Introduction to Malware
(Module-2)
Course Code: 20B12CS332
Program
Programs are simple things, but they have the power to control anything.
Programs are just strings of 0s and 1s, representing machine commands.
A microprocessor has a small set of basic instructions (move, compare, and so on) from which it can perform many operations to implement all kinds of programs.
Most programs these days are written in high-level languages like C, C++, Java or Python, in which programmers often use libraries to develop complex programs.
With the help of programs we have pacemaker functions, satellite control, smart-home technology, traffic management, digital photography, streaming video, social networking and so on.
Source: Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Terminology in Quality
When a human being makes a mistake, it is called an error.
An error may lead to a fault: an incorrect step, command, process or data definition in a computer program, design or documentation.
A single error can generate many faults, and a fault can reside in any developed product or in a product under maintenance.
A failure is a departure from the system's required behavior.
Terminology in Quality
A failure indicates that the system is not performing as required, even though it may be performing as specified (the specification itself can be wrong).
A fault is the inside view of the system, visible to developers; a failure is the outside view, observable by the user.
Every failure has at least one fault as its root cause.
Not every fault results in a failure.
Security engineers use the words flaw or bug to describe both faults and failures.
Security failures can result from intentional or non-malicious causes; both can cause harm.
Types of Code
Non-Malicious Code:
Buffer Overflow
Incomplete Mediation
Time of Check to Time of Use
Off-by-One Error
Integer Overflow
Unterminated Null-Terminated String
Race Condition
Malicious Code:
Virus
Worms
Trojan Horse
Spyware
Ransomware
Logic Bombs
Phishing
Non-Malicious (Unintentional) Programming
Programs are the basis of computing.
A computer is useless without a program.
In the early days, computer users needed to be programmers too.
Today's computer users are rarely programmers. They use a program without knowing anything about the code that guides its activities.
A program starts executing as soon as the device is turned on, whether it is a mobile phone, a coffee machine or a microwave oven.
Non-Malicious (Unintentional) Programming
Users seldom know whether a program is producing the correct result.
A program may stop abruptly: the software stops responding, text disappears from a document, a CD player skips part of a song, and so on.
In most cases, users blame themselves rather than a discrepancy in the program.
Program flaws can have two security implications:
It can be a fault affecting the correctness of the program's result.
A flaw from a benign cause can be exploited by a malicious attacker.
Either way, program correctness becomes a security issue.
Buffer Overflow
A buffer (or an array) is a space in which data can be stored.
The capacity of a buffer is limited/finite.
In C, suppose a program contains the following declarations and assignments:
int i;
char alphabets[10];
alphabets[10] = 'B';
alphabets[i] = 'N';
Valid subscripts run from 0 to 9, so both assignments can write outside the array. Some compilers warn about the constant subscript 10, but the value of i is only known at run time, so the second overflow cannot be detected by the compiler at all: whatever happens to lie just past the array is overwritten.
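The following is an added example, not code from the textbook or the slides. It places the slide's 10-byte buffer directly in front of a flag the program trusts (a layout constructed for the demonstration) and shows an unchecked subscript corrupting that flag, beside the checked version that the countermeasures call for.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout constructed for the demonstration: the character buffer from the
 * slide sits directly in front of a flag the program trusts. */
struct record {
    char alphabets[10];
    int  authorized;      /* 0 = no, 1 = yes; lives just past the buffer */
};

/* Vulnerable: the index comes from the caller and is never checked, exactly
 * like alphabets[i] = 'N' on the slide. An index >= 10 writes outside the
 * array (undefined behaviour in C; with typical compilers and layouts the
 * byte lands inside 'authorized'). */
void store_char_unchecked(struct record *r, size_t i, char c)
{
    r->alphabets[i] = c;
}

/* Hardened: check before you write. Returns 0 on success, -1 when the
 * index would leave the buffer. */
int store_char_checked(struct record *r, size_t i, char c)
{
    if (i >= sizeof r->alphabets)
        return -1;
    r->alphabets[i] = c;
    return 0;
}

int main(void)
{
    struct record r;
    memset(&r, 0, sizeof r);

    /* Index of the first byte of 'authorized' measured from the buffer. */
    size_t flag_off = offsetof(struct record, authorized);

    store_char_unchecked(&r, flag_off, 1);   /* overflow: reaches the flag */
    printf("after unchecked write: authorized = %d\n", r.authorized);

    memset(&r, 0, sizeof r);
    int rc = store_char_checked(&r, flag_off, 1);
    printf("checked write: rc = %d, authorized = %d\n", rc, r.authorized);
    return 0;
}
```

The unchecked write is undefined behaviour, so its exact effect depends on compiler and platform; the checked version is the one to assert on, and it is the one a reviewer should expect to see wherever a subscript comes from outside the function.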
Harms from an Overflow
Overwriting memory adjacent to the buffer.
Affecting another instruction or variable of the program.
Affecting the OS or a critical application.
Overwriting stack memory, in particular:
Overwriting the program counter (the saved return address), so that the attacker chooses what executes next.
Overwriting part of the code.
Overwriting both the program counter and data.
Simple memory structure for a program
Buffer Overflow
Overflow Countermeasures
Check before you write.
Confirm that array subscripts are within limits.
Double-check boundary conditions.
Monitor input.
Use string utilities that transfer only a bounded amount of data.
Check procedures that might overrun their space.
Limit program privileges, so that an exploited overflow cannot be turned into privilege escalation.
Go for code reviews and independent testing.
Prefer languages and compilers that preclude overflows (bounds-checked languages, or compiler hardening options).
Use a static code analyzer to detect unsafe conditions.
Separate sensitive memory areas (for example, keep code and data apart and mark data pages non-executable).
Use a protective layer such as a stack canary: a value placed between the buffer and the saved return address and checked before the function returns.
Incomplete Mediation
Verifying that a subject is authorized to perform an action on an object is called mediation.
Incomplete mediation occurs when the program accepts incorrect data as input because its checks are missing, partial or bypassable.
Programmers typically ignore bad input, thinking "why would anyone enter wrong input?"
Users make errors from ignorance, misunderstanding and distraction.
Users sometimes mistype data in forms, for example:
Email: pankaj$gmail.com
Phone: 9817A87899
User errors should not cause program failures, and neither should deliberately malformed input.
Incomplete Mediation Example
A customer wants to buy a product online from www.things.com.
He adds the required product to his cart (quantity = 20, cost = 10 per product).
The client's browser generates a URL to access the server, e.g.:
http://www.things.com/order/final&custID=101&part=555A&qty=20&price=10&ship=boat&shipcost=5&total=205
Instead, the customer edits the URL directly, changing the price and the total as follows:
http://www.things.com/order/final&custID=101&part=555A&qty=20&price=1&ship=boat&shipcost=5&total=25
The customer uses the forged URL to access the server.
Because the server trusts the values carried in the URL, it takes 25 as the total cost.
Countermeasures for Incomplete Mediation
Validate all input.
Restrict choices to valid ones (menus and drop-down lists rather than free text).
Guard against users' fingers (typing errors).
Users may also change the content of a URL or hidden form field, so client-side checks alone are never enough.
Complete mediation:
A standard security tool (the reference monitor).
Small and simple enough to give confidence in its correctness.
No bypass allowed.
Always invoked.
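An added example of how the server side of the www.things.com order above should mediate the request (this is illustrative code, not the textbook's): only the part number and quantity are taken from the client, the unit price is looked up in a server-side catalogue (constructed here), and the total is recomputed rather than read from the URL. The catalogue entries and the 1000-unit quantity cap are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Server-side catalogue, constructed for the example. The unit price is
 * looked up here and never taken from the request. */
struct part { const char *id; long unit_price; };
static const struct part catalogue[] = {
    { "555A", 10 },
    { "555B", 25 },
};

/* The forged request from the slide, as the server would receive it. */
static const char forged_request[] =
    "http://www.things.com/order/final&custID=101&part=555A&qty=20"
    "&price=1&ship=boat&shipcost=5&total=25";

static long lookup_price(const char *id)
{
    for (size_t i = 0; i < sizeof catalogue / sizeof catalogue[0]; i++)
        if (strcmp(catalogue[i].id, id) == 0)
            return catalogue[i].unit_price;
    return -1;                               /* unknown part */
}

/* Extract the value of key from "k1=v1&k2=v2..." into out; 0 if found. */
static int query_param(const char *query, const char *key, char *out, size_t cap)
{
    size_t klen = strlen(key);
    const char *p = query;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t seglen = end ? (size_t)(end - p) : strlen(p);
        if (seglen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = seglen - klen - 1;
            if (vlen >= cap) return -1;      /* too long: reject, never truncate */
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 0;
        }
        p = end ? end + 1 : NULL;
    }
    return -1;
}

/* Complete mediation of an order. ship_cost is whatever the server itself
 * charges for the chosen shipping method; the client's price, shipcost and
 * total fields are ignored. Returns the authoritative total, or -1 when
 * the request is rejected. */
long mediate_order(const char *query, long ship_cost)
{
    char part[16], qtybuf[16];
    if (query_param(query, "part", part, sizeof part) != 0) return -1;
    if (query_param(query, "qty", qtybuf, sizeof qtybuf) != 0) return -1;

    char *endp;
    long qty = strtol(qtybuf, &endp, 10);
    if (*endp != '\0' || qty <= 0 || qty > 1000)   /* restrict to valid choices */
        return -1;

    long price = lookup_price(part);
    if (price < 0) return -1;

    return qty * price + ship_cost;
}

int main(void)
{
    printf("client claimed total=25, server computes %ld\n",
           mediate_order(forged_request, 5));
    return 0;
}
```

The check is small, always invoked on the order path and cannot be bypassed by editing the URL, which is what the complete-mediation properties above ask for.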
Time-of-Check to Time-of-Use (TOCTTOU)
A TOCTTOU flaw concerns mediation that leaves a gap between the access check and the actual access.
Every request for access must be mediated by an access policy enforcement agent.
An incomplete mediation problem occurs when access is not checked universally.
Between the access check and the use, the data on which the decision was made must be protected against change.
Time-of-Check to Time-of-Use (TOCTTOU) Example
1. A user makes a request for the action "change byte 4 to A" on "my file".
2. The access control mediator receives the request and reads the file name from it.
3. The mediator looks up the named file and the requested action in its access table.
4. While the mediator is looking up the access rights, the user changes the file name in the request to "your file" and the action to "delete file".
5. The mediator does not re-read the request before approving it, and hands the now-modified request to the file handler, which deletes "your file".
6. This exploitation of the gap between the time the access was checked and the time the result of the check was used is called TOCTTOU.
Countermeasures for TOCTTOU
The access-checking agent must own (take a private copy of) the request data from the moment of the check until the requested action is complete.
No interruption or loss of control should be possible during validation.
The data on which the access control decision is based, and the result of the decision, must be outside the domain of the program whose access is being controlled.
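An added example, not from the textbook, showing the same flaw in its most common real-world form: a program checks a file by name and then opens it by name, and the name can be re-pointed in between. The hardened version applies the countermeasures above by opening first and then checking the object it actually holds, so there is nothing left for an attacker to swap. The scratch directory, file and symlink are a fixture constructed for the demonstration.

```c
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable: the check is made on the name and the use is made on the
 * name, and nothing stops the name from being re-pointed in between. */
int open_if_readable_racy(const char *path)
{
    if (access(path, R_OK) != 0)             /* time of check */
        return -1;
    /* window: an attacker who controls the directory can replace 'path'
     * with a symlink to a file the caller should not be reading */
    return open(path, O_RDONLY);             /* time of use */
}

/* Hardened: open once, then check the object the descriptor refers to.
 * The descriptor cannot be swapped out from under us, and O_NOFOLLOW
 * refuses a symlink in the final path component. */
int open_if_regular_owned(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed fixture: a scratch directory with a regular file and a
 * symlink pointing at it. Returns 0 on success. */
int make_fixture(char *dir, size_t dircap, char *regular, char *link, size_t cap)
{
    snprintf(dir, dircap, "/tmp/tocttou.XXXXXX");
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(regular, cap, "%s/secret.txt", dir);
    snprintf(link, cap, "%s/alias.txt", dir);
    int fd = open(regular, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    if (write(fd, "hello\n", 6) != 6) { close(fd); return -1; }
    close(fd);
    return symlink(regular, link);
}

void remove_fixture(const char *dir, const char *regular, const char *link)
{
    unlink(link);
    unlink(regular);
    rmdir(dir);
}

int main(void)
{
    char dir[64], regular[128], link[128];
    if (make_fixture(dir, sizeof dir, regular, link, sizeof regular) != 0) return 1;
    int a = open_if_readable_racy(link);      /* follows the symlink: succeeds */
    int b = open_if_regular_owned(link);      /* refuses the symlink: -1 */
    int c = open_if_regular_owned(regular);   /* the real file: succeeds */
    printf("racy via symlink: %d, hardened via symlink: %d, hardened direct: %d\n", a, b, c);
    if (a >= 0) close(a);
    if (c >= 0) close(c);
    remove_fixture(dir, regular, link);
    return 0;
}
```

The general rule is the one on the slide: decide on the object you hold (the descriptor), not on the name you were given, and keep the decision and the action together with no window between them.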
Undocumented Access Point
Sometimes a programmer or tester needs a way to reach the internals of a module, e.g.:
The output obtained is not as specified, so the programmer needs to interrogate data values during execution.
The flow of control may be processing inaccurately.
The programmer may need to feed test values into the module.
The programmer may also want a special debug mode to test conditions.
All such situations result in an undocumented entry point or execution mode in the program.
An undocumented access point is called a backdoor or trapdoor.
Such an entry can transfer control to any point, with any privileges the programmer wanted.
If it ships in the product, an attacker who discovers it can use it too, for example to create an account on the compromised system.
Undocumented Access Point Example
The MS Excel 97 spreadsheet program had the following hidden feature:
Open a new worksheet.
Press F5.
Type X97:L97 and press Enter.
Press Tab.
Hold Ctrl-Shift and click the Chart Wizard.
A user who did these steps found that the worksheet disappeared and the screen filled with the image of an airplane cockpit.
Using the arrow keys, the user could fly a simulated plane through space.
With a few more keystrokes, the user's screen seemed to follow down a corridor with panels on the sides.
The panels were inscribed with the names of the developers of that version of Excel.
Protection against Unauthorised Entry
Undocumented entry points are due to poor programming practice.
They are very difficult to protect against, precisely because they are not documented.
Rigorous independent code reviews may provide some level of protection.
Off-by-One Error
It deals with miscalculating, by one, the condition that ends a loop or the size of a container.
Most of the time the programmer overlooks that an array A[0] to A[n] contains n+1 elements (and, conversely, that int A[n] has its last element at A[n-1]).
Example
int A[10];
for (i = 0; i <= 10; i++) ...
The loop runs 11 times, and its last iteration touches A[10], one past the end of the array.
The problem can lead to merging actual data with control data.
Off-by-One Error Example
A programmer has an array of 100 elements which holds the issues not yet addressed by some organization.
The first element of the array (A[0]) contains the total number of unresolved issues.
That leaves 99 slots for issues, so the program executes correctly as long as there are no more than 99 of them.
If the user adds a 100th issue, the write lands one past the end of the array and the program can fail.
Countermeasures for Off-by-One Error
The only control for off-by-one errors is correct programming.
Programmers must ensure that the container is large enough for the amount of data it is asked to hold, and must express the bound in terms of the last valid index rather than the array size.
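An added example (not the textbook's code) of the issue-tracker array from the previous slide. The vulnerable routine compares the count against the array size and forgets that slot 0 is spent on the count itself; the fixed routine states the bound in terms of the last valid index.

```c
#include <stdio.h>

#define ISSUES_CAP 100   /* A[0] holds the count, so A[1..99] can hold at most 99 issues */

/* Vulnerable: the count is tested against the array size, forgetting that
 * slot 0 is taken by the count. When A[0] reaches 99 the test still passes,
 * A[0] becomes 100, and the 100th issue is written to A[100], one past the
 * end of the array. */
int add_issue_off_by_one(int A[ISSUES_CAP], int issue)
{
    if (A[0] >= ISSUES_CAP)
        return -1;
    A[0]++;
    A[A[0]] = issue;      /* writes A[100] on the 100th call */
    return 0;
}

/* Fixed: the container holds ISSUES_CAP - 1 issues, so the last valid
 * index for an issue is ISSUES_CAP - 1 and the count may never exceed it. */
int add_issue(int A[ISSUES_CAP], int issue)
{
    if (A[0] >= ISSUES_CAP - 1)
        return -1;
    A[0]++;
    A[A[0]] = issue;
    return 0;
}

/* Fills an empty tracker with issues 1..n using the fixed routine and
 * returns how many were accepted. */
int fill_tracker(int A[ISSUES_CAP], int n)
{
    A[0] = 0;
    int accepted = 0;
    for (int k = 1; k <= n; k++)
        if (add_issue(A, k) == 0)
            accepted++;
    return accepted;
}

int main(void)
{
    int A[ISSUES_CAP];
    printf("accepted %d of 100 issues\n", fill_tracker(A, 100));
    return 0;
}
```

The same pattern as the `i <= 10` loop on the earlier slide: a bound written as "less than or equal to the size" is wrong whenever the size is not itself a valid index.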
Integer Overflow
Integer overflow occurs when the result of an arithmetic operation is larger than the range of the data type assigned to the variable.
The extra bit does not spill over to affect adjacent data, because the arithmetic is performed in a processor register, not in memory.
Depending on the processor and the language, the overflow may raise a hardware exception or set a fault/carry flag, or the value may silently wrap around (as unsigned arithmetic does in C).
The consequence of integer overflow is a wrong value; this may mean loss of data or, if the value is later used as a size or an index, a buffer overflow.
Integer Overflow Example
With 8-bit unsigned integers, 255 + 1 produces 0, which is incorrect.
If a program uses an 8-bit unsigned integer as a loop counter that is supposed to stop at 256, the stopping condition is never true and the loop executes forever.
Countermeasures for Integer Overflow
Skilled programmers, who check ranges before doing arithmetic on untrusted values.
Compilers (or compiler options and libraries) that detect integer overflow and raise an exception should be used.
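An added example, not from the textbook, covering the 8-bit wrap from the previous slide and then the case a practitioner cares about most: a size computed from an untrusted count wraps, the allocation comes out tiny, and a later copy overflows the heap. The checked allocator refuses the request instead. All values are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* 8-bit unsigned arithmetic wraps modulo 256: 255 + 1 yields 0, as on the
 * slide. Nothing spills into neighbouring memory and no exception is
 * raised; unsigned wrap-around is well defined in C, it is just wrong for
 * the program's purpose. (Signed overflow is undefined behaviour.) */
uint8_t add_u8(uint8_t a, uint8_t b)
{
    return (uint8_t)(a + b);
}

/* Returns 1 when count * elem cannot be represented in a size_t. */
int mul_overflows(size_t count, size_t elem)
{
    return elem != 0 && count > SIZE_MAX / elem;
}

/* Vulnerable: the product wraps silently for a huge count, malloc hands
 * back a small block, and the caller's subsequent copy of 'count'
 * elements becomes a heap buffer overflow. Never called with a huge count
 * here; shown for contrast only. */
void *alloc_array_unchecked(size_t count, size_t elem)
{
    return malloc(count * elem);
}

/* Checked: refuse the request when the size computation would wrap. */
void *alloc_array_checked(size_t count, size_t elem)
{
    if (mul_overflows(count, elem))
        return NULL;
    return malloc(count * elem);
}

int main(void)
{
    printf("255 + 1 as uint8_t = %u\n", add_u8(255, 1));
    /* A loop such as  for (uint8_t i = 0; i < 256; i++)  never ends, because
     * i wraps to 0 after 255; it is deliberately not executed here. */
    size_t huge = SIZE_MAX / 8 + 2;          /* huge * 8 wraps to 8 on 64-bit */
    printf("huge * 8 wraps to %zu bytes\n", huge * 8);
    printf("checked alloc refuses: %s\n",
           alloc_array_checked(huge, 8) == NULL ? "yes" : "no");
    return 0;
}
```

GCC and Clang also offer `__builtin_mul_overflow` for the same check; the division form above is portable C.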
Unterminated Null-Terminated String
General representation of Strings
Unterminated Null-Terminated String
In C, a string is deemed to end where a NULL character (the byte 0) is encountered; the end of the string is denoted by the NULL character rather than by a stored length.
Such a representation can lead to buffer overflows, because the processing program determines the end of the string by searching for the NULL character.
If some erroneous process overwrites the NULL character, the application continues reading memory until it happens to encounter another NULL.
This can mean reading 1, 100, 10,000 or more extra characters, and then copying them into a destination that was sized for the original string.
Parameter Length, Type and Number
Another source of data length errors is the parameters of a procedure, for instance:
Too many parameters.
Wrong output type or size.
Too long a string.
Procedures often have, or allocate, temporary space in which to manipulate parameters.
That temporary space must be large enough for the largest parameter the procedure can legitimately receive, and the procedure must check the length before copying into it.
Unsafe Utility Programs
Programming languages like C provide libraries to help the programmer move or copy strings.
In C, the function strcpy(dest, src) copies a string from source to destination until it encounters a NULL.
This has the potential to overrun the allocated memory of dest, because strcpy is never told how large dest is.
A skilled programmer uses a bounded function instead, such as strncpy(dest, src, max), which copies up to the NULL character or max characters, whichever comes first.
Caveat: if src has max or more characters, strncpy fills dest completely and writes no terminator, producing exactly the unterminated string described earlier; the result must be terminated explicitly.
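An added example, written for this page rather than taken from the textbook, that serves both the unterminated-string slide and the unsafe-utility slide: it shows strncpy leaving a buffer without a terminator when the source does not fit, and a small bounded copy that always terminates and reports truncation. The buffer sizes and sample strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Copies src into dst (capacity cap), always NUL-terminates, and reports
 * truncation. Returns 0 when the whole string fitted, 1 when it was cut. */
int copy_bounded(char *dst, size_t cap, const char *src)
{
    if (cap == 0)
        return 1;
    size_t n = strlen(src);
    if (n >= cap) {
        memcpy(dst, src, cap - 1);
        dst[cap - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);              /* n + 1 includes the terminator */
    return 0;
}

/* Returns 1 if the first cap bytes of buf contain a NUL, i.e. the buffer
 * holds a properly terminated string; 0 if a strlen/strcpy on it would
 * run past the end of the buffer. */
int is_terminated(const char *buf, size_t cap)
{
    return memchr(buf, '\0', cap) != NULL;
}

/* The strncpy trap: when src is at least cap bytes long, strncpy fills dst
 * completely and writes no terminator. Returns is_terminated(dst, cap). */
int strncpy_leaves_terminator(char *dst, size_t cap, const char *src)
{
    strncpy(dst, src, cap);
    return is_terminated(dst, cap);
}

int main(void)
{
    char dst[10];
    const char *longer = "ABCDEFGHIJKL";   /* 12 characters; dst holds 9 plus NUL */

    /* strcpy(dst, longer) would write 13 bytes into a 10-byte buffer: not run. */

    printf("strncpy left a terminator: %d\n",
           strncpy_leaves_terminator(dst, sizeof dst, longer));
    /* strlen(dst) at this point would read past dst until it found a NUL. */

    int trunc = copy_bounded(dst, sizeof dst, longer);
    printf("copy_bounded: truncated=%d dst=\"%s\" len=%zu\n", trunc, dst, strlen(dst));
    return 0;
}
```

Reporting truncation matters as much as terminating: a silently shortened path or user name is a different kind of mediation failure.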
Race Condition
In a race condition, two or more processes (or threads) execute concurrently and the outcome of the computation depends on the order in which their instructions happen to be executed.
A race condition can cause an inconsistent, undesired or wrong outcome, which is a failure of integrity.
With system heterogeneity (OS, device drivers and applications developed by different vendors), the likelihood of race conditions increases.
Race Condition Example
Countermeasures for Race Condition
Race conditions are hard to detect, as the challenge is to set up exactly the necessary conditions of system load and timing.
It is equally hard for an attacker to trigger a race, but if the vulnerability exists, an attacker who can retry many times has a good chance of winning it eventually.
The countermeasure is to make the check and the action a single indivisible step: hold a lock across both, use an atomic primitive, or act on the object already held rather than on its name.
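An added example (not the textbook's) of a check-then-act race on shared data: several threads see that one seat is free and every one of them takes it, so more passengers are assigned than seats exist. The same code run with a mutex held across the check and the update assigns the seat exactly once. The booking record and thread count are constructed for the demonstration; the short sleep only widens the window so the race shows reliably.

```c
#define _DEFAULT_SOURCE 1
#include <pthread.h>
#include <stdio.h>
#include <unistd.h>

/* Shared state constructed for the demonstration: one seat left. */
struct booking {
    int seats_free;
    int assigned;
    int use_lock;
    pthread_mutex_t lock;
};

static void *try_reserve(void *arg)
{
    struct booking *b = arg;
    if (b->use_lock) pthread_mutex_lock(&b->lock);
    if (b->seats_free > 0) {          /* check */
        usleep(1000);                 /* window: other threads check too */
        b->seats_free--;              /* act: without the lock, several get here */
        b->assigned++;
    }
    if (b->use_lock) pthread_mutex_unlock(&b->lock);
    return NULL;
}

/* Runs nthreads (at most 64) racing for a single seat and returns how many
 * passengers ended up assigned. With use_lock the answer is always 1. */
int run_booking(int nthreads, int use_lock)
{
    struct booking b = { .seats_free = 1, .assigned = 0, .use_lock = use_lock };
    pthread_mutex_init(&b.lock, NULL);
    pthread_t th[64];
    if (nthreads > 64) nthreads = 64;
    for (int i = 0; i < nthreads; i++)
        pthread_create(&th[i], NULL, try_reserve, &b);
    for (int i = 0; i < nthreads; i++)
        pthread_join(th[i], NULL);
    pthread_mutex_destroy(&b.lock);
    return b.assigned;
}

int main(void)
{
    printf("unlocked: %d passengers got the last seat\n", run_booking(8, 0));
    printf("locked:   %d passengers got the last seat\n", run_booking(8, 1));
    return 0;
}
```

The unlocked run is a data race, so its count is not something a program can rely on in either direction; that unpredictability is the integrity failure the slide describes.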
Introduction to Malicious Code
Malicious code, rogue program and malware (MALicious softWARE) all mean the same thing.
These are programs planted by an agent with malicious intent to cause unanticipated or undesired effects.
The definition excludes coincidences in which minor flaws in two benign programs combine to produce a negative effect.
Faults found during software testing do not qualify as malicious code.
However, unintentional faults can invoke the same response as intentional malevolence, or have an equally disastrous effect.
Components of Malware
Infection mechanism:
Means by which malware is spread or propagates.
Trigger:
The event or condition that determines when the payload is
activated or delivered.
Payload:
What the malware does besides spreading.
It can involve damage, or benign but noticeable activity.
Categories of Malware on the Basis of Payload
Non-destructive:
The objective is to spread panic.
Hiding the cursor, displaying text or an image on the screen.
Destructive:
The objective is to harm the user.
Corrupting files, deleting files, damaging software, executing commands that cause hardware stress or breakage.
Commercial or criminal intent:
The objective is to raise money or perform an illegal activity.
Collecting credentials or proprietary data, or using the user's system to take part in DoS attacks or send spam e-mail.
Virus
A virus is a program that replicates itself and passes on malicious code to other, non-malicious programs by modifying them.
The term was chosen because it acts like a biological virus.
It infects other healthy programs by attaching itself to them, and either destroys the program or coexists with it.
The infection spreads at a geometric rate, eventually overtaking an entire computing system and spreading to other connected systems.
Types of Virus
Transient Virus
Its life span depends on the life of its host.
It executes when the program to which it is attached executes, and terminates when that program ends.
During its execution it may spread the infection to other programs.
Resident Virus
It locates itself in memory.
It can remain active, or be activated as a stand-alone program, even after the program it was attached to ends.
Phases of a Virus
Dormant Phase:
The virus is idle in this phase.
It will eventually be activated by some event, such as a date.
Not all viruses have this stage.
Propagation Phase:
The virus puts a copy of itself into other programs or into specific system areas on disk.
The copy need not be identical.
The virus can morph to evade detection.
Each copy may itself enter the propagation phase.
Phases of a Virus
Triggering Phase:
The virus is activated to perform its intended function.
Triggering may be due to any system event: a specific date, movement of a file, copying of a file, a disk-full alert, etc.
Execution Phase:
The intended function is performed.
The function can be harmful or harmless.
Harmful functions include exhausting system resources, encrypting files, changing the functionality of software, etc.
Harmless functions include displaying a message on the screen or hiding data/files.
Virus Classification Based on Targets
Boot Sector Infector:
Viruses which infect boot records.
Spreads when a system is booted from a disk containing the virus.
File Infector:
Infects files that the operating system or shell considers to be executable.
Macro Virus:
Infects files containing macro or scripting code that is interpreted by an application.
Multipartite Virus:
Viruses which infect files in multiple ways.
Capable of infecting multiple types of files.
The objective is to escape eradication.
Virus Classification by Concealment Strategy
Encrypted Virus
Stealth Virus
Polymorphic Virus
Metamorphic Virus
Virus Classification by Concealment Strategy
Encrypted Virus:
Viruses which are encrypted to obscure their content.
A portion of the virus generates a random key and encrypts the rest of the virus with it.
This portion is referred to as the mutation engine (or decryptor).
The encryption key is stored in the virus itself.
Whenever the infected program is invoked, the virus decrypts itself with the stored key and runs.
During replication a new key is generated.
Since each copy has a different key, the encrypted body shows no constant pattern to observe; only the small decryptor stays the same, which is what scanners then look for.
Virus Classification by Concealment Strategy
Stealth Virus:
Especially designed to hide itself from detection by anti-virus software.
The entire virus (including the payload) is hidden.
Such viruses can use compression or code mutation techniques to achieve their goal.
Polymorphic Virus:
These viruses, while replicating, create distinctly different bit patterns to defeat anti-virus software.
The signature of the virus varies with each copy.
To achieve this, the virus randomly inserts superfluous instructions or interchanges the order of independent instructions.
The strategy of encrypted viruses may also be used.
The mutation engine alters itself after each use.
Virus Classification by Concealment Strategy
Metamorphic Virus:
It mutates with every infection.
It rewrites itself completely at each iteration.
Multiple transformation techniques are used by such viruses, which makes them difficult to detect.
These viruses may change their behavior as well as their appearance.
Virus Signatures
A virus cannot be completely invisible.
Its code must be stored somewhere and must be in memory to execute.
A virus executes in a specific way, using certain methods to infect or spread.
Each of these characteristics yields a telltale pattern called a signature.
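An added example, not from the textbook, of the simplest form of signature matching: a scanner searches a file image for a fixed byte pattern. It then shows why the encrypted and polymorphic viruses above defeat such a scanner: the same body XORed with a per-copy key no longer contains the pattern, even though it decodes to the identical code. The "body" is a harmless placeholder string constructed for the demonstration, not malware.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns the offset of the first occurrence of sig in buf, or -1. A fixed
 * byte pattern like this is what a simple signature scanner matches. */
long find_signature(const uint8_t *buf, size_t n, const uint8_t *sig, size_t m)
{
    if (m == 0 || n < m)
        return -1;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, sig, m) == 0)
            return (long)i;
    return -1;
}

/* Models an encrypted/polymorphic copy: the body is XORed with a per-copy
 * key, so its bytes differ from copy to copy while the decoded form is
 * unchanged. A signature taken from the plain body no longer matches; a
 * scanner must emulate the decryptor, or match the decryptor stub itself. */
void xor_body(uint8_t *buf, size_t n, uint8_t key)
{
    for (size_t i = 0; i < n; i++)
        buf[i] ^= key;
}

/* Constructed sample: a harmless placeholder "body" and the signature a
 * scanner would extract from it. */
static const uint8_t sample_body[] = "PLACEHOLDER-PAYLOAD-BYTES-FOR-SCANNER-DEMO";
static const uint8_t signature[]   = "PAYLOAD-BYTES";
#define SIG_LEN (sizeof signature - 1)     /* exclude the string's NUL */

/* Returns 1 if the plain copy is caught and the XOR-mutated copy escapes
 * the same signature, which is the evasion the slides describe. A key of
 * 0 leaves the body unchanged, so it returns 0. */
int polymorphic_evades(uint8_t key)
{
    uint8_t file[sizeof sample_body];
    memcpy(file, sample_body, sizeof sample_body);
    long plain = find_signature(file, sizeof file, signature, SIG_LEN);
    xor_body(file, sizeof file, key);
    long mutated = find_signature(file, sizeof file, signature, SIG_LEN);
    return plain >= 0 && mutated < 0;
}

int main(void)
{
    printf("plain copy: signature at offset %ld\n",
           find_signature(sample_body, sizeof sample_body, signature, SIG_LEN));
    printf("XOR-mutated copy evades the signature: %d\n", polymorphic_evades(0x5A));
    return 0;
}
```

Real scanners add emulation and heuristics on top of this, precisely because the byte pattern alone is so easy to break.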
Simple Virus Structure (figure: the original program, and the program after infection with the virus)
Compression Virus Structure (figure: the original program, and the program after infection with a compressing virus)
Integrated Virus Structure (figure)
Macro Viruses
Macros are used to automate repetitive tasks, saving keystrokes.
Macros are also used to support dynamic content, form validation and similar useful tasks associated with documents.
A macro virus infects the scripting code used to support active content in a variety of user document types.
A macro virus is platform independent.
Macro Viruses
It can infect active content in commonly used applications, such as macros in MS Office or scripting code in PDF documents.
Any hardware platform which supports these applications can be infected.
It infects documents, not executable code.
Macro viruses spread easily because the documents they exploit are shared in normal use, e.g. by e-mail.
Countermeasures to Macro Viruses
MS Office products provide increased protection against macro viruses.
MS offers an optional Macro Virus Protection tool which can detect suspicious files and alert the user.
Various anti-virus products have developed tools to detect and remove macro viruses.
Recent PDF viewers, such as Adobe's, include measures to warn users.
Worms
A worm is a program that actively seeks out more machines to infect; each infected machine then serves as an automated launching pad for attacks on other machines.
A worm exploits software vulnerabilities in client or server programs to gain access to new systems.
It spreads copies of itself through a network.
A worm spreads copies of itself as a stand-alone program, without needing a host program.
Worms can also spread through media such as USB drives, CDs and DVDs.
Some Means Used by Worms
Electronic mail or instant messenger: attachments, chat.
File sharing.
Removable media such as USB drives, CDs and DVDs, especially with auto-run enabled.
Remote access: logging in to a remote system and using commands to copy itself there.
Exchange of files.
Remote execution on a connected system.
The propagation phase of a worm differs from that of a virus:
It searches for appropriate access mechanisms to other systems to infect by examining host tables, address books, buddy lists, trusted peers and similar repositories of remote system access details;
by scanning possible target host addresses;
by searching for suitable removable media devices to use.
It uses the access mechanisms found to transfer a copy of itself to the remote system, and causes the copy to be run.
Target Discovery by Worms (Scanning or Fingerprinting)
Random
Random addresses in the IP address space.
Produces a high volume of Internet traffic.
Disruption is caused even before the actual attack is launched.
Hit List
Compile a list of potentially vulnerable machines.
The list is distributed among infected machines to launch attacks.
Results in a short scanning period and difficult detection.
Topological
Uses information available on the infected machine to find more hosts to scan.
Local Subnet
The local network of the infected machine is targeted.
Uses subnet addresses to target the hosts.
Worms Propagation Model
Classic epidemic model
State of the Art in Worm Technology
Multiplatform:
Newer worms can attack a variety of platforms, such as Windows and various UNIX-based platforms.
They exploit macro or scripting languages supported in popular document types.
Multi-exploit:
Penetrate systems in a variety of ways: Web servers, browsers, e-mail, file sharing, shared media, etc.
Ultrafast Spreading:
Exploit various techniques to optimize the rate of spread of a worm, to maximize its likelihood of locating as many vulnerable machines as possible in a short period of time.
Polymorphic:
To evade detection, skip past filters and foil real-time analysis, worms adopt virus polymorphic techniques.
Each copy has new code generated using functionally equivalent instructions and encryption techniques.
State of the Art in Worm Technology
Metamorphic:
Metamorphic worms have a range of different behavior patterns that are unleashed at different stages of propagation.
Transport Vehicles:
Ideal for spreading a wide variety of malicious payloads, such as distributed denial-of-service bots, rootkits, spam e-mail generators and spyware.
Zero-day exploit:
For maximum surprise, a worm may exploit a vulnerability that is unknown until the worm is launched, so no patch or signature exists when it spreads.
Mobile code and worms: programs (e.g. scripts, macros or other portable instructions) that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics, without the user's involvement.
Mobile code often acts as the mechanism by which a virus, worm or Trojan horse is transmitted to the user's workstation.
Examples: Java applets, ActiveX, JavaScript and VBScript.
Common methods of using mobile code for malicious operations on the local system are cross-site scripting, interactive and dynamic Web sites, e-mail attachments, and downloads from untrusted sites or of untrusted software.
Some Specific Worms
Smart Mobile Phone Worms:
First appeared with the discovery of the Cabir worm in 2004.
Use Bluetooth wireless connections to replicate.
Can also copy themselves to a removable memory card.
Early mobile worms targeted phones running the Symbian OS.
Recent ones target Android and iPhone.
They can completely disable the phone, delete data, or force the device to send costly messages to premium-rate numbers.
They can also send MMS files to the contacts in the phone.
They can automatically reply to incoming messages.
Clickjacking (not a worm, but a web technique often used to deliver one):
Also known as a user interface redress attack.
The attacker tricks the user into clicking something other than what the user perceives, by layering transparent or disguised page elements over a legitimate page.
The attacker can even place a malicious button under a legitimate button, making it difficult to detect.
Clicks meant for one page are hijacked and routed to another page.
Bots as Worms
A bot (short for robot) is an autonomous agent program. Search engine hosts like Bing and Google run vast numbers of them, and the textbook classes them as a kind of worm because they roam from site to site on their own.
Their purpose is to scan accessible web content continuously and report back any new content they have found.
In this way the agents find new or updated pages, enabling the search engine to return these results in response to individuals' queries.
The same word is used for the malicious agents that a worm installs on compromised machines (the DDoS bots mentioned above); those run on any computer on which they can install themselves, and a collection of them under one controller is a botnet.
Worm Attack Example: Morris Worm
Robert Tappan Morris, a graduate student at Cornell University, created and released in 1988 the first computer worm that spread between computers on the Internet by copying itself.
Morris did not have malicious intent, but an error in the program led to its propagation far beyond his expectations.
Around 6,000 computers were reportedly affected, causing an estimated $10 to $100 million in damage.
Morris was fined $10,050 and sentenced to 400 hours of community service and three years' probation.
He later went on to work at the MIT Computer Science and Artificial Intelligence Laboratory.
Worm Attack Example: Melissa Worm
It was a fairly simple piece of malware that combined aspects of a virus, a worm and a Trojan horse in one package.
It took only 3 days to infect over 100,000 computers, which ended up costing $80 million in damages.
It sent itself to everyone on the mailing list in the user's e-mail client, disabling security tools and copying itself into other documents.
In 1999, a more powerful version was seen which could be activated merely by opening an e-mail that contained the virus.
Incidentally, anti-virus software sales went gangbusters that year.
Worm Attack Example: Sobig.F
Appeared in late 2003.
Exploited open proxy servers and turned them into spam engines.
Sobig.F reportedly accounted for 1 in every 17 e-mail messages.
Produced more than 1 million copies of itself within 24 hours.
Worm Attack Example: Mydoom
Appeared in 2004.
Installed a backdoor on infected computers.
Enabled attackers to gain remote access and harvest credentials.
Replicated up to 1,000 times per minute.
Flooded the Internet with 100 million infected messages in 36 hours.
Worm Attack Example: Warezov
Appeared in late 2006.
Created several executables in system directories.
Set itself to run every time Windows starts by creating a registry entry.
Sent itself as an e-mail attachment.
Worm Attack Example: Conficker
Appeared in late 2008.
Also known as Downadup.
Exploited a Windows buffer overflow vulnerability.
Later versions could also spread via USB drives and network file shares.
Worm Attack Example: Stuxnet
Appeared in 2010.
Disabled uranium-enrichment centrifuges in Iran, slowing down the country's nuclear program for several years.
It supported a range of propagation mechanisms, including USB drives and network file shares.
The worm activated its payload only on computers running the Siemens software used to program the plant's programmable logic controllers.
On landing on such a machine, it reprogrammed those controllers. Then, by driving the rotational speed of the uranium-enrichment centrifuges out of their safe range, it physically destroyed them.
Worm Attack Example- Flame
Appeared in 2012.
It appeared to target Middle-Eastern countries.
It has been identified on computers in a very large number
of countries.
It even penetrated systems which were kept physically
isolated from the general Internet.
Trojan Horse- History
Around the 12th century B.C., Greek soldiers, even after 10 years of
war, were unable to capture Troy.
The Greek soldiers built a giant wooden horse and left it at the gate
of Troy.
It was ostensibly a peace offering, and the Greeks pretended to sail away.
The Trojans were fooled; they dragged the
horse inside the city walls and celebrated their victory.
At night, Greek soldiers emerged from the horse's hollow belly
and opened the city gates, allowing their compatriots to capture
and destroy Troy.
Over time, the term TROJAN HORSE became a synonym for a
trap.
Trojan Horse
A program containing hidden code which, when invoked,
performs some unwanted or harmful function.
Used by an attacker to accomplish indirectly functions
that could not be accomplished directly.
It can make copies of itself.
A Trojan horse scans the user's system for desired sensitive
information and sends a copy to the attacker.
Used recently in utilities claiming to be the latest anti-virus
scanner, or security update, for systems; these are
malicious Trojans carrying payloads such as spyware.
Trojan Horse Versions
Performs the function of the original program and additionally performs a
separate malicious activity.
Performs the function of the original program but modifies that function to
perform malicious activity. E.g., a Trojan horse version of a login program that
collects passwords.
Continues to perform the function of the original program but disguises other
malicious activity. E.g., a Trojan horse version of a process-listing program that does
not display certain processes that are malicious.
Performs a malicious function that completely replaces the function of the original
program.
Some avoid the requirement for user assistance by exploiting a software
vulnerability to enable their automatic installation and execution.
In this they share some features of a worm but, unlike a worm, they do not replicate.
Trojan Horse Example
In 1970, when the C programming language was developed, its
developer (Dennis Ritchie) discovered that a compiler
can be rigged (or bugged) to embed a Trojan horse
into the login routine.
The point is that the Trojan horse does not exist in the
source code of the program being compiled, so an
examination of that source code will not yield anything
suspicious.
This can only be disclosed when the source code of
the compiler is examined.
Trojan Horse Example
But the attacker can proceed in three steps which
leave virtually no traces.
Rig the compiler.
Compile the compiler itself (this will create an executable
compiler with a Trojan horse).
Remove the Trojan horse from the source code of the
compiler.
The result will be a Trojan horse embedded in an
executable file which is a C compiler.
Both the program's source code and the compiler's source code are clean,
but the object code (the executable files) is infected.
Backdoors and trapdoors
A secret entry point into a program, used to debug and test programs; also called a
maintenance hook.
Allows someone who is aware of the backdoor to gain access without going through the usual
security access procedures.
Usually created while developing an application that has an authentication procedure, a long
setup, or requires the user to enter many different values to run the application.
For debugging, the developer gains special privileges or avoids all the necessary setup and
authentication.
The programmer may also want to ensure that there is a method of activating the program if
there is a fault in the authentication procedure.
The backdoor is code that recognizes some special sequence of input, or is triggered by being
run from a certain user ID or by an unlikely sequence of events.
E.g., a backdoor is usually implemented as a network service listening on some non-standard
port that the attacker can connect to and issue commands through, to be run on the compromised
system.
It is difficult to implement operating system controls for backdoors in applications.
Security measures must focus on the program development and software update activities, and
on programs that wish to offer a network service.
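The "special sequence of input" backdoor described above, beside a hardened login routine and the kind of code-review check that the slide's last point calls for. This is an added example, not code from the course or the textbook; the user store, the hook string and the sample source snippet are constructed for illustration.

```python
"""A login routine with a left-in maintenance hook, its hardened form, and a
code-review check that flags the hook. Added example, not from the slides.
The user store, the hook string and the sample source are all constructed."""
import ast
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the example


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_record(password: str) -> dict:
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(password, salt)}


def login_with_backdoor(username: str, password: str, users: dict) -> bool:
    """Vulnerable: a 'special sequence of input' left from debugging bypasses authentication."""
    if password == "maint-hook-2024":          # constructed hook value
        return True
    rec = users.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"])


# A throwaway record so that unknown users take the same (slow) code path
# as known ones instead of returning early.
_DUMMY = make_user_record("unused-dummy-record")


def login_hardened(username: str, password: str, users: dict) -> bool:
    """Hardened: one code path, no special cases, constant-time digest comparison."""
    rec = users.get(username, _DUMMY)
    ok = hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"])
    return ok and username in users


SECRET_NAMES = {"password", "passwd", "pwd", "token", "secret", "key"}


def find_hardcoded_secret_compares(source: str) -> list:
    """Review check: line numbers where a secret-like variable is compared to a string literal.

    A maintenance hook of the form `if password == "...":` is exactly this
    pattern; a correct login compares derived hashes, never the raw secret.
    """
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Compare):
            continue
        sides = [node.left, *node.comparators]
        names = {s.id for s in sides if isinstance(s, ast.Name)}
        has_literal = any(isinstance(s, ast.Constant) and isinstance(s.value, str) for s in sides)
        if has_literal and names & SECRET_NAMES:
            hits.append(node.lineno)
    return hits


# Constructed source snippet for the review check (line 2 holds the hook).
SAMPLE_SOURCE = (
    "def login(username, password, users):\n"
    "    if password == 'maint-hook-2024':\n"
    "        return True\n"
    "    return verify(username, password, users)\n"
)

if __name__ == "__main__":
    users = {"alice": make_user_record("correct horse battery")}
    print("backdoor login as unknown user:", login_with_backdoor("mallory", "maint-hook-2024", users))
    print("hardened login as unknown user:", login_hardened("mallory", "maint-hook-2024", users))
    print("review hits at lines:", find_hardcoded_secret_compares(SAMPLE_SOURCE))
```

The review check is deliberately narrow (a string literal compared against a secret-named variable); in a real pipeline it would sit beside secret-scanning of the repository and a diff review of authentication code on every update, which is where the slide says the controls have to live.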
Root Kit
A rootkit is a set of programs installed on a system to maintain covert access
to that system with administrator privileges, while hiding evidence of its presence.
Provides access to all the functions and services of the operating system.
Alters the host's standard functionality in a malicious and stealthy way.
With root access, an attacker has complete control of the system.
It can add or change programs and files, monitor processes, send and
receive network traffic, and get backdoor access on demand.
It can make many changes to a system to hide its existence, making it
difficult for the user to determine that the rootkit is present and to identify
what changes have been made.
A rootkit hides by subverting the mechanisms that monitor and report on
the processes, files, and registries on a computer.
Root Kit classification
Persistent: Activates each time the system boots.
Stores code in a persistent store, such as the registry or file system, and configures a
method by which the code executes without user intervention.
It is easier to detect by scanning.
Memory based: Has no persistent code and cannot survive a reboot.
However, because it is only in memory, it can be harder to detect.
User mode: Intercepts calls to APIs (application program interfaces) and modifies
returned results.
Kernel mode: Can intercept calls to native APIs in kernel mode. Can also hide the
presence of a malware process by removing it from the kernel's list of active
processes.
Virtual machine based: Installs a lightweight virtual machine monitor, and then runs
the operating system in a virtual machine. The rootkit then transparently intercepts and
modifies states and events occurring in the virtualized system.
External mode: The malware is located outside the normal operation mode, in BIOS or
system management mode, where it can directly access hardware.
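A user-mode rootkit that "intercepts calls to APIs and modifies returned results" can drop a process from what the listing API returns, but it cannot stop the kernel from running that process. The standard detection idea is a cross-view comparison: take the hookable high-level view, take an independent low-level view (or probe every PID directly), and treat anything present in the second but absent from the first as hidden. The following is an added example, not code from the course; the kernel state, the hook and the process names are simulated in-process so it runs anywhere.

```python
"""Cross-view detection of a user-mode rootkit that hides processes.

Added example; not from the course slides. Both the "kernel" and the API
"hook" are simulated here: the hook filters what callers see, while the
kernel view and a PID probe remain truthful.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str


# Constructed sample: what the kernel really has scheduled.
KERNEL_VIEW = [
    Proc(1, "init"),
    Proc(412, "sshd"),
    Proc(777, "rk_helper"),   # constructed name for the process the rootkit hides
    Proc(902, "bash"),
]

HIDDEN_NAMES = {"rk_helper"}  # simulated rootkit policy: hide anything with this name


def hooked_api_listing(procs):
    """Simulates a user-mode hook on the process-listing API: callers get a filtered result."""
    return [p for p in procs if p.name not in HIDDEN_NAMES]


def cross_view_diff(api_view, low_level_view):
    """Processes present in the low-level view but missing from the API view.

    The low-level view stands for an independent source (e.g. a kernel-side
    enumeration or raw /proc reads); anything it reports that the API omits
    is a hiding candidate.
    """
    api_pids = {p.pid for p in api_view}
    return [p for p in low_level_view if p.pid not in api_pids]


def brute_force_pids(probe, max_pid):
    """Enumerate live PIDs by probing each one individually (as os.kill(pid, 0) does on Unix).

    `probe(pid)` must return True when the PID exists. Unlinking a process
    from a list does not stop it from answering a direct probe.
    """
    return [pid for pid in range(1, max_pid + 1) if probe(pid)]


def detect_hidden(kernel_view=KERNEL_VIEW, max_pid=1024):
    """Run both detection methods over the simulated system and return hidden PIDs, sorted."""
    api_view = hooked_api_listing(kernel_view)
    hidden_by_diff = {p.pid for p in cross_view_diff(api_view, kernel_view)}

    live = {p.pid for p in kernel_view}
    probed = set(brute_force_pids(lambda pid: pid in live, max_pid))
    hidden_by_probe = probed - {p.pid for p in api_view}

    return sorted(hidden_by_diff | hidden_by_probe)


if __name__ == "__main__":
    for pid in detect_hidden():
        print(f"hidden process detected: pid={pid}")
```

On a real host the two views would come from different layers (for example a library-level enumeration versus direct reads of the kernel's process table), which is exactly why a kernel-mode rootkit that edits the kernel's own list defeats this check and needs a view from below the kernel instead.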
Bacterium
It is also known as a rabbit.
Named for its similarity to biological bacteria.
Its sole purpose is to replicate itself.
It multiplies so rapidly that resources become exhausted.
This may result in a denial of service attack.
Logic Bombs
It is data-corrupting malware.
Code embedded in malware which "explodes" when certain
conditions are met.
The condition can be the presence or absence of a certain file, a
particular day or date, a particular version, etc.
Once triggered, it may alter or delete data or entire files, or even
halt a machine, or do any kind of damage.
Bots and botnets
Bot/Zombie/Drone: the infected system whose computational and
network resources the malware subverts.
The malware secretly takes over another Internet-attached computer and
uses it to launch or manage attacks that are difficult to trace to the
bot's creator.
The bot is typically planted on several computers belonging to
unsuspecting third parties.
Botnet: the collection of bots capable of acting in a coordinated
manner.
These attack the integrity and availability of the infected
system.
Uses of bots
1. Distributed denial-of-service (DDoS) attacks
2. Spamming
3. Sniffing traffic
4. Keylogging
5. Spreading new malware: download and execute a file via HTTP or FTP.
6. Installing advertisement add-ons and browser helper objects (BHOs): used to gain
financial advantages using a fake Web site with some advertisements:
The operator of the Web site negotiates with some hosting companies that pay for clicks on ads.
A botnet is used to automate these clicks, and instantly a few thousand bots click on the pop-ups.
The bot hijacks the start page of a compromised machine and the clicks are executed each time the
victim uses the browser.
7. Attacking IRC chat networks (Internet Relay Chat): Clone Attack
The controller orders each bot to connect a large number of clones to the victim IRC network.
The victim is flooded by service requests from thousands of bots.
In this way, the victim IRC network is brought down, similar to a DDoS attack.
8. Manipulating online polls/games: since every bot has a distinct IP address, every vote will have the same
credibility as a vote cast by a real person.
Cookies
Cookies are text files stored on your computer.
They store and report data to the cookie’s owner but they cause
no action themselves.
Cookies show where you have been or what you have done.
Cookies associate actions on a browser.
These are passive tracking objects.
In general, because cookies are stored in your computer, you can
delete cookies at will.
Spyware
Cookies are passive files and the data they capture is limited.
Cookies cannot read the computer's registry, peruse email or capture
the file directory structure.
SPYWARE is active code which can do all these things that
cookies cannot.
Spyware can do anything a program can do.
It is code designed to spy on a user in order to collect data.
The term spyware is applied to everything from keystroke loggers,
advertising applications that track a user's browsing history, and
cookies, to programs designed to help deliver security patches
directly to the user.
Ransomware
The first known ransomware was AIDS Trojan/PC Cyborg in 1989
by Dr. Joseph Popp.
Ransomware is a type of malware which infects the user’s
computer by taking complete control of machine, files,
documents etc.
It can either LOCK the computer to prevent normal use or
encrypt the documents and files on it to prevent access.
The only objective of ransomware is to extort money from the
user.
Ransomware can be installed when you open a malicious
attachment, visit a malicious website, or click a link in an email message,
on a social networking website, etc.
Types of Ransomware
Encryption Ransomware
Encrypts everything from files to folders.
Only thing visible is instructions for payments.
Sometimes also called file encryptor ransomware.
Lock Screen Ransomware
Also called WinLocker ransomware.
It LOCKS the screen and demands payment.
A full screen image will be displayed that blocks all other windows.
Files are not encrypted.
Master Boot Record(MBR) Ransomware
It affects the section of the computer's hard drive that allows the OS to boot up.
It changes the computer's MBR to interrupt the normal booting process.
A ransom demand screen is displayed while booting.
Ransomware Example : AIDS Trojan/PC Cyborg
AIDS was introduced into systems through a floppy disk called
the "AIDS Information Introductory Diskette", which had been
mailed to a mailing list.
AIDS counted the number of times the computer had
booted.
Once this boot count reached 90, AIDS hid directories and
encrypted the names of all files on drive C: (rendering the system
unusable).
The user was asked to 'renew the license' and contact PC
Cyborg Corporation for payment (which would involve sending
189 US$ to a post office box in Panama).
Source: Wikipedia
Ransomware Example : Reveton
Reveton began to spread in 2012.
Its payload displays a warning purportedly from a law enforcement agency
claiming that the computer has been used for illegal activities, such as
downloading unlicensed software or child pornography.
Due to this behavior, it is also known as the "Police Trojan".
The warning informs the user to pay a fine using a voucher from an anonymous
prepaid cash service such as Ukash or paysafecard.
To increase the illusion that the computer is being tracked by law enforcement,
the screen also displays the computer's IP address, while some versions display
footage from the victim's webcam to give the illusion that the user is being
recorded.
Source: Wikipedia
Introduction to Anti-Malware Technology
McAfee reports identifying 200 distinct, new pieces of
malware every minute.
The ideal solution to the threat of malware is prevention (nearly
impossible).
The main elements of prevention are:
Policy (limit the privileges)
Awareness (avoid alluring activities)
Vulnerability and threat mitigation (keep the system updated)
If prevention fails then the only options left are:
Detection
Identification
Removal
Requirements for Effective Countermeasures
Generality:
The approach taken should be able to handle a wide
variety of attacks.
Timeliness
The approach should respond quickly so as to limit the
number of infected programs or systems and the
consequent activity.
Resiliency:
The approach should be resistant to evasion techniques
employed by attackers to hide the presence of their
malware.
Requirements for Effective Countermeasures
Minimal denial-of-service (DoS) costs:
The approach should result in minimal reduction in
capacity or service due to the actions of the
countermeasure software, and should not significantly
disrupt normal operation.
Transparency:
The countermeasure software and devices should not
require modification to existing (legacy) OSs, application
software, and hardware.
Global and Local Coverage:
The approach should be able to deal with attack sources
both from outside and inside the enterprise network.
User Vigilance
Use only commercial software acquired from reliable, well-established
vendors.
Test all new software on an isolated computer.
Open attachments and other potentially infected data files
only when you know them to be safe.
Install software and other potentially infected executable
code files only when you really know them to be safe.
Recognize that any web site can be potentially harmful.
Make a recoverable system image and store it safely.
Make and retain backup copies of executable system files.
Virus Detectors
Virus scanners are tools that look for signs of malicious code
infection.
These tools look for a signature, fingerprint, a telltale pattern
in program, files or memory.
When the scanner recognizes a known virus's pattern, it can
block the virus, inform the user, or deactivate or remove the
virus.
A virus scanner is effective only if it has been kept up to date
with the latest information on current viruses.
Virus writers and antivirus tool makers engage in a battle, the
former to conceal patterns and the latter to find those regularities.
Limitation of Virus Detectors
Virus detectors are powerful but not all-powerful.
Until the pattern of an existing virus is known, it cannot be
detected.
Timeliness and variation limit their effectiveness.
Code Analysis
One way of detecting an infection is to analyze the code to determine what it
does, how it propagates and perhaps where it originated.
The difficulty in code analysis is that the researcher has only the end
product (machine code/executable) to look at.
If only the executable is available, a disassembler can convert the machine
language binary instructions to their assembly language equivalent.
But it will not have informative documentation, variable names,
labels, comments, etc.
Even with the analysis tools, the process depends heavily on human
ingenuity.
Storage Patterns
Most viruses attach themselves to programs.
Most likely the virus will be attached at the beginning of the
original program.
The virus writer wants to control execution before the original
program takes charge.
In some cases, the virus infection consists of a handful of
instructions after a condition test, which may point or
jump to detailed instructions elsewhere.
Storage Patterns
A virus scanner can check for a change in file size, as attachment
of a virus will increase the size.
A virus scanner can use a checksum to detect changes to a file.
It can also look for suspicious patterns such as JUMP/GOTO
instructions.
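The three detection techniques in the virus-detector and storage-pattern slides above (a signature scan, a size and checksum comparison against a known-good baseline, and a check for a jump as the first instruction of a prepended infection) as one working example. It is added here and is not code from the course or the textbook; the signature, the "host program" bytes and the file names are constructed, and the signature is not a real malware pattern.

```python
"""Signature scan, size/checksum integrity check and entry-point heuristic.

Added example illustrating the virus-detector and storage-pattern slides; it
is not from the course. The signature, the 'host program' bytes and the file
names are constructed, and the signature is not a real malware pattern."""
import hashlib

# Constructed signature database: {name: byte pattern}. Real scanners use far
# richer patterns (wildcards, offsets, hashes of code sections).
SIGNATURES = {"DemoVirus.A": b"\xeb\x10DEMO-VIRUS-MARK"}

# Constructed sample files: a clean host and the same host with the pattern
# prepended, mirroring the slide's point that a virus usually attaches at the beginning.
CLEAN_HOST = b"\x55\x89\xe5HOST-PROGRAM-BODY"
INFECTED_HOST = SIGNATURES["DemoVirus.A"] + CLEAN_HOST


def scan_signatures(data, sigs=SIGNATURES):
    """Names of all signatures whose byte pattern occurs anywhere in data."""
    return sorted(name for name, pattern in sigs.items() if pattern in data)


def baseline(files):
    """files: {path: bytes}. Record (size, sha256) per file as the known-good state."""
    return {p: (len(d), hashlib.sha256(d).hexdigest()) for p, d in files.items()}


def check_integrity(files, base):
    """Compare current files with a baseline; report 'new' or 'modified' entries."""
    report = {}
    for path, data in files.items():
        if path not in base:
            report[path] = "new"
            continue
        size, digest = base[path]
        if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            report[path] = "modified"
    return report


def starts_with_jump(data):
    """Heuristic from the slide: an x86 short (0xEB) or near (0xE9) JMP as the very
    first instruction is consistent with prepended code seizing control first."""
    return len(data) > 0 and data[0] in (0xEB, 0xE9)


def demo():
    """Run all three checks over the constructed files and return the findings."""
    before = baseline({"host.exe": CLEAN_HOST})
    after = {"host.exe": INFECTED_HOST, "dropper.exe": INFECTED_HOST}
    return {
        "signatures": scan_signatures(INFECTED_HOST),
        "integrity": check_integrity(after, before),
        "jump_first": starts_with_jump(INFECTED_HOST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The three checks fail in different ways, which is why scanners combine them: the signature scan misses anything not yet in the database, the integrity check only works for files that were baselined while clean, and the jump heuristic produces false positives on legitimate code, so it serves as a prompt for closer analysis rather than a verdict.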
Top Secure Coding Practices
Validate Input
Heed compiler warnings
Architect and design for security policies
Keep it simple
Default to deny
Adhere to the principle of least privilege
Sanitize data sent to other systems
Practice defense in depth
Use effective quality assurance techniques
Adopt secure coding standards
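"Validate input", "default to deny" and "practice defense in depth" from the list above, shown together in a small request handler. This is an added example and not code from the course; the allowed actions, the file-name pattern and the base directory are constructed for the illustration.

```python
"""Validate input and default to deny, as in the secure-coding list above.

Added example, not from the slides. A request handler for a file-serving
feature accepts only allowlisted actions and strictly shaped file names, and
confirms the resolved path stays inside the base directory (defense in depth,
since the name pattern already excludes path separators). The actions, the
name pattern and the base directory are constructed for the example."""
import os
import re

ALLOWED_ACTIONS = {"view", "download"}   # everything not listed is denied by default

# First character alphanumeric or underscore (so '.', '..' and dotfiles are rejected),
# no path separators, at most 64 characters.
NAME_PATTERN = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def validate_request(action, filename, base_dir):
    """Return (True, resolved_path) for an acceptable request, else (False, reason)."""
    if not isinstance(action, str) or action not in ALLOWED_ACTIONS:
        return False, "unknown action"
    if not isinstance(filename, str) or not NAME_PATTERN.fullmatch(filename):
        return False, "malformed file name"
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    # Canonicalize both sides before comparing so symlinks and '..' cannot escape.
    if os.path.commonpath([base, target]) != base:
        return False, "outside base directory"
    return True, target


if __name__ == "__main__":
    for req in [("view", "report.txt"), ("delete", "report.txt"),
                ("view", "../etc/passwd"), ("download", "..")]:
        print(req, "->", validate_request(*req, "/srv/docs"))
```

The order of the checks matters: the cheapest, most restrictive test (is this an action we know at all?) runs first, and the path canonicalization at the end is the second line of defense that only ever triggers if the name pattern has been loosened later.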