1. A program that attaches itself to another executable (a host program) Whenever the host program...
Posted 19-Dec-2015 (Category: Documents)
1. Viruses and Worms
2. What Is a Virus?
- A program that attaches itself to another executable (a host program)
- Whenever the host program is executed, the virus code is run; it can make a copy of itself and infect other executables found in your memory or on your hard drive
- Viruses can do any damage they want on your computer
3. Viruses vs. Worms
- Viruses don’t break into your computer – they are invited by you
  o They cannot spread unless you run an infected application or click on an infected attachment
  o Early viruses spread onto different applications on your computer
  o Contemporary viruses spread as attachments through E-mail; they will mail themselves to people from your address book
- Worms break into your computer using some vulnerability, install malicious code and move on to other machines
  o You don’t have to do anything to make them spread
4. Viruses vs. Trojans
- Viruses attach themselves to other executables
  o For example, a Word template or a PowerPoint presentation
  o They can infect any executable
- Trojans claim to be other executables but instead contain malicious code
  o For example, a cool new game is advertised on the Web site but it also contains malicious code
  o Trojan code will not spread to other programs on your machine; it will simply gain access and do malicious stuff
5. Virus Types
- File infectors
  o Attach to executable files or source code
  o Direct action – selects and infects several programs each time the host program is run
  o Resident – load themselves into memory whenever a host program is run and then remain in memory, infecting any other executable that is executed
- System (boot-sector) infectors
  o Infect some system area on disk, load themselves on boot and then remain memory-resident
- Hybrid
  o Infect both files and boot sectors
6. Virus Types
- File system (cluster)
  o Modify directory table entries so that the virus code is loaded and executed before the host program
  o The host program is not altered, only the directory table is
- Kernel
  o Target specific features of system files such as location on disk, calling convention etc.
7. Virus Types
- Stealth
  o Like rootkits
  o Hide the fact that they have infected the system by modifying replies to system queries
  o Must be resident
  o Can only be detected if we boot the system from a clean bootable floppy or CD
- Polymorphic
  o Change virus code to avoid signature detection
  o Encrypt themselves with a variable key – decryption code is always the same
  o Use different encryption schemes
8. Virus Types
- Fast infectors
  o Infect not only those files that are executed but also those that are merely opened (e.g. by a virus scanner)
- Slow infectors
  o Only infect modified or newly created files – fools integrity checkers
- Sparse infectors
  o Infect infrequently (e.g. each 10th file) to avoid detection
9. Virus Types
- Companions
  o Create a new file with a similar name to the host program
  o When the host program is called, the virus is executed instead
  o The virus calls the host program in the end
  o This fools integrity checkers that only look at existing files
10. Virus Types
- Cavities
  o Overwrite part of the host program that is filled with a constant
  o Do not increase the length of the host program and preserve its functionality
- Tunneling
  o Some viruses modify interrupt vectors
  o Tunneling viruses call interrupt handlers directly
11. How Do Viruses Spread?
- You receive an infected E-mail attachment
- You download infected code
- Your thumb drive gets infected
12. What Can Viruses Do?
- Wipe your hard drive
- Modify or delete files
- Steal files
- Spread further
- They frequently delay any malicious actions until they have spread sufficiently
13. Indicators of Virus Infection
- Changes in file sizes or checksums
- Unaccounted resource consumption
- Changes of interrupt vectors
- The best detection would be to analyze all files on your system for modifications – impractical
14. Virus Detection Systems
- Activity monitoring systems (anomaly detection)
  o Look for virus-like activity such as attempts to reformat the disk
  o May generate false positives
- Scanners (signature detection)
  o Look for patterns in virus code
    - Use a database of known virus signatures
    - Detect polymorphic variations
  o Sometimes they use heuristics to detect new virus signatures
  o Most scanners also include disinfection code
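An added example (not from the slides) tying the polymorphic virus of slide 7 to the scanner of slide 14: each variant keeps the same decryptor and stores its body under a fresh XOR key, so a signature taken from the body matches only the unencrypted variant, while a signature on the constant decryptor matches every variant, and a scanner that undoes the known decryptor's transform recovers the body signature as well. All byte strings, names and the one-byte XOR scheme are constructed stand-ins, not any real sample or product.

```python
# Constructed, inert stand-ins: a 'decryptor' marker that stays constant across variants
# and a 'body' that each variant stores XOR-encoded under a different one-byte key.
DECRYPTOR_STUB = b"STUB:constant-decryptor-bytes"
PLAIN_BODY = b"BODY:constructed-inert-payload-text"

# Hypothetical signature database: a slice of the body and a slice of the decryptor.
SIGNATURES = {"body-signature": PLAIN_BODY[:14], "decryptor-signature": DECRYPTOR_STUB[:14]}


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_variant(key: int) -> bytes:
    """A variant as slide 7 describes it: same decryptor, body encrypted under a variable key."""
    return DECRYPTOR_STUB + bytes([key]) + xor_bytes(PLAIN_BODY, key)


def scan(sample: bytes, signatures: dict) -> list:
    """Plain signature scanner: report every named byte pattern present in the sample."""
    return sorted(name for name, pattern in signatures.items() if pattern in sample)


def scan_decrypted(sample: bytes, signatures: dict) -> list:
    """What 'detect polymorphic variations' (slide 14) amounts to here: recognise the constant
    decryptor, undo its transform on the bytes that follow, and scan the recovered body too."""
    hits = set(scan(sample, signatures))
    idx = sample.find(DECRYPTOR_STUB)
    if idx != -1:
        key_pos = idx + len(DECRYPTOR_STUB)
        hits.update(scan(xor_bytes(sample[key_pos + 1:], sample[key_pos]), signatures))
    return sorted(hits)


def demo(keys=(0x00, 0x5A, 0xA7)) -> dict:
    """For each key: (plain scan hits, decrypting scan hits) on that variant."""
    results = {}
    for k in keys:
        sample = make_variant(k)
        results[k] = (scan(sample, SIGNATURES), scan_decrypted(sample, SIGNATURES))
    return results


if __name__ == "__main__":
    for key, (plain, decrypted) in demo().items():
        print(f"key={key:#04x} plain scan={plain} decrypting scan={decrypted}")
```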
15. Virus Detection Systems
- Integrity checkers
  o Remember file hashes
  o Detect file modifications
16. Virus Detection Systems
- Usually resident
- Sometimes can even be added to the boot sector to detect boot sector viruses
- Some virus detection systems will prohibit access to external drives unless they have been scanned before
17. Virus Detection Hardware
- Defines non-writable areas of the disk for executable files
- Sounds an alarm and/or requires a password in order to modify these areas
- Might be annoying and generate false alarms
18. Virus Removal
- Identify which files have been modified
  o Virus scanners will do this
- Restore the last known good copy of these files from your backup
- It is not necessary to re-format the disk
- Some virus scanners can disinfect files – remove the virus code
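An added example (not from the slides) of the integrity checker of slide 15 doing the first step of slide 18, identifying which files changed: it records size and SHA-256 for every file as a baseline, then classifies each difference as modified, missing or new. It also reports files absent from the baseline, which is what catches the companion virus of slide 9. The directory tree, file names and "infection" are constructed inert text files.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so a large executable never has to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> dict:
    """Record (size, SHA-256) for every regular file under root: the 'last known good' state."""
    return {p.relative_to(root).as_posix(): (p.stat().st_size, file_digest(p))
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree with the baseline. Size alone would miss a cavity infector (slide 10),
    which keeps the length unchanged; the hash catches it."""
    current = take_baseline(root)
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in current),
        # Files the baseline never saw are reported too; a companion virus shows up here.
        "new": sorted(n for n in current if n not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tree of inert text files, then simulate the traces a
    file infector and a companion virus would leave, and verify against the baseline."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "editor.exe").write_bytes(b"constructed host program")
        (root / "bin" / "viewer.exe").write_bytes(b"another constructed host program")
        baseline = take_baseline(root)
        # File infector: bytes appended to the host, so size and checksum change (slide 13).
        (root / "bin" / "editor.exe").write_bytes(b"constructed host program" + b"APPENDED-BYTES")
        # Companion (slide 9): a similarly named new file appears; the host itself is untouched.
        (root / "bin" / "viewer.com").write_bytes(b"constructed companion")
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The check is only as good as the baseline: it must be taken before the infection, and a slow infector (slide 8) relies on you re-baselining right after it has modified a file you legitimately updated.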
19. Can a Virus Infect Data Files?
- Yes, but it will never be executed because data files do not contain executable code
- A virus can be hidden in .gif and .jpeg files using steganography but it has to be extracted and run by an executable
20. Can a Virus Spread To Other OS?
- No, a virus contains OS-specific code
  o You may receive a virus on another OS but it won’t run and therefore won’t spread
  o How about worms?
21. Can a Virus Infect Mainframe Computers?
- Yes, but it’s harder
  o Mainframe computers have write protections among users so a virus can only infect user A’s files
  o However, if user A sends his file to user B then B’s files also get infected
  o If a virus is placed in a shared area then all users’ files may get infected
  o Mainframe computers are generally better maintained and it is hard to write a good mainframe virus – only a few exist so far
22. How About Self-Checking Code?
- Add integrity-checking code to every file so that it checks whether it is infected every time it is run
- If the file is infected, the virus will be executed first
- It can also fiddle with the integrity-checking code and disable it
- Ineffective against companion viruses
23. Why Are Viruses Perceived As Harmful?
- They spread beyond our control – there is no way to stop the spread of a virus that you release
- It is hard to distinguish between viruses and benign code
- They eat resources
- They may do malicious things
- They may disable self-checking programs
- They may infect cyber-physical systems and do irreparable damage
24. How About Good Viruses?
- People have toyed with the idea of useful viruses but this has not been accepted
  o The virus idea simply seems too dangerous
  o Good virus code may be buggy and thus vulnerable
  o A good virus could ask for permission to infect the system – imagine this scenario on a hospital computer
  o Bad virus code could be attached to a good virus to slip detection
  o Legal issues might arise
  o People don’t like the idea that someone takes control over their computer
25. What Would Good Viruses Do?
- Detect viruses and fix infected files
- Compress files and decompress them at run time
- Encrypt the hard drive and require a user password for decryption
- Maintain machines, e.g. delete temporary files – come by invitation
- People haven’t been able to come up with a controlled way to plant a good virus
  o Asking for acceptance wastes (maybe precious) time
  o Checking for invitation wastes resources
- People haven’t come up with a compelling use of a good virus
26. What is a Worm?
- A program that:
  o Scans the network for vulnerable machines
  o Breaks into machines by exploiting the vulnerability
  o Installs some piece of malicious code – backdoor, DDoS tool
  o Moves on
- Unlike viruses
  o Worms don’t need any user action to spread – they spread silently and on their own
  o Worms don’t attach themselves onto other programs – they exist as separate code in memory
- Sometimes you may not even know your machine has been infected by a worm
27. Why Are Worms Dangerous?
- They spread extremely fast
- They are silent
- Once they are out, they cannot be recalled
- They usually install malicious code
- They clog the network
28. First Worm Ever – Morris Worm
- Robert Morris, a PhD student at Cornell, was interested in network security
- He created the first worm, in Nov. 1988, with the goal of having a program live on the Internet
  o The worm was supposed only to spread, fairly slowly
  o It was supposed to take just a little bit of resources so as not to draw attention to itself
  o But things went wrong …
- The worm was supposed to avoid duplicate copies by asking a computer whether it is infected
  o To avoid false “yes” answers, it was programmed to duplicate itself every 7th time it received a “yes” answer
  o This turned out to be too much
29. First Worm Ever – Morris Worm
- It exploited four vulnerabilities to break in
  o A bug in sendmail
  o A bug in the finger daemon
  o A trusted hosts feature (/etc/.rhosts)
  o Password guessing
- The worm was replicating at a much faster rate than anticipated
- At that time the Internet was small and homogeneous (SUN and VAX workstations running BSD UNIX)
- It infected around 6,000 computers, one tenth of the then-Internet, in a day
30. First Worm Ever – Morris Worm
- People quickly devised patches and distributed them (the Internet was small then)
- A week later all systems were patched and the worm code was removed from most of them
- No lasting damage was caused
- Robert Morris paid a $10,000 fine, was placed on probation and did some community work
- The worm exposed not only vulnerabilities in UNIX but moreover in Internet organization
- Users didn’t know whom to contact to report an infection, or where to look for patches
31. First Worm Ever – Morris Worm
- In response to the Morris Worm, DARPA formed CERT (Computer Emergency Response Team) in November 1988
  o Users report incidents and get help in handling them from CERT
  o CERT publishes security advisory notes informing users of new vulnerabilities that need to be patched and how to patch them
  o CERT facilitates security discussions and advocates better system management practices