Slide 1
- A program that attaches itself to another executable (a host program)
- Whenever the host program is executed, the virus code is run; it can make a copy of itself and infect other executables found in your memory or on your hard drive
- Viruses can do any damage they want on your computer

Slide 2
- Viruses don't break into your computer – they are invited by you
  o They cannot spread unless you run an infected application or click on an infected attachment
  o Early viruses spread onto different applications on your computer
  o Contemporary viruses spread as attachments through E-mail; they mail themselves to people from your address book
- Worms break into your computer using some vulnerability, install malicious code and move on to other machines
  o You don't have to do anything to make them spread

Slide 3
- Viruses attach themselves to other executables
  o For example, a Word template or a PowerPoint presentation
  o They can infect any executable
- Trojans claim to be other executables but instead contain malicious code
  o For example, a cool new game is advertised on a Web site but it also contains malicious code
  o Trojan code will not spread to other programs on your machine; it will simply gain access and do malicious things

Slide 4
- File infectors
  o Attach to executable files or source code
  o Direct action – selects and infects several programs each time the host program is run
  o Resident – load themselves into memory whenever a host program is run and then remain in memory, infecting any other executable that is executed
- System (boot-sector) infectors
  o Infect some system area on disk, load themselves on boot and then remain memory-resident
- Hybrid
  o Infect both files and boot sectors

Slide 5
- File system (cluster)
  o Modify directory table entries so that the virus code is loaded and executed before the host program
  o The host program is not altered, only the directory table is
- Kernel
  o Target specific features of system files such as location on disk, calling convention, etc.
Slide 6
- Stealth
  o Like rootkits
  o Hide the fact that they have infected the system by modifying replies to system queries
  o Must be resident
  o Can only be detected if we boot the system from a clean bootable floppy or CD
- Polymorphic
  o Change virus code to avoid signature detection
  o Encrypt themselves with a variable key – the decryption code is always the same
  o Use different encryption schemes

Slide 7
- Fast infectors
  o Infect not only those files that are executed but also those that are merely opened (e.g. by a virus scanner)
- Slow infectors
  o Only infect modified or newly created files – fools integrity checkers
- Sparse infectors
  o Infect infrequently (e.g. every 10th file) to avoid detection

Slide 8
- Companions
  o Create a new file with a name similar to the host program's
  o When the host program is called, the virus is executed instead
  o The virus calls the host program in the end
  o This fools integrity checkers that only look at existing files

Slide 9
- Cavities
  o Overwrite part of the host program that is filled with a constant
  o Does not increase the length of the host program and preserves functionality
- Tunneling
  o Some viruses modify interrupt vectors
  o Tunneling viruses call interrupt handlers directly

Slide 10
- You receive an infected E-mail attachment
- You download infected code
- Your thumb drive gets infected

Slide 11
- Wipe your hard drive
- Modify or delete files
- Steal files
- Spread further
- They frequently delay any malicious actions until they have spread sufficiently

Slide 12
- Changes in file sizes or checksums
- Unaccounted resource consumption
- Changes of interrupt vectors
- The best detection would be to analyze all files on your system for modifications – impractical

Slide 13
- Activity monitoring systems (anomaly detection)
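The polymorphic bullet on slide 6 is the key point for signature scanners: the encrypted body changes from copy to copy, but the decryption code does not, so a usable signature is taken from the decryptor rather than the body. The following Python is an added example, not from the slides; every byte string in it is constructed stand-in data (a fake "stub" and "body"), and single-byte XOR is used only to simulate a variable key.

```python
"""Added example (not from the lecture slides): why a signature scanner
matches the constant decryptor stub of a polymorphic virus rather than its
encrypted body. All byte strings are constructed for illustration."""

# Constructed stand-in for "the decryption code that is always the same".
STUB = b"\x90STUB-DECRYPT\x90"
# Constructed stand-in for the virus body before it is encrypted.
BODY = b"VIRUS-BODY-PAYLOAD-CODE"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, used here only to simulate a variable-key body."""
    return bytes(b ^ key for b in data)


def make_variant(key: int) -> bytes:
    """Simulate one infected file: host bytes, the constant stub, the key
    byte, then the body encrypted with that per-instance key (1..255)."""
    return (b"MZ-HOST-PREFIX" + STUB + bytes([key])
            + xor_bytes(BODY, key) + b"-HOST-SUFFIX")


# Two candidate signatures: one cut from the plaintext body, one from the stub.
SIGNATURES = {
    "body-only": BODY[:8],
    "stub": STUB,
}


def scan(sample: bytes, signatures: dict) -> list:
    """Return the names of all signatures found in the sample
    (plain substring search, as a simple scanner would do)."""
    return [name for name, sig in signatures.items() if sig in sample]


def detection_table(keys=(0x11, 0x5A, 0xC3)) -> dict:
    """Scan one variant per key. The body-only signature never fires because
    the body bytes differ per key; the stub signature fires on every variant."""
    return {key: scan(make_variant(key), SIGNATURES) for key in keys}


if __name__ == "__main__":
    for key, hits in detection_table().items():
        print(f"key=0x{key:02x} hits={hits}")
```

Real scanners add heuristics on top of this (slide 13), because a virus that also varies its decryptor ("use different encryption schemes") leaves no fixed stub to match.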
  o Look for virus-like activity such as attempts to reformat the disk
  o May generate false positives
- Scanners (signature detection)
  o Look for patterns in virus code
    - Use a database of known virus signatures
    - Detect polymorphic variations
  o Sometimes they use heuristics to detect new virus signatures
  o Most scanners also include disinfection code

Slide 14
- Integrity checkers
  o Remember file hashes
  o Detect file modifications

Slide 15
- Usually resident
- Sometimes can even be added to the boot sector to detect boot sector viruses
- Some virus detection systems will prohibit access to external drives unless they have been scanned before

Slide 16
- Defines non-writable areas of the disk for executable files
- Sounds an alarm and/or requires a password in order to modify these areas
- Might be annoying and generate false alarms

Slide 17
- Identify which files have been modified
  o Virus scanners will do this
- Restore the last known good copy of these files from your backup
- It is not necessary to re-format the disk
- Some virus scanners can disinfect files – remove the virus code

Slide 18
- Yes, but it will never be executed because data files do not contain executable code
- A virus can be hidden in .gif and .jpeg files using steganography, but it has to be extracted and run by an executable

Slide 19
- No, a virus contains OS-specific code
  o You may receive a virus on another OS, but it won't run and therefore won't spread
  o How about worms?
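Slides 14 and 17 describe integrity checking and recovery: remember file hashes, detect modifications, restore the last known good copy from backup. The Python below is an added example, not the lecture's or any product's code, of that workflow end to end. It builds a constructed directory tree with tempfile, records a SHA-256 baseline, simulates the two infection styles the earlier slides say defeat naive checkers (an appended modification and a companion file that the baseline never saw), then verifies and restores. The baseline is assumed to be stored somewhere the virus cannot alter, which the code does not enforce.

```python
"""Added example (not from the lecture slides): a minimal integrity checker
with restore-from-backup. Paths and file contents are constructed inline."""
import hashlib
import os
import shutil
import tempfile


def file_hash(path: str) -> str:
    """SHA-256 of a file, read in chunks so large executables are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Hash every regular file under root, keyed by path relative to root."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = file_hash(full)
    return out


def verify(root: str, baseline: dict) -> dict:
    """Compare the current tree with the baseline. 'new' is reported as well
    as 'modified' because slow infectors and companion viruses only create
    or touch files the baseline never recorded."""
    current = snapshot(root)
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "new": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def restore_modified(root: str, backup_root: str, baseline: dict) -> list:
    """Replace each modified file with the backup copy, but only if the backup
    copy's hash matches the baseline (the backup itself could be infected)."""
    restored = []
    for rel in verify(root, baseline)["modified"]:
        src = os.path.join(backup_root, rel)
        if os.path.isfile(src) and file_hash(src) == baseline[rel]:
            shutil.copy2(src, os.path.join(root, rel))
            restored.append(rel)
    return restored


def demo() -> dict:
    """Constructed scenario: baseline, simulated infection, verify, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "bin")
        backup = os.path.join(tmp, "backup")
        os.makedirs(root)
        with open(os.path.join(root, "editor.exe"), "wb") as f:
            f.write(b"host program bytes")
        with open(os.path.join(root, "game.exe"), "wb") as f:
            f.write(b"another host")
        shutil.copytree(root, backup)          # last known good copies
        baseline = snapshot(root)
        # Simulated file infector: bytes appended to an existing executable.
        with open(os.path.join(root, "editor.exe"), "ab") as f:
            f.write(b"<<simulated appended code>>")
        # Simulated companion: a new file with a name similar to the host's.
        with open(os.path.join(root, "game.com"), "wb") as f:
            f.write(b"<<simulated companion>>")
        before = verify(root, baseline)
        restored = restore_modified(root, backup, baseline)
        after = verify(root, baseline)
        return {"before": before, "restored": restored, "after": after}


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, result)
```

After the restore, the modified host is back to its baseline hash, but the companion file is still listed under "new": restoring from backup fixes modifications, while unexpected new files beside executables need to be reviewed and removed separately.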
Slide 20
- Yes, but it's harder
  o Mainframe computers have write protections among users, so a virus can only infect user A's files
  o However, if user A sends his file to user B, then B's files also get infected
  o If the virus is placed in a shared area, then all users' files may get infected
  o Mainframe computers are generally better maintained and it is hard to write a good mainframe virus – only a few exist so far

Slide 21
- Add integrity-checking code to every file so that it checks whether it is infected every time it is run
- If the file is infected, the virus will be executed first
- It can also fiddle with the integrity-checking code and disable it
- Ineffective against companion viruses

Slide 22
- They spread beyond our control – there is no way to stop the spread of a virus that you release
- It is hard to distinguish between viruses and benign code
- They eat resources
- They may do malicious things
- They may disable self-checking programs
- They may infect cyber-physical systems and