Computer Viruses

Preetha Annamalai

Niranjan Potnis


Outline

Computer Viruses – The Fundamentals

The Modus Operandi of a Virus

Virus Behavior and Symptoms

Virus Detection - The “Heuristic” Approach

A Sample Virus Code

What is a Computer Virus?

A malicious piece of executable code written with not so noble intentions

Attaches itself to executable files

Loads into memory and then kicks off

Replication – a key operation

The Vulnerable Areas!

EXE and COM files.

Macros in Word.

System sectors on Hard disk / Floppy disk

Scripts for Internet /Email.

Virus Types

File Infectors: .COM, .EXE files

Modify entry point of file

Execute self first

System Sector Viruses: sectors contain boot-time executable code

Boot Sector, MBR

Relocate boot code

Virus Types

Macro Viruses

Infect data files

Execute on opening a document

Modify the global macro template

Worms

Do not attach to host files/programs

Rapidly replicate over the network

Can execute in a distributed fashion

Use up network bandwidth

Modus Operandi

Infection Phase

Attack Phase

Infection Phase

The spreading of the virus

Based on a specific trigger/execution

Trigger condition – disk access / copying a file / a day or time

Intention is to spread as far as possible before detection

Act as TSRs and can reside in any part of memory

Attack Phase

Actual function is performed

Needs a trigger

Typical attacks –

• Deleting files

• Formats/damages disk

• Slowing down the system

Use up system resources, damages disk

Optional phase: viruses may infect but not attack (due to poorly written virus code)

Virus Symptoms

Change in length of .exe or .com files.

Change in the file date/time stamp

Change to interrupt vectors

Reassignment of system resources

Reduction in amount of memory normally shown

Virus Detection and Prevention

Anti-virus software

Two Approaches

Pattern Matching Approach

The “Heuristic Approach”

Conventional Pattern Matching Approach

Concept of “virus signature”

Look for virus byte sequence in a file to be scanned

Compare against a signature data file

Pattern match has to be literal

Problems – cannot detect viruses that are not in the data file

Data file has to be updated.

Viruses change the characteristic byte code from computer to computer

Heuristic Approach

“Speculation and Investigation”

Analyze program structure and behavior instead of looking for signature.

How about an analogy?

Scan file for suspicious code

Does a file have virus-like characteristics?

Using Heuristics: Content Filtering

Like a “flexible” pattern matching approach

Keep track of the numerous ways to program virus-like code

Need additional criteria for detection

Sandboxing

Run suspicious code in a protected space within the system

Keep track of operating system calls

Compare them to a user-defined policy

A Typical Heuristic scanner

Determines most likely location of the virus

Analyze program logic contained in that region

What are the computer instructions capable of doing?

Catalog a program's behavior

Typical Heuristic Scanner

Many ways to write the same program

Example:

Routine to terminate itself and return to DOS prompt

• Simple Approach

• Roundabout Approach

Typical Heuristic Scanner

MACHINE LANGUAGE BYTES    USER-READABLE INSTRUCTIONS

Example 1:

B8 00 4C                  MOV AX,4C00
CD 21                     INT 21

Example 2:

B4 3C                     MOV AH,3C
BB 00 00                  MOV BX,0000
88 D8                     MOV AL,BL
80 C4 10                  ADD AH,10
8E C3                     MOV ES,BX
9C                        PUSHF
26                        ES:
FF 1E 84 00               CALL FAR [0084]

Typical Heuristic Scanner

Maintain a database of byte sequences

Associate each byte sequence with its functional behavior

Can use wildcards to match information that changes from virus to virus

Example –

B8 ?? 4C CD 21 – Terminate Program (perm1)

B4 4C CD 21 – Terminate Program (perm2)

B8 02 3D BA ?? ?? CD 21 – Open file (perm1)

BA ?? ?? B8 02 3D CD 21 – Open file (perm2)

Heuristic Engine

Components of a Heuristic Scanner

(Block diagram, reconstructed as a list)

Program (input)

Disassembler

Heuristic Engine

Inference Engine

Emulator (maintains a set of registers)

Scoring Formula

Is execution recommended? (output)

Some Virus Characteristics

Illicit writes to RAM

Undocumented Call

Hooks to standard interrupts

Calls to next instruction

Scoring Formula

Weight assigned to each virus characteristic depending on its strength

Net score assigned to file depending on the characteristics found and their count

Is Net-score higher than cut off value?
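The wildcard byte-sequence database from the earlier slide and the scoring formula on this one, combined into a small scanner. This is an added example, not code from the slides: the "hook interrupt" signature (MOV AX,25xx / INT 21, the DOS set-interrupt-vector call), the weights and the cut-off value are assumptions, and the sample byte strings are constructed.

```python
import re
from typing import Dict, List, Tuple

# Byte-sequence database in the slides' notation ("??" = wildcard byte).
# The first four entries are the slides' examples; the interrupt-hook entry
# and all weights are assumptions made for this example.
SIGNATURES: List[Tuple[str, str, int]] = [
    ("B8 ?? 4C CD 21",          "terminate program", 1),
    ("B4 4C CD 21",             "terminate program", 1),
    ("B8 02 3D BA ?? ?? CD 21", "open file",         2),
    ("BA ?? ?? B8 02 3D CD 21", "open file",         2),
    ("B8 ?? 25 CD 21",          "hook interrupt",    4),
]
CUTOFF = 5  # assumed cut-off value for the net score

def compile_signature(sig: str) -> re.Pattern:
    """Turn 'B8 ?? 4C CD 21' into a bytes regex; '??' matches any single byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def catalog_behavior(code: bytes) -> Dict[str, int]:
    """Count, per behaviour, how many catalogued byte sequences occur in code."""
    found: Dict[str, int] = {}
    for sig, behaviour, _weight in SIGNATURES:
        hits = len(compile_signature(sig).findall(code))
        if hits:
            found[behaviour] = found.get(behaviour, 0) + hits
    return found

def net_score(found: Dict[str, int]) -> int:
    """Net score = sum over behaviours of (weight x number of occurrences)."""
    weights = {behaviour: w for _sig, behaviour, w in SIGNATURES}
    return sum(weights[b] * n for b, n in found.items())

def is_suspicious(code: bytes, cutoff: int = CUTOFF) -> bool:
    """Flag the file when its net score exceeds the cut-off value."""
    return net_score(catalog_behavior(code)) > cutoff

# Constructed samples (not from the slides):
# open file (perm2), hook INT 21h, then terminate via MOV AX,4C00 / INT 21.
SAMPLE_SUSPICIOUS = bytes.fromhex("BA1001B8023DCD21" "B82125CD21" "B8004CCD21")
# A program that only terminates cleanly.
SAMPLE_BENIGN = bytes.fromhex("B8004CCD21")
# The slides' "roundabout" exit (PUSHF / CALL FAR ES:[0084]): no signature fires.
ROUNDABOUT_EXIT = bytes.fromhex("B43CBB000088D880C4108EC39C26FF1E8400")

if __name__ == "__main__":
    print(is_suspicious(SAMPLE_SUSPICIOUS), is_suspicious(SAMPLE_BENIGN),
          is_suspicious(ROUNDABOUT_EXIT))
```

The roundabout exit scoring zero is the point of the "many ways to write the same program" slide: a byte-sequence database alone misses it, which is why the scanner also carries an emulator.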

An Example Virus

The Michelangelo Virus Code

Conclusion

Virus writers have too much time!

Heuristic approach is robust

Not totally reliable – subject to false positives and false negatives

Anti-virus software needs to be updated frequently
