Malicious Code
Chapter 5
Virus and Malicious Code
Malicious code can be a program or part of a program; a program part can even attach itself to another (good) program so that the malicious effect occurs whenever the good program runs. Malicious code can do anything any other program can do, such as writing a message on a computer screen, stopping a running program, generating a sound or erasing a stored file; malicious code can even do nothing at all.
Malicious Code
So, what is malicious code? How can it take control of a system? How can it lodge in a system? How does malicious code spread? How can it be recognized? How can it be stopped?
Malicious Code
Types of Malicious Code
- Virus: attaches itself to a program and propagates copies of itself to other programs.
- Trojan horse: contains unexpected, additional functionality.
- Logic bomb: triggers an action when a condition occurs.
- Time bomb: triggers an action when a specific time occurs.
- Trapdoor: allows unauthorized access to functionality.
- Worm: propagates copies of itself through a network.
- Rabbit: a virus or worm that replicates itself without limit to exhaust resources.
Virus
A virus is a program that passes on malicious code to other non-malicious programs by modifying them. Similar to a biological virus, it infects healthy subjects. It infects a program by attaching itself to that program, and either destroys the program or coexists with it. A good program, once infected, becomes a carrier and infects other programs. A virus is either transient or resident (stand-alone).
Trojan Horse
A Trojan horse is malicious code that, in addition to its primary effect, has a malicious effect. Example 1: a login script that solicits a user's identification and password, passes the information to the system for login processing, and keeps a copy for malicious purposes. Example 2: a cat command that displays text and also sends a copy of the text somewhere else.
4/9/2013
Trapdoor/backdoor
A feature in a program by which someone can access the program using special privilege, e.g. an ATM that accepts the code 990099 to execute something.
Worm
Spreads copies of itself through a network. A worm spreads through the network, a virus through other media. A worm spreads itself as a stand-alone program.
Trapdoors
A secret, undocumented entry point into a module which allows specialized access. The trapdoor is inserted during code development to test the modules and to allow access in the event of an error.
It can be used by anyone who discovers the trapdoor by accident or by exhaustive trials. Examples of trapdoors in program development which can be abused:
- Debugging/testing software modules using drivers, stubs and debug control sequences
- Poor-quality programs, e.g. use of a CASE statement that captures all defaults
- Unused opcodes in a hardware design, which can be exploited to do other undocumented things
Trapdoors are vulnerabilities because they expose the system to modification during execution. The programmer usually removes trapdoors during program development. But sometimes programmers forget to remove them, leave them in the program for testing and maintenance, or keep them as a covert means of access to the routine after it becomes an accepted production program.
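The "CASE statement that captures all defaults" above, as an added example that is not part of the lecture notes: a command handler whose catch-all default branch acts as a trapdoor, beside a hardened version with an explicit allow-list. The handler names and the code "990099" are constructed illustrations.

```python
# Added example, not from the lecture notes: a command handler whose
# catch-all default branch works as a trapdoor, beside a hardened version.
# The handler names and the code "990099" are constructed illustrations
# (the notes mention an ATM accepting a code of that form).

import logging

log = logging.getLogger("dispatcher")

def maintenance_dump():
    # Privileged routine left over from development; returns a marker here.
    return "MAINTENANCE DUMP"

def balance():
    return "balance: 100"

def dispatch_loose(cmd):
    # The "CASE statement that captures all defaults" from the notes:
    # anything that matches no documented command falls into the leftover
    # debug branch, so an undocumented input reaches the privileged routine.
    if cmd == "balance":
        return balance()
    else:
        return maintenance_dump()

ALLOWED = {"balance": balance}

def dispatch_strict(cmd):
    # Explicit allow-list: unknown input is refused and logged rather than
    # routed to a leftover handler, so the maintenance routine is not
    # reachable from user input at all.
    handler = ALLOWED.get(cmd)
    if handler is None:
        log.warning("rejected unknown command %r", cmd)
        return "error: unknown command"
    return handler()

def reachable_handlers(allowed):
    # Review check: the routines reachable from user input should match the
    # documented interface exactly, with no undocumented entry points.
    return sorted(f.__name__ for f in allowed.values())
```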
A virus attaches itself to a program. Whenever the program runs, the virus is activated. The simplest virus inserts a copy of itself into the program file before the first executable instruction, so that all the virus instructions are executed first, followed by the real program instructions.
[Figure: original program (as stored on disk) beside the modified program, in which the virus code is placed before the original program]
This kind of virus runs the original program but has control before and after its execution.
Alternatively, a virus might replace some of its target, integrating itself into the original code of the target.
Finally, the virus can replace the entire target, either mimicking the effect of the target or ignoring the expected effect of the target and performing only the virus effect.
A) Overwriting
[Figure: before and after overwriting, the target T is replaced by the virus V]
The virus (V) either has to be seen to be T, saying effectively "I'm T", or the virus (V) has to push T out of the way and become a substitute for T, saying effectively "call me instead of T".
B) Changing pointers
The virus changes the pointers in the file table so that V is located instead of T whenever T is accessed through the file system.
[Figure: file-table pointers before infection and after infection]
Some parts of the OS or of a program execute, terminate and disappear, with their space in memory becoming available for anything executed later. Frequently used code remains in a special area of memory and is called resident code or TSR (terminate-and-stay-resident). Virus writers like to attach viruses to resident code because it is activated many times while the machine is running. Each time the resident code runs, the virus does too. Once activated, the virus can look for and infect uninfected carriers; a virus may target an uninfected diskette.
A popular home for viruses is an application program. Word processors and spreadsheets have a macro facility where users may record a series of commands under a single invocation. A virus writer may create a startup macro that contains a virus. It also embeds a copy of itself in data files so that the infection spreads to anyone receiving them. Libraries are also excellent places for viruses, because they are used by many programs, so the code in them has a broad effect, and they are also shared between users.
Virus Signature
Virus code cannot be completely invisible: code must be in memory to be executed. Viruses have their own characteristic behaviour, a signature.
(1) Storage pattern: viruses that attach to programs stored on disk. The attached virus piece is invariant, so the start of the virus code becomes a detectable signature. The attachment may be only a small portion at the start of the file that JUMPs to the virus module.
(2) Execution pattern: a virus writer may want a virus to do several things: spread infection, avoid detection, cause harm. The harm that a virus can cause is unlimited: do nothing, display a message on the screen, play music, erase a file or the entire disk, prevent booting, write on the hard disk.
(3) Transmission pattern: a virus also has to have some means of transmission from one disk to another. Viruses can travel during the boot process, with an executable file, or in data files. Viruses travel during execution of an infected program. Because a virus can execute any instruction a program can, virus travel is not confined to any single medium or execution pattern.
(4) Polymorphic viruses: a polymorphic virus is a virus that can change its appearance. Poly means many and morph means form. To avoid detection, not every copy of a polymorphic virus has to differ from every other copy.
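The storage-pattern signature and the polymorphic case above, as an added example that is not part of the lecture notes: a minimal byte-signature scanner that checks for the JUMP stub at the start of a file and matches signatures with wildcard bytes, so that a variant whose variable bytes differ is still caught by the invariant part. The "executable images" and signatures are constructed byte strings, not real virus code.

```python
# Added example, not from the lecture notes: a minimal storage-pattern
# signature scanner. The "executable images" and the signatures are
# constructed byte strings for illustration, not real virus code.

# name -> byte pattern; None is a wildcard for a byte that may differ
# between copies (the polymorphic case discussed in the notes).
SIGNATURES = {
    "exact-demo": [0xE9, 0x10, 0x00, 0x56, 0x49, 0x52, 0x2D, 0x58],
    "masked-demo": [0xE9, None, None, 0x56, 0x49, 0x52, 0x2D, 0x58],
}

def matches_at(data, offset, pattern):
    # True when every non-wildcard byte of the pattern equals data at offset.
    if offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))

def scan(data):
    # Return the list of (signature name, offset) hits in one image.
    hits = []
    for name, pattern in SIGNATURES.items():
        for off in range(len(data) - len(pattern) + 1):
            if matches_at(data, off, pattern):
                hits.append((name, off))
    return hits

def starts_with_jump(data):
    # Storage-pattern heuristic from the notes: an infected file often begins
    # with a small stub that JUMPs to the virus module. 0xE9 is the x86 near
    # jump opcode; using it alone as an indicator is this example's assumption.
    return len(data) > 0 and data[0] == 0xE9

# Constructed samples: a clean image and two "infected" variants that share
# the invariant body but differ in the two jump-displacement bytes.
CLEAN = bytes([0x55, 0x89, 0xE5, 0x90, 0x90, 0xC3])
INFECTED_A = bytes([0xE9, 0x10, 0x00, 0x56, 0x49, 0x52, 0x2D, 0x58]) + CLEAN
INFECTED_B = bytes([0xE9, 0x20, 0x00, 0x56, 0x49, 0x52, 0x2D, 0x58]) + CLEAN

def report(label, data):
    # Combine both checks into one record, as a scanner log line would.
    return {"label": label, "jump_stub": starts_with_jump(data), "hits": scan(data)}
```

The exact signature matches only INFECTED_A, while the masked signature matches both variants; that is the gap a polymorphic copy opens for an exact-byte scanner.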
Preventing Viruses
- Use only commercial software acquired from reliable, well-established vendors.
- Test all new software on an isolated computer.
- Make a bootable diskette, store it safely, and write-protect it before booting.
- Make and retain backup copies of executable system files.
- Use virus detectors regularly.
- Don't trust any source from outside until it has been tested first.
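The advice to retain copies of executable system files, as an added example that is not part of the lecture notes: a file-integrity baseline that records a digest of each executable and later reports modified, added and missing files, which is how a prepending or overwriting infection shows up. The file names and contents are constructed in a temporary directory so the example runs offline.

```python
# Added example, not from the lecture notes: a file-integrity baseline for
# executable files. Paths and file contents are constructed in a temporary
# directory for illustration.

import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    # Map each file's relative path to its digest and size.
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            baseline[rel] = (sha256_file(full), os.path.getsize(full))
    return baseline

def compare(baseline, current):
    # Classify differences the way a post-infection check would report them:
    # a prepending or overwriting virus changes the digest (and usually the
    # size); a newly dropped file shows up as "added".
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "missing": missing}

def demo():
    # Constructed scenario: snapshot a directory, then simulate tampering by
    # prepending bytes to one program and dropping an extra file.
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("prog.bin", b"\x55\x89\xe5\xc3"), ("util.bin", b"\x90\xc3")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        before = build_baseline(root)
        with open(os.path.join(root, "prog.bin"), "rb+") as f:
            original = f.read()
            f.seek(0)
            f.write(b"\xe9\x10\x00" + original)
        with open(os.path.join(root, "dropped.bin"), "wb") as f:
            f.write(b"\xcc")
        return compare(before, build_baseline(root))
```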