Virus Lecture Notes
8/3/2019
COIS/FRSC 2750H
Computer Crime and Forensics
Fall 2011
Malware: Viruses, Worms etc.
Edited by Brian Hircock, Fall 2010
Reference Material
Primary sources of information contained in these slides are:
Taylor, R.W. et al., Digital Crime and Digital Terrorism (2006)
Jones, R., Internet Forensics (2006)
Volonino, L. et al., Computer Forensics: Principles and Practices (2007)
Wang, W., Steal This Computer Book 4.0: What They Won't Tell You About the Internet (2006)
First malware? The ANSI bomb
In the DOS days, CONFIG.SYS usually loaded a device driver called ANSI.SYS at boot
Device driver for screen colours, cursor control and keyboard handling
However, ANSI.SYS also honours escape sequences that remap keys on the keyboard
Lets you make shortcuts and macros
But a text file carrying such sequences (an "ANSI bomb") could make the computer erase whatever file the user was working on every time they pressed, say, e
Or, even worse, plant a bomb
Every time the user presses a certain key, say c or C, the computer tries to reformat the hard drive
Before doing this the computer asks the user whether they really want to
So the bomb also reprograms the keyboard so that N = Y and n = y, and the confirmation prompt cannot be refused
Another precursor is Darwin (1961), a Bell Labs game in which programs fought for control of memory; it later inspired Core War (1984)
Viral Infections
Used to spread through floppy disks or bulletin board systems (BBS)
Now they're primarily spread over the Internet via
Email
Email attachments
Downloadable files
Web pages
Newsgroups
Peer to peer transfers
Instant messaging
And so on
Cost
A survey of government, private industry and universities showed that 85% had a virus/worm problem in the last year
The average virus outbreak took approximately 20 person-days to recover from and cost the company $10,000 (median) or $100,000 (mean); the gap between the two figures shows that a few large outbreaks dominate the cost
Types of damage include
Triggering disruptive events
Bogging down email and network servers
Deleting or modifying files
Accessing and sharing private information
System degradation
Compromised security
Damage to software and hardware
How many viruses/worms are there?
Active viral programs are said to be in the wild
Wildness is a measure of the extent to which the virus is spreading
Number of viruses in the wild changes daily
You can see the current wild list at http://www.wildlist.org/WildList/
Preliminary results from Symantec: http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xv_04-2010.en-us.pdf
In 2009, 75% of all enterprises experienced some form of cyber attack
Symantec created 2,895,802 new malicious code signatures in 2009 (that's over 7,300 a day), a 71 percent increase over 2008
The 2009 figure represents 51 percent of all malicious code signatures ever created by Symantec
2010 Report from Sophos
Malware
We'll take a quick look at
Viruses
Worms
Trojan Horses
Adware and Spyware
Blended Threats
Viruses
Overused term that has lost some of its original meaning
Often used now as a synonym for malware in general
Including viruses, worms, trojans etc.
Strictly, a virus is code that replicates by inserting copies of itself into other programs or files
Much like a biological virus
It needs a host (other files or resources) to run and replicate
Harm is often caused by the body's (computer's) reaction to the virus, not by the virus itself; any destructive payload is separate from the replication mechanism
Four primary environments
File virus
Boot virus
Macro virus
Network virus
File Virus
Uses the operating system's file system (e.g. Windows) to propagate
Can infect any type of executable file
An overwriting virus replaces the file's contents with its own code; easy to detect because the host program stops working
3 main types that keep the host working
Parasitic
Latches onto the file (prepended, appended, or in a cavity in the middle of the executable) and leaves it operational
Companion
Creates a clone next to the target so that the virus runs rather than the intended .exe, e.g. NOTEPAD.COM beside NOTEPAD.EXE, because DOS runs a .COM before a .EXE of the same name
Link virus
Modifies file-system metadata (directory entries or FAT pointers) so that the operating system loads the virus rather than the intended file, without touching the file's own bytes
Boot Virus
Infects the boot sector of a disk or the master boot record (MBR), or changes the partition table's active-partition pointer so that the virus's sector is booted
After power-on and hardware self-tests, the firmware loader reads the first sector of the boot disk into memory and jumps to it, which passes control to the virus
The virus runs first, then (usually) loads the saved original boot sector so the operating system starts and nothing looks wrong
Macro Virus
Takes advantage of the macro language built into programs like MS Office (VBA)
Transfers itself from one file to another and from one computer to another via file attachments or shared files
When the file is opened the program runs the infected auto-executing macro (e.g. AutoOpen) and the virus is run
Can take control when the user clicks on, say, File/Open or File/Save, or even when the user presses a certain key on the keyboard
If using MS Word, can save itself into the global template NORMAL.DOT
Then every document opened or created afterwards is infected
Network Virus
Make use of network protocols
Can transfer its code to a remote workstation or network
Can run its own code or push users to run code on remote machines
Generally behaves like a companion virus: it does not alter existing files
Today such self-propagating network code is normally classified as a worm
Infiltrate computer memory from network
Calculate and record network addresses of other computers
Send copies of themselves to other computers
Starting Unauthorized Programs
How anti-virus software works
Antivirus programs detect viruses in 2 ways
Recognizing the signature
A unique string of bytes (a binary pattern) taken from the virus body
A virus signature is like a fingerprint in that it can be used to detect and identify specific viruses
The scanner compares files against a database of known signatures
Cannot detect new viruses because their signature isn't in the database
The vendor needs a sample of the new virus to analyze before it can ship a signature update
By its behaviour
Called heuristic analysis
Notices, for example, code that tries to infect another file, or code whose structure looks like a typical virus
Catches unknown variants, at the cost of false positives on legitimate software
Infection Methods
Direct Infection
Simplest method
Every time the user opens the infected file or runs the infected program, the virus spreads
These are easy to detect
Fast Infection
Virus infects every file accessed by the infected program
If the infected program is your virus checker, it'll infect every file in your system when you run a scan
Slow Infection
Virus only infects newly created files or files modified by a legitimate program
Harder to detect, because the files are only touched by legitimate programs like Windows Explorer
Sparse Infection
Infects only occasionally (e.g. every nth file), so it spreads slowly and unpredictably and draws little attention
RAM-resident Infection
Installs itself in memory, and any program or file opened afterwards is infected
Typical of boot sector viruses, which are in memory before the operating system loads
Ways to avoid detection
Stealth
Viruses are usually detected when they change the size, time and date stamps of infected files
A stealth virus tries to avoid making visible changes to infected files, or intercepts file reads so that the scanner is shown the original contents
Boot sector viruses are usually stealth viruses
Like call forwarding
When you boot the system the virus starts, then the virus loads a copy of the real boot sector, and anything that reads the boot sector is shown that copy
Polymorphism
Changes its signature every time it infects a file, typically by encrypting the body with a fresh key
But it still must keep a small constant part: the decryption stub that unpacks the body, plus a marker so the same file doesn't keep getting infected over and over
Anti-virus developers can find these small signatures with time
One reason why you need to keep updating your virus database
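The two detection approaches above, and the reason a polymorphic virus still has to keep a small constant part, as an added example (not code from these slides or from any real scanner). Everything in it is constructed: the signature database uses the common hex-with-'??'-wildcard notation, but the signatures, the heuristic markers and the "virus" byte strings are invented, and the polymorphic engine is modelled as a fixed decryptor stub followed by an XOR-encrypted body.

```python
"""Toy signature + heuristic scanner (added example; constructed data only)."""
import re

# Constructed signature database: name -> hex pattern, '??' = any one byte.
SIGNATURES = {
    "Demo.Infector.A":     "49 4e 46 45 43 54 ?? 45 58 45",  # "INFECT?EXE"
    "Demo.Poly.Decryptor": "44 45 43 52 59 50 54 3a",        # "DECRYPT:" stub
}

def compile_signature(hexpat):
    """Turn a wildcard hex pattern into a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in hexpat.split()]
    return re.compile(b"".join(parts), re.DOTALL)

COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}

def signature_scan(data):
    """Names of all known signatures found in data (sorted for stable output)."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(data))

# Heuristic markers a file infector typically needs: a way to find host
# executables and code that writes into them. Constructed strings, not opcodes.
HEURISTIC_RULES = [(b"*.EXE", 2), (b"*.COM", 2),
                   (b"OPEN_FOR_WRITE", 3), (b"SELF_COPY", 3)]
HEURISTIC_THRESHOLD = 5

def heuristic_score(data):
    return sum(weight for marker, weight in HEURISTIC_RULES if marker in data)

def classify(data):
    """Signature match first (precise), heuristic second (catches variants)."""
    hits = signature_scan(data)
    if hits:
        return ("signature", hits)
    score = heuristic_score(data)
    if score >= HEURISTIC_THRESHOLD:
        return ("heuristic", score)
    return ("clean", None)

# --- polymorphism model: constant decryptor stub + key byte + XOR-encrypted body ---
DECRYPTOR_STUB = b"DECRYPT:"

def xor_bytes(data, key):
    return bytes(b ^ key for b in data)

def polymorph(body, key):
    """Every copy uses a fresh key, so the body's bytes differ each time,
    but the stub that undoes the XOR is the same in every copy."""
    return DECRYPTOR_STUB + bytes([key]) + xor_bytes(body, key)

# Constructed samples.
VIRUS_BODY = b"INFECT.EXE *.EXE OPEN_FOR_WRITE SELF_COPY"
CLEAN_FILE = b"dir tool: lists *.EXE files, never writes them"

if __name__ == "__main__":
    print("original :", classify(VIRUS_BODY))                    # signature hit
    print("clean    :", classify(CLEAN_FILE))                    # score 2 < 5
    variant = VIRUS_BODY.replace(b"INFECT.EXE", b"INFEKT.EXE")   # one byte changed
    print("variant  :", classify(variant))                       # heuristic hit
    poly = polymorph(VIRUS_BODY, 0x5A)
    print("polymorph:", classify(poly), "heuristic score", heuristic_score(poly))
```

Changing one byte of the sample defeats the signature but not the heuristic; XOR-encrypting the body defeats both, and the only thing left to match is the decryptor stub. That is why a polymorphic virus's constant stub is what the signature ends up targeting, and why real engines go further and emulate the stub to unpack the body before scanning it.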
Retaliators
Attack anti-virus programs
Either
Modify the anti-virus program so that it can't detect the virus
Or infect the anti-virus program itself
Can be a race to see which finds the other first
Worms
A piece of software that copies itself somewhere else
Term taken from John Brunner's 1975 novel The Shockwave Rider, in which a "tapeworm" is a self-replicating piece of code
Stand-alone program
It does not attach itself to or modify other files
Unlike a virus
Makes copies of itself from one drive to another, or copies itself using email or another transport mechanism
Can move very quickly
The Code Red worm in 2001, which exploited a buffer overflow in Microsoft IIS, infected over 250,000 machines in 9 hours
Worms cont
Some worms carry built-in DoS attacks, web site defacements, or some other surprise
Just their propagation is in effect a DoS attack because of the drain on resources
Scan traffic may crash routers
Overloads networks
Ties up computer processing capacity
How worms spread
Spread through always-on Internet connections
4 common ways to spread
Email
Worm searches for the address book of the email program and mails itself to everyone in it
The attachment may be described as a graphic file, an electronic greeting card, or a text file (MyDoom worm)
People are more likely to open these emails because they come from known people
Once opened, the worm searches for that computer's address book, and so on
IRC channels or instant messaging services
IRC networks are groups of chat rooms
Worm sends an enticing message to everyone in the chat room
If downloaded and run, the worm spreads
Internet worms
Scan other computers for open ports (i.e. reachable, vulnerable services)
Or, like the Santy worm (2004), use a search engine to find targets
Santy searched Google for sites running the phpBB bulletin board
Don't waste time trying to infect computers that won't help them spread (like computers running Mac OS X)
Malicious web pages
Use ActiveX controls to pass the worm onto visitors to the web site
Only effective on computers running Windows and using IE
Firefox and Opera don't allow ActiveX to run
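The email-worm propagation described above, as an added example (not code from the slides). The address books, the opens_attachment decision function and the mail-log lines are constructed, and the log layout is an invented one-line-per-message format rather than any real mail server's. The second half shows the check a mail gateway can do: flag a sender whose identical attachment reaches many distinct recipients within a short window, which is the worm's footprint even when nobody has a signature for it yet.

```python
"""Email-worm spread model and mass-mailing detection (added example; constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed address books: sender -> contacts found in the mail client.
ADDRESS_BOOKS = {
    "alice@corp.example":    ["bob@corp.example", "carol@corp.example", "dave@partner.example"],
    "bob@corp.example":      ["alice@corp.example", "erin@corp.example"],
    "carol@corp.example":    ["alice@corp.example", "bob@corp.example", "frank@corp.example"],
    "dave@partner.example":  ["grace@partner.example"],
    "erin@corp.example":     ["bob@corp.example"],
    "frank@corp.example":    [],
    "grace@partner.example": ["dave@partner.example", "heidi@partner.example"],
    "heidi@partner.example": [],
}

def simulate_email_worm(address_books, patient_zero, opens_attachment):
    """Generation-by-generation spread. Each newly infected host mails its whole
    address book; a recipient for whom opens_attachment(addr) is True becomes
    infected in the next generation. Already-infected hosts still receive the
    mail, which is why traffic keeps growing after most hosts are hit.
    Returns (list of per-generation sets, total messages sent)."""
    infected = {patient_zero}
    frontier = [patient_zero]
    generations = [{patient_zero}]
    messages_sent = 0
    while frontier:
        next_gen = set()
        for sender in frontier:
            for rcpt in address_books.get(sender, []):
                messages_sent += 1
                if rcpt not in infected and opens_attachment(rcpt):
                    next_gen.add(rcpt)
        infected |= next_gen
        if next_gen:
            generations.append(next_gen)
        frontier = sorted(next_gen)
    return generations, messages_sent

# Constructed gateway log, one line per delivered message (invented layout;
# 'attach' is a hash of the attachment so identical files compare equal).
SAMPLE_MAIL_LOG = """\
2011-10-03T09:14:02 from=alice@corp.example to=bob@corp.example attach=e3b0c442
2011-10-03T09:14:02 from=alice@corp.example to=carol@corp.example attach=e3b0c442
2011-10-03T09:14:03 from=alice@corp.example to=dave@partner.example attach=e3b0c442
2011-10-03T09:20:11 from=carol@corp.example to=frank@corp.example attach=9f86d081
2011-10-03T11:02:45 from=carol@corp.example to=bob@corp.example attach=d7a8fbb3
2011-10-03T11:30:00 from=alice@corp.example to=erin@corp.example attach=e3b0c442
"""
_LOG_RX = re.compile(r"^(\S+) from=(\S+) to=(\S+) attach=(\S+)$")

def detect_mass_mailer(log_text, min_recipients=3, window=timedelta(minutes=5)):
    """Flag (sender, attachment hash) pairs whose identical attachment reaches
    at least min_recipients distinct recipients inside `window`. One greeting
    card to three friends over a day is normal; the same hash to every contact
    within seconds is the worm."""
    events = defaultdict(list)           # (sender, attach) -> [(time, recipient)]
    for line in log_text.splitlines():
        m = _LOG_RX.match(line)
        if not m:
            continue                     # skip malformed lines
        ts = datetime.fromisoformat(m.group(1))
        events[(m.group(2), m.group(4))].append((ts, m.group(3)))
    alerts = []
    for (sender, attach), evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            rcpts = {r for t, r in evs[i:] if t - start <= window}
            if len(rcpts) >= min_recipients:
                alerts.append((sender, attach, sorted(rcpts)))
                break                    # one alert per (sender, attachment)
    return alerts

if __name__ == "__main__":
    gens, sent = simulate_email_worm(ADDRESS_BOOKS, "alice@corp.example",
                                     lambda addr: addr != "frank@corp.example")
    for n, g in enumerate(gens):
        print("generation", n, sorted(g))
    print("messages sent:", sent)
    for sender, attach, rcpts in detect_mass_mailer(SAMPLE_MAIL_LOG):
        print("ALERT", sender, "sent attachment", attach, "to", rcpts)
```

With the constructed books and one careful user (frank) who never opens attachments, the worm still reaches 7 of 8 hosts in three hops, and the gateway rule fires on alice's first burst of three identical attachments within two seconds, long before the fourth copy goes out two hours later.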
Trojan Horse
An unauthorized program contained within a legitimate program that performs functions unknown to the user
Usually waits for a trigger event to occur (a date, a message etc.)
Can
Open back doors to system
Allow someone to take control of computer
Destroy files
Send emails
Display messages
How do you get a Trojan Horse?
Email attachments
Chat rooms
File sharing
Physical access to machine
Web browser
Attackers use port scanners to find open ports and install the code themselves
User is infected without doing anything
Infected machines can be used by people other than the creator of the code
Lists of infected computers are sold
Remote Control Trojans
Self-contained program waiting for commands issued by a remote user
Local user doesn't know what the computer is doing
Most have auto-start capabilities so the program starts whenever the computer is booted
Can attach its code to something like explorer.exe, or modify system files or the Windows Registry (e.g. the Run keys) so that it is launched at startup
Has a server part and a client part
When the user unwittingly runs the Trojan, their machine becomes the server
Attacker then uses the client to connect to the machine
Backdoor Sub Seven Trojan
According to SANS, popular and widely used
Trojan with multiple parts
First is the Sub Seven server
Allows the attacker to connect to the computer
EditServer part
Defines the characteristics of the infection
Modifies the server, chooses auto-start techniques, alters the victim's system
Determines whether to notify the attacker when the computer is online
Port redirector and port scanner
To find new targets
Can do things like turn the monitor on/off, open/close the CD drive, reverse the mouse buttons, record images from an attached video camera, record screen shots
Types of Trojan Horses
Remote Access Trojans (RAT)
Allow attackers to do more on the machine than the person sitting at it
Allow access to files, passwords, etc.
Server and client part
Servers tend to be large programs (often a MB or more)
Can use an existing back door to send the server file
Or use a binder program to join the RAT to a real program (typically game demos or trial versions)
Password Sending Trojans
Steals cached passwords and emails them to attacker
Keyloggers
Capture key strokes and email them to the attacker periodically
Some have an on- or off-line option
Destructive
Destroy and delete files
Can work like a logic bomb: becomes active when certain conditions are met
DoS or Mail Bomb Trojan
Infect as many machines as possible and then have all of them bombard the target with non-filterable emails
Proxy/Wingate Trojan
Turns the victim's computer into an open proxy (a zombie)
Can be used by the attacker, or the whole world, for illegal activities
Software Detection Killers
Attack anti-virus/firewall programs
Then the attacker has free access to the machine
To avoid worms and Trojan Horses
Eventually your computer will be attacked by one of these
Need to detect and remove them and to prevent them from coming back
Use an antivirus program (free is OK)
For protection from RATs get a dedicated anti-Trojan Horse program
Like BOClean, The Cleaner, Hacker Eliminator, TrojanHunter
Need a firewall to block ports
Download all operating system updates
Consider not using the most popular software (Windows and Office)
Use Linux, BSD, Macs, OpenOffice
Don't use Windows Outlook or Outlook Express for email
Use Thunderbird, Pegasus Mail or Eudora
If you must use IRC, use Visual IRC, XIRCON or X-CHAT
Disable Microsoft IM (Instant Messenger)
Adware and Spyware
Usually delivered in email attachments, downloaded as part of another piece of software, or picked up from a web site (a tracking cookie set by the site is the passive form of this)
Adware does things like
Redirects the start page of your Internet browser
Makes changes to the browser
Replaces search functions within the browser
Generates pop-up ads
Spyware is software that sends information over the Internet to its authors for marketing purposes without notifying the user
Browsing habits
Hardware and software in the system
Often downloaded as part of other functional software
Read the EULA
Often take advantage of the fact that most users do not read the End User License Agreement (EULA)
Or they make the text so convoluted that no one knows what it means
Often very difficult to remove adware or spyware, as the program often makes complex changes to the computer system
Sometimes you have to reformat the hard drive and reinstall the operating system
Avoiding Adware and Spyware
If possible don't use Windows
Most malicious code is written against Windows
Use a safe browser
Firefox or Opera, or even better use VMware Player and the Browser Appliance
Creates a virtual computer in memory that runs Firefox under Ubuntu Linux, so anything the browser picks up stays inside the VM
Install a firewall
Monitor your startup programs
System Mechanic, Process Guard, MalWhere and StartupManager display a list of startup programs
Run anti-spyware programs
Problem is that spyware developers are making deals with anti-spyware companies
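One way to do the "monitor your startup programs" check yourself, and to spot the auto-start trick described earlier for remote control Trojans (a Run-key entry, or an explorer.exe that lives somewhere other than C:\Windows), as an added example that is not taken from the slides or from the tools they list. It parses a Windows .reg export of the Run keys, the kind you get from reg export or Regedit; the export text, the user name, the program paths and the trusted-directory list here are all constructed.

```python
"""Audit Windows Run keys from a .reg export (added example; constructed data)."""
import re

# Constructed .reg export of the two most common auto-start keys. The user,
# paths and programs are invented; the file format is the real Regedit one
# (backslashes and quotes inside string values are escaped with a backslash).
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"explorer"="C:\\Users\\alice\\AppData\\Local\\Temp\\explorer.exe"
"Updater"="\"C:\\Users\\alice\\Downloads\\game_demo\\update.exe\" /silent"
'''

_ENTRY_RX = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg_export(text):
    """Yield (key, value_name, string_data) for every string value in the export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _ENTRY_RX.match(line)
        if key and m:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))

def executable_path(command_line):
    """Image path from a Run-key command line. A quoted path is exact; an
    unquoted path containing spaces is ambiguous, so only the first token is taken."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""

# Constructed policy: where legitimately installed software lives, which
# directories any user can write to, and names a Trojan likes to borrow.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\appdata\\roaming\\")
SYSTEM_BINARY_NAMES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

def audit_run_keys(reg_text):
    """Return findings for auto-start entries that look like a planted Trojan."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if not key.upper().endswith(("\\RUN", "\\RUNONCE")):
            continue
        exe = executable_path(data)
        low = exe.lower()
        reasons = []
        if not low.startswith(TRUSTED_DIRS):
            reasons.append("outside the trusted program directories")
        if any(h in low for h in USER_WRITABLE_HINTS):
            reasons.append("runs from a user-writable location")
        base = low.rsplit("\\", 1)[-1]
        if base in SYSTEM_BINARY_NAMES and not low.startswith("c:\\windows\\"):
            reasons.append(base + " outside C:\\Windows (masquerading as a system binary)")
        if reasons:
            findings.append({"key": key, "name": name, "path": exe, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_run_keys(SAMPLE_REG_EXPORT):
        print(f["name"], "->", f["path"])
        for r in f["reasons"]:
            print("   ", r)
```

The two HKLM entries pass; the HKCU entries are flagged, the fake explorer.exe on all three counts. Run keys are only the most common auto-start location: services, scheduled tasks, the Startup folder and shell extension hooks need the same treatment, which is what the listed startup-monitor tools enumerate for you.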
Blended Threats
Combine viruses, worms, Trojan Horses and other malicious code
Effective because most security products cannot prevent the attack
They just advise the user after the fact
Sometimes it is better to disconnect the network if there's an imminent threat and wait for patches and detection routines
Why do people write viruses?
Why take the time to write and test code that will be destructive and harmful to someone they don't know?
Several possible reasons
In the early days it was often for fun
A challenge of the writer's skill
Viruses tended to be annoying, not destructive, e.g. the Stoned virus (1987), whose payload was the message "Your PC is now Stoned!"
For notoriety
Increased reputation in the underground virus community
To get a job
Virus writers have been hired by Internet security companies
As part of your job
Governments, terrorist groups and corporations are all capable of hiring virus writers to attack enemies
Because they can, and they most often get away with it
Virus Hoaxes
Can be as costly as, or more costly than, real viruses
Time is wasted trying to detect or remove a virus that does not exist, e.g. the Teddy Bear hoax (users were told to delete jdbgmgr.exe, a legitimate Windows file with a teddy-bear icon): http://www.hoax-slayer.com/teddy-bear-virus-hoax.html
Virus hoaxes typically:
Contain a warning message about a virus
Come from an individual or company, but cite no source
Warn not to read or download something, and preach "salvation by deletion"
Describe the virus as having horrific powers
Use many words in caps and exclamation marks
Urge the reader to forward the email
Seek credibility by citing a credible source
Claim the source says the virus is bad or has them worried
Use baseless technical jargon