MALICIOUS

 SOFTWARE  
Raja  M.  Khurram  Shahzad  

1!
 Overview  
— IntroducAon  
— Virus  
— Worm  

— Other  Malicious  SoEware  

o     Backdoor/Trapdoor  
o     Logic  Bomb  
o     Trojan  Horse  

— DDoS  ANack  
o     DDos  DescripAon  
o     ConstrucAon  of  ANack  

2!
 Program DefiniAon  
A  computer  program  tells  a  computer    
what  to  do  and  how  to  do  it  
 
•  Computer   viruses,   network   worms,     and  
Trojan  Horse  are    
computer  programs.  

   
3!
 Malicious  soEware  ?  
•  Malicious  SoEware  (Malware)  is  a  soEware  that  is  included  or  
inserted  in  a  system  for  harmful  purposes.  
 
OR    
 
•  A   Malware   is   a   set   of   instrucAons   that   run   on   your   computer  
and  make  your  system  do  something  that  an  aNacker  wants  it  
to  do.  
 

4!
 The  Malware  Zoo  
•  Virus    
•  Worms  
•  Logic  Bomb  
•  Trojan  horse  
•  Zoombie  
•  Scareware  
•  Adware  
•  Backdoor  /  Trapdoors  

5!
 Taxonomy  of  Malicious  Programs  
Malicious Programs

Need Host Program

Independent

Trapdoors
Logic Trojan
Viruses
Zombies
Worms


Bombs
Horses

Most current malicious code mixes all capabilities! 6!

 What  it  is  good  for  ?  
•  Steal  personal  informaAon  

•  Delete  files  

•  Click  fraud    

•  Steal  soEware  serial  numbers  

7!
 What  to  Infect  
•  Executable  

•  Interpreted  file  

•  Kernel  

•  Service  

•  Master  Boot  Record    

8!
 Virus  
•  Self-­‐replicaAng   code,   aNaches   itself   to   another   program  
and  executes  secretly  when  the  host  program  is  executed.  

•  No  Hidden  acAon  
–  Generally  tries  to  remain  undetected,  but  what  about  acAviAes,  
such  as  deleted  files  ?  

9!
 Parts  of  a  Virus  
•  Three  Parts  
–  InfecAon   Mechanism:   The   means   by   which   a   virus  
spreads,   enabling   it   to   replicate,   also   referred   as  
InfecAon  Vector.    

–  Trigger:  The  event  or  condiAon  that  determines  when  

the  payload  is  acAvated  or  delivered.    

–  Payload:   The   payload   may   involve   damage   or   may  

involve  benign  but  NOTICEABLE  acAvity.    
 Phases  –  Life  Cycle  
•  Dormant  phase  -­‐  the  virus  is  idle  

•  Propaga1on  phase  -­‐  the  virus  places  an  idenAcal  copy  of  
itself  into  other  programs  

•  Triggering  phase  –  the  virus  is  acAvated  to  perform  the  

funcAon  for  which  it  was  intended  

•  Execu1on  phase  –    
the  funcAon  is  performed  

11!
Virus  Structure  

12!
 OperaAon  rouAne  
•  Operates   when   infected   code   executed   (execuAon  
sequence)  
–  Jump  to  Main  Virus  program  
–  If  spread  (infecAon)  condiAon  then  
{  
 For  target  files  :  if  not  infected,  then  alter  file  to  include  virus  
}  
–  Perform  malicious  acAon  
–  Transfer  control  back  
–  Execute  normal  program  

•  If   the   infecAon   phase   is   rapid,   user   will   not   noAce   any  

difference  between  the  execuAon  of  infected  program  and  
uninfected  program.    
 Types  of  Viruses  
•  On  the  basis  of  target  

•  Boot   Sector   Infector:   Infects   master   boot   record   /   boot   record   (boot  
sector)  of  a  disk  and  spreads  when  a  system  is  booted  with  an  infected  
disk  (original  DOS  viruses).  They  are  Memory-­‐resident  Virus.      

•  File  Infector  :  Infects  executable  files,  they  are  also  called  Parasi1c  Virus  
as  they  aNach  their  self  to  executable  files  as  part  of  their  code.    Runs  
whenever  the  host  program  is  executed.    

•  Macro   Virus   –Infects   files   with   macro   code   that   is   interpreted   by   the  
relevant  applicaAon,  such  as  doc  or  excel  files.    
 

