INFORMATION

SECURITY BASICS

HOST:
SYED FARRUKH ALI RAZA
 TABLE OF CONTENTS

• Trojan Horses
• Malware
• Computer Virus
• Botnet
• Rootkit
• Morris Worm

Presented by – Syed Farrukh Ali Raza 2

 MALWARE FEATURES & TYPES

• Infectious:
• Viruses, worms

• Concealment:
• Trojan horses, logic bombs, rootkits

• Malware for stealing information:

• Spyware, keyloggers, screen scrapers

• Malware for profit:

• Dialers, scarewares, ransomware

• Malware as platform for other attacks

• Botnets, backdoors (trapdoors)

• Many malwares have characteristics of multiple types

Presented by – Syed Farrukh Ali Raza 3

 TROJAN HORSE

• Software that appears to perform a desirable function for the user prior to
run or install, but (perhaps in addition to the expected function) steals
information or harms the system.
• User tricked into executing Trojan horse
• Expects (and sees) overt and expected behavior
• Covertly perform malicious acts with user’s authorization

Presented by – Syed Farrukh Ali Raza 4

 TRAPDOOR OR BACKDOOR

• Secret entry point into a system

• Specific user identifier or password that
avoids normal security procedures.
• Commonly used by developers
• Could be included in a compiler.

Presented by – Syed Farrukh Ali Raza 5

 LOGIC BOMB

• Embedded in legitimate programs

• Activated when specified conditions met
• E.g., presence/absence of some file; Particular date/time or particular user

• When triggered, typically damages system

• Modify/delete files/disks

Presented by – Syed Farrukh Ali Raza 6

 SPYWARE & SCAREWARE

• Malware that collects little bits of information at a time about users without their
knowledge
• Keyloggers: stealthly tracking and logging key strokes
• Screen scrapers: stealthly reading data from a computer display
• May also tracking browsing habit
• May also re-direct browsing and display ads
• Malware that scares victims into take actions that ultimately end up compromising our
own security.
• E.g., paying for and installing fake anti-virus products

Presented by – Syed Farrukh Ali Raza 7

 RANSOMWARE

• Holds a computer system, or the data it contains, hostage against its user by
demanding a ransom.
• Disable an essential system service or lock the display at system startup
• Encrypt some of the user's personal files, originally referred to as cryptoviruses,
cryptotrojans or cryptoworms.
• Victim user has to
• enter a code obtainable only after wiring payment to the attacker or sending an SMS
message
• buy a decryption or removal tool

Presented by – Syed Farrukh Ali Raza 8

 VIRUS

• Attach itself to a host (often a program) and replicate itself

• Self-replicating code
• Self-replicating Trojan horses
• Alters normal code with “infected” version

• Operates when infected code executed

If spread condition then
For target files
if not infected then alter to include virus
Perform malicious action
Execute normal program

Presented by – Syed Farrukh Ali Raza 9

 THE MELISSA VIRUS (1999)

• Social engineering: Email says attachment contains vague site passwords

• Self-spreading: Random 50 people from address book
• Traffic forced shutdown of many email servers
• $80 million damage
• 20 months and $5000 fine

Presented by – Syed Farrukh Ali Raza 10

 WORM

• Self-replicating malware that does not require a host program

• Propagates a fully working version of itself to other machines
• Carries a payload performing hidden tasks
• Backdoors, spam relays, DDoS agents; …

• Phases
• Probing  Exploitation  Replication  Payload

Presented by – Syed Farrukh Ali Raza 11

 FEATURES OF THE WORM

• Self-hiding
• Program is shown as 'sh' when ps
• Files didn’t show up in ls
• Find targets using several mechanisms:
• 'netstat -r -n‘, /etc/hosts, …
• Compromise multiple hosts in parallel
• When worm successfully connects, forks a child to continue the infection while the parent
keeps trying new hosts

Presented by – Syed Farrukh Ali Raza 12

 MORRIS WORMS

• First major worm

• Written by Robert Morris
• Son of former chief scientist of
NSA’s National Computer
Security Center
• Infected ~10% of the net
• Spawned multiple copies,
crippling infected servers
• Sentenced to 3 years probation,
$10,000 fine, 400 hours
community service

