Malicious Logic

Introduction

Malicious logic, more commonly called malware, is a set of instructions that cause a site's security

policy to be violated.

Example: The following UNIX script is named ls and is placed in a directory.

cp /bin/sh /tmp/.xxsh
chmod o+s,w+x /tmp/.xxsh
rm ./ls
ls $*
It creates a copy of the UNIX shell that set uid to the user executing this program. This program
is deleted, and then the correct ls command is executed. On most systems, it is against policy to
trick someone into creating a shell that is setuid to themselves. If someone is tricked into executing
this script, a violation of the (implicit) security policy occurs. This script is an example of malicious
logic.

Malicious code refers to a broad category of software threats to our network and systems.
Perhaps the most sophisticated types of threats to computer systems are presented by
malicious codes that exploit vulnerabilities in computer systems. Any code which modifies or
destroys data, steals data , allows unauthorized access, exploits or damage a system, and does
something that user did not intend to do, is called malicious code. There are various types of
malicious code we will encounter, including Viruses, Trojan horses, Logic bombs, and
Worms.

A computer program is a sequence of symbols that are caused to achieve a desired functionality;
the program is termed malicious when their sequences of instructions are used to intentionally
cause adverse affects to the system. In the other words we can’t call any “bug” as a Malicious
Code. Malicious codes are also called programmed threats. The following figure provides an
overall taxonomy of Malicious Code.
As presented in the above figure, threats can be divided into two categories:

- Independents: are self contained program that can be scheduled and ran by the operating
system.

- Needs host program: are essentially fragments of programs that can not exist
independently of some actual application program, utility or system program.

Vulnerability to Malicious code (Malware)

Various factors make a system more vulnerable to malware:

 Homogeneity – e.g. when all computers in a network run the same OS, if you can hack
that OS, you can break into any computer running it.
 Defects – most systems containing errors which may be exploited by malware.
 Unconfirmed code – code from a floppy disk, CD-ROM or USB device may be executed
without the user’s agreement.
 Over-privileged users – some systems allow all users to modify their internal structures.
 Over-privileged code – most popular systems allow code executed by a user all rights of
that user.

Trojan Horse

A Trojan Horse is a program with an overt (documented or known) effect and a covert
(undocumented or unexpected) effect. Dan Edwards was the first to use this term.

Trojan horses are impostors—files that claim to be something desirable but, in fact, are malicious.
Trojan horses contain malicious code that when triggered cause loss, or even theft, of data. For a
Trojan horse to spread, we must invite these programs onto our computers; for example, by
opening an email attachment or downloading and running a file from the Internet. Trojan.Vundo
is a Trojan horse.

When a Trojan is activated on computer, the results can vary. Some Trojans are designed to be
more annoying than malicious (like changing your desktop, adding silly active desktop icons) or
they can cause serious damage by deleting files and destroying information on our system. Trojans
are also known to create a backdoor on our computer that gives malicious users access to our
system, possibly allowing confidential or personal information to be compromised.

Example: In the example above, the overt purpose is to list the files in a directory. The covert
purpose is to create a shell that is setuid to the user executing the script. Hence, this program is a
Trojan horse.

Example: A program named "waterfalls.scr" serves as a simple example of a trojan horse. The
author claims it is a free waterfall screensaver. When run, it instead unloads hidden programs,
commands, scripts, or any number of commands without the user's knowledge or consent.

Example: The NetBus program is designed to control a Windows NT workstation remotely.

Victim downloads and installs this that is usually disguised as a game program, or in other fun
programs. It acts as a server, accepting and executing commands for remote administrator which
includes intercepting keystrokes and mouse motions and sending them to attacker and also allows
attacker to upload, download files.

Trojan horses can make copies of themselves. One of the earliest Trojan horses was a version of
the game animal. When this game was played, it created an extra copy of itself. These copies
spread, taking up much room. The program was modified to delete one copy of the earlier version
and create two copies of the modified program. After a preset date, each copy of the later version
deleted itself after it was played.

A propagating Trojan horse (also called a replicating Trojan horse) is a Trojan horse that creates
a copy of itself.
Trojan horses are broken down in classification based on how they breach systems and the
damage they cause. The seven main types of Trojan horses are:

 Remote Access Trojans

 Data Sending Trojans
 Destructive Trojans
 Proxy Trojans
 FTP Trojans
 Security software disabler Trojans
 Denial-of-service attack (DoS) Trojans

- Remote Access Trojans

Abbreviated as RATs, a Remote Access Trojan is one of seven major types of Trojan horse designed
to provide the attacker with complete control of the victim's system. Attackers usually hide these
Trojan horses in games and other small programs that unsuspecting users then execute on their
PCs.

- Data Sending Trojans

A type of a Trojan horse that is designed to provide the attacker with sensitive data such as
passwords, credit card information, log files, e-mail address or IM contact lists. These Trojans
can look for specific pre-defined data (e.g., just credit card information or passwords), or they
could install a keylogger and send all recorded keystrokes back to the attacker.