14!
 Types  of  Viruses  
•  On  the  basis  of  concealment  strategy  

•  Encrypted  Virus  –  A  porAon  of  virus  creates  a  random  encrypAon  key  and  
encrypts   the   remainder   of   the   virus.   The   key   is   stored   with   the   virus.  
When  the  virus  replicates,  a  different  random  key  is  generated.    

•  Stealth  Virus  -­‐  explicitly  designed  to  hide  from  Virus  Scanning  programs.  

•  Polymorphic  Virus  -­‐  mutates  with  every  new  host  to  prevent  signature  
detecAon,  signature  detecAon  is  useless.    

•  Metamorphic  Virus  –  Rewrites  itself  completely  with  every  new  host,  may  
change  their  behavior  and  appearance.    
 
 

15!
 Recent  addiAon:  
 Email  Virus  
•  Moves   around   in   e-­‐mail   messages,   triggered   when   user  
opens  aNachment  
•  Do  local  damages  on  the  user’s  system  
•  Propagates  very  quickly  
•  Replicates  itself  by  automaAcally  mailing  itself  to  dozens    
 of  people  in  the  vicAm’s    
e-­‐mail  address  book  
 

16!
 Examples  of  risky  file  types  
•  The  following  file  types  should  never  be  opened  if…  
–  .EXE  
–  .PIF  
–  .BAT  
–  .VBS  
–  .COM  

17!
 Viruses  PropagaAon  
•  Virus  wriNen  in  some  language  e.g.  C,  C++,  Assembly  
etc.  

•  Inserted  into  another  program  

–  use  tool  called  a  “dropper”  

•  Virus  dormant  unAl  program  executed  

–  then  infects  other  programs  
–  eventually  executes  its  “payload”  

18!
 Viruses  PropagaAon  

•  An  executable  program  
•  With  a  virus  at  the  front  (File  size  is  increased)  
•  With  the  virus  at  the  end  (File  size  is  increased)  
•  With  a  virus  spread  over  free  space  within  program  
 
19!
 Viruses  PropagaAon  

(a)  A  program  
(b)  Infected    program  
(c)  Compressed  infected  program  
(d)  Encrypted  virus  
(e)  Compressed  virus  with  encrypted  compression  code  
20!
 AnA-­‐virus  
•  It   is   not   possible   to   build   a   perfect   virus/malware  
detector.  
•  Analyze  system  behavior  
•  Analyze  binary  to  decide  if  it  a  virus  
•  Type  :  
–  Scanner  
–  Real  Ame  monitor  

21!
 AnA-­‐virus  
•  Scanners  
–  First  GeneraAon,  relied  on  signature.    
–  Second   GeneraAon,   relied   on   heurisAc   rules   or   integrity  
checking  (e.g.  checksum  appended  to  a  program).  

•  Real  Ame  Monitors  

•  Third   GeneraAon,   memory   resident   and   idenAfy   virus   by   its  
acAons  (behaviour).  
•  Fourth  GeneraAon,  combinaAon  of  different  capabiliAes.    

22!
 Worm  
A computer worm is a self-replicating computer
virus. It uses a network to send copies of itself to
other nodes and do so without any user
intervention.!

23!
Comparision  of  Worm  Features  
1)    Computer  Virus:   • Needs  a  host  file  
• Copies  itself  
• Executable  

2)    Network  Worm:   • No  host  (self-­‐contained)    

• Copies  itself      
• Executable  

3)    Trojan  Horse:   •   No  host  (self-­‐contained)  

• Does  not  copy  itself  
• Imposter  Program   24!
 Worm:  History  
•  Runs  independently    
–  Does  not  require  a  host  program  

•  Propagates  a  fully  working  version  of  itself  to  other  machines  

—  History  
◦  Morris  worm  was  one  of  the  first  worms  distributed  over  Internet  
—  Two  examples    
◦  Morris  –  1998,  
◦  Slammer  –  2003  

25!
 Worm  OperaAon  
•  Worm  has  similar  phases  like  a  virus:  
•  Dormant  (inacAve;    rest)  

•  PropagaAon  
•  Search  for  other  systems  to  infect  
•  Establish  connecAon  to  target  remote  system  
•  Replicate  self  onto    
remote  system  

