7/29/2019 Virus_ Trojan and Worms
http://slidepdf.com/reader/full/virus-trojan-and-worms 1/22
Viruses, Trojan Horses, and Worms
Oct 2012
Introduction

Propagation of malicious code
Malicious indicates the potential to do damage.
Usually classified by the type of propagation.
Sometimes classified by the platforms and mechanisms it requires to run, e.g. macro viruses.
A virus, Trojan or worm may not actually cause damage.
Viruses
A program or piece of code that will reproduce itself.
Sometimes performs a particular action.
Definition from RFC 1135:
A virus is a piece of code that inserts itself into a host, including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it.
Worm
A worm is similar to a virus, but it does not locally reproduce.
Propagates between systems only.
Definition from RFC 1135:
A worm is a program that can run independently, will consume the resources of its host from within in order to maintain itself, and can propagate a complete working version of itself on to other machines.
Macro Virus
Sometimes considered worms.
Requires a host program to process/run it in order for it to execute.
Often written in VBA (Visual Basic for Applications) for Word, Access, Excel, PowerPoint, Outlook, etc.
E.g. Melissa
Trojan Horses
Code disguised as benign programs, but behaving in an unexpected, usually malicious manner.
The user needs to be convinced to accept/run them.
E.g. the Pokemon worm, which displays animated pictures of a bouncing Pikachu on your screen while it e-mails itself to everyone in your address book and prepares to delete every file.
The Trojan horse initially appears as an e-mail with the title "Pikachu Pokemon" and the English message "Pikachu is your friend".
(Picture: what users see when executing pokemon.exe, the attachment.)
What they don't see is the application e-mailing itself and deleting files from the system.
Anatomy of a Virus
Two primary components:
Propagation mechanism
Payload

Propagation
The method by which the virus spreads itself.
Old days: single PC, transferred to other hosts by way of floppy diskettes.
Nowadays: the Internet.
Types of Propagation
Parasitic
Propagates by being a parasite on other files, attaching itself in some manner that still leaves the original file usable.
.com and .exe files of MS-DOS
Macro virus
Boot sector infectors
Copy themselves to the bootable portion of the hard (or floppy) disk.
The virus gains control when the system is booted.
Normal boot procedure
It first goes through its usual POST (Power On Self Test).
BIOS (Basic Input/Output System) does what is referred to as bootstrap: checking for a valid bootable disk.
For a hard drive to be bootable, it must contain a Master Boot Record (MBR): a chunk of code that lies at the beginning of the hard drive.
It understands the partition table.
The MBR code will look for a particular partition that is marked bootable (MS-DOS fdisk: active), and then transfer control to the code.
This code is known as the boot sector.
Viruses have two opportunities to take control.
Insert themselves into the MBR position
They can gain control under all situations, at the expense of having to deal with reading and booting via the partition table.
Insert themselves into the boot sector of a partition
Boot sector viruses tend to take the existing MBR or boot sector code, relocate it elsewhere, and then insert themselves into the record.
When the system boots, they can do their things, and then transfer control to the relocated code that they replaced.
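The boot sequence above hands control to whatever occupies the first sector, so a defender wants to do two things: read the partition table the way the MBR code does (find the slot flagged active) and confirm that the 446 bytes of boot code still match a copy recorded on a known-good system. The Python below is an added example written for these notes, not code from the slides or from any referenced source. The MBR layout it decodes (446 bytes of boot code, four 16-byte partition entries, 0x55AA signature at offset 510) is the standard one; the sample sector, its partition values and the hash baseline are constructed for the example.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445 hold the MBR boot code
TABLE_OFFSET = 446            # four 16-byte partition entries follow the boot code
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
ACTIVE_FLAG = 0x80            # status byte value marking a bootable ("active") partition


@dataclass
class PartitionEntry:
    slot: int
    active: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_partition_table(sector: bytes) -> List[PartitionEntry]:
    """Decode the four partition slots of an MBR; raise if the sector is not an MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA signature: not a valid MBR")
    entries = []
    for slot in range(4):
        off = TABLE_OFFSET + slot * ENTRY_SIZE
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) count(4)
        status, type_id, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if type_id == 0:
            continue  # empty slot
        entries.append(PartitionEntry(slot, status == ACTIVE_FLAG, type_id, lba_start, count))
    return entries


def find_active_partition(sector: bytes) -> Optional[PartitionEntry]:
    """The partition the MBR code would transfer control to: the first slot flagged active."""
    for entry in parse_partition_table(sector):
        if entry.active:
            return entry
    return None


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the boot code only, so an ordinary partition-table edit does not change it."""
    return hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest()


def boot_code_unchanged(sector: bytes, baseline_digest: str) -> bool:
    """Compare a freshly read MBR against a digest recorded while the system was known-good."""
    return boot_code_digest(sector) == baseline_digest


def build_sample_mbr() -> bytes:
    """Constructed sample sector (not a real disk image): NOP placeholder boot code, two partitions."""
    boot_code = b"\x90" * BOOT_CODE_SIZE
    entries = (
        struct.pack("<B3xB3xII", ACTIVE_FLAG, 0x07, 2048, 204800),  # slot 0: active, NTFS-type id
        struct.pack("<B3xB3xII", 0x00, 0x83, 206848, 409600),       # slot 1: Linux-type id
        bytes(ENTRY_SIZE),                                            # slot 2: empty
        bytes(ENTRY_SIZE),                                            # slot 3: empty
    )
    return boot_code + b"".join(entries) + BOOT_SIGNATURE


def tampered_sample_mbr() -> bytes:
    """The same sector with one byte of boot code altered, the trace a boot-sector infection leaves."""
    sector = bytearray(build_sample_mbr())
    sector[0] = 0xEB  # first byte replaced; partition table and signature left untouched
    return bytes(sector)
```

On a real system the sector would come from reading the first 512 bytes of the disk device with administrative rights and the baseline digest would live on write-protected media; checking the boot code separately from the partition table is what lets a legitimate repartition pass while a changed bootstrap does not.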
Multi-partite
Refers to viruses that can use multiple means of infection, such as:
MBR
Boot sector
Parasitic
Payload
Refers to what the virus does (besides propagation) once executed:
Do nothing
Do cute things
Malicious damage, such as deleting your partition table.
Some viruses have a particular trigger:
Date
Number of successful infections
Smart viruses usually use an infrequent trigger so that they have ample time to ensure they have properly propagated before alerting the users.
Example: Melissa
Melissa works by infecting the Document_Open() macro of Microsoft Word.
It runs immediately when the user opens the Word file.

Private Sub document_open()
On Error Resume Next
Example: .com Virus
A .com virus may be divided into three parts:
Replicator
Concealer
Bomb (payload)
Replicator
Spreads the virus.
Copies the rest of the code at the end.
(Diagram: the uninfected file, followed by the virus code.)
Copies a small portion of its code (V1) to the beginning of the file.
Copies the second part of itself (V2) to the end of the file.
What do V1 and V2 do?
V1 transfers control of the program to V2.
Bomb
Does the things that annoy the user.
Some possible bombs:
System slowdown
Easily handled by trapping an interrupt and causing a delay when it activates.
File deletion
Message display
Killing/replacing the partition table or boot sector of the hard drive.
Anti-virus Techniques
Integrity/behavioral checkers
Use a good OS
Use a virus scanner on the computer and the e-mail server.
Do not open attachments to e-mails.
Frequent backups.
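An integrity checker is the first item in the list above, and it is also the control that catches the .com replicator described earlier: an appending infection leaves the host file larger and with a different hash, a dropped file appears where none was recorded, and a deleted file goes missing. The Python below is an added example written for these notes, not code from the slides or from the referenced sources. It records size and SHA-256 for every file under a directory, re-checks the tree against that baseline, and in demo() stages a constructed scenario in a temporary directory; the file names, contents and the 32 appended filler bytes are all made up for the example.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Tuple

Baseline = Dict[str, Tuple[int, str]]  # relative path -> (size in bytes, sha256 hex digest)


def fingerprint(path: Path, chunk_size: int = 65536) -> Tuple[int, str]:
    """Size and SHA-256 of one file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    size = 0
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
            size += len(block)
    return size, digest.hexdigest()


def build_baseline(root: Path) -> Baseline:
    """Record every regular file under root. Keep the result where the checked system cannot write."""
    return {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, baseline: Baseline) -> Dict[str, str]:
    """Compare the tree against the baseline.

    A parasitic infection shows up as 'modified' with a size delta, a dropped file as 'new',
    a deleted file as 'missing'. The checker reports change; deciding whether a change is
    legitimate (a patch) or not is the next step, usually a scan or a restore from backup.
    """
    current = build_baseline(root)
    report: Dict[str, str] = {}
    for rel, (size, digest) in baseline.items():
        if rel not in current:
            report[rel] = "missing"
            continue
        cur_size, cur_digest = current[rel]
        if cur_digest == digest:
            report[rel] = "unchanged"
        elif cur_size != size:
            report[rel] = "modified (%+d bytes)" % (cur_size - size)
        else:
            report[rel] = "modified"
    for rel in current:
        if rel not in baseline:
            report[rel] = "new"
    return report


def demo() -> Dict[str, str]:
    """Constructed scenario: take a baseline, then simulate the three changes the notes describe
    (bytes appended to a .com file, a dropped file, a deleted file) and re-check the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hello.com").write_bytes(b"\xB4\x4C\xCD\x21")  # constructed 4-byte program
        (root / "notes.txt").write_text("quarterly report\n")
        (root / "old.dat").write_bytes(bytes(16))
        baseline = build_baseline(root)

        with (root / "hello.com").open("ab") as f:
            f.write(b"\x90" * 32)  # inert filler standing in for appended code; nothing runs
        (root / "dropped.exe").write_bytes(b"MZ")
        (root / "old.dat").unlink()
        return verify(root, baseline)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-12s %s" % (name, status))
```

The baseline must be taken on a system believed clean and stored on read-only media or another host, otherwise a replicator that can write the host file can also rewrite the record it is compared against; that is the same reasoning behind checking the MBR boot code against an external copy rather than against itself.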
Reference
Kevin L. Poulsen, "Hack Proofing Your Network: Internet Tradecraft", Chapter 14, pp. 383-405.
Dark Angel's Phunky Virus Writing Guide, http://www.sirkussystem.com/virus.html (Introduction; Installment II: the replicator).