
Computer Viruses

Computer Viruses. Preetha Annamalai, Niranjan Potnis. Outline: Computer Viruses – The Fundamentals; The Modus Operandi of a Virus; Virus Behavior and Symptoms; Virus Detection – The “Heuristic” Approach; A Sample Virus Code. What is a Computer Virus?


Presentation Transcript


  1. Computer Viruses
  Preetha Annamalai, Niranjan Potnis

  2. Outline
  • Computer Viruses – The Fundamentals
  • The Modus Operandi of a Virus
  • Virus Behavior and Symptoms
  • Virus Detection – The “Heuristic” Approach
  • A Sample Virus Code

  3. What is a Computer Virus?
  • A malicious piece of executable code written with not-so-noble intentions
  • Attaches itself to executable files
  • Loads into memory and then kicks off
  • Replication is a key operation

  4. The Vulnerable Areas
  • EXE and COM files
  • Macros in Word
  • System sectors on hard disk / floppy disk
  • Scripts for Internet / email

  5. Virus Types
  • File Infectors
    • .COM, .EXE files
    • Modify the entry point of the file
    • Execute themselves first, then the host
  • System Sector Viruses
    • Sectors contain boot-time executable code
    • Boot Sector, MBR
    • Relocate the original boot code

  6. Virus Types
  • Macro Viruses
    • Infect data files
    • Execute on opening a document
    • Modify the global macro template
  • Worms
    • Do not attach to host files/programs
    • Rapidly replicate over the network
    • Can execute in a distributed fashion
    • Use up network bandwidth

  7. Modus Operandi
  • Infection Phase
  • Attack Phase

  8. Infection Phase
  • The spreading of the virus
  • Based on a specific trigger/execution
  • Trigger condition – disk access / copying a file / a particular day or time
  • Intention is to spread as far as possible before detection
  • Act as TSRs (terminate-and-stay-resident programs) and can reside in any part of memory

  9. Attack Phase
  • The actual payload function is performed
  • Needs a trigger
  • Typical attacks –
    • Deleting files
    • Formatting/damaging the disk
    • Slowing down the system
    • Using up system resources
  • Optional phase: viruses may infect but never attack (for example, due to poorly written virus code)

  10. Virus Symptoms
  • Change in length of .exe or .com files
  • Change in the file date/time stamp
  • Changes to interrupt vectors
  • Reassignment of system resources
  • Reduction in the amount of memory normally shown

  11. Virus Detection and Prevention
  • Anti-virus software
  • Two Approaches
    • Pattern Matching Approach
    • The “Heuristic Approach”

  12. Conventional Pattern Matching Approach
  • Concept of a “virus signature”
  • Look for the virus byte sequence in the file to be scanned
  • Compare against a signature data file
  • The pattern match has to be literal
  • Problems –
    • Cannot detect viruses not in the data file
    • The data file has to be updated
    • Viruses change their characteristic byte code from computer to computer

  13. Heuristic Approach
  • “Speculation and Investigation”
  • Analyze program structure and behavior instead of looking for a signature
  • How about an analogy?
  • Scan the file for suspicious code
  • Does the file have virus-like characteristics?

  14. Using Heuristics
  • Content Filtering
    • Like a “flexible” pattern matching approach
    • Keep track of the numerous ways to program virus-like code
    • Need additional criteria for detection
  • Sandboxing
    • Run suspicious code in a protected space within the system
    • Keep track of operating system calls
    • Compare them to a user-defined policy

  15. A Typical Heuristic Scanner
  • Determines the most likely location of the virus
  • Analyzes the program logic contained in that region
  • What are the computer instructions capable of doing?
  • Catalogs the program's behavior

  16. Typical Heuristic Scanner
  • Many ways to write the same program
  • Example: routine to terminate itself and return to the DOS prompt
    • Simple Approach
    • Roundabout Approach

  17. Typical Heuristic Scanner
  MACHINE LANGUAGE BYTES    USER-READABLE INSTRUCTIONS
  Example 1:
  B8 00 4C                  MOV AX,4C00
  CD 21                     INT 21
  Example 2:
  B4 3C                     MOV AH,3C
  BB 00 00                  MOV BX,0000
  88 D8                     MOV AL,BL
  80 C4 10                  ADD AH,10
  8E C3                     MOV ES,BX
  9C                        PUSHF
  26 FF 1E 84 00            CALL FAR ES:[0084]

  18. Typical Heuristic Scanner
  • Maintain a database of byte sequences
  • Associate each byte sequence with its functional behavior
  • Can use wildcards (??) to match bytes that change from virus to virus
  • Example –
    • B8 ?? 4C CD 21 – Terminate Program (perm1)
    • B4 4C CD 21 – Terminate Program (perm2)
    • B8 02 3D BA ?? ?? CD 21 – Open file (perm1)
    • BA ?? ?? B8 02 3D CD 21 – Open file (perm2)

  19. Components of a Heuristic Scanner
  • Heuristic Engine
    • Emulator – maintains a set of registers
    • Program Disassembler
  • Inference Engine
    • Scoring Formula
    • Is execution recommended?
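The point of slides 16, 17 and 19 is that a literal signature for "B8 00 4C CD 21" never sees the roundabout routine, while an emulator that tracks registers does: both routines end with AH=4Ch reaching the INT 21h handler. The following toy real-mode emulator is an added example (not code from the slides or the authors) that supports exactly the opcodes used on slide 17; the two byte strings are the byte columns of Example 1 and Example 2, and the DOS function table, step limit and behaviour labels are this example's own choices.

```python
# Toy x86 real-mode emulator for the slide-17 routines (added example).
# It keeps a few registers, decodes only the opcodes the slide uses, and
# catalogs DOS calls whether they arrive via INT 21 or via a far call
# through the INT 21h vector-table slot (the "roundabout" approach).

IVT_SLOT_INT21 = 0x21 * 4   # linear 0x0084: interrupt vector table entry for INT 21h

# DOS INT 21h services selected by AH (subset; assumption for this example).
DOS_FUNCTIONS = {0x4C: "terminate program", 0x3D: "open file", 0x40: "write file"}

# Instruction lengths for the encodings we decode (opcode byte -> total bytes).
INSN_LEN = {0xB8: 3, 0xB4: 2, 0xBB: 3, 0x88: 2, 0x80: 3, 0x8E: 2,
            0x9C: 1, 0xCD: 2, 0xFF: 4}

# Constructed inputs: the machine-language columns of slide 17.
EXAMPLE_1 = bytes.fromhex("B8 00 4C CD 21")
EXAMPLE_2 = bytes.fromhex("B4 3C BB 00 00 88 D8 80 C4 10 8E C3 9C 26 FF 1E 84 00")


def classify_dos_call(ax):
    """Name the DOS service selected by AH, as a disassembler's catalog would."""
    ah = ax >> 8
    return DOS_FUNCTIONS.get(ah, f"INT 21h function {ah:02X}")


def fetch(code, ip, n):
    """Return the n bytes at ip, or None if the buffer ends first."""
    chunk = code[ip:ip + n]
    return chunk if len(chunk) == n else None


def run(code, max_steps=64):
    """Emulate `code` from offset 0 and return the list of observed behaviours."""
    regs = {"AX": 0, "BX": 0, "ES": 0}
    ip = 0
    override = None        # pending segment-override prefix ("ES" or None)
    pushed_flags = False   # PUSHF seen; a far call after it imitates INT
    behaviours = []
    for _ in range(max_steps):
        if ip >= len(code):
            break
        op = code[ip]
        if op == 0x26:                         # ES: prefix for the next instruction
            override, ip = "ES", ip + 1
            continue
        length = INSN_LEN.get(op)
        insn = fetch(code, ip, length) if length else None
        if insn is None:
            behaviours.append(f"unsupported or truncated opcode {op:02X} at {ip:04X}")
            break
        ip += length
        if op == 0xB8:                                   # MOV AX, imm16
            regs["AX"] = int.from_bytes(insn[1:3], "little")
        elif op == 0xB4:                                 # MOV AH, imm8
            regs["AX"] = (insn[1] << 8) | (regs["AX"] & 0xFF)
        elif op == 0xBB:                                 # MOV BX, imm16
            regs["BX"] = int.from_bytes(insn[1:3], "little")
        elif op == 0x88 and insn[1] == 0xD8:             # MOV AL, BL
            regs["AX"] = (regs["AX"] & 0xFF00) | (regs["BX"] & 0xFF)
        elif op == 0x80 and insn[1] == 0xC4:             # ADD AH, imm8
            ah = ((regs["AX"] >> 8) + insn[2]) & 0xFF
            regs["AX"] = (ah << 8) | (regs["AX"] & 0xFF)
        elif op == 0x8E and insn[1] == 0xC3:             # MOV ES, BX
            regs["ES"] = regs["BX"]
        elif op == 0x9C:                                 # PUSHF
            pushed_flags = True
        elif op == 0xCD:                                 # INT imm8
            if insn[1] == 0x21:
                behaviours.append(classify_dos_call(regs["AX"]))
            else:
                behaviours.append(f"INT {insn[1]:02X}h")
        elif op == 0xFF and insn[1] == 0x1E:             # CALL FAR [disp16]
            disp = int.from_bytes(insn[2:4], "little")
            linear = regs["ES"] * 16 + disp if override == "ES" else None
            # PUSHF followed by a far call through the INT 21h vector slot is
            # behaviourally an INT 21 without the CD 21 bytes being present.
            if pushed_flags and linear == IVT_SLOT_INT21:
                behaviours.append(classify_dos_call(regs["AX"]))
            else:
                behaviours.append(f"far call through [{disp:04X}]")
        else:
            behaviours.append(f"unsupported encoding {insn.hex()}")
            break
        override = None                                  # prefix consumed
    return behaviours


def is_terminating(code):
    """True if the routine reaches DOS 'terminate program' by any path."""
    return "terminate program" in run(code)


if __name__ == "__main__":
    for name, sample in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(name, run(sample))
```

A real scanner's emulator would track far more state (memory, the stack, every register and flag), but the mechanism is the same: the catalog is built from what the instructions do, not from which bytes encode them.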

  20. Some Virus Characteristics
  • Illicit writes to RAM
  • Undocumented calls
  • Hooks to standard interrupts
  • Calls to the next instruction

  21. Scoring Formula
  • A weight is assigned to each virus characteristic depending on its strength
  • A net score is assigned to the file depending on the characteristics found and their count
  • Is the net score higher than the cut-off value?
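Slides 18, 20 and 21 together describe a content-filtering scanner: a wildcard signature database maps byte sequences to behaviours, each behaviour carries a weight, and the file's net score is compared with a cut-off. The code below is an added example, not the authors' scanner; the signature list (which extends the slide-18 entries with DOS write-file and set-interrupt-vector calls), the weights, the cut-off of 5 and the two sample byte strings are all constructed for this example.

```python
import re
from collections import Counter

# Wildcard signature database in the style of slide 18: (byte pattern, behaviour).
# "??" stands for any one byte, so one entry covers every value of an immediate
# operand. Entries are constructed for this example.
SIGNATURES = [
    ("B8 ?? 4C CD 21",          "terminate program"),      # MOV AX,4Cxx / INT 21
    ("B4 4C CD 21",             "terminate program"),      # MOV AH,4C   / INT 21
    ("B8 02 3D BA ?? ?? CD 21", "open file"),              # MOV AX,3D02 / MOV DX,off / INT 21
    ("BA ?? ?? B8 02 3D CD 21", "open file"),              # MOV DX,off / MOV AX,3D02 / INT 21
    ("B4 40 CD 21",             "write file"),             # MOV AH,40   / INT 21
    ("B8 ?? 25 CD 21",          "hook interrupt vector"),  # MOV AX,25xx / INT 21 (set vector)
    ("B4 25 CD 21",             "hook interrupt vector"),  # MOV AH,25   / INT 21
]

# Weight per characteristic (slide 21). Every program terminates, so that
# behaviour scores nothing; hooking an interrupt (slide 20) weighs most.
WEIGHTS = {"terminate program": 0, "open file": 1, "write file": 2,
           "hook interrupt vector": 4}
CUTOFF = 5   # assumed cut-off value; a real scanner tunes this against false positives

# Constructed samples: a plain "exit to DOS" stub and a routine that opens a
# file, hooks a vector, writes, then terminates.
CLEAN = bytes.fromhex("B8 00 4C CD 21")
SUSPECT = bytes.fromhex("BA 34 12 B8 02 3D CD 21  B8 21 25 CD 21  B4 40 CD 21  B4 4C CD 21")


def compile_signature(pattern):
    """Turn 'B8 ?? 4C' into a bytes regex; DOTALL lets '.' match byte 0x0A too."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = [(compile_signature(p), behaviour) for p, behaviour in SIGNATURES]


def catalog_behaviour(code):
    """Count how often each behaviour's byte sequences occur in the buffer."""
    found = Counter()
    for regex, behaviour in COMPILED:
        hits = len(regex.findall(code))
        if hits:
            found[behaviour] += hits
    return found


def net_score(found):
    """Net score = sum over characteristics of weight * occurrence count."""
    return sum(WEIGHTS.get(behaviour, 0) * count for behaviour, count in found.items())


def scan(code):
    """Catalog behaviours, score them and compare against the cut-off."""
    found = catalog_behaviour(code)
    score = net_score(found)
    return {"behaviours": dict(found), "score": score, "suspicious": score > CUTOFF}


if __name__ == "__main__":
    print("clean  :", scan(CLEAN))
    print("suspect:", scan(SUSPECT))
```

Because the scoring is additive, a benign installer that legitimately hooks a vector and writes files lands above the cut-off just as the sample does; that is the false-positive trade-off the conclusion slide refers to, and why the cut-off and weights are tuned rather than fixed.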

  22. An Example Virus
  • The Michelangelo Virus Code

  23. Conclusion
  • Virus writers have too much time!
  • The heuristic approach is robust
  • Not totally reliable – subject to false positives and false negatives
  • Anti-virus software needs to be updated frequently
