
Chapter 1

Introduction to Computer Security and Security Trends
14 Marks
Need for security
➢ Information is a strategic resource
➢ A significant portion of an organization's budget is spent on managing information
➢ Organizations therefore have several security-related objectives:
• Confidentiality (secrecy) - protect the value of information
• Integrity - protect the accuracy of information
• Availability - ensure information is delivered when it is needed

2 Dheeraj S. Sadawarte *
Why we need security?
Good news: Your employees and partners can now access your critical business information.

Bad news: Your employees and partners can now access your critical business information.
Why we need security?
FBI:
– 40% of security losses are due to insider information leaks
– Losses due to insider information leaks have increased on average 49% per year over the last 5 years
Some Statistics
Financial loss reported due to attacks: ~ $500 million
Not everyone reports losses due to attacks

Type of attack      Percentage
Virus               85%
Denial of Service   40%
Intrusion           40%

Internet as source of attack: 74%
What is Security?
Security is the protection of assets. The three main aspects are:

• Prevention

• Detection

• Reaction
Some differences between traditional security and information security

• Information can be stolen - but you still have it

• Confidential information may be copied and sold - but the theft might not be detected

• The criminals may be on the other side of the world
What is Security?
“Deals with the prevention and detection of
unauthorised actions by users of a computer
system.”
“The protection afforded to an automated
information system in order to attain the
applicable objectives of preserving the integrity,
availability, and confidentiality of information
system resources (includes hardware, software,
firmware, information/data, and
telecommunications).”
Security basics
• Data Confidentiality – protection of data from unauthorized disclosure (secrecy)
• Data Integrity – assurance that data received is exactly as sent by an authorized entity (trustworthiness)
• Availability – resources remain accessible and usable by authorized users
• Authentication – assurance that a communicating entity is the one it claims to be
– covers both peer-entity authentication and data-origin authentication
• Access Control – prevention of the unauthorized use of a resource
Confidentiality
▪ Preserving authorized restrictions on information
access and disclosure
▪ Protecting personal privacy and proprietary
information
▪ Loss of confidentiality is the unauthorized
disclosure of information.

Integrity
▪ Guarding against improper information modification
or destruction
▪ Loss of integrity is the unauthorized modification or
destruction of information.
[Figure: A sends data to B; an attacker sitting in the path modifies the data in transit]
Availability
▪ Ensuring timely and reliable access to and use of information
▪ Loss of availability is the disruption of access to or use of information
▪ Assures that systems work promptly and service is not denied to authorized users
Security basics (cont…)

[Figure: the CIA triad, with Confidentiality, Integrity and Availability as the three corners and "Ideal Information Security" at their intersection]
Authentication
▪ Authentication is the process of verifying that a communicating entity is the one it claims to be.
▪ Authenticity is the property of being genuine, valid or trusted.
▪ Authentication helps to establish proof of identity.
▪ Authentication gives confidence in the validity of a transmission, a message, or its originator.
▪ The task of an authentication mechanism is to make sure that only valid users are admitted.
Authentication Method
Something you know
Authentication based on something the user remembers. Ex. username and password
Something you have
Authentication based on something the user needs to carry. Ex. access card, hardware token
Something you are
Authentication based on a human's unique physical characteristics. Ex. biometrics (fingerprint, iris)
Combining two different factors (e.g. a password plus a code from a token) is multi-factor authentication; two passwords are still a single factor.
Access Control
▪ Access is the ability of a subject to interact with an object.
▪ Access control is the ability to specify, control and limit access to a host system or application, which prevents unauthorized users from accessing or modifying data or resources.
▪ In short: prevention of the unauthorized use of a resource.
Non Repudiation
▪ Nonrepudiation prevents either sender or receiver
from denying a transmitted message.
▪ Thus, when a message is sent, the receiver can
prove that the alleged sender in fact sent the
message.
▪ Similarly, when a message is received, the sender
can prove that the alleged receiver in fact
received the message

Authorization
▪ Authorization is the process of verifying that a known (already authenticated) person has the authority to perform a certain operation.
▪ Authorization cannot occur without authentication: a permission check on an unverified identity is meaningless.
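The three factor types, access control and the authentication-before-authorization rule from the slides above, as one added example that is not from the original deck. The password check uses PBKDF2-HMAC-SHA256, the second factor is a TOTP code (RFC 6238: HMAC-SHA1 over a 30-second time step), and authorization is a role-to-permission lookup. `USERS`, `ROLE_PERMISSIONS`, the user `alice`, her password and her TOTP secret are constructed for the demo; `login`, `authorize` and the other function names are chosen here.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field
from typing import Optional

# --- "Something you know": salted, iterated password hash (PBKDF2-HMAC-SHA256) ---
def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user defeats precomputed tables."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify_password(password: str, salt: bytes, expected: bytes, iterations: int = 200_000) -> bool:
    _, digest = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest, expected)   # constant-time compare: no timing leak

# --- "Something you have": HOTP (RFC 4226) and TOTP (RFC 6238) one-time codes ---
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, int(at_time // step), digits)

def verify_totp(secret: bytes, code: str, at_time: float, step: int = 30, skew: int = 1) -> bool:
    """Accept the current step and +/- `skew` neighbours to tolerate small clock drift."""
    if not code.isascii():
        return False
    return any(hmac.compare_digest(totp(secret, at_time + k * step, step), code)
               for k in range(-skew, skew + 1))

# --- Constructed user store (hypothetical user, secrets and roles) ---
ITERATIONS = 50_000                      # lowered from production values so the demo runs fast
ALICE_TOTP_SECRET = b"12345678901234567890"   # the RFC 4226 test key, so codes can be cross-checked
_alice_salt, _alice_hash = hash_password("correct horse battery staple", iterations=ITERATIONS)
USERS = {
    "alice": {"salt": _alice_salt, "hash": _alice_hash, "totp": ALICE_TOTP_SECRET, "roles": {"analyst"}},
}
ROLE_PERMISSIONS = {                     # least privilege: a role carries only what the job needs
    "analyst": {"read:alerts"},
    "admin": {"read:alerts", "write:rules", "delete:user"},
}

@dataclass
class Session:
    user: str
    roles: set[str] = field(default_factory=set)

def login(username: str, password: str, otp: str, at_time: float) -> Optional[Session]:
    """Authentication: both factors must verify before any Session exists."""
    rec = USERS.get(username)
    if rec is None:
        return None
    if not verify_password(password, rec["salt"], rec["hash"], ITERATIONS):
        return None
    if not verify_totp(rec["totp"], otp, at_time):
        return None
    return Session(user=username, roles=set(rec["roles"]))

def authorize(session: Optional[Session], permission: str) -> bool:
    """Authorization: only a Session produced by login() can be checked, so it cannot
    happen without authentication; None (no login) is always denied."""
    if session is None:
        return False
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in session.roles)

if __name__ == "__main__":
    now = 1_700_000_000
    code = totp(ALICE_TOTP_SECRET, now)                  # what alice's token would display
    s = login("alice", "correct horse battery staple", code, now)
    print("login:", s)
    print("read:alerts ->", authorize(s, "read:alerts"), " delete:user ->", authorize(s, "delete:user"))
```

Because the TOTP secret is the RFC 4226 test key, `hotp(ALICE_TOTP_SECRET, 0)` gives the RFC's first test vector, 755224, which is a quick way to confirm the implementation before trusting it with a real enrolment.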
Security impact levels: Low
• Loss would have a limited adverse effect on organizational operations, assets or individuals:
• causes some degradation in mission capability
• reduces the effectiveness of functions
• minor damage to assets
• minor functional loss
• minor harm to individuals
Security impact levels: Moderate
• Loss would have a serious adverse effect on organizational operations, assets or individuals:
• causes significant degradation in mission capability
• significantly reduces the effectiveness of functions
• significant damage to assets
• significant functional loss
• significant harm to individuals
Security impact levels: High
• Loss would have a severe adverse effect on organizational operations, assets or individuals:
• causes severe degradation in mission capability
• the organization is not able to perform one or more primary functions
• major damage to assets
• major functional loss
• major harm to individuals
Example of Security
Confidentiality example
Integrity example
Availability example
Challenges for Security
• Not simple: the CIA requirements are easy to state but hard to meet.
• While designing a security mechanism, consider the potential attacks against it.
• Security mechanisms are complex.
• It is necessary to decide where to deploy them (physically and logically).
• They involve more than one protocol/algorithm and need secret information (e.g. an encryption key), which itself must be created, distributed and protected.
Challenges for Security
• It is a battle between the attacker and the administrator/designer: the attacker needs to find only one weakness, the defender must cover all of them.
• Human tendency: no investment in security until a failure occurs.
• Needs regular, constant monitoring.
• It is essential to add security at design time rather than after the design is done.
• Security is often an afterthought (it should be considered at design time).
• Tendency to see strong security as an obstacle to getting work done.
Model for Security
Security means protecting assets, and the assets are
▪ Hardware
▪ Software
▪ Data
▪ Communication facilities and networks
The following are the possible harms to the data:
▪ Data can be corrupted (loss of integrity).
▪ Data can be leaked (loss of confidentiality).
▪ Data can be made unavailable (loss of availability).
Risk and Threat Analysis
• Risk
• Risk is the potential that an incident or attack causes damage to the system.
• An attack is carried out as a sequence of actions, e.g. exploiting weak points (vulnerabilities).
Risk and Threat Analysis
• Risk analysis is the review of the data gathered and the analysis of the risk.
• The risk assessment team determines asset values, system criticality, likely threats, and the existence of vulnerabilities.
• Risk calculation (a qualitative model: a risk exists only when a valued asset, a threat to it and a vulnerability the threat can exploit are all present; if any factor is zero, so is the risk):
Risk = Assets X Threats X Vulnerabilities
Risk and Threat Analysis
Assets
• Those items that an organization wishes to protect.
• An asset can be any data, device or other component that supports information-related activities.
• Assets can be hardware, software or confidential information.
• Valuing the assets scopes and guides the security risk assessment.
Risk and Threat Analysis
Threats
• An undesired event that may result in loss, disclosure or damage to an organizational asset.
• A threat is a potential for violation of security.
• It exists when there is a circumstance, capability, action or event that could breach security.
• Threats can be identified by the damage they would do to an asset, e.g.
– spoofing the identity of users
– information being disclosed
– a user gaining more privileges than intended
Risk and Threat Analysis
Vulnerability
• A vulnerability is a weakness in the information infrastructure of the organization.
• It can be exploited, accidentally or intentionally, to damage the asset.
• Vulnerabilities can be
– programs running with unnecessary privilege
– accounts whose default password has not been changed
– programs with known faults
– weak access control
– weak firewall rules
Threats to Security
• Viruses
• Worms
• Intruders
• Insiders
• Criminal organizations
• Terrorists
• Information warfare

Viruses
• Piece of software that infects programs
– Modifying them to include a copy of the virus
– So it executes secretly when host program is run
• Specific to operating system and hardware
– Taking advantage of their details and weaknesses
• A typical virus goes through phases of:
– Dormant
– Propagation
– Triggering
– Execution
Virus Structure
• Components:
– Infection mechanism - enables replication
– Trigger - the event that makes the payload activate
– Payload - what it does, the malicious activity
• The virus code may be prepended, appended or embedded in the host program
• When the infected program is invoked, the virus code executes first, then the original program code
Virus Classification
• Boot sector
• File infector
• Macro virus
• Stealth virus
• Polymorphic virus
• Metamorphic virus

Types of Viruses
Can classify on basis of how they attack
• Parasitic virus
-Attaches itself to executable files and
replicates
• memory-resident virus
-Lodges in the main memory and infects
every program that executes.
• Boot sector virus
-Infects a boot record and spreads when the
system is booted from the disk
Types of Viruses…
• Stealth
-Designed to hide itself from antivirus software
• Polymorphic virus
-A virus that mutates with every infection, making detection very difficult
• Metamorphic virus
-Also mutates with every infection, but rewrites itself completely every time, making it extremely difficult to detect
Macro Virus
• Became very common in the mid-1990s since
– Platform independent
– Infects documents rather than executables
– Easily spread
• Exploits the macro capability of office applications
– Executable program embedded in an office document
– Often a form of Basic (e.g. Visual Basic for Applications)
• More recent releases include protection (macros disabled by default)
• Recognized by many anti-virus programs
E-Mail Viruses
• More recent development
• e.g. Melissa (1999)
– Exploits an MS Word macro in an attached document
– If the attachment is opened, the macro activates
– Sends email with itself attached to addresses in the user's address list (the first 50 entries)
– And does local damage
• Much faster propagation
Virus Countermeasures
• Prevention - ideal solution but difficult
• Realistically need:
– Detection
– Identification
– Removal
• If detect but can’t identify or remove,
must discard and replace infected program

Original code       Infected code (due to virus)    Virus code
Add i to j          Add i to j                      Delete all files
Print               Virus Job                       Send copy to all users
Close               Close                           Return
end                 end
Worm
• A worm is a program that can replicate itself
• It is malicious software which does not require a host program for its execution
• A replicating program that propagates over the network without infecting programs (it does not attach itself to a program)
• A worm usually carries no destructive payload, which is why it is often described as non-destructive
• It can still harm a computer system by filling main memory with its replicated copies
Worm
• A worm is able to send multiple copies of itself to other computers on the network
• A worm can harm a network by consuming network bandwidth
• Has phases like a virus:
– Dormant, propagation, triggering, execution
– Propagation phase: searches for other systems, connects to them, copies itself there and runs
Morris Worm
• One of the best known worms
• Released by Robert Morris in 1988
• Various attacks on UNIX systems
– Cracking the password file to obtain login/password pairs for logging on to other systems
– Exploiting a bug (a buffer overflow) in the finger daemon
– Exploiting a bug (the debug option) in sendmail
• If successful, it had remote shell access
– Sent a bootstrap program to copy the worm over
Some Worm Attacks
• Code Red
– July 2001, exploiting an MS IIS bug
– probes random IP addresses, launches a DDoS attack
• Code Red II variant includes a backdoor
• SQL Slammer
– early 2003, attacks MS SQL Server
• Mydoom
– mass-mailing e-mail worm that appeared in 2004
– installed a remote access backdoor in infected systems
• Warezov family of worms
– scan for e-mail addresses, send themselves as an attachment
Virus vs Worm
Virus | Worm
A piece of code that attaches itself to other programs | A malicious program that spreads automatically
A virus modifies code | A worm does not modify code
Some viruses cannot replicate themselves without a host | It can replicate itself on its own
A virus is destructive in nature | A worm is (usually) non-destructive
The aim of a virus is to infect other programs stored on the computer system | The aim of a worm is to make the computer or network unusable
A virus infects files | A worm does not infect other files but occupies memory space by replicating
A virus may need a trigger for execution | A worm does not need any trigger
Logic Bomb
• One of the oldest types of malicious software
• Code embedded in a legitimate program
• Activated when specified conditions are met
– e.g. presence/absence of some file
– a particular date/time
– a particular user
• When triggered, typically damages the system
– modifies/deletes files or disks
Trojan Horse
• A program with hidden side-effects
• Which is usually superficially attractive
– e.g. a game, a software upgrade etc.
• When run, performs some additional tasks
– allows the attacker to indirectly gain access they do not have directly
• Often used to propagate a virus/worm or install a backdoor
• Or simply to destroy data
Zombie
• Program which secretly takes over
another networked computer
• Then uses it to indirectly launch attacks
• Often used to launch distributed denial of
service (DDoS) attacks
• Exploits known flaws in network systems

TYPES OF ATTACKS
Backdoor and Trapdoors
• Secret entry point into a program
• Allows those who know about it to bypass the usual security procedures
• Have commonly been used by developers (for debugging and testing)
• A threat when left in production programs, where attackers can exploit them
• Very hard to block at the OS level
• Requires good software development and update practices
Intruders
• Hacking means the act of accessing a computer system/network without authorization (this includes authorized users going beyond their authorization)
• Intruders are extremely patient, since the process of gaining access requires persistence and dogged determination
• If the first attack fails, they try from a different angle (search for another possible vulnerability)
• The second attack may be blocked/fail; they try a third and so on until they find a vulnerability or gain access
Intruders
Levels
• At the low end are individuals who are not technically expert enough to develop new scripts or find new vulnerabilities
• They use readymade (downloaded) scripts for known vulnerabilities
• At the next level are people who are capable of writing scripts to exploit known vulnerabilities
• These account for an estimated 8 to 12 % of malicious internet activity
• At the top end are the so-called elite hackers
• Capable of writing scripts that exploit vulnerabilities
• Also capable of discovering new vulnerabilities
Intruders
• Often referred to as a hacker or cracker
• Three classes of intruders:
– Masquerader: An individual who is not authorized to
use the computer and who penetrates a system’s access
controls to exploit a legitimate user’s account
– Misfeasor: A legitimate user who accesses data,
programs, or resources for which such access is not
authorized, or who is authorized for such access but
misuses his or her privileges
– Clandestine user: An individual who seizes
supervisory control of the system and uses this control
to evade auditing and access controls or to suppress
audit collection

Insiders
• More dangerous than outside intruders
• Most difficult to detect and prevent
• Have access and knowledge to cause
immediate damage to an organization.
• Have knowledge of the security systems in
place and will be better able to avoid detection.
• Employees are not the only insiders but there
are other people who have access like
contractors or partners.
Insiders
For preventing insider attacks
• Enforce least privilege: allow access only to the resources an employee needs to do their job
• Set up logs to see what users access and what commands they are entering
• Protect sensitive resources with strong authentication
• Upon termination, revoke the employee's computer and network access immediately
Intruders vs Insiders
Intruders | Insiders
Intruders are authorized or unauthorized users who are trying to access the system or network | Insiders are authorized users who try to access a system or network for which they are not authorized
Intruders are hackers or crackers | Insiders are not hackers
Intruders are illegal users | Insiders are legal users
Intruders are less dangerous | Insiders are more dangerous
Intruders have to study or gain knowledge about the security system | Insiders already have knowledge about the security system
Intruders do not have access to the system | Insiders have easy access to the system
Many security mechanisms are used to protect against intruders | There is no comparable mechanism to protect the system from insiders
Criminal organizations
• Organized groups of hackers are now a threat
– Corporate / government / loosely affiliated gangs
– Typically young
– Often target credit cards on e-commerce servers
• Criminal activities on the internet are the same as criminal activities in the physical world
– Fraud, extortion, theft, forgery
• Criminal hackers usually have specific targets
• Once penetrated, they act quickly and get out
• IDS / IPS help but are less effective against them
• Sensitive data needs strong protection
Terrorists and Information Warfare
• Nations are dependent on computers and networks
• Information warfare is conducted against information and information-processing equipment
• It is a highly structured threat/attack
• It requires a longer period of penetration, large financial backing, and a large organized group of attackers
• Military forces are a key target
Avenues of Attack
• The two most frequent types of attacks:
– viruses and insider abuse.
• There are 2 general reasons a particular computer system is attacked:
– It is specifically targeted by the attacker, not because of the hardware or software the organization is running but for some other reason, such as a political one
– Or it is an opportunistic target: the attack is conducted against any site that has hardware or software vulnerable to a specific exploit
• Targeted attacks are more difficult and take more time than attacks on a target of opportunity
The Steps in an Attack
• The steps an attacker takes are similar to the ones that a security consultant performing a penetration test would take.
– gather as much information about the organization as possible.
– determine what target systems are available and active:
1. ping sweep: sends an ICMP echo request to each target address and notes which ones reply.
2. port scan: identify the open ports, which indicate the services running on the target machine.
3. determine the OS (from service banners and the way the TCP/IP stack responds).
• The attacker can then search for known vulnerabilities in those services and tools that exploit them, download the information and tools, and use them against the site.
• If the exploits do not work, other, less system-specific attacks may be attempted.
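Steps 2 and 3 of the procedure above (a port scan, then reading service banners for fingerprinting), as an added example that is not part of the original slides. It scans a loopback listener that the block itself starts, so it runs offline; the banner string is constructed, and `tcp_connect_scan`, `grab_banner` and `start_demo_listener` are names chosen here. The ping sweep of step 1 needs raw ICMP sockets (root) and is left out.

```python
from __future__ import annotations

import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable, Optional

def tcp_connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5, workers: int = 64) -> list[int]:
    """TCP 'connect' scan: a completed three-way handshake means a service is listening.
    It is the noisiest scan type, because every probe lands in the target's connection logs."""
    def probe(port: int) -> Optional[int]:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                return port
            except OSError:           # refused (closed), timed out (filtered) or unreachable
                return None
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(p for p in pool.map(probe, ports) if p is not None)

def grab_banner(host: str, port: int, timeout: float = 1.0, max_bytes: int = 256) -> bytes:
    """Many services announce product and version on connect; that text feeds service/OS
    fingerprinting and the search for known vulnerabilities in the next step."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(max_bytes)
        except OSError:
            return b""

def start_demo_listener(banner: bytes) -> tuple[socket.socket, int]:
    """Constructed stand-in for a target: a loopback service that sends `banner` and hangs up."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))           # port 0: let the OS pick a free port
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:              # listener closed
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:          # scanner closed without reading; fine
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port

if __name__ == "__main__":
    srv, port = start_demo_listener(b"SSH-2.0-OpenSSH_9.6\r\n")   # constructed banner text
    print("open ports:", tcp_connect_scan("127.0.0.1", range(port - 5, port + 6)))
    print("banner:", grab_banner("127.0.0.1", port))
    srv.close()
```

Run against a range of ports and only the listener's port comes back, with its banner; from the target's side the same run appears as a burst of short-lived connections from one source, which is exactly what a scan-detection rule looks for.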
Passive Attacks
• Eavesdropping on transmissions
• The attacker aims to obtain information in transit
– Release of possibly sensitive/confidential message contents
– Traffic analysis, which monitors the frequency and length of messages to get information about the senders
• Does not perform any modification to data
• Difficult to detect, since nothing observable changes
• Can be prevented using encryption (traffic analysis only partly: encryption hides message contents, not their sizes, timing or endpoints)
Passive Attacks Types
• Release of message contents
– A confidential message should be accessible only by authorized users; otherwise the message is released against our wishes
• Traffic analysis
– The attacker may try to find patterns in the encrypted messages (who talks to whom, how often, how much) for clues about the communication
Active Attacks
• The contents of the original message are modified by the attacker, or messages are blocked or injected
• These attacks cannot be prevented easily
• Types of active attack:
• Interruption (an attack on availability)
• Modification (an attack on integrity)
• Fabrication (an attack on authenticity)
Active Attacks
• Masquerade
– pretending to be a different entity
• Replay
– capturing a message and retransmitting it later
• Modification of messages
• Denial of service
• Easy to detect
– detection may act as a deterrent
• Hard to prevent
– the focus is therefore on detection and recovery
Denial of Service Attack
• The attacker attempts to deny authorized users access to specific information or services.
• The aim of a DoS attack is to prevent access to the target system.
• A denial-of-service (DoS) attack aims at disrupting the authorized use of networks, systems, or applications.
SYN Flooding Attack
• Used to deny service to the legitimate clients of a system.
• Takes advantage of the TCP three-way handshake: the server commits state (a half-open connection) after the first SYN, trusting that the client's ACK will follow.

Client -> Server: SYN
Server -> Client: SYN+ACK
Client -> Server: ACK

TCP 3-Way Handshake
SYN Flooding Attack
• The attacker sends fake requests for communication (SYNs, usually with spoofed source addresses)
• Each of these requests is answered by the target system, which then waits for the third part of the handshake
• Since the requests are fake, the target waits for responses that will never come
• The target system drops these half-open connections only after a specific time-out period
SYN Flooding Attack

[Figure: the attacker sends SYNs with fake (spoofed) IP addresses; the target reserves a connection for each and waits for the ACK; its SYN+ACK responses go to the fake IP addresses and the ACKs never arrive]
SYN Flooding Attack
• If the attacker sends requests faster than the time-out period eliminates them, the table of half-open connections quickly fills up.
• The number of half-open connections a system can hold (its SYN backlog) is finite; when more requests come in than can be processed, the system will soon be reserving all its connection slots for fake requests.
• Any further requests, including legitimate ones, are simply dropped.
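The half-open connection table that the three SYN-flood slides describe, as an added simulation that is not from the original deck. `simulate_syn_flood` and `steady_state_full` are names chosen here; the backlog size, time-out and packet rates are constructed parameters, not measurements of any real TCP stack.

```python
from __future__ import annotations

from collections import deque

def simulate_syn_flood(backlog: int, timeout: int, attack_rate: int, duration: int) -> tuple[int, int]:
    """Discrete-time model of a server's half-open (SYN_RECV) table.

    Each tick the attacker sends `attack_rate` SYNs from spoofed addresses, so the
    SYN+ACK goes nowhere and each entry sits in the table until `timeout` ticks pass.
    One legitimate client also sends a SYN per tick; it completes its handshake at
    once, so it only needs a free slot at that instant. Returns (accepted, dropped)
    counts for the legitimate client over `duration` ticks.
    """
    half_open: deque[tuple[int, str]] = deque()        # (expiry_tick, source), oldest first
    accepted = dropped = 0
    for tick in range(duration):
        while half_open and half_open[0][0] <= tick:   # the time-out reaps stale entries
            half_open.popleft()
        for _ in range(attack_rate):                   # spoofed SYNs: the ACK never arrives
            if len(half_open) < backlog:
                half_open.append((tick + timeout, "spoofed"))
        if len(half_open) < backlog:                   # legitimate SYN needs one free slot
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped

def steady_state_full(backlog: int, timeout: int, attack_rate: int) -> bool:
    """The slide's condition in closed form: the table stays full once
    attack_rate * timeout >= backlog, i.e. entries arrive faster than the time-out reaps them."""
    return attack_rate * timeout >= backlog

if __name__ == "__main__":
    for rate in (2, 10):
        ok, lost = simulate_syn_flood(backlog=256, timeout=60, attack_rate=rate, duration=300)
        print(f"attack_rate={rate:3d}/tick  legit accepted={ok:3d}  dropped={lost:3d}  "
              f"table saturates: {steady_state_full(256, 60, rate)}")
```

With a backlog of 256 and a 60-tick time-out, the legitimate client goes from 300/300 accepted at 2 spoofed SYNs per tick to 25/300 at 10 per tick: the attacker pays only bandwidth while the server pays state. Real stacks cut that state cost with SYN cookies (on Linux, `net.ipv4.tcp_syncookies`), which encode the connection parameters in the SYN+ACK sequence number instead of storing a table entry, so a spoofed SYN costs the server nothing to forget.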
Ping of Death (POD) Attack
• In the POD attack, the attacker sends an Internet Control Message Protocol (ICMP) ping packet larger than the maximum IPv4 packet size of 65,535 bytes (about 64 KB), delivered as fragments that only exceed the limit once reassembled.
• Certain systems were not able to handle a packet of this size: the reassembly buffer overflowed and the system would hang or crash.
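The bounds check whose absence the Ping-of-Death slide describes, as an added example that is not from the original deck. It models IPv4 fragment reassembly into an in-memory buffer; `reassemble`, `make_fragments` and the `PingOfDeath` exception are names chosen here, and the fragment sizes are constructed.

```python
from __future__ import annotations

from typing import Optional

IPV4_MAX_TOTAL = 65_535      # 16-bit total-length field: largest legal IPv4 datagram
IPV4_HEADER_LEN = 20         # minimum header; the reassembled payload may be at most 65,515 bytes

class PingOfDeath(ValueError):
    """Raised when fragments would reassemble past the 65,535-byte datagram limit."""

def reassemble(fragments: list[tuple[int, bool, bytes]]) -> bytes:
    """Reassemble IPv4 fragments given as (fragment_offset_in_8_byte_units, more_fragments, payload).

    The historic bug is reassembling into a fixed 64 KB buffer without the check below:
    a final fragment at offset 8189 (byte 65,512) with more than a few bytes of payload
    pushes the total past 65,535 and overruns the buffer.
    """
    buf = bytearray()
    expected_len: Optional[int] = None
    for offset_units, more, payload in fragments:
        start = offset_units * 8
        end = start + len(payload)
        if end + IPV4_HEADER_LEN > IPV4_MAX_TOTAL:        # the missing bounds check
            raise PingOfDeath(f"fragment ends at payload byte {end}, datagram would exceed {IPV4_MAX_TOTAL}")
        if end > len(buf):
            buf.extend(b"\0" * (end - len(buf)))
        buf[start:end] = payload
        if not more:                                       # last fragment fixes the total length
            expected_len = end
    if expected_len is None or len(buf) != expected_len:
        raise ValueError("incomplete datagram")
    return bytes(buf)

def make_fragments(total_payload: int, mtu_payload: int = 1480) -> list[tuple[int, bool, bytes]]:
    """Constructed helper: split `total_payload` bytes into fragments of `mtu_payload` bytes
    (a multiple of 8, as IP requires for every fragment but the last)."""
    frags = []
    for start in range(0, total_payload, mtu_payload):
        size = min(mtu_payload, total_payload - start)
        frags.append((start // 8, start + size < total_payload, b"A" * size))
    return frags

if __name__ == "__main__":
    print("normal ping payload reassembled:", len(reassemble(make_fragments(65_000))), "bytes")
    try:
        reassemble(make_fragments(66_000))
    except PingOfDeath as e:
        print("rejected:", e)
```

The check is on the sum of offset and fragment length, not on either alone: every individual fragment of an oversized ping is a perfectly legal packet, and only the arithmetic at reassembly time reveals the overflow.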
Distributed Denial of Service Attack
• A plain DoS attack is conducted from a single system
• A DoS attack employing multiple attacking systems is known as a distributed denial of service (DDoS) attack
• The goal of a DDoS attack is the same: to deny the use of or access to a specific service or system
• The aim of DDoS is to overwhelm the target with traffic from many different systems, which also makes the traffic hard to filter by source
Distributed Denial of Service Attack
• The attacker first compromises many systems and installs a DDoS software agent on each.
• This creates a network of attack agents (zombies) under the attacker's control.
• The sleeping zombies are activated when they receive the attack command.
• On receiving the command, the agents commence sending a specific type of traffic against the target.
Sniffing
• A sniffer is software or hardware that is used to observe traffic as it passes through a network on shared broadcast media.
• It can be used to view all traffic, or to target a specific protocol, service, or string of characters, such as logins.
• Some network sniffers are designed not just to observe the traffic but also to modify it.
• Network administrators use sniffers for monitoring traffic.
Sniffing
• Also used for network bandwidth analysis

[Figure: an attacker's host on the same shared segment as router R, reading every frame that passes]
Man_In_The_Middle Attack (MITM)
• A Man-in-the-Middle attack generally occurs when attackers are able to place themselves in the middle of two other hosts that are communicating, in order to view and/or modify the traffic.

[Figure: Host 1 and Host 2 believe they communicate directly, but the communication is actually sent to the attacker, who relays each message on to the destination host]
Man_In_The_Middle Attack (MITM)
∙ This is done by ensuring that all communication going to or from the target host is routed through the attacker's host.
∙ The attacker can observe all traffic before relaying it and can actually modify or block traffic.
∙ To the target host it appears that communication is occurring normally, since all expected replies are received.
∙ A MITM attack can only be successful when the attacker can impersonate each endpoint to the satisfaction of the other, which is what endpoint authentication (e.g. certificate verification) is meant to prevent.
Replay Attack
∙ A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed.
∙ The attacker captures a portion of a communication between two parties and retransmits it after some time.
∙ The best way to prevent replay attacks is with encryption, cryptographic authentication and time stamps, plus a nonce or sequence number so that a message repeated within the time-stamp window is still recognised.
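The prevention the slide lists (cryptographic authentication plus time stamps, with a nonce added), as an added example not taken from the original slides. `Sender`, `Receiver` and the message layout are choices made here; the shared key is constructed, and a real deployment would derive per-session keys from a key exchange rather than hard-code one.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import os

def _canonical(msg: dict) -> bytes:
    """Bytes that get authenticated: everything except the tag, serialised deterministically."""
    return json.dumps({k: v for k, v in msg.items() if k != "tag"},
                      sort_keys=True, separators=(",", ":")).encode()

class Sender:
    def __init__(self, key: bytes) -> None:
        self.key = key

    def send(self, payload: dict, now: int) -> dict:
        """Attach a time stamp and a fresh random nonce, then an HMAC over all of it,
        so neither the payload nor the freshness fields can be altered without detection."""
        msg = {"payload": payload, "ts": now, "nonce": os.urandom(8).hex()}
        msg["tag"] = hmac.new(self.key, _canonical(msg), hashlib.sha256).hexdigest()
        return msg

class Receiver:
    def __init__(self, key: bytes, max_skew: int = 30) -> None:
        self.key = key
        self.max_skew = max_skew
        self.seen: dict[str, int] = {}         # nonce -> ts, kept only for the skew window

    def accept(self, msg: dict, now: int) -> tuple[bool, str]:
        tag = msg.get("tag")
        if not isinstance(tag, str) or not tag.isascii():
            return False, "missing tag"
        expected = hmac.new(self.key, _canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):           # forged or tampered
            return False, "bad tag"
        if abs(now - msg["ts"]) > self.max_skew:              # delayed beyond the window
            return False, "stale"
        # Forget nonces older than the window. Anything that old is rejected as stale
        # anyway, so the cache stays bounded without opening a replay hole.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if msg["nonce"] in self.seen:                         # exact repeat inside the window
            return False, "replay"
        self.seen[msg["nonce"]] = msg["ts"]
        return True, "ok"

if __name__ == "__main__":
    key = b"constructed-shared-key"
    sender, receiver = Sender(key), Receiver(key)
    m = sender.send({"op": "transfer", "amount": 100}, now=1000)
    print("first delivery :", receiver.accept(m, now=1001))
    print("captured replay:", receiver.accept(m, now=1005))
    print("late replay    :", receiver.accept(m, now=1100))
```

The two freshness mechanisms cover each other's gap: the time stamp alone would let a capture be replayed any number of times within the skew window, and the nonce cache alone would have to grow forever; together, a repeat inside the window hits the cache and a repeat outside it fails the time-stamp check.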
Malware
• The term malware is also used for malicious code.
• Malware refers to software that has been designed for some nefarious purpose.
• It may be designed to cause damage to a system, such as deleting all files.
• It may be designed to create a backdoor in the system in order to grant access to unauthorized users.
• There are different types of malicious software, such as viruses, worms, Trojan horses and logic bombs.
• Malicious code runs with the authority of the user who runs it.
• It can therefore read, write, modify, append or even delete any data or files that user can, without the user's permission.
Virus
• A virus attaches itself to a program and propagates copies of itself to other programs.
• The essential component of a virus is a set of instructions which, when executed, spreads itself to other, previously unaffected, programs or files.
• It performs two functions:
I. It copies itself into previously uninfected programs or files.
II. It executes whatever other instructions the virus author included.

Virus
• It may damage by replicating itself and taking up system resources: disk space, CPU time, or network connections.
• A virus is a program that can pass on malicious code to other non-malicious programs by modifying them.
• The term 'virus' was coined because it acts like a biological virus.
• A virus can be either transient or resident.
– A transient virus has a life that depends on the life of its host;
– it runs when its attached program executes and terminates when its attached program ends.
– A resident virus locates itself in memory; it can then remain active, or be activated as a stand-alone program, even after its attached program ends.
Virus types
• Two main classes
1. File infectors
– These attach themselves to ordinary program files.
– They usually infect arbitrary .COM and/or .EXE files, though some can infect any program for which execution is requested, such as .SYS, .OVL, .PRG and .MNU files.
– File infectors can be either DIRECT ACTION or RESIDENT.
– A DIRECT ACTION virus selects one or more other programs to infect each time the program which contains it is executed.
– A RESIDENT virus hides itself somewhere in memory the first time an infected program is executed, and thereafter infects other programs when they are executed.
Virus types
2. SYSTEM or BOOT-RECORD INFECTORS
– These viruses infect executable code found in certain system areas on a disk which are not ordinary files.
– There are boot-sector viruses, which infect only the DOS boot sector,
– and MBR viruses, which infect the master boot record.
– E.g. Brain, Empire, Azusa, Michelangelo
Virus types
• Stealth Virus
– A stealth virus is one which hides the modifications it has made to a file or boot record
– by intercepting the system functions used by programs to read files or physical blocks from storage media and returning the original, clean data
– so it goes undetected by anti-virus programs that rely on those functions
• Polymorphic Virus
– A polymorphic virus is one which produces varied but fully operational copies of itself, in an attempt to avoid signature detection.
Virus types
• Fast and Slow Infectors
– A fast infector is a virus which, when it is active in memory, infects not only programs which are executed, but even those programs which are merely opened.
– A slow infector, when it is active in memory, infects only those files that are being modified anyway, so the change is less likely to be noticed.
• Companion Virus
– A COMPANION virus is one which, instead of modifying an existing file, creates a new program which gets executed instead of the original program.
Virus types
• Armored Virus
– An armored virus uses special tricks to make the tracing, disassembling and understanding of its code more difficult.
• Macro Virus
➢ Macro
• A macro allows a particular task that is performed by a user quite often to be repeated again and again.
• A set of automated instructions or tasks.
– Macro viruses consist of malicious VBA macro code that can create havoc in the computer on which it is executed.
– They spread quickly.
– Macro viruses are not platform specific.
Phases of Virus
a typical virus goes through phases of:
❑ Dormant
❑ Propagation
❑ Triggering
❑ Execution

Categories of Viruses
1. Destructive Viruses
❖ Massive destruction, i.e. a low-level format of the disk
❖ Partial destruction, i.e. erasure or modification of a portion of the disk
❖ Selective destruction, i.e. erasure or modification of specific files or file groups
❖ Random havoc - randomly changing data on disk or in RAM, changing keystroke values
2. Non-destructive Viruses, intended to draw attention to the author or to harass the end user
❖ Annoyances
• Displaying a message, changing display colors, changing keystroke values
Triggers of the Virus Attacks
Attacks begin upon the occurrence of a certain event:
➢ On a certain date / time of year
➢ At a certain time of day
➢ When a certain job is run
➢ After cloning itself n times
➢ When a certain combination of keystrokes occurs
➢ When the computer is restarted
The virus code must put itself into a position to be started either when the computer is turned on or when a specific program is run.
Protection against viruses
1. Education
2. Backup and recovery procedures
3. Isolate software libraries
4. Implement software library management procedures
5. Develop a virus alert procedure
Anti-Virus Software
• Anti-virus software continuously monitors the system.
• When it detects an infected file, or when it sees suspicious activity, it uses three methods to identify the virus:
1. The Signature Approach
2. The Sandbox Approach
3. The Heuristic Approach
Anti-Virus Software
1. The Signature Approach
▪ Just like a police fingerprint trace.
▪ Every virus has a signature: a byte pattern which is mostly unique to it.
▪ This signature is added to a database.
▪ So when the antivirus performs a virus scan, each file is scanned for matches with the signatures in the database.
▪ A signature can only detect a virus that is already in the database; this is the reason why antivirus software must be updated constantly.
Anti-Virus Software
2. The Sandbox Approach
✓ A sandbox is an advanced program that emulates an OS.
✓ A suspect executable file is run within the confines of the sandbox, so it cannot touch the real system.
✓ Then the sandbox is examined to see what changes were made.
✓ These changes are used to determine which virus, if any, infects the file.
Anti-Virus Software
3. The Heuristic Approach
❖ This analyses a program for seemingly malicious behavior or structure.
❖ Heuristics are effective against undocumented (not yet catalogued) viruses, at the cost of some false positives.
❖ The virus buster of the future might eliminate the need for continual monitoring of new viruses.
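The signature approach and the heuristic approach from the slides above, plus an integrity baseline, in one added example that is not from the original deck. The signature database, the suspicious-string list and the thresholds are constructed for the demo and are not signatures of real malware; `signature_scan`, `heuristic_scan`, `shannon_entropy`, `build_baseline`, `check_baseline` and `scan` are names chosen here.

```python
from __future__ import annotations

import hashlib
import math
from collections import Counter

# Constructed signature database: name -> byte pattern. Made-up patterns for the demo only.
SIGNATURES: dict[str, bytes] = {
    "Demo.Dropper.A": b"\x90\x90\xe8\x00\x00\x00\x00\x5b",
    "Demo.Macro.B":   b"Sub AutoOpen()",
}

# Strings a heuristic engine treats as suspicious when several appear together (constructed list).
SUSPICIOUS_STRINGS = [b"CreateRemoteThread", b"WriteProcessMemory", b"cmd.exe /c", b"vssadmin delete shadows"]

def signature_scan(data: bytes) -> list[str]:
    """Signature approach: exact byte-pattern match against the database. Misses anything
    not yet in the database, which is why the database must be updated constantly."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (a single byte value) to 8.0 (uniform). Packed or encrypted
    bodies, typical of polymorphic viruses, sit near 8; plain code and text sit well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def heuristic_scan(data: bytes, entropy_threshold: float = 7.2, min_hits: int = 2) -> list[str]:
    """Heuristic approach: flag behaviour-like traits with no signature needed. The thresholds
    are judgement calls, so expect false positives (compressed archives are high-entropy too)."""
    findings = []
    ent = shannon_entropy(data)
    if ent >= entropy_threshold:
        findings.append(f"high entropy {ent:.2f} bits/byte (packed or encrypted payload?)")
    hits = [s.decode() for s in SUSPICIOUS_STRINGS if s in data]
    if len(hits) >= min_hits:
        findings.append("suspicious API/command strings: " + ", ".join(hits))
    return findings

def build_baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Integrity baseline: SHA-256 of every known-clean file."""
    return {name: hashlib.sha256(content).hexdigest() for name, content in files.items()}

def check_baseline(baseline: dict[str, str], files: dict[str, bytes]) -> list[str]:
    """Return the files whose content changed since the baseline. This catches an appended virus
    whatever its signature, because the infected file's hash no longer matches."""
    return sorted(name for name, content in files.items()
                  if baseline.get(name) != hashlib.sha256(content).hexdigest())

def scan(name: str, data: bytes) -> dict:
    return {"file": name, "signatures": signature_scan(data), "heuristics": heuristic_scan(data)}

if __name__ == "__main__":
    clean = b"#!/bin/sh\necho hello\n" * 8                    # constructed clean script
    infected = clean + SIGNATURES["Demo.Dropper.A"]          # constructed 'appended virus'
    print(scan("job.sh", infected))
    print("changed since baseline:", check_baseline(build_baseline({"job.sh": clean}), {"job.sh": infected}))
```

The three checks fail in different ways, which is why real products layer them: the signature scan is exact but blind to anything new, the heuristics catch new samples but need tuning against false alarms, and the baseline catches any change but reads files through the OS, so a stealth virus that hooks those reads (see the Stealth Virus slide) will hand it the clean bytes. Baselines should therefore be verified from a clean boot medium.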
Removing Viruses
1. Removal of the virus code
Removing the viral code from the file: the best-case scenario, no harm done
2. Quarantine of the infected file
The antivirus tries to make the file inaccessible to programs without deleting it
3. Deleting the infected file
The antivirus simply deletes the file if the code cannot be removed
4. Physical removal of the infected file
If the file is in use by the OS, the user needs to manually delete it (if not a critical file) or manually replace it from a clean backup (if critical)
5. Seeking help
Users are directed to the vendor's web site
Mechanism of Virus Attachment
▪ A printed copy of a virus does nothing and threatens no one.
▪ Even executable virus code sitting on a disk does nothing.
▪ To do malicious work and spread itself, a virus must be activated by being executed.
▪ One way is as part of a setup program that you start on your computer.
Mechanism of Virus Attachment
▪ A more common means of virus activation is an attachment to an email message.
▪ The virus writer tries to convince the victim to open the attachment.
▪ Once the viral attachment is opened, the activated virus can do its work.
▪ Some email handlers automatically open attachments as soon as the receiver opens the body of the email.
▪ The virus can be executable code embedded in an executable attachment.
▪ It is safer to force users to open files on their own rather than automatically.
Appended Viruses
• A virus attaches itself to a program.
• Whenever the program runs, the virus is activated.
• This kind of attachment is usually simple, easy and effective to program.
• The virus inserts a copy of itself into the executable program file before the first executable instruction.
• Then all the virus instructions execute first; after the last virus instruction, control flows naturally to the first program instruction.
Appended Viruses
• The virus writer does not need to know anything about the program to which the virus will attach.

[Figure: Original Program + Virus Code = Virus Code followed by the Original Program ("Virus Appended to a Program")]
Viruses that surround a program
• An alternative to the attachment is a virus that runs the original program but has control before and after its execution.
• A virus writer might want to prevent the virus from being detected.
• The virus writer might arrange for the virus to attach itself to the program that constructs the listing of files on the disk, so that the listing can be doctored to hide the virus's presence.
[Figure: Virus Surrounding a Program. Logically (a): virus code, then the original program, then virus code again. Physically (b): the virus code is stored around the original program, gaining control before and after it.]