Cryptography and Network Security
Chapter 21
Fifth Edition
by William Stallings
Lecture slides by Lawrie Brown

Outline: Chapter 21 – Malicious Software; Viruses and Other Malicious Content; Malicious Software; Backdoor or Trapdoor; Logic Bomb; Trojan Horse; Mobile Code; Multiple-Threat Malware; Viruses; Virus Structure; Slide 12; Compression Virus; Virus Classification; Macro Virus; E-Mail Viruses; Virus Countermeasures; Anti-Virus Evolution; Generic Decryption; Digital Immune System; Behavior-Blocking Software; Worms; Morris Worm; Worm Propagation Model; Recent Worm Attacks; Worm Technology; Mobile Phone Worms; Worm Countermeasures; Proactive Worm Containment; Network Based Worm Defense; Distributed Denial of Service Attacks (DDoS); Slide 32; DDoS Flood Types; Constructing an Attack Network; DDoS Countermeasures; Summary

Chapter 21 – Malicious Software

"What is the concept of defense: The parrying of a blow. What is its characteristic feature: Awaiting the blow."
On War, Carl von Clausewitz

Viruses and Other Malicious Content
- computer viruses have got a lot of publicity
- one of a family of malicious software
- effects usually obvious
- have figured in news reports, fiction, movies (often exaggerated)
- getting more attention than they deserve
- are a concern though

Malicious Software

Backdoor or Trapdoor
- secret entry point into a program
- allows those who know of it access, bypassing usual security procedures
- have been commonly used by developers
- a threat when left in production programs, allowing them to be exploited by attackers
- very hard to block in O/S
- requires good s/w development & update

Logic Bomb
- one of oldest types of malicious software
- code embedded in legitimate program
- activated when specified conditions met, eg presence/absence of some file, particular date/time, particular user
- when triggered typically damages system: modify/delete files/disks, halt machine, etc

Trojan Horse
- program with hidden side-effects which is usually superficially attractive, eg game, s/w upgrade etc
- when run performs some additional tasks
- allows attacker to indirectly gain access they do not have directly
- often used to propagate a virus/worm or install a backdoor
- or simply to destroy data

Mobile Code
- program/script/macro that runs unchanged on a heterogeneous collection of platforms, or on a large homogeneous collection (Windows)
- transmitted from remote system to local system & then executed on local system
- often to inject virus, worm, or Trojan horse
- or to perform own exploits: unauthorized data access, root compromise

Multiple-Threat Malware
- malware may operate in multiple ways
- multipartite virus infects in multiple ways, eg. multiple file types
- blended attack uses multiple methods of infection or transmission to maximize speed of contagion and severity
- may include multiple types of malware, eg. Nimda has worm, virus, mobile code
- can also use IM & P2P

Viruses
- piece of software that infects programs, modifying them to include a copy of the virus so it executes secretly when host program is run
- specific to operating system and hardware, taking advantage of their details and weaknesses
- a typical virus goes through phases of: dormant, propagation, triggering, execution

Virus Structure
- components: infection mechanism - enables replication; trigger - event that makes payload activate; payload - what it does, malicious or benign
- virus code prepended / postpended / embedded
- when infected program invoked, executes virus code then original program code
- can block initial infection (difficult) or propagation (with access controls)

Virus Structure (slide 12)

Compression Virus

Virus Classification
- boot sector
- file infector
- macro virus
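The Virus Structure and Compression Virus slides rest on one observation: infection modifies the host program, and a compression virus hides that modification by compressing the host so the infected file keeps its original length. The following added example (not from the slides or Stallings' text) shows why an integrity check must compare a cryptographic hash rather than file length: a length-only check catches simple appended code but misses a length-preserving change. All file names and contents are constructed for the demonstration.

```python
import hashlib
import zlib

# Constructed sample "program" files (assumed names and contents, not real binaries).
ORIGINAL = {
    "prog_a.bin": b"\x7fELF" + b"A" * 200,
    "prog_b.bin": b"\x7fELF" + b"B" * 200,
    "prog_c.bin": b"\x7fELF" + b"C" * 200,
}

def baseline(files):
    """Record length and SHA-256 of each trusted program while it is known clean."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}

def check(base, files):
    """Hash-based check. Returns {name: verdict} with verdict one of
    'clean', 'length-changed' (content and size differ) or
    'hash-changed' (same size, different content)."""
    verdicts = {}
    for name, data in files.items():
        size, digest = base[name]
        if hashlib.sha256(data).hexdigest() == digest:
            verdicts[name] = "clean"
        elif len(data) != size:
            verdicts[name] = "length-changed"   # e.g. code appended/prepended
        else:
            verdicts[name] = "hash-changed"     # length-preserving modification
    return verdicts

def length_only_check(base, files):
    """The weak check: flags only files whose length changed."""
    return {name: ("clean" if len(data) == base[name][0] else "length-changed")
            for name, data in files.items()}

# Constructed "after" state: prog_a untouched; prog_b has 20 bytes appended;
# prog_c is replaced by its zlib-compressed form padded back to the original
# length, which is the size-preserving effect a compression virus relies on.
CURRENT = dict(ORIGINAL)
CURRENT["prog_b.bin"] = ORIGINAL["prog_b.bin"] + b"X" * 20
packed = zlib.compress(ORIGINAL["prog_c.bin"])
CURRENT["prog_c.bin"] = packed + b"\x00" * (len(ORIGINAL["prog_c.bin"]) - len(packed))

if __name__ == "__main__":
    base = baseline(ORIGINAL)
    print("hash check:  ", check(base, CURRENT))
    print("length check:", length_only_check(base, CURRENT))
```

The hash check reports prog_b as length-changed and prog_c as hash-changed, while the length-only check reports prog_c as clean.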