 So, this topic on malicious software or malware, we're just really classifying the different types and gone through some examples of viruses and worms, so we're classified based upon how the malicious software spreads because it genuinely tries to infect not just one computer but multiple computers, so it spreads in different manners, so a virus attaches itself to another program, so you can think a virus is some code that does something malicious that attaches to some normal program and spreads by finding other programs to attach itself to. A worm, you can think more as an independent program that finds its own way to spread like using network connections to copy itself from one computer to another, whereas a virus attaches to other programs, a worm distributes itself, copying itself, for example, across a network or between computers. Another form of spreading which we just mentioned was towards the end of the lecture was social engineering, taking advantage of tricking someone into doing something malicious on their computer and malware can take different actions to do harm. It may try and corrupt the computer system, it's infected, delete files, for example, will mention it may be used to take control of the computer to do other malicious things, so treat the computers that it's infected as zombies that it can then use them to perform a different type of attack on other targets, steal the information, hide itself as some of the things that it tries to do and we'll finish with some touch upon antivirus very briefly. So we've looked at viruses, some different types of viruses, polymorphic, metamorphic, to hide from antivirus software, the virus tries to change itself because if we know of a virus in advance, what an antivirus software can do is scan looking for patterns or a signature of that virus. So if we know the virus contains these lines of code, the antivirus software can look for those lines of code in any file or any email the computer receives. So therefore it's easy to detect. So as a way to conceal, the virus tries to change itself. So it's harder for the antivirus software to find that signature. One way to change is to change how it looks, which what a polymorphic virus does it, changes some code inside itself. The virus still does the same thing, but if you look at the code of the virus, it's different from the previous version. A metamorphic virus does that as well as changing its behavior. So a polymorphic virus just changes the way it looks, whereas a metamorphic virus also changes what it does, maybe what the payload is, how it infects other programs, which is harder to do, but if you can do it from the virus' perspective, harder to detect. We had a few examples. We mentioned worms, where did we get to last week. Social engineering, I think you've seen, we mentioned that, okay, Spam email is used where people send unsolicited email with the hope that the target will read the email, think it's a real email, and take some action, like click on some link or run some executable file or open some document attached to that email. And then that's the starting of the attack. And we mentioned phishing attacks as one example there. Trojan horses are software that are from the target's perspective useful, but also contain some malicious payload. You download a program to convert word to PDF. It's useful for you, but actually that software includes some malicious functions as well. What can malware do? What actions does it take? So once it's infected your computer or your software, what does it do? Well, different things. It can do data destruction, delete data, overwrite data. So it can be worse in some cases than deleting data is to overwrite it because you think the file is still there, is still on the system, maybe still the same size as before, but the contents has changed. Encrypt data and a recent and current malware present is called CryptoLocker. What it does, and I don't remember the details of how it initially infects, but once it infects a computer, CryptoLocker encrypts or searches for a set of files on your computer, like JPEGs, thinking about photos or other documents. It searches for files and then encrypts those files using a strong encryption algorithm, using public key cryptography. So it encrypts the files and then sends you an email or contacts you and says, if you want to decrypt these files, you need to pay some money. So that's an example of ransomware that the malicious software holds your data to ransom. So in this case it encrypts CryptoLocker, it encrypts the files with public key cryptography. The person who created the malware knows the private key to decrypt. You don't know the private key, they encrypt it with a public key and therefore they say, if you pay this amount of money then they'll decrypt the files and you'll get your files back. Otherwise your files will stay encrypted and they say that they'll delete the key so you can never get them again. And currently there are no known ways to decrypt those files. So that's a current malware that's in use today. We mentioned Stuxnet, which was a most likely a government sponsored worm that infected a number of hosts, but mainly factories and facilities in Iran with the intention of shutting down some of their nuclear power plants. And that did real well damage. By infecting the computers that control industrial systems, then it made those systems operate outside of their normal intended behaviour and made them fail. So it did real well damage via the computer. And related to both of them is a logic bomb which is something that activates a payload that activates when certain conditions are met. So here's some payload that's for example, your computer's been infected, the payload's on your computer when some conditions are met on your computer that payload is activated, whatever it does, whether it's data destruction or some real well damage. So that may be as simple as thinking about does this file exist on your computer? If so, then activate the payload, date and time, whether some particular software is being used on your computer or a particular user logs in, then activate the payload. So that's the general concept of a logic bomb that it performs some logic at a particular date and time or when some conditions are met. We saw a very simple example in the Melissa virus that we showed. At the bottom it had some code that says if the current date equals the current hour, then display some message. So it was a particular set of conditions. If this time and date are met, then do something, otherwise do nothing. So there may be some conditions to activate the payload. So we're going to finish with the last few slides to finish this topic today. What else have we