Description: This is my presentation 1

Page 1: Modern Computer Virology

The black art of breaking and defending malicious computing.

By M S D Perera

Page 2: Introduction

• What is virology?
• Then what is computer virology?
• How does it differ from conventional biological virology?
• History of computer virology.

Page 3: Categories of Virology

• Worms.
• Viruses.
• Trojan horses.
• Malware.
• Spyware.
• Rabbits.
• Other malicious code that cannot be categorized directly under virology [e.g. logic bombs, rootkits, shellcode, key loggers, spammers/flooders].

Page 4: Environment of Virology

• As a biological virus can't live without a host, a computer virus also can't live without a host or a proper environment. Just as a parasite needs a host [a human] to live, a computer virus also needs a host [a computer] to live.
• What makes an environment heterogeneous or homogeneous?
  * Computer architecture [x86, x64, ARM, Sun Solaris, etc.] and CPU version.
  * Operating systems and software environment, and their versions. For a list of operating systems refer: http://os-dev.org/
  * File systems and file formats. For a list of different file systems refer:
  * Network and media. Different internetworks and media exist today. For example, we can take the internet as a popular network for spreading worms, and thumb drives as a popular medium for spreading viruses.

Page 5: Media of Replication

• So, as I mentioned in my previous note, a computer virus is malicious code that has the ability to recursively replicate itself within one host; if it can automatically replicate itself outside the host, it is considered a 'worm'.
• The three basic parts of a typical computer virus:
  * replication engine
  * bomb
  * polymorphic engine.
• There are numerous ways that virus writers have used to replicate:
  * using the boot sector [boot sector virus]
  * file infection techniques [win32, win64 executable files]
  * scripts, macros and data file viruses [explain why almost every file is as guilty as executable files for viruses].

Page 6: Boot Sector Virus

• In the x86 computer architecture a boot sector is 512 bytes of executable code. Every physical storage medium has this boot sector, called the master boot record, and may have an additional number of boot sectors equal to its number of partitions.
• Some boot viruses kill their host instantly and make the host operating system unbootable. But some smart viruses spread to the other boot sectors of the accessible media and wait for the correct time to execute the bomb; that timing can be programmed logically by the virus writer. In the second strategy the user should not notice anything strange until the correct time, and the OS should boot as normal. To do that, boot sector viruses use different mechanisms. The following explains a few:
  * Relocate the original boot sector somewhere else and later load it into memory and execute it.
  * Relocate the original boot sector to the end of the partition.
  * Change the partition table entries of a particular partition so that arbitrary sector code [virus code] executes first, and finally execute the original boot sector.
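All three mechanisms above leave traces in the 512-byte layout the slide describes: the boot code changes, or the four 16-byte partition entries at offset 446 point somewhere they did not before. The following is an added example from the defender's side, not code from the presentation: it parses the MBR (boot code, partition table, the 55AA signature at offset 510) and audits a freshly read sector against a baseline recorded while the disk was known clean, reporting changed boot code, entries that moved or were added, and partitions that overlap. The sample sectors, the filler boot code and the partition values are constructed for the example and are assumptions, not data from the slides.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PT_OFFSET = 446               # partition table: 4 entries of 16 bytes, after the boot code
PT_ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xaa"       # boot signature at offset 510


def parse_mbr(sector):
    """Split a 512-byte master boot record into boot code, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an x86 boot sector is exactly 512 bytes")
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PT_ENTRY_FMT, sector, PT_OFFSET + 16 * i)
        entries.append({"status": status, "type": ptype, "lba": lba, "count": count})
    return sector[:PT_OFFSET], entries, sector[510:512]


def audit_mbr(sector, baseline_code_sha256, baseline_entries):
    """Compare a freshly read MBR with values recorded while the disk was known clean."""
    code, entries, sig = parse_mbr(sector)
    findings = []
    if sig != SIGNATURE:
        findings.append("boot signature 55AA missing")
    if hashlib.sha256(code).hexdigest() != baseline_code_sha256:
        findings.append("boot code differs from recorded baseline")
    used = [(i + 1, e) for i, e in enumerate(entries) if e["type"] != 0]
    for n, e in used:
        if e["status"] not in (0x00, 0x80):
            findings.append("partition %d has invalid status byte 0x%02x" % (n, e["status"]))
    if sum(1 for _, e in used if e["status"] == 0x80) > 1:
        findings.append("more than one partition marked active")
    # overlapping partitions usually mean an entry was rewritten to point at foreign sectors
    for a in range(len(used)):
        for b in range(a + 1, len(used)):
            (na, ea), (nb, eb) = used[a], used[b]
            if ea["lba"] < eb["lba"] + eb["count"] and eb["lba"] < ea["lba"] + ea["count"]:
                findings.append("partitions %d and %d overlap" % (na, nb))
    for i, (now, then) in enumerate(zip(entries, baseline_entries), start=1):
        if now["type"] and not then["type"]:
            findings.append("partition %d was added since the baseline" % i)
        elif then["type"] and not now["type"]:
            findings.append("partition %d was removed since the baseline" % i)
        elif now["lba"] != then["lba"] or now["count"] != then["count"]:
            findings.append("partition %d moved: start %d->%d, sectors %d->%d"
                            % (i, then["lba"], now["lba"], then["count"], now["count"]))
    return findings


def build_mbr(code, table):
    """Construct a boot sector from filler boot code and a (status, type, lba, count) list."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(code)] = code
    for i, (status, ptype, lba, count) in enumerate(table):
        struct.pack_into(PT_ENTRY_FMT, sector, PT_OFFSET + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[510:512] = SIGNATURE
    return bytes(sector)


# Constructed baseline: the "boot code" is filler bytes, not a real loader.
CLEAN_CODE = bytes((i * 37) & 0xFF for i in range(PT_OFFSET))
CLEAN_TABLE = [(0x80, 0x83, 2048, 409600), (0x00, 0x83, 411648, 204800), (0, 0, 0, 0), (0, 0, 0, 0)]
CLEAN_MBR = build_mbr(CLEAN_CODE, CLEAN_TABLE)
BASELINE_HASH = hashlib.sha256(CLEAN_CODE).hexdigest()
BASELINE_ENTRIES = parse_mbr(CLEAN_MBR)[1]

# Constructed tampered sector: two boot-code bytes changed, partition 1 moved to sector 63,
# and a third entry added that overlaps partition 1.
TAMPERED_MBR = build_mbr(
    b"\x00\x00" + CLEAN_CODE[2:],
    [(0x80, 0x83, 63, 409600), (0x00, 0x83, 411648, 204800), (0x00, 0x83, 200000, 1000), (0, 0, 0, 0)],
)

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(label, audit_mbr(sector, BASELINE_HASH, BASELINE_ENTRIES) or ["no findings"])
```

On a real system the baseline hash and table would be recorded from the first 512 bytes of the disk while it is trusted and stored off the machine; the audit then re-reads the sector at boot or during a scan and raises an alert on any finding rather than trying to repair it in place.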

An example boot sector virus source code:

Page 7: Executable File Infection Techniques

• On the Windows platform an executable file ends with the suffix ".exe", and on Linux it has no extension. Linux uses the elf32 executable format and Windows uses the win32 PE and PE+ executable file formats.
• An executable file is nothing more than a big data structure which has the following:
  * header
  * sections
  In a typical executable file there are the following sections:
  text [executable code]
  data [global variables and statically initialized data]
  bss [dynamically initialized data]
  stack [defines the hardware stack for the executable]
  There is an entry point in the text section. It is where your operating system starts executing after it loads the data and text sections into memory and the bss and stack have been initialized. So a virus has to insert its code into the text section; in other words, it has to alter the text section of a particular executable file. There are other methods too; for example, inserting a new text section is also possible. The following are some of the different techniques that virus writers use:
  * Overwriting viruses.
  * Appending to the end of the text section.
  * Viruses that inject their code into the padded alignment spaces between segments.
  * Random infection.
  * Viruses that hijack entry points.
  * And many more unspecified wild techniques used among the virus-writer underground communities.

An example executable virus source code:
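The slide's own example source is not reproduced on this page. As an added example from the defender's side (not the presentation's code), the following builds a minimal elf32 image with the header-plus-sections layout just described and applies the checks a scanner runs against the techniques listed: whether the entry point still lies inside .text (entry-point hijacking moves it), whether any section is both writable and executable (a sign of injected code), and whether bytes were appended beyond everything the headers describe (an appended body the loader never maps). The sample images, their section addresses and the filler bytes are constructed assumptions for the example.

```python
import struct

# ELF32 layout constants (from the ELF specification)
ELF_MAGIC = b"\x7fELF"
EHDR_FMT = "<16sHHIIIIIHHHHHH"   # 52-byte ELF32 header, little-endian
SHDR_FMT = "<10I"                # 40-byte section header
EHDR_FIELDS = ["ident", "type", "machine", "version", "entry", "phoff", "shoff",
               "flags", "ehsize", "phentsize", "phnum", "shentsize", "shnum", "shstrndx"]
SHF_WRITE, SHF_ALLOC, SHF_EXECINSTR = 0x1, 0x2, 0x4


def parse_elf32(data):
    """Return (header dict, section list) for a little-endian ELF32 image."""
    if data[:4] != ELF_MAGIC or data[4] != 1 or data[5] != 1:
        raise ValueError("not a little-endian ELF32 file")
    hdr = dict(zip(EHDR_FIELDS, struct.unpack_from(EHDR_FMT, data, 0)))
    sections = []
    for i in range(hdr["shnum"]):
        name_off, stype, flags, addr, offset, size = struct.unpack_from(
            SHDR_FMT, data, hdr["shoff"] + i * hdr["shentsize"])[:6]
        sections.append({"name_off": name_off, "type": stype, "flags": flags,
                         "addr": addr, "offset": offset, "size": size})
    if hdr["shstrndx"] >= len(sections):
        raise ValueError("section name table index out of range")
    strtab = sections[hdr["shstrndx"]]
    for s in sections:                        # resolve names through .shstrtab
        start = strtab["offset"] + s["name_off"]
        s["name"] = data[start:data.index(b"\0", start)].decode()
    return hdr, sections


def inspect_elf32(data):
    """Header-level heuristics a scanner uses to flag a tampered executable."""
    hdr, sections = parse_elf32(data)
    findings = []

    def holds(s, va):
        return s["size"] and s["addr"] <= va < s["addr"] + s["size"]

    # 1. the entry point is expected inside .text; an entry-point hijack moves it elsewhere
    text = next((s for s in sections if s["name"] == ".text"), None)
    if text is None or not holds(text, hdr["entry"]):
        holder = next((s["name"] for s in sections if holds(s, hdr["entry"])), "no section")
        findings.append("entry point 0x%08x is outside .text (in %s)" % (hdr["entry"], holder))
    # 2. a section that is both writable and executable is a classic injection sign
    for s in sections:
        if s["flags"] & SHF_WRITE and s["flags"] & SHF_EXECINSTR:
            findings.append("section %s is writable and executable" % s["name"])
    # 3. bytes past everything the headers describe (appended data the loader never maps)
    described_end = max([hdr["shoff"] + hdr["shnum"] * hdr["shentsize"]]
                        + [s["offset"] + s["size"] for s in sections])
    if len(data) > described_end:
        findings.append("%d trailing bytes not covered by any header" % (len(data) - described_end))
    return findings


def build_sample(entry, data_flags=SHF_ALLOC | SHF_WRITE, overlay=b""):
    """Construct a minimal ELF32 image for testing; section contents are filler, not a program."""
    text, data_bytes = b"\xc3" * 32, b"\x00" * 16
    shstrtab = b"\0.text\0.data\0.shstrtab\0"     # name offsets: .text=1, .data=7, .shstrtab=13
    text_off, data_off, str_off = 0x60, 0x80, 0x90
    shoff = (str_off + len(shstrtab) + 3) & ~3    # section header table, 4-byte aligned
    shdrs = [
        (0, 0, 0, 0, 0, 0, 0, 0, 0, 0),                                                  # SHN_UNDEF
        (1, 1, SHF_ALLOC | SHF_EXECINSTR, 0x08048000 + text_off, text_off, len(text), 0, 0, 16, 0),
        (7, 1, data_flags, 0x08049000 + data_off, data_off, len(data_bytes), 0, 0, 4, 0),
        (13, 3, 0, 0, str_off, len(shstrtab), 0, 0, 1, 0),                               # SHT_STRTAB
    ]
    ident = b"\x7fELF\x01\x01\x01" + b"\0" * 9           # ELF32, little-endian, version 1
    image = bytearray(shoff + 40 * len(shdrs))
    struct.pack_into(EHDR_FMT, image, 0, ident, 2, 3, 1, entry, 0, shoff, 0, 52, 32, 0, 40, len(shdrs), 3)
    image[text_off:text_off + len(text)] = text
    image[data_off:data_off + len(data_bytes)] = data_bytes
    image[str_off:str_off + len(shstrtab)] = shstrtab
    for i, sh in enumerate(shdrs):
        struct.pack_into(SHDR_FMT, image, shoff + 40 * i, *sh)
    return bytes(image) + overlay


# Constructed fixtures: a clean layout, and one whose headers show all three symptoms
CLEAN_ELF = build_sample(entry=0x08048060)
SUSPECT_ELF = build_sample(entry=0x08049080,
                           data_flags=SHF_ALLOC | SHF_WRITE | SHF_EXECINSTR,
                           overlay=b"A" * 64)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_ELF), ("suspect", SUSPECT_ELF)):
        print(label, inspect_elf32(image) or ["no findings"])
```

These are heuristics, not proof: a legitimate packer or an unusual linker script can trip the first and third checks, so a scanner pairs them with a hash of the .text bytes taken when the binary was installed, exactly as the boot-sector case pairs the partition table with a recorded baseline.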

Page 8: Summary

• Introduction and history of viruses.
• Environment and categories.
• Media of replication.
• Intro to the mechanisms of boot sector viruses and executable viruses.
• In my next presentation: more about executable file internals; more about the Win32 PE and PE+ executable file formats; more about the executable file infection techniques used by win32 viruses on the Windows platform.

Thanks for the audience.