–  Triggering  

–  ExecuAon  

26!
 Morris  Worm  
•  Best  known  classic  worm  

•  Released  by  Robert  Morris  in  1988  

•  Targeted  Unix  systems  

•  Using  several  propagaAon  techniques  

•  If  any  aNack  succeeds  then  replicated  self  

27!
 Slammer  (Sapphire)  Worm  
•  When  
•  Jan  25  2003  

•  How  
•  Exploit  Buffer-­‐overflow  with  MS  SQL  

•  Random  Scanning  
•  Randomly  select  IP  addresses  

•  Cost  
•  Caused  ~  $2.6  Billion  in  damage  
 

28!
 Slammer  Scale  

The  diameter  of  each  circle  is  a  funcAon  of  the  number  of  infected  machines,  so  
large   circles   visually   under   represent   the   number   of   infected   cases   in   order   to  
minimize  overlap  with  adjacent  locaAons    

29!
 The  worm  itself  …  
—  System  load  
◦  InfecAon  generates  a  number  of  processes  
◦  Password  cracking  uses  lots  of  resources  
◦  Thousands  of  systems  were  shut  down  

•  Tries  to  infect  as  many  other  hosts  as  possible  

–  When  worm  successfully  connects,  leaves  a  child  to  conAnue  the  infecAon  
while  the  parent  keeps  trying  new  hosts  
–  find  targets  using  several  mechanisms:  'netstat  -­‐r  -­‐n‘,  /etc/hosts,    

•  Worm  DO  NOT:  

–  Delete   system's   files,   modify   exisAng   files,   install   Trojan   horses,   record   or  
transmit  decrypted  passwords,  capture  super  user  privileges  

30!
Backdoor  or  Trapdoor  
—  Secret  entry  point  into  a  program  
—  Allows  those  who  know  access  by  passing  usual  security  
procedures  
—  Remains  hidden  to  casual  inspecAon  
—  Can  be  a  new  program  to  be  installed  
—  Can  modify  an  exisAng  program  
—  Trap  doors  can  provide  access  to  a  system  for  
unauthorized  procedures  
—  Very  hard  to  block  in  O/S  

31!
 Trap  Door  Example  

(a)  Normal  code.    

(b)  Code  with  a  trapdoor  inserted  

32!
 Logic  Bomb  
•  One  of  oldest  types  of  malicious  soEware  
•  Piece  of  code  that  executes  itself  when  pre-­‐defined  condiAons  are  
met  
•  Logic  Bombs  that  execute  on  certain  days  are  known  as  Time  
Bombs  
•  AcAvated  when  specified  condiAons  met  
–  E.g.,  presence/absence  of  some  file  
–  parAcular  date/Ame  
–  parAcular  user  
•  When  triggered  typically  damage  system  
–  modify/delete  files/disks,  halt  machine,  etc.  

33!
 Tracing  Logic  Bombs  
•  Searching - Even the most experienced programmers have trouble
erasing all traces of their code

•  Knowledge - Important to understand the underlying system

functions, the hardware, the hardware/software/firmware/
operating system interface, and the communications functions
inside and outside the computer

•  Example of benign logical fun

–  http://googletricks.com/top-25-fun-google-tricks/
–  Type zerg rush in google
 

34!
Trojan  Horse  

35!
 Trojan  Horse  
•  Trojan  horse  is  a  malicious  program    that  is  designed  as  
authenAc,    real  and  genuine  soEware.    
 
•  Like  the  giE  horse  leE  outside  the  gates  of  Troy  by  the  
Greeks,   Trojan   Horses   appear   to   be   useful   or  
interesAng   to   an   unsuspecAng   user,   but   are   actually  
harmful.  

36!
Trojan  Percentage  

37!
 What  Trojans  can  do  ?  
•  Erase  or  overwrite  data  on  a  computer  
•  Spread  other  viruses  or  install  a  backdoor.  In  this  case  the  
Trojan  horse  is  called  a  'dropper'.  
•  Sevng  up  networks  of  zombie  computers  in  order  to  launch  
DDoS  aNacks  or  send  Spam.  

•  Logging  keystrokes  to  steal  informaAon  such  as  passwords  

and  credit  card  numbers  (known  as  a  key  logger)  
•  Phish  for  bank  or  other  account  details,  which  can  be  used  for  
criminal  acAviAes.  
•  Or  simply  to  destroy  data  
•  Mail  the  password  file.  
 

