Computer virus Speaker : 蔡尚倫

 Introduction  Infection target  Infection techniques Outline

 A malware  Need permission( by accident ) to execute  Will replicate, spread  May have destruction Computer virus - definition

 Stealing hard disk space or CPU time  Accessing private information  Corrupting data  Displaying political or humorous messages  Spamming their contacts  Logging their keystrokes Purpose

Tools, like language, tool kits Design Spread, how to extend Replication Active, what to do Launch Evade, try not be found Detection Elimination Lifetime of a virus

 System sector  Network  Source code  File  Macro Infection target

 Two type of system sector:  DBR (DOS Boot Record; DBS, DOS Boot sector)  MBR (Master Boot Record; Partition sectors)  Booting process:  Boot computer → BIOS → POST → DBR → MBR → Boot Sector → OS  Medium:  Floppy disk  Bootable CD-ROM System sector

 Replicate by commands or protocols of network  Remote-controllable  Results:  Degrade the performance of a network  Disable critical devices  Network connections  Stealing personnel data Network

 Different compiler, different source code  Make modifications to source code  Rare Source code

 Executable file  files with.BAT,.COM,.EXE,.BIN and so on  May be partially or completely overwritten  Infected files can spread across the system, network Files

Macro  Input sequence(short) map to output sequence(long)  A piece of code executes if a certain event occurs  Blur the line between executable files and data files

 Stealth  Polymorphic  Metamorphic  Cavity  Tunneling  Camouflage  Bootable CD-ROM Infection techniques

 Intercept requests  Return a uninfected file  Hide the modified file Stealth Anti-virus program Infected file OS Request: Ask a file Return another file

 To confuse anti-virus programs  Change characteristics with each infection  By Encryption/decryption module  But keep the algorithm intact  Insert junk instructions  Exchange independent instructions  Change the start address Polymorphic

 Will reprogram itself  Can translate into a temporary code  Then converted back to normal code  Avoid pattern recognition of anti-virus program Metamorphic Virus (original) Virus (temporary code ) Translate Convert back Mutate

 Also known as space-fillers  Maintain a constant file-size  Overwrite empty part of a target file with its code  Limit on small number of host, it is hard to write  Means rare Cavity Null Null Null Some info…. code code ….code code ….code code …. Some info…. Fill the empty part Original fileInfected file

 One way to detect virus is intercepting interrupts:  Look for specific action that may signify the presence of a virus  Intercepting interrupt from the OS directly to avoid anti-virus program use them Tunneling

Normal Program send interrupt requests Anti-virus software Intercepting the request and check it Operation system Give it the permission Tunneling - cont’d Infected program Back trace to the directory of DOS and BIOS interrupt handlers Install itself beneath this interrupt handlers Contact with OS directly

 Pretend itself as a normal program  Usage of anti-virus program’s ignore logic  Thanks to advanced virus detection, it’s rare Camouflage

 Through infected CD-ROM  If system is booted by the CD-ROM, the hard disk must be destroyed  No anti-virus program can stop it Bootable CD-ROM

 Worms  A special type of virus that can replicate itself and use memory, but it cannot attach itself to other executable codes  Trojans  A small destructive program that runs hidden on an infected computer Other malware

 Characteristics  Standalone malware  Propagation for spread from machine to machine  Do not attach themselves to an existing program  Infection techniques  Aim at security failures  Via network, usually with attachment of Worms

Gathering information Location, port, configuration, identification Infecting target Send itself to the target machine Payload Create back door, alter or destroy files, transmit psw.. Any action other than spreading itself Network propagation Select the next target by choosing randomly or others Worms - infecting phases

 Characteristics  Non-self-replicating  Do not attach themselves into files or propagate  Infection techniques (always associated with network)  with malicious programs or drive-by download  Normally down by social engineering  Running  Automatically run after being installed  Hiding in background, and create a backdoor(s), usually Trojans

 Destruction  Password thievery  Remote control  Key logger  DoS attack  Zombie  FTP Trojan Trojans - purposes

Thanks for listening