Stephen S. Yau, CSE 465-591, Fall 2006

Transcript of the lecture slides "Viruses" (document posted 18-Dec-2015)

Page 1: Viruses

Page 2: Taxonomy of Malicious Programs

Malicious programs divide into two groups:

Needs host program: Trap doors, Logic bombs, Trojan horses, Viruses
Independent: Worms, Zombies

Of these, viruses and worms replicate; the others do not.

Page 3: Definitions

Trap Doors (also called Back Doors): Holes in the security of a system deliberately left in place by designers or maintainers for privileged access.

Example: Some operating systems have privileged accounts for use by field service technicians or maintenance programmers. In Unix-style operating systems, root is the conventional name of the user who has all rights or permissions in all modes (single- or multi-user). Alternative names include baron and avatar on some Unix variants. BSD often provides a toor ("root" backwards) account in addition to the root account. The root user can make many changes an ordinary user cannot, such as changing the ownership of files and binding to ports numbered below 1024. Any additional uid-0 account that nobody can account for should be treated as a possible back door.
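A practical check for the kind of trap door this slide describes, added here as an example and not part of the original slides: list every account with uid 0 in the password file and flag those that are not on an explicit allow-list. The passwd contents below are constructed for the demonstration; the svc_maint account plays the planted back door, and toor is shown so that a deliberate BSD-style second superuser has to be allow-listed consciously rather than ignored.

```python
"""Audit a passwd file for extra uid-0 accounts (added example, not from the slides)."""
from typing import Dict, List

# Constructed sample passwd text: 'svc_maint' is the planted back door, 'toor' is
# the legitimate BSD-style second superuser that an auditor must decide about.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:Bourne-again Superuser:/root:/bin/sh
svc_maint:x:0:0:field service:/var/tmp:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


def parse_passwd(text: str) -> Dict[str, int]:
    """Map account name -> numeric uid, skipping blank, comment and malformed lines."""
    uids: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry; a real audit would report it separately
        name, uid = fields[0], fields[2]
        if uid.isdigit():
            uids[name] = int(uid)
    return uids


def find_uid0_accounts(text: str) -> List[str]:
    """All accounts that resolve to uid 0, i.e. full superuser rights."""
    return sorted(name for name, uid in parse_passwd(text).items() if uid == 0)


def unexpected_superusers(text: str, allowed=("root",)) -> List[str]:
    """Every uid-0 account that is not on the explicit allow-list."""
    return [name for name in find_uid0_accounts(text) if name not in allowed]


if __name__ == "__main__":
    print("uid 0 accounts:", find_uid0_accounts(SAMPLE_PASSWD))
    print("not allow-listed:", unexpected_superusers(SAMPLE_PASSWD))
```

On a real host run the same logic over /etc/passwd (and, where NIS or LDAP is in use, over the merged account database), and treat the allow-list as something that has to be signed off, not guessed.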

Page 4: Definitions (cont.)

Logic Bombs: Code surreptitiously inserted into an application program or operating system to perform some destructive or security-compromising activity whenever specified conditions are met.

Example: Timothy Allen Lloyd, a former chief computer network program designer at Omega Engineering Corp., a New Jersey-based manufacturer of high-tech measurement and control instruments used by NASA and the U.S. Navy, planted a "logic bomb" that went off 20 days after his dismissal and deleted all of the company's design and production programs, at a cost put at $10 million. He was charged in 1998 and later sentenced to 41 months in prison.

Page 5: Definitions (cont.)

Trojan horse: Malicious, security-breaking program disguised as something benign, such as directory listing software, archiving software, a game, or software to find and destroy viruses. A Trojan horse often serves the same end as a back door: it gives the attacker access that the system's owner never granted.

Virus: Program or piece of code that infects one or more other programs by modifying them; the modification includes a copy of the virus program, which can then infect other programs. Victim programs become Trojan horses, since they still appear benign. The embedded virus is executed together with the program, propagating the "infection". Normally invisible to the user.

T1: ch19.2, 19.3; T2: ch22.2, 22.3

Page 6: Examples

The Win95/Marburg virus got widespread circulation in August 1998, when it was included on the master CD of the popular MGM/EA PC CD-ROM game "Wargames". The CD contains one file infected by the Marburg virus: \EREG\EREG32.EXE

A single infected executable on pressed media is a supply-chain compromise: once the master is cut, every customer receives the infection, so the scan has to happen before mastering, not after.

Page 7: Definitions (cont.)

Worm: Program that propagates and reproduces itself as it goes over a network. Usually a negative term, since most worms are written by crackers, although (as noted later in these slides) a worm can be put to non-malicious use.

Crackers: a person who engages in illegal or unethical circumvention of computer security systems.

Zombie: In this taxonomy, a program that secretly takes over another Internet-attached computer and uses it to launch attacks (for example, flooding a target) that are hard to trace back to the zombie's creator. (The Unix process sense of "zombie", a terminated process whose parent has not yet collected its exit status and which survives only as a process table entry consuming no other resources, is a different thing.)

T1: ch19.4; T2: ch22.4

Page 8: Structure of a Virus

Viruses have the following parts:

"engine" - code that enables the virus to propagate
"payload" - set of instructions that defines the action (frequently destructive) which the virus performs. Not all viruses have payloads, and not all payloads cause harm.

Viruses need:

"host" - the particular hardware and software environment on which the virus can run
"trigger" - the event that starts the virus running

Eugene Kaspersky, "Computer Viruses", Kaspersky Lab, Moscow, 2001
http://www.viruslist.com/eng/viruslistbooks.html

Page 9: Types of Viruses

Boot Viruses (boot sector infectors)

Infect the boot sector of a floppy disk and the boot sector or Master Boot Record (MBR) of a hard disk.

Upon boot up, the virus forces the system to read the virus code into memory and pass control to it, not to the original loader routine. The virus typically runs first and then chains to the original loader, which it has stashed elsewhere on the disk, so the machine appears to boot normally.

A resident virus in RAM will continue to infect the disk after the disk is formatted, unless the RAM is cleared (that is, the machine is powered off and booted from clean, write-protected media).

T1: ch19.3.1; T2: ch22.3.1
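Added example, not from the slides: the check a practitioner runs against a saved sector image to notice a boot-sector infector. It verifies the 0x55AA boot signature at offset 510 and compares a SHA-256 of the 440-byte boot-code region against a baseline recorded when the disk was known to be clean. The sectors below are constructed (a made-up loader, a zeroed disk id and partition table); the baseline hash is computed from that constructed clean sector, which is an assumption of the demo, not a value from any real disk.

```python
"""MBR integrity check (added example; the sector contents are constructed)."""
import hashlib
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # classic MBR layout: bytes 0..439 hold the boot code
SIG_OFFSET = 510             # bytes 510..511 hold the boot signature 55 AA
BOOT_SIGNATURE = b"\x55\xaa"


def make_sector(boot_code: bytes) -> bytes:
    """Constructed MBR: given boot code, zeroed disk id and partition table, valid signature."""
    code = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    return code + b"\x00" * (SIG_OFFSET - BOOT_CODE_LEN) + BOOT_SIGNATURE


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 over the boot-code region only; the partition table may change legitimately."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> Dict[str, object]:
    """Report structural problems and any drift of the boot code from the baseline."""
    issues: List[str] = []
    if len(sector) != SECTOR_SIZE:
        issues.append("sector is not 512 bytes")
    elif sector[SIG_OFFSET:] != BOOT_SIGNATURE:
        issues.append("boot signature 55AA missing")
    if boot_code_hash(sector) != baseline_hash:
        issues.append("boot code differs from baseline")
    return {"ok": not issues, "issues": issues}


# Constructed clean loader: cli; xor ax,ax; mov ss,ax; mov sp,7C00h; then NOP padding.
CLEAN_LOADER = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40
CLEAN = make_sector(CLEAN_LOADER)
BASELINE = boot_code_hash(CLEAN)          # recorded while the disk was known clean (assumed)

# Constructed infected copy: a short jump (EB 30) over the preserved loader into
# made-up "virus" bytes, so the virus gets control first and can chain to the loader.
INFECTED = make_sector(b"\xeb\x30" + CLEAN_LOADER + b"VIRUS-BODY")

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN, BASELINE))
    print("infected:", check_mbr(INFECTED, BASELINE))
```

Take the sector image from trusted media (a clean boot from write-protected tools), because a resident stealth virus can hand back the original sector to any read performed on the infected system, and the check would then pass.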

Page 10: Types of Viruses (cont.)

File Viruses

Use the OS file system in one way or another to propagate themselves. No OS is immune. May infect files containing program source code, libraries or object modules, not only finished executables.

Page 11: Types of Viruses (cont.)

Macro Viruses

Written in the macro languages built into some data-processing systems, such as text editors and electronic spreadsheets. Most common in Microsoft Word, Microsoft Excel and Office generally, due to their extensive use of macro languages (and because a document, unlike an executable, is routinely exchanged and opened without suspicion).

T1: ch19.3.8; T2: ch22.3.8

Page 12: Types of Viruses (cont.)

Polymorphic Viruses

Change their own form each time they insert themselves into another program. Can be of various kinds, such as boot, file or macro viruses. Cannot be detected, or only with great difficulty, using so-called virus masks (fixed byte patterns taken from non-changing, virus-specific code), because no fixed byte sequence survives from one copy to the next.

Generated in two ways:
- By encrypting the main code of the virus with a non-constant encryption key and emitting a different random set of decryption instructions for each copy.
- By a mutation engine that rewrites the code of an existing virus.

T1: ch19.3.7; T2: ch22.3.7

Page 13: Types of Viruses (cont.)

Stealth Viruses

Cover or hide their presence in the system, typically by intercepting the system calls that would reveal them (directory listings, file size queries, sector reads) and returning what the uninfected object would have shown. Can take the form of an existing file format. Can reside inside a frequently used application.

T1: ch19.3.5; T2: ch22.3.5

Page 14: Types of Viruses (cont.)

Memory Resident Viruses

Also called Terminate and Stay Resident (TSR). Leave a copy of the virus in system memory, intercept some events (such as file or disk calls), and run the infecting routines on the files and disk sectors those events touch. Active not only when an infected program runs, but also after that program terminates.

Page 15: Types of Viruses (cont.)

Network Viruses

Have characteristics of both viruses and worms. Make extensive use of network protocols and the capabilities of local and global access networks to multiply and transfer the virus's code to a remote server or workstation automatically. Sometimes called Network Worms.

Page 16: Network Viruses vs. Worms

All network viruses are worms; not all worms are network viruses. A worm can infect other computers for a non-malicious purpose.

Examples:
- A worm can be used to install automatic software updates across a very large network.
- A worm can be used to send mass e-mail and disseminate announcements in a large organization.

Page 17: Virus Infecting Mechanisms

Unlike a worm, a virus cannot infect other computers without assistance. It is propagated by interactions, such as humans trading programs with their friends. A virus may do nothing but propagate itself and then allow the host program to run normally.

Page 18: Nature of Viruses

Four phases in the lifetime of a virus: Dormant Phase, Propagation Phase, Triggering Phase, Execution Phase.

Page 19: Dormant Phase

The virus is idle. It is eventually activated by some condition or event, such as the system date, the presence of another program or file, or current disk usage exceeding some limit. Not all viruses have this phase.

Page 20: Propagation Phase

The virus places an identical copy of itself into other programs or into certain system areas of the disk. Each infected program becomes a virus, which will in turn enter a propagation phase.

Page 21: Triggering Phase

The virus is activated by an event or condition to perform the function for which it was intended. The trigger can be any of a variety of events or conditions, for example the number of times this copy of the virus has made copies of itself.

Page 22: Execution Phase

The virus function is performed. The function may be:
- Harmless but annoying. Examples: a message on the screen, distorted windows, or harmless spam.
- Harmful. Examples: destruction of programs or files, or deletion of important or sensitive data.

Page 23: Antivirus

Antivirus Software: programs to detect and remove viruses.
- Simplest: scans executable files and boot blocks for a list of known viruses.
- Others: constantly active, attempting to detect the actions of general classes of viruses.
- Includes a regular update service allowing the antivirus software to keep up with the latest viruses as they are released.

Page 24: Antivirus Terminology

False Positive: an uninfected object (file, sector or system memory) triggers the antivirus program.
False Negative: an infected object arrives undetected.
On-demand Scanning: a virus scan starts upon user request; the antivirus program remains inactive until a user invokes it from a command line, batch file or system scheduler.
On-the-fly Scanning: all objects processed in any way (opened, closed, created, read from or written to, etc.) are constantly checked for viruses; the antivirus program is always active, memory resident, and checks objects without a user request.

Page 25: Generations of Antivirus

First: Simple scanners
- Require a virus signature to identify a virus. A virus signature is a unique string or binary pattern of a virus, used to detect and identify specific viruses, e.g. "Istanbul-turkey".
- Limited to detection of known viruses.

Second: Heuristic scanners
- Use heuristic rules to search for probable virus infection.
- Look for fragments of code that are often associated with viruses (for example a self-decryption loop, matched with a wildcard pattern that tolerates junk instructions between the fixed bytes).
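Added example, not from the slides, that demonstrates this slide together with the polymorphism slide (Page 12): a first-generation fixed-string signature catches the virus body when it is stored in clear; a polymorphic copy, whose body is XOR-encrypted with a per-copy key behind a decryptor loop padded with random junk, defeats it; a second-generation wildcard mask on the decryptor still fires; and decrypting what sits behind the mask (the generic-decryption approach) recovers the plain signature. The virus body, the signature name and the decryptor layout are constructed for the demo. The decryptor's fixed bytes are real 16-bit x86 encodings (mov al,imm8; xor [bx],al; inc bx; loop) so that the mask is realistic, but the bytes are never executed and this is not a working virus.

```python
"""Signature scan vs polymorphism vs heuristic mask (added example; all data constructed)."""
import random
import re
from typing import Dict, List

# Constructed virus body and the fixed-string signature a first-generation scanner keeps for it.
BODY = b"[toy virus body] overwrite boot sector; display greeting; find next host"
SIGNATURES: Dict[str, bytes] = {"toy/plain": b"overwrite boot sector"}

# Second-generation wildcard mask for the decryptor loop. Fixed bytes are real
# 16-bit x86 encodings: B0 ib (mov al, key), 30 07 (xor [bx], al), 43 (inc bx),
# E2 rel8 (loop). Up to four NOPs (90) of junk may sit between them.
DECRYPTOR_MASK = re.compile(
    rb"\xb0(.)\x90{0,4}\x30\x07\x90{0,4}\x43\x90{0,4}\xe2.", re.DOTALL)


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def polymorphic_copy(body: bytes, rng: random.Random) -> bytes:
    """One copy: randomly padded decryptor stub, then the body XORed with a fresh key."""
    key = rng.randrange(1, 256)                    # never 0, which would leave the body in clear
    junk = lambda: b"\x90" * rng.randrange(0, 5)   # random junk between the real instructions
    stub = (b"\xb0" + bytes([key]) + junk()
            + b"\x30\x07" + junk()
            + b"\x43" + junk()
            + b"\xe2" + bytes([rng.randrange(0, 256)]))
    return stub + xor_bytes(body, key)


def sample_copies(n: int, seed: int = 2006) -> List[bytes]:
    """Deterministic batch of polymorphic copies for demonstration and testing."""
    rng = random.Random(seed)
    return [polymorphic_copy(BODY, rng) for _ in range(n)]


def signature_scan(sample: bytes, sigs: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """First generation: exact byte-string match against known signatures."""
    return [name for name, sig in sigs.items() if sig in sample]


def heuristic_scan(sample: bytes) -> List[str]:
    """Second generation: flag a code fragment typical of viruses, here a self-decrypting loop."""
    return ["heuristic/xor-decryptor-loop"] if DECRYPTOR_MASK.search(sample) else []


def decrypt_then_scan(sample: bytes) -> List[str]:
    """Locate the stub with the mask, recover the key, decrypt the body, apply plain signatures."""
    m = DECRYPTOR_MASK.search(sample)
    if not m:
        return []
    key = m.group(1)[0]
    return signature_scan(xor_bytes(sample[m.end():], key))


if __name__ == "__main__":
    print("plain body, signature scan:", signature_scan(BODY))
    for c in sample_copies(3):
        print(c[:12].hex(), signature_scan(c), heuristic_scan(c), decrypt_then_scan(c))
```

The heuristic has the cost the next slide's terminology warns about: any legitimate packer or self-decompressing program with a similar loop also matches the mask, so a heuristic hit is a reason to look closer, not a verdict on its own.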

Page 26: Generations of Antivirus (cont.)

Third: Activity traps
- Identify a virus by the virus's actions (trap malicious activities) rather than by the structure of the infected program.
- No need to develop signatures and heuristics for a wide variety of viruses.
- Need to identify the set of actions that indicates an infection is being attempted, and then to intervene. Where the threshold is set decides the false-positive rate: a legitimate installer also writes executables.
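Added example, not from the slides: a toy activity trap that judges processes by what they do to a stream of events rather than by byte patterns. It alerts when a process rewrites the boot sector, or when it modifies two or more distinct executables, and the threshold parameter makes the false-positive trade-off visible. The event log and its key=value format are constructed for the demo; no real product's log format is implied.

```python
"""Toy activity trap, third-generation style (added example; events are constructed)."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed event stream; the key=value format is an assumption for the demo.
EVENTS = r"""
pid=101 proc=editor.exe op=open path=C:\docs\notes.txt mode=w
pid=101 proc=editor.exe op=write path=C:\docs\notes.txt
pid=202 proc=game.exe op=open path=C:\bin\calc.exe mode=rw
pid=202 proc=game.exe op=write path=C:\bin\calc.exe
pid=202 proc=game.exe op=open path=C:\bin\word.exe mode=rw
pid=202 proc=game.exe op=write path=C:\bin\word.exe
pid=303 proc=setup.exe op=rawwrite device=\\.\PhysicalDrive0 sector=0
pid=404 proc=installer.exe op=write path=C:\bin\newtool.exe
"""

EXEC_SUFFIXES = (".exe", ".com", ".dll", ".sys")


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v k=v ...' into a dict; values never contain spaces in this format."""
    ev: Dict[str, str] = {}
    for token in line.split():
        key, _, value = token.partition("=")
        ev[key] = value
    return ev


def activity_trap(log_text: str, exe_threshold: int = 2) -> List[Tuple[int, str, str]]:
    """Return (pid, process, reason) alerts in the order the trap would fire."""
    exes_written = defaultdict(set)   # pid -> distinct executables it has modified
    fired = set()                     # (pid, rule) pairs already alerted, so each fires once
    alerts: List[Tuple[int, str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        pid, proc, op = int(ev["pid"]), ev.get("proc", "?"), ev.get("op")
        if op == "rawwrite" and ev.get("sector") == "0":
            # Rule 1: rewriting sector 0 at run time is what a boot-sector infector does;
            # legitimate writers (partitioning tools, OS installers) are rare enough to
            # alert on every time and let a human clear them.
            if (pid, "boot") not in fired:
                fired.add((pid, "boot"))
                alerts.append((pid, proc, "raw write to boot sector"))
        elif op == "write" and ev.get("path", "").lower().endswith(EXEC_SUFFIXES):
            # Rule 2: a process rewriting several executables looks like a file infector.
            # The threshold is the false-positive knob: at 1, installers are flagged too.
            exes_written[pid].add(ev["path"].lower())
            if len(exes_written[pid]) >= exe_threshold and (pid, "exe") not in fired:
                fired.add((pid, "exe"))
                alerts.append((pid, proc, f"wrote to {len(exes_written[pid])} executable(s)"))
    return alerts


if __name__ == "__main__":
    for alert in activity_trap(EVENTS):
        print("ALERT", alert)
```

Intervening means acting on the alert before the next event is allowed through (suspend the process, block the write), which is why a real trap sits in the I/O path like the on-the-fly scanner on Page 24 rather than reading a log after the fact.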

Page 27: Generations of Antivirus (cont.)

Fourth: Full-featured protection
- Packages consisting of a variety of antivirus techniques used together.
- Include scanning and activity trap components.
- Access control capability limits the ability of viruses to penetrate a system, limits the ability of a virus to update files, and prevents it from spreading an infection.

Page 28: Virus Prevention

- Install the latest antivirus updates
- Institution-wide licenses for antivirus software
- Protect passwords for access
- Do not open suspicious e-mails
- Protect the network through firewalls
- Implement a virus-prevention policy for the organization

Page 29: References

T1: Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2004, ISBN 0321247442
T2: Matt Bishop, Computer Security: Art and Science, Addison-Wesley, 2002, ISBN 0201440997