WYSZA SZKOA BIZNESU W DBROWIE GRNICZEJ 2015

Computer Security threats

Jzyk angielski

Lektor:

mgr Iwona Chory

Krzysztof Milanowski
Informatyka studia II stopnia
semestrIV

Krzysztof Milanowski

Protects
from
computer-based
data
software-based and communications-based
threats.

programs exploiting system vulnerabilities.

Also known as malware.
Types:
program fragments that need a host program
e.g. viruses, logic bombs, and backdoors

independent self-contained programs

e.g. worms, bots

replicating or not

sophisticated threat to computer systems !

In 1983, graduate student Fred Cohen

first used the term virus in a paper
describing a program that can spread by
infecting other computers with copies of
itself !
In 1986, The Brain virus was the first virus
designed to infect personal computer
systems.
by infecting floppy disks !

piece of software that infects

programs(host)
modifying them to include a copy of the virus
so it executes secretly when host program is run

Usually specific to operating system

taking advantage of their details and weaknesses

a typical virus goes through phases of:

Dormant: idle (not found in all virus)
Propagation: copy itself into other programs/disk
areas
Triggering: activated ( date, file, disk limit)
Execution: perform the intended function(message,
damage..

components:
Infect - enables replication
Trigger - event that makes payload activate
Payload - what it does

prepended / postpended / embedded

when infected program invoked, executes
virus code then original program code

Signatures sequence of bits that can be used

to accurately identify the presence of a
particular virus.
The code consists of three stages,
activation/trigger ,
replication/infect , and
Operation/payload

malicious task of a virus.

performed when the triggering condition
is satisfied.
types :
display a message, such as Gotcha, a
political slogan, or a commercial
advertisement
read a certain sensitive or private file. Such a
virus is in fact spyware.
slow the computer down by monopolizing and
exhausting limited resources.
completely deny any services to the user.

erase all the files on the host computer

select some files at random and change several
bits in each file, also at random.
referred to as data diddling, may be more serious,
because it results in problems that seem to be caused
by hardware failures, not by a virus.

One step beyond data diddling is random

deletion of files
random change of permissions.
Produce sounds, animation.

two types :
Nonresident viruses:
search for other hosts that can be infected,
infect those targets,
transfers control to the infected program

Resident viruses
do not search for hosts when they are started.
Instead, it loads itself into memory on execution and
transfers control to the host program.
The virus stays active in the background and infects
new hosts when those files are accessed by other
programs or the operating system itself

Date or time
Number of boots
Generation counter of the virus
Number of keypresses on the keyboard
Amount of free space on the hard drive
Amount of minutes the machine has been idle
Name of an executed program

Basically any event it the PC can be used as a

trigger by a virus !.

By target
boot sector: Infects a master boot record
or boot record and spreads when a system
is booted from the disk containing the
virus.
file infector: Infects executable files
macro virus: Infects files with macro code
that is interpreted by an application.

By Hiding Methods
encrypted virus: creates a random encryption
key, stored with the virus, and encrypts the
remainder of the virus. Then, the virus uses
the stored random key to decrypt the virus .
virus replicates, a different random key is
selected.
stealth virus: designed to hide itself

from detection by antivirus software.

By restoring the size, modification
date, and checksum of the infected file

Polymorphic virus: mutates and infects

each new file as a different string of bits
making detection by the signature of
the virus impossible.
Metamorphic virus: As with a
polymorphic virus ,a metamorphic virus
mutates with every infection.
The difference is that a metamorphic
virus rewrites itself completely at each
iteration, increasing the difficulty of
detection

A virus can modify itself and become a

different string of bits simply by inserting
several nop instructions in its code.
A nop (no operation) is an instruction that
does nothing.

Compression virus: In addition to mutating, a

virus may hide itself in a compressed file in
such a way that the bits with the virus part
depend on the rest of the infected file and are
therefore always different.

more recent development

e.g. Melissa

exploits MS Word macro in attached doc

if attachment opened, macro activates
sends email to all on users address list
and does local damage

then saw versions triggered reading email

hence much faster propagation

Anti-virus
prevention - ideal solution but difficult
realistically need:
detection
identification
removal

if detect but cant identify or remove, must

discard and replace infected program

virus & antivirus tech have both evolved

early viruses simple code, easily removed
as become more complex, so must the
countermeasures
generations

first - signature scanners

second heuristics rule (structure)
third - identify actions
fourth - combination packages

Using infected programs. the virus is executed

every time the program is executed.
Using interrupts that occurs each time an external
disk drive or a DVD is inserted into a USB port.
Once this interrupt occurs, the virus is executed as
part of the interrupt-handling routine and it tries
to infect the newly inserted volume.
As an email attachment.
Through infected softwares. useful program (a
calculator, a nice clock, or a beautiful screen
saver), embed a virus or a Trojan horse in it.

Usually Sharing: Each time users share a

computing resource such as a disk, a file, or a
library routine, there is the risk of infection

Self-replicating
program,
similar to virus, but is selfcontained.
Usually
propagates
over
network.
using email, remote exec, remote
login

by
exploiting
service
vulnerabilities.
It often creates denial of service

has phases like a virus:

dormant, propagation, triggering, execution
propagation phase: searches for other systems,
connects to it, copies self to it and runs
1st implemented by Xerox Palo

Alto labs in 1980s

search for idle systems to use to run a
computationally intensive task.