got? Zombies and bots. So another common thing today is that once a computer is infected, then it allows the person who created the virus or worm to take control of that computer to get access to that computer via other means and then use that computer to perform attacks on other computers. And we get a set of bots from the perspective of the attacker. So if you can, for example, infect one computer and take control of that, take control may mean the attacker can trigger that computer to do something to other computers. For example, send packets to other computers. And if you can do that to many computers, then the attacker has control of many computers on the internet. That becomes their network of bots or botnet that they then use to attack some other target computer. And this is common in distributed denial of service attacks, where some malicious user takes control by infecting many other computers on the internet and then uses those many other computers to, for example, send many packets to one target computer, overloading that target computer so it's denied service. We will look at denial of service attacks in more detail in a later topic. So the general concept of a computer that you take control of is a zombie or a collection of them is referred to as a botnet. And there's thoughts that there are botnets that attackers have control of in the order of millions of computers. So attackers have compromised millions of computers via different means and can control them to do things that they'd like to do. For example, denial of service attacks, send spam. So instead of sending spam from the malicious user's computer, they take control of normal users' computers and get them to send spam to some target. Monitoring what's happening in terms of those computers, what they're sending and receiving, sniffing traffic, logging actions on those computers, spreading new malware and other things. So that's a common problem in network security today is that many computers are compromised and attackers can control those computers to do other more malicious things. We'll see more detailed examples of them when we look at denial of service. So another form of payload or an action that can do harm is information theft, that the attacker, they steal information from you. So one thing they can delete your files, but other thing they may try and steal information from you. For example, try and steal your password. And one form of doing that is monitoring the keys that you press. So if the attacker can install software on your computer that monitors the keys that are pressed by the keyboard and can keep a log of all those key presses and send that log back to the attacker's computer, then hopefully in that set of key presses will be your password to different accounts. And that's the general concept of a key logger. Some software that captures all the key strokes that you enter into your computer. So how to get the password out of it. For example, monitor what's happening on the computer when you log into another computer or when you log into a website. So you look for patterns of what may be a password. So assuming the attacker can see all the key presses on your computer, then they can search for specific combinations or specific patterns to try and identify when you entered in a password. And then they can discover your password for different systems. So a key logger fingers a piece of software that the attacker may install on your computer to steal information from your computer and send it back to them. That information normally being passwords. But maybe other things. Maybe messages that you send. Key loggers may be software on a computer that they may be done via extra hardware mechanisms. For example, software installed via USB keys on computers without your knowledge. Generally, it's not hard to do because the operating system always keeps track of the key presses. So you can get access to the key presses. So you just need some software to read that information from the operating system and you can get a complete log of everything that happens on the keyboard. And that can be extended to not just key presses but also mouse clicks. So if some websites as a security mechanism require you to not type in your password but to click on an on-boards keyboard, on-screen keyboard, that you click on the letter A, B and C instead of typing in the password in case there's a key logger there. But even then, if the software, the malicious software could monitor where you're clicking on your mouse, then although it's a little bit more complex and they can do the same thing that they can monitor that you're clicking on these locations on the screen and send that information back to the malicious user so that they know where you're clicking and then map that back to the on-board, on-screen keyboard. So key loggers monitor keystrokes but more generally we can monitor whatever activity is performed on the computer including mouse presses, mouse movement and clicks. Yes, so the idea of the on-screen keyboards is to avoid this problem of capturing keystrokes. So if you just type in the password and someone has a keylogger then it's quite easy for that keylogger to detect the password typed in. Therefore websites will have an on-screen keyboard. If that keyboard is fixed, that is the keyboard is like a QWERTY keyboard as an image on your screen, then again if the attacker can install software to detect where your mouse is and when the button is pressed then they can determine okay you clicked on the letter A then you clicked on the letter B and C based upon the position of the keys on the screen. So then other systems will each time you log in will have a different arrangement of the keys. It won't be the QWERTY or won't be ABCD but it may be a random arrangement of the keys making it harder for the malicious software to detect what you were clicking on even though it knows where you clicked it doesn't know which letter you clicked on. So that in that case the malicious software needs some other way to know the mapping from where you clicked to the letter you clicked on. That may be from getting a screen capture or it may be about predicting what the arrangement of the keys was how that website displays them. So it gets more complex making it more secure but making it more inconvenient for the user. Most users it's easy to type in a password it's a little bit slower to click on an on-screen keyboard it's even slower if that keyboard is changing the arrangement of letters all the time. So the first time you log in it's one arrangement of letters so you know where to click the next time you log in it's completely different arrangement so you need to look and spend a few seconds to