
Chapter 10

Malicious code can be a program or part of a program; a program part can even attach itself to another (good) program so that the malicious effect occurs whenever the good program runs.
Malicious code can do anything any other program can, such as writing a message on a computer screen, stopping a running program, generating a sound, or erasing a stored file; malicious code can even do nothing at all.

Virus and Malicious Code


Hatim Mohamad Tahir

TIJ 6023 - Network Security

Types of Malicious Code

Virus - attaches itself to a program and propagates copies of itself to other programs.
Trojan Horse - contains unexpected, additional functionality.
Logic bomb - triggers an action when a condition occurs.
Time bomb - triggers an action when a specific time occurs.
Trapdoor - allows unauthorized access to functionality.
Worm - propagates copies of itself through a network.
Rabbit - a virus or worm that replicates itself without limit to exhaust resources.

Virus

A program that passes on malicious code to other non-malicious programs by modifying them.
Similar to a biological virus, it infects healthy subjects.
It infects a program by attaching itself to the program.
It either destroys the program or coexists with it.
A good program, once infected, becomes a carrier and infects other programs.
Either transient or resident.

Trojan Horse

Malicious code that, in addition to its primary effect, has an additional malicious effect.
Example 1: a login script that solicits a user's identification and password, passes the information to the system for login processing, and keeps a copy for malicious purposes.
Example 2: a cat command that displays text and also sends a copy of the text somewhere else.

Malicious Code

So..
What is malicious code?
How can it take control of a system?
How can it lodge in a system?
How does malicious code spread?
How can it be recognized?
How can it be stopped?

Trapdoor / backdoor

A feature in a program by which someone can access the program using special privilege.
e.g. an ATM that accepts the code 990099 to execute something.

Worm

Spreads copies of itself through a network.
A worm spreads through a network, a virus through other media.
It spreads itself as a stand-alone program.

How Viruses Attach?

(1) Appended Virus

[Figure: virus code placed in front of the original program]

A virus attaches itself to a program.
Whenever the program runs, the virus is activated.
A virus simply inserts a copy of itself into the program file before the first executable instruction, so that all the virus instructions are completely executed and then followed by the real program instructions.

How Viruses Attach?

(2) Viruses that surround a program

[Figure: virus code (part a), then the original program, then virus code (part b)]

This kind of virus runs the original program but has control before and after its execution.

(3) Integrated Viruses and Replacement

[Figure: original program plus virus code, giving a modified program]

A virus might replace some of its target, integrating itself into the original code of the target.
Finally, the virus can replace the entire target, either mimicking the effect of the target or ignoring the expected effect of the target and performing only the virus effect.

How Viruses Gain Control?

The virus (V) has to be invoked instead of the target (T).
The virus (V) either has to be seen to be T, saying effectively "I'm T", or the virus (V) has to push T out of the way and become a substitute for T, saying effectively "call me instead of T".

(1) Overwriting Target

[Figure A: before and after; V overwrites T and is invoked in its place]

(2) Changing Pointers

[Figure B: file directory and disk storage, before and after]

The virus changes the pointers in the file table so that V is located instead of T whenever T is accessed through the file system.

Home for Viruses

Boot Sector Viruses

A special case of virus attachment, but a fairly popular one.
When a computer is started, control starts with firmware that determines which hardware components are present, tests them, and transfers control to the OS.
The OS is software stored on disk. The OS has to start with code that copies it from disk to memory and transfers control to it, called the bootstrap load.
Booting: the firmware reads the boot sector (a fixed location on the hard disk) to a fixed location in memory and jumps to the address that contains the bootstrap loader.
The loader loads the OS into memory.
The boot sector on a PC is less than 512 bytes.
Chaining is used to support a big bootstrap.
This mechanism can be utilized for virus installation.
A virus writer can break the chain, point to the virus code, and reconnect the chain after the virus installation.
The advantage: the virus gains control early during the boot process, hiding in the boot area, which is not accessible to users.

[Figure, before infection: boot sector, bootstrap loader, system initialize, other sectors]
[Figure, after infection: boot sector, virus code, bootstrap loader, system initialize, other sectors]
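An added example, not from the lecture slides, of how a defender can detect the "break the chain, point to the virus code, reconnect the chain" trick described above: the boot chain is walked the way a loader would and every sector is compared with a known-good baseline. It assumes a constructed toy sector layout (a 2-byte pointer to the next sector, then payload) and constructed disk contents.

```python
import hashlib

SECTOR_SIZE = 512

def make_sector(next_sector: int, payload: bytes) -> bytes:
    """Toy sector layout (constructed for this example): a 2-byte little-endian
    pointer to the next sector of the bootstrap chain (0 = end of chain),
    then the payload, zero-padded to a full 512-byte sector."""
    assert len(payload) <= SECTOR_SIZE - 2
    return next_sector.to_bytes(2, "little") + payload.ljust(SECTOR_SIZE - 2, b"\x00")

def walk_chain(disk: dict, start: int = 0, limit: int = 64) -> list:
    """Follow the chain from the boot sector as the loader would; refuse loops."""
    chain, cur = [], start
    while True:
        if len(chain) >= limit or any(num == cur for num, _ in chain):
            raise ValueError(f"bootstrap chain loops or is too long at sector {cur}")
        sector = disk[cur]
        chain.append((cur, sector))
        cur = int.from_bytes(sector[:2], "little")
        if cur == 0:
            return chain

def chain_hashes(disk: dict) -> list:
    """SHA-256 of every sector in chain order: the known-good baseline."""
    return [hashlib.sha256(sec).hexdigest() for _, sec in walk_chain(disk)]

def check_boot_chain(disk: dict, baseline: list) -> list:
    """Sector numbers in the current chain whose contents are not in the baseline.
    A redirected pointer changes the boot sector's hash, and an inserted virus
    sector has no baseline hash at all, so both show up."""
    known = set(baseline)
    return [num for num, sec in walk_chain(disk)
            if hashlib.sha256(sec).hexdigest() not in known]

# Constructed clean disk: boot sector 0 -> loader part 1 (sector 1) -> part 2 (sector 2).
CLEAN_DISK = {
    0: make_sector(1, b"boot sector: load first loader chunk"),
    1: make_sector(2, b"bootstrap loader, part 1"),
    2: make_sector(0, b"bootstrap loader, part 2: system initialize"),
}
BASELINE = chain_hashes(CLEAN_DISK)

# Constructed infected disk: the boot sector now points at sector 7, which
# holds a stand-in for the virus stub and re-links to the original loader.
INFECTED_DISK = dict(CLEAN_DISK)
INFECTED_DISK[0] = make_sector(7, b"boot sector: load first loader chunk")
INFECTED_DISK[7] = make_sector(1, b"(constructed) virus stub, runs before the loader")
```

check_boot_chain(CLEAN_DISK, BASELINE) returns an empty list, while the infected disk reports sectors 0 and 7; a real check would read the sectors from the disk and keep the baseline on write-protected media, as the prevention slide advises.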

A virus can:

attach itself to the system files IO.SYS or MSDOS.SYS,
attach itself to any other program loaded because of an entry in CONFIG.SYS or AUTOEXEC.BAT, or
add an entry to CONFIG.SYS or AUTOEXEC.BAT to cause itself to be loaded.

Example: CIH virus, BRAIN virus


Other Homes for Viruses

Memory-Resident Viruses

Some parts of the OS or of a program execute, terminate and disappear, with their space in memory becoming available for anything executed later.
Frequently used code remains in special memory and is called resident code or TSR.
Virus writers also like to attach viruses to resident code because it is activated many times while the machine is running.
Each time the resident code runs, the virus does too.
Once activated, the virus can look for and infect an uninfected carrier.
The virus may target an uninfected diskette.

A popular home for viruses is an application program.
Word processors and spreadsheets have macros, with which users may record a series of commands and replay them with a single invocation.
A virus writer may create a startup macro that contains a virus.
It also embeds a copy of itself in data files so that the infection spreads to anyone receiving them.
Libraries are also excellent places for viruses, because they are used by many programs; the code in them therefore has a broad effect and is also shared between users.

Virus Signature

Virus code cannot be completely invisible.
Code must be in memory to be executed.
Viruses have their own characteristic behavior: a signature.

(1) Storage pattern - viruses that attach to programs that are stored on disk.

The attached virus piece is invariant, so that the start of the virus code becomes a detectable signature.
The attached portion may be small, with only a JUMP to the virus module.

(2) Execution Pattern

A virus writer may want a virus to do several things:
spread infection
avoid detection
cause harm

The harm that a virus can cause is unlimited:
do nothing
display a message on the screen
play music
erase a file or the entire disk
prevent booting
write on the hard disk

(3) Transmission pattern

A virus also has to have some means of transmission from one disk to another.
Viruses can travel during the boot process, with an executable file, or in data files.
Viruses travel during execution of an infected program.
Because a virus can execute any instruction a program can, virus travel is not confined to any single medium or execution pattern.

(4) Polymorphic Viruses

A polymorphic virus is a virus that can change its appearance.
Poly means many and morph means form.
To avoid detection, not every copy of a polymorphic virus has to differ from every other copy.
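An added example, not from the lecture slides, that ties the storage-pattern signature (the invariant start of the virus module, reached by a small JUMP) to the polymorphic case: a scanner that looks for a stored byte signature and, separately, flags an entry point that jumps into code appended at the end of the file. It assumes a constructed toy executable format (a 2-byte entry offset followed by code) and a constructed signature; the file images are constructed as well.

```python
# Toy executable image (constructed for this example): bytes 0-1 hold the
# little-endian offset of the first instruction to execute; the rest is code.
SIGNATURES = {
    # Invariant leading bytes of a (constructed) virus module; a real scanner
    # would load these from a signature database.
    "toy-appended-virus": b"\x60\x9c\xe8VX!",
}

def entry_point(image: bytes) -> int:
    return int.from_bytes(image[:2], "little")

def scan(image: bytes, tail_fraction: float = 0.25) -> list:
    """Storage-pattern check: look for each known signature anywhere in the
    file. Structural check: an entry point in the last quarter of the file
    suggests a JUMP to a module appended after the original code."""
    findings = []
    for name, sig in SIGNATURES.items():
        off = image.find(sig)
        if off != -1:
            findings.append(f"signature:{name}@{off}")
    ep = entry_point(image)
    if ep >= int(len(image) * (1 - tail_fraction)):
        findings.append(f"entry-point-near-end@{ep}")
    return findings

def build_image(entry: int, body: bytes) -> bytes:
    return entry.to_bytes(2, "little") + body

HEADER = 2
ORIGINAL_CODE = b"\x90" * 60          # constructed stand-in for a program's code

# Clean program: execution starts at the first code byte.
CLEAN = build_image(HEADER, ORIGINAL_CODE)

# Infected program: the module is appended and the entry point is redirected
# to it, so the module runs first and then the original code.
VIRUS_MODULE = SIGNATURES["toy-appended-virus"] + b"\xc3" * 10
INFECTED = build_image(HEADER + len(ORIGINAL_CODE), ORIGINAL_CODE + VIRUS_MODULE)

# Polymorphic copy: same layout, but the module bytes differ from the stored
# signature, so only the structural check catches it.
VARIANT_MODULE = b"\x61\x9d\xe9ZY?" + b"\xc2" * 10
VARIANT = build_image(HEADER + len(ORIGINAL_CODE), ORIGINAL_CODE + VARIANT_MODULE)
```

scan(INFECTED) reports both the signature and the entry point, scan(VARIANT) reports only the entry point, and scan(CLEAN) reports nothing; this is why a detector needs execution and structural patterns in addition to byte signatures.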

Preventing Viruses

Use only commercial software acquired from reliable, well-established vendors.
Test all new software on an isolated computer.
Make a bootable diskette and store it safely; write-protect it before booting from it.
Make and retain backup copies of executable system files.
Use virus detectors regularly.
Don't trust any source from outside until it has been tested first.
