Week 6 COMMON TYPES OF MALICIOUS CODE


Objectives
Describe the operation of:
- Viruses
- Malware [last week]
- Spyware [last week]
- Adware [last week]
- Trojans
- Logic Bombs
- Worms
- Rootkits
- Keyloggers

First Virus
Many claim to be the first! The Alvi brothers' virus was relatively harmless: all it did was change the 'volume label' of the disk (essentially renaming it). But for the surprised and astonished user who was tech-savvy enough to dig deeper, the program also had a message hidden in it: "Welcome to the Dungeon 1986 Basit & Amjad (Pvt) Ltd". It then went on to give the address and phone number of the brothers and exhorted the hapless user to contact them for a solution. It all began after the brothers discovered illegal copies of a medical software they had written. They had to do something, and hit upon the idea of writing a virus as a means to keep track of all the copies made of their program, the younger brother told TIME in a 1988 interview.

BUT: called Brain, it spread like wildfire, igniting an inglorious era of crashing computers, lost data, millions of frustrated and bewildered computer users, and, of course, the $16.5-billion computer security industry.

Taxonomy of Malicious Code
Independents: self-contained programs that can be scheduled and run by the operating system.
Needs host program: essentially fragments of programs that cannot exist independently of an application program, utility or system program.

Logic Bombs
A logic bomb is a program which has deliberately been written or modified to produce results, when certain conditions are met, that are unexpected and unauthorized by legitimate users or owners of the software. An example of a logic bomb is any program that mysteriously stops working three months after, say, its programmer's name has disappeared from the corporate salary database.
The Michelangelo virus from the early 1990s, one of the first viruses to make it into the public domain because of news coverage, tried to damage hard disk directories on the 6th of March. It overwrote the first 100 sectors of a hard disk. Result: the user could not access data on the disk.

General Virus Types
While there are thousands of variations of viruses, most fall into one of the following six general categories, each of which works its magic slightly differently:
- Boot Sector Virus: replaces or implants itself in the boot sector, an area of the hard drive (or any other disk) accessed when you first turn on your computer. This kind of virus can prevent you from being able to boot your hard disk.
- File Virus: infects applications. These executables then spread the virus by infecting associated documents and other applications whenever they're opened or run.
- Macro Virus: written using a simplified macro programming language, these viruses affect Microsoft Office applications, such as Word and Excel, and account for about 75 per cent of viruses found in the wild. A document infected with a macro virus generally modifies a pre-existing, commonly used command (such as Save) to trigger its payload upon execution of that command.
- Multipartite Virus: infects both files and the boot sector, a double whammy that can re-infect your system dozens of times before it's caught.
- Polymorphic Virus: changes code whenever it passes to another machine; in theory these viruses should be more difficult for antivirus scanners to detect, but in practice they're usually not that well written.
- Stealth Virus: hides its presence by making an infected file not appear infected, but doesn't usually stand up to antivirus software.

PROBLEM: many viruses today are combinations of different types.

Stealth Virus
A stealth virus hides the modifications it makes.
It does this by taking over the system functions which read files or system sectors and, when some other program requests information from portions of the disk the virus has changed, the virus reports back the correct (unchanged) information instead of what's really there (the virus). Use of stealth is the major reason why most anti-virus programs operate best when the system is started (booted) from a known-clean floppy disk or CD. When this happens, the virus does not gain control over the system, and the changes and the virus are immediately available to be seen and dealt with.

Trojans
A Trojan is a program that appears to be legitimate, but in fact does something malicious. Quite often, that something malicious involves gaining remote, surreptitious access to a user's system. Unlike viruses, a Trojan does not replicate. There are several different types of Trojans. Some of these include: remote access Trojans (RATs), backdoor Trojans (backdoors), IRC Trojans (IRCbots), and keylogging Trojans. Many Trojans encompass multiple types. For example, a Trojan may install both a keylogger and a backdoor. Vundo is a Trojan horse.

Worms
Worms are programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which require the spreading of an infected host file. Although worms generally exist inside of other files, often Word or Excel documents, there is a difference between how worms and viruses use the host file. Usually the worm will release a document that already has the "worm" macro inside the document. The entire document will travel from computer to computer, so the entire document should be considered the worm. … is an example of a worm.

Rootkits
Rootkits are programs that typically replace kernel programs and DLL files with malware. Since it's a system file that has been replaced, it's much easier to mask and hide the malware process from anti-virus software.
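Worked example for the Macro Virus and Worms slides (added to these notes; it is not code from the original deck). Both slides describe malicious macros travelling inside Word or Excel documents. One defensive check that can run on a mail gateway or file share before a document is ever opened is to look inside it for a VBA project. The code below assumes OOXML documents (.docx, .docm, .xlsm and so on), which are zip archives that keep any VBA project in a part named vbaProject.bin; the sample documents it builds are constructed in memory and contain only placeholder parts, not real VBA.

```python
"""Macro-bearing Office document check (added example, not from the slides).

Assumption: documents are OOXML zip archives; a VBA project, if present,
is stored in a part named vbaProject.bin (word/, xl/ or ppt/ folder).
"""
import io
import zipfile

# Extensions whose format declares that macros may be present.
MACRO_ENABLED_EXTENSIONS = {
    ".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam",
}


def inspect_office_document(data: bytes) -> dict:
    """Report whether an OOXML document carries a VBA project part."""
    result = {"ooxml": False, "macro_parts": [], "has_macros": False}
    if not data.startswith(b"PK"):          # every zip starts with the PK magic
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            names = archive.namelist()
    except zipfile.BadZipFile:
        return result
    result["ooxml"] = True
    result["macro_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
    result["has_macros"] = bool(result["macro_parts"])
    return result


def classify(filename: str, data: bytes) -> str:
    """Triage verdict that combines the file name with the archive contents."""
    info = inspect_office_document(data)
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if not info["ooxml"]:
        return "not-ooxml"
    if not info["has_macros"]:
        return "no-macros"
    if ext in MACRO_ENABLED_EXTENSIONS:
        return "macros-declared"
    return "macros-hidden"   # VBA inside a file whose extension promises none


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal document: just enough parts to look like Word output."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes only; a real part is an OLE2 container holding VBA.
            archive.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, doc in [("report.docx", build_sample(True)),
                      ("report.docm", build_sample(True)),
                      ("notes.docx", build_sample(False))]:
        print(f"{name}: {classify(name, doc)}")
```

The case worth flagging is a file whose name promises no macros (.docx) but whose archive contains vbaProject.bin: Word will not execute macros from a file saved under a .docx extension, but the mismatch shows the file is not what its name claims. Real triage would go on to extract and read the VBA with a dedicated tool; the structural check alone is cheap enough to run on every attachment.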
Probably the most famous rootkit incident, in 2005, was the Sony CD incident, where Sony installed a rootkit onto music CD-ROMs. When the music CDs were played on a computer, the rootkit installed itself in order to provide digital rights management for the music on the CD. The problem was that the rootkit itself was not secure, and it allowed other malware to piggyback onto it and also install onto a user's computer. An embarrassed Sony recalled a large number of music CDs and reissued them without the digital rights rootkit.

Keyloggers
Keyloggers are sometimes called keystroke loggers or system monitors. A keylogger's main intention is to spy on your computer. It has the ability to record, store and send what it captures (by … or FTP, etc.) to the person who installed it on your computer. There are two types of keyloggers: hardware keyloggers and software keyloggers.

Activity
- Research examples of viruses and other malware
- Add these to your E-safety Intranet site
- Read through the syllabus on Security and update your ILP
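Worked example for the Stealth Virus and Rootkits slides (added to these notes; not code from the original deck). The slides make two points: a stealth virus lies to any program that reads infected sectors through the hooked system functions, so checks should run from a known-clean boot medium; and a rootkit swaps kernel programs and DLL files for its own. A file-integrity baseline is the standard defence against the second point and depends on the first. The code below hashes every file under a directory, keeps the hashes as a baseline, and later reports each file as ok, modified, missing or new. The directory tree and file names it uses are constructed in a temporary folder and are not real system files.

```python
"""File-integrity baseline check (added example, not from the slides).

Assumptions: the baseline was taken from a known-clean system, and the
comparison runs from a clean boot medium so files are read as they really
are on disk rather than through a compromised system's own read functions.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree against the baseline; every path gets a status."""
    current = build_baseline(root)
    statuses = {}
    for rel, digest in baseline.items():
        if rel not in current:
            statuses[rel] = "missing"        # file was deleted
        elif current[rel] != digest:
            statuses[rel] = "modified"       # contents replaced (rootkit case)
        else:
            statuses[rel] = "ok"
    for rel in current:
        if rel not in baseline:
            statuses[rel] = "new"            # file that was not there before
    return statuses


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then replace, add and delete files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system").mkdir()
        (root / "bin").mkdir()
        (root / "system" / "core.dll").write_bytes(b"original core library")
        (root / "system" / "helper.dll").write_bytes(b"original helper library")
        (root / "bin" / "tool.exe").write_bytes(b"original tool")
        baseline = build_baseline(root)

        # Simulated tampering of the kind the Rootkits slide describes:
        # one system file swapped out, one dropped in, one removed.
        (root / "system" / "core.dll").write_bytes(b"replaced core library")
        (root / "system" / "dropped.dll").write_bytes(b"file that was not there before")
        (root / "bin" / "tool.exe").unlink()
        return verify(root, baseline)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:9} {path}")
```

Run from a clean boot medium against the disk mounted from there, the check is not subject to what the infected system's own file-reading functions would report. The baseline itself must live somewhere the compromised system cannot rewrite (offline or on read-only media); otherwise a rootkit that replaces a DLL can simply update the manifest to match.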