MALICIOUS SOFTWARE
Eckhard Pfluegel
Topics Covered
• Introduction to Malware
• Taxonomy of viruses
• Static Malware
  • Trap Doors
  • Logic Bombs
  • Trojans
  • Zombies
• Replicating Malware
  • Worms
  • Bacteria
  • Viruses
• Other Kinds of Malware
INTRODUCTION TO MALWARE
Part 1
Taxonomy of Malware
• Malicious code (malware): code introduced by an external agent which has unanticipated or undesired effects on programmes in the system.
• Agent: the writer of the programme, or the person who causes the distribution of the malware. This can be intentional or unintentional.
• In the context of security assessment, malware can be seen as a threat/attack targeting a software vulnerability.
• Also referred to as an exploit, although that term is more specific.
• Two categories:
  • Static
  • Replicating
Taxonomy of Malware
Malware
  Needs a host program: Trap Door, Logic Bombs, Trojans, Viruses
  Independent:          Worms, Zombies, Bacteria
Static (Part 2):      Trap Doors, Logic Bombs, Trojans, Zombies
Replicating (Part 3): Worms, Bacteria, Viruses
(Not a complete picture)
STATIC MALWARE
Part 2
Static Malware – Trap/Back Doors
• Secret entry point into a program or algorithm that bypasses the
usual security mechanism
• Have legitimate uses in software development, but cause a
weakness if left in after system development is complete
• Difficult to control from the operating system perspective.
Security measures must concentrate on the development phase
and update policies.
Static - Logic Bombs
• Embedded in legitimate software
• When triggered by an event (e.g. year 2000) they ‘explode’
bringing down the software
• Can be triggered by events, timings or certain conditions met
• Often used in Shareware applications or very expensive
software that requires continuing licensing
Static - Trojan Horses
• Siege of Troy: wooden horse given as “present” by Greeks to
Trojans. Menelaus and his men were hiding inside to open the city
gates!
• Apparently useful program containing hidden code – thus performs
illegitimate action whilst giving impression of being legitimate
• Executing program triggers malicious action
• Some such programs purport to be login screens – send passwords
to their makers
Static - Zombie
• Malicious logic triggered by attacker
• Used to mount Distributed Denial of Service (DDoS) attacks
• Use of zombies to act as “botnet” makes it difficult to trace the
attack to its originator
• Distributed attacks becoming more common & very much more
successful than stand-alone attacks
REPLICATING MALWARE
Part 3
Replicating - Worms
• Program that uses network to distribute itself from system to
system
• Users not necessarily aware of spread
• Can carry other malicious code, e.g. logic bomb or trap door.
• Three main avenues for replication:
  • E-mail
  • Remote Execution
  • Remote Login
Replicating - Bacteria
• Process or program that replicates itself
• Does not harm data or other software
• Eventually consumes enough resources to constitute a kind of
“denial of service” attack (Interruption)
Replicating - Viruses
• Like worms and bacteria, the word “virus” comes from biology.
• In biology a virus is not a true “life form”. It has no cell
structure of its own and replicates only inside cells of other
organisms.
• They consist of DNA fragments which they implant in the DNA
of their hosts.
• Computer viruses are much the same.
Replicating - Viruses
• Virus code replicates by “infecting” host programs or files
• Can be harmless or destructive
• Different types of viruses
• Virus is only dangerous if executed:
  • Explicitly
  • Implicitly (at boot time)
  • E-mail attachment
  • Link on web page
Typical Virus Lifecycle
• Dormant Phase: virus waits for some event to trigger it into
operation. (Not all viruses have this phase.)
• Propagation Phase: the virus copies itself into other programs.
• Triggering Phase: virus is triggered to inflict the damage it was
intended to cause.
• Execution Phase: The damage is inflicted.
A Very Simple Virus
Program V
{
    goto Main;
    1234567;

    subroutine infect()
    {
        finished = false;
        do
        {
            file = get_random_file;
            if (file has 1234567) finished = false;
            else
            {
                prefix V to file;
                finished = true;
            }
        }
        while (finished = false);
    }

    subroutine do_damage()
    {
        Do the dirty deed!!!!;
    }

    subroutine trigger_pulled()
    {
        Return true if virus triggered;
    }

    Main()
    {
        infect();
        if (trigger_pulled)
        {
            do_damage();
        }
    }
}
Polymorphic Viruses
• Virus cannot be completely invisible
• Infected code has pattern: the virus’ signature
• Can be detected by virus scanner
• Clever virus writer produces polymorphic virus
• Virus can change its appearance
• Could insert random code
• Or even encryption with random keys
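Added example (not from the lecture) showing why a fixed signature works against the simple virus above but not against a polymorphic copy, and what a scanner does instead. The 1234567 marker that Program V prefixes to every file is itself a usable signature; the "polymorphic copy" here is a constructed stand-in (XOR under a random key behind a hypothetical constant decoder stub, format `DECODE key=<byte>;`), operating on constructed byte strings rather than real programs.

```python
import re
import secrets

# Signature for the lecture's Program V: the 1234567 marker it prefixes to each
# infected file (its own re-infection check) is exactly what a scanner can look for.
SIGNATURE = b"1234567"

# Constructed sample "files" for the demo; no real executable content.
CLEAN = b"quarterly report, nothing to see here"
INFECTED = b"goto Main; 1234567; infect(); ...original program follows"

# Hypothetical decoder stub format: the part of a polymorphic copy that stays constant.
STUB = re.compile(rb"DECODE key=(.);", re.DOTALL)

def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def make_polymorphic(body: bytes, key=None) -> bytes:
    """Stand-in for a polymorphic copy: same body, XOR-encoded under a random key
    and placed behind the constant decoder stub (constructed format, see STUB)."""
    key = secrets.randbelow(255) + 1 if key is None else key
    return b"DECODE key=" + bytes([key]) + b";" + xor(body, key)

def scan_fixed(content: bytes) -> bool:
    """Classic signature scanner: literal byte-pattern match."""
    return SIGNATURE in content

def scan_stub(content: bytes) -> bool:
    """Next step for the defender: match the decoder stub, which cannot change."""
    return STUB.search(content) is not None

def scan_emulated(content: bytes) -> bool:
    """Undo the stub's transformation (what an emulating scanner does), then apply
    the fixed signature to the recovered body."""
    m = STUB.search(content)
    if m is None:
        return scan_fixed(content)
    key = m.group(1)[0]
    return scan_fixed(xor(content[m.end():], key))

if __name__ == "__main__":
    poly = make_polymorphic(INFECTED)
    for name, sample in (("clean", CLEAN), ("infected", INFECTED), ("polymorphic", poly)):
        print(f"{name:12} fixed={scan_fixed(sample)} "
              f"stub={scan_stub(sample)} emulated={scan_emulated(sample)}")
```

The fixed signature misses the polymorphic copy, but the unchanging decoder stub still gives the scanner something to match, and emulating it recovers the original body.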
Prevention of Virus Infection
• Only way: don’t share executable code with infected source
• Always use virus scanner
• Problems: variety of “hidden” executables
  • Macros in text documents, scripts in spreadsheets, embedded code in HTML e-mail messages
  • Faked file extensions
  • Extensions hidden (.dat.exe is shown as .dat)
  • Systems automatically launch applications
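Added example (not from the lecture) of two checks a mail gateway or download manager can apply to the “hidden executable” problems listed above: a filename whose real extension is executable while the name shown with extensions hidden looks like a document, and an Office document that carries macros. The extension sets and the `build_docx` helper are constructed for the demo; only the fact that OOXML files are zip archives containing a `vbaProject.bin` member when they hold VBA code is taken from the real file format.

```python
import io
import zipfile

# Extensions a client will execute, and "document-like" ones a user is likely to trust
# (constructed sets for the demo; a real deployment would use a fuller list).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}
DOCUMENT_EXTS = {"doc", "xls", "pdf", "txt", "dat", "jpg", "png"}

def displayed_name(filename: str) -> str:
    """What a file browser that hides known extensions shows: the last one dropped."""
    stem, dot, _ext = filename.rpartition(".")
    return stem if dot else filename

def hidden_executable(filename: str) -> bool:
    """True when the real extension is executable but the name a user sees ends in
    a document-like extension, e.g. invoice.dat.exe shown as invoice.dat."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS

def has_vba_macro(data: bytes) -> bool:
    """OOXML Office files are zip archives; a vbaProject.bin member means VBA code."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def build_docx(with_macro: bool) -> bytes:
    """Constructed minimal archive standing in for a Word file (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed macro blob")
    return buf.getvalue()

def triage(filename: str, data: bytes) -> list:
    """Return the reasons an attachment should not be opened directly."""
    findings = []
    if hidden_executable(filename):
        findings.append(f"executable disguised as '{displayed_name(filename)}'")
    if has_vba_macro(data):
        findings.append("document carries VBA macros")
    return findings

if __name__ == "__main__":
    print(triage("report.pdf.scr", build_docx(True)))   # both findings
    print(triage("plain.txt", b"hello"))                # []
```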
Mini-Exercise
• Search for recent news stories on security incidents involving computer viruses, or malware in general.
• Can you find information about the latest forms of computer virus that try to stay ahead of the game (i.e. ahead of the virus scanners that would detect them)?
SPYWARE AND RANSOMWARE
Part 4
Spyware
• Software that covertly gathers user information through user's
Internet connection without their knowledge
• Affects confidentiality
• Bundled as hidden component of downloaded software or
scripts run in web pages
• Usually for advertising purposes (adware)
• Transmits information to someone else
Spyware – Solutions
• Need to install a Spyware checker
• Can check Add/Remove Programs for unidentified software
• Check for cookies stored on your computer
• Can also install pop-up blockers and download managers
• Research a site before you download or activate scripting, etc.
Ransomware
• Restricts users’ access to their system.
• Demands money in return for system release.
Invasive Apps
• Latest trend: Popular apps might trick you into paying (or
your parents?)
• Think carefully before you install these
• Some invasive apps even try to message you…
Mini-Exercise: Insecure Security Apps
• Investigate apps that claim to help with securing your data
or similar assets, for both iPhone and Android.
• In your opinion, how useful are they, and can you find
evidence that actually they might create a security risk?