
Malware- Types, Detection and Future

Nov 18, 2014

Category: Education

Posted by karanwayne

The presentation describes various kinds of malware: their basic types, how they work, and various malware detection mechanisms.
Transcript
Page 1: Malware- Types, Detection and Future

Malware

Menon Harishankar Krishnakumar

S6-CSE 13

Page 2: Malware- Types, Detection and Future

Contents

- What is Malware?
- Brain Virus
- Morris Worm
- Code Red
- SQL Slammer
- Trojan
- Malware Detection
- Future of Malware

Page 3: Malware- Types, Detection and Future

What is Malware?

- Malicious software, such as a virus, which is specifically designed to disrupt or damage a computer system.
- The infection styles of different malware are entirely different.
- General categories of malware (shown on the slide as a diagram around "Malware"): Trojan Horse, Rabbit, Trapdoor, Virus, Worm.

Page 4: Malware- Types, Detection and Future

Brain Virus

- The first virus introduced to the world, in 1986.
- Not malicious and not harmful, but annoying.
- Places itself in the boot sector and other places.
- Screens all disk access in order to maintain its presence.
- On access it would reinstall itself.

Page 5: Malware- Types, Detection and Future

Morris Worm

- An important attack occurred which changed the world's security level.
- Infected via e-mail exchange; designed by students of Cornell University.
- Morris's worm failed because it did no rechecking.
- The three main procedures of this worm:
  - Determine whether it could spread.
  - Spread the infection when possible.
  - Remain undiscovered.
- Designed in C code, which gave a nuclear-attack-like impact to the Internet of 1988.

Page 6: Malware- Types, Detection and Future

Code Red

- July 2001: affected 2.5 lakh systems in 10-15 hours.
- But it affected only 7.5 lakh out of the 60 lakh susceptible systems worldwide.
- Gained access via a Microsoft server through a "buffer overflow".
- Its working method is based on days:
  - Day 1-19: spread
  - Day 20-27: DDoS
- A copycat version of Code Red reboots the system to flush all traces of the worm.

Page 7: Malware- Types, Detection and Future

SQL Slammer

- Came in 2004, affecting 2.5 lakh systems in 10 minutes.
- Infects via browsing Internet sites.
- Attacks one Internet site and, inside that site, randomly generates IP addresses and spreads.
- Burns down the bandwidth.
- The worm code was small, 376 bytes, as firewalls deny small packets.

Page 8: Malware- Types, Detection and Future

Trojan Horse

- Came from the Mac: harmless but annoying.
- It is a click-launch application virus.
- A Trojan visually looks like a simple file (mp3, Word, ppt, etc.) but on the click event launches the "duplicating virus code".
- A Trojan is simple to design and its strength can be altered.
- Best example: the shortcut virus, a.k.a. the autorun virus.

Page 9: Malware- Types, Detection and Future

Malware Detection

- Three main methods:
  - Signature detection
  - Change detection
  - Anomaly detection
- Signature detection:
  - Each virus of a particular type has something in common.
  - Minimum burden for the user.
  - Problems:
    - Can only detect known viruses.
    - May remove important files.

Page 10: Malware- Types, Detection and Future

- Change detection:
  - An unexpected change in a file shows the presence of a virus.
  - Uses a hash function.
  - Advantages:
    - Virtually no false negatives.
    - Detects previously known malware.
  - Disadvantages:
    - Many false positives.
    - Causes a heavy burden to the user.
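The following added example (not part of the presentation) shows the two methods from the two slides above side by side on constructed in-memory "files": a signature scan catches only the sample whose byte pattern is already known, while hash-based change detection catches every modified or new file, including a legitimate program update that it cannot tell apart from an infection. All file names, contents and the signature pattern are constructed for the demonstration.

```python
import hashlib

# Constructed byte pattern standing in for one known sample's signature.
KNOWN_SIGNATURES = [b"KNOWN-SAMPLE-MARKER"]

# Constructed "disk snapshots" (filename -> content) in place of real files.
BASELINE_FILES = {
    "notes.txt": b"quarterly notes, nothing unusual",
    "app.exe": b"MZ\x90\x00 legitimate program v1",
    "report.doc": b"plain report",
}
CURRENT_FILES = {
    "notes.txt": b"quarterly notes, nothing unusual",        # untouched
    "app.exe": b"MZ\x90\x00 legitimate program v2",          # legitimate update
    "report.doc": b"plain report" + b"KNOWN-SAMPLE-MARKER",   # known sample appended
    "invoice.ppt": b"slides" + b"UNKNOWN-VARIANT-MARKER",     # variant with no signature yet
}


def signature_scan(files, signatures=KNOWN_SIGNATURES):
    """Signature detection: flag files containing any known byte pattern.
    Only known samples are found; the unseen variant is missed."""
    return sorted(name for name, data in files.items()
                  if any(sig in data for sig in signatures))


def build_baseline(files):
    """Record a SHA-256 hash of every file while the system is still trusted."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def change_detection(baseline, files):
    """Change detection: flag files whose hash differs from the baseline or that
    did not exist before. Every modification is caught (no false negatives), but
    the legitimate update of app.exe is flagged as well (a false positive)."""
    return sorted(name for name, data in files.items()
                  if baseline.get(name) != hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    print("signature scan flags:", signature_scan(CURRENT_FILES))
    print("change detection flags:",
          change_detection(build_baseline(BASELINE_FILES), CURRENT_FILES))
```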

Page 11: Malware- Types, Detection and Future

- Anomaly detection:
  - Based on intrusion detection systems (IDS).
  - The difficult part here is to make it realize what is "normal".
  - It can detect previously unknown malware.
  - A file can alter what looks anomalous about it and get in.
  - This detection does not stand alone; it is always combined with one of the methods above.

Page 12: Malware- Types, Detection and Future

Future of Malware

- New malware is created by malware writers with future security in mind.
- Polymorphic virus:
  - Encrypted with a different key each time it propagates.
  - Used to mask a signature.
  - The decryptor is also masked.
  - Difficult to detect, but not impossible.

Page 13: Malware- Types, Detection and Future

- Metamorphic virus:
  - Mutates before infecting and spreads inside the system.
  - Even if the original virus/worm is detected, the mutated one still remains, with a different signature.
- Warhol worm:
  - Similar to SQL Slammer but with reduced bandwidth usage.
  - Creates a "hit list".
  - The sites on the hit list are infected first, and from them it finds vulnerable IP addresses.

Page 14: Malware- Types, Detection and Future


[Slide 14 shows a table of hit counts per IP address, captioned "Vulnerable IP Address generated Today".]

Page 15: Malware- Types, Detection and Future

Thank You