CIS3360: Security in Computing Chapter 4.2 : Viruses Cliff Zou Spring 2012.

Slides:



Advertisements
Similar presentations
Higher Computing Computer Systems S. McCrossan Higher Grade Computing Studies 8. Supporting Software 1 Software Compatibility Whether you are doing a fresh.
Advertisements

Thank you to IT Training at Indiana University Computer Malware.
Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003.
Karlstad University Malware Ge Zhang Karlstad Univeristy.
Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.
Unit 18 Data Security 1.
Malware Ge Zhang Karlstad Univeristy. Focus What malware are Types of malware How do they propagate How do they hide How to detect them.
Slide 1 Adapted from Vitaly Shmatikov, UT Austin Trojans and Viruses.
Slide 1 Vitaly Shmatikov CS 378 Trojans and Viruses.
________________ CS3235, Nov 2002 Viruses Adapted from Pfleeger[Chap 5]. A virus is a program [fragment] that can pass on malicious code [usually itself]
Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Polymorphism in Computer Viruses CS265 Security Engineering Term Project Puneet Mishra.
Chapter 9 Security Malware Defenses. Malware Can be used for a form of blackmail. Example: Encrypts files on victim disk, then displays message.
1 Computer Viruses (and other “Malicious Programs) Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
1 Malicious Logic CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 25, 2004.
Chapter Nine Maintaining a Computer Part III: Malware.
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
SCSC 455 Computer Security 2011 Spring Chapter 5 Malware.
Video Following is a video of what can happen if you don’t update your security settings! security.
CAP6135: Malware and Software Vulnerability Analysis Viruses Cliff Zou Spring 2011.
1 Ola Flygt Växjö University, Sweden Malicious Software.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
Understanding and Troubleshooting Your PC. Chapter 12: Maintenance and Troubleshooting Fundamentals2 Chapter Objectives  In this chapter, you will learn:
Virus and Antivirus Team members: - Muzaffar Malik - Kiran Karki.
Lecture 14 Overview. Program Flaws Taxonomy of flaws: – how (genesis) – when (time) – where (location) the flaw was introduced into the system 2 CS 450/650.
VIRUSES - Janhavi Naik. Overview Structure Classification Categories.
Structure Classifications &
1 Chapter 19: Malicious Software Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Modified by Prof. M. Singhal, U of Kentucky)
CHAPTER 14 Viruses, Trojan Horses and Worms. INTRODUCTION Viruses, Trojan Horses and worm are malicious programs that can cause damage to information.
1 Higher Computing Topic 8: Supporting Software Updated
1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
Viruses, Trojans and Worms The commonest computer threats are viruses. Virus A virus is a computer program which changes the way in which the computer.
Administrative: Objective: –Tutorial on Risks –Phoenix recovery Outline for today.
Malicious Code By Diana Peng. What is Malicious Code? Unanticipated or undesired effects in programs/program parts, caused by an agent with damaging intentions.
Chapter 10 Malicious software. Viruses and ” Malicious Programs Computer “ Viruses ” and related programs have the ability to replicate themselves on.
CAP6135: Malware and Software Vulnerability Analysis Viruses Cliff Zou Spring 2015.
For any query mail to or BITS Pilani Lecture # 1.
Telecommunications Networking II Lecture 41f Viruses and Worms.
Malicious Logic and Defenses. Malicious Logic Trojan Horse – A Trojan horse is a program with an overt (documented or known) effect and covert (undocumented.
Viruses a piece of self-replicating code attached to some other code – cf biological virus both propagates itself & carries a payload – carries code to.
Malicious Software.
VIRUS.
n Just as a human virus is passed from person from person, a computer virus is passed from computer to computer. n A virus can be attached to any file.
Chapter 19 – Malicious Software What is the concept of defense: The parrying of a blow. What is its characteristic feature: Awaiting the blow. —On War,
Computer Systems Viruses. Virus A virus is a program which can destroy or cause damage to data stored on a computer. It’s a program that must be run in.
METAMORPHIC VIRUS NGUYEN LE VAN.
Computer virus Speaker : 蔡尚倫.  Introduction  Infection target  Infection techniques Outline.
Computer Security Threats CLICKTECHSOLUTION.COM. Computer Security Confidentiality –Data confidentiality –Privacy Integrity –Data integrity –System integrity.
W elcome to our Presentation. Presentation Topic Virus.
NETWORK SECURITY Definitions and Preventions Toby Wilson.
MALICIOUS SOFTWARE Rishu sihotra TE Computer
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
Malicious Programs (1) Viruses have the ability to replicate themselves Other Malicious programs may be installed by hand on a single machine. They may.
Adware and Browser Hijacker – Symptoms and Preventions /killmalware /u/2/b/ /alexwaston14/viru s-removal/ /channel/UC90JNmv0 nAvomcLim5bUmnA.
COMPUTER VIRUSES ….! Presented by: BSCS-I Maheen Zofishan Saba Naz Numan Sheikh Javaria Munawar Aisha Fatima.
ANTIVIRUS ANTIVIRUS Author: Somnath G. Kavalase Junior Software developer at PBWebvsion PVT.LTD.
Detected by, M.Nitin kumar ( ) Sagar kumar sahu ( )
Protecting Computers From Viruses and Similarly Programmed Threats Ryan Gray COSC 316.
Cosc 4765 Antivirus Approaches. In a Perfect world The best solution to viruses and worms to prevent infected the system –Generally considered impossible.
MALWARE.
Acknowledgement This lecture uses some contents from the lecture notes from: Dr. Vitaly Shmatikov CS Network Security and Privacy Introduction to.
Techniques, Tools, and Research Issues
computer virus infection & symptoms
Chap 10 Malicious Software.
Malware CJ
Chap 10 Malicious Software.
Malicious Program and Protection
Presentation transcript:

CIS3360: Security in Computing Chapter 4.2 : Viruses Cliff Zou Spring 2012

2 Acknowledgement  Lecture notes from the textbook  This lecture uses some contents from the lecture notes from:  Dr. Vitaly Shmatikov CS Network Security and PrivacyVitaly ShmatikovCS Network Security and Privacy

Virus Phases  Dormant phase. During this phase, the virus just exists—the virus is laying low and avoiding detection.  Propagation phase. During this phase, the virus is replicating itself, infecting new files on new systems.  Triggering phase. In this phase, some logical condition causes the virus to move from a dormant or propagation phase to perform its intended action.  Action phase. In this phase, the virus performs the malicious action that it was designed to perform, called payload.  This action could include something seemingly innocent, like displaying a silly picture on a computer’s screen, or something quite malicious, such as deleting all essential files on the hard drive.

4 Viruses  Virus propagates by infecting other programs  Automatically creates copies of itself, but to propagate, a human has to run an infected program  Self-propagating malicious programs are usually called worms  Many propagation methods  Insert a copy into every executable (.COM,.EXE)  Insert a copy into boot sectors of disks  “Stoned” virus infected PCs booted from infected floppies, stayed in memory and infected every floppy inserted into PC  Infect TSR (terminate-and-stay-resident) routines  By infecting a common OS routine, a virus can always stay in memory and infect all disks, executables, etc.

5 Virus Techniques  Macro viruses  A macro is an executable program embedded in a word processing document (MS Word) or spreadsheet (Excel)  When infected document is opened, virus copies itself into global macro file and makes itself auto-executing (e.g., gets invoked whenever any document is opened)  Stealth techniques  Infect OS so that infected files appear normal  Used by rootkits (we’ll look at them later)  Mutate, encrypt parts of code with random key

6 Viruses in P2P Networks  Millions of users willingly download files  KaZaA: 2.5 million users in May 2006  Easy to insert an infected file into the network  Pretend to be an executable of a popular application  “Adobe Photoshop 10 full.exe”, “WinZip 8.1.exe”, …  ICQ and Trillian seem to be the most popular names  Infected MP3 files are rare  Malware can open backdoor, steal confidential information, spread spam  70% of infected hosts already on DNS spam blacklists [Shin, Jung, Balakrishnan]

7 Prevalence of Viruses in KaZaA  2006 study of 500,000 KaZaA files  Look for 364 patterns associated with 71 viruses  Up to 22% of all KaZaA files infected  52 different viruses and Trojans  Another study found that 44% of all executable files on KaZaA contain malicious code  When searching for “ICQ” or “Trillian”, chances of hitting an infected file are over 70%  Some infected hosts are active for a long time  5% of infected hosts seen in February 2006 were still active in May 2006 [Shin, Jung, Balakrishnan]

8 Dangerous KaZaA Queries [Shin, Jung, Balakrishnan]

9 Stealth Techniques  Mutation: virus has multiple binary variants  Defeats naïve signature-based detection  Used by the most successful (i.e., widespread) viruses  Tanked: 62 variants, SdDrop: 14 variants  Aliasing: virus places its copies under different names into the infected host’s sharing folder  “ICQ Lite.exe”, “ICQ Pro 2003b.exe”, “MSN Messenger 5.2.exe” [Shin, Jung, Balakrishnan]

10 Propagation via Websites  Websites with popular content  Games: 60% of websites contain executable content, one-third contain at least one malicious executable  Celebrities, adult content, everything except news  Most popular sites with malicious content (Oct 2005)  Large variety of malware  But most of the observed programs are variants of the same few adware applications (e.g., WhenU) [Moshchuk et al.]

