January 27, 2010
MIS 4600 – MBA 5880 - © Abdou Illia
Describe different types of malicious software
Discuss methods of protecting against malware attacks
Describe the types of network attacks
Identify physical security attacks and vulnerabilities
C – Confidentiality
I – Integrity
A – Availability
A – Accountability/Authenticity
Confidentiality
Making sure that corporate data and transactions with partners remain confidential
Integrity
Making sure that software programs, local data, and data in-transit are not altered or destroyed
Availability
Making sure that computer and network resources or services remain available for users and not disrupted
Accountability
Making sure that users are properly authenticated and their actions accounted for.
Authenticity
Also called non-repudiation. Making sure that business partners cannot deny their actions
* Information Security Countermeasures
Common types of malware
Viruses
Worms
Trojan horses
Adware | Spyware
Logic bombs
[Web bots]
A virus is malware that …
attaches itself to files on a single computer
can replicate from file to file
does not stand on its own
needs a host file (a vector) [unlike some other malware]
does not spread across computers without human intervention (flash drive, email attachment, etc.)
Types of virus host / vector
Binary executable files (such as COM files and EXE files in MS-DOS, Portable Executable files in Microsoft Windows, and ELF files in Linux)
Volume Boot Records of floppy disks and hard disk partitions | The master boot record (MBR) of a hard disk
General-purpose script files (such as batch files in MS-DOS and Microsoft Windows, VBScript files, and shell script files on Unix-like platforms)
Application-specific script files (such as Telix scripts)
System-specific autorun script files (such as the Autorun.inf file needed by Windows to automatically run software stored on USB memory storage devices)
Documents that can contain macros (such as Microsoft Word documents, Microsoft Excel spreadsheets, Microsoft Access database files, and AmiPro documents)
ELF = Executable and Linkable Format | PDFs & images, like HTML, may link to malicious code | PDFs can also be infected with malicious code
Boot sector viruses: attach themselves to files in the boot sector of the hard disk
File infector viruses: attach themselves to program files and user files
Macro viruses: attach to files with embedded macro programs
Polymorphic viruses: mutate with every infection (using encryption techniques), making them hard to locate
Metamorphic viruses: rewrite themselves completely each time they infect new executables*
* a metamorphic engine is needed
Based on deception methods
Core MS-DOS viruses: make sure that the "last modified" date of a host file stays the same when the file is infected by the virus.
Cavity viruses
infect files without increasing their sizes or damaging the files
overwrite unused areas of executable files
File.exe of 300 KB on a 512 KB block
Examples: the CIH virus and the Chernobyl virus, which are 1 KB in size, infect Portable Executable files, which have many empty gaps
Antivirus PID killers: kill tasks associated with antivirus
Stealth: hides itself by intercepting disk access requests by antivirus programs. The stealth virus returns an uninfected version of files to the antivirus software, so that infected files seem "clean".
[Figure: the antivirus program's disk access request is intercepted by the stealth virus before it reaches the OS]
Base 64 encoding is used to reduce the size of e-mail attachments
Email with Price.cpl attached, returned by the mail server
This message was created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed: customerservice@regions.com
This message has been rejected because it has a potentially executable attachment "Price.cpl".
This form of attachment has been used by recent viruses or other malware. If you meant to send this file, then package it up as a zip file and resend it.
[Message header deleted for brevity]
What decoding the content reveals:
<html><body>
</body></html>
-----------sghsfzfldbjbzqmztbdx
Content-Type: application/octet-stream; name="Price.cpl"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Price.cpl"
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAgAAAAAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9nmFtIGNhbm5vdCBi
ZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAABQRQRQAATAEDAA+kgUEAAAAAA
OAADiELAQUMAAwAAAACAAAAAAAQBUAAAAQAAAAIAAAIAAEAAQAAAgAAB
AAA …..
GWxWigppFLPigOA6Iqb3ZYDSw1XiXi1sV7d6oVtwKiyKmr4PDWUmgExWU6UOIHF6MK
….
Strings visible in the decoded attachment: This program cannot be run in DOS mode. User32.dll CloseHandle() CreateFileAb GetWindowsDirectory WriteFile scart kernel32.dll ShellExecute shell32 KERNEL32.DLL USER32.DLL GetProcAddress LoadLibrary ExitProcess VirtualFree MessageBox
Base 64 encoding is used to reduce the size of email attachments
Represents 0 to 63 using six bits
A is 000000 … Z is 011001
Converting Base 64 strings to their decimal equivalent
Create groups of 4 characters; for each group:
Convert the decimal value of each character to binary
Rewrite as three groups of eight bits
Convert the binary into decimal
Commercial Base 64 encoders/decoders are available
Try converting the Base 64 code below at http://www.motobit.com/util/base64-decoder-encoder.asp
TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0aGlz
IHNpbmd1bGFyIHBhc3Npb24gZnJvbSBvdGhlciBhbmltYWxzLCB3aGljaCBpcyBhIGx1c3Qgb2Yg
dGhlIG1pbmQsIHRoYXQgYnkgYSBwZXJzZXZlcmFuY2Ugb2YgZGVsaWdodCBpbiB0aGUgY29udGlu
dWVkIGFuZCBpbmRlZmF0aWdhYmxlIGdlbmVyYXRpb24gb2Yga25vd2xlZGdlLCBleGNlZWRzIHRo
ZSBzaG9ydCB2ZWhlbWVuY2Ugb2YgYW55IGNhcm5hbCBwbGVhc3VyZS4=
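The decoding steps above, carried out in Python as an added example that is not part of the original slides: each group of four characters becomes 24 bits and then three bytes, with "=" padding marking the bytes missing from the last group, and the encoder runs the same mapping in reverse. The inputs are the Base 64 text printed above and the first 24 characters of the Price.cpl attachment from the bounce message on the earlier slide; decoding those shows what a mail gateway can check to recognise a Windows executable (the leading bytes "MZ") whatever the attachment is called. One point the slide does not show: three input bytes always become four output characters, so the encoded form is about a third larger than the raw data; what Base 64 buys is a safe way to carry binary through text-only mail transports.

```python
import base64  # standard library, used only to cross-check the hand-rolled decoder

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
VALUE = {ch: i for i, ch in enumerate(ALPHABET)}  # 'A' -> 0 ... '/' -> 63

# Base 64 text from the slide (the Hobbes quotation), line breaks as printed.
HOBBES_B64 = """
TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0aGlz
IHNpbmd1bGFyIHBhc3Npb24gZnJvbSBvdGhlciBhbmltYWxzLCB3aGljaCBpcyBhIGx1c3Qgb2Yg
dGhlIG1pbmQsIHRoYXQgYnkgYSBwZXJzZXZlcmFuY2Ugb2YgZGVsaWdodCBpbiB0aGUgY29udGlu
dWVkIGFuZCBpbmRlZmF0aWdhYmxlIGdlbmVyYXRpb24gb2Yga25vd2xlZGdlLCBleGNlZWRzIHRo
ZSBzaG9ydCB2ZWhlbWVuY2Ugb2YgYW55IGNhcm5hbCBwbGVhc3VyZS4=
"""

# First 24 characters of the Price.cpl attachment shown in the bounce message.
PRICE_CPL_B64_PREFIX = "TVqQAAMAAAAEAAAA//8AALgA"


def base64_decode(text: str) -> bytes:
    """Decode by hand, following the slide's steps: take four characters,
    look up the 6-bit value of each, join them into 24 bits, and read the
    result as three 8-bit bytes. '=' marks bytes missing from the last group."""
    chars = "".join(text.split())  # drop the line breaks between printed lines
    if len(chars) % 4:
        raise ValueError("Base 64 text length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(chars), 4):
        group = chars[i:i + 4]
        pad = group.count("=")
        # padding may only appear at the very end, and only as '=' or '=='
        if pad and (pad > 2 or not group.endswith("=" * pad) or i + 4 != len(chars)):
            raise ValueError(f"bad padding in group {group!r}")
        bits = 0
        for ch in group:
            bits = (bits << 6) | (0 if ch == "=" else VALUE[ch])  # KeyError on a non-Base64 char
        out += bits.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def base64_encode(data: bytes) -> str:
    """Inverse direction: every three input bytes become four output
    characters, so encoded text is about one third larger than the data."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        missing = 3 - len(chunk)
        bits = int.from_bytes(chunk + b"\0" * missing, "big")
        symbols = [ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        out.append("".join(symbols[:4 - missing]) + "=" * missing)
    return "".join(out)


def agrees_with_stdlib(text: str) -> bool:
    """Cross-check the hand-rolled decoder against Python's base64 module."""
    return base64_decode(text) == base64.b64decode("".join(text.split()))


def looks_like_windows_executable(b64_attachment: str) -> bool:
    """What a mail filter can check after decoding: every Windows PE file
    (EXE, DLL, CPL, ...) starts with the two bytes 'MZ', whatever the
    attachment is called in the Content-Disposition header."""
    return base64_decode(b64_attachment)[:2] == b"MZ"


if __name__ == "__main__":
    print(base64_decode(HOBBES_B64).decode("ascii"))
    print("Price.cpl is a Windows executable:",
          looks_like_windows_executable(PRICE_CPL_B64_PREFIX))
```

Running the script prints the decoded quotation and reports that the attachment is an executable; the decoder rejects text whose padding is misplaced, which is worth keeping in mind when a filter sees an attachment that deliberately does not decode cleanly.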
Signature-based antivirus programs
Compare the contents of a file to a database of virus signatures
A signature is an algorithm or a hash (a number or string of characters derived from the virus code) that uniquely identifies a specific virus.
Must update signature database periodically or use automatic update feature if available
Virus signatures
1) 67344883409999999999
2) DF56eeb&^fgkFT&&&88jjj
3) 01000010100000000000
4) 78020000100000102398
5) 89950-1=ddjjdfjj3k3l355
6) …………………………………
Files
1) Sales.xls
2) Forecast.doc
3) Staff.mdb
4) Ingredients.doc
5) Committees.xls
6) Minutes.accdb
7) ………………….
Question: Name two kinds of situations where signature-based antivirus won't be effective.
Heuristic-based antivirus that uses generic signatures
Through mutation or refinement by attackers, viruses can grow into dozens of slightly different strains called variants
Example: the Vundo trojan has evolved into two distinct family members, Trojan.Vundo and Trojan.Vundo.B
A generic signature can be generated for a virus family.
Heuristic analysis uses generic signatures to identify new malware or variants of known malware
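An added illustration, not from the original slides, of the signature-based scanning described two slides back together with the generic signatures described here: a small Python scanner runs three kinds of signature (a hash of one exact file, a fixed byte string taken from one virus, and a generic wildcard pattern for a family) over constructed sample files. The file names follow the slide; their contents, the signature names and the EVIL-MACRO-vN marker standing in for virus code are made up. The hash signature matches only the byte-for-byte identical file, the fixed byte string matches only the variant it was taken from, and the generic pattern matches every member of the family.

```python
import hashlib
import re

# Constructed sample files (name -> contents). The "EVIL-MACRO-vN" markers are
# made-up stand-ins for virus code; no real malware is involved.
FILES = {
    "Sales.xls": b"\xd0\xcf\x11\xe0 Q1 sales figures",
    "Forecast.doc": b"\xd0\xcf\x11\xe0 forecast text EVIL-MACRO-v1 payload",
    "Staff.mdb": b"Standard Jet DB staff records",
    "Ingredients.doc": b"\xd0\xcf\x11\xe0 recipes EVIL-MACRO-v2 payload",  # a variant
    "Committees.xls": b"\xd0\xcf\x11\xe0 committee minutes",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature database: (name, kind, value). The kinds:
#   hash    - digest of one exact file; a single changed byte defeats it
#   pattern - fixed byte string lifted from one specific virus
#   generic - pattern with wildcards that covers a whole family of variants
SIGNATURES = [
    ("Macro.Evil.A (file hash)", "hash", sha256_hex(FILES["Forecast.doc"])),
    ("Macro.Evil.A (byte string)", "pattern", b"EVIL-MACRO-v1"),
    ("Macro.Evil (generic)", "generic", re.compile(rb"EVIL-MACRO-v\d+")),
]


def scan(files, signatures=SIGNATURES, kinds=("hash", "pattern", "generic")):
    """Return {filename: [matching signature names]} using only the given kinds."""
    hits = {}
    for filename, data in files.items():
        digest = sha256_hex(data)
        matched = []
        for sig_name, kind, value in signatures:
            if kind not in kinds:
                continue
            if (kind == "hash" and digest == value) \
                    or (kind == "pattern" and value in data) \
                    or (kind == "generic" and value.search(data)):
                matched.append(sig_name)
        if matched:
            hits[filename] = matched
    return hits


def flagged(files, kinds):
    """Sorted names of the files that at least one signature of the given kinds caught."""
    return sorted(scan(files, SIGNATURES, kinds))


if __name__ == "__main__":
    for kinds in (("hash",), ("pattern",), ("generic",)):
        print(kinds[0], "->", flagged(FILES, kinds))
    # One appended byte is enough to slip past the file-hash signature,
    # while the byte-string signature still fires.
    tweaked = {"Forecast.doc": FILES["Forecast.doc"] + b" "}
    print("hash after a one-byte change ->", flagged(tweaked, ("hash",)))
    print("byte string after a one-byte change ->", flagged(tweaked, ("pattern",)))
```

The generic pattern is the only one that catches Ingredients.doc, the v2 variant, without any database update; the price of that reach is that a wildcard also matches anything else that happens to fit it.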
Question: Is a generic signature more or less accurate than a specific virus's signature?
Heuristic-based antivirus that uses virtual machines
Allows the antivirus program to simulate what would happen if the suspicious file were executed
Executes the questionable program or script within a specialized virtual machine
It then analyzes the execution, monitoring for common viral activities: replication, file overwrites, and attempts to hide the existence of the suspicious file.
If one or more virus-like actions are detected, the suspicious file is flagged as a potential virus.
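An added sketch, not the slides' own material, of the analysis step that follows the virtual-machine run: the antivirus has already executed the suspect file in its sandbox and recorded what it did, and the code below scores that recorded trace for the three viral activities listed above (replication, file overwrites, hiding its own copy). The traces, paths, weights and threshold are all constructed for the illustration; nothing is actually executed. The last trace, a backup tool that copies itself onto removable media, shows how a behavioural rule can fire on a benign program.

```python
# Constructed execution traces, as (action, target) events recorded while the
# suspect file ran inside the antivirus sandbox. Paths and programs are made up.
SUSPECT_TRACE = [
    ("read_file", r"C:\Users\alice\Downloads\Price.cpl"),
    ("copy_self", r"C:\Windows\System32\wsvc32.exe"),
    ("copy_self", r"E:\autorun.inf"),
    ("set_attribute", ("hidden", r"C:\Windows\System32\wsvc32.exe")),
    ("overwrite_file", r"C:\Program Files\Calc\calc.exe"),
]
EDITOR_TRACE = [
    ("read_file", r"C:\Users\alice\Documents\report.doc"),
    ("write_file", r"C:\Users\alice\Documents\report.doc"),
    ("write_file", r"C:\Users\alice\AppData\Local\Temp\~report.tmp"),
]
BACKUP_TOOL_TRACE = [
    ("read_file", r"C:\Users\alice\Documents\report.doc"),
    ("write_file", r"E:\backup\report.doc"),
    ("copy_self", r"E:\backup\restore.exe"),  # ships a copy of itself with the backup
]


def _paths_created(trace):
    """Every path the program wrote or copied itself to."""
    return {target for action, target in trace if action in ("write_file", "copy_self")}


def replicates(trace):
    return any(action == "copy_self" for action, _ in trace)


def overwrites_files(trace):
    return any(action == "overwrite_file" for action, _ in trace)


def hides_itself(trace):
    """Sets the hidden attribute on a file it created itself."""
    created = _paths_created(trace)
    return any(action == "set_attribute" and target[0] == "hidden" and target[1] in created
               for action, target in trace)


# (behaviour name, weight, check). Weights and threshold are illustrative.
BEHAVIOURS = [
    ("replication", 2, replicates),
    ("file overwrite", 1, overwrites_files),
    ("hiding", 2, hides_itself),
]
THRESHOLD = 2


def analyse(trace):
    """Score a recorded trace and decide whether to flag the file as a potential virus."""
    reasons = [name for name, _, check in BEHAVIOURS if check(trace)]
    score = sum(weight for name, weight, _ in BEHAVIOURS if name in reasons)
    return {"score": score, "reasons": reasons, "flagged": score >= THRESHOLD}


if __name__ == "__main__":
    for label, trace in (("Price.cpl", SUSPECT_TRACE),
                         ("document editor", EDITOR_TRACE),
                         ("backup tool", BACKUP_TOOL_TRACE)):
        print(label, analyse(trace))
```

Each behaviour counts once however many events exhibit it, so a noisy trace does not inflate the score; the threshold is what decides how much benign activity such as the backup tool's self-copy the analyser is willing to flag.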
Question: Which of the following is likely to lead to false positive virus identifications: signature-based or heuristic-based antivirus?
Based on the descriptions, is the classification of the malware as virus correct?
Do not attach to files | A worm stands on its own
Self-replicating malware that can propagate across a network by itself
Uses the host computer's resources and its own network application to send copies of itself to other computers
Types of harm:
Consuming network bandwidth (Morris and Mydoom are notorious)
Consuming host computer resources (processing, RAM)
Deleting files (e.g. the ExploreZip worm)
Encrypting files (which leads to a cryptoviral extortion attack)
Installing backdoor/zombie programs under the control of the worm author (e.g. Sobig)
Worms spread by exploiting OS vulnerabilities
Make sure that unnecessary ports are not open
Regular OS security updates are the best protection
Other effective defense systems:
Antivirus programs
Local firewall software can block incoming worms
[Figure: two TCP/IP protocol stacks (Application, Transport, Internet and Interface layers)]
Non-self-replicating malware
that appears to be a useful program like a game, screen saver, free antivirus, etc.
but is actually a backdoor or rootkit that facilitates remote access or a "take over" by a remote hacker
Once a Trojan horse is installed on a target computer, it can be used to do the following:
Keystroke logging
Data theft (e.g. passwords, credit card information, etc.)
Installing other malware
Using the host computer as part of a botnet for spamming or Distributed DoS
Deleting or modifying files
Sends information from the infected computer to the attacker
Confidential financial data
Passwords
PINs
Any other stored data
Can record each keystroke entered
Prevalent technology
Educate users about spyware
Similar to spyware
Can be installed without the user being aware
Sometimes displays a banner
Main goal
Determine the user's online purchasing habits
Tailored advertisements
Main problem
Slows down computers
What is/are the most effective technical solution(s) that could be implemented at the network level to deal with malware attacks?
What is/are the most effective non-technical solution(s) that could be implemented in an organization to deal with malware attacks?