- Destructive Trojan

A type of Trojan horse designed to destroy and delete files, and is more like a virus than any other
Trojan. It can often go undetected by antivirus software.

- Proxy Trojan

A type of Trojan horse designed to use the victim's computer as a proxy server. This gives the
attacker the opportunity to do everything from your computer, including the possibility of
conducting credit card fraud and other illegal activities, or even to use your system to launch
malicious attacks against other networks.

- FTP Trojan
A type of Trojan horse designed to open port 21 (the port for FTP transfer) and lets the attacker
connect to your computer using File Transfer Protocol (FTP).

- Security software disabler Trojan

A type of Trojan horse designed to stop or kill security programs such as an antivirus program or
firewall without the user knowing. This Trojan type is normally combined with another type of
Trojan as a payload.

- Denial-of-service attack (DoS) Trojans

A type of attack on a network that is designed to bring the network to its knees by flooding it with
useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit
limitations in the TCP/IP protocols. For all known DoS attacks, there are software fixes that
system administrators can install to limit the damage caused by the attacks. But, like viruses, new
DoS attacks are constantly being dreamed up by hackers.

Computer Worms

A computer virus infects other programs. A variant of the virus is a program that spreads from
computer to computer, producing copies of itself on each one. A computer worm is a program that
copies itself from one computer to another. Unlike a virus, it does not need to attach itself to an
existing program. Worms spread by exploiting vulnerabilities in operating systems.

A Worm uses computer networks to replicate itself. It searches for servers with security holes and
copies itself there. It then begins the search and replication process again

Research into computer worms began in the mid-1970s. Schoch and Hupp developed distributed
programs to do computer animations, broadcast messages, and perform other computations. These
programs probed workstations. If the workstation was idle, the worm copied a segment onto the
system. The segment was given data to process and communicated with the worm's controller.
When any activity other than the segment's began on the workstation, the segment shut down.
Example: Internet Worm of 1988 targeted Berkeley, Sun UNIX systems entered the Internet;
within hours, it had rendered several thousand computers unusable. It used virus-like attack to
inject instructions into running program and run them. To recover from this the machines had to
disconnect system from Internet and reboot. To prevent re-infection, several critical programs had
to be patched, recompiled, and reinstalled. The only way to determine if the program had suffered
other malicious side effects was to disassemble it. Fortunately, the only purpose of this virus turned
out to be self-propagation.

Example: The Father Christmas worm was interesting because it was a form of macro worm. It
was distributed in 1987 and was designed for IBM networks. It was an electronic letter instructing
recipient to save it and run it as a program that drew Christmas tree, printed “Merry Christmas!”
It also checked address book, list of previously received email and sent copies to each address.
The worm quickly overwhelmed the IBM networks and forced the networks and systems to be
shut down. This worm had the characteristics of a macro worm. It was written in a high-level job
control language, which the IBM systems interpreted.

Worms with good intent

The Nachi family of worms, for example, tried to download and install patches from Microsoft's
website to fix vulnerabilities in the host system — by exploiting those same vulnerabilities. In
practice, although this may have made these systems more secure, it generated considerable
network traffic, rebooted the machine in the course of patching it, and did its work without the
consent of the computer's owner or user.

In 1982, at the Xerox Park research institute, a worm was created to find idle machines. It was
used to distribute workloads and was not a malicious worm. So worms can be helpful.

Computer Viruses

When the Trojan horse can propagate freely and insert a copy of itself into another file, it becomes
a computer virus. A computer virus is a program that inserts itself into one or more files and then
performs some (possibly null) action. Computer virus works in two phases. The first phase, in
which the virus inserts itself into a file, is called the insertion phase. The second phase, in which
it performs some action, is called the execution phase. The following pseudo-code fragment shows
how a simple computer virus works.

beginvirus:
if spread-condition then begin
for some set of target files do begin
if target is not infected then begin
determine where to place virus instructions
copy instructions from beginvirus to endvirus into target
alter target to execute added instructions
end;
end;
end;
perform some action(s)
goto beginning of infected program
endvirus:

As this code indicates, the insertion phase must be present but need not always be executed.
Authorities differ on whether or not a computer virus is a type of Trojan horse. Most equate the
purpose of the infected program with the overt action and consider the insertion and execution
phases to be the covert action. To them, a computer virus is a Trojan horse. However, others argue
that a computer virus has no covert purpose. Its overt purpose is to infect and execute. To these
authorities, it is not a Trojan horse. In some sense this disagreement is semantic. In any case,
defenses against a Trojan horse inhibit computer viruses.
Programmers wrote the first computer viruses on Apple II computers. A virus developed for
research purposes in 1980 wrote itself to the disk boot sectors when the catalogue command was
executed. The Brain (or Pakistani) virus, written for IBM PCs, is thought to have been created in
early 1986 but was first reported in the United States in October 1987. It alters the boot sectors of
floppy disks, possibly corrupting files in the process. It also spreads to any uninfected floppy disks
inserted into the system. Since then, numerous variations of this virus have been reported. In 1987,
computer viruses infected Macintosh, Amiga, and other computers. The MacMag Peace virus
would print a "universal message of peace" on March 2, 1988, and then delete itself. This computer
virus infected copies of the Aldus FreeHand program, which were recalled by their manufacturer.
In 1989, Dr. Harold Joseph Highland developed a virus for Lotus 1-2-3. This virus, stored as a set
of commands for that spreadsheet, was loaded automatically when a file was opened. Because the
virus was intended for a demonstration only, it changed the value in a specific row and column
and then spread to other files. This demonstrated that macros for office-type programs on personal
computers could contain viruses.

