16 Virus Part II
Hiteishi Diwanji
Virus Signatures :
- Each virus characteristic yields a pattern, called a signature.
- The virus’s signature is important for creating a program, called a virus scanner, that can automatically detect and, in some cases, remove viruses.
Code Red worm (its signature is the distinctive HTTP request it sends to a web server: a long run of N characters followed by %u-encoded bytes):
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
%u9090%u6858%ucbd3
%u7801%u9090%u6858%ucdb3%u7801%u9090%u6858
%ucbd3%u7801%u9090
%u9090%u8190%u00c3%u0003%ub00%u531b%u53ff
%u0078%u0000%u00=a
HTTP/1.0
Storage patterns:
- The attached virus piece is invariant, so that the start of the virus code becomes a detectable signature.
- The attached piece is always located at the same position relative to its attached file.
- For example, the virus might always be at the beginning, 400 bytes from the top, or at the bottom of the infected file.
- In the simplest case, the virus code sits at the top of the program, and the entire virus does its malicious duty before the normal code is invoked.
- In other cases, the virus infection consists of only a handful of instructions that point or jump to other, more detailed instructions elsewhere.
- For example, the infected code may consist of condition testing and a jump or call to a separate virus module.
- In either case, the code to which control is transferred will also have a recognizable pattern.
- A virus may attach itself to a file, in which case the file’s size grows. Or the virus may obliterate all or part of the underlying program, in which case the program’s size does not change but the program’s functioning will be impaired.
- The virus writer chooses one of these detectable effects.
- The virus scanner can use a code or checksum to detect changes to a file. It can also look for suspicious patterns, such as a JUMP instruction as the first instruction of a system program (in case the virus has positioned itself at the bottom of the file but wants to be executed first).
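A checker for the storage patterns above, written as an added example for these notes (not from the textbook): it compares each program against a stored size and hash, distinguishes a file that grew from one that was overwritten in place, and flags a JUMP as the first instruction. The sample images, the baseline and the opcode set are constructed for the demo.

```python
import hashlib

# x86 unconditional jump opcodes: E9 = near jmp, EB = short jmp (assumed for the demo)
JUMP_OPCODES = {0xE9, 0xEB}

def fingerprint(image: bytes) -> str:
    """Hash of a whole program image (a cryptographic hash stands in for a checksum)."""
    return hashlib.sha256(image).hexdigest()

def integrity_changes(baseline: dict, current: dict) -> dict:
    """Compare a stored baseline {name: (size, hash)} against current images.
    'grown'       -> size changed: something was attached to the file
    'overwritten' -> same size, different contents: part of the program was obliterated
    'new'         -> the file was not in the baseline at all"""
    report = {}
    for name, image in current.items():
        entry = baseline.get(name)
        if entry is None:
            report[name] = "new"
            continue
        size, digest = entry
        if len(image) != size:
            report[name] = "grown" if len(image) > size else "shrunk"
        elif fingerprint(image) != digest:
            report[name] = "overwritten"
    return report

def starts_with_jump(image: bytes) -> bool:
    """Suspicious pattern from the notes: the first instruction is a JUMP."""
    return len(image) > 0 and image[0] in JUMP_OPCODES

# Constructed sample images (not real programs): a 16-byte "clean" host
CLEAN = bytes([0x55, 0x89, 0xE5]) + b"\x90" * 13
BASELINE = {"prog": (len(CLEAN), fingerprint(CLEAN))}
# Variant 1: code appended at the bottom, entry patched to jump there (size grows)
APPENDED = bytes([0xE9, 0x0D, 0x00, 0x00, 0x00]) + CLEAN[5:] + b"\xCC" * 8
# Variant 2: the start of the host overwritten in place (size unchanged)
OVERWRITTEN = b"\xCC" * 4 + CLEAN[4:]

def scan(current: dict):
    """Run both checks and return (integrity report, names whose first instruction is a JUMP)."""
    changes = integrity_changes(BASELINE, current)
    jumps = sorted(n for n, img in current.items() if starts_with_jump(img))
    return changes, jumps

if __name__ == "__main__":
    print(scan({"prog": APPENDED}))
```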
Execution Patterns:
A virus writer may want a virus to do several things at the same time, namely,
- spread infection,
- avoid detection,
- cause harm.
Virus effect                   | How it is caused
Attach to executable program   | Modify file directory; write to executable program file
Attach to data or control file | Modify directory; rewrite data; append to data; append data to self
Remain in memory               | Intercept interrupt by modifying interrupt handler address table; load self in nontransient memory area
Transmission Patterns:
- A virus can arrive on a diskette or from a network connection, travel during its host’s execution to a hard disk boot sector, reemerge next time the host computer is booted, and remain in memory to infect other diskettes as they are accessed.
Polymorphic Viruses:
- Example: a virus always begins with the string 47F0F00E08 (in hexadecimal) and has the string 00113FFF located at word 12.
- There is a low probability that another virus has the same signature.
- The longer the signature, the more likely it is that a match is a correct match rather than a chance one.
- If the virus scanner always looks for those strings in those positions, then a clever virus writer can arrange for something other than those strings to be there.
- The virus could have two alternative but equivalent beginning words; after being installed, the virus will choose one of the two words for its initial word. Then, a virus scanner would have to look for both patterns.
- A virus that can change its appearance is called a polymorphic virus.
- (Poly means “many” and morph means “form”.)
- To prevent detection, a virus will want either a large or an unlimited number of forms, so that the virus scanner cannot search for all of them.
- A polymorphic virus has to randomly reposition all parts of itself and randomly change all fixed data.
- Instead of containing the fixed (searchable) string “HA! INFECTED BY A VIRUS,” a polymorphic virus has to change the pattern.
- The virus writer can create enough different appearances to fool simple virus scanners.
- Scanner writers refine their signature definitions by learning the virus writer’s tricks.
Sophisticated polymorphic virus:
- Randomly intersperses harmless instructions throughout its code.
- Puts in “extra” instructions, such as adding zero to a number, moving a data value to its own location, or jumping to the next instruction; these are hard to spot and make it more difficult to find an invariant signature.
Encrypting viruses:
- A polymorphic virus may use encryption under various keys to make the stored form of the virus different.
- This type of virus must contain three distinct parts: a decryption key, the (encrypted) object code of the virus, and the (unencrypted) object code of the decryption routine.
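An added toy demonstration (not from the notes) of why an encrypting virus still yields a signature: the body is XORed under a different key in every generation, so a signature on the body never matches, but the decryption routine must be stored in the clear, and a signature on it matches every generation. The body string comes from the notes; the decryptor stub is a constructed placeholder, not real machine code.

```python
# Constructed toy "body" carrying the fixed string named in the notes
BODY = b"HA! INFECTED BY A VIRUS"
# Constructed stand-in for the (unencrypted) decryption routine, not real code
DECRYPTOR_STUB = b"\xB9\x17\x00\x30\x25\x45\xE2\xFB"

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the toy cipher used for the demo."""
    return bytes(b ^ key for b in data)

def make_generation(key: int) -> bytes:
    """Stored form of one generation: key byte, invariant stub, body encrypted under key.
    Key 0 would leave the body in the clear, so it is excluded."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255")
    return bytes([key]) + DECRYPTOR_STUB + xor_bytes(BODY, key)

def recover_body(stored: bytes) -> bytes:
    """What the decryptor does at run time: read the key and decrypt the body."""
    key = stored[0]
    return xor_bytes(stored[1 + len(DECRYPTOR_STUB):], key)

# Every possible generation under this toy scheme
GENERATIONS = [make_generation(k) for k in range(1, 256)]

def distinct_forms(samples) -> int:
    """How many different stored appearances the scanner would have to know."""
    return len(set(samples))

def detection_rate(samples, signature: bytes) -> float:
    """Fraction of samples a naive substring signature catches."""
    return sum(signature in s for s in samples) / len(samples)

if __name__ == "__main__":
    print("forms:", distinct_forms(GENERATIONS))
    print("body signature:", detection_rate(GENERATIONS, BODY))
    print("decryptor signature:", detection_rate(GENERATIONS, DECRYPTOR_STUB))
```

Every stored form differs, the body signature catches none of them, and the decryptor signature catches all of them, which is why scanners target the decryption routine.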
The Source of Viruses:
• Since a virus can be rather small, its code can be “hidden” inside other larger and more complicated programs.
Prevention of Virus Infection:
• The way to prevent infection by a virus is not to share executable code with an infected source.
• On PCs, a .exe extension suggests that the file is executable.
• A word processor may have commands within the document file; these commands, called macros, make it easy for the user to do complex or repetitive things.
• Spreadsheets, presentation slides, and other office- or business-related files can contain code or scripts that can be executed in various ways, and can thereby harbor viruses.
Approach of virus writer:
• A .doc extension suggests a Word document, but the true document type is hidden in a field at the start of the file.
• If a Word document is given a .ppt (PowerPoint) or any other extension, the operating system first tries to open the application associated with that extension; if that fails, the system switches to the application for the hidden file type.
• The virus writer creates an executable file, names it with an inappropriate extension, and sends it to the victim, describing it as a picture, a necessary code add-in, or something else desirable.
• The unwitting recipient opens the file and thereby executes the malicious code.
• Executable code has been hidden in files containing large data sets, such as pictures or read-only documents.
• These bits of viral code are not easily detected by virus scanners and certainly not by the human eye.
• For example, in a file containing a photograph, if every sixteenth bit is part of a command string that can be executed, then the virus is very difficult to detect.
Precautions against virus:
• Assume that any outside source is infected.
Several techniques for building a reasonably safe community for electronic contact:
• Use only commercial software acquired from reliable, well-established vendors.
• Test all new software on an isolated computer.
• Open attachments only when you know them to be safe.
• Make a recoverable system image and store it safely.
• Make and retain backup copies of executable system files.
• Use virus detectors (often called virus scanners) regularly and update them daily.
Truths and Misconceptions About Viruses:
- Viruses can infect only Microsoft Windows systems. False.
- Viruses can modify “hidden” or “read only” files. True.
- Viruses can appear only in data files, or only in Word documents, or only in programs. False.
- Viruses spread only on disks or only in e-mail. False.
- Viruses cannot remain in memory after a complete power off/power on reboot. True.
- Viruses cannot infect hardware. True.
- Viruses can be malevolent, benign, or benevolent. True.
First Example of Malicious Code: The Brain Virus
- The so-called Brain virus was given its name because it changes the label of any disk it attacks to the word “BRAIN.”
- This virus first locates itself in upper memory and then executes a system call to reset the upper memory bound below itself, so that it is not disturbed as it works.
- It traps interrupt number 19 (disk read) by resetting the interrupt address table to point to it and then sets the address for interrupt number 6 (unused) to the former address of the interrupt 19.
- Thus the virus screens disk read calls, handling any that would read the boot sector (passing back the original boot contents that were moved to one of the bad sectors); other disk calls go to the normal disk read handler, through interrupt 6.
How does it spread?
- The Brain virus positions itself in the boot sector and in six other sectors of the disk.
- One of the six sectors will contain the original boot code, moved there from the original boot sector, while two others contain the remaining code of the virus.
- The remaining three sectors contain a duplicate of the others.
- The virus marks these six sectors “faulty” so that the operating system will not try to use them. (With low-level calls, you can force the disk drive to read from what the operating system has marked as bad sectors.)
- The virus allows the boot process to continue.
- Once established in memory, the virus intercepts disk read requests for the disk drive under attack.
- With each read, the virus reads the disk boot sector and inspects the fifth and sixth bytes for the hexadecimal value 1234 (its signature).
- If it finds that value, it concludes the disk is infected; if not, it infects the disk.
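An added check (not from the notes) that looks for Brain's two disk-level traces from this section in a constructed floppy-style image: the value 1234h in the fifth and sixth bytes of the boot sector (little-endian byte order assumed) and sectors marked "faulty", assumed here to be clusters carrying the FAT12 bad-cluster value 0FF7h. The image builder is constructed for the demo and is not a real disk.

```python
import struct

SECTOR = 512
BRAIN_MARK = 0x1234      # value the notes say Brain looks for at bytes 4-5 of the boot sector
BAD_CLUSTER12 = 0xFF7    # FAT12 "bad cluster" marker (assumed way of marking sectors faulty)

def has_brain_mark(boot: bytes) -> bool:
    """Brain's own infection test: 16-bit value at offset 4 equals 1234h."""
    return len(boot) >= SECTOR and struct.unpack_from("<H", boot, 4)[0] == BRAIN_MARK

def fat12_entry(fat: bytes, n: int) -> int:
    """Read 12-bit entry n; two entries share three bytes."""
    off = n + n // 2
    word = fat[off] | (fat[off + 1] << 8)
    return (word >> 4) if n & 1 else (word & 0xFFF)

def set_fat12_entry(fat: bytearray, n: int, val: int) -> None:
    """Write 12-bit entry n without disturbing its neighbour."""
    off = n + n // 2
    word = fat[off] | (fat[off + 1] << 8)
    word = (word & 0x000F) | (val << 4) if n & 1 else (word & 0xF000) | (val & 0xFFF)
    fat[off], fat[off + 1] = word & 0xFF, word >> 8

def bad_clusters(fat: bytes, total: int) -> list:
    """Clusters the FAT says are unusable; Brain hides its code in such sectors."""
    return [n for n in range(2, total) if fat12_entry(fat, n) == BAD_CLUSTER12]

def build_sample(infected: bool):
    """Constructed boot sector plus one FAT12 sector; not a real disk image."""
    boot = bytearray(SECTOR)
    boot[0:2] = b"\xEB\x3C"              # short jump, as at the start of a normal boot sector
    if infected:
        struct.pack_into("<H", boot, 4, BRAIN_MARK)
    boot[510:512] = b"\x55\xAA"          # boot sector end marker
    fat = bytearray(SECTOR)
    if infected:
        for n in (7, 8, 9, 10, 11, 12):  # six clusters marked "faulty" (one per hidden sector)
            set_fat12_entry(fat, n, BAD_CLUSTER12)
    return bytes(boot), bytes(fat)

def assess(boot: bytes, fat: bytes, total_clusters: int = 340) -> dict:
    """Report both traces; a clean floppy normally has neither."""
    bad = bad_clusters(fat, total_clusters)
    mark = has_brain_mark(boot)
    return {"brain_mark": mark, "bad_clusters": bad, "suspicious": mark or bool(bad)}

if __name__ == "__main__":
    print(assess(*build_sample(True)))
```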
Suggested Reading:
- Cryptography and Network Security: Principles and Practice by William Stallings, Sixth Edition, Pearson.
- Security in Computing by Charles Pfleeger & Shari Lawrence Pfleeger, Fourth Edition, Pearson.
- Network Security by Charlie Kaufman, Radia Perlman, Mike Speciner, Second Edition, PHI.
- The Complete Reference: Network Security by Roberta Bragg, Mark Rhodes-Ousley & Keith Strassberg, Tata McGraw Hill.
- Network Security Bible by Eric Cole, Ronald Krutz, James Conley, Wiley.
- Hacking Exposed 6 by Stuart McClure, Joel Scambray & George Kurtz, Tata McGraw Hill.
- www.snort.org
- https://nmap.org