Outlines
- Mobile malcode overview
- Viruses
- Worms

Mobile Malcode Overview
- Malicious programs which spread from machine to machine without the consent of the owners/operators/users
  • Windows Automatic Update is (effectively) consensual
- Many strains possible
  • Viruses
  • Worms
  • Compromised auto-updates: no user action required, very dangerous

Malicious Software

Trapdoors (Back doors)
- Secret entry point into a program
- Allows those who know of it to gain access, bypassing the usual security procedures (e.g., authentication)
- Have been commonly used by developers
- A threat when left in production programs, where attackers can exploit them
- Very hard to block in the O/S
- Requires good s/w development and update practices

Logic Bomb
- One of the oldest types of malicious software
- Code embedded in a legitimate program
- Activated when specified conditions are met, e.g.:
  • Presence/absence of some file
  • Particular date/time
  • Particular user
  • Particular series of keystrokes
- When triggered, typically damages the system
  • Modify/delete files/disks

Trojan Horse
- Programs that appear to have one function but actually perform another
- Modern Trojan horse: resembles a program that the user wishes to run, usually superficially attractive
  • E.g., game, s/w upgrade, etc.
- When run, performs some additional tasks
- Allows an attacker to indirectly gain access they do not have directly
- Often used to propagate a virus/worm or install a backdoor
- Or simply to destroy data

Zombie
- Program which secretly takes over another networked computer
- Then uses it to indirectly launch attacks
- Often used to launch distributed denial of service (DDoS) attacks
- Exploits known flaws in network systems

Outlines
- Mobile malcode overview
- Viruses
- Worms
- Denial of service attacks

Viruses
- Definition from RFC 1135: "A virus is a piece of code that inserts itself into a host, including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it."
- On execution:
  • Search for valid target files: usually executable files; often only infect uninfected files
  • Insert a copy into the targeted files: when the target is executed, the virus starts running
- Only spread when contaminated files are moved from machine to machine
- Mature defenses available
- Growth of the problem (source: McAfee):
  • 1988: fewer than 10 known viruses
  • 1990: a new virus found every day
  • 1993: 10-30 new viruses per week
  • 1999: 45,000 viruses and variants

Virus Operation
- Virus phases:
  • Dormant: waiting on a trigger event
  • Propagation: replicating to programs/disks
  • Triggering: by an event, to execute the payload
  • Execution: of the payload
- Details usually machine/OS specific, exploiting features/weaknesses

Anatomy of a Virus
- Two primary components:
  • Propagation mechanism
  • Payload
- Propagation: the method by which the virus spreads itself
  • Old days: single PC, transferred to other hosts by way of floppy diskettes
  • Nowadays: Internet

Structure of a Virus (pseudocode; V denotes the virus code itself)

    Virus() {
        infectExecutable();            // propagation mechanism
        if (triggered()) {
            doDamage();                // payload
        }
        jump to main of infected program;   // hand control back so the host still works
    }

    void infectExecutable() {
        file = choose an uninfected executable file;
        prepend V to file;
    }

    void doDamage() { ... }

    int triggered() {
        return (some test ? 1 : 0);   // trigger condition, e.g. a date or a file's presence
    }

Virus Compression

Virus Infectables I -- Macros
- Usually executable files: .com, .exe, .bat
- Macro code attached to some data file
  • Interpreted by the program using the file, e.g., Word/Excel macros
  • Especially using auto command and command macros
- Code is now platform independent
- Is a major source of new viral infections
- Blurs the distinction between data and program files
- Classic trade-off: "ease of use" vs "security"
- Security in Word etc. has been improving
- No longer the dominant virus threat

Virus Infectables (cont'd)
- System sector viruses
  • Infect control sectors on a disk: DOS boot sectors, partition (MBR) sectors
  • Spread easily via floppy disk infections
- Companion viruses
  • Create a .com file for each .exe file; DOS runs COM files before EXE files
  • Relatively easy to find and eliminate
- Cluster viruses
  • Change the DOS directory info so that directory entries point to the virus code instead of the real program
  • Even though every program on the disk may be "infected", there is only one copy of the virus on the disk

Variable Viruses
- Polymorphic viruses change with each infection
  • Executable virus code changes (macros: variable names, line spacing, etc.)
  • Control flow permutations (rearrange code with goto's)
  • Attempt to defeat scanners
- Virus writing tool kits have been created to "simplify" creation of new viruses
  • Current tool kits create viruses that can be detected easily with existing scanner technology
  • But just a matter of time ...

Virus Detection/Evasion
  Detection technique                                      Evasion technique
  Look for changes in size                                 Compression of virus and target code
  Check time stamp on file                                 Modify time stamp to original
  Look for bad behavior (false alarm prone)                Do bad thing insidiously
  Look for patterns (byte streams) unique to virus code    Change patterns: polymorphism
  Look for changes in file checksum                        Rearrange data in the file
  Also: disable anti-virus programs

More on Virus Detection
- Scanning
  • Depends on prior knowledge of a virus
  • Checks programs before execution
  • Needs to be regularly updated
- Integrity checking
  • Read the entire disk and record integrity data that acts as a signature for the files and system sectors
  • Use a cryptographic computation technique instead of a simple checksum

More on Virus
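Added illustration of the detection/evasion pairs and the integrity-checking point above (example code, not from the original slides): a small integrity checker records size, time stamp, a simple additive checksum and a SHA-256 hash of a constructed sample file, then the file is modified using the evasions listed on the slide (same size, time stamp restored, bytes reordered so the additive checksum is unchanged). The file name and sample bytes are constructed for the demo.

```python
import hashlib
import os
import tempfile
from typing import Dict

def simple_checksum(data: bytes) -> int:
    """Additive 16-bit byte checksum: the 'simple checksum' the slide warns against."""
    return sum(data) & 0xFFFF

def record_integrity(path: str) -> Dict[str, object]:
    """Baseline record for one file: the per-file checks from the detection slide."""
    st = os.stat(path)
    with open(path, "rb") as f:
        data = f.read()
    return {
        "size": st.st_size,                          # "look for changes in size"
        "mtime_ns": st.st_mtime_ns,                  # "check time stamp on file"
        "sum16": simple_checksum(data),              # "changes in file checksum" (weak)
        "sha256": hashlib.sha256(data).hexdigest(),  # cryptographic integrity data
    }

def detect_changes(baseline: Dict[str, object], current: Dict[str, object]) -> Dict[str, bool]:
    """True for every check that flags the file as modified."""
    return {key: baseline[key] != current[key] for key in baseline}

def stealthy_tamper(path: str) -> None:
    """Constructed modification applying the slide's evasions: keep the size, restore the
    original time stamp, and reorder the bytes so the additive checksum stays the same."""
    st = os.stat(path)
    with open(path, "rb") as f:
        data = f.read()
    with open(path, "wb") as f:
        f.write(data[::-1])                # same bytes in a different order: same sum, same size
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))   # "modify time stamp to original"

def run_demo() -> Dict[str, bool]:
    """Baseline a constructed sample file, tamper with it, and report which checks fire."""
    with tempfile.TemporaryDirectory() as workdir:
        target = os.path.join(workdir, "program.exe")     # constructed sample, not a real binary
        with open(target, "wb") as f:
            f.write(b"MZ\x90\x00constructed sample executable image, not a real binary")
        baseline = record_integrity(target)
        stealthy_tamper(target)
        return detect_changes(baseline, record_integrity(target))

if __name__ == "__main__":
    for check, flagged in run_demo().items():
        print(f"{check:9s} {'CHANGED' if flagged else 'unchanged'}")
```

Only the SHA-256 check fires; size, time stamp and the additive checksum all report the file as unchanged, which is why the integrity checker should record a cryptographic hash rather than a simple checksum.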