find out where to click to type in your password. So again this is the trade-off between you can make it more secure but it becomes more inconvenient for the users. And this is moving on to almost the techniques used in spyware is that once a computer is compromised by some malicious software that malicious software spies on what that computer is doing or the user is doing with that computer it monitors what's happening which includes monitoring key presses mouse activity but other things like monitoring applications browsing history particular web page request documents opened to then learn about what you're doing so learn about your behavior and use that for other malicious things extracting data about websites you've visited things that you've done to use that for other purposes. Fishing we mentioned last week where we use someone uses social engineering they try to trick users into following some URL to some malicious website is it a common example they send you an email you think it's a real email you click on a link that link takes you to some fake website where you enter in your details and that malicious user now knows your details spear phishing is the specific case where it's targeted a particular person so the malicious user creates the email and that fake website especially for the person that are targeting so generally phishing target anyone but spear phishing is more more targeted to a specific user and therefore the website and email will have content that that specific user will think is real or more like likely to think is real any questions about the concept of phishing in a security context anyone seen examples anyone received emails spam emails which have links to other websites I receive them all the time yeah yes I think it's not limited to email email is the most common form of delivery of this this spam of this this social engineering technique but it's not limited to email so social networks chat software anything that makes it easy usually for the attacker to send the information to many users cheaply that that needs to be a part and most social networks email chat applications allow that it's about tricking in the user into usually visiting a website or executing some application that is malicious and there are many other types of malicious software so this topic is more about introducing several types you probably heard of a lot of them just to distinguish between several types but there are many others and there's some of them listed that you may come across and we may explain them as we go through some other topics when when needed just briefly to finish then well how do we stop them what countermeasures do we have so that the malicious software cannot take effect on our computer systems we'd like to prevent ideally prevent any malicious software into our computer prevent it from running but that's not always possible how do you prevent how do you prevent malicious software getting on your computer in an organization having some policy about what the user should do policy and awareness about don't follow links in emails or in unsolicited emails don't open attachments in emails which contain executables and awareness from the user's perspective will help vulnerability mitigation a lot of the malicious software takes advantage of that your computer has existing bugs vulnerabilities so make sure that those bugs or vulnerabilities are not present or as minimal as possible that includes making sure systems are computer systems up to date especially operating systems and software make sure that the the latest versions are installed and being used so in operating systems now have regular updates or patches so making sure that those patches are applied so that the software is up to date and there because many of those patches usually fix security bugs so if you don't update the software there still may be bugs with respect to security in that software that the malicious software can take advantage of make sure access controls are used and applied so that even if malicious software is executed on a computer that the access control can limit what it can do it cannot take control of all your files it cannot delete important files and so on so using access control to limit who can read write and execute different files can help limit the effectiveness of malicious software and an important part making sure users are aware of what malicious software is and how it may arrive detection is the main form used today as that as malicious software arrives at a computer system detect if it is present and then remove it detect identify what it is and remove it all the countermeasures to stop malicious software they have general or they have a set of requirements some of them listed here the countermeasures should work for any system and any type of malicious software be general you don't want a countermeasure that's tailored just to one type of malicious software they should work in a short amount of time if there are failures or if some malicious software gets in then the countermeasures should still work so if you think of antivirus software you have antivirus software as a countermeasure if some malicious software gets on your computer then resiliency means that that antivirus software will still work we shouldn't allow that malicious software to then take over the antivirus such that the antivirus no longer work it should be resilient to some forms of attack countermeasures like antivirus should not deny service too much at least that is if you install antivirus software on your computer and it takes up 50% of your CPU just scanning viruses all the time then that's effectively denying denying you service it denies you access to your the CPU to run your normal applications we want to minimize that the user should be transparent to the countermeasures so the user shouldn't have to deal too much with say the antivirus software should be transparent it should cover malware on your computer and across a larger set of computers not just across a single computer the three main approaches to provide countermeasures are to perform scanning on individual computers called host-based scanners for example antivirus on your own computer for an organization or a network perform perimeter scanning so think for SIT there's a gateway between SIT internal network and the rest of the world perimeter scanning would scan files as they pass through that gateway and try and detect and identify and remove malicious software at that gateway before they get into SIT's network so rather than relying on antivirus on all the computers inside SIT have one device on the perimeter of the network that performs the scanning and removal of malicious software that's better for