Ch 3.2 Malicious Code - Malware
Appended Viruses
A program virus attaches itself to a program; then, whenever the program is run, the virus is activated. This kind of attachment is usually easy to design and implement. Most viruses attach in this manner.
Encrypting Viruses
A simple variety of polymorphic virus uses encryption under various keys to make the stored form of the virus different. This type of virus must contain three distinct parts: a decryption key, the (encrypted) object code of the virus, and the (unencrypted) object code of the decryption routine.
Transmission Patterns
A virus is effective only if it has some means of transmission from one location to another. As we have already seen, viruses can travel during the boot process, by attaching to an executable file, or by traveling within data files. The travel itself occurs during execution of an already infected program. Since a virus can execute any instructions a program can, virus travel is not confined to any single medium or execution pattern.
Polymorphic Viruses
A virus that can change its appearance
Execution Patterns
A virus writer may want a virus to do several things at the same time, namely, spread infection, avoid detection, and cause harm. Unfortunately, many of these behaviors are perfectly normal and might otherwise go undetected. Most virus writers seek to avoid detection for themselves and their creations. Because a disk's boot sector is not visible to normal operations (for example, the contents of the boot sector do not show on a directory listing), many virus writers hide their code there.
Zero day attack
Active malware exploiting a product vulnerability for which the manufacturer has no countermeasure available
Burying virus in program to reactivate
Burying the code among other system routines and placing the code on the list of programs started at computer startup are current techniques to ensure that a piece of malware is reactivated.
One-Time Execution (Implanting)
Malicious code often executes a one-time process to transmit or receive and install the infection. The process is quick and not obvious.
Concealing malware infection
Malware writers usually intend that their code persist, so they write the code in a way that resists attempts to eradicate it. Techniques include: • Hide the file in a lower-level directory. • Replace (retaining the name of) a noncritical system file. • Hide copies of the executable in different locations on different systems so no single eradication procedure can work. • Modify the system registry so that the malware is always executed or malware detection is disabled.
Harm to Users
Most malicious code harm occurs to the infected computer's data. Here are some real-world examples of malice: • Hiding the cursor. • Displaying text or an image on the screen.
Categories of malicious code
Nondestructive. Examples of behavior are sending a funny message or flashing an image on the screen, often simply to show the author's capability. This category would also include virus hoaxes, messages falsely warning of a piece of malicious code, apparently to cause receivers to panic and forward the message to contacts, thus spreading the panic. Destructive. This type of code corrupts files, deletes files, damages software, or executes commands to cause hardware stress or breakage with no apparent motive other than to harm the recipient. Commercial or criminal intent. An infection of this type tries to take over the recipient's computer, installing code to allow a remote agent to cause the computer to perform actions on the agent's signal or to forward sensitive data to the agent.
Spread of viruses
SETUP program: a setup program that downloads a new program calls other programs, which may call one containing a virus, activating the virus. Attached file: a virus attached to an email or embedded in a file; the virus writer attempts to convince the victim to open the viral object, which executes it so that it can perform its functions. Document viruses. Autorun: a feature of operating systems that causes the automatic execution of code based on name or placement.
Introduction of Malicious Code
The easiest way for malicious code to gain access to a system is to be introduced by a user, a system owner, an administrator, or other authorized agent.
Why is the boot sector an appealing place for a virus?
The virus gains control early in the boot process, before most detection tools are active, so that it can avoid, or at least complicate, detection. The files in the boot area are crucial parts of the operating system. Consequently, the operating system makes them "invisible" by not showing them as part of a normal listing of stored files, thereby preventing their deletion. Thus, the virus code is not readily noticed by users.
Memory-Resident Viruses
Virus writers also like to attach viruses to resident code because the resident code is activated many times while the machine is running. Each time the resident code runs, the virus does too. Once activated, the virus can look for and infect uninfected carriers.
Harm from Malicious Code
Viruses and other malicious code can cause essentially unlimited harm. Because malware runs under the authority of the user, it can do anything the user can do.
