What I want to do in this topic is introduce some of the terminology and some of the classifications of malicious software, malware for short: viruses, worms, Trojans and a few other issues. We're not going into too much detail about the different types of malicious software. In subsequent topics we'll see some more detailed examples. So later there's a topic on denial of service attacks, which is somewhat related to malicious software, and I'll show a couple of examples of worms. So we may see other forms of malicious software in other topics. Malicious software, or malware for short, is a program that is inserted into a system, usually covertly, so secretly, trying to hide the fact that we're inserting it, with the intent of compromising the confidentiality, integrity or availability of the victim's data, applications or OS, operating system, or annoying or disrupting the victim. So there are many things you can do. It's some program inserted into some computer system, and CIA comes up here: confidentiality, integrity, availability, our general set of requirements, and the malware wants to compromise them. That's what this malicious software wants to do, from an attacker's point of view, or annoy the user. So we have a victim and we have an attacker, or a malicious user, who uses this software to annoy or attack the victim. There are many different types of malware. We will mention some of them and try to classify them into different categories, and you can classify them in different ways. There's not just one classification of what is malware. Two ways, and we'll use these through these slides, are how that malware propagates, how it moves from one computer to another computer, and what that malware does, the payload. The payload is the operations carried by that malicious software that perform some action. So when it gets to the victim's computer, what does it do?
So for how it spreads, we'll talk about viruses, worms, and social engineering as examples of how to spread malicious software. And for what it can do, we'll talk about how it can corrupt the data or the software on a particular system, we'll introduce zombies and bots, stealing information, which is one thing that it may do, and stealthing, hiding itself, and we'll finish with some countermeasures, some general concepts used in antivirus software. Antivirus software is usually trying to detect malicious software, not just viruses; we'll see other malicious software. So we'll go through and look at some malware by the way that it propagates and then by what it does, the payloads, and finish with some countermeasures. A virus is a piece of software that infects programs and copies itself to other programs. So given some programs, some software, a virus somehow infects that existing software and then copies itself to other instances of either that software or other software. A simple example: think of Microsoft Word as a program; there's an executable, word.exe. If a virus infects that program, we can think of it as infecting that executable file, and then that virus may copy itself to other programs. So if it has infected word.exe, then it may later copy itself to xl.exe and try to infect that. That's the general concept. A virus will go through different phases. We can think of it as initially dormant, doing nothing, idle, and then there may be some event that happens on the computer that activates that virus. The event may be that some time or date has been reached, or the user does something on that computer that activates that virus. For example, the user opens a file and that triggers the virus to execute and move into the next stage. The next stage is that it propagates: it copies itself from one program to another.
So this is the case if the virus has already infected word.exe: some event like opening a Word document triggers that virus to then find other executables that it can infect and copy itself to those other executables. The virus often also performs some function, some operation, so there may be some other event that triggers the virus. Again, it may be opening a file, it may be some time-date combination that triggers the virus to execute, where the function is performed. The execution depends upon the payload: it may be something harmless, it may display some message on the screen saying you've been infected by this virus, or it may be malicious, like deleting the files on your hard disk. We'll see an example later of encrypting your files on the hard disk and asking you for money to decrypt them. So there are many different functions that it can perform. Those are the general phases. There are some events that trigger it to propagate to other pieces of software and some events that trigger it to perform some function, whatever function it's programmed to do. So viruses in this simple form, we can think of them as infecting other programs, normal programs on your computer; think of executable files, although they don't have to be executable files. Then usually they want to spread, and they try to infect other programs on your computer, and often they'll perform some function depending on what they're trying to achieve. Because they infect executable files and they need to copy to other executables, they need to know something about how those executable files are structured and how they're going to be used. So they're usually specific to operating systems, because on one operating system the format for executable files is different than on other operating systems. The virus is programmed for a specific format of an executable file and is therefore usually specific to OSs or hardware platforms.
So a particular instruction set, a particular type of CPU, because it's specific to the executable files. Yes, okay, so the virus is usually programmed specific to some executable files. In detail it will depend upon how that existing program works. So yes, that may depend upon the version of the program, and especially the version of the operating system. When we say it's specific to operating systems, that may mean different versions of the same general operating system. Windows XP is a different operating system than Windows 8. Okay, they're both Windows, but if you look at the code of the operating system you can think of them as different OSs. So yes, it can be specific to an OS and it can be specific to particular versions of the programs that it's trying to infect. Because the virus will need to take advantage of some knowledge of how the program that it's infecting works, and that's usually specific to the OS, the particular OS version. But in some cases it may be general. The virus may work across multiple versions and even across multiple operating systems; it's possible, but it's just harder to do. Let's look at a virus. It's not a real virus, it's just the structure of a very, very simple virus, to try to give an idea of what it would do. It's just some pseudocode of a virus. Some program V, this is our virus V, and think of it as infecting an existing executable file, some program. So it's going to attach itself to an existing program. One way to visualize it is that, and I think the next slide does it, forget about the details here, we have some program like Word.exe; that's the program we're trying to infect. Think that the virus, when it infects it, attaches itself to the start of that program. So we have an executable, a 5 megabyte file, and if that's infected by this simple virus, think of the simple virus as having inserted itself at the start of that executable.
So if the virus was 100 kilobytes and our normal program was 5 megabytes, then the normal program becomes, what, 5.1 megabytes. Let me make that a bit clearer with an example. The concept we're trying to show with this virus, when we look at it, is that we have our normal program, the one we're going to infect; let's say that's the file. If it's infected, in simple terms, think of the virus as attaching itself to the start of that file. This is our virus code. So in fact Word.exe now contains all of the instructions of the virus plus the original Word.exe. When you now execute Word.exe, you double click on the file or you open Word by some means, then your computer executes the code in the virus first and then it executes the normal code for Word, that is, it opens up Microsoft Word and allows you to edit documents. So importantly, we think of the virus code as inserted at the head of the executable program, such that when you execute this program, it first executes the virus code. What is the virus code? That's what this pseudocode is showing. This is the code that's at the start of the normal program, the idea behind it. What have we got? Go to main. Okay, here's main; just think of a subroutine or a function. The main program of this virus is these steps: we infect an executable, an existing program. If some trigger is pulled, if some event occurs, then we do some damage, whatever damage we programmed the virus to do, like delete files or display some message. And then we go to next. So if the trigger is pulled after this check, we do damage; then we go to next, and next is here, and think of what comes after next as executing the normal program. So the code that comes after next is the normal code for Word.exe. The idea is that when someone starts Word, first the virus code is executed and then the normal Word code is executed, so Word opens and the user doesn't know any different, because they get Microsoft Word opening and they can edit their files.
So that's the first approach. When someone opens Word, this virus infects other executables; if there's some event that says the trigger is pulled, then it does some damage, and then it continues with the normal Word operation. The rest is really: what does infect-executable do, what is trigger-pulled and what is do-damage? The subroutines above it. Infect-executable: the concept here is that we perform some loop. We get some random executable file on the hard disk. So let's say we've infected Word.exe; go search the hard disk for other exe files. Okay, we find one, Excel.exe. If the first line of that file we just found contains this special string, 1 through to 7, then try again: go back to loop and find another random file. This is saying, if the file you just found is already infected, get another one. The idea is to infect other files which are not yet infected. So in fact we include a special string at the start of our virus that is an indicator that this file is already infected. That's the concept here: find some file, check if it's already infected, and if it is, then go back and find a different file. Keep doing that until you find a file that's not infected, that doesn't have this special string at the start. If we find a file that's not infected, then attach our code to the start of that file, prepend the virus to the file. So we find a file, Excel.exe, which is not infected. We take that and attach all this code to the front. It's just the concept here. So the virus, when it executes, looks for other files. Maybe there's another file on the system. It finds other files, and if it finds one which doesn't have this special string at the front, which it will not if it's not infected, then it attaches itself to that file it just found. Our virus now infects this other executable file. And then when someone starts Excel, the virus will execute and repeat, trying to infect other executable files.
There are many details that a real virus needs to check to do this, so it's not as simple as we show, but we're just showing the concept here. So, infect another executable; once you've done that, then if trigger pulled, what does that mean? Well, it's just a check that some conditions return true, and that's whatever the virus is programmed to check. For example, if the current date is greater than some value, or if some special file exists on the system, or doesn't exist. So perform some check, and if the check returns true, the trigger is pulled, meaning we want to perform some damage; then we call the subroutine do-damage, which does whatever it is programmed to do. That can be many things: delete all the MP3 files in a particular directory, or display a message on the screen, you've been infected, or send a message across the Internet to some command and control server to say that this computer has been infected. So the damage may be many different things. Once we've done that damage, then we go to next, which then moves on to the code of word.exe. Word opens, the user just uses Word, and they know no different. The user of the computer doesn't know that the virus has been executed, because from their perspective, they double clicked on word.exe, this code executed in a very short amount of time, and Word opened. So they don't know it's been infected. That's the basic concept of a very simple virus. Any questions on this concept? To get that virus to be successful requires a lot of detail. Now, trigger-pulled is just some condition; it could always return true. It's a condition that the virus programmer has set so that we only do damage under certain conditions. Now what are those conditions? Well, what does the virus programmer want to achieve? That is, we may not always want to do that damage. It may be, if we want to delete, we want to delete particular files on the user's hard drive; we want to delete all the MP3s.
So the virus infects the executables. When the user runs those executables, the virus deletes all the MP3 files. But it may want to delete those MP3 files only under certain conditions. If the computer has internet access and it's got a BitTorrent application installed, if that's the condition, then delete all the MP3 files. Or if the date is after some pre-programmed value, then perform the damage. So what are the conditions? It depends upon what the virus is trying to achieve. There can be many different types of conditions. If a particular file exists on the computer, then do some damage. What is the damage? Again, I think you can think of many examples of damage you can do on a computer, both harmless and harmful. We'll see some examples of what damage other real viruses and malicious software have done. All right. How do you prevent such a virus? A very simple approach. Let's say word.exe originally, the file, was one megabyte, and the virus code is 100 kilobytes. So when word.exe is infected, the file itself, word.exe, is now 1.1 megabytes. It's bigger than the original version of the word.exe file, because we've attached some extra code to it. So an easy way to detect if we've got a virus attached is to look at the file sizes and compare them against some original known file size. We know that word.exe should be one megabyte. If we see it's larger, then something's changed it. So we can look at what the expected pattern is, or the expected file size in this case, and check whether it's been changed. That's what simple antivirus software could do. One way around that: compress the virus. That is, the virus wants to hide itself so the antivirus software cannot find it. Well, in this case, a compression virus could compress itself, sorry, not compress itself, compress the program that it infects, such that the total size is the same as the original size. So this picture shows P is the program we're infecting.
The original size was, if we can see it here, this size. What the virus does when it infects is that it first compresses the word.exe file down to a smaller size, such that when we attach the virus code, the total size is the same as the original. So in this case, if word.exe was originally one megabyte, then the virus would compress it to be smaller. Compress word.exe to be slightly smaller, and then attach the virus to that. So here's our virus, and this is the compressed word.exe, such that the total size is the same as the original one megabyte. So a simple check of the file size doesn't help the antivirus now, because word.exe, after it's infected, is the same size as before. The concept here is for the virus to try to hide itself by not making things look different on the computer, so the antivirus software cannot find the virus. A very simple approach. The code itself for the compression virus is similar to before, but it also includes a step where, when we infect the file, we actually compress that file, compress it to a size such that when we attach the virus code we get the original size again. So that's a way for the virus to try to hide itself from antivirus software. Of course, you need to decompress the file when someone runs word.exe. So this is a very simple approach. Of course, current viruses are much more complex than this, but they use the same concepts. They use concepts to try to hide themselves from antivirus software. From the virus's perspective, it wants to infect the files, but at the same time it wants to stay hidden from software that's trying to detect it. Well, here's a case where it compresses, but it becomes much more complex than that, in that the antivirus can now look for patterns of code. And if the antivirus looks for patterns of code to try to detect the virus, then what does the virus do? It changes itself such that the antivirus cannot detect those patterns.
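Added example, not from the lecture or its slides: a small Python model of the file-size check and why the compression trick defeats it, while a hash of the file content and the lecture's "already infected" marker both still notice the change. The program, the 7-character marker and the 100-byte stub are all constructed in memory as byte strings; nothing touches real executables.

```python
import hashlib
import zlib

# Constructed stand-in for word.exe: a highly compressible byte string (3600 bytes).
ORIGINAL_PROGRAM = b"WORD-PROGRAM-CODE\x00" * 200

# Constructed marker playing the role of the "special string" the lecture's
# pseudocode puts at the start of an already-infected file.
MARKER = b"1234567"


def baseline(program: bytes) -> dict:
    """What a simple integrity checker records about the known-clean file."""
    return {"size": len(program), "sha256": hashlib.sha256(program).hexdigest()}


def size_check(program: bytes, base: dict) -> bool:
    """The lecture's first antivirus idea: the file is clean if its size is unchanged."""
    return len(program) == base["size"]


def hash_check(program: bytes, base: dict) -> bool:
    """Stronger check: the file is clean only if its content is byte-for-byte unchanged."""
    return hashlib.sha256(program).hexdigest() == base["sha256"]


def marker_check(program: bytes) -> bool:
    """Signature-style check: does the file start with the known infection marker?"""
    return program.startswith(MARKER)


def prepend_variant(program: bytes, stub: bytes) -> bytes:
    """Model of the simple case: marker and stub sit in front, so the file grows."""
    return MARKER + stub + program


def same_size_variant(program: bytes, stub: bytes) -> bytes:
    """Model of the compression case: the original is compressed and the result
    padded so the total length is exactly the original length."""
    packed = zlib.compress(program)
    head = MARKER + stub
    pad = len(program) - len(head) - len(packed)
    assert pad >= 0, "constructed example: the original must compress enough to fit"
    return head + packed + b"\x00" * pad


def recover_original(hidden: bytes, stub_len: int) -> bytes:
    """The decompression step the lecture mentions: skip the head, inflate the
    stream, and ignore the trailing padding (left in unused_data by zlib)."""
    inflater = zlib.decompressobj()
    return inflater.decompress(hidden[len(MARKER) + stub_len:])


def evaluate(program: bytes, base: dict) -> dict:
    """Run all three checks so the results can be compared side by side."""
    return {
        "size_ok": size_check(program, base),
        "hash_ok": hash_check(program, base),
        "marker_seen": marker_check(program),
    }


if __name__ == "__main__":
    base = baseline(ORIGINAL_PROGRAM)
    stub = b"V" * 100
    for name, sample in (("clean", ORIGINAL_PROGRAM),
                         ("prepended", prepend_variant(ORIGINAL_PROGRAM, stub)),
                         ("same-size", same_size_variant(ORIGINAL_PROGRAM, stub))):
        print(name, len(sample), evaluate(sample, base))
```

The same-size variant passes the size check but fails the hash check; the marker check only helps because this marker is known, which is exactly the gap the polymorphic techniques later in the lecture exploit.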
So that's the simple concept of a virus: infect other programs and then do damage, optionally do damage, when those programs are executed. There are many thousands, if not hundreds of thousands, of different viruses in existence, of many different types. Here's a simple classification of types of viruses by the target that they infect, what they're trying to infect. A boot sector virus tries to infect the code that is executed when your computer boots, when it starts up. So not part of the operating system, but when your computer initially boots up, it usually runs some code in a particular part of the hard disk, the boot sector, and then that code starts the operating system. So this is before the OS even runs. It's often called the master boot record or the boot record: the part of the hard disk that will then load the OS. If the virus can infect that boot record, then it can take control and stay hidden from everything that the OS does. So a virus that infects the boot sector can be very damaging and very hard to find, because it can then hide itself from everything that the OS tries to do to detect that virus. But of course it's hard to infect, because it's not dependent on the operating system, it's dependent upon the code that boots the computer. You usually need some way to infect the computer using physical access, for example by plugging in a USB disk which infects it. We'll look at some ways of distributing viruses later. The common one is file infectors. That's like the example we saw, where the virus attaches itself to other files, normally executable files. Then a macro virus. Most of the file infectors attach to executable files like Word.exe, things that the user normally executes, maybe even libraries which are used by executable files, like DLLs in Windows. But another form is a macro virus. Many systems allow the user to essentially create their own executable files in the form of macros, to perform some operations automatically for the user.
So think about Microsoft Word and similar programs. You can program macros to do things automatically in Word. Those macros are not their own executable files; they're usually attached to documents. They're not standalone programs. They are software that's attached to Word files, Excel files, and so on. So if a virus can infect such a file, a macro, then when someone opens that document, the Word document, and the program runs the macro, it's effectively executing the virus, and the virus can take effect then. That was a very common form of how viruses infected different computers. Or a virus that uses multiple techniques to try to affect different systems. Another way to classify viruses is by how they hide themselves, how they try to conceal themselves. The idea from a virus's perspective, once it infects something, is to try to stay undetected by antivirus software. How does it do that? Encrypt itself, because antivirus software looks for patterns of code in files. A virus may have some common code in it to perform some operation. So what antivirus does is look for patterns of code in files: it scans all your executable files, and if it finds that pattern of code, then it has detected a virus. How to hide that pattern? Encrypt yourself. So the virus encrypts itself such that when the antivirus scans, it will not find the pattern of code. Usually most of the virus code is encrypted, with some key, and when the virus needs to run, it decrypts itself and then runs. Similarly, it can find other ways to hide itself. A stealth virus explicitly creates its code such that it will be very hard for antivirus software to detect. So if you know the patterns that the antivirus software is looking for, create the virus such that it doesn't have those patterns. That's the concept: to avoid detection. A simple virus, when it infects another program, just copies itself to the other program. The same code is copied.
So when you infect word.exe and then you infect xl.exe, the same virus code is copied to xl.exe; it stays the same. A polymorphic virus tries to change itself: it changes the code whenever it infects other programs. It performs a mutation. Why? Well, because simple antivirus software is designed such that it looks, again, for patterns of code. If the antivirus software is programmed so that it knows about a particular virus, it knows the code of that virus, then it just scans the files looking for that pattern, and once it finds it, it's found the virus. But if the virus is changing itself all the time, then what does the antivirus software scan for? So the idea for the virus is to change itself when it infects other files. Then when the antivirus software scans for this pattern of code, it may find the first instance of the infection, but when the virus infected other programs, it changed its pattern, so the antivirus software will not find those. How do you change code such that it still operates the same? You can do simple things; often in code you can rearrange the ordering of the code. It will still do the same thing, but you can change the ordering of the instructions. What's an example? Let's say the virus code itself does some operations; it has some calculations. So one option is that the virus code sets some variables. X is set to X plus one, we increment some counter. That's a line of code in the virus, and then the next line sets some other variable. So there are some variables in the code to make the virus work; let's say there are two variables, X and Y, and the code sets them to these values. If the antivirus software knows about this virus, it will go and look for patterns of code, and the pattern will include these two instructions. Well, now the virus, when it wants to infect another file, doesn't just copy the code as is to the other file; it changes the code.
A simple change is this: so this is just a portion of the code, there are other commands. When it infects another file, a simple example is to just change the ordering of these. The virus will still do exactly the same thing, but the code will be different. That makes it harder for antivirus software to look for the patterns of code, because now the antivirus software, to detect the virus here, needs to look for different combinations of the ordering of the code. Right here there are just two combinations, but if we have many lines of code, we can have many different combinations of how that code is structured. So the virus still does the same thing, but the code is ordered differently. Another thing is you can insert operations that do nothing. Another variation: most systems have a NOOP operation, which, if you think of assembly language, is an operation that does nothing. And then Y equals Y plus two. So this is the third variant of that same virus. Very simple. When the virus copies itself, it inserts some operations that don't change the behavior of the virus. The virus still does the same thing, but the code is different. So that's a polymorphic virus. It makes it harder for antivirus to look for the patterns of code, because now it needs to look for many combinations of the pattern of the code. The next step up is a metamorphic virus. It tries to change itself, the same as a polymorphic virus, but it also changes its behavior. So a polymorphic virus changes its appearance, the way it looks, but not what it does. A metamorphic virus does more than that: it also changes its behavior, so it does something different from the original version. That makes it even harder for antivirus to detect, because if the virus is doing different things, then, again, if we look at patterns it's harder, and if we look at the operations of the virus, it becomes harder from the antivirus' perspective.
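Added example, not from the lecture: the scanner's side of the polymorphism story in Python. It takes the lecture's two-line fragment (X = X + 1, Y = Y + 2) as a signature, shows that exact matching misses the reordered and NOOP-padded variants, and then normalises code (drop NOOPs, put mutually independent assignments into a fixed order) so the same signature matches all three; a variant whose arithmetic changed, as a metamorphic virus would, is still not matched. The statement syntax and the surrounding CALL/GOTO lines are assumptions standing in for the slide's pseudocode.

```python
import re

# The two instructions the lecture's simple antivirus would key on.
SIGNATURE = ("X = X + 1", "Y = Y + 2")

ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")
IDENT = re.compile(r"[A-Za-z_]\w*")
NOP_WORDS = {"NOOP", "NOP"}


def naive_match(code, sig=SIGNATURE):
    """Exact contiguous match of the signature, as the simple scanner does."""
    n = len(sig)
    return any(tuple(code[i:i + n]) == tuple(sig) for i in range(len(code) - n + 1))


def deps(stmt):
    """(variable written, variables read) for an assignment; a non-assignment
    such as CALL or GOTO is treated as a barrier that nothing may move across."""
    m = ASSIGN.match(stmt)
    if not m:
        return None, None
    return m.group(1), set(IDENT.findall(m.group(2)))


def independent(a, b):
    """True if swapping a and b cannot change the result."""
    wa, ra = deps(a)
    wb, rb = deps(b)
    if wa is None or wb is None:
        return False
    return wa != wb and wa not in rb and wb not in ra


def normalise(code):
    """Strip do-nothing statements, then sort each run of mutually independent
    assignments into a canonical order. Dependent statements keep their order."""
    stmts = [s.strip() for s in code if s.strip().upper() not in NOP_WORDS]
    out, i = [], 0
    while i < len(stmts):
        block, i = [stmts[i]], i + 1
        while i < len(stmts) and all(independent(s, stmts[i]) for s in block):
            block.append(stmts[i])
            i += 1
        out.extend(sorted(block))
    return tuple(out)


def normalised_match(code, sig=SIGNATURE):
    """Signature match on the canonical form of both the code and the signature."""
    return naive_match(normalise(code), normalise(sig))


# Constructed variants of the lecture's fragment, wrapped in the pseudocode's
# surrounding steps. All three of the first group behave identically.
ORIGINAL = ["CALL infect_executable", "X = X + 1", "Y = Y + 2", "GOTO next"]
REORDERED = ["CALL infect_executable", "Y = Y + 2", "X = X + 1", "GOTO next"]
PADDED = ["CALL infect_executable", "X = X + 1", "NOOP", "Y = Y + 2", "GOTO next"]
# Metamorphic-style variant: the operation itself changed, not just its look.
CHANGED = ["CALL infect_executable", "X = X + 1", "Y = Y + 3", "GOTO next"]
# Different program whose statements depend on each other: must not be equated.
DEPENDENT = ["Y = X + 2", "X = X + 1"]

if __name__ == "__main__":
    for name, code in (("original", ORIGINAL), ("reordered", REORDERED),
                       ("padded", PADDED), ("changed", CHANGED)):
        print(f"{name:10} naive={naive_match(code)!s:5} normalised={normalised_match(code)}")
```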
Continuing with our simple example, a metamorphic virus may change, when it copies itself to the new program, so that it does something different. The significance of these operations is not important, but the code changes its behavior. Now it's a different piece of software, not just in appearance but in operation. Of course, that's hard from a virus perspective, because while changing the behavior, it still needs to do what it's trying to do: infect and perform some damage. So it's harder to program such viruses, but if you can, it's harder to detect them. There are essentially development environments and libraries that virus writers can use to support such changes. That is, the virus writer programs their code and then there are libraries that it can use to change the appearance and change the behavior of that code. So viruses may infect different targets, different victims, and try to change themselves in different ways so that they stay hidden from the user, and in particular from antivirus software. The same file? Okay, so yeah, another way to change or to hide is to make the virus look like it's useful on the computer system, make it look like it's performing some normal operation. But currently, when we're looking at viruses, they are infecting existing files, okay? So they're infecting a file that is already useful on the system. Now, if you infect particular types of files, then it may be harder for the antivirus software to detect. Yes, infecting some user application versus infecting operating system files, it may be harder for the antivirus to detect. So yes, the particular file that it tries to infect may be a way of hiding itself. System files, for example, may be better than infecting Word and other applications, user files. Let's have a look at an example. Actually, we'll come back to that; we'll look at a different type of malicious software and then look at an example of a virus.
Worms. There are some similarities between a virus and a worm. A virus infects a program and copies itself to other programs. What does a worm do? A worm is a program, usually a standalone program, that seeks out other computers to infect. So a virus may run on an individual computer; it may not necessarily try to infect other computers. It's infecting other pieces of software, whereas a worm is typically looking to infect other computers. But they use similar techniques, and sometimes we cannot distinguish between them; we'll see an example. So a worm is some program that tries to infect other computers, other machines. To infect other computers, you usually need some network access, and you need to get network access to another computer to be able to copy files. So the worm, maybe it's infected my computer, and it wants to infect your computer. To do so, it needs to be able to contact your computer across the network and somehow copy a file, the infected file, from my computer to yours. To do so, it usually takes advantage of some bugs in network software: in client software like browsers, or in server software like web servers, secure shell or login servers. The idea is that once one computer is infected, that worm will look for bugs present in other computers so it can gain the ability to copy itself to that other computer, therefore infecting that other computer. Similar to the virus, the worm, when it runs on your computer, can do damage. But then it copies itself to other computers to try to do damage on those computers as well. So it requires some network connection to spread. Although there are other ways to spread: you don't have to spread just via the network, via the internet; you can spread via manual means, shared media. Okay, so the worm has infected my computer, I plug in my USB to copy some files, the worm automatically copies itself to my USB, I give you my USB to share some files, and the worm then copies itself to your computer.
So the spreading of the worm may not just be via the internet; it may be via shared media. Another way to spread is to attach to emails. So again using the network, but specifically using email, because many people share emails. Again, like a virus, the worm may be activated by some event, some trigger, and that may trigger it to replicate, to copy itself to other computers via different means, and it usually carries some payload that may do some damage. The payload is the thing that performs the function of the worm, like deleting all the files on your computer. So there are similarities with the virus; the main difference is that a virus copies itself to other software, a worm copies itself to other computers. How does a worm copy itself to other computers? How does it replicate? Email is one common form, or instant messaging. When people send emails to other computers, the worm attaches itself to the email, and therefore can potentially infect: if that worm is attached to the email as, say, an attached program, and someone opens that email and then opens the program, runs the program, then they infect their own computer. It may not just be programs; it may be an attached document, if we use a macro. Again, macros are usually attached to documents, and can be executed. File sharing: when people share files, if one of those files is the worm, then it can infect other computers. The worm itself may have the ability to copy itself via a network. So if the worm has infected my computer and the worm can log into your computer, via maybe some vulnerability in your computer, you haven't set up the security on your computer so that someone can log in, then it can copy itself to other computers. All right, that was remote login. Remote execution is similar, where, what have we got, it executes a copy of itself on another system. So there are different ways of copying itself remotely; there are remote procedure calls.
For example, programs can have remote procedure calls, where you can call a procedure or a program on a different system. So usually, to replicate, the worm uses network access, and it needs to get network access to some other computer. Remember the worm is usually software running on its own; there's no user controlling and using that software. It needs to automatically be able to find other computers, copy itself to other computers, and then infect them. To do so, usually you need some bugs in those other computers, because normally a computer should be set up such that no one can copy files to your computer remotely. But if there are bugs in the software you're running, then maybe they can. Let's have a look at two or three examples of both viruses and worms. In fact, the first one we'll see is considered both. You don't need to write this down; it's just some examples of different things. This was called the Melissa virus; in fact it was also considered a worm. In 1999, this was released by some guy, and the approach was that they posted some message to some newsgroup, so think of some forum. They posted a message and it contained a Word document as an attachment. That Word document contained some macro code, so some things to do something automatically, and that macro code contained the virus. We'll look at the virus in a moment. So someone downloaded the Word document. They opened it in Word, which automatically executed the macro code, which executed the virus. The virus then went to work and copied itself to other Word files. As those Word files were distributed between computers, say people sent them as email attachments, other people executed it. It turned out it caused about a billion US dollars of damage, mainly because it infected many systems and therefore people had to shut down their computer systems to remove the virus. That cost a lot of downtime, that is, users not working, and cost a lot of money.
The guy was arrested and spent two years in prison. I think maybe we said this at the start of the course, but I hope it's obvious: we're talking about viruses, but you cannot, of course, do damage with them. We need to understand how they work so that we can detect them; not to program them, but to understand how to detect them. There are serious consequences of running viruses. Let's have a look at the Melissa virus. This is an old one, and you don't need to understand all the details, but it was a Visual Basic script, a macro for Word. You may have seen them for different Office documents; you can have some code using Visual Basic. And it's only a couple of hundred lines, so it's not very complex. This is the code. I don't understand all of it, but we'll just highlight some important things, what it does. If you know, and remember this is 10 or 15 years ago, in Word there are some security features about whether you automatically execute macros when you open a Word document that contains macros. So someone sends you a Word document and you open it up in Word. If it includes macros, should Word run them? Or does it give you a prompt saying this document has macros, do you trust it, do you want to run it? The first step was to try and disable that feature, to set this security feature to false, such that when the user opens the document it automatically runs the macro code. So that was the first step, which is what this code is doing: to try and set one of the security controls in Word such that it's turned off. And it does that by setting some registry entry; I will not go into the details, but it's a registry entry in Windows that disables that feature. So it tries to make it easier to infect in the future. And this one used email to distribute: the virus infected Word documents, it was macro code attached to Word documents, but then it distributed itself by sending that Word document as an attachment in an email to other people.
So of course, for this to work, you must have Word installed, and you must open the document in Microsoft Word. And it also required the user to have Microsoft Outlook, the email client, installed, because what it did was open the Outlook software and automatically send emails. And the next piece of code does that: essentially open up Microsoft Outlook, not open it graphically, but access it via some API. So if you have Outlook, then this code goes through the address book. Microsoft Outlook, the email client, has a list of addresses, your contacts; if it's running on your computer, the virus goes through that address book and finds the first 50 entries. So there's some loop here that goes around 50 times, saying find the first 50 people in your contacts, in your address book. And for each of them, create an email where the subject is "Important message from" the username, the username of this computer. Steve, for example, if it's my computer. So the email subject is "Important message from Steve". The email body: "Here is that document you asked for. Don't show anyone else," I think it says. And then it attaches this Word document to that email: Attachments, Add, the active document, the current document. So the Word document that was already infected is attached to an email and sent to 50 people in your contact list. And those 50 people receive an email; if some of them open it, then it infects their computers and does the same on their computers, goes through their Outlook email list and sends to 50 other people. And you can imagine that even if only five of those 50 open the email, the others were smart enough not to open it, but if five of them do, then it spreads quite quickly. I send to 50, five open, those five send to another 50 each, and five open.
So I've sent to five, they send to another five each, 25; it happens again, 125; and after a few more rounds you've got a million people who have been infected. What else does it do? Once it infects a document, so if you've opened the Word document, it tries to infect the template in Word. Note that when you open Word, usually it opens up a document using the standard template, the standard format, which is actually a file itself. So what it tries to do is attach this code to the template. What that means is that the next time you open Word with another document which is not infected, that template, which contains the virus, is attached to the document that you create next time. So the next document you create or open is also infected. So it continues to infect files on your computer by attaching to the template. What else does it do? These are just some checks: only try to infect if it's not already infected. So some check: if the code doesn't contain the word Melissa, infect it; if it does, don't infect. What else? So that's the code for attaching, I think, to the template. And that's it. Ah, one last thing, down the bottom. It checks the current time: if the day is the same as the minute, so today is the 26th, is it? The 26th of December, the day is the 26th. If the minute is 26, in 22 minutes, at 10:26, the day is the same as the minute, then it displays some message on the screen, or in some error console, whatever the virus writer wanted to display. So this is a case of something happening at a particular event. So that's an example; it's only 110 lines. And this caused, say, a billion dollars of damage in the world. So it's not great code. At that time it was very easy to implement, but it had very severe consequences. You can find that code on many websites. There are others, okay? These slides show a few. We will not go through any others in detail.
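The lecture's point is that we study this code to detect it, not to write it. As an added example (not code from the lecture or from any product), here is the kind of static triage a mail gateway or sandbox can apply to extracted macro source: a small rule set, one rule per behaviour the lecture walked through (auto-run on open, the Word security setting being turned off, Outlook automation, walking the address book, attaching the active document, writing into the template, the "Melissa" marker check, the day-equals-minute trigger), summed into a score. The VBA text below is a constructed sample that only exhibits those indicator lines; it is not the Melissa source and does not function as a macro. Rule names, weights and thresholds are assumptions chosen for illustration.

```python
"""Static indicator scan over Office macro source (added example, not from the lecture)."""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str   # regex, matched case-insensitively against the macro text
    weight: int    # assumed weight; tune to your own false-positive tolerance
    why: str


# One rule per behaviour described in the lecture. Weights are illustrative.
RULES: List[Rule] = [
    Rule("autoexec", r"\bSub\s+(Document_Open|AutoOpen|Document_Close|AutoClose)\b", 2,
         "runs automatically when the document is opened or closed"),
    Rule("security_downgrade", r"Options\.VirusProtection|\\Word\\Security", 4,
         "turns off Word's macro-security prompt (option or registry key)"),
    Rule("outlook_automation", r'CreateObject\(\s*"Outlook\.Application"\s*\)', 4,
         "drives the Outlook mail client through its automation API"),
    Rule("address_book_walk", r"\bAddressLists\b|\bAddressEntries\b", 3,
         "enumerates the user's contacts"),
    Rule("self_attach", r"Attachments\.Add\s+ActiveDocument", 4,
         "attaches the open (infected) document to a mail"),
    Rule("template_infect", r"\bNormalTemplate\b", 3,
         "writes into the default template so later documents carry the code"),
    Rule("marker_check", r'InStr\(.*"Melissa"', 2,
         "looks for an infection marker before re-infecting"),
    Rule("date_trigger", r"\bDay\(Now\)\s*=\s*Minute\(Now\)", 1,
         "time-based trigger condition"),
]


def scan(macro_text: str) -> dict:
    """Return the matched rule names, the summed weight and a verdict."""
    hits = [r for r in RULES if re.search(r.pattern, macro_text, re.IGNORECASE)]
    score = sum(r.weight for r in hits)
    verdict = "malicious" if score >= 8 else "suspicious" if score >= 3 else "clean"
    return {"score": score, "hits": [r.name for r in hits], "verdict": verdict}


# Constructed sample: indicator lines only, deliberately not a working macro.
SAMPLE_MACRO = r'''
Private Sub Document_Open()
    On Error Resume Next
    ' turn off the macro-security prompt via the Word registry key
    System.PrivateProfileString("", _
        "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
    Set app = CreateObject("Outlook.Application")
    Set book = app.GetNameSpace("MAPI").AddressLists(1)
    For i = 1 To 50
        Set msg = app.CreateItem(0)
        msg.Subject = "Important Message From " & Application.UserName
        msg.Attachments.Add ActiveDocument.FullName
        ' (recipient lookup and sending omitted in this constructed sample)
    Next i
    If InStr(1, NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(1, 1), "Melissa") = 0 Then
        ' copy this module into the template (omitted)
    End If
    If Day(Now) = Minute(Now) Then Selection.TypeText "message"
End Sub
'''

# Constructed benign macro: a formatting helper that touches none of the indicators.
BENIGN_MACRO = r'''
Sub FormatHeadings()
    Dim p As Paragraph
    For Each p In ActiveDocument.Paragraphs
        If p.Style = "Heading 1" Then p.Range.Font.Bold = True
    Next p
End Sub
'''

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        result = scan(text)
        print(label, result["verdict"], result["score"], result["hits"])
```

The scoring is deliberately behavioural rather than a byte signature: any of the eight behaviours on its own (Outlook automation, say) is legitimate in some office add-in, but a document-open macro that disables the security prompt, walks the address book and attaches itself is not, which is why the verdict is driven by the combination. Real macro extraction from .doc/.docm files needs an OLE/OOXML parser in front of this scan; that part is not shown.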
Code Red was a particular worm that spread via web servers; the previous one was spreading by email. So the Microsoft web server, Internet Information Server, IIS. So what happened? The code was sent to a particular web server. Normally browsers send requests to web servers, GET requests, and the web server gets the document and sends it back. But in fact you can send commands, or, like when you have forms, you can send data to web servers. So this worm sent data to web servers. And in particular, some of the Microsoft web servers of a particular version had a bug such that if the request was structured in a particular way, the web server would load the information in the request into memory and execute it. So that's a problem. Normally a web server would not execute code it receives, but there was a bug such that it would execute the code in a request. So the malicious user created a request that took advantage of this bug in the web server, and the request contained the malicious code, and it was loaded into the web server and executed. And it was stored in memory, because normally web servers run continuously. So it was stored in RAM and it did different operations. If you rebooted the web server, it would disappear. But most web servers run continuously for days and for months, so it was always there. What did it do? It went through different states. Once it had infected the web server and the code was running, it would send requests to random IP addresses with the intention of infecting them. So once you've infected one web server, for 19 days of the month it would choose random IP addresses and send requests to them, hoping to infect web servers at those random addresses. If you send to enough, you should get a few that you can infect. So it infects others to spread. Then for eight days of the month, it did a denial of service attack on a particular website. So it sent many requests to that website.
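The request the lecture describes, one "structured correctly" so that the server loads and executes what is inside it, leaves a distinctive trace in the web server's own log, and that is where a defender would look first. As an added example (not from the lecture or any vendor tool), here is a scanner over IIS-style W3C log lines that flags the shape of such a request using generic heuristics: a request to an ISAPI extension handler (Code Red hit the .ida indexing handler, a fact not stated on the slides), a query string far longer than any form submission, a long run of one repeated character (buffer padding), and IIS-specific %u-encoded bytes (a way of smuggling raw shellcode bytes through a URL). The log lines are constructed; the suspicious one only mimics the shape of the worm's request and carries no working payload. Thresholds and field layout are assumptions.

```python
"""Flag exploit-shaped requests in IIS W3C logs (added example, not from the lecture)."""
import re
from dataclasses import dataclass
from typing import List, Optional

MAX_QUERY_LEN = 256          # assumed: longer than any ordinary form submission
MIN_FILLER_RUN = 64          # assumed: a run of one byte this long is padding, not data
ISAPI_EXTENSIONS = (".ida", ".idq")   # IIS Index Server ISAPI handlers


@dataclass
class Finding:
    client: str
    target: str
    reasons: List[str]


def parse_iis_line(line: str) -> Optional[dict]:
    """Parse the assumed field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    if line.startswith("#"):            # W3C directive lines, e.g. #Fields:
        return None
    parts = line.split()
    if len(parts) != 7:
        return None
    _date, _time, client, method, stem, query, status = parts
    return {"client": client, "method": method, "stem": stem,
            "query": "" if query == "-" else query, "status": status}


def suspicious_reasons(req: dict) -> List[str]:
    """Return the heuristics a request trips; an empty list means it looks ordinary."""
    reasons = []
    stem = req["stem"].lower()
    query = req["query"]
    if stem.endswith(ISAPI_EXTENSIONS):
        reasons.append("request to an ISAPI extension handler (%s)" % stem)
    if len(query) > MAX_QUERY_LEN:
        reasons.append("oversized query string (%d bytes)" % len(query))
    if re.search(r"%u[0-9a-f]{4}", query, re.IGNORECASE):
        reasons.append("%u-encoded bytes in query (shellcode smuggled as unicode)")
    if re.search(r"(.)\1{%d,}" % (MIN_FILLER_RUN - 1), query):
        reasons.append("long run of a single character (buffer filler)")
    return reasons


def scan_log(lines: List[str]) -> List[Finding]:
    """Run the heuristics over every parseable line and collect the hits."""
    findings = []
    for line in lines:
        req = parse_iis_line(line)
        if req is None:
            continue
        reasons = suspicious_reasons(req)
        if reasons:
            findings.append(Finding(req["client"], req["stem"], reasons))
    return findings


# Constructed log excerpt. Line 4 mimics the shape of the worm's request only:
# a filler run, then %u-encoded bytes; it is not a working payload.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 10:14:03 198.51.100.20 GET /index.html - 200",
    "2001-07-19 10:14:10 198.51.100.21 GET /search.asp q=annual%20report&page=2 200",
    "2001-07-19 10:15:22 203.0.113.7 GET /default.ida "
    + "N" * 300 + "%u9090%u6858%ucbd3%u7801" * 2 + "=a 200",
    "2001-07-19 10:15:40 198.51.100.22 POST /login.asp user=steve&next=%2Fhome 302",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f.client, f.target)
        for r in f.reasons:
            print("   -", r)
```

Note what this does and does not give you: it catches the request after the fact, in the server's own log, so it is a detection control; the preventive control the lecture goes on to describe is patching the handler so the request no longer executes anything. The same four heuristics transfer to an IDS rule or a reverse-proxy filter, and the filler-run and %u checks will also fire on other overflow attempts against the same generation of servers.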
All of these infected servers were sending requests to this one website with the hope of overloading that website. And then it did nothing for a few days and then repeated. It was estimated that it infected 200,000 web servers in just the first five hours of operation. So it spread very quickly; in just five hours it infected many computers on the internet. Not home computers, but web servers, usually. And it used up many resources, so it's effectively a denial of service attack: it denies users access to the web servers. In another topic, we'll look at denial of service attacks in detail. And there are variations of that. So that was another example of a worm. The I Love You worm was another one, more damaging in terms of cost. The last one I don't have here. We'll mention two recent ones, and I will not go into detail. Stuxnet was a more recent worm. I have a document in which people have analyzed Stuxnet and we'll just highlight some features of that. So this is from 2011, just a report on the Stuxnet worm. What it did was use different ways to spread. Remember a worm is malicious software that spreads to other computers. And this one used network connections to spread, so it tries to copy itself across a LAN. If it's infected my computer, it tries to copy to other computers. But it also infected by USB and other shared media. So if I plugged a USB drive into my computer, it copied to the USB drive, and then when someone transferred the USB drive to another computer and plugged it in, it copied from the USB drive to their computer to infect it. And then it did some damage. And the damage it did was targeting specific hardware, and the thought is it was targeting nuclear facilities and other facilities in Iran to shut those facilities down. So it was a very complex attack, and I'll just try and highlight some characteristics of it. Just as an example, you may not be able to read this, but it replicated via removable drives, that is, USB drives or hard disks.
So that was one form of replication. Now, often nowadays operating systems... all right, we'll come back to that one. It replicated via LAN. So if it was on one computer, it tried to copy to other computers, and it took advantage of bugs in the Windows printing service. So every Windows operating system has a print server, so you can print to printers across the network. There was a bug in this print server that allowed computers to copy the file to other computers. So it took advantage of bugs in some of the software; some of the network capabilities of Windows had other bugs that allowed it to copy. So, different means of replicating itself. What else can we highlight? It took advantage of four unpatched Microsoft vulnerabilities, or bugs. So if the computers were running Windows and they weren't up to date, that is, they hadn't had the most recent updates, and there were bugs in that software, then it had a chance to copy itself. So an important point there is that one way to stop the spread of worms and viruses is to have up-to-date software. Not just up-to-date operating systems but up-to-date applications, because there are always bugs in software and therefore most malicious software tries to take advantage of those bugs. So to stop them, update your software so that those bugs no longer exist. What did it do? So once it had infected many computers, it contacted a command and control server. Once it infected a computer, it contacted some server on the internet and tried to download an updated version of the malicious software. So it's infected my computer, but maybe there's a new version of the virus or the worm. So it contacts a server and downloads the new version, so it updates itself. So it can continually change and improve. And then what did it do? Maybe the last point. The idea was that the computers it infected, the targets, were attached to hardware that controls industrial systems, factories and so on.
And in particular in a nuclear power plant there are centrifuges, and there is what's called a PLC, a Programmable Logic Controller, the hardware that controls different industrial systems and makes equipment work. So the computer was attached to that. This worm then infected that controller, the PLC, with the aim of making that controller operate the industrial system outside of its normal behaviour. And what people think is that the aim was to make, say, the centrifuges, think of them as spinning, spin too fast so that they would fail, so that the factory or the nuclear power plant would shut down and not work. So it had a very specific aim of shutting down particular hardware; it attacked or targeted specific hardware, Siemens logic controllers. It's thought that it was one of the most complex worms seen and probably created by some government or some country. So there are many details of it. This document goes through 50 or 60 pages explaining them. We'll not go through them, just some highlights. So the timeline, from 2008 through to 2010. Maybe more interesting: who did it infect? Symantec is an antivirus software company that tries to keep track of the infections across different software and different computers. And it turned out that most of the infected computers were in Iran, IR here. It infected very few computers in other countries. So the thought is that it was targeting a particular country, and in particular factories or machinery in that particular country. So it was a very advanced worm. And the difference from some of the examples we saw is that it deliberately spread slowly to avoid detection. The Melissa virus, Code Red and other worms spread quite quickly: 200,000 servers in five hours. Quickly noticed. It did a lot of damage, but people noticed that within a day or within a few hours and then found ways to stop it. Whereas with Stuxnet, it spread slowly.
It infected two or three computers and then deleted itself, with the aim that no one would be able to detect it. And it was thought that it was in the wild, infecting computers, for one or two years before it was even detected. So it was doing damage before people detected it. I think you can browse through that document. You'll see in the first few pages it talks about who it infected, and then it goes through the details of how it went about infecting and how long it took to infect. So I'll let you browse through that, only if you're interested. What else can we do? We have viruses. We have worms. What's social engineering? Tricking users into allowing the malicious user to compromise their system: using techniques to make a user think that you can access their system, or that you should be able to access their system. And there are two main ways. Spam is common. What is spam? Well, unsolicited email. You receive emails you didn't ask for, from someone you don't know, and many emails, bulk email. And often those emails contain either attachments with malicious software or links to websites with malicious software. The idea is that the email contains some message that you think is relevant to you, and you follow the instructions in that email. For example, it says, please click on this link to reset your password for the SIT login system. So you click on the link because you're a student in SIT, you click on the link to change your password, and the actual website that allows you to change the password collects your password. It's not the real SIT website; it's the malicious user's website. You enter your username and password, and now the malicious user knows your username and password. So this is using social engineering because the user is tricked into thinking that this was an email from the SIT computer centre, but it was from some malicious user. That's an example of a phishing attack.
Trojan horses are software, useful software, normal software, that also performs harmful functions. So there's some software that does something you need it to do. It converts Word documents to PDF. You need to convert a Word document to PDF, so you download the software and convert it, but the software also contains some harmful functionality. In the background it's also collecting information about your computer, about you, or doing something malicious. So that's an example of a Trojan horse. You're tricked into using that harmful software because you think it's useful software. In fact it is useful software, but it's also harmful software. What have we got left? We'll come back to the others next week. Phishing, so, an example of social engineering. Like the example I gave, you trick someone into accessing some site. So you send someone spam email, unsolicited email, and it contains a URL and a message such that the reader of the email thinks it was meant for them, and they are tricked into doing something that they shouldn't do. So the example is a login page. You receive an email. It looks like it's from your bank. It contains a URL saying, please update your password, you haven't refreshed it for the last six months, so go to this URL and change your password. The URL is in fact pointing to some malicious web server, not the real bank web server, and you enter your username and password, and now that malicious user knows your username and password for your bank. I think you may have seen, you've probably seen, such emails; this is called phishing. Spear phishing is a specific instance where it's an attack on a particular recipient. So maybe someone knows me. Say it's a student doing spear phishing on me. They know something about me, so they tailor the email to be specific to me. They say, Dear Dr. Steve, your account for the SIT login needs updating, from the computer centre.
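The phishing mechanism in both examples above (the SIT password reset and the bank one) is the same: the message looks like it comes from the institution, but the link inside it goes somewhere else. That mismatch is checkable by software before the user ever clicks. As an added example (not from the lecture or any mail product), here is a checker that pulls every link out of an HTML mail body and reports, per link, whether the link's host is under the institution's real domain, whether the visible link text shows a different host from where the link actually goes, whether the host is a bare IP address, and whether the host merely contains the institution's name as a lookalike. The sample mail and the "legitimate" domain sit.example.edu are constructed for illustration; the institution's real domain is whatever your mail gateway is configured with.

```python
"""Check the links in an HTML mail body against the sender's real domain
(added example, not from the lecture)."""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text: str) -> str:
    """Lower-cased host part of a URL; bare 'www.x.y/path' text is accepted too."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def same_org(host: str, legit_domain: str) -> bool:
    """True only for the domain itself or a real subdomain of it."""
    return host == legit_domain or host.endswith("." + legit_domain)


def check_links(html_body: str, legit_domain: str) -> List[dict]:
    """Return one finding per link that trips at least one check."""
    extractor = LinkExtractor()
    extractor.feed(html_body)
    brand = legit_domain.split(".")[0]          # e.g. "sit" from "sit.example.edu"
    findings = []
    for href, text in extractor.links:
        host = host_of(href)
        reasons = []
        if not same_org(host, legit_domain):
            reasons.append("link host %r is not under %s" % (host, legit_domain))
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("link host is a bare IP address")
        # If the visible text itself looks like a URL or hostname, it must agree with href.
        shown = host_of(text) if ("." in text and " " not in text) else ""
        if shown and shown != host:
            reasons.append("visible text shows %r but link goes to %r" % (shown, host))
        if brand in host and not same_org(host, legit_domain):
            reasons.append("lookalike: host contains %r but is not the real domain" % brand)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Assumed legitimate domain and a constructed phishing-style mail body.
LEGIT_DOMAIN = "sit.example.edu"
SAMPLE_MAIL = """
<p>Dear student,</p>
<p>Your SIT password has not been refreshed for six months. Please
<a href="https://login.sit.example.edu/reset">reset your password</a>
or use this direct link:
<a href="http://sit.example.edu.password-reset.example.net/reset">https://login.sit.example.edu/reset</a>.
Questions? Contact the
<a href="http://192.0.2.44/login">Computer Centre</a>.</p>
"""

if __name__ == "__main__":
    for f in check_links(SAMPLE_MAIL, LEGIT_DOMAIN):
        print(f["href"])
        for r in f["reasons"]:
            print("   -", r)
```

The second link is the textbook case from the lecture: the text the reader sees is the real login URL, but the href goes to a host that only begins with sit.example.edu and is actually under example.net, so same_org rejects it. The first link passes all four checks, which is the intended behaviour: the goal is to surface mismatches, not to distrust every link that mentions the institution.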
So they can target the message particularly at me to make it easier to fool me into visiting a particular site and doing something wrong. We'll go through a few of the other slides on Thursday next week. It won't take long, 20 minutes or so. We'll look at some other malicious software and then we'll try and review some of the material and talk about what's in the midterm exam. So we'll have a lecture on Thursday next week. We'll finish this, it won't take long, and then talk about the midterm exam. Questions about any of the things we've done?