Computer virus
Speaker: 蔡尚倫

Outline
- Introduction
- Infection target
- Infection techniques

Computer virus - definition
- A kind of malware.
- Needs to be executed by the user, usually by accident (opening an infected file, running an infected program, booting from infected media); it cannot start on its own.
- Replicates itself and spreads to other files, disks or hosts.
- May carry a destructive payload.

Purpose
- Stealing hard disk space or CPU time
- Accessing private information
- Corrupting data
- Displaying political or humorous messages
- Spamming the victim's contacts
- Logging the victim's keystrokes

Lifetime of a virus
(diagram slide; no text survives in the transcript)

Infection target
- System sector
- Network
- Source code
- File
- Macro

System sector
Two types of system sector:
- DBR (DOS Boot Record, also called the DOS boot sector): the first sector of a floppy disk or of a partition; it loads the operating system.
- MBR (Master Boot Record, partition sector): the first sector of a hard disk; it holds the bootstrap code and the partition table.
Booting process: power on, BIOS POST, then the BIOS loads the first sector of the boot device into memory and jumps to it. On a hard disk that sector is the MBR, whose code finds the active partition and loads that partition's boot sector (the DBR); a floppy disk has no MBR, so its DOS boot sector is loaded directly. The boot sector then loads the OS.
A system sector virus replaces or relocates this code, so it runs before the operating system and before any anti-virus program has loaded.
Medium: floppy disk, bootable CD-ROM
Diagram: BIOS POST, then the DOS boot sector (floppy disk) or the master boot sector (hard disk).
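The slide above describes the boot path in words. The following is an added example, not code from the slides, that parses the classic 512-byte MBR layout (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature) and shows the check a practitioner would run against it: a boot sector infector rewrites the bootstrap bytes but must keep the partition table and signature intact so the machine still boots, so hashing only the bootstrap region against a baseline taken on a known-clean system isolates exactly that change. The MBR images, the bootstrap bytes and the partition entry in it are constructed for the example and are not real boot code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_SIZE = 446            # bytes 0..445: the code the BIOS jumps to after POST
PARTITION_TABLE_OFFSET = 446    # four 16-byte partition entries follow the bootstrap
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510..511; the BIOS refuses to boot without it


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one classic 16-byte MBR partition entry (the CHS fields are skipped)."""
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {
        "bootable": status == 0x80,   # 0x80 = active partition, 0x00 = inactive
        "type": ptype,                # 0x00 = unused slot, 0x07 = NTFS/exFAT, ...
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into bootstrap code, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    entries = [
        parse_partition_entry(sector[o:o + PARTITION_ENTRY_SIZE])
        for o in range(PARTITION_TABLE_OFFSET,
                       PARTITION_TABLE_OFFSET + 4 * PARTITION_ENTRY_SIZE,
                       PARTITION_ENTRY_SIZE)
    ]
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_SIZE]).hexdigest(),
        "partitions": [e for e in entries if e["type"] != 0],
        "active_count": sum(e["bootable"] for e in entries),
    }


def boot_code_changed(sector: bytes, baseline_bootstrap_sha256: str) -> bool:
    """An MBR infector rewrites the bootstrap bytes but leaves the partition table
    alone so the machine still boots; comparing the bootstrap hash with a baseline
    recorded on a known-clean system catches exactly that change, while a check of
    the signature or the partition table alone would pass."""
    return parse_mbr(sector)["bootstrap_sha256"] != baseline_bootstrap_sha256


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed MBR: the given bootstrap bytes, one active type-0x07 partition at LBA 2048."""
    if len(bootstrap) > BOOTSTRAP_SIZE:
        raise ValueError("bootstrap code does not fit in 446 bytes")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * (3 * PARTITION_ENTRY_SIZE)
    return bootstrap.ljust(BOOTSTRAP_SIZE, b"\x00") + table + BOOT_SIGNATURE


# Constructed stand-ins for clean boot code and for an infector's loader.
# They are placeholder bytes, not real boot code and not a real virus.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"CLEAN-BOOTSTRAP")
BASELINE_BOOTSTRAP_SHA256 = parse_mbr(CLEAN_MBR)["bootstrap_sha256"]
INFECTED_MBR = build_sample_mbr(b"\xeb\x1c\x90" + b"RELOCATED-LOADER")


if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        info = parse_mbr(image)
        print(name,
              "signature_ok=%s" % info["signature_ok"],
              "partitions=%d" % len(info["partitions"]),
              "bootstrap_changed=%s" % boot_code_changed(image, BASELINE_BOOTSTRAP_SHA256))
```

Both images report a valid signature and the same single partition; only the bootstrap hash separates them. The same idea applies to the DBR of a floppy or partition, where the region to hash is the boot code after the BIOS parameter block.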

Network
- Replicates by using network commands or protocols
- Remotely controllable
- Results: degrades the performance of the network, disables critical devices and network connections, steals personal data

Source code
- Makes modifications to source code, so the virus is compiled into the program
- Rare: different compilers and languages need different source code, so the virus is tied to one environment

Files
- Executable files: files with .BAT, .COM, .EXE, .BIN and similar extensions
- The host file may be partially or completely overwritten by the virus code
- Infected files can spread across the system and the network
- Example: Win32.Sality.BK

Macro
- A macro maps a short input sequence to a longer output sequence
- A piece of code that executes if a certain event occurs (for example when a document is opened)
- Blurs the line between executable files and data files: a document becomes a carrier of code
- Diagram: a macro in the SAS System (steps 1, 2, 3). For example: MS-Word.
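The slide's point is that a macro is code that runs on an event, so a document is only dangerous when an auto-executing handler can reach something that leaves the document. The following is an added example, not from the slides, of the heuristic a scanner applies to extracted VBA source: find the procedures whose names are auto-execute triggers, follow the procedures they call, and report any host-escaping calls reachable from a trigger. The two VBA samples are constructed for the example, the trigger and call lists are a small assumed subset, and the regular-expression parsing is deliberately simple (it handles the constructed samples, not every VBA dialect).

```python
import re

# Event handlers that run a macro automatically when a document is opened or closed.
AUTO_EXEC_TRIGGERS = (
    "AutoOpen", "Auto_Open", "Document_Open", "Workbook_Open",
    "AutoClose", "Auto_Close", "Document_Close", "Workbook_BeforeClose", "AutoExec",
)

# Calls that let a macro run, fetch or delete something on the host (assumed subset).
SUSPICIOUS_CALLS = (
    "Shell", "CreateObject", "GetObject", "WScript.Shell",
    "URLDownloadToFile", "Environ", "Kill", "ShellExecute",
)

# One Sub/Function: captures the name and the body up to the matching End Sub/Function.
PROC_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)\s*\(.*?\)(.*?)^\s*End\s+(?:Sub|Function)",
    re.IGNORECASE | re.DOTALL | re.MULTILINE,
)


def parse_procedures(vba: str) -> dict:
    """Map procedure name -> procedure body."""
    return {m.group(1): m.group(2) for m in PROC_RE.finditer(vba)}


def suspicious_calls_in(body: str) -> list:
    """Which of the listed calls appear in a body (not as a member of another object)."""
    return [
        call for call in SUSPICIOUS_CALLS
        if re.search(r"(?<![\w.])" + re.escape(call) + r"\b", body, re.IGNORECASE)
    ]


def reachable_from_triggers(procs: dict) -> set:
    """Procedures that run automatically, plus everything they call, transitively.
    Splitting the dangerous call into a second procedure is a common way to keep
    the trigger handler looking harmless; following the call graph undoes that."""
    triggers = {t.lower() for t in AUTO_EXEC_TRIGGERS}
    stack = [name for name in procs if name.lower() in triggers]
    seen = set()
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        for other in procs:
            if other not in seen and re.search(r"\b%s\b" % re.escape(other), procs[name], re.IGNORECASE):
                stack.append(other)
    return seen


def analyse_vba(vba: str) -> dict:
    procs = parse_procedures(vba)
    auto = reachable_from_triggers(procs)
    findings = {name: suspicious_calls_in(procs[name]) for name in auto}
    findings = {name: calls for name, calls in findings.items() if calls}
    return {
        "auto_exec": sorted(auto),
        "suspicious": findings,
        "verdict": "suspicious" if findings else "no auto-executing suspicious code",
    }


# Constructed samples (not real malware): a two-stage dropper pattern and a benign macro.
MALICIOUS_SAMPLE = '''
Private Sub Document_Open()
    Call Stage2
End Sub

Sub Stage2()
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    sh.Run Environ("TEMP") & "\\update.exe", 0
End Sub
'''

BENIGN_SAMPLE = '''
Sub FormatReport()
    Selection.Font.Bold = True
End Sub

Sub Document_Open()
    MsgBox "Welcome"
End Sub
'''

if __name__ == "__main__":
    print(analyse_vba(MALICIOUS_SAMPLE))
    print(analyse_vba(BENIGN_SAMPLE))
```

The benign sample also has a Document_Open handler; it is the combination of an auto-execute trigger with a reachable host-escaping call that produces the verdict, not the trigger alone, which is what keeps the false-alarm rate tolerable.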

Infection techniques
- Stealth
- Polymorphic
- Metamorphic
- Cavity
- Tunneling
- Camouflage
- Bootable CD-ROM

Stealth
- Intercepts requests to read the infected file
- Returns an uninfected copy of the file (the original contents) to the requester
- Hides the modification
- Diagram: the anti-virus program asks the OS for a file; the virus, sitting between them, returns another file instead of the infected one.

Polymorphic
- Goal: confuse anti-virus programs that match fixed byte patterns
- Changes its characteristics with each infection by an encryption/decryption module that uses a different key each time, while the underlying algorithm stays intact
- Further mutations: insert junk instructions, exchange independent instructions, change the start address
- Caveat: the decryptor itself must stay executable and therefore unencrypted, so a scanner can still match the decryptor, or emulate it and scan the decrypted body.

Metamorphic
- Reprograms itself on each infection
- Translates its code into a temporary intermediate form, mutates it, then converts it back into working code
- Avoids the pattern recognition of anti-virus programs
- Diagram: translate, mutate, convert back

Cavity
- Also known as space-fillers
- Maintains a constant file size
- Overwrites the empty (null-filled) part of a target file with its own code
- Only a small number of hosts have a large enough gap and it is hard to write, which means it is rare
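To show why polymorphism defeats a body signature and where a scanner still gets a grip, the following is an added example, not from the slides, of a toy polymorphic "engine": each generation XORs a constant body with a fresh key and shifts it behind a random amount of junk, so every generation differs byte for byte, yet the decryptor stub is the same in every generation and emulating it recovers the identical body. The body, the stub bytes and the variant layout (stub, key byte, junk length byte, junk, encrypted body) are constructed for the example and are not machine code or a real virus.

```python
import random

# Constructed plaintext "body": in a real virus this is the infection routine,
# which never changes; only its encrypted appearance does. Placeholder text here.
BODY = b"copy-self-into-next-host; payload; return-to-host"

# Constructed constant decryptor stub. An engine must leave this part executable,
# so it cannot be encrypted and is identical in every generation. Not real code.
STUB = b"\xeb\x05" + b"XORDEC"


def make_variant(rng: random.Random) -> bytes:
    """Produce one generation: STUB | key | junk_len | junk | BODY ^ key."""
    key = rng.randrange(1, 256)        # never 0: XOR with 0 would leave the body in clear
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 32)))  # junk shifts the body's offset
    encrypted = bytes(b ^ key for b in BODY)
    return STUB + bytes([key, len(junk)]) + junk + encrypted


def emulate_decryptor(sample: bytes) -> bytes:
    """What a scanner's emulator does: run the stub's logic to recover the body."""
    if not sample.startswith(STUB) or len(sample) < len(STUB) + 2:
        raise ValueError("not a variant of this family")
    key = sample[len(STUB)]
    junk_len = sample[len(STUB) + 1]
    start = len(STUB) + 2 + junk_len
    return bytes(b ^ key for b in sample[start:])


def body_signature_match(sample: bytes, signature: bytes = BODY[:16]) -> bool:
    """Static scan for a signature cut from the plaintext body: defeated by re-encryption."""
    return signature in sample


def stub_signature_match(sample: bytes) -> bool:
    """Static scan for the constant decryptor: this is where a scanner anchors."""
    return STUB in sample


def emulation_match(sample: bytes, signature: bytes = BODY[:16]) -> bool:
    """Emulate the decryptor first, then apply the body signature to the result."""
    try:
        return signature in emulate_decryptor(sample)
    except ValueError:
        return False


# Five generations from five seeded generators so the run is reproducible.
GENERATIONS = [make_variant(random.Random(seed)) for seed in range(5)]

if __name__ == "__main__":
    for i, v in enumerate(GENERATIONS):
        print("gen %d len=%3d body_sig=%-5s stub_sig=%-5s emulated=%s" % (
            i, len(v), body_signature_match(v), stub_signature_match(v), emulation_match(v)))
```

A metamorphic engine removes the constant stub as well by rewriting the decryptor itself, which is why the slide treats it separately: with no fixed bytes left, detection has to rely on behaviour or on emulating far enough to see the body.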

Cavity (diagram)
Original file: [some info] [code code . code code . code code .] [null null null ... null] (empty part) [some info]
Infected file: [some info] [code code . code code . code code .] [virus code fills the empty part] [some info]
The file size stays the same.

Tunneling
- One way to detect a virus is to intercept interrupts and look for specific actions that may signify the presence of a virus
- A tunneling virus calls the original interrupt handler of the OS directly, bypassing the hooks the anti-virus program installed on those interrupts
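The cavity diagram above shows the size invariant; the following is an added example, not from the slides, that makes it concrete on a constructed host: it locates zero-filled runs in a file, writes a placeholder payload into the largest one so the file length does not change, and then shows the check that still catches it. Because the size is unchanged, a size-based integrity check passes; comparing the map of zero runs (or a hash of the whole file) against a baseline does not. The host bytes and the payload string are constructed for the example and are not real code.

```python
def find_null_runs(data: bytes, min_len: int = 16) -> list:
    """(offset, length) of every zero-filled run at least min_len bytes long: the cavities."""
    runs, start = [], None
    for i, b in enumerate(data):
        if b == 0 and start is None:
            start = i
        elif b != 0 and start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    if start is not None and len(data) - start >= min_len:
        runs.append((start, len(data) - start))
    return runs


def cavity_fill(host: bytes, payload: bytes) -> bytes:
    """Write payload into the largest cavity without changing the host's size.
    Raises when no gap is large enough, which is why space-fillers have few hosts."""
    runs = find_null_runs(host, min_len=len(payload))
    if not runs:
        raise ValueError("no cavity large enough: a space-filler has to skip this host")
    offset, _length = max(runs, key=lambda r: r[1])
    return host[:offset] + payload + host[offset + len(payload):]


def padding_disturbed(baseline: bytes, candidate: bytes, min_len: int = 16) -> bool:
    """Size comparison passes for a cavity infection, so compare where the zero runs are."""
    return find_null_runs(baseline, min_len) != find_null_runs(candidate, min_len)


# Constructed host: a 16-byte "header", a 40-byte code region, a 64-byte zero-filled
# alignment gap, then a 32-byte data region. Real executables have such gaps between
# sections because section data is padded to the file alignment.
HOST = b"HDR\x00" * 4 + b"\xcc" * 40 + b"\x00" * 64 + b"DATA" * 8
PAYLOAD = b"<cavity payload placeholder>"   # 28 bytes; a stand-in, not real code
INFECTED = cavity_fill(HOST, PAYLOAD)

if __name__ == "__main__":
    print("host size", len(HOST), "infected size", len(INFECTED))
    print("cavities before", find_null_runs(HOST), "after", find_null_runs(INFECTED))
    print("padding disturbed:", padding_disturbed(HOST, INFECTED))
```

In a real PE or ELF file the expected cavities are known from the headers (the slack between a section's raw size and its aligned size), so a checker can verify that those exact regions are still zero rather than diffing the whole run map.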

Tunneling - cont'd
- The infected program traces back through the interrupt chain to the original DOS and BIOS interrupt handlers
- Installs itself beneath these interrupt handlers
- Contacts the OS directly, so the monitor above it never sees the request
- Diagram: infected program, anti-virus hook, original interrupt handler, OS

Camouflage
- Pretends to be a normal program
- Abuses the "ignore" logic of anti-virus programs
- Thanks to advanced virus detection, it is rare
Note: There is a possibility that non-infected files contain code similar to the virus code (a statistical probability). To avoid raising false alarms and causing unnecessary panic, anti-virus programs have logic to ignore such situations. That gives virus writers the chance to camouflage their virus as a normal program by giving it the characteristics that trigger the ignore logic.

Bootable CD-ROM
- Through an infected CD-ROM
- If the system is booted from the CD-ROM, the code on the disc runs before the installed OS and with full control of the machine, so it can destroy the contents of the hard disk
- No anti-virus program installed on the hard disk can stop it, because none of it has loaded yet; only controlling what the machine is allowed to boot from helps

Other malware
- Worms: a special type of self-replicating malware that replicates itself and uses memory, but cannot attach itself to other executable code
- Trojans: a small destructive program that runs hidden on an infected computer

Worms
Characteristics
- Standalone malware
- Propagates from machine to machine
- Does not attach itself to an existing program
Infection techniques
- Aims at security failures (vulnerabilities in network-facing software)
- Spreads via the network, usually as an email attachment

Worms - infecting phases
(diagram slide; no text survives in the transcript)

Trojans
Characteristics
- Non-self-replicating
- Do not attach themselves to files and do not propagate
Infection techniques
- Always associated with the network: bundled with malicious programs or delivered by drive-by download
- Normally done by social engineering
Running
- Runs automatically after being installed
- Hides in the background and usually creates one or more backdoors

Note: Drive-by download means two things, each concerning the unintended download of computer software from the internet:
1. A download which a person authorized but without understanding the consequences (e.g. downloads which install an unknown or counterfeit executable program, ActiveX component, or Java applet)
2. Any download that happens without the person's knowledge, often a computer virus, spyware, malware or crimeware

Trojans - purposes
- Destruction
- Password thievery
- Remote control
- Key logger
- DoS attack
- Zombie
- FTP Trojan

Thanks for listening