Malicious Software: A Comprehensive Guide to Viruses, Worms, and Other Malware - Prof. Eun, Study notes of Computer Science

An in-depth exploration of malicious software, including viruses, worms, trojan horses, and other types of malware. Topics covered include taxonomy, terminology, virus phases, virus classes, and protection strategies. The slides drawn from Henric Johnson's material also cover antivirus technologies such as generic decryption, and trusted systems with multilevel security.

Uploaded on 09/17/2009

Malicious Software
4/16/09
EJ Jung

Behavior-blocking software

(figure from Networkworld.com, not reproduced in the preview)

Henric Johnson, slide 3

Taxonomy of Malicious Programs

Malicious Programs
  • Need a host program: Trapdoors, Logic Bombs, Trojan Horses, Viruses
  • Independent (self-contained): Bacteria, Worms

Terminology

Malicious Programs

  • Trojan Horse: a useful program or command procedure that contains hidden code which, when invoked, performs some unwanted or harmful function. Trojans may also be used for data destruction.
  • Mobile Code: programs that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics.

Malicious Programs

  • Viruses: software that can infect other programs by modifying them; the modification includes a copy of the virus, so the infection may be passed on to other programs.
  • A virus has three parts:
    • Infection mechanism: how the virus spreads to other programs
    • Trigger: the event or condition that determines when the payload runs
    • Payload: what the virus does beyond spreading

Virus Classifications

  • By target
    • Boot sector infector
    • File infector
    • Macro virus
  • By concealment strategy
    • Encrypted virus
    • Stealth virus
    • Polymorphic virus
    • Metamorphic virus

Viruses

A virus propagates by infecting other programs
  • It automatically creates copies of itself, but to propagate, a human has to run an infected program
    • Self-propagating malicious programs are usually called worms

Viruses employ many propagation methods
  • Parasitic: insert a copy into every executable (.COM, .EXE)
  • Boot sector: insert a copy into the boot sectors of disks
    • The “Stoned” virus infected PCs booted from infected floppies, stayed in memory, and infected every floppy inserted into the PC
  • Memory-resident: infect TSR (terminate-and-stay-resident) routines
    • By infecting a common OS routine, a virus can stay in memory permanently and infect every disk, executable, etc. that the system touches


Virus Structure

(figure, not reproduced in the preview)

A Compression Virus

(figure, not reproduced in the preview)

Antivirus Approaches

  • 1st generation, simple scanners: search files for any of a library of known virus “signatures”; check executable files for length changes.
  • 2nd generation, heuristic scanners: look for more general signs than specific signatures (code segments common to many viruses); check files for checksum or hash changes.
  • 3rd generation, activity traps: stay resident in memory and look for certain patterns of software behavior (e.g., scanning files).
  • 4th generation, full-featured packages: combine the best of the techniques above.
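The first two generations above, and the signature and integrity-checking bullets under Anti-Virus Technologies, can be shown together in a few dozen lines. The following is an added example, not code from the slides: a byte-signature scanner plus an integrity baseline that records each file's length and a keyed hash (HMAC-SHA256), then reports files whose length or content changed. The signature database, the "infections" and the sample files are all constructed for the demo and contain no real malware.

```python
"""
Added example: first- and second-generation antivirus checks.
Part 1, signature scanning: look for byte fragments of known viruses.
Part 2, integrity checking: record each file's length and a keyed hash
(HMAC-SHA256) and report files whose length or content changed.
The signature database and sample files are constructed for this demo.
"""
import hashlib
import hmac
import os
import tempfile

# Constructed signature database: name -> byte fragment (hypothetical).
SIGNATURES = {
    "Demo.Parasitic.A": b"\xe8\x00\x00\x00\x00\x5d\x81\xed",  # call/pop prologue pattern
    "Demo.Boot.B": b"DEMO-BOOT-MARKER",
}


def scan_signatures(data: bytes, signatures=SIGNATURES) -> list:
    """1st generation: report every known fragment present in the data."""
    return sorted(name for name, sig in signatures.items() if sig in data)


def fingerprint(path: str, key: bytes) -> tuple:
    """Length plus HMAC-SHA256 of a file's contents. A keyed hash rather than a
    plain checksum: a virus that patches the file cannot recompute the stored
    value without the key (a plain CRC could be padded back to the old value)."""
    with open(path, "rb") as f:
        data = f.read()
    return len(data), hmac.new(key, data, hashlib.sha256).hexdigest()


def baseline(paths, key: bytes) -> dict:
    """Record fingerprints for a set of files (store this off-host in practice)."""
    return {p: fingerprint(p, key) for p in paths}


def check_integrity(base: dict, key: bytes) -> dict:
    """2nd generation: return {path: reason} for every file changed since baseline."""
    findings = {}
    for path, (size, mac) in base.items():
        if not os.path.exists(path):
            findings[path] = "missing"
            continue
        new_size, new_mac = fingerprint(path, key)
        if new_size != size:
            findings[path] = f"length changed {size}->{new_size}"
        elif not hmac.compare_digest(new_mac, mac):
            findings[path] = "content changed, length unchanged"
    return findings


def demo() -> tuple:
    """Build two clean files, baseline them, simulate two infections, then run
    both checks. Returns (signature hits on host.exe, {file: integrity finding})."""
    key = os.urandom(32)
    with tempfile.TemporaryDirectory() as d:
        host = os.path.join(d, "host.exe")
        util = os.path.join(d, "util.exe")
        with open(host, "wb") as f:
            f.write(b"MZ" + b"\x90" * 64)            # 66-byte stand-in for a program
        with open(util, "wb") as f:
            f.write(b"MZ" + b"\xcc" * 64)
        base = baseline([host, util], key)

        # Appending infection: host grows by the virus body, so the length check fires.
        with open(host, "ab") as f:
            f.write(SIGNATURES["Demo.Parasitic.A"])
        # Overwriting infection: util keeps its length, so only the hash changes.
        with open(util, "r+b") as f:
            f.seek(2)
            f.write(b"\xeb\xfe")                     # replace two bytes in place

        with open(host, "rb") as f:
            hits = scan_signatures(f.read())
        changed = {os.path.basename(p): r for p, r in check_integrity(base, key).items()}
    return hits, changed


if __name__ == "__main__":
    print(demo())
```

The overwriting case is why the second generation moved from length checks to checksums, and the keyed hash is why a MAC is listed alongside checksums: an integrity database that the virus can recompute is no protection.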

Anti-Virus Technologies

Simple anti-virus scanners
  • Look for signatures (fragments of known viruses)
  • Heuristics for recognizing code associated with viruses
    • For example, polymorphic viruses often use decryption loops
  • Integrity checking to find modified files
    • Record file sizes, checksums, MACs (keyed hashes of contents)

Generic decryption and emulation scanners
  • Goal: detect polymorphic viruses with a known body
  • Emulate CPU execution for a few hundred instructions; the virus will eventually decrypt itself, and the known body can then be recognized in the emulated memory
  • Does not work very well against metamorphic viruses (which rewrite their body rather than re-encrypting it) or against viruses not located near the beginning of the infected executable (the instruction budget runs out before the decryptor executes)
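An added example of generic decryption, not code from the slides, that also exercises the decryption-loop heuristic from the bullets above. The toy 8-bit instruction set and the virus body are assumptions constructed for this demo: each sample is a short decryptor that XORs an encrypted body in place and jumps into it, with a per-sample key. A static signature of the body never matches the raw file; emulating a bounded number of instructions exposes the body in memory. Placing the decryptor behind a long prologue of benign code reproduces the limitation in the last bullet.

```python
"""
Added example: generic decryption by emulation against a polymorphic sample.
The toy 8-bit instruction set below is an assumption of this example, not a
real CPU, and the virus body is a constructed placeholder.
"""

# Toy ISA (assumption). Immediates are 16-bit little-endian; DJNZ's is signed 8-bit.
OP_HALT, OP_NOP = 0x00, 0x01
OP_SETA, OP_SETC, OP_SETP = 0x10, 0x11, 0x12      # A = key, C = counter, P = pointer
OP_XOR, OP_INCP, OP_DJNZ, OP_JMP = 0x20, 0x21, 0x22, 0x30

BODY = b"INFECT: open next .EXE, append self, patch entry point"   # constructed
BODY_SIG = b"append self, patch entry"             # what the scanner knows
DECRYPT_LOOP = bytes([OP_XOR, OP_INCP, OP_DJNZ])   # heuristic: decryption-loop shape


def build_sample(key: int, prologue_nops: int = 0) -> bytes:
    """NOP prologue + 16-byte decryptor + body XOR-encrypted under key.
    A different key yields a byte-different sample (the polymorphic part)."""
    start = prologue_nops + 16                       # address of the encrypted body
    decryptor = bytes([
        OP_SETA, key & 0xFF, 0,                      # A = key
        OP_SETC, len(BODY) & 0xFF, len(BODY) >> 8,   # C = body length
        OP_SETP, start & 0xFF, start >> 8,           # P = &body
        OP_XOR,                                      # loop: mem[P] ^= A
        OP_INCP,                                     #       P += 1
        OP_DJNZ, (-4) & 0xFF,                        #       if --C != 0: goto loop
        OP_JMP, start & 0xFF, start >> 8,            # execute the decrypted body
    ])
    return bytes([OP_NOP]) * prologue_nops + decryptor + bytes(b ^ key for b in BODY)


def emulate(image: bytes, max_steps: int = 500) -> bytes:
    """Run the toy CPU over a copy of image for at most max_steps instructions.
    Stops at HALT, at an unknown opcode (data), or when running off the end;
    returns the memory image as it stands at that point."""
    mem = bytearray(image)
    a = c = p = pc = 0
    for _ in range(max_steps):
        if pc >= len(mem):
            break
        op = mem[pc]
        if op == OP_HALT:
            break
        elif op == OP_NOP:
            pc += 1
        elif op in (OP_SETA, OP_SETC, OP_SETP, OP_JMP):
            if pc + 2 >= len(mem):
                break
            imm = mem[pc + 1] | (mem[pc + 2] << 8)
            if op == OP_JMP:
                pc = imm
                continue
            a, c, p = (imm if op == OP_SETA else a,
                       imm if op == OP_SETC else c,
                       imm if op == OP_SETP else p)
            pc += 3
        elif op == OP_XOR:
            if p >= len(mem):
                break
            mem[p] ^= a & 0xFF
            pc += 1
        elif op == OP_INCP:
            p += 1
            pc += 1
        elif op == OP_DJNZ:
            if pc + 1 >= len(mem):
                break
            rel = mem[pc + 1]
            c -= 1
            pc += 2
            if c != 0:
                pc += (rel - 256) if rel > 127 else rel
        else:
            break                                    # landed on data, not code
    return bytes(mem)


def static_scan(image: bytes) -> bool:
    """1st-generation check: the plaintext body signature in the raw file."""
    return BODY_SIG in image


def has_decrypt_loop(image: bytes) -> bool:
    """Heuristic check: the raw file contains a decryption-loop instruction shape."""
    return DECRYPT_LOOP in image


def detect_by_emulation(image: bytes, max_steps: int = 500) -> bool:
    """Generic decryption: emulate first, then scan the emulated memory."""
    return BODY_SIG in emulate(image, max_steps)


if __name__ == "__main__":
    for key, nops in ((0x5A, 50), (0xA7, 50), (0x5A, 1000)):
        sample = build_sample(key, nops)
        print(f"key={key:#x} prologue={nops}: static={static_scan(sample)} "
              f"loop-heuristic={has_decrypt_loop(sample)} "
              f"emulated(500)={detect_by_emulation(sample)} "
              f"emulated(2000)={detect_by_emulation(sample, 2000)}")
```

With a 50-instruction prologue both keys are caught after emulation even though their raw bytes differ and the static scan misses both; with a 1000-instruction prologue the 500-step budget is exhausted on benign code before the decryptor runs, and only a larger budget recovers the body. A metamorphic virus would defeat even the larger budget, since there is no fixed plaintext body to match.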

Trusted Systems

One way to enhance the ability of a system to defend against intruders and malicious programs is to implement trusted system technology.

Properties of trusted systems:
  • Protection of data and resources on the basis of levels of security (e.g., the military classification levels)
  • Users can be granted clearances to access certain categories of data
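An added example, not code from the slides, of the access decision a trusted system's reference monitor makes from those two properties. It assumes the usual multilevel-security rules (the Bell-LaPadula simple security property, no read up, and the *-property, no write down) over labels that carry a hierarchical level plus a set of categories; the clearance and object labels are constructed for the demo. The write rule is the one that matters against malware: a Trojan horse running with a cleared user's privileges cannot copy what it reads into an object a lower-cleared user can see.

```python
"""
Added example: reference-monitor access checks for a multilevel-secure system.
Labels = (level, categories). Subject s may read object o only if s dominates o
(no read up); s may write o only if o dominates s (no write down). Assumed
Bell-LaPadula rules; levels and labels below are constructed for the demo.
"""
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other: at least as high a level and a superset of categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def check_access(subject: Label, obj: Label, mode: str) -> bool:
    """Reference-monitor decision for one access request.
    read : simple security property, no read up.
    write: *-property, no write down. This is what stops a Trojan horse that
           runs with the user's clearance from leaking data to a lower level."""
    if mode == "read":
        return subject.dominates(obj)
    if mode == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown access mode {mode!r}")


def audit(subject: Label, requests) -> list:
    """Evaluate a batch of (object, mode) requests; return one decision line each."""
    return [f"{mode} {obj.level}/{','.join(sorted(obj.categories)) or '-'}: "
            f"{'permit' if check_access(subject, obj, mode) else 'deny'}"
            for obj, mode in requests]


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"NATO"}))       # constructed clearance
    for line in audit(analyst, [
        (Label("CONFIDENTIAL"), "read"),                  # read down: permit
        (Label("TOP SECRET"), "read"),                    # read up: deny
        (Label("SECRET", frozenset({"NUCLEAR"})), "read"),  # wrong category: deny
        (Label("CONFIDENTIAL"), "write"),                 # write down: deny
        (Label("TOP SECRET", frozenset({"NATO"})), "write"),  # write up: permit
    ]):
        print(line)
```

Category (compartment) checks are what the second slide property refers to: a SECRET clearance for NATO material does not dominate a SECRET object in the NUCLEAR compartment, so the read is denied even though the levels are equal.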