Stephen S. Yau, CSE 465-591, Fall 2006

Viruses
Taxonomy of Malicious Programs

Malicious programs
  Needs host program: Trap doors, Logic bombs, Trojan horses, Viruses
  Independent: Worms, Zombies
  Replicate: Viruses (host-dependent) and Worms (independent)
Definitions

Trap Doors (also called Back Doors): holes in the security of a system deliberately left in place by designers or maintainers for privileged access.

Example: Some operating systems have privileged accounts for use by field service technicians or maintenance programmers. In Unix-style operating systems, root is the conventional name of the user who has all rights or permissions in all modes (single- or multi-user). Alternative names include baron and avatar on some Unix variants. BSD often provides a toor ("root" backwards) account in addition to the root account. The root user can make many changes an ordinary user cannot, such as changing the ownership of files and binding to ports numbered below 1024.
Definitions (cont.)

Logic Bombs: code surreptitiously inserted into an application program or operating system to perform some destructive or security-compromising activity whenever specified conditions are met.

Example: Timothy Allen Lloyd, a former chief computer network program designer at Omega Engineering Corp., a New Jersey-based manufacturer of high-tech measurement and control instruments used by NASA and the U.S. Navy, was charged in 1998 and sentenced in 2002 to 41 months in prison for a "logic bomb" that went off 20 days after his dismissal and deleted all of the company's design and production programs, at an estimated cost of $10 million.
Definitions (cont.)

Trojan horse: malicious, security-breaking program disguised as something benign, such as directory-listing software, archiving software, game software, or software to find and destroy viruses. A Trojan horse is commonly used to plant a back door.

Virus: program or piece of code that infects one or more other programs by modifying them; the modification includes a copy of the virus program, which can then infect other programs.
  Victim programs become Trojan horses: the embedded virus is executed along with the program, propagating the "infection".
  Normally invisible to the user.

Reading: T1 ch. 19.2, 19.3; T2 ch. 22.2, 22.3
Examples

The Win95/Marburg virus got widespread circulation in August 1998, when it was included on the master CD of the popular MGM/EA PC CD-ROM game "Wargames". The CD contains one file infected by the Marburg virus: \EREG\EREG32.EXE
Definitions (cont.)

Worm: program that propagates and reproduces itself as it goes over a network. Usually a pejorative term, since most worms are written by crackers, although worms have also been written for non-malicious purposes.
  Crackers: people who engage in illegal or unethical circumvention of computer security systems.

Zombie: in this taxonomy, a program that secretly takes control of another Internet-attached computer and uses it to launch attacks (for example, distributed denial of service) that are hard to trace back to the zombie's author. Not to be confused with a Unix zombie process: a process that has terminated (either killed or exited) and whose parent has not yet received notification of its termination; it exists only as a process-table entry and consumes no other resources.

Reading: T1 ch. 19.4; T2 ch. 22.4
Structure of a Virus

Viruses have the following parts:
  "engine": code that enables the virus to propagate
  "payload": set of instructions that defines the action (frequently destructive) which the virus performs. Not all viruses have payloads, and not all payloads cause harm.

Viruses need:
  "host": the particular hardware and software environment in which the virus can run
  "trigger": the event that starts the virus running

Eugene Kaspersky, "Computer Viruses", Kaspersky Lab, Moscow, 2001, http://www.viruslist.com/eng/viruslistbooks.html
Types of Viruses

Boot Viruses (boot sector infectors)
  Infect the boot sector of a floppy disk and the boot sector or Master Boot Record (MBR) of a hard disk.
  Upon boot-up, the virus forces the system to read it into memory and pass control to the virus code rather than to the original loader routine.
  A resident virus in RAM will continue to infect the disk after the disk is formatted unless the RAM is cleared, so formatting an infected disk does not help while the infected machine is still running.

Reading: T1 ch. 19.3.1; T2 ch. 22.3.1
Types of Viruses (cont.)

File Viruses
  Use the OS file system in one way or another to propagate themselves; no operating system in common use is immune.
  May infect files containing program source code, libraries or object modules.
Types of Viruses (cont.)

Macro Viruses
  Written in the macro languages built into some data-processing systems, such as text editors and electronic spreadsheets.
  Most common in Microsoft Word, Microsoft Excel and the rest of Office because of their extensive use of macro languages.

Reading: T1 ch. 19.3.8; T2 ch. 22.3.8
Types of Viruses (cont.)

Polymorphic Viruses
  Change their own form each time they insert themselves into another program.
  Can be of various kinds, such as boot, file or macro viruses.
  Cannot be detected, or only with great difficulty, using so-called virus masks (signatures taken from a non-changing, virus-specific piece of code), because no byte sequence stays constant across copies.
  Generated in two ways:
    by encrypting the main code of the virus with a non-constant key, using randomly chosen sets of decryption instructions so that the decryptor varies as well;
    when the engine of an existing virus changes.

Reading: T1 ch. 19.3.7; T2 ch. 22.3.7
Types of Viruses (cont.)

Stealth Viruses
  Cover/hide their presence in the system (e.g., by intercepting the calls a scanner uses so that infected objects look clean).
  Can take the form of an existing file format.
  Can reside inside a frequently used application.

Reading: T1 ch. 19.3.5; T2 ch. 22.3.5
Types of Viruses (cont.)

Memory Resident Viruses
  Also called Terminate and Stay Resident (TSR) viruses.
  Leave a copy of the virus in system memory, intercept some events (such as file or disk calls), and run infecting routines on the files and disk sectors being processed.
  Active not only when an infected program runs, but also after that program terminates.
Types of Viruses (cont.)

Network Viruses
  Have characteristics of both viruses and worms.
  Make extensive use of network protocols and the capabilities of local and global access networks to multiply and transfer the virus's code to a remote server or workstation automatically.
  Sometimes called Network Worms.
Network Viruses vs. Worms

All network viruses are worms; not all worms are network viruses.
A worm can infect other computers for a non-malicious purpose. Examples:
  A worm can be used to install automatic software updates across a very large network.
  A worm can be used to send bulk e-mail and disseminate announcements in a large organization.
Virus Infecting Mechanisms

Unlike a worm, a virus cannot infect other computers without assistance.
Propagated by interactions, such as humans trading programs with their friends.
A virus may do nothing but propagate itself and then allow the host program to run normally.
Nature of Viruses

Four phases in the lifetime of a virus:
  Dormant Phase
  Propagation Phase
  Triggering Phase
  Execution Phase
Dormant Phase

Virus is idle.
Eventually activated by some condition or event, such as:
  system date
  presence of another program or file
  current usage of disk space exceeding some limit
Not all viruses have this phase.
Propagation Phase

Virus places an identical copy of itself in other programs or into certain system areas of the disk.
Each infected program now carries the virus, which will in turn enter a propagation phase.
Triggering Phase

Virus is activated by an event or condition to perform the function for which it was intended.
Can be caused by a variety of events or conditions, for example the number of times this copy of the virus has made copies of itself.
Execution Phase

Virus function is performed. The virus function may be:
  Harmless, but annoying. Examples: a message on screen, distorted windows or harmless spam.
  Harmful. Examples: destruction of programs or files, or deletion of important or sensitive data.
Antivirus

Antivirus Software: programs to detect and remove viruses.
  Simplest: scans executable files and boot blocks for a list of known viruses.
  Others: constantly active, attempting to detect the actions of general classes of viruses.
  Includes a regular update service allowing the antivirus software to keep up with the latest viruses as they are released.
Antivirus Terminology

False Positive: an uninfected object (file, sector or system memory) triggers the antivirus program.
False Negative: an infected object arrives undetected.
On-demand Scanning: the virus scan starts upon user request; the antivirus program remains inactive until a user invokes it from a command line, batch file or system scheduler.
On-the-fly Scanning: all objects processed in any way (opened, closed, created, read from or written to, etc.) are constantly checked for viruses; the antivirus program is always active, memory resident and checking objects without a user request.
Generations of Antivirus

First: Simple scanners
  Require a virus signature to identify a virus.
  A virus signature is a unique string or binary pattern of a virus, used to detect and identify specific viruses, e.g. "Istanbul-turkey".
  Limited to detection of known viruses.

Second: Heuristic scanners
  Use heuristic rules to search for probable virus infection.
  Look for fragments of code that are often associated with viruses (e.g., the decryption loop of an encrypted virus).
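The following is an added teaching example (not code from the lecture or from any antivirus product) that ties the polymorphic-virus slide to the first two antivirus generations. A toy "virus body" is XOR-encrypted under a fresh random key and prefixed with a decryptor stub of random length, so a first-generation mask taken from the body never matches; the scanner then recovers it by "X-raying", i.e. looking for the mask as it would appear under each of the 255 possible keys, which is the kind of code-fragment reasoning a second-generation scanner applies to simple encrypted viruses. The virus body, signature and clean object are inert byte strings constructed for the demo; nothing here infects or executes anything.

```python
"""Toy model of a polymorphic virus body against a first-generation
signature scanner ("virus mask") and an X-ray style scan that tries every
key.  Added teaching example; not code from the lecture or from any
antivirus product.  The "virus", its signature and the clean object are
inert byte strings constructed for the demo; nothing here infects or runs."""
import os
from typing import Optional

# Constructed stand-in for the part of a virus body that never changes.
VIRUS_BODY = b"TOYVIRUS: constant body carried by every infection of this toy"
# The scanner's mask: a fragment of that constant body.
SIGNATURE = b"TOYVIRUS"


def signature_scan(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """First generation: infected iff the fixed mask appears verbatim."""
    return signature in blob


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the simplest encryption a polymorphic engine might use."""
    return bytes(b ^ key for b in data)


def make_polymorphic_variant(body: bytes = VIRUS_BODY,
                             key: Optional[int] = None) -> bytes:
    """One 'infection' of the toy virus: the body XOR-encrypted under a fresh
    key, preceded by a decryptor stub of random length and content whose last
    byte is the key.  Real engines vary the decryptor's *instructions*; here
    random filler plays that role.  Key 0 is rejected because it would leave
    the body in clear."""
    if key is None:
        key = os.urandom(1)[0] or 1
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte value")
    filler_len = 1 + os.urandom(1)[0] % 8           # 1..8 bytes of filler
    stub = os.urandom(filler_len) + bytes([key])
    return stub + xor_bytes(body, key)


def xray_scan(blob: bytes, signature: bytes = SIGNATURE) -> Optional[int]:
    """Defeat single-byte XOR polymorphism by 'X-raying': look for the mask
    as it would appear under each of the 255 possible keys.  Returns the key
    that makes the mask reappear, or None if the object looks clean.  Cost is
    255 substring searches per object instead of one."""
    for key in range(1, 256):
        if xor_bytes(signature, key) in blob:
            return key
    return None


def compare_scanners(n_variants: int = 5) -> dict:
    """Generate n_variants fresh infections plus one clean object and count
    what each scanner catches.  The signature scanner catches nothing because
    no two variants share the mask; X-raying catches every variant and does
    not flag the clean object."""
    clean = b"Ordinary, uninfected program image built for this demo."
    samples = [make_polymorphic_variant() for _ in range(n_variants)] + [clean]
    return {
        "variants": n_variants,
        "caught_by_signature": sum(signature_scan(s) for s in samples),
        "caught_by_xray": sum(xray_scan(s) is not None for s in samples),
        "xray_false_positive": xray_scan(clean) is not None,
    }


if __name__ == "__main__":
    print(compare_scanners())
```

X-raying only works because the toy's encryption is a single-byte XOR; a polymorphic engine that also rewrites the decryptor's instructions forces the scanner to emulate the decryptor or fall back on behaviour, which is what the third generation does.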
Generations of Antivirus (cont.)

Third: Activity traps
  Identify a virus by the virus's actions (trap malicious activities) rather than by its structure in an infected program.
  No need to develop signatures and heuristics for a wide variety of viruses.
  Need to identify the set of actions that indicates an infection is being attempted, and then to intervene.
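As an added example of an activity trap (not code from the lecture or from any product), the following watches a stream of file-system events and flags two action patterns the slides describe: a process modifying several other executables (a file infector) and a process writing to sector 0 of a raw disk (a boot-sector infector). The event log is constructed by hand, and the threshold and allowlist are illustrative choices that show the trade-off the slides raise: an installer also writes executables, so without an allowlist the trap produces false positives.

```python
"""Third-generation antivirus ("activity trap") in miniature: rather than
matching a virus's bytes, watch what running programs do and intervene when
their actions look like an infection attempt.  Added teaching example, not
code from the lecture or any product; the event log is constructed by hand
and the rule thresholds are illustrative choices."""
from collections import defaultdict
from typing import Dict, List

EXECUTABLE_SUFFIXES = (".exe", ".com", ".dll", ".sys")
# Writes to sector 0 of a raw disk device change the boot sector / MBR.
RAW_DISK_PREFIX = "\\\\.\\PhysicalDrive"
# Programs expected to write executables (installers, linkers).  Without an
# allowlist the trap would fire on every legitimate software update, i.e.
# produce false positives.
WRITE_EXEC_ALLOWLIST = {"setup.exe", "link.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def activity_trap(events: List[dict], threshold: int = 3) -> Dict[str, List[str]]:
    """Return {process: [alerts]} for processes whose actions indicate infection.

    Rules:
      * a process that writes to `threshold` or more distinct executables
        other than its own image is treated as a file infector (alert once,
        at the moment the threshold is crossed, so a hook could block it);
      * any write to sector 0 of a raw disk device is treated as a boot-sector
        infection attempt and flagged immediately.
    Reads, opens and closes never trigger anything: they do not modify objects.
    """
    exec_writes: Dict[str, set] = defaultdict(set)
    alerts: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        proc, op, target = ev["process"].lower(), ev["op"], ev["target"]
        if op != "write":
            continue
        if target.startswith(RAW_DISK_PREFIX) and ev.get("sector") == 0:
            alerts[proc].append(f"boot sector write to {target}")
            continue
        name = _basename(target)
        if not name.endswith(EXECUTABLE_SUFFIXES) or name == proc:
            continue
        if proc in WRITE_EXEC_ALLOWLIST:
            continue
        exec_writes[proc].add(target.lower())
        if len(exec_writes[proc]) == threshold:
            alerts[proc].append(
                f"modified {threshold} executables: {sorted(exec_writes[proc])}")
    return dict(alerts)


# Constructed event log (not captured from any real system).  editor.exe is
# the infected host appending itself to other programs; util.com rewrites the
# MBR; setup.exe is a legitimate installer; game.exe is innocent.
CONSTRUCTED_EVENTS = [
    {"process": "game.exe",   "op": "read",  "target": "C:\\Games\\levels.dat"},
    {"process": "game.exe",   "op": "write", "target": "C:\\Games\\save01.sav"},
    {"process": "editor.exe", "op": "open",  "target": "C:\\Docs\\notes.txt"},
    {"process": "editor.exe", "op": "write", "target": "C:\\Tools\\zip.exe"},
    {"process": "editor.exe", "op": "write", "target": "C:\\Tools\\dir.com"},
    {"process": "editor.exe", "op": "write", "target": "C:\\Windows\\calc.exe"},
    {"process": "editor.exe", "op": "write", "target": "C:\\Windows\\notepad.exe"},
    {"process": "setup.exe",  "op": "write", "target": "C:\\App\\app.exe"},
    {"process": "setup.exe",  "op": "write", "target": "C:\\App\\helper.dll"},
    {"process": "setup.exe",  "op": "write", "target": "C:\\App\\plugin.dll"},
    {"process": "util.com",   "op": "write", "target": "\\\\.\\PhysicalDrive0", "sector": 0},
]

if __name__ == "__main__":
    for proc, msgs in activity_trap(CONSTRUCTED_EVENTS).items():
        for msg in msgs:
            print(f"{proc}: {msg}")
```

Running the block flags editor.exe on its third distinct executable and util.com on its first raw-disk write, while setup.exe and game.exe pass. In a real product the hook sits in the file-system or disk driver so the write can be denied, not just reported, and the rule set is far larger than these two.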
Generations of Antivirus (cont.)

Fourth: Full-featured protection
  Packages consisting of a variety of antivirus techniques used together.
  Include scanning and activity-trap components.
  Access control capability limits the ability of viruses to penetrate a system, limits the ability of a virus to update files, and prevents an infection from spreading.
Virus Prevention

Install the latest antivirus updates.
Institution-wide licenses for antivirus software.
Protect passwords for access.
Do not open suspicious e-mails.
Protect the network through firewalls.
Implement a virus-prevention policy for the organization.
References

T1: Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2004, ISBN 0321247442
T2: Matt Bishop, Computer Security: Art and Science, Addison-Wesley, 2002, ISBN 0201440997