
Viruses


Presentation Transcript


  1. Viruses CSE 465-591, Fall 2006

  2. Taxonomy of Malicious Programs
  Malicious programs
    • Needs host program: Trap doors, Logic Bombs, Trojan Horses, Viruses
    • Independent: Worm, Zombie
    • Replicate: Viruses, Worm

  3. Definitions
  • Trap Doors (also called Back Doors): Holes in the security of a system deliberately left in place by designers or maintainers for privileged access
  • Example: Some operating systems have privileged accounts for use by field service technicians or maintenance programmers. In Unix-style operating systems, root is the conventional name of the user who has all rights or permissions in all modes (single- or multi-user). Alternative names include baron and avatar on some Unix variants. BSD often provides a toor ("root" backwards) account in addition to a root account. The root user can make many changes an ordinary user cannot, such as changing the ownership of files and binding to ports numbered below 1024.

  4. Definitions (cont.)
  • Logic Bombs: Code surreptitiously inserted into an application program or operating system to perform some destructive or security-compromising activity whenever specified conditions are met
  • Example: In 1998, Timothy Allen Lloyd, a former chief computer network program designer, was sentenced to 41 months in prison for unleashing a $10 million "logic bomb" 20 days after his dismissal. The "bomb" deleted all the design and production programs of Omega Engineering Corp., a New Jersey-based manufacturer of high-tech measurement and control instruments used by NASA and the U.S. Navy.

  5. Definitions (cont.)
  • Trojan horse: Malicious, security-breaking program disguised as something benign, such as directory-listing software, archiving software, game software, or software to find and destroy viruses
  • A Trojan horse is similar to a back door
  • Virus: Program or piece of code that infects one or more other programs by modifying them; the modification includes a copy of the virus program, which can then infect other programs
  • Victim programs become Trojan horses
  • The embedded virus is executed along with the program, propagating the "infection"
  • Normally invisible to the user
  Reading: T1 ch. 19.2, 19.3; T2 ch. 22.2, 22.3

  6. Examples
  • The Win95/Marburg virus got widespread circulation in August 1998, when it was included on the master CD of the popular MGM/EA PC CD-ROM game "Wargames".
  • The CD contains one file infected by the Marburg virus: \EREG\EREG32.EXE

  7. Definitions (cont.)
  • Worm: Program that propagates and reproduces itself as it goes over a network
  • Negative term, only crackers write worms
  • Cracker: a person who engages in illegal or unethical circumvention of computer security systems
  • Zombie: Process that has terminated (either killed or exited) and whose parent process has not yet received notification of its termination
  • Exists as a process table entry
  • Consumes no other resources
  Reading: T1 ch. 19.4; T2 ch. 22.4

  8. Structure of a Virus
  • Viruses have the following parts:
    • "engine" - code that enables the virus to propagate
    • "payload" - set of instructions that defines the action (frequently destructive) which the virus performs. Not all viruses have payloads, and not all payloads cause harm
  • Viruses need:
    • "host" - the particular hardware and software environment on which the virus can run
    • "trigger" - the event that starts the virus running
  Source: Eugene Kaspersky, "Computer Viruses", Kaspersky Lab, Moscow, 2001, http://www.viruslist.com/eng/viruslistbooks.html

  9. Types of Viruses
  • Boot Viruses (boot sector infectors)
    • Infect the boot sector of a floppy disk and the boot sector or Master Boot Record (MBR) of a hard disk
    • Upon boot-up, the virus forces the system to read it into memory and pass control of the system to the virus code rather than to the original loader routine
    • A virus resident in RAM will continue to infect the disk after the disk is formatted unless the RAM is cleared
  Reading: T1 ch. 19.3.1; T2 ch. 22.3.1

  10. Types of Viruses (cont.)
  • File Viruses
    • Use the OS file system in one way or another to propagate themselves
    • No known OS is secure
    • May infect files containing program source code, libraries or object modules

  11. Types of Viruses (cont.)
  • Macro Viruses
    • May be written in macro-languages built into some data-processing systems, such as text editors and electronic spreadsheets
    • Most common in Microsoft Word, Microsoft Excel and Office due to their extensive use of macro-languages
  Reading: T1 ch. 19.3.8; T2 ch. 22.3.8

  12. Types of Viruses (cont.)
  • Polymorphic Viruses
    • Change their own form each time they insert themselves into another program
    • Can be of various kinds, such as boot, file or macro viruses
    • Cannot be detected, or only with great difficulty, using so-called virus masks (signatures built from the parts of the virus-specific code that do not change)
    • Generated in two ways:
      • By encrypting the main code of the virus with a non-constant encryption key and using random sets of decryption commands
      • By changing the engine of an existing virus
  Reading: T1 ch. 19.3.7; T2 ch. 22.3.7
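To make the point about virus masks concrete, here is an added example (not from the lecture or the cited textbooks) of a scanner that matches a mask with wildcard bytes. The three sample byte strings, the mask syntax and the hex values are all constructed for this illustration: two "variants" share a constant fragment and differ only in the bytes between, while the third has no stable fragment at all, which is the situation the slide describes for a fully polymorphic virus.

```python
"""
Added example: a fixed signature versus a wildcard "virus mask".
Every byte string and mask below is constructed for illustration; none
corresponds to any real malware.
"""
from typing import List, Optional, Sequence

# A mask is a sequence of byte values; None stands for "any byte here".
Mask = Sequence[Optional[int]]


def parse_mask(text: str) -> List[Optional[int]]:
    """Parse 'DE AD ?? BE EF' style text into a mask ('??' = wildcard)."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def mask_matches_at(data: bytes, mask: Mask, offset: int) -> bool:
    """True if every non-wildcard byte of the mask matches data at offset."""
    if offset + len(mask) > len(data):
        return False
    return all(m is None or data[offset + i] == m for i, m in enumerate(mask))


def find_mask(data: bytes, mask: Mask) -> int:
    """Return the first offset at which the mask matches, or -1."""
    for off in range(len(data) - len(mask) + 1):
        if mask_matches_at(data, mask, off):
            return off
    return -1


# Constructed samples. Variants 1 and 2 keep the same constant head/tail
# around two bytes that differ per copy (think of a per-copy key byte pair).
CONSTANT_HEAD = bytes.fromhex("DEAD")
CONSTANT_TAIL = bytes.fromhex("BEEF")
VARIANT_1 = b"\x00" * 8 + CONSTANT_HEAD + b"\x11\x22" + CONSTANT_TAIL + b"\x00" * 8
VARIANT_2 = b"\x00" * 8 + CONSTANT_HEAD + b"\x33\x44" + CONSTANT_TAIL + b"\x00" * 8
# Variant 3: the whole fragment changed, so nothing stable is left to mask.
VARIANT_3 = b"\x00" * 8 + bytes.fromhex("CAFE5566FACE") + b"\x00" * 8

# A first-generation signature: exact bytes copied from variant 1.
EXACT_SIGNATURE = parse_mask("DE AD 11 22 BE EF")
# A virus mask: keeps only the non-changing parts, wildcards the rest.
WILDCARD_MASK = parse_mask("DE AD ?? ?? BE EF")


def detect(sample: bytes) -> dict:
    """Report whether the exact signature and the mask each hit the sample."""
    return {
        "exact": find_mask(sample, EXACT_SIGNATURE) >= 0,
        "mask": find_mask(sample, WILDCARD_MASK) >= 0,
    }


if __name__ == "__main__":
    for name, sample in [("variant 1", VARIANT_1), ("variant 2", VARIANT_2),
                         ("variant 3", VARIANT_3)]:
        print(name, detect(sample))
```

The mask catches variant 2, which the exact signature misses, but neither catches variant 3: once a virus changes all of its bytes between copies, byte-pattern matching has nothing left to anchor on, which is why the later slides move on to heuristics and activity traps.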

  13. Types of Viruses (cont.)
  • Stealth Viruses
    • Cover/hide their presence in the system
    • Can take the form of an existing file format
    • Can reside inside a frequently used application
  Reading: T1 ch. 19.3.5; T2 ch. 22.3.5

  14. Types of Viruses (cont.)
  • Memory Resident Viruses
    • Also called Terminate and Stay Resident (TSR)
    • Leave a copy of the virus in system memory, intercept some events (such as file or disk calls), and run infecting routines on the files and disk sectors involved
    • Active not only when an infected program runs, but also after that program terminates

  15. Types of Viruses (cont.)
  • Network Viruses
    • Have characteristics of both viruses and worms
    • Make extensive use of network protocols and the capabilities of local and global access networks to multiply and transfer the virus' code to a remote server or workstation automatically
    • Sometimes called Network Worms

  16. Network Viruses vs. Worms
  • All network viruses are worms
  • Not all worms are network viruses
  • A worm can infect other computers for a non-malicious purpose
  • Examples:
    • A worm can be used to install automatic software updates across a very large network
    • A worm can be used for spam e-mails and disseminating announcements in a large organization

  17. Virus Infecting Mechanisms
  • Unlike a worm, a virus cannot infect other computers without assistance
  • Propagated by interactions, such as humans trading programs with their friends
  • A virus may do nothing but propagate itself and then allow the program to run normally

  18. Nature of Viruses
  • Four phases in the lifetime of a virus:
    • Dormant Phase
    • Propagation Phase
    • Triggering Phase
    • Execution Phase

  19. Dormant Phase
  • Virus is idle
  • Eventually activated by some conditions or events, such as
    • System date
    • Presence of another program or file
    • Current usage of disk space exceeding some limit
  • Not all viruses have this phase

  20. Propagation Phase
  • Virus places an identical copy of itself in other programs or into certain system areas of the disk
  • Each infected program becomes a virus, which will itself enter a propagation phase

  21. Triggering Phase
  • Virus is activated by an event or condition to perform the function for which it was intended
  • Can be caused by a variety of events or conditions. For example, the number of times this copy of the virus has made copies of itself

  22. Execution Phase
  • Virus function is performed
  • Virus function may be
    • Harmless, but annoying
      • Examples: A message on screen, distorted windows or harmless spam
    • Harmful
      • Examples: Destruction of programs or files, or deleting important or sensitive data

  23. Antivirus
  • Antivirus Software: Programs to detect and remove viruses
  • Simplest: scans executable files and boot blocks for a list of known viruses
  • Others: constantly active, attempting to detect the actions of general classes of viruses
  • Includes a regular update service allowing antivirus software to keep up with the latest viruses as they are released

  24. Antivirus Terminology
  • False Positive: Uninfected object (file, sector or system memory) triggers the antivirus program
  • False Negative: Infected object arrives undetected
  • On-demand Scanning: Virus scan starts upon user request
    • Antivirus program remains inactive until a user invokes it from a command line, batch file or system scheduler
  • On-the-fly Scanning: All objects processed in any way (opened, closed, created, read from or written to, etc.) are being constantly checked for viruses
    • Antivirus program is always active, memory resident and checking objects without user request

  25. Generations of Antivirus
  • First: Simple scanners
    • Require a virus signature to identify a virus
    • A virus signature is a unique string or binary pattern of a virus, used to detect and identify specific viruses. E.g. "Istanbul-turkey".
    • Limited to detection of known viruses
  • Second: Heuristic scanners
    • Use heuristic rules to search for probable virus infection
    • Look for fragments of code that are often associated with viruses
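The following added example (mine, not from the lecture or the cited textbooks) puts a first-generation signature scanner next to a second-generation heuristic check and then scores the verdicts with the false-positive / false-negative terminology from slide 24. The signature database, the heuristic rules (a high-entropy body and a constructed marker fragment), the entropy threshold, and all file names and contents are assumptions constructed for the example; the scanner takes an in-memory mapping of names to bytes so it runs without touching the filesystem.

```python
"""
Added example: signature scanning, a heuristic rule, and FP/FN bookkeeping.
Signatures, heuristic fragments, thresholds and sample files are all
constructed for illustration and match no real malware.
"""
import math
from typing import Dict, List

# Constructed signature database: name -> byte pattern (cf. the lecture's
# text-style signature "Istanbul-turkey").
SIGNATURES: Dict[str, bytes] = {
    "Sample.A": b"SAMPLE-SIGNATURE-A",
    "Sample.B": bytes.fromhex("0102030405060708"),
}
# Constructed heuristic fragment: a marker string "often associated" with
# infection in this toy world.
HEURISTIC_FRAGMENTS: Dict[str, bytes] = {"self-copy-marker": b"COPY-SELF"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; assumption for this example


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 means the data looks random (packed/encrypted)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def signature_scan(data: bytes) -> List[str]:
    """First generation: exact pattern match against known signatures."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def heuristic_scan(data: bytes) -> List[str]:
    """Second generation: rules for traits that suggest infection."""
    findings = [name for name, frag in HEURISTIC_FRAGMENTS.items() if frag in data]
    if len(data) >= 64 and shannon_entropy(data) > ENTROPY_THRESHOLD:
        findings.append("high-entropy-body")
    return findings


def scan(files: Dict[str, bytes]) -> Dict[str, dict]:
    """On-demand scan of an in-memory set of objects; returns per-file verdicts."""
    verdicts = {}
    for name, data in files.items():
        sigs, heur = signature_scan(data), heuristic_scan(data)
        verdicts[name] = {"signatures": sigs, "heuristics": heur,
                          "infected": bool(sigs or heur)}
    return verdicts


def evaluate(verdicts: Dict[str, dict], truth: Dict[str, bool]) -> Dict[str, int]:
    """Count outcomes. False positive: clean object triggered the scanner.
    False negative: infected object arrived undetected."""
    counts = {"true_positive": 0, "false_positive": 0,
              "false_negative": 0, "true_negative": 0}
    for name, infected in truth.items():
        flagged = verdicts[name]["infected"]
        if flagged and infected:
            counts["true_positive"] += 1
        elif flagged and not infected:
            counts["false_positive"] += 1
        elif not flagged and infected:
            counts["false_negative"] += 1
        else:
            counts["true_negative"] += 1
    return counts


# Constructed sample set with labelled ground truth.
SAMPLE_FILES: Dict[str, bytes] = {
    "clean_tool.exe": b"MZ" + b"plain program text " * 4,
    "infected_a.exe": b"MZ" + b"x" * 20 + b"SAMPLE-SIGNATURE-A" + b"y" * 20,
    # A document that merely talks about the signature: a classic false positive.
    "readme_about_signatures.txt": b"The scanner looks for SAMPLE-SIGNATURE-A in files",
    # A new variant with no signature and no heuristic trait: a false negative.
    "novel_variant.exe": b"MZ" + b"z" * 64,
    # A packed body (every byte value once): the entropy heuristic fires.
    "packed_sample.bin": bytes(range(256)),
}
GROUND_TRUTH: Dict[str, bool] = {
    "clean_tool.exe": False,
    "infected_a.exe": True,
    "readme_about_signatures.txt": False,
    "novel_variant.exe": True,
    "packed_sample.bin": True,
}

if __name__ == "__main__":
    results = scan(SAMPLE_FILES)
    for name, verdict in results.items():
        print(name, verdict)
    print(evaluate(results, GROUND_TRUTH))
```

The readme is flagged because the signature string appears in benign text, and the novel variant slips through because no rule describes it; the two errors are the tension every signature and heuristic scanner tunes between, and the entropy rule shows how a heuristic can catch something no signature knows at the cost of its own false positives on legitimately packed or compressed data.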

  26. Generations of Antivirus (cont.)
  • Third: Activity traps
    • Identify a virus by the virus' actions (trap malicious activities) rather than by the structure in an infected program
    • No need to develop signatures and heuristics for a wide variety of viruses
    • Need to identify the set of actions that indicates an infection is being attempted and then to intervene
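As an added example of an activity trap (mine, not from the lecture), the code below watches a stream of process events instead of file contents: a process that modifies more than a handful of distinct executables within a short window is the kind of action a file-infecting virus must perform, whatever its bytes look like. The event log, its field names, the "write to many executables" rule and its threshold are all constructed assumptions for this illustration; a real trap would hook the events from the OS and intervene by suspending the process, which is left to the caller here.

```python
"""
Added example: a third-generation "activity trap" over a constructed event log.
Field names, the rule and its threshold are assumptions for this example.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Event(NamedTuple):
    ts: float      # seconds since start of the log
    pid: int       # acting process
    action: str    # "open", "write", ...
    path: str      # object acted on


EXECUTABLE_SUFFIXES = (".exe", ".com", ".dll", ".sys")

# Constructed log: pid 100 is a build tool rewriting its own output;
# pid 200 writes into four unrelated executables in about a second;
# pid 300 is a backup tool that only reads executables.
EVENTS: List[Event] = [
    Event(0.0, 100, "write", r"C:\build\app.exe"),
    Event(0.5, 100, "write", r"C:\build\app.exe"),
    Event(1.0, 200, "open",  r"C:\Windows\notepad.exe"),
    Event(1.1, 200, "write", r"C:\Windows\notepad.exe"),
    Event(1.4, 200, "open",  r"C:\Windows\calc.exe"),
    Event(1.5, 200, "write", r"C:\Windows\calc.exe"),
    Event(1.8, 200, "open",  r"C:\Windows\write.exe"),
    Event(1.9, 200, "write", r"C:\Windows\write.exe"),
    Event(2.2, 200, "write", r"C:\Program Files\tool\tool.exe"),
    Event(3.0, 300, "open",  r"C:\Windows\notepad.exe"),
    Event(3.1, 300, "open",  r"C:\Windows\calc.exe"),
    Event(3.2, 300, "open",  r"C:\Windows\write.exe"),
    Event(3.3, 300, "open",  r"C:\Windows\explorer.exe"),
]


def is_executable(path: str) -> bool:
    """Crude classification by suffix; an assumption for this example."""
    return path.lower().endswith(EXECUTABLE_SUFFIXES)


def activity_trap(events: List[Event], max_targets: int = 3,
                  window: float = 5.0) -> Dict[int, List[str]]:
    """Flag any process that writes to more than `max_targets` distinct
    executables within `window` seconds. Returns pid -> sorted target paths."""
    writes: Dict[int, List[Tuple[float, str]]] = defaultdict(list)
    for ev in events:
        if ev.action == "write" and is_executable(ev.path):
            writes[ev.pid].append((ev.ts, ev.path))
    flagged: Dict[int, List[str]] = {}
    for pid, entries in writes.items():
        entries.sort()
        # Slide a window starting at each write and count distinct targets.
        for i, (t0, _) in enumerate(entries):
            targets = {p for t, p in entries[i:] if t - t0 <= window}
            if len(targets) > max_targets:
                flagged[pid] = sorted(targets)
                break
    return flagged


if __name__ == "__main__":
    for pid, targets in activity_trap(EVENTS).items():
        print(f"pid {pid} modified {len(targets)} executables: {targets}")
```

Only pid 200 is flagged: the build tool writes one executable repeatedly and the backup tool never writes, so the rule needs no signature for whatever pid 200 is running. The cost is the same as for any behavioural rule: an installer or a compiler that legitimately rewrites many binaries would trip it too, so the threshold and an allow-list are tuning decisions, not constants.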

  27. Generations of Antivirus (cont.)
  • Fourth: Full-featured protection
    • Packages consisting of a variety of antivirus techniques used together
    • Include scanning and activity trap components
    • Access control capability limits the ability of viruses to penetrate a system
    • Limits the ability of a virus to update files and prevents an infection from spreading

  28. Virus Prevention
  • Install the latest antivirus updates
  • Institution-wide licenses for antivirus software
  • Protect passwords for access
  • Do not open suspicious e-mails
  • Protect the network through firewalls
  • Implement a virus-prevention policy for the organization

  29. References
  • Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2004, ISBN: 0321247442
  • Matt Bishop, Computer Security: Art and Science, Addison-Wesley, 2002, ISBN: 0201440997