Malicious Software and Security Programming - PowerPoint PPT Presentation

1 / 38
About This Presentation
Title:

Malicious Software and Security Programming

Description:

Skoudis, E, Malware: Fighting Malicious Code, Prentice Hall, 2003, ISBN: 0131014056 ... must have the following code components ... Optionally payload code ... – PowerPoint PPT presentation

Number of Views:104
Avg rating:3.0/5.0
Slides: 39
Provided by: martin159
Category:

less

Transcript and Presenter's Notes

Title: Malicious Software and Security Programming


1
Malicious Software and Security Programming
  • Teaching team
  • Martin Slade (module leader), room K356, phone
    353554, e-mail M.Slade_at_staffs.ac.uk
  • David Hodgkiss, room K217, phone 353447,
    e-mail D.D.Hodgkiss_at_staffs.ac.uk
  • Bob Shaw, room K235, phone 353771, e-mail
    R.Shaw_at_staffs.ac.uk

2
Classes
  • Classes
  • 2 lectures 1 tutorial/practical per week -
    tutorial/practicals start next week
  • 2 Tutorial/practical classes timetabled - Monday
    10am K111, Monday 1pm K111
  • choose an appropriate class, turn up and sign up
    for it

3
Slides and module information
  • For now
  • PowerPoint versions of lecture slides, the
    tutorial/practical questions and example answers
    will be made available on my web site at
  • www.soc.staffs.ac.uk/mss1/
  • I will try and put lecture slides will be put on
    the web page the day before the lecture not a
    promise
  • Also information about assessments (at an
    appropriate time), announcements, and other
    information about the module will appear on the
    web page from time to time

4
  • Later
  • module will appear on Blackboard
  • Blackboard.staffs.ac.uk/
  • Information that appears on Web site will appear
    on Blackboard

5
Learning outcomes
  • 1. Explain the principles and concepts that
    underpin malicious software and software based
    attacks.
  • 2. Specify, design and implement an exemplar
    component that might form part of a defensive
    strategy.
  • 3. Critically evaluate various techniques used in
    the defence of computer systems against malicious
    software and software based attacks.

6
Assessment
  • Assignment (50) - researching about and writing
    an anti-virus component - learning outcomes 2 3
  • Exam (50) - 2 hours long - learning outcomes 1
    3

7
Study time guide
  • Module has a total of 150 hours allocated to it
    as
  • 36 hours for lectures/tutorials 2 hours for
    exam
  • Giving 112 hours left over to be organised by
    you, example breakdown
  • 26 hours revision for exam
  • 50 hours work on assignment
  • 36 hours for tutorial preparation and weekly
    reading 3 hours of reading and advance review
    of tutorial material per week - less on this will
    require more on the others

8
Textbooks
  • No single definitive textbook has been identified
    but the following cover elements of the module
  • Skoudis, E, Malware Fighting Malicious Code,
    Prentice Hall, 2003, ISBN 0131014056
  • Skoudis, E, Counter Hack A Step by Step Guide to
    Computer Attacks and Effective Defences, Prentice
    Hall, 2001, ISBN 0130332739
  • Whittaker, J, Thompson,H, How to Break Software
    Security, Addison Wesley, 2003, ISBN 0321194330
  • Szor, P, The Art of Computer Virus Research and
    Defense, Addison Wesley, 2005, ISBN 0321304543
  • Reference will be made to other books/articles as
    relevant

9
Professional and ethical considerations
  • Given the nature of the module it is important
    that you are aware of a number of disclaimers
    relative to the content of the module
  • 1. It is not the aim of the module to teach you
    how to write malicious software or how to hack
    into systems
  • 2. All examples of security or software
    weaknesses will be those already in the public
    domain for which the relevant security patches
    are available

10
  • 3. However in order to understand how to protect
    systems against such attacks we appreciate that
    it is necessary to have a good understanding of
    how those attacks are constructed and proceed
  • 4. Virus specific disclaimers
  • a) We will examine code segments of real viruses,
    however, you will not be given any complete code
    listings.

11
  • b) This means that if you were to use the
    information we give you to write a virus it could
    only be as a result of a deliberate act on your
    part to write the linking code between any code
    segments we might give you, and compile it and
    release it
  • 5. You need to be constantly aware that some of
    the topics we will be teaching you about concern
    activity which is illegal and thus you need to be
    fully aware of the seriousness of any
    consequences if you decide to engage in some of
    the activities we may describe

12
Brief Outline
  • I will cover viruses and anti-virus strategies
  • Bob Shaw will cover hacking and defences against
    hacking
  • Dave Hodgkiss will cover secure programming
    practices

13
Lecture 1
  • In this lecture and lecture 2 we will be looking
    at
  • 1. Simple definition of a virus
  • 2. The components of a simple DOS based
    executable file infector.

