Class 6
[Chart: number of known viruses and variants by year, 1988 to 1999]
1988: Less than 10 known viruses
1990: New virus found every day
1993: 10-30 new viruses per week
1999: 45,000 viruses and variants
Source: McAfee
Virus Operation
virus phases:
dormant – waiting on trigger event
propagation – replicating to programs/disks
triggering – by event to execute payload
execution – of payload
Propagation
Method by which the virus spreads itself.
Old days: single PC, transferred to other
hosts by way of floppy diskettes.
Nowadays: the Internet.
Structure of A Virus
Virus() {
    infectExecutable();
    if (triggered()) {
        doDamage();
    }
    jump to main of infected program;
}

void infectExecutable() {
    file = choose an uninfected executable file;
    prepend V to file;
}
Cluster viruses
Change the DOS directory info so that directory
entries point to the virus code instead of the real
program
Even though every program on the disk may be
Variable Viruses
Polymorphic viruses
Change with each infection
• Executable virus code changes on each infection (for macro viruses: variable names, line spacing, etc.)
• Control flow permutations (rearrange code with goto’s)
Attempt to defeat scanners
Virus writing tool kits have been created to
"simplify" creation of new viruses
Current tool kits create viruses that can be
detected easily with existing scanner
technology
But just a matter of time …
Virus Detection/Evasion
Detection technique -> Evasion technique
Look for changes in size -> Compression of virus and target code
Check time stamp on file -> Modify time stamp to original
Look for bad behavior (false alarm prone) -> Do bad thing insidiously
Look for patterns (byte streams) in virus code that are unique -> Change patterns (polymorphism); rearrange data in the file
Look for changes in file checksum -> Disable anti-virus programs
More on Virus Detection
Scanning
Depend on prior knowledge of a virus
Check programs before execution
Need to be regularly updated
Integrity Checking
Read entire disk and record integrity data that
acts as a signature for the files and system
sectors
Use cryptographic computation technique
instead of simple checksum
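The integrity-checking approach above, as an added example that is not from these slides: a baseline of per-file SHA-256 digests is recorded and later verified, with a simple additive checksum kept alongside to show why the slide prefers a cryptographic computation. File names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

def simple_checksum(data: bytes) -> int:
    # Additive 16-bit checksum: any reordering of the bytes leaves it unchanged.
    return sum(data) & 0xFFFF

def crypto_digest(data: bytes) -> str:
    # Cryptographic hash: any change to the bytes, including reordering, changes it.
    return hashlib.sha256(data).hexdigest()

def build_baseline(root: str) -> dict:
    # Walk the tree and record (size, simple checksum, SHA-256) for every file.
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            rel = os.path.relpath(path, root)
            baseline[rel] = (len(data), simple_checksum(data), crypto_digest(data))
    return baseline

def verify(root: str, baseline: dict) -> dict:
    # Compare the current tree against the recorded baseline using the SHA-256 field.
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p][2] != baseline[p][2]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }

def demo() -> dict:
    # Constructed sample: the file is rewritten with the same bytes in a different order
    # ("rearrange data in the file"), which keeps size and additive checksum identical
    # but changes the SHA-256, so only the cryptographic check flags it.
    original = b"code: jump to main; run program\n"
    tampered = b"code: run program; jump to main\n"
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "prog.bin")
        with open(path, "wb") as f:
            f.write(original)
        baseline = build_baseline(root)
        with open(path, "wb") as f:
            f.write(tampered)
        report = verify(root, baseline)
        report["size_and_checksum_unchanged"] = (
            build_baseline(root)["prog.bin"][:2] == baseline["prog.bin"][:2]
        )
    return report
```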
More on Virus Detection
Interception
Monitoring for system-level routines that perform
destructive acts
Good for detecting logic bombs and Trojan horses
Cannot depend entirely upon behavior monitors
as they are easily bypassed.
Combination of all three techniques can
detect most viruses
Virus Recovery
Extricate the virus from the infected file to
leave the original behind
Remove the redirection to the virus code
Recover the file from backup
Delete the files and move on with life
History of Viruses
First Wild Viruses Apple I/II/III: 1981
Three viruses for the Apple machines
emerged in 1981
Boot sector viruses
Floppies of that time had the disk operating
system (DOS) on them by default
Written without malice
First PC Virus: Pakistani Brain Virus
(1986)
Written by Pakistani brothers to protect their
copyright
Claim: infect only machines that had an
unlicensed copy of their software
Boot sector, memory resident
Printed
[Diagram: worm components, labelled Payload and Carrier]
Worm Overview
Target Discovery
• Port Scanning
  • Sequential: working through an address block
  • Random
• Target Lists
  • Externally generated through meta servers
  • Internal target list
• Passive worms
External Target Lists: Metaserver Worms
[Diagram: a metaserver pointing at several servers]
Many systems use a "metaserver", a server for information about other servers
Games: Use as a matchmaker for local servers
Google: Query Google to find web servers
Windows Active Directory: Maintains the "Network Neighborhood"
Worm can leverage these services
Construct a query to find new targets
Each new victim also constructs queries
• Creates a divide-and-conquer infection strategy
Original strategy, not yet seen
How Fast Are Metaserver Worms?
Game Metaserver: Use to attack a small population
(eg, all Half-Life servers)
~1 minute to infect all targets
Google: Use to enhance a scanning web worm
Each worm conducts initial queries to find URLs
[Chart: percent infected versus time in hours, comparing no acceleration with metaserver acceleration]
Internal Target Lists: Topological Information
Look for local information to find new
targets
URLs on disk and in caches
Mail addresses
.ssh/known_hosts