
Computer Security set of slides 7

Computer Security set of slides 7. Dr Alexei Vernitski. Viruses and other malware. Viruses Worms Trojans Rootkits Trapdoors/backdoors (see more in textbooks). Viruses.





Presentation Transcript


  1. Computer Security set of slides 7 Dr Alexei Vernitski

  2. Viruses and other malware • Viruses • Worms • Trojans • Rootkits • Trapdoors/backdoors (see more in textbooks)

  3. Viruses • The discovery of computer viruses was one of the most important factors that put computer security issues in the spotlight • Now, viruses are not as widespread as 15 or 20 years ago, but they are still around and can damage computer systems.

  4. Viruses: biological analogy • A biological virus is a small germ which does not have its own organs of reproduction and uses the infected organism’s cells for reproduction.

  5. Computer viruses • Each virus is written by a malicious programmer. It is not true that viruses can appear in computers by themselves. • (unlike some trapdoors)

  6. What is a virus? • Code written with the express intention of replicating itself • In simpler words, a virus is a program that can infect other programs by including in them a copy of itself

  7. Examples of virus code • Virus in an interpreted language • Virus in a compiled language

  8. Virus damage • Usually, viruses do not do anything useful for their author; they are just pranks • Viruses range from the mildly annoying to the downright destructive

  9. Virus damage • Most viruses are comparatively harmless, and may be present for years with no noticeable effect: some, however, may cause random damage to data files or attempt to destroy files. • Some viruses cause unintended damage. • Even benign viruses cause significant damage by occupying disk space and main memory, by using up CPU processing time, and by the time and expense wasted in detecting and removing them.

  10. Targets of viruses • Some viruses affect individual programs; therefore, there can be a copy of the virus in every program on the computer • Other viruses affect the operating system; therefore, there can be a copy of the virus on every computer disk

  11. Targets of viruses • Some viruses are platform-dependent: they can work only within one particular operating system (of these viruses, 99% are oriented against the PC platform) • Other viruses are platform-independent: these are macro viruses, working within a cross-platform environment (e.g. MS Word)

  12. Example: Brain • Year: 1986 • Brain is a boot sector virus • It could spread on MS DOS PCs

  13. (Diagram: Brain spreading between disks, labelled Hard disk 1, Floppy 1, Hard disk 2 and Floppy 2)

  14. Example: Melissa • Year: 1999 • Melissa is a macro virus living in MS Word documents. • It can spread on both PC and Mac platforms

  15. Melissa (Diagram: an infected Word file containing the virus's code is run by the interpreter of Visual Basic for Mac and by the interpreter of Visual Basic for PC, i.e. on both Mac and PC)

  16. A lesson • Viruses cannot spread unless you run an infected program or open an infected document • Therefore, the good news is that a virus does not spread without human action to move it along, such as sharing a file or sending an e-mail

  17. Ways of attaching a virus to a program • Overwriting • Appending • For the sake of example, let us assume that a file with a program contains only executable instructions, and all these instructions are executed in order

  18. Before infecting (Diagram: a program to be infected consists of the instructions Do something 1 to Do something 12, executed in order; the virus code is shown separately. Panels: "A program to be infected", "An infected program is executed")

  19. Overwriting (Diagram: the virus code is written over the program's instructions; when the infected program is executed, the virus code runs in place of the instructions it replaced)

  20. Before infecting (Diagram: same as slide 18, the uninfected program Do something 1 to Do something 12 and the virus code)

  21. Appending (Diagram: the virus code is joined to the program in front of its instructions; when the infected program is executed, the virus code runs first, followed by Do something 1 to Do something 12)

  22. Overwriting vs appending • If the virus overwrites the program, the program stops working, and the user will notice that immediately. • If the virus appends itself to the program, the length of the program changes, and this is easy to check.

  23. Stealth • The name comes from the bomber aircraft which radar cannot detect

  24. Stealth viruses • A stealth virus infects both files and the operating system • If you view or edit the infected file, it looks uninfected • If you execute the infected file, it works as infected

  25. Reading from a file infected by a stealth virus (Diagram: "You think you are reading from here" points at the virus code; "In fact, you are reading from here" points at the original file content)

  26. Polymorphic viruses • A polymorphic virus changes its code every time it infects a program • Therefore, it is more difficult to find

  27. For example, a polymorphic virus can distribute its code inside the original program (Diagram: the original file content with Virus code 1, Virus code 2 and Virus code 3 placed at different points inside it)

  28. Stuxnet virus • Stuxnet is one of the most famous recent viruses • It is very advanced and it seems that it was written with some specific purpose in mind, which is still unclear

  29. Stuxnet virus • The Stuxnet virus infects Windows computers using a number of methods, including, for example, USB flash drives. • It tries to infect as many Windows computers as possible.

  30. Stuxnet virus • When the Stuxnet virus finds a computer which runs software for programming a specific brand of controllers (Siemens), it infects this software. • Stuxnet only attacks controllers used for controlling the speed of a specific brand and type of electric motors. • It is not clear what exactly Stuxnet does then.

  31. Stuxnet virus • Stuxnet is a virus of unprecedented complexity: • It works within two programming environments • It attempts to control production processes (via electric motors) • It is unusually large for viruses • It is written in two programming languages • Its code is encrypted and is difficult to understand

  32. Stuxnet virus • It is believed that Stuxnet is an example of ‘cyberwarfare’ • It is believed that Stuxnet was written with an intent to disrupt the production of nuclear weapons by Iran • It is believed that the virus was successful in affecting the work of some nuclear reactors in Iran in 2010.

  33. Stuxnet • In December 2012, the Stuxnet virus returned: http://www.bbc.co.uk/news/technology-21075781 • Ways of spreading: “Stuxnet was not like a worm. It was written for a specific platform and its vector for spreading was from laptop to laptop or USB drive” http://www.theregister.co.uk/2012/09/13/stuxnet/

  34. Prevention of virus infection • There is a theorem saying that no antivirus program can find all viruses! • You need to use a combination of managerial and programming solutions

  35. Where do viruses come from • Global Access Networks and Email • Email Conferences, File Servers, FTP and BBS • Local Access Networks • Pirated Software • General Access Personal Computers • Repair Services

  36. Virus infection • “If you bought an iPod between September 12, 2006 and October 18, 2006, there is, according to Apple, a 1 percent chance it contains a worm called RavMonE.exe.” http://electronics.howstuffworks.com/ipod-virus.htm

  37. Purchasing software • Use only commercial software acquired from reliable, well-established vendors with significant reputations • Example: open-source software seems to be safe, but can be infected

  38. Keeping an eye on new software • If possible, test all new software on an isolated computer and look for unexpected behaviour • Run an up-to-date antivirus program after installing new software

  39. Taking care with e-mail attachments • Open attachments only when you know them to be safe • Example: DOC vs RTF • Can .jpg files contain viruses? Example: http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Exploit:Win32/MS04028!jpeg

  40. System recovery • Make a system image and store it safely • Make and retain backup copies of executable system files

  41. Data recovery • Back up all your work regularly and store backups safely • This rule not only protects you against viruses but e.g. against computer theft

  42. Antivirus programs • Antivirus programs are otherwise known as virus detectors or virus scanners • Use them, and update them regularly

  43. Signature • Simple virus detectors search files looking for a given signature in them. • A signature is a piece of code typical of a particular virus. • (Of course, it is just a simple virus detector: it will not be able to detect polymorphic viruses.)
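A minimal signature scanner of the kind slide 43 describes, added here as an illustration (it is not part of the lecture). The signature database and the sample "files" are constructed for the example; the third sample shows the limitation the slide mentions: an exact-byte signature cannot find a copy whose code has been changed.

```python
# Hypothetical signature database: name -> byte string typical of that "virus".
# Every pattern and every sample file below is constructed for this example; none is real malware.
SIGNATURES: dict[str, bytes] = {
    "Sample-A": b"\x90\x90INFECT\x00",
    "Sample-B": b"SAMPLE_B_MARKER",
}

def scan_bytes(data: bytes) -> list[tuple[str, int]]:
    """Return (signature name, offset) for each occurrence of a known signature in data."""
    hits = []
    for name, sig in SIGNATURES.items():
        start = 0
        while (idx := data.find(sig, start)) >= 0:
            hits.append((name, idx))
            start = idx + 1
    return hits

def scan_files(files: dict[str, bytes]) -> dict[str, list[tuple[str, int]]]:
    """Scan a set of in-memory 'files' (path -> contents) and keep only those with hits."""
    report = {}
    for path, content in files.items():
        hits = scan_bytes(content)
        if hits:
            report[path] = hits
    return report

# Constructed sample contents: a clean program, the same program with a copy of "virus code"
# placed in front of it (the appending layout from the slides), and a copy in which one byte of
# that code differs, which is the effect a polymorphic virus has by changing its code on each copy.
PROGRAM = b"Do something 1\nDo something 2\nDo something 3\n"
INFECTED = b"\x90\x90INFECT\x00" + PROGRAM
VARIANT = b"\x90\x91INFECT\x00" + PROGRAM

SAMPLE_FILES = {"clean.exe": PROGRAM, "infected.exe": INFECTED, "variant.exe": VARIANT}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(path, hits)
    # variant.exe is not reported: an exact-byte signature misses any changed copy.
```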

  44. Data integrity checking • Use validation and data integrity checking utilities. They check file information (checksums, sizes, attributes, last modification dates etc.). You should periodically compare such database information with the actual hard drive contents, because any inconsistency might be a signal of the presence of a Trojan horse or virus.
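An integrity checking utility of the kind slide 44 describes, which also demonstrates the point of slide 22 (an appended-to program changes length, which is easy to check; an overwritten one may keep its length, so the checksum is needed). This is an added Python example, not part of the lecture; the file names, the "VIRUS-CODE" marker and the toy programs are constructed.

```python
import hashlib
import os
import tempfile

def file_record(path: str) -> tuple[int, str, float]:
    """Collect the file information a checking utility stores: size, checksum, modification time."""
    st = os.stat(path)
    with open(path, "rb") as f:                       # files here are small; read them whole
        digest = hashlib.sha256(f.read()).hexdigest()
    return (st.st_size, digest, st.st_mtime)

def build_baseline(paths: list[str]) -> dict[str, tuple[int, str, float]]:
    """Record the baseline database; in practice this is taken on a known-clean system."""
    return {p: file_record(p) for p in paths}

def check_against_baseline(baseline: dict[str, tuple[int, str, float]]) -> dict[str, list[str]]:
    """Compare the stored records with the files as they are now and report every inconsistency."""
    findings: dict[str, list[str]] = {}
    for path, (size, digest, mtime) in baseline.items():
        if not os.path.exists(path):
            findings[path] = ["missing"]
            continue
        now_size, now_digest, now_mtime = file_record(path)
        problems = []
        if now_size != size:
            problems.append(f"size changed {size} -> {now_size}")
        if now_digest != digest:
            problems.append("checksum changed")
        if now_mtime != mtime:
            problems.append("modification time changed")
        if problems:
            findings[path] = problems
    return findings

def demo() -> dict[str, list[str]]:
    """Constructed demonstration: three toy 'programs'; one is appended to, one overwritten, one untouched."""
    tmpdir = tempfile.mkdtemp()
    body = b"Do something 1\nDo something 2\nDo something 3\n"  # 45 bytes
    paths = {n: os.path.join(tmpdir, n) for n in ("appended.bin", "overwritten.bin", "clean.bin")}
    for p in paths.values():
        with open(p, "wb") as f:
            f.write(body)
    baseline = build_baseline(list(paths.values()))
    with open(paths["appended.bin"], "wb") as f:      # appending: the length grows, easy to check
        f.write(b"VIRUS-CODE\n" + body)
    with open(paths["overwritten.bin"], "wb") as f:   # overwriting: same length, only the checksum tells
        f.write(b"VIRUS-CODE" + body[10:])
    return {os.path.basename(p): v for p, v in check_against_baseline(baseline).items()}
```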

  45. Behaviour Blockers • Anti-virus behaviour blockers are memory-resident programs that intercept potential virus danger and warn the user about it. • Such virus danger may be detected during write calls to executable files, boot sector writes, attempts by programs to go TSR (terminate and stay resident), etc., that is, the operations characteristic of viruses in their attempts to spread.

  46. Immunizers • With these programs, disk files are modified in such a way that the virus considers them already infected.

  47. Frankenstein viruses • Experiments with Frankenstein technology try to construct viruses from fragments of benign code http://www.newscientist.com/article/mg21528785.600-frankenstein-virus-creates-malware-by-pilfering-code.html

  48. Sample exam questions • A simple virus infects a program by adding its code to the code of the program. Explain two main strategies the virus can have at this point, and explain the advantages and the disadvantages of each one, from the point of view of the virus. • Discuss what goals the attackers might choose to achieve with viruses (as opposed to other types of malware).
