This lecture covers the main types of malicious software, their impact on network security, and how viruses are dissected and mitigated. Topics include malicious code, back doors, Trojan horses, bots and coordinated attacks, and the characteristics, phases and internal structure of viruses.
CS 490-002/590-001 Network Security
Part 1 of Malicious Software & Virus Dissection 101 (as a part of CS)
Department of Computer Science, Southern Illinois University Edwardsville, Fall 2019
Dr. Hiroshi Fujinoki, E-mail: hfujino@siue.edu
Virus_Part1/001
Malicious Code
• Any program code that does harm to:
- Your network host (any damage to your data or hardware)
- The network your host belongs to (e.g., depleting the transmit bandwidth to the Internet)
- Any other network or host owned by someone else (including the public Internet)
Back doors
• A secret entry point into a program that lets someone who knows about the back door gain access without going through the usual access-control procedure.
• Back doors have been used legitimately by programmers to debug and test programs; some of the legitimate reasons:
- Testing
- Fixing bugs
- Monitoring (troubleshooting)
• A.K.A. "trap doors". A back door left in shipped code is still a vulnerability: anyone who learns of it gets the same bypass.
Trojan Horses
• Programs disguised as something benign or authorized in order to do harm to your host, your network or other networks.
• A Trojan pretends to be a legitimate system file, typically one that is running most of the time, to avoid being detected.
• Example: the Windows NT kernel login process. CTRL-ALT-Delete triggers a hardware interrupt that always goes to the OS; application processes cannot hook that interrupt, so a Trojan cannot put a fake login prompt in its place. Windows 9x does not have this design.
Bots (diagram: Attacker -> Internet -> Victim)
• = Hijacked servers and/or hosts (A.K.A. "zombies")
• Programs running on a victim's network host that do what they are supposed to do, but also take the attacker's commands and execute them on the attacker's behalf.
• In many cases, an attacked host cannot tell bots apart from legitimate clients.
• It is more difficult to identify the real attacker behind the bots.

Coordinated attacks (diagram: Attacker -> Hijack -> Bots -> Internet -> Victim)
• The attacker first hijacks many hosts (turning them into bots) and then directs all of them against the victim at once, so the traffic the victim sees comes from the bots rather than from the attacker.
Viruses
• A piece of program code that is similar to (and behaves similarly to) a biological virus, but in computers:

Biological virus | Computer virus
Consists of a DNA or RNA strand surrounded by a protein shell that bonds to a host cell | Consists of a set of instructions stored in a host program
No life outside of a host cell | No life outside of a host program
Replicates when the virus intrudes into a host cell | Replicates when the host program is executed
Copies infect other cells | Copies infect other files
Viruses
• Same as (or quite similar to) a Trojan horse, with two significant differences: a virus replicates itself and it is a parasite (it always needs a host).

 | Computer virus | Trojan horse
Triggers | Same as Trojan horses | Same as viruses
Activities | Same as Trojan horses | Same as viruses
Need for a host | Always | Not necessarily
Copies infect other files | Yes | No
Main characteristic | Replication | Pretending to be legitimate
Viruses
• Four phases: dormant phase, propagation phase, triggering phase and execution phase
• Different types of viruses: polymorphic viruses, boot sector viruses, stealth viruses and macro viruses. These categories are not orthogonal to each other, e.g., a boot sector virus can also be stealth or polymorphic; some combinations are impossible.
• Three components: concealer, replicator and bomb
Viruses: the four phases (diagram: Infection -> Dormant -> Propagation -> Trigger -> Execution (Bomb))
• Dormant phase: the virus has infected a host program and stays within it, but does not do (execute) anything.
• Propagation phase: before the virus performs any destructive action, it first tries to spread itself to other hosts. Dormancy and propagation are the background (stealth) phases; keeping them separate from the bomb avoids an obvious linkage between infection and destruction.
• Trigger phase: activates the "bomb" in the virus. Many triggers exist.
Viruses: Dormant Phase
• The virus is idle but will be activated by some event (= trigger) at some later time.
• The virus can be on disk (as part of the infected file) or a hidden thread running in memory (memory-resident dormancy).
• Triggers:
- Date and/or time (e.g., Friday the 13th)
- Disk access (to specific sectors)
- Activation of other processes (other network applications, a virus scanner)
Why are these "special" to viruses?
Viruses: Propagation Phase
• The virus places an identical copy of itself into another program (any "executable") or into a certain area of the disk (the MBR).
• Some viruses come with "fast search" algorithms to maximize the speed of spread, e.g.:
- Directory traversal
- E-mail log
- Looking up the local ARP cache
- Port scanning
- Looking up the local routing table
NIST NVD (National Vulnerability Database): monthly reports of known vulnerabilities
CVSS (Common Vulnerability Scoring System): the severity score assigned to each NVD entry
Viruses: Triggering Phase
• The phase that makes the transition from the dormant phase to the execution phase.
• The virus is activated by a certain trigger and its state changes from "dormant" to "active".
• The virus is put in memory, gets ready for execution, and program control (= the processor) is passed to the virus.
Viruses: Execution Phase
• The virus has been activated by a certain trigger and its state has changed from "dormant" to "active".
• As the "bomb", the activated virus does the harm(s) it intends to.
• Most viruses balance the amount of work between "propagation" and "execution (bomb)": propagate first, then execute. If a virus used 100% of the CPU cycles, for example, the risk of being detected would usually become high.
Virus internal structure
• Viruses require a host program; they cannot exist by themselves.
• Viruses infect program files (any "executable", and source code) stored on disk (or any other storage). A program file consists of a file header and a program body (a set of instructions).
• Viruses infect the program body: the virus code is attached to the executable.
Virus internal structure (2)
• Virus code consists of a Transfer and a Body.
• Transfer: hooks and diverts program execution to the virus body; after the virus finishes running, it resumes the normal execution of the host program.
• Body: the core of the virus.
Virus internal structure (3)
• The Body has three parts:
- Concealer: hides the virus from virus scanners
- Replicator: copies the virus itself and infects another file
- Bomb: code that harms the infected system
Procedure for virus infection (Propagation Phase)
Your host program starts, the transfer diverts control to the virus, and the following steps are executed in the background:
(1) Find a file to infect (combined with directory traversal)
(2) Check whether it is already infected
(3) If it is already infected, go back to (1)
(4) Infect the file
(5) If enough files have been infected, quit
(6) Otherwise, go back to (1)
Finally, restore the host program and resume it.
Infection mechanism by replicator: file layout
Uninfected file (on disk), program body of N + M bytes:
  offset 0 .. N     : the first N bytes of the program body (to be overwritten by the PCT)
  offset N .. N+M   : the remaining M bytes of the program body
Infected file (on disk), with a Program Control Transfer (PCT) of N bytes and virus code of K bytes:
  offset 0 .. N          : PCT (overwrites the first N bytes of the host)
  offset N .. N+M        : the remaining M bytes of the program body, unchanged
  offset N+M .. 2N+M     : the saved original first N bytes of the host
  offset 2N+M .. 2N+M+K  : virus code
The infected file is then saved back to disk (or the storage device); it has grown by N + K bytes.
Infection mechanism by replicator: loading
• When the virus-infected executable is loaded into main memory and execution starts, the host program does not start: the PCT planted by the virus diverts control to the virus body (concealer, replicator, bomb).
Infection mechanism by replicator: the replicator's steps (L1 = the first N bytes of the host program body, L2 = the rest)
• Save the file attributes and change them to "all clear" (Read Only -> Writable)
• Save the file's last-updated timestamp
• Close the file
• Open it in READ/WRITE mode
• Save L1 and copy it at the end of L2
• Overwrite L1 with the PCT
• Attach the virus code (concealer, replicator, bomb) after the saved copy of L1
• Save the infected file back to disk
• Restore the file attributes
• Restore the last-updated timestamp
Infection mechanism by replicator: when the infected executable starts
(1) Overwrite the PCT (in memory) with the saved top instructions of the host program
(2) Once the "bomb" of this virus has been executed (and completed), try to delete itself from memory as much as possible
(3) Return program control to the top of the host program
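The infection procedure (steps (1) to (6)), the PCT | L2 | L1 | virus file layout and the attribute/timestamp restoration above, as an added worked model that is not part of the lecture: every "file" is an in-memory bytes object in a dict, the "virus code" is an inert string, the PCT format (a "JMP" tag plus a 4-byte offset) and the infection MARKER are assumptions made for the model, and the sample executables are constructed. The last function is the defender's side: because the replicator puts the timestamp back, a modification-time check sees nothing, while a content hash flags every victim.

```python
"""Simulated file infector following the slide layout PCT | L2 | L1 | virus.

All "files" are bytes objects inside a dict; nothing touches a real disk and the
"virus code" is an inert byte string.
"""
import hashlib
import struct

N = 8                                    # size of the program-control transfer (PCT), in bytes
MARKER = b"\xde\xad\xbe\xef"             # hypothetical infection marker for the "already infected?" check
PAYLOAD = b"concealer|replicator|bomb"   # constructed stand-in for the virus body (inert)
VIRUS = MARKER + PAYLOAD                 # the K bytes appended to every victim
K = len(VIRUS)


def make_pct(virus_offset):
    """Model of the N-byte PCT: a tag plus the file offset the transfer jumps to."""
    pct = b"JMP\x00" + struct.pack("<I", virus_offset)
    assert len(pct) == N
    return pct


def is_infected(data):
    """Step (2): infected if the file starts with a PCT whose target carries MARKER."""
    if len(data) < N or data[:4] != b"JMP\x00":
        return False
    off = struct.unpack("<I", data[4:N])[0]
    return data[off:off + len(MARKER)] == MARKER


def infect(data):
    """Step (4): turn L1 | L2 (N + M bytes) into PCT | L2 | L1 | VIRUS (2N + M + K bytes)."""
    if len(data) < N:
        raise ValueError("host too small to hold a PCT")
    l1, l2 = data[:N], data[N:]
    m = len(l2)
    virus_offset = 2 * N + m             # saved L1 sits at N + M, virus code right after it
    out = make_pct(virus_offset) + l2 + l1 + VIRUS
    assert len(out) == 2 * N + m + K
    return out


def replicate(disk, budget):
    """Steps (1)-(6) over a dict modelling the disk: {name: {"data", "mtime", "readonly"}}."""
    victims = []
    for name, f in disk.items():                          # (1) directory traversal
        if len(victims) >= budget:                        # (5) infected enough, quit
            break
        if is_infected(f["data"]):                        # (2)/(3) skip already-infected files
            continue
        saved_ro, saved_mtime = f["readonly"], f["mtime"]
        f["readonly"] = False                             # "all clear" so the write is allowed
        f["data"] = infect(f["data"])                     # (4)
        f["readonly"], f["mtime"] = saved_ro, saved_mtime  # put the evidence back
        victims.append(name)                              # (6) keep traversing
    return victims


def execute(data):
    """Model of loading an infected file: follow the PCT, 'run' the virus, restore the host."""
    if not is_infected(data):
        return None, data
    off = struct.unpack("<I", data[4:N])[0]
    saved_l1 = data[off - N:off]                          # the original first N bytes
    payload = data[off + len(MARKER):]                    # what the virus body would run
    host = saved_l1 + data[N:off - N]                     # PCT overwritten by L1; L1 copy and virus dropped
    return payload, host


def changed_files(baseline, disk):
    """Defender's check: a content hash catches what a restored mtime hides."""
    return [n for n, f in disk.items() if hashlib.sha256(f["data"]).hexdigest() != baseline[n]]


def demo():
    # Constructed "disk": three small fake executables with attributes and timestamps.
    disk = {
        "a.exe": {"data": b"MZ-A" + bytes(range(20)), "mtime": 1000, "readonly": True},
        "b.exe": {"data": b"MZ-B" + bytes(range(40)), "mtime": 2000, "readonly": False},
        "c.exe": {"data": b"MZ-C" + bytes(range(12)), "mtime": 3000, "readonly": False},
    }
    originals = {n: f["data"] for n, f in disk.items()}
    baseline = {n: hashlib.sha256(f["data"]).hexdigest() for n, f in disk.items()}
    first = replicate(disk, budget=2)        # infects a.exe and b.exe, then quits
    second = replicate(disk, budget=2)       # skips a.exe and b.exe, infects c.exe
    payload, host = execute(disk["a.exe"]["data"])
    return {
        "first_pass": first,
        "second_pass": second,
        "mtime_untouched": [disk[n]["mtime"] for n in disk] == [1000, 2000, 3000],
        "hash_flags": changed_files(baseline, disk),
        "sizes_grew_by": {n: len(disk[n]["data"]) - len(originals[n]) for n in disk},
        "host_restored": host == originals["a.exe"],
        "payload": payload,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Each victim grows by exactly N + K bytes, which is the other cheap tell a file-integrity check can use alongside the hash; the restored read-only bit and timestamp only defeat tools that trust metadata.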
Infection mechanism by concealer
• The concealer is called by the replicator.
• The replicator finds an uninfected file on the disk and brings it into main memory.
• The replicator sets up the four-component structure (PCT, concealer, replicator, bomb) in memory and then calls the concealer.
• The concealer scrambles (encrypts) the virus code, in particular the bomb, and the result is written back to disk as the new infected file.
Infection mechanism by concealer (2)
• When the new infected file is executed the next time, the file is first loaded into memory and then executed.
• The PCT lets the process jump to the replicator, but the core of the virus (the bomb) is still encrypted.
• The replicator calls the concealer to decrypt the virus core (replicator and bomb) in memory before it runs.
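The concealer's encrypt-on-disk, decrypt-in-memory cycle from the two slides above, as an added model that is not part of the lecture: the core (replicator and bomb) is an inert constructed string, the scrambling is repeating-key XOR with a fresh key per infection, and the on-disk record format (stub, key, length, ciphertext) is an assumption made for the example. The scan at the end shows what this buys the virus and what it does not: a signature taken from the core no longer matches any concealed copy, but the decryptor stub is identical in every copy and a scanner keyed on it still finds them.

```python
"""Model of the concealer: encrypt the virus core on disk, decrypt it in memory at load time.

All bytes are constructed for this example; CORE is an inert string, not real virus code.
"""
import os

STUB = b"DECRYPT:"                        # the concealer's decryptor; identical in every copy
CORE = b"replicator+bomb: do harm here"  # constructed stand-in for the replicator and bomb
SIGNATURE = CORE[:12]                     # what a naive scanner keys on: bytes of the core


def xor_bytes(data, key):
    """Repeating-key XOR, the scrambling used here (a real concealer may use anything invertible)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def conceal(core, key=None):
    """What the concealer writes to disk: STUB | 4-byte key | 2-byte length | xor(core, key).

    A fresh key per infection makes every on-disk copy look different, but the stub
    and the key are stored in the clear so that the copy can decrypt itself later.
    """
    key = key or os.urandom(4)
    return STUB + key + len(core).to_bytes(2, "little") + xor_bytes(core, key)


def reveal(blob):
    """What runs at load time: the stub reads its key and decrypts the core in memory."""
    if not blob.startswith(STUB):
        raise ValueError("not a concealed virus body")
    p = len(STUB)
    key = blob[p:p + 4]
    n = int.from_bytes(blob[p + 4:p + 6], "little")
    return xor_bytes(blob[p + 6:p + 6 + n], key)


def scan_for(pattern, files):
    """Static signature scan: which files contain `pattern` verbatim?"""
    return [name for name, data in files.items() if pattern in data]


def demo():
    # Two infections of the same core with different keys, plus the unconcealed core.
    files = {
        "plain.bin": CORE,
        "inf1.bin": conceal(CORE, b"\x01\x02\x03\x04"),
        "inf2.bin": conceal(CORE, b"\xaa\xbb\xcc\xdd"),
    }
    return {
        "core_sig_hits": scan_for(SIGNATURE, files),   # only the unconcealed copy
        "stub_sig_hits": scan_for(STUB, files),        # both concealed copies
        "copies_differ": files["inf1.bin"] != files["inf2.bin"],
        "decrypts_ok": all(reveal(files[n]) == CORE for n in ("inf1.bin", "inf2.bin")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The constant stub is the handle a scanner should reach for. A polymorphic virus (slide 009) goes one step further and mutates the decryptor itself on each infection, which is why scanners for that class emulate the code until it has decrypted itself rather than matching bytes on disk.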