Computer Viruses - PowerPoint PPT Presentation

Title: Computer Viruses

Description: Computer Viruses. Preetha Annamalai, Niranjan Potnis. Outline: Computer Viruses: The Fundamentals; The Modus Operandi of a Virus; Virus Behavior and Symptoms; Virus ...

Slides: 24
Provided by: csFsuEdu7
Learn more at: http://www.cs.fsu.edu

Transcript and Presenter's Notes

1
Computer Viruses
  • Preetha Annamalai
  • Niranjan Potnis

2
Outline
  • Computer Viruses The Fundamentals
  • The Modus Operandi of a Virus
  • Virus Behavior and Symptoms
  • Virus Detection -The Heuristic Approach
  • A Sample Virus Code

3
What is a Computer Virus ?
  • A malicious piece of executable code written with
    less than noble intentions
  • Attaches itself to executable files
  • Loads into memory when the host runs, then executes
  • Replication is its key operation

4
The Vulnerable Areas!
  • EXE and COM files
  • Macros in Word documents
  • System sectors on a hard disk or floppy disk
  • Scripts for the Internet / e-mail

5
Virus Types
  • File Infectors
      • .COM and .EXE files
      • Modify the entry point of the file
      • Execute themselves first, then the host
  • System Sector Viruses
      • Sectors contain boot-time executable code
      • Boot sector, MBR
      • Relocate the original boot code

6
Virus Types
  • Macro Viruses
      • Infect data files
      • Execute on opening a document
      • Modify the global macro template
  • Worms
      • Do not attach to host files/programs
      • Rapidly replicate over the network
      • Can execute in a distributed fashion
      • Use up network bandwidth

7
Modus Operandi
  • Infection Phase
  • Attack Phase

8
Infection Phase
  • The spreading of the virus
  • Runs on a specific trigger or on execution of the host
  • Trigger conditions: disk access, copying a file, a
    particular day or time
  • Intention is to spread as far as possible
    before detection
  • Can stay resident as a TSR (terminate-and-stay-resident
    program) in any part of memory

9
Attack Phase
  • The actual payload is performed
  • Needs a trigger
  • Typical attacks:
      • Deleting files
      • Formatting or damaging the disk
      • Slowing down the system
      • Using up system resources
  • This phase is optional: a virus may infect but never
    attack (for example because the payload code is
    poorly written)

10
Virus Symptoms
  • Change in the length of .exe or .com files
  • Change in the file date/time stamp
  • Changes to interrupt vectors
  • Reassignment of system resources
  • Reduction in the amount of free memory normally reported

11
Virus Detection and Prevention
  • Anti-virus software
  • Two Approaches
  • Pattern Matching Approach
  • The Heuristic Approach

12
Conventional Pattern Matching Approach
  • Concept of a virus signature
  • Look for the virus's byte sequence in the file being
    scanned
  • Compare against a signature data file
  • The pattern match has to be literal
  • Problems:
      • Cannot detect viruses that are not in the data file
      • The data file has to be updated constantly
      • Polymorphic viruses change their characteristic byte
        code from one infected computer to the next

13
Heuristic Approach
  • Speculation and investigation
  • Analyze program structure and behavior instead
    of looking for a signature
  • How about an analogy?
  • Scan the file for suspicious code
  • Does the file have virus-like characteristics?

14
Using Heuristics
  • Content Filtering
      • A more flexible form of pattern matching
      • Keep track of the numerous ways to program
        virus-like code
      • Needs additional criteria for detection
  • Sandboxing
      • Run suspicious code in a protected space within the
        system
      • Keep track of the operating system calls it makes
      • Compare them to a user-defined policy

15
A Typical Heuristic scanner
  • Determines the most likely location of the virus
  • Analyzes the program logic contained in that region
  • What are those computer instructions capable of
    doing?
  • Catalogs the program's behavior

16
Typical Heuristic Scanner
  • There are many ways to write the same program
  • Example: a routine that terminates the program and
    returns to the DOS prompt
      • Simple approach
      • Roundabout approach

17
Typical Heuristic Scanner
  • Machine-language bytes         User-readable instructions
  • Example 1 (simple approach)
      B8 00 4C                      MOV AX,4C00
      CD 21                         INT 21
  • Example 2 (roundabout approach)
      B4 3C                         MOV AH,3C
      BB 00 00                      MOV BX,0000
      88 D8                         MOV AL,BL
      80 C4 10                      ADD AH,10
      8E C3                         MOV ES,BX
      9C                            PUSHF
      26 FF 1E 84 00                CALL FAR ES:[0084]
  • Both fragments end in the DOS terminate-program call
    (AH=4Ch): example 2 computes AH = 3Ch + 10h = 4Ch, sets
    ES to 0000h, pushes the flags as INT would, and far-calls
    through the INT 21h vector stored at 0000:0084h instead of
    executing an INT 21h instruction, so a literal signature
    for example 1 never matches it

18
Typical Heuristic Scanner
  • Maintain a database of byte sequences
  • Associate each byte sequence with its functional
    behavior
  • Can use wildcards (?? = any one byte) to match bytes
    that change from virus to virus
  • Example:
      B8 ?? 4C CD 21                Terminate Program (perm1)
      B4 4C CD 21                   Terminate Program (perm2)
      B8 02 3D BA ?? ?? CD 21       Open file (perm1)
      BA ?? ?? B8 02 3D CD 21       Open file (perm2)
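The wildcard database of this slide, run as a scanner: an added example written for this page, not code from the presentation. The four signatures are the slide's own byte sequences; the three sample fragments are constructed (the first and third are the two exits from slide 17). It shows the literal-match limitation the slides use to motivate heuristics: the roundabout exit, which performs exactly the same DOS call, matches nothing.

```python
"""Wildcard signature scanner in the style of the slides' byte-sequence
database.  Added example, not code from the original presentation."""

# The slides' own signatures: "??" stands for any single byte.
SIGNATURES = {
    "B8 ?? 4C CD 21":          "Terminate Program (perm1)",  # MOV AX,4Cxx / INT 21
    "B4 4C CD 21":             "Terminate Program (perm2)",  # MOV AH,4C   / INT 21
    "B8 02 3D BA ?? ?? CD 21": "Open file (perm1)",          # MOV AX,3D02 / MOV DX,xxxx / INT 21
    "BA ?? ?? B8 02 3D CD 21": "Open file (perm2)",          # MOV DX,xxxx / MOV AX,3D02 / INT 21
}


def parse_signature(text):
    """'B8 ?? 4C' -> [0xB8, None, 0x4C]; None marks a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def match_at(data, offset, pattern):
    """True if every non-wildcard byte of pattern equals data[offset + i]."""
    if offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def scan(data, signatures=SIGNATURES):
    """Return (offset, behaviour) for every signature hit in data, ordered by
    offset.  Matching is literal apart from the wildcards, so reordering or
    substituting instructions defeats it."""
    compiled = [(parse_signature(sig), label) for sig, label in signatures.items()]
    return [(off, label)
            for off in range(len(data))
            for pattern, label in compiled
            if match_at(data, off, pattern)]


# Constructed sample fragments (not the slides' example virus).
SIMPLE_EXIT = bytes.fromhex("B8004CCD21")                   # MOV AX,4C00 / INT 21
OPEN_THEN_EXIT = bytes.fromhex("BA0001B8023DCD21B44CCD21")  # open a file, then terminate
# Slide 17's roundabout exit: same effect as SIMPLE_EXIT, but no INT 21 bytes at all.
ROUNDABOUT_EXIT = bytes.fromhex("B43CBB000088D880C4108EC39C26FF1E8400")

if __name__ == "__main__":
    for name, sample in [("simple", SIMPLE_EXIT), ("open+exit", OPEN_THEN_EXIT),
                         ("roundabout", ROUNDABOUT_EXIT)]:
        print(f"{name:>10}: {scan(sample)}")
```

`scan(OPEN_THEN_EXIT)` reports the open-file sequence at offset 0 and the terminate sequence at offset 8, while `scan(ROUNDABOUT_EXIT)` returns an empty list: the false negative a pure pattern matcher cannot avoid without more signatures.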

19
Components of a Heuristic Scanner
Maintain set of registers
Heuristic Engine
Heuristic Engine
Emulator
Disassembler
Program
Is Execution Recommended?
Inference Engine
Scoring Formula
20
Some Virus Characteristics
  • Illicit writes to RAM
  • Undocumented calls
  • Hooks to standard interrupts
  • Calls to the next instruction (used to find the
    virus's own load address)

21
Scoring Formula
  • A weight is assigned to each virus characteristic
    depending on its strength
  • A net score is assigned to the file depending on the
    characteristics found and their count
  • Is the net score higher than the cut-off value?
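The emulate-and-score pipeline of slides 14 to 21 in one piece, as an added example that is not the presentation's own code: a tiny 8086 emulator decodes only the instructions used on slide 17 (plus CALL rel16 and POP r16, needed for the "call to next instruction" characteristic), catalogues what each fragment asks DOS to do rather than how its bytes look, and then applies a weighted score against a cut-off. The behaviour labels, the weights, the cut-off of 4 and the three sample fragments are assumptions constructed for the example; the roundabout exit is recognised as a terminate call because the emulator follows the far call through the INT 21h vector at 0000:0084h.

```python
"""Mini 8086 emulator that catalogues DOS behaviour, then scores it.
Added example, not code from the presentation: it decodes only the real-mode
instructions on slide 17 (plus CALL rel16 and POP r16 for the "call to next
instruction" check).  Labels, weights and cut-off are assumed values."""

REG16 = ["AX", "CX", "DX", "BX"]       # r16 encoding order (first four)
SREG = ["ES", "CS", "SS", "DS"]        # Sreg encoding order
WEIGHTS = {"call to next instruction": 3,    # assumed weights for slide 20's
           "hooks interrupt vector": 4,      # characteristics (illustrative)
           "indirect DOS call": 3,           # far call through the vector table
           "open file": 1, "terminate program": 0}
CUTOFF = 4                             # assumed: score >= CUTOFF => not recommended

class Cpu:
    def __init__(self, code):
        self.code, self.ip, self.r = code, 0, {n: 0 for n in REG16 + SREG}
    def u8(self):
        self.ip += 1
        return self.code[self.ip - 1]
    def u16(self):                     # little-endian; left operand is fetched first
        return self.u8() | (self.u8() << 8)
    def get8(self, i):                 # 0-3: AL,CL,DL,BL   4-7: AH,CH,DH,BH
        return (self.r[REG16[i & 3]] >> (8 if i >= 4 else 0)) & 0xFF
    def set8(self, i, v):
        wide, v = self.r[REG16[i & 3]], v & 0xFF
        self.r[REG16[i & 3]] = (wide & 0xFF) | (v << 8) if i >= 4 else (wide & 0xFF00) | v
    def modrm(self):                   # (reg, rm) of a register-direct ModR/M (mod == 11)
        m = self.u8()
        if m >> 6 != 3:
            raise NotImplementedError("only register-direct operands are emulated")
        return (m >> 3) & 7, m & 7

def dos_call(cpu, via, log):
    """Record what the INT 21h service selected by AH does, however it was reached."""
    ah = cpu.get8(4)
    if via == "far":
        log.append("indirect DOS call")
    if ah == 0x4C:
        log.append("terminate program")
        return True                    # program ends here
    if ah == 0x3D:
        log.append("open file")
    elif ah == 0x25:                   # set the vector of INT AL to DS:DX
        log.append("hooks interrupt vector")
    return False

def catalogue(code):
    """Emulate a fragment and return the behaviours observed, in order."""
    cpu, log, seg = Cpu(code), [], "DS"
    while cpu.ip < len(code):
        op = cpu.u8()
        if op == 0x26:                                   # ES: segment override prefix
            seg = "ES"
            continue
        if 0xB8 <= op <= 0xBB:                           # MOV r16, imm16
            cpu.r[REG16[op - 0xB8]] = cpu.u16()
        elif 0xB0 <= op <= 0xB7:                         # MOV r8, imm8
            cpu.set8(op - 0xB0, cpu.u8())
        elif op == 0x88:                                 # MOV r/m8, r8
            reg, rm = cpu.modrm()
            cpu.set8(rm, cpu.get8(reg))
        elif op == 0x80:                                 # group 1 r/m8, imm8 (/0 = ADD)
            reg, rm = cpu.modrm()
            if reg != 0:
                raise NotImplementedError("only ADD from group 1 is emulated")
            cpu.set8(rm, cpu.get8(rm) + cpu.u8())
        elif op == 0x8E:                                 # MOV Sreg, r16
            reg, rm = cpu.modrm()
            cpu.r[SREG[reg & 3]] = cpu.r[REG16[rm & 3]]
        elif op == 0x9C or 0x58 <= op <= 0x5F:           # PUSHF / POP r16: stack not modelled
            pass
        elif op == 0xE8:                                 # CALL rel16
            if cpu.u16() == 0:                           # target is the next instruction
                log.append("call to next instruction")
        elif op == 0xCD:                                 # INT imm8
            if cpu.u8() == 0x21 and dos_call(cpu, "int", log):
                break
        elif op == 0xFF:                                 # FF /3 = CALL FAR [disp16]
            if cpu.u8() != 0x1E:
                raise NotImplementedError("only CALL FAR [disp16] is emulated")
            addr = cpu.r[seg] * 16 + cpu.u16()           # linear address of the far pointer
            if addr == 0x21 * 4 and dos_call(cpu, "far", log):
                break                                    # it was the INT 21h vector
        else:
            log.append(f"unsupported opcode {op:02X}")
            break
        seg = "DS"                                       # a prefix covers one instruction
    return log

def analyse(code, weights=WEIGHTS, cutoff=CUTOFF):
    """Return (behaviours, score, flagged) for a code fragment."""
    log = catalogue(code)
    total = sum(weights.get(behaviour, 0) for behaviour in log)
    return log, total, total >= cutoff

# Constructed fragments (not the slides' example virus).
SIMPLE_EXIT = bytes.fromhex("B8004CCD21")                                 # slide 17, example 1
ROUNDABOUT_EXIT = bytes.fromhex("B43CBB000088D880C4108EC39C26FF1E8400")   # slide 17, example 2
HOOKER = bytes.fromhex("E800005BBA0002B82125CD21B44CCD21")  # CALL next/POP BX, hook INT 21h, exit
```

`analyse(ROUNDABOUT_EXIT)` yields the behaviours `indirect DOS call` and `terminate program` with a score of 3, below the assumed cut-off, whereas `analyse(HOOKER)` scores 7 (delta-offset call plus an interrupt hook) and is flagged. Because the catalogue records the effect of the DOS call rather than its encoding, the two exits from slide 17 collapse to the same entry, which is exactly what the signature database of slide 18 cannot do.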

22
An Example Virus
  • The Michelangelo Virus Code

23
Conclusion
  • Virus writers have too much time!
  • The heuristic approach is robust
  • Not totally reliable: subject to false positives
    and false negatives
  • Anti-virus software needs to be updated frequently