks, halt machine, etc.
Trojan Horse:
- Program or command procedure containing hidden code that, when invoked, performs an unwanted or harmful function.
- Appears superficially attractive,
  - e.g. game, S/W upgrade etc.
- Accomplishes functions indirectly that an unauthorized user can't accomplish directly.
- Often used to propagate a virus/worm, install a backdoor, or simply destroy data.
Zombie:
- Program which secretly takes over another computer in the n/w, then uses it to indirectly launch attacks.
- Often used to launch distributed denial of service (DDoS) attacks.
- Exploits known flaws in network systems.
- In short, a zombie is a program on an infected machine that is activated to launch attacks on other machines.
Virus:
- A piece of software that can infect other programs by modifying them (self-replicating); the infected programs can go on to infect other programs.
- Makes a fresh copy of itself whenever a new uninfected piece of S/W is found.
- When the host program is run, its replicas infect the system and can perform any function.
- Viruses carry out functions that are specific to a particular OS.
- Example: a virus designed for Windows can't affect Linux, and vice versa.
Virus Operation:
1. Dormant Phase:
Idle state and waiting for an event to activate it.
2. Propagation Phase:
Replicating its copy to other uninfected areas on the disk. Making clones.
3. Triggering Phase:
Activating the host to perform a function it was intended to.
4. Execution Phase:
Function of the virus is performed.
Virus Structure:
    program V :=
    {goto main;
        1234567;
        subroutine infect-executable :=
            {loop:
            file := get-random-executable-file;
            if (first-line-of-file = 1234567)
                then goto loop
                else prepend V to file; }
        subroutine do-damage :=
            {whatever damage is to be done}
        subroutine trigger-pulled :=
            {return true if condition holds}
    main:   main-program :=
            {infect-executable;
            if trigger-pulled then do-damage;
            goto next;}
    next:
    }
Virus Types:
Parasitic virus:
- Attaches itself to executable files and replicates when the infected program is run.
Memory-resident virus:
- Lodges in main memory (MM) as part of the resident system.
- Infects all programs that are executed.
Boot sector virus:
- Spreads when a system is booted from a disk containing the virus.
Stealth:
- Hides itself from detection by antivirus S/W.
Polymorphic virus:
- Mutates with every infection.
- Does not rewrite its code at each iteration.
Metamorphic virus:
- Mutates with every infection.
- Rewrites its code at each iteration, increasing the difficulty of detection.
Macro Viruses:
- Platform independent.
- Usually infect Office files.
- Any OS that supports the document file gets infected.
- Do not affect executable files, only document files.
- Later versions of Office have security features intended to counter macro viruses.
- Common method of spreading is by e-mail.
E-mail Viruses:
- Spread using e-mail with an attachment containing a macro virus.
  - E.g. Melissa
- Sends itself to everyone on the mailing list in the user's e-mail package.
- Triggered when the user opens the attachment or, worse, even when the mail is merely viewed, by using scripting features in the mail agent.
- Hence propagates very quickly.
- Does local damage.
Worms:
- A program that replicates itself and sends copies from computer to computer.
- Needs a human to invoke it.
- Once it is active within a system, the machine serves as an automated launching pad for attacks on other machines.
- Does not infect a program, but could implant a Trojan horse or perform any destructive action that can affect the performance of the system.
Worm operation:
- Dormant
- Propagation:
  - search for other systems to infect
  - establish connection to target remote system
  - replicate self onto remote system
- Triggering
- Execution
Morris Worm:
- Released on the Internet by Robert Morris in 1998.
- Designed for UNIX systems.
- Logs in to a remote host as a legitimate user.
- Cracks the password file.
- Retrieves user IDs and corresponding passwords.
- Exploits a bug to give info about a remote user.
- Exploits a trapdoor to send and receive mail.
- Then attacks the command interpreter.
Virus Countermeasures:
- The only solution is prevention.
- Do not allow a virus to enter the system (which is generally impossible).
Antivirus approach:
- Detection
- Identification
- Removal
Generations of Antivirus S/W:
- First generation: (simple scanners)
  - scanner uses a virus signature to identify the virus
  - or a change in the length of programs
- Second generation: (heuristic scanners)
  - uses heuristic rules to spot viral infection
  - or uses a crypto hash of the program to spot changes
- Third generation: (activity traps)
  - memory-resident programs identify a virus by its actions
- Fourth generation: (full featured protection)
  - packages with a variety of antivirus techniques, including access control capability
  - e.g. scanning & activity traps, access controls
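The first- and second-generation checks listed above, as an added Python example (not part of the original report): a scanner that looks for the `1234567` marker from the Virus Structure pseudocode, compares program length, and compares a SHA-256 hash against a stored baseline. File names, function names and the sample byte strings are hypothetical and constructed for illustration.

```python
import hashlib

# Marker that the page's "Virus Structure" pseudocode puts on the first line of an infected file.
SIGNATURE = b"1234567"

def fingerprint(data):
    """What the scanner records for a known-clean program."""
    return {"length": len(data), "sha256": hashlib.sha256(data).hexdigest()}

def first_gen_scan(name, data, baseline):
    """First generation: known signature, or a change in program length."""
    findings = []
    if data.split(b"\n", 1)[0].strip() == SIGNATURE:
        findings.append("signature")
    known = baseline.get(name)
    if known and known["length"] != len(data):
        findings.append("length-changed")
    return findings

def second_gen_scan(name, data, baseline):
    """Second generation: cryptographic hash of the program differs from the baseline."""
    known = baseline.get(name)
    if known is None:
        return ["no-baseline"]
    if known["sha256"] != hashlib.sha256(data).hexdigest():
        return ["hash-changed"]
    return []

def scan(files, baseline):
    """Run both checks over every file; return only files with findings."""
    report = {}
    for name, data in files.items():
        findings = first_gen_scan(name, data, baseline) + second_gen_scan(name, data, baseline)
        if findings:
            report[name] = findings
    return report

# Constructed, inert sample "programs": plain bytes, nothing is executed.
CLEAN = {"editor.bin": b"HEADER\ncode-A\ncode-B\n",
         "backup.bin": b"HEADER\ncode-C\n",
         "report.bin": b"HEADER\ncode-D\n"}
BASELINE = {name: fingerprint(data) for name, data in CLEAN.items()}

OBSERVED = dict(CLEAN)
OBSERVED["editor.bin"] = b"1234567\n" + CLEAN["editor.bin"]  # marker line prepended
OBSERVED["backup.bin"] = b"HEADER\ncode-X\n"                 # same length, altered content

if __name__ == "__main__":
    for name, findings in scan(OBSERVED, BASELINE).items():
        print(name, findings)
```

The `backup.bin` case keeps its length and carries no known marker, so only the hash comparison flags it; a file with no stored baseline is reported rather than silently passed.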
Advanced Antivirus Techniques:
1. Generic Decryption:
- Enables an antivirus program to detect even the most complex polymorphic viruses.
- Every executable file should be run in the GD scanner, which has a CPU emulator, a virus signature scanner and an emulation control module.
2. Digital Immune System:
- Developed by IBM.
- To solve threats in a network:
  - Integrated mail systems
  - Mobile program systems
3. Behavior Blocking System:
- Integrates with the OS of the host.
- Monitors program behavior.
- Blocks potentially malicious S/W that would harm the system.
- Disadvantage: because the malicious code must run before its behavior can be identified, it can cause a great deal of harm to the system before it is blocked.
Distributed Denial of Service Attacks:
- An attempt to prevent legitimate users from using a service.
- A serious threat over network(s) by a single attacker.
- Consumes the target's resources.
- Based on type of resource consumed:
  - Internal resource attack
  - Attack consuming data transmission resources
- Based on type of attack:
  - Direct DDoS
  - Reflector DDoS
Constructing Attack network:
- Create S/W that would carry out the attack.
- It should be triggered at a particular time.
- Triggering should cause vulnerability in multiple systems.
- Information about the vulnerability should be reported to the attacker.
Selecting the system:
- Random (IP address)
- Hit list (analyzing vulnerable machines and then attacking)
- Topological (finding hosts from an infected machine)
- Local subnet (within the LAN)
DDoS countermeasures:
- Prevention and preemption
  - Before the attack
- Detection and filtering
  - During the attack
- Source trace back and identification
  - During and after the attack