Viruses: Classification and Prevention: Mike Morain
Basic Lecture Structure
• History of malware
• Nature and operation of malware
• Discuss means of identification, removal, and prevention
• Virtualization in malware
A Brief History
• John Von Neumann
o 1949 - Developed the first “self-replicating automata”
• Veith Risak
o 1972 - Wrote the first self-reproducing program for a SIEMENS 4004/35 computer
• Phases
o Dormant Phase
o Propagation Phase
o Triggering Phase
o Executing Phase
Example: MyDoom Worm
• Infection Mechanism
o E-mail attachment executable disguised as an image, document, etc.
• Trigger
o Opening the email attachment
• Payload
o 1. TCP backdoor on port 3127 by overwriting local DLLs and running as a child process of Windows Explorer
o 2. Launched a DDoS attack against Caldera International (software company) on 1st of February, 2004
Infection Mechanism
• The means by which a virus spreads
• Early on, this was done via floppy disks, etc., but now the Internet makes this far easier.
• Attach to common downloads: music, videos, software, screensavers, etc.
• Spread through emails as attachments
• Spread on thumb drives (Pentagon example)
• Infection vectors vary; payloads stay relatively constant
• There are many other infection mechanisms: PDF files, infected image files, visiting infected web pages, office macros, etc.
Trigger
• The mechanism by which the payload is activated.
• For simply malicious viruses, this is often the simple act of opening the infected file
• For more devious or surreptitious viruses, like trojan horses, backdoors, or botnet infections, the trigger usually has to do with the intended purpose:
o DDoS: Triggered by a time/date to attack on, or by the controllers directly
o Credit/Bank fraud: Activated when the user visits a bank site, etc.
• Trojans
o back doors, keyloggers
o Searching for personal or financial information
Ex: MS “Removal” Tool
MS Removal Tool (cont.)
• Infection Mechanism
o ActiveX Remote installation
o ActiveX Data Objects tied to Windows APIs
• Trigger
o Begins execution on install
• Payload
o Hijacks various OS process calls
o Changes web proxy
Combating Malware
• Prevention
o Ideal solution
o This requires detection during the propagation phase.
• What do we do today?
Modern Antivirus Software
• 1st Generation: simple scanners
o Require signatures to detect the behavior of known viruses
o Often look at program length and alert the administrators if anything has changed
o Not so good for zero-day attacks
Tripwire
(figure: http://original.jamesthornton.com/redhat/linux/9/Reference-Guide/figs/tripwire/tripwire.png)
Modern Antivirus Software
• 2nd Generation: heuristic scanners
o Don’t really rely on signatures as much, but use “rules of recognition”
o They look for odd behavior, or code fragments that are often associated with viruses, but again, they don’t have a specific signature for every virus they can handle
o Example of behavior: PyKeyLogger
Pykeylogger
• Uses the SetWindowsHookEx API in Win32
o Specifically the WH_KEYBOARD and WH_KEYBOARD_LL hooks
http://www.sunbeltsoftware.com/developer/VIPRE-Desktop-SDK/
Conclusions
• Digital immune systems are the way of the future
• Virtualization allows them to be implemented locally on a small scale
• Still benefit from honeypots that security companies run to catch all the viruses going around.
• OS integration is key