
I want this paper on 10/02 afternoon. Strictly NO plagiarism.

Use a search engine to find the names of five different cyber viruses.

Using WORD, write a short paragraph on each.

Use your own words and do not copy the work of another student.

Materials needed:

https://www.youtube.com/watch?v=bjYhmX_OUQQ

Strictly NO plagiarism; please use your own words.

Computer Security Fundamentals

by Chuck Easttom

Chapter 5 Malware

© 2016 Pearson, Inc. Chapter 5 Malware

Chapter 5 Objectives

  • Understand viruses and how they propagate
  • Have a working knowledge of several specific viruses
  • Understand virus scanners
  • Understand what a Trojan horse is


Understand viruses (worms) and how they propagate, including the Sobig and Sasser types.

Have a working knowledge of several specific virus outbreaks.

Understand how virus scanners operate.

Understand what a Trojan horse is and how it operates.


Chapter 5 Objectives (cont.)

  • Have a working knowledge of several specific Trojan horse attacks
  • Understand the buffer overflow attack
  • Understand spyware
  • Defend against these attacks


Have a working knowledge of several specific Trojan horse attacks.

Grasp the concept behind the buffer overflow attack.

Have a better understanding of spyware and how it enters a system.

Defend against each of these attacks through sound practices, antivirus software, and antispyware software.


Introduction

  • Virus outbreaks
  • How they work
  • Why they work
  • How they are deployed
  • Buffer overflow attacks
  • Spyware
  • Other malware


Viruses

  • A computer virus
  • Self-replicates
  • Spreads rapidly
  • May or may not have a malicious payload


Even without a malicious payload, rapid deployment may utilize network bandwidth, slowing the system down and generating a DoS.

Some people would take issue with the definition, saying that it blurs the difference between a virus and a worm. But today, so many hybrids (worm/virus combos) are written that maybe it doesn’t make any difference.


Viruses (cont.)

How a virus spreads

  • Finds a network connection; copies itself to other hosts on the network
  • Requires programming skill

OR

  • Mails itself to everyone in host’s address book
  • Requires less programming skill


How a virus spreads

Scans the host for a network connection and copies itself to other hosts on the network. This method requires a degree of programming skill.

OR

Reads host’s e-mail address book, sending itself to everyone in the address book. This method requires much less programming skill.

Scripts for either method are readily available on the web.


Viruses (cont.)

  • E-mail propagation
  • More common for one major reason:
  • Microsoft Outlook is easy to work with.
  • Five lines of code can cause Outlook to send e-mails covertly.
  • Other viruses spread using their own e-mail engine.


E-mail propagation is much more common for one major reason:

Microsoft Outlook is written for ease of programming and user convenience. Five lines of code can reference Outlook and send out an e-mail! A programmer can cause Outlook to send e-mails covertly.

Other viruses spread using their own e-mail engine.


Viruses (cont.)

  • Network propagation.
  • Less frequent, but just as effective
  • Web site delivery.
  • Relies on end-user negligence
  • Multiple vectors for a virus are becoming more common.


As virus writers become more sophisticated, the type of propagation also becomes more sophisticated.


Viruses (cont.)

  • Virus Types
  • Macro
  • Multi-Partite
  • Armored
  • Memory Resident
  • Sparse Infector
  • Polymorphic


Viruses (cont.)

Symantec site information on the Sobig virus


The [email protected] worm sends itself to all the addresses it finds in the .txt, .eml, .html, .htm, .dbx, and .wab files. The e-mail message has the following characteristics:
From: [email protected]
Subject: The subject will be one of these:

Re: Movies

Re: Sample

Re: Document

Re: Here is that sample


Viruses (cont.)

Information on the Mimail virus from the Sophos site


W32/Mimail-A is a worm that arrives with the following characteristics:

Subject line: your account <random letters>
Message text:
Hello there, I would like to inform you about important information
regarding your e-mail address. This e-mail address will be expiring.
Please read attachment for details.

Best regards, Administrator
Attached file: message.zip

W32/Mimail-A spoofs the From field of the sent e-mails using the e-mail address [email protected]<your domain>.

Inside the message.zip compressed file is another file called message.html. If this file is opened, the worm will copy itself to

C:<Windows>exe.tmp
and
C:<Windows>videodrv.exe

The worm exploits a known security vulnerability. A patch has been available from Microsoft for some months that reportedly fixes the vulnerability.


Viruses (cont.)

Information on the Bagle virus from the internet.com site


Bagle (beagle) is a mass mailing worm that alters the “From” field in e-mails and makes it appear as if it is from someone you know.
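The Sobig, Mimail and Bagle descriptions above each list observable traits of the worm's e-mail: a templated subject, a spoofed From address that claims the recipient's own domain, and a message.zip attachment wrapping a message.html file. As an added example (not from the textbook or the vendor write-ups), the following mail-gateway check parses a raw message and scores those traits; the sample messages are constructed, and the "admin@" sender and the example.org domain are assumptions since the page's addresses are obfuscated.

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Subject templates quoted on the page: Mimail-A ("your account <random letters>")
# and the four Sobig "Re: ..." subjects.
SUBJECT_PATTERNS = [
    re.compile(r"^your account [A-Za-z]+$", re.I),
    re.compile(r"^Re: (Movies|Sample|Document|Here is that sample)$", re.I),
]
SUSPECT_ATTACHMENT_NAMES = {"message.zip"}
RISKY_MEMBER_EXTENSIONS = (".html", ".htm", ".exe", ".scr", ".pif")


def build_sample(subject, sender, attach_zip=True):
    """Constructed test message (no real payload) shaped like the worms described."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.org"
    msg["Subject"] = subject
    msg.set_content("Hello there, this e-mail address will be expiring. "
                    "Please read attachment for details.")
    if attach_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("message.html", "<html>harmless placeholder</html>")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="message.zip")
    return msg.as_bytes()


def zip_member_names(data):
    """Names inside a zip attachment, or [] if it is not a valid archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def score_message(raw, local_domain):
    """Return the list of worm-like traits found in one inbound message."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    subject = str(msg["Subject"] or "").strip()
    if any(p.match(subject) for p in SUBJECT_PATTERNS):
        findings.append("subject matches known worm template")
    # Inbound mail should not claim to come from our own domain (spoofed From).
    sender = str(msg["From"] or "").lower()
    if sender.endswith("@" + local_domain.lower()):
        findings.append("From field claims local domain on inbound mail")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in SUSPECT_ATTACHMENT_NAMES:
            findings.append(f"attachment {name} matches known worm name")
        if name.endswith(".zip"):
            members = zip_member_names(part.get_payload(decode=True))
            if any(m.lower().endswith(RISKY_MEMBER_EXTENSIONS) for m in members):
                findings.append("zip attachment contains web page or executable")
    return findings
```

A real gateway would quarantine on two or more findings rather than on any single one, since a legitimate internal sender or a "Re: Document" subject alone is common.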


Viruses (cont.)

Virus hoaxes from the McAfee site


There are 94 hoaxes listed on this page alone.


Viruses (cont.)

Wikipedia information on Robert Tappan Morris, Jr.


Some conspiracy theorists have noted that the story of Robert Morris would not be complete without mentioning his father, Robert Morris, who at the time of the release of the Morris Worm was the Chief Scientist of the NSA. He had a habit of bringing home neat things for his son to play with (like one of the original Enigma code machines), so perhaps his son got his hands on a fledgling NSA project? Maybe. Or perhaps he had something to prove to his father?


Viruses (cont.)

  • Examples
  • Rombertik
  • Gameover ZeuS
  • FakeAV


Rombertik wreaked havoc in 2015. This malware uses the browser to read user credentials to websites.

Gameover ZeuS is a virus that creates a peer-to-peer botnet. Essentially, it establishes encrypted communication between infected computers and the command and control computer, allowing the attacker to control the various infected computers.

FakeAV first appeared in July 2012. It affected Windows systems ranging from Windows 95 to Windows 7 and Windows Server 2003. This was a fake antivirus (thus the name FakeAV) that would pop up fake virus warnings. This was not the first such fake antivirus malware, but it was one of the more recent ones.


Viruses (cont.)

  • Rules for avoiding viruses:
  • Use a virus scanner.
  • DO NOT open questionable attachments.
  • Use a code word for safe attachments from friends.
  • Do not believe “Security Alerts.”


There's plenty of free antivirus software on the Web – get some!

If friends send attachments, have a code word in the subject line, indicating that the attachment is safe. Note that this “code word” concept is good, but difficult to implement, especially among numerous people.


Ransomware

  • Examples
  • Cryptolocker
  • Cryptowall


One of the most widely known examples of ransomware is the infamous CryptoLocker, first discovered in 2013. CryptoLocker utilized asymmetric encryption to lock the user’s files. Several varieties of CryptoLocker have been detected.

CryptoWall is a variant of CryptoLocker first found in August 2014. It looked and behaved much like CryptoLocker. In addition to encrypting sensitive files, it would communicate with a command and control server and even take a screenshot of the infected machine. By March 2015 a variation of CryptoWall had been discovered that is bundled with the spyware TSPY_FAREIT.YOI and actually steals credentials from the infected system, in addition to holding files for ransom.


Trojan Horses

A program that looks benign, but is not

  • A cute screen saver or apparently useful login box can
  • Download harmful software.
  • Install a key logger.
  • Open a back door for hackers.


Example: It is simple for a script kiddy to download a VB script that can mimic a bank’s logon screen.


Trojan Horses (cont.)

  • Competent programmers can craft a Trojan horse:
  • To appeal to a certain person or
  • To appeal to a certain demographic
  • Company policy should prohibit unauthorized downloads.


Competent programmers can craft a personally appealing Trojan horse or one that would appeal to a certain demographic.

Company security policy should prohibit any unauthorized downloads.

Odds are that in a freely downloading environment, someone will eventually download a Trojan. This could spread to other hosts on the network. In the form of a logic bomb, deployed by the Trojan, the effect could be devastating.


Trojan Horses (cont.)

Still-valid CERT advisory on Trojan horses


The CERT advisory is old, but the only thing that has changed with Trojans is the creative use of them. No one has come up with a better way of doing it, just different ways of using it.


The Buffer Overflow Attack

  • EliteWrap.


There are a number of tools, some free for download, that will help a person create a Trojan horse. One that I use in my penetration testing classes is eLiTeWrap. It is easy to use. Essentially, it can bind any two programs together. Using a tool such as this one, anyone can bind a virus or spyware to an innocuous program such as a shareware poker game. This would lead to a large number of people downloading what they believe is a free game and unknowingly installing malware on their own system.


The Buffer Overflow Attack (cont.)

A Microsoft Security Bulletin on a buffer overflow attack


Vulnerability Details

LSASS Vulnerability – CAN-2003-0533:

A buffer overrun vulnerability exists in LSASS that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take complete control of the affected system.


The Buffer Overflow Attack (cont.)

Web tutorial for writing buffer overflows


A source on the web for learning how to write buffer overflows!


Spyware

  • Requires more technical knowledge
  • Usually used for targets of choice
  • Must be tailored to specific circumstances
  • Must then be deployed


Spyware requires a more sophisticated perpetrator.

It is not usually used for targets of opportunity, but for targets of choice.

It must be created or tailored to a specific set of circumstances, and then deployed.


Spyware (cont.)

  • Forms of spyware
  • Web cookies
  • Key loggers


Forms of spyware:

Web cookies – Recording a few facts to return to a Web site

Key loggers – Recording everything you type, including all your usernames and passwords plus all of your files and documents

This information is logged to a log file and uploaded or even e-mailed to the perpetrator at his convenience.

There are many more types of spyware. What about the one that looks for a particular type of web cam and then turns it on when it wants, such as when you are in the room?


Spyware (cont.)

  • Legal Uses
  • Monitoring children’s computer use
  • Monitoring employees
  • Illegal Uses
  • Deployment will be covert


When monitoring employees, make sure you have an acceptable use policy that everyone has signed informing them that there will be employee monitoring. When monitoring your kids, you are on your own!


Spyware (cont.)

Example of free spyware removal software


This is just one example of a free spyware remover. Many more Web sites with free antispyware exist, in addition to the ones mentioned in the text.


Other Forms of Malware

  • Rootkit
  • A collection of hacking tools that can
  • Monitor traffic and keystrokes
  • Create a backdoor
  • Alter log files and existing tools to avoid detection
  • Attack other machines on the network


A rootkit is a collection of hacking tools. After getting root (administrative-level access), the attacker installs the rootkit. It has various tools that may do the following:

Monitor traffic and keystrokes

Create a backdoor

Alter log files and existing tools to avoid detection

Attack other machines on the network


Malicious Web-Based Code

  • Web-Based mobile code
  • Code that is portable on all operating systems
  • Multimedia rushed to market results in poorly scripted code
  • Spreads quickly on the web


Web-based mobile code is code that is portable across operating systems, such as HTTP or Java, and also has a malicious payload.

As the market calls for more and more interactive multimedia experiences, a rush to market results in poorly scripted code.

The web increases the mobility of these untrustworthy programs.

Consumers love all the fun things. Security techs are nervous about ActiveX, VBScript, and so forth.

Logic Bombs

  • Go off on a specific condition
  • Often date
  • Can be other criteria


On October 29, 2008, a logic bomb was discovered in the company’s systems. This logic bomb had been planted by a former contractor, Rajendrasinh Makwana, who had been terminated. The bomb was set to activate on January 31, 2009 and completely wipe all of the company’s servers (https://www.fbi.gov/baltimore/press-releases/2010/ba121710.htm).


APT

  • Advanced Persistent Threat
  • Advanced techniques, not script kiddies
  • Ongoing over a significant period of time


The security firm Mandiant tracked several APTs over a period of 7 years, all originating in China, specifically Shanghai and the Pudong region. These APTs were simply named APT1, APT2, and so on.

The attacks were linked to Unit 61398 of China’s military. The Chinese government regards this unit’s activities as classified, but it appears that offensive cyber warfare is one of its tasks. Just one of the APTs from this group compromised 141 companies in 20 different industries. APT1 was able to maintain access to victim networks for an average of 365 days, and in one case for 1,764 days. APT1 is responsible for stealing 6.5 terabytes of information from a single organization over a 10-month time frame. We will discuss the Chinese attack in more detail in Chapter 12 as part of our discussion of cyber terrorism and information warfare.


Detecting and Eliminating Viruses and Spyware

  • Antivirus software operates in two ways:
  • Scans for virus signatures
  • Keeps the signature file updated
  • Watches the behavior of executables
  • Attempts to access e-mail address book
  • Attempts to change Registry settings
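The two modes just listed, signature scanning and behaviour watching, can be shown side by side. This is an added example, not code from the textbook or any antivirus product: the signature table, the file contents and the process-event stream are all constructed, and the autostart registry path is used only as a sample target.

```python
import hashlib
import re

# --- Mode 1: signature scanning ---------------------------------------------
# Constructed signatures (not real malware signatures). A hash signature matches
# a whole file exactly; a pattern signature matches a byte sequence anywhere
# inside it, which survives small edits that would change the hash.
HASH_SIGNATURES = {
    hashlib.sha256(b"constructed known-bad blob").hexdigest(): "Sample.Trojan.B",
}
PATTERN_SIGNATURES = {
    "Sample.Worm.A": re.compile(rb"MAPI\.SendMail.{0,64}AddressBook", re.S),
}

# Constructed file contents standing in for scanned executables.
SAMPLE_MALICIOUS = b"MZ fake header ... MAPI.SendMail loop over AddressBook entries"
SAMPLE_BENIGN = b"MZ fake header ... just a solitaire game"


def scan_file_bytes(data):
    """Signature pass: names of every signature that matches this file."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern.search(data):
            hits.append(name)
    return hits


# --- Mode 2: behaviour watching ---------------------------------------------
# Each event is a dict: which process did what to which target. The two rules
# mirror the slide: touching the e-mail address book (.wab/.dbx files, the
# stores named in the Sobig description) and changing autostart registry keys.
ADDRESS_BOOK_EXTENSIONS = (".wab", ".dbx")
AUTOSTART_KEY_FRAGMENTS = (r"\currentversion\run",)  # sample autostart path

SAMPLE_EVENTS = [
    {"process": "photo.exe", "op": "file_read", "target": r"C:\Users\alice\Contacts.wab"},
    {"process": "photo.exe", "op": "reg_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"process": "notepad.exe", "op": "file_read", "target": r"C:\Users\alice\notes.txt"},
    {"process": "outlook.exe", "op": "file_read", "target": r"C:\Users\alice\mail.dbx"},
]


def watch_behaviour(events, threshold=2):
    """Flag processes showing at least `threshold` distinct suspicious behaviours.

    A single behaviour is not enough: a mail client legitimately reads its own
    address book, so requiring two keeps that out of the result.
    """
    reasons = {}
    for ev in events:
        target = ev["target"].lower()
        if ev["op"] == "file_read" and target.endswith(ADDRESS_BOOK_EXTENSIONS):
            reason = "reads e-mail address book"
        elif ev["op"] == "reg_set" and any(k in target for k in AUTOSTART_KEY_FRAGMENTS):
            reason = "modifies autostart registry key"
        else:
            continue
        reasons.setdefault(ev["process"], set()).add(reason)
    return {proc: sorted(r) for proc, r in reasons.items() if len(r) >= threshold}
```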


Get antivirus software and use it!


Detecting and Eliminating Viruses and Spyware (cont.)


Click on any of these links to show a trial version.


Summary

  • There are a wide variety of attacks.
  • Computer security is essential to the protection of personal information and your company’s intellectual property.
  • Most attacks are preventable.
  • Defend against attacks with sound practices plus antivirus and antispyware software.
