NET 311 Information Security


NET 311 Information Security, Networks and Communication Department. Lecture 6: Malicious Software: Viruses (Chapter 21)

Lecture contents:
• Malicious Software
• Viruses: types, phases, countermeasures
11-Nov-18 Networks and Communication Department

Viruses and Other Malicious Content
• Computer viruses have got a lot of publicity.
• They are one of a family of malicious software.
• Their effects are usually obvious.
• They have figured in news reports, fiction and movies (often exaggerated).
• They get more attention than they deserve.
• They are a concern, though.

Malicious Software (slide figure not included in the transcript)

Malicious Software
Zombie: a program planted on an infected machine that is activated to launch attacks on other machines.

Viruses
A computer virus is a piece of software that infects programs by modifying them to include a copy of the virus, so that the virus executes secretly whenever the host program is run. Once a virus is executing, it can perform any function allowed by the privileges of the current user, such as erasing files and programs. Most viruses carry out their work in a manner that is specific to a particular operating system and, in some cases, to a particular hardware platform. Thus, they are designed to take advantage of the details and weaknesses of particular systems.

Virus damage
Usually, viruses do not do anything useful for their author; they are just pranks. Viruses range from the mildly annoying to the downright destructive. Examples of what they do:
• Steal personal information
• Delete files
• Steal software serial numbers

Virus damage
Most viruses are comparatively harmless and may be present for years with no noticeable effect; some, however, may cause random damage to data files or attempt to destroy files. Some viruses cause unintended damage. Even benign viruses cause significant damage by occupying disk space and main memory, by using up CPU processing time, and by the time and expense wasted in detecting and removing them.

Targets of viruses
Some viruses affect individual programs; therefore, there can be a copy of the virus in every program on the computer. Other viruses affect the operating system; therefore, there can be a copy of the virus on every computer disk. Some viruses are platform-dependent: they can work only within one particular operating system (of these viruses, 99% are oriented against the PC platform). Other viruses are platform-independent: these are macro viruses, working within a cross-platform environment (e.g. MS Word).

A lesson
Viruses cannot spread unless you run an infected program or open an infected document. Therefore, the good news is that a virus does not spread without human action to move it along, such as sharing a file or sending an e-mail.

Ways of attaching a virus to a program:
• Overwriting
• Appending
For example, let us assume that a file with a program contains only executable instructions, and that all these instructions are executed in order.

Before infecting (slide figure: "a program to be infected" beside "an infected program is executed")

Overwriting (slide figure: "a program to be infected" beside "an infected program is executed")

Appending (slide figure)

Overwriting vs appending
If the virus overwrites the program, the program stops working, and the user notices immediately. If the virus appends itself to the program, the length of the program changes, and this is easy to check.

Example: Melissa
Year: 1999. Melissa is a macro virus living in MS Word documents. Any hardware platform and operating system that supports these applications can be infected, so it can spread on both PC and Mac platforms. Macro viruses are easily spread; a very common method is electronic mail. Melissa is an e-mail virus:
1. The e-mail virus sends itself to everyone on the mailing list in the user's e-mail package.
2. The virus does local damage on the user's system.
The virus uses the Visual Basic scripting language supported by the e-mail package.

Example: Stealth
"Stealth" is the name of a bomber aircraft that radar cannot detect. Stealth virus: a form of virus explicitly designed to hide itself from detection by antivirus software. Thus, the entire virus, not just a payload, is hidden. One example of a stealth virus was a virus that uses compression so that the infected program is exactly the same length as an uninfected version. Far more sophisticated techniques are possible. For example, a virus can place intercept logic in disk I/O routines, so that when there is an attempt to read suspected portions of the disk using these routines, the virus presents back the original, uninfected program. Thus, stealth is not a term that applies to a virus as such but, rather, refers to a technique used by a virus to evade detection.

Stealth virus
1. A stealth virus infects both files and the operating system.
2. If you view or edit the infected file, it looks uninfected.
3. If you execute the infected file, it works as infected.

Polymorphic viruses
A polymorphic virus creates copies during replication that are functionally equivalent but have distinctly different bit patterns. It changes its code every time it infects a program; therefore, it is more difficult to find. For example, a polymorphic virus can distribute its code inside the original program.

Virus Phases
During its lifetime, a typical virus goes through the following four phases:
1. Dormant phase: The virus is idle. The virus will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit. Not all viruses have this stage.
2. Propagation phase: The virus places a copy of itself into other programs or into certain system areas on the disk. The copy may not be identical to the propagating version; viruses often morph to evade detection.
3. Triggering phase: The virus is activated to perform the function for which it was intended. As with the dormant phase, the triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself.
4. Execution phase: The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.

Virus Structure
A computer virus has three parts:
• Infection mechanism: The means by which a virus spreads, enabling it to replicate. The mechanism is also referred to as the infection vector.
• Trigger: The event or condition that determines when the payload is activated or delivered.
• Payload: What the virus does, besides spreading. The payload may involve damage or may involve benign but noticeable activity.

Virus Structure
When an infected program is invoked, it executes the virus code first and then the original program code. A simple virus: the infected program begins with the virus code and works as follows. The first line of code is a jump to the main virus program. The second line is a special marker that is used by the virus to determine whether or not a potential victim program has already been infected with this virus. When the program is invoked, control is immediately transferred to the main virus program. The virus program may first seek out uninfected executable files and infect them. Next, the virus may perform some action, usually detrimental to the system. This action could be performed every time the program is invoked, or it could be a logic bomb that triggers only under certain conditions. Finally, the virus transfers control to the original program. If the infection phase of the program is reasonably rapid, a user is unlikely to notice any difference between the execution of an infected and an uninfected program.

Where do viruses come from?
• Global access networks and e-mail
• E-mail conferences, file servers, FTP and BBS
• Local access networks
• Pirated software
• General-access personal computers
A bulletin board system, or BBS, is a computer server running software that allows users to connect to the system using a terminal program. Once logged in, the user can perform functions such as uploading and downloading software and data.

Virus Countermeasures
The ideal solution to the threat of viruses is prevention: do not allow a virus to get into the system in the first place, or block the ability of a virus to modify any files containing executable code or macros. This goal is, in general, impossible to achieve. The next best approach is to be able to do the following:
• Detection: Once the infection has occurred, determine that it has occurred and locate the virus.
• Identification: Once detection has been achieved, identify the specific virus that has infected a program.
• Removal: Once the specific virus has been identified, remove all traces of the virus from the infected program and restore it to its original state. Remove the virus from all infected systems so that the virus cannot spread further.
If detection succeeds but either identification or removal is not possible, the alternative is to discard the infected file and reload a clean backup version.

Virus Countermeasures: purchasing software
• Use only commercial software acquired from reliable, well-established vendors with significant reputations.
• Example: open-source software seems to be safe, but it can be infected.

Virus Countermeasures: keeping an eye on new software
• If possible, test all new software on an isolated computer and look for unexpected behavior.
• Run an up-to-date antivirus program after installing new software.
Taking care with e-mail attachments
• Open attachments only when you know them to be safe.

Virus Countermeasures: system recovery
• Make a system image and store it safely.
• Make and retain backup copies of executable system files.
Data recovery
• Back up all your work regularly and store the backups safely.
• This rule protects you not only against viruses but also, for example, against computer theft.

Virus Countermeasures: antivirus programs
• Antivirus programs are otherwise known as virus detectors or virus scanners.
• Use them, and update them regularly.
Signature
Simple virus detectors search files looking for a given signature in them. A signature is a piece of code typical of a particular virus.
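To make the signature idea concrete, and to show why the polymorphic viruses described earlier defeat a fixed signature, here is an added Python example that is not part of the course slides; the signature bytes and the sample "programs" are constructed and are not a real virus signature.

```python
# Minimal signature scanner plus a constructed polymorphic variant that a
# fixed byte signature misses.  Added example, not from the course slides.

# Constructed stand-in for "a piece of code typical of a particular virus".
# NOT a real virus signature; the bytes are arbitrary.
SIGNATURES = {
    "demo-virus": bytes.fromhex("deadbeef4d415243"),  # constructed pattern
}


def scan_bytes(data: bytes, signatures: dict = SIGNATURES) -> list:
    """Return the names of every signature that occurs anywhere in data.
    This is what the slide calls a 'simple virus detector'."""
    return sorted(name for name, sig in signatures.items() if sig in data)


def xor_transform(body: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key.  Applying it twice with the same
    key restores the original, so the content is functionally preserved
    while its bit pattern changes; this stands in for the per-infection
    rewriting a polymorphic virus performs on its own copy."""
    return bytes(b ^ key for b in body)


def demo() -> dict:
    """Scan three constructed 'programs': clean, infected with the exact
    signature bytes, and infected with an XOR-mutated copy of the same code."""
    host = b"HOST PROGRAM INSTRUCTIONS"                 # constructed host
    virus_body = SIGNATURES["demo-virus"] + b"<payload>"
    clean = host
    infected = host + virus_body                         # appended, unchanged
    mutated = host + xor_transform(virus_body, 0x5A)     # different bit pattern
    return {
        "clean": scan_bytes(clean),
        "infected": scan_bytes(infected),
        "polymorphic": scan_bytes(mutated),
        # A scanner that first undoes the transformation (emulating the
        # decoding the copy performs at run time) sees the signature again.
        "polymorphic_decoded": scan_bytes(
            host + xor_transform(mutated[len(host):], 0x5A)
        ),
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:20s} -> {hits or 'no signature match'}")
```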

Virus Countermeasures: data integrity checking
Use validation and data integrity checking utilities. They record file information (checksums, sizes, attributes, last modification dates, etc.). You should periodically compare such database information with the actual hard drive contents, because any inconsistency might be a signal of the presence of a Trojan horse or virus.
Immunizers: with these programs, disk files are modified in such a way that the virus considers them already infected.
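The integrity-checking utility described here, which also catches the length change that the earlier "Overwriting vs appending" slide says is easy to check, as an added Python example that is not part of the course slides; the directory contents, file names and the simulated infections are constructed.

```python
# Baseline-and-compare file integrity checker.  Added example, not from the
# course slides; paths, contents and the simulated infections are constructed.
import hashlib
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Record what the slide lists: size, checksum and last modification time."""
    st = path.stat()
    return {
        "size": st.st_size,
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        "mtime": st.st_mtime,
    }


def build_baseline(root: Path) -> dict:
    """Fingerprint every regular file under root, keyed by relative path.
    In practice this database is kept offline so a virus cannot update it."""
    return {str(p.relative_to(root)): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two fingerprint databases.  A changed size
    or checksum on an executable is the inconsistency the slide says may signal
    a virus; mtime is recorded but not compared, since it is easy to restore."""
    report = {"modified": [], "missing": [], "new": []}
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            report["missing"].append(name)
        elif (new["size"], new["sha256"]) != (old["size"], old["sha256"]):
            report["modified"].append(name)
    report["new"] = sorted(set(current) - set(baseline))
    return report


def demo() -> dict:
    """Constructed scenario: baseline a directory, then simulate an appended
    infection (length grows), an overwrite (same length, new bytes) and a
    dropped file, and compare against the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "editor.exe").write_bytes(b"CLEAN PROGRAM CODE")
        (root / "notes.txt").write_bytes(b"unchanged data file")
        (root / "viewer.exe").write_bytes(b"ANOTHER CLEAN BINARY")
        baseline = build_baseline(root)
        with open(root / "editor.exe", "ab") as f:
            f.write(b"<appended code>")                 # appending: size changes
        (root / "viewer.exe").write_bytes(b"OVERWRITTEN  BINARY ")  # same size
        (root / "dropped.exe").write_bytes(b"not in the baseline")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```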

Digital Immune System
1. A monitoring program on each PC uses a variety of heuristics based on system behavior, suspicious changes to programs, or family signature to infer that a virus may be present. The monitoring program forwards a copy of any program thought to be infected to an administrative machine within the organization.
2. The administrative machine encrypts the sample and sends it to a central virus analysis machine.
3. This machine creates an environment in which the infected program can be safely run for analysis. Techniques used for this purpose include emulation, or the creation of a protected environment within which the suspect program can be executed and monitored. The virus analysis machine then produces a prescription for identifying and removing the virus.
4. The resulting prescription is sent back to the administrative machine.
5. The administrative machine forwards the prescription to the infected client.
6. The prescription is also forwarded to other clients in the organization.
7. Subscribers around the world receive regular antivirus updates that protect them from the new virus.

Behavior-Blocking Software
Figure 21.5 illustrates the operation of a behavior blocker. Behavior-blocking software runs on server and desktop computers and is instructed, through policies set by the network administrator, to let benign actions take place but to intercede when unauthorized or suspicious actions occur. The module blocks any suspicious software from executing: a blocker isolates the code in a sandbox, which restricts the code's access to various OS resources and applications, and then sends an alert.

References
• Cryptography and Network Security: Principles and Practice, William Stallings, fifth edition, 2011.
• Lecture slides by Lawrie Brown for "Cryptography and Network Security", 5/e, by William Stallings, Chapter 21, "Malicious Software".
• Lecture slides by Dr Alexei Vernitski, University of Essex, 2013.