guide to operating system security chapter 2 viruses, worms, and malicious software

Guide to Operating System Security

Chapter 2

Viruses, Worms, and Malicious Software

2 Guide to Operating System Security

Learning Objectives

Explain how viruses, worms, and Trojan horses spread

Discuss typical forms of malicious software and understand how they work

Use techniques to protect operating systems from malicious software and to recover from an attack


Viruses, Worms, and Trojan Horses

Different forms of malicious software (malware)

Intended to Cause distress to a user Damage files or systems Disrupt normal computer and network functions


Viruses

Programs borne by a disk or a file that has the ability to replicate

Typically affect Executable program Script or macro Boot or partition sector of a drive


How Viruses Spread

Transported from one medium or system to another

Replicated throughout a system (eg, W32.Pinfi)


Virus Classification (Continued)

How they infect systems Boot or partition sector File infector Macro Multipartite


Virus Classification (Continued)

How they protect themselves from detection or from a virus scanner Armored Polymorphic Stealth Companion

Benign or destructive


Worms

Programs that replicate on the same computer or send themselves to many other computers

Can open a back door


How Worms Spread

Buffer overflow (eg, Code Red and CodeRed II)

Port scanning or port flooding Compromised passwords


Trojan Horses and How They Spread

Programs that at first appear useful, but can cause damage or provide a back door

Examples Backdoor.Egghead AOL4FREE Simpsons AppleScript Virus


Locations for Viruses, Worms, and Trojan Horses (Continued)


Location for a UNIX/Linux System


Location for a Windows XP System


Typical Methods Used by Malicious Software

Executable methods Boot and partitions sector methods Macro methods E-mail methods Software exploitation Spyware


Executable Methods

Files that contain lines of computer code that can be run Examples: .exe, .com, .bat, .bin, .btm, .cgi, .pl, .cm

d, .msi Can infect source or execution code of a

program


Boot and Partition Sector Methods

Particularly affect Windows and UNIX systems Typically infect/replace instructions in MBR or

Partition Boot Sector Can corrupt address of primary partition May move boot sector to another location if size of

virus exceeds space allocated for boot sector Eradication typically involves recreating MBR and

Partition Boot Sector instructions


Macro Methods

A virus can infect a macro and spread each time the macro is used

Software is configured so that macros are disabled unless digitally signed by a trusted source


Macro Protection


E-Mail Methods

Sent as attachments to e-mail


Software Exploitation

Particularly aimed at new software and new software versions

Examples of potential vulnerabilities DNS services Messaging services Remote access services Network services and applications


Spyware

Software placed on a computer typically without user’s knowledge reports back information about user’s activities

Some operate through monitoring cookies


Protecting an OS from Malicious Software

Install updates View what is loaded when a system is booted Use malicious software scanners Use digital signatures for system and driver

files Back up systems and create repair disks Create and implement organizational policies


Installing Updates for Windows

Windows Update Provides access to patches that are regularly issued

Service packs Address security issues and problems affecting

stability, performance, or operation of features included with the OS


Using Windows Update


Installing Updates for Red Hat Linux (Continued)

Issued frequently; can be downloaded from Web site

Red Hat Network Alert Notification Tool must be configured


Installing Updates for Red Hat Linux (Continued)


Installing Updates for NetWare

Download updates and/or consolidated support packs from Novell’s Web site


Installing Updates for Mac OS X

Software Update tool enables you to: Configure the system to automatically check for

updates at specified intervals Manually check for updates View currently installed updates


Installing Updates for Mac OS X


Viewing What Is Loaded When a System Is Booted

Windows 2000, Windows XP Professional, and Windows Server 2003 View information on-screen Have a log record information (Advanced Options

menu) Red Hat Linux and NetWare

Automatically display boot load information Mac OS X

Display boot process by booting into either single user mode or verbose mode


Advanced Options Menu


Using Malicious Software Scanners

Effective way to protect operating system Scan systems for virus, worms, and Trojan

horses Often Called Virus Scanners


Malicious Software Scanners: Features to Look For (Continued)

Scans memory and removes viruses Continuous memory scanning Scans hard and floppy disks and removes

viruses Scans all know file formats Scans HTML documents and e-mail

attachments


Malicious Software Scanners: Features to Look For (Continued)

Automatically runs at a scheduled time Manual run option Detects known and unknown malicious

software Updates for new malicious software Scans files that are downloaded Uses protected or quarantined zones for

downloaded files


Using a Virus Scanner


Virus Scanning Software (Continued)

continued…


Virus Scanning Software (Continued)


Using Digital Signatures for System and Driver Files

Digital signature Code placed in a file to verify its authenticity by

showing that it originated from a trusted source Driver signing

Placing a digital signature in a device driver to• Show that the driver is from a trusted source

• Indicate compatibility with an OS


Backing Up Systems and Creating Repair Disks

Most OSs offers ways to back up your system Some OSs enable creation of a boot disk or

repair disk Windows 2000

• Emergency Repair Disk (ERD) Windows XP or Windows Server 2003

• Automated System Recovery (ASR) set Red Hat Linux

• Boot disk


Creating a Windows 2000 ERD

Create a new ERD each time you: Install software Make a server configuration change Install a new adapter Add a NIC Restructure a partition Upgrade the OS

Enables you to fix problems with the server


Creating a Windows 2000 ERD


Creating an ASR Set

Two components Backup of all system files (1.5 MB or more) Backup of system settings (about 1.44 MB)

Does not back up application data files


Creating an ASR Set


Creating a Red Hat LinuxBoot Disk

Enables booting a system from a floppy disk


Creating and Implementing Organizational Policies (Continued) Provide users with training in security techniques Train users about common malicious software Require users to scan floppies and CDs before use Establish policies about types of media that can be

brought in from outside and how they can be used Establish policies that discourage/prevent users from

installing their own software


Creating and Implementing Organizational Policies (Continued) Define policies that minimize/prevent

downloading files; require users to use a virus scanner on any downloaded files

Create quarantine areas for files of uncertain origin

Use virus scanning on e-mail and attachments Discard e-mail attachments from unknown or

untrusted sources


Chapter Summary

Viruses, worms, and Trojan horses How they spread through operating systems and

across networks What they target and why

Typical forms of malicious software Boot sector viruses Viruses that attack through macros

How to set up defenses, such as operating system patches and repair disks

guide to operating system security chapter 2 viruses, worms, and malicious software

Documents

security boot

security locations

security trojan horses

program slide

door slide

security viruses programs

malicious software slide

security worms programs