Malicious Software and Security Programming

1
Malicious Software and Security Programming

• Teaching team
• Martin Slade (module leader), room K356, phone
  353554, e-mail M.Slade_at_staffs.ac.uk
• David Hodgkiss, room K217, phone 353447,
  e-mail D.D.Hodgkiss_at_staffs.ac.uk
• Bob Shaw, room K235, phone 353771, e-mail
  R.Shaw_at_staffs.ac.uk

2
Classes

• Classes
• 2 lectures 1 tutorial/practical per week -
  tutorial/practicals start next week
• 2 Tutorial/practical classes timetabled - Monday
  10am K111, Monday 1pm K111
• choose an appropriate class, turn up and sign up
  for it

3
Slides and module information

• For now
• PowerPoint versions of lecture slides, the
  tutorial/practical questions and example answers
  will be made available on my web site at
• www.soc.staffs.ac.uk/mss1/
• I will try and put lecture slides will be put on
  the web page the day before the lecture not a
  promise
• Also information about assessments (at an
  appropriate time), announcements, and other
  information about the module will appear on the
  web page from time to time

4

• Later
• module will appear on Blackboard
• Blackboard.staffs.ac.uk/
• Information that appears on Web site will appear
  on Blackboard

5
Learning outcomes

• 1. Explain the principles and concepts that
  underpin malicious software and software based
  attacks.
• 2. Specify, design and implement an exemplar
  component that might form part of a defensive
  strategy.
• 3. Critically evaluate various techniques used in
  the defence of computer systems against malicious
  software and software based attacks.

6
Assessment

• Assignment (50) - researching about and writing
  an anti-virus component - learning outcomes 2 3
• Exam (50) - 2 hours long - learning outcomes 1
  3

7
Study time guide

• Module has a total of 150 hours allocated to it
  as
• 36 hours for lectures/tutorials 2 hours for
  exam
• Giving 112 hours left over to be organised by
  you, example breakdown
• 26 hours revision for exam
• 50 hours work on assignment
• 36 hours for tutorial preparation and weekly
  reading 3 hours of reading and advance review
  of tutorial material per week - less on this will
  require more on the others

8
Textbooks

• No single definitive textbook has been identified
  but the following cover elements of the module
• Skoudis, E, Malware Fighting Malicious Code,
  Prentice Hall, 2003, ISBN 0131014056
• Skoudis, E, Counter Hack A Step by Step Guide to
  Computer Attacks and Effective Defences, Prentice
  Hall, 2001, ISBN 0130332739
• Whittaker, J, Thompson,H, How to Break Software
  Security, Addison Wesley, 2003, ISBN 0321194330
• Szor, P, The Art of Computer Virus Research and
  Defense, Addison Wesley, 2005, ISBN 0321304543
• Reference will be made to other books/articles as
  relevant

9
Professional and ethical considerations

• Given the nature of the module it is important
  that you are aware of a number of disclaimers
  relative to the content of the module
• 1. It is not the aim of the module to teach you
  how to write malicious software or how to hack
  into systems
• 2. All examples of security or software
  weaknesses will be those already in the public
  domain for which the relevant security patches
  are available

10

• 3. However in order to understand how to protect
  systems against such attacks we appreciate that
  it is necessary to have a good understanding of
  how those attacks are constructed and proceed
• 4. Virus specific disclaimers
• a) We will examine code segments of real viruses,
  however, you will not be given any complete code
  listings.

11

• b) This means that if you were to use the
  information we give you to write a virus it could
  only be as a result of a deliberate act on your
  part to write the linking code between any code
  segments we might give you, and compile it and
  release it
• 5. You need to be constantly aware that some of
  the topics we will be teaching you about concern
  activity which is illegal and thus you need to be
  fully aware of the seriousness of any
  consequences if you decide to engage in some of
  the activities we may describe

12
Brief Outline

• I will cover viruses and anti-virus strategies
• Bob Shaw will cover hacking and defences against
  hacking
• Dave Hodgkiss will cover secure programming
  practices

13
Lecture 1

• In this lecture and lecture 2 we will be looking
  at
• 1. Simple definition of a virus
• 2. The components of a simple DOS based
  executable file infector.

14

• We will look at the code for the DOS file
  infector virus in almost complete detail. I want
  to take all the mystery out of how a virus
  actually works, so you can see it just as another
  program. They may be potentially dangerous
  programs, but understanding in detail how they
  work helps you understand the strengths and
  weaknesses of anti-virus protection mechanisms.

