Virus Lecture Notes


8/3/2019 Virus Lecture Notes

    1/18

Slide 1

    COIS/FRSC 2750H

    Computer Crime and Forensics

    Fall 2011

    Malware: Viruses, Worms etc.

Edited by Brian Hircock, Fall 2010

Slide 2

    Reference Material

    Primary sources of information contained in these slides are:

Taylor, R.W. et al., Digital Crime and Digital Terrorism (2006)

Jones, R., Internet Forensics (2006)

Volonino, L. et al., Computer Forensics: Principles and Practices (2007)

Wang, W., Steal This Computer Book 4.0: What They Won't Tell You About the Internet (2006)


Slide 3

    First malware? - ANSI Bomb

In the DOS days, CONFIG.SYS could load a device driver called ANSI.SYS at boot

It interprets ANSI escape sequences written to the console (colours, cursor movement)

One of those sequences remaps keys on the keyboard, so any text that is merely displayed (e.g. with TYPE, or a BBS welcome screen) can redefine what the keys do

    Allow you to make shortcuts, macros

But you could do things like have the computer erase whatever file the user was working on every time they pressed, say, e

    Or even worse plant a bomb

Every time the user presses a certain key, say c or C, the computer tries to reformat the hard drive

Before doing this the computer asks the user whether they really want to do this, so you also reprogram the keyboard so that N = Y and n = y and the confirmation prompt answers itself

Another precursor would be Core War (1984), itself descended from the 1961 Bell Labs game Darwin, in which programs fought for control of a shared memory
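An added example (not part of the original slides) of the check a forensic examiner would run on a downloaded text file or BBS screen: find the ANSI.SYS key-reassignment sequences (ESC [ code ; string ; ... p), decode which key is redefined and what it now types, and strip them. The sample "welcome screen" is constructed here to mimic the bomb described above; the sequence syntax is ANSI.SYS's own.

```python
import re

ESC = "\x1b"

# ANSI.SYS key reassignment:  ESC [ code ; string ; ... p
# "code" is the ASCII value of the key being redefined (or 0;scancode for
# extended keys such as function keys); the remaining parameters are the
# replacement, given as decimal ASCII values and/or quoted text.
PARAM = r"""\d+|"[^"]*"|'[^']*'"""
KEY_REMAP = re.compile(r"\x1b\[((?:%s)(?:;(?:%s))*)p" % (PARAM, PARAM))
TOKEN = re.compile(PARAM)


def describe_key(code):
    """Human-readable name for an ASCII key code."""
    return f"'{chr(code)}' (ASCII {code})" if 32 <= code <= 126 else f"ASCII {code}"


def decode_remaps(text):
    """Return (key, replacement_text) for every key-reassignment sequence in text."""
    found = []
    for m in KEY_REMAP.finditer(text):
        tokens = TOKEN.findall(m.group(1))
        if not tokens or not tokens[0].isdigit():
            continue  # malformed: the key code must come first
        if tokens[0] == "0" and len(tokens) > 1 and tokens[1].isdigit():
            key, rest = f"extended scancode {tokens[1]}", tokens[2:]
        else:
            key, rest = describe_key(int(tokens[0])), tokens[1:]
        replacement = "".join(
            tok[1:-1] if tok[0] in "\"'" else chr(int(tok) & 0xFF) for tok in rest
        )
        found.append((key, replacement))
    return found


def command_injecting(text):
    """Reassignments that type a carriage return (13) fire a command on keypress."""
    return [r for r in decode_remaps(text) if "\r" in r[1]]


def is_ansi_bomb(text):
    """Any key reassignment in untrusted text is a bomb: it silently changes what keys do."""
    return bool(decode_remaps(text))


def strip_remaps(text):
    """Sanitize: remove the reassignment sequences, keep everything else."""
    return KEY_REMAP.sub("", text)


# Constructed sample "welcome screen" mimicking the bomb described in the slides
SAMPLE = (
    "Welcome to the BBS!\r\n"
    + ESC + '[99;"FORMAT C:";13p'   # 'c' now types FORMAT C: followed by Enter
    + ESC + "[78;89p"               # 'N' -> 'Y'  (auto-answers "Are you sure?")
    + ESC + "[110;121p"             # 'n' -> 'y'
    + ESC + '[0;59;"dir";13p'       # F1 (extended scancode 59) -> dir<Enter>
    + "Enjoy your stay.\r\n"
)

if __name__ == "__main__":
    for key, repl in decode_remaps(SAMPLE):
        print(f"{key} now types {repl!r}")
    print("ANSI bomb:", is_ansi_bomb(SAMPLE))
```

Run it over any file that will be displayed on a DOS console; `strip_remaps` is the safe-display version of the file.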

Slide 4

    Viral Infections

Used to spread through floppy disks or bulletin board systems (BBS)

Now they're primarily spread through the Internet via

    Email

    Email attachments

    Downloadable files

    Web pages

    Newsgroups

    Peer to peer transfers

    Instant messaging

    And so on


Slide 5

    Cost

A survey of government, private industry and universities showed that 85% had a virus/worm problem in the last year

The average virus outbreak took approximately 20 person-days to recover from and cost the company $10,000 (median) or $100,000 (mean)

    Types of damage include

    Triggering disruptive events

    Bogging down email and network servers

    Deleting or modifying files

    Accessing and sharing private information

    System degradation

Compromised security

Damage to software and hardware

Slide 6

    How many viruses/worms are there?

    Active viral programs are said to be in the wild

    Wildness is a measure of the extent to which the virus is spreading

    Number of viruses in the wild changes daily

    You can see the current wild list at http://www.wildlist.org/WildList/

Preliminary results from Symantec: http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xv_04-2010.en-us.pdf

In 2009, 75% of all enterprises experienced some form of cyberattack

Symantec created 2,895,802 new malicious code signatures in 2009 (that's over 7,300 a day), a 71 percent increase over 2008

The 2009 figure represents 51 percent of all malicious code signatures ever created by Symantec

    2010 Report from Sophos


Slide 7

    Malware

We'll take a quick look at

    Viruses

Worms

Trojan Horses

    Adware and Spyware

    Blended Threats

Slide 8

    Viruses

    Overused term that has lost some of its original meaning

    Often used now as a synonym for malware

    Including viruses, worms, trojans etc.

    By definition a virus exists only to replicate itself

    Much like biological virus

    Need other files or resources to run and replicate themselves

Harm is often caused by the body's (computer's) reaction to the virus, not by the virus itself

    Four primary environments

    File virus

    Boot virus

    Macro virus

    Network virus


Slide 9

    File Virus

Use the operating system (like Windows) to propagate

    Can infect any type of executable file

Overwriting viruses replace the file with their own code; easy to detect because the program stops working

Three main types of these

    Parasite

Latch onto the file (before, after or in the middle of the executable) and leave it operational

    Companion

Create a second file that the OS runs in preference to the target (e.g. a .COM beside a .EXE, since DOS searches .COM before .EXE), so the virus runs rather than the real program

    Link virus

Modify file system structures so that the operating system runs the virus rather than the intended file
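An added example, not from the slides, of the check an examiner can run for companion infections: a companion virus never touches the real program, so it is found by looking at names, not file contents. Two cases are covered: a same-named file with a higher-precedence extension (.COM beside .EXE) in the same directory, and a same-named executable in a directory that comes earlier on PATH. The search order (.COM, .EXE, .BAT) is DOS's own; the directory listing and PATH are constructed for the example.

```python
import os
import ntpath
from collections import defaultdict

# When a command is typed without an extension, DOS (and cmd.exe via PATHEXT)
# searches .COM, then .EXE, then .BAT in the same directory.
PRECEDENCE = [".com", ".exe", ".bat"]


def find_companions(paths):
    """Return (shadowing_file, shadowed_file) pairs: an executable that has a
    same-named neighbour with a higher-precedence extension in its directory."""
    by_stem = defaultdict(dict)
    for p in paths:
        directory, name = ntpath.split(p)
        stem, ext = ntpath.splitext(name)
        ext = ext.lower()
        if ext in PRECEDENCE:
            by_stem[(directory.lower(), stem.lower())][ext] = p
    hits = []
    for exts in by_stem.values():
        present = [e for e in PRECEDENCE if e in exts]
        for shadowed in present[1:]:
            hits.append((exts[present[0]], exts[shadowed]))
    return hits


def find_path_shadows(path_dirs, paths):
    """A companion can also sit in a directory that comes earlier on PATH than
    the real program's directory. Return (impostor, real_program) pairs."""
    order = {d.lower(): i for i, d in enumerate(path_dirs)}
    by_name = defaultdict(list)
    for p in paths:
        directory, name = ntpath.split(p)
        stem, ext = ntpath.splitext(name)
        if directory.lower() in order and ext.lower() in PRECEDENCE:
            by_name[stem.lower()].append((order[directory.lower()], p))
    hits = []
    for entries in by_name.values():
        entries.sort()
        for _, later in entries[1:]:
            hits.append((entries[0][1], later))
    return hits


def scan_tree(root):
    """Walk a real directory tree and apply find_companions to it."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return find_companions(paths)


# Constructed directory listing and PATH for the example
SAMPLE_LISTING = [
    r"C:\GAMES\DOOM.EXE",
    r"C:\GAMES\DOOM.COM",     # companion: DOOM.COM runs instead of DOOM.EXE
    r"C:\DOS\FORMAT.COM",     # legitimate .COM with no .EXE twin
    r"C:\UTIL\PKZIP.EXE",
    r"C:\TEMP\PKZIP.EXE",     # same name, earlier on PATH than C:\UTIL
    r"C:\UTIL\README.TXT",
]
SAMPLE_PATH = [r"C:\TEMP", r"C:\DOS", r"C:\UTIL"]

if __name__ == "__main__":
    print("directory companions:", find_companions(SAMPLE_LISTING))
    print("PATH shadows:", find_path_shadows(SAMPLE_PATH, SAMPLE_LISTING))
```

A hit is a lead, not a verdict: compare the two files' timestamps and hashes against a known-good install before calling it an infection.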

Slide 10

    Boot Virus

Attacks the boot sector of the system or the master boot record, or changes the system pointer to the active boot sector

After power-on and hardware tests, the system loader reads the first sector of the boot record and passes control to the virus

    Rather than operating system starting, the virus runs
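An added example (not the slides' own material) of how an examiner checks a master boot record for tampering: parse the 512-byte sector, verify the 0x55AA signature, pull the partition table apart, and compare a hash of the 446-byte boot code against a baseline taken from a known-clean image. The sector layout (boot code at 0, four 16-byte entries at 446, signature at 510) is the real MBR format; the "clean" and "infected" boot stubs and the baseline hash are constructed for the example, not real virus code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
# status, CHS start, type, CHS end, LBA start, sector count
ENTRY = struct.Struct("<B3sB3sII")


def parse_mbr(sector):
    """Split a 512-byte MBR into a boot-code hash and its partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba_start, count = ENTRY.unpack_from(sector, 446 + 16 * i)
        if ptype:  # type 0 means an empty slot
            partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": partitions}


def check_mbr(sector, baseline_code_sha256):
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if info["code_sha256"] != baseline_code_sha256:
        findings.append("boot code differs from baseline")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    for (_, end), (start, _) in zip(spans, spans[1:]):
        if start < end:
            findings.append("overlapping partition entries")
            break
    return findings


def build_mbr(boot_code, partitions):
    """Assemble a sector from boot code and (status, type, lba_start, sectors) tuples."""
    code = boot_code.ljust(446, b"\x00")[:446]
    table = b"".join(ENTRY.pack(s, b"\x00" * 3, t, b"\x00" * 3, lba, n)
                     for s, t, lba, n in partitions)
    return code + table.ljust(64, b"\x00") + BOOT_SIGNATURE


# Constructed samples: a "clean" boot stub, an "infected" one, one partition
CLEAN_CODE = b"\xfa\x31\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 20
INFECTED_CODE = b"\xeb\x3c\x90" + b"CONSTRUCTED-JUMP" + b"\x90" * 20
PARTITIONS = [(0x80, 0x07, 2048, 204800)]
BASELINE = hashlib.sha256(CLEAN_CODE.ljust(446, b"\x00")).hexdigest()

if __name__ == "__main__":
    # On a live Linux box (needs root): with open("/dev/sda", "rb") as f: sector = f.read(512)
    print("clean:   ", check_mbr(build_mbr(CLEAN_CODE, PARTITIONS), BASELINE))
    print("infected:", check_mbr(build_mbr(INFECTED_CODE, PARTITIONS), BASELINE))
```

Because a stealth boot virus keeps a copy of the real sector elsewhere on the disk, read the sector from a write-blocked image rather than through the running system, which the virus may be lying to.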


Slide 11

    Macro Virus

Takes advantage of the macro language built into programs like MS Office

Transfer themselves from one file to another and from one computer to another via file attachments or shared files

When the file is opened the program calls the infected macro and the virus runs

Can take control when the user clicks on, say, File/Open or File/Save, or even when the user presses a certain key on the keyboard

    If using MS Word, can save itself as part of NORMAL.DOT file

Then every document created or opened with that template afterwards can be infected
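An added example, not part of the original slides, of the heuristic an analyst applies to VBA source extracted from a document: look for procedure names Office runs automatically (AutoOpen, Document_Open, ...) and for the identifiers a macro needs in order to copy itself into NORMAL.DOT or run a payload (VBProject, CodeModule, NormalTemplate, Shell, ...). The two macro samples are constructed for the example and are not real malware; the procedure names and object names are Word/Excel's own.

```python
import re

# Procedure names that Word/Excel run automatically (no user click needed)
AUTO_EXEC = {"autoexec", "autoopen", "autoclose", "autonew", "autoexit",
             "document_open", "document_close", "document_new",
             "workbook_open", "workbook_close", "auto_open", "auto_close"}

# Identifiers a self-replicating or payload-carrying macro tends to need
SUSPICIOUS = ["VBProject", "VBComponents", "CodeModule", "AddFromString",
              "InsertLines", "NormalTemplate", "Shell", "CreateObject", "Kill", "SaveAs"]
REPLICATION = {"VBProject", "CodeModule", "NormalTemplate"}

PROC = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", re.I | re.M)


def strip_comments(source):
    """Drop VBA ' comments so words inside them are not counted. (A string
    literal containing an apostrophe gets truncated; acceptable for a heuristic.)"""
    return "\n".join(line.split("'", 1)[0] for line in source.splitlines())


def analyze_vba(source):
    """Return the procedures found, which ones auto-run, the risky identifiers, and a verdict."""
    code = strip_comments(source)
    procs = PROC.findall(code)
    autoexec = [p for p in procs if p.lower() in AUTO_EXEC]
    suspicious = [w for w in SUSPICIOUS if re.search(r"\b%s\b" % re.escape(w), code, re.I)]
    if autoexec and REPLICATION & set(suspicious):
        verdict = "probable macro virus: auto-runs and writes macro code"
    elif autoexec and suspicious:
        verdict = "suspicious: auto-runs and uses dangerous calls"
    elif autoexec:
        verdict = "auto-executing macro, review manually"
    else:
        verdict = "no auto-execute trigger"
    return {"procedures": procs, "autoexec": autoexec,
            "suspicious": suspicious, "verdict": verdict}


# Constructed samples (not real malware): the copy-to-Normal.dot pattern, and a benign macro
SAMPLE_INFECTED = """
Sub AutoOpen()
    ' Constructed illustration of the copy-to-template pattern
    Set src = ActiveDocument.VBProject.VBComponents(1).CodeModule
    Set dst = NormalTemplate.VBProject.VBComponents(1).CodeModule
    dst.AddFromString src.Lines(1, src.CountOfLines)
    Shell "cmd /c echo payload", vbHide
End Sub
"""

SAMPLE_BENIGN = """
Sub FormatReport()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
"""

if __name__ == "__main__":
    for name, src in (("infected", SAMPLE_INFECTED), ("benign", SAMPLE_BENIGN)):
        print(name, analyze_vba(src)["verdict"])
```

In practice the VBA source is first extracted from the .doc or .docm container (the oletools `olevba` utility does both the extraction and a scan of this kind).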

Slide 12

    Network Virus

    Make use of network protocols

    Can transfer its code to a remote workstation or network

    Can run own code or push users to run code on remote machines

    Generally a companion type of virus

    Do not alter existing files

    Infiltrate computer memory from network

    Calculate and record network addresses of other computers

    Send copies of themselves to other computers


Slide 13

    Starting Unauthorized Programs

Slide 14

    How anti-virus software works

Antivirus programs detect viruses in two ways

    Recognize the signature

    A unique string of bits, or the binary pattern, of a virus.

A virus signature is like a fingerprint in that it can be used to detect and identify specific viruses

Compare files against a database of known signatures

Cannot detect new viruses because their signature isn't in the database

    Need to get new virus to analyze

    By its behaviour

    Called heuristic analysis

    Notices virus trying to infect another file


Slide 15

    Infection Methods

    Direct Infection

    Simplest method

Every time the user opens an infected file or runs an infected program the virus spreads

These are easy to detect

    Fast Infection

    Virus infects every file accessed by infected program

If the infected program is your virus checker, it'll infect every file in your system when you run a scan

    Slow Infection

Virus only infects newly created files or files modified by a legitimate program

Harder to detect, because the files are only accessed by legitimate programs like Windows Explorer

Slide 16

    Sparse Infection

    Spreads slowly and unpredictably

    RAM resident Infection

    Buries itself in RAM and any program or file opened is infected

    Spread by boot sector viruses


Slide 17

    Ways to avoid detection

    Stealth

Viruses are usually detected when they change the size, time and date stamps of infected files

A stealth virus will try to avoid making these changes to infected files, or hides them by intercepting the system calls that report them

Boot sector viruses are usually stealth viruses

    Like call forwarding

When you boot the system the virus starts, then the virus loads a copy of the real boot sector

    Polymorphism

    Changes its signature every time it infects a file

But it still must keep a small constant part (its decryptor, which also lets it recognise files it has already infected), so the same file doesn't keep getting infected over and over

Anti-virus developers can find these small signatures with time

One reason why you need to keep updating your virus database
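An added example, not from the slides, that serves both the signature-scanning description on Slide 14 and the polymorphism point above: a scanner that matches byte patterns (with `??` wildcards, as real signature databases allow) against a file, plus a toy "polymorphic" sample whose body is XOR-encoded with a fresh key on every copy. A signature on the body misses every copy; a signature on the small constant decoder stub, with the key byte wildcarded, catches all of them. The EICAR string is the real industry test signature; the stub bytes, payload and keys are constructed for the example.

```python
import random

# The EICAR test string, which every scanner detects by signature
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def parse_signature(hex_pattern):
    """'de c0 ?? 02' -> [0xde, 0xc0, None, 0x02]; '??' is a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in hex_pattern.split()]


def signature_scan(data, signatures):
    """Return (name, offset) for each signature that occurs somewhere in data."""
    hits = []
    for name, pattern in signatures.items():
        for pos in range(len(data) - len(pattern) + 1):
            if all(p is None or data[pos + i] == p for i, p in enumerate(pattern)):
                hits.append((name, pos))
                break
    return hits


# --- toy polymorphic sample: constant decoder stub + XOR-encoded body ---------
# Constructed stub bytes standing in for a real decryption loop; the key byte
# sits between head and tail and changes with every copy.
STUB_HEAD = b"\xde\xc0\xde\x01"
STUB_TAIL = b"\xde\xc0\xde\x02"
PAYLOAD = b"CONSTRUCTED PAYLOAD: the part a scanner would like to match"


def polymorphic_copy(payload, key=None):
    """Each 'infection' picks a fresh key, so the body bytes differ every time."""
    key = key if key is not None else random.randint(1, 255)
    body = bytes(b ^ key for b in payload)
    return STUB_HEAD + bytes([key]) + STUB_TAIL + body


def decode(sample):
    """What the stub does at run time: recover the body with the embedded key."""
    key = sample[len(STUB_HEAD)]
    body = sample[len(STUB_HEAD) + 1 + len(STUB_TAIL):]
    return bytes(b ^ key for b in body)


SIGNATURES = {
    "EICAR-Test-File": list(EICAR),
    "Toy.Poly.Body": list(PAYLOAD),   # naive: only ever matches the plain body
    "Toy.Poly.Stub": parse_signature("de c0 de 01 ?? de c0 de 02"),  # the small constant part
}

if __name__ == "__main__":
    for n in range(3):
        copy = polymorphic_copy(PAYLOAD)
        print(f"copy {n}: key=0x{copy[4]:02x} hits={signature_scan(copy, SIGNATURES)}")
    print("eicar:", signature_scan(b"junk" + EICAR, SIGNATURES))
```

The stub signature is exactly the "small signature" the slide talks about: the virus cannot randomise the code that has to run first, so that is what the database entry targets, and a new stub means a new entry.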

Slide 18

    Retaliators

    Attack anti-virus programs

    Either

    Modify anti-virus program so that it cant detect the virus

    Infect the anti-virus program itself

    Can be a race to see which finds the other first


Slide 19

    Worms

    Piece of software that copies itself somewhere else

Term taken from the book The Shockwave Rider (John Brunner, 1975), in which a "tapeworm" is a self-replicating piece of code

    Stand alone program

    It does not attach itself to or modify other files

    Unlike a virus

Makes copies of itself from one drive to another, or copies itself using email or another transport mechanism

    Can move very quickly

The Code Red worm in 2001 infected over 250,000 machines in 9 hours
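An added example, not part of the original slides, of why a random-scanning worm "can move very quickly": a mean-field model in which every infected host probes random addresses at a fixed rate, and a probe infects a host with probability (vulnerable but uninfected hosts) / (address space). It also reports the probe load, which is the slide's point that propagation alone is a denial of service. The population size and probe rate are constructed assumptions chosen to be in Code Red's regime, not measured values.

```python
def simulate_scanning_worm(vulnerable, address_space, scans_per_tick, initial=1, max_ticks=200_000):
    """Mean-field model of a uniformly random-scanning worm.

    Each infected host sends scans_per_tick probes per tick to random addresses;
    each probe lands on a not-yet-infected vulnerable host with probability
    (vulnerable - infected) / address_space.
    Returns a list of (tick, infected_hosts, probes_sent_this_tick).
    """
    infected = float(initial)
    history = [(0, infected, 0.0)]
    for tick in range(1, max_ticks + 1):
        probes = infected * scans_per_tick
        new = probes * (vulnerable - infected) / address_space
        infected = min(vulnerable, infected + new)
        history.append((tick, infected, probes))
        if vulnerable - infected < 0.5:
            break
    return history


def ticks_to_fraction(history, fraction, vulnerable):
    """First tick at which at least `fraction` of the vulnerable population is infected."""
    for tick, infected, _ in history:
        if infected >= fraction * vulnerable:
            return tick
    return None


def peak_probe_rate(history):
    """Highest number of probes sent in one tick: the scan traffic the slide warns about."""
    return max(p for _, _, p in history)


# Constructed scenario: ~360k vulnerable hosts somewhere in the IPv4 space,
# each infected host probing 10 addresses per second (ticks are seconds)
VULNERABLE, IPV4, RATE = 360_000, 2 ** 32, 10

if __name__ == "__main__":
    hist = simulate_scanning_worm(VULNERABLE, IPV4, RATE)
    for frac in (0.1, 0.5, 0.9, 0.99):
        t = ticks_to_fraction(hist, frac, VULNERABLE)
        print(f"{int(frac * 100):>3}% infected after {t / 3600:5.2f} h")
    print(f"peak scan load: {peak_probe_rate(hist):,.0f} probes/s")
```

The curve is logistic: slow at first because most probes hit empty addresses, then explosive once enough hosts are scanning, then flat because probes mostly hit hosts already infected. Doubling the probe rate halves the time to saturation, which is why a hit-list or faster scanner is so much worse than a slightly larger vulnerable population.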

Slide 20

    Worms cont

Some worms may have built-in DoS attacks, web site defacements, or some other surprise

Just their propagation is in effect a DoS attack because of the drain on resources

Scan traffic may crash routers

    Overload networks

    Tie up computer processing capability


Slide 21

    How worms spread

    Spread through always on Internet connections

    4 common ways to spread

Email: the worm searches for the address book of the email program and mails itself to everyone

May be described as a graphic file, electronic greeting card, or text file (MyDoom worm)

People are more likely to open these emails because they come from known people

Once opened, the worm searches for that computer's address book, and so on

Slide 22

    IRC channels or instant messaging services

    IRC networks are groups of chatrooms

    Worm sends an enticing message to everyone in chat room

    If downloaded, the worm spreads

Internet worms scan other computers for open ports

    Or like the Santy worm they use a search engine

Searched for sites running phpBB (PHP Bulletin Board)

Don't waste time trying to infect computers that won't help it spread (like computers running Mac OS X)

    Malicious web pages

    Use ActiveX controls to pass worm onto visitors to web site

Only effective on computers running Windows and using IE

Firefox and Opera don't allow ActiveX to run


Slide 23

    Trojan Horse

An unauthorized program contained within a legitimate program that performs functions unknown to the user

Usually waits for a trigger event to occur: a date, a message, etc.

    Can

    Open back doors to system

    Allow someone to take control of computer

    Destroy files

    Send emails

    Display messages

Slide 24

    How do you get a Trojan Horse?

    Email attachments

    Chat rooms

    File sharing

    Physical access to machine

    Web browser

Attackers use port scanners to find open ports and install the code themselves

    User is infected without doing anything

    Can be used by people other than the creator of the code

    Can sell lists of infected computers


Slide 25

    Remote Control Trojans

Self-contained program waiting for commands issued by a remote user

Local user doesn't know what the computer is doing

Most have auto-start capabilities so the program starts whenever the computer is booted

Can attach its code to something like explorer.exe, or modify system files or the Windows Registry

    Has a server part and client part

When the user unwittingly runs the Trojan, it becomes the server

    Attacker then uses client to connect to the machine

Slide 26

Backdoor SubSeven Trojan

    According to SANS, popular and widely used

    Trojan with multiple parts

First is the SubSeven server

    Allows attacker to connect to computer

EditServer part

    Defines characteristics of infection

    Modify server, auto start techniques, alter victims system

Determines whether to notify the attacker when the computer is online

    Port redirector and port scanner

    To find new targets

Can do things like turn the monitor on/off, open/close the CD drive, reverse the mouse buttons, record images from an attached video camera, and record screen shots


Slide 27

    Types of Trojan Horses

    Remote Access Trojans (RAT)

Allow attackers to do more on the machine than the person sitting at the machine

    Allow for access to files, passwords, etc.

    Server and client part

    Servers tend to be large programs (often a MB or more)

    Can use a back door to send server file

Or use a binder program to join the RAT to a real program (typically game demos or trial versions)

    Password Sending Trojans

    Steals cached passwords and emails them to attacker
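An added example, not from the slides, of the check that exposes most binder output: a binder appends the RAT (and its configuration) after the last section of the host program, so the file is longer than its PE headers account for. The code parses the PE section table, computes where the last section's raw data ends, and reports anything after that ("overlay"). Two caveats a practitioner needs are handled: Authenticode signatures legitimately live in the overlay (so the security data directory is compared against it), and an overlay that itself starts with `MZ` is the strongest sign of a bound second executable. The PE offsets are the real format; the minimal PE images are constructed here as sample input and are not runnable programs.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def overlay_info(pe):
    """Locate data appended past the last section of a PE file (the "overlay")."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    # Data directories start at +96 (PE32) or +112 (PE32+); entry 4 is the
    # security (Authenticode) table, whose "address" is a raw file offset.
    dd_off = opt_off + (96 if magic == PE32_MAGIC else 112) + 8 * 4
    cert_off, cert_size = struct.unpack_from("<II", pe, dd_off)
    sections_off = opt_off + opt_size
    data_end = sections_off + 40 * nsections
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sections_off + 40 * i + 16)
        data_end = max(data_end, raw_ptr + raw_size)
    return {"data_end": data_end, "overlay": pe[data_end:],
            "cert_offset": cert_off, "cert_size": cert_size}


def classify_overlay(pe):
    info = overlay_info(pe)
    ov = info["overlay"]
    if not ov:
        return "no overlay"
    if info["cert_offset"] == info["data_end"] and info["cert_size"] == len(ov):
        return "overlay is the Authenticode certificate table"
    if ov[:2] == b"MZ":
        return f"overlay contains an embedded MZ executable ({len(ov)} bytes): possible bound payload"
    return f"unexplained overlay of {len(ov)} bytes: inspect"


def build_minimal_pe(section_data, overlay=b""):
    """Construct a tiny, non-runnable PE32 image with one section (sample input only)."""
    e_lfanew, opt_size, align = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", PE32_MAGIC).ljust(opt_size, b"\x00")
    raw_ptr = -(-(e_lfanew + 4 + 20 + opt_size + 40) // align) * align
    raw_size = -(-len(section_data) // align) * align
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                          raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\x00\x00" + file_hdr + optional + section).ljust(raw_ptr, b"\x00")
    return headers + section_data.ljust(raw_size, b"\x00") + overlay


# Constructed samples: a "game demo" alone, and the same demo with a second
# executable plus a config blob glued on the end, the way a binder works.
GAME_DEMO = build_minimal_pe(b"\xc3" * 100)
BOUND = build_minimal_pe(b"\xc3" * 100,
                         overlay=build_minimal_pe(b"\x90" * 50) + b"CONSTRUCTED-RAT-CONFIG")

if __name__ == "__main__":
    # Real file: classify_overlay(open(path, "rb").read())
    print("demo :", classify_overlay(GAME_DEMO))
    print("bound:", classify_overlay(BOUND))
```

An overlay is common in legitimate software too (installers keep their archive there), so treat the result as a lead to examine, and carve the overlay out for a second look with the same parser.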

Slide 28

    Keyloggers

    Capture key strokes and email them to attacker periodically

    Some have on or off line option

    Destructive

Destroy and delete files

Can work like a logic bomb: becomes active when certain conditions are met

    DoS or Mail Bomb Trojan

Infect as many machines as possible and then have all machines bombard the target with non-filterable emails

    Proxy/Wingate Trojan

Turn the victim's computer into a zombie

    Can be used by attacker or whole world for illegal activities

    Software Detection Killers

Attacks anti-virus/firewall programs; then the attacker has free access to the machine


Slide 29

    To avoid worms and Trojan Horses

    Eventually your computer will be attacked by one of these

Need to detect and remove them and to prevent them from coming back

Use an antivirus program (free is OK)

For protection from RATs get a dedicated anti-Trojan Horse program

Like BOClean, The Cleaner, Hacker Eliminator, TrojanHunter

    Need a firewall to block ports

    Download all operating system updates

    Consider not using popular software (Windows and Office)

    Use Linux, BSD, Macs, OpenOffice

Don't use Windows Outlook or Outlook Express for email

Use Thunderbird, Pegasus Mail or Eudora

If you must use IRC, use Visual IRC, XIRCON or X-CHAT

    Disable Microsoft IM (Instant Messenger)

Slide 30

    Adware and Spyware

Usually delivered in email attachments, downloaded as part of another piece of software, or downloaded from a web site (tracking cookies are often counted as spyware too)

    Adware does things like

Redirects the start page of your Internet browser

Makes changes to the browser

    Replaces search functions within browser

    Generates pop-up ads

Spyware programs send information over the Internet to the programmers for marketing purposes without notifying the user

    Browsing habits

    Hardware and software in the system

    Often downloaded as part of other functional software


Slide 31

    Read the EULA

Often take advantage of the fact that most users do not read the End User License Agreement (EULA)

    Or they make text so convoluted no one knows what it means

Often very difficult to remove adware or spyware, as the program often makes complex changes to the computer system

Sometimes you have to reformat the hard drive and reinstall the operating system

Slide 32

    Avoiding Adware and Spyware

If possible, don't use Windows

    Most malicious code written against Windows

    Use a safe browser

Firefox or Opera, or even better use VMware Player with the Browser Appliance

Creates a virtual computer in memory that runs Firefox under Ubuntu Linux

    Install a firewall

    Monitor your startup programs

System Mechanic, Process Guard, MalWhere and Startup Manager display a list of startup programs

    Run anti spyware programs

The problem is that spyware developers are making deals with anti-spyware companies


Slide 33

    Blended Threats

    Combine viruses, worms, Trojan Horses and other malicious code

    Effective because most security products cannot prevent the attack

They just advise the user after the fact

Sometimes it is better to shut down the network if there's an imminent threat and wait for patches and detection routines

Slide 34

    Why do people write viruses?

Why take the time to write and test code that will be destructive and harmful to someone that they don't know?

    Several possible reasons

    In the early days it was often for fun

    A challenge of the writers skill

Viruses tended to be annoying, not destructive, e.g. the Stoned virus

    For notoriety

    Increased reputation in underground virus community

    To get a job

    Virus writers are often hired by Internet security companies

    As part of your job

Governments, terrorist groups and corporations are all capable of hiring virus writers to attack enemies

    Because they can and they most often get away with it


Slide 35

    Virus Hoaxes

    Can be as costly or more costly than real viruses

Time wasted trying to detect or remove the virus, e.g. the Teddy Bear hoax, which told users to delete jdbgmgr.exe, a legitimate Windows file with a teddy-bear icon: http://www.hoax-slayer.com/teddy-bear-virus-hoax.html

    Virus hoaxes: Contain a warning message about a virus

Usually from an individual or company, but with no cited source

Warn not to read or download the virus, and preach "salvation by deletion"

    Describe the virus as having horrific powers

    Usually many words in caps and exclamation marks

    Urge the reader to forward the email

    Seek credibility by citing a credible source

Claim the source says the virus is bad or has them worried

Use baseless technical jargon