Stub / debug routine – a test routine used to inject data into, and extract results from, the component being tested.
1. Chapter 5
Virus and Malicious Code
2. Malicious Code
► Malicious code can be a program or part of a program; a program part can even attach itself to another (good) program so that the malicious effect occurs whenever the good program runs.
► Malicious code can do anything any other program can, such as writing a message on the screen, stopping a running program, generating a sound or erasing a stored file; malicious code can even do nothing at all.
3. Malicious Code
► What is malicious code?
► How can it take control of a system?
► How can it lodge in a system?
► How does malicious code spread?
► How can it be recognized?
► How can it be stopped?
4. Malicious Code
Types of Malicious Code
► Virus – attaches itself to a program and propagates copies of itself to other programs.
► Trojan horse – contains unexpected, additional functionality.
► Logic bomb – triggers an action when a condition occurs.
► Time bomb – triggers an action when a specific time occurs.
► Trapdoor – allows unauthorized access to functionality.
► Worm – propagates copies of itself through a network.
► Rabbit – like a virus or worm, replicates itself without limit to
5. Virus
► A program that passes on malicious code to other, non-malicious programs by modifying them.
► Similar to a biological virus, it infects healthy
► It infects a program by attaching itself to the program.
► It may destroy the program or coexist with it.
► A good program, once infected, becomes a carrier and infects other programs.
► Either transient (active only while its host program runs) or resident (stays in memory and runs stand-alone).
6. Trojan Horse
Malicious code that, in addition to its primary (expected) effect, has a second, malicious effect.
Example 1: a login script that solicits a user's identification and password, passes the information to the system for login processing, and keeps a copy for malicious purposes.
Example 2: a cat command that displays the text and also sends a copy of the text somewhere else.
► Trapdoor / backdoor
A feature in a program by which someone can access the program with special privilege.
e.g. an ATM that accepts 990099 to execute
► Worm
Spreads copies of itself through a network.
A worm spreads through the network, a virus through other
Spreads itself as a stand-alone program.
► A secret, undocumented entry point into a module which allows specialized access.
► Trapdoors are inserted during code development to test the modules and to allow access in the event of an error.
► Trapdoors are vulnerabilities because they expose the system to modification during execution.
► The programmer usually removes trapdoors during program development, but sometimes:
forgets to remove them;
leaves them in the program for testing and maintenance;
or leaves them as a covert means of access to the routine after it becomes an accepted production program.
► A trapdoor can be used by anyone who discovers it, by accident or by exhaustive trial.
► Examples of trapdoors in program development which can
Debugging/testing of software modules using drivers and stubs and debug control sequences.
Poor-quality programs, e.g. use of a CASE statement which captures
Unused opcodes in hardware design which can be exploited to do other undocumented things.
► Trapdoors are generally desirable in program development:
auditors introduce fictitious transactions and trace their effect;
important for program maintenance.
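As an added illustration, not from the slides, the following Python models the two trapdoor shapes described above: a debug control sequence left in after testing, and a CASE-style dispatch with no default case that falls through to a privileged path. It also shows the hardened handler and a black-box "exhaustive trial" probe of the kind the slide warns about. All command names, the credential and the data are hypothetical.

```python
# Added example (not from the slides): a command handler that shipped with two
# trapdoors, a hardened version, and a probe that finds them the way an attacker
# would, by trying commands without logging in. Names and values are hypothetical.
from dataclasses import dataclass, field

SECRET_DATA = {"balance": 1200}      # constructed sample data
VALID_PASSWORD = "correct-horse"     # hypothetical credential checked by LOGIN


@dataclass
class Session:
    user: str
    authenticated: bool = False
    audit: list = field(default_factory=list)


def enter_maintenance(session):
    """Maintenance mode lifts every restriction; no caller should be able to reach it."""
    session.authenticated = True
    return "maintenance mode: all checks off"


def handle_vulnerable(session, command, arg=""):
    """Handler as it left development.
    Trapdoor 1: DEBUG-DUMP, a debug control sequence added for testing, returns
    protected data without any authentication.
    Trapdoor 2: the dispatch has no default case, so any unrecognised command
    falls through into enter_maintenance()."""
    if command == "LOGIN":
        session.authenticated = (arg == VALID_PASSWORD)
        return "ok" if session.authenticated else "denied"
    if command == "DEBUG-DUMP":               # test hook that was never removed
        return dict(SECRET_DATA)
    if command == "BALANCE":
        return SECRET_DATA["balance"] if session.authenticated else "denied"
    return enter_maintenance(session)         # missing default: fall-through


def handle_hardened(session, command, arg=""):
    """Same interface: debug hook removed, authentication checked once before
    any privileged command, unknown commands rejected and logged."""
    if command == "LOGIN":
        session.authenticated = (arg == VALID_PASSWORD)
        return "ok" if session.authenticated else "denied"
    if not session.authenticated:
        session.audit.append(f"denied {command!r} for {session.user}")
        return "denied"
    if command == "BALANCE":
        return SECRET_DATA["balance"]
    session.audit.append(f"unknown command {command!r} from {session.user}")
    return "unknown command"


def probe_unauthenticated(handler, candidates):
    """Exhaustive-trial check: every command that does not answer 'denied' to an
    unauthenticated session is a potential trapdoor. A fresh session is used per
    probe so that a fall-through which grants access cannot mask later probes."""
    hits = []
    for cmd in candidates:
        if handler(Session("probe"), cmd) != "denied":
            hits.append(cmd)
    return hits


CANDIDATES = ["BALANCE", "DEBUG-DUMP", "MAINT", "XYZZY"]
```

Run `probe_unauthenticated(handle_vulnerable, CANDIDATES)` and every command except BALANCE comes back as a hit; the hardened handler returns an empty list. The probe only finds trapdoors that answer differently from the legitimate "denied" path, which is why the hardened handler also logs unknown commands rather than echoing anything informative.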
11. How Viruses Attach?
(1) Appended Virus
(Figure: original program + virus code = infected program)
12. How Viruses Attach?
(1) Appended Viruses
► A virus attaches itself to a program.
► Whenever the program runs, the virus is activated.
► The virus simply inserts a copy of itself into the program file before the first executable instruction, so that all the virus instructions are executed first, followed by the real program's instructions.
13. How Viruses Attach?
(2) Viruses that surround a program
(Figure: virus code placed before and after the original program)
This kind of virus runs the original program but has control both before and after its execution.
14. How Viruses Attach?
(3) Integrated Viruses and Replacement
15. How Viruses Attach?
(3) Integrated Viruses and Replacement
► A virus might replace some of its target, integrating itself into the original code of the target.
► Finally, the virus can replace the entire target, either mimicking the effect of the target, or ignoring the expected effect of the target and performing only the virus's own effect.
16. How Viruses Gain Control?
(1) Overwriting Target
17. How Viruses Gain Control?
(1) Overwriting Target
► The virus (V) has to be invoked instead of the target (T).
► Either V has to be seen to be T, saying effectively "I'm T",
► or V has to push T out of the way and become a substitute for T, saying effectively "call me instead of T".
18. How Viruses Gain Control?
(2) Changing Pointers
The virus changes the pointers in the file table so that V is located instead of T whenever T is accessed through the file system.
19. Home for Viruses
Boot Sector Viruses
► A special case of virus attachment, but a fairly popular
► When a computer is started, control starts with firmware that determines which hardware components are present, tests them and transfers control to the OS.
► The OS is software stored on disk. It has to be started by code that copies it from disk into memory and transfers control to it; this is the bootstrap load.
► Booting: the firmware reads the boot sector (a fixed location on the hard disk) into a fixed location in memory and jumps to the address that contains the bootstrap loader.
20. Home for Viruses
► The loader loads the OS into memory.
► The boot sector on a PC holds less than 512 bytes.
► Chaining is used to support a bootstrap loader that is too big for one sector.
► This mechanism can be exploited for virus installation.
► The virus writer can break the chain, point it to the virus code, and reconnect the chain after the virus has been installed.
► The advantage: the virus gains control early, during the boot.
► It hides in the boot area, which is not accessible to ordinary users.
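The chained bootstrap just described, as an added model in Python that is not part of the slides: a chain of sectors, the break-and-reconnect installation the slide describes, and the check that a trusted reference copy of the boot area makes possible. Sector numbers, payload strings and the hidden virus sector are constructed stand-ins, not real boot code.

```python
# Added example (not from the slides): a toy model of a chained bootstrap loader
# and a boot-sector virus that splices itself into the chain. Sector numbers and
# payloads are constructed; nothing here is executable boot code.
import hashlib

# Each sector: (payload bytes, number of the next sector in the chain, or None).
CLEAN_DISK = {
    0: (b"boot sector: load stage 2", 1),
    1: (b"stage 2: init disk, load kernel part A", 2),
    2: (b"stage 3: load kernel part B, jump to OS", None),
}
VIRUS_SECTOR = 77   # hypothetical hidden sector outside the normal chain


def walk_chain(disk, start=0, limit=64):
    """Follow the chain as the firmware and loader would, returning the sectors
    executed in order. The limit guards against a chain that loops."""
    seq, cur = [], start
    while cur is not None and len(seq) < limit:
        seq.append(cur)
        cur = disk[cur][1]
    return seq


def chain_fingerprint(disk):
    """Hash of every sector payload in execution order: what a trusted,
    write-protected copy of the boot area would be compared against."""
    h = hashlib.sha256()
    for s in walk_chain(disk):
        h.update(disk[s][0])
    return h.hexdigest()


def install_boot_virus(disk, virus):
    """The installation the slide describes: break the chain after the boot
    sector, point it at the virus sector, and have the virus sector point on to
    the original next sector so the OS still boots."""
    infected = dict(disk)
    payload, original_next = infected[0]
    infected[VIRUS_SECTOR] = (virus, original_next)   # virus reconnects the chain
    infected[0] = (payload, VIRUS_SECTOR)              # boot sector now leads to the virus
    return infected


def check_boot_area(disk, trusted_fingerprint):
    """Detection: the payload hash over the executed chain no longer matches the
    reference, whether the virus changed a link or a sector's contents."""
    return chain_fingerprint(disk) == trusted_fingerprint
```

Because the infected chain still ends at the OS loader, the machine boots normally and the only visible difference is the extra hop through sector 77; that is exactly why the reference fingerprint has to be kept somewhere the running system (and the virus) cannot rewrite, such as the write-protected boot diskette recommended later in the chapter.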
21. Home for Viruses
22. Home for Viruses
A virus can:
► attach itself to the system files IO.SYS or
► attach itself to any other program loaded because of an entry in CONFIG.SYS, or
► add an entry to CONFIG.SYS or AUTOEXEC.BAT to cause it to be
► Examples: the CIH virus, the BRAIN virus.
23. Home for Viruses
► Some parts of the OS or of a program execute, terminate and disappear, with their space in memory becoming available for anything executed later.
► Frequently used code remains in a special area of memory and is called "resident code" or a TSR (terminate and stay resident) program.
► Virus writers also like to attach viruses to resident code because it is activated many times while the machine is running.
► Each time the resident code runs, the virus does too.
► Once activated, the virus can look for and infect uninfected
► A virus may also target uninfected diskettes.
24. Home for Viruses
Other Homes for Viruses
► A popular home for viruses is an application program.
► Word processors and spreadsheets have macros, with which users may record a series of commands to be run with a single
► The virus writer may create a startup macro that contains the virus
► It also embeds a copy of itself in data files so that the infection spreads to anyone receiving them.
► Libraries are also excellent places for viruses, because they are used by many programs: the code in them has a broad effect and is shared between users.
25. Virus Signature
► Virus code cannot be completely invisible.
► Code must be in memory to be executed.
► Viruses have their own characteristics/behaviours:
(1) Storage pattern – for viruses that attach to programs stored on disk.
The attached virus piece is invariant, so that the start of the virus code becomes a
Or only a small portion is attached at the start, with a JUMP to the virus module.
26. Virus Signature
(2) Execution pattern
► A virus writer may want a virus to do several things:
Cause harm – the harm that a virus can cause is unlimited:
► do nothing
► display a message on the screen
► play music
► erase a file or the entire disk
► prevent booting
► write on the hard disk
27. Virus Signature
(3) Transmission pattern
► A virus also has to have some means of transmission from one disk to another.
► Viruses can travel during the boot process, with an executable file, or in data files.
► Viruses travel during execution of an infected
► Because a virus can execute any instruction a program can, virus travel is not confined to any single medium or execution pattern.
28. Virus Signature
(4) Polymorphic Viruses
► A virus that can change its appearance.
► "Poly" means "many" and "morph" means "form".
► To avoid detection, not every copy of a polymorphic virus has to differ from every other copy.
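Added example, not part of the original slides, covering both the attachment slides (appended, surrounding, replacing) and the signature slides (storage pattern, polymorphism): the three attachment shapes are modelled on byte strings, a storage-pattern signature scanner is run over each, and a simple XOR-polymorphic copy is shown to evade the plain scan until the scanner also decodes. ORIGINAL, VIRUS and the "DEC:" decoder marker are constructed placeholders, not real code.

```python
# Added example (not from the slides): attachment shapes modelled on byte strings,
# a storage-pattern signature scan, and a simple polymorphic copy that the plain
# scan misses. ORIGINAL, VIRUS and DECODER_STUB are constructed placeholders.
ORIGINAL = b"PROGRAM: open file; print report; exit"
VIRUS = b"VIRUS: find hosts; copy self; payload"
SIGNATURE = VIRUS[:8]     # the invariant start of the virus code is the signature
DECODER_STUB = b"DEC:"    # hypothetical marker for a tiny decoder, followed by a 1-byte key


def infect_appended(program, virus):
    """Appended virus: inserted before the first instruction, so it runs first."""
    return virus + program


def infect_surrounding(program, virus):
    """Surrounding virus: control before and after the original program."""
    return virus + program + virus


def infect_replacing(program, virus):
    """Replacement: the virus replaces the whole target."""
    return virus


def infect_polymorphic(program, virus, key):
    """Polymorphic copy: body XOR-encoded with a per-copy key, so two copies with
    different keys share no long invariant run; only the short decoder stays constant."""
    body = bytes(b ^ key for b in virus)
    return DECODER_STUB + bytes([key]) + body + program


def scan_signature(image):
    """Storage-pattern scan: look for the invariant virus prefix in the file image."""
    return SIGNATURE in image


def scan_with_decoding(image):
    """The polymorphic copy defeats the plain scan, but its decoder stub is itself
    invariant: locate it, recover the key, decode what follows, then scan again."""
    if scan_signature(image):
        return True
    i = image.find(DECODER_STUB)
    if i == -1 or i + len(DECODER_STUB) >= len(image):
        return False
    key = image[i + len(DECODER_STUB)]
    decoded = bytes(b ^ key for b in image[i + len(DECODER_STUB) + 1:])
    return SIGNATURE in decoded


def scan_report(images):
    """{name: (plain signature scan result, decoding scan result)}"""
    return {name: (scan_signature(img), scan_with_decoding(img))
            for name, img in images.items()}


# Constructed sample set: one clean image and one per attachment shape.
SAMPLES = {
    "clean": ORIGINAL,
    "appended": infect_appended(ORIGINAL, VIRUS),
    "surrounding": infect_surrounding(ORIGINAL, VIRUS),
    "replacing": infect_replacing(ORIGINAL, VIRUS),
    "polymorphic": infect_polymorphic(ORIGINAL, VIRUS, 0x5A),
}
```

`scan_report(SAMPLES)` flags the appended, surrounding and replacing images with the plain scan, and the polymorphic one only after decoding. The decoding scanner works here because the decoder itself never changes; real polymorphic engines also vary the decoder, which is why production scanners fall back to emulating the first instructions rather than pattern-matching them.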
29. Preventing Viruses
► Use only commercial software acquired from reliable, well-established vendors.
► Test all new software on an isolated computer.
► Make a bootable diskette and store it safely; write-protect it before booting from it.
► Make and retain backup copies of executables.
► Use virus detectors regularly.
► Don't trust any source from outside until it has been
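An added example (not from the slides) of what "retain backup copies of executables" and "use virus detectors regularly" amount to as a check: a hash baseline over executables and a comparison that reports modified, added and removed files. The directory, file names and contents are constructed in a temporary directory; the list of executable suffixes is an assumption.

```python
# Added example (not from the slides): baseline-and-compare integrity check for
# executables. The file tree is constructed in a temporary directory; the suffix
# list is an assumed convention for "executable".
import hashlib
import os
import tempfile
from pathlib import Path

EXEC_SUFFIXES = {".exe", ".com", ".sys", ".bat"}   # assumed executable types


def sha256_file(path):
    """Digest of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map relative path -> digest for every executable under root.
    The result must be stored write-protected or off the machine, like the
    rescue diskette, or an infection can simply update it."""
    root = Path(root)
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES
    }


def compare(reference, current):
    """Classify differences between the trusted baseline and a fresh scan.
    Any attachment shape (appended, surrounding, replacing) changes the digest."""
    return {
        "modified": sorted(k for k in reference if k in current and current[k] != reference[k]),
        "added": sorted(k for k in current if k not in reference),
        "removed": sorted(k for k in reference if k not in current),
    }


def demo():
    """Build a small tree, take a baseline, simulate an appended-virus infection,
    a dropped file and a deleted tool, and return what the check reports."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app.exe").write_bytes(b"APP: original code")
        (root / "tool.com").write_bytes(b"TOOL: original code")
        (root / "readme.txt").write_bytes(b"not executable, not tracked")
        ref = baseline(root)
        # Appended virus: virus bytes placed before the program's first instruction.
        (root / "app.exe").write_bytes(b"VIRUS: payload" + (root / "app.exe").read_bytes())
        (root / "dropper.bat").write_bytes(b"@echo infected")
        os.remove(root / "tool.com")
        return compare(ref, baseline(root))
```

`demo()` reports app.exe as modified, dropper.bat as added and tool.com as removed. A content digest catches every attachment shape on the slides, but it says nothing about files that were never in the baseline set, so the suffix list (or better, a scan of every file) and the protection of the baseline itself are where this check stands or falls.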