We've introduced some different types of malicious software, or, for short, malware. We talked about the concept of a virus and gave a couple of examples. We said there's another malicious software called a worm, and the difference is how they propagate. Okay, so malware sometimes can be classified by how it moves between computers, how it propagates. A virus attaches itself to a file, usually another program, and when that program is executed it executes the virus as well, which then tries to propagate by attaching to other files. Now that's generally possible to do on the same computer, but to get to other computers maybe it will look for network connections. Or, a common type of virus, email-type viruses: it's sent by email, so the executable is sent via an email. Whereas a worm usually is its own program, not attaching to normal files, but its own program that executes and then looks for network connections to copy itself to other computers. So those were some of the propagation techniques.

What was another propagation technique? To trick someone into running some software. Social engineering is the concept of not automatically getting the program to copy itself, but tricking someone into executing that malicious software: calling them up on the phone and saying, "I'm an important person from the computer center, do this, visit this website, or run this program that I sent by email." Okay, but many other ways as well. So that's about propagation techniques, and then about, well, what does malicious software do?
The payload is what it carries with it and performs, the different things that malicious software can do. Different types of payload: the software could perform some corruption of the system, of the computer system that it executes on, including data destruction. So we gave, I think you gave, some ideas: that we can delete files, overwrite data, not just delete the file but replace the one-megabyte file with one megabyte of random data; encrypt data and then demand payment, so-called ransomware, where the data is encrypted, like your images, your documents are encrypted. And what the attacker can do in this case is encrypt using a public key, so the key can be known and stored with the system, encrypted with a public key such that the files can only be decrypted with the corresponding private key. Remember from the cryptography course, the cryptography topic, public key cryptography: we have two keys in a key pair; you encrypt with one and then you can only decrypt with the other key in the key pair. That's different from symmetric key cryptography, where we have just one key. So it's common with ransomware that the files are encrypted on your computer using a public key, so everyone can see the public key.
It doesn't matter if it's on your computer; you can see it, but you cannot decrypt it because you need the corresponding private key. So the attacker stores the private key on their computer, on some server that only they have access to. So the idea is they'll say, if you want your files back, pay me some money and I'll send you the private key, then you can decrypt it. So that's an example of ransomware.

Of course, they can also do real damage, so physical damage on computers, on systems, and one example is the Stuxnet worm, which we mentioned briefly; you can read about it online. But the idea was of a virus or a worm, specifically, that was installed on computers, eventually installed on computers that controlled machinery, in this case in a nuclear facility, such that it made that machinery operate outside of its normal operating conditions. Maybe you make something spin so fast such that if it keeps doing that it will break down. So this was causing real physical damage through malicious software.

A logic bomb is something that executes when certain conditions are met, and we saw some examples of that when we looked at the Melissa virus: there was some code that, if the date and the time match, then do something. So if there are some files that are present on the system or not present, then take some action; if some date and time are met, then perform some action; or maybe some particular software runs, then perform some action; or a particular user logs in, perform some action. So that's another thing that malicious software will use to corrupt the system.

The other aspect of malicious software, and you've probably heard of them, is zombies and bots, and they'll come up a little bit more when we look at the next topic on denial of service. But the idea is that if the malicious software gets installed on a computer, not only can you cause damage on that computer, but you can get that computer under your control to do other attacks on other
computers. And that computer which is under control is often referred to as a zombie, and the collection of those computers under the control of an individual attacker is referred to as a botnet, or the individuals are bots and the collection is the botnet. So the idea is, from the attacker's perspective, they have malicious software, through a virus or a worm or other means, that gets executed or runs on multiple computers. So multiple computers are infected. Instead of just doing damage on those computers, that malicious software just sits there and responds to commands from the attacker, from some coordinating computer. So the attacker may send a command to all of those infected computers saying, do something, where that something may be an action like a denial of service attack, and that's our next topic. It may trigger all of those computers under control to then send messages to some targeted computer, to overload that targeted computer. But other things: it may get all of those infected computers to send spam emails, so that the attacker isn't identified as the source of the spam; just normal people's computers are the source of the spam. Or to do other things.

So what attackers often do is try and get many computers under their control, and there's talk of botnets numbering in the order of millions of computers. So millions of computers across the world are infected and the attacker essentially has control of them, or can get them to do certain things. So if they can get a million computers to send spam email, then they can have a large amount of spam sent, and people make money from sending spam email because people take some action. People make money. Why do people send spam? Not just to annoy you and me, but they do it to make money. They send spam, unsolicited email, which often involves some other form of either security attack or action like, please transfer some money to my bank account. If you send a million emails and one person
responds, you may make some money. Can you be arrested for sending spam? Yes, you can. Now, it depends on the laws in the different countries, but some will have laws which are about inappropriate use of the computer network, okay? So spam can be considered as inappropriate use of computer resources, so it may be illegal in certain countries. However, sometimes it's very hard to either detect, or not to detect but to identify and classify as spam, because if it's coming from many different source computers from all over the world, from a botnet, it's hard to identify that individual source.

Other things that malicious software can do once it's under the control of some botnet: sniffing traffic means listening to the packets being sent, and you all know how to do that from other tasks. You know how to capture packets with tcpdump or Wireshark to see what others are sending, and from that observe confidential information. Key logging: install some software on a computer such that it records all the key presses. So every time you log in to a system like your bank website and hit the keyboard to type in your username and password, those characters are saved by the malicious software and eventually sent in a log back to the coordinating computer. So the attacker gets the keys that you've pressed, which include usernames and passwords. So key logging software can be used to capture confidential information. Of course, if the attacker gets malicious software running on some collection of computers, then it gets those computers to try and distribute malicious software to others, just to build up and spread and to get more computers under their control. Malicious software may, once it's infected a computer, pop up advertisements. Okay, so if your computer is infected, then when you're web browsing it may show advertisements which are not from the website but are from the malicious software running on your computer. You'll think they are from the website, and again people make money from displaying ads, either people
click on the links and they get money from the payments for the ads. So those are some of the uses of a collection of infected computers via malicious software.

So we mentioned keyloggers; the concept is quite simple: just record all key presses. So have some software on your computer that intercepts or gets a record from every time you press a key. It records what value, what key was pressed, logs it into a file, and sends that file back to the attacker so that they have a record of all the keys you pressed. And then the attacker does some analysis and does some filtering to try to identify the keys that most likely identify passwords.

Spyware: so this is an example of the payload being information theft; the attacker is stealing information. Spyware is again malicious software installed that monitors the activity on the computer system. It monitors, say, your web browsing activity, the history of the URLs that you visited, or monitors the software that you're running, what software you've installed, whether you've paid for the license for that software or if you've installed pirated software. It monitors that and maybe sends the record back so that they can take other action. So spying on your activities on your computer is what spyware does; maybe redirecting you to certain web pages or fake websites. So it's another type of payload of a virus or a worm. So once it gets infected on your computer, what can it do?
Maybe it's a keylogger, spyware, or some of the others. We mentioned, I think, phishing, but let's go through it again. Phishing is using that concept of social engineering to try to pretend to be someone else and get you to do something that installs or runs malicious software. For example, and you probably see emails like this: you receive an email and in it maybe the source address comes from someone you trust, or very similar and you don't recognize it, from someone that has a very similar address to someone you trust, and maybe it contains a link in that email that links to a website which is actually a fake website. For example, an email comes from the SIT computer center: your SIT login account has had too many wrong passwords, please reset your password by going to this website and typing in your username, old password, and a new password. So if you receive such an email you may think, our computer center wants me to reset my password, so you click on the link, you go to the website, you enter in your username, your old password, and then your new password. But this website was a fake website which just collects your old password, and now they know your old password. So that's a common type of attack, phishing, which depends upon tricking the user to believe this is an email from the real person, the real computer center. Usually it suggests that you need to do something quickly to reauthenticate, to create a new password, and once the attacker learns that account information, the username and password, then they can log in as that real user.

A special case is called spear phishing, where it's very targeted. Phishing in general: the attacker may send emails to many people, sends emails to all students at SIT with the hope that some of them respond or fall for the attack. Most of them may ignore that, but some respond. Whereas spear phishing is the attacker targets a particular person. They are targeting me; they want me to be fooled. So what they do
is they create an email that's to me and it's tailored based on the knowledge of the target, such that there's more chance that I'll be fooled into following what the instructions were. So that usually involves a targeted victim in this case, whereas with phishing in general the attackers will target anyone within a large set.

And there are many other types of malicious software, or different classifications; some of you may have heard of some of them listed here. We will not go through the definitions; you can look them up and you'll hear about them. Backdoors: a backdoor is some feature or some implementation in some normal software that allows a malicious user to access that software through an unintended feature. A rootkit provides a set of services to a malicious user to run other malicious software on a system, usually by overriding the permissions, so giving them root access to the system. And a number of other types of malicious software.

What we want to do to finish this topic is just briefly mention some of the countermeasures, and the countermeasures we often refer to as antivirus. It may not just be antivirus though; other anti-techniques as well. So first we'd like to prevent the malicious software being run, but it's almost impossible. Okay, that is, we cannot prevent it being run. If we think of an organization, we'd like to prevent malicious software being run on all computers inside SIT. How do we do that? It's quite difficult. How do we prevent malicious software being run? Have rules. Have a policy that says that all the employees of SIT cannot insert a USB drive into their own computer, because that USB drive may carry some malicious software. Alright, so there's a rule and it may help to prevent, but in practice it may be hard to control, and it may make things inconvenient for the users, because users generally want to insert a USB drive into their computer. So even though we can create such policies,
they may not be effective, or they may severely limit how we can operate. Awareness: make the users aware of the implications of inserting a USB drive into your computer. Don't just copy files and trust other computers. So this is more like training of the users so they are aware of what can go wrong. Try to mitigate the impact or the chance of vulnerabilities, bugs; try to minimize the number of bugs and different threats that can arise, reduce them. Another way to prevent malicious software is to make sure that the software that's running is up to date, because most malicious software takes advantage of bugs, and as software is constantly upgraded, old bugs are usually fixed. So if you update to the most recent software, hopefully those old bugs are fixed and there's less chance of malicious software taking advantage of them. So having a good scheme for updating software is another way to try to prevent malicious software. Apply access controls such that the malicious software cannot run on the computer. So the malicious software needs to execute; access controls can be set such that the software doesn't have permissions to do the malicious things that it needs to do. So have appropriate access control, like the permissions on the files, the permissions on what can be executed, what network functionality is possible on different computers,
and ensure the users are aware and are trained in what malicious software is and how it can get onto their computer. So we'd like to prevent malicious software, but with a large organization it's hard to prevent malicious software from running on a single computer, because there are many different avenues where our computers can become infected. So we'd also like to be able to, if our computers get infected, detect it, detect it as soon as possible, identify what it is, and remove it. And that's what a lot of antivirus tries to do.

In any of these techniques we need them to have a number of different requirements. Timeliness means that they need to be able to detect and remove this malicious software as soon as possible. So antivirus software needs to work quickly. It can't detect the malicious software one day after it was installed, because it may have done the damage by then. Generality is that the antivirus software should work for any type of malicious software. It shouldn't be targeted just for a very specific virus or a very specific worm; it should be quite general. The antivirus software should be resilient to attacks on itself. So malicious software shouldn't be able to compromise the antivirus software, because if you install some antivirus software to protect your computer and some malicious software compromises that, you think you can trust the antivirus software, but now it is compromised.
So basically anything it returns is not accurate. We shouldn't be able to perform denial of service attacks, or the attacker shouldn't get the antivirus to overload and to be running all the time such that your computer slows down. And maybe you've had some experience with that: if you run antivirus software, in some cases the antivirus software spends a lot of time, either when your computer boots up, scanning, therefore slowing down your computer, which, if the attacker can get the antivirus software to do that often, then that can be considered a denial of service attack. The antivirus software should be transparent. That is, we should know what it's doing. It shouldn't hide what list of viruses it's trying to detect. And it should work for local coverage, that is, on your computer, but also work in general in an organization, cover not just a single computer but a range of computers.

So I think I asked before, who has antivirus on their computer, some antivirus software? Almost everyone. Who doesn't, then? One, two. You don't have antivirus. Why not? Why not? You don't think you can be infected. What operating system do you use? Windows, and no viruses yet. It doesn't... you have had viruses. Okay, so maybe you should get antivirus. Right, many people do. But what about for an organization? One of the issues with the antivirus is that, let's say for SIT, we have to have it installed on every computer to protect all computers, because as soon as one is infected it's very easy for that one computer to infect others. So with an organization, one other approach is, instead of having antivirus on all computers, have it on a device that controls the traffic coming in and out of the network, and we'll deal with that when we talk more about firewalls.
So one role of a firewall could be a device at the edge of the network that scans for viruses as they come in and out of the network, as opposed to the antivirus just running on your computer. The antivirus runs on one device that keeps track of traffic coming in and out of the network. Right, when we see with firewalls, a firewall generally will only protect based upon traffic coming in and out through a specific device. There are ways around a firewall; one of them is the manual USB approach. So antivirus on a firewall doesn't protect against attacks from USB or other loading approaches, so organizations will often have a combination of techniques, both at the firewall and internally on the computers.

I cannot recommend any antivirus. I don't use any. But there are a number of different ones; I have used some in the past, but I don't use Windows anymore. But there are a number of different ones and most of them are free, and okay, the Microsoft one I think in the past was always considered okay. It was called Microsoft Security Essentials at some stage; I don't know if it's still called that in Windows 10. It was considered quite good as a free antivirus. But I've used AVG and Avast and others, but they change over time, so you need to keep up to date on which ones are good ones, because they have different features. Right, so we've all used antivirus. We may have even seen viruses infect our computers. What do they do? What does antivirus software do? But before that, coming back to that question, how else can we stop USB infections, people coming along with their USB drive and infecting their computer? How can we stop that? All right, we can have a policy: please don't plug a USB drive into our computers. But not many people will listen to that. They'll plug their phone in.
Okay, they want to plug their phone in. So some organizations will disable the USB drives on the computers. In very high security installations they may put, basically, some glue over the USB slot so you can't plug a USB drive in. So one way is to physically prevent USB access. So there's a way to stop the infection, but of course it makes things more inconvenient for the users. So there are different approaches.

So host-based scanners, so virus scanners, or these countermeasures, antivirus in general: host-based means it runs on your computer, on the host, on the computer. So that's what we commonly use: you run antivirus on your own computer and it just protects that one computer. Perimeter-based scanning is like a firewall, a device at the edge of the network that scans for viruses coming into the network, possibly even going out, with the intention of protecting all of the computers internal to the network. On the perimeter we scan for viruses with the hope that it doesn't get in. This is good because it covers a large number of computers, but it doesn't protect against certain attacks. Host-based scanners protect their individual computer. The problem with host-based scanners, when you have a large organization, is you have to keep them up to date. Let's say you have thousands of computers in your organization; you must keep the antivirus up to date on all of them. And distributed intelligence gathering is using information from the individual computers, the individual hosts, collecting information about what's happening with respect to viruses, and then supporting upgrading the host-based and the perimeter scanning software. So we'll see that, I think, just at the end. So what does antivirus software do? How does it detect a virus? Some very basics.
So here we list, based upon how antivirus software has evolved over time, how it has improved, starting from the simple initial antivirus scanners. The antivirus software has a list of known viruses or known malicious software, and it knows the signature of those known viruses. What's the signature? A simple way we can think of: if the virus is a file, or a piece of code, part of a file, the signature could be a hash of that file. It should be unique for that file. But it could be more complex; it could be the actual file contents, but something that uniquely identifies that malicious software. And the antivirus, as new files arrive on your computer, compares the signature of those new files with the list of signatures of known viruses. If there's a match, it's detected a virus.

What's the problem with that approach? What's the problem with the first approach? Apart from being limited to the detection of known malware, what's another problem? What's another problem? Your antivirus software has to have an up-to-date list of all the known malicious software, and, the point there, as new malicious software is created, then it won't be on the known list, so it goes undetected. We mentioned different types of viruses last lecture; we mentioned polymorphic and metamorphic viruses. A normal virus stays the same as it copies itself to other files. A polymorphic virus copies itself to other files but changes its code when it copies; it does the same thing but adds some extra operations, so it will change as it copies. A metamorphic virus changes its code and also changes its functionality. So both of those would be undetected by such simple scanning. So I have some more general rules, heuristic rules, to have some conditions to check. So instead of having yes,
no, this is a virus, have a probability. If this file has characteristics that strongly match a known virus, not everything is the same but there are similarities, assign some probability that that's malicious software. Going further, run the software. A new file comes on your computer, abc.exe. You don't want it. You're the antivirus software; you want to check, is this a virus or not? Run the software, but run it in a protected environment. So have the software run but monitor what it does. So as the software runs you'll see what it does: does it try to modify files which it shouldn't? Does it try to contact a server outside where it shouldn't? And from the actions, then try and detect, ah, that's a virus. Now, that can either be done in a protected environment, or if it's done in the real environment, it must do the detection very quickly before it does any harm. So this is not just comparing files and checking if it's a virus, but this is actually seeing it operate and seeing if what it does corresponds to what a virus would do. And nowadays antivirus uses a combination of these techniques. So it will use all of these techniques. One thing a virus will often do is encrypt itself, so it's hard to check what the contents of it are.
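The two scanner generations just described, the exact hash signature and the "strongly resembles a known virus" heuristic, as an added worked example that is not part of the lecture. The "files" are constructed byte strings, the known-bad list and the similarity rule are assumptions, and the variant copy only appends a few padding bytes to stand in for a polymorphic copy that "adds some extra operations".

```python
import hashlib
from typing import Dict, Set

# Constructed stand-ins for files on disk: plain byte strings, not real malware.
KNOWN_BAD: Dict[str, bytes] = {
    "sample-A": b"MZ\x90\x00demo: open network socket; write to C:\\boot; self-copy",
}
BENIGN = b"quarterly report: revenue grew; expenses flat"


def signature(data: bytes) -> str:
    """First-generation signature: a hash of the whole file, unique to that exact content."""
    return hashlib.sha256(data).hexdigest()


KNOWN_SIGNATURES: Set[str] = {signature(b) for b in KNOWN_BAD.values()}


def exact_scan(data: bytes) -> bool:
    """Simple scanner: compare the new file's hash with the list of known signatures."""
    return signature(data) in KNOWN_SIGNATURES


def ngrams(data: bytes, n: int = 4) -> Set[bytes]:
    """All n-byte windows of the file; most windows survive a small edit to the file."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(data: bytes, reference: bytes) -> float:
    """Jaccard similarity of byte 4-gram sets: 1.0 identical, 0.0 nothing in common."""
    a, b = ngrams(data), ngrams(reference)
    return len(a & b) / len(a | b) if (a | b) else 0.0


def heuristic_score(data: bytes) -> float:
    """Heuristic rule (assumed): highest similarity to any known sample, used as a likelihood."""
    return max(similarity(data, ref) for ref in KNOWN_BAD.values())


def verdict(data: bytes, threshold: float = 0.6) -> str:
    """Combine both checks: exact match first, then 'strongly resembles a known virus'."""
    if exact_scan(data):
        return "known-malware"
    if heuristic_score(data) >= threshold:
        return "suspicious"
    return "clean"


def variant_copy(data: bytes) -> bytes:
    """Constructed stand-in for a polymorphic copy: the same content plus a few
    no-op padding bytes, enough to change the hash while leaving the rest intact."""
    return data + b"\x90" * 8


if __name__ == "__main__":
    original = KNOWN_BAD["sample-A"]
    copy = variant_copy(original)
    print("original:", verdict(original))                                 # known-malware
    print("variant: ", verdict(copy), round(heuristic_score(copy), 2))     # suspicious
    print("benign:  ", verdict(BENIGN))                                    # clean
```

The hash check catches only the byte-identical sample; the variant slips past it but still scores above the threshold, which is the gap the heuristic rules close, at the price of a tunable false-positive rate.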
So it will decrypt itself when it runs. So coming on from this, memory-resident programs, a concept called generic decryption. Antivirus software, when it has a file, again, it runs that file in some protected environment, usually a virtual machine, for example a VirtualBox VM, virtual machine software. What antivirus software can have is its own cut-down virtual machine software; it runs the virus inside there and observes what it does. So when it runs the virus, if it was encrypted, it decrypts itself, and then the virus scanner tries to see what happens once it's decrypted: check if the signature of the decrypted form matches known malicious software, and try to detect if the malicious software tries to access files inappropriately, access the network inappropriately, to try and identify if this is a virus or not. So this is the idea for antivirus software that will try to decrypt encrypted viruses, so that they cannot hide behind encryption. Now the problem with this is that the virus actually runs, and it takes time to run it. Even though it's in a protected environment, that virus takes time to execute. If it wasn't a virus, it was just a real file, the antivirus software runs it for some short period of time, realizes it's not a virus, and then lets the user use the software. The problem with this approach is it takes time, so the user has to wait some time while the antivirus is running. So the question then is, how long should you run it for?
If you allow it to run for too short a time, you may not see the malicious operations take place. If you allow it to run for too long a time, then the user must wait for it to run and your computer may slow down while it's running. So the general approach: run the potential malicious software in a protected environment like a virtual machine, observe what it does, and that's possible to then detect polymorphic viruses, because if you see they copy each other then you could detect that the new copy is also a virus.

The other thing that you probably see your antivirus software do is show pop-ups when you maybe install software and say, this software is trying to access this other feature, do you want to allow it or not? All right, so your antivirus software will try and detect when maybe some software is accessing out on the network or trying to access particular files, or when it's trying to install, the antivirus will confirm: do you want to allow this? Do you trust it or not? So this is some behavior-blocking software running on your host, on your computer. The antivirus tries to observe the behavior and block certain things. For example, some software runs and it tries to open some files. The antivirus software will see, well, this file shouldn't be opened by this piece of software; there's no need to open this file. There's no need for some PDF reader software to open Microsoft Word. Okay, so the antivirus software detects it's trying to open this file; we will not allow it to do that, it will block the behavior, or it will at least prompt the user: do you want to allow this software to open this file? So the user can decide.
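The behavior-blocking idea above, including the PDF-reader-opens-Word case and the disk-format case, as an added example that is not the lecture's own code or any real product's. The program names, the per-program policy and the event stream are all constructed; a real blocker would receive these events from an operating-system hook rather than from a list.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    process: str  # program performing the action (constructed names)
    action: str   # open_file, network_connect, format_disk
    target: str   # file path, host, or device


# Constructed policy: what each known program legitimately needs.
# process -> action -> allowed target suffixes. Anything outside this is not normal.
ALLOWED: Dict[str, Dict[str, Tuple[str, ...]]] = {
    "pdfreader.exe": {"open_file": (".pdf",)},
    "musicplayer.exe": {"open_file": (".mp3", ".flac"),
                        "network_connect": ("stream.example",)},
}
# Actions an ordinary application never legitimately performs: blocked, no prompt.
ALWAYS_BLOCK: Set[str] = {"format_disk"}


class BehaviorBlocker:
    """Host-based behavior blocker: allow, prompt or block each observed action.

    Once a program has been blocked it is treated as terminated, so every later
    action from it is blocked too; the damage stops at the first bad action,
    but note that action was already attempted when the blocker saw it.
    """

    def __init__(self) -> None:
        self.terminated: Set[str] = set()
        self.log: List[Tuple[Event, str]] = []

    def decide(self, ev: Event) -> str:
        if ev.process in self.terminated or ev.action in ALWAYS_BLOCK:
            verdict = "block"
        else:
            rules = ALLOWED.get(ev.process)
            if rules is None or ev.action not in rules:
                verdict = "prompt"  # unknown program or unexpected action: ask the user
            elif ev.target.lower().endswith(rules[ev.action]):
                verdict = "allow"
            else:
                verdict = "prompt"  # e.g. a PDF reader opening a Word document
        if verdict == "block":
            self.terminated.add(ev.process)
        self.log.append((ev, verdict))
        return verdict

    def run(self, events: List[Event]) -> List[str]:
        return [self.decide(ev) for ev in events]


# Constructed event stream mirroring the lecture's cases.
EVENTS = [
    Event("pdfreader.exe", "open_file", "C:\\Users\\me\\invoice.pdf"),
    Event("pdfreader.exe", "open_file", "C:\\Users\\me\\thesis.docx"),
    Event("musicplayer.exe", "open_file", "C:\\Music\\track.mp3"),
    Event("musicplayer.exe", "format_disk", "\\\\.\\PhysicalDrive0"),
    Event("musicplayer.exe", "network_connect", "stream.example"),
    Event("abc.exe", "network_connect", "198.51.100.23"),
]


def demo() -> List[str]:
    return BehaviorBlocker().run(EVENTS)


if __name__ == "__main__":
    for ev, verdict in zip(EVENTS, demo()):
        print(f"{verdict:6} {ev.process} {ev.action} {ev.target}")
```

The music player's otherwise-legitimate streaming connection is blocked because the program was already terminated for the format attempt, while the unknown abc.exe only gets a prompt, which is exactly the "user must decide" case.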
Or the software tries to format a disk. You install some normal, some music-playing software, and it tries to format the disk. There's no reason for it to do that, so the antivirus will detect that. So based upon different activities the antivirus will detect if they take place and stop them from occurring. This doesn't depend upon known viruses; this monitors actions or behavior. The problem is that the malicious code gets to run. To be able to observe the behavior you need to allow the code to run, and maybe some actions go undetected, so the virus may do harm. So that's a brief overview of some of the countermeasures that antivirus and other techniques provide.

To summarize on this topic: we've had a very quick rundown of different types of malicious software. We've mentioned viruses, different types classified by propagation method and payload, worms and other exploits. A worm distributes itself; a virus attaches to other files. We've mentioned some of the things that a virus or malicious software can do, the payloads: it can disrupt or destroy data, it can damage physical objects. And there's always a challenge for antivirus software to try and keep up to date with the new viruses and try to detect new viruses using new techniques, because the viruses, or the malicious software, are trying to avoid detection while the antivirus is trying to detect, and they continually upgrade. So there's a challenge of how do you keep detecting new malicious software. There's a challenge of, if you're using countermeasures, your computer performance may degrade to the point where you can no longer use your computer, a denial of service attack. And then there's the challenge of, can you really trust the antivirus software? If you can't trust the antivirus software, then you have problems. So there are a number of other techniques to try and improve upon that if you have higher security environments, so having trusted hardware in your computer