COMPUTER SECURITY
SCSR 3413
LAB 1

NAME: Marliza Zakaria
METRIC NO: SX112013CRF04
SECTION:
DATE:

1. Report the latest statistical data on malicious code attack.

In 2015, the number of zero-day vulnerabilities discovered more than doubled to 54, a 125 percent increase from the year before. Put another way, a new zero-day vulnerability was found every week (on average) in 2015. Given the value of these vulnerabilities, it is not surprising that a market has evolved to meet demand.
2. Fill in Table 1 with the latest report on the different virus attacks.

TABLE 1
Malicious Code | Description of the attack (where, when, losses)

i. boot-sector virus
Infects a storage device's master boot record (MBR), copying its infected code either to the floppy disk's boot sector or to the hard disk's partition table. During start-up, the virus gets loaded into the computer's memory. As soon as the virus is resident in memory, it infects the non-infected disks used by the system.

ii. e-mail virus
An e-mail virus is computer code sent to you as an e-mail note attachment which, if activated, will cause some unexpected and usually harmful effect, such as destroying certain files on your hard disk and causing the attachment to be remailed to everyone in your address book.

iii. macro virus
A macro virus is a computer virus that "infects" a Microsoft Word or similar application and causes a sequence of actions to be performed automatically when the application is started or something else triggers it. Macro viruses tend to be surprising but relatively harmless. A typical effect is the undesired insertion of some comic text at certain points when writing a line. A macro virus is often spread as an e-mail virus. A well-known example, in March 1999, was the Melissa virus.

iv. logic bomb
Small programs or sections of a program triggered by some event, such as a certain date or time, a certain percentage of disk space filled, the removal of a file, and so on. For example, a programmer could establish a logic bomb to delete critical sections of code if she is terminated from the company. Logic bombs are most commonly installed by insiders with access to the system.

v. backdoor
A back door is a means of access to a computer program that bypasses security mechanisms. A programmer may sometimes install a back door so that the program can be accessed for troubleshooting or other purposes. However, attackers often use back doors that they detect or install themselves as part of an exploit. In some cases, a worm is designed to take advantage of a back door created by an earlier attack. For example, Nimda gained entrance through a back door left by Code Red.

vi. stealth virus
A computer virus that uses various mechanisms to avoid detection by antivirus software. Generally, stealth describes any approach to doing something while avoiding notice. Viruses that escape notice without being specifically designed to do so, whether because the virus is new or because the user hasn't updated their antivirus software, are sometimes described as stealth viruses too. Stealth viruses are nothing new: the first known virus for PCs, Brain (reportedly created by software developers as an anti-piracy measure), was a stealth virus that infected the boot sector in storage.

vii. worm
A standalone malware computer program that replicates itself in order to spread to other computers.[1] Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

viii. zombie
A zombie is a computer that has been infected by a computer virus or compromised by a hacker. It can be controlled under remote direction to perform criminal tasks, as well as infect other computers with viruses. A zombie computer can appear to be performing normally, making it hard for you to know that your computer has been compromised.

ix. bot
A computer that a remote attacker has accessed and set up to forward transmissions (including spam and viruses) to other computers on the Internet. The purpose is usually either financial gain or malice.

3. Table 2 lists several countermeasures for virus protection. Complete the table with the description of each countermeasure.

TABLE 2
Virus protection | Description of the countermeasures (how)

i. Integrity Checking
Integrity checking products work by reading your entire disk and recording integrity data that acts as a signature for the files and system sectors. An integrity check program with built-in intelligence is the only solution that can handle all the threats to your data as well as viruses. Integrity checkers also provide the only reliable way to discover what damage a virus has done.

ii. Interception
Interceptors, also known as resident monitors, are particularly useful for deflecting logic bombs and Trojans. The interceptor monitors operating system requests that write to disk or do other things that the program considers threatening (such as installing itself as a resident program). If it finds such a request, the interceptor generally pops up and asks you if you want to allow the request to continue. There is, however, no reliable way to intercept direct branches into low-level code or to intercept direct input and output instructions done by the virus itself. Some viruses even manage to disable the monitoring program itself. Indeed, for one widely-distributed anti-virus program several years back, it only took eight bytes of code to turn its monitoring functions off.

iii. File Extensions
An identifier specified as a suffix to the name of a computer file. The extension indicates a characteristic of the file contents or its intended use. A file extension is typically delimited from the filename with a full stop (period). Some file systems implement filename extensions as a feature of the file system itself, and may limit the length and format of the extension, while others treat filename extensions as part of the filename without special distinction.

iv. Safe Computing Practices
How to protect your computer.

v. Disable Scripting
Open your Internet Explorer browser.
Click on the Gear icon, also known as the Action or Tools menu, located in the upper right-hand corner of your browser window. A drop-down menu will now appear.
Choose the option labeled Internet options.
The Internet Options dialog will now appear, overlaying your main browser window. Click on the tab labeled Security.
In the 'Select a zone' section, click on the option labeled Internet.
In the 'Security level for this zone' section, click on the button labeled Custom Level....
A Security Settings dialog will now appear. Scroll down until you reach the 'Scripting' section. Under the 'Active Scripting' header, select the radio button labeled 'Disable'. You can also choose to have IE ask you for permission each time a script attempts to run rather than disabling them all in one fell swoop. If you prefer this option, simply select the radio button labeled 'Prompt'.
Click on the button labeled OK.
A warning message may now appear asking 'Are you sure you want to change the security settings for this zone?' Click on the button labeled Yes.
You will now be returned to the Internet Options dialog. Click on the button labeled OK.
Restart your Internet Explorer browser.

vi. Backup Strategy
Application data: Apps create and maintain data files such as e-mail messages, browser favorites, calendar entries, and contacts that require daily backing up. Most programs store them in a hidden folder inside your user folder (in XP, C:\Documents and Settings\your name\Application Data; in Vista, C:\Users\your name\AppData). Also, in XP, Microsoft stores Outlook and Outlook Express data in C:\Documents and Settings\your name\Local Settings\Application Data. Fortunately, any well-designed backup program intended for everyday, nonexpert users (as opposed to IT departments) knows where to look for Outlook data.
Media: If your backup medium is sufficiently roomy and fast, you can back up your photo, music, and video files every day. But these large files may require a separate backup strategy.
System: You can always reinstall Windows and your apps, if you have the original discs or can download the programs. But if Windows becomes unusable or your hard drive crashes, switching to a system backup (also called a disaster recovery backup) that you create a couple of times a year can get your machine up and running smoothly without much effort.
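As an added illustration of Table 2 row (i), Integrity Checking (example code written for this page, not from the lab report or any product): a minimal checker that records a SHA-256 signature for every file under a directory and later reports which files changed, appeared or disappeared. The sample files and the simulated changes are constructed in a temporary directory.

```python
# Added example: a toy file-integrity checker in the spirit of Table 2, row (i).
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    sigs = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            sigs[rel] = digest
    return sigs

def compare(baseline, current):
    """Return (modified, added, removed) relative paths, each list sorted."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed

def demo():
    """Constructed scenario: take a baseline of three files, then append to one
    executable, drop a new file and delete a document, and report the diff."""
    with tempfile.TemporaryDirectory() as root:
        files = {"bin/app.exe": b"MZ original", "bin/lib.dll": b"LIB",
                 "doc/notes.txt": b"hello"}
        for rel, data in files.items():
            os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = snapshot(root)

        # Simulated changes after the baseline was recorded.
        with open(os.path.join(root, "bin/app.exe"), "ab") as f:
            f.write(b" + appended bytes")          # file content altered
        with open(os.path.join(root, "bin/dropped.exe"), "wb") as f:
            f.write(b"new file")                   # file appeared
        os.remove(os.path.join(root, "doc/notes.txt"))  # file removed

        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())  # (['bin/app.exe'], ['bin/dropped.exe'], ['doc/notes.txt'])
```

The baseline must itself be stored somewhere the checked system cannot alter, otherwise a change to the files and a matching change to the signatures go unnoticed.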

4. Compare and contrast three common anti-virus applications.

Kaspersky
antivirus engine
anti-phishing
safe surfing
gamer mode
technical support

Bitdefender
antivirus engine
ransomware protection
privacy protection
spam filter
Windows XP-10 support

Trend Micro
antivirus engine
ransomware protection
privacy protection
spam filter
Windows XP-10 support

5. Discuss:
a. The question arises as to whether it is possible to develop a program that can analyse a piece of software to determine if it is a virus. Consider that we have a program that is supposed to be able to do that. That is, for any program P, if we run D(P), the result returned is TRUE (P is a virus) or FALSE (P is not a virus). Now consider the following program:

    Program CV :=
    { ...
      main-program :=
        {if D(CV) then goto next:
         else infect-executable;
        }
    next:
    }

In the preceding program, infect-executable is a module that scans memory for executable programs and replicates itself in those programs. Determine if D can correctly decide whether CV is a virus.

Answer:
Yes, it is possible to develop a program that can examine a piece of software to find out if it is a virus.
Program explanation:
The program D checks the CV program and returns TRUE if CV is a computer virus and FALSE if it is not a virus.
If D states that the program CV is a virus, then CV just goes to the next part to process. Thus CV will not infect an executable program.
But if D states that the program CV is not a virus, then it infects an executable program.
The given condition in the program is wrong.
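The two branches walked through in the program explanation above, modelled in Python as an added example (not part of the lab report): `make_cv` builds CV around a given D, `infect_executable` is a stand-in that only records that the infection branch ran, and D is assumed to be deterministic.

```python
# Added example: the self-referential program CV from question 5(a).
# `detector` plays the role of D; the two sample detectors are constructed.

def make_cv(detector):
    """Build CV around D. CV asks D about itself and then does the opposite of
    D's verdict: it only goes to `next` when D says TRUE (virus) and only runs
    infect-executable when D says FALSE (not a virus)."""
    log = []

    def infect_executable():
        log.append("infect-executable ran")   # stand-in, records the branch only

    def cv():
        if detector(cv):          # D(CV) is TRUE: goto next
            pass
        else:                     # D(CV) is FALSE: infect-executable
            infect_executable()
        return "next"

    cv.log = log
    return cv

def verdict_matches_behaviour(detector):
    """Run CV built around `detector` and report whether D's verdict on CV
    agrees with what CV actually did (TRUE should mean it infected)."""
    cv = make_cv(detector)
    said_virus = detector(cv)
    cv()
    did_infect = bool(cv.log)
    return said_virus == did_infect

# Two constructed detectors at the extremes; any deterministic D behaves alike.
def always_virus(program):
    return True

def never_virus(program):
    return False

if __name__ == "__main__":
    for d in (always_virus, never_virus):
        print(d.__name__, "correct on CV:", verdict_matches_behaviour(d))  # False
```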
b. The following code fragments show a sequence of virus instructions and a metamorphic version of the virus. Describe the effect produced by the metamorphic code.

Original Code
    mov eax, 5
    add eax, ebx
    call [eax]

Metamorphic Code
    mov eax, 5
    push ecx
    pop ecx
    add eax, ebx
    swap eax, ebx
    swap ebx, eax
    call [eax]
    nop

Answer:
Same effect as the first code fragment.
1st line: same, eax = 5.
In the second sample, push ecx then pop ecx does nothing with ecx (no net change).
Next line: same, eax = eax + ebx.
In the second sample, swap eax <=> ebx and then swap back again (no net change).
Next line: same, call [eax].
In the second sample, nop does nothing (a wait).
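To check the claim above mechanically, here is an added example (not from the lab report) with a toy emulator for just the instructions in question 5(b). `swap` is the textbook's notation and is treated like an exchange of two registers; `call [eax]` is modelled by recording the call target; the starting values of ebx and ecx are constructed.

```python
# Added example: tiny emulator for the two listings in question 5(b).
ORIGINAL = ["mov eax, 5", "add eax, ebx", "call [eax]"]

METAMORPHIC = ["mov eax, 5", "push ecx", "pop ecx", "add eax, ebx",
               "swap eax, ebx", "swap ebx, eax", "call [eax]", "nop"]

def parse(line):
    """'add eax, ebx' -> ('add', ['eax', 'ebx']); 'nop' -> ('nop', [])."""
    mnem, _, rest = line.strip().partition(" ")
    return mnem, ([op.strip() for op in rest.split(",")] if rest else [])

def run(program, ebx=0x1000, ecx=7):
    """Execute a listing and return (registers, stack, call target).
    ebx and ecx start from constructed sample values; eax starts at 0."""
    regs = {"eax": 0, "ebx": ebx, "ecx": ecx}
    stack, target = [], None
    for line in program:
        mnem, ops = parse(line)
        if mnem == "mov":                      # immediate source only
            regs[ops[0]] = int(ops[1])
        elif mnem == "add":                    # 32-bit wrap-around
            regs[ops[0]] = (regs[ops[0]] + regs[ops[1]]) & 0xFFFFFFFF
        elif mnem == "push":
            stack.append(regs[ops[0]])
        elif mnem == "pop":
            regs[ops[0]] = stack.pop()
        elif mnem == "swap":                   # exchange two registers
            regs[ops[0]], regs[ops[1]] = regs[ops[1]], regs[ops[0]]
        elif mnem == "call":                   # record target of call [reg]
            target = regs[ops[0].strip("[]")]
        elif mnem == "nop":
            pass
        else:
            raise ValueError(f"unsupported instruction: {line}")
    return regs, stack, target

def same_effect(a, b):
    """True when both listings finish in identical state: same semantics."""
    return run(a) == run(b)

def same_text(a, b):
    """True when the listings are identical as text, which is all a plain
    pattern-matching scanner would see."""
    return a == b

if __name__ == "__main__":
    print("same effect:", same_effect(ORIGINAL, METAMORPHIC))   # True
    print("same text  :", same_text(ORIGINAL, METAMORPHIC))     # False
```

The pair behaves identically yet matches no common byte pattern, which is why detection of such code relies on emulation or behaviour rather than fixed signatures.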
