malicious code n.
Skip this Video
Loading SlideShow in 5 Seconds..
Malicious Code PowerPoint Presentation
Download Presentation
Malicious Code

Malicious Code

149 Views Download Presentation
Download Presentation

Malicious Code

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Malicious Code By Diana Peng

  2. What is Malicious Code? • Unanticipated or undesired effects in programs/program parts, caused by an agent with damaging intentions • Uses our everyday programs as a vessel to access and change data stored • Viruses • Worms • Trojan Horses

  3. Unpredictable Behavior • Behaves in the same manner as any other program • Has the ability to stop running programs, generating a sound, erasing stored data, etc. • Has the ability to remain dormant until some event triggers the code to act

  4. History of Malicious Code • 1981 Elk Cloner – spread on Apple II floppy disks (containing the OS) originating from Texas A&M: It will get on all your disks It will infiltrate your chips Yes it's Cloner! It will stick to you like glue It will modify ram too Send in the Cloner! • 1983 – Fred Cohen Computer Viruses – Theory and Experiments • 1986 Brain –2 Pakistani brothers analyzing the boot sector of a floppy disk, develop a method to infect it. Spread quickly and widely on MS-DOS PC system.

  5. History (cont.) • 1987 IBM Christmas Worm – fast spreading 500,000 replication per hour • 1988 MacMag – Hypercard stack virus Scores – 1st major Mac outbreak • 1991 Tequila – polymorphic, originated in Switzerland and changed itself to avoid detection • More recently – Love Letter(2000), Blaster and SoBig(2003)

  6. Definitions • Virus – a program that can pass on malicious code to other nonmalicious programs by modifying the them 1. Transient – life is dependent on host 2. Resident – stores itself in memory and acts as a stand-alone program • Trojan Horse – contains obvious malicious intent and a 2nd unseen effect

  7. Definitions (cont.) • Logic Bomb – “detonates” when a specified condition occurs * Time Bomb – triggered by a time/date • Trapdoor/Backdoor – allows one to access a protected program through an indirect method • Worm – program that replicates itself and spread those replications through a network * Rabbit – spreads w/out limits and tries to exhaust the computer’s resources

  8. Virus Qualities • Easily created • Difficult to detect • Difficult to destroy or deactivate • Spreads intended infection widely • Ability to re-infect original program or other programs • Machine and OS independent

  9. Attaching Viruses • Must be executed in order to be activated • Human intervention is key for initial activation • Email attachments • Once attached, the virus installs itself on a permanent storage medium and on any/all executing programs in memory

  10. Appended Viruses • Most common attachment – easy to program and effective • Attaches to an existing program and is activated whenever whenever the program is running • Virus instructions execute 1st, after the last virus instruction control is given back to the 1st program instruction • User is unaware of virus – original program still runs the way it’s intended

  11. Appended Virus (cont.) Program Virus Program Virus + =

  12. Surrounding Viruses • To avoid detection on the disk, the virus will attach itself to the program constructing the listing of files on the disk • The virus has control after the listing program is generated and before it is displayed to delete itself from the listing

  13. Surrounding Virus (cont.) Virus Program Program Virus Virus

  14. Integrated Viruses • Virus will replace the program and integrate itself into the original code • Requires the creator of the virus to know the original program in order to insert pieces of the virus into it • Replacement – the virus replaces the entire program with itself; user will only see the performance of the virus

  15. Integrated Viruses (cont.) Program Program Virus + =

  16. Document Virus • Implemented inside a formatted document (ex. Word document, database, spreadsheet, etc.) • Highly structured files containing both data and commands • Command codes are a part of rich programming language

  17. Gaining Control • The virus program must be activated in place of the original program • Presents itself as the original program • Substitutes the original program by pushing the original one out of the way • Overwriting - the virus replaces the original code in a file structure • Pointer Changing - directs the file system to itself and skips the original code

  18. One-Time Execution • Majority of viruses today • Activated and executed only once • Email attachments

  19. Boot Sector Viruses • Gains control early in the boot process before detection tools are active • Boot area is crucial to the OS and is usually kept hidden from the user to avoid modification/deletion • Virus code is difficult to notice

  20. Memory Resident Viruses • Resident code – code that is frequently used by the OS that has a permanent space in memory • Resident code is activated many times and simultaneously activates the virus each time • Ability to look for and infect uninfected carriers

  21. Virus Signatures • Cannot be completely invisible • Code is stored on computer and must be in memory to execute • Signature – the pattern the virus executes and the method it uses to spread • Virus Scanner – detects virus signatures by searching memory & long-term storage, and monitors execution – must be kept up-to-date to be effective

  22. Storage Patterns • Most viruses attach to programs stored on disks – file size grows • Attachment is usually invariant and the start of the virus code is detectable (Appended Attachment) • JUMP instruction (Surrounding Attachment)

  23. Execution Patterns • Spread infection • Avoid detection – Boot Sector • Cause harm – erasing files/disks, preventing booting/writing to disk, shutting down, etc.

  24. Transmission Patterns • Virus is only effective if it has the ability to transmit itself from location to location • Virus execution behaves just like any other program execution and it’s form of transmission is not confined to one medium.