Virus and Malicious Code Chapter 5


Transcript of Virus and Malicious Code Chapter 5

Page 1: Virus and Malicious Code Chapter 5

Chapter 5

Virus and Malicious Code

Page 2: Virus and Malicious Code Chapter 5

Malicious Code

► Malicious code can be a program or part of a program; a program part can even attach itself to another (good) program so that the malicious effect occurs whenever the good program runs.

► Malicious code can do anything any other program can, such as writing a message on a computer screen, stopping a running program, generating a sound or erasing a stored file. Malicious code can even do nothing at all.

Page 3: Virus and Malicious Code Chapter 5

Malicious Code

So…
► What is malicious code?
► How can it take control of a system?
► How can it lodge in a system?
► How does malicious code spread?
► How can it be recognized?
► How can it be stopped?

Page 4: Virus and Malicious Code Chapter 5

Malicious Code

Types of Malicious Code

► Virus – attaches itself to a program and propagates copies of itself to other programs.
► Trojan Horse – contains unexpected, additional functionality.
► Logic bomb – triggers an action when a condition occurs.
► Time bomb – triggers an action when a specific time occurs.
► Trapdoor – allows unauthorized access to functionality.
► Worm – propagates copies of itself through a network.
► Rabbit – like a virus or worm, replicates itself without limit to exhaust resources.

Page 5: Virus and Malicious Code Chapter 5

Virus

► A virus: a program that passes on malicious code to other non-malicious programs by modifying them. Similar to a biological virus, it infects healthy subjects. It infects a program by attaching itself to the program.
► It may destroy the program or coexist with it.
► A good program, once infected, becomes a carrier and infects other programs.
► A virus is either transient or resident (stand-alone).

Page 6: Virus and Malicious Code Chapter 5

Trojan Horse

► Trojan Horse: malicious code that, in addition to its primary effect, has a second, malicious effect.

Example 1: a login script that solicits a user’s identification and password, passes the information to the system for login processing, and keeps a copy for malicious purposes.

Example 2: a cat command that displays text and also sends a copy of the text somewhere else.

Page 7: Virus and Malicious Code Chapter 5

Trapdoor

► Trapdoor/backdoor: a feature in a program by which someone can access the program using special privilege.

e.g. an ATM that provides the code 990099 to execute something

Page 8: Virus and Malicious Code Chapter 5

Worm

► Worm: spreads copies of itself through a network. A worm spreads through a network, whereas a virus spreads through other media. A worm spreads itself as a stand-alone program.

Page 9: Virus and Malicious Code Chapter 5

Trapdoors

► A secret, undocumented entry point into a module which allows a specialized access.

► The trapdoor is inserted during code development, to test the modules and to allow access in the event of an error.

► Trapdoors are vulnerabilities because they expose the system to modification during execution.

► The programmer usually removes trapdoors during program development, but sometimes forgets to remove them, or leaves them in the program for testing and maintenance, or as a covert means of access to the routine after it becomes an accepted production program.

Page 10: Virus and Malicious Code Chapter 5

Trapdoors

► A trapdoor can be used by anyone who discovers it, by accident or by exhaustive trials.
► Examples of trapdoors in program development which can be abused:
Debugging/testing software modules using drivers and stubs, and debug control sequences
Poor quality programs, e.g. use of a CASE statement which captures all “defaults”
Unused opcodes in hardware design which can be exploited to do other undocumented things
► Trapdoors are generally desirable in program development: auditors introduce fictitious transactions and trace the effect; they are important for program maintenance.
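The CASE-statement trapdoor from the list above, shown as a fail-open dispatcher beside its fail-closed replacement. This is an added example and not code from the slides; the command names, roles, result strings and the `AUDIT_LOG` list are constructed for the illustration.

```python
"""Fail-open versus fail-closed command dispatch.

Added example, not code from the original slides. It demonstrates the
trapdoor described on the slide: a CASE/switch whose "default" branch
captures every unexpected input and honours it. Commands, roles and the
audit log are constructed for this example.
"""

# Constructed access table: which roles may run which command.
ALLOWED = {
    "view_balance": {"teller", "auditor"},
    "reverse_txn": {"auditor"},
}
RESULTS = {
    "view_balance": "balance shown",
    "reverse_txn": "transaction reversed",
}

# Denied requests are recorded here so that probing for hidden commands
# (the "exhaustive trials" the slide mentions) shows up in review.
AUDIT_LOG = []


def dispatch_fail_open(command: str, role: str) -> str:
    """Weak form. The final branch was written for maintenance, but it is
    reached by any command name not listed above, from any role (and by a
    listed command used with the wrong role), so an unlisted name becomes
    an undocumented entry point."""
    if command == "view_balance" and role in ALLOWED[command]:
        return RESULTS[command]
    if command == "reverse_txn" and role in ALLOWED[command]:
        return RESULTS[command]
    # default branch: captures everything else and runs a maintenance action
    return "maintenance action: " + command


def dispatch_fail_closed(command: str, role: str) -> str:
    """Hardened form. Unknown commands and unauthorised roles are both
    refused, and every refusal is logged. There is no default branch that
    does work on the caller's behalf."""
    roles = ALLOWED.get(command)
    if roles is None:
        AUDIT_LOG.append(f"denied unknown command {command!r} from role {role!r}")
        return "denied"
    if role not in roles:
        AUDIT_LOG.append(f"denied {command!r} for role {role!r}")
        return "denied"
    return RESULTS[command]


if __name__ == "__main__":
    print(dispatch_fail_open("diag_dump", "teller"))    # trapdoor reached
    print(dispatch_fail_closed("diag_dump", "teller"))  # denied
    print(AUDIT_LOG)
```

The fix is structural rather than a longer list of cases: the table of known commands is the only way in, and the default outcome is a logged refusal. The same "default branch does something useful" pattern is what a left-in debug control sequence amounts to.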

Page 11: Virus and Malicious Code Chapter 5

How Viruses Attach?

(1) Appended Virus

[Diagram: Original Program + Virus code = Original Program followed by Virus code]

Page 12: Virus and Malicious Code Chapter 5

How Viruses Attach?

(1) Appended Viruses

► A virus attaches itself to a program.
► Whenever the program runs, the virus is activated.
► A virus simply inserts a copy of itself into the program file before the first executable instruction, so that all the virus instructions are completely executed and then followed by the real program instructions.

Page 13: Virus and Malicious Code Chapter 5

How Viruses Attach?

(2) Viruses that surround a program

[Diagram: Original Program becomes Virus code (part a), Original program, Virus code (part b)]

This kind of virus runs the original program but has control before and after its execution.

Page 14: Virus and Malicious Code Chapter 5

How Viruses Attach?

(3) Integrated Viruses and Replacement

[Diagram: Original Program + Virus Code = Modified program]

Page 15: Virus and Malicious Code Chapter 5

How Viruses Attach?

(3) Integrated Viruses and Replacement

► A virus might replace some of its target, integrating itself into the original code of the target.

► Finally, the virus can replace the entire target, either mimicking the effect of the target or ignoring the expected effect of the target and performing only the virus effect.

Page 16: Virus and Malicious Code Chapter 5

How Viruses Gain Control?

(1) Overwriting Target

[Diagram: A) Overwriting. Before: the file directory entry for T points to T in disk storage. After: the directory entry for T points to the virus V, which has overwritten T in disk storage.]

Page 17: Virus and Malicious Code Chapter 5

How Viruses Gain Control?

(1) Overwriting Target

► The virus (V) has to be invoked instead of the target (T).

► The virus (V) either has to be seen to be T, saying effectively “I’m T”

► Or the virus (V) has to push T out of the way and become a substitute for T, saying effectively “call me instead of T”

Page 18: Virus and Malicious Code Chapter 5

How Viruses Gain Control?

(2) Changing Pointers

[Diagram: B) Changing Pointer. Before: the file directory entry for T points to T. After: the directory entry for T points to V; T remains in disk storage.]

The virus changes the pointers in the file table so that V is located instead of T whenever T is accessed through the file system.

Page 19: Virus and Malicious Code Chapter 5

Home for Viruses

Boot Sector Viruses

► A special case of virus attachment, but a fairly popular one.
► When a computer is started, control starts with firmware that determines which hardware components are present, tests them and transfers control to the OS.
► The OS is software stored on disk. The OS has to start with code that copies it from disk to memory and transfers control to it, called the bootstrap load.
► Booting: the firmware reads the boot sector (a fixed location on the hard disk) into a fixed location in memory and jumps to the address that contains the bootstrap loader.

Page 20: Virus and Malicious Code Chapter 5

Home for Viruses

► The loader loads the OS into memory.
► The boot sector on a PC is less than 512 bytes.
► Chaining is used to support a big bootstrap.
► This mechanism can be utilized for virus installation.
► A virus writer can break the chain, point to the virus code, and reconnect the chain after virus installation.
► The advantage: the virus gains control early during the boot process.
► It hides in the boot area, which is not accessible by users.

Page 21: Virus and Malicious Code Chapter 5

Home for Viruses

[Diagram: Before infection, the boot sector holds the bootstrap loader, which continues to system initialization in other sectors. After infection, the bootstrap loader in the boot sector continues to the virus code, which then continues to system initialization in other sectors.]

Page 22: Virus and Malicious Code Chapter 5

Home for Viruses

A virus can:
► attach itself to the system files IO.SYS or MSDOS.SYS
► attach itself to any other program loaded because of an entry in CONFIG.SYS or AUTOEXEC.BAT, or
► add an entry to CONFIG.SYS or AUTOEXEC.BAT to cause it to be loaded
► Example: CIH virus, BRAIN virus

Page 23: Virus and Malicious Code Chapter 5

Home for Viruses

Memory-Resident Viruses

► Some parts of the OS or a program execute, terminate and disappear, with their space in memory being available for anything executed later.
► Frequently used code remains in special memory and is called “resident code” or TSR.
► Virus writers also like to attach viruses to resident code because it is activated many times while the machine is running.
► Each time the resident code runs, the virus does too.
► Once activated, the virus can look for and infect uninfected carriers.
► A virus may target an uninfected diskette.

Page 24: Virus and Malicious Code Chapter 5

Home for Viruses

Other Homes For Viruses

► A popular home for viruses is an application program.
► Word processors and spreadsheets have macros, with which users may record a series of commands for a single invocation.
► A virus writer may create a startup macro that contains the virus.
► It also embeds a copy of itself in data files, so that the infection spreads to anyone receiving them.
► Libraries are also excellent places for viruses, because they are used by many programs; the code in them has a broad effect and is also shared between users.

Page 25: Virus and Malicious Code Chapter 5

Virus Signature

► Virus code cannot be completely invisible.
► Code must be in memory to be executed.
► Viruses have their own characteristics/behaviour – a signature.

(1) Storage pattern – viruses that attach to programs that are stored on disk.

The attached virus piece is invariant, so that the start of the virus code becomes a detectable signature. The signature may be only a small portion of code that JUMPs to the virus module.
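The storage-pattern idea above, as a small signature scanner. This is an added example and not code from the slides: the "original program", the virus body, the infected image and the signature table are all constructed byte strings for the illustration (a real scanner takes its signatures from a vendor database). The layout follows the slide: a short JMP stub at the entry point sends control to the invariant virus body appended after the original program, and it is that invariant start that the signature matches.

```python
"""Storage-pattern signature scanning.

Added example, not code from the slides. The "infected program", the
virus body and the signature are all constructed byte strings for this
illustration; a real scanner takes signatures from a vendor database.
"""
from typing import Dict, List, Optional

# Constructed: a 17-byte "original program" image.
ORIGINAL_PROGRAM = b"\x55\x89\xe5" + b"HELLO, WORLD" + b"\xc9\xc3"

# Constructed virus body. Its first bytes never change between copies,
# which is what makes a storage-pattern signature possible.
VIRUS_BODY = b"\xe8\x00\x00\x00\x00\x5b\x81\xeb" + b"CONSTRUCTED-VIRUS-BODY"

# Appended infection as the slide describes it: a small JMP stub at the
# entry point (0xE9 rel32 = skip the 17 original bytes) sends control to
# the virus body, which is appended after the original program.
INFECTED_PROGRAM = b"\xe9\x11\x00\x00\x00" + ORIGINAL_PROGRAM + VIRUS_BODY

# Signature table: name -> byte pattern. None is a wildcard byte, so one
# entry still matches copies that differ only in a displacement field.
Pattern = List[Optional[int]]
SIGNATURES: Dict[str, Pattern] = {
    "Demo.Appender": [0xE8, None, None, None, None, 0x5B, 0x81, 0xEB],
}


def match_at(data: bytes, offset: int, pattern: Pattern) -> bool:
    """True if pattern matches data at offset (wildcards match any byte)."""
    if offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def find_signature(data: bytes, pattern: Pattern) -> Optional[int]:
    """Return the first offset where pattern occurs in data, else None."""
    for offset in range(len(data) - len(pattern) + 1):
        if match_at(data, offset, pattern):
            return offset
    return None


def scan(data: bytes) -> Dict[str, int]:
    """Scan one file image; returns {signature_name: offset} for every hit."""
    hits = {}
    for name, pattern in SIGNATURES.items():
        offset = find_signature(data, pattern)
        if offset is not None:
            hits[name] = offset
    return hits


def scan_files(files: Dict[str, bytes]) -> Dict[str, Dict[str, int]]:
    """Scan several images at once; only infected names appear in the result."""
    report = {}
    for name, data in files.items():
        hits = scan(data)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    print(scan_files({"clean.bin": ORIGINAL_PROGRAM, "infected.bin": INFECTED_PROGRAM}))
```

The wildcard bytes cover copies that differ only in a displacement; a polymorphic virus (page 28) that rewrites the invariant bytes themselves is exactly the case this kind of fixed-pattern matching misses.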

Page 26: Virus and Malicious Code Chapter 5

Virus Signature

(2) Execution Pattern

► A virus writer may want a virus to do several things: spread infection, avoid detection, cause harm.
► The harm that a virus can cause is unlimited:
Do nothing
Display a message on the screen
Play music
Erase a file or the entire disk
Prevent booting
Write on the hard disk

Page 27: Virus and Malicious Code Chapter 5

Virus Signature

(3) Transmission pattern

► A virus also has to have some means of transmission from one disk to another

► Viruses can travel during the boot process, with an executable file, or in data files.

► Viruses travel during execution of an infected program.

► Because a virus can execute any instruction a program can, virus travel is not confined to any single medium or execution pattern.

Page 28: Virus and Malicious Code Chapter 5

Virus Signature

(4) Polymorphic Viruses

► A polymorphic virus is a virus that can change its appearance.
► “Poly” means “many” and “morph” means “form”.
► To avoid detection, not every copy of a polymorphic virus has to differ from every other copy.

Page 29: Virus and Malicious Code Chapter 5

Preventing Virus

► Use only commercial software acquired from reliable, well-established vendors.
► Test all new software on an isolated computer.
► Make a bootable diskette and store it safely; write-protect it before booting.
► Make and retain backup copies of executable system files.
► Use virus detectors regularly.
► Don’t trust any source from outside until it has been tested first.
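The "retain backup copies of executable system files" advice above, and the appended-virus layout from page 12, as a worked integrity check. This is an added example, not code from the slides: it records the size and SHA-256 of every file under a directory as a baseline, then compares a later snapshot and reports files that grew (as an appended virus makes them), changed without growing (overwritten), appeared, or went missing. The file names `login`, `cat`, `ls` and `extra` are constructed stand-ins for system executables, created in a temporary directory by `demo()`.

```python
"""Integrity baseline for executable files.

Added example, not code from the slides. Constructed files in a temporary
directory stand in for system executables; the names are assumptions.
"""
import hashlib
import os
import tempfile
from typing import Dict, Tuple

# relative path -> (size in bytes, sha256 hex digest)
Baseline = Dict[str, Tuple[int, str]]


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large executables are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Baseline:
    """Record size and digest for every file below root."""
    baseline: Baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            baseline[rel] = (os.path.getsize(full), file_digest(full))
    return baseline


def compare(before: Baseline, after: Baseline) -> dict:
    """Diff two baselines. 'modified' maps path -> how the size changed,
    which separates an appended virus (file grew) from an overwrite."""
    report = {
        "modified": {},
        "added": sorted(set(after) - set(before)),
        "missing": sorted(set(before) - set(after)),
    }
    for rel in set(before) & set(after):
        if before[rel] != after[rel]:
            old_size, _ = before[rel]
            new_size, _ = after[rel]
            if new_size > old_size:
                kind = "grew"
            elif new_size < old_size:
                kind = "shrank"
            else:
                kind = "same size"
            report["modified"][rel] = kind
    return report


def demo() -> dict:
    """Build a baseline over constructed files, simulate four kinds of
    change, and return the comparison report."""
    with tempfile.TemporaryDirectory() as root:
        # constructed stand-ins for executable system files
        for name, body in {"login": b"LOGIN-PROGRAM", "cat": b"CAT-PROGRAM",
                           "ls": b"LS-PROGRAM"}.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)

        # appended infection: the file grows and its digest changes
        with open(os.path.join(root, "login"), "ab") as f:
            f.write(b"APPENDED-BYTES")
        # overwrite: same size, different content
        with open(os.path.join(root, "cat"), "wb") as f:
            f.write(b"XAT-PROGRAM")
        # a new file appears, and one disappears
        with open(os.path.join(root, "extra"), "wb") as f:
            f.write(b"?")
        os.remove(os.path.join(root, "ls"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as the moment it was taken, which is why the slide pairs it with testing new software on an isolated machine first: take the baseline from a known-clean state and keep it off the machine it describes.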