
1 Malicious Code By Diana Peng

2 What is Malicious Code?
- Unanticipated or undesired effects in programs/program parts, caused by an agent with damaging intentions
- Uses our everyday programs as a vessel to access and change stored data
  * Viruses
  * Worms
  * Trojan Horses

3 Unpredictable Behavior
- Behaves in the same manner as any other program
- Has the ability to stop running programs, generate a sound, erase stored data, etc.
- Has the ability to remain dormant until some event triggers the code to act

4 History of Malicious Code
- 1981 Elk Cloner – spread on Apple II floppy disks (containing the OS), originating from Texas A&M:
  It will get on all your disks
  It will infiltrate your chips
  Yes it's Cloner!
  It will stick to you like glue
  It will modify ram too
  Send in the Cloner!
- 1983 – Fred Cohen, Computer Viruses – Theory and Experiments
- 1986 Brain – two Pakistani brothers, analyzing the boot sector of a floppy disk, developed a method to infect it. Spread quickly and widely on MS-DOS PC systems.

5 History (cont.)
- 1987 IBM Christmas Worm – fast spreading, 500,000 replications per hour
- 1988 MacMag – HyperCard stack virus
- Scores – 1st major Mac outbreak
- 1991 Tequila – polymorphic; originated in Switzerland and changed itself to avoid detection
- More recently – Love Letter (2000), Blaster and SoBig (2003)

6 Definitions
- Virus – a program that can pass on malicious code to other nonmalicious programs by modifying them
  1. Transient – its life is dependent on the host
  2. Resident – stores itself in memory and acts as a stand-alone program
- Trojan Horse – contains obvious malicious intent and a 2nd unseen effect

7 Definitions (cont.)
- Logic Bomb – “detonates” when a specified condition occurs
  * Time Bomb – triggered by a time/date
- Trapdoor/Backdoor – allows one to access a protected program through an indirect method
- Worm – a program that replicates itself and spreads those replications through a network
  * Rabbit – spreads without limits and tries to exhaust the computer’s resources

8 Virus Qualities
- Easily created
- Difficult to detect
- Difficult to destroy or deactivate
- Spreads intended infection widely
- Ability to re-infect the original program or other programs
- Machine and OS independent

9 Attaching Viruses
- Must be executed in order to be activated
- Human intervention is key for initial activation
  * Email attachments
- Once attached, the virus installs itself on a permanent storage medium and on any/all executing programs in memory

10 Appended Viruses
- Most common attachment – easy to program and effective
- Attaches to an existing program and is activated whenever the program is run
- Virus instructions execute 1st; after the last virus instruction, control is given back to the 1st program instruction
- User is unaware of the virus – the original program still runs the way it’s intended

11 Appended Virus (cont.)
(Diagram: Program + Virus = combined program, virus code appended to the original)

12 Surrounding Viruses
- To avoid detection on the disk, the virus attaches itself to the program that constructs the listing of files on the disk
- The virus has control after the listing is generated and before it is displayed, so it can delete itself from the listing

13 Surrounding Virus (cont.)
(Diagram: Virus surrounding Program)

14 Integrated Viruses
- The virus replaces the program and integrates itself into the original code
- Requires the creator of the virus to know the original program in order to insert pieces of the virus into it
- Replacement – the virus replaces the entire program with itself; the user will only see the performance of the virus

15 Integrated Viruses (cont.)
(Diagram: Program + Virus = integrated program)

16 Document Virus
- Implemented inside a formatted document (e.g. Word document, database, spreadsheet, etc.)
- Highly structured files containing both data and commands
- Command codes are part of a rich programming language

17 Gaining Control
- The virus program must be activated in place of the original program
- Presents itself as the original program
- Substitutes for the original program by pushing the original one out of the way
  * Overwriting – the virus replaces the original code in a file structure
  * Pointer Changing – directs the file system to itself and skips the original code

18 One-Time Execution
- Majority of viruses today
- Activated and executed only once
- Email attachments

19 Boot Sector Viruses
- Gains control early in the boot process, before detection tools are active
- The boot area is crucial to the OS and is usually kept hidden from the user to avoid modification/deletion
- Virus code is difficult to notice

20 Memory Resident Viruses
- Resident code – code that is frequently used by the OS and has a permanent space in memory
- Resident code is activated many times and simultaneously activates the virus each time
- Ability to look for and infect uninfected carriers

21 Virus Signatures
- Cannot be completely invisible
- Code is stored on the computer and must be in memory to execute
- Signature – the pattern the virus executes and the method it uses to spread
- Virus Scanner
  * detects virus signatures by searching memory & long-term storage, and monitors execution
  * must be kept up-to-date to be effective

22 Storage Patterns
- Most viruses attach to programs stored on disks – file size grows
- Attachment is usually invariant and the start of the virus code is detectable (Appended Attachment)
- JUMP instruction (Surrounding Attachment)
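As an added illustration of slides 21 and 22 (not part of the original presentation), the following scanner applies both detection ideas to constructed sample bytes: a signature search for the invariant start of a known virus body, and a storage-pattern check that compares a program's size and hash against a known-good baseline. The signature bytes, the "clean" and "infected" programs, and the function names are all hypothetical stand-ins built for this example.

```python
import hashlib
from dataclasses import dataclass

# Constructed signature standing in for the invariant start of a known virus
# body (hypothetical bytes; not a real malware signature).
SAMPLE_SIGNATURE = b"\x90\x90DEMO-SIG\x90"

# Constructed stand-ins for a program on disk before and after an appended
# infection as the slides describe it: original code kept, virus body appended,
# and the entry point patched so the virus instructions run 1st.
CLEAN_PROGRAM = b"\x7fELF" + b"\x00" * 40 + b"original program code"
INFECTED_PROGRAM = b"\xe9JMP" + CLEAN_PROGRAM[4:] + SAMPLE_SIGNATURE + b"\x00" * 16

@dataclass(frozen=True)
class Baseline:
    size: int
    sha256: str

def record_baseline(data: bytes) -> Baseline:
    """Store size and hash of a known-good program for later comparison."""
    return Baseline(len(data), hashlib.sha256(data).hexdigest())

def scan_for_signature(data: bytes, signature: bytes = SAMPLE_SIGNATURE) -> int:
    """Signature scanning: offset of the pattern in the bytes, or -1 if absent."""
    return data.find(signature)

def check_storage_pattern(data: bytes, baseline: Baseline) -> list:
    """Storage-pattern checks from the slides: file growth and content change."""
    findings = []
    if len(data) > baseline.size:
        findings.append(f"size grew by {len(data) - baseline.size} bytes")
    if hashlib.sha256(data).hexdigest() != baseline.sha256:
        findings.append("content hash differs from baseline")
    return findings

def assess(data: bytes, baseline: Baseline) -> dict:
    """Combine both checks; a hash change alone already warrants a closer look,
    since a signature database can only catch viruses it already knows."""
    offset = scan_for_signature(data)
    findings = check_storage_pattern(data, baseline)
    if offset >= 0:
        findings.append(f"known signature at offset {offset}")
    return {"infected": offset >= 0, "suspicious": bool(findings), "findings": findings}

if __name__ == "__main__":
    base = record_baseline(CLEAN_PROGRAM)
    print(assess(CLEAN_PROGRAM, base))
    print(assess(INFECTED_PROGRAM, base))
```

The baseline comparison catches the appended attachment even when the signature list is out of date, which is why the slides pair scanners with the requirement to keep them updated.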

23 Execution Patterns
- Spread infection
- Avoid detection – Boot Sector
- Cause harm – erasing files/disks, preventing booting/writing to disk, shutting down, etc.

24 Transmission Patterns
- A virus is only effective if it has the ability to transmit itself from location to location
- Virus execution behaves just like any other program execution, and its form of transmission is not confined to one medium.