A virus propagates when users

send email, launch programs, or
carry storage media between
computers.
A worm propagates itself
throughout the Internet by
exploiting security weaknesses in
applications and protocols we all
use.
Has the highest speed of
propagation.

future worms may pose a

threat to the Internet, to Ecommerce, and to computer
communications
and
this
threat may be much greater
and much more dangerous
than that posed by other types
of malicious software.

Worm that has infected several

million computers on the
Internet may have the potential
for a global catastrophe.
could launch vast DoS attacks . That can bring
down not only E-commerce sites, but sensitive
military sites or the root domain name servers
of the Internet.

one of best know worms

released by Robert Morris in 1988
various attacks on UNIX systems
discover other hosts
cracking password file to use login/password to
logon to other systems
exploiting a bug in the finger protocol
exploiting a bug in sendmail.

if succeed have remote shell access

sent bootstrap program to copy worm over

Code Red: July 2001

exploiting Microsoft Internet Information Server

(IIS) bug to penetrate and spread

probes random IP address
does DDoS attack
activities and reactivates periodically
consumes significant net capacity when active
infected nearly 360,000 servers in 14 hours

Code Red II variant includes

backdoor
allowing a hacker to direct activities of victim
computers

SQL Slammer: early 2003

attacks MS SQL Server
compact and very rapid spread

Mydoom: 2004
mass-mailing e-mail worm
installed remote access backdoor in
infected systems
flooded the Internet with 100 million
infected messages in 36hrs

first appeared on mobile phones in

2004
target smartphone which can install software

they communicate via Bluetooth or

MMS
disable phone, delete data on phone,
or send premium-priced messages
E.g. CommWarrior, launched in 2005
replicates using Bluetooth to nearby phones
and via MMS using address-book numbers
copies itself to the removable memory card

anti-virus
worms also cause significant net activity
worm defense approaches include:
signature-based worm scan filtering
filter-based worm containment: content/code
payload-classification-based worm containment
examine packets using anomaly detection techniques

threshold random walk scan detection

exploits randomness in picking destinations to connect

rate limiting and rate halting

limits the rate of scanlike traffic from an infected host
immediately blocks outgoing traffic when a threshold is
exceeded

apparently useful , program with hidden

side-effects
which is usually superficially attractive
E.g. game, software upgrade, screen saver
etc

when run performs some additional tasks

Usually designed primarily to give
hackers access to system
often used to propagate a virus/worm or
install a backdoor
or simply to destroy data

Download files to the infected computer.

Make registry changes to the infected
computer.
Delete files on the infected computer.
Disable a keyboard, mouse, or other
peripherals.
Shut down or reboot the infected computer.
Run selected applications or terminate open
applications.
Disable virus protection or other computer
security software

Back doors/Trap doors

It is a program that allows attackers to access a
system, bypassing the normal authentication
mechanisms

Bomb
It is a program which lies dormant until a
particulate date/time or a program logic is
activated
Logic bomb or Time bomb

36

Spywares
are programs, cookies, or registry entries that track
your activity and send that data off to someone who
collects this data for their own purposes
The type of information stolen varies considerably
email login details
IP and DNS addresses of the computer
users Internet habits
bank details used to access accounts or make online
purchases etc

37

Adware
is software that is installed on your computer to show you
advertisements
These may be in the form of pop-ups, pop-unders,
advertisements embedded in programs, or placed on top
of ads in web sites, etc

Key logger
is a program that captures and records user keystrokes
E.g. whenever a user enters a password, bank account
numbers, credit card number, or other information, the
program logs the keystroke
The keystrokes are often sent over the Internet to the
hacker

38

Dialers
are programs that set up your modem connection to
connect to the Internet often to charge illicit phone usage
fees
are targeted to users of dial up internet services

Spam
is unsolicited bulk e-mail which is sent in massive
quantities to unsuspecting Internet email users.
Most spam tries to
Sell products and services.

A more dangerous category of spam tries to

Convince the recipient to share their bank account numbers,
credit card numbers, or logins & passwords to their online
banking systems/services

It is also used for phishing and to spread malicious code

39

Rootkit
is a set of tools and utilities that a hacker can use to
maintain access once they have hacked a system.
The rootkit tools allow them conceal their actions by
hiding their files and processes and erasing their
activity

Bot/Zombie
These are small programs that are inserted on
computers by attackers to allow them to control the
system remotely without the users consent or
knowledge
Botnets :groups of computers infected by bots and
controlled remotely by the owner of the bots
Computers that are infected with a bot are generally
referred to as zombies
40

Exploit

it a piece of software, a command, or a

methodology that attacks particular security
vulnerability
takes advantage of a particular weakness e.g. OS,
application programs

Phishing

is not an application. It's the process of attempting

to acquire sensitive user information with fake
websites.
It's an example of social engineering techniques
used to fool users
Common targets for phishing
Online payment systems such as e-bank, ecommerce are

41