Virus Primer


Malware
• Classifications of Malware
• The Classic Virus
• Worms
• Trojans
• Other forms of Malware
• Annoyances
• Identifying Threats
• Virus Naming Conventions
• Combating Malware

Concept of Malware
• Blanket industry term used to describe the variety of "malicious software" in circulation around the world
• Includes:
  • Viruses
  • Worms
  • Trojans
  • computer "bombs"
  • other forms of intentionally destructive software
  • non-destructive software pranks

The Classic Virus
• A self-replicating computer program that can "infect" other computer programs
• May cause no damage
• Successful viruses try to stay undetected and replicate themselves as much as possible before actually delivering their final payload
• Newer forms of malware that spread rapidly via e-mail and the Internet may be configured to disable the host system immediately, to prevent the user from warning the people on their contact list not to open the e-mail that triggered the infection

Components of a Virus
• Method of Infection
• Trigger
• Payload/Warhead

Method of Infection
• Infecting the boot sector
• Modifying an existing program or lines of code
• Inserting itself into Microsoft Office documents
• Attaching itself to network resources

Trigger
• The component of a virus that launches its payload (if it has one)
• Examples:
  • a specific date or time
  • an action by the user (opening a file)
  • a sequence of events or keystrokes
  • a repetition of events
• Trigger delay
  • Longer: more opportunity to spread
  • Too long: risk of detection

Payload/Warhead
• The final component
• A screen message that taunts the user
• Destructive package:
  • scrambles data
  • deletes files
  • creates backdoors into systems
  • causes system crashes

Types of Viruses
• Armored
• Boot Sector
• Companion (Spawning)
• File Infecting/Parasitic
• Germ
• Intended
• Latent
• Macro and scripting
• Multi-partite
• Polymorphic
• Proof of concept
• Retrovirus
• Stealth
• Sparse Infectors

Armored Virus
• A virus which has been "hardened" to make disassembly of its code or reverse engineering by antivirus analysts more difficult.

Boot Sector Virus
• Common when floppy disks were the primary method for sharing files
• Infects the master boot record (MBR) of a floppy disk
• Spreads to a user's hard drive
• Will attempt to infect every floppy disk that is inserted
• Continues spreading until it's discovered

Companion (Spawning) Viruses
• Companion viruses take advantage of a quirk in MS-DOS based operating systems, and use malicious files with a .COM extension instead of actually infecting .EXE or other executable files
• The operating system "fills in" the extension for you and executes any .COM file before its equivalent .EXE
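The defensive check that follows from this slide is simple: look for .COM files that share a base name with an .EXE in the same directory, since those are the pairs where DOS-style command lookup would pick the .COM first. The script below is an added example written for this page, not code from the slides; the directory layout and file names it builds are constructed, and it reports candidates for review rather than verdicts, because many such pairs are legitimate.

```python
import os
import tempfile
from pathlib import Path


def find_companion_candidates(root):
    """Walk a directory tree and return (com_path, exe_path) pairs where a .COM
    file sits beside an .EXE of the same base name. Under DOS-style command
    lookup the .COM runs first, so each pair deserves a look; many are
    legitimate, which is why this reports candidates rather than verdicts."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        by_stem = {}
        for name in filenames:
            stem, ext = os.path.splitext(name)
            by_stem.setdefault(stem.lower(), {})[ext.lower()] = os.path.join(dirpath, name)
        for stem in sorted(by_stem):
            exts = by_stem[stem]
            if ".com" in exts and ".exe" in exts:
                hits.append((exts[".com"], exts[".exe"]))
    return hits


def build_sample_tree():
    """Constructed sample tree (not from the slides): NOTEPAD.EXE stands alone,
    while EDIT.EXE has a same-named EDIT.COM next to it."""
    root = tempfile.mkdtemp(prefix="companion_demo_")
    for rel in ("TOOLS/EDIT.EXE", "TOOLS/EDIT.COM", "TOOLS/NOTEPAD.EXE"):
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"placeholder bytes, not a real program")
    return root


if __name__ == "__main__":
    for com, exe in find_companion_candidates(build_sample_tree()):
        print(f"candidate: {com} would be chosen before {exe}")
```

Run against a real share or workstation image, the list is short enough to review by hand; the interesting entries are .COM files with recent modification times next to long-established .EXE files.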

File Infecting/Parasitic Viruses
• Infects program files such as those with .EXE, .SYS, .PRG, .BAT, and other extensions
• Virus writers may insert code at either the beginning or the end of a program so that it is launched whenever the program is executed
• Some overwrite code in an executable to avoid changing the size of the original file and hopefully escape detection
• Cavity viruses attempt to use the "empty space" in a program to modify and infect the file without breaking its functionality or changing the file size
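Because overwriting and cavity infections are designed to leave the file size alone, a size check is not enough; a content hash baseline catches them regardless. The following is an added example for this page, not code from the slides: it records a (size, SHA-256) baseline for program files, then rescans and classifies each deviation. The directory, file contents and the three simulated changes are all constructed, and the "same size, different hash" case is flagged separately because that is exactly the trace the slide describes.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions named on the slide; extend to taste for a real baseline.
PROGRAM_EXTS = (".exe", ".sys", ".prg", ".bat")


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are not slurped whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each program file (path relative to root) to its (size, sha256)."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in PROGRAM_EXTS:
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = (os.path.getsize(full), hash_file(full))
    return baseline


def compare_baseline(root, baseline):
    """Rescan and report every deviation from the stored baseline."""
    current = build_baseline(root)
    findings = {}
    for rel, (size, digest) in baseline.items():
        if rel not in current:
            findings[rel] = "missing"
        elif current[rel][1] != digest:
            findings[rel] = ("content changed, size unchanged"
                             if current[rel][0] == size else "content and size changed")
    for rel in current:
        if rel not in baseline:
            findings[rel] = "new program file"
    return findings


def run_demo():
    """Constructed scenario: take a baseline, then simulate three kinds of change."""
    root = tempfile.mkdtemp(prefix="integrity_demo_")
    samples = {
        "APP.EXE": b"MZ" + b"\x00" * 62 + b"constructed program body",  # zero padding = "empty space"
        "DRIVER.SYS": b"constructed driver body",
        "RUN.BAT": b"@echo off\r\n",
    }
    for name, data in samples.items():
        Path(root, name).write_bytes(data)
    baseline = build_baseline(root)

    # 1) same-length overwrite inside the padding: size is unchanged, hash is not
    app = Path(root, "APP.EXE")
    body = bytearray(app.read_bytes())
    body[2:10] = b"\xcc" * 8
    app.write_bytes(bytes(body))
    # 2) appended bytes: both size and hash change
    with open(Path(root, "RUN.BAT"), "ab") as fh:
        fh.write(b"rem appended line\r\n")
    # 3) a program file that was not present at baseline time
    Path(root, "EXTRA.EXE").write_bytes(b"constructed new file")
    return compare_baseline(root, baseline)


if __name__ == "__main__":
    for rel, reason in sorted(run_demo().items()):
        print(f"{rel}: {reason}")
```

In practice the baseline is taken from a known-clean image and stored off the host (a stealth virus that intercepts disk reads can lie about file contents on the infected machine, so the comparison is most trustworthy when run from clean boot media).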

Germ
• The initial programmed form of a virus (generation zero).

Intended
• Written to be viruses but don't actually replicate
• Contrary to the popular myth, many virus writers are rank amateurs as well as some of the worst coders in the world. Their attempts at virus writing are often dismal failures and they don't receive much press.

Latent Viruses
• Viruses that simply have not been executed
• A virus written for the Windows platform that was sent via e-mail to a Mac user (or stored on a UNIX server) is relatively benign to that system
• Antivirus scanners that check only for viruses native to those platforms may miss the file entirely
• If that file is shared and a Windows user attempts to open or execute it, the virus can rapidly become an active threat on your network

Macro and scripting viruses
• Exploit the scripting functionality that Microsoft built into its Office productivity suite
• Small scripts embedded in Word or Excel documents that allow routine tasks to be automated
• Once an infected file is launched, the macro replicates itself to all similar documents and spreads rapidly through the network

Multi-partite
• Also called dual infectors
• Use more than one mechanism to spread themselves and infect other systems
• May infect both the data on a disk as well as the Master Boot Record

Polymorphic
• Definition-based antivirus software identifies viruses by searching for small unique strings of code (known as signatures) that only exist in known viruses
• A polymorphic virus alters its code and produces a functional variation of itself in the hope of escaping detection
• Easily detectable by most modern antivirus programs
• The polymorphism concept has also been used by modern e-mail worms (such as LoveBug) that use variable subject lines and filenames in order to foil attempts to block them at mail gateways
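To make the "signature" idea on this slide concrete, here is an added example (written for this page, not taken from the slides or from any antivirus product) of the two matching strategies a definition-based scanner uses: an exact byte-string signature, which a functionally equivalent rewrite defeats, and a wildcard signature that pins only the bytes the rewrite leaves alone. All byte sequences are constructed stand-ins for program code, and the signature names are made up.

```python
from typing import List, Optional

# Constructed byte sequences standing in for program code; none is real malware.
ORIGINAL = bytes.fromhex("e8 00 00 00 00 5d 81 ed 06 10 40 00 b8 01 00 00 00 c3")
# The same sample with one instruction rewritten to an equivalent form (constructed):
# the 5-byte "load 1 into eax" encoding becomes a 3-byte push/pop pair.
VARIANT = bytes.fromhex("e8 00 00 00 00 5d 81 ed 06 10 40 00 6a 01 58 c3")
# Unrelated bytes, to confirm neither signature fires on clean input.
BENIGN = bytes.fromhex("55 89 e5 31 c0 5d c3")

# Definition-based detection: an exact byte string taken from the known sample.
EXACT_SIGNATURES = {
    "Demo.Sample.A": bytes.fromhex("81 ed 06 10 40 00 b8 01 00 00 00"),
}


def parse_pattern(text: str) -> List[Optional[int]]:
    """'5d 81 ?? 01' -> [0x5d, 0x81, None, 0x01]; None is a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


# Wildcard signature: keeps the bytes that survive the rewrite, masks the ones that do not.
WILDCARD_SIGNATURES = {
    "Demo.Sample": parse_pattern("5d 81 ed ?? ?? ?? ?? ?? 01"),
}


def scan_exact(data: bytes, signatures=EXACT_SIGNATURES) -> List[str]:
    """Names of every exact signature found anywhere in data."""
    return [name for name, sig in signatures.items() if sig in data]


def matches_wildcard(data: bytes, pattern: List[Optional[int]]) -> bool:
    """Slide the pattern over data; a None in the pattern matches any byte."""
    span = len(pattern)
    for i in range(len(data) - span + 1):
        if all(p is None or data[i + j] == p for j, p in enumerate(pattern)):
            return True
    return False


def scan_wildcard(data: bytes, signatures=WILDCARD_SIGNATURES) -> List[str]:
    """Names of every wildcard signature that matches data."""
    return [name for name, pat in signatures.items() if matches_wildcard(data, pat)]


if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL), ("variant", VARIANT), ("benign", BENIGN)):
        print(f"{label:8s} exact={scan_exact(sample)} wildcard={scan_wildcard(sample)}")
```

The exact signature catches the original sample and misses the variant; the wildcard signature catches both and still ignores the benign bytes. Real scanners add emulation and heuristics on top of this, which is why the slide can say that polymorphic viruses are easily detected by modern products.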

Proof of Concept Viruses
• Usually created with an academic purpose rather than malicious intent
• A researcher may simply wish to prove a theoretical point about a vulnerability or method of attack
• In most cases, proof of concept viruses are confined to labs and never make it into the wild, although some malicious programmers may create variants based on the concept.

Retrovirus
• A virus that attacks or disables antivirus programs.

Stealth Viruses
• Stealth is a technology, rather than an actual virus type
• Stealth viruses attempt to hide themselves from antivirus programs, often by intercepting or trapping disk access requests
• Whenever an antivirus program attempts to read or analyze infected files, the virus returns the information that the original, uninfected program would have returned

Sparse Infectors
• Attempt to avoid detection by only infecting files intermittently
• There are a number of mechanisms used to accomplish this, including counters and environmental variables such as date and time

Worms
• Computer programs that replicate themselves across network connections, without modifying or attaching themselves to a host program.
• Some experts consider worms a special type of virus instead of giving them their own category; in any case, the classifications that traditionally separate worms and viruses are beginning to blur

Trojans
• Trojans are programs that claim to be one thing (usually appearing harmless), but carry an undesirable and often destructive payload
• Trojans are a delivery vehicle for other forms of malware and often rely on a bit of social engineering to trick a user into actually launching the program
• Despite warnings to computer users not to simply click on e-mail attachments (especially executables), the Trojan is still an effective tool for spreading malware

Other forms of Malware
• There are a number of non-replicating forms of malware that are designed to:
  • destroy or steal data
  • open backdoors into systems
  • disable networks
  • hijack remote systems

DDoS Agents
• A denial of service attack attempts to overwhelm a network or system resource in order to deny legitimate users access to that resource
• A distributed denial of service attack (DDoS) utilizes hundreds or even thousands of computers
• Hackers "recruit" computer systems to help them in their attacks by sending out Trojan programs that install agents on the affected PC
• These agents lie relatively dormant until they receive further instructions from the hacker's computer (usually a very small bit of code), and then begin flooding the network (or a specific target) with garbage traffic.

Logic Bombs
• Waits for a specific trigger (such as a date or sequence of events) to launch
• For hackers and disgruntled employees, it is an effective way of delivering a destructive payload long after they've left and cleaned up their tracks
• In one famous case, an administrator buried a program on his company's server that checked for the existence of his user account. If his account was deleted or disabled, the program would launch and begin deleting files on servers across the network.
• Unfortunately, this type of logic bomb is usually a custom program or script that is difficult to detect and would not be identified by anti-virus software

Mines
• Malicious programs can be seeded onto a file server or placed on innocent-looking disks that are left lying about a server
• Usually custom programs written and spread by disgruntled employees or contractors with an axe to grind, and almost impossible to defend against

Password Stealers and Keystroke Loggers
• Programs that are written to capture a user's keystrokes, write the data to a log and then send the log to a remote location or e-mail address.
• Often difficult to locate, and may not be detected by anti-virus software

Parasite Software
• Some shareware, freeware, and adware programs are being packaged with additional software that can monitor your browsing habits, and even sell your unused CPU time and unused disk space to other vendors, which in the process also consumes your network resources
• The legal tools that allow these vendors to do this are buried in the end user license agreement that no one actually reads

Remote Access Tools (RATs)
• Known as "backdoor agents"
• These tools give hackers a way into a trusted system that exists on a network

Unlicensed software
• While not technically "malware" because it's not malicious by design, unlicensed or pirated software can cost your company $20,000 per incident if your company is ever audited

Annoyances
• False positives
• Hoaxes
• Hype
• Jokes and Pranks
• Mail Bombs

Virus Naming Conventions
• The process of identifying threats is complicated by the lack of a formal standard for anti-virus and malware naming conventions
• In some cases the virus writer includes the name of the virus in the code itself (Code Red, Nimda)
• In other cases, antivirus vendors name the virus whatever they want without consulting each other, resulting in 4 or 5 different names for the same virus

CARO Standard
• In 1991 a group of researchers from the Computer Antivirus Researcher Organization (CARO) attempted to standardize antivirus naming conventions and produced a list of guidelines that have been adopted by many of the leading antivirus vendors
• The basic CARO formula for virus naming is Family_Name.Group_Name.Major_Variant.Minor_Variant[:Modifier]

CARO Standard (cont)
• Prefix - The prefix helps to quickly identify what type of virus or malware it is. A sample of commonly used prefixes:
  • W95 - Viruses written for Windows 95
  • W32 - Viruses written for all 32-bit Windows platforms
  • WNT - Viruses written for Windows NT/2000
  • Linux - Viruses written for the Linux platform
  • WM - Word macro viruses. These may include version numbers, such as W97M for Word 97
  • XM - Excel macro viruses. These may include version numbers, such as X97M for Excel 97
  • PPT - PowerPoint viruses
  • AM - Microsoft Access viruses. These may include version numbers, such as A97M for Access 97
  • VBS - Viruses utilizing Visual Basic Script
  • JAVA - Java viruses
  • Trojan - Trojan programs, sometimes abbreviated as TROJ
  • Worm - A worm. The prefix I-Worm is used to denote Internet worms
  • JOKE - A joke or prank

CARO Standard (cont)
• Family Name - Represents the family to which the virus belongs based on the structural similarities of the virus, but sometimes a formal definition of a family is impossible. It may also be found in the code itself, essentially giving the author the chance to name the virus.
• Group Name - A subcategory of family, but rarely used.
• Major Variant - Almost always a number, which is the infective length of the virus (if known)
• Minor Variant - Small variants of an existing virus, usually having the same infective length and structure. The minor variant is usually identified by a single letter (A, B, C, etc.)
• :Modifier - Modifiers are used to describe polymorphic viruses, and are identified by which polymorphic engine they use. If more than one polymorphic engine is used, the definition may include more than one modifier.
• Suffix - Suffixes are used to describe specifically how the virus spreads, such as e-mail or mass mailers, abbreviated @M and @MM
• Examples: W32.Nimda.A@mm, W32.Klez.H@mm
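A small parser makes the naming scheme on these two slides usable in tooling, for instance when reconciling alert names from different vendors. The code below is an added example for this page, not code from CARO or from any antivirus vendor. It splits a name into prefix, family, the variant parts, the ":" modifier and the "@" suffix, and explains the prefix using the list on the slide plus the W97M/X97M/A97M version pattern. Two assumptions are mine, not the slides': that when a modifier and a suffix both appear the "@" suffix comes last, and the sample names other than W32.Nimda.A@mm, which are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Prefixes as listed on the slides (upper-cased for lookup).
PREFIX_MEANINGS = {
    "W95": "virus for Windows 95",
    "W32": "virus for 32-bit Windows platforms",
    "WNT": "virus for Windows NT/2000",
    "LINUX": "virus for the Linux platform",
    "WM": "Word macro virus",
    "XM": "Excel macro virus",
    "PPT": "PowerPoint virus",
    "AM": "Microsoft Access virus",
    "VBS": "virus using Visual Basic Script",
    "JAVA": "Java virus",
    "TROJAN": "Trojan program",
    "TROJ": "Trojan program",
    "WORM": "worm",
    "I-WORM": "Internet worm",
    "JOKE": "joke or prank",
}
# Versioned macro prefixes such as W97M, X97M, A97M.
MACRO_RE = re.compile(r"^([WXA])(\d{2})M$")
MACRO_APPS = {"W": "Word", "X": "Excel", "A": "Access"}
SUFFIX_MEANINGS = {"M": "spreads by e-mail", "MM": "mass mailer"}


def describe_prefix(prefix: str) -> str:
    """Human-readable meaning of a CARO prefix, or 'unknown prefix'."""
    key = prefix.upper()
    if key in PREFIX_MEANINGS:
        return PREFIX_MEANINGS[key]
    m = MACRO_RE.match(key)
    if m:
        return f"{MACRO_APPS[m.group(1)]} {m.group(2)} macro virus"
    return "unknown prefix"


@dataclass(frozen=True)
class CaroName:
    prefix: str
    family: str
    variants: Tuple[str, ...]   # group / major / minor parts, as many as were given
    modifier: Optional[str]     # polymorphic engine, after ':'
    suffix: Optional[str]       # 'M' or 'MM', after '@'


def parse_caro(name: str) -> CaroName:
    """Split Prefix.Family[.Group][.Major][.Minor][:Modifier][@Suffix].
    Assumption (not stated on the slides): the '@' suffix follows the ':'
    modifier when both are present, so it is peeled off first."""
    body = name.strip()
    suffix = modifier = None
    if "@" in body:
        body, suffix = body.rsplit("@", 1)
        suffix = suffix.upper()
    if ":" in body:
        body, modifier = body.split(":", 1)
    parts = body.split(".")
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"not a CARO-style name: {name!r}")
    prefix, family, *variants = parts
    return CaroName(prefix, family, tuple(variants), modifier, suffix)


def explain(name: str) -> str:
    """One-line description assembled from the parsed fields."""
    n = parse_caro(name)
    text = f"{n.family} family, {describe_prefix(n.prefix)}"
    if n.variants:
        text += f", variant {'.'.join(n.variants)}"
    if n.modifier:
        text += f", polymorphic engine {n.modifier}"
    if n.suffix:
        text += f", {SUFFIX_MEANINGS.get(n.suffix, 'suffix ' + n.suffix)}"
    return text


if __name__ == "__main__":
    # First name is the slides' Nimda example; the others are constructed for the demo.
    for sample in ("W32.Nimda.A@mm", "W97M.Example.A", "I-Worm.Example.B:Engine"):
        print(f"{sample:26s} -> {explain(sample)}")
```

The family field is the most useful key for correlating alerts, since the slide notes that vendors disagree on the rest; prefix and suffix are still worth keeping because they tell an incident handler the platform at risk and whether to expect mail-borne spread.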

Combating Malware
• Hire a full-time antivirus administrator
• Subscribe to antivirus vendors' e-mail lists
• Establish a single point of contact
• Install e-mail filtering
• Establish strict e-mail policies
• Establish Internet policies
• Lock down your workstations
• Secure your servers
• Update systems for security vulnerabilities
• Use a multi-tiered approach with AV software
• Don't rely on antivirus software alone
• Scan proactively
• Back up aggressively
• Monitor your power users
• Monitor your laptop users
• Secure your wireless networks
• Educate your users
• Educate management