Malicious Logic - PowerPoint PPT Presentation

Slides: 19
Provided by: matt298
1
Malicious Logic
  • CSSE 490 Computer Security
  • Mark Ardis, Rose-Hulman Institute
  • March 25, 2004

2
Overview
  • Trojan Horses
  • Viruses
  • Other Malicious Logic

3
Trojan Horses
  • Overt effect: intended
  • Covert effect: unexpected
  • Propagating: creates a copy of itself
  • Example: Unix login

4
Computer Viruses
  • Definition: A computer virus is a program that
    inserts itself into one or more files and then
    performs some (possibly null) action.

5
Boot Sector Infectors
  • Inserts itself into boot sector of a disk
  • Executes when disk is read
  • Moves real boot sector to another location on disk

6
Executable Infectors
  • Infects executable programs
  • Places its code at beginning of executable
    segment
  • Example: Jerusalem Virus

7
Jerusalem Virus (1/3)
  1. Puts 0E0H into register ax
  2. Invokes DOS service interrupt
  3. If high 8 bits of ax contain 03H, system is
    already infected: quits and invokes original
    program
  4. Otherwise, gets ready to trap calls to DOS
    service interrupt vector

8
Jerusalem Virus (2/3)
  1. Check the year
  2. If 1987, do nothing
  3. Else, if not Friday the 13th, sets up to respond
    to clock interrupts
  4. Loads and executes original program
  5. Stays in memory waiting for DOS service interrupt

9
Jerusalem Virus (3/3)
  • If Friday the 13th and not 1987:
  • Sets flag in memory to be destructive; will
    delete files instead of infecting them.
  • Once in memory, all calls to DOS service interrupt
    are checked
  • Infects or deletes as per memory flag
  • Preserves date and time of modification when
    infecting
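
Because the virus preserves the date and time of modification when infecting, a timestamp comparison alone does not reveal the change. The Python sketch below is an added example, not part of the original presentation: it checks a file against a recorded baseline by timestamp, size and SHA-256. The sample file, the `CONSTRUCTED-CHANGE` marker and all function names are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile
from collections import namedtuple

Baseline = namedtuple("Baseline", "mtime_ns size sha256")

def fingerprint(path):
    """Record modification time, size and SHA-256 of a file."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return Baseline(st.st_mtime_ns, st.st_size, digest.hexdigest())

def changed_attributes(old, new):
    """Return the names of the baseline attributes that no longer match."""
    return [name for name in Baseline._fields
            if getattr(old, name) != getattr(new, name)]

def constructed_change(path, keep_size):
    """Constructed stand-in for an infection: alter content, restore times."""
    st = os.stat(path)
    with open(path, "rb") as f:
        data = f.read()
    marker = b"CONSTRUCTED-CHANGE"  # harmless placeholder bytes
    body = data[len(marker):] if keep_size else data
    with open(path, "wb") as f:
        f.write(marker + body)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))

def run_demo():
    """Check a file against its baseline after two kinds of change."""
    findings = {}
    with tempfile.TemporaryDirectory() as tmp:
        for keep_size in (False, True):
            path = os.path.join(tmp, "sample.bin")
            with open(path, "wb") as f:
                f.write(b"A" * 256)  # constructed sample "program"
            baseline = fingerprint(path)
            constructed_change(path, keep_size)
            findings[keep_size] = changed_attributes(baseline, fingerprint(path))
    return findings

if __name__ == "__main__":
    for keep_size, diff in run_demo().items():
        print(f"size preserved={keep_size}: mismatched attributes {diff}")
```

In both cases the modification time still matches the baseline; only the size (when code is prepended) and the content hash expose the change.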

10
Multipartite Viruses
  • Can infect either boot sectors or applications
  • Has 2 parts, one for boot records, one for
    executable files

11
Terminate and Stay Resident (TSR) Viruses
  • Stays active (resident) in memory after the
    application has terminated.
  • Example: Jerusalem Virus

12
Stealth Viruses
  • Conceal the infection of files
  • Intercept calls to file access routines
  • Read requests: disinfect as data is returned
  • Execute requests: infected file is executed

13
Encrypted Viruses
  • Enciphers all of the virus code except for a
    small decryption routine
  • Prevents pattern-matching virus detectors from
    recognizing virus

14
Polymorphic Viruses
  • Changes its form each time it inserts itself into
    another program
  • May be used with encryption to change pattern of
    decryption routine

15
Macro Viruses
  • Sequence of instructions that is interpreted
    rather than executed directly
  • Example: VB viruses

16
Computer Worms
  • Program that copies itself from one computer to
    another
  • Usual intent is to propagate without causing
    additional harm
  • Example: Internet Worm of 1988

17
Rabbits and Bacteria
  • Program that absorbs all of some class of
    resource
  • May not consume all resources, just all of a
    particular class

18
Logic Bombs
  • Program that performs an action that violates the
    security policy when some external event occurs
  • May be linked to termination of an employee