Malicious Code By Diana Peng. What is Malicious Code? Unanticipated or undesired effects in programs/program parts, caused by an agent with damaging intentions.

Presentation transcript:

Malicious Code By Diana Peng

What is Malicious Code?
- Unanticipated or undesired effects in programs/program parts, caused by an agent with damaging intentions
- Uses our everyday programs as a vessel to access and change data stored
- Viruses
- Worms
- Trojan Horses

Unpredictable Behavior
- Behaves in the same manner as any other program
- Has the ability to stop running programs, generate a sound, erase stored data, etc.
- Has the ability to remain dormant until some event triggers the code to act

History of Malicious Code
- 1981 Elk Cloner – spread on Apple II floppy disks (containing the OS) originating from Texas A&M:
    It will get on all your disks
    It will infiltrate your chips
    Yes it's Cloner!
    It will stick to you like glue
    It will modify ram too
    Send in the Cloner!
- 1983 – Fred Cohen, Computer Viruses – Theory and Experiments
- 1986 Brain – 2 Pakistani brothers, analyzing the boot sector of a floppy disk, develop a method to infect it. Spread quickly and widely on MS-DOS PC systems.

History (cont.)
- 1987 IBM Christmas Worm – fast spreading, 500,000 replications per hour
- 1988 MacMag – Hypercard stack virus
- Scores – 1st major Mac outbreak
- 1991 Tequila – polymorphic, originated in Switzerland and changed itself to avoid detection
- More recently – Love Letter (2000), Blaster and SoBig (2003)

Definitions
- Virus – a program that can pass on malicious code to other nonmalicious programs by modifying them
  1. Transient – life is dependent on host
  2. Resident – stores itself in memory and acts as a stand-alone program
- Trojan Horse – contains obvious malicious intent and a 2nd unseen effect

Definitions (cont.)
- Logic Bomb – “detonates” when a specified condition occurs
  * Time Bomb – triggered by a time/date
- Trapdoor/Backdoor – allows one to access a protected program through an indirect method
- Worm – program that replicates itself and spreads those replications through a network
  * Rabbit – spreads w/out limits and tries to exhaust the computer’s resources

Virus Qualities
- Easily created
- Difficult to detect
- Difficult to destroy or deactivate
- Spreads intended infection widely
- Ability to re-infect original program or other programs
- Machine and OS independent

Attaching Viruses
- Must be executed in order to be activated
- Human intervention is key for initial activation
- attachments
- Once attached, the virus installs itself on a permanent storage medium and on any/all executing programs in memory

Appended Viruses
- Most common attachment – easy to program and effective
- Attaches to an existing program and is activated whenever the program is running
- Virus instructions execute 1st; after the last virus instruction, control is given back to the 1st program instruction
- User is unaware of virus – original program still runs the way it’s intended

Appended Virus (cont.)
[Diagram labels: Program, Virus]

Surrounding Viruses
- To avoid detection on the disk, the virus will attach itself to the program constructing the listing of files on the disk
- The virus has control after the listing program has generated the listing and before it is displayed, so that it can delete itself from the listing

Surrounding Virus (cont.)
[Diagram labels: Program, Virus]

Integrated Viruses
- Virus will replace the program and integrate itself into the original code
- Requires the creator of the virus to know the original program in order to insert pieces of the virus into it
- Replacement – the virus replaces the entire program with itself; user will only see the performance of the virus

Integrated Viruses (cont.)
[Diagram labels: Program, Virus]

Document Virus
- Implemented inside a formatted document (ex. Word document, database, spreadsheet, etc.)
- Highly structured files containing both data and commands
- Command codes are a part of a rich programming language

Gaining Control
- The virus program must be activated in place of the original program
- Presents itself as the original program
- Substitutes the original program by pushing the original one out of the way
- Overwriting – the virus replaces the original code in a file structure
- Pointer Changing – directs the file system to itself and skips the original code

One-Time Execution
- Majority of viruses today
- Activated and executed only once
- attachments

Boot Sector Viruses
- Gains control early in the boot process before detection tools are active
- Boot area is crucial to the OS and is usually kept hidden from the user to avoid modification/deletion
- Virus code is difficult to notice

Memory Resident Viruses
- Resident code – code that is frequently used by the OS that has a permanent space in memory
- Resident code is activated many times and simultaneously activates the virus each time
- Ability to look for and infect uninfected carriers

Virus Signatures
- Cannot be completely invisible
- Code is stored on computer and must be in memory to execute
- Signature – the pattern the virus executes and the method it uses to spread
- Virus Scanner
  – detects virus signatures by searching memory & long-term storage, and monitors execution
  – must be kept up-to-date to be effective

Storage Patterns
- Most viruses attach to programs stored on disks – file size grows
- Attachment is usually invariant and the start of the virus code is detectable (Appended Attachment)
- JUMP instruction (Surrounding Attachment)
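
An added example, not part of the original slides: a small Python scanner that combines the two checks described under Virus Signatures and Storage Patterns, searching for an invariant byte pattern and comparing a file against a known-good baseline of size and hash. The signature name, marker bytes and sample program images are constructed and inert; they are assumptions for illustration only.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass

# Constructed, inert marker standing in for an invariant byte sequence.
DEMO_MARKER = b"\xde\xad\xbe\xefDEMO-MARKER"
SIGNATURES = {"Demo.Appended": DEMO_MARKER}  # hypothetical signature set

@dataclass(frozen=True)
class Baseline:
    size: int
    sha256: str

def make_baseline(data: bytes) -> Baseline:
    """Record size and hash of a known-good program image."""
    return Baseline(len(data), hashlib.sha256(data).hexdigest())

def scan(data: bytes, baseline: Baseline | None = None,
         signatures: dict[str, bytes] | None = None) -> list[str]:
    """Return findings from signature search plus baseline comparison."""
    findings = []
    sigs = SIGNATURES if signatures is None else signatures
    for name, pattern in sigs.items():
        offset = data.find(pattern)
        if offset != -1:
            findings.append(f"signature:{name}@{offset}")
    if baseline is not None:
        if len(data) > baseline.size:  # appended code grows the file
            findings.append(f"size-growth:+{len(data) - baseline.size}")
        if hashlib.sha256(data).hexdigest() != baseline.sha256:
            findings.append("hash-mismatch")
    return findings

# Constructed sample images (plain bytes, not executable code).
CLEAN = b"PROGRAM-BODY" * 8
APPENDED = CLEAN + DEMO_MARKER + b"payload-placeholder"
OVERWRITTEN = b"X" * len(CLEAN)  # same size, different content

def demo() -> dict[str, list[str]]:
    base = make_baseline(CLEAN)
    return {
        "clean": scan(CLEAN, base),
        "appended": scan(APPENDED, base),
        "overwritten": scan(OVERWRITTEN, base),
        # An out-of-date (empty) signature set misses the marker.
        "stale_signatures": scan(APPENDED, base, signatures={}),
    }

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

The overwritten image shows why the size check alone is not enough: a same-size replacement is caught only by the hash comparison, and the stale-signature run shows what an out-of-date scanner still sees from the baseline.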

Execution Patterns
- Spread infection
- Avoid detection – Boot Sector
- Cause harm – erasing files/disks, preventing booting/writing to disk, shutting down, etc.

Transmission Patterns
- Virus is only effective if it has the ability to transmit itself from location to location
- Virus execution behaves just like any other program execution, and its form of transmission is not confined to one medium.