larger organizations because you don't rely on the individual computers and more complex techniques use what's called distributed intelligence gathering which we'll not talk about but involves not just collecting information about your network but using information of what's happening in many networks to try and improve the ability to detect malicious software let's just look at some general concepts of scanners and you know them as antivirus scanners I think most people would would have installed an antivirus scanner on your computer so you'd use host-based scanning but many networks also use perimeter-based scanning that is that they at the edge of the network also try and detect and remove malicious software the general approaches or in improvements of antivirus software so either host-based or perimeter-based what does it do well the idea is to identify a malware to detect identify and then remove it once you've identified it so how to how does a piece of software antivirus software detect and identify malware and when we say antivirus software it doesn't just apply to viruses okay so it may apply to all types of malicious software but the common name is antivirus and this goes through the the improvements over time so first generation through the fourth generation so the first type of antivirus software just simple scanners they look for signatures of the viruses and other malicious software so if you know of an existing virus and you know the the structure of the code in that virus then that gives some signature of that virus so what the antivirus software does is when a file comes in to the computer it can it looks at that in that file compares it to the signature of the virus if they match then it makes the assumption that this file contains the virus the signature may be simple look for lines of code in the virus so if the virus contains these 100 lines of code and the file that come into your computer contains those 100 lines of code then assume that that file contains the virus but it can be more complex and that in the signature cannot just be about the exact match on the set of lines of code but can look for patterns in the lines of code for this to work the antivirus software must know about the malware in advance it must know the signature so if there's a new malware that's created then the antivirus will not detect that so the improvements were to follow some more general rules rather than looking for for specific lines of code in which match existing viruses or malware is to follow some rules and do some look for some probable lines of code that would be in the malware so the antivirus would have a set of rules as to what most viruses or most malware would contain and if a file comes in that matches those rules it would flag that file as containing malware so rather than looking at predefined pieces of code based on existing malware try and generalize and say okay most malware has this structure follows these rules in its in its code and try and detect files that come in whether they match those rules the other approach integrity checking is looking at files compared to some reference if a file on your computer system word.exe if we know that word.exe has this exact contents and then the antivirus software runs and find word.exe has a different set of contents then that may be used to try and detect that something's changed the word executable and is infected with a virus so check that the files have not been modified on your computer and you can use hashes and other approaches to do that checking of files. Next approach run or as the malicious software runs monitor what it's doing so malware comes in it's executed on your computer then the antivirus has some program that's monitoring the actions that everything that executes performs and if it's doing some malicious actions then identify that as malware so instead of looking at the structure of the code look at what the code does by letting it run that's the basic approach there so a virus or a file comes into your computer you haven't detected a virus in it but the antivirus software has some software running that when this new file executes and it tries to access particular files it tries to do things on your computer the antivirus monitors that and based upon what files it's trying to access what it's trying to do it can then try and detect if it's a virus or not an example of that some of the things that it may do is here for example the antivirus monitors the behavior of programs for example if some program tries to open files which it shouldn't normally need to try and open then that may be detected as some malicious action so if you know of a set of files on the operating system which normal programs don't need to access but this one does access like the password file then that may be detected as malware or attempts to modify existing executable files so a program runs it tries to change word.exe well in most cases another program shouldn't need to change word.exe to run so if that program takes that action the antivirus software detects that action and then identifies this as a virus or malicious software change system settings for example to change in Windows registry settings to change configuration files in Unix systems if the antivirus detects a program doing this then it again detects this as a virus or malicious software so this is when the malicious software is running it's not detecting it before it runs it doesn't depend upon any signatures about known malicious software the problem is that it run it allows a malicious code to run so therefore if it doesn't detect it then the malicious software still runs and can perform harm. The fourth or the generation here is really just a combination of all the techniques is to improve them and we'll talk about one more technique in a moment but antivirus has progressed from being looking at signatures based upon known malicious software to generating rules and trying to classify files and based upon the general structure and rules to work out with its malicious software to monitoring what software does and if it performs things which will be classified as malicious actions it detects it as malware. One example of that running the malicious software is called generic decryption. Most viruses will be encrypted and to execute they decrypt themselves so that the virus itself is encrypted when the virus runs it decrypts itself and then performs its actions so one approach is to allow that to happen so that's what generic decryption does it allows the virus to decrypt itself and then run but it does it all in a virtual machine not on your real operating system but in a virtual machine set up by the antivirus software so that virtual