Viruses
CSE 465-591, Fall 2006
Taxonomy of Malicious Programs
• Malicious programs
  • Needs host program: Trap doors, Logic Bombs, Trojan Horses, Viruses
  • Independent: Worm, Zombie
  • Replicate: Viruses, Worm
Definitions
• Trap Doors (also called Back Doors): Holes in the security of a system deliberately left in place by designers or maintainers for privileged access
  • Example: Some operating systems have privileged accounts for use by field service technicians or maintenance programmers. In Unix-style operating systems, root is the conventional name of the user who has all rights or permissions in all modes (single- or multi-user). Alternative names include baron and avatar on some Unix variants. BSD often provides a toor ("root" backwards) account in addition to a root account. The root user can make many changes an ordinary user cannot, such as changing the ownership of files and binding to ports numbered below 1024.
Definitions (cont.)
• Logic Bombs: Code surreptitiously inserted into an application program or operating system to perform some destructive or security-compromising activity whenever specified conditions are met
  • Example: In 1998, Timothy Allen Lloyd, a former chief computer network program designer, was sentenced to 41 months in prison for unleashing a $10 million "logic bomb" 20 days after his dismissal. The "bomb" deleted all the design and production programs of Omega Engineering Corp., a New Jersey-based manufacturer of high-tech measurement and control instruments used by NASA and the U.S. Navy.
Definitions (cont.)
• Trojan horse: Malicious, security-breaking program disguised as something benign, such as directory-listing software, archiving software, game software, or software to find and destroy viruses
  • A Trojan horse is similar to a back door
• Virus: Program or piece of code that infects one or more other programs by modifying them; the modification includes a copy of the virus program, which can then infect other programs
  • Victim programs become Trojan horses
  • The embedded virus is executed along with the program, propagating the "infection"
  • Normally invisible to the user
Reading: T1 ch. 19.2, 19.3; T2 ch. 22.2, 22.3
Examples
• The Win95/Marburg virus got widespread circulation in August 1998, when it was included on the master CD of the popular MGM/EA PC CD-ROM game "Wargames".
• The CD contains one file infected by the Marburg virus: \EREG\EREG32.EXE
Definitions (cont.)
• Worm: Program that propagates and reproduces itself as it goes over a network
  • A negative term: only crackers write worms
  • Cracker: a person who engages in illegal or unethical circumvention of computer security systems
• Zombie: Process that has terminated (either killed or exited) and whose parent process has not yet received notification of its termination
  • Exists only as a process table entry
  • Consumes no other resources
Reading: T1 ch. 19.4; T2 ch. 22.4
Structure of a Virus
• Viruses have the following parts:
  • "engine": code that enables the virus to propagate
  • "payload": set of instructions that defines the action (frequently destructive) which the virus performs. Not all viruses have payloads, and not all payloads cause harm
• Viruses need:
  • "host": the particular hardware and software environment on which the virus can run
  • "trigger": the event that starts the virus running
Source: Eugene Kaspersky, "Computer Viruses", Kaspersky Lab, Moscow, 2001, http://www.viruslist.com/eng/viruslistbooks.html
Types of Viruses
• Boot Viruses (boot sector infectors)
  • Infect the boot sector of a floppy disk and the boot sector or Master Boot Record (MBR) of a hard disk
  • Upon boot-up, the virus forces the system to read it into memory and pass control of the system to the virus code instead of the original loader routine
  • A virus resident in RAM will continue to infect the disk even after the disk is formatted, unless RAM is cleared
Reading: T1 ch. 19.3.1; T2 ch. 22.3.1
Types of Viruses (cont.)
• File Viruses
  • Use the OS file system in one way or another to propagate themselves
  • No known OS is secure
  • May infect files containing program source code, libraries or object modules
Types of Viruses (cont.)
• Macro Viruses
  • May be written in the macro languages built into some data-processing systems, such as text editors and electronic spreadsheets
  • Most common in Microsoft Word, Microsoft Excel and Office, due to their extensive use of macro languages
Reading: T1 ch. 19.3.8; T2 ch. 22.3.8
Types of Viruses (cont.)
• Polymorphic Viruses
  • Change their own form each time they insert themselves into another program
  • Can be of various kinds, such as boot, file or macro viruses
  • Cannot be detected, or only with great difficulty, using so-called virus masks (signatures built from the non-changing, virus-specific parts of the code)
  • Generated in two ways:
    • By encrypting the main code of the virus with a non-constant encryption key and using random sets of decryption commands
    • By changing the engine of an existing virus
Reading: T1 ch. 19.3.7; T2 ch. 22.3.7
Types of Viruses (cont.)
• Stealth Viruses
  • Cover or hide their presence in the system
  • Can take the form of an existing file format
  • Can reside inside a frequently used application
Reading: T1 ch. 19.3.5; T2 ch. 22.3.5
Types of Viruses (cont.)
• Memory Resident Viruses
  • Also called Terminate and Stay Resident (TSR) viruses
  • Leave a copy of the virus in system memory, intercept some events (such as file or disk calls), and run infecting routines on the files and disk sectors being processed
  • Active not only while an infected program runs, but also after that program terminates
Types of Viruses (cont.)
• Network Viruses
  • Have characteristics of both viruses and worms
  • Make extensive use of network protocols and the capabilities of local and global access networks to multiply and transfer the virus code to a remote server or workstation automatically
  • Sometimes called Network Worms
Network Viruses vs. Worms
• All network viruses are worms
• Not all worms are network viruses
  • A worm can infect other computers for a non-malicious purpose
• Examples:
  • A worm can be used to install automatic software updates across a very large network
  • A worm can be used for spam e-mails and for disseminating announcements in a large organization
Virus Infecting Mechanisms
• Unlike a worm, a virus cannot infect other computers without assistance
• Propagated by interactions, such as humans trading programs with their friends
• A virus may do nothing but propagate itself and then allow the program to run normally
Nature of Viruses
• Four phases in the lifetime of a virus:
  • Dormant Phase
  • Propagation Phase
  • Triggering Phase
  • Execution Phase
Dormant Phase
• Virus is idle
• Eventually activated by some condition or event, such as:
  • System date
  • Presence of another program or file
  • Current usage of disk space exceeding some limit
• Not all viruses have this phase
Propagation Phase
• Virus places an identical copy of itself in other programs or into certain system areas of the disk
• Each infected program now contains the virus and will itself enter a propagation phase
Triggering Phase
• Virus is activated by an event or condition to perform the function for which it was intended
• Can be caused by a variety of events or conditions, for example the number of times this copy of the virus has made copies of itself
Execution Phase
• Virus function is performed
• Virus function may be:
  • Harmless, but annoying
    • Examples: a message on screen, distorted windows or harmless spam
  • Harmful
    • Examples: destruction of programs or files, or deletion of important or sensitive data
Antivirus
• Antivirus Software: Programs to detect and remove viruses
  • Simplest: scans executable files and boot blocks for a list of known viruses
  • Others: constantly active, attempting to detect the actions of general classes of viruses
  • Includes a regular update service allowing the antivirus software to keep up with the latest viruses as they are released
Antivirus Terminology
• False Positive: An uninfected object (file, sector or system memory) triggers the antivirus program
• False Negative: An infected object arrives undetected
• On-demand Scanning: A virus scan starts upon user request
  • The antivirus program remains inactive until a user invokes it from a command line, batch file or system scheduler
• On-the-fly Scanning: All objects processed in any way (opened, closed, created, read from or written to, etc.) are constantly checked for viruses
  • The antivirus program is always active, memory resident and checking objects without user request
Generations of Antivirus
• First: Simple scanners
  • Require a virus signature to identify a virus
  • A virus signature is a unique string or binary pattern of a virus, used to detect and identify specific viruses, e.g. "Istanbul-turkey"
  • Limited to the detection of known viruses
• Second: Heuristic scanners
  • Use heuristic rules to search for probable virus infection
  • Look for fragments of code that are often associated with viruses
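The following is an added example, not part of the original slides, that ties the antivirus terminology above (false positive, false negative, on-demand scanning) to a first-generation signature scanner. It builds a few constructed sample files (no real malware; the "Istanbul-turkey" string is the slide's own example signature, the second pattern is invented for the demo), scans them once on demand, and counts how a pure signature match errs in both directions.

```python
from pathlib import Path
from tempfile import TemporaryDirectory

# Signature database: name -> byte pattern. "Istanbul-turkey" is the example
# signature quoted on the slide; "Demo.Marker" is a constructed pattern.
SIGNATURES = {
    "Demo.Istanbul": b"Istanbul-turkey",
    "Demo.Marker": b"\x90\x90INFECT\x00",
}

def scan_bytes(data: bytes) -> list:
    """First-generation scanning: report every known signature present in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]

def on_demand_scan(root: Path) -> dict:
    """On-demand scan: runs once over a directory when invoked, then stops."""
    return {p.name: scan_bytes(p.read_bytes())
            for p in sorted(root.iterdir()) if p.is_file()}

def count_errors(results: dict, infected: dict) -> tuple:
    """False positives: clean objects that triggered; false negatives: infected objects missed."""
    fp = sum(1 for name, hits in results.items() if hits and not infected[name])
    fn = sum(1 for name, hits in results.items() if not hits and infected[name])
    return fp, fn

def demo() -> dict:
    """Write a constructed sample set to a temp dir, scan it, and report error counts."""
    # Constructed samples: (content, True if we label the object as infected).
    samples = {
        "clean.exe": (b"MZ" + b"\x00" * 16 + b"ordinary program code", False),
        "infected.exe": (b"MZ" + b"\x00" * 16 + b"code Istanbul-turkey code", True),
        # Clean text that merely mentions the signature string -> false positive
        "notes.txt": (b"Trip report: flight Istanbul-turkey to Ankara", False),
        # Variant whose bytes differ from the stored signature -> false negative
        "variant.exe": (b"MZ" + b"\x00" * 16 + b"code Istanbul-TURKEY code", True),
    }
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, (data, _) in samples.items():
            (root / name).write_bytes(data)
        results = on_demand_scan(root)
    infected = {name: label for name, (_, label) in samples.items()}
    fp, fn = count_errors(results, infected)
    return {"results": results, "false_positives": fp, "false_negatives": fn}

if __name__ == "__main__":
    print(demo())
```

The mismatch on `variant.exe` is exactly why the slides say signature masks struggle with polymorphic code, and `notes.txt` shows why a signature must be chosen to be unique to the virus.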
Generations of Antivirus (cont.)
• Third: Activity traps
  • Identify a virus by its actions (trapping malicious activities) rather than by its structure in an infected program
  • No need to develop signatures and heuristics for a wide variety of viruses
  • Need to identify the set of actions that indicates an infection is being attempted, and then intervene
Generations of Antivirus (cont.)
• Fourth: Full-featured protection
  • Packages consisting of a variety of antivirus techniques used together
  • Include scanning and activity trap components
  • Access control capability limits the ability of viruses to penetrate a system
  • Limits the ability of a virus to update files and so prevents it from spreading an infection
Virus Prevention
• Install the latest antivirus updates
• Institution-wide licenses for antivirus software
• Protect passwords for access
• Do not open suspicious e-mails
• Protect the network through firewalls
• Implement a virus-prevention policy for the organization
References
• Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2004, ISBN: 0321247442
• Matt Bishop, Computer Security: Art and Science, Addison-Wesley, 2002, ISBN: 0201440997