Professional Documents
Culture Documents
Oct 2012
Introduction
Propagation of malicious code Malicious indicates the potential to do damage. Usually classified by the type of propagation. Sometimes classified by
Platforms and mechanisms it requires to run
E.g. macro viruses.
Oct 2012
Viruses
Program or piece of code that will reproduce itself. Sometimes perform a particular action. Definition from RFC 1135
A virus is a piece of code that inserts itself into a host, including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it.
Oct 2012
Worm
A worm is similar to a virus, but it does not locally reproduce. Propagates between systems only. Definition from RFC 1135
A worm is a program that can run independently, will consume the resources of its host from within in order to maintain itself and can propagate a complete working version of itself on to other Oct 2012 machines.
Macro Virus
Sometimes considered worms. Require a host program to process/run it in order for it to execute. Often written in VBA (Visual Basic for Application) for Word, Access, Excel, PowerPoint, and outlook etc. E.g. Melissa
5
Oct 2012
Trojan Horses
Code disguised as benign programs, but behave in an unexpected, usually malicious manner. User needs to be convinced to accept/run them. E.g. Pokemon worm, which will display animated pictures of bouncing Pikachu on your screen while it e-mails itself to everyone in your address book and prepares to delete every files.
Oct 2012
The Trojan horses initially appears as an e-mail with the title "Pikachu Pokemon" and the English message "Pikachu is your friend.
The above picture is what the users see when executing pokemon.exe (its attachment). What they dont see is the application e-mailing itself and deleting files from the system.
Oct 2012
Anatomy of a Virus
Two primary components
Propagation mechanism Payload
Propagation
Method by which the virus spreads itself. Old days: single PC, transferred to other hosts by ways of floppy diskettes.
Nowadays: internet.
Oct 2012
Types of Propagation Parasitic Propagates by being a parasite on other files. Attaching itself in some manner that still leaves the original file usable. .com and .exe files of MS-DOS Macro virus Boot sector infectors Copy themselves to the bootable portion of the hard (or floppy) disk.
For a hard drive to be bootable, it must contain a Master Boot Record (MBR).
Chuck of code that lies at the beginning of the hard drive. Understand the partition table.
10
Oct 2012
The MBR code will look for a particular partition that is marked bootable (MSDOS fdisk: active), and then transfer control to the code. This code is known as the boot sector.
11
Oct 2012
Boot sector viruses tend to take the existing MBR or boot sector code, relocate it elsewhere, and then insert themselves into the record. When the system boots, they can do their things, and then transfer control to the relocated code that they replaced.
12
Oct 2012
Multi-partite
Refers to viruses that can use multiple means of infection, such as
MBR Boot sector Parasitic
13
Oct 2012
Payload
Refers to what the virus does (besides propagation) once executed.
Do nothing Do cute things Malicious damage such as delete your partition table.
14
Oct 2012
Smart viruses usually use infrequent trigger so that they have ample time to ensure they have properly propagated, before alerting the users.
15
Oct 2012
Example: Melissa
Melissa works by infecting the Document_Open() macro of Microsoft word. Run immediately when the user opens the word files.
Private Sub document_open() On Error Resume Next
16
Oct 2012
17
Oct 2012
Replicator
Spread the virus.
18
Oct 2012
Copy small portion of its code to the beginning of the file. Copy the second part of itself to the end of the file.
19
Bomb
Does all things to annoy the user. Some possible bombs
System slowdown
Easily handled by trapping an interrupt and causing a delay when it activates.
File deletion. Message Display. Killing/Replacing the partition table or boot sector of the hard drive.
20
Oct 2012
Anti-virus Techniques
Integrity/behavioral Checkers Use good OS Use virus scanner on computer and emailserver. Use virus scanner Do not open attachments to emails. Frequent backups.
21
Oct 2012
Reference
Kevin L. Poulsen, "Hack Proofing Your Network: Internet Tradecraft", Chapter 14, p.383 405 Dark Angels Phunky Virus Writing Guide http://www.sirkussystem.com/virus.html
Introduction Installment II: the replicator
22
Oct 2012