Chapter 8
The Art of Anti Malicious Software
J. Wang. Computer Network Security Theory and Practice. Springer 2008
Chapter 8 Outline

8.1 Viruses
8.2 Worms
8.3 Virus Defense
8.4 Trojan Horses
8.5 Hoaxes
8.6 Peer-to-Peer Security
8.7 Web Security
8.8 Distributed Denial of Service Attacks
Viruses

A computer virus is a piece of code hiding in a program that can automatically copy itself or embed a mutation of itself in other programs.

- Cannot spread on its own; often requires a host program to live in
- Infected program: a host program carrying a virus
- Uninfected program (healthy program): a program cleared of all viruses
- Disinfected program: a program once infected but now cleared of viruses
- Specific to:
  - particular types of file systems, file formats, and operating systems
  - particular types of architecture, CPU, languages, macros, scripts, debuggers, and every other form of programming or system environment
Virus Types

Classified based on host programs:

- Boot virus:
  - Infects the boot program in the boot sector
  - Uses the boot sequence to activate itself
  - Modifies the operating system to intercept disk access and infect other disks
  - May also infect an updatable BIOS of a PC
- File-system virus:
  - The file system maintains a table of pointers to the first cluster of each file
  - Overwrites table entries and spreads itself through the file system
- File-format virus:
  - Infects individual files
- Macro virus:
  - Infects documents containing macro code
Virus Types (cont.)

- Script virus:
  - Infects script files
  - Replicates itself in the form of email attachments, office and Web documents
- Registry virus:
  - Infects the Microsoft Windows registry
- Memory-resident virus:
  - Infects programs loaded into main memory for execution

Classified based on embedded forms:

- Stealth virus:
  - Usually uses compression to mask itself
- Polymorphic virus:
  - May change instruction orderings or encrypt itself into different forms
- Metamorphic virus:
  - Can be rewritten automatically during transmission
Virus Infection Schemes

- Overwrite a segment of an existing program
- Insert itself at the beginning, in the middle, or at the end of an uninfected host program
- Break itself into segments and insert each segment in a different location of the host program
- The virus has the same access rights as the host program
Virus Infection Schemes (Diagram; figure not reproduced in this text)
Virus Structure

Consists of 4 main subroutines:

- Infect: search for host programs and check whether they are already infected
- Infection-Condition: check for certain conditions to launch the Infect subroutine
- Break-Out: carry out the actual damage work
- Breakout-Condition: check for certain conditions to launch the Break-Out subroutine
Compressor Viruses

- An infected host file will often show a change in size before and after infection
- Compressor viruses attempt to hide that change:
  - Compress the host file during the infection period
  - Decompress the host file during the breakout period
  - May add padding if the compressed host + viral code is smaller than the original size
Virus Dissemination

- Spread through portable storage devices (traditional): floppy disks, CDs, flash memory sticks
- Spread through email attachments and downloaded programs (contemporary)
  - Email is a significant vector because many email programs and users blindly open attachments
Win32 Virus Infection Dissection

- Win32 viruses exploit Microsoft's Portable Executable (PE) format for infection
- A PE file contains:
  - PE sections: modules of code, data, resources, import tables, and export tables
  - PE headers: provide crucial information about the executable image; natural targets of Win32 viruses
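As an added example (not code from the book or the slides), the following checker walks the PE headers just listed and flags an entry point that has been redirected into a trailing non-code section, the trace left when a virus appends itself to the end of a host and patches the header. The build_pe helper constructs a minimal image for testing and is an assumption of this example, not a real file.

```python
import struct

def build_pe(entry_rva, sections):
    """Constructed minimal PE32 image for testing (assumption of this example):
    only the fields the checker reads are filled in, everything else is zero.
    sections is a list of (name, virtual_address, virtual_size)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # e_lfanew lives at 0x3C
    # Optional header: Magic, linker versions, three size fields, AddressOfEntryPoint (offset 16)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva)
    # COFF header: Machine, NumberOfSections, stamp, symbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0)
    # Section table entries: Name, VirtualSize, VirtualAddress, then raw-data/relocation fields (zero)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, 0, 0, 0, 0, 0, 0, 0)
                     for n, va, vs in sections)
    return dos + b"PE\0\0" + coff + opt + table

def entry_section(image):
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section
    table; return (section_name, is_last_section) for the section holding the entry
    point, or (None, False) if the entry point lies outside every section."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    opt_off = pe_off + 24
    entry = struct.unpack_from("<I", image, opt_off + 16)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va = struct.unpack_from("<8sII", image, opt_off + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize))
    for idx, (name, va, vsize) in enumerate(sections):
        if va <= entry < va + vsize:
            return name, idx == len(sections) - 1
    return None, False

def looks_appended(image):
    """Heuristic (this example's own rule, not the book's): an entry point that
    points into the last section while that section is not .text, or into no
    section at all, is what an infector that appends itself to the host and
    patches the header leaves behind. Legitimate packers trip it too, so treat
    it as a flag for closer inspection, not a verdict."""
    name, is_last = entry_section(image)
    return name is None or (is_last and name != ".text")
```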
Worms

A worm is a standalone program that can replicate itself and spread through networks.

- Can execute itself automatically on a remote host
- May be viewed as a network virus
- May still need a host file for spreading
- Most worms consist of:
  - Target locator subroutine: finds new targets
  - Infection propagator subroutine: transfers the worm to a new computer
Common Worm Types

- Mass mailers
  - Usually have the suffix @mm attached after the worm's name
  - Reproduce themselves through email attachments
- Rabbits
  - Rapidly replicate themselves until the system crashes due to the resource load
  - Often hidden in a file directory or disguised with normal file names
Worm Examples

- Morris worm
  - Exploited implementation flaws in sendmail, finger and rsh/rexec to infect other computers
- Melissa worm
  - A macro virus targeted at Microsoft products
  - Spread via email attachments
  - Spread fast, creating a huge amount of email traffic
Email Attachments

Email attachments can be classified (roughly) into 3 categories:

- Safe: non-executable, no macros
- To-Be-Cautious: contain macros or executable code; whether to open them depends on the sender
- Perilous: should not be opened at all
The Code Red Worm

- Released in July 2001, it infected about 300K computers within the first 24 hours of its release
- It exploited a buffer overflow in Microsoft's IIS
- It arrived as a GET /default.ida request (with 224 N's); this request starts the worm code execution
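An added example, not from the book: detection logic that flags the request pattern just described in Web server access logs. The log lines are constructed in Common Log Format, and the alert labels and the min_run threshold are this example's own choices.

```python
import re

# Constructed access-log sample in Common Log Format (not a real capture).
# The second line carries the probe described above: GET /default.ida followed by 224 N's.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jul/2001:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043
192.0.2.20 - - [19/Jul/2001:10:00:05 +0000] "GET /default.ida?{} HTTP/1.0" 200 0
192.0.2.30 - - [19/Jul/2001:10:00:09 +0000] "GET /default.ida HTTP/1.0" 404 312
192.0.2.40 - - [19/Jul/2001:10:00:12 +0000] "POST /login HTTP/1.0" 302 0
""".format("N" * 224)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

def parse_line(line):
    """Split one CLF line into fields; return None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry, min_run=224):
    """Label one parsed entry. min_run defaults to the 224 N's of the original
    probe; lowering it catches trimmed variants at the cost of more noise (a
    tuning choice of this example). Any request for /default.ida is worth noting
    even without the N run, since the slides tie the overflow to that target."""
    path, _, query = entry["target"].partition("?")
    if not path.lower().endswith("/default.ida"):
        return None
    if re.search(r"N{%d,}" % min_run, query):
        return "code-red-probe"
    return "ida-request"

def scan_log(text, min_run=224):
    """Run classify over every line; return (ip, timestamp, label) per alert.
    Status codes are deliberately ignored: a 404 still shows who probed."""
    alerts = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry, min_run)
        if label is not None:
            alerts.append((entry["ip"], entry["ts"], label))
    return alerts
```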
Virus Defense

- Prevention: block viruses from getting into a healthy system
  - Install software patches in time
  - Do not download software from untrusted Web sites
  - Do not open "To-Be-Cautious" email attachments from unknown senders
  - Do not open perilous email attachments
- Restoration: disinfect infected systems
  - Scan files with a virus scanner
  - Keep a backup of system and user files
Standard Scanning Methods

- Basic scanning
  - Search for signatures of known viruses in hostable files
  - Check the size of system files
- Heuristic scanning
  - Search for suspicious code fragments in executable files
- ICV scanning
  - Compute an integrity check value (ICV) for each uninfected executable file, then check against that value later on
- Behavior monitoring
  - Evaluate the behavior of executing programs
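An added example (not code from the book) that puts basic signature scanning next to ICV scanning over constructed file contents; the signature patterns, the key and the file names are made up for this example. It also shows why the ICV check is kept separate from the size check: a file whose size has not moved can still fail the ICV, which is exactly the case a compressor virus creates.

```python
import hashlib
import hmac

# Constructed signature database: made-up byte patterns standing in for the
# signatures of known viruses (they match nothing real).
SIGNATURES = {
    "Test.Sig.A": b"CONSTRUCTED_SIGNATURE_A",
    "Test.Sig.B": b"CONSTRUCTED_SIGNATURE_B",
}

def signature_scan(data):
    """Basic scanning: names of known signatures that occur anywhere in the file."""
    return sorted(name for name, sig in SIGNATURES.items() if sig in data)

def compute_icv(data, key):
    """ICV as a keyed hash (HMAC-SHA256): an infector that cannot read the key
    cannot recompute a matching value after modifying the file."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def build_baseline(files, key):
    """Record ICV and size of every file while the system is known to be clean."""
    return {path: (compute_icv(data, key), len(data)) for path, data in files.items()}

def check_baseline(files, baseline, key):
    """Later scan: report files whose ICV no longer matches. Size is reported
    separately because a compressor virus keeps it unchanged on purpose."""
    findings = {}
    for path, data in files.items():
        if path not in baseline:
            findings[path] = "not in baseline"
            continue
        icv, size = baseline[path]
        if not hmac.compare_digest(icv, compute_icv(data, key)):
            same = "unchanged" if size == len(data) else "changed"
            findings[path] = "ICV mismatch, size " + same
    return findings

def demo():
    """Constructed scenario: baseline two clean files, then re-scan after two
    different kinds of modification. Returns {path: (signatures, icv_finding)}."""
    key = b"baseline-key"  # assumption: in practice kept off the scanned host
    clean = {"/bin/a.exe": b"MZ" + b"A" * 40, "/bin/b.exe": b"MZ" + b"B" * 40}
    baseline = build_baseline(clean, key)
    later = {
        # a.exe: payload appended, carries a known signature, file grows
        "/bin/a.exe": clean["/bin/a.exe"] + SIGNATURES["Test.Sig.A"],
        # b.exe: bytes overwritten in place, unknown pattern, size unchanged
        "/bin/b.exe": b"MZ" + b"B" * 20 + b"X" * 20,
    }
    findings = check_baseline(later, baseline, key)
    return {path: (signature_scan(data), findings.get(path)) for path, data in later.items()}
```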
Some Common Anti-Virus Software Products

- McAfee VirusScan: http://www.mcafee.com
- Norton AntiVirus: http://www.symantec.com
- AVG: http://www.grisoft.com
- Avast! AntiVirus: http://www.avast.com
- ...
Virus Emulator

- Isolated hardware and software used to evaluate suspicious programs
- Helps to prevent suspicious programs from causing damage to critical systems
- May create a large amount of computational overhead
Trojan Horses

A program that appears to have some useful functions but contains a malicious payload (a.k.a. warrior code).

- Cannot replicate itself automatically
- Requires direct user intervention to run
- May inflict the following types of damage:
  - Install a backdoor or zombieware for DDoS attacks
  - Install spyware
  - Look for users' bank account numbers and private information
  - Install viruses or other malicious code on other hosts
  - Modify or delete user files
Hoaxes

- Hoaxes trick users into doing something they would normally not do
- Often in the form of email messages
- Example: the "You've Got Virus!" hoax
- The countermeasure to hoaxes is to ignore them
  - There is no free lunch!
Peer-to-Peer Security

- Client-server topology: a small number of servers provide services to a large number of clients
- P2P topology: ad hoc network in which each computer acts both as a client and as a server

Security vulnerabilities:

- Copyright infringement
- Consumes too much bandwidth and local disk storage
- DoS attack
- A P2P application opens a specific port to share files with unknown users, which may open a door for Trojan horses, viruses, and other malicious software

Security measures:

- Install only official P2P software
- Scan a downloaded file before opening it
- Disallow P2P software in the company
Web Security

Basic types of Web documents:

- Static documents:
  - A Web document without executable code
  - Safe to download
- Dynamic documents:
  - A Web document containing executable code
  - CGI executed on the server computer
  - The resulting document is downloaded to the client
- Active documents:
  - Also contain executable code, but run on the client computer
  - The entire document is downloaded to the client for execution
Security of Web Documents

- Server-side:
  - May be attacked by exploiting loopholes in dynamic documents and Web server programs
  - Security measures:
    - Update to the newest version of Web server programs
    - Manage CGI programs and their directories rigorously
    - Only a designated person can post CGI at the Web server
- Client-side:
  - May be attacked by exploiting loopholes in active documents and Web browser programs
  - Security measures:
    - Install browser patches
    - Disable JavaScript in the browser
    - Disable Java applets in the browser
Cookies

- Web browser is stateless
  - A new connection with a Web server for each URL request
  - Different, unrelated TCP connections have to be established for subsequent pages
- A cookie stores the user information and passes it to the user's browser
- The browser sends the cookie along with the user's request when visiting subsequent pages
- Server: must ensure cookies cannot be used for malicious purposes
- Client: remove stored cookies frequently
Spyware

- Malicious software installed as a plugin module in the Web browser without the user's consent
- Spyware may:
  - Collect the user's information and send it to the attacker
  - Monitor the user's Web surfing activities and pop up ads
  - Modify default settings of the browser and redirect to a certain Web page
- Countermeasures for spyware:
  - Set up a firewall to prevent attackers from embedding spyware
  - Install software patches in time
  - Install anti-spyware software
AJAX Security

- Asynchronous JavaScript and XML (AJAX)
- AJAX achieves asynchronous interactions to make surfing smooth
- Example: Google Maps
- Faces the same security problems as traditional Web applications:
  - Cross-site scripting attacks
  - Silent calls and cookies
Safe Web Surfing

- Download software only from trusted Web sites
- Do not click any button on a popup window
- Read privacy statements, license statements and security warnings to find out the risks you may take if you install and run the software
- Do not visit other sites with different addresses from the password-protected site
- Do not visit suspicious Web sites
Master-Slave DDoS Attack (Diagram; figure not reproduced in this text)

Master-Slave-Reflector DDoS Attack (Diagram; figure not reproduced in this text)
DDoS Attack Countermeasures

- Reduce the number of vulnerable computers
  - Improve security management of networked computers
  - Set up a backup system
  - Distribute resources appropriately
  - Construct a DDoS monitoring and responding system
  - Keep a complete system log to help trace sources
- Make it hard for attackers to find vulnerable computers
  - Close all unnecessary ports to defy IP scans
  - Disconnect the network connection when the user's computer is no longer in use
  - Detect and remove zombieware
91.561 Computer & Network Security I