machine really emulates a CPU so the virus let's say is attached to some executable it's arrived at your computer the antivirus software runs that program in a virtual machine monitoring what it does there in the virtual machine if it does some malicious things like opens files it shouldn't try to open changes executable files then it may detect that as a malware if it's passed as successful was okay it's not malicious then that program can be passed back to the the host computer so basically run the virus in a virtual machine such that if it runs and does damage it only does it in the virtual machine which can be deleted and it's easier when the map the malicious software is running to detect that it's malicious software based upon the actions it takes the general trade-offs here is that okay as a file arrives at your system it needs to be executed in a virtual machine how long do you execute it for so you received a file via email you downloaded a file the antivirus software before it allows you the user to use that file runs it in a virtual machine trying to detect is this file malicious or not but how long does it run it for to detect if it's malicious because that file may only do a malicious action after some period of time so if you run it for too long then it means you have to wait a long time and it degrades the performance of the system if you only run it for a millisecond then you may not see that the malicious events taking place so generic decryption is the process of really allowing the virus to run but run it in a virtual machine to see what it does if it does something bad classify as malware if it doesn't do anything bad then let it be as a normal file yes a sandbox is more general not just for this but yes the same concept as a sandbox you run it in a in a virtual machine that is protected and and kept separate from your normal files on your computer so even if the virus runs it doesn't do any damage to your normal files so that's all the detail we're going to go into with antivirus or countermeasures so just a simple classification that most counter measures look for patterns as they receive files signatures that can be improved to a search based on general rules or to allow files to execute and monitor what they do there are many more aspects of antivirus and malware we've covered some main types of malware viruses and worms and a little bit on social engineering the different payloads is what actions the malware takes there are multiple approaches for antivirus either on a host or on a perimeter of a network for all hosts inside that network and the technique they approach they take of course a lot of this becomes this cat and mouse game of that the the people who develop the malware develop the malware and then the people are trying to block it once they learn about it they develop techniques to stop it but then new techniques are developed so new counter measures need to be developed and there's always continual improvements in both the malware and the counter measures for the malware and a main problem with antivirus techniques malware detection is the performance degradation in that trying to detect to be very accurate in detecting you make it inconvenient for the user either their computer slows down the network access slows down or the ability to access files is reduced so it makes the more effective the counter measures are the more of a performance degradation or denial of service for the normal user of course the one issue that arises is that can you trust the antivirus software what if the antivirus software is malicious or has been compromised then everything becomes a problem because you can't trust the results of that antivirus software so then is what if the operating system has been infected what can you trust at that point well people say once a computer is infected it's you might as well just delete the whole computer format the hard drive and start again because it's very hard to trust any piece of software once one infection has a rise because if a if a malware infects your computer and it has found a vulnerability in the operating system as infected the operating system then the operating system then can control the antivirus software and when new files arrive it can the infected the operating system can tell the antivirus software to to accept those new files to pretend that everything is okay so future attacks can be go undetected and the ways around that lead to things that we're not going to cover but interesting trust of computing making sure the whole chain of the bios when your computer boots the bios that loads the operating system the operating system all the applications the on the operating system are trusted cryptographically trusted that is using signatures and so on and some other topics that you may explore but we will not questions on malicious software yes so that the antivirus software that you install or is commonly available at least for home computers today again they modify key files on your system and they effectively integrate into the operating system and they have their own set of rules for detecting they don't just look based upon signatures of known malware they look up based upon actions of other software rules being programmed into them and it may be possible that they think other antivirus software is doing malicious activity as it meets its criteria is doing something that's unexpected it's commonly recommended that just one antivirus software be installed but which one's best I don't know and it may change over time any final questions on malware so just understand the concepts what's a worm what's the difference between a virus and a worm what what antivirus software does what is generic decryption what else with respect to the the upcoming midterm exam I would not ask you about any details of this particular virus or so on just the concepts be able to compare and maybe give an explanation of what is fishing what is a key logger what what are some actions of a logic bomb the details about a specific virus will not be in the exam although I know we had examples last lecture but we'll not cover them in the exam what types of viruses there may be what's the difference maybe simple things about a simple questions about this simple virus if it was given again you don't need to remember this but if if I gave you this you should be able to answer some questions about okay which line of code is considered a logic bomb or or or take some conditions as to perform some action okay you note that trigger pulled if return true if some conditions hold so here we could implement our logic bomb of say the conditions are if the date equals the 2nd of January 2014 then take this action okay enough