Virus and Malicious Code Chapter 5

Chapter 5Chapter 5
Virus and Malicious CodeVirus and Malicious Code

Malicious CodeMalicious Code
► Malicious code can be a program or part of aMalicious code can be a program or part of a
program; a program part can even attach itself toprogram; a program part can even attach itself to
another (good) program so that malicious effectanother (good) program so that malicious effect
occurs whenever the good program runs.occurs whenever the good program runs.
► Malicious code can do anything other program canMalicious code can do anything other program can
such as writing a message on a computer screen,such as writing a message on a computer screen,
stopping a running program, generating a soundstopping a running program, generating a sound
or erasing a stored file – malicious code can evenor erasing a stored file – malicious code can even
do nothing at all.do nothing at all.

So…..So…..
► What is a malicious code?What is a malicious code?
► How can it take control of a system?How can it take control of a system?
► How can it lodge in a system?How can it lodge in a system?
► How does malicious code spread?How does malicious code spread?
► How can it be recognized?How can it be recognized?
► How can it be stopped?How can it be stopped?

Types of Malicious Code
► Virus – attach itself to program and propagates copies of
itself to other programs.
► Trojan Horse – contain unexpected, additional
functionality.
► Logic bomb – triggers action when condition occur.
► Time bomb - triggers action when specific time occur.
► Trapdoor – allows unauthorized access to functionality.
► Worm – propagates copies of itself through network.
► Rabbit – as a virus or worm replicates itself without limit to
exhaust resources.

VirusVirus
► A virus
 A program that pass on malicious code to other
non malicious (program) by modifying them.
 Similar to biological virus, it infects healthy
subjects
 Infects a program by attaching the program
►Destroy the program or coexist with it.
►A good program, once infected becomes a
carrier and infects other program.
►Either transient or resident (stand alone).

Trojan HorseTrojan Horse
►Trojan Horse
 A malicious code, in addition to primary effect, it
has a malicious effect.
 Example 1: a login scripts that solicits a user’s
identification and password, passes the info to
the system for logging processing and keeps a
copy for malicious purpose.
 Example 2: a cat command that displays text
and sends a copy of the text to somewhere
else.

TrapdoorTrapdoor
► Trapdoor/ backdoor
 A feature in a program by which someone can
access the program using special privilege.
 e.g. ATM provides 990099 to execute
something

WormWorm
►Worm
 Spread copies of itself through a network.
 Worm through network and virus through other
medium.
 Spread itself as a stand-alone program.

Trapdoors
► A secret, undocumented entry point into a module which
allows a specialized access.
► The trapdoor is inserted during code development
 Test the modules, allow access in events of error
► Trapdoor are vulnerabilities because they expose the
system to modification during execution.
► The programmer usually removes trapdoors during
program development. But sometimes,
 forget to remove them
 leaves them in the program for testing and maintenance
 or as a covert means of access to the routine after it becomes
an accepted production program.

Trapdoors
► It can be used by anyone who discovers the trapdoor by
accident or exhaustive trials.
► Examples of trapdoors in program development which can
be abused
 Debugging/testing software modules using drivers and stubs and
debug control sequences
 Poor quality program, e.g use of CASE statement which captures
all “defaults”
 Unused opcodes in hardware design which can be exploited to do
other undocumented things
► Trapdoors are generally desirable in program development
 auditors introduce fictitious transaction and trace the effect
 important for program maintenance

How Viruses Attach?How Viruses Attach?
(1) Appended Virus
Original
Program
+ Virus code = Original
Program
Virus code

(1) Appended Viruses
►A virus attaches itself to a program.
►Whenever the program runs, the virus is
activated.
►A virus simply inserts a copy of itself into the
program file before the first executable
instruction, so that all the virus instruction
are completely executed and then followed
by the real program instruction.

(2) Viruses that surround a program(2) Viruses that surround a program
Virus code Original
Program
Virus code
(Part a)
Original
program
Virus code
(part b)
This kind of virus that runs the original program but has control
before and after its execution.

(3) Integrated Viruses and Replacement
Original
Program
+
Virus
Code =
Modified
program

(3) Integrated Viruses and Replacement
► A virus might replace some of its target,
integrating itself into the original code of the target.
► Finally, the virus can replace the entire target,
either mimicking the effect of the target or ignoring
the expected effect of the target and performing
only the virus effect.

