We've talked about mechanisms to try and secure our computer system. We've seen user authentication, which checks that the right person is accessing it. Before that we saw general mechanisms of cryptography: how to encrypt files. You've had some homework encrypting files with public key cryptography and symmetric key cryptography, and we mentioned some other cryptographic techniques. In the last topic we looked at access control: controlling who can do what with different files or different resources. This topic looks at things from the perspective of the attacker, at some of the things that can go wrong on our computer system, and that involves executing malicious software: software that does something unexpected or something bad on our computer system, or malware for short. Viruses, worms and other malicious software: we'll mention and talk about the differences between them, and finish with a few ways of trying to protect against malicious software. So this topic is about describing malicious software so that we're aware of it and can work out ways to defend against it. Has anyone been affected by malicious software? Anyone had a virus on their computer? Yes? How do you get rid of it? What would you suggest? Maybe your friend gets a virus on their computer. What would you suggest? Antivirus. Antivirus is maybe too late once the virus is on there; antivirus should stop the virus getting there in the first place. If the virus is there, what can you do? Well, maybe an extreme case: what?
Delete your hard drive and reinstall, because it infects software. Unless your hard drive itself is infected: the software on your hard drive may be infected in such a way that when you wipe the hard drive the virus is still there. We'll maybe see an example of that. Extreme cases of malicious software don't just infect the applications on your operating system or the OS itself; they may infect special software running on dedicated hardware, and there's a case where the firmware on your hard drive gets infected. So we'll talk about different types: what is a virus, and the general operation of them. We will not go into much detail about how individual viruses work. We'll give a couple of examples, but mainly classify different malicious software. What is malware? Malicious software: a program that is inserted into a system, usually covertly, so the insertion is usually done in secret, with the intent of compromising one of our three aims, confidentiality, integrity or availability of the victim's data, applications or OS, or just annoying the victim. It may not release information, it may not modify information, it may not cause significant downtime of the system; it may just be an annoyance. So that's one definition of malware, but there are many different types, and the two general ways to classify them are the way that it moves, the way it propagates to other computers, and what it does when it infects a particular computer, which we call the payload. The payload is the malicious thing that it does. First, how it spreads, how it propagates.
So if the malicious software is on one computer it may do some malicious actions, but nowadays malicious software will try to spread and move to other computers as well and infect those. So how does it spread? For the different approaches we'll talk about viruses and worms, there's a slight difference between a virus and a worm as malicious software, and then social engineering, which is not using computer techniques to spread but taking advantage of the fact that people will believe things which seem to be true but are not. So we'll mention them. The other aspect is: what does it do? Malicious software can do different things. It may corrupt the computer system. We'll talk about zombies and bots, which use your computer to launch other attacks. It may steal information: you've got some confidential files on your computer, the malicious software gets on your computer, and that confidential information is then released. Stealthing, or hiding: it tries to hide itself while collecting information, for information theft. So we'll see some classification or some examples of each of those through this topic. How do we stop it? How do we stop malicious software? Anti-malware software, or what we more commonly call antivirus software. So we'll finish with a couple of techniques used by antivirus software. Who uses antivirus software on their computer? Hands up. Okay, many people use antivirus software. What's wrong with it? Any problems with antivirus software? Sometimes it may slow down your computer a little bit, because it needs to do some checking, and if it's checking a lot, checking all the files on your disk, maybe all the network activity, that takes some CPU time, that takes some resources. So that's one of the negatives of antivirus software, that it adds some inconvenience to the user, and this trade-off always comes up in security: to be more secure,
you are generally more inconvenienced. If you want high security, you may have to accept that things are not so easy to use. So let's go through and look first at malicious software by the different propagation techniques. How does it move from one computer to another? Any suggestions? How may a virus, or malicious software in general, get from someone's computer that's infected to your computer? How can you catch a virus? How do you think a virus can get on your Mac? Probably there's one there already. How do you think a malicious piece of software could get on there? No way that it could get on your computer? How do you think malicious software gets on other people's computers? Download a file. So you're using your computer, you download a file, and you mistake that file for something useful. You think it's something useful, but it actually contains some malicious software, so that when you execute that file, or maybe not even execute it but load it in a viewer, when you do something with the file, that actually executes and does something malicious. Okay, so downloading a file when you think it's something useful. Maybe it's advertised as a free application: oh, that's great, free, I'm going to download that. But then when you run it, it infects your computer. How else can malicious software propagate? Flash drive. You're walking around and you see a flash drive on the ground, you pick it up and stick it in your computer, a free flash drive, and it infects your computer. Through email: you receive an email saying here's this great product for sale, and you open the attachment, which executes and infects your computer. So there are different propagation methods, and I think you're aware of them. Some malware has different names depending on how it propagates. Of the propagation methods we'll look at viruses, worms, and then later social engineering. First,
let's look at viruses. What is a virus? A piece of software that infects programs and copies itself to other programs; by programs we mean executable software. So what a virus does: some malicious software that may do something bad somehow attaches itself to another piece of software, like an executable file, an .exe file, or some other file that can be run on your computer, and then it will also try to attach itself to other programs as a way to spread. We'll look at the general structure of a virus, not in detail, but the general approach. What does a virus do? We can think of it as going through a number of phases. The virus is a piece of software. Initially it may do nothing: the software is attached to an existing program, and we'll talk about how shortly. Then there may be a dormant phase, where it's just sitting there doing nothing. Maybe some event triggers it to activate. Once it's activated it will try to propagate. Typically a virus doesn't just want to infect one piece of software; it will try to infect other pieces of software, and eventually other computers. The means of propagation is copying itself into other programs. That is, there are some .exe files on your computer, one is infected, and when it runs it copies itself and tries to attach to another .exe file, another executable on your computer, such that when the other one is executed the virus runs again and propagates again, and even further. So it attaches itself to other programs, or maybe to other parts of the operating system or to memory, such that when that memory is read the virus is executed. A virus normally doesn't just propagate; it may do something bad. The execution of the virus is triggered by some event that activates it. A simple example: when some time or date is met, when we reach some date or time, the virus activates and executes, and the execution may be performing some function.
It could be harmless. Maybe it pops up a message on your screen saying you are infected by a virus. Or it could be malicious. Maybe it deletes all your files, or your JPEG files on your hard disk, as a simple example. I'm sure you can think of many malicious things that a virus could do, so we will not go through too many of them; we'll talk about some concepts of the propagation and give an example of the triggering. Because the virus infects other programs, and those programs are usually specific to operating systems or computer architectures, viruses are specific to operating systems and computer architectures. That is, your word.exe file that runs on Windows, that binary program, will not run on my Linux operating system. It's a different operating system and a different format for binary files. Therefore a virus that infects Word may not infect programs on a Linux operating system, and vice versa: a virus on Linux may not infect those on Windows. So viruses are usually specific to the OS, or maybe the hardware platform. We'll go through some pseudocode for a very, very simple virus. It doesn't do anything, but it illustrates those four steps. Before we do that, let's draw the idea. We have some program on our computer, some file; let's say it's a one megabyte file. So there's a file on my computer: when I installed Microsoft Word there's a word.exe file, let's say it's one megabyte in length, and what normally happens when I click on the icon to start Microsoft Word is that this file is executed. It's loaded into memory and executed, and that brings up the Microsoft Word application. So the file is executed. What we can think a virus does is attach itself to this file. If somehow this file gets infected by a virus, then we can think of it this way: when we execute this program, remember, the program performs some instructions.
So we run the code at the start of the program and then run the code in here. Now it's not the source code that's in the file; it's the machine instructions. If this file is infected, then we can think that the virus attaches itself. So this is the virus here, which I'll just denote as V. It attaches itself to the file word.exe, say at the start of the file, such that when you click on the Word icon, that triggers the word.exe file to be loaded into memory and executed. What is executed? Well, first the virus code is executed, and then the normal code for Microsoft Word is executed, so that the application pops up and you can edit documents. So the idea is that the virus will normally attach itself to other programs, so that when you execute those programs the virus gets executed as well. I denote V as the virus there, and one thing the virus may do is try to propagate to other programs. So if it's already infected word.exe, when you open Microsoft Word the virus runs, and we'll see the pseudocode in a moment, and one thing it will do is try to copy itself to other programs. So if we have some other files on our computer, Microsoft Excel say, another file, what the virus does is look for other .exe files, and when it finds one, attach itself to it. Now that file is infected, and whenever you open Excel the virus executes and does the same, maybe copying itself to other executables. That's a simple approach. Maybe the copying is not just inside this computer; maybe it's to other computers as well. So what is the pseudocode of this virus V? What happens when it's executed? That's what the slide tries to show us, in very general terms. Okay, so you can think of the source code for that virus. What might it look like?
Well, the general approach is like this. The program V, the virus. We start at the first line: go to main. So just to explain this code, we have some subroutines or functions: one's called infect-executable, one's called do-damage, one is trigger-pulled. The general concept: the first thing we do is try to infect other executables. If we've infected Word and someone opens Word, it tries to find other programs to infect. Once it's done that, if some conditions are met, if the trigger has been pulled, then it will try to do some damage. Once it's done that it will go to next, and what follows next is in fact the code of the actual program. So this is the end of the virus, and the next thing that runs is word.exe, the original program, which starts up Microsoft Word, so that when the user clicks on the link to Word they don't know that the virus runs, because they click on the link and then Word pops up. But what's happened is: they click on the link, the virus infects other executables, maybe it does some damage, and then the normal program starts. So that's the general approach. Now, those subroutines. Infect-executable: well, you don't just infect one; you may go through a loop with some conditions. Find some random executable file, so this is just one approach: look for other .exe files on the hard disk. Once you find one, check if it's already infected. How do you know if it's already infected? Maybe the first line of the code of that file contains a special string. In our simple virus the special string is 1234567. If the first line of code, or the start of the file, contains that special string, then it's already infected.
No need to infect again. So if it's already infected then go back and try again, find another file, until we find a file that is not yet infected. Once we do that we attach ourselves to that currently uninfected file; that is, we prepend the virus to the file. So that's the case of copying the virus to another file, and of course it may do that in different ways. It may look for multiple files, files of particular types in different locations; it may have a list of files to search for, because the virus may have been programmed to run on Windows, so it knows what common .exe files there are on Windows, Acrobat, Word, Excel and others, and it looks for them and infects where possible. If trigger-pulled: so after we infect other executables, if the trigger is pulled, the concept here is that some event has occurred. So the function returns true if some conditions hold. What conditions? Maybe some date and time has been met: it's the third day of the third month and it's the third minute of the third hour, or something. So some condition is programmed into it, or maybe the presence of a particular file, or the virus has infected ten files already, so now do some damage. It's already propagated multiple times; once it's propagated, then start to do some damage. What damage can be done? Give me some examples. What could a virus do? What damage could it do on your computer if it executes? Put on your black hats now and think of what you would program your virus to do if you wanted it to do damage. Destroy what? Destroy some data. So look for some data, maybe there's some location where people commonly store important data, passwords or personal data, and delete it. Okay, delete files. So deleting files is damage. What else? Not just delete them.
Get those files and send them back to a server. Okay, so take a copy of those files. Edit the files, modify them. Encrypt the files. Encrypt the files and then ask you to pay for the key to decrypt them, to make some money off that. So there are viruses that do that: they don't just delete it and make it inconvenient for you, they encrypt your files with public key cryptography such that the virus creator has the secret key to decrypt. Your file is encrypted, and if you want it back you need to pay the virus creator some money, and they'll give you the secret key to decrypt. Anyone know the name of some viruses that did that? Anyone been infected? You're very lucky. So some viruses can do different types of damage. CryptoLocker was one of them. When it infected your computer it looked for, I think, JPEGs and documents in your Documents directory, or maybe there's an equivalent version for the Mac, and it encrypts your files and pops up a window saying: sorry, you've been infected; if you want to decrypt your files you need to transfer some money, some Bitcoin in this case, to this account, and then I'll send you the key and you can decrypt them. Because it's using public key cryptography, there's no way to decrypt unless you have that key that they have. So it's effective: you lose your files unless you pay for them. This is often referred to as ransomware: they hold your files to ransom. So those are some examples of what the damage could be. That's a simple approach of a virus: try to attach to files, copy to others, and when it's executed it may do damage if some conditions are met. How do you detect that, before it's executed? What could your antivirus software do to detect this, to detect that there's a virus? All right: Microsoft Word, word.exe, the file itself. If it's been modified: an .exe file should not change. Once Word is installed the file should remain the same.
There's no need for the program to change unless there's a software update. So if there are unexpected modifications to a file, that may flag a warning to the antivirus software that something has gone wrong. Okay, so detect changes. Detecting changes may be quite simple: the file size. The size shouldn't get larger or smaller. Here our virus attached to the file: Word was originally one megabyte, but if we attach the virus code, it's bigger. So now the file word.exe, if the virus is maybe another 20 kilobytes, is one megabyte plus that extra 20 kilobytes of virus. So it's very easy to detect if you know the file size, say when it's first installed. Keep track: word.exe is one megabyte; if that changes, or if someone attempts to change it, that's a detection of a virus. If it has changed and we see it's a different size, it's likely to be a virus. That's a very simple way. Now that one could be overcome, at least the file size check. What the virus could do is compress the file as part of the infection. So not just infect by attaching itself, but also compress the original word.exe file such that the compressed version plus the virus still adds up to one megabyte, so that you can't just check the size; you need to check the content as well. So, on the slides: to overcome the file length check, what the virus can do is compress the program itself. A compression virus compresses the program P1 such that when you combine it with the virus, the file size is the same as the original. So the file size doesn't change, and when it wants to run it decompresses the program. How else can we detect it if it's not based on file size? How could antivirus check? We don't want to trust just the file size. How can we know if it's changed?
Yeah, right. So we could calculate the hash of the file. That is, again, when word.exe is installed, when a new program is installed, the antivirus software calculates a hash of the file. Remember, a hash function takes any size input and produces a small, fixed-size and generally unique output, and we store that hash value. The antivirus software stores the hash value, so that if the file is modified, even if it's exactly the same size, if the contents are modified by the attachment of the virus and we calculate the hash again, we'll get a different hash value. If the contents change, the hash value will change. If the hash value changes, something's gone wrong: the hash value should not change for that file. So the hash value is like a signature of that file, and that's a common technique used by antivirus software. You know that the intended file has this structure, you store the hash of the file, and later when you go and check, either when the program runs or in a periodic check, if the hash has changed then maybe the file has been changed and we should check and see if it's infected. Of course another way would be for the antivirus to scan the contents of the file, but that's time-consuming, and that really slows down your computer if it has to scan the contents of every file very often. That can be a significant inconvenience to the user, but maybe something you accept to stay secure. So that's the simple concept of a virus that attaches itself to another program. There's a further classification of viruses by what they target, what they try to attach themselves to. Some of the names given here: a boot sector infector infects the master boot record.
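The two detection checks just described, the file-size check and the stored-hash check, as an added example that is not part of the lecture or its slides. The "program files" are constructed byte strings standing in for word.exe; the directory functions at the end are the same checks applied to a real install directory and are my own design, not any antivirus product's.

```python
import hashlib
import json
import os


def fingerprint(data: bytes) -> dict:
    """Baseline record for one program file: its length and its SHA-256 hash."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def size_changed(baseline: dict, data: bytes) -> bool:
    """The naive check from the lecture: only the file length is compared."""
    return len(data) != baseline["size"]


def hash_changed(baseline: dict, data: bytes) -> bool:
    """The stronger check: the content hash is compared, whatever the length."""
    return hashlib.sha256(data).hexdigest() != baseline["sha256"]


# Constructed stand-ins for program files (not real executables):
ORIGINAL = bytes(range(256)) * 64             # the clean "word.exe" at install time (16 KiB)
GREW = b"\x12\x34\x56\x78" * 16 + ORIGINAL    # bytes prepended, so the file got longer
SAME_SIZE = ORIGINAL[:-64] + b"\x00" * 64     # 64 bytes replaced in place, same length as before

BASELINE = fingerprint(ORIGINAL)


def run_checks() -> dict:
    """Apply both checks to both tampered variants. The size check misses SAME_SIZE,
    which is the situation a compression virus creates; the hash check catches both."""
    return {
        "grew/size": size_changed(BASELINE, GREW),
        "grew/hash": hash_changed(BASELINE, GREW),
        "same_size/size": size_changed(BASELINE, SAME_SIZE),
        "same_size/hash": hash_changed(BASELINE, SAME_SIZE),
    }


def baseline_directory(root: str, out_path: str) -> dict:
    """Fingerprint every file under root and store the records as JSON (taken at install time)."""
    records = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                records[os.path.relpath(path, root)] = fingerprint(f.read())
    with open(out_path, "w") as f:
        json.dump(records, f, indent=2)
    return records


def verify_directory(root: str, baseline_path: str) -> list:
    """Return the relative paths whose content hash no longer matches the stored baseline,
    including baseline entries whose file has disappeared."""
    with open(baseline_path) as f:
        records = json.load(f)
    changed = []
    for rel, rec in records.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            changed.append(rel)
            continue
        with open(path, "rb") as f:
            if hash_changed(rec, f.read()):
                changed.append(rel)
    return changed


if __name__ == "__main__":
    for check, flagged in run_checks().items():
        print(f"{check:16s} flagged={flagged}")
```

The periodic check the lecture mentions is `verify_directory` run on a schedule against the baseline taken at install time; a legitimate software update is the one event that should be followed by re-running `baseline_directory`.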
So when your computer boots up, before the operating system loads, the BIOS runs and it needs to run some software to load the operating system, to boot things up. If that area of software, that area of memory, is infected, if there's a virus in there, then whenever you boot your computer that virus executes, and the virus can then infect other things. As soon as the virus is executed we've been compromised. So a boot sector infector would have the virus installed in the area of memory, on a disk usually, that runs when the device boots up. That originated with floppy disks. Okay, you know the old style, maybe you don't know the old style, but you've used floppy disks, not USB drives. How big was a floppy disk? 58? Okay, how big physically was the disk? So there were three and a half inch little square floppy disks, but before that the five and a quarter inch disks, and probably earlier than that as well. Floppy disks were, in the old days, commonly used to boot the computer. There may not have been a hard disk. If there is no hard disk, how does your computer store the operating system? On a floppy disk. So what you did to boot your computer: you insert your disk, then the master boot record is read from that disk, and that loads the operating system. So if that disk was infected, it essentially infects the entire operating system, or the entire operating system is compromised, and any program you run can be compromised. A similar one which is more relevant today, and much more complicated, is from some websites, one found last year, from what's called the Equation Group. There's not much to read here; the Equation Group was the group attributed to this virus. It was found on the firmware of some hard drives. So you go and buy a hard disk. Is there anything installed on your hard disk when you buy it?
You buy a new Seagate or Western Digital hard disk; there's nothing on there. Well, there is: the hard disk has its own microcontroller and its own code to run the hard disk. So the hard disk itself has what's called firmware that controls how the hard disk works. What happened is this group was able to compromise that firmware on the hard disk. Somehow they got to the hard disk manufacturers, not deliberately on the manufacturers' part, they got inside such that they got malicious software onto the firmware on the hard disk. So you buy the hard disk and it's already infected. It doesn't have any files on it, but the firmware is infected. What that means is that because the firmware is compromised, anything that hard disk does is essentially compromised, because what the firmware can do is reserve a certain part of the hard disk, so that when the operating system loads from the hard disk, the firmware infects the operating system immediately. You find a virus, so you delete your operating system, but the virus is still there in the firmware on the hard disk. So that was a very hard virus to create, it probably took a country or a large organization to create it, and very hard to get rid of and detect. Antivirus software couldn't detect it, because antivirus software just reads the operating system, not the firmware. So the Equation Group created a virus which was like a boot sector infector. A file infector is like we saw in the example: infect word.exe and infect other files. A macro virus is not necessarily infecting applications but attaching itself to documents, which are normally not executable. A Word document is not executable, but often nowadays the programs have some code so that you can program those documents: macros. Microsoft Word has macros you can write, in Visual Basic or something, such that in the Word document you can automate some tasks. So a macro virus was implemented in the macro language and infected the macros, which
were attached to files. What that meant is when you open up a Word document, if the macro code was executed, the virus is executed. That was much easier, for a while at least, to spread, because people learned not to trust .exe files sent by email. Someone sends you an .exe file in an email: don't execute it. But if someone sends you a Word document in an email, coming from your boss or your friend, maybe you'll open it. It's only a Word document; what can go wrong? What could go wrong is that it has a macro attached to it which executes, and therefore your computer gets infected. So macro viruses were a significant threat for some time. Therefore don't open Word documents in emails, and it's not just Word documents, it's other files as well. A multipartite virus infects using a combination of those techniques. An example of a macro virus, you don't have this, but I'm just giving examples to illustrate some simple concepts: the Melissa virus was one from many years ago, 1999 now. So this was a widespread virus in 1999, and it was a macro virus. What happened was that someone created this virus: they wrote some Visual Basic code, we'll see it in a moment, and they attached it to a Word document, and they posted a message, in this case on a newsgroup, like on a forum, and when other people read that message and then opened up that Word file, the macro executed and the virus executed. At that stage it was common, or at least in some cases, that whenever Word opened a Word file it would automatically execute the macro code, which was a security problem, and since then it's been disabled, so macro code is not executed automatically.
So it was originally spread that way, and then it quickly spread to other computers, because in this case it distributed itself by email. It didn't necessarily just copy itself to other Word documents; it also created an email, automatically created an email from you, who have just been infected, and sent it to 50 of your friends, 50 of the people in your contact book, including the attachment. And if some of those 50 people, just two of those 50 people, were infected, then they'd send to 50 of their friends, and then another four are infected, and so on. It doesn't take long. Maybe I have it here: if you infect four new computers every hour, just four per hour, in one day more than all of the people in the world are infected. So it doesn't take long to spread. That's the idea there. This one spread quite quickly, and what it meant, especially for companies and people in companies, was that the virus had to be removed from all the systems, and that took a lot of effort and effectively cost companies a large amount of money to remove the virus. The guy who created it spent two years in prison. So we will see the code. It's very simple, but just because we see it doesn't mean you should do something like that. It's just an example. I think I may have included the code at the back of your handouts. Did I? Sometimes I do. Yes, it's there on page 181. We will not look at everything, I don't fully understand Visual Basic, but we will see some of the key features in here. How many lines of code is it? Maybe one and a half pages of code? So this one and a half pages of Visual Basic code caused a billion dollars of damage. Melissa: I don't know who Melissa was. Maybe it was one of the creator's friends. The idea: this is attached to a Word document, so when you open up this Word document, this code gets executed. Some of the things that it does: the first thing, here's an if statement, this code here.
This is checking a setting. Word had some security settings such that if the security setting was on, then Word would not execute the macros. So what this virus does is turn the security setting off, so that next time this Word document is loaded the virus is executed again. So this is just a check: if this setting is set, then try to set the security setting to one. Okay, so that's what's happening here: trying to turn the security of the macro code in Word off. Then what it does is it tries to spread, and it spreads in two ways. One way is attaching to other files on the system, and the other is emailing itself to other people. For the email to work: a common email client, especially in large organizations, is Microsoft Outlook. Microsoft Outlook is an email client, and many large companies will use that: not the web-based system, but an actual program installed. What it does, if we look at these lines of code, is get your address list from Microsoft Outlook, and for 50 of the people in your address book, the first 50 people in your address book, it grabs the address entries, and it will stop after X is 50. It creates an email. It sets the subject to this subject here, "Important message from", and it gets the username from the address book. So when you got it, it would say "Important message from Steve", and whenever you get an email saying important message from Steve, of course you open it, and if it's a Word document you trust it. So it created that, and as the body of the email it said: here is that document you asked for, don't show anyone else. So you get an email from someone you know saying here's the document.
You think, oh, okay, open up the Word document, and then you're infected. And it sent that email. So that was one way, and that's how it spread very fast to other systems. It also tried to attach itself to other Word documents. The active document, the document that's currently open in Word, it attaches to; that's in the next few lines of code. And to the normal template: you know in Word you use template files, and a template file is read when you open a new document. So what it tried to do is attach to the template file, so whenever you open a new document in Word that one would also be infected. That's what the next few lines of code do: attach to those other documents. I think it's just cleaning up here, closing the documents. Then at the end, this is what we sometimes call a logic bomb, or a trigger: something that triggers under a certain event. If today's day is the same as the minute right now, then print a message on the screen. Okay, so it didn't do anything, it didn't do any damage or anything malicious, but it printed a harmless message to indicate you've been infected. So that was just an example of what we call a logic bomb: it's triggered to execute when some logic conditions are met. And that was it. So it's 104 lines of code in this virus, quite simple. Now it would not work, because of some other security mechanisms.
So Word normally would not automatically execute this, but in 1999, around 2000, it created significant damage. Of course antivirus can try and detect viruses. So if you receive an email, your antivirus software may scan that email; if it finds a document that contains virus code in there, then it can remove that. So a virus will therefore try to be programmed to conceal itself so it's not detected by antivirus, and there are different concealment strategies. The virus may be encrypted. So the virus code is encrypted; then all the antivirus software sees is random strings, so it's difficult to detect. It's generally hard to do because the virus must have a key to decrypt, so it's usually using some other malicious software to try and decrypt itself. A stealth virus will try to hide itself from known antivirus detection mechanisms, like the file size, like signatures, maybe try to overcome some of the antivirus software. And two ways that it can do that, we'll talk about briefly: a polymorphic and a metamorphic virus. A polymorphic virus changes itself. So what some antivirus software will do is, they know about viruses already. So if a virus has been found, the antivirus software keeps a database: this Melissa virus contains this code, and here's a hash of the Melissa virus, so if you ever see a file with that same hash, then you've found the Melissa virus. So the antivirus software would compare files with known viruses. So what a polymorphic virus tries to do is to change. It tries to change every time it infects. It doesn't change how it works, but it changes its appearance, and the appearance, maybe it changes some code inside so it still does the same thing. By changing, it means that now when the antivirus software sees this file, it doesn't match the known virus because the code has changed. So that's a way that it tries to hide itself. A metamorphic virus also tries to change by changing the code, but it not only changes how it appears, it also changes what it does. And this makes it even harder for virus detection software to work, because of the significant changes in how it behaves, and virus detection software sometimes even looks at what the code does to determine if it's a virus or not, and if it's changing its behavior all the time, it's very hard for the virus detection software to know what to look for. So a metamorphic virus is harder to detect, but generally harder to create. Give me some guide of how to write code that will be different in two versions of the virus but do the same thing. How can you change some code such that the functionality is the same but the code looks different? The virus needs to change itself, not you the programmer: the virus needs to be programmed so that when it copies to another application the code changes. The virus still needs to execute, but the code needs to be different. All right, so the assembly code or the machine instructions need to be different every time you copy to the other executable; it looks different each time. Well, there are some basic ways. The concept is that you have the virus, which is the original virus, maybe version one, virus one, and it has some code in it. And maybe the code, and this is not realistic, but maybe the code sets some variables, in assembly instructions, not in this language, but sets some variables in the code, and then does something with those variables. Then when that virus copies itself and creates a new version, virus version two, all the other lines of code are the same; we could swap these two. So that's what we mean by changing the code, but it still does exactly the same thing, because it doesn't matter what order we set those variables; it will still use them, they'll have the same value. So that's one simple example of what the virus does. It's programmed such that when it copies itself it changes specific lines of code.
It will still work, but it will not be exactly the same as the previous version. The other way would be, when it copies itself again from version two to version three, the same lines, introduce an operation that does nothing. In assembly or machine instructions, there are instructions that do nothing, a no-op. I'm sure you're all good at assembly or hardware programming, but there are no-op operations which do nothing. All right, so now the code is different, but the functionality is the same. So we've inserted, when the code copies itself, it inserts some no-ops such that everything still works, but the virus detection software recognizes that this v3 is not the same as v2. So it's harder to detect. That's the idea of polymorphic viruses. Metamorphic viruses, we're not showing an example, is they'll change but they'll do different things, and that's much harder to program: to write software such that when it runs it changes itself, the software changes itself. It becomes a new type of virus; it may do different things. So much harder to detect, but much harder to create as well. Well, example viruses: we saw the Melissa virus as an example; another one, CryptoLocker, or we mentioned the Equation Group. CryptoLocker is called ransomware, which is, once it infected a computer.
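Before moving on to ransomware, here is an added illustration of the two polymorphic transformations just described (swapping two independent variable stores, and inserting no-ops) from the detector's side. This is example code written for these notes, not code from the lecture or from any real antivirus product: the toy instruction set, the three "versions" of the program and the benign program are all constructed here. It shows why a database of exact hashes misses v2 and v3, and why an antivirus that first normalises the code (drops no-ops, canonicalises the order of independent stores) or that looks at what the code does when run still matches all three.

```python
"""Why an exact signature misses polymorphic variants, and what still catches them.

Added example for this lecture; not code from the lecture or any real antivirus
product. The instruction set, the three "versions" and the benign program are
constructed here; the only transformations applied are the two the lecture
describes: swapping independent variable stores and inserting no-ops.
"""
import hashlib

# Constructed toy instruction set:
#   ("set", var, const)   store a constant in var
#   ("add", dst, a, b)    dst = a + b
#   ("out", var)          emit the value of var (the program's observable effect)
#   ("nop",)              do nothing
V1 = [("set", "a", 1), ("set", "b", 2), ("add", "c", "a", "b"), ("out", "c")]
# v2: the two independent stores are swapped (same behaviour, different bytes)
V2 = [("set", "b", 2), ("set", "a", 1), ("add", "c", "a", "b"), ("out", "c")]
# v3: v2 with no-ops inserted between instructions
V3 = [("nop",), ("set", "b", 2), ("nop",), ("set", "a", 1),
      ("add", "c", "a", "b"), ("nop",), ("out", "c")]
# An unrelated program that must not match any signature.
BENIGN = [("set", "a", 5), ("out", "a")]


def run(program):
    """Execute the toy program and return everything it emits."""
    env, emitted = {}, []
    for ins in program:
        op = ins[0]
        if op == "set":
            env[ins[1]] = ins[2]
        elif op == "add":
            env[ins[1]] = env[ins[2]] + env[ins[3]]
        elif op == "out":
            emitted.append(env[ins[1]])
        elif op != "nop":
            raise ValueError(f"unknown instruction {op!r}")
    return emitted


def _digest(obj):
    return hashlib.sha256(repr(obj).encode()).hexdigest()


def exact_signature(program):
    """Hash of the program exactly as stored: what a naive signature database keeps."""
    return _digest(program)


def normalise(program):
    """Undo the cosmetic changes: drop no-ops and put each run of consecutive
    stores to *distinct* variables into a canonical (sorted) order."""
    out, run_ = [], []

    def flush():
        targets = [ins[1] for ins in run_]
        # Only reorder when the stores are independent (no variable set twice).
        if len(set(targets)) == len(targets):
            out.extend(sorted(run_, key=lambda i: i[1]))
        else:
            out.extend(run_)
        run_.clear()

    for ins in program:
        if ins[0] == "nop":
            continue
        if ins[0] == "set":
            run_.append(ins)
        else:
            flush()
            out.append(ins)
    flush()
    return out


def normalised_signature(program):
    """Hash after normalisation; identical for all three variants."""
    return _digest(normalise(program))


def behaviour_signature(program):
    """Hash of what the program does when run (emulation-style detection)."""
    return _digest(run(program))


def detect(sample, known):
    """Return the names of the strategies under which `sample` matches `known`."""
    strategies = (("exact", exact_signature),
                  ("normalised", normalised_signature),
                  ("behaviour", behaviour_signature))
    return [name for name, sig in strategies if sig(sample) == sig(known)]


if __name__ == "__main__":
    for label, sample in (("v1", V1), ("v2", V2), ("v3", V3), ("benign", BENIGN)):
        print(label, "emits", run(sample), "matches v1 under", detect(sample, V1))
```

Running it shows v2 and v3 matching v1 only under the normalised and behaviour strategies. The behaviour strategy is the one the lecture hints at for metamorphic viruses, and it has a cost: any program that happens to emit the same values would also match, which is the false-positive trade-off behaviour-based scanners have to manage.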
We said the damage it does is encrypt the files. So that's a special case called ransomware. It encrypts your files and then pops up a message saying your files have been encrypted; if you want to decrypt them, within two days you must send $300 to this account using Bitcoin, which is considered anonymous payment, such that once you pay you'll get the key to decrypt and get all your files back. So that was an example of the damage that a virus could do. What about worms? There are similarities between a worm and a virus; sometimes we mix them up. But a worm is usually a standalone program; it doesn't attach to another one to execute. It's a standalone program, and it would normally seek out other computers to infect, so copy itself as a program. Because it was a standalone program, to copy itself to other computers it usually uses some network software to do that, and often had to take advantage of bugs in other network software, like web servers, like client applications. It may also be spread via media. So again, you pick up the USB drive, install it, and there's a file on there which is the worm, which executes. So it can do the same as a virus, but the distinguishing thing is that a virus attaches itself to other files or programs to execute; a worm is a standalone program that executes. There's not much more to say about worms, I think. How does it spread? How does a program get to other computers, how does it replicate? Different network software: file sharing software, you install some file sharing software and it copies itself to other computers; email or instant messaging, so there's an attachment, so the program is an attachment to a message which is then executed; often problems or bugs in software that allows you to remotely log in to computers or remotely connect to computers. So it usually required network software to distribute itself. So an example, just one example of a worm. This was in 2001. It was called the Code Red worm.
There's no need to copy this down; it's just one example. The idea was that the worm infected web servers. All right, so web servers specifically: there was a web server from Microsoft called IIS, Internet Information Server. So the web servers are running this software. What a web server normally does: a web browser sends an HTTP GET request to the server, the server finds a file and sends back a response. So that's HTTP, to communicate from browser to server. So the server just receives requests, gets the file, sends it back. There are some other things you can do with a server. You can send information to the server, and the server may trigger some operations, like update a database. There was a bug in the web server such that you could send a very special encoded request from a browser, a special HTTP GET request, such that when the web server received that, it stores some part of that message in memory, in RAM. So the web server received this very strange request. There was a bug in the server such that what was inside the request was stored in memory, and in a location such that it was executed. So it was essentially executed by the web server. So that infected the computer running the web server. The worm was stored in RAM. Of course, if you shut down that computer, the RAM is cleared and the worm is deleted, but most web servers are running 24-7, so they're not shut down. So the worm was left there running. And what the worm did once it infected that computer is, it tried to infect other computers. So the web server is infected; now the worm would send requests to random other computers, other web servers, trying to infect them. And it did that for 19 days.
This was the design: to spread to the other computers. Then it tried to do a denial of service attack, and our next topic is on denial of service attacks, but I think you know the idea is to overload some service; here it was to overload the White House website. So it just sent many requests to a particular website, with the idea that not just this one but all the other infected web servers are also sending requests to that one website to overload it. It didn't last that long. It infected about 200,000 web servers in about five hours, and that caused a lot of the network resources to be consumed due to the denial of service attack. So a lot of the messages being sent meant the network was very slow. There were modified versions that, even though the holes in the web server were fixed, tried to take advantage of other bugs. So a key point here is that often worms will take advantage of bugs in software. So when you're going out with your job and you're working in IT security, what do you do to overcome this? What's a simple thing you can do to overcome such a worm? Well, you can't necessarily fix all the bugs in the software. Okay, but a simple thing is make sure that your software is up to date, because commonly what happens is that in software, servers especially, bugs are found and they're fixed and updates are issued. So if you keep your software up to date, or at least keep track of the bugs which are found, then it's less likely that someone can take advantage of bugs in your software that's running. So keeping software up to date and keeping track of bugs in software is a key security mechanism, because many attacks take advantage of bugs, in the same way that you keep your operating system up to date. So that was an example of a worm. What have we got?
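As an added example for the Code Red discussion above, written for these notes and not taken from the lecture or from any real intrusion detection product, here is the kind of check a web-server operator can run over a request log to spot the pattern the lecture describes: a request far larger than any normal one, padded with a repeated character and carrying encoded bytes that no ordinary URL needs, sent repeatedly by the same client as it probes for victims. The log format ("client method target status" per line) and all sample lines are constructed for the example, and the thresholds are assumptions; it is not the real Code Red signature.

```python
"""Flagging oversized, padded HTTP requests in a web-server log.

Added example for the lecture; not code from the lecture and not a real Code
Red signature. The log format ("client method target status" per line), the
sample lines and the thresholds are all constructed/assumed for this example.
"""
import re
from collections import defaultdict

MAX_TARGET_LEN = 512   # assumed upper bound for a normal request target
MIN_REPEAT_RUN = 64    # a run this long of one character is padding, not a path
LOG_LINE = re.compile(r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")
# %XX escapes for control bytes (00-1F), DEL (7F) and non-ASCII bytes (80-FF)
ODD_ESCAPE = re.compile(r"%(?:[01][0-9A-Fa-f]|7[Ff]|[89A-Fa-f][0-9A-Fa-f])")
REPEAT_RUN = re.compile(r"(.)\1{%d,}" % (MIN_REPEAT_RUN - 1))

# Constructed sample log: two ordinary clients and one host sending oversized requests.
SAMPLE_LOG = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.5 GET /images/logo.png 200",
    "203.0.113.9 GET /search?q=hello%20world 200",
    "198.51.100.7 GET /cgi/handler.dll?" + "X" * 600 + "%00%01%ff 500",
    "198.51.100.7 GET /cgi/handler.dll?" + "X" * 600 + "%00 404",
    "203.0.113.9 GET /about.html 200",
]


def parse_line(line):
    """Split one log line into its fields, or return None if it is malformed."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def request_reasons(target):
    """Return the list of reasons a request target looks like an exploit attempt."""
    reasons = []
    if len(target) > MAX_TARGET_LEN:
        reasons.append("oversized")
    if REPEAT_RUN.search(target):
        reasons.append("repeated-padding")
    if ODD_ESCAPE.search(target):
        reasons.append("binary-escape")
    return reasons


def scan_log(lines):
    """Map each client to the (truncated target, reasons) of its flagged requests."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = request_reasons(rec["target"])
        if reasons:
            findings[rec["client"]].append((rec["target"][:40] + "...", reasons))
    return dict(findings)


def scanning_clients(findings, min_hits=2):
    """Clients with repeated flagged requests: the pattern of a worm probing for victims."""
    return sorted(c for c, hits in findings.items() if len(hits) >= min_hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for client, hits in found.items():
        for target, reasons in hits:
            print(client, target, reasons)
    print("probing clients:", scanning_clients(found))
```

Such a check is a stop-gap that buys time to see an attack in progress; as the lecture says, the durable fix is keeping the server software patched, because the flagged request only works against the unfixed bug.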
Well, social engineering. So worms and viruses are spreading malicious software usually via network means; social engineering is tricking users into compromising their own system. You've probably received the email saying "Your email account has reached its limit. Please send your username and password back to this and we'll increase the limit or the quota on your email account", or "Please follow the instructions in this link so that we can give you something extra". So these are spam emails coming from people with the intention that you will think it's a real email from someone whose instructions you should follow. You follow the instructions, and that leads to installation of malicious software on your computer. So it's usually done by attachments, or maybe even nowadays links in those emails. So you see a link, you click on the link, it takes you to what you thought was your bank website, but it's actually a fake website that then gathers information, and that's commonly used in what's called phishing attacks. What's a phishing attack? Anyone know? You use a lure, right: you pull them in, you use a lure, when they take the bait you pull them in. Well, with respect to tricking them into doing something: so you lure them in by offering something, offering something free, offering something of use to them, the users, and when they follow a link, open an attachment, then that leads them to execute the malicious software. We'll see some further examples in the later slides. Another aspect of social engineering is called a Trojan horse, and this is software that we think is useful and is useful; right, it does something that we want, but it also does some harmful things. So, I need some software to unzip my files.
Alright, so I go download a free zip utility, very useful for me, unzips all my files, but included in that software are some hidden malicious actions. So now when I download that software and use it, it also does some malicious things on my computer. So that's called a Trojan horse. So the harmful functions are hidden inside something that's quite useful; so another way that malicious software can propagate. What have we got left? Let's just see. Right, let's just go through these four slides, I think briefly; now we'll go through them next week. Let's give one last example. These examples, no need to remember; a couple of them I think are links from the website. And this one is an interesting one because it was quite a complex example. I don't expect you to read it, but there is a 60 or 70 page PDF from a security company explaining a particular security attack, malicious software, and this malicious software was called Stuxnet. Okay, everyone's heard of Stuxnet. Maybe when it was released you may have heard it in the news. So this was in 2011, and this is a nice document because it explains how it works. Stuxnet was some malicious software; it actually took advantage of multiple bugs at the time, and what people think it did was to shut down or to compromise the nuclear reactors or the nuclear research facilities in Iran. So they think it was done from a government agency that tried to stop Iran from developing nuclear materials. And the way they did that was to get the equipment that helps in the development of nuclear materials to malfunction: centrifuges, things that spin, get them to operate outside of their normal condition so that they fail, and that was done with malicious software. So just to highlight some of the things in here; some we'll recognize, some we'll see in the next few slides. No need for you to read; I'll just mention some of the things.
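Going back to the phishing links described earlier (the link that looks like it goes to your bank but actually leads to a fake website), here is an added example of the check an email client or mail gateway can make before the user clicks. This is example code written for these notes, not code from the lecture. The email HTML is constructed, and the bank domain (www.bank.example) and the fake destinations use the reserved .example and .invalid names and a documentation IP address, so nothing in it refers to a real site. The rule it applies is simple: if the visible link text reads like a web address, its hostname must agree with the hostname the link really goes to, and a link whose destination is a bare IP address is flagged as well.

```python
"""Spotting a phishing link whose visible text and real destination disagree.

Added example for the lecture; not code from the lecture or any mail product.
The e-mail HTML is constructed; www.bank.example, the .invalid host and the
203.0.113.10 address are placeholders, not real sites.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url_or_text):
    """Hostname of a URL; bare text without a scheme is read as 'https://text'."""
    if "://" not in url_or_text:
        url_or_text = "https://" + url_or_text
    host = urlsplit(url_or_text).hostname
    return host.lower() if host else None


def looks_like_address(text):
    """Visible text that a reader would take for a web address."""
    return " " not in text and ("://" in text or "." in text.strip("."))


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """Return [(text, href, reasons)] for every link with a phishing indicator."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for text, href in parser.links:
        reasons = []
        real_host = host_of(href)
        if real_host is None:
            continue
        if is_ip_literal(real_host):
            reasons.append("destination is a bare IP address")
        if looks_like_address(text) and host_of(text) != real_host:
            reasons.append(f"text shows {host_of(text)} but link goes to {real_host}")
        if reasons:
            flagged.append((text, href, reasons))
    return flagged


# Constructed phishing-style message: one honest link and two deceptive ones.
SAMPLE_EMAIL = """
<p>Your account quota is nearly full. Please verify your details.</p>
<a href="https://www.bank.example/help">Help centre</a><br>
<a href="http://203.0.113.10/login">https://www.bank.example/login</a><br>
<a href="http://www.bank.example.verify-now.invalid/">www.bank.example</a>
"""

if __name__ == "__main__":
    for text, href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```

The third link is the case users miss most often: the real hostname begins with the bank's name, but what matters is how it ends, and comparing whole hostnames catches it. Hovering over a link in a mail client shows the same information this code extracts.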
It's very hard to see, but this malicious software took advantage of several bugs in Microsoft files. Like, you can have link files, LNK files, on a disk; there was a bug such that it will automatically be executed when you open a disk with that file. It spread through LANs using some bugs in printers or print software, and through some other network software, Samba or SMB. What did it do? Let's see. What it did was try to compromise industrial control systems. So in factories, in this case in nuclear power, or not nuclear power, nuclear research centers where they're trying to develop materials, there's certain equipment which is controlled by computers. Okay, so say a centrifuge that spins to create materials, and it's controlled by a computer. Those computers that control the hardware, the equipment, are usually not on a network, or not on the Internet; they don't have internet access. They may be on a LAN inside the building, but they don't have external internet access. So how can we infect a computer from the other side of the world that doesn't have internet access? How do they get started? We've got a computer that operates a machine. We want to make that machine fail, so we're going to try and infect that machine with malicious software. How can we infect that machine if it has no internet access? How do we infect something that we can't connect to via the Internet? We need some physical means, maybe some USB drive. So the first portion of the attack was to get someone from outside to inside the LAN.
There's no external internet access, but there is a local area network. To get someone with a USB or some other disk drive to plug it into a computer, whether it was deliberately or whether it was accidentally, that is, someone had their infected USB drive, they plugged it into a computer; that computer doesn't have internet access, but it does have access to a LAN. That computer was then infected, and then that spread and tried to find computers inside the LAN. The way that it spread inside the LAN was using some of these different techniques: the errors in the print software in Windows, the file sharing software in Windows. Then what it did, and it describes the scenario here (it's worth reading just the first two or three pages), is it eventually found the computer that controls the machinery in the factory or in the building. And essentially what it did then is it had another piece of malicious software that made it operate outside of its normal conditions, maybe make it spin too fast, for example, spin so fast that it would break down. That was the end result: that the machines would break down, with the aim of stopping them from developing nuclear material. We will see in some of the later topics that for this to work, for Windows to run software, nowadays Windows checks the drivers and checks whether they are signed. So Windows won't run or allow you to install any drivers for hardware; it must be signed by a trusted organization. So another form of this attack was to compromise the organizations that sign the drivers and to get a signed driver on this malicious software, to make sure that the hardware or Windows would accept the software. So we'll see the role of digital certificates in a later topic as well. So what I suggest for homework before next week, and I think there's a link on the website, if not you'll find it, is to read at least the first.
So this is just page three: read the attack scenario here, the first three pages of this document, just one page of the attack scenario, the executive summary, and you'll see some of the malicious software that we've talked about, and you'll see it in a real attack and the complexities involved. What we'll do next week is quickly go through the malicious software by payloads and then some of the countermeasures that antivirus uses