Boot Sector Infectors

A boot sector infector is a virus that inserts itself into the boot sector of a disk. The boot sector is
the part of a disk used to bootstrap the system or mount a disk. Code in that sector is executed
when the system "sees" the disk for the first time. When the system boots, or the disk is mounted,
any virus in that sector is executed.

They first move or overwrite the original boot code, replacing it with infected boot code. They will
then move the original boot sector information to another sector on the disk, marking that sector
as a bad spot on the disk so it will not be used in the future. Boot sector viruses can be very difficult
to detect since the boot sector is the first thing loaded when a computer is starts. In effect, the virus
takes full control of the infected computer.

A boot sector virus infects or substitutes its own code for either the DOS boot sector or the Master
Boot Record (MBR). The MBR is small program that runs every time the computer starts up. It
controls the boot sequence and determines which partition the computer boots from. The MBR
generally resides on the first sector of the hard disk.

Since the MBR executes every time a computer is started, a boot sector virus is extremely
dangerous. Once the boot code on the drive is infected, the virus will be loaded into memory on
every startup. From memory the boot virus can spread to every disk that the system reads.

Example: Brain virus for the IBM PC is a boot sector infector. It moves the disk interrupt vector
(location 13H or 19) to an alternative interrupt vector (location 6DH or 109) and sets the disk
interrupt vector location to invoke the Brain virus now in memory. It then loads the original boot
sector and continues the boot. Whenever the user reads a floppy, the interrupt at location 13H is
invoked. The Brain virus checks for the signature 1234H in the word at location 4. If the signature
is present, control is transferred to the interrupt vector at location 6DH so that a normal read can
proceed. Otherwise, the virus infects the disk. To do this, it first allocates to itself three contiguous
clusters (of two contiguous sectors each). The virus then copies the original boot sector to the first
of the six contiguous sectors and puts copies of itself into the boot sector and the remaining five
sectors. If there are no unused clusters, the virus will not infect the disk. If it finds only one unused
cluster, it will simply overwrite the next two. This accounts for the sometimes destructive nature
of the Brain virus.

Executable Infectors

Executable infectors or File infecting viruses or file infectors are the viruses that infects executable
program. They generally copy their code onto executable programs such as .COM and .EXE files.
Most file infectors simply replicate and spread, but some inadvertently damage host programs.
There are also file infectors that overwrite host files. Some file infectors carry payloads that range
from the highly destructive, such as hard drive formatting, or the benign, such as the display of
messages.
Following figure shows how an executable infector works.

Header Executable code and data

0 100 First program instruction to be e xecuted 1000

Header Virus code Executable code and data

0 100 200 1000 1100

The executable infector inserts itself into the program so that the virus code will be executed before
the application code.

Example: Jerusalem (Israeli) virus is triggered when an infected program is executed. It checks if
system infected, if not, it sets up to respond to requests to execute files. It then checks date and if
it is not 1987 or Friday or 13th, it sets itself up to respond to clock interrupts (but it will not infect
on clock calls). It then loads and executes the file originally executed. When that file finishes, the
virus puts itself in memory. It then responds to calls to the DOS service interrupt. If it is a Friday
and the 13th, and the year is not 1987, the virus sets a flag in memory to be destructive. This flag
means that the virus will delete files instead of infecting them.

Multipartite Virus

A multipartite virus is one that can infect either boot sectors or applications. Such a virus typically
has two parts, one for each type. When it infects an executable, it acts as an executable infector;
when it infects a boot sector, it works as a boot sector infector. This type of virus can re-infect a
system over and over again if all parts of the virus are not eradicated. Multipartite viruses have
dual capabilities and typically infect both system sectors and files.

TSR Viruses

A Terminate and Stay Resident (TSR) virus is one that stays active (resident) in memory after the
application (or bootstrapping, or disk mounting) has terminated. TSR viruses can be boot sector
infectors or executable infectors. Both the Brain and Jerusalem viruses are TSR viruses. Viruses
that are not TSR execute only when the host application is executed (or the disk containing the
infected boot sector is mounted). An example is the Encroacher virus, which appends itself to the
ends of executables.