How Viruses Gain Control?How Viruses Gain Control?
(1) Overwriting Target
T T
File Directory
A) Overwriting
T
V
V
Disk storage
Before
After

(1) Overwriting Target
► The virus (V) has to be invoked instead of the
target (T).
► The virus (V) either has to be seen to be T, saying
effectively “I’m T”
► Or the virus (V) has to push T out of the way and
become a substitute for T, saying effectively “call
me instead of T”

(2) Changing Pointers
T T
B ) Changing Pointer
T
V
T
V
The virus change the pointers in the file table so that V is located
instead of T whenever T is accessed through the file system.

Home for VirusesHome for Viruses
Boot Sector Viruses
► A special case of virus attachment, but a fairly a popular
one.
► When a computer is started, control start with a firmware
that determines which hardware components are present,
test them and transfer control to OS.
► The OS is software stored on disk. The OS has to start
with code that copies it from disk to memory and transfers
control to it, called bootstrap load.
► Booting: The firmware read the boot sector( a fixed location
on the h/disk) to a fixed location on memory and jump to
the address that contain bootstrap loader.

► The loader load the OS to the memory.
► Boot sector on PC is less than 512 byte
► Chaining is used to support big bootstrap
► This mechanism can be utilized by virus installation
► Virus writer can break the chain and point to the virus code
and reconnect the chain after virus installation
► The advantage: virus gains control early during the boot
process.
► Hiding in the boot area which is not accessible by users.

Bootstrap
loader
System
initialize
Bootstrap
loaderSystem
initialize
Virus code
Before Infection
After Infection
Boot Sector
Boot Sector
Other sectors
Other sectors

A virus can:
► attach itself to the system files IO.SYS or
MSDOS.SYS
► attach itself to any other program loaded
because of an entry in CONFIG.SYS or
AUTOEXEC.BAT or
► add an entry to CONFIG>SYS or
AUTOEXEC.BAT to cause it to be
loaded
► Example: CIH virus, BRAIN virus

Memory-Resident Viruses
► Some part of OS or program execute, terminate and
disappears, with their space in memory being available for
anything executed later.
► Frequently used code remain in special memory and is
called “resident code” or TSR.
► Virus writers also like to attach viruses to resident code
because it is activated many times while the machine is
running.
► Each time the resident code runs, the virus does too
► Once activated, the virus can look for and infect uninfected
carrier
► Virus may target the uninfected diskette.

Other Homes For Viruses
► A popular home for viruses is an application program.
► Word Processing and spreadsheet has a macro where
users may record a series of commands with a single
invocation
► Writer may create a startup macro that contains virus
► It also embeds a copy of itself in data files so that the
infection spread to anyone receiving it
► Libraries are also excellent places for viruses. Because it is
used by many program and thus the code in them has
broad effect and also shared between users

Virus SignatureVirus Signature
► A virus code cannot be completely invisible.
► Code must be in memory to be executed.
► Viruses has their own characteristic/behavior –
signature
(1) Storage pattern - viruses that attach to programs
that are stored on disks.
 The attached virus piece is invariant, so that
the start of the virus code becomes a
detectable signature.
 Small portion but JUMP to virus module

(2) Execution Pattern
► A virus writer may want a virus to do several things:
 spread infection
 avoid detection
 cause harm -
The harm that a virus can cause is unlimited
► Do nothing
► Display message on the screen
► Play music
► Erase file/entire disk
► Prevent booting
► Writing on the h/disk

(3) Transmission pattern
► A virus also has to have some means of
transmission from one disk to another
► Viruses can travel during the boot process, with an
executable file, or in data files.
► Viruses travel during execution of an infected
program.
► Because a virus can execute any instruction a
program can, virus travel is not confined to any
single medium or execution pattern.

(4) Polymorphic Viruses
►Is a virus that can change its appearance.
►“Poly” means “many” and “morph” means
“form”.
►To avoid detection, not every copy of a
polymorphic virus has to differ from every
other copy.

Preventing VirusPreventing Virus
► Use only commercial software acquired from
reliable, well established vendors.
► Test all new software on an isolated computers.
► Make a bootable diskettes and store it safely -
write protect before booting
► Make and retain backup copies of executable
system files.
► Use virus detectors regularly.
► Don’t trust any source from outside until its been
test first.

Virus and Malicious Code Chapter 5

More Related Content

What's hot

Similar to Virus and Malicious Code Chapter 5

More from AfiqEfendy Zaen

Recently uploaded

Virus and Malicious Code Chapter 5

Editor's Notes