15

• There are 2 general approaches to discussing
  virus technology
• 1. Non-disclosure approach - information about
  viruses should absolutely not be made available
  to anyone except those privileged to work at an
  anti-virus software company (and a few academic
  researchers). You might be allowed to know some
  trivial details about how viruses work but it
  gives you little real understanding.
• 2. Disclosure approach information about how
  viruses operate is fully given and explained.
  This enables you to understand their strengths
  and weaknesses and also properly understand and
  appreciate how to protect against them.

16
Simple definition

• A virus is code that reproduces itself,
  independently of any users/operating system
  consent, by being associated in some way with
  programs in a computer system such that the
  execution of those programs is exploited to
  facilitate the reproduction of the virus
• Usually the virus contains some form of code
  whose function has nothing to do with
  reproduction a payload but not essential to
  it being a virus
• This non-reproductive function is usually of a
  destructive nature, but may be beneficial

17
Fundamental structure

• All viruses must have the following code
  components
• search code to find suitable carrier mechanism
  (files, boot sector, etc) to infect
• copy code to make a copy of itself in the
  carrier mechanism
• protection code normally just to try and
  prevent the copy from being detected, but
  sometimes can be aggressive and directly attack
  threats
• Optionally payload code

18

• Viruses are generally written in the machine
  language of the carrier mechanism
• So for viruses that infect executable code or
  boot sectors, then this is assembly language
• For viruses that infect interpreted code (macro
  and scripting viruses) then that is the
  interpreted language (which is the machine
  language of the virtual machine of the
  interpreter for the macro or scripting language)

19
Executable code viruses

• high level languages (including C) were designed
  with a view to producing stand-alone programs or
  modules that would be linked together to form a
  stand-alone program
• they thus make assumptions about the nature of
  the code that is being written that is too
  restrictive for a virus writer

20

• such viruses must be written so that they can
  effectively dynamically link a copy of itself
  into an executable program with limited
  information about the internal structure of the
  program being infected and without any portion of
  the executable code having references to the
  virus code which the virus has to construct for
  itself within the infected code
• so most of the code for executable viruses you
  will see will be written in assembly language
• I do not expect/assume familiarity with assembly
  language as I will explain everything as I go
  along (though it will help)
• The assembly language syntax I will use is that
  of NASM as this is the assembly language
  version covered in level 2

21
Simple .COM file infector

• Simplest of executable file infectors
• Infects COM executables simplest executable
  file format
• Assumes DOS environment - I know not much used
  today but it is simplest environment and thus
  easiest to start with
• On disk COM file is simply the binary image of
  the program i.e. binary machine code instructions
  and initialised data

22
DOS program loading

• When DOS loads a COM program for execution it
  first allocates 64K segment of memory. It then
  sets up a Program Segment Prefix (PSP). This
  occupies the first 256 bytes of the memory
  segment.
• The PSP contains a variety of fields that a
  program might use. Of importance to us is the
  default DTA (Data Transfer Area). When a program
  is invoked it contains the command line arguments
  for that program. It is also the place where
  information about files from search operations
  are placed.

23

• The default DTA resides in the PSP, but note DOS
  can be told to treat other areas of memory within
  the program segment as the DTA
• DOS places the program code from the COM file
  immediately following the PSP starting at offset
  100H (offset from start of memory segment that
  has been allocated to program)
• The top of the memory segment allocated to the
  program is reserved for the stack. The stack
  pointer points to the current top of the stack
  and the stack grows downwards.

24

• DOS pushes 0 onto the stack at locations FFFEHex
  and FFFFHex -
• DOS then initiates execution of the program by
  jumping to 100H in the program segment (jumps to
  first instruction of the COM program

25
COM program after loading
26

• In the following you must assume that a virus is
  executing and the following actions are those
  which it must do in order to reproduce itself

27
Gaining initial control

• In order to gain control of execution a virus
  must substitute its first instruction for the
  start of the current program at 100Hex
• To do this the virus can
• 1. Simply overwrite the program code from 100Hex
  onwards with the copy of itself. This is an
  overwriting virus. It is simple to write and thus
  short, but it destroys the original programs
  code and thus it means that the presence of virus
  can easily be detected.

