Hands-On Ethical Hacking and Network Security

Network & Computer Attacks
(Part 1)
January 27, 2010
MIS 4600 – MBA 5880 - © Abdou Illia
Objectives
 Describe different types of malicious software
 Discuss methods of protecting against malware
attacks
 Describe the types of network attacks
 Identify physical security attacks and
vulnerabilities
ISC* Objectives
 C – Confidentiality
 I – Integrity
 A – Availability
 A – Accountability/Authenticity
 Confidentiality
 Making sure that corporate data and transactions with
partners remain confidential
 Integrity
 Making sure that software programs, local data, and data
in-transit are not altered or destroyed
 Availability
 Making sure that computer and network resources or
services remain available for users and not disrupted
 Accountability
 Making sure that users are properly authenticated and
their actions accounted for.
 Authenticity
 Closely tied to non-repudiation: making sure that a business
partner cannot deny their actions
* Information Security Countermeasures
Malicious Software attacks
 Common types of malware
 Viruses
 Worms
 Trojan horses
 Adware | Spyware
 Logic bombs
 [Web bots]
What is a virus?
 A virus is malware that …
attaches itself to files on a single computer
can replicate from file to file
does not stand on its own
 needs a host file – a vector – [unlike some other malware]
does not spread to other computers without human
intervention (flash drive, email attachment, etc.)
Types of virus host / vector
Binary executable files (such as COM files and EXE files in MS-DOS, Portable Executable files in Microsoft
Windows, and ELF files in Linux)
Volume Boot Records of floppy disks and hard disk partitions | The master boot record (MBR) of a hard disk
General-purpose script files (such as batch files in MS-DOS and Microsoft Windows, VBScript files, and
shell script files on Unix-like platforms).
Application-specific script files (such as Telix-scripts)
System-specific autorun script files (such as the Autorun.inf file that Windows reads to automatically run
software stored on USB memory storage devices).
Documents that can contain macros (such as Microsoft Word documents, Microsoft Excel spreadsheets,
Microsoft Access database files, and AmiPro documents)
ELF = Executable and Linkable Format | PDFs & images, like HTML, may link to malicious code | PDFs can also be infected with malicious code
Types of viruses
Based on host files
Boot sector viruses: copy themselves into the boot sector
(or MBR) of the disk, so they run before the OS loads
File infector viruses: attach themselves to program
files and user files
Macro viruses: attach to files with macro programs
embedded.
Based on mutation techniques
Polymorphic viruses: mutate with every infection (the body is
encrypted with a varying key and the decryption routine is
altered), so no fixed byte string identifies every copy
Metamorphic viruses: rewrite themselves
completely each time they infect a new
executable*
* metamorphic engine is needed
Types of viruses (cont.)
 Based on deception methods
 Timestamp-preserving viruses (old MS-DOS viruses): make sure that the "last modified" date of
a host file stays the same when the file is infected by the virus.
 Cavity viruses
 infect files without increasing their sizes or damaging the files
 overwrite unused areas of executable files
[Figure: File.exe of 300 KB stored on a 512 KB block; the unused space can hold virus code]
 Example: CIH (also called the Chernobyl virus), about 1 KB in size, infects
Portable Executable files, which contain many empty gaps
 Antivirus PID killers: kill the processes associated with antivirus software
 Stealth: hides itself by intercepting disk access requests
made by antivirus programs.
The stealth virus returns an uninfected version of the file to the antivirus software, so that infected files seem "clean".
[Figure: antivirus read request intercepted by the stealth virus before it reaches the OS]
Using Base 64 encoding to hide viruses
 Base 64 encoding is used to carry binary e-mail attachments
over text-only mail transports (it does not reduce size; the
encoded data is about a third larger than the original)
Email with the Price.cpl attached returned by server
This message was created automatically by mail delivery software. A message that you sent
could not be delivered to one or more of its recipients. This is a permanent error. The following
address(es) failed:
[email protected]
This message has been rejected because it has a potentially executable attachment “Price.cpl”.
This form of attachment has been used by recent viruses or other malware. If you meant to send
this file, then package it up as a zip file and resend it.
Base 64 content of Price.cpl
[Message header deleted for brevity]
<html><body>
</body></html>
-----------sghsfzfldbjbzqmztbdx
Content-Type: application/octet-stream; name=“Price.cpl”
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=“Price.cpl”
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAgAAAAAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9nmFtIGNhbm5vdCBi
ZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAABQRQRQAATAEDAA+kgUEAAAAAA
OAADiELAQUMAAwAAAACAAAAAAAQBUAAAAQAAAAIAAAIAAEAAQAAAgAAB
AAA …..
GWxWigppFLPigOA6Iqb3ZYDSw1XiXi1sV7d6oVtwKiyKmr4PDWUmgExWU6UOIHF6MK
….
What decoding the content reveals (strings visible in the decoded file):
"This program cannot be run in DOS mode", User32.dll, CloseHandle,
CreateFileA, GetWindowsDirectory, WriteFile, kernel32.dll,
ShellExecute, shell32, KERNEL32.DLL, USER32.DLL, GetProcAddress,
LoadLibrary, ExitProcess, VirtualFree, MessageBox
These are the import names of a Windows executable, not a price list.
Using Base 64 encoding to hide viruses
 Base 64 encoding is used to carry binary e-mail attachments
over text-only mail transports (at a size cost of about 33%)
 Represents the values 0 to 63 using six bits each
 A is 000000 … Z is 011001
Converting Base 64 strings to their decimal (byte) equivalent
 Create groups of 4 characters; for each group
 Convert each character to its 6-bit value (binary)
 Concatenate the 24 bits and rewrite them as three groups of eight bits
 Convert each 8-bit group into decimal (one byte); "=" padding at the end of the
string marks bytes that are not present
 Commercial Base 64 encoders/decoders available
 Try converting the Base 64 code below at
http://www.motobit.com/util/base64-decoder-encoder.asp
TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0aGlz
IHNpbmd1bGFyIHBhc3Npb24gZnJvbSBvdGhlciBhbmltYWxzLCB3aGljaCBpcyBhIGx1c3Qgb2Yg
dGhlIG1pbmQsIHRoYXQgYnkgYSBwZXJzZXZlcmFuY2Ugb2YgZGVsaWdodCBpbiB0aGUgY29udGlu
dWVkIGFuZCBpbmRlZmF0aWdhYmxlIGdlbmVyYXRpb24gb2Yga25vd2xlZGdlLCBleGNlZWRzIHRo
ZSBzaG9ydCB2ZWhlbWVuY2Ugb2YgYW55IGNhcm5hbCBwbGVhc3VyZS4=
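The four decoding steps described above, worked through in code. This is an added example in Python, not code from the slides or their author: it decodes the Base 64 sample above by hand, cross-checks the result against the standard library, and then applies the same decoder to the first 44 characters of the Price.cpl attachment body shown on the earlier slide to recover the "MZ" header that marks a Windows executable whatever the file is named. The Base 64 text constants are copied from the slides; the MZ check, the function names and the "padding only in the last group" rule are my own.

```python
import base64  # standard library; used only to cross-check the hand-rolled decoder

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def decode_group(group: str) -> tuple[list[int], str, bytes]:
    """Decode one 4-character Base64 group exactly as the slide describes.

    Returns (six-bit values, the 24-bit string, the 1-3 decoded bytes).
    '=' padding may only appear at the end of the group.
    """
    if len(group) != 4:
        raise ValueError("Base64 is decoded in groups of 4 characters")
    pad = group.count("=")
    if pad > 2 or group[: 4 - pad].count("=") or group[4 - pad:] != "=" * pad:
        raise ValueError(f"bad padding in group {group!r}")
    # Step 1: each character is the decimal value 0..63 of its alphabet position.
    values = [B64_ALPHABET.index(c) for c in group[: 4 - pad]] + [0] * pad
    # Step 2: write each value as 6 bits and concatenate -> 24 bits.
    bits = "".join(format(v, "06b") for v in values)
    # Step 3: regroup the 24 bits as three 8-bit bytes and convert each to decimal.
    raw = bytes(int(bits[i:i + 8], 2) for i in range(0, 24, 8))
    # Each '=' means one fewer real byte in this (final) group.
    return values, bits, raw[: 3 - pad]


def b64_decode_manual(text: str) -> bytes:
    """Decode a whole Base64 body. MIME wraps lines at 76 characters, so all
    whitespace is stripped first; it carries no data."""
    chars = "".join(text.split())
    if len(chars) % 4:
        raise ValueError("Base64 length must be a multiple of 4 (was the body truncated?)")
    out = bytearray()
    for i in range(0, len(chars), 4):
        group = chars[i:i + 4]
        if "=" in group and i + 4 != len(chars):
            raise ValueError("padding is only allowed in the last group")
        out += decode_group(group)[2]
    return bytes(out)


# The sample text from the slide (Hobbes, Leviathan), as a wrapped MIME body.
HOBBES_B64 = """
TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0aGlz
IHNpbmd1bGFyIHBhc3Npb24gZnJvbSBvdGhlciBhbmltYWxzLCB3aGljaCBpcyBhIGx1c3Qgb2Yg
dGhlIG1pbmQsIHRoYXQgYnkgYSBwZXJzZXZlcmFuY2Ugb2YgZGVsaWdodCBpbiB0aGUgY29udGlu
dWVkIGFuZCBpbmRlZmF0aWdhYmxlIGdlbmVyYXRpb24gb2Yga25vd2xlZGdlLCBleGNlZWRzIHRo
ZSBzaG9ydCB2ZWhlbWVuY2Ugb2YgYW55IGNhcm5hbCBwbGVhc3VyZS4=
"""

# The first 44 characters (11 groups) of the Price.cpl attachment body on the slide.
PRICE_CPL_PREFIX_B64 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAA"


def looks_like_windows_executable(data: bytes) -> bool:
    """PE files (.exe, .dll, .cpl, .scr) start with the DOS 'MZ' magic bytes."""
    return data[:2] == b"MZ"


def inspect_attachment(b64_body: str) -> dict:
    """What a mail gateway can learn from an attachment without trusting its name."""
    encoded = "".join(b64_body.split())
    data = b64_decode_manual(encoded)
    return {
        "encoded_chars": len(encoded),
        "decoded_bytes": len(data),
        "mz_header": looks_like_windows_executable(data),
        "preview": data[:16],
    }


if __name__ == "__main__":
    print(b64_decode_manual(HOBBES_B64).decode("ascii"))
    print(decode_group("TVqQ"))  # ([19, 21, 42, 16], '010011010101101010010000', b'MZ\x90')
    print(inspect_attachment(PRICE_CPL_PREFIX_B64))
```

The group "TVqQ" is the worked case: T=19, V=21, q=42, Q=16 give the 24 bits 010011 010101 101010 010000, regrouped as 01001101 01011010 10010000, i.e. the bytes 0x4D 0x5A 0x90, which is "MZ" followed by a NOP. A gateway that decodes the attachment and checks for that header catches the executable even if it is renamed; the bounce message on the slide shows a server that instead relied on the ".cpl" extension.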
Protecting against viruses
 Signature-based antivirus programs
Compare the contents of a file to a database of
virus signatures
 A signature is an algorithm or a hash (a number or string
of characters derived from the virus code) that uniquely
identifies a specific virus.
Must update signature database periodically or
use automatic update feature if available
Virus signatures (examples)
1) 67344883409999999999
2) DF56eeb&^fgkFT&&&88jjj
3) 01000010100000000000
4) 78020000100000102398
5) 89950-1=ddjjdfjj3k3l355
6) …………………………………
Files to scan
1) Sales.xls
2) Forecast.doc
3) Staff.mdb
4) Ingredients.doc
5) Committees.xls
6) Minutes.accdb
7) ………………….
Question: Name two kinds of situation where signature-based antivirus won’t be effective?
Protecting against viruses (cont.)
 Heuristic-based antivirus that uses generic signatures
Through mutation or refinement by attackers, viruses
can grow into dozens of slightly different strains
called variants
Example: the Vundo trojan has evolved into two
distinct family members, Trojan.Vundo and
Trojan.Vundo.B
A generic signature can be generated for a virus
family (the bytes shared by all its variants, with wildcards
where they differ).
Heuristic analysis uses generic signatures to identify
new malware or variants of known malware
Question: Is generic signature more or less accurate than a specific virus’ signature?
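To make the contrast between a specific signature and a family-level generic signature concrete, here is an added Python example that is not from the slides. The toy "virus" samples, the stub bytes, the payload text and the names Example.Virus.A / Example.Virus.gen are all constructed for illustration; no real malware is involved. The specific signature is a SHA-256 hash of one captured sample, the generic signature is a byte pattern with a one-byte wildcard where the variants differ.

```python
import hashlib
import re

# Constructed samples for this example; none of these bytes are real malware.
# The toy "virus" is a small decryptor stub (its skeleton is fixed) followed by a
# body XOR-encoded with a one-byte key. A polymorphic variant changes the key, so
# the encoded body and the file hash change while the stub skeleton survives.
STUB_HEAD = b"\xE8\x00\x00\x00\x00\x5B\x81\xEB"   # call $+5 / pop ebx / sub ebx, imm
STUB_TAIL = b"\x8B\xC3\x33\xC9"                    # mov eax, ebx / xor ecx, ecx
BODY = b"open *.EXE; append self; restore timestamp"  # placeholder payload text


def build_variant(key: int, body: bytes = BODY) -> bytes:
    """Assemble a fake infected file: MZ header, stub with the key byte, encoded body."""
    encoded = bytes(b ^ key for b in body)
    return b"MZ" + b"\x00" * 6 + STUB_HEAD + bytes([key]) + STUB_TAIL + encoded


SAMPLE_A = build_variant(0x37)   # the copy the vendor captured and hashed
SAMPLE_B = build_variant(0x5C)   # same family, different key: a new variant
BENIGN_DOC = b"Quarterly sales forecast: Q1 up 4%, Q2 flat, Q3 up 2%."
# A harmless file that happens to contain the stub bytes (e.g. notes on assembly).
BENIGN_NOTES = b"get-EIP trick: " + STUB_HEAD + b"\x00" + STUB_TAIL + b" is common in packers"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Specific signature: the hash of one exact sample (a "signature" as the slide defines it).
HASH_DB = {sha256_hex(SAMPLE_A): "Example.Virus.A"}

# Generic signature: the bytes shared by every family member, with '.' as a one-byte
# wildcard where variants differ (the key). DOTALL lets '.' match a newline byte too.
GENERIC_DB = {
    "Example.Virus.gen": re.compile(
        re.escape(STUB_HEAD) + b"." + re.escape(STUB_TAIL), re.DOTALL
    ),
}


def match_specific(data: bytes):
    """Exact-sample detection: only a byte-for-byte identical file matches."""
    return HASH_DB.get(sha256_hex(data))


def match_generic(data: bytes):
    """Family detection: any file containing the shared stub skeleton matches."""
    for name, pattern in GENERIC_DB.items():
        if pattern.search(data):
            return name
    return None


def scan(files: dict[str, bytes]) -> dict[str, tuple]:
    """Return {file name: (specific verdict, generic verdict)} for each file."""
    return {name: (match_specific(data), match_generic(data)) for name, data in files.items()}


if __name__ == "__main__":
    results = scan({"a.exe": SAMPLE_A, "b.exe": SAMPLE_B,
                    "forecast.doc": BENIGN_DOC, "notes.txt": BENIGN_NOTES})
    for name, (specific, generic) in results.items():
        print(f"{name:14} specific={specific}  generic={generic}")
```

Running it shows the trade-off the question above is after: the captured sample is caught by both signatures, the re-keyed variant evades the hash but is caught by the generic pattern, the sales forecast is clean under both, and the assembly notes file is a false positive of the generic signature because it legitimately contains the same bytes. A wider pattern catches more of the family at the cost of precision.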
Protecting against viruses (cont.)
 Heuristic-based antivirus that uses virtual machines
Allows the antivirus program to simulate what would
happen if the suspicious file were executed
Executes the questionable program or script within a
specialized virtual machine (an isolated, emulated environment)
It then analyzes the execution, monitoring for
common viral activities: replication, file overwrites,
attempts to hide the existence of the suspicious file.
If one or more virus-like actions are detected, the
suspicious file is flagged as a potential virus.
Question: Which of the following is more likely to lead to false positive virus identifications:
signature-based or heuristic-based antivirus?
Based on the descriptions, is the classification of the malware as a virus
correct?
Worms
 Do not attach to files | A worm stands on its own
 Self-replicating malware that can propagate
across a network by itself
 Uses the host computer's resources, and its own
network code, to send copies of itself to
other computers
 Types of harm:
 Consuming network bandwidth. Morris and Mydoom are
notorious examples
 Consuming host computer resources (processing, RAM)
 Deleting files (e.g. the ExploreZip worm)
 Encrypting files (which leads to a cryptoviral extortion attack)
 Installing backdoor/zombie programs under the control of
the worm author (e.g. Sobig)
Protecting against worms
 Worms spread by exploiting vulnerabilities in the OS and in
the network services listening on open ports
 Make sure that unnecessary ports are not open
 Regular OS security updates are the best protection
 Other effective defense systems:
 Antivirus programs
 Local firewall software can block incoming worms
[Figure: two TCP/IP stacks, each with Application, Transport, Internet and Interface layers]
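One way to act on the "unnecessary ports" advice on a Linux host is to read the listening TCP sockets from `ss -ltn` and compare them with an allowlist of services the machine is supposed to offer. This is an added Python example, not from the slides: the `ss` output lines below are constructed so the script runs offline (on a real host you would feed it the output of `subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout`), and the allowlist, the loopback rule and the function names are my assumptions.

```python
# Constructed `ss -ltn` output for this example (not captured from a real host).
# Column 4 is the local address:port each socket is bound to.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*
LISTEN  0       128          127.0.0.1:631          0.0.0.0:*
LISTEN  0       50             0.0.0.0:445          0.0.0.0:*
LISTEN  0       128               [::]:22              [::]:*
LISTEN  0       4096           0.0.0.0:3389         0.0.0.0:*
"""

# Services this host is meant to expose to the network (assumption for the example).
ALLOWED_PORTS = {22}


def parse_ss(output: str) -> list[tuple[str, int]]:
    """Return (address, port) for every LISTEN line, skipping the header."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # rsplit keeps IPv6 addresses like "[::]" intact; only the last ':' separates the port.
        addr, port = fields[3].rsplit(":", 1)
        listeners.append((addr, int(port)))
    return listeners


def is_loopback(addr: str) -> bool:
    """Sockets bound only to loopback are not reachable by a worm on the network."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def exposed_listeners(output: str, allowed: set[int]) -> list[tuple[str, int]]:
    """Network-reachable listeners that are not on the allowlist: candidates to close."""
    return sorted(
        {(addr, port) for addr, port in parse_ss(output)
         if not is_loopback(addr) and port not in allowed}
    )


if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_SS_OUTPUT, ALLOWED_PORTS):
        print(f"unexpected listener: {addr}:{port}")
```

In the constructed sample the script reports 445 and 3389 on all interfaces, leaves 22 alone because it is allowed, and ignores 631 because it is bound to loopback only. Whether to stop the service or block the port with the local firewall is then a decision, not a discovery.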
Trojan Programs
 Non-self-replicating malware
 that appears to be a useful program (game, screen saver, free
antivirus, etc.)
 but is actually a backdoor or rootkit that facilitates remote access or a
"take over" by a remote hacker
 Once a Trojan horse is installed on a target computer, it
can be used for the following:
 Keystroke logging
 Data theft (e.g. passwords, credit card information, etc.)
 Installing other malware
 Using the host computer as part of a botnet for spamming or Distributed
DoS
 Deleting or modifying files
Trojan Programs (cont.)
Spyware
 Sends information from the infected computer
to the attacker
Confidential financial data
Passwords
PINs
Any other stored data
 Can record each keystroke entered (keylogging)
 Widespread
 Educate users about spyware
Adware
 Similar to spyware
Can be installed without the user being aware
 Sometimes displays a banner
 Main goal
Determine user’s online purchasing habits
Tailored advertisement
 Main problem
Slows down computers
Protecting Against Malware Attacks
at the organizational level
 What is/are the most effective technical
solution(s) that could be implemented at the
network level to deal with malware attacks?
 What is/are the most effective non-technical
solution(s) that could be implemented in an
organization to deal with malware attacks?