Ministry of Higher Education
Paktia University
Faculty of Computer Science
Chapter 2
SUB: NETWORK SECURITY
Malicious software (Malware)
Malicious software, or malware, arguably constitutes one of the most significant categories of threats to computer systems.
Malware is defined as "a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system or otherwise annoying or disrupting the victim."
We are concerned with the threat malware poses to application programs, to utility programs, such as editors and compilers, and to kernel-level programs.
We are also concerned with its use on compromised or malicious Web sites and servers, or in especially crafted
Terminology for Malicious Software
Terminology for Malicious Software…
Viruses
A computer virus is a piece of software that can "infect" other programs, or indeed any type of executable content, by modifying them.
The modification includes injecting the original code with a routine to make copies of the virus code, which can then go on to infect other content.
Computer viruses first appeared in the early 1980s, and the term itself is attributed to Fred Cohen.
Viruses…
A computer virus carries in its instructional code the recipe for making perfect copies of itself.
A virus that attaches to an executable program can do anything that the program is permitted to do. It executes secretly when the host program is run.
Once the virus code is executing, it can perform any function, such as erasing files and programs, that is allowed by the privileges of the current user.
Virus parts
Infection mechanism: The means by which a virus spreads or propagates, enabling it to replicate. The mechanism is also referred to as the infection vector.
Trigger: The event or condition that determines when the payload is activated or delivered, sometimes known as a logic bomb.
Payload: What the virus does, besides spreading. The payload may involve damage or may involve benign but noticeable activity.
Virus phases
Dormant phase: The virus is idle.
Propagation phase: The virus places a copy of itself into other programs or into certain system areas on the disk.
Triggering phase: The virus is activated to perform the function for which it was intended.
Execution phase: The function is performed.
Virus classification
A virus classification by target includes the following categories:
Boot sector infector: Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.
File infector: Infects files that the operating system or shell consider to be executable.
Macro virus: Infects files with macro or scripting code that is interpreted by an application.
Multipartite virus: Infects files in multiple ways.
Virus classification…
A virus classification by concealment strategy includes the following categories:
Encrypted virus: A form of virus that uses encryption to obscure its content. A portion of the virus creates a random encryption key and encrypts the remainder of the virus.
Stealth virus: A form of virus explicitly designed to hide itself from detection by anti-virus software.
Polymorphic virus: A form of virus that creates copies during replication that are functionally equivalent but have distinctly different bit patterns, in order to defeat programs that scan for viruses.
Worms
Worm programs exploit software vulnerabilities in client or server programs to gain access to each new system.
They can use network connections to spread from system to system.
They can also spread through shared media.
The concept of a computer worm was introduced in a 1975 novel by John Brunner.
The first known worm implementation was done in Xerox Palo Alto Labs in the early 1980s.
Worms…
To replicate itself, a worm uses some means to access remote systems.
Electronic mail or instant messenger facility: A worm e-mails a copy of itself to other systems, or sends itself as an attachment via an instant message service, so that its code is run when the e-mail or attachment is received or viewed.
File sharing: A worm either creates a copy of itself or infects other suitable files as a virus on removable media such as a USB drive; it then executes when the drive is connected to another system.
Worms…
Remote execution capability: A worm executes a copy of itself on another system, either by using an explicit remote execution facility
Remote file access or transfer capability: A worm uses a remote file access or transfer service to another system to copy itself from one system to the other, where users on that system may then execute it.
Remote login capability: A worm logs onto a remote system as a user and then uses commands to copy itself from one system to the other, where it
Target Discovery (worm)
The first function in the propagation phase for a network worm is for it to search for other systems to infect, a process known as scanning or fingerprinting.
For a worm that exploits software vulnerabilities in remotely accessible network services, it must identify potential systems running the vulnerable service, and then infect them.
Then, typically, the worm code now installed on the infected machines repeats the same scanning process, until a large distributed network of infected machines is created.
Target Discovery (worm)…
The following types of network address scanning strategies can be used by such a worm:
Random: Each compromised host probes random addresses in the IP address space, using a different seed. This technique produces a high volume of Internet traffic, which may cause generalized disruption even before the actual attack is launched.
Hit-List: The attacker first compiles a long list of potentially vulnerable machines. This can be a slow process done over a long period to avoid detection that an attack is underway.
Target Discovery (worm)…
Topological: This method uses information contained on an infected victim machine to find more hosts to scan.
Local subnet: If a host can be infected behind a firewall, that host then looks for targets in its own local network. The host uses the subnet address structure to find other hosts that would otherwise be protected by the firewall.
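The random and local-subnet strategies above leave a distinctive footprint in flow logs: one source contacting many distinct hosts on the same port in a short time, either spread across the whole address space or confined to its own subnet. The following detector is an added example written for this chapter, not code from the slides; the flow log format and the sample records are constructed for illustration, and the thresholds (5 targets in 60 seconds, /24 for "local") are assumptions a defender would tune.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed flow log (not from the page): "<ISO time> <src> <dst> <dst port>"
SAMPLE_FLOWS = """\
2024-03-01T10:00:00 10.0.0.5 23.4.5.6 445
2024-03-01T10:00:01 10.0.0.5 198.51.100.7 445
2024-03-01T10:00:01 10.0.0.5 203.0.113.9 445
2024-03-01T10:00:02 10.0.0.5 192.0.2.44 445
2024-03-01T10:00:03 10.0.0.5 100.64.1.2 445
2024-03-01T10:00:10 10.0.0.7 10.0.0.1 445
2024-03-01T10:00:10 10.0.0.7 10.0.0.2 445
2024-03-01T10:00:11 10.0.0.7 10.0.0.3 445
2024-03-01T10:00:11 10.0.0.7 10.0.0.4 445
2024-03-01T10:00:12 10.0.0.7 10.0.0.8 445
2024-03-01T10:00:20 10.0.0.9 10.0.0.1 443
"""

def parse_flows(text):
    """Parse 'time src dst dport' lines into (datetime, src, dst, dport) tuples."""
    rows = (line.split() for line in text.splitlines())
    return [(datetime.fromisoformat(t), ipaddress.ip_address(s), ipaddress.ip_address(d), int(p))
            for t, s, d, p in rows]

def detect_scanners(flows, window_s=60, min_targets=5):
    """Flag (src, port) pairs that reach >= min_targets distinct hosts within window_s seconds
    and label the pattern: 'local-subnet' if every target is in the source's own /24,
    'random' if the targets are spread over that many distinct /8 blocks, else 'fan-out'."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_key[(src, dport)].append((ts, dst))
    alerts = {}
    for (src, dport), events in by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):            # sliding time window over the events
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) < min_targets:
                continue
            own_net = ipaddress.ip_network(f"{src}/24", strict=False)
            local = all(dst in own_net for dst in targets)
            spread = len({int(dst) >> 24 for dst in targets})   # distinct /8 blocks touched
            label = "local-subnet" if local else "random" if spread >= min_targets else "fan-out"
            alerts[(str(src), dport)] = (label, len(targets))
            break
    return alerts
```

On the sample log, 10.0.0.5 is reported as a random scanner and 10.0.0.7 as a local-subnet scanner, while the single connection from 10.0.0.9 raises nothing.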
Trojan horses
A Trojan horse is a useful, or apparently useful, program or utility containing hidden code that, when invoked, performs some unwanted or harmful function.
Trojan horse programs can be used to accomplish functions indirectly that the attacker could not accomplish directly.
Trojan horse models
Continuing to perform the function of the original program and additionally performing a separate malicious activity.
Continuing to perform the function of the original program but modifying the function to perform malicious activity.
Performing a malicious function that completely replaces the function of the original program.
Mobile Phone Trojans
Mobile phone Trojans also first appeared in 2004 with the discovery of Skuller. These Trojans targeted Symbian phones. More recently, a significant number of Trojans have been detected that target Android phones and Apple iPhones.
These Trojans are usually distributed via one or more of the app marketplaces for the target phone O/S.
Adversaries
To defend against attacks on information and information systems, organizations must begin to define the threat by identifying potential adversaries. These adversaries can include the following:
Nations or states
Terrorists
Criminals
Hackers
Corporate competitors
Disgruntled employees
Motivation
To defend against attacks on information and information systems, organizations must define the threat in terms of motivation. Motivations can include:
Intelligence gathering
Theft of intellectual property
Denial of service (DoS)
Embarrassment of the company or clients
Pride in exploiting a notable target
Attack Methods
Attack Methods…
IP Spoofing Attack
The prime goal of an IP spoofing attack is to establish a connection that allows the attacker to gain root access to the host and to create a backdoor entry path into the target system.
IP spoofing is a technique used to gain unauthorized access to computers whereby the intruder sends messages to a computer with an IP address that indicates the message is coming from a trusted host.
IP spoofing can also provide access to user accounts and passwords.
Technical Discussion on IP Spoofing
The TCP three-way handshake that a spoofed connection has to complete:
The client selects and transmits an initial sequence number.
The server acknowledges the initial sequence number and sends its own sequence number.
The client acknowledges the server sequence number, and the connection is open to data transmission.
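The handshake is what makes spoofing the source address hard: the server's SYN-ACK, carrying its initial sequence number (ISN), is routed to the forged address, so whoever sent the forged SYN never sees it and can only complete step 3 by predicting the ISN. The simulation below is an added example for this section, not code from the slides; it models the three steps with two server ISN policies (a constructed sequential policy with a fixed step, and a random one) and shows that the connection can be completed without the SYN-ACK only under the predictable policy, which is why hosts must randomize ISNs.

```python
import itertools
import secrets
from dataclasses import dataclass

SEQ_MOD = 2 ** 32

@dataclass
class Segment:  # only the header fields the handshake checks (constructed model, not real packets)
    src: str            # source address as written in the IP header
    seq: int
    syn: bool = False
    ack: bool = False
    ack_num: int = 0

class Server:
    def __init__(self, isn_gen):
        self.isn_gen = isn_gen      # pluggable ISN policy, so the two policies can be compared
        self.half_open = {}         # peer address -> ISN we sent it in the SYN-ACK

    def on_syn(self, seg):
        # Step 2: acknowledge the client's ISN and choose our own; the SYN-ACK is routed to seg.src.
        isn = self.isn_gen()
        self.half_open[seg.src] = isn
        return Segment(src="server", seq=isn, syn=True, ack=True, ack_num=(seg.seq + 1) % SEQ_MOD)

    def on_ack(self, seg):
        # Step 3: the connection opens only if the ACK carries our ISN + 1.
        isn = self.half_open.pop(seg.src, None)
        return isn is not None and seg.ack_num == (isn + 1) % SEQ_MOD

def sequential_isn(start=1000, step=64000):
    """Predictable policy (constructed): each new connection gets the previous ISN plus a fixed step."""
    counter = itertools.count(start, step)
    return lambda: next(counter) % SEQ_MOD

def random_isn():
    return secrets.randbelow(SEQ_MOD)   # unpredictable policy: a fresh 32-bit value per connection

def handshake(server, client, client_isn):
    """Legitimate client: it receives the SYN-ACK, so it can echo the server's ISN + 1."""
    syn_ack = server.on_syn(Segment(client, client_isn, syn=True))
    return server.on_ack(Segment(client, client_isn + 1, ack=True, ack_num=(syn_ack.seq + 1) % SEQ_MOD))

def offpath_completion(server, spoofed, last_isn, step):
    """A sender forging `spoofed` as its source never sees the SYN-ACK, so it can only extrapolate
    the server's ISN from an earlier one; this succeeds only against a predictable ISN policy."""
    server.on_syn(Segment(spoofed, 0, syn=True))
    guess = (last_isn + step) % SEQ_MOD
    return server.on_ack(Segment(spoofed, 1, ack=True, ack_num=(guess + 1) % SEQ_MOD))
```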
Man-in-the-Middle Attacks
A complex form of IP spoofing is called a man-in-the-middle attack, where the hacker monitors the traffic and introduces himself as a stealth intermediary between the sender and the receiver.
Hackers use man-in-the-middle attacks to perform many security violations:
Theft of information
Hijacking of an ongoing session to gain access to your internal network resources
Analysis of traffic to derive information about your network and its users
DoS
Corruption of transmitted data
Introduction of new information into network sessions
Confidentiality Attack
Confidentiality breaches can occur when an attacker attempts to obtain access to read sensitive data.
These attacks can be extremely difficult to detect because the attacker can copy sensitive data without the knowledge of the owner and without leaving a trace.
A confidentiality breach can occur simply because of incorrect file protections. For instance, a sensitive file could mistakenly be given global read-access. Unauthorized copying or examination of the file would probably be difficult to track without having some type of audit mechanism running that logs every file operation.
If a user had no reason to suspect unwanted access, however, the audit file would probably never be examined.
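Because reading a world-readable file leaves no trace without auditing, the cheaper control is to find such files before anyone reads them. The check below is an added example for this section, not code from the slides: it walks a directory tree and reports regular files whose mode grants read access to "others", and builds a constructed sample tree (one file correctly restricted to its owner, one left world-readable) to exercise it. POSIX permission bits are assumed.

```python
import os
import stat
import tempfile

def world_readable_files(root):
    """Return relative paths of regular files under root whose mode has the
    'other' read bit set, i.e. the global read-access mistake described above."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode          # lstat: do not follow symlinks
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                found.append(os.path.relpath(path, root))
    return sorted(found)

def build_sample_tree():
    """Constructed sample (not from the page): a sensitive file protected with 0600
    and a file mistakenly left at 0644; returns the directory to audit."""
    root = tempfile.mkdtemp()
    sensitive = os.path.join(root, "payroll.csv")
    exposed = os.path.join(root, "notes.txt")
    for path in (sensitive, exposed):
        with open(path, "w") as fh:
            fh.write("sample content\n")
    os.chmod(sensitive, 0o600)
    os.chmod(exposed, 0o644)
    return root

if __name__ == "__main__":
    for rel in world_readable_files(build_sample_tree()):
        print("world-readable:", rel)
```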
Confidentiality Attack Methods
Packet sniffing
Port scanning
Dumpster diving
Emanation capturing
Wiretapping
Social engineering
Overt channel
Covert channel