Lecture # 1
BITS Pilani
For any query mail to f2002001@bits-pialni.ac.in or f2002601@bits-pilani.ac.in
Agenda
• What is a Computer Virus?
• Similar Terms – Trapdoor or Backdoor, Logic Bomb, Rabbit, Trojan Horse, Trojan Mule, Spyware, Adware, Worm, Malware
• Classes of Virus
• Functional Elements of Virus
And God blessed them, saying "Be fruitful and multiply"
What is a Computer Virus?
A self-replicating piece of executable computer code embedded within a host program.
Similar Terms
• Trapdoor or Backdoor : A secret, undocumented entry point into a program, used to gain access without the normal methods of access authentication.
• Logic Bomb : A computer program that is triggered only under certain conditions chosen by the programmer of the logic bomb.
• Rabbit : A program that consumes system resources by replicating itself.
Similar Terms Contd..
• Trojan Horse : An apparently useful program containing functions not intended by the user or advertised in its standard behavior.
• Trojan Mule : A program which emulates some aspect of the system's standard behavior, such as a login prompt, with a view to collecting system passwords.
• Spyware : A program that relays private information to a distant computer.
Similar Terms Contd..
• Adware : Delivers advertising to the user.
• Worm : An independent program which replicates itself and sends copies from computer to computer across network connections.
• Malware : MALicious softWARE.
Classification of Virus
What they infect?           How they infect?
System Sector Virus         Polymorphic Virus
File Virus                  Fast and Slow Infector
Macro Virus                 Sparse Infectors
Companion Virus             Armored Virus
Cluster Virus               Multipartite Virus
Script Virus                Stealth Virus
Application Specific Virus  Cavity (Spacefiller) Virus
                            Tunneling Virus
                            Camouflage Virus
                            NTFS ADS Virus
Classification of Virus : What they infect
• System Sector Virus : Infects floppy disk boot records or master boot records on hard disks. It replaces the boot record program (which is responsible for loading the operating system into memory), copying it elsewhere on the disk or overwriting it, and thus takes control of the system.
• File Virus : Infects executable program files, such as those with extensions like .BIN, .COM, .EXE, .OVL, .DRV (driver) and .SYS (device driver). These programs are loaded into memory during execution, taking the virus with them. The virus becomes active in memory, making copies of itself and infecting files on disk.
Classification of Virus : What they infect
• Macro Virus : Infects the macros within a document or template. When a word processing or spreadsheet document is opened, the macro virus is activated and infects the Normal template (Normal.dot), a general purpose file that stores default document formatting settings. Every document opened refers to the Normal template, and hence gets infected with the macro virus. Since this virus attaches itself to documents, the infection can spread if such documents are opened on other computers.
• Companion Virus : Locates files with names ending in EXE and creates a matching file name ending in COM that contains the viral code.
Classification of Virus : What they infect
• Cluster Virus : Infects files by changing the DOS directory information so that directory entries point to the virus code instead of the actual program. When the program is run, DOS first loads and executes the virus code; the virus then locates the actual program and executes it.
• Script Virus : Written in a variety of scripting languages (VBS, JavaScript, BAT, PHP etc.). They either infect other scripts, e.g. Windows or Linux command and service files, or form a part of multi-component viruses. Script viruses are able to infect other file formats, such as HTML, if the file format allows the execution of scripts.
Classification of Virus : What they infect
• Application-Specific Virus : Attaches itself to a specific file, rather than attacking any file of a given type. It makes use of detailed knowledge of the file it attacks to hide better than would be possible if it could infiltrate just any file. For example, it might hide in a data area inside the program rather than lengthening the file. However, in order to do that, the virus must know where the data area is located in the program, and that differs from program to program.
Classification of Virus : How they infect
• Polymorphic Virus : Changes its characteristics as it infects, so each copy of the virus looks different from the other copies.
• Fast Infector : Infects programs not just when they are run, but also when they are simply accessed. The purpose of this type of infection is to ride on the back of anti-virus software and infect files as they are being checked.
• Slow Infector : Infects files only when they are created or modified. Because the user knows the file is being changed, they are less likely to suspect that the changes also represent an infection.
Classification of Virus : How they infect
• Sparse Infectors : To avoid detection, they do not infect on every opportunity. For example, a virus can infect only every 20th time a file is executed.
• Armored Virus : Overlaps other classes of viruses and thus makes disassembly difficult.
• Multipartite Virus : A hybrid of boot and program viruses. They infect program files, and when the infected program is executed, these viruses infect the boot record. When you boot the computer the next time, the virus from the boot record loads into memory and then starts infecting other program files on disk.
Classification of Virus : How they infect
• Stealth Virus : Uses certain techniques to avoid detection. They may either redirect the disk head to read another sector instead of the one in which they reside, or they may alter the infected file's size as shown in the directory listing. For instance, the Whale virus adds 9216 bytes to an infected file; the virus then subtracts the same number of bytes (9216) from the size given in the directory.
• Cavity (Spacefiller) Virus : Attempts to install itself in empty space within a program file while not damaging the actual program itself. An advantage of this is that the virus then does not increase the length of the program and can avoid the need for some stealth techniques.
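An added example, not from the lecture slides: a minimal integrity checker in Python that flags the patterns described on the File Virus, Companion Virus, Slow Infector and Stealth Virus slides by comparing a clean baseline of executables against a later scan. The function names and the sample files it builds in a temporary directory are constructed for illustration; the 9216-byte growth reuses the figure quoted for Whale.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Executable extensions named on the File Virus slide
EXEC_EXTS = {".bin", ".com", ".exe", ".ovl", ".drv", ".sys"}

def snapshot(root):
    """Map each executable under root (lower-cased relative name) to (size, sha256)."""
    table = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in EXEC_EXTS:
            data = path.read_bytes()
            rel = str(path.relative_to(root)).lower()
            table[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return table

def compare(baseline, current):
    """Report executables that changed or appeared since the clean baseline."""
    findings = {"modified": [], "companion": [], "new": []}
    for name, fingerprint in sorted(current.items()):
        if name in baseline:
            # A stealth virus like Whale hides its growth in directory listings,
            # but the hash taken after a clean boot still changes.
            if baseline[name] != fingerprint:
                findings["modified"].append(name)
            continue
        stem, ext = os.path.splitext(name)
        # DOS runs NAME.COM before NAME.EXE, so a new .COM beside a known
        # .EXE matches the companion-virus pattern.
        if ext == ".com" and stem + ".exe" in baseline:
            findings["companion"].append(name)
        else:
            findings["new"].append(name)
    return findings

def demo():
    """Build constructed sample files, baseline them, then simulate changes."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("edit.exe", "fdisk.exe", "vga.drv", "notes.txt"):
            Path(root, name).write_bytes(b"MZ" + name.encode() * 8)
        baseline = snapshot(root)
        # Constructed changes standing in for an infection (no real virus code)
        with open(Path(root, "edit.exe"), "ab") as f:
            f.write(b"\x90" * 9216)  # the 9216-byte growth quoted for Whale
        Path(root, "fdisk.com").write_bytes(b"companion stub")
        Path(root, "notes.txt").write_bytes(b"changed, but not an executable")
        return compare(baseline, snapshot(root))
```

The baseline must be taken, and later scans run, from a clean boot medium; a fast infector or stealth virus that is already resident can tamper with what the scan reads.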
Classification of Virus : How they infect
• Tunneling Virus : Attempts to bypass activity-monitor anti-virus programs by following the interrupt chain back down to the basic DOS or BIOS interrupt handlers and then installing itself there.
• Camouflage Virus : Camouflages itself to look like something the scanner was programmed to ignore.
• NTFS ADS Virus : Exploits the Alternate Data Streams of the NTFS file system.
Functional Elements of Virus
• Search Routine : Locates new files or new areas on disk which are worthwhile targets for infection. This routine determines how well the virus reproduces.
• Copy Routine : Copies the virus into the area which the search routine locates.
• Anti-Detection Routine : Tries to keep the virus from being detected.
Before We Wrap Up..
• Disclaimer : NSF is not responsible for any damage caused by using any of the techniques explained in this presentation.