
Saturday, February 26, 2011

NETSEC 07

We now go into the topic of Malicious Code. Malicious code is any code that is capable of causing harm to a system. It includes Viruses, Worms, Trojan Horses, and can include certain malicious Java Applets and ActiveX Controls.
It is sometimes not possible to classify a piece of code under a specific class, so the general term "malware" is used. Malware is not necessarily a virus, but a virus is definitely malware.

Malicious code causes harm to the network by attacking the goals of network security (causing DoS, modifying data, leaking confidential information). This ends up reducing productivity, damaging reputation and causing loss of revenue.

A virus is a program that attaches itself to another program. It can be embedded at the start of the host program (similar to a launcher) or at the end (similar to the use of a code cave).

For a virus to start working, the infected program must be executed. Some viruses perform destructive operations immediately, while others remain inactive until certain conditions are met (e.g. a command is sent from the attacker, or a certain day and time is reached).

Most viruses are written in assembly language, with the exception of macro viruses. Viruses can be playful or harmful (causing loss or corruption of data and/or services).

The life cycle of a virus is:
-Replication
-Activation

There are several kinds of viruses. The most common are:

File Infector viruses - The most common virus class. It infects an executable file and hides within the code of the host program. Running the infected program activates both the virus and the host program. The virus can then continue to run after the program is closed.

Viruses cannot exist in pure data/text files because the code within them is never run. Instead, the bytes are simply interpreted as ASCII characters. So even if a text file has viral code written into it, it would just appear as a bunch of corrupted characters when opened.

Boot sector viruses are stored in the boot sector of media (CDs/DVDs, diskettes, HDDs). When a computer is first turned on, it searches for the boot sector and executes it, so the virus is loaded into the computer before, while or after the bootstrapper initializes the OS.

A boot sector virus can only infect a machine if the infected media is used to start it up. Media introduced after bootup cannot infect the machine this way. Once loaded, a boot sector virus can spread to other media while the OS is running.

A macro virus is a virus that makes use of the powerful macro languages provided by certain programs (e.g. Word, Excel). These viruses execute each time the document is opened and may infect all future documents created with the application. The Melissa virus is an example of a macro virus; it causes the victim machine to mail out confidential documents with the Melissa virus attached.

A worm is a type of virus that can replicate itself but does not attach itself to other programs. It is self-replicating and does not alter files; it resides in active memory and duplicates itself. Worms are mainly used to consume resources, but can also perform other tasks.

Viruses can spread through:
-Network
-Infected media
-Files from the internet
-Attachments
-ICQ/IRC
-P2P
-etc.

Antivirus software is used to remove malware by scanning for it and removing it. Anti-virus software can be:
-Virus scanning software
-Memory scanning software
-Integrity checkers
-Activity blockers

Virus scanning software can scan files and boot records. It may be able to notify the user, clean, delete, or quarantine the files/directories/disks affected. Virus scanners can look for known viruses, as well as new viruses.

Known viruses are found using signature scanning. A signature is a unique pattern of bits or binary data taken from the virus/program; it is like the fingerprint of a virus and is made as unique as possible so that it identifies that virus and nothing else.

Signature scanning may also be able to find variants of existing viruses. Its false positive rate is relatively low. New viruses written with different methods may not be detected, as they have different signatures.

Since antivirus software may not know of the existence of new viruses, it also makes use of heuristic algorithms when scanning. Heuristic scanning is similar to signature scanning, but it looks for certain characteristics of the code (e.g. instructions that are typically not found in normal programs, such as modification of a driver or modification of the registry).

If it finds a program that does unusual things, then it classifies it as a virus. However, it is more prone to false positives as legitimate programs (such as a Registry scanner) may be classified as malicious.
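The two detection methods described above, as an added example (not code from the original notes): a signature scan looks for exact known byte patterns, while a heuristic scan scores indicator strings such as Run-key persistence or writes into other processes. All signatures, indicators and sample "files" here are constructed for illustration, and the "regcleaner.exe" sample shows the false positive the notes warn about.

```python
# Constructed signatures: exact byte patterns that identify a known sample.
# These are made-up for this example, not real malware signatures.
SIGNATURES = {
    "Demo.FileInfector.A": bytes.fromhex("deadbeef4a4b4c"),
    "Demo.BootSector.B": b"BOOTDEMO\x55\xaa",
}

# Constructed heuristic indicators with weights: strings that normal programs
# rarely contain. Several of them together push a file over the threshold.
HEURISTIC_INDICATORS = {
    b"CurrentVersion\\Run": 2,   # persistence through the registry Run key
    b"WriteProcessMemory": 2,    # writing into another process's memory
    b"\\Drivers\\": 1,           # touching driver files
    b"DeleteFile": 1,
}
HEURISTIC_THRESHOLD = 3


def signature_scan(data: bytes) -> list[str]:
    """Return the names of every known signature found in the data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def heuristic_scan(data: bytes) -> tuple[int, list[bytes]]:
    """Return a suspicion score and the indicators that produced it."""
    hits = [ind for ind in HEURISTIC_INDICATORS if ind in data]
    return sum(HEURISTIC_INDICATORS[h] for h in hits), hits


def classify(data: bytes) -> str:
    """Known signature -> 'infected'; score at/above threshold -> 'suspicious'."""
    if signature_scan(data):
        return "infected"
    score, _ = heuristic_scan(data)
    return "suspicious" if score >= HEURISTIC_THRESHOLD else "clean"


# Constructed sample files. "regcleaner.exe" is a legitimate tool that edits
# the same registry keys as malware, so the heuristic flags it: a false positive.
SAMPLES = {
    "known_sample.exe": b"MZ\x90\x00" + bytes.fromhex("deadbeef4a4b4c") + b"padding",
    "new_variant.exe": b"MZ\x90\x00" + b"CurrentVersion\\Run" + b"WriteProcessMemory",
    "regcleaner.exe": b"MZ\x90\x00" + b"CurrentVersion\\Run" + b"DeleteFile",
    "notes.txt": b"Just some text, interpreted as ASCII and never executed.",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:18} {classify(data):10} score={heuristic_scan(data)[0]}")
```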

A Trojan Horse is a malicious, security breaking program that is disguised as something benign. An apparently useful program may have additional code to collect, exploit, falsify or destroy data.

A Trojan Horse is not a virus: although it can do everything a virus can do, it does not attach itself to another program or attempt to replicate itself. Trojans can be used for:
-Spying
-Relaying malicious connections (redirecting connections so that attacks appear to come from another source)
-Accessing restricted resources
-Launching a DDoS attack
-Capturing keystrokes (Keylogger)

Trojans typically comprise two parts:
-Server
-Client

The server is installed in the victim's machine, and the client is used by the attacker to connect to the victim's machine.

An example would be: the attacker gets the victim to accept the Trojan server disguised as a game. The victim accepts and executes the file, causing the Trojan to be installed somewhere in the directory structure. The Trojan also modifies the Registry so that it is loaded automatically the next time the PC boots up. The attacker then connects to the Trojan to do work. The victim's machine may also need to relay its own IP address back to the attacker through means like DynDNS or email.

Defenses include:
-Do not download programs from dubious sites
-Do not open suspicious email attachments
-Prevent execution of ActiveX controls
-Don't accept programs in chatlines
-Check comments for files in P2P networks
-Use anti-spyware to detect and remove
-Configure a firewall to check for attempts to open ports
-Scan floppies and CDs before using

A Trojan may or may not be detected by Anti-Virus programs because they do things many other servers do, but famous ones like Sub Seven are definitely detected.

An example security policy for prevention of viruses can be:
1) All systems in the organization must be installed with firewalls and antivirus
2) Virus signatures must be updated
3) All media must be scanned for viruses before use
4) Programs downloaded from the Internet must be approved by the administrator before use
