Malicious Code - PowerPoint PPT Presentation

About This Presentation
Title:

Malicious Code

Description:

Malicious Code. CSCE 522 - Farkas/Eastman -- Fall 2005. 4 ... When these conditions are present, some malicious code is executed. Also known as time bomb ... – PowerPoint PPT presentation

Slides: 42
Provided by: engi79
Learn more at: https://cse.sc.edu

Transcript and Presenter's Notes

1
Malicious Code
2
Program Flaws
  • Taxonomy of flaws by how (genesis), when (time),
    and where (location) the flaw was introduced into
    the system

3
Security Flaws by Genesis
  • Genesis
    • Intentional
    • Inadvertent

4
Intentional Genesis
  • Malicious: Trojan Horse, Trapdoor, Logic Bomb,
    covert channels
  • Non-malicious

5
Inadvertent Genesis
  • Validation error
  • Domain error
  • Serialization error
  • Identification/authentication error
  • Other error

6
Kinds of Malicious Codes
  • Virus
  • Rabbit (Bacteria)
  • Worm
  • Trojan horse
  • Logic bomb (Time bomb)
  • Trapdoor

7
Virus
  • A program that attaches copies of itself into
    other programs
  • Propagates and performs some unwanted function

8
Rabbit
  • Program that consumes system resources by
    replicating itself
  • Also known as bacteria
  • The Trouble with Tribbles (Star Trek)

9
Worm
  • A program that propagates copies of itself
    through the network
  • Usually performs some unwanted function
  • Does not attach to other programs

10
Trojan Horse
  • Secret, undocumented routine embedded within a
    useful program
  • Execution of the program results in execution of
    secret code.

11
Logic Bomb
  • Logic embedded in a program that checks for a
    certain set of conditions to be present in the
    system
  • When these conditions are present, some malicious
    code is executed
  • Also known as time bomb

12
Trapdoor
  • Secret, undocumented entry point into a program
  • Used to grant access without normal methods of
    access authentication

13
Virus Lifecycle
  1. Dormant phase: the virus is idle
  2. Propagation phase: the virus places an identical
    copy of itself into other programs
  3. Triggering phase: the virus is activated
  4. Execution phase: the function is performed

14
Virus Types
  • Transient (parasitic) virus
  • Memory resident virus
  • Boot sector virus
  • Stealth virus
  • Polymorphic virus

15
Transient Virus
  • Most common form.
  • Attaches itself to a file
  • Replicates when the infected program is executed

16
Memory Resident Virus
  • Lodged in main memory as part of a resident
    system program
  • May infect every program that executes

17
Boot Sector Virus
  • Infects the boot record
  • Spreads when system is booted
  • Gains control of machine before the virus
    detection tools can act
  • Very hard to notice
  • Carrier files: AUTOEXEC.BAT, CONFIG.SYS, IO.SYS

18
Stealth Virus
  • A form of virus explicitly designed to hide from
    detection by antivirus software

19
Polymorphic Virus
  • Mutates with every infection
  • Detection by the virus's signature is difficult

20
How Viruses Attach
  • Append to file
  • Surround file
  • Integrate into file

21
Append to File
  [Figure: original program with the virus appended at
    its end; caption "Virus appended to program"]
22
Surround the File
  [Figure: Virus-1 placed before and Virus-2 after the
    original program; caption "Virus surrounding a
    program"]
23
Integrate into File
  [Figure: virus code interleaved with the original
    program; caption "Virus integrated into program"]
24
How Viruses Spread
  • Executable code (exe)
  • Data files
    • Word documents
    • Databases
    • Presentations
  • File sharing

25
  • Assume that, if you can install or use it on your
    computer, it might have a virus

26
How Viruses Gain Control
  • Virus V has to be invoked instead of target T.
  • V overwrites T
  • V changes pointers from T to V

27
High Risk Virus Properties
  • Hard to detect
  • Hard to destroy
  • Spread infection widely
  • Can re-infect
  • Easy to create
  • Machine independent

28
Preventing Virus Infections
  • Prevention
    • Good source of software installed
    • Isolated testing phase
    • Use virus detectors
  • Limit damage
    • Make bootable diskette
    • Make and retain backup copies of important
      resources

29
Antivirus Approaches
  • Detection: determine infection and locate the
    virus.
  • Identification: identify the specific virus.
  • Removal: remove the virus from all infected
    systems, so the disease cannot spread further.
  • Recovery: restore the system to its original
    state.

30
Virus Signatures
  • Storage pattern
    • Code always located at a specific address
    • Increased file size
  • Execution pattern
  • Transmission pattern
  • Polymorphic viruses

31
Antivirus Programs
  • Look for virus signatures
  • Look for changes in file size
  • Need to be updated regularly as new viruses
    appear
  • Eliminate viruses found
  • Attempt to undo virus damage
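The two detection techniques from slides 30 and 31, signature matching and watching for file-size changes, as a small added example (not part of the original slides): a byte-pattern scanner plus a size/SHA-256 baseline that flags files modified since the baseline was taken. The signature table and the sample files are constructed for this illustration.

```python
import hashlib
import os
import tempfile

# Hypothetical signature database (name -> byte pattern). These patterns are
# constructed for the example; they are not real malware signatures.
SIGNATURES = {
    "EXAMPLE-APPENDED": b"EXAMPLE_VIRUS_BODY",
    "EXAMPLE-TRAILER": b"\xde\xad\xbe\xef",
}

def scan_file(path):
    """Signature scanning: return names of patterns found in the file."""
    with open(path, "rb") as f:
        data = f.read()
    return sorted(name for name, pat in SIGNATURES.items() if pat in data)

def build_baseline(paths):
    """Record each file's size and SHA-256 (its 'storage pattern')."""
    baseline = {}
    for path in paths:
        with open(path, "rb") as f:
            data = f.read()
        baseline[path] = (len(data), hashlib.sha256(data).hexdigest())
    return baseline

def check_integrity(baseline):
    """Report files whose size or hash no longer matches the baseline."""
    changed = {}
    for path, (size, digest) in baseline.items():
        with open(path, "rb") as f:
            data = f.read()
        if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            changed[path] = {"old_size": size, "new_size": len(data)}
    return changed

def demo():
    """Constructed scenario: two clean files, one later has bytes appended."""
    tmp = tempfile.mkdtemp()
    clean = os.path.join(tmp, "clean.bin")
    victim = os.path.join(tmp, "victim.bin")
    for p in (clean, victim):
        with open(p, "wb") as f:
            f.write(b"ORIGINAL PROGRAM " * 4)      # 68 bytes each
    baseline = build_baseline([clean, victim])
    with open(victim, "ab") as f:                  # simulate an append-style change
        f.write(b"EXAMPLE_VIRUS_BODY")
    return check_integrity(baseline), scan_file(victim), scan_file(clean)
```

Both checks are weak on their own: a polymorphic virus defeats the fixed signature, and an integrated virus may keep the size unchanged, which is why the hash comparison is included alongside the size.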

32
More on Worms
  • Characteristics
  • Phases
  • Propagation

33
Worm Characteristics
  • Self-replicating (like virus)
  • Objective: system penetration (intruder)

34
Worm Phases
  • Dormancy
  • Propagation
  • Triggering
  • Execution

35
Worm Propagation
  • Searches for other systems to infect
  • Establishes connection with remote system
  • Copies itself to remote system
  • Executes

36
Some Examples
  • The Brain Virus
  • The Internet Worm
  • Code Red

37
The Brain Virus
  • Changes label of infected disk to Brain
  • Locates in upper memory and traps disk reads
  • Upon read to boot sector takes over
  • Marks its sectors faulty
  • Looks for uninfected disks to infect

38
The Internet Worm
  • Caused 6,000 installations to shut down or
    disconnect from the Internet
  • Created by Robert T. Morris at Cornell
  • Attacked Unix machines
  • Found new machines by password guessing,
    exploiting finger, and using a trapdoor in
    sendmail
  • Tried to remain undiscovered

39
Code Red
  • Infected more than 250,000 machines in nine hours
  • Attacked machines running Microsoft IIS software
  • Spread to random or target IP addresses
  • Dormant after infection phase

40
USC Security Measures
  • Gamecock, September 3, 2004
  • Smart Enforcer
  • Checks for needed updates to OS (Microsoft) and
    antivirus programs (McAfee) before network access
    is allowed
  • Why? Students do not always make needed updates

41
A Good Parasite/Virus
  • Does not kill its host
  • Lives off host resources
  • Uses host resources to propagate itself
  • May change host behavior
  • May be dormant after infection phase
  • May enter into a symbiotic relationship
  • Many biological parallels