
Introduction to MALICIOUS CODE

MALICIOUS CODE - some observations

• Definition: Malicious code is any code added, changed or removed from a system in order to intentionally cause harm or subvert the intended function of the system.
• “If you let somebody else execute code on your computer, then it is not your own computer”
• Malicious code can be many things: viruses, worms, trojan horses, rabbits, etc.
• Note that from a technical/scientific viewpoint: malicious code is “normal” code!
• Thus: the malware problem is a software problem.

MALICIOUS CODE - some recent trends

• previously malware was normally of one specific kind. Nowadays, it is “multifunctional” and very complicated.
• all kinds of malware tend to be called “virus”.
• Top 6 (2004): Bagle, Mydoom, Netsky, Sasser, Kargo and Sober
• Most viruses today are non-destructive.
• Rather they try to take control over your computer, so that it can be used for other, malicious purposes, e.g. to distribute spam. (It is claimed that 70% of all email today is spam.)

MALICIOUS CODE - reasons for increase

• there are a few trends that largely influence the wide spread of malicious code:
• Growing number and connectivity of computers
  - “everybody” is connected and dependent on computers
  - the number of attacks increases
  - attacks can be launched easily (automated attacks)
• Growing system complexity
  - unsafe programming languages
  - heterogeneity
  - hiding code is easy
  - verification and validation is impossible (let alone proofs)
• Systems are easily extensible
  - mobile code, dynamically loadable modules
  - incremental evolution of systems

TYPES OF MALICIOUS CODE

• Traditional virus (1988)
  - attaches to existing program code
  - intervenes in normal execution
  - replicates and propagates
• Document virus (macro virus)
  - highly formatted documents include commands (+data)
• Worm (1975, 1982)
  - is a stand-alone program that replicates and spreads copies of itself via the network. Non-trivial to make.
• Trojan horse
  - is a “normal” program that contains some hidden functionality that is unwanted by the user.

TYPES OF MALICIOUS CODE

• Hoax virus
  - is no virus at all. It is an email with a bogus warning.
• Rabbit (bacteria, greedy programs)
  - is a virus (or worm) that replicates without bound, thus exhausting some computing resource. Does not spread to other systems. (attacks availability only)
• Stealth virus
  - hides the modifications it has made in the system, normally by monitoring system calls and forging the results of such calls
• Polymorphic virus
  - avoids virus scanners by producing multiple variants of itself or encrypting itself.

TYPES OF MALICIOUS CODE

• Attack script
  - is a program that exploits some security weakness to carry out an attack.
• Java attack applet
  - is a program that is embedded in a Web page.
  - spreads through web browsers
• ActiveX control
  - is a Microsoft version of a Java applet
  - it is much more powerful than the Java applet
  - ActiveX controls are extremely dangerous if used for malicious purposes

MALICIOUS CODE - IMPLEMENTATION METHODS

• Logic bomb
  - malware that triggers on a condition and “detonates”
• Time bomb
  - malware that triggers on a time condition and “detonates”
• Trap door (Back door)
  - is an undocumented and unknown (to the user) entry point to a system.
  - it is normally inserted during the system design phase
  - could be put there for a useful purpose (trouble shooting, testing, maintenance), but left by mistake.
• Salami attack
  - achieving some economic benefit by making a large number of insignificant changes, e.g. rounding errors.
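A defender-side illustration of the traditional virus bullet above (code that "attaches to existing program code") and of the caveat the stealth virus bullet raises: a hash-based file integrity check that records a known-good baseline and later reports every file that was modified, removed or added. This is an added example, not code from the lecture notes; the directory layout, file names and file contents are constructed sample data.

```python
# Added example: hash-based file integrity check (not from the lecture notes).
# The files and their contents below are constructed sample data.
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large program files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Record the hash of every regular file under root: the 'known good' state."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_against_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree with the baseline and classify every difference."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Build a baseline, change the tree the way a file infector leaves it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"constructed program body A")
        (root / "bin" / "other").write_bytes(b"constructed program body B")
        baseline = build_baseline(root)

        # Later state: extra bytes were appended to one program (the slides'
        # "attaches to existing program code") and an unknown file appeared.
        with open(root / "bin" / "tool", "ab") as f:
            f.write(b" + constructed bytes not present at baseline time")
        (root / "bin" / "dropped").write_bytes(b"constructed unknown file")

        return check_against_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())  # {'modified': ['bin/tool'], 'missing': [], 'new': ['bin/dropped']}
```

Two points follow from the slide text. Because the check flags any change to a protected file regardless of its content, it is not defeated by a polymorphic virus re-encrypting itself, which only byte-signature scanners suffer from. It is, however, only as trustworthy as the system calls it relies on: a stealth virus that forges the results of file reads can return the original bytes to the checker, so the baseline has to be kept offline and the comparison run from a known-clean environment (for example after booting from separate media).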