Malicious Software

By

Mar 13th, 2015


“What is the concept of defense? The parrying of a blow. What is its characteristic feature? Awaiting the blow.”

On War, Carl Von Clausewitz

Introduction: Malicious software, or malware, is a type of computer program that aims at exploiting vulnerabilities in a computer. It is therefore important to know how a program can harm our computer, what the different types of malicious program are, and in what ways these programs can harm it. The later part of this article focuses on the different types of malicious software.

Viruses and Related Threats:

  • Malicious Program: The following are some common forms of malicious programs:
    • Virus: A program that attaches itself to another program and propagates copies of itself to other programs.
    • Worm: A program that propagates copies of itself to other computers.
    • Logic bomb: A program that takes a certain action when a set of conditions is fulfilled.
    • Trojan horse: A program that comes with unexpected additional functionality.
    • Backdoor (trapdoor): Through program modification, this program allows unauthorized access to a function of a computer.
    • Exploits: Malicious code that targets a single type of vulnerability.
    • Downloaders: Generally sent in an e-mail, these programs download further items onto the computer under attack.
    • Auto-rooter: Hacking tools used to break into a remote computer.
    • Kit (Virus generator): A set of tools that generates new viruses automatically.
    • Spammer programs: Programs used to send large numbers of unwanted e-mails to others' accounts.
    • Flooders: Programs used to flood a network with traffic larger than the capacity of that network, in order to carry out a denial of service attack.
    • Keyloggers: Programs designed to track the keystrokes on a compromised system.
    • Rootkit: A set of hacker tools used after an attacker has broken into a computer system and gained root-level access.
    • Zombie: A program planted on an infected machine that is activated to launch attacks on other machines.
  • The Nature of Viruses: A virus is a type of malicious program that infects the files of a computer. The major characteristic of a virus program is that it replicates and multiplies itself, which is why it is named after the virus, a microorganism that replicates itself. The following are the phases of a virus's life.
    • Dormant phase:
    • Propagation phase:
    • Triggering phase:
    • Execution phase:
  • Types of Viruses:
    • Parasitic virus:
    • Memory-resident virus:
    • Boot sector virus:
    • Stealth virus:
    • Polymorphic virus:
    • Metamorphic virus:
  • Macro Viruses: In the mid-1990s, macro viruses became by far the most prevalent type of virus. Macro viruses are particularly threatening for a number of reasons. A macro virus is platform independent: virtually all macro viruses infect Microsoft Word documents, so they can infect any hardware platform and operating system that supports the Microsoft Word program. A macro virus does not infect executable portions of code; it infects a Word document. Macro viruses are easy to spread because most of the time they are transmitted through e-mail, which is a free means of communication.
  • E-mail Viruses: A later development in malicious software was the e-mail virus. Melissa was the first rapidly spreading e-mail virus. It used a Microsoft Word macro embedded in an e-mail attachment. When someone opens this kind of file, the Word macro gets activated. An e-mail virus sends itself to everyone on the mailing list in the user's e-mail package. The virus then does local damage.
  • Worms:
  • State of Worm Technology:
    • Multiplatform:
    • Multiexploit:
    • Ultrafast spreading:
    • Polymorphic:
    • Metamorphic:
    • Transport vehicle:
    • Zero-day exploit

Virus Countermeasures

  • Antivirus Approaches: It is important to prevent viruses from getting into our machines, because once a virus has entered a machine it is difficult to remove, as it keeps infecting files and increasing in number. Prevention alone is not enough to keep our machines safe; we also need to adopt the following vital steps:
    • Detection: Detection of a virus is important, because without detection we would remain unaware of the presence of viruses.
    • Identification: After successful detection, it is important to analyze what kind of virus exists and its risk level. What harm has been caused by the virus should also be identified.
    • Removal: The most important part is to remove the virus from all locations on the machine. Restoring infected programs to their previous state is also important.

With the passage of time, viruses and antivirus software grew more complex. The following are the four generations of antivirus software.

  • First generation: simple scanners
  • Second generation: heuristic scanners
  • Third generation: activity traps
  • Fourth generation: full-featured protection
  • Advanced Antivirus Techniques: More sophisticated antivirus approaches and products continue to appear. In this subsection, we highlight two of the most important.
    • Generic decryption: Generic decryption technology enables the antivirus program to easily detect even the most complex polymorphic viruses, while maintaining fast scanning speeds. Recall that when a file containing a polymorphic virus is executed, the virus must decrypt itself to activate. In order to detect such a structure, executable files are run through a generic decryption scanner, which contains the following elements:
      • CPU emulator: A software-based virtual computer. Instructions in an executable file are interpreted by the emulator rather than executed on the underlying processor hardware, so that the underlying processor is unaffected by programs interpreted on the emulator.
      • Virus signature scanner: A module that scans the target code looking for known virus signatures.
      • Emulation control module: Controls the execution of the target code.
    • Behavior-Blocking Software: Unlike heuristic or fingerprint-based scanners, behavior-blocking software integrates with the operating system of a host computer and monitors program behavior in real time for malicious actions. The behavior-blocking software then blocks potentially malicious actions before they have a chance to affect the system. Monitored behaviors can include the following:
      • Attempts to open, view, delete, and/or modify files;
      • Attempts to format disk drives and other unrecoverable disk operations;
      • Modifications to the logic of executable files or macros;
      • Modification of critical system settings, such as start-up settings;
      • Scripting of e-mail and instant messaging clients to send executable content;
      • Initiation of network communication.
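The generic decryption technique above, as an added example that is not part of the original article: a toy CPU emulator (a constructed five-instruction VM, not a real x86 emulator) runs a constructed polymorphic sample against a private memory copy, an emulation control module bounds the run, and a signature scanner checks the image after every step, so the body is caught once the sample has decrypted itself even though a static scan of the file finds nothing.

```python
SIGNATURE = b"EVIL_PAYLOAD"  # constructed signature of a toy virus body

def xor_encrypt(payload: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in payload)

def static_scan(image: bytes) -> bool:
    """Plain signature scan of the file as it sits on disk."""
    return SIGNATURE in image

def build_sample(key: int, payload: bytes):
    """Constructed polymorphic sample: a short decryption loop plus an
    XOR-encrypted body. Each new key gives a new body, so static_scan fails."""
    body = xor_encrypt(payload, key)
    code = [
        ("MOV", "r0", 0),                # r0 = index into the body
        ("XOR", "r0", key),              # body[r0] ^= key: decrypt one byte
        ("INC", "r0"),
        ("CMP_JL", "r0", len(body), 1),  # loop back to XOR while r0 < len
        ("JMP_BODY",),                   # transfer control into the body
    ]
    return code, body

def emulate(code, memory: bytearray, max_steps: int = 10_000):
    """CPU emulator plus emulation control module: run the sample against a
    private memory copy; stop at the step budget, on a fault, on a control
    transfer into data, or as soon as the signature scanner gets a hit."""
    regs, pc = {"r0": 0}, 0
    for step in range(1, max_steps + 1):
        if pc >= len(code):
            return ("clean", step)          # ran off the end without a hit
        op = code[pc]
        try:
            if op[0] == "MOV":
                regs[op[1]] = op[2]; pc += 1
            elif op[0] == "XOR":
                memory[regs[op[1]]] ^= op[2]; pc += 1
            elif op[0] == "INC":
                regs[op[1]] += 1; pc += 1
            elif op[0] == "CMP_JL":
                pc = op[3] if regs[op[1]] < op[2] else pc + 1
            elif op[0] == "JMP_BODY":
                return ("suspicious-transfer", step)  # would execute data
        except IndexError:
            return ("fault", step)          # access outside the sandbox image
        # Virus signature scanner: inspect the image as it is being decrypted.
        if SIGNATURE in memory:
            return ("infected", step)
    return ("undecided", max_steps)

def generic_decryption_scan(code, body: bytes):
    return emulate(code, bytearray(body))
```

The step budget is what keeps scanning fast: a real product stops emulating after a bounded number of instructions and falls back to other techniques if no signature has appeared.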

Distributed Denial of Service Attacks (DDoS): Distributed denial of service attacks present a significant security threat to organizations. A distributed denial of service attack, as its name suggests, is an attempt to prevent legitimate users of a service from using that service. It makes a service inaccessible by flooding the network with a load greater than the capacity of that system.

  • DDoS Attack Description: A DDoS attack attempts to consume the target's resources so that it cannot provide service. One way to classify DDoS attacks is in terms of the type of resource that is consumed. Broadly speaking, the resource consumed is either an internal host resource on the target system or data transmission capacity in the local network to which the target is attached.
  • Constructing the Attack Network: The first step in a DDoS attack is for the attacker to infect a number of machines with zombie software that will ultimately be used to carry out the attack. The essential ingredients in this phase of the attack are the following:
    • Software that can carry out the DDoS attack
    • A vulnerability in a large number of systems
    • A strategy for locating vulnerable machines, a process known as scanning
  • DDoS Countermeasures: In general there are three lines of defense against attacks:
    • Attack prevention and preemption (before the attack): These mechanisms enable the victim to endure attack attempts without denying service to legitimate clients. Techniques include enforcing policies for resource consumption and providing backup resources available on demand. In addition, prevention mechanisms modify systems and protocols on the Internet to reduce the possibility of DDoS attacks.
    • Attack detection and filtering (during the attack): These mechanisms attempt to detect the attack as it begins and respond immediately. This minimizes the impact of the attack on the target. Detection involves looking for suspicious patterns of behavior. Response involves filtering out packets likely to be part of the attack.
    • Attack source traceback and identification (during and after the attack): This is an attempt to identify the source of the attack as a first step in preventing future attacks. However, this method typically does not yield results fast enough, if at all, to mitigate an ongoing attack.
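The "attack detection and filtering" line of defense, as an added example that is not from the original article: a sliding-window detector run over a constructed packet trace (five zombie sources plus one legitimate client). Because each zombie in a distributed attack can stay modest on its own, the aggregate rate decides that an attack is in progress, and only then are individual sources above a per-source limit filtered, so the low-rate legitimate client keeps getting service. The thresholds are assumed values for the toy trace, not recommendations.

```python
from collections import defaultdict, deque

WINDOW = 1.0      # seconds of history kept per source and in aggregate
AGG_LIMIT = 100   # packets per window across all sources: attack in progress
SRC_LIMIT = 20    # packets per window one source may send while under attack

def build_trace():
    """Constructed packet trace of (timestamp, source_ip): five zombies each
    send 25 packets/s for 2.4 s, a legitimate client sends five requests."""
    trace = []
    for z in range(5):
        trace += [(0.5 + i * 0.04, f"10.0.0.{z + 1}") for i in range(60)]
    trace += [(t, "192.168.1.5") for t in (0.2, 1.1, 1.9, 2.4, 3.2)]
    trace.sort()
    return trace

def filter_trace(trace):
    """Detection: sliding-window counts per source and in aggregate. Filtering:
    once the aggregate rate says an attack is on, drop packets from any source
    exceeding SRC_LIMIT; low-rate legitimate clients keep getting through."""
    per_src, agg = defaultdict(deque), deque()
    decisions = []                       # (ts, src, "pass"/"drop", under_attack)
    for ts, src in trace:                # trace is sorted, so ts never decreases
        for window in (agg, per_src[src]):
            window.append(ts)
            while ts - window[0] > WINDOW:   # expire packets older than WINDOW
                window.popleft()
        under_attack = len(agg) > AGG_LIMIT
        drop = under_attack and len(per_src[src]) > SRC_LIMIT
        decisions.append((ts, src, "drop" if drop else "pass", under_attack))
    return decisions

def summarize(decisions):
    """Per-source pass/drop counts, plus whether attack mode was ever entered."""
    counts = defaultdict(lambda: {"pass": 0, "drop": 0})
    attacked = False
    for _, src, verdict, under_attack in decisions:
        counts[src][verdict] += 1
        attacked = attacked or under_attack
    return dict(counts), attacked

if __name__ == "__main__":
    counts, attacked = summarize(filter_trace(build_trace()))
    print("attack detected:", attacked)
    for src, c in sorted(counts.items()):
        print(f"{src:12} pass={c['pass']:3} drop={c['drop']:3}")
```

In practice this logic sits upstream of the victim (at the ISP or a scrubbing service), since a filter on the target's own link still lets the flood consume the link's capacity.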

© 2006-2017 Latest Technology News.