Stealth Viruses

Stealth viruses are viruses that conceal the infection of files. These viruses intercept calls to the
operating system that access files. If the call is to obtain file attributes, the original attributes of
the file are returned. If the call is to read the file, the file is disinfected as its data is returned. But
if the call is to execute the file, the infected file is executed.

Example: The Stealth virus (also called the IDF virus or the 4096 virus) is an executable infector.
It modifies the DOS service interrupt handler. If the request is for the length of the file, the length
of the uninfected file is returned. If the request is to open the file, the file is temporarily disinfected;
it is reinfected on closing. The Stealth virus also changes the time of last modification of the file
in the file allocation table to indicate that the file is infected.
Encrypted Viruses

Encrypted virus is a virus using encryption to hide itself from virus scanners. That is, the encrypted
virus jumbles up its program code to make it difficult to detect. An encrypted virus's code begins
with a decryption algorithm and continues with scrambled or encrypted code for the remainder of
the virus. Each time it infects, it automatically encodes itself differently, so its code is never the
same. Through this method, the virus tries to avoid detection by anti-virus software. Following
figure illustrates the technique. The ordinary virus code is at the left. The encrypted virus, plus
encapsulating decryption information, is at the right. Thus, an encrypted virus is one that enciphers
all of the virus code except for a small decryption routine.

Virus code Deciphering Enciphered virus code

routine
Deciphering k ey

Polymorphic Viruses

A polymorphic virus is a virus that changes its form each time it inserts itself into another program.
Consider an encrypted virus. The body of the virus varies depending on the key chosen, so
detecting known sequences of instructions will not detect the virus. However, the decryption
algorithm can be detected. Polymorphic viruses were designed to prevent this. They change the
instructions in the virus to something equivalent but different. In some sense, they are successors
to the encrypting viruses and are often used in conjunction with them. Consider polymorphism at
the instruction level.
add 0 to operand
or 1 with operand
no operation
subtract 0 from operand
All of the instructions above have exactly the same effect, but they are represented as different bit
patterns on most architecture. A polymorphic virus would insert these instructions into the
deciphering segment of code.
Polymorphism can exist at many levels. For example a deciphering algorithm may have two
completely different implementations, or two different algorithms may produce the same result. In
these cases, the polymorphism is at a higher level and is more difficult to detect

Macro Viruses

In computing terminology, a macro virus is a virus that is written in a macro language: that is to
say, a language built into a software application such as a word processor. Since some applications
(notably, but not exclusively, the parts of Microsoft Office) allow macro programs to be embedded
in documents, so that the programs may be run automatically when the document is opened, this
provides a distinct mechanism by which viruses can be spread. This is why it may be dangerous
to open unexpected attachments in e-mails. Modern antivirus software detects macro viruses as
well as other types.

A macro virus is a virus composed of a sequence of instructions that is interpreted, rather than
executed directly. A common way for a macro virus to infect a computer is by replacing normal
macros with the virus. The macro virus replaces the regular commands with the same name and
runs when the command is selected.

Example: The Melissa virus infected Word 97 and 98 documents on Windows and Macintosh
systems. It is invoked when the program opens an infected file. It installs itself as the "open" macro
and copies itself into the Normal template (so any files that are opened are infected). It then invokes
a mail program and sends copies of itself to people in the user's address book associated with the
program.

Other Forms of Malicious Logic

Rabbits and Bacteria

Some malicious logic multiplies so rapidly that resources become exhausted. This creates a denial
of service attack. A bacterium or a rabbit is a program that absorbs all of some class of resource.
A bacterium is not required to use all resources on the system. Resources of a specific class, such
as file descriptors or process table entry slots, may not affect currently running processes. They
will affect new processes.

Bacteria, also known as rabbits, are programs that do not explicitly damage any files. Their sole
purpose is to replicate themselves. A typical bacteria or rabbit program may do nothing more than
execute two copies of itself simultaneously on multiprogramming systems, or perhaps create two
new files, each of which is a copy of the original source file of the bacteria program. Both of those
programs then may copy themselves twice, and so on. Bacteria reproduce exponentially,
eventually taking up all the processor capacity, memory, or disk space, denying the user access to
those resources.

This kind of attack is one of the oldest forms of programmed threats. Users of some of the earliest
multiprocessing machines ran these programs either to take down the machine or simply to see
what would happen. Machines without quotas and resource-usage limits are especially susceptible
to this form of attack.

Example: The following shell script would quickly exhaust either disk space or inode tables on a
UNIX system.

while true
do
mkdir x
chdir x
done

Logic Bombs

A logic bomb is a program which has deliberately been written or modified to produce results
when certain conditions are met that are unexpected and unauthorized by legitimate users or
owners of the software.

A logic bomb, sometimes referred to as slag code, is a string of malicious code used to cause harm
to a network when the programmed conditions are met. The term comes from the idea that a logic
bomb “explodes” when it is triggered by a specific event. Events could include a certain date or
time, a particular record being deleted from a system or the launching of an infected software
application.

