Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)

Malicious Code

Brian E. Brzezicki

Malicious Code (from Chapter 13 and 11)

Malicious Code

Once upon a time hackers tried to exploit technical flaws in systems. While that still happens today, hackers are increasingly trying to “trick” people into running malicious code, which then tries to take control of a system (or helps a hacker steal passwords and resources).

Malicious Code

Software that has been designed to do bad things. Some types that we will talk about in the next couple of slides are:
• Viruses
  – Program
  – Boot Sector
  – Macro
• Trojan Horses
• Worms
• Logic Bombs
• Spyware

Viruses

Viruses (410)

The “original” malware. Can someone tell me how a virus works?

Traits:
• Requires human intervention to spread and attack

Program Virus (410)

This is the kind of virus we just discussed. It infects other executable software with its own virus code.

Examples of executable code are:
• Web browser
• Spreadsheet program
• Word processor
• Anything that you “run” and it does something

Boot Sector Virus (410)

Specifically tries to attack the boot sector of hard drives and floppy drives.

Macro Virus (410)

Viruses used to affect ONLY executable code (not data such as word processor documents or images). Another type of “virus” actually embeds itself into data files and tells the reading program to execute commands on its behalf.

• Uses Macros… what’s a Macro?

Advanced Viruses

Stealth Virus – tries to evade anti-virus software by various methods

Polymorphic Virus – actually evolves and changes its code as it spreads. This defeats signature checking.

Anti-Virus Countermeasures (ch 11…pg 307)

Anti-virus software attempts to detect and stop viruses from infecting our computers.

2 main types (we talk about each in the next slides):
• Signature Based
• Heuristic

Signature (ch 11. 308)

A virus is software, which is nothing but a set of computer instructions that “does something”. Viruses generally do some bad action and also replicate. The code that each virus uses to do harm and replicate can be isolated. This is called a signature.

Anti-virus products that use signatures have a database of known virus signatures, and they scan files against this signature database.

(more)

Signature based anti-virus (ch 11. 308)

Advantages
• Signatures in a known database
• Easy operation, few false positives

Disadvantages
• Must subscribe to an anti-virus database service
• Must constantly update the virus signature database
• Cannot protect against unseen/new viruses
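The scan described on the last two slides, as an added example that is not part of the lecture: a toy scanner that matches files against a small signature database. The signatures, filenames and file contents are all constructed for the demo; the `variant.exe` entry shows why a database of known signatures cannot flag a sample it has never seen.

```python
"""Added example (not from the slides): a toy signature-based scanner.
A "signature" is a byte pattern isolated from a known sample, as the slide
describes. The signature database and the scanned "files" below are all
constructed for this demo; none of it is real malware."""
import re

# Constructed signature database: name -> byte pattern. Patterns are regexes
# so a signature can mix fixed bytes with a wildcard, as real formats allow.
SIGNATURE_DB = {
    "DemoVirus.A": rb"DEMO_PAYLOAD\x00\x01\x02",
    "DemoVirus.B": rb"REPLICATE:.{4}:DROP",
}

# Constructed sample "files": filename -> contents (no disk access needed).
SAMPLE_FILES = {
    "report.doc": b"Quarterly numbers look fine.",
    "infected.exe": b"MZ...\x90\x90DEMO_PAYLOAD\x00\x01\x02\x90",
    "dropper.bin": b"junkREPLICATE:abcd:DROPmore",
    "variant.exe": b"MZ...\x90\x90DEMO_PAYLOAD\x00\x01\x03\x90",  # one byte differs
}

def compile_db(db):
    """Compile each signature once so many files can be scanned cheaply."""
    return {name: re.compile(pat, re.DOTALL) for name, pat in db.items()}

def scan_bytes(data, compiled_db):
    """Return the names of every signature found in one file's bytes."""
    return sorted(name for name, rx in compiled_db.items() if rx.search(data))

def scan_files(files, db=SIGNATURE_DB):
    """Scan every file against the database; map filename -> list of hits.
    An empty list means "no known signature", not "clean": the slide's
    limitation shows up as variant.exe, which differs from the known
    sample by a single byte and so gets no hit."""
    compiled = compile_db(db)
    return {fname: scan_bytes(data, compiled) for fname, data in files.items()}

if __name__ == "__main__":
    for fname, hits in scan_files(SAMPLE_FILES).items():
        print(f"{fname:14} {', '.join(hits) if hits else 'no known signature'}")
```

This is also the reason the polymorphic virus from the earlier slide is a problem for this approach, and why the heuristic approach on the next slide exists.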

Heuristic Anti-Virus (ch 11. 308)

Looks for suspicious behavior. May “sandbox” code and run it in a virtual environment.

Advantages
• Can catch new viruses

Disadvantages
• Higher rate of false positives

Virus Countermeasures (411)

Countermeasures
• Never run code if you don’t know what or where that executable has been ;)
• Run anti-virus software on all workstations and major servers that accept incoming data to users (email, instant messaging, web proxies)

Trojan (horse)

Trojan (412)

Like the Trojan Horse, a Trojan program seems like a “gift”. It seems to be some useful program, and it even might do something useful… however inside there is code to do bad things. It can do really anything.

Countermeasures
• User education
• Don’t run software that you are not familiar with and that you don’t have “real distribution” media for.
• Software signing
• Anti-virus software to detect known Trojans

Worms (414)

Once run, a worm usually does something bad, but then tries to actively spread. Unlike a virus, which simply copies itself into other executables, a worm “self-propagates” and tries to spread in any way possible. It might try to scan networks for known security weaknesses and “hack” machines as a method of spreading. Another example is via email.

(more)

Famous Worm Attacks (415)

Morris Worm – First known worm
• Simply spread, didn’t do anything else
• Did eat up a lot of CPU and network bandwidth, brought the internet to a halt in 1988.
• Did password guessing and auto-hacking

Code Red
• Attacked IIS, using a buffer overflow, targeted other IIS servers

Nimda
• 5 methods of propagation
• Email, network shares, compromised web sites, IIS holes, and backdoors from other worms.

Worm Countermeasures

Countermeasures
• Remove unnecessary services
• Patch OS and applications
• Beware of email

Hoaxes (37)

Chain letters, fake virus reports.

Does not necessarily pose a threat but:
• Wastes employee time and productivity
• Causes confusion, FUD
• Could cause users to modify settings
• Wastes network resources as messages are spread.
• Wastes IT/helpdesk time.

Countermeasures
• User education
• Centralized information base and IT communication

Logic Bombs (413)

What is a Logic Bomb… anyone?

Countermeasures
• Inventory all software and keep checksums (tripwire).
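The checksum inventory named as the logic bomb countermeasure, as an added example that is not part of the lecture and is not the Tripwire product itself: build a baseline of SHA-256 checksums for every file under a directory, then compare the live tree against it. The directory, file names and file contents are constructed in a temporary folder so the script runs stand-alone.

```python
"""Added example (not from the slides): a minimal tripwire-style check.
Baseline SHA-256 checksums of every file under a directory, then compare
the live tree against the baseline. The demo tree is constructed with
tempfile so the script runs stand-alone."""
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Inventory: map each file's path (relative to root) to its checksum."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline

def compare(baseline, current):
    """Report files whose checksum changed, plus files added or removed."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def write(root, name, body):
    with open(os.path.join(root, name), "wb") as f:
        f.write(body)

def demo():
    """Constructed scenario: take a baseline, then tamper with the tree."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in {"app.bin": b"v1", "lib.so": b"lib", "cfg": b"a=1"}.items():
            write(root, name, body)
        baseline = build_baseline(root)
        # Simulated tampering: one file modified, one added, one removed.
        write(root, "app.bin", b"v1 plus injected code")
        write(root, "dropped.bin", b"new")
        os.remove(os.path.join(root, "cfg"))
        return compare(baseline, build_baseline(root))
```

Calling `demo()` returns the report for the constructed scenario. The baseline only helps if it is kept where the software being checked cannot alter it (read-only media or a separate host), and it must be taken when the system is known good.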

Spyware (412)

We already talked about spyware previously. Anyone care to refresh us?

Malicious Code review

Q. How does a virus replicate?

Q. How is a virus different than a worm?

Q. Why are worms difficult to detect?

Q. What is a Logic Bomb? What is a way a logic bomb usually gets on a system?