Chapter 2

The document discusses various types of malicious software including viruses, worms, and Trojan horses. It describes how viruses can infect files and spread, the different phases of viruses. It also covers worm propagation techniques, target discovery methods used by worms, and examples of Trojan horse models. The document provides terminology for different types of malware and classifications for viruses. It discusses mobile phone Trojans and potential adversaries and motivations for attacks.

Uploaded by

Mujeeb Rahman
Ministry of Higher Education
Paktia University
Faculty of Computer Science

Chapter 2

Subject: Network Security

Malicious software (Malware)

- Malicious software, or malware, arguably constitutes one of the most significant categories of threats to computer systems.
- Malware has been defined as “a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or otherwise annoying or disrupting the victim.”
- We are concerned with the threat malware poses to application programs, to utility programs such as editors and compilers, and to kernel-level programs.
- We are also concerned with its use on compromised or malicious Web sites and servers, or in specially crafted spam e-mails or other messages, which aim to trick users into revealing sensitive personal information.
Terminology for Malicious Software
Viruses

- A computer virus is a piece of software that can “infect” other programs, or indeed any type of executable content, by modifying them.
- The modification includes injecting the original code with a routine to make copies of the virus code, which can then go on to infect other content.
- Computer viruses first appeared in the early 1980s, and the term itself is attributed to Fred Cohen.
Viruses…

- A computer virus carries in its instructional code the recipe for making perfect copies of itself.
- A virus that attaches to an executable program can do anything that the program is permitted to do. It executes secretly when the host program is run.
- Once the virus code is executing, it can perform any function, such as erasing files and programs, that is allowed by the privileges of the current user.
Virus parts

- Infection mechanism: The means by which a virus spreads or propagates, enabling it to replicate. The mechanism is also referred to as the infection vector.
- Trigger: The event or condition that determines when the payload is activated or delivered, sometimes known as a logic bomb.
- Payload: What the virus does, besides spreading. The payload may involve damage or may involve benign but noticeable activity.
Virus phases

- Dormant phase: The virus is idle.
- Propagation phase: The virus places a copy of itself into other programs or into certain system areas on the disk.
- Triggering phase: The virus is activated to perform the function for which it was intended.
- Execution phase: The function is performed.
Virus classification

- A virus classification by target includes the following categories:
  - Boot sector infector: Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.
  - File infector: Infects files that the operating system or shell consider to be executable.
  - Macro virus: Infects files with macro or scripting code that is interpreted by an application.
  - Multipartite virus: Infects files in multiple ways. Typically, the multipartite virus is capable of infecting multiple types of files, so
Viruses classification…
 A virus classification by concealment strategy includes the following
categories:
 Encrypted virus: A form of virus that uses encryption to obscure it’s
content. A portion of the virus creates a random encryption key and
encrypts the remainder of the virus.
 Stealth virus: A form of virus explicitly designed to hide itself from
detection by anti-virus software.
 Polymorphic virus: A form of virus that creates copies during replication
that are functionally equivalent but have distinctly different bit patterns, in
order to defeat programs that scan for viruses.
 Metamorphic virus: As with a polymorphic virus, a metamorphic virus
Worms

- Worm programs exploit software vulnerabilities in client or server programs to gain access to each new system.
- They can use network connections to spread from system to system.
- They can also spread through shared media.
- The concept of a computer worm was introduced in John Brunner’s 1975 novel.
- The first known worm implementation was done at Xerox Palo Alto Labs in the early 1980s.
Worms…

- To replicate itself, a worm uses some means to access remote systems.
- Electronic mail or instant messenger facility: A worm e-mails a copy of itself to other systems, or sends itself as an attachment via an instant message service, so that its code is run when the e-mail or attachment is received or viewed.
- File sharing: A worm either creates a copy of itself or infects other suitable files as a virus on removable media such as a USB drive; it then executes when the drive is connected to another system.
Worms…

- Remote execution capability: A worm executes a copy of itself on another system, either by using an explicit remote execution facility
- Remote file access or transfer capability: A worm uses a remote file access or transfer service to another system to copy itself from one system to the other, where users on that system may then execute it.
- Remote login capability: A worm logs onto a remote system as a user and then uses commands to copy itself from one system to the other, where it then executes.
Target Discovery (worm)

- The first function in the propagation phase for a network worm is for it to search for other systems to infect, a process known as scanning or fingerprinting.
- For a worm which exploits software vulnerabilities in remotely accessible network services, it must identify potential systems running the vulnerable service, and then infect them.
- Then, typically, the worm code now installed on the infected machines repeats the same scanning process, until a large distributed network of infected machines is created.
Target Discovery (worm)…

- Such a worm can use the following types of network address scanning strategies:
- Random: Each compromised host probes random addresses in the IP address space, using a different seed. This technique produces a high volume of Internet traffic, which may cause generalized disruption even before the actual attack is launched.
- Hit-List: The attacker first compiles a long list of potentially vulnerable machines. This can be a slow process done over a long period to avoid detection that an attack is underway.
Target Discovery (worm)…

- Topological: This method uses information contained on an infected victim machine to find more hosts to scan.
- Local subnet: If a host can be infected behind a firewall, that host then looks for targets in its own local network. The host uses the subnet address structure to find other hosts that would otherwise be protected by the firewall.
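As an added example (not part of the slides), the Python detector below turns the random and local-subnet strategies above into a detection rule: a host that probes many distinct addresses with mostly failed connections is flagged, and the pattern is labelled by whether its targets stay inside one /24. The record format, thresholds and sample records are assumptions constructed for this example.

```python
"""Flag hosts whose connection pattern looks like worm target discovery.

A scanning worm contacts many distinct addresses, most of which do not
answer, so a source with high fan-out and a high failure ratio stands out.
The thresholds and the (src, dst, port, state) record format are
assumptions made for this example.
"""
from collections import defaultdict
import ipaddress

# Constructed sample records, not real traffic.
SAMPLE_FLOWS = (
    # benign host: a few successful SMB sessions
    [("10.0.0.5", "10.0.0.9", 445, "OK"), ("10.0.0.5", "10.0.0.12", 445, "OK")]
    # random-scanning worm: scattered Internet targets, almost all unanswered
    + [("10.0.0.7", f"203.0.113.{i}" if i % 2 else f"198.51.100.{i}", 445, "RST")
       for i in range(1, 7)]
    + [("10.0.0.7", "192.0.2.10", 445, "OK")]
    # local-subnet scanner behind the firewall: sweeps its own /24
    + [("10.0.0.8", f"10.0.0.{i}", 445, "TIMEOUT") for i in range(20, 27)]
)


def detect_scanners(flows, min_targets=5, min_fail_ratio=0.8):
    """Return {source: strategy} for sources that look like scanning worms.

    strategy is "local-subnet" when every probed target lies in one /24
    (the firewall-bypass pattern) and "random" when targets are scattered.
    """
    targets = defaultdict(set)
    attempts = defaultdict(int)
    failures = defaultdict(int)
    for src, dst, _port, state in flows:
        targets[src].add(dst)
        attempts[src] += 1
        if state != "OK":
            failures[src] += 1

    flagged = {}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue  # too little fan-out to call it a scan
        if failures[src] / attempts[src] < min_fail_ratio:
            continue  # mostly successful: looks like normal use
        subnets = {ipaddress.ip_network(f"{d}/24", strict=False) for d in dsts}
        flagged[src] = "local-subnet" if len(subnets) == 1 else "random"
    return flagged


if __name__ == "__main__":
    for host, strategy in detect_scanners(SAMPLE_FLOWS).items():
        print(f"{host}: probable {strategy} scan")
```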
Trojan horses

- A Trojan horse is a useful, or apparently useful, program or utility containing hidden code that, when invoked, performs some unwanted or harmful function.
- Trojan horse programs can be used to accomplish functions indirectly that the attacker could not accomplish directly.
Trojan horse models

- Continuing to perform the function of the original program and additionally performing a separate malicious activity.
- Continuing to perform the function of the original program but modifying the function to perform malicious activity.
- Performing a malicious function that completely replaces the function of the original program.
Mobile Phone Trojans

- Mobile phone Trojans also first appeared in 2004 with the discovery of Skuller.
- These early Trojans targeted Symbian phones. More recently, a significant number of Trojans have been detected that target Android phones and Apple iPhones.
- These Trojans are usually distributed via one or more of the app marketplaces for the target phone OS.
Adversaries

- To defend against attacks on information and information systems, organizations must begin to define the threat by identifying potential adversaries. These adversaries can include the following:
  - Nation-states
  - Terrorists
  - Criminals
  - Hackers
  - Corporate competitors
  - Disgruntled employees
Motivation

- To defend against attacks on information and information systems, organizations must define the threat in terms of motivation.
- Motivations can include:
  - Intelligence gathering
  - Theft of intellectual property
  - Denial of service (DoS)
  - Embarrassment of the company or clients
  - Pride in exploiting a notable target
Attack Methods
IP Spoofing Attack

- The prime goal of an IP spoofing attack is to establish a connection that allows the attacker to gain root access to the host and to create a backdoor entry path into the target system.
- IP spoofing is a technique used to gain unauthorized access to computers whereby the intruder sends messages to a computer with an IP address that indicates the message is coming from a trusted host.
- IP spoofing can also provide access to user accounts and passwords.
Technical Discussion on IP Spoofing

- A TCP connection is opened with a three-way handshake:
  - The client selects and transmits an initial sequence number.
  - The server acknowledges the initial sequence number and sends its own sequence number.
  - The client acknowledges the server sequence number, and the connection is open to data transmission.
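The usual network-edge defence against the spoofed source addresses described in the IP spoofing slides is ingress/egress filtering. As an added example (not the slides' own material), the Python filter below decides for each constructed packet whether its source address is plausible for the interface it arrived on; the interface names, internal prefixes and sample packets are assumptions.

```python
"""Anti-spoofing (ingress/egress) filter for a two-interface border router.

A packet arriving on the outside interface that claims an inside source
address is the signature of an IP spoofing attempt and is dropped; a packet
leaving from the inside with a foreign source address is dropped too, so
this network cannot be the origin of spoofed traffic. Interface names,
prefixes and the sample packets are assumptions for this example.
"""
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def filter_packet(iface, src, dst):
    """Return ("accept", reason) or ("drop", reason) for one packet."""
    src_ip = ipaddress.ip_address(src)
    ipaddress.ip_address(dst)  # validates the destination syntax only
    if src_ip.is_loopback or src_ip.is_unspecified or src_ip.is_multicast:
        return "drop", "bogon source address"
    if iface == "outside" and is_internal(src_ip):
        return "drop", "internal source address arrived from outside"
    if iface == "inside" and not is_internal(src_ip):
        return "drop", "foreign source address leaving inside network"
    return "accept", "source plausible for interface"


# Constructed packets: (interface, src, dst)
SAMPLE_PACKETS = [
    ("outside", "203.0.113.9", "10.0.0.25"),    # ordinary inbound packet
    ("outside", "10.0.0.1", "10.0.0.25"),       # claims to be a trusted inside host
    ("inside", "10.0.0.25", "203.0.113.9"),     # ordinary outbound packet
    ("inside", "198.51.100.7", "203.0.113.9"),  # would spoof someone else's address
    ("outside", "127.0.0.1", "10.0.0.25"),      # bogon
]


def audit(packets):
    """Apply the filter to every packet and return the list of verdicts."""
    return [filter_packet(*p)[0] for p in packets]


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", filter_packet(*pkt))
```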
Man-in-the-Middle Attacks

- A complex form of IP spoofing is called a man-in-the-middle attack, where the hacker monitors the traffic and introduces himself as a stealth intermediary between the sender and the receiver.
- Hackers use man-in-the-middle attacks to perform many security violations:
  - Theft of information
  - Hijacking of an ongoing session to gain access to your internal network resources
  - Analysis of traffic to derive information about your network and its users
  - DoS
  - Corruption of transmitted data

Confidentiality Attack

- Confidentiality breaches can occur when an attacker attempts to obtain access to read sensitive data.
- These attacks can be extremely difficult to detect because the attacker can copy sensitive data without the knowledge of the owner and without leaving a trace.
- A confidentiality breach can occur simply because of incorrect file protections. For instance, a sensitive file could mistakenly be given global read-access.
- Unauthorized copying or examination of the file would probably be difficult to track without having some type of audit mechanism running that logs every file operation.
- If a user had no reason to suspect unwanted access, however, the audit file would probably never be examined.
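As an added example (not from the slides), this Python checker looks for the misconfiguration the slide describes, a sensitive file that has been given global read-access, and reports the tightened mode. The list of name patterns treated as sensitive and the sample stat data are assumptions constructed for the example.

```python
"""Find sensitive files readable by everyone ("global read-access").

The check works on (path, st_mode) pairs so it can run on constructed
data; scan_tree() feeds it real lstat() results on a Unix host.
The name patterns treated as sensitive are an assumption for this example.
"""
import os
import stat

SENSITIVE_SUFFIXES = (".key", ".pem", ".env", "shadow", "id_rsa")


def is_sensitive(path):
    return os.path.basename(path).endswith(SENSITIVE_SUFFIXES)


def find_exposed(entries):
    """Return [(path, mode, suggested_mode)] for regular files that are
    sensitive and have the other-read bit set; the suggestion clears every
    permission bit for "other" (group access is left as configured)."""
    exposed = []
    for path, mode in entries:
        if not stat.S_ISREG(mode) or not is_sensitive(path):
            continue
        if mode & stat.S_IROTH:
            exposed.append((path, mode, mode & ~stat.S_IRWXO))
    return exposed


def scan_tree(root):
    """Walk a directory tree and check real permissions (Unix semantics)."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            entries.append((full, os.lstat(full).st_mode))
    return find_exposed(entries)


# Constructed stat data: (path, mode) as os.lstat().st_mode would report it
SAMPLE_ENTRIES = [
    ("/etc/ssl/private/server.key", 0o100644),  # sensitive, world-readable
    ("/home/alice/.env", 0o100600),             # sensitive, owner-only
    ("/home/alice/notes.txt", 0o100644),        # readable but not sensitive
    ("/home/alice/backup.key", 0o120777),       # symlink, not a regular file
]

if __name__ == "__main__":
    for path, mode, fixed in find_exposed(SAMPLE_ENTRIES):
        print(f"{path}: mode {oct(mode)} -> chmod {oct(fixed & 0o7777)}")
```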
Confidentiality Attack Methods

- Packet sniffing
- Port scanning
- Dumpster diving
- Emanation capturing
- Wiretapping
- Social engineering
- Overt channel
- Covert channel
