Viruses - PowerPoint PPT Presentation
Provided by: Jia144
1
Viruses
2
Taxonomy of Malicious Programs
Malicious programs
Needs host program
Independent
Viruses
Trojan Horses
Logic Bombs
Trap doors
Worm
Zombie
Replicate
3
Definitions
  • Trap Doors (also called Back Doors): Holes in
    the security of a system deliberately left in place
    by designers or maintainers for privileged
    access
  • Example: Some operating systems have privileged
    accounts for use by field service technicians or
    maintenance programmers. In Unix-style operating
    systems, root is the conventional name of the
    user who has all rights or permissions in all
    modes (single- or multi-user). Alternative names
    include baron and avatar on some Unix variants.
    BSD often provides a toor ("root" backwards)
    account in addition to a root account. The root
    user can make many changes an ordinary user
    cannot, such as changing the ownership of files
    and binding to ports numbered below 1024.

4
Definitions (cont.)
  • Logic Bombs: Code surreptitiously inserted into
    an application program or operating system to
    perform some destructive or security-compromising
    activity whenever specified conditions are met
  • Example: In 1998, Timothy Allen Lloyd, a former
    chief computer network program designer, was
    sentenced to 41 months in prison for unleashing a
    "$10 million logic bomb" 20 days after his
    dismissal. The bomb deleted all the design and
    production programs of Omega Engineering Corp., a
    New Jersey-based manufacturer of high-tech
    measurement and control instruments used by NASA
    and the U.S. Navy.

5
Definitions (cont.)
  • Trojan horse: Malicious, security-breaking
    program disguised as something benign, such as
    directory listing software, archiving software,
    game software, or software to find and destroy
    viruses
  • A Trojan horse is similar to a back door
  • Virus: Program or piece of code that infects one
    or more other programs by modifying them; the
    modification includes a copy of the virus program,
    which can then infect other programs
  • Victim programs become Trojan horses
  • The embedded virus is executed with the program,
    propagating the "infection"
  • Normally invisible to the user

T1 ch19.2,19.3 T2 ch22.2, 22.3
6
Examples
  • The Win95/Marburg virus got widespread
    circulation in August 1998, when it was included
    on the master CD of the popular MGM/EA PC CD-ROM
    game "Wargames".
  • The CD contains one file infected by the Marburg
    virus: \EREG\EREG32.EXE

7
Definitions (cont.)
  • Worm: Program that propagates and reproduces
    itself as it goes over a network
  • Negative term; only crackers write worms
  • Cracker: a person who engages in illegal or
    unethical circumvention of computer security
    systems
  • Zombie: Process that has terminated (either
    killed or exited) and whose parent process has
    not yet received notification of its termination
  • Exists as a process table entry
  • Consumes no other resources

T1 ch19.4 T2 ch22.4
8
Structure of a Virus
  • Viruses have the following parts:
  • "engine" - code that enables the virus to propagate
  • "payload" - set of instructions that defines the
    action (frequently destructive) which the virus
    performs. Not all viruses have payloads, and not
    all payloads cause harm
  • Viruses need:
  • "host" - the particular hardware and software
    environment on which the virus can run
  • "trigger" - the event that starts the virus
    running
  • Eugene Kaspersky, Computer Viruses, Kaspersky
    Lab, Moscow, 2001
  • http://www.viruslist.com/eng/viruslistbooks.html

9
Types of Viruses
  • Boot Viruses (boot sector infectors)
  • Infect the boot sector of a floppy disk and the
    boot sector or Master Boot Record (MBR) of a hard
    disk
  • Upon boot up, the virus forces the system to read
    the virus code into memory and pass control of the
    system to it, not to the original loader routine
  • A virus resident in RAM will continue to infect
    the disk after the disk is formatted unless the RAM
    is cleared

T1 ch19.3.1 T2 ch22.3.1
10
Types of Viruses (cont.)
  • File Viruses
  • Use OS file system in one way or another to
    propagate themselves
  • No known OS is secure
  • May infect files containing program source code,
    libraries or object modules

11
Types of Viruses (cont.)
  • Macro Viruses
  • May be written in the macro languages built into
    some data-processing systems, such as text editors
    and electronic spreadsheets.
  • Most common in Microsoft Word, Microsoft Excel
    and Office due to their extensive use of
    macro languages.

T1 ch19.3.8 T2 ch22.3.8
12
Types of Viruses (cont.)
  • Polymorphic Viruses
  • Change their own form each time they insert
    themselves into another program
  • Can be of various kinds, such as boot, file or
    macro viruses.
  • Cannot be detected, or only with great difficulty,
    using so-called virus masks (signatures taken from
    non-changing, virus-specific code).
  • Generated in two ways:
  • When the main code of the virus is encrypted with a
    non-constant encryption key and random sets of
    decryption commands are used
  • When the engine of an existing virus changes.

T1 ch19.3.7 T2 ch22.3.7
13
Types of Viruses (cont.)
  • Stealth Viruses
  • Cover/hide their presence in the system
  • Can take the form of an existing file format
  • Can reside inside a frequently used application

T1 ch19.3.5 T2 ch22.3.5
14
Types of Viruses (cont.)
  • Memory Resident Viruses
  • Also called Terminate and Stay Resident (TSR)
  • Leave a copy of the virus in system memory, intercept
    some events (such as file or disk calls), and
    run infecting routines on files and disk sectors
    in the process
  • Active not only when an infected program runs,
    but also after that program terminates

15
Types of Viruses (Cont.)
  • Network Viruses
  • Have characteristics of viruses and worms.
  • Make extensive use of network protocols and the
    capabilities of local and global access networks
    to multiply and transfer the virus code to a
    remote server or workstation automatically
  • Sometimes called Network Worms

16
Network Viruses vs. Worms
  • All network viruses are worms
  • Not all worms are network viruses
  • A worm can infect other computers for a non-malicious
    purpose.
  • Examples:
  • A worm can be used to install automatic software
    updates across a very large network
  • A worm can be used for spam e-mails and for
    disseminating announcements in a large
    organization

17
Virus Infecting Mechanisms
  • Unlike a worm, a virus cannot infect other
    computers without assistance
  • Propagated by interactions, such as humans
    trading programs with their friends
  • A virus may do nothing but propagate itself and
    then allow the program to run normally

18
Nature of Viruses
  • Four phases in lifetime of a virus
  • Dormant Phase
  • Propagation Phase
  • Triggering Phase
  • Execution Phase

19
Dormant Phase
  • Virus is idle
  • Eventually activated by some conditions or
    events, such as
  • System date
  • Presence of another program or file
  • Current usage of disk space exceeding some limit
  • Not all viruses have this phase

20
Propagation Phase
  • The virus places an identical copy of itself in other
    programs or into certain system areas of the disk
  • Each infected program becomes a virus, which will
    itself enter a propagation phase

21
Triggering Phase
  • Virus is activated by an event or condition to
    perform the function for which it was intended
  • Can be caused by a variety of events or
    conditions. For example, the number of times this
    copy of the virus has made copies of itself

22
Execution Phase
  • The virus function is performed
  • The virus function may be:
  • Harmless, but annoying
  • Examples: A message on screen, distorted windows
    or harmless spam
  • Harmful
  • Examples: Destruction of programs or files, or
    deletion of important or sensitive data

23
Antivirus
  • Antivirus Software: Programs to detect and remove
    viruses
  • The simplest scan executable files and boot blocks
    for a list of known viruses
  • Others are constantly active, attempting to detect
    the actions of general classes of viruses
  • Includes a regular update service allowing the
    antivirus software to keep up with the latest viruses
    as they are released

24
Antivirus Terminology
  • False Positive: An uninfected object (file, sector
    or system memory) triggers the antivirus program
  • False Negative: An infected object arrives
    undetected
  • On-demand Scanning: A virus scan starts upon user
    request
  • The antivirus program remains inactive until a user
    invokes it from a command line, batch file or
    system scheduler
  • On-the-fly Scanning: All objects processed in any
    way (opened, closed, created, read from or
    written to, etc.) are constantly checked
    for viruses
  • The antivirus program is always active, memory
    resident and checking objects without user request

25
Generations of Antivirus
  • First: Simple scanners
  • Require a virus signature to identify a virus
  • A virus signature is a unique string or a binary
    pattern of a virus, used to detect and identify
    specific viruses. E.g. Istanbul-turkey.
  • Limited to detection of known viruses
  • Second: Heuristic scanners
  • Use heuristic rules to search for probable virus
    infection
  • Look for fragments of code that are often
    associated with viruses
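A first-generation signature scanner, written as an added example (not code from the slides), with the antivirus terminology from the earlier slide applied to its verdicts. The signature database and all four sample files are constructed for illustration; the "variant" simulates a polymorphic copy whose body no longer contains the static pattern, and the "quoted" file is a clean text note that happens to contain the signature string.

```python
from typing import Optional

# Constructed signature database: name -> byte pattern believed unique to the
# sample. These markers are made up for the example, not real virus signatures.
SIGNATURES = {
    "Demo.Marker.A": b"DEMO-INFECTOR-A:PAYLOAD",
    "Demo.Marker.B": b"DEMO-INFECTOR-B:PAYLOAD",
}


def scan(data: bytes) -> Optional[str]:
    """First-generation scanner: return the name of the first signature
    found in the object, or None if no known pattern is present."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def evaluate(samples):
    """Compare scanner verdicts with ground truth.

    samples: list of (label, data, infected) with infected as the true state.
    Returns a dict of true/false positive and negative counts, matching the
    False Positive / False Negative terminology used in the slides.
    """
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for _label, data, infected in samples:
        detected = scan(data) is not None
        key = ("t" if detected == infected else "f") + ("p" if detected else "n")
        counts[key] += 1
    return counts


# Constructed samples (a fake "MZ" header followed by a body).
KNOWN = b"MZ\x90\x00" + b"DEMO-INFECTOR-A:PAYLOAD" + b"\x00" * 16
# Polymorphic-style copy: same body, every byte XORed with a per-copy key
# (0x5A chosen arbitrarily), so the static pattern no longer appears.
VARIANT = (b"MZ\x90\x00"
           + bytes(b ^ 0x5A for b in b"DEMO-INFECTOR-A:PAYLOAD") + b"\x00" * 16)
CLEAN = b"MZ\x90\x00" + b"hello world" * 4
# Clean text file that quotes the signature, e.g. an analyst's write-up.
QUOTED = b"Note: the scanner looks for DEMO-INFECTOR-A:PAYLOAD in files."

SAMPLES = [("known", KNOWN, True), ("variant", VARIANT, True),
           ("clean", CLEAN, False), ("quoted", QUOTED, False)]

if __name__ == "__main__":
    print(evaluate(SAMPLES))  # known: tp, variant: fn, clean: tn, quoted: fp
```

The variant is the false negative that motivates the heuristic and activity-trap generations, and the quoted file is the false positive that signature-only scanning cannot avoid.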

26
Generations of Antivirus (cont.)
  • Third: Activity traps
  • Identify a virus by its actions (trapping
    malicious activities) rather than by its structure
    in an infected program
  • No need to develop signatures and heuristics for
    a wide variety of viruses
  • Need to identify the set of actions that indicates an
    infection is being attempted and then to intervene
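An activity trap in the sense of this slide, as an added example that is not from the presentation: it watches a stream of file-system events rather than file contents and alerts on two action patterns described earlier in the deck, a process rewriting several executables in a short window (file infector behaviour) and a process writing directly to a raw disk device (boot sector infector behaviour). The event log, thresholds and path prefixes are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed event log: "<timestamp> <pid> <op> <path>", one event per line.
LOG = """\
2024-01-01T10:00:00 1201 open  /home/u/report.docx
2024-01-01T10:00:01 1201 write /home/u/report.docx
2024-01-01T10:00:05 4410 read  /usr/bin/ls
2024-01-01T10:00:05 4410 write /usr/bin/ls
2024-01-01T10:00:06 4410 read  /usr/bin/cat
2024-01-01T10:00:06 4410 write /usr/bin/cat
2024-01-01T10:00:07 4410 read  /usr/bin/cp
2024-01-01T10:00:07 4410 write /usr/bin/cp
2024-01-01T10:00:07 4410 write /dev/sda
2024-01-01T10:02:00 5000 write /usr/bin/vim
"""

# Assumed policy: N writes to executables within WINDOW seconds is suspicious.
WINDOW_SECONDS = 10
EXEC_WRITE_THRESHOLD = 3
EXEC_DIRS = ("/usr/bin/", "/bin/", "/usr/sbin/")
RAW_DISKS = ("/dev/sd", "/dev/nvme")


def parse(log: str):
    """Turn the log text into (timestamp, pid, op, path) tuples."""
    events = []
    for line in log.splitlines():
        ts, pid, op, path = line.split()
        events.append((datetime.fromisoformat(ts), int(pid), op, path))
    return events


def detect(log: str):
    """Return sorted (pid, rule) alerts raised by the activity rules."""
    alerts = set()
    exec_writes = defaultdict(list)  # pid -> timestamps of executable writes
    for ts, pid, op, path in parse(log):
        if op != "write":
            continue
        if path.startswith(RAW_DISKS):
            alerts.add((pid, "raw-disk-write"))
        if path.startswith(EXEC_DIRS):
            times = exec_writes[pid]
            times.append(ts)
            # Slide the window: forget writes older than WINDOW_SECONDS.
            while (ts - times[0]).total_seconds() > WINDOW_SECONDS:
                times.pop(0)
            if len(times) >= EXEC_WRITE_THRESHOLD:
                alerts.add((pid, "mass-executable-write"))
    return sorted(alerts)
```

A single legitimate package update (pid 5000) stays below the threshold, which is the trade-off the slide alludes to: the rule set must describe infection behaviour tightly enough not to trap ordinary administration.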

27
Generations of Antivirus (cont.)
  • Fourth: Full-featured protection
  • Packages consisting of a variety of antivirus
    techniques used together
  • Include scanning and activity trap components
  • Access control capability limits the ability of
    viruses to penetrate a system
  • Limits the ability of a virus to update files and
    prevents it from spreading an infection

28
Virus Prevention
  • Install latest antivirus updates
  • Institution-wide licenses for antivirus software
  • Protect passwords for access
  • Do not open suspicious e-mails
  • Protect network through firewalls
  • Implement a virus-prevention policy for an
    organization

29
References
  • Matt Bishop, Introduction to Computer Security,
    Addison-Wesley, 2004, ISBN 0321247442
  • Matt Bishop, Computer Security: Art and Science,
    Addison-Wesley, 2002, ISBN 0201440997