View
302
Download
2
Category
Preview:
Citation preview
Computer virusSpeaker : 蔡尚倫
Introduction Infection target Infection techniques
Outline
A malware Need permission( by accident ) to execute Will replicate, spread May have destruction
Computer virus - definition
Stealing hard disk space or CPU time Accessing private information Corrupting data Displaying political or humorous messages Spamming their contacts Logging their keystrokes
Purpose
• Tools, like language, tool kitsDesign
• Spread, how to extendReplication
• Active, what to do
Launch
• Evade, try not be foundDetection
Elimination
Lifetime of a virus
System sector Network Source code File Macro
Infection target
Two type of system sector: DBR (DOS Boot Record; DBS, DOS Boot sector) MBR (Master Boot Record; Partition sectors)
Booting process: Boot computer → BIOS → POST →DBR →MBR →
Boot Sector → OS Medium:
Floppy disk Bootable CD-ROM
System sector
Replicate by commands or protocols of network
Remote-controllable Results:
Degrade the performance of a network Disable critical devices Network connections Stealing personnel data
Network
Different compiler, different source code Make modifications to source code Rare
Source code
Executable file files with .BAT, .COM, .EXE, .BIN and so on
May be partially or completely overwritten Infected files can spread across the system ,
network
Files
Macro
Input sequence(short) map to output sequence(long)
A piece of code executes if a certain event occurs
Blur the line between executable files and data filesInfected document opened
Macros loaded
into memory
Auto macros
executed
Copy themselv
es to global
template
New documen
ts infected
Stealth Polymorphic Metamorphic Cavity Tunneling Camouflage Bootable CD-ROM
Infection techniques
Intercept requests Return a uninfected file Hide the modified file
Stealth
Anti-virus program
Infected file
OSRequest: Ask a file
Return another file
To confuse anti-virus programs Change characteristics with each infection
By Encryption/decryption module But keep the algorithm intact
Insert junk instructions Exchange independent instructions Change the start address
Polymorphic
Will reprogram itself Can translate into a temporary code Then converted back to normal code Avoid pattern recognition of anti-virus
program
Metamorphic
Virus (original)
Virus (temporary code )
Translate
Convert back
Mutate
Also known as space-fillers Maintain a constant file-size Overwrite empty part of a target file with its
code Limit on small number of host, it is hard to
write Means rare
Cavity
Null Null Null
Null Null Null
Null Null Null
Null Null Null
Null Null Null
Some info….
code code ….
code code …. code code ….
code code …. code code ….Some info….
Fill the empty partOriginal
fileInfected file
One way to detect virus is intercepting interrupts: Look for specific action that may signify the
presence of a virus Intercepting interrupt from the OS directly to
avoid anti-virus program use them
Tunneling
Normal Program• send interrupt requests
Anti-virus software• Intercepting the request and check it
Operation system• Give it the permission
Tunneling - cont’d
Infected program• Back trace to the directory of DOS and BIOS interrupt handlers
• Install itself beneath this interrupt handlers
• Contact with OS directly
Pretend itself as a normal program Usage of anti-virus program’s ignore logic Thanks to advanced virus detection, it’s rare
Camouflage
Through infected CD-ROM If system is booted by the CD-ROM, the hard
disk must be destroyed No anti-virus program can stop it
Bootable CD-ROM
Worms A special type of virus that can replicate itself
and use memory, but it cannot attach itself to other executable codes
Trojans A small destructive program that runs hidden
on an infected computer
Other malware
Characteristics Standalone malware Propagation for spread from machine to
machine Do not attach themselves to an existing
program Infection techniques
Aim at security failures Via network, usually with attachment of email
Worms
Gathering
information
• Location, port, configuration, identification
Infecting
target
• Send itself to the target machine
Payload
• Create back door, alter or destroy files, transmit psw..
• Any action other than spreading itself
Network
propagation
• Select the next target by choosing randomly or others
Worms - infecting phases
Characteristics Non-self-replicating Do not attach themselves into files or propagate
Infection techniques (always associated with network) with malicious programs or drive-by download Normally down by social engineering
Running Automatically run after being installed Hiding in background, and create a backdoor(s),
usually
Trojans
Destruction Password thievery Remote control Key logger DoS attack Zombie FTP Trojan
Trojans - purposes
Thanks for listening
Recommended