Cns 9

The document discusses Internet security protocols focusing on user authentication, specifically Kerberos and X.509. Kerberos is a trusted third-party authentication service that uses symmetric encryption to authenticate users in a distributed environment, while X.509 provides a framework for public-key authentication services and certificate management. It also covers firewall principles, types, and their role in network security by controlling traffic based on defined security rules.

Uploaded by

Aritra Pain

Module 5: Internet Security Protocols, User Authentication

Authentication applications

 authentication functions developed to support application-level authentication & digital
signatures
 Kerberos – a secret-key (symmetric) authentication service
 X.509 - a public-key directory authentication service
Kerberos

Overview
 authentication service designed for use in a distributed environment.
 makes use of a trusted third-party authentication service
o enables clients and servers to establish authenticated communication.
 developed as part of Project Athena at MIT
 Addresses the following threats
o a user may pretend to be another user operating from that workstation
o a user may alter the network address and impersonate the workstation
o a user may eavesdrop on exchanges and use a replay attack to gain entry or to disrupt
operations
 provides a centralized authentication server to authenticate users to servers and servers to
users
 relies exclusively on symmetric encryption, making no use of public-key encryption
 two versions in use: 4 and 5
Motivation / Requirements (SRTS)
 Secure
o A network eavesdropper should not be able to obtain the necessary information to
impersonate a user.
o strong enough such that a potential opponent does not find it to be the weak link.
 Reliable
o should be highly reliable
o should employ a distributed server architecture,
 one system able to back up another.
 Transparent
o user should not be aware that authentication is taking place
 beyond the requirement to enter a password.
 Scalable
o capable of supporting large numbers of clients and servers
 modular, distributed architecture.

Kerberos Encryption Techniques

Simple Kerberos Dialogue


Kerberos Overview

Kerberos Version 4 Message Exchanges

i) Authentication Service Exchange to obtain ticket-granting ticket


1) Client requests ticket-granting ticket

 User logs on to workstation and requests service on host

2) AS returns ticket-granting ticket

 AS verifies user's access right in database, creates ticket-granting ticket and
session key. Results are encrypted using key derived from user's password
ii) Ticket-Granting Service Exchange to obtain service-granting ticket
3) Client requests service-granting ticket

 Workstation prompts user for password and uses password to decrypt incoming
message, then sends ticket and authenticator that contains user's name, network
address, and time to TGS

4) TGS returns service-granting ticket

 TGS decrypts ticket and authenticator, verifies request, then creates ticket for requested
server

iii) Client/Server Authentication Exchange to obtain service


5) Client requests service

 Workstation sends ticket and authenticator to server

6) Optional authentication of server to client

 Server verifies that ticket and authenticator match, then grants access to service. If
mutual authentication is required, server returns an authenticator
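The six messages above, as an added example that is not part of the original notes: a stand-alone Python simulation of the Kerberos version 4 dialogue between a client workstation, a KDC acting as both AS and TGS, and an application server. The "encryption" is a toy construction (SHA-256 keystream plus an HMAC tag) so that the script runs on the standard library alone; real Kerberos v4 uses DES. Principal names, the password, the lifetime and clock-skew values are assumptions made for the demo. The authenticator check shows the two things the notes rely on for replay resistance: the timestamp must be recent, and the same authenticator must not be accepted twice.

```python
import hashlib, hmac, json, os

LIFETIME = 8 * 3600   # ticket lifetime in seconds (assumed value for the demo)
SKEW = 300            # tolerated clock skew for authenticators, seconds (assumed)

def kdf(password):
    """Key derived from the user's password. Toy: unsalted SHA-256, demo only."""
    return hashlib.sha256(password.encode()).digest()

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(key, obj):
    """Toy authenticated encryption standing in for DES: keystream XOR plus HMAC tag."""
    data = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_ticket_and_authenticator(server_key, ticket_blob, auth_blob, now, addr, seen):
    """Verification shared by the TGS (message 3) and the application server (message 5)."""
    ticket = decrypt(server_key, ticket_blob)
    if now > ticket["ts"] + ticket["lifetime"]:
        raise PermissionError("ticket expired")
    auth = decrypt(bytes.fromhex(ticket["key"]), auth_blob)   # only a session-key holder can build this
    if auth["client"] != ticket["client"] or not (ticket["addr"] == addr == auth["addr"]):
        raise PermissionError("authenticator does not match ticket")
    if abs(now - auth["ts"]) > SKEW:
        raise PermissionError("authenticator outside clock skew")
    if (auth["client"], auth["ts"]) in seen:   # replay cache: each authenticator is single-use
        raise PermissionError("replayed authenticator")
    seen.add((auth["client"], auth["ts"]))
    return ticket, auth

class KDC:
    """AS and TGS sharing one database: password-derived user keys and server secret keys."""
    def __init__(self):
        self.users = {"alice": kdf("correct horse battery")}              # constructed user
        self.keys = {"tgs": os.urandom(32), "fileserver": os.urandom(32)}  # shared with servers
        self.seen = set()

    def as_exchange(self, id_c, addr, ts1):
        """Messages (1)/(2): no password on the wire; the reply is sealed with K_c = kdf(password)."""
        if id_c not in self.users:
            raise PermissionError("unknown principal")
        k_c_tgs = os.urandom(32).hex()
        tgt = {"key": k_c_tgs, "client": id_c, "addr": addr, "ts": ts1, "lifetime": LIFETIME}
        ticket_tgs = encrypt(self.keys["tgs"], tgt)
        return encrypt(self.users[id_c],
                       {"key": k_c_tgs, "ticket": ticket_tgs.hex(), "ts": ts1, "lifetime": LIFETIME})

    def tgs_exchange(self, id_v, ticket_tgs, auth, now, addr):
        """Messages (3)/(4): TGT + authenticator in, service ticket sealed with K_c,tgs out."""
        tgt, _ = check_ticket_and_authenticator(self.keys["tgs"], ticket_tgs, auth, now, addr, self.seen)
        k_c_v = os.urandom(32).hex()
        tkt = {"key": k_c_v, "client": tgt["client"], "addr": addr, "ts": now, "lifetime": LIFETIME}
        ticket_v = encrypt(self.keys[id_v], tkt)
        return encrypt(bytes.fromhex(tgt["key"]),
                       {"key": k_c_v, "server": id_v, "ticket": ticket_v.hex(), "ts": now})

class AppServer:
    def __init__(self, key):
        self.key, self.seen = key, set()

    def serve(self, ticket_v, auth, now, addr):
        """Messages (5)/(6): verify the client, then prove own identity by returning TS5 + 1."""
        tkt, a = check_ticket_and_authenticator(self.key, ticket_v, auth, now, addr, self.seen)
        return encrypt(bytes.fromhex(tkt["key"]), {"ts": a["ts"] + 1})

def run_dialogue(now=1_700_000_000, addr="10.0.0.5"):
    """Client side of messages 1-6. Returns {'mutual_auth': bool, 'replay': server's verdict}."""
    kdc = KDC()
    fs = AppServer(kdc.keys["fileserver"])
    # (1)/(2): the workstation derives K_c from the typed password to open the AS reply
    reply = decrypt(kdf("correct horse battery"), kdc.as_exchange("alice", addr, now))
    k_c_tgs, ticket_tgs = bytes.fromhex(reply["key"]), bytes.fromhex(reply["ticket"])
    # (3)/(4): the authenticator proves possession of K_c,tgs and is timestamped for freshness
    auth3 = encrypt(k_c_tgs, {"client": "alice", "addr": addr, "ts": now + 1})
    reply = decrypt(k_c_tgs, kdc.tgs_exchange("fileserver", ticket_tgs, auth3, now + 1, addr))
    k_c_v, ticket_v = bytes.fromhex(reply["key"]), bytes.fromhex(reply["ticket"])
    # (5)/(6): a fresh authenticator for the service; the server answers with TS5 + 1
    auth5 = encrypt(k_c_v, {"client": "alice", "addr": addr, "ts": now + 2})
    resp = decrypt(k_c_v, fs.serve(ticket_v, auth5, now + 2, addr))
    # A captured copy of message (5) re-sent later is caught by the server's replay cache
    try:
        fs.serve(ticket_v, auth5, now + 3, addr)
        replay = "accepted"
    except PermissionError as err:
        replay = str(err)
    return {"mutual_auth": resp["ts"] == now + 3, "replay": replay}
```

Note that the password never leaves the workstation: the AS reply is decryptable only with the key derived from it, which is also why the scheme is exposed to offline password guessing unless preauthentication (version 5) is used.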

Kerberos Realms And Multiple Kerberi


Kerberos realm
 a set of managed nodes that share the same Kerberos database.
 database resides on the Kerberos master computer system, kept in a physically secure
room.
o A read-only copy on other Kerberos computer systems.
 all changes to the database must be made on the master computer system.
o requires the Kerberos master password

Kerberos principal
 a service or user that is known to the Kerberos system.
 Each Kerberos principal is identified by its principal name.
 Principal names consist of three parts: a service or user name, an instance name, and a
realm name
Requirements

1. The Kerberos server must have the user ID and hashed passwords of all participating
users in its database. All users are registered with the Kerberos server.
2. The Kerberos server must share a secret key with each server. All servers are
registered with the Kerberos server
3. The Kerberos server in each interoperating realm shares a secret key with the server in
the other realm. The two Kerberos servers are registered with each other
Exchanges

Request for Service in another Realm


Environmental shortcomings of Kerberos version 4

Encryption system dependence

 Version 4 depends on DES; export restrictions on DES as well as doubts about
the strength of DES were a concern
 In version 5, ciphertext is tagged with an encryption type identifier so that any encryption technique
may be used
 Encryption keys are tagged with a type and a length,
o allowing the same key to be used in different algorithms
o allowing the specification of different variations on a given algorithm.

Internet protocol dependence:


 Version 4 requires the use of Internet Protocol (IP) addresses. Other address
types, such as the ISO network address, are not accommodated.
 Version 5 network addresses are tagged with type and length, allowing any network
address
Message byte ordering
 In version 4, the sender of a message employs a byte ordering of its own
 In version 5, all message structures are defined using Abstract Syntax Notation One (ASN.1)
and Basic Encoding Rules (BER), which provide an unambiguous byte ordering.

Ticket lifetime:
 Lifetime values in version 4 are encoded in an 8-bit quantity in units of five minutes.
o maximum lifetime is 2^8 × 5 = 1280 minutes, or over 21 hours
 In version 5, tickets include an explicit start time and end time, allowing tickets with
arbitrary lifetimes
Authentication forwarding:
 Version 4 does not allow credentials issued to one client to be forwarded to some
other host and used by some other client
 Version 5 provides this capability
Interrealm authentication:
 In version 4, interoperability among N realms requires on the order of N²
Kerberos-to-Kerberos relationships
 Version 5 supports a method that requires fewer relationships

Technical deficiencies

Double encryption
 second encryption is not necessary and is computationally wasteful
PCBC encryption
 Version 4 uses nonstandard mode of DES known as propagating cipher block chaining
(PCBC)
 Version 5 provides explicit integrity mechanisms, allowing the standard CBC mode to be
used
o a checksum or hash code is attached to the message prior to encryption
Session keys

Password attacks
 Both versions are vulnerable to a password attack
 Version 5 does provide a mechanism known as preauthentication

Kerberos Version 5 Message Exchanges

Authentication Service Exchange to obtain ticket-granting ticket

Ticket-Granting Service Exchange to obtain service-granting ticket

Client/Server Authentication Exchange to obtain service

New Elements

 Realm: Indicates realm of user


 Options: Used to request that certain flags be set in the returned ticket
 Times: Used by the client to request the following time settings in the ticket:
o from: the desired start time for the requested ticket
o till: the requested expiration time for the requested ticket
o rtime: requested renew-till time
 Nonce: A random value to be repeated in message (2) to assure that the response is fresh

Kerberos Version 5 Flags


X.509 Authentication services

■ ITU-T recommendation X.509 is part of the X.500 series of recommendations that define a
directory service.

■ The directory is, in effect, a server or distributed set of servers that maintains a database of
information about users.

■ The information includes a mapping from user name to network address, as well as other
attributes and information about the users.

■ X.509 defines a framework for the provision of authentication services by the X.500
directory to its users.

■ The directory may serve as a repository of public-key certificates of the type

■ Each certificate contains the public key of a user and is signed with the private key of a
trusted certification authority.

■ In addition, X.509 defines alternative authentication protocols based on the use of public-
key certificates.

■ X.509 is based on the use of public-key cryptography and digital signatures.

■ The standard does not dictate the use of a specific algorithm but recommends RSA.

■ The digital signature scheme is assumed to require the use of a hash function. Again, the
standard does not dictate a specific hash algorithm.
■ The 1988 recommendation included the description of a recommended hash algorithm; this
algorithm has since been shown to be insecure and was dropped from the 1993
recommendation.

■ Certificates are issued by a Certification Authority (CA), containing:

– version (1, 2, or 3)

– serial number (unique within CA) identifying certificate

– signature algorithm identifier

– issuer X.500 name (CA)

– period of validity (from - to dates)

– subject X.500 name (name of owner)

– subject public-key info (algorithm, parameters, key)

– issuer unique identifier (v2+)

– subject unique identifier (v2+)

– extension fields (v3)

– signature (of hash of all fields in certificate)


■ Signature:

■ Covers all of the other fields of the certificate; it contains the hash code of the other fields,
encrypted with the CA's private key.

■ This field includes the signature algorithm identifier.

■ The standard uses the following notation to define a certificate:

■ CA<<A>> = CA {V, SN, AI, CA, TA, A, Ap}

■ Where, Y <<X>> = the certificate of user X issued by certification authority Y

■ Y {I} = the signing of I by Y.

■ It consists of I with an encrypted hash code appended

■ The CA signs the certificate with its private key.

■ If the corresponding public key is known to a user, then that user can verify that a certificate
signed by the CA is valid.

■ Obtaining a User's Certificate

■ User certificates generated by a CA have the following characteristics:

■ · Any user with access to the public key of the CA can verify the user public key that was
certified.

■ · No party other than the certification authority can modify the certificate without this being
detected.
■ CA Hierarchy Use

■ user A can acquire the following certificates from the directory to establish a certification
path to B:

■ X<<W>> W<<V>> V<<Y>> Y<<Z>> Z<<B>>

■ When A has obtained these certificates, it can unwrap the certification path in sequence to
recover a trusted copy of B's public key.

■ Using this public key, A can send encrypted messages to B.

■ If A wishes to receive encrypted messages back from B, or to sign messages sent to B, then B
will require A’s public key, which can be obtained from the following certification path:

■ Z<<Y>> Y<<V>> V<<W>> W<<X>> X<<A>>

■ B can obtain this set of certificates from the directory, or A can provide them as part of its
initial message to B.

■ Certificate Revocation

• certificates have a period of validity

• may need to revoke before expiry, for the following reasons eg:

1. user's private key is compromised


2. user is no longer certified by this CA

3. CA's certificate is compromised

• CAs maintain a list of revoked certificates

1. the Certificate Revocation List (CRL)

• users should check certificates against the CA's CRL
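The certification-path unwrapping and the CRL check above, as an added example that is not part of the original notes. The Python below builds the hierarchy X > W > V > Y > Z with user B under Z and walks the path X<<W>> W<<V>> V<<Y>> Y<<Z>> Z<<B>> from a trusted copy of X's public key, checking at each link that the issuer name chains, the signature verifies under the previously recovered key, the validity period covers the current time, and the serial is absent from the issuer's CRL. The RSA here is a toy on tiny fixed primes (constructed) so it runs on the standard library; the field set follows the notation CA{V, SN, AI, CA, TA, A, Ap}.

```python
import hashlib, json, math

# Toy RSA on tiny fixed primes (constructed): shows who signs and who verifies; no security.
PRIMES = [(61, 53), (101, 103), (107, 109), (127, 131), (137, 139), (149, 151), (157, 163)]

def keygen(i):
    """Return (public, private) = ((e, n), (d, n)) for the i-th prime pair."""
    p, q = PRIMES[i]
    n, phi = p * q, (p - 1) * (q - 1)
    e = next(c for c in (3, 5, 7, 11, 13, 17, 19, 23, 29) if math.gcd(c, phi) == 1)
    return (e, n), (pow(e, -1, phi), n)

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    """Y{I}: hash the fields, then apply the signer's private exponent."""
    d, n = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data, sig):
    e, n = pub
    return pow(sig, e, n) == _digest(data, n)

def tbs(cert):
    """Canonical encoding of the to-be-signed fields (V, SN, AI, CA, TA, A, Ap)."""
    return json.dumps({k: v for k, v in cert.items() if k != "signature"}, sort_keys=True).encode()

def issue(issuer, issuer_priv, serial, subject, subject_pub, not_before, not_after):
    """Produce issuer<<subject>>: the fields plus the issuer's signature over them."""
    cert = {"version": 3, "serial": serial, "sig_alg": "toy-rsa-sha256", "issuer": issuer,
            "validity": [not_before, not_after], "subject": subject, "subject_pub": list(subject_pub)}
    cert["signature"] = sign(issuer_priv, tbs(cert))
    return cert

def validate_path(trusted_name, trusted_pub, path, now, crls):
    """Unwrap X<<W>> W<<V>> ... Z<<B>> starting from a trusted copy of X's key; return B's key.
    Raises ValueError naming the failing link: chain break, bad signature, expiry or revocation."""
    name, pub = trusted_name, trusted_pub
    for cert in path:
        label = f"{cert['issuer']}<<{cert['subject']}>>"
        if cert["issuer"] != name:
            raise ValueError(f"chain break at {label}: expected issuer {name}")
        if not verify(pub, tbs(cert), cert["signature"]):
            raise ValueError(f"bad signature on {label}")
        not_before, not_after = cert["validity"]
        if not not_before <= now <= not_after:
            raise ValueError(f"{label} outside validity period")
        if cert["serial"] in crls.get(cert["issuer"], set()):   # CRL published by this issuer
            raise ValueError(f"{label} revoked by {cert['issuer']}")
        name, pub = cert["subject"], tuple(cert["subject_pub"])  # unwrap one level
    return pub

def demo(now=2025, revoke_z=False, tamper=False):
    """Build the hierarchy X > W > V > Y > Z and user B; return 'ok' or the failure reason."""
    names = ["X", "W", "V", "Y", "Z", "B"]
    keys = {n: keygen(i) for i, n in enumerate(names)}
    path = [issue(names[i - 1], keys[names[i - 1]][1], 100 + i, names[i], keys[names[i]][0], 2024, 2026)
            for i in range(1, len(names))]
    crls = {"Y": {104}} if revoke_z else {}          # Y's CRL lists the serial of Y<<Z>>
    if tamper:                                        # key inside V<<Y>> swapped for another key
        path[2]["subject_pub"] = list(keygen(6)[0])
    try:
        b_pub = validate_path("X", keys["X"][0], path, now, crls)
    except ValueError as err:
        return str(err)
    return "ok" if b_pub == keys["B"][0] else "wrong key recovered"
```

The order of checks matters less than their completeness: a path whose signatures all verify is still untrustworthy if any intermediate certificate has expired or appears on its issuer's CRL, which is why the revocation lookup is done per link rather than only for the end-entity certificate.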

■ Authentication Procedures

■ X.509 includes three alternative authentication procedures:

• One-Way Authentication

• Two-Way Authentication

• Three-Way Authentication

• all use public-key signatures

■ One-Way Authentication

• 1 message (A->B) used to establish

– the identity of A and that message is from A

– message was intended for B

– integrity & originality of message

• message must include timestamp, nonce, B's identity and is signed by A

■ Two-Way Authentication

• 2 messages (A->B, B->A) which also establishes in addition:

– the identity of B and that reply is from B

– that reply is intended for A

– integrity & originality of reply

• reply includes original nonce from A, also timestamp and nonce from B

■ Three-Way Authentication

• 3 messages (A->B, B->A, A->B) which enables above authentication without synchronized
clocks

• has reply from A back to B containing signed copy of nonce from B

• means that timestamps need not be checked or relied upon


FIREWALLS

■ A firewall is a network security device, either hardware or software-based, which monitors
all incoming and outgoing traffic and based on a defined set of security rules it accepts,
rejects or drops that specific traffic.

■ Accept : allow the traffic

■ Reject : block the traffic but reply with an “unreachable error”

■ Drop : block the traffic with no reply

■ A firewall establishes a barrier between secured internal networks and outside untrusted
network, such as the Internet.
■ Firewall design principles

■ The firewall is inserted between the premise network and internet to establish a controlled
link and to erect an outer security wall or perimeter.

■ The aim of this perimeter is to protect the premises network from internet based attacks
and to provide a single choke point where security and audit can be imposed.

■ The firewall can be a single computer system or a set of two or more systems that cooperate
to perform the firewall function.

■ Firewall characteristics:

■ All traffic from inside to outside, and vice versa, must pass through the firewall. This is
achieved by physically blocking all access to the local network except via the firewall. Various
configurations are possible.

■ Only authorized traffic, as defined by the local security policy, will be allowed to pass.

■ Various types of firewalls are used, which implement various types of security policies.

■ The firewall itself is immune to penetration. This implies the use of a trusted system with a
secure operating system.

■ The four techniques that firewalls use to control access and enforce the site's security policy are as
follows:

■ Service control – determines the type of internet services that can be accessed, inbound or
outbound. The firewall may filter traffic on this basis of IP address and TCP port number;
may provide proxy software that receives and interprets each service request before passing
it on; or may host the server software itself, such as web or mail service.

■ Direction control – determines the direction in which particular service request may be
initiated and allowed to flow through the firewall.

■ User control – controls access to a service according to which user is attempting to access it.

■ Behavior control – controls how particular services are used.

■ Capabilities of firewall

■ A firewall defines a single choke point that keeps unauthorized users out of the protected
network, prohibits potentially vulnerable services from entering or leaving the network, and
provides protection from various kinds of IP spoofing and routing attacks.

■ A firewall provides a location for monitoring security related events. Audits and alarms can
be implemented on the firewall system.

■ A firewall is a convenient platform for several internet functions that are not security
related.

■ A firewall can serve as the platform for IPsec.

■ Types of firewalls
■ There are 3 common types of firewalls.

• Packet filters

• Application-level gateways

• Circuit-level gateways

Packet filtering router

■ A packet filtering router applies a set of rules to each incoming IP packet and then forwards
or discards the packet.

■ The router is typically configured to filter packets going in both directions.

■ Filtering rules are based on the information contained in a network packet:

· Source IP address – IP address of the system that originated the IP packet.

· Destination IP address – IP address of the system the IP packet is trying to reach.

· Source and destination transport level address – transport level port number.

· IP protocol field – defines the transport protocol.

· Interface – for a router with three or more ports, which interface of the router the packet came
from or which interface of the router the packet is destined for.

■ The packet filter is typically set up as a list of rules based on matches to fields in the IP or
TCP header.

■ If there is a match to one of the rules, that rule is invoked to determine whether to forward
or discard the packet. If there is no match to any rule, then a default action is taken.

■ Two default policies are possible:

· Default = discard: That which is not expressly permitted is prohibited.

· Default = forward: That which is not expressly prohibited is permitted.
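A packet filter of the kind described above, as an added example that is not part of the original notes: a rule list matched in order against the fields the notes list (direction, source and destination address, protocol, destination port), with the first match deciding and the default policy applying when nothing matches. The premises network, the ruleset and the sample packets are constructed for the demo.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving the premises network
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    sport: int
    dport: int

def port_matches(spec, port):
    """spec is "*", an exact port such as "25", or a lower bound such as ">1023"."""
    if spec == "*":
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)

@dataclass
class Rule:
    action: str                  # "forward" or "discard"
    direction: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "*"
    dport: str = "*"
    comment: str = ""

    def matches(self, p):
        return (self.direction in ("*", p.direction)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("*", p.proto)
                and port_matches(self.dport, p.dport))

def decide(rules, packet, default):
    """First matching rule wins; with no match the default policy (discard or forward) applies."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.comment
    return default, "default policy"

INTERNAL = "192.0.2.0/24"    # constructed premises network
RULES = [
    Rule("discard", "in", src=INTERNAL, comment="anti-spoofing: internal source address arriving from outside"),
    Rule("forward", "in", dst="192.0.2.25/32", proto="tcp", dport="25", comment="inbound mail to the mail host"),
    Rule("forward", "out", src=INTERNAL, proto="tcp", comment="outbound TCP from the premises network"),
    Rule("forward", "in", dst=INTERNAL, proto="tcp", dport=">1023", comment="replies to outbound connections"),
]

SAMPLE = [   # constructed packets
    Packet("in", "203.0.113.7", "192.0.2.25", "tcp", 40000, 25),    # mail delivery
    Packet("in", "192.0.2.9", "192.0.2.25", "tcp", 40001, 25),      # spoofed internal source
    Packet("in", "203.0.113.7", "192.0.2.10", "tcp", 40002, 22),    # unsolicited inbound SSH
    Packet("out", "192.0.2.10", "203.0.113.7", "tcp", 51000, 443),  # outbound HTTPS
    Packet("in", "203.0.113.7", "192.0.2.10", "tcp", 443, 51000),   # reply to the above
]

def run_filter(default="discard", rules=RULES, packets=SAMPLE):
    """Return the action taken for each packet under the given default policy."""
    return [decide(rules, p, default)[0] for p in packets]

if __name__ == "__main__":
    for p in SAMPLE:
        action, why = decide(RULES, p, "discard")
        print(f"{p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.proto}: {action} ({why})")
```

The last rule illustrates the weakness the notes list: a stateless filter cannot tell a genuine reply from a new inbound connection to a high port, so it must admit both. Running the same packets with `default="forward"` shows how the permissive default lets the unsolicited SSH packet through, which is why the "not expressly permitted is prohibited" policy is the usual choice.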

■ Advantages of packet filter router

· Simple
· Transparent to users

· Very fast

■ Weakness of packet filter firewalls

· Because packet filter firewalls do not examine upper-layer data, they cannot prevent attacks that
employ application specific vulnerabilities or functions.

· Because of the limited information available to the firewall, the logging functionality present in
packet filter firewalls is limited.

· It does not support advanced user authentication schemes.

· They are generally vulnerable to attacks such as network layer address spoofing.

■ Application level gateway

■ An Application level gateway, also called a proxy server, acts as a relay of application level
traffic.

■ The user contacts the gateway using a TCP/IP application, such as Telnet or FTP, and the
gateway asks the user for the name of the remote host to be accessed.

■ When the user responds and provides a valid user ID and authentication information, the
gateway contacts the application on the remote host and relays TCP segments containing
the application data between the two endpoints.

■ Application level gateways tend to be more secure than packet filters.

■ It is easy to log and audit all incoming traffic at the application level.

■ A prime disadvantage is the additional processing overhead on each connection.

■ Circuit level gateway

■ A circuit level gateway can be a stand-alone system or it can be a specialized function performed
by an application level gateway for certain applications.
■ A Circuit level gateway does not permit an end-to-end TCP connection; rather, the gateway
sets up two TCP connections, one between itself and a TCP user on an inner host and one
between itself and a TCP user on an outer host.

■ Once the two connections are established, the gateway typically relays TCP segments from
one connection to the other without examining the contents.

■ The security function consists of determining which connections will be allowed.

■ Bastion host

■ It is a system identified by the firewall administrator as a critical strong point in the
network's security.

■ The Bastion host serves as a platform for an application level and circuit level gateway.

■ Common characteristics of a Bastion host are as follows:

· The Bastion host hardware platform executes a secure version of its operating system, making it a
trusted system.

· Only the services that the network administrator considers essential are installed on the
Bastion host.

· It may require additional authentication before a user is allowed access to the proxy
services.

· Each proxy is configured to support only a subset of the standard application's command set.

■ Each proxy is configured to allow access only to specific host systems.

■ Each proxy maintains detailed audit information by logging all traffic, each connection and
the duration of each connection.

■ Each proxy is independent of other proxies on the Bastion host.

■ A proxy generally performs no disk access other than to read its initial configuration file.

■ Each proxy runs as a non-privileged user in a private and secured directory on the Bastion
host.
■ 1. Screened host firewall, single-homed bastion configuration

■ In this configuration, the firewall consists of two systems: a packet filtering router and a
bastion host. Typically, the router is configured so that

· For traffic from the internet, only IP packets destined for the bastion host are allowed in.

· For traffic from the internal network, only IP packets from the bastion host are allowed out.

■ The bastion host performs authentication and proxy functions. This configuration has
greater security than simply a packet filtering router or an application level gateway alone,
for two reasons:

· This configuration implements both packet level and application level filtering, allowing for
considerable flexibility in defining security policy.

· An intruder must generally penetrate two separate systems before the security of the internal
network is compromised.

Screened host firewall, dual homed bastion configuration

■ Screened subnet firewall configuration


■ In this configuration, two packet filtering routers are used, one between the bastion host
and internet and one between the bastion host and the internal network.

■ This configuration creates an isolated subnetwork, which may consist of simply the bastion
host but may also include one or more information servers and modems for dial-in
capability.

■ Typically both the internet and the internal network have access to hosts on the screened
subnet, but traffic across the screened subnet is blocked.

SET E-commerce Transaction

■ Secure Electronic Transaction (SET) is a communications protocol standard for
securing credit card transactions over networks, specifically, the Internet.

■ SET was not itself a payment system, but rather a set of security protocols and formats that
enabled users to employ the existing credit card payment infrastructure on an open network
in a secure fashion.

■ Secure Electronic Transaction (SET) is a system for ensuring the security of financial
transactions on the Internet. It was supported initially by Mastercard, Visa, Microsoft,
Netscape, and others.

■ With SET, a user is given an electronic wallet (digital certificate) and a transaction is
conducted and verified using a combination of digital certificates and digital signatures
among the purchaser, a merchant, and the purchaser's bank in a way that ensures privacy
and confidentiality

INTRUDERS

■ One of the most publicized threats to security is the intruder, generally referred to as a hacker
or cracker. Three classes of intruders are as follows:

■ Masquerader – an individual who is not authorized to use the computer and who penetrates
a system's access controls to exploit a legitimate user's account.

■ Misfeasor – a legitimate user who accesses data, programs, or resources for which such
access is not authorized, or who is authorized for such access but misuses his or her
privileges.
■ Clandestine user – an individual who seizes supervisory control of the system and uses this
control to evade auditing and access controls or to suppress audit collection.

■ INTRUSION DETECTION:

■ The masquerader is likely to be an outsider; the misfeasor generally is an insider; and the
clandestine user can be either an outsider or an insider.

■ Inevitably, the best intrusion prevention system will fail. A system's second line of defense is
intrusion detection, and this has been the focus of much research in recent years.

■ This interest is motivated by a number of considerations, including the following:

■ If an intrusion is detected quickly enough, the intruder can be identified and ejected from
the system before any damage is done or any data are compromised.

■ An effective intrusion detection system can serve as a deterrent, so acting to prevent
intrusions.

■ Intrusion detection enables the collection of information about intrusion techniques that
can be used to strengthen the intrusion prevention facility.

■ Intrusion detection is based on the assumption that the behavior of the intruder differs from
that of a legitimate user in ways that can be quantified.

■ An intrusion detection system of this kind consists of the following blocks. Log File: the packet
sniffer WinDump collects packet headers of data coming from the Internet or LAN. Data captured
from WinDump is redirected to a file; this file is called the log file.

■ Data Formatting Unit: Data collected in log file is classified according to various fields in the
packet header.

■ Protocols used for different packets are identified using some specific fields or predefined
values of these fields.

■ Log Database: It contains different tables according to different protocols (like TCP/IP, UDP,
ICMP, and ARP).

■ For each protocol there is one table. Each table consists of attributes related to that
particular protocol. Formatted Data is stored in the database.
■ Misuse Detection Block: the misuse detection technique is used for detection of known attacks.
Many computer attacks have a fixed signature.

■ These attack signatures can be used to identify a particular attack. We use predefined rules
and compare the captured data packet header with them. If a pattern matches, the intrusion
detection system declares it an intrusion and alerts the administrator about it.

■ Attack Database: Attack database also contains tables for different protocols as in case of
log database. The entries from log database which are declared as attacks are stored in
attack database. This database can be referred in future for drawing some conclusions or as
a table showing statistics of past attacks on the system.
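The log file, data formatting unit, per-protocol log database, misuse detection block and attack database described above, as an added example that is not part of the original notes. The log lines are constructed in a simplified WinDump-like format (not WinDump's real output), the parser handles IPv4 only, and the three signatures are constructed textbook header anomalies (SYN and FIN set together, source equal to destination, oversized ICMP echo) chosen because they can be decided from header fields alone.

```python
import re
from collections import defaultdict

# Constructed log lines, simplified WinDump-style: "ts PROTO src > dst [flags|type] len=N"
LOG = """\
1700000001 TCP 203.0.113.7:45000 > 192.0.2.10:80 S len=60
1700000002 TCP 203.0.113.7:45001 > 192.0.2.10:22 SF len=40
1700000003 ICMP 203.0.113.8 > 192.0.2.10 echo-request len=1500
1700000004 UDP 192.0.2.10:53000 > 198.51.100.2:53 len=70
1700000005 TCP 192.0.2.10:7 > 192.0.2.10:7 S len=40
1700000006 TCP 203.0.113.7:45002 > 192.0.2.10:443 A len=40
"""

LINE = re.compile(r"^(?P<ts>\d+) (?P<proto>TCP|UDP|ICMP) (?P<src>\S+) > (?P<dst>\S+)(?P<rest>.*)$")

def parse(line):
    """Data formatting unit: one log line -> a record keyed by header fields (IPv4 only)."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    rest = rec.pop("rest").split()
    rec["len"] = int(next(t[4:] for t in rest if t.startswith("len=")))
    rec["flags"] = rest[0] if rec["proto"] == "TCP" else ""        # e.g. "S", "SF", "A"
    rec["icmp_type"] = rest[0] if rec["proto"] == "ICMP" else ""
    for side in ("src", "dst"):                                    # split "host:port" when present
        host, _, port = rec[side].rpartition(":")
        rec[side], rec[side + "_port"] = (host, int(port)) if host else (rec[side], None)
    return rec

def build_log_database(text):
    """Log database: one table per protocol, rows kept in arrival order."""
    tables = defaultdict(list)
    for line in text.splitlines():
        rec = parse(line)
        if rec:
            tables[rec["proto"]].append(rec)
    return dict(tables)

# Misuse signatures (constructed): name -> predicate over one formatted record
SIGNATURES = [
    ("SYN and FIN set together", lambda r: r["proto"] == "TCP" and {"S", "F"} <= set(r["flags"])),
    ("source equals destination (LAND)", lambda r: r["src"] == r["dst"] and r["src_port"] == r["dst_port"]),
    ("oversized ICMP echo request", lambda r: r["icmp_type"] == "echo-request" and r["len"] > 1024),
]

def detect(tables):
    """Misuse detection block: every record is compared against every signature;
    matches are stored per protocol, which is the attack database of the notes."""
    attacks = defaultdict(list)
    for proto, rows in tables.items():
        for rec in rows:
            for name, predicate in SIGNATURES:
                if predicate(rec):
                    attacks[proto].append((name, rec))
    return dict(attacks)

if __name__ == "__main__":
    for proto, hits in detect(build_log_database(LOG)).items():
        for name, rec in hits:
            print(f"ALERT {proto} ts={rec['ts']} {rec['src']} -> {rec['dst']}: {name}")
```

Because only headers are inspected, this catches exactly the class of attack the notes describe (known, fixed-signature patterns) and nothing that lives in the payload or that is spread across many packets; that limitation is the reason misuse detection is usually paired with anomaly-based methods.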

Trusted systems

■ One way to enhance the ability of a system to defend against intruders and malicious
programs is to implement trusted system technology.

■ Data access control

■ Following successful logon, the user has been granted access to one or a set of hosts and
applications. This is generally not sufficient for a system that includes sensitive data in its
database. Through the user access control procedure, a user can be identified to the system.
Associated with each user, there can be a profile that specifies permissible operations and
file accesses. The operating system can then enforce rules based on the user profile. The
database management system, however, must control access to specific records or even
portions of records. The operating system may grant a user permission to access a file or use
an application, following which there are no further security checks; the database
management system, by contrast, must make a decision on each individual access attempt. That decision
will depend not only on the user's identity but also on the specific parts of the data being
accessed and even on the information already divulged to the user.

■ A general model of access control as exercised by a file or database management system is
that of an access matrix. The basic elements of the model are as follows:

■ Subject: An entity capable of accessing objects. Generally, the concept of subject equates
with that of process.

■ Object: Anything to which access is controlled. Examples include files, portion of files,
programs, and segments of memory.

■ Access right: The way in which the object is accessed by a subject. Examples are read, write
and execute. One axis of the matrix consists of identified subjects that may attempt data
access.

■ Typically, this list will consist of individual users or user groups. The other axis lists the
objects that may be accessed. Objects may be individual data fields. Each entry in the matrix
indicates the access rights of that subject for that object. The matrix may be decomposed by
columns, yielding access control lists. Thus, for each object, an access control list lists users
and their permitted access rights. The access control list may contain a default, or public,
entry.
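The access matrix and its decomposition into access control lists, as an added example that is not part of the original notes. The Python below holds a small constructed matrix (subjects by objects, entries are rights), decomposes it by column into per-object ACLs with a default (public) entry, decomposes it by row into capability lists, answers an access question against the ACL view, and checks that the two decompositions carry the same explicit entries.

```python
from collections import defaultdict

# Constructed access matrix: rows are subjects, columns are objects, entries are rights.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "report.txt": {"read"}},
    "bob":   {"report.txt": {"read", "write"}, "backup.sh": {"read", "execute"}},
    "audit": {"payroll.db": {"read"}},
}
# Default (public) entries: rights every subject gets on the object, whether listed or not.
PUBLIC = {"report.txt": {"read"}}

def access_control_lists(matrix, public=PUBLIC):
    """Decompose by column: object -> {subject: rights}; '*' is the default/public entry."""
    acl = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acl[obj][subject] = set(rights)
    for obj, rights in public.items():
        acl[obj]["*"] = set(rights)
    return dict(acl)

def capability_lists(matrix):
    """Decompose by row: subject -> {object: rights}, the capability tickets a subject holds."""
    return {subject: {obj: set(rights) for obj, rights in row.items()}
            for subject, row in matrix.items()}

def permitted(acl, subject, obj, right):
    """Check one access against the ACL view, falling back to the object's default entry."""
    entries = acl.get(obj, {})
    return right in entries.get(subject, set()) or right in entries.get("*", set())

def views_agree(matrix):
    """Both decompositions carry the same (subject, object, right) triples, so the
    matrix can be stored either way without loss; only the lookup direction differs."""
    acl, caps = access_control_lists(matrix, public={}), capability_lists(matrix)
    from_acl = {(s, o, r) for o, ents in acl.items() for s, rs in ents.items() for r in rs}
    from_caps = {(s, o, r) for s, objs in caps.items() for o, rs in objs.items() for r in rs}
    return from_acl == from_caps

if __name__ == "__main__":
    acl = access_control_lists(MATRIX)
    for obj, entries in sorted(acl.items()):
        print(obj, {s: sorted(r) for s, r in entries.items()})
```

The ACL view answers "who may do what to this object" in one lookup, which is what a file or database server needs at each access; the capability view answers "what may this subject touch", which is what a login session or audit of a user needs.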

■ The concept of Trusted Systems:


■ When multiple categories or levels of data are defined, the requirement is referred to as
multilevel security.

■ The general statement of the requirement for multilevel security is that a subject at a high
level may not convey information to a subject at a lower or noncomparable level unless that
flow accurately reflects the will of an authorized user.

■ For implementation purposes, this requirement is in two parts and is simply stated. A
multilevel secure system must enforce:

■ · No read up: A subject can only read an object of less or equal security level. This is referred
to as the simple security property.

■ · No write down: A subject can only write into an object of greater or equal security level.

■ Reference Monitor concept

■ The reference monitor is a controlling element in the hardware and operating system of a
computer that regulates the access of subjects to objects on the basis of security
parameters of the subject and object.

■ The reference monitor has access to a file, known as the security kernel database that lists
the access privileges (security clearance) of each subject and the protection attributes
(classification level) of each object.

■ The reference monitor enforces the security rules and has the following properties:

■ Complete mediation: The security rules are enforced on every access, not just, for example,
when a file is opened.

■ Isolation: The reference monitor and database are protected from unauthorised
modification.

■ Verifiability: The reference monitor’s correctness must be provable. That is, it must be
possible to demonstrate mathematically that the reference monitor enforces the security
rules and provides complete mediation and isolation.

■ Important security events, such as detected security violations and authorized changes to
the security kernel database, are stored in the audit file.
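The multilevel-security rules (no read up, no write down) together with the reference monitor properties above, as an added example that is not part of the original notes. The Python below models a security label as a level plus a set of categories so that non-comparable labels arise naturally, mediates every read and write through one `access` method, keeps the clearance and classification data private to the monitor, and appends a record of each decision to an audit log. Clearances, classifications and the request sequence are constructed for the demo.

```python
from dataclasses import dataclass

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}

@dataclass(frozen=True)
class Label:
    """Security label: a hierarchical level plus a set of categories (compartments)."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """self >= other iff the level is at least as high AND categories are a superset.
        When neither label dominates the other, they are non-comparable."""
        return LEVELS[self.level] >= LEVELS[other.level] and self.categories >= other.categories

class ReferenceMonitor:
    """Mediates every subject/object access (complete mediation), keeps its clearance and
    classification database private (isolation), and records each decision in an audit log."""

    def __init__(self, clearances, classifications):
        self._clearances = dict(clearances)              # security kernel database: subjects
        self._classifications = dict(classifications)    # security kernel database: objects
        self.audit = []

    def access(self, subject, obj, mode):
        s, o = self._clearances[subject], self._classifications[obj]
        if mode == "read":
            ok = s.dominates(o)       # no read up (simple security property)
        elif mode == "write":
            ok = o.dominates(s)       # no write down
        else:
            ok = False                # unknown modes are denied rather than silently allowed
        self.audit.append((subject, obj, mode, "permit" if ok else "deny"))
        return ok

def demo_monitor():
    """Constructed clearances and classifications; returns the monitor after six requests."""
    rm = ReferenceMonitor(
        clearances={"analyst": Label("secret", frozenset({"crypto"})),
                    "clerk": Label("confidential")},
        classifications={"keys.txt": Label("top-secret", frozenset({"crypto"})),
                         "memo.txt": Label("confidential"),
                         "bulletin.txt": Label("unclassified"),
                         "plans.txt": Label("secret", frozenset({"nuclear"}))},
    )
    requests = [("analyst", "memo.txt", "read"),       # read down: permit
                ("analyst", "keys.txt", "read"),       # read up: deny
                ("analyst", "bulletin.txt", "write"),  # write down: deny
                ("analyst", "keys.txt", "write"),      # write up: permit
                ("analyst", "plans.txt", "read"),      # non-comparable categories: deny
                ("clerk", "memo.txt", "read")]         # same level: permit
    for subject, obj, mode in requests:
        rm.access(subject, obj, mode)
    return rm

if __name__ == "__main__":
    for entry in demo_monitor().audit:
        print(*entry)
```

The fifth request is the "noncomparable level" case from the notes: the analyst's level equals the object's, but the category sets differ, so neither label dominates and the read is refused.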
VIRUSES AND RELATED THREATS

■ Perhaps the most sophisticated types of threats to computer systems are presented by
programs that exploit vulnerabilities in computing systems.
■ The Nature of Viruses

■ A virus is a piece of software that can "infect" other programs by modifying them; the
modification includes a copy of the virus program, which can then go on to infect other
programs.

■ During its lifetime, a typical virus goes through the following four phases:

■ · Dormant phase: The virus is idle. The virus will eventually be activated by some event, such
as a date, the presence of another program or file, or the capacity of the disk exceeding
some limit. Not all viruses have this stage.

■ Propagation phase: The virus places an identical copy of itself into other programs or into
certain system areas on the disk. Each infected program will now contain a clone of the
virus, which will itself enter a propagation phase.

■ Triggering phase: The virus is activated to perform the function for which it was intended. As
with the dormant phase, the triggering phase can be caused by a variety of system events,
including a count of the number of times that this copy of the virus has made copies of itself.

■ · Execution phase: The function is performed. The function may be harmless, such as a
message on the screen, or damaging, such as the destruction of programs and data files.

■ Virus Structure:

■ A virus can be prepended or postpended to an executable program, or it can be embedded
in some other fashion. The key to its operation is that the infected program, when invoked,
will first execute the virus code and then execute the original code of the program.

■ An infected program begins with the virus code and works as follows.

■ The first line of code is a jump to the main virus program. The second line is a special marker
that is used by the virus to determine whether or not a potential victim program has already
been infected with this virus.

■ When the program is invoked, control is immediately transferred to the main virus program.
The virus program first seeks out uninfected executable files and infects them. Next, the
virus may perform some action, usually detrimental to the system.

■ This action could be performed every time the program is invoked, or it could be a logic
bomb that triggers only under certain conditions.

■ Finally, the virus transfers control to the original program. If the infection phase of the
program is reasonably rapid, a user is unlikely to notice any difference between the
execution of an infected and uninfected program.

■ Types of Viruses

■ Parasitic virus: The traditional and still most common form of virus. A parasitic virus
attaches itself to executable files and replicates, when the infected program is executed, by
finding other executable files to infect.

■ Memory-resident virus: Lodges in main memory as part of a resident system program.

■ Boot sector virus: Infects a master boot record or boot record and spreads when a system is
booted from the disk containing the virus.

■ Stealth virus: A form of virus explicitly designed to hide itself from detection by antivirus
software.

■ Polymorphic virus: A virus that mutates with every infection, making detection by the
"signature" of the virus impossible.

■ E-mail Viruses

■ A more recent development in malicious software is the e-mail virus. The first rapidly
spreading e-mail viruses, such as Melissa, made use of a Microsoft Word macro embedded
in an attachment. If the recipient opens the e-mail attachment, the Word macro is activated.

■ 1. The e-mail virus sends itself to everyone on the mailing list in the user's e-mail package.

■ 2. The virus does local damage.

■ Worms

■ A worm is a program that can replicate itself and send copies from computer to computer
across network connections. Upon arrival, the worm may be activated to replicate and
propagate again.

■ Metamorphic virus: As with a polymorphic virus, a metamorphic virus mutates with every
infection. The difference is that a metamorphic virus rewrites itself completely at each
iteration, increasing the difficulty of detection. Metamorphic viruses may change their
behavior as well as their appearance.

■ Macro Viruses : In the mid-1990s, macro viruses became by far the most prevalent type of
virus.

■ 1. A macro virus is platform independent. Virtually all of the macro viruses infect Microsoft
Word documents. Any hardware platform and operating system that supports Word can be
infected.

■ 2. Macro viruses infect documents, not executable portions of code. Most of the
information introduced onto a computer system is in the form of a document rather than a
program.

■ 3. Macro viruses are easily spread. A very common method is by electronic mail.

■ Antivirus Approaches

■ The ideal solution to the threat of viruses is prevention. The next best approach is to be able
to do the following:

■ Detection: Once the infection has occurred, determine that it has occurred and locate the virus.

■ Identification: Once detection has been achieved, identify the specific virus that has infected a
program.

■ Removal: Once the specific virus has been identified, remove all traces of the virus from the
infected program and restore it to its original state. Remove the virus from all infected systems so
that the disease cannot spread further.
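The detection and identification steps above, as an added example that is not part of the lecture notes: a small signature scanner that looks for known byte patterns in a set of files and names the virus on a hit, paired with a baseline hash check that flags any modified file even when no signature matches (the situation the notes describe for polymorphic viruses). The virus names, signature bytes, file contents and baseline hashes are all constructed placeholders, not real malware data.

```python
"""Signature scanning plus integrity checking over constructed sample files.

Added example (not from the original notes). Demonstrates why a fixed
byte signature detects an unchanged infection but misses a mutated copy,
and how a trusted baseline hash still reports the file as modified.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical signature database: virus name -> byte pattern.
# Both the names and the patterns are made up for this example.
SIGNATURES: Dict[str, bytes] = {
    "DemoVirus.A": b"\x90\x90MARK-A\x90",
    "DemoVirus.B": b"\xcc\xccMARK-B\xcc",
}


@dataclass
class ScanResult:
    path: str
    signature_hit: Optional[str]    # virus name if a known signature was found
    signature_offset: Optional[int]  # byte offset of the match, for locating the virus
    modified: Optional[bool]         # True if hash differs from baseline; None if no baseline


def find_signature(data: bytes) -> Tuple[Optional[str], Optional[int]]:
    """Identification step: return (virus name, offset) for the first signature found."""
    for name, pattern in SIGNATURES.items():
        idx = data.find(pattern)
        if idx != -1:
            return name, idx
    return None, None


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(files: Dict[str, bytes], baseline: Dict[str, str]) -> Dict[str, ScanResult]:
    """Detection step: scan each file for signatures and compare against baseline hashes."""
    results: Dict[str, ScanResult] = {}
    for path, data in files.items():
        name, idx = find_signature(data)
        modified = None
        if path in baseline:
            modified = sha256(data) != baseline[path]
        results[path] = ScanResult(path, name, idx, modified)
    return results


def infected_paths(results: Dict[str, ScanResult]) -> list:
    """Files that either matched a signature or differ from their trusted baseline."""
    return sorted(p for p, r in results.items()
                  if r.signature_hit is not None or r.modified is True)


# Constructed sample "files". "MZ" stands in for an executable header and
# b"\xeb\x10" for the initial jump into the virus body described in the notes.
CLEAN_APP = b"MZ" + b"\x00" * 4 + b"original host code"
SAMPLE_FILES: Dict[str, bytes] = {
    "clean.exe": CLEAN_APP,
    "app.exe": b"MZ" + b"\xeb\x10" + b"\x90\x90MARK-A\x90" + b"original host code",
    "tool.exe": b"MZ" + b"\xeb\x10" + b"\xcc\xccMARK-B\xcc" + b"tool body",
    # Mutated copy: one byte of the marker region differs, so the fixed signature misses it.
    "mutated.exe": b"MZ" + b"\xeb\x10" + b"\x90\x91MARK-A\x90" + b"original host code",
}

# Constructed baseline: hashes recorded when these files were known to be clean.
BASELINE: Dict[str, str] = {
    "clean.exe": sha256(CLEAN_APP),
    "app.exe": sha256(CLEAN_APP),
    "mutated.exe": sha256(CLEAN_APP),
}


if __name__ == "__main__":
    for path, r in scan(SAMPLE_FILES, BASELINE).items():
        print(f"{path:12s} signature={r.signature_hit} offset={r.signature_offset} modified={r.modified}")
    print("infected:", infected_paths(scan(SAMPLE_FILES, BASELINE)))
```

Running the block shows that app.exe and tool.exe are both detected and identified by signature, while mutated.exe is caught only by the baseline comparison; tool.exe has no baseline entry, so for it the integrity check reports nothing and signature matching is the only evidence.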
