Malicious Code
Brian E. Brzezicki

Malicious Code
Once upon a time hackers tried to exploit technical flaws in systems. While that still happens today, hackers are increasingly trying to “trick” people into running malicious code, which then tries to take control of a system (or helps a hacker steal passwords and resources).

Malicious Code
Software that has been designed to do bad things. Some types that we will talk about in the next couple of slides are
• Viruses
  • Program
  • Boot Sector
  • Macro
• Trojan Horses
• Worms
• Logic Bombs
• Spyware

Viruses (410)
The “original” malware. Can someone tell me how a virus works?
Traits –
• Requires human intervention to spread and attack

Program Virus (410)
This is the kind of virus we just discussed. Infects other executable software with its own virus code. Examples of executable code are
• Web browser
• Spreadsheet program
• Word processor
• Anything that you “run” and that does something

Boot Sector Virus (410)
Specifically tries to attack the boot sector of hard drives and floppy drives.

Macro Virus (410)
Viruses used to affect ONLY executable code (not data such as word processor documents or images). Another type of “virus” actually embeds itself into data files and tells the reading program to run commands on its behalf.
• Uses Macros… what’s a Macro?

Advanced Viruses
Stealth Virus – tries to evade anti-virus software by various methods
Polymorphic Virus – actually evolves and changes its code as it spreads. This defeats signature checking.

Anti-Virus Countermeasures (ch 11…pg 307)
Anti-Virus software attempts to detect and stop viruses from infecting our computers. 2 main types (talk about each in next slides)
• Signature Based
• Heuristic

Signature (ch 11. 308)
A virus is software, which is nothing but a set of computer instructions that “does something”. Viruses generally do some bad action and also replicate. The code that each virus uses to do harm and replicate can be isolated. This is called a signature. Anti-virus products that use signatures have a database of known virus signatures, and they scan files against this signature database. (more)

Signature based anti-virus (ch 11. 308)
Advantages
• Signatures in known database
• Easy operation, few false positives
Disadvantages
• Must subscribe to anti-virus database service
• Must constantly update virus signature database
• Cannot protect against unseen/new viruses

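To make the signature idea concrete, here is a small scanner written for these notes. It is an added example, not code from the slides or from any anti-virus product. The detection names, marker bytes and sample “files” are all constructed for the demo and stand in for the isolated “code that does harm and replicates” a vendor would extract; nothing here refers to real malware. It shows the two common signature granularities (a whole-file hash, which only matches that exact file, and a byte pattern, which matches every host the same virus body was copied into) and the main disadvantage from the slide: the last sample was never seen before, so it scans as clean.

```python
"""Signature-based scanning, reduced to its essentials (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Signature:
    name: str    # detection name such as "Example.Dropper.A" (constructed)
    kind: str    # "sha256": whole-file digest, or "pattern": bytes found anywhere
    value: bytes


def sha256_signature(name: str, known_bad_sample: bytes) -> Signature:
    """Whole-file hash signature: matches only that exact file."""
    return Signature(name, "sha256", hashlib.sha256(known_bad_sample).digest())


def scan_bytes(data: bytes, db: List[Signature]) -> Optional[str]:
    """Return the first matching signature name, or None if nothing matched."""
    digest = hashlib.sha256(data).digest()
    for sig in db:
        if sig.kind == "sha256" and sig.value == digest:
            return sig.name
        # Substring search: one pattern covers every host file the same
        # virus body has been copied into, which is the point of a signature.
        if sig.kind == "pattern" and sig.value in data:
            return sig.name
    return None


def scan_files(files: Dict[str, bytes], db: List[Signature]) -> Dict[str, Optional[str]]:
    """Scan a mapping of filename -> contents; value is the match name or None."""
    return {name: scan_bytes(data, db) for name, data in files.items()}


# --- Constructed signature database (no real malware is referenced) ---
DROPPER_MARKER = b"\x90\x90EXAMPLE-PAYLOAD-MARKER\xcc"
MACRO_MARKER = b'Sub AutoOpen()\r\n  Shell "example-cmd"'
KNOWN_SCRIPT = b"#!/bin/sh\n# constructed known-bad sample for the demo\n"

SIGNATURE_DB: List[Signature] = [
    Signature("Example.Dropper.A", "pattern", DROPPER_MARKER),
    Signature("Example.Macro.B", "pattern", MACRO_MARKER),
    sha256_signature("Example.Script.C", KNOWN_SCRIPT),
]

# --- Constructed sample files ---
HOST_PROGRAM = b"MZ" + b"\x00" * 64 + b"hello from a legitimate program"
SAMPLE_FILES: Dict[str, bytes] = {
    "calc.exe": HOST_PROGRAM,
    # a program virus appends its body to an otherwise good host
    "calc_infected.exe": HOST_PROGRAM + DROPPER_MARKER,
    # a macro virus rides inside a data file
    "invoice.doc": b"Dear user,\r\n" + MACRO_MARKER + b"\r\nEnd Sub\r\n",
    "known.sh": KNOWN_SCRIPT,
    # never seen before: no signature exists, so it scans clean
    "brand_new.exe": b"MZ" + b"\x00" * 64 + b"NEW-UNSEEN-MARKER",
}

if __name__ == "__main__":
    for fname, verdict in scan_files(SAMPLE_FILES, SIGNATURE_DB).items():
        print(f"{fname:20s} {verdict or 'clean'}")
```

Running it prints one verdict per sample file. The hash signature is the cheapest to check but the most brittle, which is why products lean on pattern signatures and why the database has to be refreshed constantly.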
Heuristic Anti-Virus (ch 11. 308)
Looks for suspicious behavior. May “sandbox” code and run it in a virtual environment.
Advantages
• Can catch new viruses
Disadvantages
• Higher rate of false positives

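The following toy heuristic detector is an added example for these notes, not code from the slides or from any product. It scores what a program does in a sandbox rather than what bytes it contains. The event format, rule weights and threshold are assumptions chosen for the demo, and the three sandbox runs are constructed. The point it makes is the trade-off on the slide: the never-seen worm-like sample is caught with no signature at all, while a legitimate installer that writes several executables and registers an updater crosses the same threshold, a false positive.

```python
"""Heuristic (behaviour-based) detection over sandbox events (added example)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Event = Tuple[str, str]          # (event type, detail) as a sandbox might log it

# Rule weights and the threshold are assumptions chosen for this demo.
RULES: Dict[str, Tuple[int, str]] = {
    "write_self_copy": (4, "writes a copy of its own image elsewhere"),
    "persistence":     (3, "registers itself to run at startup"),
    "mass_exec_write": (3, "writes five or more executables in one run"),
    "disable_av":      (5, "stops a service whose name contains 'antivirus'"),
    "fan_out":         (4, "contacts ten or more hosts on the same port"),
}
SUSPICIOUS_THRESHOLD = 6


def fired_rules(events: List[Event]) -> List[str]:
    """Walk one run's events and return the sorted names of the rules that fired."""
    fired: Set[str] = set()
    exec_writes = 0
    hosts_per_port: Dict[str, Set[str]] = defaultdict(set)
    for kind, detail in events:
        if kind == "file_write_self":
            fired.add("write_self_copy")
        elif kind == "file_write" and detail.lower().endswith((".exe", ".dll", ".scr")):
            exec_writes += 1
        elif kind == "registry_write" and "\\run\\" in detail.lower():
            fired.add("persistence")
        elif kind == "service_stop" and "antivirus" in detail.lower():
            fired.add("disable_av")
        elif kind == "connect":
            host, port = detail.rsplit(":", 1)   # "host:port" form assumed
            hosts_per_port[port].add(host)
    if exec_writes >= 5:
        fired.add("mass_exec_write")
    if any(len(hosts) >= 10 for hosts in hosts_per_port.values()):
        fired.add("fan_out")
    return sorted(fired)


def verdict(events: List[Event]) -> Tuple[str, int, List[str]]:
    """Return (label, score, rules) where label is 'suspicious' or 'benign'."""
    rules = fired_rules(events)
    score = sum(RULES[r][0] for r in rules)
    return ("suspicious" if score >= SUSPICIOUS_THRESHOLD else "benign", score, rules)


# --- Constructed sandbox runs ---
# 1. A never-before-seen worm-like sample: no signature exists, behaviour gives it away.
WORM_RUN: List[Event] = [
    ("file_write_self", r"C:\Windows\System32\svchelper.exe"),
    ("registry_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchelper"),
] + [("connect", f"10.0.0.{i}:445") for i in range(1, 16)]

# 2. A legitimate installer: many executables written plus an autostart entry.
INSTALLER_RUN: List[Event] = [
    ("file_write", rf"C:\Program Files\ExampleApp\lib{i}.dll") for i in range(6)
] + [("registry_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater")]

# 3. A text editor saving a file and checking for updates once.
EDITOR_RUN: List[Event] = [
    ("file_write", r"C:\Users\alice\notes.txt"),
    ("connect", "203.0.113.10:443"),
]

if __name__ == "__main__":
    for name, run in [("worm", WORM_RUN), ("installer", INSTALLER_RUN), ("editor", EDITOR_RUN)]:
        label, score, rules = verdict(run)
        print(f"{name:10s} {label:10s} score={score:2d} rules={rules}")
```

Tuning the weights to stop flagging the installer would also lower the score of a sample that only persists and writes executables, which is the balance every heuristic engine has to strike.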
Virus Countermeasures (411)
Countermeasures
• Never run code if you don’t know what or where that executable has been ;)
• Run anti-virus software on all workstations and major servers that accept incoming data to users (email, instant messaging, web proxies)

Trojan (412)
Like the Trojan Horse, a Trojan program seems like a “gift”. It seems to be some useful program, and it even might do something useful… however, inside there is code to do bad things. It can do really anything.
Countermeasures
• User Education
• Don’t run software that you are not familiar with and that you don’t have “real distribution” media for.
• Software Signing
• Anti-virus software to detect known Trojans

Worms (414)
Once run, a worm usually does something bad, but then tries to actively spread. Unlike a virus, which simply copies itself into other executables, a worm “self-propagates” and tries to spread in any way possible. It might try to scan networks for known security weaknesses and “hack” machines as a method of spreading. Another example is via email. (more)

Famous Worm Attacks (415)
Morris Worm – First known worm
• Simply spread, didn’t do anything else
• Did eat up a lot of CPU and network bandwidth, brought the internet to a halt in 1988.
• Did password guessing and auto-hacking
Code Red
• Attacked IIS, using a buffer overflow, targeted other IIS servers
Nimda
• 5 methods of propagation
• Email, network shares, compromised web sites, IIS holes, and backdoors from other worms.

Worm Countermeasures
Countermeasures
• Remove unnecessary services
• Patch OS and applications
• Beware of email

Hoaxes (37)
Chain letters, fake virus reports. Does not necessarily pose a threat but
• Wastes employee time and productivity
• Causes confusion, FUD
• Could cause users to modify settings
• Wastes network resources as messages are spread.
• Wastes IT/helpdesk time.
Countermeasures
• User education
• Centralized information base and IT communication

Logic Bombs (413)
What is a Logic Bomb… anyone?
Countermeasures
• Inventory all software and keep checksums. (tripwire)

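The countermeasure on the slide, inventory plus checksums in the style of tripwire, is shown below as an added example written for these notes; it is not tripwire’s code and not from the slides. The directory tree, file contents and the changes made after the baseline are all constructed inside a temporary directory. The idea is that a logic bomb is planted in advance, usually inside software that has a legitimate reason to be on the box, so the defence is to record what every file looked like while it was trusted and re-check later for anything added, removed or modified.

```python
"""Tripwire-style inventory with checksums (added example)."""
import hashlib
import json
import os
import stat
import tempfile
from typing import Any, Dict, List


def file_record(path: str) -> Dict[str, Any]:
    """Checksum plus size and permission bits. mtime is left out on purpose:
    it is trivially reset, while a SHA-256 mismatch is not."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root: str) -> Dict[str, Dict[str, Any]]:
    """Inventory every file under root, keyed by a portable relative path."""
    baseline: Dict[str, Dict[str, Any]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_record(full)
    return baseline


def save_baseline(baseline: Dict[str, Dict[str, Any]], path: str) -> None:
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, Dict[str, Any]]:
    with open(path) as f:
        return json.load(f)


def compare(baseline: Dict[str, Dict[str, Any]],
            current: Dict[str, Dict[str, Any]]) -> Dict[str, List[str]]:
    """Report what changed since the baseline was taken."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a small constructed tree, baseline it, change it, and re-check."""
    with tempfile.TemporaryDirectory() as work:
        tree = os.path.join(work, "tree")
        bindir = os.path.join(tree, "bin")
        os.makedirs(bindir)
        with open(os.path.join(bindir, "payroll"), "wb") as f:
            f.write(b"#!/bin/sh\necho run payroll\n")
        with open(os.path.join(bindir, "backup"), "wb") as f:
            f.write(b"#!/bin/sh\necho run backup\n")

        # The baseline lives outside the monitored tree; in practice keep it
        # read-only or offline so it cannot be edited along with the files.
        store = os.path.join(work, "baseline.json")
        save_baseline(build_baseline(tree), store)

        # Constructed changes after the baseline: one script gains an extra
        # line, a new file appears, and one file is deleted.
        with open(os.path.join(bindir, "payroll"), "ab") as f:
            f.write(b"echo extra line added after baseline\n")
        with open(os.path.join(bindir, "cleanup"), "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.remove(os.path.join(bindir, "backup"))

        return compare(load_baseline(store), build_baseline(tree))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report names the tampered script, the dropped file and the deleted one. What it cannot tell you is whether the change was authorised, which is why the slide pairs checksums with a software inventory: every modified entry should trace back to a known install or patch.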
Spyware (412)
We already talked about spyware previously. Anyone care to refresh us?

Malicious Code review
Q. How does a virus replicate?
Q. How is a virus different than a worm?
Q. Why are worms difficult to detect?
Q. What is a Logic Bomb? What is a way a logic bomb usually gets on a system?