38!
 How  can  you  be  infected  ?  
•  Websites:  You  can  be  infected  by  visiAng  a  rogue  website.  
Internet   Explorer   is   most   oEen   targeted   by   makers   of  
Trojans  and  other  pests.  Even  using  a  secure  web  browser,  
such  as  Mozilla's  Firefox,  if  Java  is  enabled,  your  computer  
has  the  potenAal  of  receiving  a  Trojan  horse.  

•  Instant   message:   Many   get   infected   through   files   sent  

through  various  messengers.  This  is  due  to  an  extreme  lack  
of   security   in   some   instant   messengers,   such   of   AOL's  
instant  messenger.  

•  E-­‐mail:   ANachments   on   e-­‐mail   messages   may   contain  

Trojans.    Trojan  horses  via  SMTP.  

39!
 Sample  Delivery  
•  ANacker  will  aNach  the  Trojan  to  an  e-­‐mail  with  an  enAcing  
header.  
 
•  The   Trojan   horse   is   typically   a   Windows   executable  
program   file,   and   must   have   an   executable   file   extension  
such   as   .exe,   .com,   .scr,   .bat,   or   .pif.   Since   Windows   is  
configured   by   default   to   hide   extensions   from   a   user,   the  
Trojan   horse's   extension   might   be   "masked"   by   giving   it   a  
name   such   as   'Readme.txt.exe'.   With   file   extensions  
hidden,   the   user   would   only   see   'Readme.txt'   and   could  
mistake  it  for  a  harmless  text  file.    

40!
 Where  They  Live  ?  (1)  
•  Autostart  Folder  
The  Autostart  folder  is  located  in  C:\Windows\Start  Menu\Programs
\startup  and  as  its  name  suggests,  automaAcally  starts  everything  placed  
there.    
•  Win.ini  
Windows  system  file  using  load=Trojan.exe  and  run=Trojan.exe  to  execute  
the  Trojan    
•  System.ini  
Using  Shell=Explorer.exe  trojan.exe  results  in  execuAon  of  every  file  aEer  
Explorer.exe    
•  Wininit.ini  
Setup-­‐Programs  use  it  mostly;  once  run,  it's  being  auto-­‐deleted,  which  is  
very  handy  for  Trojans  to  restart    

41!
 Where  They  Live  ?  (2)  
•  Winstart.bat  
AcAng  as  a  normal  bat  file  trojan  is  added  as  @trojan.exe  to  hide  its  
execuAon  from  the  user    

•  Autoexec.bat  
It's  a  DOS  auto-­‐starAng  file  and  it's  used  as  auto-­‐starAng  method  like  this  -­‐>  
c:\Trojan.exe    

•  Config.sys  
Could  also  be  used  as  an  auto-­‐starAng  method  for  Trojans    

•  Explorer  Startup  
Is  an  auto-­‐starAng  method  for  Windows95,  98,  ME,  XP  and  if  c:
\explorer.exe  exists,  it  will  be  started  instead  of  the  usual  c:\Windows
\Explorer.exe,  which  is  the  common  path  to  the  file.  

42!
 What  the  aNacker  wants?  
•  Credit  Card  InformaAon  (oEen  used  for  domain    
registraAon,  shopping  with  your  credit  card)    

•  Any   accounAng   data   (E-­‐mail   passwords,   Login   passwords,  

Web  Services  passwords,  etc.)    

•  Email  Addresses  (Might  be  used  for  spamming,  as  explained  

above)      

•  Work   Projects   (Steal   your   presentaAons   and   work   related  

papers)        

•  School  work  (steal  your  papers  and  publish  them  with  his/
her  name  on  it)  
43!
 Stopping  the  Trojan  …  
The  Horse  must  be  “invited  in”  ….  

How  does  it  get  in?   By:  

Downloading  a  file  
Installing  a  program  
Opening  an  aNachment  
Opening  bogus  Web  pages  
Copying  a  file  from  someone  else  

44!
 Zombie  
•  The   program   which   secretly   takes   over   another  
networked   computer     and   force   it   to   run   under   a  
common  command  and  control  infrastructure.  
•  Uses  it  to  indirectly  launch  aNacks,  e.g.,  DDoS,  phishing,  
spamming,  cracking    
•  Difficult  to  trace  zombie’s  creator)  
•  Infected  computers  —  mostly  Windows  machines  —  are  
now  the  major  delivery  method  of  spam.  

