- Malicious software can be divided into two categories: Those that need a host program and those that are independent.
- The former are essentially fragments of programs that can’t exist independently of some actual application program, utility or system program. Examples: Viruses, Logic bombs and backdoors.
- The latter are self-contained programs that can be scheduled and run by the operating system. Examples: Worms and Zombie programs.
A virus is a piece of software that can “infect” other programs by modifying them. The modification includes a copy of the virus program, which can then go on to infect other programs.
i. A virus can do anything that other programs do. The only difference is that it attaches itself to another program and executes secretly when the host program is run.
ii. Once a virus is executing, it can perform any function such as erasing files and programs.
iii. Most viruses carry out their work in a manner that is specific to a particular operating system and in some cases specific to a particular hardware platform. Thus they are designed to take advantage of the details and weaknesses of particular systems.
iv. A virus can be prepended or postpended to an executable program, or it can be embedded in some other fashion. The key to its operation is that the infected program, when invoked, will first execute the virus code and then execute the original code of the program.
v. During its lifetime a typical virus goes through the following 4 phases:
- Dormant Phase: The virus is idle. The virus will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit.
- Propagation Phase: The virus places an identical copy of itself into other programs or into certain system areas on the disk.
- Triggering Phase: The virus is activated to perform the function for which it was intended.
- Execution Phase: The function is performed. The function may be harmless or damaging.
Types of viruses:
i. Parasitic Virus: The traditional and still most common form of virus. A parasitic virus attaches itself to executable files and replicates when the infected program is executed.
ii. Memory resident Virus: Lodges in main memory as part of a resident system program. From that point on, the virus infects every program that executes.
iii. Boot-Sector Virus: Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.
iv. Stealth Virus: A form of virus explicitly designed to hide itself from detection by antivirus software.
v. Polymorphic Virus: A virus that mutates with every infection, making detection by the “signature” of the virus impossible.
vi. Metamorphic Virus: A metamorphic virus mutates with every infection. The difference is that a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection. Metamorphic viruses may change their behaviour as well as their appearance.
Examples of recent viruses:
i. Macro viruses:
- A macro virus is platform independent. Virtually all of the macro viruses infect Microsoft Word documents. Any hardware platform and operating system that supports Word can be infected.
- Macro viruses infect documents, not executable portions of code. Most of the information introduced onto a computer system is in the form of a document rather than a program.
- Macro viruses are easily spread. A very common method is by e-mail.
ii. E-Mail viruses:
A more recent development in malicious software is the e-mail virus. The first rapidly spreading e-mail viruses, such as Melissa, made use of a Microsoft Word macro embedded in an attachment. If the recipient opens the e-mail attachment, the Word macro is activated. Then,
- The e-mail virus sends itself to everyone on the mailing list in the user’s email package.
- The virus does local damage.
iii. Worms:
- A worm is a program that can replicate itself and send copies from computer to computer across network connections. Upon arrival, the worm may be activated to replicate and propagate again.
- In addition to propagation, the worm usually performs some unwanted function. An e-mail virus has some of the characteristics of a worm, because it propagates itself from system to system. A worm actively seeks out more machines to infect, and each infected machine serves as a launching pad for attacks on other machines.
- Network worm programs use network connections to spread from system to system. Once active within a system, a network worm can behave as a computer virus or bacteria, or it could implant Trojan horse programs or perform any number of disruptive or destructive actions.
iv. State of worm technology:
- Multiplatform: Worms are not limited to Windows machines but can attack a variety of platforms, especially the popular varieties of UNIX.
- Multiexploit: New worms penetrate systems in a variety of ways, using exploits against web servers, browsers, e-mail, file sharing and other network based applications.
- Ultrafast Spreading: One technique to accelerate the spread of a worm is to conduct a prior internet scan to accumulate internet addresses of vulnerable machines.
