Viruses, Trojan Horses, and Worms

Oct 2012

Source: http://slidepdf.com/reader/full/virus-trojan-and-worms

Introduction: propagation of malicious code

- "Malicious" indicates the potential to do damage.
- Malicious code is usually classified by its type of propagation.
- It is sometimes classified instead by the platform and mechanisms it requires to run, e.g. macro viruses.
- A virus, Trojan or worm may not actually cause any damage.

Viruses

- A program or piece of code that reproduces itself.
- Sometimes also performs a particular action (its payload).
- Definition from RFC 1135: "A virus is a piece of code that inserts itself into a host, including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it."

Worms

- A worm is similar to a virus, but it does not reproduce locally by infecting other files on the same machine; it propagates between systems only.
- Definition from RFC 1135: "A worm is a program that can run independently, will consume the resources of its host from within in order to maintain itself and can propagate a complete working version of itself on to other machines."

Macro Viruses

- Sometimes considered worms, because mass-mailing macro viruses also spread themselves between systems.
- Require a host application to process/run them in order to execute.
- Often written in VBA (Visual Basic for Applications) for Word, Access, Excel, PowerPoint, Outlook, etc.
- E.g. Melissa.

Trojan Horses

- Code disguised as a benign program, but behaving in an unexpected, usually malicious manner.
- The user needs to be convinced to accept/run it.
- E.g. the Pikachu Pokemon worm, which displays animated pictures of a bouncing Pikachu on your screen while it e-mails itself to everyone in your address book and prepares to delete every file.

The Trojan horse initially appears as an e-mail with the subject "Pikachu Pokemon" and the English message "Pikachu is your friend".

[Slide image: the bouncing Pikachu animation displayed by pokemon.exe]

The picture above is what users see when executing pokemon.exe (the attachment). What they don't see is the application e-mailing itself and deleting files from the system.

Anatomy of a Virus

Two primary components:
- Propagation mechanism
- Payload

Propagation
- The method by which the virus spreads itself.
- Old days: stand-alone PCs; the virus was transferred to other hosts by way of floppy diskettes.
- Nowadays: the Internet.

Types of Propagation

Parasitic
- Propagates by being a parasite on other files: attaching itself in some manner that still leaves the original file usable.
- .com and .exe files of MS-DOS.
- Macro viruses.

Boot sector infectors
- Copy themselves to the bootable portion of the hard (or floppy) disk.
- The virus gains control when the system is booted.

Normal boot procedure
- The machine first goes through its usual POST (Power On Self Test).
- The BIOS (Basic Input/Output System) then does what is referred to as bootstrapping: checking for a valid bootable disk.
- For a hard drive to be bootable, it must contain a Master Boot Record (MBR): a chunk of code that lies at the beginning of the hard drive and understands the partition table.

- The MBR code looks for a particular partition that is marked bootable (MS-DOS fdisk: "active") and then transfers control to the code at the start of that partition. This code is known as the boot sector.

Viruses have two opportunities to take control:
- Insert themselves into the MBR position.
  - They gain control under all circumstances, whichever partition is active.
  - At the expense of having to deal with reading the partition table and booting via it.
- Insert themselves into the boot sector of a partition.

Boot sector viruses tend to take the existing MBR or boot sector code, relocate it elsewhere on the disk, and then insert themselves into the record. When the system boots, they do their thing and then transfer control to the relocated code that they replaced, so the boot appears to proceed normally.
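As an added example, not from the slides, here is a small Python integrity checker for the MBR described above. It parses the 512-byte sector into its 446 bytes of boot code, four 16-byte partition entries and the 0x55AA signature, finds the active partition that the MBR code would hand control to, and compares the boot code against a known-good digest, so that an infector that relocates the real code and inserts itself into the record is detected even though the machine still boots. The two sample sectors are constructed inline and are not real disk images; the "known-good" digest is whatever you record from a clean system.

```python
"""Parse a Master Boot Record and check its boot code against a baseline.

Layout of the 512-byte sector: bytes 0..445 bootstrap code, 446..509 four
16-byte partition entries, 510..511 the 0x55AA signature. The sample sectors
below are constructed for this example; they are not real disk images."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446
PARTITION_TABLE_OFF = 446
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partition_table(sector):
    """Return the four partition entries as dicts (empty slots included)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * PARTITION_ENTRY_LEN
        # boot flag, CHS start, type, CHS end, LBA start, sector count
        flag, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, off)
        entries.append({"index": i, "flag": flag, "active": flag == 0x80,
                        "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def active_partition(sector):
    """The entry the MBR code would boot, or None unless exactly one is active."""
    active = [e for e in parse_partition_table(sector) if e["active"]]
    return active[0] if len(active) == 1 else None


def boot_code_digest(sector):
    """SHA-256 of the bootstrap code, the part a boot sector infector overwrites."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector, known_good_digest):
    """Integrity check. Returns a list of findings; empty means the MBR looks intact."""
    findings = []
    if boot_code_digest(sector) != known_good_digest:
        findings.append("boot code differs from baseline")
    entries = parse_partition_table(sector)
    for e in entries:
        if e["flag"] not in (0x00, 0x80):
            findings.append("entry %d has invalid boot flag 0x%02x"
                            % (e["index"], e["flag"]))
    if sum(1 for e in entries if e["active"]) != 1:
        findings.append("expected exactly one active partition")
    return findings


def build_sample_mbr(boot_code):
    """Constructed sector: one active partition (type 0x07) at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    empty = b"\x00" * PARTITION_ENTRY_LEN
    return code + entry + empty * 3 + BOOT_SIGNATURE


# Clean boot code stub: cli; xor ax,ax; mov ss,ax; mov sp,7C00h (then zero padding).
CLEAN_MBR = build_sample_mbr(b"\xfa\x31\xc0\x8e\xd0\xbc\x00\x7c")
# Tampered copy: same partition table, but the boot code now begins with a
# short jump into code an infector placed later in the sector (constructed).
INFECTED_MBR = build_sample_mbr(b"\xeb\x3c" + b"\x90" * 6)

if __name__ == "__main__":
    baseline = boot_code_digest(CLEAN_MBR)  # record this from a known-clean system
    print("active partition:", active_partition(CLEAN_MBR))
    print("clean   :", check_mbr(CLEAN_MBR, baseline))
    print("infected:", check_mbr(INFECTED_MBR, baseline))
```

Record the baseline from a known-clean system and keep it off the disk being checked. A virus that relocates the original code and hooks the boot path has to change these 446 bytes, which is exactly what the digest catches; the partition table itself usually survives intact, so a parser that only validates the table sees nothing wrong. This covers legacy BIOS/MBR boot only; a UEFI system boots from an EFI System Partition, and the equivalent protection there is measured or secure boot rather than a sector hash.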

Multi-partite
- Refers to viruses that can use multiple means of infection, such as MBR, boot sector and parasitic infection.

Payload
- Refers to what the virus does (besides propagation) once executed:
  - Do nothing.
  - Do cute things.
  - Malicious damage, such as deleting your partition table.
- Some viruses have a particular trigger:
  - A date.
  - The number of successful infections.
- Smart viruses usually use an infrequent trigger so that they have ample time to ensure they have properly propagated before alerting the user.

Example: Melissa
- Melissa works by infecting the Document_Open() macro of Microsoft Word.
- The macro runs immediately when the user opens the Word file. The slides show only its opening lines; the error handler makes the macro continue silently if any statement fails:

Private Sub Document_Open()
    On Error Resume Next
    ' (remainder of the macro not reproduced in the slides)
End Sub
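An added example, not from the slides: a Python check for whether an Office Open XML document (.docx/.docm and the Excel and PowerPoint equivalents) carries a VBA project, which is where a macro like Melissa's Document_Open() lives in the current file formats. The sample documents are constructed inline. It reports only that VBA is present, not whether the macro auto-executes; that would require parsing the VBA streams. Legacy binary .doc files (the format Melissa actually infected) are OLE compound files rather than zip containers and need an OLE parser such as oletools, which this example does not cover.

```python
"""Does an Office Open XML document carry a VBA project?

OOXML files are zip containers. A document with macros has a
word/vbaProject.bin (or xl/, ppt/) part and declares a macroEnabled content
type in [Content_Types].xml. Sample documents are constructed below."""
import io
import zipfile

VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")
CONTENT_TYPES = "[Content_Types].xml"


def macro_report(filename, data):
    """Describe the VBA content of an OOXML document given its bytes."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"has_vba": None, "error": "not a zip (OOXML) container"}
    names = set(archive.namelist())
    vba_parts = [p for p in VBA_PARTS if p in names]
    ctypes = ""
    if CONTENT_TYPES in names:
        ctypes = archive.read(CONTENT_TYPES).decode("utf-8", "replace")
    declared_macro = "macroEnabled" in ctypes or "vbaProject" in ctypes
    has_vba = bool(vba_parts) or declared_macro
    return {
        "has_vba": has_vba,
        "vba_parts": vba_parts,
        "declared_macro": declared_macro,
        # a macro-free extension wrapping a VBA project means the file was
        # renamed or crafted; worth flagging on its own
        "extension_mismatch": has_vba and filename.lower().endswith(MACRO_FREE_EXTENSIONS),
    }


def build_sample_document(with_vba):
    """Constructed minimal Word document, optionally carrying a VBA part."""
    main_ctype = ("application/vnd.ms-word.document.macroEnabled.main+xml"
                  if with_vba else
                  "application/vnd.openxmlformats-officedocument."
                  "wordprocessingml.document.main+xml")
    ctypes = ('<?xml version="1.0" encoding="UTF-8"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              '<Override PartName="/word/document.xml" ContentType="%s"/>' % main_ctype)
    if with_vba:
        ctypes += ('<Override PartName="/word/vbaProject.bin" '
                   'ContentType="application/vnd.ms-office.vbaProject"/>')
    ctypes += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(CONTENT_TYPES, ctypes)
        archive.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # OLE compound-file magic plus padding stands in for a real VBA
            # project stream (constructed placeholder, contains no macro)
            archive.writestr("word/vbaProject.bin",
                             b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


MACRO_FREE_DOC = build_sample_document(with_vba=False)
MACRO_DOC = build_sample_document(with_vba=True)

if __name__ == "__main__":
    print(macro_report("report.docx", MACRO_FREE_DOC))
    print(macro_report("invoice.docm", MACRO_DOC))
    print(macro_report("invoice.docx", MACRO_DOC))
```

On a mail gateway this is the cheap first filter: anything with a VBA part from an external sender is quarantined or stripped regardless of what the macro does, which matches the slide's advice not to open attachments. A deeper check decompresses the VBA streams and looks for the auto-execute entry points (Document_Open, AutoOpen, Workbook_Open and friends).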

Example: .com Virus
A .com virus may be divided into three parts:
- Replicator
- Concealer
- Bomb (payload)

Replicator
- Spreads the virus.
- Copies the rest of the code to the end of the file.

[Slide diagram: the uninfected file, followed by the appended virus code]

- Copies a small portion of its code (V1) to the beginning of the file.
- Copies the second part of itself (V2) to the end of the file.
- What do V1 and V2 do? V1 transfers control of the program to V2, the part of the virus that was appended.
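The replicator layout above, as an added Python model that is neither the slides' code nor the referenced guide's: a host .com image is laid out as V1 (a 3-byte near jump that overwrites the first three bytes of the host), the rest of the host, and V2 (the three saved original bytes followed by the virus body), and the matching disinfector recognizes that layout, puts the saved bytes back and truncates V2. Everything is in-memory bytes; the "virus body" is an inert marker string and the host is a constructed 11-byte DOS program, so nothing here executes.

```python
"""Model of the appending .com infector layout from the slides, with disinfector.

Layout of an infected image:  V1 | host[3:] | V2
  V1 = E9 rel16, a near jump to V2, overwriting the host's first 3 bytes
  V2 = the 3 saved original bytes + the virus body
In-memory bytes only; the body is an inert marker, not code."""
import struct

COM_LOAD_ADDR = 0x100   # DOS loads a .com image at CS:0100h; file offset 0 is IP 0x100
JMP_LEN = 3             # E9 rel16 is three bytes long
MARKER = b"TOYVIRUS"    # stands in for the virus body (constructed, inert)

# Constructed host: mov ah,09h; mov dx,0108h; int 21h; ret; then a '$'-terminated string
HOST = b"\xb4\x09\xba\x08\x01\xcd\x21\xc3" + b"Hi$"


def infect_layout(host, body=MARKER):
    """Lay out host as V1 + host[JMP_LEN:] + V2, the replicator's file layout."""
    if len(host) < JMP_LEN:
        raise ValueError("host too small to hold a jump")
    saved = host[:JMP_LEN]            # V2 must keep these so the host can run later
    v2_offset = len(host)             # V2 begins where the original file ended
    # rel16 is relative to the byte after the jump, i.e. file offset JMP_LEN
    rel = (v2_offset - JMP_LEN) & 0xFFFF
    v1 = b"\xe9" + struct.pack("<H", rel)
    return v1 + host[JMP_LEN:] + saved + body


def jump_target(image):
    """IP that V1 transfers control to when the image is run (only meaningful if infected)."""
    rel = struct.unpack_from("<H", image, 1)[0]
    return COM_LOAD_ADDR + JMP_LEN + rel


def find_infection(image):
    """File offset of V2 if the image carries this layout and marker, else None."""
    if len(image) < JMP_LEN or image[0] != 0xE9:
        return None
    v2_offset = jump_target(image) - COM_LOAD_ADDR
    start = v2_offset + JMP_LEN
    # a clean program that happens to start with a jump fails this comparison
    if image[start:start + len(MARKER)] == MARKER:
        return v2_offset
    return None


def disinfect(image):
    """Restore the saved first bytes and drop V2; returns the image unchanged if clean."""
    v2_offset = find_infection(image)
    if v2_offset is None:
        return image
    saved = image[v2_offset:v2_offset + JMP_LEN]
    return saved + image[JMP_LEN:v2_offset]


if __name__ == "__main__":
    infected = infect_layout(HOST)
    print("infected image:", infected.hex())
    print("V1 jumps to IP 0x%04x = file offset %d (start of V2)"
          % (jump_target(infected), jump_target(infected) - COM_LOAD_ADDR))
    print("disinfected == original:", disinfect(infected) == HOST)
```

In a real infector V2 would copy the three saved bytes back to CS:0100h and jump there, so the host runs normally afterwards; that is why the slides say the original file is still usable. The two defensive views of the same layout are visible here: a signature scanner looks for the body (the marker), while an integrity checker only notices that the file grew by len(V1 replaced) + len(V2). A real disinfector also has to undo whatever the concealer did, which this model leaves out.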

Bomb
- Does all the things that annoy the user.
- Some possible bombs:
  - System slowdown: easily done by trapping an interrupt and causing a delay when it activates.
  - File deletion.
  - Message display.
  - Killing/replacing the partition table or boot sector of the hard drive.

Anti-virus Techniques
- Integrity/behavioral checkers.
- Use a good OS.
- Use a virus scanner on the computer and on the e-mail server.
- Do not open e-mail attachments.
- Frequent backups.
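The first technique in the list, as an added Python example that is not from the slides: a file integrity checker that records a baseline of sizes and SHA-256 digests for a directory tree, stores it as JSON, and later reports files that were modified, added or removed. The demo builds a small tree in a temporary directory and then simulates an appending parasitic infection, a dropped file and a deleted file; all of that sample data is constructed here.

```python
"""File integrity checker: baseline a directory tree, later compare it against
the baseline and report modified, added and removed files. The demo tree is
constructed in a temporary directory."""
import hashlib
import json
import os
import tempfile


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Map relative path -> [size, sha256] for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = [os.path.getsize(full), file_digest(full)]
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(root, baseline):
    """Differences between the tree now and the baseline.

    Each 'modified' entry carries the size change: an appending parasitic
    virus shows up as positive growth even though the file still runs."""
    current = take_baseline(root)
    report = {"modified": [], "added": [], "removed": []}
    for rel, (size, digest) in baseline.items():
        if rel not in current:
            report["removed"].append(rel)
        elif current[rel][1] != digest:
            report["modified"].append((rel, current[rel][0] - size))
    report["added"] = sorted(set(current) - set(baseline))
    report["modified"].sort()
    report["removed"].sort()
    return report


def build_demo_tree():
    """Constructed tree: a tiny DOS program and a text file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "hello.com"), "wb") as f:
        f.write(b"\xb4\x09\xba\x08\x01\xcd\x21\xc3Hi$")
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("nothing to see\n")
    return root


def demo():
    """Baseline the tree, then simulate an infection and compare."""
    root = build_demo_tree()
    store = os.path.join(tempfile.mkdtemp(), "baseline.json")  # kept outside the tree
    save_baseline(take_baseline(root), store)
    # appending infector: the program keeps working but grows by 40 bytes
    with open(os.path.join(root, "bin", "hello.com"), "ab") as f:
        f.write(b"\x90" * 40)
    with open(os.path.join(root, "dropper.exe"), "wb") as f:
        f.write(b"MZ")                       # a dropped file (constructed)
    os.remove(os.path.join(root, "readme.txt"))
    return compare(root, load_baseline(store))


if __name__ == "__main__":
    print(demo())
```

The baseline must be taken on a known-clean system and kept where the malware cannot rewrite it (read-only or offline media), and the checker's own binary is part of what has to be trusted: a virus that patches the checker or its baseline defeats it. Compared with a signature scanner, this catches viruses nobody has a signature for yet, but only after the infection, and it cannot by itself tell a legitimate update from an infection; that judgement still needs a person or a trusted package manifest.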

References
- Kevin L. Poulsen, "Hack Proofing Your Network: Internet Tradecraft", Chapter 14, pp. 383-405.
- Dark Angel's Phunky Virus Writing Guide, http://www.sirkussystem.com/virus.html: Introduction; Installment II: The Replicator.