Download presentation
Presentation is loading. Please wait.
1
1 Malicious Logic CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 25, 2004
2
2 Overview Trojan Horses Viruses Other Malicious Logic
3
3 Trojan Horses Overt effect: intended Covert effect: unexpected Propagating: creates a copy of itself Example: Unix login
4
4 Computer Viruses Definition: A computer virus is a program that inserts itself into one or more files and then performs some (possibly null) action.
5
5 Boot Sector Infectors Inserts itself into boot sector of a disk Executes when disk is read Moves real boot sector to another location on disk
6
6 Executable Infectors Infects executable programs Places its code at beginning of executable segment Example: Jerusalem Virus
7
7 Jerusalem Virus (1/3) 1.Puts 0E0H into register ax 2.Invokes DOS service interrupt 3.If high 8 bits of ax contain 03H, system is already infected: quits and invokes original program 4.Otherwise, gets ready to trap calls to DOS service interrupt vector
8
8 Jerusalem Virus (2/3) 5.Check the year 6.If 1987 do nothing 7.Else, if not Friday the 13th sets up to respond to clock interrupts 8.Loads and executes original program 9.Stays in memory waiting for DOS service interrupt
9
9 Jerusalem Virus (3/3) 10.If Friday the 13th and not 1987 11.Sets flag in memory to be destructive: will delete files instead of infecting them. 12.Once in memory, all call to DOS service interrupt are checked: Infects or deletes as per memory flag Infects or deletes as per memory flag Preserves date and time of modification when infecting Preserves date and time of modification when infecting
10
10 Multipartite Viruses Can infect whether boot sectors or applications Has 2 parts, one for boot records, one for executable files
11
11 Terminate and Stay Resident (TSR) Viruses Stays active (resident) in memory after the application has terminated. Example: Jerusalem Virus
12
12 Stealth Viruses Conceal the infection of files Intercept call to file access routines read requests: disinfect as data is returned read requests: disinfect as data is returned execute requests: infected file is executed execute requests: infected file is executed
13
13 Encrypted Viruses Enciphers all of the virus code except for a small decryption routine Prevents pattern-matching virus detectors from recognizing virus
14
14 Polymorphic Viruses Changes its form each time it inserts itself into another program May be used with encryption to change pattern of decryption routine
15
15 Macro Viruses Sequence of instructions that is interpreted rather than executed directly Example: VB viruses
16
16 Computer Worms Program that copies itself from one computer to another Usual intent is to propagate without causing additional harm Example: Internet Worm of 1988
17
17 Rabbits and Bacterium Program that absorbs all of some class of resource May not consume all resources, just all of a particular class
18
18 Logic Bombs Program that performs an action that violates the security policy when some external event occurs May be linked to termination of an employee
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.