Lesson 3 – Viruses and other Malicious Codes
Prepared by
Izwan Suhadak Ishak
Lecturer
FITM, UNISEL
Programs are seldom security threats in themselves
Programs operate on data, taking actions only when changes in data or state trigger them
Programs are invisible, and so is what they are doing
Malicious people make programs serve as a vehicle to access and change data
We don’t like the unexpected
Malicious code (a malicious program) behaves in unexpected ways
The INSTALL or SETUP command of a software package does a lot of things: creates files, deletes files, renames files – hopefully it is doing the ‘right’ things
What can they do?
Write a message on the screen
Stop a running program
Generate a sound
Erase a file… and many others
Oh, and they can just WAIT!
Planted to lie dormant (at first!)
Undetected, UNTIL some event triggers
Triggering factors:
Time, date, interval
Event, condition, count, combination or random
Runs under user’s authority – without our knowledge!
Figure (taxonomy of malicious programs): a malicious program either needs a host program (Trapdoor, Logic Bombs, Trojan Horse, Virus) or is independent (Worms, Zombie); Virus and Worms are the kinds that REPLICATE
Malicious code or rogue program
General name for unanticipated or undesired effects in programs or program parts, caused by an agent intent on damage
The definition eliminates unintentional errors
It excludes coincidence
Agent: the writer of the program or the person who causes its distribution
Virus: program that can pass on malicious code to other nonmalicious programs by modifying them
Can be transient or resident
Transient: the virus’s life depends on its host; it starts and ends when the host program runs
Resident: locates itself in memory – can remain active or be activated as a stand-alone program
Trojan Horse: keeps some information for later malicious use
Logic Bomb: ‘detonates’ or goes off when a specified condition occurs
Time Bomb: logic bomb whose trigger is a date or time
Trapdoor (aka Backdoor): a feature in a program by which someone can access the program other than through the normal direct call.
Could be put there intentionally or for maintenance purposes
Worm: spreads copies of itself through a network
Spreads the copies as a stand-alone program
Rabbit: self-replicates without bound
Intention is to exhaust computing resources
Code type and characteristics:
Virus: attaches itself to a program and propagates copies of itself to other programs
Trojan Horse: contains unexpected, additional functionality
Logic Bomb: triggers action when a condition occurs
Time Bomb: triggers action when a specified time occurs
Trapdoor: allows unauthorized access to functionality
Worm: propagates copies of itself through a network
Rabbit: replicates itself without limit to exhaust resources
A virus starts doing its dirty work (is activated) by being executed
E.g. during installation, a virus could install itself on a hard disk, and also in any and all executing programs in memory
That’s the only time a virus needs human intervention; the rest it can do on its own
A more common means of activation is as an attachment to an email message
Such attachments are usually .exe files, therefore NEVER NEVER NEVER EVER open up an attachment of an email from unknown senders!!!! (or even known, you can never know..)
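An added example (not from the lecture) of the check a mail gateway or a careful user could apply to the attachment advice above: classify an attachment as executable by its extension AND by its content, because a filename is trivial to disguise. The extension list, the sample attachments and the verdict names are assumptions made here for illustration.

```python
"""Added example: classify e-mail attachments by extension and by content.
The extension list and the sample attachments are constructed, not real data."""
import os

# Extensions treated as executable (assumed policy list; a real gateway makes this configurable).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".scr", ".pif", ".vbs", ".js"}

# Windows DOS/PE executables begin with the two bytes "MZ".
PE_MAGIC = b"MZ"


def has_executable_extension(filename: str) -> bool:
    """True if the final extension is one we treat as executable (case-insensitive)."""
    _, ext = os.path.splitext(filename.lower())
    return ext in EXECUTABLE_EXTENSIONS


def looks_like_pe(content: bytes) -> bool:
    """True if the bytes carry the 'MZ' executable header, whatever the name claims."""
    return content[:2] == PE_MAGIC


def classify_attachment(filename: str, content: bytes) -> str:
    """Return 'block', 'suspicious' or 'allow' for one attachment.

    block:      the extension is executable, or the content is an executable image
    suspicious: an executable extension is hidden in the middle of the name
                (e.g. notes.exe.txt); photo.jpg.exe is already caught by 'block'
    allow:      nothing executable found
    """
    if has_executable_extension(filename) or looks_like_pe(content):
        return "block"
    parts = filename.lower().split(".")
    if any("." + p in EXECUTABLE_EXTENSIONS for p in parts[1:-1]):
        return "suspicious"
    return "allow"


# Constructed sample attachments (name -> first bytes of content).
SAMPLES = {
    "report.exe": b"MZ\x90\x00 program bytes",
    "photo.jpg": b"\xff\xd8\xff\xe0 JFIF",
    "photo.jpg.exe": b"MZ\x90\x00",
    "invoice.pdf": b"MZ\x90\x00 executable renamed to .pdf",
    "notes.exe.txt": b"plain text",
}


def scan_samples() -> dict:
    """Run the classifier over every constructed sample."""
    return {name: classify_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:16} -> {verdict}")
```

The content check is the important half: invoice.pdf above is blocked because its bytes are an executable image, which no extension rule would notice.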
Also called: Slag Code
Program code, inserted/embedded intentionally in a legitimate program, that is set to execute (or ‘explode’) when certain conditions are met
A time bomb triggers its action when a specified time occurs
The ‘explosion’ may be designed to erase files, delete files, shut down the system, display messages, etc.
Examples:
“Friday the 13th” – duplicated itself every Friday the 13th of the month to cause system shutdown
Millennium Time Bomb – designed to take advantage of concern over Y2K
Hidden code that performs unexpected or unauthorized actions
The main difference between a trojan horse and a virus is that a trojan horse cannot replicate itself
Examples:
Change the protection code of other users’ files
Used in a compiler to insert code when certain programs are compiled; this is hard to detect
Collect a user’s passwords
A program that secretly takes over another Internet-attached computer and then uses that computer to launch attacks that are difficult to trace back to the zombie’s creator
Used in DoS (denial-of-service) attacks, typically against targeted websites
Planted on hundreds of computers belonging to unsuspecting third parties. They are used to overload the target by launching a lot of network traffic
E.g.: Trinoo is an attack tool released in late Dec ’99 that performs a distributed DoS attack
Figure (how virus code attaches to a program):
Original Program + Virus Code = Virus Code placed physically ahead of the Original Program
Virus Code (Pt A) + Original Program + Virus Code (Pt B) = the virus surrounds the program
Original Program + Virus Code = Modified Program, with the virus integrated into the program’s own code
Virus writers find these qualities appealing
It is hard to detect
It is not easily destroyed or deactivated
It spreads infection widely
It can reinfect its home program or other programs
It is easy to create
It is machine independent and operating system independent
Boot sector viruses: formerly a fairly popular type
Control begins when the computer is started
The virus breaks the chain in the bootstrap loader, usually before any detection tools are active, to avoid detection
Resident viruses: activated after booting is done
Usually activated when routine code is executed, like code interpreting keys pressed, code that handles error conditions, etc.
Virus writers attach viruses to this routine code because it is executed SO MANY TIMES!!!
Application programs
Usually stored in macros
Libraries
A good place to stay ;)
Shared by many, can infect many too!
Other transmission media
Compilers, loaders, linkers, runtime monitors, runtime debuggers, even virus control programs!
Do not share executable code with an infected source
Use only commercial software acquired from reliable, well-established vendors
Test all new software on an isolated computer
Open attachments only when you know them to be safe
Make recoverable system image and store it safely
Make and retain backup copies of executable system files
Use virus detectors (or virus scanners) regularly and update them daily
Viruses can infect only Microsoft Windows system – FALSE!
Viruses can modify ‘hidden’ or ‘read-only’ files – TRUE!
Viruses can appear only in data files, or only in Word documents, or only in programs – FALSE!
Viruses spread only on disks or only in email – FALSE!
Viruses cannot remain in memory after a complete power off/power on reboot – TRUE!
Viruses cannot infect hardware – TRUE!
Viruses can be malevolent (nasty!), benign (not bad), or benevolent (not bad too) – TRUE!
Trapdoor – undocumented entry point to a module
Inserted during code development, maybe to test on a module, to provide ‘hooks’ by which to connect future modifications or enhancements, or to allow access if module should fail in the future
Verdict: trapdoors allow a programmer access to a program once it is placed in production
Complex computing systems are hard to develop and test
Programmers usually test module by module, called unit testing
Then all components are ‘added’ together for integration testing
Programmers tend to bypass certain processes and add extra code to ‘make life easier’
Developers usually remove trapdoors (the ‘additional code’ made during the testing phase)
However, trapdoors can persist in production programs because programmers:
FORGET to remove them
Intentionally leave them in the program for testing
Intentionally leave them in the program for maintenance of the finished program, or
Intentionally leave them in the program as a covert (hidden, secret) means of access to the component after it becomes an accepted part of a production system
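An added example (not from the lecture) of the kind of trapdoor the slides describe: a password check with a bypass that the programmer added during unit testing and never removed, shown beside the hardened routine with a single documented entry point. The user store, the salt, the function names and the magic string are all constructed for this illustration.

```python
"""Added example: a leftover testing trapdoor in a login routine, and its hardened form.
Everything here (users, salt, the bypass string) is constructed for illustration."""
import hashlib
import hmac


def _hash(salt: bytes, password: str) -> bytes:
    """Salted SHA-256 of a password (a real system would use a slow KDF)."""
    return hashlib.sha256(salt + password.encode()).digest()


_SALT = b"constructed-salt"
# Constructed user store: username -> (salt, salted hash of the password)
USERS = {"alice": (_SALT, _hash(_SALT, "correct horse"))}


def login_with_trapdoor(user: str, password: str) -> bool:
    """'Before': an undocumented entry point added to make unit testing easier.
    Anyone who learns the string gets in as any user, even one that does not exist."""
    if password == "letmein-test":  # the trapdoor: not in any spec, not logged
        return True
    record = USERS.get(user)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(_hash(salt, password), expected)


def login_hardened(user: str, password: str) -> bool:
    """'After': only the normal direct call remains, with a constant-time compare."""
    record = USERS.get(user)
    if record is None:
        # Do the same work for unknown users so timing does not reveal valid names.
        hmac.compare_digest(_hash(_SALT, password), _hash(_SALT, ""))
        return False
    salt, expected = record
    return hmac.compare_digest(_hash(salt, password), expected)


def audit(login) -> dict:
    """Defender's check: a credential nobody was issued must never succeed.
    Returns the outcome of three probes against the given login function."""
    return {
        "valid": login("alice", "correct horse"),
        "wrong_password": login("alice", "nope"),
        "unknown_user_magic": login("mallory", "letmein-test"),
    }


if __name__ == "__main__":
    print("with trapdoor:", audit(login_with_trapdoor))
    print("hardened:     ", audit(login_hardened))
```

The audit function is the point for the slides' verdict: a test that logs in as a user who does not exist is the simplest regression check for a forgotten trapdoor, and it belongs in the integration test suite before code goes to production.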
Types of viruses
Boot viruses: These viruses infect floppy disk boot records or master boot records in hard disks. They replace the boot record program (which is responsible for loading the operating system in memory) copying it elsewhere on the disk or overwriting it. Boot viruses load into memory if the computer tries to read the disk while it is booting.
Examples: Form, Disk Killer, Michelangelo, and Stone virus
Program viruses: These infect executable program files, such as those with extensions like .BIN, .COM, .EXE, .OVL, .DRV (driver) and .SYS (device driver). These programs are loaded in memory during execution, taking the virus with them. The virus becomes active in memory, making copies of itself and infecting files on disk.
Examples: Sunday, Cascade
Multipartite viruses: A hybrid of Boot and Program viruses. They infect program files and when the infected program is executed, these viruses infect the boot record. When you boot the computer next time the virus from the boot record loads in memory and then starts infecting other program files on disk.
Examples: Invader, Flip, and Tequila
Stealth viruses: These viruses use certain techniques to avoid detection. They may either redirect the disk head to read another sector instead of the one in which they reside or they may alter the reading of the infected file’s size shown in the directory listing. For instance, the Whale virus adds 9216 bytes to an infected file; then the virus subtracts the same number of bytes (9216) from the size given in the directory.
Examples: Frodo, Joshi, Whale
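An added example (not from the lecture) of the recoverable-image and backup advice given earlier, applied to the stealth trick just described: a file-integrity baseline that records each executable's real size and SHA-256 hash and later reports anything modified, added or removed. A stealth virus can lie to a directory listing about a file's size, but it cannot make the content hash match. The file set is a constructed in-memory dictionary so the code runs offline; the 9216-byte appended chunk mirrors the Whale figure in the text and is otherwise made up.

```python
"""Added example: size + SHA-256 integrity baseline for executables.
The file sets are constructed; a real run would walk a disk from a clean boot medium."""
import hashlib
from typing import Dict, List, Tuple

Fingerprint = Tuple[int, str]  # (true size in bytes, hex SHA-256 of content)


def fingerprint(content: bytes) -> Fingerprint:
    """Size and hash of the bytes actually read, not what a directory listing claims."""
    return len(content), hashlib.sha256(content).hexdigest()


def make_baseline(files: Dict[str, bytes]) -> Dict[str, Fingerprint]:
    """Record a fingerprint for every file on a known-clean system."""
    return {path: fingerprint(data) for path, data in files.items()}


def compare(baseline: Dict[str, Fingerprint], files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Report files whose fingerprint changed, files that appeared, and files that vanished."""
    report: Dict[str, List[str]] = {"modified": [], "added": [], "removed": []}
    for path, data in files.items():
        if path not in baseline:
            report["added"].append(path)
        elif fingerprint(data) != baseline[path]:
            report["modified"].append(path)
    report["removed"] = [p for p in baseline if p not in files]
    for key in report:
        report[key].sort()
    return report


def listing_is_consistent(listed_size: int, content: bytes) -> bool:
    """Cross-check a directory listing against the bytes read; a stealth virus that
    subtracts its own length from the listed size fails this check."""
    return listed_size == len(content)


# Constructed clean system image.
CLEAN = {
    "C:/DOS/COMMAND.COM": b"MZ command interpreter bytes",
    "C:/GAMES/PLAY.EXE": b"MZ original program bytes",
    "C:/TOOLS/EDIT.COM": b"MZ editor bytes",
}

# Constructed later state: one file grew by 9216 bytes, one was dropped, one removed.
INFECTED = dict(CLEAN)
INFECTED["C:/GAMES/PLAY.EXE"] = CLEAN["C:/GAMES/PLAY.EXE"] + b"\x90" * 9216
INFECTED["C:/TEMP/DROPPED.EXE"] = b"MZ new and unexpected"
del INFECTED["C:/TOOLS/EDIT.COM"]


def demo() -> Dict[str, List[str]]:
    """Compare the constructed infected state against the clean baseline."""
    return compare(make_baseline(CLEAN), INFECTED)


if __name__ == "__main__":
    print(demo())
    # The stealth trick: listing shows the original size while the file is 9216 bytes longer.
    lied_size = len(CLEAN["C:/GAMES/PLAY.EXE"])
    print("listing consistent:", listing_is_consistent(lied_size, INFECTED["C:/GAMES/PLAY.EXE"]))
```

One caveat the lecture's stealth description implies: a resident stealth virus that redirects disk reads can feed the checker the original sectors, so the comparison is only trustworthy when run from a clean, write-protected boot medium, which is why the slides pair "make a recoverable system image" with "use virus detectors regularly".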
Polymorphic viruses: A virus that can encrypt its code in different ways so that it appears differently in each infection. These viruses are more difficult to detect.
Examples: Involuntary, Stimulate, Cascade, Phoenix, Evil, Proud, Virus 101
Macro Viruses: A macro virus is a new type of computer virus that infects the macros within a document or template. When you open a word processing or spreadsheet document, the macro virus is activated and it infects the Normal template (Normal.dot)-a general purpose file that stores default document formatting settings. Every document you open refers to the Normal template, and hence gets infected with the macro virus. Since this virus attaches itself to documents, the infection can spread if such documents are opened on other computers.
Examples: DMV, Nuclear, Word Concept.
Active X: ActiveX and Java controls will soon be the scourge of computing. Most people do not know how to control their web browser to enable or disable the various functions like playing sound or video and so, by default, leave a nice big hole in their security by allowing applets free run of their machine. There has been a lot of commotion about this, and with the amount of power that JAVA imparts, things from the security angle seem a bit gloomy.
Good luck in your exams next week
See you next time