
PIS Unit 5- Virus Intro

Sanjay Rawat, Sanjay_r@vnrvjiet.in



  1. PIS Unit 5- Virus Intro
     Sanjay Rawat, Sanjay_r@vnrvjiet.in
     PIS Unit5 sanjay Rawat

  2. Computer Virus
     • A virus is a piece of software that can "infect" other programs by modifying them; the modification includes a copy of the virus program, i.e. it can reproduce!
     • A virus does not necessarily have to be destructive!
     • However, in this class, we'll assume a destructive virus.

  3. A Destructive virus
     • Malicious software with infection.
     "Hi.. I am the deadly Blonde email virus. Please delete all your files and forward this email to your friends.. Thanks for your co-operation.."

  4. Cohen's virus
     • Modeled by mathematician Dr. Fred Cohen in 1984.
     • A virus is a program that is able to infect other programs by modifying them to include a possibly evolved copy of itself.
     • What about a companion virus?
     • "A computer virus is a program that recursively and explicitly copies a possibly evolved version of itself."

  5. Cohen's Virus

  6. Virus structure

     program V :=
     {1234567;
      subroutine infect-executable :=
        {loop: file := get-random-executable-file;
         if (first-line-of-file = 1234567) then goto loop
         else prepend V to file;
        }
      subroutine do-damage :=
        {whatever damage is to be done}
      subroutine trigger-pulled :=
        {return true if condition holds}
      main: main-program :=
        {infect-executable;
         if trigger-pulled then do-damage;
         goto next;}
     next:
     }

  7. Generic virus operation
     • Virus phases:
       • dormant (optional) – waiting on a trigger event
       • propagation – replicating to programs/disks
       • triggering – by an event, to execute the payload
       • execution – of the payload

  8. General types of Viruses
     • Parasitic virus
       • A typical virus that infects an executable.
     • Memory-resident virus
       • A program that leaves at least a portion of itself in memory after it terminates and waits for a particular event to take place before it 'activates' again.
       • Allocate some memory that will NOT be deallocated after the virus terminates. This is necessary so that the virus will not be overwritten.
       • Copy the virus to the allocated memory.
       • Set up a method by which the virus will eventually be activated, generally by hooking BIOS or DOS interrupts.

  9. Types conti…
     • Boot sector virus
       • The boot sector is the first section of a disk that contains software loaded onto your computer.
       • This program resides on a disk in some partition.
       • When a computer is switched on, the hardware automatically locates and runs the boot sector program. This program then loads the rest of the operating system into memory.
       • A boot sector virus infects computers by modifying the contents of the boot sector program. It replaces the legitimate contents with its own infected version.
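The slide describes a boot sector virus as one that replaces the legitimate boot sector contents. The defender's counterpart is an integrity check: verify the sector's 0x55AA signature and compare its hash with a trusted baseline. The following is an added example, not code from the slides; the sector bytes are constructed filler (not a real MBR), and the tampering function only overwrites a few bytes to show that a signature-only check is not enough.

```python
"""Added example: integrity check of a 512-byte boot sector.
The sector contents are constructed for illustration, not real boot code."""
import hashlib

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # the last two bytes of a PC boot sector


def make_clean_sector() -> bytes:
    """Construct a fake boot sector: filler 'code', zero padding, 0x55AA."""
    code = b"\xeb\x3c\x90" + b"FAKEBOOT"  # constructed filler, not real boot code
    body = code + b"\x00" * (SECTOR_SIZE - len(code) - 2)
    return body + BOOT_SIGNATURE


def has_valid_signature(sector: bytes) -> bool:
    """A sector is only bootable if it is 512 bytes and ends in 0x55AA."""
    return len(sector) == SECTOR_SIZE and sector[-2:] == BOOT_SIGNATURE


def sector_digest(sector: bytes) -> str:
    """SHA-256 of the whole sector; recorded once on a known-clean system."""
    return hashlib.sha256(sector).hexdigest()


def check_sector(sector: bytes, baseline_digest: str) -> str:
    """Classify a sector as 'ok', 'bad-signature' or 'modified'.
    The hash comparison is what catches a rewritten boot sector; the
    signature check alone only says the sector is still bootable."""
    if not has_valid_signature(sector):
        return "bad-signature"
    if sector_digest(sector) != baseline_digest:
        return "modified"
    return "ok"


def tampered_copy(sector: bytes) -> bytes:
    """Overwrite the first bytes with arbitrary filler while keeping 0x55AA,
    to show that a bootable-looking sector can still be a modified one."""
    patched = bytearray(sector)
    patched[0:8] = b"XXXXXXXX"
    return bytes(patched)


if __name__ == "__main__":
    clean = make_clean_sector()
    baseline = sector_digest(clean)
    print(check_sector(clean, baseline))                          # ok
    print(check_sector(tampered_copy(clean), baseline))           # modified
    print(check_sector(clean[:-2] + b"\x00\x00", baseline))       # bad-signature
```

On a real system the baseline hash would be stored outside the disk being checked (or signed), since a boot sector infector could otherwise update the stored value along with the sector.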

  10. Types conti..
     • Encrypted virus
       • Has two parts: the body and an encryption/decryption module.
       • A different key may be used to encrypt the body.
       • The decryption engine remains the same!
     • Polymorphic virus
       • Like an encrypted virus, but the decryption module is also changed! Also the encryption algorithm!
       • So, the whole virus looks new.

  11. Types conti…
     • Metamorphic virus
       • The whole virus is rewritten completely.
       • The metamorphic engine is part of the virus.
       • Normally has a large file size.
     • Macro virus
       • A virus that is written in a macro language: a language built into a software application such as a word processor.
       • OS independent, application dependent. E.g. Melissa.

  12. Worms
     • Virus-like characteristics, except that it replicates itself (so it is different from an email virus!).
     • For propagation, it scans the network (its vehicle), using:
       • the electronic mail facility
       • remote execution capability
       • remote login capability
     • Examples: Morris, Code Red, etc.

  13. Chronological appearances
     • BRAIN.A (1986)
     • Omega (1991)
     • Michelangelo (1992)
     • Concept (infects files, 1995)
     • Laroux (changes Excel sheets slowly, 1996)
     • Happy99 (email worm, 1998)
     • Melissa (macro + email)
     • Nimda (admin, Windows net share, 2001)

  14. Conti..
     • Code Red (internet worm, IIS server, 2001)
     • Sasser
     • Slammer (MS SQL, 2003)
     • Fizzer (money oriented)
     • Conficker (A|B|C|D|E) (MS Windows vulnerabilities, 2008)

  15. Protection from virus - Theoretical results
     • Undecidability problem: no single algorithm gives a yes/no answer for all inputs.
     • Halting problem (Alan Turing): "Given a description of an arbitrary computer program, decide whether the program finishes running or continues to run forever."
     • No single general algorithm exists to solve the halting problem.

  16. Theoretical results
     • Rice's Theorem: any non-trivial property of the partial function that is implemented by a program is undecidable.
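How these results bear on virus detection, as an added worked argument that is not on the slides (it is Cohen's diagonal construction from his 1984 work, restated here with the slides' vocabulary): suppose there were a total decider $D$ with $D(P) = 1$ exactly when program $P$ is viral. Since $D$ is computable, a program can contain it and call it on its own text, so build

$$P^{*} := \text{if } D(P^{*}) = 1 \text{ then exit without infecting, else run infect-executable.}$$

If $D(P^{*}) = 1$, then $P^{*}$ never infects anything, so it is not viral and $D$ answered wrongly. If $D(P^{*}) = 0$, then $P^{*}$ does infect, so it is viral and $D$ is again wrong. No such $D$ can exist, which is the same pattern as the halting problem: "is viral" is a non-trivial property of a program's behaviour, so Rice's theorem already predicts that exact detection is undecidable. In practice this is why the anti-virus generations on the later slides settle for signatures, heuristics and activity traps rather than a general decision procedure.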

  17. Chess et al. results (an undetectable virus)
     • A viral set is a maximal set of programs V such that for every pair of programs p and q in V, p eventually produces q, and q eventually produces p.
     • A computer virus is a viral set V.
     • A program p is said to be an instance of, or to be infected with, a virus V precisely when p is a member of the viral set V.

  18. Chess et al. results (an undetectable virus)
     • A program which is an instance of some virus is said to spread whenever it produces another instance of that virus.
     • The simplest virus is a viral set that contains exactly one program.
     • Larger sets represent polymorphic viruses, which have a number of different possible forms, all of which eventually produce all the others.
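The viral-set definition on slides 17 and 18 can be computed directly once "directly produces" is written down as a directed graph: "eventually produces" is reachability, and a viral set is a maximal group of programs that all reach one another (including each program reaching itself). The following is an added example, not code from the slides or from the Chess and White paper they summarise; the program names and the produces-relation are constructed.

```python
"""Added example: viral sets as maximal mutually-reachable groups of programs
under the 'eventually produces' relation. Graph contents are constructed."""

# Constructed 'directly produces' relation: program -> programs it writes out.
PRODUCES = {
    "v":  ["v"],        # simplest virus: produces an exact copy of itself
    "p1": ["p2"],       # three polymorphic forms that cycle through each other
    "p2": ["p3"],
    "p3": ["p1"],
    "d":  ["v"],        # produces v, but nothing ever produces d again
    "h":  [],           # ordinary program: produces nothing
}


def reachable(graph):
    """Transitive closure: reach[p] is the set of programs p eventually produces."""
    reach = {p: set(graph[p]) for p in graph}
    changed = True
    while changed:
        changed = False
        for p in graph:
            new = set()
            for q in reach[p]:
                new |= reach[q]
            if not new <= reach[p]:
                reach[p] |= new
                changed = True
    return reach


def viral_sets(graph):
    """Maximal sets V such that every p, q in V eventually produce each other.
    Taking p == q as a pair means a member must eventually produce itself,
    which excludes programs that only drop a virus without being reproduced."""
    reach = reachable(graph)
    sets = []
    seen = set()
    for p in graph:
        if p in seen or p not in reach[p]:
            continue
        members = {q for q in graph if q in reach[p] and p in reach[q]}
        seen |= members
        sets.append(frozenset(members))
    return sets


def infected_by(program, sets):
    """The viral sets `program` is an instance of (slide 17's 'infected with')."""
    return [s for s in sets if program in s]


if __name__ == "__main__":
    sets = viral_sets(PRODUCES)
    print(sets)                        # {'v'} and {'p1','p2','p3'}
    print(infected_by("p2", sets))     # the three-form polymorphic virus
    print(infected_by("d", sets))      # [] : d spreads v but is not an instance
```

The singleton {v} is the "simplest virus" of slide 18 and {p1, p2, p3} is the polymorphic case; d shows that a program can spread a virus without being infected by it, which is why the definition is stated in terms of sets rather than individual files.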

  19. Virus Countermeasure
     • Typical anti-virus steps:
       • Detection
       • Identification/classification
       • Removal
     • Generations of AV:
       • First generation: simple scanners (string match)
       • Second generation: heuristic scanners (specific rules, behaviour analysis)
       • Third generation: activity traps (memory monitoring)
       • Fourth generation: full-featured protection (combination of the above)
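The first-generation scanner on this slide and the automatic signature extraction that the Digital Immune System slides cite (Kephart and Arnold, 1994) fit together: extraction chooses a byte string from an infected sample that is unlikely to occur in clean software, and the scanner then string-matches it. The code below is an added example, not from the slides or the cited papers. Both the "clean corpus" and the "infected sample" are constructed byte strings, and the scoring rule (longest piece of a candidate that also appears in clean code) is a deliberate simplification of the n-gram frequency estimate the paper used.

```python
"""Added example: simplified automatic signature extraction plus a
first-generation string-matching scanner. All samples are constructed."""
from typing import Optional

# Constructed corpus of known-clean "programs" (byte strings standing in for
# executables; the leading bytes mimic a function prologue shared by many files).
CLEAN_CORPUS = [
    b"\x55\x89\xe5\x83\xec\x10 hello world program \xc9\xc3",
    b"\x55\x89\xe5 copy file routine \x31\xc0\xc9\xc3",
    b"print report \x55\x89\xe5\x83\xec\x10\xc9\xc3",
]

# Constructed infected sample: the same prologue plus a distinctive region.
INFECTED_SAMPLE = b"\x55\x89\xe5\x83\xec\x10 INF3CT-MARK-7731 \xc9\xc3"


def overlap_score(candidate: bytes, clean_corpus) -> int:
    """Length of the longest piece of `candidate` found anywhere in the clean
    corpus (0 means none of its bytes occur in clean code). A low score means
    a low chance of false positives when the candidate is used as a signature."""
    for k in range(len(candidate), 0, -1):
        for i in range(len(candidate) - k + 1):
            piece = candidate[i:i + k]
            if any(piece in clean for clean in clean_corpus):
                return k
    return 0


def extract_signature(sample: bytes, clean_corpus, length: int = 8) -> Optional[bytes]:
    """Pick the `length`-byte window of the sample that is least similar to clean
    code. Returns None if every window occurs verbatim in the corpus, i.e. no
    usable signature of that length exists (a shared prologue would be a bad one)."""
    best, best_score = None, length + 1
    for i in range(len(sample) - length + 1):
        cand = sample[i:i + length]
        score = overlap_score(cand, clean_corpus)
        if score < best_score:
            best, best_score = cand, score
    return None if best_score == length else best


def scan(data: bytes, signatures: dict) -> list:
    """First-generation scanner: report every signature that string-matches."""
    return [name for name, sig in signatures.items() if sig in data]


if __name__ == "__main__":
    sig = extract_signature(INFECTED_SAMPLE, CLEAN_CORPUS)
    db = {"constructed-sample": sig}
    print(sig)                                   # b'INF3CT-M'
    print(scan(INFECTED_SAMPLE, db))             # ['constructed-sample']
    print([scan(c, db) for c in CLEAN_CORPUS])   # [[], [], []]
```

The limitation the later slides point at is visible here: the signature is bytes of the sample body, so an encrypted or polymorphic variant whose body bytes differ would not match, and a scanner of this generation would have to target the unchanging decryptor instead.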

  20. Digital Immune System
     • Owned by Symantec, developed by IBM in 1995.
     • The objective was to automate the process of virus analysis and signature creation.
     • Provision for manual analysis.
     • Involves sample collection from clients.

  21. DIS conti…

  22. DIS conti…
     • Steve R. White, Morton Swimmer, Edward J. Pring, William C. Arnold, David M. Chess, and John F. Morar, "Anatomy of a Commercial-Grade Immune System," Virus Bulletin Conference, 1999, pp. 203-228.
     • Jeffrey O. Kephart and William C. Arnold, "Automatic Extraction of Computer Virus Signatures," Virus Bulletin Conference, 1994, pp. 178-184.