- Polymorphic: To evade detection, skip past filters and foil real-time analysis, worms adopt the virus polymorphic technique. Each copy of the worm has new code generated on the fly using functionality equivalent instructions and encryption techniques.
- Metamorphic: In addition to changing their appearance, metamorphic worms have a repertoire of behaviour pattern that are unleashed at different stages of propagation.
- Transport Vehicles: Because worms can rapidly compromise a large number of systems, they are ideal for spreading other distributed attack tools, such as distributed denial of service zombies.
- Zero-Day exploit: To achieve maximum surprise and distribution, a worm should exploit an unknown vulnerability that is only discovered by the general network community when the worm is launched.
Intruders:
- The objective of the intruder is to gain access to a system or to increase the range of privileges accessible on a system. Most initial attacks use system or software vulnerabilities that allow a user to execute code that opens a back door into the system.
- The intruder attempts to acquire information that should have been protected. In some cases, this information is in the form of a user password. With knowledge of some other user’s password, an intruder can log in to a system and access all information available on the system.
There are three classes of intruders:
- Masquerader: An individual who is not authorized to use the computer and who penetrates a system’s access controls to exploit a legitimate user’s account. The masquerader is likely to be an outsider.
- Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges. The misfeasor generally is an insider.
- Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection. The clandestine user can be either an outsider or an insider.
Intruder attacks range from the benign to the serious. At the benign end of the scale, there are many people who simply wish to explore the Internet and see what is out there. At the serious end are individuals who are attempting to read privileged data, perform unauthorized modifications to data, or disrupt the system.
Following are some examples of intrusion:
- Performing a remote root compromise of an e-mail server
- Defacing a Web server
- Guessing and cracking passwords
- Copying a database containing credit card numbers
- Viewing sensitive data, including payroll records and medical information, without authorization
1) Logic Bombs
- Logic bombs are programmed threats that lie dormant in commonly used software for an extended period of time until they are triggered; at this point, they perform a function that is not the intended function of the program in which they are contained.
- Logic bombs usually are embedded in programs by software developers who have legitimate access to the system.
- Conditions required to trigger a logic bomb include the presence or absence of certain files, a particular day of the week, or a particular user running the application.
The logic bomb might check first to see which users are logged in, or which programs are currently in use on the system. Once triggered, a logic bomb can destroy or alter data, cause machine halts, or otherwise damage the system.
Time-outs are a special kind of logic bomb that are occasionally used to enforce payment or other contract provisions. Time-outs make a program stop running after a certain amount of time unless some special action is taken.
- Protection against malicious logic bombs can be achieved by not installing software without thoroughly testing it and reading it. By keeping regular backups, we can restore data.
2) Trojan Horses
- Trojan horses resemble a program that the user wishes to run - a game, a spreadsheet, or an editor. While the program appears to be doing what the user wants, it actually is doing something else unrelated to its advertised purpose, and without the user's knowledge.
- For example, the user may think that the program is a game. While it is printing messages about initializing databases and asking questions like "What do you want to name your player?" and "What level of difficulty do you want to play?" the program may actually be deleting files, reformatting a disk, or otherwise altering information.
- All the user sees, until it's too late, is the interface of a program that the user is trying to run.
- Trojan horses are, unfortunately, as common as jokes within some programming environments. They are often planted as cruel tricks on bulletin boards and circulated among individuals as shared software.
- An attacker can embed commands in places other than compiled programs. Shell files (especially shar files), awk, Perl, and sed scripts, TeX files, PostScript files, MIME-encoded mail, WWW pages, and even editor buffers can all contain commands that can cause you unexpected problems.
- Another form of a Trojan horse makes use of block-send commands or answerback modes in some terminals.
- The best way to avoid Trojan horses is to never execute anything, as a program or as input to an interpreter, until you have carefully read through the entire file. When you read the file, use a program or editor that displays control codes in a visible manner. If you do not understand what the file does, do not run it until you do. And never, ever run anything as root unless you absolutely must.