Malicious Code
By Diana Peng

Upload: sarah-chapman

Post on 04-Jan-2016


TRANSCRIPT

Page 1: Malicious Code By Diana Peng. What is Malicious Code? Unanticipated or undesired effects in programs/program parts, caused by an agent with damaging intentions

Malicious Code

By Diana Peng

Page 2:

What is Malicious Code?

Unanticipated or undesired effects in programs/program parts, caused by an agent with damaging intentions

Uses our everyday programs as a vessel to access and change stored data

Viruses, Worms, Trojan Horses

Page 3:

Unpredictable Behavior

Behaves in the same manner as any other program

Has the ability to stop running programs, generate a sound, erase stored data, etc.

Has the ability to remain dormant until some event triggers the code to act

Page 4:

History of Malicious Code

1981 Elk Cloner – spread on Apple II floppy disks (containing the OS), originating from Texas A&M:

It will get on all your disks
It will infiltrate your chips
Yes it's Cloner!
It will stick to you like glue
It will modify ram too
Send in the Cloner!

1983 – Fred Cohen, Computer Viruses – Theory and Experiments

1986 Brain – 2 Pakistani brothers, analyzing the boot sector of a floppy disk, develop a method to infect it. Spread quickly and widely on MS-DOS PC systems.

Page 5:

History (cont.)

1987 IBM Christmas Worm – fast spreading, 500,000 replications per hour

1988 MacMag – HyperCard stack virus; Scores – 1st major Mac outbreak

1991 Tequila – polymorphic, originated in Switzerland and changed itself to avoid detection

More recently – Love Letter (2000), Blaster and SoBig (2003)

Page 6:

Definitions

Virus – a program that can pass on malicious code to other nonmalicious programs by modifying them

1. Transient – life is dependent on its host

2. Resident – stores itself in memory and acts as a stand-alone program

Trojan Horse – in addition to its obvious, advertised effect, has a 2nd, unseen malicious effect

Page 7:

Definitions (cont.)

Logic Bomb – "detonates" when a specified condition occurs

* Time Bomb – triggered by a time/date

Trapdoor/Backdoor – allows one to access a protected program through an indirect method

Worm – program that replicates itself and spreads those replications through a network

* Rabbit – spreads without limits and tries to exhaust the computer's resources

Page 8:

Virus Qualities

Easily created
Difficult to detect
Difficult to destroy or deactivate
Spreads intended infection widely
Ability to re-infect original program or other programs
Machine and OS independent

Page 9:

Attaching Viruses

Must be executed in order to be activated

Human intervention is key for initial activation

Email attachments

Once attached, the virus installs itself on a permanent storage medium and on any/all executing programs in memory

Page 10:

Appended Viruses

Most common attachment – easy to program and effective

Attaches to an existing program and is activated whenever the program is run

Virus instructions execute 1st; after the last virus instruction, control is given back to the 1st program instruction

User is unaware of virus – original program still runs the way it's intended

Page 11:

Appended Virus (cont.)

[Diagram: Program + Virus = Program with Virus appended]

Page 12:

Surrounding Viruses

To avoid detection on the disk, the virus attaches itself to the program that constructs the listing of files on the disk

The virus has control after the listing is generated and before it is displayed, and uses it to delete itself from the listing

Page 13:

Surrounding Virus (cont.)

[Diagram: Virus surrounding Program – virus code runs before and after the original program]
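The appended attachment of slide 10 (virus runs first, then hands control back to the program's first instruction) and the surrounding attachment of slide 12 (virus runs before and after the program and scrubs itself from the directory listing), as an added example that is not code from the slides. Programs are lists of (opcode, argument) tuples run by a tiny interpreter; the opcodes, the sample program DIR_COM, the file names and the VIRUS.TMP marker are all assumptions made for illustration, not real machine code or real malware.

```python
"""Toy model of appended and surrounding virus attachment (added example)."""

# Toy opcodes (assumed for this example):
#   ("EMIT", text)   append text to the user-visible output
#   ("LIST", None)   append one output line per file on the simulated disk
#   ("TOUCH", name)  create a file on the simulated disk (the virus's effect)
#   ("FILTER", name) drop already-produced output lines that mention name
#   ("JMP", index)   continue execution at instruction index
#   ("HALT", None)   stop


def run(program, disk, max_steps=1000):
    """Execute a toy program and return the user-visible output lines.
    `disk` is a mutable list of file names and may be modified."""
    out, pc, steps = [], 0, 0
    while pc < len(program):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("runaway program")
        op, arg = program[pc]
        if op == "EMIT":
            out.append(arg)
        elif op == "LIST":
            out.extend(sorted(disk))
        elif op == "TOUCH":
            if arg not in disk:
                disk.append(arg)
        elif op == "FILTER":
            out = [line for line in out if arg not in line]
        elif op == "JMP":
            pc = arg
            continue
        elif op == "HALT":
            break
        else:
            raise ValueError(f"unknown opcode {op!r}")
        pc += 1
    return out


def append_virus(program, virus_body):
    """Appended attachment: the virus body goes after the program, the
    program's first instruction is replaced by a JMP into the virus, and the
    virus ends by executing the displaced instruction and jumping back to
    instruction 1, so the original program still runs as intended."""
    saved_first = program[0]
    # index 0: patched entry; 1..n-1: rest of program; n: guard HALT; n+1: virus
    virus_start = len(program) + 1
    infected = [("JMP", virus_start)] + list(program[1:]) + [("HALT", None)]
    infected += list(virus_body) + [saved_first, ("JMP", 1)]
    return infected


def surround_virus(program, prologue, epilogue):
    """Surrounding attachment: virus code runs before AND after the program.
    The epilogue gets control after the listing is generated and before it
    is displayed, which is how the virus removes its own file from it."""
    shift = len(prologue)
    body = []
    for op, arg in program:
        if op == "HALT":
            continue                      # fall through into the epilogue
        if op == "JMP":
            arg += shift                  # relocate the program's own jumps
        body.append((op, arg))
    return list(prologue) + body + list(epilogue) + [("HALT", None)]


# Constructed sample: a directory-listing program and a tiny virus body.
DIR_COM = [("EMIT", "Directory listing:"), ("LIST", None), ("HALT", None)]
VIRUS_BODY = [("TOUCH", "VIRUS.TMP")]   # the virus's only effect: drop a file


def demo():
    """Run the clean, appended and surrounding variants on fresh disks."""
    disk_c = ["DIR.COM", "NOTES.TXT"]
    clean = run(DIR_COM, disk_c)

    disk_a = ["DIR.COM", "NOTES.TXT"]
    appended = run(append_virus(DIR_COM, VIRUS_BODY), disk_a)

    disk_s = ["DIR.COM", "NOTES.TXT"]
    wrapped = surround_virus(DIR_COM, prologue=VIRUS_BODY,
                             epilogue=[("FILTER", "VIRUS.TMP")])
    surrounded = run(wrapped, disk_s)
    return {"clean": clean, "appended": appended, "appended_disk": disk_a,
            "surrounded": surrounded, "surrounded_disk": disk_s}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the appended variant the listing still shows VIRUS.TMP, because the virus only dropped its file and handed control back; with the surrounding variant the disk is equally infected but the listing the user sees is identical to the clean run, which is the whole point of attaching to the listing program.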

Page 14:

Integrated Viruses

Virus replaces the program and integrates itself into the original code

Requires the creator of the virus to know the original program in order to insert pieces of the virus into it

Replacement – the virus replaces the entire program with itself; user will only see the performance of the virus

Page 15:

Integrated Viruses (cont.)

[Diagram: Program + Virus = Program with Virus integrated into its code]

Page 16:

Document Virus

Implemented inside a formatted document (ex. Word document, database, spreadsheet, etc.)

Highly structured files containing both data and commands

Command codes (macros) are part of a rich programming language
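Because a document virus lives in the command part of a structured file, the practical check is whether a document carries command content at all. The example below is added here and is not code from the slides: it builds two OOXML-shaped archives in memory with zipfile (minimal parts, not real Word output) and inspects them. The part name word/vbaProject.bin and the content type used follow the real OOXML convention; the bytes written into that part are a placeholder, not a real VBA project, and the file names are assumptions.

```python
"""Finding command content (VBA macros) inside an OOXML document (added example)."""
import io
import os
import zipfile

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")          # legacy .doc/.xls container
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_FREE_EXTENSIONS = {".docx", ".dotx", ".xlsx", ".xltx", ".pptx", ".potx"}


def build_doc(with_macros: bool) -> bytes:
    """Constructed sample: a minimal OOXML-shaped archive, with or without
    a VBA project part and its declaration in the content-types manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        entries = ['<Default Extension="xml" ContentType="application/xml"/>']
        if with_macros:
            entries.append('<Override PartName="/word/vbaProject.bin" '
                           f'ContentType="{MACRO_CONTENT_TYPE}"/>')
        z.writestr("[Content_Types].xml", "<Types>" + "".join(entries) + "</Types>")
        z.writestr("word/document.xml",
                   "<w:document><w:body><w:p>quarterly report</w:p></w:body></w:document>")
        if with_macros:
            z.writestr("word/vbaProject.bin", CFB_MAGIC + b"\x00" * 24)  # placeholder
    return buf.getvalue()


def find_macro_parts(data: bytes) -> list:
    """Names of parts that carry VBA, cross-checked against the manifest."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = [n for n in z.namelist() if n.lower().endswith("vbaproject.bin")]
        try:
            manifest = z.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            manifest = ""
    if MACRO_CONTENT_TYPE in manifest and not parts:
        parts.append("<declared in [Content_Types].xml but part missing>")
    return parts


def inspect_document(filename: str, data: bytes) -> dict:
    """Classify the container, report macro presence, and flag a file whose
    extension advertises a macro-free format while VBA is present."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        fmt = "ooxml"
        parts = find_macro_parts(data)
    elif data.startswith(CFB_MAGIC):
        fmt = "cfb"      # legacy binary format: an OLE parser is needed to find VBA
        parts = []
    else:
        fmt = "unknown"
        parts = []
    ext = os.path.splitext(filename)[1].lower()
    return {
        "format": fmt,
        "macro_parts": parts,
        "has_macros": bool(parts),
        "extension_mismatch": bool(parts) and ext in MACRO_FREE_EXTENSIONS,
    }


if __name__ == "__main__":
    for name, doc in [("report.docx", build_doc(False)),
                      ("report.docm", build_doc(True)),
                      ("report.docx", build_doc(True)),
                      ("old.doc", CFB_MAGIC + b"\x00" * 504)]:
        print(name, inspect_document(name, doc))
```

The check looks at the container, not the extension: a macro-enabled document that arrives under a macro-free extension is reported as a mismatch, and a legacy binary (CFB) document is only classified, since finding VBA inside it needs an OLE parser rather than zipfile.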

Page 17:

Gaining Control

The virus program must be activated in place of the original program

Presents itself as the original program

Substitutes for the original program by pushing the original one out of the way

Overwriting – the virus replaces the original code in a file structure

Pointer Changing – directs the file system to itself and skips the original code

Page 18:

One-Time Execution

Majority of viruses today
Activated and executed only once
Email attachments

Page 19:

Boot Sector Viruses

Gains control early in the boot process, before detection tools are active

Boot area is crucial to the OS and is usually kept hidden from the user to avoid modification/deletion

Virus code is difficult to notice

Page 20:

Memory Resident Viruses

Resident code – code that is frequently used by the OS and has a permanent space in memory

Resident code is activated many times and activates the virus each time

Ability to look for and infect uninfected carriers

Page 21:

Virus Signatures

Cannot be completely invisible
Code is stored on the computer and must be in memory to execute
Signature – the pattern the virus executes and the method it uses to spread

Virus Scanner
– detects virus signatures by searching memory & long-term storage, and monitors execution
– must be kept up-to-date to be effective

Page 22:

Storage Patterns

Most viruses attach to programs stored on disks – file size grows

Attachment is usually invariant and the start of the virus code is detectable (Appended Attachment)

JUMP instruction at the start of the program transfers control to the virus code (Surrounding Attachment)
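The two detection ideas on slides 21 and 22, a scanner that matches the invariant start of attached code against a signature database, and a check that notices a program on disk has grown, as an added example that is not code from the slides or from any real scanner. The program image, the virus bytes, the signature database and the XOR-encoded "polymorphic" variant (the behaviour slide 5 attributes to Tequila) are all constructed for illustration and correspond to no real malware.

```python
"""Signature scanning and integrity checking over raw program images (added example)."""
import hashlib

# Constructed sample data (no real file formats or malware involved)
CLEAN_PROG = b"PROG:" + b"hello, world"          # a small 'program' on disk
VIRUS_BODY = bytes.fromhex("eb1090904d41524b") + b"-constructed-virus-body"
DECODER_STUB = b"DEC:"                            # invariant prefix of the variant

# Attachment is usually invariant, so the first bytes of the appended
# code make a usable signature.
SIGNATURES = {"toy.appender": VIRUS_BODY[:8]}


def scan(data: bytes, signatures=SIGNATURES):
    """Return (signature name, offset) for every occurrence found in data."""
    hits = []
    for name, pattern in signatures.items():
        off = data.find(pattern)
        while off != -1:
            hits.append((name, off))
            off = data.find(pattern, off + 1)
    return hits


def baseline(files):
    """Record (size, sha256) per file: the known-good state of the disk."""
    return {name: (len(d), hashlib.sha256(d).hexdigest()) for name, d in files.items()}


def integrity_check(files, base):
    """Compare the current disk with the baseline; flag growth and changes.
    This catches an appended virus even when no signature matches."""
    findings = []
    for name, data in files.items():
        if name not in base:
            findings.append((name, "new file"))
            continue
        size, digest = base[name]
        if len(data) > size:
            findings.append((name, f"grew by {len(data) - size} bytes"))
        elif hashlib.sha256(data).hexdigest() != digest:
            findings.append((name, "content changed"))
    findings += [(name, "missing") for name in base if name not in files]
    return findings


def polymorphic_variant(body: bytes, key: int) -> bytes:
    """Same body, XOR-encoded with a per-copy key behind a tiny constant
    decoder marker. Only the marker stays invariant, so a signature taken
    from the body no longer matches this copy."""
    return DECODER_STUB + bytes([key]) + bytes(b ^ key for b in body)


def demo():
    notes = b"meeting at 10"
    clean = {"DIR.COM": CLEAN_PROG, "NOTES.TXT": notes}
    base = baseline(clean)
    infected = {"DIR.COM": CLEAN_PROG + VIRUS_BODY, "NOTES.TXT": notes}
    variant = {"DIR.COM": CLEAN_PROG + polymorphic_variant(VIRUS_BODY, 0x5A),
               "NOTES.TXT": notes}
    # The scanner must be kept up-to-date: a signature for the variant's
    # decoder stub is what such an update would add.
    updated = {**SIGNATURES, "toy.appender.v2": DECODER_STUB}
    return {
        "sig_infected": scan(infected["DIR.COM"]),
        "sig_variant": scan(variant["DIR.COM"]),
        "sig_variant_updated": scan(variant["DIR.COM"], updated),
        "integrity_infected": integrity_check(infected, base),
        "integrity_variant": integrity_check(variant, base),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The signature finds the plain appended copy at exactly the offset where the original program ended, misses the XOR-encoded copy until the database is updated with the decoder stub, and the size/hash baseline flags both copies regardless, which is why the two checks are used together.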

Page 23:

Execution Patterns

Spread infection
Avoid detection – Boot Sector
Cause harm – erasing files/disks, preventing booting/writing to disk, shutting down, etc.

Page 24:

Transmission Patterns

Virus is only effective if it has the ability to transmit itself from location to location

Virus execution behaves just like any other program execution, and its form of transmission is not confined to one medium.