Telecommunications Networking II
Lecture 41f: Viruses and Worms

References: William Stallings, Cryptography and Network Security, Chapter 15.2
Viruses and Worms
• Virus: “A program that can “infect” other programs by modifying them; the modification includes a copy of the virus program, which can then go on to infect other programs” (ref: Stallings p. 504)
• Worm: “Network worm programs use network connections to pass from system to system” (ref: Stallings p. 504)
Viruses and Worms
• Virus: extraneous executable code that attaches itself to a file or an application, and that can reproduce itself to infect other files or applications
• Worm: a stand-alone executable program that can replicate itself, and that can utilize system resources to spread to multiple systems
Simple Virus Structure (ref: Stallings p. 506)
    program V :=
    {goto main;
        1234567;
        subroutine infect-executable :=
            {loop:
            file := get-random-executable-file;
            if (first-line-of-file = 1234567)
                then goto loop
                else prepend V to file;}
    main: main-program :=
            {infect-executable;
            goto next;}
    next:
    }
Viruses and Worms
• The simple virus (prior slide) postpends or prepends a fixed executable set of instructions to a file or application
• Changes the size of the file
Viruses and Worms
• If we know how long a file is supposed to be, then we can detect the infection by noting the mismatch between the length of the infected file and the length of an uninfected file.
• However, it is relatively easy to defeat the above detection method…e.g., by compressing the original file
Compression Virus (Stallings p. 507)
1. Compress next victim file
2. Prepend virus code to compressed victim file
…..
3. Execute virus code (infect new files, etc.)
4. Decompress current victim file
5. Run the decompressed file
Viruses and Worms
• Parasitic virus: attaches itself to an executable file; replicates and infects another file when the executable file is executed
• Memory-resident virus: lodges in main memory and infects every program that executes
• Boot sector virus:
Viruses and Worms
• Polymorphic virus: transforms (morphs) itself every time it replicates, to avoid detection of its signature
• Macro virus: infects documents (non-executable content + macros) that are opened using Microsoft Word or other Office applications; and which can, iteratively, infect other documents, delete files, etc.
Polymorphic Viruses
• Polymorphic viruses attempt to hide themselves from virus signature detection by changing (morphing) themselves every time they replicate
Polymorphic Viruses
• Change with each new infection
• Are (for example) comprised of two parts
  – A decryptor
  – An encrypted virus file
• Both the decryptor and the encrypted file change each time the virus replicates…so that neither one has a fixed signature
[Figure: an infected application (App. 1) consists of a Decryptor followed by an Encrypted virus file; once decrypted, the virus (version xyz) contains a Mutator Engine.]
How does it work?
1. The decryptor executable decrypts the encrypted virus file
2. Virus1 finds the victim (App. 2)
3. The Mutator Engine creates a new Decryptor and a new virus file (virus version xyz+1), and encrypts the new virus file
4. Virus2 (new Decryptor + new encrypted virus file) is prepended to App. 2
“The Black Baron’s” Tutorial
(http://www.pins.co.uk/upages/probertm/vx_poly.htm)
Ultra-simple decryptor:
    MOV SI,jumbled_data      ; Point to the jumbled data
    MOV CX,10                ; Ten bytes to decrypt
main_loop:
    XOR BYTE PTR [SI],55     ; (unscramble) a byte
    INC SI                   ; Next byte
    LOOP main_loop           ; Loop for the 9 remaining bytes
In other words: encrypt by XOR’ing 55 with each byte of the virus file; and decrypt by XOR’ing 55 again.
“The Black Baron’s” Tutorial
Permuted ultra-simple decryptor:
main_loop:
    MOV CX,10
    MOV SI,jumbled_data
    XOR BYTE PTR [SI],55
    INC SI
    LOOP main_loop
“The Black Baron’s” Tutorial
NOPs added to the decryptor:
    MOV CX,10
    NOP
    NOP
    MOV SI,jumbled_data
    NOP
main_loop:
    NOP
    NOP
    XOR BYTE PTR [SI],55
    NOP
    INC SI
    NOP
    NOP
    NOP
    NOP
    LOOP main_loop
“The Black Baron’s” Tutorial
Junk added to the decryptor:
    MOV DX,10            ; Real part of the decryptor!
    MOV SI,1234          ; junk
    AND AX,[SI+1234]     ; junk
    CLD                  ; junk
    MOV DI,jumbled_data  ; Real part of the decryptor!
    TEST [SI+1234],BL    ; junk
    OR AL,CL             ; junk
main_loop:
    ADD SI,SI            ; junk instruction, real loop!
    XOR AX,1234          ; junk
    XOR BYTE PTR [DI],55 ; Real part of the decryptor!
    SUB SI,123           ; junk
    INC DI               ; Real part of the decryptor!
    TEST DX,1234         ; junk
    AND AL,[BP+1234]     ; junk
    DEC DX               ; Real part of the decryptor!
    NOP                  ; junk
    XOR AX,DX            ; junk
    SBB AX,[SI+1234]     ; junk
    AND DX,DX            ; Real part of the decryptor!
    JNZ main_loop        ; Real part of the decryptor!
Detecting Viruses
ref: Stallings pp. 510-514
• Look for a known virus signature
• Heuristic methods: look for structures in a file that look like they may be associated with a virus (e.g., a decryption loop)
• Checksums (easily defeated using compression and decompression techniques, or by changing the checksum)
• Digital signatures
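The length check from the earlier slide, the checksum item above, and the reason digital signatures are listed separately can be shown in one small model. The following Python is an added example, not from the slides: it builds a constructed "program" in memory, models the compression virus from the earlier slide (stub prepended to the compressed host, padded back to the original length), and then runs three integrity checks against it. An HMAC whose key stays on the scanning host stands in for the digital signature the slide lists; the property being demonstrated, that an attacker who can rewrite the file and its stored record still cannot recompute the check value, is the same. All names, the stub and the key are constructed.

```python
import hashlib
import hmac
import zlib

# Constructed "clean" program: highly compressible, like a binary with lots of padding.
CLEAN_PROGRAM = b"\x90" * 4096 + b"REAL PROGRAM CODE"
# Constructed stand-in for the virus stub that would decompress and run the host.
STUB = b"<virus stub: decompress+run>"
# Verifier's key: kept on the scanning host, never on the scanned system (assumption).
VERIFIER_KEY = b"offline-verifier-key"

def compression_infect(program, stub):
    """Model the slide's compression virus: prepend the stub to the compressed host,
    then pad so the on-disk length is unchanged (which is what defeats a length check)."""
    body = stub + zlib.compress(program, 9)
    if len(body) > len(program):
        raise ValueError("host not compressible enough to hide the stub")
    return body + b"\x00" * (len(program) - len(body))

def recover_host(infected, stub):
    """What the stub does at run time: strip itself and decompress the host.
    decompressobj stops at the end of the stream, so the pad bytes are ignored."""
    return zlib.decompressobj().decompress(infected[len(stub):])

def make_baseline(program):
    """The three check values a scanner might record for a file."""
    return {"length": len(program),
            "sha256": hashlib.sha256(program).hexdigest(),
            "mac": hmac.new(VERIFIER_KEY, program, "sha256").hexdigest()}

def check_length(record, data):
    return record["length"] == len(data)

def check_digest(record, data):
    return record["sha256"] == hashlib.sha256(data).hexdigest()

def check_mac(record, data):
    expected = hmac.new(VERIFIER_KEY, data, "sha256").hexdigest()
    return hmac.compare_digest(record["mac"], expected)

def run_scenario():
    """Per check: is the infection detected, (a) when only the file is modified and
    (b) when the attacker can also rewrite the stored record ("changing the checksum")?"""
    baseline = make_baseline(CLEAN_PROGRAM)
    infected = compression_infect(CLEAN_PROGRAM, STUB)
    # Record rewritten by the attacker: length and digest recomputed over the infected
    # file; the MAC cannot be recomputed without VERIFIER_KEY, so it is left as is.
    tampered = dict(baseline, length=len(infected),
                    sha256=hashlib.sha256(infected).hexdigest())
    return {
        "host_still_runs": recover_host(infected, STUB) == CLEAN_PROGRAM,
        "length_detects": not check_length(baseline, infected),
        "digest_detects": not check_digest(baseline, infected),
        "digest_detects_with_record_tamper": not check_digest(tampered, infected),
        "mac_detects_with_record_tamper": not check_mac(tampered, infected),
    }
```

`run_scenario()` shows the progression the slides describe: the length check never fires, a stored SHA-256 catches the modified file but not a modified record, and only the keyed value survives an attacker who controls both the file and the baseline.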
Virus Signature Detection
Example: 20,000 files to check × 30,000 virus signatures to test against = 600,000,000 tests to perform; at 1 test per microsecond, about 10 minutes to perform the virus check.
Heuristic
Intuitive: e.g., seems like it might work
Plausible: seems to make sense
Not proven: but, then again, it’s hard to say how effective it will be
Example: stock analysts present heuristic arguments to support their predictions
Detecting Viruses
ref: Stallings pp. 510-514
• Identify viruses by the actions they cause
• Pre-execute all programs in an emulator (i.e., interpret the instructions one at a time, under control of the virus detection engine) to observe such things as decryption processes and the signatures of decrypted viruses
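The pre-execution approach in the last bullet can be shown end to end on the junk-laden decryptor from the polymorphism slides. The following Python is an added example, not from the slides: a minimal interpreter for just the 8086 subset that listing uses (MOV, XOR, ADD, SUB, AND, OR, SBB, TEST, INC, DEC, LOOP, JNZ, NOP, CLD). It runs the decryptor under the detection engine's control, records every memory write, and then scans the rewritten region for a signature that is absent from the file as stored. Assumptions: immediates are read as decimal (matching the slide's "ten bytes" comment), only the zero flag is modelled so SBB behaves as SUB, and the payload, its address and the signature are constructed.

```python
# Added example (not from the slides): a minimal emulator used as a pre-execution sandbox.
# It covers only the 8086 subset the junk-laden decryptor uses; immediates are decimal,
# only ZF is modelled (SBB acts as SUB); payload, address and signature are constructed.
REG16 = ["AX", "BX", "CX", "DX", "SI", "DI", "BP"]
REG8 = {"AL": ("AX", 0), "BL": ("BX", 0), "CL": ("CX", 0), "DL": ("DX", 0)}  # low halves
ALU = {"ADD": lambda a, b: a + b, "INC": lambda a, b: a + b, "SUB": lambda a, b: a - b,
       "DEC": lambda a, b: a - b, "SBB": lambda a, b: a - b, "AND": lambda a, b: a & b,
       "OR": lambda a, b: a | b, "XOR": lambda a, b: a ^ b, "TEST": lambda a, b: a & b}
JUMBLED_DATA = 0x0200          # where the 10 scrambled bytes live (assumed address)
PLAIN_BODY = b"VIRUSBODY!"     # constructed stand-in for the decrypted virus body
SIGNATURE = b"USBOD"           # constructed signature for that body

JUNK_DECRYPTOR = """
MOV DX,10            ; real
MOV SI,1234          ; junk
AND AX,[SI+1234]     ; junk
CLD                  ; junk
MOV DI,jumbled_data  ; real
TEST [SI+1234],BL    ; junk
OR AL,CL             ; junk
main_loop: ADD SI,SI ; junk
XOR AX,1234          ; junk
XOR BYTE PTR [DI],55 ; real
SUB SI,123           ; junk
INC DI               ; real
TEST DX,1234         ; junk
AND AL,[BP+1234]     ; junk
DEC DX               ; real
NOP                  ; junk
XOR AX,DX            ; junk
SBB AX,[SI+1234]     ; junk
AND DX,DX            ; real
JNZ main_loop        ; real
"""

def scramble(body):
    """The listing's own transform: XOR every byte with 55 (constructed sample input)."""
    return bytes(b ^ 55 for b in body)

class Emu:
    def __init__(self, listing):
        self.r, self.zf = {n: 0 for n in REG16}, False
        self.mem, self.written = bytearray(0x10000), set()
        self.code, self.labels = [], {}
        for raw in listing.splitlines():
            line = raw.split(";")[0].strip().upper()
            if ":" in line:                           # label = index of the next instruction
                lab, line = (s.strip() for s in line.split(":", 1))
                self.labels[lab] = len(self.code)
            if line:
                mnem, _, rest = line.partition(" ")
                self.code.append((mnem, [o.strip() for o in rest.split(",") if o.strip()]))

    def addr(self, op):                               # '[REG+DISP]' or 'BYTE PTR [REG]'
        parts = op[op.index("[") + 1:op.index("]")].split("+")
        return sum(self.r[p.strip()] if p.strip() in REG16 else int(p) for p in parts) & 0xFFFF

    def get(self, op, w):
        if "[" in op:
            a = self.addr(op)
            return self.mem[a] if w == 8 else self.mem[a] | (self.mem[(a + 1) & 0xFFFF] << 8)
        if op in REG8:
            base, sh = REG8[op]
            return (self.r[base] >> sh) & 0xFF
        return self.r[op] if op in REG16 else JUMBLED_DATA if op == "JUMBLED_DATA" else int(op)

    def set(self, op, w, v):
        if "[" in op:
            for i in range(w // 8):
                a = (self.addr(op) + i) & 0xFFFF
                self.mem[a] = (v >> 8 * i) & 0xFF
                self.written.add(a)                   # the sandbox records every memory write
        elif op in REG8:
            base, sh = REG8[op]
            self.r[base] = (self.r[base] & ~(0xFF << sh) & 0xFFFF) | ((v & 0xFF) << sh)
        else:
            self.r[op] = v & 0xFFFF

    def run(self, max_steps=10_000):
        """Interpret until control runs off the end; False if the step budget is exhausted."""
        pc = 0
        for _ in range(max_steps):
            if pc >= len(self.code):
                return True
            m, ops = self.code[pc]
            pc, w = pc + 1, 8 if any(o.startswith("BYTE PTR") or o in REG8 for o in ops) else 16
            if m == "LOOP":                           # decrement CX, branch while non-zero
                self.r["CX"] = (self.r["CX"] - 1) & 0xFFFF
                pc = self.labels[ops[0]] if self.r["CX"] else pc
            elif m == "JNZ":
                pc = pc if self.zf else self.labels[ops[0]]
            elif m == "MOV":
                self.set(ops[0], w, self.get(ops[1], w))
            elif m in ALU:                            # INC/DEC take an implicit second operand of 1
                b = 1 if m in ("INC", "DEC") else self.get(ops[1], w)
                v = ALU[m](self.get(ops[0], w), b) & ((1 << w) - 1)
                self.zf = v == 0
                if m != "TEST":
                    self.set(ops[0], w, v)
            # anything else (here only NOP and CLD) is a no-op
        return False

def emulate_and_scan(listing, scrambled, signature):
    """Plain scan of the stored bytes vs. scan of the memory the emulated code rewrote."""
    emu = Emu(listing)
    emu.mem[JUMBLED_DATA:JUMBLED_DATA + len(scrambled)] = scrambled
    finished = emu.run()
    lo, hi = (min(emu.written), max(emu.written) + 1) if emu.written else (0, 0)
    revealed = bytes(emu.mem[lo:hi])
    return {"static_hit": signature in scrambled, "dynamic_hit": signature in revealed,
            "revealed": revealed, "bytes_rewritten": len(emu.written), "finished": finished}
```

`emulate_and_scan(JUNK_DECRYPTOR, scramble(PLAIN_BODY), SIGNATURE)` reports no static hit, a dynamic hit on the ten rewritten bytes, and that the loop terminated. The step budget is the part a real engine cannot do without: a decryptor that never finishes, or that decrypts only after a very long delay, is reported rather than run forever.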