
DEPARTMENT OF INFORMATION TECHNOLOGY

Semester: T.E. Semester VI Information Technology
Subject: Systems & Web Security
Subject Professor Incharge: Prof. Yogesh Doulatramani
Assisting Teachers: Aashna Parikh
Laboratory: L05A

Student Name: Hitesh Khade
Roll Number: 12110B1056
Grade and Subject Teacher's Signature:

Experiment No. 7

Experiment Number: 7
Experiment Title: Case Study of Malicious & Non-Malicious Programs
Resources / Apparatus Required:
Hardware: IBM PC Compatible Computer System
Software: JDK, NetBeans

Objectives (Skill Set / Knowledge Tested / Imparted): Malicious & Non-Malicious Programs to be studied

Theory of Operation

Malicious code
Malicious code is the term used to describe any code in any part of a software
system or script that is intended to cause undesired effects, security breaches or
damage to a system.
Types of Malicious code are as follows:
1) Computer Virus
A computer virus is a self-replicating computer program which can attach itself to
other files/programs, and can execute secretly when the host program/file is
activated. When the virus is executed, it can perform a number of tasks, such as
erasing your files/hard disk, displaying nuisance information, attaching to other
files, etc.
Example:
1. The Morris worm
In 1998 Robert Morris, a university student, unleashed a worm which affected 10
per cent of all the computers connected to the internet (at the time the net was
estimated to consist of 60,000 computers), slowing them down to a halt. Morris is
now an associate professor at MIT.


2. The Concept virus
The Concept virus, accidentally shipped on a CD-ROM supplied by Microsoft in
1995, was the first virus to infect Microsoft Word documents. Within days it
became the most widespread virus the world had ever seen, taking advantage of
the fact that computer users shared documents via email.
3. The Anna Kournikova worm
The Anna Kournikova worm posed as a picture of the tennis player, but was in fact
a virus written by Jan de Wit, an obsessed admirer from the Netherlands. He
ended up receiving a community service sentence.
4. ILOVEYOU
The Love Bug flooded internet users with ILOVEYOU messages in May 2000,
forwarding itself to everybody in the user's address book. It was designed to steal
internet access passwords for its Filipino creator.
5. The Melissa virus
The Melissa virus, written by David L Smith in homage to a Florida stripper, was
the first successful email-aware virus and inserted a quote from The Simpsons
into Word documents. Smith was later sentenced to jail for causing over $80 million
worth of damage.

(2) Worms
A worm is a self-replicating program that does not need to attach to a host
program/file. Unlike viruses, worms can execute themselves. Worms have the
ability to spread over a network and can initiate massive and destructive attacks in
a short period of time.
One typical example of a massive attack is the "SQL Sapphire Slammer
(Sapphire)" worm that struck on 25 January 2003. Sapphire exploited a
vulnerability in the MS SQL Server or MSDE 2000 database engine. The weakness
lay in an underlying indexing service for which Microsoft had released a patch
in 2002. It doubled in size every 8.5 seconds, and infected more than 90 percent
of vulnerable hosts within 10 minutes. It eventually infected at least 75,000
hosts and caused network outages that resulted in:
Canceled airline flights
Interference with elections
Bank ATM failures
Example:
1. The Morris worm
In 1998 Robert Morris, a university student, unleashed a worm which affected 10
per cent of all the computers connected to the internet (at the time the net was
estimated to consist of 60,000 computers), slowing them down to a halt. Morris is
now an associate professor at MIT.
2. The Anna Kournikova worm
The Anna Kournikova worm posed as a picture of the tennis player, but was in fact
a virus written by Jan de Wit, an obsessed admirer from the Netherlands. He
ended up receiving a community service sentence.
3. ILOVEYOU
The Love Bug flooded internet users with ILOVEYOU messages in May 2000,
forwarding itself to everybody in the user's address book. It was designed to steal
internet access passwords for its Filipino creator.

(3) Trojan Horses


A trojan horse is a non-replicating program that appears legitimate, but actually
performs malicious and illicit activities when executed. Attackers use trojan horses
to steal a user's password information, or they may simply destroy programs or
data on the hard disk.
A trojan horse is hard to detect as it is designed to conceal its presence by
performing its functions properly.
Some recent examples are:
Trojan horses embedded into online game plug-ins which help online
gamers advance their game characters; however, the online game
account and password are also stolen. The gamer's cyber assets are
therefore stolen.
Trojan horses embedded into popular commercial packages and
uploaded to websites for free download or to be shared across peer-to-peer
download networks.
Trojan horses are particularly dangerous due to the fact that they can also open a
back door into a system and allow an attacker to install further malicious programs
on your computer. Back Orifice and SubSeven are two well-known remote access
trojan horses that allow attackers to take control of a victim's computer.
Example:
The Japanese government has revealed that computers in the country's
parliament suffered a cyber attack originating from China in July.
Computers and servers in the lower house of the country's parliament became
infected by a Trojan horse virus after one politician opened an email
attachment, according to a report from Channel News Asia.
It remains unclear exactly what information, if any, was compromised in the
incident, as it was not reported until a month later. There is concern that during
the time it went unlogged, the Chinese-based server behind the attack may have got
access to passwords and other data on the infected computers.
The government is reportedly investigating the issue, having not been aware of it
prior to today's announcement. It says that legal action will be taken if necessary.
News of this incident in Japan comes just a day after the UK's head of cyber
security warned of the threat that Chinese hackers pose to governments and
companies.
Maj Gen Shaw, who heads up the British Ministry of Defence's cyber security
programme, told the Daily Telegraph that "the biggest threat to [the] country by
cyber is not military, it is economic." Shaw recounted one example which saw a
company in the UK go bust after the blueprint for the revolutionary wind turbine
blades it designed was obtained by hackers who went on to develop a cheaper
version.
Japan is by no means the last government in Asia to have Internet security issues
of late. India recently pledged to improve its cyber security after revealing that 117
government websites had been hacked over a six-month period.

(4) Spyware & Adware


Spyware is a type of software that secretly forwards information about a user to
third parties without the user's knowledge or consent. This information can include
a user's online activities, files accessed on the computer, or even user's
keystrokes.
Adware is a type of software that displays advertising banners while a program is
running. Some adware can also be spyware. They first spy on and gather
information from a victim's computer, and then display an advertising banner
related to the information collected.
A system with spyware / adware installed may display one or more of the following
symptoms:
The default start page of the web browser is changed to another website
and/or new items are added to the Favorites folder without the user's
consent. The user cannot undo the changes, and these browser hijackers
force the user to visit the unwanted websites in order to, for example,
inflate the hit rate of the websites for higher advertising value.
Pop-up windows with advertisements open on the screen even when the
user's browser is not running or when the system is not connected to the
Internet.
New software components, such as browser toolbars, are installed on a
user's computer without his or her permission.
Suspicious network traffic appears on the user's computer when he or she
is not performing any online activities.
However, some spyware is carefully programmed to avoid being noticed, and
hence cannot be detected from the above abnormalities. This type of spyware
can only be detected and removed by anti-spyware products / tools.
Example:
Adware (short for advertising-supported software) is a type of malware that
automatically delivers advertisements. Common examples of adware include
pop-up ads on websites and advertisements that are displayed by software. Often
times software and applications offer free versions that come bundled with
adware. Most adware is sponsored or authored by advertisers and serves as a
revenue generating tool.
While some adware is solely designed to deliver advertisements, it is not
uncommon for adware to come bundled with spyware (see below) that is capable
of tracking user activity and stealing information. Due to the added capabilities of
spyware, adware/spyware bundles are significantly more dangerous than adware
on its own.
(5) Rootkit
A rootkit is a collection of files that alter the standard functionality of an operating
system on a computer in a malicious and stealthy manner. By altering the
operating system, a rootkit allows an attacker to act as system administrator on the
victim's system (or the "root" user in a Unix system, hence the name "rootkit").
Many rootkits are designed to hide their existence and the changes they made to
a system. This makes it very difficult to determine whether a rootkit is present on a
system, and identify what has been changed by the rootkit. For example, a rootkit
might suppress directory and process listing entries related to its own files.
Rootkits may be used to install other types of attacker tools, such as backdoors
and keystroke loggers. Examples of rootkits include LRK5, Knark, Adore, and
Hacker Defender.
Example:

Lane Davis and Steven Dake - wrote the earliest known rootkit in the early
1990s.
NTRootkit - one of the first malicious rootkits targeted at Windows OS.
HackerDefender - this early Trojan altered/augmented the OS at a very
low level of function calls.
Machiavelli - the first rootkit targeting Mac OS X appeared in 2009. This
rootkit creates hidden system calls and kernel threads.
(6) Active Content
Unlike the traditional methods of working with static data files using a software
program, today's data objects, such as web pages, email and documents can
interweave data and code together, allowing dynamic execution of program code
on the user's computer. The fact that these data objects are frequently transferred
between users makes them efficient carriers of viruses. The transparency of code
execution can be a security concern.
The two main 'active content' technologies are ActiveX controls and Java. In
general, ActiveX poses a greater threat because it has direct access to native
Windows calls, and hence any system function. Java, on the other hand, is
"sandboxed" or insulated from operating system services by the Java Virtual
Machine. However, this does not mean that there will never be a Java virus.
Example:
(7) Zombies and Botnets
A zombie computer, usually known in the short form zombie, is a computer
attached to the Internet that has been compromised and manipulated without the
knowledge of the computer owner. A botnet refers to a network of zombie
computers that have been taken over and put under the remote control of an
attacker.
A botnet might consist of thousands of zombie computers, and even more. The
zombie computers in the botnets can consist of computers at homes, schools,
businesses and governments scattered around the world.
A zombie computer itself may only be slowed down slightly, or display
mysterious messages. However, the whole botnet can be used by the attacker for
a massive attack, such as DDoS (the Distributed Denial of Service) attack, against
another system or network. Due to the large number of machines in a botnet, the
aggregate computing power can be enormous when all these machines work
together to launch a DDoS attack against a single target.
You should protect your machines or systems from becoming zombie computers.
Example:
Australian botnet-related case
In March 2006, the Australian High Tech Crime Centre (AHTCC) reported that a
Melbourne man had been charged with botnet-related activities after a joint
investigation by the AHTCC, the Australian Federal Police, and NSW and Victoria
Police. Initial information was provided by the Belgian Federal Computer Crime
Unit following a series of DDoS attacks on IRC servers in Australia, which also
affected the United States, Singapore and Austria. The suspect, a 22-year-old
male, faces charges under s 474.14 of the Criminal Code Act 1995 (Cth), which
creates an offence of using a telecommunications network (such as the internet)
with intention to commit a serious offence. The serious offence involved may be
any offence punishable by five years or more under Commonwealth, state,
territory or foreign laws, and the maximum penalty under s 474.14 is as for the
serious offence. A committal hearing in this prosecution was listed for December
2006.
(8) Scareware
Scareware, sometimes called rogueware, comprises several classes of
ransomware or scam software with malicious payloads. While pretending to be
legitimate anti-virus software or the like, scareware is in fact dummy software
without functions, or sometimes even malicious software which may, for
example, steal the victim's personal information and credentials such as
passwords or credit card details. Ransomware makes your computer files
inaccessible. The victim is then requested to pay a fee ("ransom") to regain
access to their files.
Scareware usually entices victims by convincing them that a virus has infected
their computer, then suggesting that they download (and pay for) anti-virus
software to remove it. Very often, the virus is entirely fictional, and the software
installed is the scareware itself. In addition to the loss of money paid for the
scareware, the personal details and credit card information provided by the victim
during the purchase of the scareware can be used by criminals in further fraud or
sold on black market forums.
Ransomware is a twisted form of scareware. One common tactic is for the
malware to reach victims through phishing emails with a malicious attachment.
Once infected, the makers of the ransomware can "kidnap" the user's computer
and hold it to ransom by, for example, stopping the computer from working,
encrypting key system files or locking up some of the personal information. The
victim needs to pay the ransom to free their machine and get their files back.
Protection against scareware and ransomware requires the common best
practices against malware; in particular, users must be cautious and exercise
common sense, and the use of legitimate security software is of particular importance.
Some best practices for protection against scareware, ransomware, as well as
other virus and malicious code attacks are:
Don't use software from a dubious source under any circumstances.
Do learn to protect yourself from visual spoofing. Some criminals try to
use visual spoofing techniques to collect personal information or make
you believe you are installing and accepting software / plug-ins / active
content from a safe source.
Do not open email attachments in suspicious emails, especially
compressed files (e.g. .zip, .7zip) or executable files (.exe).
Do not visit suspicious websites or follow URL links from untrusted
sources or emails.
Do install malicious code detection and repair software with the latest
signatures and conduct a full system scan periodically.
Do back up important data regularly. Keep the backups in a safe location
to avoid their being affected by the malware.
Do stay constantly aware of any suspicious activities.
Example:
i) Fear for others is regularly used as an emotional trigger. In January scammers
began circulating a phishing email that looked as though it was from a legitimate
funeral home, offering condolences on the death of "a friend" and asking recipients to
open the attached invitation to the funeral. The attachment, statistically more likely
to be opened by the elderly, contained malicious software.
ii) Other scammers try phone calls where you can hear someone screaming and
they tell you that your child has been kidnapped and you need to send them
money. Some threaten to shoot their "hostage" if you disconnect the call.
(9) Logic bombs
Logic bombs are small programs or sections of a program triggered by some
event such as a certain date or time, a certain percentage of disk space filled, the
removal of a file, and so on. For example, a programmer could establish a logic
bomb to delete critical sections of code if she is terminated from the company.
Logic bombs are most commonly installed by insiders with access to the system.
Example:
UBS PaineWebber system administrator Roger Duronio has been charged
over a logic bomb
Former UBS PaineWebber system administrator, Roger Duronio, has been
charged with sabotaging company computer systems in an attempt to manipulate
its stock price. Duronio placed logic bombs that deleted files on the computers.
Duronio has been charged with one count of securities fraud and one count of
violation of the Computer Fraud and Abuse Act.
(10)Time bombs
The ticking time bomb scenario is a thought experiment that has been used in
the ethics debate over whether torture can ever be justified. As a thought
experiment, there is no need that the scenario be plausible; it need only serve to
highlight ethical considerations. The scenario can be formulated as follows:
Suppose that a person with knowledge of an imminent terrorist attack, that will kill
many people, is in the hands of the authorities and that he will disclose the
information needed to prevent the attack only if he is tortured. Should he be
tortured?
Example: In The Wall Street Journal online, shortly after Feinstein began speaking,
six former directors and deputy directors of the CIA argued that this was too narrow
a reading of what a ticking time bomb means.
In the aftermath of the Sept. 11 attacks, former directors George Tenet, Porter
Goss and Michael Hayden wrote, the CIA had evidence that al Qaeda was
planning a second wave of attacks, that Osama bin Laden had met with Pakistani
nuclear scientists, reports (which turned out not to be accurate) that nuclear
weapons were being smuggled into New York, and evidence that al Qaeda was
trying to manufacture anthrax.
"It felt like the classic ticking time bomb scenario every single day," they wrote.
(11)Rabbit worm
1974- The Rabbit (or Wabbit) virus, more a fork bomb than a virus, is written. The
Rabbit virus makes multiple copies of itself on a single computer (and was named
"Rabbit" for the speed at which it did so) until it clogs the system, reducing system
performance, before finally reaching a threshold and crashing the computer.
Non-Malicious code
Non-malicious (but intentional) flaws are often features that are meant to be in the
system, and are correctly implemented, but nonetheless can cause a failure when
used by an attacker.
Types of Non-Malicious Code
1) Buffer Overflows
A buffer overflow is the computing equivalent of trying to pour two liters of water
into a one-liter pitcher: Some water is going to spill out and make a mess. And in
computing, what a mess these errors have made!
Definition
A buffer (or array or string) is a space in which data can be held. A buffer resides
in memory. Because memory is finite, a buffer's capacity is finite. For this reason,
in many programming languages the programmer must declare the buffer's
maximum size so that the compiler can set aside that amount of space.
Example:

Buffer overflow vulnerabilities were exploited by the first major
attack on the Internet. Known as the Morris worm, this attack infected
more than 60,000 machines and shut down much of the Internet for
several days in 1988.
A buffer overflow in a 2004 version of AOL's AIM instant-messaging software
exposed users to buffer overflow vulnerabilities. If a user posted a URL in their
IM away message, any of his or her friends who clicked on that link might be
vulnerable to attack. AOL's response was to suggest that users update to a new
version that would fix the bug.
The Blaster worm that attacked Microsoft Windows systems in August
2003 relied upon a known buffer overflow in remote procedure call
facilities. Once it was installed on a given computer, Blaster would attempt
to find other vulnerable computers. Upon finding a vulnerable computer,
Blaster would issue instructions that would create a process on the target
and cause the worm to be downloaded to it.
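As an added illustration (not part of the original report), the following C code shows the fixed-size-buffer problem from the Definition above in the shape the Morris and Blaster examples exploited: a network message whose sender-supplied length field is trusted. The wire format, the record layout and the sample messages are constructed for this example; the hardened parser checks the declared length against both the buffer capacity and the bytes actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* the "one-liter pitcher": a fixed-size buffer */

/* Constructed wire format: [len: 1 byte][len bytes of name][age: 1 byte]. */
struct record {
    char name[NAME_MAX];
    int  age;          /* lives right after name[] in memory */
};

/* Vulnerable version: trusts the sender's length byte and never looks at how
   many bytes actually arrived. A len >= NAME_MAX writes past name[]. */
int parse_record_unsafe(const uint8_t *msg, struct record *r)
{
    size_t len = msg[0];                 /* attacker-controlled */
    memcpy(r->name, msg + 1, len);       /* no bound check */
    r->name[len] = '\0';
    r->age = msg[1 + len];
    return (int)len;
}

/* Hardened version: the declared length is checked against both the buffer
   capacity and the bytes received before anything is copied. */
int parse_record(const uint8_t *msg, size_t msglen, struct record *r)
{
    if (msglen < 2) return -1;           /* need at least len byte and age byte */
    size_t len = msg[0];
    if (len >= NAME_MAX) return -1;      /* leave room for the terminating NUL */
    if (len + 2 > msglen) return -1;     /* declared length exceeds the message */
    memcpy(r->name, msg + 1, len);
    r->name[len] = '\0';
    r->age = msg[1 + len];
    return (int)len;
}

/* Well-formed constructed message: name "alice", age 30. Returns 5. */
int demo_good(struct record *out)
{
    static const uint8_t msg[] = { 5, 'a', 'l', 'i', 'c', 'e', 30 };
    return parse_record(msg, sizeof msg, out);
}

/* Oversized message: declares 32 name bytes, which cannot fit in name[16]. */
int demo_oversized(struct record *out)
{
    uint8_t msg[34];
    msg[0] = 32;
    memset(msg + 1, 'A', 32);
    msg[33] = 30;
    return parse_record(msg, sizeof msg, out);
}

/* Truncated message: declares 10 name bytes but only 3 were received. */
int demo_truncated(struct record *out)
{
    static const uint8_t msg[] = { 10, 'b', 'o', 'b' };
    return parse_record(msg, sizeof msg, out);
}

int main(void)
{
    struct record r;
    int n = demo_good(&r);
    printf("good: %d (%s, %d)\n", n, r.name, r.age);
    printf("oversized: %d\n", demo_oversized(&r));
    printf("truncated: %d\n", demo_truncated(&r));
    return 0;
}
```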
(2) Race Condition Exploits
Race conditions arise from multiple processes/threads that operate on related
entities in an OS that has preemptive scheduling. Any good OS book will describe
race conditions. The effects are often an unexpected result in a computation, a
deadlock, or a livelock. This class of flaw is also called Time-Of-Check To
Time-Of-Use (TOCTOU).
Within user processes, almost all race conditions reduce to races in the file
system. Within OS kernels, race conditions are present in various places, e.g., in
virtual memory management code.
Exploits based on race conditions are subtle. They typically require repeated
attempts within a short time window. These exploits can be eliminated by
applying the ideas and techniques of atomicity and mutual exclusion taught in
concurrent programming courses. To keep up performance, race conditions
have to be eliminated only after deep analysis. Real systems continue to suffer
from race conditions because of sloppy design and construction.

Example:
Internet Explorer 2011
"Race condition in Microsoft Internet Explorer 6 through 8 allows remote attackers
to execute arbitrary code or cause a denial of service (memory corruption) via
vectors involving access to an object, aka 'Window Open Race Condition
Vulnerability.' "
This vulnerability was discovered in Jan 2011 and a patch was released and
publicly disclosed in August 2011. An attacker composes a web page with
malicious code and when a user visits this page, the exploit happens.
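As an added example (not from the report), here is the file-system race the text refers to, in C on a POSIX system: a check-then-use open that can be redirected by swapping the path for a symbolic link between the two calls, next to an open that resolves the path once and verifies what it actually got. The scratch directory and file names are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Time-of-check to time-of-use: access() resolves `path` once and open()
   resolves it again. Between the two calls the name can be repointed (for
   example at a symlink), so the check passes on one object and the write
   lands on another. */
int open_for_write_unsafe(const char *path)
{
    if (access(path, W_OK) != 0)          /* time of check */
        return -1;
    return open(path, O_WRONLY);          /* time of use: resolved again */
}

/* Hardened: resolve the name exactly once, refuse to follow a symlink in the
   final component, then inspect the object actually opened through the
   descriptor (fstat) instead of through the name. */
int open_for_write_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                        /* a symlink fails here with ELOOP */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Creates a scratch directory holding a regular file and a symlink to it, then
   returns 1 if the unsafe opener follows the link while the safe opener rejects
   it and still accepts the regular file; 0 otherwise, -1 on setup failure. */
int demo_symlink_handling(void)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX";   /* constructed scratch path */
    char file[64], link[64];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(file, sizeof file, "%s/target.txt", dir);
    snprintf(link, sizeof link, "%s/link.txt", dir);

    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || symlink(file, link) != 0)
        return -1;
    close(fd);

    int unsafe_fd = open_for_write_unsafe(link);  /* follows the link */
    int safe_fd   = open_for_write_safe(link);    /* refuses the link */
    int direct_fd = open_for_write_safe(file);    /* regular file is fine */
    int result = (unsafe_fd >= 0 && safe_fd < 0 && direct_fd >= 0);

    if (unsafe_fd >= 0) close(unsafe_fd);
    if (direct_fd >= 0) close(direct_fd);
    unlink(link); unlink(file); rmdir(dir);
    return result;
}

int main(void)
{
    printf("unsafe opener follows the symlink, safe opener refuses it: %s\n",
           demo_symlink_handling() == 1 ? "yes" : "no");
    return 0;
}
```

The symlink stands in for whatever the name might be repointed at during the gap; the fstat check also catches the case where the opened object is not a regular file owned by the caller.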
(3)Incomplete Mediation
Incomplete mediation is another security problem that has been with us for
decades. Attackers are exploiting it to cause security problems.

Definition
The two parameters look like a telephone number and a date. Probably the client's
(user's) web browser enters those two values in their specified format for easy
processing on the server's side. What would happen if parm2 were submitted as
1800Jan01? Or 1800Feb30? Or 2048Min32? Or 1Aardvark2Many?
Something would likely fail. As with buffer overflows, one possibility is that the
system would fail catastrophically, with a routine's failing on a data type error as it
tried to handle a month named "Min" or even a year (like 1800) which was out of
range. Another possibility is that the receiving program would continue to execute
but would generate a very wrong result. (For example, imagine the amount of
interest due today on a billing error with a start date of 1 Jan 1800.) Then again,
the processing server might have a default condition, deciding to treat
1Aardvark2Many as 3 July 1947. The possibilities are endless.
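As an added example (not part of the original report), this C validator performs the server-side mediation the paragraph above says is missing: it parses a date parameter in the yyyyMonDD form the text uses (1800Jan01, 2048Min32, ...) and rejects anything outside the expected grammar and calendar instead of failing or guessing. The accepted year range of 1900 to 2100 is an assumption made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Result codes: 0 = valid, otherwise the first check that failed. */
enum { DATE_OK = 0, DATE_BAD_FORMAT, DATE_BAD_YEAR, DATE_BAD_MONTH, DATE_BAD_DAY };

/* Year bounds are an assumption for this example. */
#define MIN_YEAR 1900
#define MAX_YEAR 2100

static const char *MONTHS[12] = { "Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                  "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" };

static int is_leap(int y)
{
    return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
}

static int days_in_month(int y, int m)   /* m is 1..12 */
{
    static const int days[12] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
    return (m == 2 && is_leap(y)) ? 29 : days[m - 1];
}

/* Validates a client-supplied parameter of the form yyyyMonDD, e.g. "2024Jul03".
   On success the parsed fields are stored through the (optional) out pointers. */
int validate_date_param(const char *s, int *year, int *month, int *day)
{
    /* Grammar first: exactly 9 characters, digits at 0-3 and 7-8, letters at 4-6. */
    if (s == NULL || strlen(s) != 9) return DATE_BAD_FORMAT;
    for (int i = 0; i < 9; i++) {
        int want_digit = (i < 4 || i > 6);
        if (want_digit && !isdigit((unsigned char)s[i])) return DATE_BAD_FORMAT;
        if (!want_digit && !isalpha((unsigned char)s[i])) return DATE_BAD_FORMAT;
    }
    int y = 0;
    for (int i = 0; i < 4; i++) y = y * 10 + (s[i] - '0');
    int d = (s[7] - '0') * 10 + (s[8] - '0');

    /* Then semantics: year range, month name, day within that month. */
    if (y < MIN_YEAR || y > MAX_YEAR) return DATE_BAD_YEAR;
    int m = 0;
    for (int i = 0; i < 12; i++)
        if (strncmp(s + 4, MONTHS[i], 3) == 0) { m = i + 1; break; }
    if (m == 0) return DATE_BAD_MONTH;
    if (d < 1 || d > days_in_month(y, m)) return DATE_BAD_DAY;

    if (year) *year = y;
    if (month) *month = m;
    if (day) *day = d;
    return DATE_OK;
}

int main(void)
{
    /* The text's own malformed inputs plus two well-formed ones. */
    const char *samples[] = { "2024Jul03", "1800Jan01", "1800Feb30", "2048Min32",
                              "1Aardvark2Many", "2023Feb29", "2024Feb29" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-15s -> %d\n", samples[i], validate_date_param(samples[i], NULL, NULL, NULL));
    return 0;
}
```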
Conclusion

Thus we studied the security implications of programming errors.
