CH06-Malicious Software

Information and Computer Security
NET363

CSE Department at YIC

Summer Semester (453), 2024
Dr. Gasim Alandjani

Office: YIC—AS-083
Cisco IP-phone: 41297
Email: [email protected]
Course Delivery and Lecture Schedule
Topics to be Covered

List of Topics                                         Weeks   Contact Hours
1. Introduction to Computer and Information Security   1       3
2. Security Management and Risk Assessment             1       3
3. Access Control Models                               1       3
4. Security and Usability                              1       3
5. Physical and Infrastructure Security                1       3
6. User Authentication                                 1       3
7. Operating System Security                           1       6
8. Cryptographic Tools, Algorithms, and Protocols      2       6
9. Firewalls and Intrusion Detection Systems           1       6
10. Software Flaws and Malware                         3       9
11. Ethical Issues                                     1       3


Chapter 6
Malicious Software
Malicious Software

Malware

[SOUP13] defines malware as: “a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or otherwise annoying or disrupting the victim.”

Table 6.1 Malware Terminology
(Table can be found on page 221 in the textbook.)
Classification of Malware

Classified into two broad categories:
• Based first on how it spreads or propagates to reach the desired targets
• Then on the actions or payloads it performs once a target is reached

Also classified by:
• Those that need a host program (parasitic code such as viruses)
• Those that are independent, self-contained programs (worms, trojans, and bots)
• Malware that does not replicate (trojans and spam e-mail)
• Malware that does replicate (viruses and worms)
Types of Malicious Software (Malware)

Propagation mechanisms include:
• Infection of existing content by viruses that is subsequently spread to other systems
• Exploit of software vulnerabilities by worms or drive-by-downloads to allow the malware to replicate
• Social engineering attacks that convince users to bypass security mechanisms to install Trojans or to respond to phishing attacks

Payload actions performed by malware once it reaches a target system can include:
• Corruption of system or data files
• Theft of service/make the system a zombie agent of attack as part of a botnet
• Theft of information from the system/keylogging
• Stealthing/hiding its presence on the system
Attack Kits

Initially, the development and deployment of malware required considerable technical skill by software authors
• The development of virus-creation toolkits in the early 1990s and then more general attack kits in the 2000s greatly assisted in the development and deployment of malware

Toolkits are often known as “crimeware”
• Include a variety of propagation mechanisms and payload modules that even novices can deploy
• The variants that attackers can generate using these toolkits create a significant problem for those defending systems against them

Widely used toolkits include:
• Zeus
• Blackhole
• Sakura
• Phoenix
Attack Sources

• Another significant malware development is the change from attackers being individuals often motivated to demonstrate their technical competence to their peers to more organized and dangerous attack sources such as:
  • Politically motivated attackers
  • Criminals
  • Organized crime
  • Organizations that sell their services to companies and nations
  • National government agencies

• This has significantly changed the resources available and motivation behind the rise of malware and has led to the development of a large underground economy involving the sale of attack kits, access to compromised hosts, and stolen information
Advanced Persistent Threats (APTs)

• Well-resourced, persistent application of a wide variety of intrusion technologies and malware to selected targets (usually business or political)
• Typically attributed to state-sponsored organizations and criminal enterprises
• Differ from other types of attack by their careful target selection and stealthy intrusion efforts over extended periods
• High profile attacks include Aurora, RSA, APT1, and Stuxnet
APT Characteristics

Advanced
• Use by the attackers of a wide variety of intrusion technologies and malware, including the development of custom malware if required
• The individual components may not necessarily be technically advanced but are carefully selected to suit the chosen target

Persistent
• Determined application of the attacks over an extended period against the chosen target in order to maximize the chance of success
• A variety of attacks may be progressively applied until the target is compromised

Threats
• Threats to the selected targets as a result of the organized, capable, and well-funded attackers' intent to compromise the specifically chosen targets
• The active involvement of people in the process greatly raises the threat level from that due to automated attack tools, and also the likelihood of successful attacks
APT Attacks

Aim:
• Varies from theft of intellectual property or security and infrastructure related data to the physical disruption of infrastructure

Techniques used:
• Social engineering
• Spear-phishing email
• Drive-by-downloads from selected compromised websites likely to be visited by personnel in the target organization

Intent:
• To infect the target with sophisticated malware with multiple propagation mechanisms and payloads
• Once they have gained initial access to systems in the target organization a further range of attack tools are used to maintain and extend their access
Viruses

• Piece of software that infects programs
  • Modifies them to include a copy of the virus
  • Replicates and goes on to infect other content
  • Easily spread through network environments
• When attached to an executable program a virus can do anything that the program is permitted to do
  • Executes secretly when the host program is run
• Specific to operating system and hardware
  • Takes advantage of their details and weaknesses
Virus Components

Infection mechanism
• Means by which a virus spreads or propagates
• Also referred to as the infection vector

Trigger
• Event or condition that determines when the payload is activated or delivered
• Sometimes known as a logic bomb

Payload
• What the virus does (besides spreading)
• May involve damage or benign but noticeable activity
Virus Phases

Dormant phase
• Virus is idle
• Will eventually be activated by some event
• Not all viruses have this stage

Propagation phase
• Virus places a copy of itself into other programs or into certain system areas on the disk
• May not be identical to the propagating version
• Each infected program will now contain a clone of the virus which will itself enter a propagation phase

Triggering phase
• Virus is activated to perform the function for which it was intended
• Can be caused by a variety of system events

Execution phase
• Function is performed
• May be harmless or damaging
Virus Structure
Virus Classifications

Classification by target
• Boot sector infector: infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus
• File infector: infects files that the operating system or shell considers to be executable
• Macro virus: infects files with macro or scripting code that is interpreted by an application
• Multipartite virus: infects files in multiple ways

Classification by concealment strategy
• Encrypted virus: a portion of the virus creates a random encryption key and encrypts the remainder of the virus
• Stealth virus: a form of virus explicitly designed to hide itself from detection by anti-virus software
• Polymorphic virus: a virus that mutates with every infection
• Metamorphic virus: a virus that mutates and rewrites itself completely at each iteration and may change behavior as well as appearance
Macro and Scripting Viruses

• Very common in mid-1990s
  • Platform independent
  • Infect documents (not executable portions of code)
  • Easily spread
• Exploit macro capability of MS Office applications
  • More recent releases of products include protection
• Various anti-virus programs have been developed so these are no longer the predominant virus threat
Worms
• Program that actively seeks out more machines to infect and each infected machine serves as an automated launching pad for attacks on other machines
• Exploits software vulnerabilities in client or server programs
• Can use network connections to spread from system to system
• Spreads through shared media (USB drives, CD, DVD data disks)
• E-mail worms spread in macro or script code included in attachments and instant messenger file transfers
• Upon activation the worm may replicate and propagate again
• Usually carries some form of payload
• First known implementation was done in Xerox Palo Alto Labs in the early 1980s
Worm Replication

Electronic mail or instant messenger facility
• Worm e-mails a copy of itself to other systems
• Sends itself as an attachment via an instant message service

File sharing
• Creates a copy of itself or infects a file as a virus on removable media

Remote execution capability
• Worm executes a copy of itself on another system

Remote file access or transfer capability
• Worm uses a remote file access or transfer service to copy itself from one system to the other

Remote login capability
• Worm logs onto a remote system as a user and then uses commands to copy itself from one system to the other
Target Discovery

Scanning (or fingerprinting)
• First function in the propagation phase for a network worm
• Searches for other systems to infect

Scanning strategies that a worm can use:

Random
o Each compromised host probes random addresses in the IP address space using a different seed
o This produces a high volume of Internet traffic which may cause generalized disruption even before the actual attack is launched
Hit-list
o The attacker first compiles a long list of potential vulnerable machines
o Once the list is compiled the attacker begins infecting machines on the list
o Each infected machine is provided with a portion of the list to scan
o This results in a very short scanning period which may make it difficult to detect that infection is taking place
Topological
o This method uses information contained on an infected victim machine to find more hosts to scan
Local subnet
o If a host can be infected behind a firewall that host then looks for targets in its own local network
o The host uses the subnet address structure to find other hosts that would otherwise be protected by the firewall
Morris Worm

• Earliest significant worm infection
• Released by Robert Morris in 1988
• Designed to spread on UNIX systems
• Attempted to crack local password file to use
login/password to logon to other systems
• Exploited a bug in the finger protocol which reports the
whereabouts of a remote user
• Exploited a trapdoor in the debug option of the remote
process that receives and sends mail
• Successful attacks achieved communication with the
operating system command interpreter
• Sent interpreter a bootstrap program to copy worm over
Recent Worm Attacks

Melissa               1998            e-mail worm; first to include virus, worm and Trojan in one package
Code Red              July 2001       exploited Microsoft IIS bug; probes random IP addresses; consumes significant Internet capacity when active
Code Red II           August 2001     also targeted Microsoft IIS; installs a backdoor for access
Nimda                 September 2001  had worm, virus and mobile code characteristics; spread using e-mail, Windows shares, Web servers, Web clients, backdoors
SQL Slammer           Early 2003      exploited a buffer overflow vulnerability in SQL server; compact and spread rapidly
Sobig.F               Late 2003       exploited open proxy servers to turn infected machines into spam engines
Mydoom                2004            mass-mailing e-mail worm; installed a backdoor in infected machines
Warezov               2006            creates executables in system directories; sends itself as an e-mail attachment; can disable security related products
Conficker (Downadup)  November 2008   exploits a Windows buffer overflow vulnerability; most widespread infection since SQL Slammer
Stuxnet               2010            restricted rate of spread to reduce chance of detection; targeted industrial control systems
Worm Technology

• Multiplatform
• Multi-exploit
• Ultrafast spreading
• Polymorphic
• Metamorphic
Mobile Code

• Programs that can be shipped unchanged to a variety of platforms
• Transmitted from a remote system to a local system and then executed on the local system
• Often acts as a mechanism for a virus, worm, or Trojan horse
• Takes advantage of vulnerabilities to perform its own exploits
• Popular vehicles include Java applets, ActiveX, JavaScript and VBScript
Mobile Phone Worms

• First discovery was Cabir worm in 2004
• Then Lasco and CommWarrior in 2005
• Communicate through Bluetooth wireless connections or MMS
• Target is the smartphone
• Can completely disable the phone, delete data on the phone, or force the device to send costly messages
• CommWarrior replicates by means of Bluetooth to other phones, sends itself as an MMS file to contacts and as an auto reply to incoming text messages
Drive-By-Downloads

• Exploits browser vulnerabilities to download and install malware on the system when the user views a Web page controlled by the attacker
• In most cases does not actively propagate
• Spreads when users visit the malicious Web page
Clickjacking

• Vulnerability used by an attacker to collect an infected user’s clicks
• Also known as a user-interface (UI) redress attack
• Using a similar technique, keystrokes can also be hijacked
• A user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker
• The attacker can force the user to do a variety of things from adjusting the user’s computer settings to unwittingly sending the user to Web sites that might have malicious code
• By taking advantage of Adobe Flash or JavaScript an attacker could even place a button under or over a legitimate button making it difficult for users to detect
• A typical attack uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page
• The attacker is hijacking clicks meant for one page and routing them to another page
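Since the attack above relies on a page being loaded inside an attacker-controlled frame, the standard defence is for the server to state who may frame it, through the Content-Security-Policy frame-ancestors directive or the older X-Frame-Options header. The following Python is an added example, not part of the lecture slides or the textbook: it classifies a response's framing policy from its headers so a defender can audit which pages remain frameable. The header values are constructed for the demo and the domains are reserved example names.

```python
from typing import Dict, List, Optional

def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of a CSP frame-ancestors directive, or None if absent.
    An empty source list is equivalent to 'none' per the CSP specification."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:] or ["'none'"]
    return None

def framing_policy(headers: Dict[str, str]) -> str:
    """Classify how a response may be framed, from its security headers.

    CSP frame-ancestors takes precedence over X-Frame-Options in browsers that
    support it, so it is evaluated first. Returns one of:
      "denied"            - no site may frame the page
      "same-origin"       - only pages of the same origin may frame it
      "restricted:<list>" - only the listed ancestors may frame it
      "unprotected"       - any site may frame it (clickjacking exposure)
    """
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = parse_frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        srcs = [s.lower() for s in ancestors]
        if srcs == ["'none'"]:
            return "denied"
        if srcs == ["'self'"]:
            return "same-origin"
        if "*" in srcs:
            return "unprotected"
        return "restricted:" + " ".join(ancestors)
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # Missing header, or the obsolete ALLOW-FROM form that current browsers ignore.
    return "unprotected"

# Constructed responses for the demo (not captured from any real site).
SAMPLE_RESPONSES = {
    "no-headers": {"Content-Type": "text/html"},
    "xfo-only": {"X-Frame-Options": "sameorigin"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
                 "X-Frame-Options": "SAMEORIGIN"},
    "csp-partner": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "obsolete-allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}

def audit(responses=SAMPLE_RESPONSES) -> Dict[str, str]:
    """Framing verdict for each named response."""
    return {name: framing_policy(hdrs) for name, hdrs in responses.items()}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:22s} {verdict}")
```

The check is deliberately header-only: a page that is "unprotected" here can still be framed even if it carries JavaScript frame-busting code, because that code runs inside the attacker's frame and can be neutralised there, which is why the header-based policy is the control to verify.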
Social Engineering

• “Tricking” users to assist in the compromise of their own systems

Spam
• Unsolicited bulk e-mail
• Significant carrier of malware
• Used for phishing attacks

Trojan horse
• Program or utility containing harmful hidden code
• Used to accomplish functions that the attacker could not accomplish directly

Mobile phone Trojans
• First appeared in 2004 (Skuller)
• Target is the smartphone
Payload
System Corruption

Chernobyl virus
• First seen in 1998
• Windows 95 and 98 virus
• Infects executable files and corrupts the entire file system when a trigger date is reached

Klez
• Mass mailing worm infecting Windows 95 to XP systems
• On trigger date causes files on the hard drive to become empty

Ransomware
• Encrypts the user’s data and demands payment in order to access the key needed to recover the information
• PC Cyborg Trojan (1989)
• Gpcode Trojan (2006)
Payload
System Corruption

• Real-world damage
  • Causes damage to physical equipment
  • Chernobyl virus rewrites BIOS code
  • Stuxnet worm
    • Targets specific industrial control system software
    • There are concerns about using sophisticated targeted malware for industrial sabotage
• Logic bomb
  • Code embedded in the malware that is set to “explode” when certain conditions are met
Payload – Attack Agents
Bots
• Takes over another Internet attached computer and uses that computer to launch or manage
attacks
• Botnet - collection of bots capable of acting in a coordinated manner
• Uses:
• Distributed denial-of-service (DDoS) attacks
• Spamming
• Sniffing traffic
• Keylogging
• Spreading new malware
• Installing advertisement add-ons and browser helper objects (BHOs)
• Attacking IRC chat networks
• Manipulating online polls/games
Remote Control Facility

• Distinguishes a bot from a worm
  • Worm propagates itself and activates itself
  • Bot is initially controlled from some central facility
• Typical means of implementing the remote control facility is on an IRC server
  • Bots join a specific channel on this server and treat incoming messages as commands
• More recent botnets use covert communication channels via protocols such as HTTP
• Distributed control mechanisms use peer-to-peer protocols to avoid a single point of failure
Payload – Information Theft
Keyloggers and Spyware

Keylogger
• Captures keystrokes to allow attacker to monitor sensitive information
• Typically uses some form of filtering mechanism that only returns information close to keywords (“login”, “password”)

Spyware
• Subverts the compromised machine to allow monitoring of a wide range of activity on the system
  • Monitoring history and content of browsing activity
  • Redirecting certain Web page requests to fake sites
  • Dynamically modifying data exchanged between the browser and certain Web sites of interest
Payload – Information Theft
Phishing

• Exploits social engineering to leverage the user’s trust by masquerading as communication from a trusted source
• Include a URL in a spam e-mail that links to a fake Web site that mimics the login page of a banking, gaming, or similar site
• Suggests that urgent action is required by the user to authenticate their account
• Attacker exploits the account using the captured credentials

Spear-phishing
• Recipients are carefully researched by the attacker
• E-mail is crafted to specifically suit its recipient, often quoting a range of information to convince them of its authenticity
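The two lures described above, a link whose visible text mimics a trusted site while its real target is elsewhere and wording that demands urgent action, can both be checked mechanically on the mail-gateway side. The following Python is an added example, not part of the slides or the textbook: it parses the anchors of an HTML mail, flags display/target mismatches and links that leave the claimed sender's domain, and flags urgency phrasing. The two messages and the domains are constructed for the demo (reserved example names), and the keyword list is an assumption a deployment would tune.

```python
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Phrases associated with the "urgent action is required" lure (constructed list).
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|verify your account)\b", re.I)
# Anchor text that itself looks like a URL or hostname, i.e. a place where what the
# user reads can disagree with where the href really points.
HOST_LIKE = re.compile(r"^(https?://)?([a-z0-9-]+\.)+[a-z]{2,}(/\S*)?$", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs and the visible body text of an HTML mail."""
    def __init__(self):
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self.body: List[str] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        self.body.append(data)
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url: str) -> str:
    """Lower-cased hostname of a URL; bare hostnames are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def audit_email(html_body: str, claimed_domain: str) -> List[str]:
    """Return findings for a mail that claims to come from claimed_domain."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        # The visible text names one host but the link goes to another.
        if HOST_LIKE.match(text) and host_of(text) != target:
            findings.append(f"display/target mismatch: '{text}' -> {target}")
        # The link leads outside the domain the mail claims to come from.
        if target and target != claimed_domain and not target.endswith("." + claimed_domain):
            findings.append(f"link leaves {claimed_domain}: {target}")
    if URGENCY.search(" ".join(parser.body)):
        findings.append("urgency language present")
    return findings

# Constructed messages for the demo; the domains are reserved example names.
PHISH = """<p>Dear customer, your account has been suspended. Verify your account
within 24 hours at <a href="http://login.bank-example.net/verify">https://www.bank.example/login</a>.</p>"""
LEGIT = """<p>Your monthly statement is ready. <a href="https://www.bank.example/statements">View statements</a>.</p>"""

if __name__ == "__main__":
    print("phish:", audit_email(PHISH, "bank.example"))
    print("legit:", audit_email(LEGIT, "bank.example"))
```

A spear-phishing mail that quotes accurate personal details will not trip the urgency rule, so the link checks carry the weight in that case; the display/target mismatch in particular is independent of how convincing the surrounding text is.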
Worm Countermeasures

• Considerable overlap in techniques for dealing with viruses and worms
• Once a worm is resident on a machine anti-virus software can be used to detect and possibly remove it
• Perimeter network activity and usage monitoring can form the basis of a worm defense

Worm defense approaches include:
• Signature-based worm scan filtering
• Filter-based worm containment
• Payload-classification-based worm containment
• Threshold random walk (TRW) scan detection
• Rate limiting
• Rate halting
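Threshold random walk (TRW) scan detection, listed above, is the countermeasure that directly targets the random and local-subnet scanning strategies from the Target Discovery slide: a host probing addresses it has never talked to mostly hits closed ports or unused addresses, whereas a benign host's first contacts mostly succeed. TRW (Jung et al., 2004) turns each source's sequence of first-contact outcomes into a sequential hypothesis test and decides "scanner" or "benign" as soon as the likelihood ratio crosses a threshold. The following Python is an added example, not code from the slides or the textbook: the parameters and the flow-log lines are constructed for the demo, and the log format is an assumption.

```python
import math
import re
from collections import defaultdict
from typing import Dict, Iterable

# Model parameters of the TRW formulation: probability that a first-contact
# connection succeeds under the benign (H0) and scanner (H1) hypotheses, and the
# target false-positive (ALPHA) and detection (BETA) rates (constructed values).
THETA_BENIGN = 0.8
THETA_SCANNER = 0.2
ALPHA = 0.01
BETA = 0.99

# Decision thresholds of the sequential hypothesis test, kept in log space.
LOG_ETA_SCANNER = math.log(BETA / ALPHA)              # about +4.6
LOG_ETA_BENIGN = math.log((1 - BETA) / (1 - ALPHA))   # about -4.6
LLR_SUCCESS = math.log(THETA_SCANNER / THETA_BENIGN)              # about -1.39 per success
LLR_FAILURE = math.log((1 - THETA_SCANNER) / (1 - THETA_BENIGN))  # about +1.39 per failure

# Constructed flow-log format for the demo: "<src> -> <dst>:<port> OK|FAIL".
# A probe to an unused local address is recorded as FAIL, like a refused connection.
LINE_RE = re.compile(r"^(\S+) -> (\S+):(\d+) (OK|FAIL)$")

class TrwDetector:
    def __init__(self):
        self.llr = defaultdict(float)       # running log-likelihood ratio per source
        self.contacted = defaultdict(set)   # destinations each source has already tried
        self.verdict: Dict[str, str] = {}

    def observe(self, src: str, dst: str, success: bool) -> str:
        """Feed one connection attempt; only the first contact with each destination counts."""
        if src in self.verdict or dst in self.contacted[src]:
            return self.verdict.get(src, "pending")
        self.contacted[src].add(dst)
        self.llr[src] += LLR_SUCCESS if success else LLR_FAILURE
        if self.llr[src] >= LOG_ETA_SCANNER:
            self.verdict[src] = "scanner"
        elif self.llr[src] <= LOG_ETA_BENIGN:
            self.verdict[src] = "benign"
        return self.verdict.get(src, "pending")

def run_trw(log_lines: Iterable[str]) -> Dict[str, dict]:
    """Run the detector over a flow log; returns verdict and first-contact count per source."""
    det = TrwDetector()
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # comments and malformed lines are ignored
        src, dst, _port, outcome = m.groups()
        det.observe(src, dst, outcome == "OK")
    return {src: {"verdict": det.verdict.get(src, "pending"),
                  "first_contacts": len(det.contacted[src])}
            for src in det.contacted}

SAMPLE_LOG = [
    "# constructed sample, not a real capture",
    "10.0.0.7 -> 192.168.1.10:445 FAIL",   # 10.0.0.7 sweeps port 445 across the subnet
    "10.0.0.3 -> 192.168.1.20:443 OK",
    "10.0.0.7 -> 192.168.1.11:445 FAIL",
    "10.0.0.3 -> 192.168.1.20:443 OK",     # repeat contact: not counted again
    "10.0.0.7 -> 192.168.1.12:445 OK",
    "10.0.0.9 -> 192.168.1.30:22 FAIL",
    "10.0.0.3 -> 192.168.1.21:80 OK",
    "10.0.0.7 -> 192.168.1.13:445 FAIL",
    "10.0.0.3 -> 192.168.1.22:443 OK",
    "10.0.0.7 -> 192.168.1.14:445 FAIL",
    "10.0.0.9 -> 192.168.1.31:22 OK",
    "10.0.0.3 -> 192.168.1.23:25 OK",      # fourth success: 10.0.0.3 declared benign
    "10.0.0.7 -> 192.168.1.15:445 FAIL",   # sixth first contact: 10.0.0.7 declared scanner
    "10.0.0.7 -> 192.168.1.16:445 FAIL",   # ignored, verdict already reached
]

if __name__ == "__main__":
    for src, info in run_trw(SAMPLE_LOG).items():
        print(src, info)
```

With these parameters each failure adds about +1.39 and each success about -1.39 to the log-likelihood ratio, so four consecutive failures (or five failures and one success) reach the scanner threshold while four consecutive successes reach the benign one; a host with a mixed record stays "pending" and keeps being observed. The hit-list strategy on the Target Discovery slide defeats this detector by design, since a pre-compiled list of live vulnerable hosts produces few failed first contacts.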
Payload – Stealthing
Backdoor

• Also known as a trapdoor
• Secret entry point into a program allowing the attacker to gain access and bypass the security access procedures
• Maintenance hook is a backdoor used by programmers to debug and test programs
• Difficult to implement operating system controls for backdoors in applications
Payload - Stealthing
Rootkit

• Set of hidden programs installed on a system to maintain covert access to that system
• Hides by subverting the mechanisms that monitor and report on the processes, files, and registries on a computer
• Gives administrator (or root) privileges to attacker
  • Can add or change programs and files, monitor processes, send and receive network traffic, and get backdoor access on demand

Rootkit Classification Characteristics
• Persistent
• Memory based
• User mode
• Kernel mode
• Virtual machine based
• External mode
Malware Countermeasure Approaches

• Ideal solution to the threat of malware is prevention
• Four main elements of prevention:
  • Policy
  • Awareness
  • Vulnerability mitigation
  • Threat mitigation
• If prevention fails, technical mechanisms can be used to support the following threat mitigation options:
  • Detection
  • Identification
  • Removal
Generations of Anti-Virus Software

First generation: simple scanners
• Requires a malware signature to identify the malware
• Limited to the detection of known malware

Second generation: heuristic scanners
• Uses heuristic rules to search for probable malware instances
• Another approach is integrity checking

Third generation: activity traps
• Memory-resident programs that identify malware by its actions rather than its structure in an infected program

Fourth generation: full-featured protection
• Packages consisting of a variety of anti-virus techniques used in conjunction
• Include scanning and activity trap components and access control capability
Generic Decryption (GD)

• Enables the anti-virus program to easily detect complex polymorphic viruses and other malware while maintaining fast scanning speeds
• Executable files are run through a GD scanner which contains the following elements:
  • CPU emulator
  • Virus signature scanner
  • Emulation control module
• The most difficult design issue with a GD scanner is to determine how long to run each interpretation
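The three GD elements fit together as follows: the CPU emulator runs the file in an isolated memory buffer, so an encrypted virus decrypts itself into that buffer; the signature scanner then examines the buffer rather than the file on disk; and the emulation control module decides when to stop. The following Python is an added example, not code from the slides or the textbook: it uses a tiny constructed instruction set and a constructed signature string rather than a real CPU or real malware, and shows both why a static scan of the file misses the signature and why a too-small instruction budget misses it as well.

```python
from typing import Tuple

# Toy instruction set for the emulator (constructed for this example, not a real CPU).
OP_HALT, OP_MOVI, OP_XORM, OP_INC, OP_DEC, OP_JNZ = 0x00, 0x10, 0x20, 0x30, 0x40, 0x50

SIGNATURE = b"TOY-SIG-1"   # constructed detection signature, not a real malware signature
KEY = 0x5A                  # XOR key used by the sample's decryption loop
BODY_AT = 32                # offset of the encoded body inside the sample image

def build_sample() -> bytes:
    """Build a toy 'executable': a decryption loop followed by its XOR-encoded body.
    The signature exists only in decoded form, so a static byte scan cannot find it."""
    body = bytes(b ^ KEY for b in b"....." + SIGNATURE + b".....")
    code = bytearray()
    code += bytes([OP_MOVI, 0]) + BODY_AT.to_bytes(2, "big")     # R0 = pointer to body
    code += bytes([OP_MOVI, 1]) + len(body).to_bytes(2, "big")   # R1 = bytes remaining
    loop = len(code)
    code += bytes([OP_XORM, 0, KEY])                             # mem[R0] ^= KEY
    code += bytes([OP_INC, 0])                                   # R0 += 1
    code += bytes([OP_DEC, 1])                                   # R1 -= 1
    code += bytes([OP_JNZ, 1]) + loop.to_bytes(2, "big")         # loop while R1 != 0
    code += bytes([OP_HALT])
    code += bytes(BODY_AT - len(code))                           # pad up to the body
    return bytes(code) + body

def emulate(image: bytes, max_steps: int) -> Tuple[bytearray, int, str]:
    """CPU emulator: run the image in a private memory buffer for at most max_steps
    instructions (the emulation control module's budget). Returns (memory, steps, stop reason)."""
    mem = bytearray(image)
    regs = [0, 0]
    pc = steps = 0
    while steps < max_steps:
        op = mem[pc]
        if op == OP_HALT:
            return mem, steps, "halt"
        if op == OP_MOVI:
            regs[mem[pc + 1]] = int.from_bytes(mem[pc + 2:pc + 4], "big")
            pc += 4
        elif op == OP_XORM:
            mem[regs[mem[pc + 1]]] ^= mem[pc + 2]
            pc += 3
        elif op == OP_INC:
            regs[mem[pc + 1]] = (regs[mem[pc + 1]] + 1) & 0xFFFF
            pc += 2
        elif op == OP_DEC:
            regs[mem[pc + 1]] = (regs[mem[pc + 1]] - 1) & 0xFFFF
            pc += 2
        elif op == OP_JNZ:
            target = int.from_bytes(mem[pc + 2:pc + 4], "big")
            pc = target if regs[mem[pc + 1]] != 0 else pc + 4
        else:
            return mem, steps, "illegal"
        steps += 1
    return mem, steps, "budget"

def gd_scan(image: bytes, max_steps: int) -> Tuple[bool, str]:
    """Generic decryption: signature-scan the raw file first, then the memory image after emulation."""
    if SIGNATURE in image:
        return True, "static"
    mem, _steps, stop = emulate(image, max_steps)
    if SIGNATURE in mem:
        return True, "emulated:" + stop
    return False, stop

if __name__ == "__main__":
    sample = build_sample()
    print("static scan finds signature:", SIGNATURE in sample)
    print("GD with budget 200:", gd_scan(sample, 200))
    print("GD with budget 20: ", gd_scan(sample, 20))
```

The sample's loop needs 2 + 4 x 19 instructions to decode its 19-byte body, so a budget of 200 reaches HALT with the signature exposed, while a budget of 20 decodes only the first five bytes and reports nothing. That gap is the design issue the slide names: a budget large enough for every decryptor makes scanning slow, and one small enough to be fast lets a virus that idles before decrypting slip through.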
Host-Based Behavior-Blocking Software

• Integrates with the operating system of a host computer and monitors program behavior in real time for malicious action
• Blocks potentially malicious actions before they have a chance to affect the system
• Blocks software in real time so it has an advantage over anti-virus detection techniques such as fingerprinting or heuristics

Limitations
• Because malicious code must run on the target machine before all its behaviors can be identified, it can cause harm before it has been detected and blocked
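A behavior blocker is a rule engine fed by the operating system's event stream, and the limitation stated above follows directly from how such rules work: a rule that fires on "this process has now written to several executables" necessarily lets the first writes through. The following Python is an added example, not code from the slides or the textbook: the event records, the process ids, the file paths and the names of the protected security-product processes are all constructed for the demo, and the two rules are illustrative assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys")
MAX_EXEC_WRITES = 3   # writing to this many distinct executables is treated as file-infector behaviour
PROTECTED_PROCESSES = {"avservice", "firewall"}   # constructed names of security products

Event = Tuple[int, str, str]   # (pid, action, target)

class BehaviorBlocker:
    def __init__(self):
        self.exec_writes = defaultdict(set)   # distinct executables each pid has written
        self.blocked = set()

    def decide(self, pid: int, action: str, target: str) -> str:
        """Return 'allowed' or 'blocked' for one action, updating per-process state."""
        if pid in self.blocked:
            return "blocked"
        t = target.lower()
        # Rule 1: attempts to stop a security product are blocked at once.
        if action == "terminate" and t in PROTECTED_PROCESSES:
            self.blocked.add(pid)
            return "blocked"
        # Rule 2: writing to a growing set of executables looks like a file infector.
        if action == "write" and t.endswith(EXECUTABLE_SUFFIXES):
            self.exec_writes[pid].add(t)
            if len(self.exec_writes[pid]) >= MAX_EXEC_WRITES:
                self.blocked.add(pid)
                return "blocked"
        return "allowed"

def replay(events: List[Event]) -> List[Tuple[int, str, str, str]]:
    """Run the blocker over an event stream and attach the verdict to each event."""
    blocker = BehaviorBlocker()
    return [(pid, action, target, blocker.decide(pid, action, target))
            for pid, action, target in events]

# Constructed event stream: pid 100 is a word processor, pid 200 behaves like a
# file infector, pid 300 tries to disable the anti-virus service first.
EVENTS: List[Event] = [
    (100, "write", "C:\\Users\\alice\\report.docx"),
    (200, "write", "C:\\Program Files\\App\\a.exe"),
    (200, "write", "C:\\Program Files\\App\\b.exe"),
    (200, "write", "C:\\Program Files\\App\\c.exe"),
    (200, "write", "C:\\Program Files\\App\\d.exe"),
    (300, "terminate", "avservice"),
    (300, "write", "C:\\Windows\\System32\\x.dll"),
]

def harm_before_block(events: List[Event] = EVENTS) -> Dict[int, int]:
    """For each process that was eventually blocked, how many of its actions were allowed first."""
    allowed = defaultdict(int)
    blocked_pids = set()
    for pid, _action, _target, verdict in replay(events):
        if verdict == "allowed":
            allowed[pid] += 1
        else:
            blocked_pids.add(pid)
    return {pid: allowed[pid] for pid in blocked_pids}

if __name__ == "__main__":
    for row in replay(EVENTS):
        print(row)
    print("actions allowed before blocking:", harm_before_block())
```

Process 200 gets two executable writes through before the third trips the rule, which is exactly the harm-before-detection window the slide describes; lowering MAX_EXEC_WRITES narrows the window at the cost of blocking legitimate installers and updaters, and that trade-off is the central tuning problem of behavior blocking.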
Perimeter Scanning Approaches

• Anti-virus software typically included in e-mail and Web proxy services running on an organization’s firewall and IDS
• May also be included in the traffic analysis component of an IDS
• May include intrusion prevention measures, blocking the flow of any suspicious traffic
• Approach is limited to scanning malware

Two types of monitoring software

Ingress monitors
• Located at the border between the enterprise network and the Internet
• One technique is to look for incoming traffic to unused local IP addresses

Egress monitors
• Located at the egress point of individual LANs as well as at the border between the enterprise network and the Internet
• Monitors outgoing traffic for signs of scanning or other suspicious behavior
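An egress monitor that watches for "signs of scanning" can do more than alert: the rate limiting and rate halting approaches from the Worm Countermeasures slide act on the same signal. A scanning worm contacts many new destinations per second, while an ordinary host talks to a small working set of hosts and adds new ones slowly, so the monitor can delay connections to new destinations (rate limiting) and cut a host off when its backlog of delayed connections grows too large (rate halting). The following Python is an added example, not code from the slides or the textbook, in the style of the virus-throttle idea from HP Labs (Williamson, 2002); the working-set size, release rate, halting threshold and the event trace are constructed for the demo.

```python
from collections import defaultdict, deque
from typing import Dict, List, Tuple

WORKING_SET = 5       # recent destinations a host may reach again without delay
RELEASE_PER_TICK = 1  # new destinations released per host per tick (rate limiting)
HALT_BACKLOG = 10     # backlog beyond which the host is cut off (rate halting)

class EgressThrottle:
    def __init__(self):
        self.working = defaultdict(lambda: deque(maxlen=WORKING_SET))
        self.backlog = defaultdict(deque)
        self.halted = set()
        self.stats = defaultdict(lambda: {"forwarded": 0, "queued": 0, "dropped": 0})

    def request(self, src: str, dst: str) -> str:
        """A host asks to open a connection to dst; returns what the monitor did with it."""
        s = self.stats[src]
        if src in self.halted:
            s["dropped"] += 1
            return "dropped"
        if dst in self.working[src]:          # recently contacted host: pass straight through
            s["forwarded"] += 1
            return "forwarded"
        if len(self.backlog[src]) >= HALT_BACKLOG:
            self.halted.add(src)              # rate halting: far too many new destinations
            self.backlog[src].clear()
            s["dropped"] += 1
            return "dropped"
        self.backlog[src].append(dst)         # rate limiting: delay, do not refuse
        s["queued"] += 1
        return "queued"

    def tick(self) -> None:
        """Once per time unit, release a bounded number of delayed connections per host."""
        for src, q in self.backlog.items():
            if src in self.halted:
                continue
            for _ in range(RELEASE_PER_TICK):
                if not q:
                    break
                self.working[src].append(q.popleft())
                self.stats[src]["forwarded"] += 1

    def report(self) -> Dict[str, dict]:
        return {src: dict(s, halted=src in self.halted) for src, s in self.stats.items()}

def simulate(events: List[Tuple[int, str, str]]) -> Dict[str, dict]:
    """Replay (tick, src, dst) connection requests, in tick order, through the throttle."""
    throttle = EgressThrottle()
    now = 0
    for t, src, dst in events:
        while now < t:
            throttle.tick()
            now += 1
        throttle.request(src, dst)
    throttle.tick()   # let the final tick's releases happen
    return throttle.report()

# Constructed trace: ws-1 is an ordinary workstation, ws-2 starts sweeping the subnet at tick 0.
EVENTS = [
    (0, "ws-1", "10.1.0.1"), (0, "ws-1", "10.1.0.2"),
    *[(0, "ws-2", f"10.1.0.{i}") for i in range(1, 13)],
    (1, "ws-1", "10.1.0.1"),
    (2, "ws-1", "10.1.0.3"),
]

if __name__ == "__main__":
    for src, info in simulate(EVENTS).items():
        print(src, info)
```

The ordinary host sees only a short delay on each genuinely new destination and none on repeat contacts, while the sweeping host is halted after its tenth unreleased new destination without a single probe leaving the LAN; that asymmetry is what makes throttling usable at an egress point where signatures for the worm do not yet exist.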


Summary

• Types of malicious software (malware)
• Advanced persistent threat
• Propagation
  • Infected content
    • viruses
  • Vulnerability exploit
    • worms
  • Social engineering
    • spam
    • e-mail
    • Trojans
• Payload
  • System corruption
  • Attack agent
    • Zombie
    • Bots
  • Information theft
    • Keyloggers
    • Phishing
    • Spyware
  • Stealthing
• Countermeasures
