
TMK 264: COMPUTER SECURITY

Jan 31, 2016



Prepared By: Razif Razali

CHAPTER THREE: SECURITY SYSTEM

INTRODUCTION

• Consider what we mean when we say that a program is ‘secure’.

• We saw in chapter 1 that security implies some degree of trust that the program enforces expected confidentiality, integrity and availability.

• From the point of view of a program or a programmer, how can we look at a software component or code fragment and assess its security?

VIRUSES AND OTHER MALICIOUS CODE

• By themselves, programs are seldom security threats.

• The programs operate on data, taking action only when data and state changes trigger it.

• Much of the work done by a program is invisible to users, so they are not likely to be aware of any malicious activity.

WHAT IS MALICIOUS CODE?

• Malicious code, or a rogue program, is the general name for unanticipated or undesired effects in programs or program parts.

• It is caused by agents through which the computer system can be affected.

• The agent is the writer of the program or the person who causes its distribution.

• Malicious code can do anything any other program can, such as writing a message on a computer screen, stopping a running program, generating a sound or erasing a stored file.

• Malicious code runs under the user's authority.

KINDS OF MALICIOUS CODE

WORM

• Is a self-relocating computer program.

• Uses the network to send copies of itself to other nodes.

• Always harms the network, whereas viruses always infect a targeted PC.

• Can consume memory or network bandwidth, which can cause a computer to crash.

• A worm is similar to a virus by its design, and is considered to be a subclass of a virus.

• Examples: Sasser Worm, Blaster Worm, ILOVEYOU, CodeRed, Nimda.

TROJAN HORSE

• A Trojan horse is a program that, unlike a virus, contains or installs malicious code.

• Trojan horses may appear to be useful or interesting programs to an unsuspecting user, but are actually harmful when executed.

• Also known to create a backdoor on your computer that gives malicious users access to your system.

LOGIC BOMB

• Also called slag code; it is programming code, inserted surreptitiously or intentionally, that is designed to execute under particular circumstances.

• When it "explodes", it may be designed to display or print a spurious message, delete or corrupt data, or have other undesirable effects.

VIRUS DEFINITIONS

• A computer virus is a block of executable code that would replicate itself by attaching to other files or replacing another program.

• Virus attacks on a computer or a computer system spread over the network or the Internet.

• A virus is a program that can pass on malicious code to other non-malicious programs by modifying them.

• What do computer viruses do?
  – A computer virus's main purpose is to replicate itself and copy its code into as many other files as possible.

Figure: How computer virus spread

CATEGORIES OF VIRUS

• A virus can be either transient or resident.
  – Transient
    • Its life depends on the life of its host.
    • The virus runs when its attached program executes and terminates when its attached program ends.
    • During its execution, the transient virus may have spread its infection to other programs.
  – Resident
    • Locates itself in memory; then it can remain active or be activated as a stand-alone program, even after its attached program ends.

VIRUS SYMPTOMS

HOW VIRUSES ATTACH

• A virus attaches itself using one of three methods:
  – Appended to a program
  – Surrounding a program
  – Integrated into a program

Virus appended to a program

• A program virus attaches itself to a program; then, whenever the program is run, the virus is activated.

• This kind of attachment is simple and effective.

• In the simplest case, a virus inserts a copy of itself into the executable program file before the first executable instruction.

• Then, all the virus instructions execute first; after the last virus instruction, control flows naturally to what used to be the first program instruction.

Figure: Virus appended to a program

Virus Surrounding & Integrating

• Virus surrounding a program
  – A virus that runs the original program but has control before and after its execution.
  – Example: the virus writer might want to prevent the virus from being detected.

• Virus integrated into a program
  – The virus replaces some of its target, integrating itself into the original code of the target.
  – The virus writer has to know the exact structure of the original program and must know where to insert the pieces of the virus.

HOMES FOR VIRUSES

• Since a virus can be rather small, its code can be 'hidden'.

• Two hundred lines of a virus could be separated into one hundred packets of two lines of code.

• The virus writer may find these qualities appealing in a virus:
  – It is hard to detect.
  – It is not easily destroyed or deactivated.
  – It spreads infection widely.
  – It can reinfect its home program or other programs.
  – It is easy to create.
  – It is machine independent and operating system independent.

Issues of virus residence

• One-Time Execution
  – The majority of viruses today execute only once, spreading their infection and causing their effect in that one execution.
  – A virus often arrives as an email attachment of a document virus.

• Boot Sector Viruses
  – When a computer is started, control begins with firmware that determines which hardware components are present, tests them and transfers control to the operating system.
  – A boot sector is an especially appealing place to house a virus.


• Memory Resident Viruses
  – Some parts of the operating system and most user programs execute, terminate and disappear, with their space in memory being available for anything executed later.
  – Examples of resident code are the routine that interprets keys pressed on the keyboard and the code that handles error conditions that arise during program execution.

• Other homes for viruses
  – A virus that does not take up residence in one of these cozy establishments has to fend more for itself.
  – One popular home for a virus is an application program.
  – Many applications, such as word processors and spreadsheets, have a 'macro' feature, by which a user can record a series of commands and repeat them with one invocation.

VIRUS SIGNATURE

• A virus cannot be completely invisible.

• Code must be stored somewhere, and the code must be in memory to execute.

• Moreover, the virus executes in a particular way, using certain methods to spread.

• Each of these characteristics yields a telltale pattern, called a signature.

• Signatures are specific strings of binary code in most viruses (except polymorphic ones) that allow antivirus software to detect them.

• New viruses contain new signatures, which is why it is essential to keep signature files up to date.

• The virus signature is important for creating a program called a virus scanner.

• The scanner searches memory for virus signatures.

Figure: Example of Virus Signature

DENIAL OF SERVICE (DOS)

• Also known as Distributed Denial of Service Attack.

• DOS is an attempt to make a computer resource unavailable to the intended users.

• It simply aims to prevent legitimate users from accessing the system.

HOW VIRUSES GAIN CONTROL

• A virus can take control of the program by:
  – Overwriting part of the program
    • The virus can overwrite T in storage (simply replacing the copy of T in storage; see example (a)).
  – Changing the pointers
    • Alternatively, the virus can change the pointers in the file table so that the virus is located instead of T whenever T is accessed through the file system (see example (b)).

Figure: Virus completely replacing a program

HOW VIRUSES MAY AFFECT FILES

• Viruses can affect any files; however, they usually attack .com, .exe, .sys, .bin, .pif or any data files.

• A virus can increase a file's size; however, this can be hidden.

• It can delete files as the file is run.

• It can corrupt files randomly.

• It can cause write-protect errors when executing .exe files from a write-protected disk.

• It can convert .exe files to .com files.

• It can reboot the computer when executed.

VIRUS EFFECTS AND CAUSES

PREVENTION OF VIRUS INFECTION

• The only way to prevent the infection of a virus is not to share executable code with an infected source.

• Techniques used to control viruses:
  – Use only commercial software acquired from reliable, well-established vendors.
  – Test all new software on an isolated computer.
  – Open attachments only when you know them to be safe.
  – Make a recoverable system image and store it safely.
  – Make and retain backup copies of executable system files.
  – Use virus detectors regularly and update them daily.

TRUTH ABOUT VIRUS

• Viruses can infect only Microsoft Windows operating systems – FALSE

• Viruses can modify 'hidden' or 'read only' files – TRUE

• Viruses can appear only in data files, or only in word documents, or programs – FALSE

• Viruses spread only on disks or only in e-mail – FALSE

• Viruses cannot remain in memory after a complete power off/power on reboot – TRUE

• Viruses cannot infect hardware – TRUE

• Viruses can be malevolent, benign or benevolent – TRUE

SALAMI ATTACK

• This approach gets its name from the way odd bits of meat and fat are fused together in a sausage or salami.

• Some books refer to a salami attack as salami shaving.

• In the same way, a salami attack merges bits of seemingly inconsequential data to yield powerful results.

• Example of a salami attack:
  – With salami shaving, a programmer alters a program to subtract a very small amount of money from an account (say, two cents) and diverts the funds to the embezzler's account.
  – Ideally, the sum is so small that it's never noticed.
  – In a business that handles thousands of accounts, an insider could skim tens of thousands of dollars per year using this method.
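An audit that recomputes each posting independently catches this pattern even when the totals still balance. The check below is an added example, not part of the original slides; the interest rate, account numbers and ledger values are constructed, with the two-cent shortfall taken from the slide.

```python
from decimal import Decimal, ROUND_HALF_EVEN

RATE = Decimal("0.0125")   # assumed monthly interest rate
CENT = Decimal("0.01")

# Constructed ledger: (account, balance, interest the program actually posted)
LEDGER = [
    ("A-1001", Decimal("1520.00"), Decimal("18.98")),
    ("A-1002", Decimal("832.00"), Decimal("10.38")),
    ("A-1003", Decimal("2400.00"), Decimal("30.00")),
    ("A-1004", Decimal("96.00"), Decimal("1.18")),
    ("A-9999", Decimal("400.00"), Decimal("5.06")),
]

def expected_interest(balance):
    """Independent recomputation of what should have been posted."""
    return (balance * RATE).quantize(CENT, rounding=ROUND_HALF_EVEN)

def totals_balance(ledger):
    """Aggregate control only: total posted equals total expected."""
    posted = sum(p for _, _, p in ledger)
    expected = sum(expected_interest(b) for _, b, _ in ledger)
    return posted == expected

def per_account_diffs(ledger):
    """Accounts whose posted interest differs from the recomputed value."""
    diffs = {}
    for account, balance, posted in ledger:
        delta = posted - expected_interest(balance)
        if delta != 0:
            diffs[account] = delta
    return diffs

def salami_report(ledger, min_short_accounts=3):
    """Flag many small shortfalls that are offset by credits elsewhere."""
    diffs = per_account_diffs(ledger)
    short = {a: -d for a, d in diffs.items() if d < 0}
    over = {a: d for a, d in diffs.items() if d > 0}
    total_short = sum(short.values(), Decimal("0"))
    total_over = sum(over.values(), Decimal("0"))
    suspicious = len(short) >= min_short_accounts and total_over == total_short
    return {"short_accounts": sorted(short), "total_short": total_short,
            "beneficiaries": sorted(over), "suspicious": suspicious}

if __name__ == "__main__":
    print("totals balance:", totals_balance(LEDGER))
    print(salami_report(LEDGER))
```

The aggregate check passes on this ledger, which is why the per-account comparison is the control that matters.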

CONCLUSIONS

• Introduction
• Virus and malicious code
  – What is malicious code?
  – Kinds of malicious code
  – Virus definition
  – How virus attach
    • Appended virus
    • Surround a program
    • Integrated viruses
  – Home for virus
  – Virus signature
  – How viruses may affect files
  – Virus effect and cause
  – Prevention of virus infection
  – Truth about virus
• Salami attack
  – Example of salami attack