Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
1. Malware and security
2. Malware
- General misconception among people
- Malware = “malicious software”
- Malware is any kind of unwanted software that is installed without your consent on your computer.
- Viruses, worms, Trojan horses, bombs, spyware, adware are subgroups of malware.
Gurbakash Phonsa 2
3. Classification of malware
- Malware can be classified into several categories, depending on propagation and concealment
- Propagation
  - Virus: human-assisted propagation (e.g., open email attachment)
  - Worm: automatic propagation without human assistance
- Concealment
  - Rootkit: modifies operating system to hide its existence
  - Trojan: provides desirable functionality but hides malicious operation
- Various types of payloads, ranging from annoyance to crime
  - Malware for stealing information: spyware, keyloggers, screen scrapers
  - Malware for profit: dialers, scareware, ransomware
4. Computer Viruses
- A computer virus is computer code that can replicate itself by modifying other files or programs to insert code that is capable of further replication.
- This self-replication property is what distinguishes computer viruses from other kinds of malware, such as logic bombs.
- Another distinguishing property of a virus is that replication requires some type of user assistance, such as clicking on an email attachment or sharing a USB drive.
5. Viruses
- A virus tries to infect a carrier, and then relies on the carrier to spread the virus around.
- A computer virus is a program that can replicate itself and spread from one computer to another.
6. Biological Analogy
- Computer viruses share some properties with biological viruses
- Figure: life cycle of a biological virus: attack, penetration, replication and assembly, release
7. Virus Phases
- Dormant phase. During this phase, the virus just exists; it is lying low and avoiding detection.
- Propagation phase. During this phase, the virus is replicating itself, infecting new files on new systems.
- Triggering phase. In this phase, some logical condition causes the virus to move from the dormant or propagation phase to performing its intended action.
- Action phase. In this phase, the virus performs the malicious action that it was designed to perform, called the payload.
- This action could be something seemingly innocent, like displaying a silly picture on a computer’s screen, or something quite malicious, such as deleting all essential files on the hard drive.
8. Defenses Against Viruses
- Virus signature: experts study the infected files looking for code fragments that are unique to the particular computer virus. Once they have located such a set of characteristic instructions, they can construct a character string that uniquely identifies this virus. This character string is known as a signature for the virus; it amounts to a kind of digital fingerprint.
- Virus detection software packages have to be updated frequently, so that they are always using the most up-to-date database of virus signatures.
9. Computer Worms
- A computer worm is a malware program that spreads copies of itself without the need to inject itself into other programs, and usually without human interaction.
- Thus, computer worms are technically not computer viruses (since they don’t infect other programs), but some people nevertheless confuse the terms, since both spread by self-replication.
- In most cases, a computer worm will carry a malicious payload, such as deleting files or installing a backdoor.
10. Worm Propagation
- Worms propagate by finding and infecting vulnerable hosts.
- They need a way to tell if a host is vulnerable.
- They need a way to tell if a host is already infected.
- Figure: worm propagation tree starting from an initial infection
11. Worms
- Worms and viruses are commonly interchanged in the media.
- In reality a worm is more dangerous than a virus.
- User propagation vs. self propagation
- A worm is designed to replicate itself and disperse throughout the user’s network.
- Email worms and Internet worms are the two most common kinds of worm.
12. Email Worm
- An email worm goes into a user’s contact/address book and chooses every user in that contact list.
- It then copies itself into an attachment; when the recipient opens the attachment, the process starts over again!
- Video Example: I LOVE YOU WORM
13. Internet Worms
- An internet worm is designed to be inconspicuous to the user.
- The worm scans the computer for open internet ports through which the worm can download itself onto the computer.
- Once inside the computer, the worm scans the internet to infect more computers.
14. Insider Attacks
- An insider attack is a security breach that is caused or facilitated by someone who is a part of the very organization that controls or builds the asset that should be protected.
- In the case of malware, an insider attack refers to a security hole that is created in a software system by one of its programmers.
15. Logic Bombs
- A logic bomb is a program that performs a malicious action as a result of a certain logic condition.
- The classic example of a logic bomb is a programmer coding up the software for the payroll system who puts in code that makes the program crash should it ever process two consecutive payrolls without paying him.
- Another classic example combines a logic bomb with a backdoor, where a programmer puts in a logic bomb that will crash the program on a certain date.
16. Scareware
- Software
  - with malicious payloads, or of limited or no benefit
  - sold by social engineering to cause shock, anxiety, or the perception of a threat
- Rapidly increasing
  - Anti-Phishing Working Group: the number of scareware packages rose from 2,850 to 9,287 in the 2nd half of 2008.
  - In the 1st half of 2009, the APWG identified a 583% increase in scareware programs.
  - A 2010 study by Google found 11,000 domains hosting fake anti-virus software, accounting for 50% of malware delivered via Internet advertising
17. Trojan Horses
- A Trojan horse (or Trojan) is a malware program that appears to perform some useful task, but which also does something with negative consequences (e.g., launches a keylogger).
- Trojan horses can be installed as part of the payload of other malware but are often installed by a user or administrator, either deliberately or accidentally.
18. Trojans
- Trojan horse: a program or software designed to look like a useful or legitimate file.
- Once the program is installed and opened, it steals information or deletes data.
- Compared to other types of malware, a Trojan horse usually runs only once and is then done functioning.
19. Trojans cont.
- Some create back-door effects
- Another way Trojans are distributed is by infecting a server that hosts websites.
- Downfall of Trojans: very reliant on the user.
- Video Example: Netural Zlob Trojan
20. Current Trends
- Trojans currently have the largest infection potential
- Often exploit browser vulnerabilities
- Typically used to download other malware in multi-stage attacks
Source: Symantec Internet Security Threat Report, April 2009
21. Rootkit
- A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications.
- Emphasis is on hiding information from administrators’ view, so that malware is not detected
  - E.g., hiding processes, files, opened network connections, etc.
- Example: Sony BMG copy protection rootkit scandal
  - In 2005, Sony BMG included Extended Copy Protection on music CDs, which was automatically installed on Windows when the CDs were played.
22. Rootkits
- A rootkit modifies the operating system to hide its existence
  - E.g., modifies file system exploration utilities
  - Hard to detect using software that relies on the OS itself
- RootkitRevealer
  - By Bryce Cogswell and Mark Russinovich (Sysinternals)
  - Two scans of the file system
    - High-level scan using the Windows API
    - Raw scan using disk access methods
  - A discrepancy reveals the presence of a rootkit
  - Could be defeated by a rootkit that intercepts and modifies the results of raw scan operations
- http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/rootkits.pdf
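The cross-view comparison this slide describes, as an added example (not code from the deck or from RootkitRevealer): a generic diff of a high-level listing against a raw listing, run on constructed file names, plus a hypothetical Linux helper that applies the same idea to processes by comparing the /proc listing with kill(pid, 0) probes. It assumes a Linux /proc filesystem for the process part; the file-name samples are made up.

```python
import os

def cross_view_diff(api_view, raw_view):
    """Compare two listings of the same objects taken through different
    code paths. Entries present only in the raw view are hidden from the
    high-level API (the RootkitRevealer symptom); entries present only in
    the API view are phantoms, which are also worth a closer look."""
    api_view, raw_view = set(api_view), set(raw_view)
    return {
        "hidden": sorted(raw_view - api_view),
        "phantom": sorted(api_view - raw_view),
    }

def linux_process_views():
    """Hypothetical helper (not a Sysinternals tool) applying the same idea
    to processes on Linux: the high-level view is the /proc listing, the
    low-level view probes every PID with kill(pid, 0), which still answers
    for a process that a doctored directory listing no longer shows."""
    listed = {int(name) for name in os.listdir("/proc") if name.isdigit()}
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    probed = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
            probed.add(pid)
        except ProcessLookupError:
            pass
        except PermissionError:
            probed.add(pid)  # exists, but belongs to another user
    # kill() also answers for thread IDs, which /proc does not list; drop them
    # so that ordinary multithreaded programs are not reported as hidden.
    threads = set()
    for pid in listed:
        try:
            threads |= {int(t) for t in os.listdir("/proc/%d/task" % pid)}
        except OSError:
            pass  # the process exited between the two reads
    return listed, probed - (threads - listed)

if __name__ == "__main__":
    # Constructed listings standing in for the Windows API scan and the raw
    # disk scan: one file shows up only on disk.
    api_scan = ["boot.ini", "ntldr", "player.exe"]
    raw_scan = ["boot.ini", "ntldr", "player.exe", "hidden_driver.sys"]
    print(cross_view_diff(api_scan, raw_scan))
    if os.path.isdir("/proc"):
        # Processes start and exit between the two views, so re-check any
        # discrepancy before treating it as a hidden process.
        print(cross_view_diff(*linux_process_views()))
```

As the slide notes, a rootkit that also hooks the low-level path (here, the kill() syscall) defeats the comparison, which is why such tools are only one layer of detection.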
23. Adware
Figure: adware software payload flow
- The adware engine infects a user’s computer.
- The adware engine requests advertisements from the adware agent.
- Advertisers contract with the adware agent for content.
- The adware agent delivers ad content to the user.
24. Spyware
Figure: spyware software payload flow
1. The spyware engine infects a user’s computer.
2. The spyware process collects keystrokes, passwords, and screen captures.
3. The spyware process periodically sends collected data to the spyware data collection agent.
25. Adware and Spyware
- Adware is a type of malware designed to display advertisements in the user’s software.
- It can be designed to be harmless or harmful; the adware gathers information on what the user searches the World Wide Web for.
- With this gathered information it displays ads corresponding to the information collected.
26. Adware and Spyware cont.
- Spyware is like adware: it spies on the user to see what information it can collect off the user’s computer, in order to display pop-up ads on the user’s computer.
- Unlike adware, spyware likes to use memory from programs running in the background of the computer to keep a close watch on the user.
- This most often clogs up the computer, causing the program or computer to slow down and become unusable.
27. Signatures: A Malware Countermeasure
- Scan: compare the analyzed object with a database of signatures
  - A signature is a virus fingerprint
  - E.g., a string with a sequence of instructions specific to each virus
  - Different from a digital signature
- A file is infected if there is a signature inside its code
  - Fast pattern matching techniques to search for signatures
- All the signatures together create the malware database, which usually is proprietary
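The signature scan described here and on slide 8, as an added example (not code from the deck or from any antivirus vendor): a constructed toy signature database, written as hex byte strings with `??` single-byte wildcards, is compiled into one regular expression and run over constructed sample files in a single pass; the last sample shows why a one-byte change in the malware defeats a fixed signature.

```python
import re

# Constructed toy signature database: name -> hex bytes, "??" = any one byte.
# Real vendor databases are proprietary and hold far more, much longer patterns.
SIGNATURE_DB = {
    "Demo.Virus.A": "90 90 eb ?? 5e 8d 76",       # made up, not a real virus
    "Demo.Worm.B": "53 50 52 45 41 44 5f 4d 45",   # the bytes of b"SPREAD_ME"
}

def compile_signatures(db):
    """Join all signatures into one regex so a file is scanned in a single
    pass, a simple stand-in for the multi-pattern matchers AV engines use."""
    parts = []
    for idx, hexsig in enumerate(db.values()):
        body = b"".join(
            b"." if tok == "??" else re.escape(bytes.fromhex(tok))
            for tok in hexsig.split()
        )
        parts.append(b"(?P<s" + str(idx).encode() + b">" + body + b")")
    return re.compile(b"|".join(parts), re.DOTALL)

def scan(data, db=SIGNATURE_DB):
    """Return [(signature name, offset)] for every signature found in data;
    an empty list means no known fingerprint is present (not that it is clean)."""
    names = list(db)
    hits = []
    for match in compile_signatures(db).finditer(data):
        hits.append((names[int(match.lastgroup[1:])], match.start()))
    return hits

# Constructed samples: a clean file, a file carrying both fingerprints, and a
# variant whose last virus byte changed, so the fixed signature misses it.
HEADER = b"MZ" + b"\x00" * 6
CLEAN = HEADER + b"just an ordinary program"
INFECTED = HEADER + bytes.fromhex("90 90 eb 07 5e 8d 76") + b"SPREAD_ME"
VARIANT = HEADER + bytes.fromhex("90 90 eb 07 5e 8d 77") + b"no worm here"

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("infected", INFECTED), ("variant", VARIANT)]:
        print(label, scan(sample))
```

Updating the database is just replacing SIGNATURE_DB, which is what the frequent signature updates on slide 8 amount to.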
28. Best Practices to safeguard against Malware
- Try to limit software installations to systems that come from trusted sources, including large corporations, which have to deal with public-relations nightmares when their software is exploited by malware.
- Avoid freeware and shareware unless it comes with verifiable guarantees about the absence of spyware and/or adware.
- Avoid peer-to-peer (P2P) music and video sharing systems, which are often hotbeds for adware, spyware, computer worms, and computer viruses.
- Install a network monitor that blocks the installation of known instances of privacy-invasive software or the downloading of web pages from known malware web sites.
29. Best Practices to safeguard against Malware
- Install a network firewall, which blocks the transmission of data to unauthorized locations, such as computers or email addresses of spyware sources.
- Use physical tokens, e.g., smartcards (Section 2.3.3), or biometrics (Section 2.3.5) in addition to passwords for authentication, so that even if a keylogger can capture the username and password, more information is required to compromise a user’s account (“separation of privilege”).
- Keep all software up-to-date. Computer worms usually don’t require direct interaction with humans. Instead, they spread by exploiting vulnerabilities in computers connected to a network. Therefore, the best way to thwart computer worms is to keep all programs updated.
30. Security software
- Security software is any computer program designed to enhance information security.
- The defense of computers against intrusion and unauthorized use of resources is called computer security.
- Similarly, the defense of computer networks is called network security.
31. Types of security software
- Access control
- Anti-keyloggers
- Anti-spyware
- Antivirus software
- Cryptographic software
- Firewall
- Intrusion detection system (IDS)
32. Antivirus Programs
- Antivirus programs are designed to detect malware trying to enter the user’s system.
- There are several ways an antivirus program can track malware entering the computer.
- Software can use:
  - Signature based detection
  - Heuristics
  - Cloud antivirus
  - Network firewall
33. Signature-Based Detection
- Most common way an antivirus finds malware on a computer
- Database of virus signatures
- Constant updates
- Not 100% foolproof
34. Heuristics
- Detection of malware is done by monitoring files and how certain programs try to modify the files on the system.
- When a modification takes place, the antivirus alerts the user and tries to remediate the problem.
35. Cloud Antivirus
- New form of antivirus program
- The virus scanning is done from a remote location (not on the computer).
- It is popular because it relieves the load on the physical computer’s resources.
- Constant functionality (nonstop scanning)
- Security issues
36. Network Firewall
- The operating system’s way of protecting the user from unknown programs.
- Not technically an antivirus program
- Monitors the TCP/IP ports that programs try to access.
37. Future Threats
- Almost everything is hooked up to the internet in some sort of form.
- Recent events have widened the eyes of many security experts.
- The ability to gain access to high security organizations, infrastructures or mainframes has frightened many people.
- Could one click of the mouse start World War III?
38. How can we protect ourselves
- Use an antivirus program and keep it up to date!
- Yes, they only protect from known malicious code out there, but it’s still something!
39. Operating System’s Security
- Keep your Operating System up to date!
- Windows is one of the most hacked OS on the market.
- The updates are mostly focused on security patches
40. Become An Informed User!
- Become aware of what you are doing on the internet!
- Don’t click on pop up ads!
- Keep up to date on current issues happening on the web!