Presented by – Syed Farrukh Ali Raza 13

 THE SLAMMER WORM (2003)

• Fastest spreading worm to date

• Only 376 bytes—Exploited buffer overflow in Microsoft database server products
• Spread by sending infection packets to random servers as fast as possible, hundreds
per second
• Infected 90% of vulnerable systems within 10 minutes! 200,000 servers
• No destructive payload, but packet volume shut down large portions of the Internet
for hours
• 911 systems, airlines, ATMs — $1 billion damage!
• Patch already available months previously,
but not widely installed

Presented by – Syed Farrukh Ali Raza 14

 EXAMPLES OF WORMS

• Love Bug worm (ILOVEYOU worm) (2000):

• May 3, 2000: 5.5 to 10 billion dollars in damage
• MyDoom worm (2004)
• First identified in 26 January 2004:
• On 1 February 2004, about 1 million computers infected with Mydoom begin a massive DDoS
attack against the SCO group
• $38 Billion in 2004 ~ $52.2

Presented by – Syed Farrukh Ali Raza 15

 ZOMBIE & BOTNET

• Secretly takes over another networked computer by exploiting software flows

• Builds the compromised computers into a zombie network or botnet
• a collection of compromised machines running programs, usually referred to as worms, Trojan
horses, or backdoors, under a common command and control infrastructure.
• Uses it to indirectly launch attacks
• E.g., DDoS, phishing, spamming, cracking

Risk Management Hierarchy

NIST SP 800-39,

Presented by – Syed Farrukh Ali Raza 16

 ROOTKIT

• A rootkit is software that enables continued privileged access to a computer

while actively hiding its presence from administrators by subverting standard
operating system functionality or other applications.

• Emphasis is on hiding information from administrators’ view, so that malware is

not detected
• E.g., hiding processes, files, opened network connections, etc

• Example: Sony BMG copy protection rootkit scandal

• In 2005, Sony BMG included Extended Copy Protection on music CDs, which are
automatically installed on Windows on CDs are played.

Presented by – Syed Farrukh Ali Raza 17

 TYPES OF ROOTKITS

• User-level rootkits
• Replace utilities such as ps, ls, ifconfig, etc
• Replace key libraries
• Detectable by utilities like tripwire

• Kernel-level rootkits
• Replace or hook key kernel functions
• Through, e.g., loadable kernel modules or direct kernel memory access
• A common detection strategy: compare the view obtained by enumerating kernel data
structures with that obtained by the API interface
• Can be defended by kernel-driver signing (required by 64-bit windows)

Presented by – Syed Farrukh Ali Raza 18

 HOW DOES A COMPUTER GET INFECTED WITH
MALWARE OR BEING INTRUDED?
• Executes malicious code via user actions (email attachment, download and
execute Trojan horses, or inserting USB drives)
• Buggy programs accept malicious input
• daemon programs that receive network traffic
• client programs (e.g., web browser, mail client) that receive input data from network
• Programs Read malicious files with buggy file reader program

• Configuration errors (e.g., weak passwords, guest accounts, DEBUG options, etc)
• Physical access to computer

Presented by – Syed Farrukh Ali Raza 19

 FRONT DOOR ATTACKS

• What do many of these attacks (through email, web browsing

or downloads) have in common?
• They all require the actions of a legitimate user.
• They can be considered “front door” attacks because a user is
tricked into opening the door for the attack through their
action.

Presented by – Syed Farrukh Ali Raza 20

 UNDERSTANDING FRONT DOOR ATTACKS

• The key to understanding front door attacks is that when you

run a program it runs with *all* your rights and privileges.
• If you can delete one file, any program you run can delete all your files.
• If you can send one email, any program you run could send thousands
of spam emails.
• This includes any program you run even accidentally by opening
an email attachment or clicking on web link.

Presented by – Syed Farrukh Ali Raza 21

 BACK DOOR ATTACKS

• Not all attacks require action by a legitimate user.

• “Back door” attacks target vulnerabilities in server software that is running on your
computer.
• Server software is software that listens for requests that arrive over the network and
attempts to satisfy these requests.
• A web server is an example of server software.

