Transcript

Page 1: Computer virus
Speaker: 蔡尚倫

Page 2: Outline

• Introduction
• Infection target
• Infection techniques

Page 3: Computer virus - definition

• A malware
• Needs permission (obtained by accident) to execute
• Will replicate and spread
• May cause destruction

Page 4: Purpose

• Stealing hard disk space or CPU time
• Accessing private information
• Corrupting data
• Displaying political or humorous messages
• Spamming the victim's contacts
• Logging the victim's keystrokes

Page 5: Lifetime of a virus

Design
• Tools, like language, tool kits
Replication
• Spread, how to extend
Launch
• Active, what to do
Detection
• Evade, try not to be found
Elimination

Page 6: Infection target

• System sector
• Network
• Source code
• File
• Macro

Page 7: System sector

Two types of system sector:
• DBR (DOS Boot Record; DBS, DOS Boot Sector)
• MBR (Master Boot Record; partition sectors)

Booting process: Boot computer → BIOS → POST → DBR → MBR → Boot Sector → OS

Medium:
• Floppy disk
• Bootable CD-ROM

Page 8: Network

• Replicates by commands or protocols of the network
• Remote-controllable

Results:
• Degrades the performance of a network
• Disables critical devices or network connections
• Steals personal data

Page 9: Source code

• Different compiler, different source code
• Makes modifications to source code
• Rare

Page 10: Files

• Executable files: files with .BAT, .COM, .EXE, .BIN and so on
• May be partially or completely overwritten
• Infected files can spread across the system and the network

Page 11: Macro

• A short input sequence mapped to a long output sequence
• A piece of code that executes if a certain event occurs
• Blurs the line between executable files and data files

Infection flow: Infected document opened → Macros loaded into memory → Auto macros executed → Copy themselves to the global template → New documents infected

Page 12: Infection techniques

• Stealth
• Polymorphic
• Metamorphic
• Cavity
• Tunneling
• Camouflage
• Bootable CD-ROM

Page 13: Stealth

• Intercepts requests
• Returns an uninfected file
• Hides the modified file

Diagram: the anti-virus program sends a request to the OS asking for a file; the virus returns another (uninfected) file in its place, so the infected file stays hidden.

Page 14: Polymorphic

• Goal: confuse anti-virus programs
• Changes its characteristics with each infection
• Uses an encryption/decryption module, but keeps the algorithm intact
• Inserts junk instructions
• Exchanges independent instructions
• Changes the start address

Page 15: Metamorphic

• Will reprogram itself
• Can translate itself into a temporary code
• Is then converted back to normal code
• Avoids pattern recognition by anti-virus programs

Diagram: Virus (original) → Translate → Virus (temporary code) → Mutate → Convert back → Virus (original)
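Added example (not from the slides): the Files slide says a host may be partially or completely overwritten, and the Polymorphic and Metamorphic slides explain that the inserted code changes on every infection precisely to defeat pattern matching. A check that does not depend on recognising the inserted code at all is a file-integrity baseline: hash every executable in a known-good state and later report anything whose content changed. The Python below is written for this page; the directory layout, file names and contents in demo() are constructed, and the suffix list is the set of executable extensions named on the Files slide.

```python
"""File-integrity baseline (added example): records a SHA-256 digest for each
executable in a known-good state and later reports any file whose content
changed. Because it never looks for a specific byte pattern, a virus that
re-encrypts (polymorphic) or rewrites (metamorphic) itself on every copy still
shows up as a modified host file."""
import hashlib
import os
import tempfile

# Executable kinds named on the Files slide.
EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat", ".bin")


def hash_file(path, chunk_size=65536):
    """SHA-256 hex digest of one file, streamed in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, suffixes=EXECUTABLE_SUFFIXES):
    """Map each executable under `root` (path relative to root, '/'-separated)
    to its digest. Must be taken while the system is known to be clean."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = hash_file(full)
    return baseline


def compare_baselines(known_good, current):
    """Return added, removed and modified paths between two baselines."""
    return {
        "added": sorted(set(current) - set(known_good)),
        "removed": sorted(set(known_good) - set(current)),
        "modified": sorted(
            path for path in known_good
            if path in current and known_good[path] != current[path]
        ),
    }


def demo():
    """Constructed scenario in a temporary directory: two executables are
    baselined, then one has bytes appended and a third file appears."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        targets = {
            "bin/a.exe": b"MZ" + b"\x00" * 100,          # constructed stand-in content
            "b.com": b"\xc3" * 64,                        # constructed stand-in content
            "notes.txt": b"not an executable, ignored",  # outside the suffix list
        }
        for rel, content in targets.items():
            with open(os.path.join(root, rel), "wb") as handle:
                handle.write(content)
        known_good = build_baseline(root)

        # Constructed change: one host file grows by a few bytes and a new
        # executable is dropped into the tree. Neither is recognised by
        # content; both are reported purely because the digests differ.
        with open(os.path.join(root, "bin", "a.exe"), "ab") as handle:
            handle.write(b"CONSTRUCTED-APPENDED-BYTES")
        with open(os.path.join(root, "c.bat"), "wb") as handle:
            handle.write(b"@echo constructed")

        return compare_baselines(known_good, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Two caveats matter in practice. The baseline must be stored somewhere the host cannot alter, and the scan should run from a clean boot medium: the Stealth slide describes a virus that intercepts file requests and hands back an uninfected copy, and a hasher running on top of such a virus would happily report that nothing changed.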

Page 16: Cavity

• Also known as space-fillers
• Maintains a constant file size
• Overwrites the empty part of a target file with its code
• Limited to a small number of hosts and hard to write, which means rare

Diagram: Original file = code …, Null Null Null …, Some info…; Infected file = code …, virus code filling the empty part, Some info…
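Added example (not from the slides): the slide says a cavity infector keeps the file size constant by overwriting the null-filled, unused part of a host. The corresponding defender-side check is to verify that every region the file format declares unused is still all zero, which catches a change that a size comparison alone would miss. The toy container format below (magic TOY1, a 4-byte length, the content, then zero padding to a 512-byte block) is constructed for this example; for a real format, declared_unused_regions would be replaced by that format's own section and slack-space layout, and the non-zero-run scanner would stay the same.

```python
"""Padding check (added example): a cavity infector writes into bytes that the
file format regards as unused, so the file size stays the same. Verifying
that every declared-unused region is still all zero detects such a change
without needing to recognise what was written there."""
import struct

BLOCK = 512          # constructed toy format: files are padded to this size
MAGIC = b"TOY1"      # constructed toy format: 4-byte magic at offset 0


def build_toy_file(content: bytes) -> bytes:
    """Toy format: MAGIC, 4-byte little-endian content length, content,
    then zero padding up to the next BLOCK boundary."""
    body = MAGIC + struct.pack("<I", len(content)) + content
    padding = (-len(body)) % BLOCK
    return body + b"\x00" * padding


def declared_unused_regions(data: bytes):
    """Return [(start, end)] spans the toy header says carry no content."""
    if len(data) < 8 or data[:4] != MAGIC:
        raise ValueError("not a toy file")
    (length,) = struct.unpack("<I", data[4:8])
    content_end = 8 + length
    if content_end > len(data):
        raise ValueError("declared length exceeds file size")
    return [(content_end, len(data))] if content_end < len(data) else []


def nonzero_runs(data: bytes, start: int, end: int):
    """Return (offset, length) for each maximal run of non-zero bytes in
    data[start:end]."""
    runs = []
    run_start = None
    for i in range(start, end):
        if data[i] != 0:
            if run_start is None:
                run_start = i
        elif run_start is not None:
            runs.append((run_start, i - run_start))
            run_start = None
    if run_start is not None:
        runs.append((run_start, end - run_start))
    return runs


def check_unused_regions(data: bytes):
    """Return a list of (offset, length) findings: non-zero bytes inside
    regions the format declares unused. An empty list means clean."""
    findings = []
    for start, end in declared_unused_regions(data):
        findings.extend(nonzero_runs(data, start, end))
    return findings


def demo():
    """Constructed scenario: a clean toy file and a copy of the same size
    whose padding has been overwritten with arbitrary non-zero bytes."""
    clean = build_toy_file(b"hello world" * 10)      # 110 bytes of content
    tampered = bytearray(clean)
    padding_start = 8 + 110
    tampered[padding_start + 5:padding_start + 21] = b"X" * 16   # constructed
    same_size = len(tampered) == len(clean)
    return same_size, check_unused_regions(clean), check_unused_regions(bytes(tampered))


if __name__ == "__main__":
    print(demo())
```

The size comparison in demo() returns True for both files, which is the property the slide attributes to cavity infectors; only the padding scan separates them. In a real scan the format-specific part is the hard one: for executables the unused regions are the gaps between section ends and their aligned boundaries, and the header fields that describe them must themselves be sanity-checked, as declared_unused_regions does for the toy length field.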

Page 17: Tunneling

• One way to detect a virus is intercepting interrupts: look for specific actions that may signify the presence of a virus
• A tunneling virus intercepts interrupts from the OS directly, so the anti-virus program cannot use them

Page 18: Tunneling - cont'd

Normal program
• Sends interrupt requests
Anti-virus software
• Intercepts the request and checks it
Operating system
• Gives it permission

Infected program
• Back-traces to the DOS and BIOS interrupt handlers
• Installs itself beneath these interrupt handlers
• Contacts the OS directly

Page 19: Camouflage

• Pretends to be a normal program
• Exploits the anti-virus program's ignore logic
• Thanks to advanced virus detection, it is rare

Page 20: Bootable CD-ROM

• Spreads through an infected CD-ROM
• If the system is booted from the CD-ROM, the hard disk will be destroyed
• No anti-virus program can stop it

Page 21: Other malware

Worms
• A special type of virus that can replicate itself and use memory, but cannot attach itself to other executable code

Trojans
• A small destructive program that runs hidden on an infected computer

Page 22: Worms

Characteristics
• Standalone malware
• Propagate to spread from machine to machine
• Do not attach themselves to an existing program

Infection techniques
• Aim at security failures
• Via the network, usually as an email attachment

Page 23: Worms - infecting phases

Gathering information
• Location, port, configuration, identification
Infecting target
• Send itself to the target machine
Payload
• Create a back door, alter or destroy files, transmit passwords…
• Any action other than spreading itself
Network propagation
• Select the next target by choosing randomly or by other methods

Page 24: Trojans

Characteristics
• Non-self-replicating
• Do not attach themselves to files or propagate

Infection techniques (always associated with a network)
• Bundled with malicious programs or delivered by drive-by download
• Normally done by social engineering

Running
• Run automatically after being installed
• Hide in the background and usually create one or more backdoors

Page 25: Trojans - purposes

• Destruction
• Password thievery
• Remote control
• Key logger
• DoS attack
• Zombie
• FTP Trojan

Page 26: Thanks for listening