The level of destruction caused by a logic bomb can vary greatly and the set of conditions able to
set one off is unlimited. Common malicious actions that logic bombs are able to commit include
data corruption file deletion or hard drive clearing.

Logic bombs are programmed threats that lie dormant in commonly used software for an extended
period of time until they are triggered; at this point, they perform a function that is not the intended
function of the program in which they are contained. Logic bombs usually are embedded in
programs by software developers who have legitimate access to the system.

Conditions that might trigger a logic bomb include the presence or absence of certain files, a
particular day of the week, or a particular user running the application. The logic bomb might
check first to see which users are logged in, or which programs are currently in use on the system.
Once triggered, a logic bomb can destroy or alter data, cause machine halts, or otherwise damage
the system. In one classic example, a logic bomb checked for a certain employee ID number and
then was triggered if the ID failed to appear in two consecutive payroll calculations

Example: An example of a logic bomb is any program that mysteriously stops working three
months after, say, its programmer's name has disappeared from the corporate salary database.

Zombies

A zombie is a program that secretly takes over another internet-attatched computer and then uses
that computer to launch attacks that are difficult to trace to the zombie’s creator. Zombies are used
in denial of service attacks, typically against targeted web sites. The zombie is planted on hundreds
of computer belonging to unsuspecting third parties, and then used to overwhelm the target web
site by launching an overwhelming onslaught of internet traffic.
Zombies have been used extensively to send e-mail spam; as of 2005, an estimated 50–80% of all
spam worldwide was sent by zombie computers. This allows spammers to avoid detection and
presumably reduces their bandwidth costs, since the owners of zombies pay for their own
bandwidth. For similar reasons zombies are also used to commit click fraud against sites displaying
pay per click advertising. Others can host phishing or money mule recruiting websites.

Defenses
Defending against malicious logic takes advantage of several different characteristics of malicious
logic to detect, or to block, its execution. The defenses inhibit the suspect behavior. The
mechanisms are imprecise. They may allow malicious logic that does not exhibit the given
characteristic to proceed, and they may prevent programs that are not malicious but do exhibit the
given characteristic from proceeding.

Some malicious logic acts as both data and instructions. A computer virus inserts code into another
program. During this writing, the object being written into the file (the set of virus instructions) is
data. The virus then executes itself. The instructions it executes are the same as what it has just
written. Here, the object is treated as an executable set of instructions. Protection mechanisms
based on this property treat all programs as type "data" until some certifying authority changes the
type to "executable" (instructions). Both new systems designed to meet strong security policies
and enhancements of existing systems use these methods.

Virtual Machines

Virtual memory provides the illusion of physical memory. The abstraction allows a process to
assume that its memory space both is contiguous and begins at location 0. This simplifies the
process' view of memory and hides the underlying physical locations of the process' memory. The
physical memory corresponding to the virtual memory need not be contiguous. Indeed, some of
the locations in virtual memory may have no corresponding physical addresses until the process
references them.
Like virtual memory, a virtual machine provides the illusion of a physical machine. The abstraction
allows operating systems to assume that they are running directly on the hardware. This allows
one to run the operating system, and allows the operating system to run processes, with no changes
in either the operating system or the programs. A second, lower "virtual machine monitor" runs
directly on the hardware and provides the illusion of hardware to the operating systems run above
it. The physical machine may support many virtual machines, each running its own operating
system.

A virtual machine is a type of environment. A virtual machine is a program that simulates the
hardware of a (possibly abstract) computer system. A virtual machine uses a special operating
system called a virtual machine monitor to provide a virtual machine on which conventional
operating systems can run.

The primary advantage of a virtual machine is that existing operating systems do not need to be
modified. They run on the virtual machine monitor. The virtual machine monitor enforces the
desired security policy. This is transparent to the user. The virtual machine monitor functions as a
security kernel.

In terms of policy, the virtual machine monitor deals with subjects (the subjects being the virtual
machines). Even if one virtual machine is running hundreds of processes, the virtual machine
monitor knows only about the virtual machine. Thus, it can apply security checks to its subjects,
and those controls apply to the processes that those subjects are running. This satisfies the rule of
transitive confinement.

Virtual Machine Structure

A virtual machine runs on a virtual machine monitor. That monitor virtualizes the resources of the
underlying system and presents to each virtual machine the illusion that it and it alone is using the
hardware.

Sandboxing
A sandbox is an environment in which the actions of a process are restricted according to a security
policy. Sandboxing is a computer security term referring to when a program is set aside from other
programs in a separate environment so that if errors or security issues occur, those issues will not
spread to other areas on the computer. Programs are enabled in their own sequestered area, where
they can be worked on without posing any threat to other programs.

OR A sandbox is an isolated environment on a network that mimics end-user operating

environments. Sandboxes are used to safely execute suspicious code without risking harm to the
host device or network.

