Chapter 4 Malwares

Chapter four discusses various types of malware, including worms, viruses, Trojans, ransomware, spyware, adware, rootkits, and botnets, detailing their characteristics and impacts. It also covers prevention and mitigation strategies for malware, buffer overflow vulnerabilities, security system assessment methodologies, and the importance of code reviews and security testing. The chapter emphasizes the need for continuous monitoring and improvement of security measures to protect against evolving threats.

Uploaded by agirma820

Chapter four

Worms and other Malwares

Outlines
• Worms
• Other malwares
• Prevention and mitigation of malwares
• Buffer overflow
• Security system assessment and evaluation
• Code review using static analysis tools
• Security testing
• Penetration testing
• Abuse case development

Worms
Worms and other types of malware are malicious software designed to damage, disrupt, or gain
unauthorized access to computer systems and networks.
Worms are a type of malware that can replicate themselves and spread across networks without
needing to attach to a host program. They exploit vulnerabilities in operating systems and
applications to propagate.
Characteristics of Worms:
• Self-replicating: Worms can create copies of themselves and spread autonomously.
• Network Propagation: They often spread through network connections, exploiting security
flaws.
• Resource Consumption: Worms can consume significant bandwidth and system resources,
leading to slowdowns or crashes.
Examples:
• Morris Worm (1988): One of the first worms distributed via the Internet.
• ILOVEYOU Worm (2000): Spread through email, causing widespread damage.
• Conficker Worm (2008): Exploited Windows vulnerabilities, creating a large botnet.
Other Types of Malware
1. Viruses: Malware that attaches itself to legitimate programs and requires user action to
spread (e.g., opening an infected file).
o Impact: Can corrupt or modify files, making them unusable.
o Examples: Melissa Virus, Mydoom.
2. Trojans: Malware disguised as legitimate software that, once installed, can carry out
malicious activities.
o Impact: Can open backdoors, steal information, or download other malware.
o Examples: Zeus Trojan, Emotet.
3. Ransomware: Malware that encrypts files on a victim’s computer and demands a ransom
for the decryption key.
o Impact: Can result in significant financial loss and data unavailability.
o Examples: WannaCry, Cryptolocker.
Other Types of Malware….
4. Spyware: Software that secretly monitors and collects user information without their knowledge.
o Impact: Can steal sensitive data such as passwords, credit card numbers, and personal
information.
o Examples: Keyloggers, Pegasus.
5. Adware: Malware that displays unwanted advertisements on a user’s device.
o Impact: Can be intrusive and slow down system performance; sometimes bundled with
spyware.
o Examples: Fireball, Gator.
6. Rootkits: Software that enables unauthorized users to gain control of a system while hiding its
existence.
o Impact: Can provide persistent, undetectable access to a system, often used to launch other
attacks.
o Examples: Sony BMG rootkit, Stuxnet.
Other Types of Malware….
7. Botnets: Networks of infected computers (bots) controlled by an attacker to perform
coordinated tasks.
o Impact: Can be used for DDoS attacks, spamming, and data theft.
o Examples: Mirai, Zeus.

Prevention and Mitigation
1. Regular Updates: Keep operating systems, software, and security patches up to date.
2. Antivirus and Antimalware Tools: Use reputable antivirus and antimalware software to
detect and remove threats.
3. Firewalls: Implement firewalls to monitor and control incoming and outgoing network
traffic.
4. User Education: Educate users about safe browsing practices, recognizing phishing
attempts, and not downloading suspicious attachments.
5. Backup Data: Regularly back up important data to recover it in case of an attack.
6. Network Security Measures: Use intrusion detection systems (IDS) and intrusion
prevention systems (IPS) to monitor and protect networks.
NOTE: By understanding the different types of malware and implementing robust
security measures, individuals and organizations can better protect their systems and
data from malicious threats.
Buffer Overflows
A buffer overflow is a type of vulnerability that occurs when a program writes more data to
a buffer than it can hold. Buffers are contiguous memory locations, typically arrays or
allocated memory blocks, used to store data temporarily. When more data is written than the
buffer can accommodate, the excess data overflows into adjacent memory spaces,
potentially leading to unpredictable behavior, crashes, or security breaches.
How Buffer Overflows Occur
1. Buffer Definition: A buffer is defined with a fixed size. It is allocated a certain amount of
memory. For example, an array in C might be allocated enough space to hold 10 characters.
```c
char buffer[10];
```
2. Excess Data Writing: When more data is written to the buffer than it can hold, the excess
data spills over into adjacent memory. This can overwrite other variables, return addresses,
or control data. If the program writes more than 10 characters to the buffer, such as 15
characters, the extra 5 characters overflow into adjacent memory.
Types of Buffer Overflows
• Stack-based Buffer Overflow: This occurs in the call stack. Local variables, function
parameters, and return addresses are affected. Overflowing a stack buffer can overwrite the
return address, leading to arbitrary code execution.
```c
#include <string.h>

/* Deliberately vulnerable: strcpy() copies the whole 38-byte string plus its
 * terminating NUL into a 10-byte stack buffer, overwriting adjacent stack memory. */
void vulnerableFunction(void) {
    char buffer[10];
    strcpy(buffer, "This string is too long for the buffer");
}
```
• Heap-based Buffer Overflow: This occurs in the heap, where dynamically allocated
memory is managed. Overflowing a heap buffer can corrupt the heap structure, leading
to arbitrary memory reads or writes.
```c
#include <stdlib.h>
#include <string.h>

/* Deliberately vulnerable: the same unbounded copy into a 10-byte heap block
 * overwrites whatever the allocator placed after it (often heap metadata). */
void heapOverflow(void) {
    char *buffer = malloc(10);
    if (buffer == NULL) return;
    strcpy(buffer, "This string is too long for the buffer");
    free(buffer);
}
```
Consequences of Buffer Overflow
1. Program Crashes: Overwriting important control data can cause the program to crash or
behave unpredictably.
2. Arbitrary Code Execution: By carefully crafting the overflow data, an attacker can
manipulate the program’s execution flow, potentially running malicious code.
3. Data Corruption: Overwriting adjacent memory can corrupt data, leading to incorrect
program behavior or data loss.
4. Security Breaches: Buffer overflows are often exploited to gain unauthorized access to
systems or escalate privileges.
Preventing Buffer Overflows
1. Bounds Checking: Ensure that all buffer accesses are within bounds. Comparing the input
length against the buffer size before copying leaves room for the terminating NUL:
```c
/* Copy only when the input, including its terminating NUL, fits in buffer. */
if (strlen(input) < sizeof(buffer)) {
    strcpy(buffer, input);
}
```
Preventing Buffer Overflows….
2. Safer Functions: Use functions that limit the amount of data copied, such as `strncpy`
instead of `strcpy`. Note that `strncpy` does not NUL-terminate when the input is at least as
long as the limit, so the terminator must be written explicitly:
```c
/* Copy at most sizeof(buffer) - 1 bytes, then terminate the string ourselves. */
strncpy(buffer, input, sizeof(buffer) - 1);
buffer[sizeof(buffer) - 1] = '\0';
```
3. Use Modern Languages: programming languages that perform automatic bounds
checking, such as Python or Java.
4. Address Space Layout Randomization (ASLR): Randomizes the memory address space
layout of processes, making it harder for attackers to predict the location of specific
functions or data.
5. Data Execution Prevention (DEP): Marks certain areas of memory as non-executable,
preventing code execution from those regions.
6. Static and Dynamic Analysis Tools: Use tools that analyze code for potential buffer
overflow vulnerabilities, such as static analyzers (Coverity, Clang Static Analyzer) and
dynamic analysis tools (Valgrind).
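As an added example (not code from the slides), the bounds check and the strncpy pattern from rules 1 and 2 are wrapped in two small copy helpers, and a hardened form of the slide's vulnerableFunction() is built on them. The helper names and their return values are assumptions made here.

```c
#include <stdio.h>
#include <string.h>

/* Bounds-checked copy (rule 1): copy only if src, including its terminating
 * NUL, fits in dst. Returns 1 on success, 0 if the copy was refused because
 * it would overflow dst (dst is then left as an empty string). */
int copy_checked(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return 0;
    if (strlen(src) >= dst_size) {  /* would need more than dst_size bytes */
        dst[0] = '\0';
        return 0;
    }
    strcpy(dst, src);               /* safe: length already verified */
    return 1;
}

/* Truncating copy (rule 2): never writes past dst and always NUL-terminates.
 * Returns 1 if src had to be cut short, 0 if it was copied whole. */
int copy_truncating(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return 0;
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';       /* strncpy alone may leave no NUL */
    return strlen(src) >= dst_size;
}

/* Hardened version of the slide's vulnerableFunction(): the 10-byte stack
 * buffer can no longer be overrun, whatever the caller passes in. */
int safe_function(const char *input) {
    char buffer[10];
    if (!copy_checked(buffer, sizeof buffer, input)) {
        fprintf(stderr, "input rejected: %zu bytes exceed buffer\n", strlen(input));
        return 0;
    }
    printf("copied: %s\n", buffer);
    return 1;
}

int main(void) {
    safe_function("short");                                   /* accepted */
    safe_function("This string is too long for the buffer"); /* rejected */
    return 0;
}
```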
Security System assessment and evaluation
Security system assessment and evaluation involve systematically examining an organization's
security measures to identify vulnerabilities, assess risks, and evaluate the effectiveness of
existing controls. It helps ensure that the organization's security posture is robust and can
effectively protect against potential threats. The steps involved in security system assessment and evaluation (SSAE) are:
1. Define Scope and Objectives: Determine the scope of the assessment (e.g., specific systems,
networks, applications).
o Establish clear objectives, such as identifying vulnerabilities, evaluating compliance, or
testing incident response capabilities.
2. Information Gathering: Collect information about the systems and processes being assessed.
o Review policies, architecture diagrams, network topologies, and previous assessment reports.
3. Identify and Analyze Threats and Vulnerabilities:
o Use tools and techniques to identify potential threats and vulnerabilities in the system.
o Common methods include vulnerability scanning, penetration testing, code reviews, and
configuration audits.
Steps in SSAE ….
4. Risk Assessment:
o Evaluate the potential impact and likelihood of identified threats and vulnerabilities.
o Use qualitative or quantitative risk assessment methodologies to prioritize risks.
5. Evaluate Existing Controls:
o Assess the effectiveness of existing security controls in mitigating identified risks.
o Review access controls, encryption, incident response procedures, and other security
measures.
6. Gap Analysis:
o Compare the current security posture against industry standards, best practices, and
regulatory requirements.
o Identify gaps and areas needing improvement.

Steps in SSAE ….
7. Reporting:
o Document findings, including identified vulnerabilities, risk levels, and the
effectiveness of current controls.
o Provide recommendations for improving security measures and reducing risks.
8. Remediation and Mitigation:
o Develop a remediation plan to address identified vulnerabilities and improve security
controls.
o Implement the necessary changes and monitor their effectiveness.
9. Continuous Monitoring and Improvement:
o Establish a process for continuous monitoring and regular reassessment of security
measures.
o Adapt to evolving threats and changes in the organization's environment.
Methodologies for Security System Assessment
1. Vulnerability Assessment:
o Identifies, quantifies, and prioritizes vulnerabilities in a system.
o Uses automated tools (e.g., Nessus, OpenVAS) to scan for known vulnerabilities.
2. Penetration Testing (Pen Testing):
o Simulates real-world attacks to test the effectiveness of security measures.
o Can be external (testing from outside the network) or internal (testing from within the
network).
o Includes different phases: reconnaissance, scanning, exploitation, and reporting.
3. Security Audits:
o Comprehensive reviews of security policies, procedures, and controls.
o Can be internal (conducted by the organization’s security team) or external (conducted by
third-party auditors).
o Focuses on compliance with standards like ISO 27001, NIST, GDPR, HIPAA.
Methodologies for Security System Assessment…
4. Risk Assessment:
o Identifies and evaluates risks based on their impact and likelihood.
o Uses methodologies such as OCTAVE, FAIR, or ISO 31000.
5. Configuration Reviews:
o Examines system and network configurations to ensure they follow best practices.
o Identifies misconfigurations that could lead to vulnerabilities.
6. Code Reviews:
o Analyzes source code for security flaws and vulnerabilities.
o Can be manual (performed by security experts) or automated (using tools such as SonarQube).
7. Social Engineering Assessments:
o Tests the organization’s susceptibility to social engineering attacks, such as phishing.
o Involves simulating attacks that target employees to evaluate their awareness and response.
Best Practices for Security System Assessment and Evaluation
• Regular Assessments: Conduct security assessments regularly to stay ahead of evolving
threats.
• Holistic Approach: Consider all aspects of security, including technical, administrative,
and physical controls.
• Engage Stakeholders: Involve relevant stakeholders, including IT, security, and business
units, in the assessment process.
• Document Findings: Keep detailed records of assessment findings, recommendations,
and remediation efforts.
• Continuous Improvement: Use the results of assessments to continuously improve the
organization’s security posture.

Code review using static analysis tools
Code review with static analysis tools involves analyzing the source code of an application without executing it. These tools
scan the code to identify potential vulnerabilities, bugs, or code smells based on predefined
rules or patterns. The steps in a code review using static analysis tools are:
1. Static Analysis Tools Selection: Choose an appropriate static analysis tool based on the
programming language and the type of analysis needed (e.g., security, performance,
style).
2. Code Submission: Submit the code to the static analysis tool. This can be done through
the tool's interface, command line, or integration with a version control system.
3. Analysis: The static analysis tool scans the codebase, checking for issues such as
security vulnerabilities, coding standard violations, and potential performance bottlenecks.

Code review using static analysis tools….
4. Results Review: Review the results provided by the static analysis tool. It typically
categorizes issues based on severity and provides details on each identified problem,
along with suggestions for remediation.
5. Issue Resolution: Address the identified issues by making the necessary changes to the
codebase. This may involve fixing bugs, improving code quality, or enhancing security
measures.
6. Re-Analysis (Optional): After making changes, you can re-run the static analysis tool to
ensure that all identified issues have been addressed.
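To make the "predefined rules or patterns" idea concrete, here is an added example (not from the slides or any real tool) of a minimal pattern-based static check that scans C source for unbounded copy and input calls and reports the line of each finding. The rule list, the function names and the sample source are assumptions constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Rule set (assumed, not any real tool's): unbounded copy/input calls. */
static const char *RULES[] = { "strcpy(", "strcat(", "gets(", "sprintf(" };

/* Only count a match that starts an identifier, so "fgets(" is not
 * reported as "gets(" and "strncpy(" is not reported as "strcpy(". */
static int is_call(const char *line, const char *p) {
    return p == line || !(isalnum((unsigned char)p[-1]) || p[-1] == '_');
}

/* Scan a C source buffer line by line, print "line N: rule" for each
 * finding and return the number of findings. */
int scan_source(const char *src) {
    int findings = 0, lineno = 1;
    const char *line = src;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        for (size_t r = 0; r < sizeof RULES / sizeof RULES[0]; r++) {
            const char *p = line;
            while ((p = strstr(p, RULES[r])) != NULL && p < line + len) {
                if (is_call(line, p)) {
                    printf("line %d: %s\n", lineno, RULES[r]);
                    findings++;
                }
                p += strlen(RULES[r]);
            }
        }
        if (!end) break;
        line = end + 1;
        lineno++;
    }
    return findings;
}

/* Constructed sample: the slide's vulnerableFunction() plus a safe fgets(). */
static const char SAMPLE[] =
    "#include <string.h>\n"
    "void vulnerableFunction(void) {\n"
    "    char buffer[10];\n"
    "    strcpy(buffer, \"This string is too long for the buffer\");\n"
    "}\n"
    "void readLine(char *buffer, size_t n) {\n"
    "    fgets(buffer, n, stdin);\n"
    "    gets(buffer);\n"
    "}\n";

int main(void) {
    printf("%d finding(s)\n", scan_source(SAMPLE));  /* prints 2 finding(s) */
    return 0;
}
```

A real analyzer parses the code rather than matching text, so it also follows data flow into the call and suppresses matches inside comments and strings; this check only shows the rule-matching step.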

Benefits of using static analysis tools for code review
• Early Issue Detection: Helps in identifying and fixing issues early in the development
process, reducing the cost and effort required for later fixes.
• Consistency: Enforces coding standards and best practices across the codebase, ensuring
a consistent code quality.
• Security Enhancement: Identifies security vulnerabilities that may be missed during
manual code review, helping in building more secure applications.
• Code Quality Improvement: Helps in improving the overall quality of the codebase by
identifying and fixing potential bugs and issues.
Popular static analysis tools include SonarQube, Checkmarx, and Fortify, among others.

Security Testing
Security testing is a type of testing that focuses on identifying vulnerabilities and
weaknesses in an application's security. The goal is to uncover potential security risks that
could be exploited by attackers. Security testing can include various types of testing, such
as:
• Vulnerability Assessment: Identifying and prioritizing vulnerabilities in the application,
network, or infrastructure.
• Penetration Testing: Simulating real-world attacks to identify and exploit
vulnerabilities, providing a deeper understanding of the potential impact of a successful
attack.
• Security Audits: Reviewing the application's code, configuration, and architecture to
ensure compliance with security best practices and standards.
• Risk Assessment: Evaluating the potential impact and likelihood of security risks to
prioritize mitigation efforts.

Penetration Testing
Penetration testing, also known as pen testing, is a specific type of security testing that involves
actively trying to exploit vulnerabilities in a system to determine whether unauthorized access or
other malicious activities are possible. The process typically involves the following steps:
• Planning: Define the scope of the penetration test, including target systems, testing methods, and goals.
• Reconnaissance: Gather information about the target system, such as its architecture, operating
system, and network configuration.
• Scanning: Use automated tools to scan target system for known vulnerabilities, open ports, and
other potential entry points.
• Exploitation: Attempt to exploit identified vulnerabilities to gain unauthorized access to target
system.
• Post-Exploitation: Once access is gained, further exploit the system to gather more information
or perform additional attacks.
• Reporting: Document the findings of the penetration test, including the vulnerabilities that were
exploited, the impact of the exploits, and recommendations for mitigating the vulnerabilities.
Penetration testing is a valuable tool for identifying and addressing security vulnerabilities before
they can be exploited by attackers. It helps organizations improve their security posture and protect
their systems and data from unauthorized access and other security threats.
Abuse case development
Abuse case development is a process used in software and system development to identify
potential misuse or abuse scenarios. These scenarios describe how a system could be
intentionally misused or abused by attackers or malicious users.
The purpose of abuse case development is to:
• Identify Vulnerabilities: By considering how a system could be abused, developers can
identify potential vulnerabilities that need to be addressed.
• Improve Security: Understanding potential abuse scenarios can help developers design and
implement security controls to mitigate these risks.
• Enhance Requirements: Abuse cases can help refine system requirements to ensure they
consider security and misuse prevention from the start.
Abuse cases are typically documented in a similar format to use cases, but they focus on the
misuse of the system rather than its intended use. They often include details such as the actor
(the attacker or malicious user), the goal of the abuse, the actions taken to achieve the goal, and
the potential impact on the system or its users.
Developing abuse cases typically involves brainstorming sessions with security experts,
developers, and other stakeholders to identify potential misuse scenarios. These scenarios are
then documented and used to inform the design and implementation of security controls.
Thank you! Questions?

