Malware: Viruses, Worms & Trojans


Malware: Viruses, Worms & Trojans

Malware is any malicious software, intentionally designed to cause damage to a computer, server, client, or a network. 
  • This software gets installed on the system without the user's content.
  • Malware can also be installed on a computer "manually" by the attackers themselves, either by gaining physical access to the computer or using privilege escalation to gain remote administrator access. 
  • Malware performs a wide range of tasks from stealing, encrypting, or deleting sensitive data, altering or hijacking core computing functions and spying on someone's computer activity without their knowledge.
  • There are many different classes of malware that have varying ways of infecting systems and propagating themselves. including computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, and scareware.

Viruses

  • computer virus is a type of computer program that, when executed, replicates itself by modifying other computer programs and inserting its code. 
  • It cannot run independently. 
  • It requires a host program to run and to activate it. When this replication succeeds, the affected areas are then said to be "infected" with a computer virus.

How they Spread?

Viruses spread when the software or documents they get attached to are transferred from one computer to another using a network, a disk, file sharing methods, or through infected e-mail attachments. Some viruses use different stealth strategies to avoid their detection from anti-virus software.

What do they do?

Viruses often perform the harmful activity on infected host computers, like
  •  Acquisition of hard disk space or central processing unit (CPU) time
  • Accessing and stealing private information (e.g., credit card numbers, debit card numbers, phone numbers, names, email addresses, passwords, bank information, house addresses, etc.)
  • Corrupting data,
  • Displaying political, humorous or threatening messages on the user's screen
  • Spamming their e-mail contacts
  • Logging their keystrokes
  • Rendering the computer useless

Operations and functions


A viable computer virus must contain a search routine, which locates new files or new disks that are worthwhile targets for infection. Secondly, every computer virus must contain a routine to copy itself into the program in which the search routine locates. The three main virus parts are:

Infection mechanism 

  • Also called 'infection vector', is how the virus spreads or propagates. 
  • A virus typically has a search routine, which locates new files or new disks for infection.

Trigger 

  •  The trigger, which is also known as a logic bomb, is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met.

Payload 

  • The "payload" is the actual body or data that performs the actual malicious purpose of the virus.
  • Payload activity might be noticeable (e.g., because it causes the system to slow down or "freeze"), as most of the time the "payload" itself is the harmful activity, or some times non-destructive but distributive, which is called Virus hoax.

Phases


Virus phases are the life cycle of the computer virus. This life cycle can be divided into four phases:

Dormant Phase

  • The virus program is idle during this stage. 
  • The virus program has managed to access the target user's computer or software, but during this stage, the virus does not take any action. 
  • The virus will eventually be activated by the "trigger" which states which event will execute the virus. 
  • Not all viruses have this stage.

Propagation Phase

  • The virus starts propagating, which is multiplying and replicating itself. 
  • The virus places a copy of itself into other programs or into certain system areas on the disk. 
  • The copy may not be identical to the propagating version. 
  • Each infected program will contain a clone of the virus, which will itself enter a propagation phase.

Triggering Phase

  • A dormant virus moves into this phase when it is activated, and will now perform the function for which it was intended. 
  • The triggering phase can be caused by a variety of system events.

Execution Phase

  • This is the actual work of the virus, where the "payload" will be released. 
  • It can be destructive such as deleting files on disk, crashing the system, or corrupting files or relatively harmless such as popping up humorous or political messages on screen.

Common types of computer viruses


Resident vs. non-resident virus

  • resident virus installs itself as part of the operating system when executed, after which it remains in RAM from the time the computer is booted up to when it is shut down. 
  • Resident viruses overwrite interrupt handling code or other functions, and when the operating system attempts to access the target file or disk sector, the virus code intercepts the request and redirects the control flow to the replication module, infecting the target. 
  • In contrast, a non-resident virus, when executed, scans the disk for targets, infects them, and then exits (i.e. it does not remain in memory after it is done executing).