Using a sandbox for advanced malware detection provides another layer of protection against
new security threats—zero-day (previously unseen) malware and stealthy attacks, in particular.
And what happens in the sandbox, stays in the sandbox—avoiding system failures and keeping
software vulnerabilities from spreading.

Sandboxes can look like a regular operating environment, or they can be much more bare bones.
Virtual machines are often used for what are referred to as runtime sandboxes.Systems may
enforce restrictions in two ways. First, the sandbox can limit the execution environment as
needed. This is usually done by adding extra security-checking mechanisms to the libraries or
kernel. The program itself is not modified. For example, the Java virtual machine is a sandbox
because its security manager limits access of downloaded programs to system resources as
dictated by a security policy.

How Does Sandbox Technology Work?

Sandbox testing proactively detects malware by executing, or detonating, code in a safe and
isolated environment to observe that code’s behavior and output activity. Traditional security
measures are reactive and based on signature detection—which works by looking for patterns
identified in known instances of malware. Because that detects only previously identified threats,
sandboxes add another important layer of security. Moreover, even if an initial security defense
utilize artificial intelligence or machine learning (signature less detection), these defenses are only
as good as the models powering these solutions – there is still a need to complement these solution
with an advanced malware detection.

Sandboxing and virtual machines implicitly restrict process rights. A common implementation of
this approach is to restrict the program by modifying it. Usually, special instructions inserted into
the object code cause traps whenever an instruction violates the security policy. If the executable
dynamically loads libraries, special libraries with the desired restrictions replace the standard
libraries.
Information Flow Metrics
Cohen suggests an approach. This approach is to limit the distance a virus which can spread. The
flow distance metric fd(x) for some information x as follows. Initially, all information has fd(x) =
0. Whenever x is shared, fd(x) increases by 1.
Whenever x is used as input to a computation, the flow distance of the output is the maximum of
the flow distance of the input. Information is accessible only while its flow distance is less than
some particular value.

EXAMPLE: Anne, Bill, and Cathy work on the same computer. The system uses the flow distance
metric to limit the flow of information. Anne can access information with a flow distance less than
3, and Bill and Cathy can access information with a flow distance less than 2. Anne creates a
program dovirus containing a computer virus. Bill executes it. Because the contents of the program
have a flow distance of 0, when the virus infects Bill’s file safefile, the flow distance of the virus is
1, and so Bill can access it. Hence, the copying succeeds. Now, if Cathy executes safefile, when
the virus tries to spread to her files, its flow distance increases to 2. Hence, the infection is not
permitted (because Cathy can only access information with a flow distance of 0 or 1). This example
also shows the problem with the flow distance policy (which constrains sharing based on the flow
distance metric). Although Cathy cannot be infected by viruses that Bill has acquired, she can be
infected by viruses that Bill has written. (For example, had Cathy run Anne’s dovirus program,
she would have had her files infected.) The bounding constant limits the transitivity of trust. This
number should therefore be low. If it is 1, only the people from whom Cathy copies files are trusted.
Cathy does not trust anyone that they trust. (cc: Computer Security By Matt Bishop Pg; 1173)

Reducing the Rights

An alternative mechanism is interception of requests to open files. The user can reduce her
associated protection domain when running a suspect program. This follows the principle of least

privilege. The "watchdog" or "guardian" then performs a check to determine if the access is to

be allowed. This effectively redefines the system calls involved. The issues of determining how to
write watchdogs to meet the desired goals and allowing users to specify semantics for file accesses
may prove useful in some contexts—for example, in protecting a limited set of files.

All such mechanisms :

a.trust the users to take explicit actions to limit their protection domains sufficiently

b. trust tables to describe the programs' expected actions sufficiently for the mechanisms to apply
those descriptions and to handle commands with no corresponding table entries effectively,

c. trust specific programs and the kernel when they would be the first programs malicious logic
would attack.

EXAMPLE: Lai and Gray have implemented a modified version of Karger’s scheme on a UNIX
system. They combine knowledge about each command with the command-line arguments of the
current invocation. Their idea is to use this information to determine the user’s intent to access
files and the type of access. They do not protect these files, but instead prevent other files not
named on the command line from being accessed (with two exceptions).

Processes are divided into two groups. File accesses by trusted processes are not checked.
Associated with each untrusted process is a valid access list (VAL) consisting of the arguments of
the process plus any temporary files created. When an untrusted process tries to access a file, the
kernel executes the following sequence of steps.

1. If the process is requesting access to a file on the VAL, the access is allowed if the effective
UID and GID of the process allow the access.