•  Zombies  have  been  used  extensively  to  send  e-­‐mail  

spam;  between  50%  to  80%  of  all  spam  worldwide  is  now  
sent  by  zombie  computers.  
  45!
Adware  

46!
Scareware  /  Rouge/  
Fake  anAvirus  

47!
Where  malware  Lives:  Auto  start  
•  Folder  auto-­‐start    

•  Win.ini  :  run=[backdoor]"  or  "load=[backdoor]".  

•  System.ini  :  shell=”myexplorer.exe”  

•  Autoexec.bat  

•  Config.sys  
•  Init.d  

48!
 Auto  start  
•  Assign  know  extension  (.doc)  to  the  malware  

•  Add  a  Registry  key  such  as  HKCU\SOFTWARE\Microso=

\Windows  \CurrentVersion\Run  

•  Add  a  task  in  the  task  scheduler  

•  Run  as  service  

49!
 Web  
—  1.3%  of  the  incoming  search  queries  to  Google  returned  at  a  
least  one  malware  site  

—  Visit  sites  with  an  army  of  browsers  in  VMs,  check  for  changes  
to  local  system  

—  Indicate  potenAally  harmful  sites  in  search  results  

Web:  Fake  page  

51!
Shared  folder  

52!
Email  

53!
Email  again  

54!
 P2P  Files  

•  35.5%  malwares  
 

55!
 Typical  Symptoms  
•  File  deleAon  
•  File  corrupAon  
•  Visual  effects  
•  Pop-­‐Ups  
•  Computer  crashes  
•  Slow  ConnecAon  
•  Spam  Relaying  

56!
 Distributed Denial of Service
•  A  denial-­‐of-­‐service  aKack  is  an  aNack  that  causes  a  loss  
of   service   to   users,   typically   the   loss   of   network  
connecAvity.  

•  CPU,   memory,   network   connecAvity,   network  

bandwidth,  baNery  energy  

•  Hard  to  address,  especially  in  distributed  form  

57!
 DDoS  Mechanism  
•  Goal:  make  a  service  unusable.  

•  How:   overload   a   server,   router,   network   link,   by  

flooding  with  useless  traffic  

•  Focus:   bandwidth   aNacks,   using   large   numbers   of  

“zombies”    
 

58!
 How  it  works?  
•  The   flood   of   incoming   messages   to   the   target   system  
essenAally   forces   it   to   shut   down,   thereby   denying  
service  to  the  system  to  legiAmate  users.    

•  VicAm's  IP  address.    

•  VicAm's  port  number.    
•  ANacking  packet  size.    
•  ANacking  inter-­‐packet  delay.    
•  DuraAon  of  aNack.    
 

59!
 Example  1  
•  Ping-­‐of-­‐death  
–  IP  packet  with  a  size  larger  than  65,536  bytes  is  illegal  by  standard  

–  Many  operaAng  system  did  not  know  what  to  do  when  they  received  
an  oversized  packet,  so  they  froze,  crashed  or  rebooted.  

–  Routers  forward  each  packet  independently.  

–  Routers  don’t  know  about  connecAons.  

–  Complexity  is  in  end  hosts;  routers  are  simple.  

60!
Example  1  
 Example  2  
•  TCP  handshake  

•  SYN  Flood  
–  A  stream  of  TCP  SYN  packets  directed  to  a  listening  TCP  port  at  the  
vicAm  
–  The  host  vicAm  must  allocate  new  data  structures  to  each  SYN  request  
–  legiAmate  connecAons  are  denied  while  the  vicAm  machine  is  waiAng    
to  complete  bogus  "half-­‐open"  connecAons  
–  Not  a  bandwidth  consumpAon  aNack  

•  IP  Spoofing  

62!
Example  2  

63!
From  DoS  to  DDoS  

64!
From  DoS  to  DDoS  

65!
Distributed  DoS  ANack  

66!
 DDoS  Countermeasures  
•  Three  broad  lines  of  defense:  

1.  aNack  prevenAon  &  preempAon  (before)  

2.  aNack  detecAon  &  filtering  (during)  

3.  aNack  source  trace  back  &  idenAficaAon  (aEer)  

67!