Macro virus

  • Many common applications, such as Microsoft Outlook and Microsoft Word, allow macro programs to be embedded in documents or emails, so that the programs may be run automatically when the document is opened. 
  • macro virus (or "document virus") is a virus that is written in a macro language and embedded into these documents so that when users open the file, the virus code is executed, and can infect the user's computer. 
  • This is one of the reasons that it is dangerous to open unexpected or suspicious attachments in e-mails. 
  • While not opening attachments in e-mails from unknown persons or organizations can help to reduce the likelihood of contracting a virus, in some cases, the virus is designed so that the e-mail appears to be from a reputable organization (e.g., a major bank or credit card company).

Boot Sector virus

Boot sector viruses specifically target the boot sector and/or the Master Boot Record (MBR) of the host's hard disk drive, solid-state drive, or removable storage media (flash drives, floppy disks, etc.).

 Email virus
  • Email viruses are viruses that, use the email system to spread. 
  • While virus infected files may be accidentally sent as email attachments, email viruses are aware of email system functions. 
  • They generally target a specific type of email system (Microsoft's Outlook is the most commonly used), harvest email addresses from various sources, and may append copies of themselves to all email sent, or may generate email messages containing copies of themselves as attachments.

Countermeasures

Antivirus software

  • Many users install antivirus software that can detect and eliminate known viruses when the computer attempts to download or run the executable file (which may be distributed as an email attachment, or on USB flash drives, for example). 
  • Some antivirus software blocks knew malicious websites that attempt to install malware. 
  • Antivirus software does not change the underlying capability of hosts to transmit viruses. 
  • Users must update their software regularly to patch security vulnerabilities ("holes"). 
  • Antivirus software also needs to be regularly updated to recognize the latest threats. 
  • This is because malicious hackers and other individuals are always creating new viruses. 

Recovery strategies and methods

  • One may reduce the damage done by viruses by making regular backups of data and the operating systems on different media, that are kept unconnected to the system. 
  • This way, if data is lost through a virus, one can start again using the backup. 
  • If a backup session on optical media like CD and DVD is closed, it becomes read-only and can no longer be affected by a virus. 
  • Likewise, an operating system on a bootable CD can be used to start the computer if the installed operating systems become unusable. 
  • Backups on removable media must be carefully inspected before restoration. 
  • The Gammima virus, for example, propagates via removable flash drives.

Worms 

  • A computer worm is a standalone malware computer program that replicates itself to spread to other computers. 
  • It often uses a computer network to spread itself, relying on security failures on the target computer to access it. 
  • It will use this machine as a host to scan and infect other computers.
  • Computer worms use a recursive method to copy themselves without host programs and distribute themselves and then controlling and infecting more and more computers in a short time. 
  • Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
  • Many worms are designed only to spread and do not attempt to change the systems they pass through. However, as the Morris worm and Mydoom showed, even these "payload-free" worms can cause major disruption by increasing network traffic and other unintended effects.

Features

  • Independent - A worm does not get restricted by the host program as it can run independently and actively carry out attacks.
  • Exploit Attacks - Because a worm is not limited by the host program, worms can take advantage of various operating system vulnerabilities to carry out active attacks. 
  • Complexity - Some worms are combined with web page scripts and are hidden in HTML pages using VBScript, ActiveX, and other technologies. When a user accesses a webpage containing a virus, the virus automatically resides in memory and waits to be triggered. Some worms are combined with backdoor programs or Trojan horses.
  • Contagiousness - Worms are more infectious than traditional viruses. They not only infect local computers, but also all servers and clients on the network based on the local computer. Worms can easily spread through shared folders, e-mails, malicious web pages, and servers with a large number of vulnerabilities in the network.

Countermeasures

Users can minimize the threat posed by worms by keeping their computers' operating systems and other software up to date, avoiding opening unrecognized or unexpected emails and running firewalls and antivirus software.