28

• 2. Place a copy of itself from 100Hex onwards and
  place the original code after it.
• 3. Place a copy of itself after the end of the
  original code (the COM file image) in the area
  for uninitialised data/unused area, but swap the
  start of the original code with a jump to the
  start of the viruses code. After the virus has
  completed execution and before it initiates
  execution of the original program code the
  original code swapped for the jump instruction
  needs to be swapped back. This is the method we
  will look at in detail.

29
Infected COM file in memory
30
Outline of virus code

• 1. Virus searches for a new file to infect
• 2. If file is found virus appends its code to end
  of file
• 3. Virus reads first few bytes of COM file and
  writes it back to file in a data area just above
  virus code
• 4. Virus then writes jump to start of virus code
  to first few bytes of COM file image
• 5. Virus then swaps back into first few bytes of
  the COM image of its code in memory, the original
  bytes, ready to transfer execution back to its
  own host program
• 6. Virus then executes a return to host program
  code at 100Hex
• In following diagram stages 1 6 are not depicted

31
Diagram of outline of infection
In memory being executed
On disk
FFFEHex
Stack area
First few bytes of COM file image 1 code
Copy of start of COM file image 2
2
Virus code
Virus code
154AHex
3
5
COM file image1
COM file image2
JMP 154AHex
0100Hex
4
PSP
JMP to start of virus code
0000Hex
32
Files and directories in DOS

• In order to understand file search process we
  must remind ourselves about how DOS holds
  information about files and directories
• File Allocation Table (FAT) forms a map of
  clusters on disk with space allocation to files
  being represented by sequence of index numbers of
  clusters of file
• Directory is a file of 32 byte records with each
  record holding information about a file in that
  directory

33

• Each record holds information such as name of
  file, date and time of last update, file size,
  type attribute and index of first cluster of file
  in FAT
• File type attribute can be directory, hence file
  is a directory for a sub-directory
• DOS provides services to its programs to
  manipulate files and directories via calls to
  Interrupt Service Routines (ISRs)
• ISRs are accessed via a software interrupt (INT
  21H) with Ah register set with value that
  specifies type of service required and with
  various other registers set up with relevant
  parameter values required for specific service

34
Searching for files in DOS

• DOS has 2 search functions
• search first searches a given directory for any
  files matching a given specification
• search next searches for next file in same
  directory that matches specification
• Search first requires
• 4EH in register AH
• Attribute of files to be found (in register AL)
  whether hidden, system, directory files as well
  as normal files
• Address (offset in segment) in DX of a 0
  terminated string with path or name of file but
  can use wildcard chars and ? so to find
  COM files requires a string to be defined like
• COMFILE DB .COM,0

35

• If successful (file found) then ISR returns with
  register AX having 0 in it and the DTA (Data
  Transfer Area) having information about file
  found specifically it has file attribute, time,
  date, size, name copied from directory record
  and information to be used by search next
  function telling it where to continue search from
  for next file matching criteria

36

• So start of search routine would have code
• FIND_FILE
• note access to COMFILE here is a
  simplification - later
• you will see that we will have to access this
  differently to
• work properly
• mov dx,COMFILE set offset of file string
• mov AL,06H set up attribute value
• mov AH,4EH specify search first ISR
• int 21H call DOS to do it
• FIND_LOOP
• cmp AX,0 check if found candidate
  file
• jne FIND_DONE if not jump to exit

37
search next

• Having found a file that is a candidate for
  infection we next need to determine whether or
  not it is suitable for infection for now we
  will assume we have a subroutine FILE_OK which
  will check this for us and return with Z(ero)
  flag set to 1 if file OK and not set if not OK
• So search first works for the first search, but
  for subsequent searches we need to use search
  next function in a loop
• search first sets up the DTA with information
  about the search so the call to search next only
  needs to put the value 4FHex into register AH to
  tell DOS to perform the search next function

38

• search next (as search first) returns file
  details in the DTA and 0 in AX if successful and
  non-zero if not (error code actually)
• so to complete the code from before
• previous code here
• FIND_LOOP first 2 instructions from previous
  code
• cmp AX,0 check if found candidate file
• jne FIND_DONE if not jump to exit with Z
  flag0
• call FILE_OK check if it is infectable
• je FIND_DONE yes goto exit with Z
  flag1
• mov AH,4FH no set up for search next
• int 21H do search
• jmp FIND_LOOP back to top of loop
• FIND_DONE note using Z flag value to tell
• ret calling code if found suitable file