Computer Viruses Preetha Annamalai Niranjan Potnis.


Transcript of Computer Viruses Preetha Annamalai Niranjan Potnis.

Page 1: Computer Viruses Preetha Annamalai Niranjan Potnis.

Computer Viruses

Preetha Annamalai

Niranjan Potnis

Page 2

Outline

Computer Viruses – The Fundamentals

The Modus Operandi of a Virus

Virus Behavior and Symptoms

Virus Detection – The “Heuristic” Approach

A Sample Virus Code

Page 3

What is a Computer Virus?

A malicious piece of executable code written with not-so-noble intentions

Attaches itself to executable files

Loads into memory and then kicks off

Replication – a key operation

Page 4

The Vulnerable Areas!

EXE and COM files.

Macros in Word.

System sectors on hard disk / floppy disk.

Scripts for Internet / Email.

Page 5

Virus Types

File Infectors – .COM, .EXE files

• Modify entry point of file

• Execute self first

System Sector Viruses – sectors contain boot-time executable code

• Boot Sector, MBR

• Relocate boot code

Page 6

Virus Types

Macro Viruses

• infect data files

• execute on opening a document

• modify the global macro template

Worms

• do not attach to host files/programs

• rapidly replicate over the network

• can execute in a distributed fashion

• use up network bandwidth

Page 7

Modus Operandi

Infection Phase

Attack Phase

Page 8

Infection Phase

• The spreading of the virus

• Based on a specific trigger/execution

• Trigger condition – disk access / copying a file / a day or time

• Intention is to spread as far as possible before detection

• Act as TSRs (terminate-and-stay-resident programs) and can reside in any part of memory

Page 9

Attack Phase

Actual function is performed

Needs a trigger

Typical attacks –

• Deleting files

• Formatting/damaging the disk

• Slowing down the system

• Using up system resources

Optional phase: viruses may infect but not attack (due to poorly written virus code)

Page 10

Virus Symptoms

Change in length of .exe or .com files.

Change in the file date/time stamp

Change to interrupt vectors

Reassignment of system resources

Reduction in amount of memory normally shown

Page 11

Virus Detection and Prevention

Anti-virus software

Two Approaches

Pattern Matching Approach

The “Heuristic Approach”

Page 12

Conventional Pattern Matching Approach

Concept of “virus signature”

Look for virus byte sequence in a file to be scanned

Compare against a signature data file

Pattern match has to be literal

Problems – Cannot detect viruses that are not in the data file

Data file has to be updated.

Viruses change the characteristic byte code from computer to computer

Page 13

Heuristic Approach

“Speculation and Investigation”

Analyze program structure and behavior instead of looking for a signature.

How about an analogy?

Scan the file for suspicious code

Does the file have virus-like characteristics?

Page 14

Using Heuristics

Content Filtering

• Like a “flexible” pattern matching approach

• Keep track of numerous ways to program virus-like code

• Need additional criteria for detection

Sandboxing

• Run suspicious code in a protected space within the system

• Keep track of operating system calls

• Compare them to a user-defined policy

Page 15

A Typical Heuristic Scanner

Determine the most likely location of the virus

Analyze the program logic contained in that region

What are the computer instructions capable of doing?

Catalog the program's behavior

Page 16

Typical Heuristic Scanner

Many ways to write the same program

Example:

Routine to terminate itself and return to the DOS prompt

• Simple Approach

• Roundabout Approach

Page 17

Typical Heuristic Scanner

MACHINE LANGUAGE BYTES    USER-READABLE INSTRUCTIONS

Example 1:

B8 00 4C                  MOV AX,4C00
CD 21                     INT 21

Example 2:

B4 3C                     MOV AH,3C
BB 00 00                  MOV BX,0000
88 D8                     MOV AL,BL
80 C4 10                  ADD AH,10
8E C3                     MOV ES,BX
9C                        PUSHF
26 FF 1E 84 00            ES: CALL FAR [0084]
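Added example (not from the slides): a tiny 8086 emulator covering only the opcodes in the two sequences above. Example 2 assembles AX=4C00h piece by piece, points ES at segment 0, then does PUSHF plus a far call through the INT 21h vector at 0000:0084, which is exactly what INT 21h does; emulating with a register set, as the heuristic scanner's emulator does, recognises both as "terminate program" where a literal byte match would only catch Example 1. The `emulate` / `is_dos_terminate` names are this example's own.

```python
INT21_VECTOR = 0x21 * 4  # INT 21h's slot in the interrupt vector table: 0000:0084

def emulate(code: bytes):
    """Interpret the bytes until a DOS call is reached; return (AX, how_reached)."""
    r = {"ax": 0, "bx": 0, "es": 0}      # the only registers these sequences touch
    flags_pushed, override, pc = False, None, 0
    while pc < len(code):
        op = code[pc]
        if op == 0x26:                                   # ES: segment override prefix
            override, pc = "es", pc + 1
            continue
        if op == 0xB8:                                   # MOV AX, imm16
            r["ax"] = code[pc + 1] | code[pc + 2] << 8; pc += 3
        elif op == 0xBB:                                 # MOV BX, imm16
            r["bx"] = code[pc + 1] | code[pc + 2] << 8; pc += 3
        elif op == 0xB4:                                 # MOV AH, imm8
            r["ax"] = code[pc + 1] << 8 | r["ax"] & 0xFF; pc += 2
        elif op == 0x88 and code[pc + 1] == 0xD8:        # MOV AL, BL
            r["ax"] = r["ax"] & 0xFF00 | r["bx"] & 0xFF; pc += 2
        elif op == 0x80 and code[pc + 1] == 0xC4:        # ADD AH, imm8
            ah = ((r["ax"] >> 8) + code[pc + 2]) & 0xFF
            r["ax"] = ah << 8 | r["ax"] & 0xFF; pc += 3
        elif op == 0x8E and code[pc + 1] == 0xC3:        # MOV ES, BX
            r["es"] = r["bx"]; pc += 2
        elif op == 0x9C:                                 # PUSHF
            flags_pushed = True; pc += 1
        elif op == 0xCD:                                 # INT imm8: a direct DOS call
            return r["ax"], f"INT {code[pc + 1]:02X}h"
        elif op == 0xFF and code[pc + 1] == 0x1E:        # CALL FAR [disp16]
            disp = code[pc + 2] | code[pc + 3] << 8
            # PUSHF followed by a far call through the INT 21h vector is INT 21h
            if override == "es" and flags_pushed and r["es"] * 16 + disp == INT21_VECTOR:
                return r["ax"], "INT 21h (far call through the IVT)"
            return r["ax"], "far call"
        else:
            raise ValueError(f"unsupported opcode {op:02X} at offset {pc}")
    return r["ax"], "no DOS call reached"

def is_dos_terminate(code: bytes) -> bool:
    """Flag the 'terminate program' behaviour (AH=4Ch into INT 21h), however it was coded."""
    ax, how = emulate(code)
    return ax >> 8 == 0x4C and how.startswith("INT 21h")

# The two sequences from the slide, spaced per instruction
SIMPLE = bytes.fromhex("B8004C CD21")
ROUNDABOUT = bytes.fromhex("B43C BB0000 88D8 80C410 8EC3 9C 26FF1E8400")
```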

Page 18

Typical Heuristic Scanner

• Maintain a database of byte sequences

• Associate each byte sequence with its functional behavior

• Can use wildcards to match information that changes from virus to virus

Example –

B8 ?? 4C CD 21 – Terminate Program (perm 1)
B4 4C CD 21 – Terminate Program (perm 2)
B8 02 3D BA ?? ?? CD 21 – Open file (perm 1)
BA ?? ?? B8 02 3D CD 21 – Open file (perm 2)

Page 19

Heuristic Engine

Components of a Heuristic Scanner (block diagram on the slide; only the box labels survive):

• Disassembler

• Heuristic Engine

• Inference Engine

• Emulator (maintains a set of registers)

• “Is execution recommended?” decision

• Program

• Scoring Formula

Page 20

Some Virus Characteristics

Illicit writes to RAM

Undocumented calls

Hooks to standard interrupts

Calls to next instruction

Page 21

Scoring Formula

A weight is assigned to each virus characteristic depending on its strength

A net score is assigned to the file depending on the characteristics found and their count

Is the net score higher than the cut-off value?
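Added example (not from the slides) tying together the wildcard byte-sequence database of Page 18 and the scoring formula above: each pattern is compiled into a bytes regex where `??` matches any single byte, hits are weighted by the characteristic's strength and multiplied by their count, and the net score is compared against a cut-off. The first four patterns are the slide's own; the two others (reading the INT 21h vector, a call to the next instruction, both characteristics listed on Page 20), the weights, the cut-off and the sample buffers are constructed for illustration.

```python
import re

# Constructed signature database: (byte pattern with ?? wildcards, behaviour, weight).
# Weights are assumed values, not taken from any real scanner.
SIGNATURE_DB = [
    ("B8 ?? 4C CD 21",          "terminate program",        1),
    ("B4 4C CD 21",             "terminate program",        1),
    ("B8 02 3D BA ?? ?? CD 21", "open file",                3),
    ("BA ?? ?? B8 02 3D CD 21", "open file",                3),
    ("B8 21 35 CD 21",          "read INT 21h vector",      4),  # MOV AX,3521h; INT 21h
    ("E8 00 00",                "call to next instruction", 5),  # CALL $+3
]
CUTOFF = 8   # assumed cut-off for the net score

def compile_signature(sig: str) -> re.Pattern:
    """Turn 'B8 ?? 4C' into a bytes regex in which ?? matches any single byte."""
    parts = [b"." if p == "??" else re.escape(bytes([int(p, 16)])) for p in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def scan(data: bytes):
    """Return (net score, findings, flagged) for one file image."""
    findings = []
    for sig, behaviour, weight in SIGNATURE_DB:
        hits = len(compile_signature(sig).findall(data))
        if hits:
            findings.append((behaviour, hits, weight))
    score = sum(hits * weight for _, hits, weight in findings)   # count x strength
    return score, findings, score >= CUTOFF

# Constructed samples: a plain exit stub, and a buffer showing several characteristics
BENIGN = bytes.fromhex("B8004C CD21")
SUSPECT = bytes.fromhex("E80000 B82135 CD21 B8023D BA3412 CD21 B8004C CD21")
```

A single "terminate program" hit scores 1 and stays below the cut-off, while the second buffer accumulates 1 + 3 + 4 + 5 = 13 and is flagged; tuning the weights and cut-off is what trades false positives against false negatives.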

Page 22

An Example Virus

The Michelangelo Virus Code

Page 23

Conclusion

Virus writers have too much time!

Heuristic approach is robust

Not totally reliable – subject to false positives and false negatives

Anti-virus software needs to be updated frequently