Trojan horse example
a login script that solicits a user's identification and password, passes the identification information on to the rest of the system for login processing, but also retains a copy of the information for later, malicious use.
Virus
a program that can replicate itself and pass on malicious code to other non-malicious programs by modifying them; code with malicious purpose, intended to spread
Bot
a program that performs a repetitive task on a network
Worm
a program that spreads copies of itself through a network
Propagation
a virus can be rather small; its code can be "hidden" inside other larger and more complicated programs
Viruses That Surround a Program
a virus that runs the original program but has control before and after its execution. If the virus is stored on disk, its presence will be given away by its file name, or its size will affect the amount of space used on the disk. The virus writer might arrange for the virus to attach itself to the program that constructs the listing of files on the disk. If the virus regains control after the listing program has generated the listing but before the listing is displayed or printed, the virus could eliminate its entry from the listing and falsify space counts so that it appears not to exist.
Difference between worm and virus
a worm operates through networks, and a virus can spread through any medium (but usually uses a copied program or data files). A worm spreads copies of itself as a stand-alone program, whereas a virus spreads copies of itself as a program that attaches to or embeds in other programs.
zero-day exploit
attack before availability of the control
Stealth
avoiding detection during installation, while executing, or even at rest in storage. Most viruses maintain stealth by concealing their action, not announcing their presence, and disguising their appearance.
Memory-Resident
code that remains in memory instead of terminating and disappearing after execution
Four aspects of malicious code infections
• harm—how they affect users and systems • transmission and propagation—how they are transmitted and replicate, and how they cause further transmission • activation—how they gain control and install themselves so that they can reactivate • stealth—how they hide to avoid detection
Transient virus
has a life that depends on the life of the host; the virus runs when its attached program executes and terminates when its attached program ends
Boot Sector Viruses
hide in the boot sectors of a disk, where the operating system accesses them every time it is restarted
Nature of malicious code
how they can spread, what harm they can cause, and how they can be controlled
Malware Toolkits
let novice attackers probe for many vulnerabilities at the press of a button.
Resident virus
locates itself in memory; it can then remain active or be activated as a stand-alone program, even after its attached program ends
Trojan horse
malicious code that, in addition to its primary effect, has a second, nonobvious, malicious effect
How Malicious Code Gains Control
To gain control of processing, malicious code such as a virus (V) has to be invoked instead of the target (T). Essentially, the virus either has to seem to be T, saying effectively "I am T," or the virus has to push T out of the way and become a substitute for T, saying effectively "Call me instead of T." A more blatant virus can simply say "invoke me [you fool]." The ways it can do this: • The virus can assume T's name by replacing (or joining to) T's code in a file structure; this invocation technique is most appropriate for ordinary programs. • The virus can overwrite T in storage (simply replacing the copy of T in storage, for example). • The virus can change the pointers in the file table so that the virus is located instead of T whenever T is accessed through the file system. • The virus can supplant T by altering the sequence that would have invoked T to now invoke the virus V; this invocation can replace parts of the resident operating system by modifying pointers to those resident parts.
Steganography
permits data to be hidden in large, complex, redundant data sets.
Boot sector attacks
the assailant changes the pointer to the next part of the operating system to load
Malicious code (malware)
the general name for programs or program parts planted by an agent with malicious intent to cause unanticipated or undesired effects
Multipartite form of virus
they install themselves in several pieces in distinct locations, sometimes to carry out different objectives
Integrated Viruses and Replacements
the virus replaces some of its target, integrating itself into the original code of the target. The virus writer has to know the exact structure of the original program to know where to insert which pieces of the virus
Qualities of malware writer may build into it
• The malicious code is hard to detect. • The malicious code is not easily destroyed or deactivated. • The malicious code spreads infection widely. • The malicious code can reinfect its home program or other programs. • The malicious code is easy to create. • The malicious code is machine independent and operating system independent.