
Viruses: Classification and Prevention
Mike Morain
Basic Lecture Structure
• History of malware
• Nature and operation of
malware
• Discuss means of
identification, removal, and
prevention
• Virtualization in malware
A Brief History
• John Von Neumann
o 1949 - Developed the first “self-replicating automata”
• Veith Risak
o 1972 - Wrote the first self-reproducing program for a
SIEMENS 4004/35 computer
• Jürgen Kraus
o 1980 - Wrote a paper which put forward the idea that computer
programs could act and behave like biological viruses
• Fred Cohen
o 1984 - Gave the first formal definition of a computer “virus” in
his paper “Computer Viruses – Theory and Experiments”
Creeper
• First experimental (controlled) virus
• Written by Bob Thomas and released
on ARPANET in 1971 for the TENEX
OS
• Behaved more like a modern worm
o Would replicate itself onto machines around the NET,
and display the message “I’m the creeper, catch me if
you can!”
o Would begin to print a file, pause, find a network system,
and transfer
o Relatively harmless. More a proof-of-concept than
anything. Actually removed itself if it found another
copy, then moved on.
The Elk Cloner
• First virus to spread outside a single
lab: the first “uncontrolled” computer virus
(written by Rich Skrenta, 1982)
• Practical joke: spread via a floppy disk
game, infected the disk’s boot sector
• The target OS: Apple DOS 3.3
• Relatively benign
o Would print a poem on the target computer’s screen

• From a recent NBC interview:
o "I guess if you had to pick between being known for this and
not being known for anything, I'd rather be known for this. But
it's an odd placeholder for (all that) I've done."
Malware Today
• Not so benign
• Motivations:
o Creating zombie machines for botnets
(DDoS attacks, etc.)
o Identity theft and impersonation
o Monetary gains (credit card fraud, bank
fraud, etc.)
o Many other nefarious goals
Types of Viruses
• Boot Sector
• File
• Macro
• Encrypted
• Stealth
• Polymorphic
• Metamorphic
• Worms
A Structural Breakdown
• Infection Mechanism
• Trigger
• Payload

• Phases
o Dormant Phase
o Propagation Phase
o Triggering Phase
o Executing Phase
Example: MyDoom Worm
• Infection Mechanism
o E-mail attachment executable disguised as an image,
document, etc.

• Trigger
o Opening the email attachment; the DDoS component
additionally waits for its start date
• Payload
o 1. A TCP backdoor listening on port 3127, implemented as a
DLL dropped onto the system and loaded into the Windows
Explorer process
o 2. A DDoS attack against SCO Group (formerly Caldera
International, a software company) starting on 1 February
2004
Infection Mechanism
• The means by which a virus spreads
• Early on, this was done via floppy disks, etc.; now the
Internet makes it far easier.
• Attach to common downloads, music, videos,
software, screensavers etc.
• Spread through emails as attachments
• Spread on thumb drives (Pentagon example)
• Infection vectors vary, payloads stay relatively
constant
• There are many other infection mechanisms: PDF
files, infected image files, visiting infected web pages,
office macros, etc.
Trigger
• The mechanism by which the payload is activated.
• For simply malicious viruses, this is often the simple
act of opening the infected file
• For more devious or surreptitious viruses, like trojan
horses, backdoors, or botnet infections, the trigger
usually has to do with the intended purpose:
o DDoS: triggered by a preset date/time, or directly by the controllers
o Credit/bank fraud: activated when the user visits a banking site, etc.
• The trigger is closely tied to the infection
mechanism; the code needs to be executed
somehow.
Payload
• This is the intended action of the virus
• Goals relatively constant
• Malicious code (format hard drive,
delete important files – old school)
• Botnets
o DDoS, hosting phishing sites, etc.

• Trojans
o back doors, keyloggers
o Searching for personal or financial information
Ex: MS “Removal” Tool
• A rogue “antivirus” (scareware) that impersonates a
Microsoft removal tool
MS Removal Tool (cont.)
• Infection Mechanism
o ActiveX remote installation
o ActiveX Data Objects tied to Windows APIs
• Trigger
o Begins execution on install
• Payload
o Hijacks various OS process calls
o Changes the web proxy
Combating Malware
• Prevention
o Ideal solution
o Requires detection during the propagation phase, before the
payload executes.
• Detection, Identification, and Removal
o Much harder than prevention
• The malware may have spread already, so many
files/machines will have to be checked and cleaned.
• Removal requires knowing what it is, how it spread, etc.

• What do we do today?
Modern Antivirus
Software
• 1st Generation: simple scanners
o Require a signature (a byte pattern taken from a known
virus) for each virus, so they only catch what is already known
o Also record program lengths (or checksums) and alert the
administrator if anything has changed
o Not so good against zero-day attacks
Tripwire (figure: Tripwire integrity check, source:
http://original.jamesthornton.com/redhat/linux/9/Reference-Guide/figs/tripwire/tripwire.png)
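The two first-generation checks above, signature matching and a Tripwire-style length/hash baseline, as an added example that is not part of the slides or of Tripwire itself. The signatures, file contents and paths are constructed for the demo; the zero-day case (same-length tampering with no known signature) shows why the integrity baseline catches what the signature scan cannot.

```python
"""Added example (not part of the slides): a first-generation scanner in
miniature. Two checks: byte-signature matching against a small, constructed
signature table, and a Tripwire-style integrity baseline (length + SHA-256)
that flags any file whose length or contents changed since the baseline.
All "files" below are constructed in-memory byte strings, not real malware."""
import hashlib

# Constructed signatures: name -> byte pattern that identifies a known sample.
SIGNATURES = {
    "Demo.Appender": b"DEMO-APPENDER-MARK",
    "Demo.Dropper": b"DEMO-DROPPER-MARK",
}


def scan_signatures(data):
    """Names of every known signature whose bytes occur in data."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def fingerprint(data):
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def take_baseline(files):
    """What Tripwire stores: size and hash of every file on a known-clean system."""
    return {path: fingerprint(data) for path, data in files.items()}


def integrity_check(base, files):
    """{path: reason} for every file that deviates from the baseline."""
    findings = {}
    for path, data in files.items():
        if path not in base:
            findings[path] = "new file"
            continue
        now = fingerprint(data)
        if now["size"] != base[path]["size"]:
            findings[path] = "length changed %d -> %d" % (base[path]["size"], now["size"])
        elif now["sha256"] != base[path]["sha256"]:
            findings[path] = "contents changed, length unchanged"
    for path in base:
        if path not in files:
            findings[path] = "missing"
    return findings


def first_generation_report(base, files):
    """Both checks side by side: {path: {"signatures": [...], "integrity": reason or None}}."""
    integrity = integrity_check(base, files)
    return {path: {"signatures": scan_signatures(data), "integrity": integrity.get(path)}
            for path, data in files.items()}


# Constructed snapshots of the same files before and after infection.
CLEAN = {
    "bin/ls": b"\x7fELF" + b"\x00" * 28 + b"ls program code",
    "bin/cat": b"\x7fELF" + b"\x00" * 28 + b"cat program code",
    "etc/hosts": b"127.0.0.1 localhost\n",
}
INFECTED = dict(CLEAN)
# An appending file virus grows the host: caught by the length check and by signature.
INFECTED["bin/ls"] = CLEAN["bin/ls"] + SIGNATURES["Demo.Appender"]
# Same-length tampering with no known signature (a zero-day): only the hash notices.
INFECTED["etc/hosts"] = b"10.0.0.99 localhost\n"
# A dropped file that was not in the baseline at all.
INFECTED["tmp/.update"] = SIGNATURES["Demo.Dropper"] + b" payload"

if __name__ == "__main__":
    for path, result in first_generation_report(take_baseline(CLEAN), INFECTED).items():
        print(path, result)
```

The length-only check the slide mentions would miss `etc/hosts` entirely; the hash is what turns a "program length" scanner into a real integrity checker, at the cost of storing and protecting the baseline database.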
Modern Antivirus
Software
• 2nd Generation: heuristic
scanners
o Rely less on exact signatures and more on
“rules of recognition”
o They look for odd behavior, or code
fragments often associated with viruses,
so they do not need a specific signature
for every virus they can handle
o Example of such behavior: PyKeyLogger
Pykeylogger
• Uses the SetWindowsHookEx API in
Win32
o Specifically the WH_KEYBOARD and WH_KEYBOARD_LL hook types
• Commonly used APIs, but not normally
called from a process with no window that
runs in the background.
• Simple heuristic rule:
o In general, don’t allow keyboard strokes to be captured
in the background
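The heuristic rule above turned into a small scoring engine, as an added example that is neither the slides' code nor PyKeylogger's. Samples are constructed feature summaries (imported APIs, the hook-type constants passed to SetWindowsHookEx, strings, whether the process has a window) standing in for what a real scanner would extract from a PE file; the rule weights and threshold are constructed for the demo. The second sample, a foreground hotkey utility using the same hook, shows where the "good versus annoying" balance sits.

```python
"""Added example (not part of the slides): a second-generation heuristic
scanner in miniature. No exact signatures; each sample is scored against
"rules of recognition", the first of which is the slide's own rule about
keystroke capture from a background process. Samples are constructed
feature summaries standing in for what a real scanner extracts from a PE."""
from dataclasses import dataclass, field

# Real Win32 hook-type constants as passed to SetWindowsHookEx.
WH_KEYBOARD = 2
WH_KEYBOARD_LL = 13


@dataclass
class Sample:
    name: str
    imports: set = field(default_factory=set)
    hook_types: set = field(default_factory=set)  # idHook values at SetWindowsHookEx calls
    strings: set = field(default_factory=set)
    has_window: bool = True  # False: no visible window, i.e. runs in the background


def installs_keyboard_hook(s):
    hooks = s.imports & {"SetWindowsHookExA", "SetWindowsHookExW"}
    return bool(hooks) and bool(s.hook_types & {WH_KEYBOARD, WH_KEYBOARD_LL})


# (rule, weight, predicate). Weights are constructed for the demo; a real
# engine tunes them against its false-positive rate ("good vs. annoying").
RULES = [
    ("keyboard hook installed", 25, installs_keyboard_hook),
    ("keystrokes captured by a background process", 35,
     lambda s: installs_keyboard_hook(s) and not s.has_window),
    ("keystrokes written to disk", 15,
     lambda s: installs_keyboard_hook(s) and bool(s.imports & {"WriteFile", "fwrite"})),
    ("keystrokes sent over the network", 20,
     lambda s: installs_keyboard_hook(s)
     and bool(s.imports & {"send", "WSASend", "HttpSendRequestA"})),
    ("persists via Run registry key", 15,
     lambda s: any("CurrentVersion\\Run" in x for x in s.strings)),
]
THRESHOLD = 50


def score(sample):
    """Sum the weights of every rule that fires; at or over THRESHOLD is suspicious."""
    hits = [(name, weight) for name, weight, pred in RULES if pred(sample)]
    total = sum(weight for _, weight in hits)
    return {
        "name": sample.name,
        "score": total,
        "rules": [name for name, _ in hits],
        "verdict": "suspicious" if total >= THRESHOLD else "ok",
    }


# Constructed samples.
KEYLOGGER = Sample(
    "pykeylogger-like", has_window=False,
    imports={"SetWindowsHookExA", "WriteFile", "send"},
    hook_types={WH_KEYBOARD_LL},
    strings={"Software\\Microsoft\\Windows\\CurrentVersion\\Run", "keys.log"},
)
HOTKEY_TOOL = Sample(  # legitimate: same low-level hook, but a foreground app with a window
    "hotkey-utility", has_window=True,
    imports={"SetWindowsHookExW", "CreateWindowExW"},
    hook_types={WH_KEYBOARD_LL},
)
EDITOR = Sample("text-editor", imports={"CreateWindowExW", "WriteFile"})

if __name__ == "__main__":
    for s in (KEYLOGGER, HOTKEY_TOOL, EDITOR):
        print(score(s))
```

Note that the rules combine: the hook alone is worth little, the hook plus no window plus persistence and exfiltration imports is what pushes the keylogger over the threshold, which is the "rules of recognition" idea rather than a lookup of one fixed byte pattern.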
Modern Antivirus Software
(cont.)
• 3rd Generation: activity traps
o An anomaly-detection scheme: the program stays resident in
memory and watches for actions that threaten security (for
example, modifying another executable) rather than for
structures in program code
o The distinct advantage is that it can block dangerous actions
proactively rather than respond after the fact
• 4th Generation: full-featured scanners
o All of these techniques combined and used simultaneously
Modern Antivirus Software
(cont.)
• The differences:
o Older software ran scheduled scans (e.g. once a day); modern
tools work constantly to prevent infection
o Norton, McAfee: the original versions did
scheduled or on-boot scans based on signatures
o Each generation adds features as malware authors find new
techniques
• Commercial Examples
o Norton 2006 (13.0) introduced Internet Explorer and
hosts file protection
o Panda Antivirus is award winning
• Detects all strange behavior, very good anomaly
detection
• Balance between catching everything and being annoying
(false positives)
Case Study: Microsoft
Security Essentials
• Microsoft has never really been
known for security prowess
• They’ve had some of the most
embarrassing mishaps when it comes
to security:
o A few years ago, they released a “Malicious Software
Removal Tool.”
o It actually got pretty good reviews, and the methodology
used was good
o Unfortunately for MS, it worked so well it removed
Internet Explorer as a potential security threat.
MSE Example (cont.)
• Today’s solution: Microsoft Security
Essentials, which has been lauded as a very
well developed antivirus tool.
• It uses a combination of signature and
anomaly detection to fight infection.
• Advances in hardware speed allow
constant protection without
especially noticeable overhead.
MSE Example (cont.)
• It has (as do many other tools):
o Hooks into the operating system’s file-access API calls
(on-access scanning)
• For instance, when you open a folder containing an
infected file, MSE does a quick analysis of
those files and alerts you if one is obviously
infected, without consuming too
many resources
• Also has the ability to scan every file against
every known virus signature (on-demand scan)
• Sandboxes programs that are behaving
suspiciously and alerts the user
Further Advances in AV
• The advancement of viruses and
antivirus software is inseparably linked.
• Once the current threats are dealt with, it’s
hard to predict what virus makers will do
next, so it’s a tango back and forth.
• A major weakness of even 4th-generation antivirus
software is the inability to track and
detect polymorphic viruses, whose body is
re-encrypted differently in every copy so that no
fixed signature matches
Digital Immune Systems
• 1. A monitoring program on each PC uses
anomaly detection to analyze behavior, and
sends suspicious samples to the admin
machine.
• 2. The admin machine encrypts the sample and
sends it to a “central virus analysis” (CVA) machine.
• 3. The CVA runs the infected program in a VM,
analyzes its behavior, and produces a fix
(signature plus removal procedure) which is sent
back to the clients.
• 4. Subscribers world-wide receive the new
signatures and patches.
Generic Decryption
• Addresses the polymorphic-virus problem by running code
through a fast “generic decryption” (GD)
scanner that:
o Has a CPU emulator on which the suspicious code is
executed safely, instruction by instruction
o Looks for commonly known encryption/decryption
behavior (a loop rewriting the program’s own bytes), since
this is how polymorphic viruses change themselves
o Also includes the signature scanner from earlier generations,
run periodically against the emulated memory
o Halts the code if it’s determined to be malicious, and
“quarantines” the original executable
o Works a lot like TaintCheck (dynamic analysis of the running
code rather than of its static bytes)
• The problem with this is that it requires a
lot of overhead: how long to emulate before giving up is a
tuning trade-off.
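Generic decryption end to end, as an added example that is not part of the slides or of any commercial scanner. A constructed "polymorphic" sample carries its body XOR-encrypted under a per-copy key in front of a small decryptor loop, so a raw signature scan finds nothing; the scanner runs the sample on a toy register-machine emulator (not x86, an assumption made for brevity), counts the self-modifying writes a decryptor loop produces, and re-scans emulated memory after every step so the body is caught the moment it has been decrypted. The signature, body and instruction set are all constructed; nothing here is real malware.

```python
"""Added example (not part of the slides): generic decryption in miniature.
Polymorphic sample = per-copy XOR key + decryptor loop + encrypted body.
The scanner emulates the sample on a tiny toy CPU, watches for decryption
behaviour (writes into its own image) and scans memory after every step."""

SIGNATURE = b"DEMO-VIRUS-PAYLOAD"  # constructed: what the signature scanner knows


def build_polymorphic_sample(key):
    """Decryptor stub (as emulator instructions) plus an XOR-encrypted body.
    Every key gives a different byte image, so no fixed signature matches."""
    body = b"[constructed demo body] " + SIGNATURE
    mem = bytearray(b ^ key for b in body)
    code = [
        ("LOAD", 0, 0),          # r0 = pointer to the start of the body
        ("LOAD", 1, len(mem)),   # r1 = bytes left to decrypt
        ("LOAD", 2, key),        # r2 = this copy's key
        ("XORMEM", 0, 2),        # loop head (index 3): mem[r0] ^= r2
        ("INC", 0),
        ("DEC", 1),
        ("JNZ", 1, 3),           # repeat until r1 == 0
        ("HALT",),               # a real virus would now jump into the body
    ]
    return code, mem


def raw_signature_scan(mem):
    """First-generation check on the bytes as stored: defeated by the encryption."""
    return SIGNATURE in mem


def generic_decryption_scan(code, mem, max_steps=20000):
    """Emulate, count self-modifying writes, scan memory after each step."""
    regs = [0, 0, 0, 0]
    pc = 0
    self_writes = 0  # writes into the image: the decryption behaviour GD looks for
    for step in range(1, max_steps + 1):
        if pc >= len(code):
            break
        op, *args = code[pc]
        pc += 1
        if op == "LOAD":
            regs[args[0]] = args[1]
        elif op == "XORMEM":
            ptr = regs[args[0]]
            if 0 <= ptr < len(mem):
                mem[ptr] ^= regs[args[1]] & 0xFF
                self_writes += 1
        elif op == "INC":
            regs[args[0]] += 1
        elif op == "DEC":
            regs[args[0]] -= 1
        elif op == "JNZ":
            if regs[args[0]] != 0:
                pc = args[1]
        elif op == "HALT":
            break
        else:
            raise ValueError("unknown opcode %r" % op)
        if SIGNATURE in mem:  # decrypted body now visible: halt and quarantine
            return {"verdict": "malicious", "steps": step, "self_writes": self_writes}
    else:
        # Instruction budget exhausted: the overhead trade-off the slide mentions.
        return {"verdict": "undetermined", "steps": max_steps, "self_writes": self_writes}
    return {"verdict": "clean", "steps": step, "self_writes": self_writes}


# A constructed benign program: a counting loop that never touches memory.
BENIGN_CODE = [("LOAD", 0, 5), ("DEC", 0), ("JNZ", 0, 1), ("HALT",)]
BENIGN_MEM = bytearray(b"ordinary program data")

if __name__ == "__main__":
    for key in (0x5A, 0xC3):
        code, mem = build_polymorphic_sample(key)
        print("key %#x raw scan:" % key, raw_signature_scan(mem),
              "generic decryption:", generic_decryption_scan(code, mem))
    print("benign:", generic_decryption_scan(BENIGN_CODE, BENIGN_MEM))
```

Two things to notice when running it: the two keys produce different byte images and the raw scan fails on both, while the emulator catches both after exactly one self-write per body byte; and the benign program halts cleanly with zero self-writes. A real GD engine makes `max_steps` adaptive (stop early when no decryption-like behaviour appears) precisely to keep the overhead down.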
Virtualization in Anti-
virus
• Hardware advances – mainly processor
speed, multiple cores, and more
memory – allow virtualization to be used
• Example: Sunbelt Software’s Vipre
Enterprise Malware Client
o Maintains a minimized, mimicked copy of the host system in a
sandbox in memory and lets suspect files run free inside it.
o The implementation uses hardware processor
virtualization and multi-core assignment to minimize the
overhead.
o The virtualization, alongside a proprietary “dynamic
translation” re-compiler, is what makes it fast and effective
Sunbelt Vipre (figure, source:
http://www.sunbeltsoftware.com/developer/VIPRE-Desktop-SDK/)
Conclusions
• Digital immune systems are the way of the
future
• Virtualization allows them to be
implemented locally on a small scale
• They still benefit from the honeypots that security
companies run to catch the viruses
going around.
• OS integration is key