14
  • We will look at the code for the DOS file
    infector virus in almost complete detail. I want
    to take all the mystery out of how a virus
    actually works, so you can see it just as another
    program. They may be potentially dangerous
    programs, but understanding in detail how they
    work helps you understand the strengths and
    weaknesses of anti-virus protection mechanisms.

15
  • There are 2 general approaches to discussing
    virus technology
  • 1. Non-disclosure approach - information about
    viruses should absolutely not be made available
    to anyone except those privileged to work at an
    anti-virus software company (and a few academic
    researchers). You might be allowed to know some
    trivial details about how viruses work but it
    gives you little real understanding.
  • 2. Disclosure approach information about how
    viruses operate is fully given and explained.
    This enables you to understand their strengths
    and weaknesses and also properly understand and
    appreciate how to protect against them.

16
Simple definition
  • A virus is code that reproduces itself,
    independently of any users/operating system
    consent, by being associated in some way with
    programs in a computer system such that the
    execution of those programs is exploited to
    facilitate the reproduction of the virus
  • Usually the virus contains some form of code
    whose function has nothing to do with
    reproduction a payload but not essential to
    it being a virus
  • This non-reproductive function is usually of a
    destructive nature, but may be beneficial

17
Fundamental structure
  • All viruses must have the following code
    components
  • search code to find suitable carrier mechanism
    (files, boot sector, etc) to infect
  • copy code to make a copy of itself in the
    carrier mechanism
  • protection code normally just to try and
    prevent the copy from being detected, but
    sometimes can be aggressive and directly attack
    threats
  • Optionally payload code

18
  • Viruses are generally written in the machine
    language of the carrier mechanism
  • So for viruses that infect executable code or
    boot sectors, then this is assembly language
  • For viruses that infect interpreted code (macro
    and scripting viruses) then that is the
    interpreted language (which is the machine
    language of the virtual machine of the
    interpreter for the macro or scripting language)

19
Executable code viruses
  • high level languages (including C) were designed
    with a view to producing stand-alone programs or
    modules that would be linked together to form a
    stand-alone program
  • they thus make assumptions about the nature of
    the code that is being written that is too
    restrictive for a virus writer

20
  • such viruses must be written so that they can
    effectively dynamically link a copy of itself
    into an executable program with limited
    information about the internal structure of the
    program being infected and without any portion of
    the executable code having references to the
    virus code which the virus has to construct for
    itself within the infected code
  • so most of the code for executable viruses you
    will see will be written in assembly language
  • I do not expect/assume familiarity with assembly
    language as I will explain everything as I go
    along (though it will help)
  • The assembly language syntax I will use is that
    of NASM as this is the assembly language
    version covered in level 2

21
Simple .COM file infector
  • Simplest of executable file infectors
  • Infects COM executables simplest executable
    file format
  • Assumes DOS environment - I know not much used
    today but it is simplest environment and thus
    easiest to start with
  • On disk COM file is simply the binary image of
    the program i.e. binary machine code instructions
    and initialised data

22
DOS program loading
  • When DOS loads a COM program for execution it
    first allocates 64K segment of memory. It then
    sets up a Program Segment Prefix (PSP). This
    occupies the first 256 bytes of the memory
    segment.
  • The PSP contains a variety of fields that a
    program might use. Of importance to us is the
    default DTA (Data Transfer Area). When a program
    is invoked it contains the command line arguments
    for that program. It is also the place where
    information about files from search operations
    are placed.

23
  • The default DTA resides in the PSP, but note DOS
    can be told to treat other areas of memory within
    the program segment as the DTA
  • DOS places the program code from the COM file
    immediately following the PSP starting at offset
    100H (offset from start of memory segment that
    has been allocated to program)
  • The top of the memory segment allocated to the
    program is reserved for the stack. The stack
    pointer points to the current top of the stack
    and the stack grows downwards.

24
  • DOS pushes 0 onto the stack at locations FFFEHex
    and FFFFHex -
  • DOS then initiates execution of the program by
    jumping to 100H in the program segment (jumps to
    first instruction of the COM program

25
COM program after loading
26
  • In the following you must assume that a virus is
    executing and the following actions are those
    which it must do in order to reproduce itself

27
Gaining initial control
  • In order to gain control of execution a virus
    must substitute its first instruction for the
    start of the current program at 100Hex
  • To do this the virus can
  • 1. Simply overwrite the program code from 100Hex
    onwards with the copy of itself. This is an
    overwriting virus. It is simple to write and thus
    short, but it destroys the original programs
    code and thus it means that the presence of virus
    can easily be detected.

