Malicious Software - PowerPoint PPT Presentation

About This Presentation
Title:

Malicious Software

Description:

A computer virus passes from computer to computer like a biological virus passes ... or P2P sharing networks like Kazaa, Limewire, Ares, or Gnutella because they ... – PowerPoint PPT presentation

Slides: 35
Provided by: Sah3

Transcript and Presenter's Notes

1
Malicious Software
2
First type: Viruses
3
Introduction
  • Computer viruses are called viruses because they
    share some of the traits of biological viruses. A
    computer virus passes from computer to computer
    like a biological virus passes from person to
    person.
  • A computer virus must piggyback on top of some
    other program or document in order to get
    executed. Once it is running, it is then able to
    infect other programs or documents.

4
Definition of viruses
  • Viruses - A virus is a small piece of software
    that piggybacks on real programs. For example, a
    virus might attach itself to a program such as a
    spreadsheet program. Each time the spreadsheet
    program runs, the virus runs, too.

5
E-mail viruses
  • E-mail viruses - An e-mail virus moves around in
    e-mail messages, and usually replicates itself by
    automatically mailing itself to dozens of people
    in the victim's e-mail address book.

6
The parts of a virus
  • Replicator - its job is to ensure the survival of
    the virus on a system. Most successful viruses do
    this not by inflicting damage on the system but
    by appending themselves to legitimate programs on
    the machine. Each time such a program is run, the
    virus 'wakes up' and starts to reproduce.
  • Concealer - this part of the virus has the job of
    hiding the virus, and uses a number of methods to
    do so.

7
The parts of a virus (cont.)
  • The payload is what the computer virus is
    programmed to do.
  • Some viruses do nothing more than copy themselves
    onto another PC, much like a real virus does from
    host to host.  This is the simplest payload that
    a virus can have.
  • Some computer viruses have a greater effect:
    maybe they steal files or data, or allow someone
    else to take control of the PC, while some will
    destroy some or all of the data on the computer.
  • A virus can also have multiple payloads (in fact,
    any virus that does more than just spread has
    by default more than one payload) - perhaps it
    steals data and waits until some date in the
    future when it activates a new payload and
    deletes all the data on the drive or something
    similar.

8
Viruses Types and Examples
  • There are several different types of computer
    virus: boot sector viruses, program viruses,
    multi-partite viruses, macro viruses, companion
    viruses and link viruses.
  • These classifications take into account the
    different ways in which the virus can infect
    different parts of a system.

9
Viruses Types and Examples
  • Boot viruses
  • These viruses infect floppy disk boot records or
    master boot records in hard disks.
  • They replace the boot record program (which is
    responsible for loading the operating system in
    memory) copying it elsewhere on the disk or
    overwriting it.
  • Boot viruses load into memory if the computer
    tries to read the disk while it is booting.
  • Examples: Form, Disk Killer and Stoned

10
Types and Examples (cont.)
  • Program viruses
  • These infect executable program files, such as
    those with extensions like .BIN, .COM, .EXE,.DRV
    (driver) and .SYS (device driver).
  • These programs are loaded in memory during
    execution, taking the virus with them.
  • The virus becomes active in memory, making copies
    of itself and infecting files on disk.
  • Examples: Sunday, Cascade

11
Types and Examples (cont.)
  • Multi-partite viruses
  • A hybrid of boot and program viruses. They infect
    program files, and when the infected program is
    executed, these viruses infect the boot record.
    When you next boot the computer, the virus in
    the boot record loads into memory and then
    starts infecting other program files on disk.
  • Examples: Invader, Flip and Tequila

12
Types and Examples (cont.)
  • Macro viruses
  • A macro virus is a new type of computer virus
    that infects the macros within a document or
    template.
  • When you open a word processing or spreadsheet
    document, the macro virus is activated and it
    infects the Normal template, a general-purpose
    file that stores default document formatting
    settings.
  • Every document you open refers to the Normal
    template, and hence gets infected with the macro
    virus.
  • Since this virus attaches itself to documents,
    the infection can spread if such documents are
    opened on other computers.
  • Examples: DMV, Nuclear, Word Concept.

13
Macro viruses (cont.)
  • Why are macro viruses so successful?
  • Today people share so much data, e-mail documents
    and use the Internet to get programs and
    documents.
  • Macros are also very easy to write.
  • The problem is also that Word for Windows
    corrupts macros inadvertently, creating new macro
    viruses.
  (Figure: New macro virus by corruption)

14
Symptoms of Virus Infection
  • 1. Programs take longer to load.
  • 2. A change in dates against the filenames in the
    directory.
  • 3. The floppy disk or hard disk is suddenly accessed
    without logical reason.
  • 4. Increased use of disk space and growth in file

15
Symptoms of Virus Infection (cont.)
  • 5. Abnormal write-protect errors, caused by the
    virus trying to write to a protected disk.
  • 6. Strange characters appear in the directory
    listing of filenames.
  • 7. Strange messages like "Type Happy Birthday
    Joshi" (Joshi virus) or "Driver Memory Error"
    (kak.worm) appear on the screen and in
    documents.
  • 8. Programs may hang the computer or not work at
    all.
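As an added example (not from the slides), the Python script below checks for two of the symptoms listed above, growth of executable files and changed file dates, by recording a baseline of a directory's executables and reporting anything that later differs. The directory, file names and the appended bytes are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Added example: baseline the executables in a directory, then report any whose
# content changed, grew, or got a new modification date, which are three of the
# infection symptoms listed on the slides. Sample files are constructed below.
EXECUTABLE_SUFFIXES = (".exe", ".com", ".bin", ".drv", ".sys")

def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def take_baseline(directory):
    """Record (size, mtime, sha256) for every executable-looking file."""
    baseline = {}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and name.lower().endswith(EXECUTABLE_SUFFIXES):
            st = os.stat(path)
            baseline[name] = (st.st_size, st.st_mtime, _sha256(path))
    return baseline

def find_changes(directory, baseline):
    """Return [(filename, reason)] for executables that differ from the baseline."""
    current = take_baseline(directory)
    findings = []
    for name, (size, mtime, digest) in baseline.items():
        if name not in current:
            findings.append((name, "missing"))
        elif current[name][2] != digest:  # hash differs: the file was modified
            new_size, new_mtime, _ = current[name]
            reason = "content changed"
            if new_size > size:  # program viruses append themselves to files
                reason += f", grew by {new_size - size} bytes"
            if new_mtime != mtime:
                reason += ", date changed"
            findings.append((name, reason))
    for name in current.keys() - baseline.keys():
        findings.append((name, "new executable"))
    return findings

def demo():
    """Constructed scenario: one program is appended to, one new file is dropped."""
    d = tempfile.mkdtemp()
    for name in ("calc.exe", "sheet.exe", "readme.txt"):
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"MZ" + b"\x00" * 100)
    baseline = take_baseline(d)
    with open(os.path.join(d, "sheet.exe"), "ab") as f:
        f.write(b"X" * 100)  # stands in for code appended by an infector
    with open(os.path.join(d, "dropped.com"), "wb") as f:
        f.write(b"MZ")
    return find_changes(d, baseline)
```

Hashing catches modifications that keep the size and timestamp intact, which a check on dates and sizes alone would miss.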

16
How to protect against viruses
  • The best way to protect yourself is to prepare your
    computer against viruses in advance.
  • One way to protect your computer is to use an
    up-to-date anti-virus program. When you get an
    e-mail attachment, you should first check the
    attachment by scanning the file with an anti-virus
    program.

17
Second type: Worms
18
Worms
  • A worm is a small piece of software that uses
    computer networks and security holes to replicate
    itself.
  • A copy of the worm scans the network for another
    machine that has a specific security hole. It
    copies itself to the new machine using the
    security hole, and then starts replicating from
    there as well.
  • Unlike a virus, it does not need to attach itself
    to an existing program. Worms always harm the
    network (if only by consuming bandwidth), whereas
    viruses always infect or corrupt files on a
    targeted computer.

19
Types of worm
  • 1. Email worms
  • Spread via email messages. Typically the worm
    will arrive as email, where the message body or
    attachment contains the worm code, but it may
    also link to code on an external website.
  • Poor design aside, most email systems require
    the user to explicitly open an attachment to
    activate the worm.
  • Once activated, the worm will send itself out
    using either local email systems (e.g. MS Outlook
    services, Windows MAPI functions) or directly
    using SMTP. The addresses it sends to are often
    harvested from the infected computer's email
    system or files.

20
Types of worm (cont.)
  • 2. Instant messaging worms
  • These spread via instant messaging applications
    by sending links to infected websites to everyone
    on the local contact list. The only difference
    between these and email worms is the way chosen
    to send the links.
  • 3. IRC worms
  • Chat channels are the main target, and the same
    infection/spreading method is used as above:
    sending infected files or links to infected
    websites. Sending infected files is less effective,
    as the recipient needs to confirm receipt, save
    the file and open it before infection will take
    place.

21
Types of worm (cont.)
  • 4. File-sharing network worms
  • The worm copies itself into a shared folder, most
    likely located on the local machine.
  • It places the copy in the shared folder under a
    harmless-looking name.
  • Now the worm is ready for download via the P2P
    network, and spreading of the infected file will
    continue.

22
Types of worm (cont.)
  • 5. Internet worms
  • These target low-level TCP/IP ports directly,
    rather than going via higher-level protocols such
    as email or IRC.
  • An infected machine aggressively scans random
    computers on both its local network and the
    public Internet, attempting an exploit against
    port 135 which, if successful, spreads the worm
    to that machine.

23
Payload
  • A "payload" is code designed to do more than
    spread the worm - it might
  • delete files on a host system (eg the ExploreZip
    worm),
  • encrypt files in a cryptoviral extortion attack,
  • or send documents via e-mail.
  • A very common payload for worms is to install a
    backdoor in the infected computer to allow the
    creation of a "zombie" under control of the worm
    author.
  • Networks of such machines are often referred to
    as botnets and are very commonly used by spam
    senders for sending junk email or to cloak their
    website's address. Spammers are therefore thought
    to be a source of funding for the creation of
    such worms, and worm writers have been caught
    selling lists of IP addresses of infected
    machines. Others try to blackmail companies with
    threatened DoS attacks.
  • Backdoors, however they may be installed, can be
    exploited by other malware, including worms.
    Examples include Doomjuice, which spreads using
    the backdoor opened by Mydoom, and at least one
    instance of malware taking advantage of the
    rootkit backdoor installed by the Sony/BMG DRM
    software utilized by millions of music CDs prior
    to late 2005.

24
Third type: Trojan horses
25
Trojan horses
  • Trojan horses - A Trojan horse is simply a
    computer program. The program claims to do one
    thing (it may claim to be a game) but instead
    does damage when you run it (it may erase your
    hard disk). Trojan horses have no way to
    replicate automatically.
  • Trojan horses may appear to be useful or
    interesting programs (or at the very least
    harmless) to an unsuspecting user, but are
    actually harmful when executed.
  • Trojans are also known to create a backdoor on
    your computer that gives malicious users access
    to your system, possibly allowing confidential or
    personal information to be compromised.

26
Types of Trojan horse
  • There are two common types of Trojan horses.
  • One is otherwise useful software that has been
    corrupted by a cracker inserting malicious code
    that executes while the program is used. Examples
    include various implementations of weather
    alerting programs, computer clock setting
    software, and peer to peer file sharing
    utilities.
  • The other type is a standalone program that
    masquerades as something else, like a game or
    image file, in order to trick the user into some
    misdirected complicity that is needed to carry
    out the program's objectives.

27
Types of Trojan horse payloads
  • Trojan horse payloads are designed to do various
    harmful things, but could be harmless.
  • They are classified according to how they breach
    systems and the damage they cause.
  • The nine main types of Trojan horse payloads are:
  • Remote access
  • Email sending (data-sending Trojans)
  • Data destructive
  • Downloader
  • Proxy Trojan (disguising others as the infected
    computer)
  • FTP Trojan (adding or copying data from the
    infected computer)
  • Security software disabler
  • Denial-of-service attack (DoS)
  • URL Trojan (directing the infected computer to
    only connect to the Internet via an expensive
    dial-up connection)

28
Some examples are
  • erasing or overwriting data on a computer.
  • corrupting files in a subtle way.
  • uploading and downloading files.
  • allowing remote access to the victim's computer.
    This is called a RAT (remote administration
    tool).
  • spreading other malware, such as viruses. In this
    case the Trojan horse is called a 'dropper' or
    'vector'.
  • setting up networks of zombie computers in order
    to launch DDoS attacks or send spam.
  • taking screenshots.
  • logging keystrokes to steal information such as
    passwords and credit card numbers (also known as
    a keylogger).
  • installing a backdoor on a computer system.
  • opening and closing the CD-ROM tray.
  • restarting the computer whenever the infected
    program is started.

29
Time bombs and logic bombs
  • "Time bombs" and "logic bombs" are types of
    Trojan horses.
  • "Time bombs" activate on particular dates and/or
    times.
  • "Logic bombs" activate on certain conditions met
    by the computer.

30
Methods of Infection
  • The majority of Trojan horse infections occur
    because the user was tricked into running an
    infected program.
  • The infected program doesn't have to arrive via
    email , it can be sent to you in an Instant
    Message, downloaded from a Web site or by FTP, or
    even delivered on a CD or floppy disk.
  • Furthermore, an infected program could come from
    someone who sits down at your computer and loads
    it manually.
  • 1. Websites - you can be infected by visiting a
    rogue website.
  • 2. Email - email viruses will often send copies of
    themselves to people in the infected user's
    address book.

31
Methods of Infection (cont.)
  • 3. Open ports
  • Computers running their own servers (HTTP, FTP
    or SMTP, for example), allowing Windows file
    sharing, or running programs that provide
    file-sharing capabilities such as instant
    messengers (AOL's AIM, MSN Messenger, etc.) may
    be vulnerable to Trojan horse attacks.
  • These programs and services may open a network
    port, giving attackers a means of interacting
    with these programs from anywhere on the
    Internet. Vulnerabilities allowing unauthorized
    remote entry are regularly found in such
    programs, so they should be avoided or properly
    secured.
  • A firewall may be used to limit access to open
    ports. Firewalls are widely used in practice, and
    they help to mitigate the problem of remote
    Trojan insertion via open ports, but they are not
    a totally impenetrable solution either.
  • Some modern Trojans arrive through messages.
    They come in as a very important-looking message
    but contain Trojans whose executable files are
    named the same as Windows system processes like
    'Svchost.exe'.
  • Some of the look-alike Trojans are Svchost32.exe,
    Svhost.exe and back.exe.
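As an added example (not part of the slides), the script below shows the defender's side of the look-alike names just mentioned: it flags process image names that closely resemble a Windows system process, such as Svhost.exe or Svchost32.exe, and genuine system names that run from an unexpected directory. The process list and the expected directories are constructed for the example.

```python
from difflib import SequenceMatcher

# Added example: flag processes whose image name imitates a Windows system
# process (the slides name Svchost32.exe and Svhost.exe) and genuine system
# names running from an unexpected directory. Paths and the process list are
# constructed for the example; adjust SYSTEM_PROCESSES to the host's layout.
SYSTEM_PROCESSES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

def classify(image_path, threshold=0.8):
    """Return None if the process looks legitimate, else a one-line finding."""
    path = image_path.lower().replace("/", "\\")
    directory, _, name = path.rpartition("\\")
    if name in SYSTEM_PROCESSES:
        expected = SYSTEM_PROCESSES[name]
        if directory != expected:
            return f"{name} runs from {directory or '(no path)'}, expected {expected}"
        return None
    # Not a known name: look for near-misses such as svhost.exe or svchost32.exe.
    for real in SYSTEM_PROCESSES:
        ratio = SequenceMatcher(None, name, real).ratio()
        if ratio >= threshold:
            return f"{name} resembles {real} (similarity {ratio:.2f})"
    return None

def scan(process_list):
    """Apply classify() to every image path and keep only the findings."""
    findings = []
    for image_path in process_list:
        reason = classify(image_path)
        if reason:
            findings.append((image_path, reason))
    return findings

# Constructed process list standing in for the output of a process enumerator.
SAMPLE_PROCESSES = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\lsass.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Users\alice\AppData\Local\Temp\svchost32.exe",
    r"C:\Users\alice\Downloads\svhost.exe",
    r"C:\Users\alice\Downloads\svchost.exe",
    r"C:\Program Files\Editor\editor.exe",
]

if __name__ == "__main__":
    for path, reason in scan(SAMPLE_PROCESSES):
        print(f"{path}: {reason}")
```

The path check matters as much as the name check: a file called exactly svchost.exe in a Downloads folder is just as suspicious as a misspelt one.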

32
Precautions against Trojan horses
  • Trojan horses are most commonly spread through
    e-mail, much like other types of common viruses.
    The only difference, of course, is that a
    Trojan horse payload is hidden. The best ways to
    protect yourself and your company from Trojan
    horses are as follows:
  • 1. If you receive e-mail from someone that you do
    not know or you receive an unknown attachment,
    never open it right away. As an e-mail user you
    should confirm the source. Some hackers have the
    ability to steal address books, so if you see
    e-mail from someone you know, it is not
    necessarily safe.
  • 2. When setting up your e-mail client, make sure
    that you have the settings so that attachments do
    not open automatically. Some e-mail clients come
    ready with an anti-virus program that scans any
    attachments before they are opened. If your
    client does not come with this, it would be best
    to purchase one or download one for free.
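As an added example (not from the slides), here is the kind of check an e-mail client or gateway can run on attachments before anything is opened: it lists the attachments of a raw message and flags executables (using the extensions from the program-virus slide plus a few other Windows-executable types), filenames that hide an executable behind a second extension, and attachments whose bytes start with the "MZ" header of a Windows executable regardless of what the name claims. The message is constructed with Python's standard email library.

```python
import email
import email.policy
import os
from email.message import EmailMessage

# Added example: inspect a raw e-mail before any attachment is opened and flag
# attachments that are executables, hide an executable behind a second
# extension, or carry a Windows executable header despite an innocent name.
# The extension set is the slides' list plus a few other executable types.
EXECUTABLE_EXT = {".exe", ".com", ".bin", ".drv", ".sys", ".scr", ".pif", ".bat", ".vbs"}

def attachment_risks(raw_message):
    """Return [(filename, reason)] for attachments that must not be opened unscanned."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        stem, ext = os.path.splitext(name.lower())
        data = part.get_payload(decode=True) or b""
        if ext in EXECUTABLE_EXT:
            reason = f"executable attachment ({ext})"
            if os.path.splitext(stem)[1]:  # e.g. card.jpg.exe
                reason += ", double extension disguises it"
            findings.append((name, reason))
        elif data[:2] == b"MZ":  # DOS/PE executable header under a harmless name
            findings.append((name, "content is a Windows executable despite the name"))
    return findings

def build_sample_message():
    """Constructed message: one disguised executable, one mislabelled one, one safe file."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Happy Birthday"
    msg.set_content("Open the card!")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="card.jpg.exe")
    msg.add_attachment(b"MZ\x90\x00", maintype="image", subtype="jpeg",
                       filename="photo.jpg")
    msg.add_attachment("Just some notes.", filename="notes.txt")
    return msg.as_string()

if __name__ == "__main__":
    for name, reason in attachment_risks(build_sample_message()):
        print(f"{name}: {reason}")
```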

33
Precautions against Trojan horses (cont.)
  • 3. Make sure your computer has an anti-virus
    program on it and update it regularly. If your
    anti-virus program includes an auto-update
    option, you should turn it on; that way, if you
    forget to update your software, you can still be
    protected from threats.
  • 4. Operating systems offer patches to protect
    their users from certain threats. Software
    developers like Microsoft offer patches that in a
    sense "close the hole" that the Trojan horse or
    other virus would use to get through to your
    system. If you keep your system updated with
    these patches, your computer is kept much safer.
  • 5. Avoid using peer-to-peer or P2P sharing
    networks like Kazaa, Limewire, Ares, or Gnutella
    because they are generally unprotected from
    viruses and Trojan Horse viruses spread through
    them especially easily.
  • If you insist on using P2P, it would be safe to
    not download files that claim to be "rare" songs,
    books, movies, pictures, etc.

34
Methods of Deletion
  • Since there is a variety of trojans, deleting
    them isn't always the same.
  • The common way of deleting the majority of
    trojans is by clearing your temporary internet
    files, or finding the file and deleting it
    manually, in both regular mode and safe mode.
  • In certain cases, registry editing is needed. In
    this case, go to Start, Run, type regedit, and
    delete or repair any corrupted entry the Trojan
    has made in the registry.