Lecture 8: More on viruses and detection/prevention strategies

Provided by: martin159

1
Lecture 8 More on viruses and detection/prevention strategies
  • We will cover
  • additional types of virus
  • Virus detection strategies
  • string matching
  • heuristic scanning
  • activity monitoring
  • integrity checking
  • Generic Decryption
  • Virus prevention strategies
  • Reading - Pfleeger, chapter 3

2
Document virus
  • A modern document is a file laid out according to
    a well-defined structure. It contains data, but
    also control code: attributes that describe the
    data, and instructions that the document
    creation/manipulation program can carry out on
    behalf of the document/user. These instructions
    are normally called macros; they are effectively
    interpreted by the document processing program,
    e.g. Word or Excel.

3
  • A macro can do anything the document processing
    program has permission to do, e.g. modify any
    document of a given type owned by the user, and
    possibly any file the user owns on the system.
  • For the convenience of the user, document macros
    can include start-up macros that run automatically
    when a document is opened by the document
    processing program.
  • Thus auto-run macros present a perfect
    opportunity for the development of viruses.

4
  • This is the most common form of virus these days,
    because e-mail provides an excellent distribution
    mechanism. Some e-mail systems prevent the
    distribution of anything that is directly
    executable, but they cannot prevent documents
    being distributed; that would be an interference
    with the proper use of the computer system worse
    than many viruses.

5
Memory resident virus
  • A memory resident virus piggybacks on a host file
    until the host runs; it then copies itself into
    memory and stays resident there as a stand-alone
    program that runs from time to time, possibly
    intercepting certain types of interrupt and
    running whenever a given interrupt occurs, e.g.
    on disk accesses.

6
Boot sector virus
  • At computer start-up the OS has to be loaded in.
  • Normally a fixed sector on the primary storage
    medium (e.g. the hard disk) contains a piece of
    code that is part of the OS called the bootstrap
    loader: the fixed sector contains code that
    initiates loading of the OS code from the hard
    disk into the computer's memory, etc. The
    bootstrap code actually takes more space than one
    sector, so the sectors it resides on are chained,
    one sector pointing to the next in the chain. A
    boot sector virus is a virus that inserts itself
    either into the boot-up code itself, or as a
    sector in the chain of boot sectors.

7
  • A classic boot sector virus makes itself memory
    resident on boot-up and replicates by infecting
    the boot sectors of removable, writeable storage
    media, e.g. floppy disks, but also Zip disks, etc.
  • The classic boot sector virus is not common these
    days: as this way of spreading is very slow, virus
    writers prefer faster distribution mechanisms,
    e.g. e-mail.
  • However, some modern viruses, multipartite
    viruses, are both file infector viruses and boot
    sector viruses: the virus infects the boot sector
    if it can, as well as other files, and whenever
    the computer boots up it makes itself memory
    resident and infects files as well as boot
    sectors.

8
Detection strategies
  • Scanners: viruses with fixed signatures (static
    viruses) are easy to detect by a simple scanner
    that scans all the files the user specifies,
    looking for patterns of bits that match the
    signature of a known virus. The user just needs to
    keep the signature list that the scanner uses up
    to date.
  • An encrypting virus with an invariant decryption
    engine can be detected in the same way as a simple
    virus (the unchanging engine itself is a fixed
    pattern).
  • But this does not work on polymorphic viruses;
    these need to be detected using heuristic
    detection techniques.
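As an added example (not code from the lecture or from Pfleeger), the following Python scanner shows what "patterns of bits that match the signature of a known virus" means in practice: each signature is a hex byte pattern, optionally with one-byte wildcards, compiled to a byte-level regular expression and run over every file. The signature names, byte patterns and sample files are all constructed for this example, not real virus signatures. The final sample shows the limitation the slide mentions: the same bytes hidden behind a one-byte XOR, as an encrypting virus would carry them, no longer match.

```python
import re
from typing import Dict, List, Tuple

# Constructed signature database for this example (hypothetical names and
# byte patterns, not real virus signatures). Each pattern is written as hex
# bytes; "??" is a wildcard for exactly one unknown byte.
SIGNATURES: Dict[str, str] = {
    "Demo.Static.A": "de ad be ef 90 90",
    "Demo.Static.B": "41 42 ?? 43 44",
}


def compile_signature(hex_pattern: str) -> "re.Pattern[bytes]":
    """Turn a hex pattern with ?? wildcards into a compiled bytes regex."""
    parts = []
    for token in hex_pattern.split():
        if token == "??":
            parts.append(b".")                       # any single byte
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    # DOTALL so the wildcard also matches a 0x0a (newline) byte
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}


def scan_bytes(data: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every match in the data."""
    hits = []
    for name, pattern in COMPILED.items():
        for match in pattern.finditer(data):
            hits.append((name, match.start()))
    return sorted(hits, key=lambda hit: hit[1])


def scan_files(files: Dict[str, bytes]) -> Dict[str, List[Tuple[str, int]]]:
    """Scan a set of in-memory files; only files with hits are reported."""
    report = {}
    for path, data in files.items():
        hits = scan_bytes(data)
        if hits:
            report[path] = hits
    return report


def scan_path(path: str) -> List[Tuple[str, int]]:
    """Scan a real file on disk (reads the whole file; fine for a demo)."""
    with open(path, "rb") as handle:
        return scan_bytes(handle.read())


# Constructed sample "files": a clean one, one carrying pattern A at offset 10,
# and one where the byte 0x58 ('X') fills the wildcard of pattern B.
SAMPLE_FILES: Dict[str, bytes] = {
    "clean.exe": b"MZ" + b"\x00" * 20 + b"hello world",
    "infected.exe": b"MZ" + b"\x00" * 8 + bytes.fromhex("deadbeef9090") + b"\x00" * 4,
    "doc.bin": b"ABXCD",
}

# The same bytes of pattern A hidden behind a one-byte XOR, as an encrypting
# virus would store its body: the fixed-signature scanner sees nothing.
ENCODED_SAMPLE = bytes(b ^ 0x5A for b in bytes.fromhex("deadbeef9090"))

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(path, hits)
    print("encoded sample hits:", scan_bytes(ENCODED_SAMPLE))
```

A production scanner would use a multi-pattern automaton rather than one regex per signature, but the matching semantics (exact bytes plus wildcards, reported with an offset) are the same.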

9
Heuristic Virus detection
  • In general, heuristic techniques attempt to
    identify the presence of a virus by
  • 1. Code examination - looking for abnormalities
  • 2. Activity monitoring - looking for activity
    that is typical of a virus
  • 3. Change examination - looking for evidence of
    suspicious or unauthorised changes to the system
  • 4. Generic Decryption

10
Code examination
  • A number of features that we looked at in the
    last lecture can be looked for in the code, e.g.
  • 1. The entry point of the program code executes a
    long jump to some other part of the code to begin
    execution.
  • 2. A polymorphic virus may be detected by looking
    for unusual usage of jumps within part of the
    code, or an unusual prevalence of dummy
    instructions, etc.
  • 3. Abnormal code localisation: normal code
    consists of an alternating sequence of a short
    burst of instructions followed by a call to some
    subroutine (method/function/procedure, etc.),
    which normally exists in a quite separate region
    of memory from the calling code.

11
  • 3. (cont.) The code execution sequence would
    exhibit execution of code in some local region of
    the host program's memory, followed by a jump to
    another region (a subroutine call), and then a
    jump back to the original region (return from the
    call), etc. Virus code is very different from
    this: the code executes in one restricted region
    with no calling of subroutines in other regions,
    which is very suspicious.
  • However, this is where the virus placement
    strategy in which the virus inserts its code
    into several different places within the host
    program has an advantage: in such a case the virus
    code looks more normal, as its execution sequence
    moves around the memory area of the host program.

12
Activity monitoring
  • In activity monitoring an anti-virus program is
    set up to be resident in memory to
  • monitor activity on the computer for the
    occurrence of the sorts of things viruses do (or
    keep a list of actions that should not be allowed
    to happen without the user's explicit consent),
  • interrupt/suspend execution of any program that
    is doing something suspicious, i.e. something on
    the disallowed list, and
  • warn the user about the suspicious program and its
    activity.

13
  • Viruses do fairly standard things in order to
    create copies of themselves, e.g. the virus code
    must modify other executable code, so at some
    point it must open the target executable file
    with write permission and then write to the file.
  • Of course some programs will do this sort of
    thing legitimately, e.g. a program that is
    updating (patching) some other code; such a
    patching program might thus mistakenly be
    identified as a possible virus.
  • This is the general problem with all heuristic
    virus detection methods: they will give rise to
    false positives.
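The activity-monitoring idea from the last two slides, as an added example in Python (not code from the lecture): a monitor replays a stream of observed actions against a small disallowed list (writing to an executable, raw access to the boot disk device, sending an unusual number of e-mails) and raises an alert per offending action. The event format, process names and event stream are constructed for the example; the allowlist models the "explicit user consent" the slide mentions and is what keeps a legitimate patcher from being reported as a false positive.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Event:
    """One observed action by a running program (constructed event format)."""
    pid: int
    process: str
    op: str           # "open", "write" or "sendmail"
    target: str       # file path, device name or e-mail recipient
    mode: str = ""    # open mode: "r", "w" or "rw"


EXECUTABLE_EXT = (".exe", ".dll", ".com", ".sys")
# Windows raw-disk device name, used here as the example of a protected
# target: writes to it reach the boot sector.
PROTECTED_TARGETS = {r"\\.\PhysicalDrive0"}

Alert = Tuple[int, str, str]   # (pid, process name, reason)


def monitor(events: List[Event], allowlist: Set[str] = frozenset(),
            mail_threshold: int = 5) -> List[Alert]:
    """Replay an event stream and return one alert per disallowed action.

    allowlist holds programs the user has explicitly consented to (e.g. a
    known patcher), so their legitimate writes to executables are not
    reported as false positives.
    """
    alerts: List[Alert] = []
    mail_counts: Dict[int, int] = {}
    for ev in events:
        if ev.process in allowlist:
            continue
        reason = None
        if ev.op == "open" and "w" in ev.mode and ev.target.lower().endswith(EXECUTABLE_EXT):
            reason = f"opened executable {ev.target} for writing"
        elif ev.op in ("open", "write") and ev.target in PROTECTED_TARGETS:
            reason = f"raw access to protected device {ev.target}"
        elif ev.op == "sendmail":
            mail_counts[ev.pid] = mail_counts.get(ev.pid, 0) + 1
            if mail_counts[ev.pid] == mail_threshold + 1:   # report once per process
                reason = f"sent more than {mail_threshold} e-mails"
        if reason is not None:
            alerts.append((ev.pid, ev.process, reason))
    return alerts


# Constructed sample stream: a legitimate updater, an ordinary editor, an
# e-mail client, and one process doing the things the slides say viruses do.
SAMPLE_EVENTS: List[Event] = [
    Event(100, "updater.exe", "open", r"C:\App\app.exe", "w"),
    Event(200, "notepad.exe", "open", r"C:\Users\u\notes.txt", "w"),
    Event(400, "outlook.exe", "sendmail", "alice@example.com"),
    Event(300, "suspect.exe", "open", r"C:\App\app.exe", "rw"),
    Event(300, "suspect.exe", "write", r"\\.\PhysicalDrive0"),
] + [Event(300, "suspect.exe", "sendmail", f"user{i}@example.com") for i in range(6)]

if __name__ == "__main__":
    print("without consent list:", monitor(SAMPLE_EVENTS))
    print("with consent list:   ", monitor(SAMPLE_EVENTS, allowlist={"updater.exe"}))
```

Run without an allowlist, the first alert is the updater writing to `app.exe`: exactly the false positive the slide describes. With `updater.exe` on the consent list, only the three actions of the suspect process remain.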

14
Change examination
  • As we have seen, viruses can leave a trail of
    evidence behind them about the changes they have
    made to various files on the system: file size
    changes, modification dates/times, etc.
  • Thus a heuristic scanner can checkpoint
    information about various files on the system and
    examine them at a later date for tell-tale
    changes.
  • Of course we have seen how a stealth virus will
    attempt to hide such changes.
  • More sophisticated change checking involves the
    use of hash values.

15
  • Integrity checking: checksums or hash values
    (message digests) from a hash function are
    computed for each file and appended to the file.
    If the file changes then the hash value will be
    incorrect for the file, so something has changed;
    this gives an indication of the presence of a
    virus (virus activity), although it does not
    identify the virus responsible.
  • However, as a virus counter-measure to this
    strategy, when a virus infects a file it may
    re-compute the hash value for the file as it now
    is, with the additional bits from the copy of the
    virus, producing a hash value that is correct for
    the infected file.

16
  • To combat this we can encrypt the hash value
    before appending it to the file. A virus (unless
    it can get the private key) cannot encrypt any
    replacement hash value using the correct key, so
    any new hash value it produces would be wrong.
  • The hash value is then effectively acting as a
    digital signature for the file, authenticating
    that it has not been modified in an unauthorised
    manner.
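The change-examination and integrity-checking slides above, as one added Python example (not code from the lecture). `checkpoint` and `detect_changes` record each file's size and digest and later report what changed, including a same-size modification that a size check alone would miss. `tag_comparison` then shows the counter-measure and its defence: an unkeyed SHA-256 appended to the file can simply be recomputed by whoever changed the file, while a keyed digest cannot be regenerated without the key. HMAC-SHA256 is used here as a stand-in for the "encrypted hash value"/digital signature of the slides (a real signature scheme would use an asymmetric private key; the property demonstrated is the same). All file contents and the key are constructed.

```python
import hashlib
import hmac
from typing import Dict, Tuple

TAG_LEN = 32   # SHA-256 digest / HMAC-SHA256 tag length in bytes


def plain_tag(data: bytes) -> bytes:
    """Unkeyed message digest, as in the basic integrity-checking scheme."""
    return hashlib.sha256(data).digest()


def keyed_tag(data: bytes, key: bytes) -> bytes:
    """Keyed digest (HMAC-SHA256); stands in for the encrypted/signed hash."""
    return hmac.new(key, data, "sha256").digest()


def append_tag(data: bytes, tag: bytes) -> bytes:
    return data + tag


def split_tag(blob: bytes) -> Tuple[bytes, bytes]:
    return blob[:-TAG_LEN], blob[-TAG_LEN:]


def verify_plain(blob: bytes) -> bool:
    body, tag = split_tag(blob)
    return hmac.compare_digest(tag, plain_tag(body))


def verify_keyed(blob: bytes, key: bytes) -> bool:
    body, tag = split_tag(blob)
    return hmac.compare_digest(tag, keyed_tag(body, key))


Record = Tuple[int, str]   # (file size, hex keyed tag) stored at checkpoint time


def checkpoint(files: Dict[str, bytes], key: bytes) -> Dict[str, Record]:
    """Record size and keyed digest of every file: the baseline to compare against."""
    return {path: (len(data), keyed_tag(data, key).hex()) for path, data in files.items()}


def detect_changes(baseline: Dict[str, Record], files: Dict[str, bytes],
                   key: bytes) -> Dict[str, str]:
    """Compare the current files against the baseline and return a verdict per path."""
    verdicts: Dict[str, str] = {}
    for path, (size, tag) in baseline.items():
        if path not in files:
            verdicts[path] = "missing"
            continue
        data = files[path]
        if hmac.compare_digest(keyed_tag(data, key).hex(), tag):
            verdicts[path] = "unchanged"
        elif len(data) != size:
            verdicts[path] = f"modified (size {size} -> {len(data)})"
        else:
            verdicts[path] = "modified (same size)"   # a size check alone would miss this
    for path in files:
        if path not in baseline:
            verdicts[path] = "new file"
    return verdicts


def tag_comparison(key: bytes = b"constructed-demo-key") -> Dict[str, bool]:
    """Show why an unkeyed appended hash can be out-manoeuvred and a keyed one cannot."""
    original = b"MZ constructed original program bytes"
    modified = original + b" plus constructed appended bytes"
    plain_blob = append_tag(original, plain_tag(original))
    # Anyone who changes the file can recompute an unkeyed digest for the new content.
    regenerated = append_tag(modified, plain_tag(modified))
    keyed_blob = append_tag(original, keyed_tag(original, key))
    # Without the key, the best a modifier can do is keep the old tag (or guess one).
    _, old_tag = split_tag(keyed_blob)
    stale = append_tag(modified, old_tag)
    return {
        "plain_original": verify_plain(plain_blob),       # True
        "plain_regenerated": verify_plain(regenerated),   # True: the check is fooled
        "keyed_original": verify_keyed(keyed_blob, key),  # True
        "keyed_modified": verify_keyed(stale, key),       # False: modification detected
    }


if __name__ == "__main__":
    print(tag_comparison())
```

The keyed scheme only holds up if the key itself is out of reach of ordinary programs on the machine, which is why the slide's caveat "unless it can get the private key" matters: the baseline and key belong on read-only or otherwise protected storage.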

17
Generic Decryption
  • One advanced strategy for detecting an encrypting
    polymorphic virus is to use Generic Decryption.
    The basic idea is to emulate the execution of the
    host program for the first 1000 instructions or
    so and then scan the file for the presence of
    known polymorphic viruses. The emulation provides
    a safe execution environment in which any
    polymorphic encrypting virus can decrypt itself,
    thus revealing the underlying code that can be
    scanned in a more conventional manner for a known
    signature.

18
  • Generic Decryption requires 3 components:
  • 1. CPU/hardware emulator - interprets
    instructions, changing emulated memory/hard disk
    accesses, etc.
  • 2. Emulation control module - controls such
    factors as how many instructions to emulate
    before interrupting the interpretation and running
    the scanner
  • 3. Virus signature scanner - a normal scanner to
    look for signatures
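The three components of Generic Decryption, as an added Python example (not code from the lecture and not a real emulator). The instruction set is a toy one constructed for the example: `emulate` is the CPU emulator, the `budget` argument of `generic_decryption_scan` plays the emulation control module, and the marker search over emulated memory is the signature scanner. `build_image` produces a sample file in which a short XOR-decoding loop precedes a body stored under a chosen key; the marker `SIG:CONSTRUCTED-DEMO` stands in for a known signature. A static scan of the file finds nothing, a scan after emulating enough instructions does, and the same holds for any key, which is what makes the approach work against a polymorphic encryptor. Running with too small a budget shows why the control module's instruction count matters.

```python
from typing import Dict, Tuple

# Toy instruction set for the emulator (constructed for this example):
#   10 imm  X = imm        20      A = mem[X]      40       X = X + 1
#   11 imm  C = imm        21      mem[X] = A      41       C = C - 1
#   12 imm  K = imm        30      A = A xor K     50 addr  if C != 0: pc = addr
#   60 addr pc = addr      00      HALT
MEM_SIZE = 256
MARKER = b"SIG:CONSTRUCTED-DEMO"   # stands in for a known-virus signature
BODY_START = 0x20


def build_image(key: int = 0x5A) -> bytes:
    """Build a sample program: a tiny XOR decoder followed by an encoded body.

    The body is a HALT instruction followed by MARKER; both are stored XORed
    with the key, so the marker is not visible in the file on disk.
    """
    body = b"\x00" + MARKER
    decoder = bytes([
        0x10, BODY_START,    # X = start of encoded body
        0x11, len(body),     # C = number of bytes to decode
        0x12, key,           # K = key
        0x20,                # loop (offset 6): A = mem[X]
        0x30,                #   A ^= K
        0x21,                #   mem[X] = A
        0x40,                #   X += 1
        0x41,                #   C -= 1
        0x50, 0x06,          #   if C != 0 goto loop
        0x60, BODY_START,    # jump into the now-decoded body
    ])
    padding = bytes(BODY_START - len(decoder))
    return decoder + padding + bytes(b ^ key for b in body)


def emulate(image: bytes, max_instructions: int) -> Tuple[bytearray, int, str]:
    """Interpret the image in emulated memory; stop at HALT, at an unknown
    opcode, or when the instruction budget set by the control module runs out."""
    mem = bytearray(image) + bytearray(MEM_SIZE - len(image))
    pc = a = x = c = k = 0
    executed = 0
    while executed < max_instructions:
        op = mem[pc]
        executed += 1
        if op == 0x00:
            return mem, executed, "halt"
        elif op == 0x10:
            x, pc = mem[pc + 1], pc + 2
        elif op == 0x11:
            c, pc = mem[pc + 1], pc + 2
        elif op == 0x12:
            k, pc = mem[pc + 1], pc + 2
        elif op == 0x20:
            a, pc = mem[x], pc + 1
        elif op == 0x21:
            mem[x] = a
            pc += 1
        elif op == 0x30:
            a, pc = a ^ k, pc + 1
        elif op == 0x40:
            x, pc = (x + 1) & 0xFF, pc + 1
        elif op == 0x41:
            c, pc = (c - 1) & 0xFF, pc + 1
        elif op == 0x50:
            pc = mem[pc + 1] if c != 0 else pc + 2
        elif op == 0x60:
            pc = mem[pc + 1]
        else:
            return mem, executed, f"unknown opcode {op:#04x}"
    return mem, executed, "budget exhausted"


def generic_decryption_scan(image: bytes, budget: int = 1000) -> Dict[str, object]:
    """Static scan of the file, then a scan of emulated memory after running it."""
    mem, executed, status = emulate(image, budget)
    return {
        "static_hit": image.find(MARKER) != -1,
        "emulated_hit": bytes(mem).find(MARKER) != -1,
        "executed": executed,
        "status": status,
    }


if __name__ == "__main__":
    for key in (0x5A, 0x33):
        print(f"key {key:#04x}:", generic_decryption_scan(build_image(key)))
    print("budget 20:", generic_decryption_scan(build_image(), budget=20))
```

With the default budget the sample halts after 131 emulated instructions with the body decoded in memory; with a budget of 20 only the first few bytes have been decoded and the scanner misses it, which is the trade-off the emulation control module has to tune.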

19
Prevention strategies
  • There are no real techniques which, if implemented
    properly, would prevent infection by a virus.
    Various policies can be adopted which, if the
    humans in an organisation obey them, may reduce
    the likelihood of infection, but will not
    prevent it.
  • Of course, it is not a good idea to rely on
    humans following policies as the main source of
    protection for your computer system.

20
  • Standard prevention policy
  • 1. Only download or install software, or open
    documents (input files to the system), from
    sources that are deemed trustworthy: sources
    which you believe do not intend to deliberately
    cause damage to your system AND have a
    sufficiently secure system themselves that it is
    unlikely they will pass on a virus.
  • 2. Scan files that are inputs to the system,
    whatever the source.

21
  • 3. Reduce usage/access rights for various
    activities and resources in the system
  • to prevent certain types of virus from running,
    e.g. you can disable auto-running of document
    macros, and disable script execution (JavaScript,
    etc.) and ActiveX controls in various
    applications;
  • to make it more difficult for a virus to
    replicate, e.g. you can disable auto-e-mailing;
  • to limit the damage a virus might cause, e.g. by
    use of activity monitoring (discussed earlier) with
    a list of actions that need explicit user consent
    before being executed.

22
  • Sandbox technique: the program runs in some
    artificial environment, usually provided by a
    virtual machine, so any virus would run only on
    the virtual machine and could not access the real
    machine or its OS.
  • Of course both reducing rights and sandboxing
    restrict the usability of the system. This
    reduction in the usefulness of the system might
    mean that the virus writer wins after all: the
    inconvenience to users may not be caused by the
    virus directly, but by the security system that
    protects us from the virus.

23
Removal and recovery
  • After detection of a virus, recovery from a virus
    infection is two-fold:
  • 1. Removal (disinfection) of viruses from the
    system:
  • you can often remove a virus from infected files
    without damaging the files, because the virus
    placement is prepended or appended to the file, or
    integration has not corrupted the original file;
  • deletion of infected files where the virus cannot
    be separated from them.
  • 2. Recovery of files deleted or modified by the
    action of the virus, or deleted in the
    disinfection process, so backups are an important
    part of any anti-virus strategy.