2. If the process is opening the file for reading and the file is word-readable,the open is allowed.

3. If the process is creating a file, the creation is allowed if the effective UID and GID of the
process allow the creation. The file is entered into the VAL of the process and is marked as a new
nonargument (NNA) file. The file’s protection modes are set so that no other user may access the
file.
4. Otherwise, an entry in the system log reflects the request, and the user is asked if the access is
to be allowed. If the user agrees, the access is allowed if the effective UID and GID of the process
allow it. Otherwise, the access is denied. VALs are created whenever a trusted process spawns an
untrusted process, and are inherited. Files marked NNA have permissions such that only the
creating user can access them. They are in the VAL of the creating process, and no others, so
only that process and its descendants can access the NNA file. However,
neither the creating process nor its descendants may change the protection modes of that file.
When the file is deleted, its entry is removed from the VAL. When the process terminates, the user
is notified of any existing NNA files. The trusted processes in a UNIX environment are UNIX
command interpreters (csh and sh), the programs that spawn them on login (getty and
login), programs that access the file system recursively (ar, chgrp, chown, diff, du, dump, find, ls,
cp, restore, and tar), programs that often access files not in their argument lists (binmail, cpp, dbx,
mail, make, script, and vi), and various network daemons (fingerd, ftpd, ntalkd, rlogind, rshd,
sendmail, talkd, telnetd, tftpd, and uucpd).

Malicious Logic Altering Files

Mechanisms using manipulation detection codes (or MDCs) apply some function to a file to obtain
a set of bits called the signature block and then protect that block. If, after re-computing the
signature block, the result differs from the stored signature block, the file has changed, possibly as
a result of malicious logic altering the file. This mechanism relies on selection of good
cryptographic checksums

Proof Carrying Code

Necula has proposed a technique that combines specification and integrity checking. His method,
called proof-carrying code (PCC), requires a "code consumer" (user) to specify a safety
requirement. The "code producer" (author) generates a proof that the code meets the desired safety
property and integrates that proof with the executable code. This produces a PCC binary. The
binary is delivered (through the network or other means) to the consumer. The consumer then
validates the safety proof and, if it is correct, can execute the code knowing that it honors that
policy. The key idea is that the proof consists of elements drawn from the native code. If the native
code is changed in a way that violates the safety policy, the proof is invalidated and will be rejected.
Notion of Trust
The effectiveness of any security mechanism depends on the security of the underlying base on
which the mechanism is implemented and the correctness of the implementation. If the trust in the
base or in the implementation is misplaced, the mechanism will not be secure. Thus, "secure," like
"trust," is a relative notion, and the design of any mechanism for enhancing computer security
must attempt to balance the cost of the mechanism against the level of security desired and the
degree of trust in the base that the site accepts as reasonable. Research dealing with malicious logic
assumes that the interface, software, and/or hardware used to implement the proposed scheme will
perform exactly as desired, meaning that the trust is in the underlying computing base, the
implementation, and (if done) the verification.

Antivirus
Antivirus software is a class of program designed to prevent, detect and remove malware infections
on individual computing devices, networks and IT systems.

Antivirus software, originally designed to detect and remove viruses from computers, can also
protect against a wide variety of threats, including other types of malicious software, such
as keyloggers, browser hijackers, Trojan horses, worms, rootkits, spyware, adware, botnets and
ransomware.

How antivirus software works

Antivirus software typically runs as a background process, scanning computers, servers or mobile
devices to detect and restrict the spread of malware. Many antivirus software programs include
real-time threat detection and protection to guard against potential vulnerabilities as they happen,
as well as system scans that monitor device and system files looking for possible risks.

Antivirus software usually performs these basic functions:

 Scanning directories or specific files for known malicious patterns indicating the presence
of malicious software;
 Allowing users to schedule scans so they run automatically;
 Allowing users to initiate new scans at any time; and
 Removing any malicious software it detects. Some antivirus software programs do this
automatically in the background, while others notify users of infections and ask them if
they want to clean the files.
In order to scan systems comprehensively, antivirus software must generally be given privileged
access to the entire system. This makes antivirus software itself a common target for attackers, and
researchers have discovered remote code execution and other serious vulnerabilities in antivirus
software products in recent years.

Types of antivirus programs

Antivirus software is distributed in a number of forms, including stand-alone antivirus scanners

and internet security suites that offer antivirus protection, along with firewalls, privacy controls
and other security protections.

Virus detection techniques

Antivirus software uses a variety of virus detection techniques.

Originally, antivirus software depended on signature-based detection to flag malicious software.

Antivirus programs depend on stored virus signatures-- unique strings of data that are characteristic
of known malware. The antivirus software uses these signatures to identify when it encounters
viruses that have already been identified and analyzed by security experts.

Signature-based malware cannot detect new malware, including variants of existing malware.
Signature-based detection can only detect new viruses when the definition file is updated with
information about the new virus. With the number of new malware signatures increasing at around
10 million per year as long ago as 2011, modern signature databases may contain hundreds of
millions, or even billions, of entries, making antivirus software based solely on signatures
impractical. However, signature-based detection does not usually produce false positive matches.

Heuristic (strategies derived from previous experiences with similar problems) -based detection
uses an algorithm to compare the signatures of known viruses against potential threats. With
heuristic-based detection, antivirus software can detect viruses that haven't been discovered yet,
as well as already existing viruses that have been disguised or modified and released as new
viruses. However, this method can also generate false-positive matches when antivirus software
detects a program behaving similarly to a malicious program and incorrectly identifies it as a virus.

