In this topic we're going to try and introduce some terminology about malicious software, or malware: things like what is a virus, what is a worm, and some other types of malicious software. We will not go into much detail about each; it will mainly be about being aware of some of the different types of malicious software, but we will not have enough time to go into how each different type works. So mainly the thing that I'd like you to pick up from this topic is to be aware of some of the terms, the differences between different types of malicious software, and some of the classifications. We may see in later topics a few specific cases in more detail, different types of attacks. So malicious software is software that does bad things, and we're looking from the perspective of some attacker that wants to compromise some computer system. One way is to get that computer system to execute some software that does something unexpected. You know of, or you hear of, viruses, and that's one form of malicious software, so we'll talk about and try to explain what we mean by a virus. So some general introduction, and then we'll try and classify. If we get malicious software executing on one computer then it can do bad things for that one computer, but most attackers would like to not just compromise one computer but to spread that malicious software to other computers. So somehow it needs to propagate to other computers, so we'll look at the different propagation techniques. And what does malicious software do when it executes on a computer, what bad things can it do? The payload indicates what that software does. And then briefly we'll look at the countermeasures, things that we can try to do to prevent the malicious software from causing harm. So what do we mean by malicious software, or in short, malware?
One definition: a program that is inserted into the system, so a software program, usually covertly, that is, it's trying to be hidden so that others cannot find it, and has the intent of compromising the security (returning to our first lecture, the three main parts are confidentiality, integrity and availability) of the victim's data, applications and other resources, or otherwise annoying or disrupting the victim. So that's a broad definition of malware or malicious software. So software that gets executed usually tries to stay hidden so that it can run and continue to run without someone detecting and removing it, and to do bad things: for example read confidential information, modify information, modify or compromise the integrity of data, and even attack the availability of a computer, make a computer system unavailable for its intended purpose. And we can broadly classify malicious software by how it propagates and the things that it does, which is called the payload. You can think of malicious software as carrying some payload that, when it executes, does the compromising of the computer system. So the propagation is how that malicious software gets to other computers, and we'll talk about a virus, a worm, and the difference between a virus and a worm; the other form of propagation is social engineering. So viruses and worms are about using software and network facilities to move the software between computers. Social engineering is about taking advantage of human weakness to get a human to do something that supports the malicious software. So we'll talk about them, and the payload is the actions that it takes: so when the malicious software executes, what does it do that is bad? It may corrupt the system, that is, delete files, make it such that some programs cannot run, or modify data, for example. A payload of malicious software may be to enable the computer that it runs on to be accessible for other purposes.
And we'll introduce and talk about zombies and bots and botnets. That is, to run the malicious software on a computer such that that computer now becomes available for the attacker to do other things, or to steal information. So the payload may be, once it executes on a computer, to get some information from that computer and send it back to the attacker. And the other action of the payload is to try and hide itself, to do stealthing, basically so that countermeasures cannot find that malicious software. And we'll mention just at the end countermeasures, for example antivirus software. Antivirus software now is not just about pure viruses; it's generally about trying to stop malicious software from having an effect, and there are different approaches to antivirus or stopping malicious software. First let's look at the propagation techniques, and we'll first generally talk about what is a virus, with a very simple virus as an example to demonstrate the concepts. We can say a virus is a piece of software that infects other programs. So think we have a normal program on our computer like word.exe. So you can think of Microsoft Word: there's an executable, there's a file on your computer, maybe msword.exe is the name of the file. A virus attaches itself to other programs such that when that normal program executes, the virus also executes. So a virus has a host, and that host is usually a normal program, or maybe some file in special cases. And generally we can say that a virus may potentially go through four different phases. So we have a virus attached to a normal program, and that virus may be considered dormant. It's doing nothing; it's just sitting there and does nothing. So when the program executes, the virus doesn't perform any operations. So it may be dormant for some period of time until it's activated in some way. And there are different ways it may be activated: maybe some event, some date or time is reached.
So when the date is the 20th of February 2015 at 9.30 am, then the virus changes from dormant to active. So there are different events that may activate the virus. A virus may try and copy itself into other programs or other areas of the computer system that it's running on. So you can think, if the virus is initially attached to an existing file, for example word.exe is infected with a virus, when that virus executes one phase may be to copy itself to other executables on the file system: copy itself to excel.exe, for example. So that's one of the propagation techniques we'll talk about: copying itself to other programs such that when the normal user runs those other programs the virus will be executed again, which is a means of spreading. The virus may do some bad things, and there may be a trigger to start it doing those bad things, taking those malicious actions. So the trigger activates the virus to perform some functions, and the trigger is again maybe some event. I say like logic bombs, but I should have explained that, or it's explained later. But I think for now a logic bomb is just some event that happens, for example at some time or date or when some file is opened; there's some trigger or some event that triggers an action. And the action depends upon the implementation of the virus. It may do different things. It may do harmless, or relatively harmless, things like display a message on your computer saying you've been infected by this virus, or of course many different malicious things. It may delete files, modify files, encrypt files and then ask you for money to decrypt those files, which is a common form of malicious action that software takes nowadays. So there are many different functions it can perform to cause harm. A virus is usually executed when the program that it infects executes, and as a result they are usually specific to the operating system or the environment where those programs execute.
So propagating to other operating systems is usually much harder, because writing software that will execute on any operating system is much harder. So let's look at the pseudo code of a very simple virus to explain the concept of a virus. It doesn't do anything, but it points out those different phases of a virus and how it can attach itself to other programs. Before we go through that pseudo code, let's explain the concept with a picture, where we can think we have some program P, and let's say it's a file; let's give it an example name. So we have some program, some file on our file system, word.exe, and you can think that program is made up of a set of instructions such that when we execute this program the instructions inside the file are run, are performed. What the virus does, or what it will do in the simple example, is attach itself to that existing program, and we'll say it inserts itself or prepends itself to the existing program, so it inserts itself at the start. So if this file is infected, then the way that we can visualize it is that we have the same file, word.exe, and on top of that we have the virus. We have our normal program P, and if that program is infected we can think, with respect to the code, the virus code is at the start followed by the code of the normal program, such that when someone opens Microsoft Word (and it's just an example, word.exe), when they try and execute that program it actually executes the code in the virus first and then executes the normal code for word.exe. The aim is that when a normal user opens Microsoft Word, in this case the virus code executes, hopefully hiding itself from the normal user, does whatever activities it needs to do, and then the normal code for Word executes and Microsoft Word opens up and the user uses it as normal.
So the slide shows the pseudo code for this part, the virus, assuming it's already infected a particular program. So the program V, that's the virus. The first operation is goto main, okay, let's go to main. Main is the main program and it actually calls a set of subroutines, three subroutines. So the first thing it does: there's a subroutine called infect-executable. With this virus already attached to an existing program, it's already infected one program; the aim here is to try and copy the virus and propagate it to other programs, and infect other executables. So the subroutine infect-executable is called. If we go up to the definition of that subroutine, it's here. What does it do? It is a loop, and the first thing it does is it tries to find some random executable file on your computer. So this is just a simple virus where, let's say, what it does is search through your computer looking for exe files, that's this step, and it returns a file. Then it checks the file that it found; it checks, say, the first line of that file. If the first line of the file contains some special string (in this simple example, one through to seven), then that special string is an indicator that that file is already infected, because our virus, if we go back to the start, contains that special string. The purpose here is to find a file that is not already infected; if the file is infected it will start with this special string. So the loop is: find a random file; if it's already infected then go back to the loop and try again, find another random file; if it's already infected, find another random file. If we get one that's not infected, that doesn't have this special string, then what we do in the else statement is we attach the virus to that file that we found, so prepend the virus to the file. So this is the propagation step. That is, when someone opens word.exe the virus executes, the code within the virus executes
before Word actually opens, and what it's doing at this stage is just finding some files on the file system, checking are they already infected, and if not then attaching the virus to that file. So for example we may eventually find another file, say P2, another program. So it finds this random file, eventually finds it; at the start it doesn't contain the special string of the virus, so it attaches itself to that file and now it's infected another file. So this is an example of a propagation technique, how to copy itself to other files. Once it's done that, so it prepends itself to the other file, then this subroutine infect-executable finishes; in this case it only attaches itself to one other file, and infect-executable finishes. So we move on to the next piece of the code in our main program: if trigger-pulled. So trigger-pulled is some other subroutine; if it returns true then we'll do what's inside the if statement. Trigger-pulled, well, we would code that to be some conditions that would tell us when we want to do damage, when we want to perform our malicious actions. So it could be some code that says if the date is the 20th of February and the time is 9:30 a.m.
then return true; or if the date is later than that date and the time is later than that; or it could be one of many other possible triggers. So it could be if a particular user is logged in, or if a particular file exists on the file system. So if some event occurs on the computer then return true. The idea of this is that it's a way to ensure that the virus only does things under certain conditions, and depending on what malicious activity it wants to perform, it may be useful for hiding itself. So if some conditions are met, the concept here is if the trigger is pulled, we're ready to do the damage, then call the subroutine do-damage. Again we don't give the code here, but that can do anything that the virus implementer wants it to do: for example delete files, modify files, change some settings on the computer, make use of any software on the computer, depending on what the intention is. So this is just pseudo code to show the concepts. Do the damage, for example delete a set of files, or a common thing now is to encrypt files. Some viruses would encrypt all your image and document files on your hard disk: search through your hard disk, encrypt all those files with a key, say with a public key, and to decrypt them you need the private key, and the attacker, the person who distributed the virus, is the only person with the private key and therefore they're the only one who can decrypt your files. And in some attacks today, once your files are encrypted, the attacker gives you information about how you can pay them and they'll decrypt your files for you. So that's an example of some damage that can be done. Once the damage is done, then goto next, which is really just the end of the virus. So the virus code ends here and we move on to execute the normal program. So that was this code executing, and the next thing the computer does is execute the normal program, for example it starts Microsoft Word. So from the user's perspective, when they double click on the
Word icon to start Microsoft Word, it executes this file, which is really executing the virus, potentially doing damage, and then it opens the normal program, so that the user isn't aware that that virus was executed. The normal program opens and the user just behaves as if nothing has happened, but what has happened is that that virus has copied itself to other files and potentially done some damage on the computer. And of course the propagation to other files means that when the user opens Microsoft Excel the virus will execute again, copying itself to other files, and that's a means of spreading across files. We'll see later techniques for spreading not just across files on one computer but moving to other computers, propagating across the network. Any questions so far? This is not a real virus; it's just illustrating some of the concepts of a virus, of what steps it goes through. We will see a real virus in a moment. How do we detect this? If we want to develop a countermeasure, antivirus, to detect this, what could antivirus software do to detect this virus? There are a number of ways. What would the antivirus software do to detect this? There are different ways. Again, find the virus; what would it look for? You're right, it needs to try and find the virus, so it needs to look. So one way is to look through the files, so for example to find the virus look through Microsoft Word, word.exe, look through the code in the files and try and detect some instructions which are typical of a virus. So that's one way, and we'll see that there are more advanced ways of basically doing that: try and look through existing files and see if they contain code which is representative of a virus. In this case, in fact, there is a very simple way to detect it: if we knew that Microsoft Word was a particular size, we knew when we installed Word the file size was a million bytes, now we could check, as the antivirus software, what's the size of word.exe, and we'll see it's larger than a million bytes. We
don't expect the executable to change size as we run it, as we do things on our computer. So we install Word, the file size is one million bytes for example, and then the antivirus later comes back and checks, and it finds that word.exe is one million one hundred thousand bytes. That's an indicator that something has been changed in the executable. So there's a very simple check that antivirus can take: check the file size and make sure the file size matches the previous known file size, the known good file size. Because the virus adds extra code, it basically increases the file size. So one way is just based on file size, but that can be easily overcome by compressing, the virus compressing itself. So on the slides, a compression virus is a way to overcome that simple check. A simple virus could be detected by the file length, so antivirus could go and check: okay, we know word.exe is some known size, for example if we knew when we installed it, it was one million bytes, and then later the antivirus comes and checks and finds it's one million two hundred thousand bytes, then the antivirus software can compare and see, ah, something's changed. So that's an indicator that this may be infected, and then maybe it checks in more detail. From the virus's perspective, that's easy to defeat by simply compressing the file such that the resulting file ends up the same size as the original. So a compression virus can take the original program, attach itself, but compress the original program such that when it attaches itself the resulting file is the same size as the original file. So our original program, let's say, was this size; what the virus does is compress it, make it smaller, such that when we attach the virus the resulting size is the same as the original program, so that the file length effectively doesn't change. So it's not sufficient just to look at file size; as people suggest, you actually need to look at the code inside to be able to check and find a virus, which
takes some time. Okay, that's why one of the problems with antivirus is that finding the virus takes some time with respect to your computer and uses up resources. So the concept is that you can do things to try and hide the virus; one thing is to make sure the file size remains the same. Okay, so if we want to detect the virus now, and assuming we can't do it by file size, we said we want to look for the virus. What do we look for? What would antivirus look for to try and find the virus? Now, see the behavior. So viruses may have some code in common based on what they do, for example delete this file or do this malicious action, so antivirus could check the code inside, say, every executable on your computer and check if that code contains some operations which are common to viruses. If you know the virus in advance, if the antivirus knows the code for this virus in advance, then it can simply check and compare: does this word.exe file contain the code of the known virus? So that's what some antivirus software will do: they'll have a database of known viruses, the code for each of them, and they'll go and check on your computer and see, does your word.exe file contain this code, for all of these known viruses? If so, then we've found a virus. Now that again can be resource consuming, in that we need to compare against many known viruses, and it also requires the antivirus software to know the virus in advance. So if a new virus comes out, the antivirus software may not know about it yet and cannot check against that. So it wants to be more general and try and check not just against known viruses but check for common code that a virus may contain. That's the pseudo code for the compression virus; we will not go through that, but the idea is to shrink the program it infects such that when we attach ourselves the resulting executable is the same size as the original. Right, so we'll talk a little bit more about, maybe we'll do, the concealment strategies, that is, about how a
virus will try and avoid detection by antivirus. We saw one approach: try and compress the file so that you cannot detect it based upon file size. There are other approaches, and one of the types of approaches is to encrypt the virus. Again, if antivirus software is looking for particular types of code, if the virus is encrypted then the antivirus software won't be able to see the code and won't be able to compare against known or expected types of virus code. So one form is the virus actually encrypts itself such that antivirus cannot see what it does. It cannot encrypt itself in its entirety, but the majority of the virus can be encrypted, such that it hides most of its operation from antivirus. There may be other ways for a virus to try and hide itself; so compression is one thing, but it may try and contain code which appears to be normal, so again the antivirus cannot detect it. Another common way is for the virus to change itself. So in our example, when the virus copied itself to excel.exe, in this case the virus code is identical in both programs; it's the same piece of code, it just copies itself, and therefore once the antivirus is aware of that code it can quite easily check all our executables and see if that code is attached to any of them and find the virus. So one thing the virus can try to do, when it copies itself to the new program, is to change the code, and there are two approaches: a polymorphic and a metamorphic virus. The polymorphic virus, when it tries to copy itself to other programs, will try and change the code, but the code will still do the same thing as the original virus. So it just changes, think, the source code, but the operation is still the same as before. How can we have two different programs that do exactly the same thing but have different lines of code, different source code? What can we do in terms of programming? I know you're all expert programmers; what could you do to write two different programs, different source code, but they do exactly the same things?
Sorry? Change the language, right. That could be complex for a virus, to do the exact same thing in a different language, because the virus must do this when it copies itself to the other program. So you're correct, but maybe something easier it could do: change the names of variables, change the ordering of some operations. So for some statements it doesn't matter what order you execute them in; you'll get the same result at the end. You know, set i equal to 5, set j equal to 10: two lines of code; if you reverse them you get different code but you'll get the same result at the end. So that's the idea: if antivirus is looking for that exact piece of code, then what the virus does is change the code as it copies itself to other programs, so that the antivirus now has to look not just for that exact piece of code but for any variation, and that makes it harder for antivirus. So polymorphic: the virus changes itself, but it still performs the same things. For example, maybe we have some code in the virus and then we have some statements that we can reorder, set some variables; the new version can reorder those statements, different source code but does the same thing. Or, so this is virus one, and this is, when we copy ourselves to another program, virus two. Virus one has some code, i, then j, and virus two inserts some operations that do nothing: i equals 5, then... what's an operation that does nothing? What's the name of an operation, if you know assembly maybe you've seen it? There's a no-op. Usually most languages support a no-op, or if you think of the assembly code, the compiled code, a no-op operation does nothing. So by inserting this, again we have different code really, but it does the same thing. So the idea is that a polymorphic virus, when it copies itself to other programs, would try and change itself to make it harder for the antivirus to detect. How can antivirus detect that, then? It's a constant challenge for the virus trying to
hide itself and antivirus trying to find it. What can you do for antivirus now to try and detect this new virus, or the new code? Try and check all combinations? As you may imagine, though... so yes, here's one variation of the virus, so the antivirus looks for, okay, what if we have i equals 5 and j equals 10, or let's try in the opposite order. But you can imagine if we have many lines of code there are many combinations that the virus can change to, and that makes it very difficult for the antivirus to check all of those combinations. Okay, because here there are just two combinations, but now if we have thousands or hundreds of lines of code, there are many opportunities for the virus to change the ordering or introduce no-ops, such that the antivirus would need to check all of them, and that's very time-consuming for the antivirus: to scan through your disk, look for every executable file, and for each executable file, for each potential virus, try many different combinations and check whether that code is present. So that makes antivirus very slow. So yes, it can, but it reduces the performance of antivirus. Another thing we could try and do is not look at the code itself but look at what happens when it executes. So some antivirus will actually execute the code, observe what happens, and then if what happens is detected as something bad or something that a virus would do, then you've detected the virus. So the result in both of these viruses, v1 and v2, would be the same, that it will cause the same things to occur at the end. So what antivirus could do is execute them in a safe environment and compare what the end result is with what it expects from this virus. So it knows when it executes v1 that some end result will occur; when it executes v2, if that same result occurs then we assume it's also a virus. So we don't have to inspect the code; we could actually execute it to see. A way for a virus to get around that is to not just change its code but also change its behavior when it copies itself to another file:
the new copy v2 does something different than the original copy v1, and that's called a metamorphic virus. You think it actually rewrites itself to do something different: maybe it deletes different files, maybe the code has different conditions, different triggers and so on, such that it's much harder for the antivirus to detect, because there's no pattern, or there's no easy pattern, to compare different versions of that virus with. But that's much harder for the virus writer to implement, because getting code to change itself such that it still does something reasonable is hard. Note that this change must occur, must be implemented, inside the virus. That is, when the first version of the virus executes and it copies itself to P2 and changes the code, the virus itself must implement how it changes the code. Okay, because the virus must say, change the source code from this to this, so it must be programmed to change itself, and that's quite complex to do, to write code to change itself: self-changing code, self-modifying code. So just two general approaches that viruses take. The first one, polymorphic: change the code but don't change the behavior. That's generally easier to do with respect to the virus; that's likely real: reorder the lines of code or introduce no-op statements. That's a polymorphic virus, easier to do for the virus, and one way to try and detect it for antivirus is to look at the output of the virus, not just the source code. A metamorphic virus is harder to detect but harder to write, and what a metamorphic virus does is not only change the source code but change the source code such that the virus will do something new in the new copy. It's all about trying to conceal the virus from the antivirus software. Questions about the difference there, polymorphic and especially metamorphic? Before we look at an example, a very simple example, let's look at the target of the virus. So the examples I've given so far are the virus
attaches itself to a program like word.exe such that when we execute that program on our computer the virus executes, but a virus may attach itself to other things or insert itself in other parts of the computer. So the example we use is what we call a file infector: the virus infects files, files that the operating system will execute, so word.exe. There's no purpose in it infecting a text file, because a text file doesn't get executed, normally at least. So they infect files which would later be executed by the operating system. But there are other approaches. A macro virus can infect files which again are executed, but mainly executed by some application, or interpreted by some application. So the example, and where the name macro virus comes from, is a Word document. Normally we think a Word document just contains some non-executable content: text and pictures and so on. So a Word document normally is not executed, but in fact most, so Word documents can include executable code: macros. Macros allow you to program some functionality into your Word document. Who's used macros before? Anyone seen them? A macro, in terms of Microsoft Office, allows you to automate things inside Office. For example you write your Word document, and you can create a macro in some programming language that will automate, so that when you open the document maybe it will format these words in a particular way; it automates those operations. So Word documents and other Office documents support macros, such that when you open the document in Word or in other software it actually executes some code, and so a virus can attach itself to a Word document or a similar document. So it's not just attaching itself to the executable word.exe; it's attaching itself to my homework .doc file, such that when you open that file in Microsoft Word, Microsoft Word executes the macro code which contains the virus, and now the virus executes. And that was for a long time a common way for viruses to be distributed,
because people would email each other or send each other Word documents or other documents; someone would open that in Microsoft Word thinking there were no problems with it, but it would contain some macros which included a virus that actually executes. Most Office programs today will disable such macro features by default as a security feature, so they're not executed. Another target is the boot sector. That is, here we infect executable files that the operating system executes, or documents that applications execute; now the boot sector: so when you boot your computer there's the BIOS, and what happens is that the BIOS reads some part of the hard disk that then loads the operating system. So the operating system is stored on your hard disk, but to start the operating system there needs to be some special code to say, let's load this operating system: the boot sector of your hard disk. If the virus can infect the boot sector of your hard disk, then it means when you start your computer the virus can infect the operating system and can do things to easily hide from antivirus which has started. So if the virus is in the boot sector it can effectively control the whole computer, because it has control of starting the operating system and it can trigger the operating system to do whatever it likes. This was one of the first ways for distributing viruses, in floppy disks. Everyone remembers floppy disks, or at least the smaller versions? What about the bigger ones, five and a quarter inch floppy disks, anyone use them? Okay, so the floppy disks that the computers would use, they were sometimes used to boot a computer. So you wouldn't have the computer boot from the hard disk; you insert the floppy disk, start the computer, and the operating system is loaded from the floppy disk and boots from there. If that floppy disk is infected with a virus, then effectively that infects the entire computer. Not so common today, although some of the more recent attacks have taken
advantage of, a recent one, not just infecting the boot sector but infecting the hard disk. So the hard disk that you buy from Seagate or whoever has some code on it to run the hard disk, some firmware; if that is infected, then everything you do with that hard disk can be compromised. So, different targets. A multipartite virus is one that can combine those methods.

Let's look at an example. The examples I don't need you to remember, but just to have a quick look. Here's your quiz... no, this is just an example of a virus, an old one. Take a copy; I'll show it on the screen. There are many copies, don't worry, I think there should be enough. This is an old virus called the Melissa virus. Can you use this virus to attack my computer? First point is that no: when we talk about viruses, you may study them, but you should not use them, okay. And secondly, no, this one won't work, okay, I don't run Windows, so you won't attack my computer; you'd need another one. But let's look at it just to show, and we will not understand all of the code, but just to show maybe the simplicity of this virus. Where is it? Okay, thank you, I've got it somewhere. This was maybe a bit hard to see on the screen, but you have the hard copy. This was implemented in Visual Basic, and this was a virus attached to a Word document, so a macro virus. So what happened: there was a normal Word document that was distributed, and attached with that Word document were some macros. Macros are used to automate things in Word and in other Office applications: you run some code that automates some actions. And this is the code which was attached to the Word document, the macro, and we'll have a look at some of the things that it does. We don't have to understand everything, and I don't, but just so: when the document is opened, so when the Word document is opened in Word, then this code gets executed. That was the idea. And some of the things that it does: here it's
doing some check about some settings in Microsoft Word at the security level, and checking what this current security level is. So in Word there are some security levels which allow the user to disable the execution of macros. So it's doing some checking and setting the security level to a particular value depending upon the current level, such that in the future... so the idea is to turn off the security features in Word, so the next time someone opens an infected document the security features will not be enabled. That's the idea of this. Let's find... this virus used Microsoft Outlook. What's Microsoft Outlook? Anyone know? Email client, mainly used in businesses, when people have not just web mail but email clients. Microsoft Outlook is a widely used program for email, and so in large companies many people would have Microsoft Outlook installed as well as Office and other Microsoft applications. So this took advantage of Microsoft Outlook to actually distribute by email. So it does some checking to make sure that Microsoft Outlook is available, and let's see what it does. The easy parts to understand: what it does with Microsoft Outlook is it reads the user's address book. So in an email client you have your address book, your contacts. So what it does is it reads the address book, and for each entry in the address book it goes through, let's see this code, for each entry in the address book it goes through and creates an email. The subject of that email is here, "Important Message From", and the subject of the email contains the actual username of the person whose computer is infected. So if it was my computer infected it would say "Important Message From Steve" in the subject of the email, and it creates the body of the email, "Here is that document you asked for... don't show anyone else". It attaches this Word document to that email and then it sends the email. So in this case the propagation is via email. So what it did is that it did it for 50 different
addresses. So this "x greater than 50" here is the limit: you'll only do it for 50 users. So it looks in my address book for the first 50 people in my address book, it creates an email and sends them an email, and those 50 people will get an email from me saying "Important Message From Steve", "Here is that document you asked for", and then the attachment, and the attachment is the infected Word document which is executing this code. So those 50 people would receive the Word document, and if they open the Word document then the virus will run on their computers as well. So this is the propagation technique in this case. So that's propagation. What else does it do? We go down and see some of the activities. I think towards the end it becomes the main thing. It actually tries to also infect the Word template file. In Word you have templates, such that when you create a new document there's some basic template format, and the template file was usually called normal.dot, a template file, and it tried to infect that as well. But we get down to the end and it says what this virus does. Here's a trigger, or a logic bomb: if the current day equals the current minute, then display some message on the screen. So this is a harmless message and it's triggered at a particular date and time. So if the current day is the 20th and the current minute is minute 20 in the hour, then this would be true and it simply displays some message on the screen, so that the user would see that they get this strange message and maybe detect that this virus is present. So this doesn't do anything dangerous like deleting files; it just displays a message. What's the problem with this virus, in terms of what damage can it cause? So it just displays a message, not so much of a problem. What's the problem on a computer system or a computer network that it can cause? What does it do that can cause us damage? It sends an email to 50 of my contacts. Okay, all right, not a big problem yet. So it sends to 50 of my
contacts. Those 50 people get it; let's say 10 of them open the email and click on the attached document, so they are infected, and they send 50 emails to their contacts, so there's another 500 emails. 10 of the people who receive mine open and send to 50, so another 500 emails, and those 500 people who receive it, say some of them will open and then send another, whatever, 20,000 emails, and within a short period of time there are now millions if not billions of emails being sent due to this virus across the world. And the main problem with this virus, the result, was not that it deleted files or anything; it was that it used up network resources, and many email servers started to crash because there were so many emails being sent. And when email servers crash no one can access their email, and that may damage business operations. So without understanding all of the code, I think you can realize that it's 104 lines, so it's not long, this virus; it's just 104 lines of Visual Basic code. It doesn't do much. But this is again information you don't have to remember, but this was in 1999 that it was released. The way that it was first distributed: the original document was sent to some newsgroup, and the people who opened that were infected with the virus. It was estimated at the time it caused one billion US dollars of damage. The damage was in terms of having the email service not working because they were overloaded with emails, and as a result each company had to spend time to fix their computer systems and remove the virus. So the damage was thought of in terms of unavailability of the computer system. The guy who released it was arrested and spent about two years in prison because of that. So that's 104 lines of code, and it requires some conditions: so it required Microsoft Outlook to be running, and it was widely distributed because it sent email to 50 people, so that spreads very quickly. 50 people send to 50 other people and so on, and it
doesn't take long to get to millions of people. And at that time in 1999 most people, when they received a Word document, would just open it up and have a look, and that executed the virus. So that's one simple example. Any questions so far? Of course you're not going to write a virus, but one thing that you may be tasked with in the future is to set up antivirus, and be aware, for a company that you work for, of how to stop viruses, how to educate your users, and to set up software techniques to stop viruses. So you need to be aware of them. We may present a couple of other examples later.

Let's talk about worms. There are similarities between a virus and a worm, and sometimes some overlap, so it's hard to tell the difference, but we often think a virus attaches itself to other software or other documents to be executed; a worm, think of it as a standalone program, so think of its own executable that also tries to spread and to do damage on other computers. So a worm, usually think of it as some program that, once it's executing, will try and seek out other computers to spread to, and then infect those other computers, and continue. And once that worm can execute on other computers then it can do other things, like damage on those computers or set up for other attacks on those computers. And to spread, worms usually need to take advantage of some bugs or vulnerabilities in networking software. We'll show an example which took advantage of a bug in web servers, such that someone could send a request to a web server which would result in that web server executing some malicious code, and then spreading to other websites. So worms usually take advantage of spreading via network connections, network software. They may be spread via shared media: so you plug your USB into someone's computer and a worm is copied onto your USB, so when you plug your USB into another computer it can be copied from the USB to that new computer. So that's some form of manual
transmission. And they may be spread in macros in documents, similar to the one that we saw with the Melissa virus. What a worm will try and do is try and replicate, make copies of itself, and spread to other computers, and it usually carries some payload, which can be maybe doing some damage in terms of deleting files or other things.

I think we'll go direct to an example, just to give a quick example of a worm. Again these are some old examples from some of my old lecture notes, so I haven't provided them to you, but just to make you aware of some of the effects. The Code Red worm, back in 2001. What it did was it took advantage of bugs in the Microsoft web server. The Microsoft web server is called IIS, or it was at the time. So many people run this web server to host their websites. What it did is it sent a special HTTP GET request. Like a browser normally sends a GET request to a server to initiate, it sends a special request to the server where a bug in that server allowed the code in the request to be stored on the server. Normally a server, when it receives a request for a web page, just grabs the web page and returns it to the user, but sometimes a server will execute some code or do some operations based upon the request, and there was a bug in the server that meant that if you coded the request in a particular way, the server would store what's in the request in memory, which would later be executed. So the worm was attached to the GET request sent to a web server, and if the web server had that bug it would store it in memory, and that worm would be executing in that web server. It was stored in RAM, so a reboot of the server deleted the worm, but most web servers are not rebooted because they just keep running. And what it did once it infected a particular web server is that it went through different periods. So for the first 19 days of the month it would try to infect other web servers, so it would send
requests containing itself to other websites randomly, with the hope of spreading to those other websites, infecting them. Then for eight days of the month, all those web servers which were infected would send many messages to a particular target, in this case the White House website. So send many messages to that website with the aim of overloading that website, which is a denial of service attack. And then it was dormant, and then it repeated. It infected about 200 thousand servers in the first five hours that it was available, so that's a very fast spread rate, in that as soon as it infects one web server, that web server then starts to seek out other web servers, and it took five hours to get many infected. And again the main cost of it was not doing things like deleting files; it was using up network resources. The web servers become overloaded and many packets are being sent, so the network slowed down and affected the normal users. So a denial of service attack was the main result, and there were modifications of that to try and do some other things as well. So that's an example of a worm which spread via infecting web servers. There are other ways that they can spread; some of them are listed there. So via email they can spread, file sharing via USB drives and so on, or file sharing applications, for example. Usually network software, software that allows you to send packets across the network: if they can take advantage of that software, then they can copy the worm from one computer to another. And I think that's all I'll say about worms at this stage.

The other aspect of spreading: so we're talking about propagating. Viruses propagate by attaching themselves to other executables or to documents, a macro virus; worms spread by copying the actual program across a network. The other approach is to trick users to assist the attacker in compromising the system, so social engineering. And a common example is spam email: send many emails to people, unsolicited bulk email. So many
emails, bulk email, unsolicited, you didn't ask for it, or it's not from someone who would normally send you an email, with the aim of tricking that user to execute some compromised software. So this takes advantage of tricking the users to do something they shouldn't do: maybe open a link that leads them to some other malicious software, or download an attachment, like an attachment that contains a virus. And I think you may have seen, of course you may unfortunately see many spam emails, and you may see some of them contain links in them, and many of those links would take you to websites which, when you visit the website under certain conditions, would then infect your computer. That is, visiting the website downloads a file to your computer which is infected. Now that's one way of spreading malicious software. We'll talk about, I think towards the end, phishing attacks. What's phishing? Prince, phishing, you've heard of phishing? What's the definition? Pretend that someone sends an email? Right, searching for... yeah. So a social engineering attack, searching for... you're pretending to be someone with the aim of getting information from that person. So sending them an email with the hope that they'll do something like click on a link, or respond in a particular way, to get some information from them that you can then use to compromise a system. Trojan horses refers to software which is normally useful but can also do harmful things. So you go to a free download website where you can download lots of software, and you download your favorite software, and it does the normal things, the things that you need it to do, but included in that software is also some code that does malicious things. So that's an example of a Trojan horse: that is, the software is the normal software plus the malicious software.

Let's just quickly look at what the malicious software may do, the payloads, the things it can contain. The payload can be performing system corruption, so try and cause problems on your
computer system: data destruction, so delete data, delete files. Overwriting data is usually better than deleting data. If you delete a file, then you can have checks to check quite easily: has that file been deleted? And therefore try and detect that things went wrong. If you overwrite a file, let's say you have a file of one megabyte, a photo, and the virus overwrites that with one megabyte of zeros, then of course you've lost your photo, and your system may not be aware that it's been lost, because you still have a one megabyte file there. The only way you're aware is when you try and open that photo and you see it no longer is viewable. So overwriting can have different effects than just deleting. And ransomware, which I mentioned before, where the virus or malicious software encrypts data, usually using a public key. And if something is encrypted with a public key, the only way it can be decrypted is with a private key, and who has the private key? The attacker does. So what they do is they encrypt your files, and then you get a message saying "your files are encrypted; if you want to see them again, if you want to get access to your files again, send me some money and I'll send you the key to decrypt", and if you don't send the money, then your files stay encrypted, so effectively lost. Some system corruption, not just on data but real world damage, so it can damage hardware. We won't get to it today, but I'll point you next week to Stuxnet, a very advanced piece of malicious software where one aim was to cause some power plants and some industrial control systems to fail. That is, we have computers controlling different things in factories or in different machinery, and if that malicious software can get the machinery to operate outside of its specs, to do things that it shouldn't do, then that machinery may fail. So Stuxnet, one thought intention of that was to cause some machinery that works in nuclear power plants to fail, such that those resources could not be used. And
logic bombs, we mentioned before, is when certain conditions are met it takes some action, like data destruction or real world damage. The conditions may be the presence of files, some date or time, or some particular software being run or user being present. We'll come back to zombies and bots next week, but quickly, information theft: try and steal information. So get some malicious software on the computer, for example, that captures all the keystrokes, all the keys you press on your keyboard, because if the software can record every key you press, then usually they'll include your password, your secret information that you type in. So if it captures all the keys you press, then it can go through and look through that log of all the keys you pressed and try and look for sequences that may mean your password. So keyloggers can do that, with the aim of stealing people's passwords. And spyware refers to software that will try and monitor the activity on the computer system, monitor the history, the browsing activity, with the aim again of learning something about what the user is doing, to support some other attack; redirect you to other fake websites, maybe because the attacker owns that fake website and gets money every time someone visits it through advertising; and maybe even changing data between your browser and other websites for performing some malicious actions. Was there one more? Phishing. So pretend to be someone that you would normally trust, for example sending you an email and pretending to appear as if it's from someone that you would trust, so that you would follow the instructions in that email, for example visit the link or download and open the attachment, and then say visiting that link to a website would cause you to download some other malicious software. It could be linking to a fake website for a bank: "please go to your bank and change your username and password", so you click on the link, go to the website, you enter in
your new username and password; that website was a fake bank website run by the attacker, and now the attacker knows your username and password for your real bank account. Spear phishing is a more targeted case of phishing, where the attacker usually knows something about the recipient, the person they're targeting. So phishing on its own is usually done in bulk, that is, an attacker sends messages to many people with the hope that some of them will be tricked into following those links, and they'll get some information from them. Spear phishing is about the attacker targeting, say, one person they know something about. Let's say you want to target me; you know something about me, therefore you can write an email which is something that I would believe, and there's a much higher chance that you can get me to follow the link, open the attachment, and you'll be successful as the attacker. So spear phishing is about a targeted phishing attack. And there are many other types of malicious software; some of them are listed here. You may go and read about them; we won't cover them, but there are many types of malicious software. You should be aware of the basic ones we've mentioned. Next week we'll just go over the ones we skipped, zombies and botnets. I'll give you a couple more examples, the mentioned Stuxnet and one or two others. We'll talk about the countermeasures, some different approaches for stopping malicious software, and that will finish this topic.
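Added example, not part of the lecture and not taken from the Melissa code handed out in class: a small mail-gateway check for the mass-mailing behaviour described earlier (the "Important Message From <user>" subject with a .doc attachment, sent to the first 50 contacts), which is the kind of detection the lecture says you may be asked to set up. The log line format, the example.com addresses, the timestamps and the thresholds are all constructed for this example; the burst check also catches any sender pushing one attachment to many recipients at once, not only Melissa.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (an assumption, not a real MTA log):
# <ISO timestamp> from=<addr> to=<addr> subject="<text>" attach=<filename|none>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) '
    r'subject="(?P<subject>[^"]*)" attach=(?P<attach>\S+)$'
)
# Subject pattern as described in the lecture: "Important Message From <user>".
MELISSA_SUBJECT_RE = re.compile(r"^Important Message From \S+", re.IGNORECASE)
BURST_LIMIT = 20                    # distinct recipients of one attachment (assumed threshold)
BURST_WINDOW = timedelta(minutes=5)  # within this much time (assumed)


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.groupdict()
    msg["ts"] = datetime.fromisoformat(msg["ts"])
    return msg


def matches_melissa_signature(msg):
    """Check 1: the known subject line plus a Word document attached."""
    return (bool(MELISSA_SUBJECT_RE.match(msg["subject"]))
            and msg["attach"].lower().endswith(".doc"))


def find_bursts(msgs):
    """Check 2: one sender, one subject, one attachment, many distinct recipients
    inside BURST_WINDOW. Returns [(sender, subject, attach, peak_recipients)]."""
    groups = defaultdict(list)
    for msg in msgs:
        if msg["attach"] != "none":          # mail without attachments is ignored here
            groups[(msg["sender"], msg["subject"], msg["attach"])].append(msg)
    bursts = []
    for key, items in groups.items():
        items.sort(key=lambda m: m["ts"])
        in_window = defaultdict(int)         # recipient -> messages inside the window
        start, peak = 0, 0
        for msg in items:                    # sliding window over time-ordered messages
            in_window[msg["rcpt"]] += 1
            while msg["ts"] - items[start]["ts"] > BURST_WINDOW:
                old = items[start]["rcpt"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= BURST_LIMIT:
            bursts.append((*key, peak))
    return bursts


def analyse(lines):
    msgs = [m for m in (parse_line(line) for line in lines) if m]
    return {"signature_hits": [m for m in msgs if matches_melissa_signature(m)],
            "bursts": find_bursts(msgs)}


# Constructed sample: one infected user's mail client sending to the first 50
# contacts within a minute, plus ordinary traffic that must not be flagged.
SAMPLE_LOG = [
    f'1999-03-26T10:00:{i:02d} from=alice@example.com to=user{i:02d}@example.com '
    f'subject="Important Message From Alice" attach=list.doc'
    for i in range(50)
] + [
    '1999-03-26T10:01:10 from=bob@example.com to=alice@example.com subject="Lunch?" attach=none',
    '1999-03-26T10:02:00 from=carol@example.com to=dave@example.com subject="Q3 report" attach=report.doc',
    '1999-03-26T10:02:05 from=carol@example.com to=erin@example.com subject="Q3 report" attach=report.doc',
]

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print(f"{len(result['signature_hits'])} messages match the Melissa signature")
    for sender, subject, attach, n in result["bursts"]:
        print(f"burst: {sender} sent {attach!r} ({subject!r}) to {n} recipients within {BURST_WINDOW}")
```

The signature check only catches this one virus; the burst check is the one worth keeping on a gateway, because the lecture's point is that the damage came from the mail volume, not from the payload.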