Malicious Code
By Diana Peng
What is Malicious Code?
Unanticipated or undesired effects in programs/program parts, caused by an agent with damaging intentions
Uses our everyday programs as a vessel to access and change stored data
Viruses, Worms, Trojan Horses
Unpredictable Behavior
Behaves in the same manner as any other program
Has the ability to stop running programs, generate a sound, erase stored data, etc.
Has the ability to remain dormant until some event triggers the code to act
History of Malicious Code
1981 Elk Cloner – spread on Apple II floppy disks (containing the OS) originating from Texas A&M:
It will get on all your disks
It will infiltrate your chips
Yes it's Cloner!
It will stick to you like glue
It will modify ram too
Send in the Cloner!
1983 – Fred Cohen, Computer Viruses – Theory and Experiments
1986 Brain – 2 Pakistani brothers analyzing the boot sector of a floppy disk develop a method to infect it. Spread quickly and widely on MS-DOS PC systems.
History (cont.)
1987 IBM Christmas Worm – fast spreading, 500,000 replications per hour
1988 MacMag – Hypercard stack virus
Scores – 1st major Mac outbreak
1991 Tequila – polymorphic, originated in Switzerland and changed itself to avoid detection
More recently – Love Letter (2000), Blaster and SoBig (2003)
Definitions
Virus – a program that can pass on malicious code to other nonmalicious programs by modifying them
1. Transient – life is dependent on host
2. Resident – stores itself in memory and acts as a stand-alone program
Trojan Horse – contains obvious malicious intent and a 2nd unseen effect
Definitions (cont.)
Logic Bomb – “detonates” when a specified condition occurs
* Time Bomb – triggered by a time/date
Trapdoor/Backdoor – allows one to access a protected program through an indirect method
Worm – program that replicates itself and spreads those replications through a network
* Rabbit – spreads w/out limits and tries to exhaust the computer’s resources
Virus Qualities
Easily created
Difficult to detect
Difficult to destroy or deactivate
Spreads intended infection widely
Ability to re-infect original program or other programs
Machine and OS independent
Attaching Viruses
Must be executed in order to be activated
Human intervention is key for initial activation
Email attachments
Once attached, the virus installs itself on a permanent storage medium and on any/all executing programs in memory
Appended Viruses
Most common attachment – easy to program and effective
Attaches to an existing program and is activated whenever the program is running
Virus instructions execute 1st; after the last virus instruction, control is given back to the 1st program instruction
User is unaware of virus – original program still runs the way it’s intended
Appended Virus (cont.)
[Figure: Program + Virus = Program followed by the appended Virus code]
Surrounding Viruses
To avoid detection on the disk, the virus will attach itself to the program constructing the listing of files on the disk
The virus has control after the listing is generated and before it is displayed, so it can delete itself from the listing
Surrounding Virus (cont.)
[Figure: Program + Virus = Virus code placed both before and after the Program]
Integrated Viruses
Virus will replace the program and integrate itself into the original code
Requires the creator of the virus to know the original program in order to insert pieces of the virus into it
Replacement – the virus replaces the entire program with itself; user will only see the performance of the virus
Integrated Viruses (cont.)
[Figure: Program + Virus = Program with Virus code integrated into it]
Document Virus
Implemented inside a formatted document (ex. Word document, database, spreadsheet, etc.)
Highly structured files containing both data and commands
Command codes are a part of a rich programming language
Gaining Control
The virus program must be activated in place of the original program
Presents itself as the original program
Substitutes the original program by pushing the original one out of the way
Overwriting – the virus replaces the original code in a file structure
Pointer Changing – directs the file system to itself and skips the original code
One-Time Execution
Majority of viruses today
Activated and executed only once
Email attachments
Boot Sector Viruses
Gains control early in the boot process before detection tools are active
Boot area is crucial to the OS and is usually kept hidden from the user to avoid modification/deletion
Virus code is difficult to notice
Memory Resident Viruses
Resident code – code that is frequently used by the OS and has a permanent space in memory
Resident code is activated many times and simultaneously activates the virus each time
Ability to look for and infect uninfected carriers
Virus Signatures
Cannot be completely invisible
Code is stored on computer and must be in memory to execute
Signature – the pattern the virus executes and the method it uses to spread
Virus Scanner
– detects virus signatures by searching memory & long-term storage, and monitors execution
– must be kept up-to-date to be effective
Storage Patterns
Most viruses attach to programs stored on disks – file size grows
Attachment is usually invariant and the start of the virus code is detectable (Appended Attachment)
JUMP instruction (Surrounding Attachment)
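As an added illustration of the signature and storage-pattern checks described above (example code written for this page, not part of the original slides): a toy scanner that searches file contents for known byte signatures and compares a file's size and hash against a known-clean baseline. All signature patterns and file bytes below are constructed for the example.

```python
# Added example: toy signature scanner plus baseline integrity check.
# The signature database and the "program" bytes are constructed, not real.
import hashlib

# Constructed signature database: name -> invariant byte pattern. A real
# scanner's database is what "must be kept up-to-date to be effective".
SIGNATURES = {
    "demo-appended": b"DEMO_APPENDED_MARKER",
    "demo-surround": b"DEMO_SURROUND_MARKER",
}


def scan_for_signatures(data: bytes) -> list:
    """Return (name, offset) for every known signature found in data.
    The offset shows where the (invariant) start of the attachment sits."""
    hits = []
    for name, pattern in SIGNATURES.items():
        offset = data.find(pattern)
        if offset != -1:
            hits.append((name, offset))
    return hits


def baseline(data: bytes) -> dict:
    """Record size and hash of a known-clean program for later comparison."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def check_against_baseline(data: bytes, base: dict) -> list:
    """Flag the storage-pattern symptoms the slides name: the file grew
    (appended attachment) and its contents no longer match the baseline."""
    findings = []
    if len(data) > base["size"]:
        findings.append(f"file grew by {len(data) - base['size']} bytes")
    if hashlib.sha256(data).hexdigest() != base["sha256"]:
        findings.append("content hash differs from baseline")
    return findings


# Constructed sample "program" and an appended-attachment version of it.
CLEAN_PROGRAM = b"HEADER" + b"ORIGINAL PROGRAM BODY"
APPENDED = CLEAN_PROGRAM + b"DEMO_APPENDED_MARKER" + b"...attachment..."

if __name__ == "__main__":
    base = baseline(CLEAN_PROGRAM)
    print(scan_for_signatures(APPENDED), check_against_baseline(APPENDED, base))
```

The signature hit lands at the end of the original program, which is exactly where the "file size grows" symptom and the detectable start of the virus code coincide.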
Execution Patterns
Spread infection
Avoid detection – Boot Sector
Cause harm – erasing files/disks, preventing booting/writing to disk, shutting down, etc.
Transmission Patterns
Virus is only effective if it has the ability to transmit itself from location to location
Virus execution behaves just like any other program execution, and its form of transmission is not confined to one medium.