“Unix. The world's first computer virus.”
Title of Chapter 1 of ‘The Unix Haters Handbook’, written by serious computer scientists (ISBN: 1-56884-203-1)
Classification of Threats
Threats may exploit weaknesses in
1. the operating system (W32, W95, Linux, etc.),
2. the applications they infect (W97M, WordPro, X97M, etc.),
3. the language (HTML, VBS, JS, etc.).
Delivery of malicious code to a user's machine:
A trapdoor: code that recognizes some special (unlikely) sequence of inputs, or is triggered by being run from a special user ID.
Some programs require special privileges and authentication before they can be accessed, or a long setup (providing many initial values of variables) followed by authentication.
While debugging, one may want to be able to open the program without going through these procedures.
A trapdoor allows one to activate the program even if something is wrong with the authentication procedure.
Taxonomy of malicious programs (Ref.: Fig. 19.1, p. 599, Stallings):
Need a host program: trap doors, logic bombs, Trojan horses, viruses.
Independent programs: zombies, worms.
A logic bomb or a Trojan horse may be part of a virus or worm.
Those that won’t replicate: trap doors, logic bombs, Trojan horses.
Those that replicate themselves: viruses and worms, i.e. programs (or program fragments) that, when executed, may produce one or more copies of themselves on the same system or on some other system.
Malicious software runs with the user’s authority (without the user's knowledge or permission);
hence it can do anything the user can do.
TYPES: Back doors/trap doors: allow unauthorized access to your system.
Logic bombs: usually embedded in programs by software developers who have legitimate access to the system; the bomb performs its damaging action when some condition it checks for is met.
Examples of Trojan horse attacks:
The code creates a trapdoor in the login program that permits the author to log on to the system using a special password. It is difficult to discover by reading the source code of the program: in Thompson's version the trapdoor is inserted by a modified C compiler every time it compiles login, so the login source itself looks clean.
Ref.: THOM 84 (Thompson, ‘Reflections on Trusting Trust’), from Stallings.
Viruses: not distinct programs;
they need to have some host program, of which they are a part, executed in order to activate them;
they execute secretly when the host program is run.
A typical virus takes control of the computer's disk operating system. Whenever the infected computer comes in contact with an uninfected piece of software, a fresh copy of the virus is attached to the new program.
Reference: a malicious program of this kind was called a virus by Cohen. Cohen, F., ‘Computer Viruses’, Computer Security: A Global Challenge, Elsevier Press, 1984, pp. 143-158.
Examples of worms:
Morris worm (November 1988), for Unix systems,
Code Red (July 2001), Code Red II (August 2001),
Nimda (September 2001).
Phases in the life of a virus:
1. Dormant phase: the virus is idle and is eventually activated by some event (a date, the presence of another program or file, a count). Some viruses may not have this stage.
2. Propagation phase: the virus places a copy of itself into other programs or system areas. Both a worm and a virus first check whether the file/system is already infected; if not, they do the job.
3. Triggering phase: the virus is activated to perform its function; the trigger may be some system event, including a count of the number of copies the virus has made.
4. Execution phase: performs its function, which may be harmless (a message on the screen) or damaging (destruction of programs and data).
Viruses are designed to take advantage of the weaknesses of the OS and/or the hardware platform.
Trojan Horse vs Virus:
Propagation of viruses: malicious programs originally arrived via tapes and disks, and the spread of a virus around the world took many months.
Today, Trojan horses and viruses are network deliverable as
They could arrive as part of a game or a useful utility, copied from some electronic bulletin board.
Mobile-program systems, e.g. Java and ActiveX: a mobile program may act as the carrier of a virus.
Any mechanism for sharing files – programs, data, documents or images – can transfer a virus.
Or, like a logic bomb, the damaging action may take place in response to some trigger.
Usually the first two steps take so little time that one fails to notice any difference.
Structure of a simple virus V (pseudocode):
    jump to main;                          (placed as the first instruction of the infected program)
    infect:  file := choose an uninfected executable file;
             prepend V to file;
    trigger: return (some test ? 1 : 0);
Parasitic virus: attaches itself to executable files and replicates, when the infected program is executed, by finding other files to infect.
Memory-resident virus: stays in main memory as a part of a system program and then infects every program that executes (like Terminate and Stay Resident, TSR, programs).
Boot-sector virus: infects a boot record and spreads when a system is booted from the disk containing the virus.
The boot sector holds the code the system needs to start up and lies outside the file system, so it is not visible through the OS's file listing; a boot-sector virus will therefore not show up in a normal listing of files.
Polymorphic virus: creates copies that are functionally equivalent but have distinctly different bit patterns, so the signature of each copy varies and a virus scanner finds it difficult to locate.
Typically the body of the virus is encrypted under a random key and prefixed with a decryption routine; when the virus infects another host, the mutation engine generates a different key (and a varied decryptor).
Thus every host carries a different signature for the virus.
There are two other types: the stealth virus and the macro virus.
A stealth virus has code that seeks to conceal itself from discovery, or defends itself against attempts to analyze or remove it.
When the system seeks to open an infected file, the stealth virus intercepts the request and presents the uninfected version, thus hiding itself.
There are many techniques to leave the file length, and even a checksum, unchanged and yet infect.
Three types of auto-executing macros in Word:
1. Start-up auto-execute (AutoExec): executed when Word is started.
2. Automacro: executes when some event occurs, like opening/closing a document, creating a new document, or quitting Word.
3. Command macro: executes when a Word command, like FileSave, is executed.
Microsoft has developed a Macro Virus Protection Tool. It detects suspicious files and alerts the user to the risk of opening them.
A macro virus is a piece of self-replicating code inserted into an auto-execute macro; when the macro runs, it copies itself to other documents.
Macro viruses spread fast because
Ex.: a virus called Melissa (1999) used a macro embedded in a Word document attached to an e-mail. On opening the Word attachment, the macro ran and mailed copies of the document to addresses in the victim's address book.
In 1999, new e-mail viruses appeared. These could infect as soon as one opened the carrier e-mail, without opening an attachment.
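The three kinds of auto-executing macro above are what a macro scanner has to look for. The following is an added example (Python; not the Microsoft tool and not code from the original slides): given the VBA source text of a document's macro module, constructed here as a sample, it lists the procedures that are auto-execute entry points and flags references to the global template or the VBA project, which a macro virus needs in order to copy itself into other documents. The macro and command name lists are an assumed subset of Word's, and the sample source is constructed for the demonstration.

```python
"""Flag auto-executing macros in extracted VBA source (added example)."""
import re

# Assumption: a subset of Word's auto-macro and command names, grouped by the
# three kinds of auto-execution. Word knows more names than listed here.
STARTUP_MACROS = {"autoexec"}
AUTO_MACROS = {"autoopen", "autoclose", "autonew", "autoexit",
               "document_open", "document_close", "document_new"}
COMMAND_MACROS = {"filesave", "filesaveas", "fileopen", "fileclose",
                  "fileprint", "toolsmacro"}
# Objects a macro has to touch in order to copy itself into the global
# template or into another document's VBA project.
REPLICATION_HINTS = ("NormalTemplate", "VBProject", "VBComponents", "MacroCopy")

PROC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)\s*\(",
    re.MULTILINE | re.IGNORECASE)


def classify(proc_name: str):
    """Return which kind of auto-executing macro a procedure name is, or None."""
    name = proc_name.lower()           # VBA identifiers are case-insensitive
    if name in STARTUP_MACROS:
        return "startup"
    if name in AUTO_MACROS:
        return "automacro"
    if name in COMMAND_MACROS:
        return "command"
    return None


def analyze(vba_source: str) -> dict:
    """Report auto-exec entry points and replication hints in one module's source."""
    procedures = PROC_RE.findall(vba_source)
    auto_exec = {p: classify(p) for p in procedures if classify(p)}
    hints = sorted(h for h in REPLICATION_HINTS if h in vba_source)
    return {
        "procedures": procedures,
        "auto_exec": auto_exec,
        "replication_hints": hints,
        # Auto-execution alone is common in legitimate documents; auto-execution
        # that also reaches for the template/project is the macro-virus pattern.
        "suspicious": bool(auto_exec) and bool(hints),
    }


# Constructed sample: an automacro, a command macro that overrides File > Save,
# and a routine that reaches into the global template's VBA project.
SAMPLE_VBA = """\
Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    Call Spread
End Sub

Sub FileSave()
    ' runs in place of the built-in Save command, then saves normally
    Call Spread
    ActiveDocument.Save
End Sub

Sub Spread()
    Dim src, dst
    Set src = ActiveDocument.VBProject.VBComponents(1).CodeModule
    Set dst = NormalTemplate.VBProject.VBComponents(1).CodeModule
    ' ... copy src into dst (omitted) ...
End Sub

Function Helper(x As Integer) As Integer
    Helper = x + 1
End Function
"""

BENIGN_VBA = """\
Sub FormatReport()
    Selection.Font.Bold = True
End Sub
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_VBA))
    print(analyze(BENIGN_VBA))
```

A real scanner would first extract the module source from the document's OLE streams; this example starts from the extracted text and only does the classification step.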
Zombie: a program that secretly takes over another Internet-attached computer; the program originates from some other host.
It then uses the computer that has been taken over for attacking a victim.
Objectives: to hide the originator of the attack,
and to attack the victim through a large number of zombie computers (as in a DDoS attack).
“Virus” is used, in the following slides on detection and removal of viruses, to stand for all types of malicious programs.
After detection of a virus, its identification and removal is required.
Second generation scanners: they record and check the length of all executables.
They also do integrity checking by calculating a checksum of a program and storing the encrypted checksum somewhere else.
Second generation (continued): a better method is to store an encrypted hash of the program rather than a simple checksum; a virus sophisticated enough to change a checksum cannot recompute the hash without the key.
The encryption key is stored in a separate place.
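As an added example (Python; not code from the slides or from any scanner), here is the difference between the two integrity checks just described. The "executables" are constructed byte strings held in a dict; the checksum is a byte-wise sum modulo 256, and the keyed hash is HMAC-SHA256 with a key assumed to be kept off the scanned machine. The stealth_infect routine is the trick mentioned under stealth viruses: it overwrites a zero-padded region of the host and adds one compensating byte, so that neither the file length nor the checksum changes, while the keyed hash still catches it.

```python
"""Integrity checking of executables: plain checksum vs keyed hash (added example)."""
import hashlib
import hmac

# Assumption: the scanner's key lives on a separate medium, as the slides
# require for the encryption key; here it is simply a constant.
SCANNER_KEY = b"kept-on-a-separate-medium"


def additive_checksum(data: bytes) -> int:
    """Byte-wise sum modulo 256: the kind of checksum an early scanner stored."""
    return sum(data) & 0xFF


def keyed_hash(data: bytes, key: bytes = SCANNER_KEY) -> str:
    """HMAC-SHA256 over the file; cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def baseline(files: dict) -> dict:
    """Record length, checksum and keyed hash of every executable (the scanner's database)."""
    return {name: (len(data), additive_checksum(data), keyed_hash(data))
            for name, data in files.items()}


def check(files: dict, database: dict) -> dict:
    """For every file, say which of the three stored values no longer matches."""
    report = {}
    for name, data in files.items():
        length, csum, kh = database[name]
        report[name] = {
            "length_changed": len(data) != length,
            "checksum_changed": additive_checksum(data) != csum,
            "keyed_hash_changed": keyed_hash(data) != kh,
        }
    return report


def stealth_infect(host: bytes, payload: bytes) -> bytes:
    """Constructed stealth infection: write the payload over the host's trailing
    zero padding and append one compensating byte, so the infected file has the
    same length and the same additive checksum as the original."""
    needed = len(payload) + 1
    if not host.endswith(b"\x00" * needed):
        raise ValueError("host has too little padding to hide the payload in")
    body = host[:-needed] + payload
    fix = (additive_checksum(host) - additive_checksum(body)) & 0xFF
    return body + bytes([fix])


# Constructed sample executables: a header, some "code", and zero padding.
ORIGINAL_EXECUTABLES = {
    "ls": b"\x7fELF" + b"legitimate ls code" + b"\x00" * 32,
    "cat": b"\x7fELF" + b"legitimate cat code" + b"\x00" * 32,
}
PAYLOAD = b"\xeb\x10VIRUS-BODY-01"      # constructed virus body


def demo() -> dict:
    """Baseline the clean files, infect one of them, and run the checks."""
    database = baseline(ORIGINAL_EXECUTABLES)
    current = dict(ORIGINAL_EXECUTABLES)
    current["ls"] = stealth_infect(current["ls"], PAYLOAD)
    return check(current, database)


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A plain SHA-256 stored next to the file would not help either, because the virus can recompute and rewrite it along with the file; what the keyed hash buys is that recomputation needs the key, which the slides place in a separate location.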
1) Generic Decryption (GD) technology: lets a scanner detect polymorphic viruses. It has three components:
a) CPU emulator: a virtual computer with software versions of all registers and other processor hardware, in which the suspect file is executed harmlessly.
b) Virus signature scanner: scans the emulator's memory for known signatures.
c) Emulator control module: controls the execution and decides how long to run.
Virus elements, in particular the decryption routine of a polymorphic virus, are usually activated immediately after a program starts execution, so after a short period of emulation the decrypted virus body is exposed in memory and can be scanned.
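An added example (Python; not code from the slides, from Stallings or from any product) that ties the polymorphic virus described earlier to the GD scanner described here. It uses a constructed toy instruction set: each copy of the "virus" is a short decryptor (key load, pointer and count setup, an XOR loop, halt) followed by the body XOR-encrypted under a key the mutation engine picks afresh, with a random number of junk NOPs so the decryptor itself varies too. scan_static looks for the body's signature in the file bytes as stored; scan_with_gd first runs the file in the emulator and then scans the emulator's memory.

```python
"""Polymorphic virus vs. signature scanning with generic decryption (added example)."""
import random

# Constructed toy instruction set: one-byte opcode, optional one-byte operand.
LOADKEY, SETPTR, SETCOUNT, XORBYTE, JNZ, NOP, HALT = 0x01, 0x02, 0x03, 0x04, 0x05, 0x90, 0x00

# Constructed virus body (constant across copies) and the scanner's signature for it.
BODY = b"VIRUS-BODY: infect next executable; pull trigger; do damage"
SIGNATURE = b"VIRUS-BODY"


def make_variant(rng: random.Random) -> bytes:
    """Mutation engine: a fresh key and fresh junk padding for every copy.
    Layout: decryptor, then BODY XOR-ed byte-wise with the key."""
    key = rng.randrange(1, 256)                  # 0 would leave BODY in clear
    junk1 = bytes([NOP]) * rng.randrange(0, 6)
    junk2 = bytes([NOP]) * rng.randrange(0, 6)
    body_start = 10 + len(junk1) + len(junk2)    # 10 fixed decryptor bytes + junk
    decryptor = (
        bytes([LOADKEY, key]) + junk1
        + bytes([SETPTR, body_start, SETCOUNT, len(BODY)]) + junk2
        + bytes([XORBYTE, JNZ, 0xFD, HALT])      # JNZ -3: back to XORBYTE while count != 0
    )
    assert len(decryptor) == body_start
    return decryptor + bytes(b ^ key for b in BODY)


def variant_for(seed: int) -> bytes:
    """One copy from a seeded engine (repeatable for tests)."""
    return make_variant(random.Random(seed))


def emulate(sample: bytes, max_steps: int = 5000) -> bytes:
    """CPU emulator: run the sample on a software-only machine and return the
    memory image when it halts. max_steps bounds the run (the control module)."""
    mem = bytearray(sample)
    pc = key = ptr = count = 0
    for _ in range(max_steps):
        if pc >= len(mem):
            break
        op = mem[pc]
        if op in (LOADKEY, SETPTR, SETCOUNT, JNZ) and pc + 1 >= len(mem):
            break                                  # operand missing
        if op == HALT:
            break
        elif op == NOP:
            pc += 1
        elif op == LOADKEY:
            key, pc = mem[pc + 1], pc + 2
        elif op == SETPTR:
            ptr, pc = mem[pc + 1], pc + 2
        elif op == SETCOUNT:
            count, pc = mem[pc + 1], pc + 2
        elif op == XORBYTE:                        # mem[ptr] ^= key; ptr++; count--
            if ptr < len(mem):
                mem[ptr] ^= key
            ptr, count, pc = ptr + 1, count - 1, pc + 1
        elif op == JNZ:                            # signed 8-bit offset from the next pc
            off = mem[pc + 1] - 256 if mem[pc + 1] > 127 else mem[pc + 1]
            pc = pc + 2 + off if count != 0 else pc + 2
        else:
            break                                  # unknown opcode: stop emulating
    return bytes(mem)


def scan_static(sample: bytes) -> bool:
    """Signature scanner applied to the file bytes as stored."""
    return SIGNATURE in sample


def scan_with_gd(sample: bytes) -> bool:
    """GD scanner: emulate first, then apply the same signature scanner to memory."""
    return SIGNATURE in emulate(sample)


def demo(seed: int = 1, copies: int = 5) -> dict:
    """Generate several copies and count which scanner catches them."""
    rng = random.Random(seed)
    variants = [make_variant(rng) for _ in range(copies)]
    return {
        "distinct_copies": len(set(variants)),
        "static_hits": sum(scan_static(v) for v in variants),
        "gd_hits": sum(scan_with_gd(v) for v in variants),
    }


if __name__ == "__main__":
    print(demo())
```

The step bound in emulate is where the control module's trade-off shows: too few steps and the decryptor has not finished when memory is scanned, too many and scanning every file becomes slow.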
2) IBM’s Digital Immune System (DIS):
a) Monitoring program, on each PC: uses heuristics based on
to monitor the presence of a virus in a program.
Such an infected program is sent to an administrative machine in the organization.
b) Administrative machines: one machine located at each site.
c) Central virus analysis machine:
3) Behavior blocking software: monitors and blocks malicious actions like
But can we, and should we, block shuffling of files?
The Brain virus splits itself into three parts. The first part is in the boot sector; the other two parts are in two other sectors of the disk.
A third sector contains the original boot sector code.
Another copy of the virus is stored in the remaining three sectors on the disk.
Released on the Internet on the evening of Nov 2, 1988 by Robert T. Morris Jr., a grad student at Cornell.
In 1990 he was sentenced to a fine of $10,050, three years of probation and 400 hours of community service.
Morris exploited three flaws:
1) The Unix password file stores passwords in encrypted (hashed) form,
but anyone can read the ciphertext.
To connect to a remote system, it tries to crack the local password file by trying the following:
2) The second flaw, in fingerd: the finger daemon read its request into a fixed-size buffer with gets(), so an over-long request overflowed the buffer and let the worm get its own code executed.
3) The third flaw, in sendmail in debug mode:
Normally sendmail runs in the background. It receives a ‘send’ instruction along with the destination address.
However, in debug mode the worm could send a command string in place of the destination address, and that command string would then be executed.
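The first flaw is what makes password guessing an offline job: with the ciphertext readable, the attacker hashes candidates locally and compares, and nothing on the target notices the attempts. The following added example (Python; not the worm's code, and the candidate stages are an assumed reconstruction of its strategy, not its actual word lists) runs that strategy over a constructed password file. Because crypt(3) output is not the point, a salted SHA-256 stands in for it.

```python
"""Offline guessing against a readable password file (added example)."""
import hashlib
import re


def hash_password(password: str, salt: str) -> str:
    """Stand-in for crypt(3); what matters is that the result is readable by all."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + "$" + digest


def matches(password: str, stored: str) -> bool:
    """Hash the guess under the stored salt and compare, entirely offline."""
    salt = stored.split("$", 1)[0]
    return hash_password(password, salt) == stored


def candidates(user: str, gecos: str, internal_dict, word_list):
    """Guessing strategy, cheapest first; each guess is tagged with its stage."""
    yield "", "none"                                   # no password at all
    for guess in (user, user + user, user[::-1], user.capitalize()):
        yield guess, "account"                         # derived from the account name
    for word in re.split(r"[\s,]+", gecos):
        if word:
            yield word.lower(), "gecos"                # names from the GECOS field
            yield word, "gecos"
    for word in internal_dict:
        yield word, "internal"                         # a built-in list of likely words
    for word in word_list:
        yield word, "wordlist"                         # the system dictionary


def crack_passwd(passwd_text: str, internal_dict, word_list) -> dict:
    """Return {user: (password, stage)} for every account that was guessed."""
    found = {}
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        user, stored, _uid, _gid, gecos, _home, _shell = line.split(":")
        for guess, stage in candidates(user, gecos, internal_dict, word_list):
            if matches(guess, stored):
                found[user] = (guess, stage)
                break
    return found


# Constructed data: a world-readable password file and two constructed word lists.
INTERNAL_DICTIONARY = ["wizard", "guest", "password", "system", "manager"]
WORD_LIST = ["aardvark", "gallery", "orange", "zebra"]

_ACCOUNTS = [  # (user, password, gecos): used only to build the sample file
    ("root", "q7!Zp#Lm2", "System Administrator"),
    ("alice", "alice", "Alice Liddell"),
    ("bob", "tanner", "Bob Tanner"),
    ("carol", "wizard", "Carol Danvers"),
    ("dave", "gallery", "Dave Bowman"),
    ("eve", "", "Eve Smith"),
]
PASSWD_TEXT = "\n".join(
    f"{u}:{hash_password(p, u[:2])}:{1000 + i}:100:{g}:/home/{u}:/bin/sh"
    for i, (u, p, g) in enumerate(_ACCOUNTS)
)

if __name__ == "__main__":
    for user, (password, stage) in crack_passwd(PASSWD_TEXT, INTERNAL_DICTIONARY, WORD_LIST).items():
        print(f"{user}: {password!r} (found at stage {stage!r})")
```

The "none" and "account" stages cost almost nothing and still succeed today against carelessly set up accounts; the remedy for the flaw itself is to keep the hashes out of the world-readable file (shadow passwords), which removes the offline step altogether.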
Assume that the worm has been able to enter a host (without its knowledge or permission).
It examines the following lists on the host:
Then the host logs off.
Efforts at stealth:
Because of a flaw in the worm’s code, it created many copies of itself on the same machine, thereby degrading the machine’s performance for normal tasks.
After the Morris worm, a Computer Emergency Response Team (CERT) was set up at Carnegie Mellon University.
Welcome to http://www.worm.com !
Hacked by Chinese !
It modifies HTML files and some executable files, and creates numerous copies of itself under various names,
causing probably the most damaging attack in a year and a half.
“Payloads can be malign and I expect that we’ll see more devious payloads over the next few years.”
- Bruce Schneier, author of Applied Cryptography
Most Internet security problems are
Types of Attack
• Often difficult to perform, but very powerful
– Mail forgery/modification
– TCP/IP spoofing/session hijacking
• Access control: protects against unauthorized use.
• Authentication: provides assurance of someone's identity.
• Confidentiality: protects against disclosure to unauthorized parties.
• Integrity: protects from unauthorized data alteration.
• Non-repudiation: protects against the originator of a communication later denying it.
Virus detection and cleaning of files are additional services required in a networked system.
• Encryption is used to provide confidentiality; it can also provide authentication and integrity protection.
• Digital signatures are used to provide authentication, integrity protection, and non-repudiation.
• Checksums/hash algorithms are used to provide integrity protection; combined with a secret key (as in a MAC) they can also provide authentication.
a security service
A typical security protocol provides one or more services.
Services in a security protocol:
• Services are built from mechanisms.
• Mechanisms are implemented using algorithms.
E-commerce protocols
SSL, TLS, SSH
The further down the stack you go, the more transparent the security is; the further up you go, the easier it is to deploy.
Security at the network layer (e.g. IPSec) gives blanket coverage to all traffic,
but it cannot provide user-level security services like user authentication.
Thus security functions are required to be built into the higher layer applications, in addition to the provision of blanket coverage at the network layer.
It is easy to deploy security functionality at higher layers.
Thus PGP has come to be used widely for providing e-mail security, while IPSec is yet to be rolled out on the Internet.
An effective security system can be built by carefully choosing an appropriate combination of protocols and algorithms.
Attacks come from various fronts, so security also has to be multi-faceted.
Example: a mobile user A, who may be a salesman, may be allowed to access a company network protected by a firewall.
A may have a wireless network at home, which may get connected to the company network.
A malicious user, who may be a neighbor or even a computer in a parked vehicle near A’s home, could in turn become a part of the wireless network.
Thus a firewall alone may not be able to provide protection from such a malicious user.
Based on the behavior blocking software idea of slide 55.
Two types of triggers:
one, ticking time-bombs in the weakest link, the PCs;
two, 1st April pranks by security companies.
(A honey pot is a machine connected to the Internet and left defenseless so that security experts can observe hackers' activities or methods.)
The second prank: an advisory posted to BugTraq (by an Internet security company, but not on Internet security).