UNIT 2 SOFTWARE VULNERABILITIES
Structure
2.0 Introduction
2.1 Objectives
2.2 Infection Process
2.3 Viruses
2.3.1 Classification of Viruses
2.3.2 Types of Viruses
2.3.3 Infection Methods
2.3.4 Prevention and Cure
2.4 Worm
2.5 Trojan Horses
2.5.1 Types of Trojan
2.5.2 Stopping Trojan Horses
2.6 Emerging Attacks: Social Engineering
2.6.1 Types of Social Engineering
2.6.2 Physical Social Engineering
2.7 Summary
2.8 Answers/Solutions
2.9 References/Further Readings
2.0 INTRODUCTION
Software vulnerability was defined in the previous unit. To the average user, the term
"virus" is shorthand for any software that exploits such a vulnerability. The problem is
potentially so dangerous that it threatens the proper functioning of computer systems in
today's information age. In this unit you will learn about unwanted software that is
deliberately bad in intent, whether written "for fun", "for curiosity" or simply to meet
the challenge of creating the most destructive software ever built. This software is
popularly known as "malware", a contraction of "malicious software". Malware does
nothing useful; it only does harm. In this unit we will study several types of malware,
each of which has different goals and propagates differently.
2.1 OBJECTIVES
At the end of this unit you should be able to:
• understand and define computer viruses and their evolution;
• understand the process of malware infection;
• know the different software vulnerabilities that malware exploits;
• identify different types of common malicious code such as Trojan horses, viruses
and worms;
• describe and apply various preventive measures and solutions for malware; and
• describe the various aspects of social engineering attacks.
2.2 THE PROCESS OF INFECTION
To understand how malware infects a system, we go back to the elementary working
of a computer. On booting, the system carries out the ROM (Read Only Memory)
instructions, the first being the Power On Self Test, which is followed by the bootstrap
process of reading the boot record and loading the disk operating system. The
booting process culminates in the system prompt displayed on the monitor.
The infection may begin as soon as a computer system boots from a contaminated disk
or executes an infected program. Whatever malware is present gets activated and
immediately begins to spread throughout the system.
Another important aspect that needs mention here is the interrupt mechanism. All
input/output activities on a PC are carried out through interrupts. Consider an
example: a user wishes to save a file and presses a key on the keyboard. The keystroke
is treated as an interrupt. Main memory holds specific routines to handle such
requests; the program that services an interrupt request is termed an Interrupt Service
Routine (ISR) and is located in memory at a known address. An interrupt request
carries a number rather than the routine's address, so there is a table (the interrupt
vector table) mapping each interrupt number to the address of the corresponding
routine. When an interrupt request is made, the CPU looks up the table, runs the
required routine and transfers control back to the interrupted program.
The interrupt vector table lives in RAM and is therefore vulnerable to modification by
user programs, and that is exactly what a virus does: it overwrites one or more ISR
addresses with the address of its own code, so that the virus runs every time that
interrupt is raised, and then passes control on to the original routine so that nothing
appears to be wrong.
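The hooking described above, as an added example that is not part of the original unit: a plain-Python model in which the interrupt vector table is a dictionary of handlers, a "disk write" service is the interrupt being hooked, and a resident virus replaces the table entry, infects every program written through it and then chains to the saved original routine. The interrupt number (0x13, chosen to mirror the BIOS disk service), the file names and the file contents are assumptions for the demo; nothing here touches a real interrupt.

```python
"""Added example (not from the original unit): a plain-Python model of an
interrupt vector table being hooked by a memory-resident virus.

Nothing here touches a real BIOS or DOS interrupt.  The interrupt number,
the 'disk' and the file contents are all assumed/constructed for the demo.
"""
from typing import Callable, Dict, List

INT_DISK = 0x13                 # assumed interrupt number for disk writes (mirrors BIOS INT 13h)
MARKER = b"TOYVIRUS"            # constructed marker the toy virus appends to programs

ISR = Callable[[str, bytes], None]

disk: Dict[str, bytes] = {}     # the 'disk': file name -> contents


def original_disk_isr(name: str, data: bytes) -> None:
    """The legitimate interrupt service routine: just store the file."""
    disk[name] = data


# The vector table sits in writable RAM, so any program can overwrite an entry.
vector_table: Dict[int, ISR] = {INT_DISK: original_disk_isr}


def raise_interrupt(number: int, name: str, data: bytes) -> None:
    """What the CPU does on an interrupt: look the number up and call the routine."""
    vector_table[number](name, data)


def install_resident_virus() -> None:
    """Hook INT_DISK: the virus runs first on every disk write, then chains to the
    saved original ISR so the system keeps working and nothing looks wrong."""
    saved = vector_table[INT_DISK]

    def hooked_isr(name: str, data: bytes) -> None:
        if name.upper().endswith((".COM", ".EXE")) and not data.endswith(MARKER):
            data += MARKER              # 'infect' every program as it is written
        saved(name, data)               # chain to the original routine

    vector_table[INT_DISK] = hooked_isr


def snapshot_vectors() -> Dict[int, ISR]:
    """Record where every vector points while the system is known clean."""
    return dict(vector_table)


def changed_vectors(baseline: Dict[int, ISR]) -> List[int]:
    """The check a preventer runs: which vectors no longer point where they did?"""
    return [n for n, isr in vector_table.items() if baseline.get(n) is not isr]


def demo() -> dict:
    """Boot clean, write a file, let the virus go resident, then write two more."""
    disk.clear()
    vector_table[INT_DISK] = original_disk_isr
    baseline = snapshot_vectors()
    raise_interrupt(INT_DISK, "CLEAN.COM", b"\xb4\x09\xcd\x21")
    install_resident_virus()
    raise_interrupt(INT_DISK, "GAME.EXE", b"MZ\x90\x00")     # gets infected
    raise_interrupt(INT_DISK, "NOTES.TXT", b"hello")         # not a program: untouched
    return {"hooked": changed_vectors(baseline), "disk": dict(disk)}


if __name__ == "__main__":
    print(demo())
```

The point of `changed_vectors` is that the same property the virus relies on (the table is ordinary writable memory) is what lets a resident guard catch it: record the table when the system is known clean and compare it after every program load.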
The first widely reported PC virus appeared in 1986, when two Pakistani brothers, in
order to keep track of software piracy, shipped the Brain virus (also known as the
Pakistani virus) with the low-cost software sold from their outlet in Lahore. Hidden on
nearly every disk they sold was an extra program not supplied by the original
manufacturer: a snippet of self-replicating computer code that would infect an
unauthorised user's computer and disrupt its operation. Such self-replicating
programs multiplied so fast that today they pose a great threat to the smooth
operation of computers.
2.3 VIRUSES
A boot sector is a sector of a hard disk, floppy disk, or other data storage device that
contains code for booting programs stored in other parts of the disk.
A virus is malware that, when executed, tries to replicate itself into other executable
code. When it succeeds, that code is said to be infected, and the infected code, when
run, can infect new code in turn. Viruses are self-replicating and parasitic: a virus
replicates by copying itself, or initiating its own copying, into another program, a
computer's boot sector or a document. Viruses can be transmitted as attachments to an
e-mail message or a downloaded file, or be present on a diskette or CD. Some viruses
start their effects as soon as their code is executed; others lie dormant until
circumstances cause their code to be executed by the computer. Generally speaking,
viruses hide within computer files rather than sitting out in the open in some obvious,
visible and separate form. But a virus must be run in order to proceed with its
destructive work; until this happens it cannot do any harm. This explains why the
most effective technique for fending off viruses is to inspect all files and media that
enter the system, look for possible signs of infection, and refuse to copy infected
material into memory.
2.3.1 Classification of Viruses
Viruses are classified on the basis of their mode of existence, and there are three
categories of viruses:
1) Boot Infectors
2) System Infectors
3) General Executable Program Infectors
Boot Infectors: As the name suggests, they are characterised by the fact that they
physically reside in the boot sector (sector 0) of the disk. A system infected by
such a virus will have the virus residing in a particular area of the disk rather than in a
program file.
These viruses get loaded soon after the Power On Self Test, take control of the system
and remain in control at all times. They sometimes have the capability to trap a soft
boot (CTRL+ALT+DEL) and remain in control even if the system is then booted from a
non-infected floppy, thereby contaminating the clean floppy.
Boot infectors displace the information originally residing at the location they
occupy. While writing itself onto the boot sector, the virus ensures that the original
boot record is not destroyed but moved elsewhere on the disk. Once the virus is
loaded, it transfers control to the area where the original boot record is kept. The
reason for doing this is that the boot record contains the instructions to read the
operating system's boot files; if those files were not readable, the disk would be
unusable and the virus would be ineffective. To protect the relocated boot record,
boot infectors typically mark the sectors they use as "bad sectors". Once loaded, a
boot infector stays in memory until the system is switched off, and stays on the disk
until the disk is reformatted.
System Infectors: This second category of viruses deals with the components of the
operating system itself. All machines without exception require an operating system in
order to create an environment in which the operator works. For example, in MS-DOS,
COMMAND.COM contains all the internal commands. If no such command file
exists, commands such as COPY, DIR etc. are not loaded into memory when the
machine is booted. System infectors attach themselves to a file such as
COMMAND.COM or to other memory-resident files and manipulate these files.
System infectors differ from boot infectors in that system infectors gain control only
after the computer is booted, and they infect only hard disks or bootable floppies that
contain the appropriate system files. They have another peculiarity: they may
activate after a given period of time, or may instantly begin subtle modifications of
system processing, such as increasing the time taken to perform system functions,
scrambling data, or modifying system error messages or information messages.
General Executable Program Infectors: From the infection point of view, these
viruses are the most dangerous and devastating of the three classes. They attach
themselves to program files and can spread to almost any executable program in any
system. These viruses change the original program's first instructions into a "jump" to
their own code, and end that code with a return to the original program. As a result,
whenever the program is executed, the virus gets loaded and executed first and then
allows the original program to proceed. It remains memory resident and infects each
and every program that is loaded for execution.
By attaching themselves to .EXE or .COM files they alter the file size, and repeated
infections of the same file can eventually render a program file too large to be
accommodated in memory.
The major differences between an EXE file and a COM file:
1) An EXE file contains a header, whereas a COM file does not.
2) An EXE program can contain more than one segment, but a COM program is
limited to a single segment (code, data and stack together in at most 64 KB).
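The "jump to its own code, then return to the original program" mechanism of an executable infector, and the file growth that repeated infection causes, as an added example (not from the original unit). The "machine" is a toy: it understands a 3-byte JMP to an absolute offset and a 1-byte RET, and treats every other byte as a harmless one-byte instruction. The victim program and the virus body are constructed bytes, not real x86 code, and the 16-byte growth per infection is just this toy's figure.

```python
"""Added example (not from the original unit): a toy model of an executable
program infector.  The 'machine' understands only two instructions, a
3-byte absolute JMP (0xE9 lo hi, a toy encoding) and RET (0xC3); every other
byte is treated as an ordinary one-byte instruction.  The program and the
virus body are constructed bytes, not real x86 code.
"""
from typing import Tuple

JMP, RET = 0xE9, 0xC3
VIRUS_BODY = b"\x90" * 8 + b"TOYVIRUS"      # 16 bytes; contains no JMP or RET byte

# Constructed victim program: eight one-byte 'instructions' ending in RET.
PROGRAM = b"\xb4\x09\xba\x0c\x01\xcd\x21\xc3"


def jmp_to(offset: int) -> bytes:
    return bytes([JMP]) + offset.to_bytes(2, "little")


def infect(program: bytes, reinfect: bool = False) -> bytes:
    """Append the virus and redirect the entry point to it.

    Layout of the result:
        [JMP virus][rest of program][VIRUS_BODY][saved 3 entry bytes][JMP 3]
    so the virus runs first, re-executes the three bytes it displaced, and
    jumps back into the original program: the 'jump to its own code ... then
    return to the original program' described above.
    """
    if VIRUS_BODY in program and not reinfect:
        return program                        # the virus's own 'already infected?' check
    saved_entry = program[:3]
    return (jmp_to(len(program)) + program[3:]
            + VIRUS_BODY + saved_entry + jmp_to(3))


def run(image: bytes, max_steps: int = 10_000) -> bytes:
    """Trace execution from offset 0; return the non-jump bytes executed, in order."""
    executed = bytearray()
    pc = 0
    for _ in range(max_steps):
        op = image[pc]
        if op == JMP:
            pc = int.from_bytes(image[pc + 1:pc + 3], "little")
            continue
        executed.append(op)
        if op == RET:
            break
        pc += 1
    return bytes(executed)


def growth(program: bytes, times: int) -> Tuple[int, int]:
    """Size before and after `times` re-infections (the 'too large for memory' effect)."""
    image = program
    for _ in range(times):
        image = infect(image, reinfect=True)
    return len(program), len(image)


if __name__ == "__main__":
    infected = infect(PROGRAM)
    print(len(PROGRAM), "->", len(infected), "bytes")
    print(run(infected) == VIRUS_BODY + PROGRAM)    # original behaviour preserved
    print(growth(PROGRAM, 50))
```

Running the infected image executes the virus body and then every original instruction in its original order, which is why the victim notices nothing. With `reinfect=True` the virus skips its own marker check, and each pass saves the previous entry JMP and adds another copy; that is the repeated-infection growth the text describes.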
2.3.2 Types of Viruses
The list of viruses has become a never-ending one, with new viruses joining it every
other day. We discuss some of the most commonly encountered viruses in the
computer industry.
Scores Virus: This virus is prevalent on Macintosh machines. Scores has a
built-in time trigger that activates two, four and seven days after the disk has
become infected. The consequences vary, ranging from printing problems and system
crashes to malfunctioning of disk operations. Data files are not directly affected by
this virus, but removing it requires deletion of all infected files.
Brain Virus: This is one of the first viruses that came into being. Also known as the
Pakistani virus, it was developed by the Pakistani brothers to keep track of the low-cost
software sold from their outlet in Lahore. The virus pops up a screen saying
"Welcome to the Dungeon". These viruses are known to destroy data and are highly
contagious.
Lehigh Virus: This virus originated at the Lehigh University Computer Centre. It
stays in the stack space of COMMAND.COM. After a PC is booted from an
infected disk, the virus spreads through commands such as COPY, TYPE and DIR:
whenever another disk carrying a COMMAND.COM is accessed, the virus code is
copied to that disk and a counter on the parent copy is incremented. When the counter
reaches a value of 4, all files on the disk are erased; the boot sector and the FAT are
ruined as well.
Friday the 13th: This virus attacks not only COMMAND.COM but also other
executable files. When a .COM or .EXE file is executed for the first time after
booting, the virus captures a specific interrupt and installs its own code; after that,
whenever any .EXE file is executed, the virus code is written to the end of the file,
increasing the size of the file by 1808 bytes. In .COM files the virus code is
written at the beginning of the file.
The growth of .EXE and .COM files eventually causes a program to become too
large to be loaded into memory. Also, after a certain interval of time, delays are
inserted, resulting in considerable slowing down of programs. The worst disaster
occurs if an infected .EXE or .COM file is executed when the system date is Friday the
13th: all files get deleted.
Sunnyvale Slug: This does a variety of things, such as displaying the message "Greetings
from Sunnyvale. Can you find me?", and sometimes modifies the COPY
command so that files are deleted instead of copied.
Raindrops: This virus infects .COM files. It intercepts the load-and-execute function
of MS-DOS and checks whether the file is an .EXE; if it is not, the first three bytes of
the file are replaced by a jump instruction to the end of the file, where the virus code
is attached in encrypted form. Its effect is characters dropping or showering down
the screen like raindrops, accompanied by appropriate sound effects.
Happy Birthday 30th: This virus gets activated on January 5th if any of the infected
programs is executed, and asks the user to type "Happy Birthday 30th". It might
destroy all the data stored on a disk, such as a 1.2 MB floppy. A symptom of this
virus is that the computer's memory is reported as 6 KB less than the actual amount, e.g.
634 KB instead of 640 KB.
Storm Worm: A fast-spreading threat that arrived as spam e-mail aimed at
Microsoft Windows systems. It recruits infected computers into the Storm botnet.
2.3.3 Infection Methods
Antivirus programs can spot a virus in one of two ways. First, the antivirus program
may recognise a particular virus's signature, which is nothing more than a specific
sequence of bytes embedded in the virus: typically the instructions that tell it how to
behave. A virus's signature is like a criminal's fingerprint; each one is unique and
distinct.
A second way antivirus programs can detect a virus is through its behaviour. Antivirus
programs can often detect the presence of a previously unknown virus by catching the
virus as it tries to infect another file or disk.
To sneak past an antivirus program, many viruses use a variety of methods to spread:
• Direct infection
• Fast infection
• Slow infection
• Sparse infection
• RAM-resident infection
Direct infection means that the virus infects a disk, or one or more files, each time you
run the infected program or open the infected document. If you don't do either, the
virus can't spread at all. Direct infection is the simplest but also the most noticeable
way of infecting a computer and can often be detected by antivirus programs fairly
easily.
Fast infection means that the virus infects any file accessed by an infected program.
For example, if a virus infects your antivirus program, watch out! Each time the
infected antivirus program examines a file, it can actually infect that file immediately
after certifying that the file is virus-free.
Slow infection means that the virus only infects newly created files or files modified
by a legitimate program. By doing this, viruses attempt to further mask their presence
from antivirus programs.
Sparse infection means that the virus takes its time infecting files. Sometimes it infects
a file, and sometimes it doesn't. By infecting a computer slowly, viruses reduce their
chance of being detected.
RAM-resident infection means that the virus buries itself in your computer's memory,
and each time you run a program or insert a floppy disk, the virus infects that program
or disk. RAM-resident infection is the only way that boot viruses can spread. Boot
viruses cannot spread across a network or the Internet, since they spread only when an
infected floppy disk is physically inserted into a computer, although they can still
infect individual computers that happen to be attached to a network.
2.3.4 Prevention and Cure
Even though the computer industry has found a fairly plausible solution to the virus
problem in the form of vaccines (antivirus programs), it is always advisable to follow
the dictum "Prevention is better than cure". Moreover, viruses are written faster than
vaccines are. It is good practice to follow some simple precautionary measures which
can reduce the possibility of a virus attack. The precautionary measures are:
• The CHKDSK command can be added to AUTOEXEC.BAT to check the disk at
every boot. If the number of hidden files increases, the matter should be looked
into.
• The use of pirated software should be stopped.
• Write-protect tabs should be used on the original software diskettes.
• Proper backups of all data and program files should be kept.
• Copying of files should be done carefully; a better practice is to put the COPY
command in a batch file together with a CHKDSK command.
• Used floppies should be reformatted.
• Avoid letting the system be used by unauthorised users.
• Restrict the use of outside floppies.
CURE
Viruses that do get in are not simply removed by hand; they are cured with antiviral
programs. The antiviral programs perform one or more of the following functions:
• Prevention
• Detection
• Vaccination
• Inoculation
• Identification, and/or
• Damage control.
A good antiviral utility is one which checks whether the system has been infected or
not. The preventers stop the virus from infecting the system: they do not allow the
modification of executable files, so that a file virus cannot get a foothold.
Some of them refuse to let any program make itself resident in RAM unless allowed
by the user. Others do not allow the user to run a program unless it is on a list of
approved and tested applications. The detectors warn the user of the presence of a
virus after it has been loaded into the machine or onto a disk. These programs maintain a
file with a list of checksum values of the executable files and report any file whose
checksum no longer matches. The identifiers rely on the fact that when a virus
replicates, it makes a copy of itself, so the same code pattern (its signature) can be
recognised wherever it appears.
The vaccinators inject some code into the executable files. When the vaccinated file is
run, the injected code performs an integrity check on the program being executed and
warns if any changes have been made.
The inoculators insert the virus signature into the areas or files the virus would infect,
at the appropriate locations. When the virus performs its self-detection check, it finds
its signature, believes that the memory/disk/file is already infected and so does not
infect it.
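Three of the antiviral functions above (identification by signature, as in 2.3.3; detection by a checksum list, with the preventer that refuses to modify a baselined executable; and inoculation), as an added example that is not from the original unit. The files, the "TOYVIRUS" marker standing in for a real signature, and the approval flag are constructed for the demo.

```python
"""Added example (not from the original unit): three of the antiviral functions
listed above (identification by signature, detection by checksum, and
inoculation) run over constructed sample files.  'TOYVIRUS' is a made-up
marker standing in for a real virus signature.
"""
import hashlib
from typing import Dict, List

SIGNATURES: Dict[str, bytes] = {"TOYVIRUS": b"TOYVIRUS"}   # constructed signature database

# Constructed sample disk: file name -> contents.  GAME.EXE carries the marker.
FILES: Dict[str, bytes] = {
    "COMMAND.COM": b"\xb4\x09\xcd\x21\xc3",
    "GAME.EXE": b"MZ\x90\x00" + b"\x90" * 8 + b"TOYVIRUS",
    "README.TXT": b"plain text, not executable",
}

EXECUTABLE = (".COM", ".EXE")


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_signatures(files: Dict[str, bytes], signatures: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Identifier: which known signatures occur in which files."""
    hits: Dict[str, List[str]] = {}
    for name, data in files.items():
        found = [sig for sig, pattern in signatures.items() if pattern in data]
        if found:
            hits[name] = found
    return hits


def checksum_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Detector, step 1: record a checksum for every executable while the system is clean."""
    return {n: _digest(d) for n, d in files.items() if n.upper().endswith(EXECUTABLE)}


def changed_since(files: Dict[str, bytes], baseline: Dict[str, str]) -> List[str]:
    """Detector, step 2: executables whose checksum no longer matches (or that vanished)."""
    return sorted(n for n, h in baseline.items()
                  if n not in files or _digest(files[n]) != h)


def guarded_write(files: Dict[str, bytes], baseline: Dict[str, str],
                  name: str, data: bytes, approved: bool = False) -> bool:
    """Preventer: refuse to alter a baselined executable unless the user approves."""
    if name in baseline and not approved and _digest(data) != baseline[name]:
        return False
    files[name] = data
    return True


def inoculate(data: bytes, pattern: bytes) -> bytes:
    """Inoculator: plant the signature so a virus that checks 'am I already here?' moves on."""
    return data if pattern in data else data + pattern


def virus_would_infect(data: bytes, pattern: bytes) -> bool:
    """The self-detection check the text describes, seen from the virus's side."""
    return pattern not in data


if __name__ == "__main__":
    print(scan_signatures(FILES, SIGNATURES))
    base = checksum_baseline({"COMMAND.COM": FILES["COMMAND.COM"]})
    print(changed_since({"COMMAND.COM": b"\x90" + FILES["COMMAND.COM"]}, base))
```

The caveat a practitioner should keep in mind: an inoculated file now contains the very pattern the signature scanner looks for, so inoculation and signature scanning work against each other unless the scanner is told about the planted marker.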
The better equipped antiviral programs control damages. They may be preventive or
restorative. Preventive techniques include stopping attempts at direct access such as
formatting and deleting, or even write protecting the hard disk while testing unfamiliar
software. The restorative process is achieved by maintaining a copy of the CMOS
information, boot sector information, the file allocation table etc. in a safe area like a
floppy.
As a virus can hide itself in many different ways, it is difficult to detect all viruses
with just one antiviral program. Moreover, virus writers keep altering the viral
code so that it cannot be detected by existing antiviral programs. The point to
remember is that there is no 100 percent foolproof antivirus program available and,
in principle, there never will be.
Check Your Progress 1
1) What is the difference between .EXE and .COM files?
…………………………………………………………………………………………...
…………………………………………………………………………………………...
2) Describe the process of booting.
…………………………………………………………………………………………...
…………………………………………………………………………………………...
…………………………………………………………………………………………...
…………………………………………………………………………………………...
…………………………………………………………………………………………...
3) Name the first commercial application of a virus.
…………………………………………………………………………………………...
…………………………………………………………………………………………...
…………………………………………………………………………………………...
…………………………………………………………………………………………...
4) What is a virus? Classify the different types of viruses.
…………………………………………………………………………………………...
…………………………………………………………………………………………...
…………………………………………………………………………………………...
…………………………………………………………………………………………...
5) How can you prevent your system from virus attacks?
…………………………………………………………………………………………...
…………………………………………………………………………………………...
…………………………………………………………………………………………...
…………………………………………………………………………………………...
2.4 WORM
A worm shares many characteristics with a virus. The most important is that a worm
is self-replicating too. Worms seek to infect and replicate without targeting and
infecting specific files already present on a computer. The two most common
ways a worm can spread are through e-mail and through security flaws in computers
connected to a network or the Internet.
If a virus infects a legitimate file, the virus code can be cleaned out and removed. This
is not the case with worms. Worms generally create and occupy the files that
contain their code without using or involving any real data or binary files, so the normal
cleanup technique for worms is to delete all infected e-mails or messages that serve as
their containers.
Worms which use e-mail to spread are known as mass-mailing worms and are typically
written in a variant of the Visual Basic programming language. They usually exploit
the Microsoft Outlook or Outlook Express e-mail programs on Windows. Typically,
the worm reads the user's Outlook or Outlook Express address book for a list of stored
e-mail addresses and then sends a copy of itself to each address. Mass-mailing
worms can spread particularly quickly, since the message appears to come from someone
the victim knows. The recipient is likely to open the e-mail and accidentally help
the worm spread to their own address book. Mass-mailing worms
most often target Microsoft Windows users running Microsoft Outlook or Outlook
Express, because those are the most common operating system and e-mail programs.
Thus, one way to reduce your exposure to mass-mailing worms is to use a different
operating system (such as Linux or Mac OS) or a different e-mail program; this helps only
so long as the alternative remains an uncommon target, and an attachment you run by
hand can still infect any system it was built for.
Internet worms, in contrast, spread by searching the Internet for computers running a
specific type of operating system or web server with a known flaw in it. Once the
worm finds a vulnerable computer, it copies itself to that computer through the
known flaw and then uses that computer to look for other targets to attack.
Sometimes the mere existence of a worm mass-mailing or copying itself across the
Internet can cause your computer to slow down or even crash, without the worm
deliberately trying to harm your computer. Other times the worm may include a
payload that wipes out data, infects your computer with a virus, or retrieves documents at
random from your hard disk (which could include sensitive business or highly
personal documents) before mass-mailing them to everyone listed in your Microsoft
Outlook or Outlook Express address book.
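The mass-mailing behaviour described above, seen from the defender's side, as an added example that is not from the original unit: detection logic that reads mail-gateway log lines and flags a sender that pushes the same attachment to many distinct recipients within a short window. The log format, the addresses, the threshold of five recipients and the ten-minute window are all assumptions constructed for the demo, not the format of any real mail server.

```python
"""Added example (not from the original unit): detection logic for the
mass-mailing behaviour described above, run over constructed mail-gateway
log lines.  The log format, addresses and threshold are all assumptions for
the demo, not the format of any real mail server.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<frm>\S+) to=(?P<to>\S+) attach=(?P<att>\S+) size=(?P<size>\d+)$"
)

# Constructed sample log: alice's mailbox sends the same attachment to six
# addresses in two minutes (a worm), carol shares one report with two people,
# dave sends two different files, and one line is unparseable noise.
SAMPLE_LOG = """\
2024-05-02T09:15:01 from=alice@example.com to=bob@example.com attach=photo.scr size=48212
2024-05-02T09:15:02 from=alice@example.com to=carol@example.com attach=photo.scr size=48212
2024-05-02T09:15:02 from=alice@example.com to=dan@example.com attach=photo.scr size=48212
2024-05-02T09:15:40 malformed line that the parser must skip
2024-05-02T09:15:59 from=alice@example.com to=eve@example.com attach=photo.scr size=48212
2024-05-02T09:16:30 from=alice@example.com to=bob@example.com attach=photo.scr size=48212
2024-05-02T09:16:58 from=alice@example.com to=frank@example.com attach=photo.scr size=48212
2024-05-02T09:30:00 from=carol@example.com to=dan@example.com attach=report.pdf size=10240
2024-05-02T09:31:00 from=carol@example.com to=eve@example.com attach=report.pdf size=10240
2024-05-02T10:00:00 from=dave@example.com to=bob@example.com attach=a.zip size=100
2024-05-02T10:00:05 from=dave@example.com to=eve@example.com attach=b.zip size=200
"""


class MailEvent(NamedTuple):
    ts: datetime
    sender: str
    recipient: str
    attachment: str
    size: int


def parse_log(text: str) -> List[MailEvent]:
    """Parse the lines that match the assumed format; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(MailEvent(datetime.fromisoformat(m["ts"]), m["frm"],
                                    m["to"], m["att"], int(m["size"])))
    return sorted(events, key=lambda e: e.ts)


def find_mass_mailers(events: List[MailEvent], threshold: int = 5,
                      window: timedelta = timedelta(minutes=10)) -> Dict[Tuple[str, str, int], int]:
    """Flag (sender, attachment, size) triples that reach `threshold` distinct
    recipients inside any `window`; the value is the largest such count seen."""
    recent: Dict[Tuple[str, str, int], Deque[MailEvent]] = defaultdict(deque)
    flagged: Dict[Tuple[str, str, int], int] = {}
    for ev in events:
        key = (ev.sender, ev.attachment, ev.size)
        q = recent[key]
        q.append(ev)
        while ev.ts - q[0].ts > window:          # slide the window forward
            q.popleft()
        distinct = len({e.recipient for e in q})
        if distinct >= threshold:
            flagged[key] = max(distinct, flagged.get(key, 0))
    return flagged


if __name__ == "__main__":
    for (sender, att, size), n in find_mass_mailers(parse_log(SAMPLE_LOG)).items():
        print(f"possible mass-mailer: {sender} sent {att} ({size} bytes) to {n} recipients")
```

Keying on sender, attachment name and size together is what separates the worm from a person legitimately sharing one document with a couple of colleagues; counting distinct recipients rather than messages stops a retry to the same address from inflating the count. The rule cannot tell you that the sender's machine is infected rather than the sender being careless, so it is a lead for investigation, not a verdict.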
2.5 TROJAN HORSES
Each kind of malware has different goals and objectives, as we saw in the case of the
previous two. Like a virus, a Trojan horse is a hidden piece of code. But where a virus
enters a system secretly, a Trojan horse enters by deceiving the user. The user allows or
invites the Trojan into the system, believing it to be legitimate, when in fact the Trojan
horse contains malicious code that performs some malicious activity.
Before a Trojan can attack, it must find a way to entice the victim to copy, download
and run it. Since few people would knowingly run a malicious program, Trojans must
disguise themselves as other programs that the victim believes to be harmless (such as
games, utilities or popular applications). That is not all: besides posing as harmless
programs, Trojan horses can also hide inside a legitimate program, such as Adobe
Photoshop or Microsoft Excel. To do this, malicious hackers have created special
wrapper or binder programs, with names such as Saran Wrap and Silk Rope, which can
package any Trojan inside another program, thereby reducing the likelihood that
someone would discover it. Since most users won't suspect that a program from a
large, well-known publisher would contain a Trojan, the victim is likely to run the
bundled program containing the Trojan. Once someone has written a Trojan, the next
step is to spread it: by copying it onto a victim's computer, posting it on a website for
others to download, or sending it as a file attachment via e-mail.
Trojans are commonly found on websites which offer free software, such as
shareware programs. Some people even post Trojans on their own websites and
pretend to offer hacker tools or pornographic files for others to download. Naturally,
some of these files are Trojans, so as soon as an unwary user downloads and runs
them, the program does the damage intended by its creator. Another common
way to spread a Trojan is to attach the program file to an e-mail, where it
might look like a useful utility, a contest announcement or tempting software.
Many people even send Trojans to people visiting online chat rooms, because in that
case they don't even have to find the e-mail addresses of the recipients. The hacker typically
strikes up a friendly conversation with a potential victim and then offers to send the
person a hacker program or a tempting file. When the victim accepts the file and tries
to open it, the Trojan attacks. Hackers also send Trojans to people who use instant
messaging services.
If someone has physical access to your computer, he can simply copy a Trojan horse
to your hard disk. If the attacker is particularly skilled, he can create a custom Trojan
horse that mimics the appearance of a program that is unique to that particular
computer, such as a corporate login screen or a company database program. Not only
would such a Trojan horse be more likely to trick its victim, but it could
also perform an action specific to that particular computer, such as stealing a
company's list of credit card numbers or copying the source code of a game company's
unreleased products and posting them on the Internet.
2.5.1 Types of Trojan
Once a Trojan has entered your computer, it may carry out different kinds of attacks,
ranging from harmless to destructive: displaying taunting or annoying
messages, wiping out data, stealing information such as passwords, placing other
malware on the PC, or allowing remote access to your computer. Some of them are listed
below:
• Joke Trojan: A joke Trojan causes no damage but may play an annoying
sound from the computer's speaker, warp the appearance of the computer
screen, or display a taunting message on the screen.
• NVP Trojan: NVP is a Macintosh Trojan that modifies the System file
so that when the user types any text, the vowels (a, e, i, o, u) fail to appear.
• IconDance Trojan: IconDance minimises all application windows and
then starts rapidly scrambling all the desktop icons; it does nothing more than
make you take the time to reorganise your desktop.
• Destructive Trojans: These either wipe out the hard drive or selectively delete
or modify certain files. Password-stealing Trojans capture the passwords typed
on the user's computer.
2.5.2 Stopping Trojan Horses
To protect yourself against Trojan horses, use a combination of different protective
tools and a little common sense.
First of all, make sure you know who has access to your computer. Lock it up,
password protect it, or disconnect it from a network if you're not using it.
Second, be careful where you get your software. Anytime someone tries to give you a
program through email, a chat room, or an instant message, watch out! That program
could be infected with a Trojan horse, either with or without the sender's knowledge.
When downloading software, download only from the software publisher's official
website. If you download a program from another website, someone could have
inserted a Trojan horse into that program. Many hacker websites even post pirated
software and hacker tools for others to download, and some of those files could also
be infected with a Trojan horse.
But no matter how careful you may be with your computer, someone could also slip a
Trojan horse on your computer in your absence. To further protect yourself, consider
installing a rollback program, an antivirus program, a firewall, and an anti–Trojan
horse program.
Rollback programs: One of the biggest problems with today's software is that much
of it, once installed, seems to muck up even perfectly fine computers. Rollback
programs guard against these problems by tracking changes made to your hard disk
and taking periodic "snapshots" of the contents of your hard disk. That way, if a newly
installed program crashes your computer, you can run the rollback program to undo
the changes you made to your hard disk and return your computer to its prior
condition.
Although originally designed to protect against software conflicts, rollback programs
can also protect your computer against viruses or Trojans. The moment a Trojan wipes
out your data, run your rollback program to return your computer to the state it was in
before the Trojan horse wiped out your hard disk.
While rollback programs can recover your computer from damage caused by a Trojan
horse, virus, or even hard disk crash, they can't prevent problems from happening in
the first place. But when used together with frequent backups, a rollback program can
provide valuable insurance for your important data and reduce the chance that a Trojan
horse attack will prove catastrophic.
Some of the more popular rollback programs that you can buy include ConfigSafe
(http://www.imaginelan.com), FlashBack (http://www.aladdinsys.com), GoBack
(http://www.roxio.com), EasyRestore (http://www.powerquest.com), and Undelete
(http://www.execsoft.com).
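The core of a rollback program as described above (snapshot the disk, report what changed, put it back), as an added example that is not from the original unit and not the code of any of the products listed. The snapshot is held in memory and the "disk" is a temporary directory constructed for the demo; a real product would store snapshots on disk and track changes as they happen rather than re-reading the tree.

```python
"""Added example (not from the original unit): the core of a rollback
program, as described above, in plain Python: snapshot a directory tree,
report what changed, and restore the snapshot.  The directory contents are
constructed in a temporary folder; no real product's format is used.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Snapshot = Dict[str, bytes]     # relative POSIX path -> file contents


def take_snapshot(root: Path) -> Snapshot:
    """Copy every file under root into memory (a real product would use disk)."""
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(before: Snapshot, after: Snapshot) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, removed, modified) relative paths."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after)
                      if hashlib.sha256(before[p]).digest() != hashlib.sha256(after[p]).digest())
    return added, removed, modified


def rollback(root: Path, snapshot: Snapshot) -> None:
    """Put the tree back exactly as the snapshot recorded it."""
    for p in sorted(root.rglob("*"), reverse=True):
        if p.is_file() and p.relative_to(root).as_posix() not in snapshot:
            p.unlink()                              # files the Trojan added
    for rel, data in snapshot.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        if not target.exists() or target.read_bytes() != data:
            target.write_bytes(data)                # files wiped or altered
    for d in sorted((p for p in root.rglob("*") if p.is_dir()), reverse=True):
        if not any(d.iterdir()):
            d.rmdir()                               # directories left empty


def demo() -> dict:
    """Snapshot a toy home directory, simulate a destructive Trojan, roll back."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "thesis.txt").write_bytes(b"chapter 1")
        (root / "notes.txt").write_bytes(b"todo")
        clean = take_snapshot(root)

        # The 'Trojan': wipe one file, corrupt another, drop a new one in.
        (root / "docs" / "thesis.txt").unlink()
        (root / "notes.txt").write_bytes(b"")
        (root / "evil.exe").write_bytes(b"MZ")
        damage = diff_snapshots(clean, take_snapshot(root))

        rollback(root, clean)
        return {"damage": damage, "restored": take_snapshot(root) == clean}


if __name__ == "__main__":
    print(demo())
```

Note what rollback does not do: it restores the snapshot, so anything created after the snapshot, including legitimate work, is lost as well, which is why the text pairs it with frequent backups.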
Antivirus programs: Although antivirus programs are designed to detect and remove
computer viruses, many can also detect and remove the files of the more
common RATs (remote access Trojans) installed on a victim's machine. However,
antivirus programs may only recognise the most popular Trojans, so they may not
protect you against lesser-known, destructive Trojans, RATs, or custom Trojans.
Consider an antivirus program a supplement to the defence of your computer, but not
your sole defence against Trojan horses.
An antivirus program employs a variety of strategies. One of them is signature
scanning, which searches executable code for known malicious patterns. A signature
can only be created after a virus has been found and analysed, so users can be infected
at any time between the creation of a virus and the distribution of its signature; a virus
in that gap is called a zero-day virus. Note also that running antivirus scans regularly
costs some computer performance.
Firewalls: A firewall can isolate your computer or network from outside threats.
While a firewall can't remove a Trojan horse, it can monitor and shut down
external traffic flowing through any open ports on your computer. By shutting
down a port, a firewall prevents hackers from accessing your computer
through a RAT. Firewalls can also track and log all attempts to access your
computer, trace an intruder probing your computer for openings, and sound an
alarm whenever someone tries to access your computer without your
permission.
Check Your Progress 2
1) Describe the different types of viruses.
…………………………………………………………………………………………...
…………………………………………………………………………………………...
…………………………………………………………………………………………...
2) What is a worm?
…………………………………………………………………………………………...
…………………………………………………………………………………………...
…………………………………………………………………………………………...
…………………………………………………………………………………………...
3) What are Trojan Horses?
…………………………………………………………………………………………...
…………………………………………………………………………………………...
…………………………………………………………………………………………...
…………………………………………………………………………………………...
…………………………………………………………………………………………...
4) Write down the different types of Trojan.
…………………………………………………………………………………………...
…………………………………………………………………………………………...
…………………………………………………………………………………………...
…………………………………………………………………………………………...
2.6 EMERGING ATTACKS: SOCIAL ENGINEERING
Social engineering is the name given to a category of security attacks in which
someone manipulates others into revealing information that can be used to steal data,
gain access to systems or cellular phones, or steal money or even your identity. The
complexity of such attacks may vary from very low to high. Gaining access to
information over the phone, or through a website that one may visit, has added new
dimensions to the field of social engineering. Social engineering is basically the
acquisition of sensitive information or inappropriate access privileges by an outsider,
based upon the building of an inappropriate trust relationship with insiders. The
"outsider" does not always mean a person who is not an employee of the company
or is a stranger to you; an employee who tries to get around company policy is also a
social engineer.
The goal of social engineering is to trick someone into providing valuable information
or access to that information or resource. The social engineer targets the human nature
of a person and exploits his/her human qualities such as:
• The desire to help others: Most competitive companies train their
employees to behave well with customers and to appear helpful to them.
The attitude of "May I help you?" sometimes becomes a problem, as employees
unknowingly disclose too much information about the company.
• A tendency to trust others: Human nature is to trust others easily if the
physical appearance of a person is consistent with the statements he is
making. The need is to train the employees of the company not to trust others
easily and not to disclose information in such a case.
• The fear of getting into trouble: Too many of us have seen negative reactions
from superiors because verification of identity took too long or because some
official was offended. Management must support all employees who are doing
their assignment and protecting the information resources of the enterprise.
• Careless attitude: Sometimes we get lazy and leave our passwords in the open or
leave some sensitive material on the desktop of our office PC, where it is easily
accessible to others.
The defining quality of a good social engineer is the ability to do harm silently,
without being noticed. The social engineers we know about are the bad ones; the good
social engineers live happily among us and we are not able to catch them.
Human beings are the weakest link in a security chain. We cannot be sure of the
security of a system even if we install an antivirus, a firewall, a cryptography-based
system or anything else. The machine can never be as intelligent and as destructive as
a human being (after all, humans create machines). A social engineer therefore always
tries to exploit the human factor involved: for instance, why go to the trouble of installing
a sniffer on a network when a simple phone call to an employee of the company can
yield the user_id and password? Social engineering is difficult to defend against
with hardware or software alone. A successful defense requires an effective
information security architecture, with policies and standards that are followed strictly.
Let us now discuss some of the prevalent social engineering types.
2.6.1 Types of Social Engineering
Although the majority of social engineering attacks focus on human-based interaction
by the social engineer, there are also some computer-based methods that attempt to
retrieve the desired information using software programs, either to gain information or
to deny service to a system. One such computer-based social engineering attack took place in
1993. The user attempting to log on to the system was met with the normal prompt and,
after entering the correct user name and password, was shown the prompt over again.
What had actually happened was that a social engineer had managed to install a program
in front of the normal sign-on routine; it gathered the information and then passed the prompt to the
real sign-on process. About 95% of the normal users had their codes compromised at
that time.
You must have received enticing messages in your email, offering you something for free,
or telling you that you have won some prize or contest (without applying for it). Many people get
emails saying that they have turned into billionaires overnight because some close relative
has died, leaving property and wealth worth several billions. You are requested
just to disclose your valid account number so that the money can be transferred into
your account. All these types of messages are social-engineering motivated.
Two of the oldest forms of social engineering are dumpster diving and shoulder
surfing. The dumpster diver is willing to get dirty to obtain the information he needs; the
shoulder surfer simply watches over a user's shoulder as a password or PIN is typed. Too
often companies throw out important information. Sensitive documents, including phone
directories, should be shredded before disposal.
The final two types of social engineering are third-party authorization and tech
support. The typical third-party authorization occurs when the social engineer drops
the name of a higher-up who has the authority to grant access. The tech support method
is where the social engineer pretends to be someone from the infrastructure group and
wants a user to access a system while the social engineer scopes out the connection.
They will usually ask for the user's account ID and password so that they can see it
across the network.
Some potential security breaches are so mundane that they hardly seem to be a
concern. With all the fires that we have to fight every day and the deadlines we have to
meet, the most obvious ones are sometimes the most often overlooked:
• Passwords: The number-one access point for social engineers is the good old-
fashioned password. After all the awareness programs and reminder cards, we
still find that employee-generated passwords are too short or too easy to guess.
System-generated passwords are too long, and employees have to write them
down to remember them. Even today some systems do not require that
passwords be changed. We find this most often in email systems and
Internet accounts. We recommend an assessment of the password length and
change-interval standards, to determine whether they still meet the current needs of
the user community.
• Modems: Every company has more modems than it knows about. Employees
and contractors will add a modem to the system and then install products such
as pcAnywhere to improve their remote access time.
• Help desk: Put in place processes that can assist the help-desk employee in
identifying who is on the other end of the phone call.
• Websites: There are two problems here: the dummy site which gathers the
information, and the legitimate site that gives away too much information. Many
hackers use the information they gather from the enterprise Web site to launch
attacks on the network. Make sure that the information made available will not
compromise the information resources of the enterprise.
2.6.2 Physical Social Engineering
A social engineer can simply walk in and behave like an employee. The employees of
a company are generally not trained to challenge strangers, or, if they have been
trained, there has not been much reinforcement of the challenge process. It is necessary
that all personnel on site wear appropriate identification. Some organizations require
only visitors to wear badges; therefore, to become an "employee" a visitor must simply
remove the badge. By ensuring that only authorized personnel are permitted access,
the employees will have a safe working environment.
Because there is neither hardware nor software available to protect an enterprise
against social engineering, it is essential that good practices be implemented. Some of
those practices might be:
• Require anyone on site to perform a service to show proper identification.
• Establish a standard that passwords are never to be spoken over the phone.
• Implement a standard that forbids passwords from being left lying about.
• Implement Caller ID technology for the help desk and other support functions.
To be effective, policies, procedures, and standards must be taught to employees and
reinforced. This process must be ongoing and must not exceed six months
between reinforcement sessions. It is not enough just to publish policies and expect
employees to read, understand and follow what is required. They need to be taught
what is important and how it will help them to do their jobs. This training
should begin at new-employee orientation and continue throughout employment.
When a person becomes an ex-employee, a final round of reinforcement should be done
during the exit interview process.
Another method to keep employees informed and educated is to have a web page
dedicated to security. It should be updated regularly and should contain new social
engineering ploys. It could contain a “security tip of the day” and remind employees to
look for typical social engineering signs. These signs might include the behavior such
as:
• Refusal to give contact information
• Rushing the process
• Name-dropping
• Intimidation
• Small mistakes
• Requesting forbidden information or access
A social engineer with enough time, patience and resolve will eventually exploit some
weakness in the control environment of an enterprise. Employee awareness and
acceptance of safeguards will be our first line of defense in this battle against
hackers. The best defense against social engineering requires that employees be tested
and that the bar of acceptance be raised regularly.
Check Your Progress 3
1) Define Social Engineering.
…………………………………………………………………………………………...
…………………………………………………………………………………………...
…………………………………………………………………………………………...
…………………………………………………………………………………………...
…………………………………………………………………………………………...
2) Write down the different types of Social Engineering.
…………………………………………………………………………………………...
…………………………………………………………………………………………...
…………………………………………………………………………………………...
…………………………………………………………………………………………...
…………………………………………………………………………………………...
3) What is the purpose of antivirus programs?
…………………………………………………………………………………………...
…………………………………………………………………………………………...
…………………………………………………………………………………………...
…………………………………………………………………………………………...
…………………………………………………………………………………………...
4) Write down the different types of security breaches in social engineering.
…………………………………………………………………………………………...
…………………………………………………………………………………………...
…………………………………………………………………………………………...
…………………………………………………………………………………………...
2.7 SUMMARY
This unit discussed the threat posed by computer viruses. It explained the evolution
and characteristics of viruses and the damage they can do to a computer. We studied
different types of viruses and their characteristics. It also discussed different
solutions and preventive measures to be taken to get rid of computer malware.
As we know, with the growth of new applications and technologies, new software
vulnerabilities are also emerging. Therefore, one has to keep track of the latest
developments in this field and know how to counter these problems. For example, as
mobile software becomes common, malicious software for it is also
growing rapidly. The next unit of this block is going to discuss
different issues in network security.
2.8 ANSWERS/SOLUTIONS
Check Your Progress 1
1) The major differences between an EXE file and a COM file:
i) An EXE file contains a header, whereas a COM file does not.
ii) An EXE program can contain more than one segment, whereas a COM program has to
contain only a single segment.
2) On booting, the system carries out the ROM instructions, the first being the
power-on Self Test, which is followed by the bootstrap process of reading the
boot record and loading the disk operating system. In MS-DOS, it involves
the loading of booting files. The booting process culminates in the system
prompt displayed on the monitor.
3) The first commercial application of viruses was Brain Virus (also known as
Pakistani virus).
4) A virus is malware that, when executed, tries to replicate itself into other
executable code; when it succeeds, that code is said to be infected. The infected
code, when run, can infect new code in turn. Viruses are self-replicating and
parasitic.
Viruses are classified on the basis of their mode of existence, and there are three
categories of viruses:
i) BOOT Infectors
ii) SYSTEM Infectors
iii) GENERAL EXECUTABLE PROGRAM Infectors
There are a few methods to protect your system from virus attacks:
• The CHKDSK command can be incorporated into the AUTOEXEC.BAT to
check the disk. If the number of hidden files increases, the matter should
be looked into.
• The use of pirated software should be stopped.
• Proper backups of all data and program files should be kept.
• Avoid letting the system be used by unauthorised users.
• Restrict the use of outside floppies.
Check Your Progress 2
1) The following is a list of some viruses:
• Scores Virus: These viruses are prevalent on Macintosh machines. The Scores
virus has a built-in time trigger that activates at two, four and seven days
after the disk has become infected.
• Brain Virus: This is one of the first viruses that came into being. Also known
as the Pakistani virus, it was developed by the Pakistani brothers to keep
track of low-cost software that was sold out of their outlet in Lahore.
• Lehigh Virus: This virus originated at the Lehigh University Computer
Centre. This virus stays in the stack space of COMMAND.COM.
• Friday the 13th: This virus attacks not only COMMAND.COM but also
other executable files.
• Sunnyvale Slug: This does a variety of things, like displaying the message
"Greetings from Sunnyvale".
• Raindrops: This virus infects COM files. It intercepts the load-and-execute
function of MS-DOS.
• Happy Birthday 30th: This virus gets activated on January 5th, if any of the
infected programs get executed, and will ask the user to type "Happy
Birthday 30th".
2) A worm shares many characteristics with a virus. The most important
characteristic is that a worm is self-replicating too. Worms seek to infect and
replicate without targeting and infecting specific files already present on a
computer. The two most common ways a worm can spread are through email
and through security flaws in computers connected to a network or the Internet.
3) A Trojan Horse is a program in which malicious or harmful code is contained
inside an apparently harmless program or file, in such a way that it can get control
and do its chosen form of damage, such as ruining the file allocation table on the
hard disk.
Before a Trojan can attack, it must find a way to entice the victim to copy,
download and run it. Trojans are commonly found on websites that offer free
software, such as shareware programs.
4) The different types of Trojans are:
• Joke Trojan
• NVP Trojan
• IconDance Trojan
• Destructive
Check Your Progress 3
1) Social Engineering is the name given to a category of security attacks in which
someone manipulates others into revealing information that can be used to steal
data, access to systems, access to cellular phones, money or even your own
identity. The complexity of such attacks may vary from very low to high.
Gaining access to information over the phone or over a website that one may visit
has added new dimensions to the field of social engineering.
2) The different types of social engineering are:
• Dumpster diving and shoulder surfing.
• Third party authorization and tech support.
3) Antivirus programs are used to detect and remove computer
viruses. They can also detect and remove the client files of the more common
RATs. Antivirus programs are considered a supplement to the defense of
your computer, but not a complete defense against Trojan horses.
4) Some potential security breaches of social engineering are:
• Passwords
• Modems
• Help desk
• Websites
2.9 REFERENCES/FURTHER READINGS
• Cryptography and network security principles and practice by William
Stallings, Pearson publication.
• Computer Networks, by Andrew S. Tanenbaum, Fourth Edition, Prentice
Hall of India.
• Networks Security Essentials: Application & Standards by W. Stallings, Pearson
Education.
• en.wikipedia.org/wiki/Trojan_horse_(computing)
• en.wikipedia.org/wiki/Computer_virus
• http://netsecurity.about.com/
• http://www.cert.org/