Presented by – Syed Farrukh Ali Raza 22

 BUFFER OVERFLOW ATTACKS

• This type of attack is called a “buffer overflow attack” because

it overflows the buffer of space left for a request with too many
characters.
• Such an attack could be prevented if the server always checked
for requests that are too long.
• Sometimes programmers neglect to do that and this is what produces
the weakness or flaw that is exploited by the attacker.
• If you are learning to program, you should know that you can prevent
many viruses by following good programming practices.

Presented by – Syed Farrukh Ali Raza 23

EXAMPLE OF HOW WORMS SPREAD: BUFFER
OVERFLOW BUG
From: COS 116 Staff
Subject: Welcome Students! Return
Space reserved for email subject
address
Memory

… We l c ome S t u d e n t s ! 1 2 6 0 0

 memory address: 100000

Buffer overflow bug:: Programmer forgot to insert check for

whether email subject is too big to fit in memory “buffer”

From: Bad Guy

Subject: <evil code . . . . . . . . . . . . . . . . . >100000

… < e v i l c o d e . . . . . . . . . . . . . > 1 0
2 0
6 0 0
 WORLD-WIDE DAMAGE ESTIMATES

• Computer viruses cause a huge amount of damage worldwide.

• Damages from just one virus (The I Love You Virus) are estimated at
$10 billion dollars. It is also estimated that 45 million people
worldwide were affected.

• Costs come from restoring damaged systems, replacing lost

information, steps taken to prevent attacks and steps taken to
prepare to recover from attacks.

Presented by – Syed Farrukh Ali Raza 25

 WORLD-WIDE DAMAGE ESTIMATES

• Ransomware
• Wannacry ~ $4 Billion estimated by Symantec ($4.9 Billion)
• NotPetya ~ $10 Billion assessed by whitehouse

Presented by – Syed Farrukh Ali Raza 26

 WORLD-WIDE DAMAGE ESTIMATES

• Mydoom – $38 billion

• Sobig – $30 billion
• Klez – $19.8 billion
• ILOVEYOU – $15 billion
• WannaCry – $4 billion
• Zeus – $3 billion
• Code Red – $2.4 billion
• Slammer – $1.2 billion
• CryptoLocker – $665 million
• Sasser – $500 million

Presented by – Syed Farrukh Ali Raza 27

 BLACKHAT VS. WHITEHAT

• Black hat computer hackers look for flaws in software to exploit

them or break into computer for malicious purposes.
• White hat computer hackers look for flaws in software to fix them
or attempt to break into computers to audit their security.
• Analyze server software for flaws that could be exploited and
recommend fixes.
• Analyze new viruses or malware to characterize what they are doing
and to build patches.
• Audit the overall security of computer systems.

Presented by – Syed Farrukh Ali Raza 28

 PROTECTING YOUR COMPUTER

Six easy things you can do…

• Keep your software up-to-date

• Use safe programs to surf the ‘net
• Run anti-virus and anti-spyware regularly
• Add an external firewall
• Back up your data
• Learn to be “street smart” online

Presented by – Syed Farrukh Ali Raza 29

 DEFENSES

• Even if you are not whitehat hacker there is a lot you can do to defend your computer
against attack
• Defending against front door attacks means being careful about what programs you run
and what attachments and links you open
• Defending against back door attacks means knowing what services are running on your
machine and keeping them patched

Presented by – Syed FarrukInformation Security Risk Managementh Ali Raza 30

DEFENDING AGAINST FRONT DOOR ATTACKS

• Be careful opening email attachments even from friends.

• Be careful clicking on web links found on less reputable web sites.
• Beware of free downloads that seem too good to be true.
• Use a good virus scanner and keep your virus signatures up-to-date.
• Consider using less popular email readers and web browser software.(
Attackers target the most popular software.) There are excellent and free
open source options.

31
 DEFENDING AGAINST BACK DOOR ATTACKS

• Use netstat to see what services are running.

• Periodically check to see if any new services have been started.
• Keep your server software patched and up-to-date.
• Consider shutting down any services you do not need.

Presented by – Syed Farrukh Ali Raza 32

Presented by – Syed Farrukh Ali Raza 33
Presented by – Syed Farrukh Ali Raza 34