Antivirus software may also use behavior-based detection to analyze an object's behavior or
potential behavior for suspicious activities and infers malicious intent based on those observations.
For example, code that attempts to perform unauthorized or abnormal actions would indicate the
object is malicious, or at least suspicious. Some examples of behaviors that potentially signal
danger include modifying or deleting large numbers of files, monitoring keystrokes, changing
settings of other programs and remotely connecting to computers

Most modern antivirus software is capable of providing real-time protection. They are not wholly
dependent on running scans to find malware that has already obtained a foothold on a system.
Real-time protection analyzes data as it is loaded into the working memory of the computers, such
as when an application auto-executes upon insertion of a USB memory key, or when opening an
email or completing a web transaction
Features in an Antivirus
1. Anti-Malware
This component of antivirus software protects your computer from infection by malicious
software, also known as malware. Malicious software includes trojans, viruses, spyware and
other software designed to cause your computer to malfunction or destroy your data.

2. Protection Against Browser Exploits

Browser exploits usually involve website code that is written to take advantage of a vulnerability
in a web browser. For example, hackers using a technique called ‘click jacking’ may embed code
on a web page that virtually ‘steals’ your click and applies it toward an action you never
intended. Like taking your ‘Cancel’ click and making it a ‘Confirm … Yes’ I’d like to transfer
all my money to a Nigerian Prince’ click.

3. Anti-Virus
An antivirus guards your computer against infection by checking activity on your computer
against a database of ‘known suspicious activity’. For example, if your computer is attempting to
modify critical files, the antivirus may recognize that as a malicious activity and block it.
Antivirus software will also attempts to locate and eliminate the source of the malicious activity.

4. Anti-Trojan
Anti-Trojan software performs an integrity check on programs you install on your computer. It
identifies and isolates software that may be performing a clandestine activity. For example, a
handy text editor, that also sends snapshots of you from your webcam to some undisclosed
location.

5. Anti-Spyware
Spyware is a type of malware that can secretly steal files and record the activity of an infected
computer. Spyware can be used to gather information used to access password protected
accounts or view a listing of visited websites. The operative word here is ‘SPY’.

6. Anti-Worm
A worms is a type of malware infection that spreads by duplicating itself across networks and
onto infected hard drives. Worm activity can cause a computer to run more slowly and
eventually crash by filling all available hard disk space.

7. Anti-Rootkit
A rootkit is a type of software infection that can integrate into an operating system and replace
critical files, with corrupt and malicious versions. Anti-rootkit functionality can help to detect,
prevent the installation of, and remove certain rootkit infections. Unfortunately, the most reliable
way to remove a root kit is to reformat the infected hard drive and reinstall the operating system.

8. Anti-Phishing
Anti-Phishing software typically integrates with web browser and email client software. It then
attempts to identify and notify the user of any phishing content encountered on the web or by
email.
9. Secure Network
There are automated programs running on computers around the world whose purpose is to find
any vulnerable computer connected to Internet. The network can be a potential vulnerability for
any device that uses one to connect to the Internet. Software with features designed to secure
your network will typically close unnecessarily open ports to your computer and monitor activity
between the programs on your computer and the Internet.

10. Email Protection

Email Protection features of antivirus software include the ability to scan inbound and outbound
email for infected attachments and URLs to malicious websites. Some antivirus software include
quarantine and blocking features.

11. Automatic Virus Updates

One of the biggest problems users have with antivirus software is simply keeping it up to date.
Most antivirus software can be configured to automatically connect with the vendor site and
download new updates on a regular basis.

12. Automatic Program Updates

The scan engine(s) and program itself may periodically be updated to add functionality to detect
newer threats. Many antivirus software programs can be configured to automatically check for
new updates and download and install them if they are available.

13. Heuristic Scanner

Antivirus software typically has a heuristic scanner as well. Heuristic scanning uses what is
known about existing malware and what it has learned from past experience to identify new
threats even before the antivirus vendor creates an update to detect it.

Or it can be summarized as:

 Effective Antivirus Security

 Extreme protection against online cyber threats
 Blocks all web pages which support virus scams and personal data phishing
attempts
 Instantly monitors your USB as soon as you plug it in your system
 Block ads and insecure website
 Proactive data recovery of lost/deleted data
 Prevention of unauthorized data leakage from different external sources
 Reporting and monitoring of user’s application and internet use
 Secured data encryption in case of laptop theft
 Enhances system performance
 Wipes off unwanted files from your system
 Blocks all ports with the help of Port Locker Software
 Captures all Internet/Application activity with features of Blacklist and White list
 Secure Webpage for every user to Keep (monitor) a close eye on movement of
person with the designated laptop e.g. company employee
 Recovers deleted or lost files if they are lost from your PC, even if they are not
available in Recycle Bin