11 Malicious Functionality  Adware  Display unwanted pop-up ads  Browser hijackers  Modify home page, search tools, redirect URLs  Trojan downloaders  Download and install additional malware  Dialer (expensive toll numbers)  Keylogging [Moshchuk et al.]

12 Drive-By Downloads  Website “pushes” malicious executable to user’s browser with inline Javascript or pop-up window  Naïve user may click “Yes” in the dialog box  Can also install malicious software automatically by exploiting bugs in the user’s browser  1.5% of URLs crawled in the Moshchuk et al. study  Constant change  Many infectious sites exist only for a short time or change substantially from month to month  Many sites behave non-deterministically

Concealment  Encrypted virus  Decryption engine + encrypted body  Randomly generate encryption key +brute force decryption  Detection looks for decryption engine  Polymorphic virus  Encrypted virus with random variations of the decryption engine (e.g., padding code)  Detection using CPU emulator  Metamorphic virus  Different virus bodies  Approaches include code permutation and instruction replacement  Challenging to detect

14 Polymorphic Viruses  Encrypted viruses: virus consists of a constant decryptor, followed by the encrypted virus body  Relatively easy to detect because decryptor is constant  Polymorphic viruses: constantly create new random encryptions of the same virus body  Marburg (Win95), HPS (Win95), Coke (Win32)  Virus includes an engine for creating new keys and new encryptions of the virus body  Crypto (Win32) decrypts its body by brute-force key search to avoid explicit decryptor code  Decryptor can start with millions of NOPs to defeat emulation

15 Anti-Virus Technologies  Simple anti-virus scanners  Look for signatures (fragments of known virus code)  Heuristics for recognizing code associated with viruses  Polymorphic viruses often use decryption loops  Integrity checking to find modified files  Record file sizes, checksums, MACs (keyed hashes of contents)  Often used for rootkit detection (we’ll see TripWire later)  Generic decryption and emulation  Emulate CPU execution for a few hundred instructions, virus will eventually decrypt, can recognize known body  Does not work very well against mutating viruses and viruses not located near beginning of infected executable

16 Virus Detection by Emulation Virus body Randomly generates a new key and corresponding decryptor code Mutation A Decrypt and execute Mutation C Mutation B To detect an unknown mutation of a known virus, emulate CPU execution of until the current sequence of instruction opcodes matches the known sequence for virus body

17 Metamorphic Viruses  Obvious next step: mutate the virus body, too!  Virus can carry its source code (which deliberately contains some useless junk) and recompile itself  Apparition virus (Win32)  Virus first looks for an installed compiler  Unix machines have C compilers installed by default  Virus changes junk in its source and recompiles itself  New binary mutation looks completely different!  Mutation is common in macro and script viruses  Macros/scripts are usually interpreted, not compiled

18 Obfuscation and Anti-Debugging  Common in worms, viruses, bots  Goal: prevent analysis of code and signature-based detection; foil reverse-engineering  Insert garbage opcodes and change control structure  Different code in each instance  Effect of code execution is the same, but difficult to detect by passive analysis  Packed binaries  Detect debuggers and virtual machines, terminate execution

19 Mutation / Obfuscation Techniques  Same code, different register names  Regswap (Win32)  Same code, different subroutine order  BadBoy (DOS), Ghost (Win32)  If n subroutines, then n! possible mutations  Decrypt virus body instruction by instruction, push instructions on stack, insert and remove jumps, rebuild body on stack  Zmorph (Win95)  Can be detected by emulation because the rebuilt body has a constant instruction sequence

20 Mutation Engines  Real Permutating Engine/RPME, ADMutate, etc.  Large set of obfuscating techniques  Instructions are reordered, branch conditions reversed  Jumps and NOPs inserted in random places  Garbage opcodes inserted in unreachable code areas  Instruction sequences replaced with other instructions that have the same effect, but different opcodes  Mutate SUB EAX, EAX into XOR EAX, EAX or PUSH EBP; MOV EBP, ESP into PUSH EBP; PUSH ESP; POP EBP  There is no constant, recognizable virus body!

21 Example of Zperm Mutation  From Szor and Ferrie, “Hunting for Metamorphic”

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.