Lecture no. 4
Virus and Malicious Code
Malicious Code
► Malicious code can be a program or part of a program; a program part can even attach itself to another (good) program, so that the malicious effect occurs whenever the good program runs.
► Malicious code can do anything any other program can: write a message on the screen, stop a running program, generate a sound, or erase a stored file. Malicious code can even do nothing at all.
Malicious Code
So...
► What is malicious code?
► How can it take control of a system?
► How can it lodge in a system?
► How does malicious code spread?
► How can it be recognized?
► How can it be stopped?
Malicious Code
Types of Malicious Code
► Virus – attaches itself to a program and propagates copies of itself to other programs.
► Trojan horse – contains unexpected, additional functionality.
► Logic bomb – triggers an action when a condition occurs.
► Time bomb – triggers an action when a specific time occurs.
► Trapdoor – allows unauthorized access to functionality.
► Worm – propagates copies of itself through a network.
► Rabbit – a virus or worm that replicates itself without limit in order to exhaust resources.
Virus
► A virus
A program that passes malicious code on to other, non-malicious programs by modifying them.
Similar to a biological virus, it infects healthy subjects.
It infects a program by attaching itself to the program.
► It either destroys the program or coexists with it.
► A good program, once infected, becomes a carrier and infects other programs.
► It is either transient (active only while its infected host runs) or resident (it stays in memory after the host exits and keeps acting on its own).
Trojan Horse
► Trojan horse
Code that, in addition to its primary (expected) effect, has a second, hidden malicious effect.
Example 1: a login script that solicits a user's identification and password, passes the information to the system for login processing, and keeps a copy for malicious purposes.
Example 2: a cat command that displays text and also sends a copy of the text somewhere else.
Trapdoor
► Trapdoor/backdoor
A feature in a program by which someone can access the program with special privileges.
e.g. an ATM that accepts the code 990099 to execute a hidden function.
Worm
► Worm
Spreads copies of itself through a network.
A worm spreads through the network; a virus spreads through other media.
It spreads itself as a stand-alone program.
Trapdoors
► A secret, undocumented entry point into a module which allows specialized access.
► The trapdoor is inserted during code development
to test the modules, and to allow access in the event of errors.
► Trapdoors are vulnerabilities because they expose the system to modification during execution.
► The programmer usually removes trapdoors during program development. But sometimes the programmer
forgets to remove them, or
leaves them in the program for testing and maintenance, or as a covert means of access to the routine after it becomes an accepted production program.
Trapdoors
► A trapdoor can be used by anyone who discovers it, by accident or by exhaustive trials.
► Examples of trapdoors in program development which can be abused:
Debugging/testing software modules using drivers, stubs and debug control sequences
Poor-quality programs, e.g. a CASE statement that does not handle all possible ("default") values, so an unexpected input takes an unintended path
Unused opcodes in hardware designs, which can be exploited to do other undocumented things
► Trapdoors are generally useful during program development:
auditors introduce fictitious transactions and trace their effect
they are important for program maintenance
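The ATM code from the trapdoor slide, written out as an added example (not code from the lecture): a PIN check with a leftover maintenance code beside the hardened version, plus the "exhaustive trials" the slide mentions, run against an account that does not exist so that any success can only come from the trapdoor. The account records, the function names and the 990099 code itself are assumptions for demonstration.

```python
"""Trapdoor left in a PIN check versus the hardened version.

Added example; not code from the lecture. The account records, the
function names and the 990099 maintenance code (the lecture's ATM
illustration) are assumptions used for demonstration only.
"""
import hashlib
import hmac
import os


def _make_record(pin: str) -> tuple:
    """Store a salted SHA-256 of the PIN, never the PIN itself."""
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + pin.encode()).digest()


# Constructed sample accounts: name -> (salt, digest)
ACCOUNTS = {
    "alice": _make_record("4821"),
    "bob": _make_record("1937"),
}
# Dummy record used for unknown accounts so that a lookup miss costs the
# same work as a hit (an attacker cannot enumerate accounts by timing).
_DUMMY = _make_record("0000")

MAINTENANCE_CODE = "990099"   # hypothetical test code left in from development


def authenticate_vulnerable(account: str, pin: str) -> bool:
    """PIN check with a trapdoor: the maintenance code opens any account.

    Handy while testing, but it stayed in the production program, so
    anyone who learns the code, or simply tries all 10**6 six-digit
    values against any account name, gets in without a real PIN.
    """
    if pin == MAINTENANCE_CODE:          # the trapdoor
        return True
    record = ACCOUNTS.get(account)
    if record is None:
        return False
    salt, digest = record
    return hashlib.sha256(salt + pin.encode()).digest() == digest


def authenticate_hardened(account: str, pin: str) -> bool:
    """Same check with the trapdoor removed.

    Only the stored credential decides, and the digests are compared with
    hmac.compare_digest so a partial match does not leak through timing.
    """
    salt, digest = ACCOUNTS.get(account, _DUMMY)
    candidate = hashlib.sha256(salt + pin.encode()).digest()
    return hmac.compare_digest(candidate, digest) and account in ACCOUNTS


def count_universal_codes(check, digits: int = 6) -> int:
    """Exhaustive trial of every code of the given length against an
    account that does not exist. Any success can only come from a
    trapdoor, since the account has no credential at all."""
    return sum(1 for n in range(10 ** digits)
               if check("no-such-account", f"{n:0{digits}d}"))


if __name__ == "__main__":
    print("vulnerable universal codes:", count_universal_codes(authenticate_vulnerable))
    print("hardened   universal codes:", count_universal_codes(authenticate_hardened))
```

The vulnerable version reports exactly one "universal" code, which is the trapdoor; the hardened version reports none. Removing the literal comparison is the whole fix; the salted hash and constant-time compare are the surrounding hygiene a reviewer would expect to see in the same function.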
How Viruses Attach?
(1) Appended Virus
[Diagram: Original program + Virus code = Virus code placed before the Original program]
How Viruses Attach?
(1) Appended Viruses
► A virus attaches itself to a program.
► Whenever the program runs, the virus is activated.
► The virus simply inserts a copy of itself into the program file before the first executable instruction, so that all the virus instructions execute first, followed by the real program's instructions.
How Viruses Attach?
(2) Viruses that surround a program
[Diagram: Original program + Virus code = Virus code (part a), Original program, Virus code (part b)]
This kind of virus runs the original program but has control both before and after its execution.
How Viruses Attach?
(3) Integrated Viruses and Replacement
[Diagram: Original program + Virus code = Modified program, with the virus code woven into the original code]
How Viruses Attach?
(3) Integrated Viruses and Replacement
► A virus might replace some of its target, integrating itself into the original code of the target.
► Finally, the virus can replace the entire target, either mimicking the effect of the target or ignoring the expected effect of the target and performing only the virus effect.
How Viruses Gain Control?
(1) Overwriting Target
[Diagram: a file directory entry for T and its disk storage. Before: the entry for T points to T's code. After overwriting: the entry still points to the same place, but the code stored there is now V.]
How Viruses Gain Control?
(1) Overwriting Target
► The virus (V) has to be invoked instead of the target (T).
► Either the virus (V) has to be seen to be T, saying effectively "I'm T",
► or the virus (V) has to push T out of the way and become a substitute for T, saying effectively "call me instead of T".
How Viruses Gain Control?
(2) Changing Pointers
[Diagram: a file directory entry for T. Before: the entry points to T's code. After: the entry points to V's code, while T's code still exists elsewhere on disk.]
The virus changes the pointers in the file table so that V is located instead of T whenever T is accessed through the file system.
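The three attachment shapes and the pointer-changing trick, modelled on byte strings, with the check that catches all of them: a size and hash baseline taken from a clean copy of the executable (the "backup copies of executable system files" that the prevention slide recommends). This is an added example and not code from the lecture; the program and virus bodies are constructed stand-ins for machine code, and the directory/storage dictionaries are an assumed model of a file table.

```python
"""How a virus attaches to a program, and why a stored hash of the
clean executable detects every attachment mode.

Added example, not from the lecture. The program and virus bodies are
constructed byte strings standing in for machine code; the file-table
model (directory dict -> storage dict) is an assumption used to
illustrate the pointer-changing case.
"""
import hashlib

ORIGINAL = b"PROG:" + bytes(range(64))   # constructed "clean program" (69 bytes)
VIRUS = b"VIRUS-BODY"                    # constructed stand-in for virus code


def appended(target: bytes, virus: bytes) -> bytes:
    """(1) Appended: virus placed before the first program instruction,
    so it executes first and then falls through to the real program."""
    return virus + target


def surrounding(target: bytes, virus_a: bytes, virus_b: bytes) -> bytes:
    """(2) Surrounding: virus runs before (part a) and after (part b)
    the original program, so it regains control when the program exits."""
    return virus_a + target + virus_b


def integrated(target: bytes, virus: bytes, offset: int) -> bytes:
    """(3) Integrated: virus overwrites part of the target in place;
    the file size does not change, so size alone is not a detector."""
    return target[:offset] + virus + target[offset + len(virus):]


def fingerprint(image: bytes) -> tuple:
    """Baseline record kept with the backup copy: (size, SHA-256)."""
    return len(image), hashlib.sha256(image).hexdigest()


def is_modified(baseline: tuple, image: bytes) -> bool:
    return fingerprint(image) != baseline


def infect_by_pointer(directory: dict, storage: dict, name: str, virus: bytes) -> None:
    """Pointer change: T's own bytes are untouched. A new block V holds the
    virus followed by the real T, and the directory entry for T now names V."""
    storage["V"] = virus + storage[directory[name]]
    directory[name] = "V"


def resolve(directory: dict, storage: dict, name: str) -> bytes:
    """What the file system hands back when `name` is opened."""
    return storage[directory[name]]


def demo() -> dict:
    base = fingerprint(ORIGINAL)
    results = {
        "clean": is_modified(base, ORIGINAL),
        "appended": is_modified(base, appended(ORIGINAL, VIRUS)),
        "surrounding": is_modified(base, surrounding(ORIGINAL, b"VA", b"VB")),
        "integrated": is_modified(base, integrated(ORIGINAL, VIRUS, 20)),
        # size is unchanged for the integrated case, yet the hash differs
        "integrated_same_size": len(integrated(ORIGINAL, VIRUS, 20)) == len(ORIGINAL),
    }
    directory = {"T": "blk7"}
    storage = {"blk7": ORIGINAL}
    infect_by_pointer(directory, storage, "T", VIRUS)
    # Checking the block where T used to live says "clean"; checking what the
    # name T actually resolves to says "modified". Check the latter.
    results["pointer_block_untouched"] = not is_modified(base, storage["blk7"])
    results["pointer_resolved_modified"] = is_modified(base, resolve(directory, storage, "T"))
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28s} {v}")
```

The practical lesson is in the last two results: an integrity checker must hash the bytes that the file name resolves to at run time, not a block it remembered the address of, or the pointer-changing virus is invisible to it.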
Home for Viruses
Boot Sector Viruses
► A special case of virus attachment, but a fairly popular one.
► When a computer is started, control starts with firmware that determines which hardware components are present, tests them, and transfers control to the OS.
► The OS is software stored on disk. The OS has to start with code that copies it from disk to memory and transfers control to it; this is called the bootstrap load.
► Booting: the firmware reads the boot sector (a fixed location on the hard disk) into a fixed location in memory and jumps to the address that contains the bootstrap loader.
Home for Viruses
► The loader loads the OS into memory.
► The boot sector on a PC is only 512 bytes, so the bootstrap loader that fits in it is small.
► Chaining is used to support a bigger bootstrap: the code in the boot sector loads the next piece, which loads the next, and so on.
► This mechanism can be exploited for virus installation.
► The virus writer can break the chain, point it to the virus code, and reconnect the chain after the virus has installed itself.
► The advantage: the virus gains control early in the boot process, before the OS (and any detector it would run) is loaded.
► It hides in the boot area, which is not accessible to users through ordinary file operations.
Home for Viruses
[Diagram: Before infection, the boot sector holds the bootstrap loader, which chains to "system initialize" in other sectors. After infection, the bootstrap loader in the boot sector chains to the virus code first, and the virus code then chains on to "system initialize" in the other sectors.]
Home for Viruses
A virus can:
► attach itself to the system files IO.SYS or MSDOS.SYS
► attach itself to any other program loaded because of an entry in CONFIG.SYS or AUTOEXEC.BAT, or
► add an entry to CONFIG.SYS or AUTOEXEC.BAT to cause itself to be loaded
► Examples: the Brain virus (a boot sector virus) and the CIH virus (a Windows 9x file infector)
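The "break the chain" step above, made concrete on a 512-byte sector, together with the check a detector performs: verify the 55AA boot signature, decode the entry jump and compare both it and a hash of the code area against a baseline recorded from a known-clean sector (for instance the write-protected bootable diskette the prevention slide says to keep). This is an added example, not lecture code. The sector is a constructed FAT-style volume boot sector whose first instruction is a short JMP over the parameter block; the offsets and the spot the virus writes to are assumptions chosen so the example is self-contained.

```python
"""Boot-sector check for the 'break the chain' attachment the lecture
describes. Added example, not lecture code. The sector is a constructed
FAT-style volume boot sector (first instruction: short JMP over the
parameter block to the loader); offsets and the virus placement are
assumptions chosen so the example is self-contained.
"""
import hashlib
import struct

SECTOR = 512
SIG_OFF = 510
BOOT_SIG = b"\x55\xAA"      # the BIOS refuses to boot a sector without it
PART_TABLE = 0x1BE          # partition table starts here; code lives before it
CODE_START = 0x3E           # where the real loader begins (assumption)
VIRUS_START = 0x70          # unused space the virus writer picks (assumption)


def build_clean_sector() -> bytes:
    sec = bytearray(SECTOR)
    # JMP SHORT rel8 ; NOP   -> target = 2 + rel8 = CODE_START
    sec[0:3] = bytes([0xEB, CODE_START - 2, 0x90])
    sec[3:11] = b"MSDOS5.0"                      # OEM name field, cosmetic
    # cli ; xor ax,ax ; mov ss,ax ; mov sp,7C00h  (typical loader prologue)
    loader = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C"
    sec[CODE_START:CODE_START + len(loader)] = loader
    sec[SIG_OFF:] = BOOT_SIG
    return bytes(sec)


def jmp_target(sector: bytes):
    """Decode the first instruction if it is JMP SHORT (EB rel8) or
    JMP NEAR (E9 rel16) and return the offset it lands on, else None."""
    if sector[0] == 0xEB:
        return 2 + struct.unpack("<b", sector[1:2])[0]
    if sector[0] == 0xE9:
        return 3 + struct.unpack("<h", sector[1:3])[0]
    return None


def infect(sector: bytes) -> bytes:
    """Model of breaking the chain: drop virus code into unused space,
    repoint the entry JMP at it, and end the virus with a jump back to
    the original loader so the machine still boots normally."""
    sec = bytearray(sector)
    orig_target = jmp_target(sector)
    body = b"\xB8\x13\x00"                         # placeholder virus instructions
    back_jmp_at = VIRUS_START + len(body)
    rel8 = (orig_target - (back_jmp_at + 2)) & 0xFF   # JMP SHORT back to the loader
    sec[VIRUS_START:back_jmp_at + 2] = body + bytes([0xEB, rel8])
    sec[1] = (VIRUS_START - 2) & 0xFF              # entry JMP now lands on the virus
    return bytes(sec)


def baseline(sector: bytes) -> dict:
    """What to record from a known-clean sector."""
    return {"target": jmp_target(sector),
            "code_sha256": hashlib.sha256(sector[:PART_TABLE]).hexdigest()}


def check(sector: bytes, base: dict) -> list:
    """Return findings; an empty list means the sector matches the baseline."""
    findings = []
    if len(sector) != SECTOR or sector[SIG_OFF:] != BOOT_SIG:
        findings.append("missing 55AA boot signature")
    target = jmp_target(sector)
    if target != base["target"]:
        findings.append(f"entry jump redirected to offset {target}")
    if hashlib.sha256(sector[:PART_TABLE]).hexdigest() != base["code_sha256"]:
        findings.append("boot code area modified")
    return findings


if __name__ == "__main__":
    clean = build_clean_sector()
    base = baseline(clean)
    print("clean:   ", check(clean, base))
    print("infected:", check(infect(clean), base))
```

Note that the infected sector still carries a valid 55AA signature and still boots; only the comparison against a baseline, or the redirected entry jump, gives it away. That is why the lecture's advice to keep a clean, write-protected boot medium matters: it is where the baseline comes from.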
Home for Viruses
Memory-Resident Viruses
► Some parts of the OS or of a program execute, terminate and disappear, with their space in memory becoming available for anything executed later.
► Frequently used code remains in a special area of memory and is called "resident code" or a TSR (terminate-and-stay-resident program).
► Virus writers like to attach viruses to resident code because it is activated many times while the machine is running.
► Each time the resident code runs, the virus does too.
► Once activated, the virus can look for and infect uninfected carriers.
► The virus may target uninfected diskettes.
Home for Viruses
Other Homes for Viruses
► A popular home for viruses is an application program.
► Word processors and spreadsheets have macros, where users may record a series of commands to be run with a single invocation.
► A virus writer may create a startup macro that contains the virus.
► It also embeds a copy of itself in data files, so that the infection spreads to anyone receiving them.
► Libraries are also excellent places for viruses, because they are used by many programs; the code in them has a broad effect and is shared between users.
Virus Signature
► Virus code cannot be completely invisible: code must be in memory to be executed.
► Viruses have their own characteristics and behaviour, which form a signature.
► (1) Storage pattern – for viruses that attach to programs stored on disk.
The attached virus piece is invariant, so the start of the virus code becomes a detectable signature.
The attached portion may be only a small piece of code that JUMPs to the virus module stored elsewhere.
Virus Signature
(2) Execution Pattern
► A virus writer may want a virus to do several things:
spread infection
avoid detection
cause harm
► The harm that a virus can cause is unlimited:
do nothing
display a message on the screen
play music
erase a file or the entire disk
prevent booting
write on the hard disk
Virus Signature
(3) Transmission Pattern
► A virus also has to have some means of transmission from one disk to another.
► Viruses can travel during the boot process, with an executable file, or in data files.
► Viruses travel during execution of an infected program.
► Because a virus can execute any instruction a program can, virus travel is not confined to any single medium or execution pattern.
Virus Signature
(4) Polymorphic Viruses
► A polymorphic virus is a virus that can change its appearance.
► "Poly" means "many" and "morph" means "form".
► To avoid detection, not every copy of a polymorphic virus has to differ from every other copy; it is enough that no single fixed byte signature matches all the copies.
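The storage-pattern signature from part (1) and the polymorphic evasion from part (4), side by side as an added example (not lecture code). Two copies of the same constructed "virus" differ only in a one-byte XOR key; a fixed signature extracted from the first copy misses the second, while a wildcard signature over the invariant decryptor stub, or decoding the body the way a scanner's emulation would, catches both. The stub layout, the body bytes and the host program are constructed for the example, not real malware.

```python
"""Fixed-byte signatures versus a polymorphic copy.

Added example, not lecture code. The 'virus body', the decryptor stub and
the host program are constructed byte strings (not real malware); the
stub layout, with the per-copy key in a fixed slot, is an assumption.
"""

# Constructed body every copy carries, but only in encoded form on disk.
BODY = b"\x90\x90\xB8\x00\x4C\xCD\x21"
# Constructed decryptor stub: invariant bytes, with the XOR key between them.
STUB_PREFIX = b"\xBE\x00\x01\xB0"          # mov si,0x100 ; mov al,<key>
STUB_SUFFIX = b"\x30\x04\x46\xE2\xFB"      # xor [si],al ; inc si ; loop
HOST = b"HOST-PROGRAM" + bytes(range(32))  # constructed clean program


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_copy(key: int) -> bytes:
    """One copy of the virus: the stub carrying its key, then the body
    encoded under that key. Different keys give different bytes on disk
    while the decoded behaviour is identical (key 0 would leave the body
    in clear, so a real writer never picks it)."""
    return STUB_PREFIX + bytes([key]) + STUB_SUFFIX + xor_bytes(BODY, key)


def fixed_signature_scan(image: bytes, signature: bytes) -> bool:
    """Storage-pattern detector: an invariant byte string is present."""
    return signature in image


def wildcard_scan(image: bytes, pattern: list) -> bool:
    """Signature with wildcards (None matches any byte), so the variable
    key slot inside the otherwise invariant stub can be skipped."""
    n = len(pattern)
    return any(all(p is None or image[i + k] == p for k, p in enumerate(pattern))
               for i in range(len(image) - n + 1))


def decoding_scan(image: bytes) -> bool:
    """Locate the stub, read the key it carries, decode what follows and
    look for the body: what a scanner achieves by emulating the decryptor."""
    i = image.find(STUB_PREFIX)
    while i != -1:
        key_at = i + len(STUB_PREFIX)
        after = key_at + 1
        if image[after:after + len(STUB_SUFFIX)] == STUB_SUFFIX:
            start = after + len(STUB_SUFFIX)
            if xor_bytes(image[start:start + len(BODY)], image[key_at]) == BODY:
                return True
        i = image.find(STUB_PREFIX, i + 1)
    return False


def demo() -> dict:
    copy_a = make_copy(0x5A) + HOST          # appended-style infection, key 0x5A
    copy_b = make_copy(0xC3) + HOST          # the same virus, a different key
    sig_from_a = xor_bytes(BODY, 0x5A)       # what an analyst extracts from sample A
    stub_pattern = [*STUB_PREFIX, None, *STUB_SUFFIX]
    return {
        "copies_differ": copy_a != copy_b,
        "body_in_clear": BODY in copy_a or BODY in copy_b,
        "fixed_sig_detects_a": fixed_signature_scan(copy_a, sig_from_a),
        "fixed_sig_detects_b": fixed_signature_scan(copy_b, sig_from_a),
        "wildcard_detects_b": wildcard_scan(copy_b, stub_pattern),
        "decoding_detects_b": decoding_scan(copy_b),
        "clean_host_flagged": wildcard_scan(HOST, stub_pattern) or decoding_scan(HOST),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22s} {v}")
```

The slide's point that "not every copy has to differ from every other" is visible here: the two copies share ten invariant stub bytes, and that shared remainder is exactly what the wildcard and decoding scanners key on. A detector that only looks for the bytes of the first captured sample is the one that loses.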
Preventing Viruses
► Use only commercial software acquired from reliable, well-established vendors.
► Test all new software on an isolated computer.
► Make a bootable diskette and store it safely; write-protect it before booting from it.
► Make and retain backup copies of executable system files.
► Use virus detectors regularly.
► Don't trust any source from outside until it has been tested first.
