Virus, Trojans and Worms - PowerPoint PPT Presentation

1
Virus, Trojans and Worms
  • By Jesse Pyeatt

2
Introduction
  • Viruses, worms and Trojans can cause damage to
    computers.
  • They show us how vulnerable computers are and how
    much we rely on them.
  • To prevent malicious code, it is necessary to
    understand how it works.

3
Malicious Code
  • The functions below are distinct in principle, but
    programmers combine methods to create more
    powerful code.
  • Example: Terrax.1069 resides in memory while
    renaming files.

4
What are they?!?!?
5
Viruses
  • Virus (n.) Code written with the express
    intention of replicating itself. A virus attempts
    to spread from computer to computer by attaching
    itself to a host program. It may damage hardware,
    software, or information.

6
Worms
  • Worm (n.) A subclass of virus. A worm generally
    spreads without user action and distributes
    complete copies (possibly modified) of itself
    across networks. A worm can consume memory or
    network bandwidth, thus causing a computer to
    stop responding.
  • Because worms don't need to travel via a "host"
    program or file, they can also tunnel into your
    system and allow somebody else to take control of
    your computer remotely. Recent examples of worms
    included the Sasser worm and the Blaster worm.

7
Trojans
  • Trojan (n.) A computer program that appears to be
    useful but that actually does damage.
  • Trojans spread when people are lured into opening
    a program because they think it comes from a
    legitimate source.

8
Focus of presentation
  • The main focus of this presentation is the inner
    workings of a virus.
  • There will be a brief overview of worms and
    Trojans.

9
Viruses
10
7 kinds of viruses
  • Companion
  • Executable Program
  • Memory Resident
  • Boot Sector
  • Device Driver
  • Macro
  • Source Code

11
How does a virus work?
  • The virus is dropped into a program using a
    Dropper.
  • The software is installed onto a computer,
    infecting target files.
  • The virus lies dormant until it is triggered by
    the user, an event or a timer, and then executes
    its Payload.

12
Companion Viruses
  • Not actually a virus.
  • Relies on the order in which the command
    interpreter looks for a bare program name:
      • Program.com
      • Program.exe
      • Program.bat
  • Most programs today have the extension .exe.

13
Related Attacks
  • Shortcut attacks
      • Changes the target of a shortcut to point to the
        virus.
  • Hidden-extension attacks
      • Windows hides file extensions by default.
      • Program.jpg.exe appears as Program.jpg.
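The companion trick on slide 12 and the hidden-extension trick on slide 13 both abuse how a file name is resolved: the command interpreter's search order for a bare name, and Explorer's default of hiding known extensions. The following is an added Python example, not code from the slides, that audits a directory for both patterns; the sample directory and its (empty) file names are constructed for the demo, and the .com/.exe/.bat order is the interpreter's default search order.

```python
import os
import tempfile
from pathlib import Path

# Order in which the command interpreter tries extensions for a bare name
# such as "program": .com before .exe before .bat.
SEARCH_ORDER = [".com", ".exe", ".bat"]

# Extensions that run directly when the file is opened.
EXECUTABLE_EXTS = {".com", ".exe", ".bat", ".cmd", ".scr", ".pif"}

# Extensions a user expects to be harmless data.
DATA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf", ".doc", ".docx"}


def find_double_extensions(directory):
    """Return names such as 'report.jpg.exe' that hide an executable behind
    a data-looking extension (Explorer would show it as 'report.jpg')."""
    hits = []
    for entry in sorted(os.listdir(directory)):
        real_ext = Path(entry).suffix.lower()              # ".exe"
        inner_ext = Path(Path(entry).stem).suffix.lower()  # ".jpg" of "report.jpg"
        if real_ext in EXECUTABLE_EXTS and inner_ext in DATA_EXTS:
            hits.append(entry)
    return hits


def find_companions(directory):
    """Return (winner, shadowed) pairs: two program files share a base name,
    and 'winner' is the one the interpreter runs for the bare name."""
    by_stem = {}
    for entry in os.listdir(directory):
        p = Path(entry)
        if p.suffix.lower() in SEARCH_ORDER:
            by_stem.setdefault(p.stem.lower(), {})[p.suffix.lower()] = entry
    pairs = []
    for stem, exts in sorted(by_stem.items()):
        present = [ext for ext in SEARCH_ORDER if ext in exts]
        for shadowed in present[1:]:   # everything after the first is never reached
            pairs.append((exts[present[0]], exts[shadowed]))
    return pairs


def make_sample_dir():
    """Constructed sample directory (empty files only) to exercise the checks."""
    d = tempfile.mkdtemp()
    for name in ["program.exe", "program.com", "setup.bat", "setup.exe",
                 "report.jpg.exe", "holiday.jpg", "notes.txt"]:
        Path(d, name).write_bytes(b"")
    return d


if __name__ == "__main__":
    sample = make_sample_dir()
    print("double extensions:", find_double_extensions(sample))
    print("companion pairs:", find_companions(sample))
```

A companion pair is a triage lead rather than proof of infection (legacy installers sometimes ship a .com stub beside an .exe), so compare hits against a known-good file inventory. The double-extension check only matters because the "Hide extensions for known file types" setting is on by default; turning it off removes the disguise entirely.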

14
Executable Program Viruses
  • Overwriting
      • Overwrites the executable program with itself.
  • Parasitic
      • Attaches itself to other programs but leaves the
        original function intact.
  • Cavity
      • Hides itself in the unused portions of segments
        (512-byte units), exploiting internal
        fragmentation.

15
Encryption, Compression
  • Some viruses even compress the virus body, then
    encrypt the compressed virus together with the
    compressor, decompressor and encryptor.
  • The unused space is then padded with zeros to
    maintain the original size of the executable.

16
Memory Resident Viruses
  • Hides
      • at the top of memory, or
      • among the interrupt vectors.
  • Can alter the RAM bitmap to avoid being
    overwritten.
  • Captures a trap or interrupt vector:
      • saves the real address to a scratch variable,
      • places its own address in the vector,
      • invokes the real system call by jumping to the
        saved trap address.

17
Boot Sector Viruses
  • Copies the true boot sector to a safe place on
    disk.
  • Overwrites the MBR to execute its own code.
  • When finished, jumps to the true boot sector and
    boots the computer.
  • Such viruses are very common.

18
Details
  • The computer boots and the virus loads into main
    memory.
  • The machine is in kernel mode, the MMU is off and
    no antivirus programs are running (exception:
    Windows SP2).
  • Boots the operating system but stays in memory.

19
Control?
  • Must gain control again after boot.
  • Drivers load one at a time, which creates a window
    for the virus.
  • It captures all the interrupt vectors it can. If a
    vector is overwritten, the virus just overwrites it
    again.
  • The virus stores all the interrupts and keeps the
    system calls for itself.

20
Additional
  • Microsoft's fdisk skips the first track on the
    disk.
  • A good place to hide on Windows machines.
  • Can also disguise itself as bad sectors.
  • If the root directory is large and fixed, can hide
    at the end.
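Slides 17 to 20 describe a boot sector virus that stashes the true boot sector somewhere the operating system does not look (the first track that fdisk skips, or sectors marked bad) and replaces the MBR boot code. A defender can check both places against a known-good baseline. The following is an added Python example, not code from the slides, that parses a raw 512-byte MBR, hashes its boot code, and scans the gap between the MBR and the first partition for unexpected data. The 64-sector disk image is constructed in memory; the "tampered" variant only copies bytes around so the audit has something to report, and contains no real boot code.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446            # MBR boot code occupies bytes 0..445
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_partitions(mbr):
    """Return the non-empty partition entries of a raw MBR sector."""
    if len(mbr) != SECTOR or mbr[510:] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return parts


def boot_code_sha256(disk):
    """Hash of the boot code only; the partition table may legitimately change."""
    return hashlib.sha256(disk[:BOOT_CODE_LEN]).hexdigest()


def first_track_gap_sectors_with_data(disk):
    """Sector numbers between the MBR and the first partition that are not all zero."""
    parts = parse_partitions(disk[:SECTOR])
    first_lba = min(p["lba_start"] for p in parts)
    return [n for n in range(1, first_lba)
            if any(disk[n * SECTOR:(n + 1) * SECTOR])]


def audit_disk(disk, baseline_boot_hash):
    """Compare the boot code with a baseline and report data hidden in the gap."""
    findings = []
    if boot_code_sha256(disk) != baseline_boot_hash:
        findings.append("MBR boot code differs from baseline")
    for n in first_track_gap_sectors_with_data(disk):
        findings.append(f"sector {n} in the first-track gap holds data")
    return findings


def make_sample_disk(tampered=False):
    """Constructed 64-sector image: MBR, 62-sector gap, one partition at LBA 63."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * (BOOT_CODE_LEN - 3)  # placeholder stub
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1)
    mbr = boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE
    disk = bytearray(mbr + b"\x00" * (62 * SECTOR)
                     + b"\xeb\x3c\x90" + b"\x00" * (SECTOR - 3))
    if tampered:
        # Byte-level imitation of the pattern on the slides: the true MBR is
        # copied into the skipped first track and the boot code is replaced
        # with filler (0xCC). Constructed for the demo; not real code.
        disk[5 * SECTOR:6 * SECTOR] = mbr
        disk[0:BOOT_CODE_LEN] = b"\xcc" * BOOT_CODE_LEN
    return bytes(disk)


if __name__ == "__main__":
    baseline = boot_code_sha256(make_sample_disk())
    print("clean:", audit_disk(make_sample_disk(), baseline))
    print("tampered:", audit_disk(make_sample_disk(tampered=True), baseline))
```

On a real machine the first sectors are read from the raw device (administrator or root rights required) and the baseline is taken right after installation. Treat gap data as a diff against that baseline rather than as proof of infection: GPT disks carry a protective MBR, and legitimate boot loaders such as GRUB keep their second stage in exactly this gap.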

21
Device Driver Viruses
  • Drivers are basically executable programs loaded
    every time the computer boots up.
  • They run in kernel mode, giving the virus a chance
    to capture a system call trap vector.
  • If a driver is infected, the virus will be run
    every time the computer restarts.
  • This would be ideal for a virus; however, it is
    extremely difficult to do.

22
Macro Viruses
  • Macros are used to group several commands under a
    keystroke.
  • Can attach to menu items.
  • Use Visual Basic, a complete programming
    language.
  • An arbitrary program, capable of deleting files.
  • Attaches itself to the open file and executes when
    a person opens the document.

23
Growing Problem
  • Implementation is not as complicated as for other
    viruses.
  • Takes less skill to write the code.
  • Propagation through email.
  • People ignore macro warnings.

24
Source Code Viruses
  • Very portable.
  • In a nutshell: find a .c file, add
      • #include <virus.h>
  • and insert the function call
      • run_virus();
  • The program must be parsed in order to find a place
    that syntactically allows function calls.
  • It would not make sense to place the call
      • after a return statement,
      • in a comment,
      • inside a loop (may get noticed too easily), or
      • as the string argument to a printf call.
  • This assumes the virus code is installed on the
    computer.
  • If not, the full source must be included as an
    initialized character string, such as a list of
    32-bit hexadecimal integers.

25
Polymorphic Virus
  • X = (A + B + C - 4)
  • Stage one
      • MOV A,R1
      • ADD B,R1
      • ADD C,R1
      • SUB 4,R1
      • MOV R1,X

26
Stage 2
      • MOV A,R1
      • NOP
      • ADD B,R1
      • NOP
      • ADD C,R1
      • NOP
      • SUB 4,R1
      • NOP
      • MOV R1,X
  • The mutation engine inserts unnecessary
    instructions called NOPs.

27
Stage 3
      • MOV A,R1
      • ADD 0,R1
      • ADD B,R1
      • OR R1,R1
      • ADD C,R1
      • SHL 0,R1
      • SUB 4,R1
      • JMP .+1
      • MOV R1,X
  • The NOPs are exchanged for instructions that do
    not change the outcome of the program.

28
Stage 4
      • MOV A,R1
      • OR R1,R1
      • ADD B,R1
      • MOV R1,R5
      • ADD C,R1
      • SHL R1,0
      • SUB 4,R1
      • ADD R5,R5
      • MOV R1,X
      • MOV R5,Y
  • Another mutation that is logically the same.

29
Stage 5
      • MOV A,R1
      • TST R1
      • ADD C,R1
      • MOV R1,R5
      • ADD B,R1
      • CMP R2,R5
      • SUB 4,R1
      • JMP .+1
      • MOV R1,X
      • MOV R5,Y
  • This final code is equivalent to the code in the
    first stage.
  • This is very typical of a polymorphic virus, which
    derives such code using a mutation engine.
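The five stages above are meant to show that a mutation engine can rewrite the code without changing what it computes, which is exactly what defeats a byte-for-byte signature. The following is an added Python example, not code from the slides, that interprets the five listings in a toy form of the slides' instruction set (operands are written source,destination as on the slides; NOP, TST, CMP and JMP .+1 are treated as having no effect on data, and SHL accepts the register on either side, as the slides write it), confirms that every stage leaves X = A + B + C - 4, and then runs two scanner strategies against them: exact-sequence signature matching, and junk-instruction stripping before comparison.

```python
STAGES = {
    1: ["MOV A,R1", "ADD B,R1", "ADD C,R1", "SUB 4,R1", "MOV R1,X"],
    2: ["MOV A,R1", "NOP", "ADD B,R1", "NOP", "ADD C,R1", "NOP", "SUB 4,R1",
        "NOP", "MOV R1,X"],
    3: ["MOV A,R1", "ADD 0,R1", "ADD B,R1", "OR R1,R1", "ADD C,R1", "SHL 0,R1",
        "SUB 4,R1", "JMP .+1", "MOV R1,X"],
    4: ["MOV A,R1", "OR R1,R1", "ADD B,R1", "MOV R1,R5", "ADD C,R1", "SHL R1,0",
        "SUB 4,R1", "ADD R5,R5", "MOV R1,X", "MOV R5,Y"],
    5: ["MOV A,R1", "TST R1", "ADD C,R1", "MOV R1,R5", "ADD B,R1", "CMP R2,R5",
        "SUB 4,R1", "JMP .+1", "MOV R1,X", "MOV R5,Y"],
}

REGISTERS = ("R1", "R2", "R5")
NO_DATA_EFFECT = ("NOP", "TST", "CMP", "JMP")   # touch flags or control flow only


def parse(line):
    mnemonic, _, rest = line.partition(" ")
    ops = [o.strip() for o in rest.split(",")] if rest else []
    return mnemonic, ops


def run(program, memory):
    """Execute a listing on the toy machine; returns memory after the run."""
    mem = dict(memory)
    regs = {r: 0 for r in REGISTERS}

    def read(op):
        if op.lstrip("-").isdigit():
            return int(op)
        return regs[op] if op in regs else mem.get(op, 0)

    def write(op, value):
        if op in regs:
            regs[op] = value
        else:
            mem[op] = value

    for line in program:
        mnemonic, ops = parse(line)
        if mnemonic in NO_DATA_EFFECT:
            continue
        src, dst = ops
        if mnemonic == "MOV":
            write(dst, read(src))
        elif mnemonic == "ADD":
            write(dst, read(dst) + read(src))
        elif mnemonic == "SUB":
            write(dst, read(dst) - read(src))
        elif mnemonic == "OR":
            write(dst, read(dst) | read(src))
        elif mnemonic == "SHL":   # register may appear on either side on the slides
            reg, count = (src, dst) if src in regs else (dst, src)
            write(reg, read(reg) << read(count))
        else:
            raise ValueError(f"unknown instruction: {line}")
    return mem


def compute_x(program, a, b, c):
    return run(program, {"A": a, "B": b, "C": c})["X"]


def stages_with_same_result(a, b, c):
    """Emulation-style check: which stages compute A + B + C - 4?"""
    expected = a + b + c - 4
    return [n for n, prog in sorted(STAGES.items()) if compute_x(prog, a, b, c) == expected]


def stages_matching_signature(signature):
    """Exact-sequence signature: the listing must contain it contiguously."""
    k = len(signature)
    return [n for n, prog in sorted(STAGES.items())
            if any(prog[i:i + k] == signature for i in range(len(prog) - k + 1))]


def is_junk(line):
    """Instructions a mutation engine inserts that cannot change the result."""
    mnemonic, ops = parse(line)
    if mnemonic in NO_DATA_EFFECT:
        return True
    if mnemonic == "ADD" and ops[0] == "0":
        return True
    if mnemonic == "OR" and ops[0] == ops[1]:
        return True
    if mnemonic == "SHL" and "0" in ops:
        return True
    return False


def stages_matching_after_junk_removal(signature):
    """Normalise by dropping junk, then compare; reordering and scratch
    registers (stages 4 and 5) still defeat this."""
    return [n for n, prog in sorted(STAGES.items())
            if [ins for ins in prog if not is_junk(ins)] == signature]


if __name__ == "__main__":
    print("stages computing A+B+C-4:", stages_with_same_result(5, 7, 11))
    print("exact signature hits:", stages_matching_signature(STAGES[1]))
    print("hits after junk removal:", stages_matching_after_junk_removal(STAGES[1]))
```

The exact signature catches only stage 1, junk stripping recovers stages 2 and 3, and stages 4 and 5 (reordered operations, a scratch register written to Y) are only recognised by executing the code and comparing the result. That gap is why scanners added emulation and behavioural checks alongside byte signatures.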

30
Worms & Trojans
  • Target
  • Propagation
  • Activation
  • Payload
  • Bootstrapping

31
Recent Viruses
  • W32.Myfip.T
  • Backdoor.Staprew
  • Backdoor.Ranky.T
  • Trojan.Lodmedud
  • PWSteal.Botuk
  • SymbOS.Dampig.A
  • W32.Zellome@m

32
Conclusion
  • We have a general understanding of how a virus
    works.
  • What have we learned?
      • Hackers have way too much time on their hands.
      • Not all malicious code is bad:
          • Brain (Pakistani)
          • CRClean (anti Code Red)
      • The most common viruses are memory resident and
        (recently) macro viruses.

33
References
  • Tanenbaum, Andrew S. Modern Operating Systems.
    Prentice-Hall, Inc., 2001.
  • Denning, Peter J. Computers Under Attack. ACM
    Press, New York, NY, 1990.
  • What are viruses, worms, and Trojans?
    http://www.microsoft.com/athome/security/viruses/virus101.mspx
  • How Computer Viruses Work
    http://www.howstuffworks.com/virus.htm
  • VX Heavens
    http://vx.netlux.org/lib/aat00.html
  • Security Response
    http://www.sarc.com/
  • Images
      • http://www.businessblogconsulting.com/images/trojans.gif
      • http://www.leave-me-alone.com/images/pe00222_.gif
      • http://www.quarella.co.uk/img/virus.gif
      • http://worms.puissance-nintendo.com/jeux/worms/images/general/04.jpg
      • http://www.geocities.com/vanfunwall2/Game/Misc/Worms.JPG

34
QUESTIONS????
35
THANK YOU