Computer Viruses Preetha Annamalai Niranjan Potnis
Outline • Computer Viruses – The Fundamentals • The Modus Operandi of a Virus • Virus Behavior and Symptoms • Virus Detection – The “Heuristic” Approach • A Sample Virus Code
What is a Computer Virus ? • A malicious piece of executable code written with not so noble intentions • Attaches itself to executable files • Loads into memory and then kicks off • Replication – a key operation
The Vulnerable Areas • EXE and COM files • Macros in Word • System sectors on hard disk / floppy disk • Scripts for Internet / e-mail
Virus Types • File Infectors • .COM, .EXE files • Modify entry point of file • Execute self first • System Sector Viruses • Sectors contain boot time executable code • Boot Sector, MBR • Relocate boot code
Virus Types • Macro Viruses • infect data files • execute on opening a document • modify global macro template • Worms • do not attach to host files/programs • rapidly replicate over network • can execute in a distributed fashion • use up network bandwidth
Modus Operandi Infection Phase Attack Phase
Infection Phase • The spreading of the virus • Based on a specific trigger/execution • Trigger condition – disk access / copying a file / a day or time • Intention is to spread as far as possible before detection • Act as TSRs (terminate-and-stay-resident programs) and can reside in any part of memory
Attack Phase • The virus’s actual function (payload) is performed • Needs a trigger • Typical attacks: deleting files, formatting/damaging the disk, slowing down the system, using up system resources • Optional phase: a virus may infect but never attack (e.g. due to poorly written virus code)
Virus Symptoms • Change in length of .exe or .com files. • Change in the file date/time stamp • Change to interrupt vectors • Reassignment of system resources • Reduction in amount of memory normally shown
Virus Detection and Prevention • Anti-virus software • Two Approaches • Pattern Matching Approach • The “Heuristic Approach”
Conventional Pattern Matching Approach • Concept of a “virus signature” • Look for the virus byte sequence in the file to be scanned • Compare against a signature data file • Pattern match has to be literal • Problems: • Cannot detect viruses not in the data file • Data file has to be updated constantly • Some viruses change their characteristic byte code from computer to computer, so a literal signature misses them
Heuristic Approach • “Speculation and Investigation” • Analyze program structure and behavior instead of looking for signature. • How about an analogy ? • Scan file for suspicious code • Does a file have virus-like characteristics ?
Using Heuristics • Content Filtering • Like a “flexible” pattern matching approach • Keep track of numerous ways to program virus like code • Need additional criteria for detection • Sandboxing • Run suspicious code in protected space within the system • Keep track of operating system calls • Compare them to a user defined policy
A Typical Heuristic Scanner • Determines the most likely location of the virus • Analyzes the program logic contained in that region • What are the computer instructions capable of doing? • Catalogs the program’s behavior
Typical Heuristic Scanner • Many ways to write the same program • Example: routine to terminate itself and return to the DOS prompt • Simple approach • Roundabout approach
Typical Heuristic Scanner

MACHINE LANGUAGE BYTES    USER-READABLE INSTRUCTIONS
Example 1 (simple approach):
B8 00 4C                  MOV AX,4C00
CD 21                     INT 21
Example 2 (roundabout approach):
B4 3C                     MOV AH,3C
BB 00 00                  MOV BX,0000
88 D8                     MOV AL,BL
80 C4 10                  ADD AH,10
8E C3                     MOV ES,BX
9C                        PUSHF
26 FF 1E 84 00            ES: CALL FAR [0084]

Both routines terminate the program: in example 2, AH becomes 3C + 10 = 4C and AL = BL = 00, and the far call through ES:0084 (the INT 21h entry of the interrupt vector table) reaches DOS without ever containing an INT 21 instruction, so a literal signature for example 1 does not match it.
Typical Heuristic Scanner • Maintain a database of byte sequences • Associate each byte sequence with its functional behavior • Can use wildcards (??) to match information that changes from virus to virus • Example: • B8 ?? 4C CD 21 – Terminate program (perm1) • B4 4C CD 21 – Terminate program (perm2) • B8 02 3D BA ?? ?? CD 21 – Open file (perm1) • BA ?? ?? B8 02 3D CD 21 – Open file (perm2)
Components of a Heuristic Scanner (diagram): Heuristic Engine, Emulator (maintains a set of registers), Program Disassembler, Inference Engine, Scoring Formula; output: Is Execution Recommended?
Some Virus Characteristics • Illicit writes to RAM • Undocumented Call • Hooks to standard interrupts • Calls to next instruction
Scoring Formula • Weight assigned to each virus characteristic depending on its strength • Net score assigned to file depending on the characteristics found and their count • Is Net-score higher than cut off value?
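An added example (not part of the slides) that ties the wildcard signatures above to the scoring formula: a small Python scanner that compiles the slides’ “??” patterns into byte regexes, tallies weighted hits and applies a cut-off. The weights, the cut-off and the sample byte strings are constructed for illustration; only the byte sequences themselves come from the slides.

```python
import re

# Wildcard byte signatures in the style of the slides ("??" matches any one
# byte), each mapped to the behaviour it implements and a weight. The weights
# and the cut-off are constructed for this example; the slides give no numbers.
RULES = [
    ("B8 ?? 4C CD 21",           "terminate program (perm1)", 1),
    ("B4 4C CD 21",              "terminate program (perm2)", 1),
    ("B8 02 3D BA ?? ?? CD 21",  "open file (perm1)", 3),
    ("BA ?? ?? B8 02 3D CD 21",  "open file (perm2)", 3),
    # The roundabout termination from the slide: a far call through the
    # INT 21h entry of the interrupt vector table (ES:0084) instead of INT 21.
    ("26 FF 1E 84 00",           "call through interrupt vector", 5),
]

def compile_signature(pattern):
    """Turn 'B8 ?? 4C' into a bytes regex where '??' is any single byte."""
    tokens = pattern.split()
    regex = b"".join(b"." if t == "??" else re.escape(bytes([int(t, 16)]))
                     for t in tokens)
    return re.compile(regex, re.DOTALL)

COMPILED = [(compile_signature(p), behaviour, weight) for p, behaviour, weight in RULES]

def scan(code):
    """Return every (offset, behaviour, weight) hit found in the byte string."""
    hits = []
    for regex, behaviour, weight in COMPILED:
        for m in regex.finditer(code):
            hits.append((m.start(), behaviour, weight))
    return sorted(hits)

def net_score(code):
    """Scoring formula: sum of weight x count over the characteristics found."""
    return sum(weight for _, _, weight in scan(code))

def is_suspicious(code, cutoff=4):
    """Inference engine verdict: is the net score higher than the cut-off?"""
    return net_score(code) > cutoff

# Constructed samples assembled from the slides' own byte sequences.
SIMPLE_EXIT = bytes.fromhex("B8004CCD21")                   # MOV AX,4C00 / INT 21
ROUNDABOUT_EXIT = bytes.fromhex("B43CBB000088D880C4108EC39C26FF1E8400")
OPEN_THEN_EXIT = bytes.fromhex("BA3412B8023DCD21") + ROUNDABOUT_EXIT

if __name__ == "__main__":
    for name, sample in [("simple", SIMPLE_EXIT), ("roundabout", ROUNDABOUT_EXIT),
                         ("open+roundabout", OPEN_THEN_EXIT)]:
        print(name, scan(sample), net_score(sample), is_suspicious(sample))
```

The roundabout exit scores higher than the plain one even though it never contains INT 21, which is exactly the case a literal signature misses.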
An Example Virus • The Michelangelo Virus Code
Conclusion • Virus writers have too much time! • Heuristic approach is robust • Not totally reliable – subject to false positives and false negatives • Anti-virus software needs to be updated frequently