Topological Worms

  • Machines vulnerable to such a worm can be represented as a graph with nodes representing the vulnerable machines.
  • Topological worms have focused targets. 
  • Their immediate targets are their neighbors who, in turn, spread the infection to their neighbors and soon.
  • Consider an edge b/w machine V1 & V2 exists, if V1 knows the address of V2 and is capable of directly infecting V2 by sending it a malicious payload.
  • Thus their rate of spreading is potentially faster than internet scanning worms.
Topology graph of network link with worm propagation | Download ...
Examples: Email-Worm, P2P Worms

Email-Worm

  • An Email-Worm (also known as a mass-mailer or less commonly, an Internet worm) is a type of worm that distributes copies of itself in infectious executable files attached to fake email messages. 
  • Email-Worm typically arrives as executable files attached to fake email messages. 
  • Many worms send themselves as attachments with double extension, for example, .MPG.EXE or AVI.PIF. 
  • Often, a recipient will only notice the first extension listed and will try to open such attachments thinking, that they are multimedia files.

P2P Worms

  • P2P Worms spread via peer-to-peer file-sharing networks (such as Kazaa, EDonkey, FastTrack, etc.). 
  • Most of these worms work in a relatively simple way, to get onto a P2P network, all the worm has to do is, copy itself to the file-sharing directory, which is usually on a local machine. 
  • The P2P network does the rest, when a file search is conducted, it informs remote users of the file and provides services making it possible to download the file from the infected computer.

Trojans


  • In computing, a Trojan horse, or trojan is any malware that misleads users of its true intent.
  • Trojans generally do not attempt to inject themselves into other files or otherwise propagate themselves as viruses and worms do.

What do Trojans do?

  • Creating backdoors: Trojans typically make changes to your security system so that other malware or even a hacker can get in. This is usually the first step in creating a botnet.
  • Spying: Some Trojans are essentially spyware, designed to wait until you access your online accounts or enter your credit card details, and then send your passwords and other data back to their master.
  • Turning your computer into a zombie: Sometimes, a hacker isn't interested in you, but just wants to use your computer as a slave in a network under their control.
  • Sending costly SMS messages: Even smartphones get Trojans, and a common way for criminals to make money is by making your phone send costly SMS messages to premium numbers.

Countermeasures

  • Installing an antivirus
  • Use a firewall
  • Be wary of downloads
  • Avoid pirated files and media

Internet propagation models for worms

Simple Epidemic Model

  • The simplest model for all disease models.
  • Some infections, which do not confer(grant) any long-lasting immunity, do not give immunity upon recovery from infection, and individuals become susceptible again.
  • This model assumes only the individuals who are susceptible and infected in the population.

SIS compartmental model


The differential equation 

 {\displaystyle {\frac {dI}{dt}}\propto I\cdot (N-I).}

 where,
N - the total population 
# I(t) -  the number of people infected
beta is the infection rate 
gamma  is the recovery rate

In the long run, in this model, all individuals will become infected.

Kermack-McKendrick Model


The model consists of three compartments: 
  • The number of susceptible (S)
  • The number of infectious (I)
  • The number of recovered individuals (R)
SIR compartment model
The model consists of a system of three coupled nonlinear ordinary differential equations,

 SIR Model
where,
N - the total population 
# t - time
# S(t) - the number of susceptible people
# I(t) -  the number of people infected
# R(t) - the number of people who have recovered and developed immunity to the infection
beta is the infection rate 
gamma  is the recovery rate

Posted by at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Monk and Inversions

using System; public class Solution { public static void Main () { int T = Convert . ToInt32 ( Console . ReadLine...

  • Important Questions: Information Security
      1. What is brute force attack? A brute force attack is a trial-and-error method used to obtain information such as a user password or pe...
  • Software Life Cycle
      The software life cycle is a process that consists of a series of planned activities to develop or alter the Software Products. lt s use...