
Cryptography and Network Security, Chapter 21

Slide outline:
Chapter 21 – Malicious Software; Viruses and Other Malicious Content; Malicious Software; Backdoor or Trapdoor; Logic Bomb; Trojan Horse; Mobile Code; Multiple-Threat Malware; Viruses; Virus Structure; Slide 12; Compression Virus; Virus Classification; Macro Virus; E-Mail Viruses; Virus Countermeasures; Anti-Virus Evolution; Generic Decryption; Digital Immune System; Behavior-Blocking Software; Worms; Morris Worm; Worm Propagation Model; Recent Worm Attacks; Worm Technology; Mobile Phone Worms; Worm Countermeasures; Proactive Worm Containment; Network Based Worm Defense; Distributed Denial of Service Attacks (DDoS); Slide 32; DDoS Flood Types; Constructing an Attack Network; DDoS Countermeasures; Summary

Cryptography and Network Security
Chapter 21
Fifth Edition
by William Stallings
Lecture slides by Lawrie Brown

Chapter 21 – Malicious Software

"What is the concept of defense: The parrying of a blow. What is its characteristic feature: Awaiting the blow."
— On War, Carl Von Clausewitz

Viruses and Other Malicious Content
- computer viruses have got a lot of publicity
- one of a family of malicious software
- effects usually obvious
- have figured in news reports, fiction, movies (often exaggerated)
- getting more attention than they deserve
- are a concern though

Malicious Software
(figure: taxonomy of malicious software)

Backdoor or Trapdoor
- secret entry point into a program
- allows those who know it access, bypassing usual security procedures
- have been commonly used by developers
- a threat when left in production programs, allowing exploitation by attackers
- very hard to block in O/S
- requires good s/w development & update practices

Logic Bomb
- one of oldest types of malicious software
- code embedded in legitimate program
- activated when specified conditions met
  - eg presence/absence of some file
  - particular date/time
  - particular user
- when triggered typically damages system
  - modify/delete files/disks, halt machine, etc

Trojan Horse
- program with hidden side-effects which is usually superficially attractive
  - eg game, s/w upgrade etc
- when run performs some additional tasks
  - allows attacker to indirectly gain access they do not have directly
- often used to propagate a virus/worm or install a backdoor
- or simply to destroy data

Mobile Code
- program/script/macro that runs unchanged
  - on heterogeneous collection of platforms
  - on large homogeneous collection (Windows)
- transmitted from remote system to local system & then executed on local system
- often to inject virus, worm, or Trojan horse
- or to perform own exploits
  - unauthorized data access, root compromise

Multiple-Threat Malware
- malware may operate in multiple ways
- multipartite virus infects in multiple ways
  - eg multiple file types
- blended attack uses multiple methods of infection or transmission
  - to maximize speed of contagion and severity
- may include multiple types of malware
  - eg Nimda has worm, virus, mobile code
- can also use IM & P2P

Viruses
- piece of software that infects programs
  - modifying them to include a copy of the virus
  - so it executes secretly when host program is run
- specific to operating system and hardware
  - taking advantage of their details and weaknesses
- a typical virus goes through phases of:
  - dormant
  - propagation
  - triggering
  - execution

Virus Structure
- components:
  - infection mechanism - enables replication
  - trigger - event that makes payload activate
  - payload - what it does, malicious or benign
- prepended / postpended / embedded
- when infected program invoked, executes virus code then original program code
- can block initial infection (difficult)
- or propagation (with access controls)

Virus Structure
(figure: simple virus structure, Slide 12)

Compression Virus
(figure: compression virus logic)

Virus Classification
- boot sector
- file infector
- macro virus
Webster U COSC 5130 - Malicious Software