COMP3371
Cyber Security
Richard Henson
University of Worcester
November 2016
Week 7: Malware and Protection

Objectives of Session
• Explain in principle how a computer virus works, how it can enter a system/network and how it can be removed
• Explain how adware and spyware can get onto a client computer
• Implement a client security system to protect on a permanent basis against viruses, adware, and spyware

Cyber Beasties! Mutants, Malware, everywhere!
• “Malware”: all-inclusive term for deliberately engineered programs that can be disruptive to a computer
  - can then interfere with the normal running of that/other computers, or even a whole network!
• Further threat beyond last week’s OSI layer hacking… although the malware has to get in somehow!

Viruses, Worms and Trojans
• Viruses – make copies of themselves on any available storage medium
• Worms – once in, can change/delete files on local storage
• Trojans – like viruses, but disguised as “innocent” code so antivirus software can’t detect them so easily

Entry of Malware (1)
[Figure: “nasty code”]
• At one time, mostly boot sector attack on hard disk
  - usually via floppy disk…
  - or via network
• As vulnerabilities closed, new threats emerged. Now…
  - infected files emerge via Internet or USB

Entry of Malware (2)
• Modern operating systems not easily susceptible to boot sector infection
  - but many other ways to harm the computer!
• Downloaded files, including email attachments, may contain programs that (accidentally or by design!) cause damage to data on PCs, or even to the machine itself
  - actually .exe files but disguised through being saved with a different suffix…
  - can enter as apparently harmless files

Detection of Malware
• Each piece of malware leaves a unique digital footprint
  - once detected, identified & catalogued by antivirus manufacturers…
  - malware “footprint” can be easily identified using antivirus software & databases
• Should be easily caught…
  - however, not always possible to detect harmful programs held in compressed form
    » e.g. in zip files; detection software needs to have the capability to open the zip folder
  - need powerful antivirus software; usually have to pay a monthly/annual fee

Virus “Hall of Fame”
• “Stoned” (1990)… boot sector virus
  - usually passed on via portable storage medium, during bootup
  - next time computer boots it displays a message “Your computer is stoned…”
• “I love you” (1998): messes with files
• “Chernobyl” (1999): messes with hardware configurations
• Many others…

What is a Virus?
• A program that can:
  - bind itself to executable code not belonging to itself
    » the virus can snuggle up in memory with other loaded software, and be executed automatically when that software runs…
    » the software will then perform the function(s) of the virus
  - exist on a storage medium in a form which, if loaded, will:
    » perform all the functions of the virus
    » including binding itself to software…

When can a virus “strike”?
• Immediately…
• Next boot up (registry changes apparent)
• At any time…
  - “lurks” dormant on a hard disk
  - starts automatically when a trigger occurs, e.g. a particular date… (Chernobyl, on 26.4)

How many viruses are there?
• Don’t believe the virus manufacturers. Use an independent source…
  - https://en.wikipedia.org/wiki/Timeline_of_computer_viruses_and_worms
• 317 million created last year according to CNN…
  - http://money.cnn.com/2015/04/14/technology/security/cyber-attack-hacks-security/

Types of Virus
• One of the most common ways to categorize viruses is by method of infection:
  - Boot Sector Viruses (BSVs)
  - Partition Sector Viruses (PSVs)
  - File Viruses (FVs)
  - Macro viruses (MVs)
• Most common method of entry…
  - click on attachment in an email message…

“Attached File” viruses
• If an infected file is run, the virus places itself in computer memory
  - could just reproduce itself onto portable media…
  - or could attack files, folders, even BIOS or registry settings
  - settings may not come into effect until next time computer boots… or doesn’t boot!

Macro Viruses
• Similar to file viruses, but attach themselves to normally non-executable files as “macros”
  - a macro is embedded code - could tell the CPU to do good or bad things!
  - can easily attach to e.g. Word and Excel files
• Can only infect other files that are able to attach the same macro code
  - but once an infected file is loaded the macro executes

Trojans
• Computer programs that enter your system on false pretences
  - then do something other than what they claim to do! (like the Trojan Horse in mythology)
• Example, 1989: the ‘AIDS Information Program’ (first e.g. of ransomware?)
  - claimed to tell you about AIDS but also contained code which prevents access to the hard disk unless a payment is made to a specific company!

Worms
• Enter under false pretences like Trojans
  - then “wriggle” round the hard drive corrupting files or changing their indexing information
  - e.g. the “I love you” worm:
    » destroys graphical image files & replaces them by its own code and file suffix
• “I love you” was initially transferred by email
  - then developers changed it so it could be easily spread using floppy disks - especially devastating for floppy disks containing graphics files

Stealth Viruses
• Use “stealth” techniques to conceal their presence
• Example - sector masking:
  - when an infected disk sector is read, a different sector appears instead
  - so the infected sector appears clean!
• Viruses can also use memory-resident stealth techniques. This allows them to stay in memory and infect programs as they are loaded

Polymorphic Viruses
• Encrypts the virus code in an unpredictable way, making it harder to trace through its footprint
  - the loader which does the decryption changes with each infection!
  - makes it harder for virus scanners to detect the virus, as the code is apparently constantly changing!!
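As an added illustration of the two detection problems raised on the slides above (a footprint hidden inside a zip archive, and an encrypted body that defeats footprint matching), not code from the lecture: a small Python scanner that matches byte footprints, recurses into zip members, and flags high-entropy content as a heuristic. The footprint database, the pattern value and the sample inputs are all constructed for this example.

```python
import io
import math
import zipfile

# Constructed "footprint" database (name -> byte pattern). The pattern is
# made up for this example; real vendors ship millions and update daily.
SIGNATURES = {"Example.TestPattern": b"EXAMPLE-MALWARE-FOOTPRINT-0001"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 means encrypted- or compressed-looking content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def naive_scan(data: bytes, name: str = "<bytes>") -> list:
    """Plain footprint match only; this is the scanner that misses zipped samples."""
    return [(name, f"signature:{s}") for s, p in SIGNATURES.items() if p in data]

def scan_bytes(data: bytes, name: str = "<bytes>", depth: int = 0) -> list:
    """Footprint match, recursion into zip members, and an entropy heuristic for
    bodies that look encrypted (the effect polymorphic code relies on).
    Returns (location, verdict) tuples; depth is capped against nested archives."""
    findings = naive_scan(data, name)
    if len(data) > 22 and zipfile.is_zipfile(io.BytesIO(data)) and depth < 3:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                findings += scan_bytes(zf.read(member), f"{name}!{member}", depth + 1)
    elif not findings and len(data) >= 256 and shannon_entropy(data) > 7.5:
        findings.append((name, "heuristic:high-entropy"))
    return findings

def make_zip(member: str, payload: bytes) -> bytes:
    """Build an in-memory zip archive (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()

if __name__ == "__main__":
    sample = make_zip("readme.txt", b"x\n" + SIGNATURES["Example.TestPattern"])
    print("naive:", naive_scan(sample, "sample.zip"))  # [] (footprint hidden by compression)
    print("aware:", scan_bytes(sample, "sample.zip"))  # finds it inside sample.zip!readme.txt
    print("entropy:", scan_bytes(bytes(range(256)) * 4))  # [('<bytes>', 'heuristic:high-entropy')]
```

The entropy flag is only a hint: commercial scanners follow it up by emulating the decryptor so the decrypted body can be matched against the footprint database.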
Infection: downloading from the Internet
• Downloading software that looks ok (!)
  - forced/voluntary downloading through unprotected TCP ports
    » e.g. zipped files via FTP or HTTP
  - E-mail attachments/headers
    » (don’t click on .EXE files from strange email addresses!)
    » even clicking on a header can be enough!
  - web pages…???
    » hyperlinks that download malware…
    » pop ups…

Protecting Dynamic Web Pages
• Client-side scripts contain executable code which could be infected…
  - could in turn infect client machine
• Server-side scripts and data downloaded to client machine from server
  - if client is contaminated, could infect the server…
  - could then crash the server!!!

Protecting Dynamic Web Data
• Good idea for one particular reason… customer data is private!
  - protected in EU countries by local Data Protection Act
    » could be picked up by malware at the client end…
    » could also be intercepted en route:
      Downloading: server → client
      Uploading: client → server

Businesses, the web, and Protection of Data
• Many businesses now trading online
  - lot of sensitive data…
    » on the move, through the Internet
    » held on their servers
  - loss or illicit copying of that data could have a devastating effect…
    » fines from ICO
    » loss of business because server can’t run properly & has to be rebuilt

Employees and Protection of Data
• Special (DPA) responsibility if dealing with data accessible from outside via Internet
• Ensure that
  - sensitive data is stored encrypted
  - data that needs to go to/from clients cannot be hacked on the Internet
    » should use the secure Internet (Public Key Infrastructure)
    » designed by Netscape & Internet gurus especially for this purpose:
• look up https, SSL, public key encryption…

E-commerce and Securing Data
• E-commerce involves
  - personal data (policed by ICO)
    » large fines possible
  - financial data (policed by FSA)
    » fines of several million (happens regularly!)
• ANY business even thinking about buying/selling online must consider this carefully
  - evidence suggests that many still don’t…
  - especially in matters regarding personal data

Detecting/Removing Malware
• Many new viruses appear every day
• Each leaves its own footprint
  - if active… in memory
  - if dormant… in secondary storage
• Detection requires running software through 1. memory 2. secondary storage
  - requires a database of virus footprints
  - database updated daily!

Removing Malware
• A number of companies specialise in virus detection and removal. Virus code is removed and placed in a quarantine area… can then be deleted
• Most popular antivirus:
  - McAfee (www.mcafee.com)
  - Norton (www.symantec.com)
  - Sophos (www.sophos.com)
  - Malwarebytes (www.malwarebytes.com)
• 30-day try/buy versions available…
  - only completely effective if virus footprint database updated daily

Prevention is better than cure!
• CMOS Protection:
  - Some viruses (e.g. Exebug) wrote data to the CMOS part of the BIOS chip on the motherboard
  - It is possible to protect the BIOS from being attacked in this way, although PC performance is slightly affected
• Antivirus companies have Memory and File Scanners
  - can be programmed to run each time the computer boots up
  - can continue to be active even after boot up, but will slow the machine down

Microsoft Defender
• Free virus scanning tool provided by Microsoft
  - works on same principle as McAfee and others
  - database of virus footprints needs regular updating…

Email Viruses
• Outlook is vulnerable:
  - e.g. “Melissa” virus: sends an embarrassing message to everyone in the address book!
  - e.g. “Bad Trans”… when a contaminated email message is opened,
    1. installs itself on the computer
    2. becomes resident in memory next time the computer boots up
    3. when Outlook is opened, it sends a copy of itself back to the sender of each unread message in the mailbox
  - Bad Trans 2… even worse, will do the above as soon as the message header is highlighted!

Email Viruses
• Because of the nature of email messages, and the presence of an address book, the potential for embarrassment is ENORMOUS!
• Outlook has regular updates to help prevent infection by email viruses
• BUT…
  - new email viruses become available all the time
  - not always detected by conventional scanners
  - could in theory send a copy of any email from any folder to any address, and add a copy of itself for good measure!!!

Removing and Preventing E-mail Viruses
• E-mail viruses spread very quickly…
  - often before Microsoft or the manufacturers of antivirus software can make a fix available!!!
• Therefore worth getting anti-virus software from an email virus specialist
  - often freely available on the Internet (e.g. VCatch)
    » www.vcatch.com
  - provide protection (phew!) for the address book

Spyware and Adware
• “Of questionable legality” software that allows:
  - snooping on browsing activity
  - adding browser toolbars and “searchbars”
  - flooding the browser screen with popups
• Also malicious in other ways:
  - invade your PC in such a way as to make themselves difficult to remove
  - take up your hard drive space and slow down CPU
• As with cookies
  - happens “behind the scenes”
  - an infringement of UNCHR personal privacy

Removal of Spyware and Adware
• Very many products available on the Internet
• Well worth the investment, in terms of:
  - safeguarding the performance of your PC
  - protecting your personal data
• Freeware options detect them all, and then just delete one…
  - rest only deleted on payment… (!)

Thanks for Listening