28
  • 2. Place a copy of itself from 100Hex onwards and
    place the original code after it.
  • 3. Place a copy of itself after the end of the
    original code (the COM file image) in the area
    for uninitialised data/unused area, but swap the
    start of the original code with a jump to the
    start of the viruses code. After the virus has
    completed execution and before it initiates
    execution of the original program code the
    original code swapped for the jump instruction
    needs to be swapped back. This is the method we
    will look at in detail.

29
Infected COM file in memory
30
Outline of virus code
  • 1. Virus searches for a new file to infect
  • 2. If file is found virus appends its code to end
    of file
  • 3. Virus reads first few bytes of COM file and
    writes it back to file in a data area just above
    virus code
  • 4. Virus then writes jump to start of virus code
    to first few bytes of COM file image
  • 5. Virus then swaps back into first few bytes of
    the COM image of its code in memory, the original
    bytes, ready to transfer execution back to its
    own host program
  • 6. Virus then executes a return to host program
    code at 100Hex
  • In following diagram stages 1 6 are not depicted

31
Diagram of outline of infection
In memory being executed
On disk
FFFEHex
Stack area
First few bytes of COM file image 1 code
Copy of start of COM file image 2
2
Virus code
Virus code
154AHex
3
5
COM file image1
COM file image2
JMP 154AHex
0100Hex
4
PSP
JMP to start of virus code
0000Hex
32
Files and directories in DOS
  • In order to understand file search process we
    must remind ourselves about how DOS holds
    information about files and directories
  • File Allocation Table (FAT) forms a map of
    clusters on disk with space allocation to files
    being represented by sequence of index numbers of
    clusters of file
  • Directory is a file of 32 byte records with each
    record holding information about a file in that
    directory

33
  • Each record holds information such as name of
    file, date and time of last update, file size,
    type attribute and index of first cluster of file
    in FAT
  • File type attribute can be directory, hence file
    is a directory for a sub-directory
  • DOS provides services to its programs to
    manipulate files and directories via calls to
    Interrupt Service Routines (ISRs)
  • ISRs are accessed via a software interrupt (INT
    21H) with Ah register set with value that
    specifies type of service required and with
    various other registers set up with relevant
    parameter values required for specific service

34
Searching for files in DOS
  • DOS has 2 search functions
  • search first searches a given directory for any
    files matching a given specification
  • search next searches for next file in same
    directory that matches specification
  • Search first requires
  • 4EH in register AH
  • Attribute of files to be found (in register AL)
    whether hidden, system, directory files as well
    as normal files
  • Address (offset in segment) in DX of a 0
    terminated string with path or name of file but
    can use wildcard chars and ? so to find
    COM files requires a string to be defined like
  • COMFILE DB .COM,0

35
  • If successful (file found) then ISR returns with
    register AX having 0 in it and the DTA (Data
    Transfer Area) having information about file
    found specifically it has file attribute, time,
    date, size, name copied from directory record
    and information to be used by search next
    function telling it where to continue search from
    for next file matching criteria

36
  • So start of search routine would have code
  • FIND_FILE
  • note access to COMFILE here is a
    simplification - later
  • you will see that we will have to access this
    differently to
  • work properly
  • mov dx,COMFILE set offset of file string
  • mov AL,06H set up attribute value
  • mov AH,4EH specify search first ISR
  • int 21H call DOS to do it
  • FIND_LOOP
  • cmp AX,0 check if found candidate
    file
  • jne FIND_DONE if not jump to exit

37
search next
  • Having found a file that is a candidate for
    infection we next need to determine whether or
    not it is suitable for infection for now we
    will assume we have a subroutine FILE_OK which
    will check this for us and return with Z(ero)
    flag set to 1 if file OK and not set if not OK
  • So search first works for the first search, but
    for subsequent searches we need to use search
    next function in a loop
  • search first sets up the DTA with information
    about the search so the call to search next only
    needs to put the value 4FHex into register AH to
    tell DOS to perform the search next function

38
  • search next (as search first) returns file
    details in the DTA and 0 in AX if successful and
    non-zero if not (error code actually)
  • so to complete the code from before
  • previous code here
  • FIND_LOOP first 2 instructions from previous
    code
  • cmp AX,0 check if found candidate file
  • jne FIND_DONE if not jump to exit with Z
    flag0
  • call FILE_OK check if it is infectable
  • je FIND_DONE yes goto exit with Z
    flag1
  • mov AH,4FH no set up for search next
  • int 21H do search
  • jmp FIND_LOOP back to top of loop
  • FIND_DONE note using Z flag value to tell
  • ret calling code if found suitable file
Write a Comment
User Comments (0)
About PowerShow.com