Companions - CCSS - Center for Computer Systems Security (ccss.usc.edu/530/spring11/3.8.pdf)

- A program that attaches itself to another executable (a host program)
- Whenever the host program is executed, the virus code runs; it can make a copy of itself and infect other executables found in memory or on the hard drive
- Viruses can do any damage they want on your computer

- Viruses don’t break into your computer – they are invited by you
  o They cannot spread unless you run an infected application or click on an infected attachment
  o Early viruses spread onto different applications on your computer
  o Contemporary viruses spread as attachments through e-mail; they mail themselves to people from your address book
- Worms break into your computer using some vulnerability, install malicious code and move on to other machines
  o You don’t have to do anything to make them spread

- Viruses attach themselves to other executables
  o For example, a Word template or a PowerPoint presentation
  o They can infect any executable
- Trojans claim to be other executables but instead contain malicious code
  o For example, a cool new game is advertised on a Web site but it also contains malicious code
  o Trojan code will not spread to other programs on your machine; it will simply gain access and do malicious stuff

- File infectors
  o Attach to executable files or source code
  o Direct action – select and infect several programs each time the host program is run
  o Resident – load themselves into memory whenever a host program is run and then remain in memory, infecting any other executable that is executed
- System (boot-sector) infectors
  o Infect some system area on disk, load themselves on boot and then remain memory-resident
- Hybrid
  o Infect both files and boot sectors

- File system (cluster)
  o Modify directory table entries so that the virus code is loaded and executed before the host program
  o The host program is not altered, only the directory table is
- Kernel
  o Target specific features of system files such as location on disk, calling convention, etc.

- Stealth
  o Like rootkits
  o Hide the fact that they have infected the system by modifying replies to system queries
  o Must be resident
  o Can only be detected if we boot the system from a clean bootable floppy or CD
- Polymorphic
  o Change virus code to avoid signature detection
  o Encrypt themselves with a variable key – the decryption code is always the same
  o Use different encryption schemes

- Fast infectors
  o Infect not only those files that are executed but also those that are merely opened (e.g. by a virus scanner)
- Slow infectors
  o Only infect modified or newly created files – fools integrity checkers
- Sparse infectors
  o Infect infrequently (e.g. every 10th file) to avoid detection

- Companions
  o Create a new file with a name similar to the host program’s
  o When the host program is called, the virus is executed instead
  o The virus calls the host program in the end
  o This fools integrity checkers that only look at existing files

- Cavities
  o Overwrite a part of the host program that is filled with a constant
  o Do not increase the length of the host program and preserve its functionality
- Tunneling
  o Some viruses modify interrupt vectors
  o Tunneling viruses call interrupt handlers directly

- You receive an infected e-mail attachment
- You download infected code
- Your thumb drive gets infected

- Wipe your hard drive
- Modify or delete files
- Steal files
- Spread further

They frequently delay any malicious actions until they have spread sufficiently

- Changes in file sizes or checksums
- Unaccounted resource consumption
- Changes of interrupt vectors
- The best detection would be to analyze all files on your system for modifications – impractical

- Activity monitoring systems (anomaly detection)
  o Look for virus-like activity such as attempts to reformat the disk
  o May generate false positives
- Scanners (signature detection)
  o Look for patterns in virus code
    - Use a database of known virus signatures
    - Detect polymorphic variations
  o Sometimes they use heuristics to detect new virus signatures
  o Most scanners also include disinfection code
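As an added example (my own code, not from the slides), a minimal signature scanner in Python. Its constructed signature database holds byte patterns; one wildcards the variable key byte of a hypothetical polymorphic family, so the constant decryption stub the polymorphic slide mentions is enough to catch every variant even though their bodies differ. The EICAR string is the standard harmless test file; all other bytes, names and the family "Demo.Poly" are constructed.

```python
import re

# Constructed signature database (not a real AV database). Each signature is a
# regex over raw bytes; '.' wildcards the parts of a sample that vary.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {
    # The industry-standard harmless test string, matched literally.
    "EICAR-Test-File": re.compile(re.escape(EICAR)),
    # Hypothetical polymorphic family: constant decryption stub, then one
    # variable key byte, then a body that differs per variant and is not matched.
    "Demo.Poly": re.compile(rb"DEMO-DECRYPT-STUB:.:", re.DOTALL),
}


def make_variant(key: int, body: bytes) -> bytes:
    """Constructed test input modelling the slide's scheme: the same stub every
    time, followed by the key and a body XORed with that per-variant key."""
    return b"DEMO-DECRYPT-STUB:" + bytes([key]) + b":" + bytes(b ^ key for b in body)


def scan_bytes(data: bytes) -> list[str]:
    """Names of every signature that matches data, sorted for stable output."""
    return sorted(name for name, sig in SIGNATURES.items() if sig.search(data))


def scan_files(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Scan an in-memory tree (path -> contents); only files with hits are reported."""
    report: dict[str, list[str]] = {}
    for path, data in files.items():
        hits = scan_bytes(data)
        if hits:
            report[path] = hits
    return report


def demo() -> dict[str, list[str]]:
    """Constructed sample tree: a clean file, the EICAR test file and two
    variants of the hypothetical family that share only the decryption stub."""
    body = b"constructed body bytes"
    files = {
        "notes.txt": b"just a text file",
        "eicar.com": EICAR,
        "variant_a.exe": b"MZ" + make_variant(0x11, body),
        "variant_b.exe": b"MZ" + make_variant(0x5A, body),
    }
    return scan_files(files)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: {', '.join(hits)}")
```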

- Integrity checkers
  o Remember file hashes
  o Detect file modifications

- Usually resident
- Sometimes can even be added to the boot sector to detect boot-sector viruses
- Some virus detection systems will prohibit access to external drives unless they have been scanned before

- Defines non-writable areas of the disk for executable files
- Sounds an alarm and/or requires a password in order to modify these areas
- Might be annoying and generate false alarms

- Identify which files have been modified
  o Virus scanners will do this
- Restore the last known good copy of these files from your backup
- It is not necessary to re-format the disk
- Some virus scanners can disinfect files – remove the virus code

- Yes, but it will never be executed because data files do not contain executable code
- A virus can be hidden in .gif and .jpeg files using steganography, but it has to be extracted and run by an executable

- No, a virus contains OS-specific code
  o You may receive a virus on another OS but it won’t run and therefore won’t spread
  o How about worms?

- Yes, but it’s harder
  o Mainframe computers have write protections among users, so a virus can only infect user A’s files
  o However, if user A sends his file to user B then B’s files also get infected
  o If the virus is placed in a shared area then all users’ files may get infected
  o Mainframe computers are generally better maintained and it is hard to write a good mainframe virus – only a few exist so far

- Add integrity-checking code to every file so that it checks whether it is infected every time it is run
- If the file is infected, the virus will be executed first
- It can also fiddle with the integrity-checking code and disable it
- Ineffective against companion viruses
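As an added example (my own code, not from the slides), a stand-alone integrity checker of the kind the integrity-checker slide describes, run against a constructed directory: it hashes every file into a baseline and then reports modified, added and removed files. Reporting added files is the point of the companion-virus caveat above: a companion never alters the host, so a checker that only re-hashes files it already knows stays silent. The names take_baseline and check_integrity and the sample files are my own.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> dict[str, str]:
    """Remember a hash for every file under root (the slide's 'remember file hashes')."""
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_integrity(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree against the baseline. The 'added' list is what catches a
    companion virus: the host keeps its hash, only a new look-alike file appears."""
    current = take_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline two programs, then simulate a file infector
    appending to one and a companion dropping a look-alike beside the other."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "editor.exe").write_bytes(b"MZ constructed editor program")
        (root / "game.exe").write_bytes(b"MZ constructed game program")
        baseline = take_baseline(root)
        # File infector: the host is altered, so its hash no longer matches.
        with (root / "editor.exe").open("ab") as f:
            f.write(b" [constructed appended bytes]")
        # Companion: the host is untouched; a new file with a similar name appears.
        (root / "game.com").write_bytes(b"constructed companion stub")
        return check_integrity(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A checker that only iterates over its own baseline would return the first list and never see game.com, which is exactly the weakness the companion slide describes.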

- They spread beyond our control – there is no way to stop the spread of a virus that you release
- It is hard to distinguish between viruses and benign code
- They eat resources
- They may do malicious things
- They may disable self-checking programs
- They may infect cyber-physical systems and do irreparable damage

- People have toyed with the idea of useful viruses but this has not been accepted
  o The virus idea simply seems too dangerous
  o Good virus code may be buggy and thus vulnerable
  o A good virus could ask for permission to infect the system – imagine this scenario on a hospital computer
  o Bad virus code could be attached to a good virus to slip detection
  o Legal issues might arise
  o People don’t like the idea that someone takes control over their computer

- Detect viruses and fix infected files
- Compress files and decompress them at run time
- Encrypt the hard drive and require a user password for decryption
- Maintain machines, e.g. delete temporary files – come by invitation
- People haven’t been able to come up with a controlled way to plant a good virus
  o Asking for acceptance wastes (maybe precious) time
  o Checking for invitation wastes resources
- People haven’t come up with a compelling use of a good virus

- A program that:
  o Scans the network for vulnerable machines
  o Breaks into machines by exploiting the vulnerability
  o Installs some piece of malicious code – backdoor, DDoS tool
  o Moves on
- Unlike viruses
  o Worms don’t need any user action to spread – they spread silently and on their own
  o Worms don’t attach themselves to other programs – they exist as separate code in memory
- Sometimes you may not even know your machine has been infected by a worm

- They spread extremely fast
- They are silent
- Once they are out, they cannot be recalled
- They usually install malicious code
- They clog the network

- Robert Morris, a PhD student at Cornell, was interested in network security
- He created the first worm in Nov. 1988 with the goal of having a program live on the Internet
  o The worm was supposed only to spread, fairly slowly
  o It was supposed to take just a little bit of resources so as not to draw attention to itself
  o But things went wrong …
- The worm was supposed to avoid duplicate copies by asking a computer whether it was already infected
  o To avoid false “yes” answers, it was programmed to duplicate itself anyway every 7th time it received a “yes” answer
  o This turned out to be too much

- It exploited four vulnerabilities to break in
  o A bug in sendmail
  o A bug in the finger daemon
  o A trusted hosts feature (/etc/.rhosts)
  o Password guessing
- The worm was replicating at a much faster rate than anticipated
- At that time the Internet was small and homogeneous (SUN and VAX workstations running BSD UNIX)
- It infected around 6,000 computers, one tenth of the then-Internet, in a day

- People quickly devised patches and distributed them (the Internet was small then)
- A week later all systems were patched and the worm code was removed from most of them
- No lasting damage was caused
- Robert Morris paid a $10,000 fine, was placed on probation and did some community work
- The worm exposed not only vulnerabilities in UNIX but moreover in Internet organization
- Users didn’t know whom to contact to report an infection or where to look for patches

- In response to the Morris Worm, DARPA formed CERT (Computer Emergency Response Team) in November 1988
  o Users report incidents and get help in handling them from CERT
  o CERT publishes security advisory notes informing users of new vulnerabilities that need to be patched and how to patch them
  o CERT facilitates security discussions and advocates better system management practices
