# Malicious Software

Shared by: Huy Hoang | Date: | File type: PDF | Pages: 27
## 1. Malicious Software

Security Essentials - The SANS Institute - Encryption and Exploits - SANS ©2001 (5-1)

This course on Malicious Software is part of the SANS Security Essentials series.

Picture this - the trade press is all abuzz with warnings of a new killer virus, Child of Chernobyl. Recall that Chernobyl struck on April 26, 1999. In Korea alone, it affected as many as a million computers, causing more than $250 million in damages. The boss has just come down with a magazine article in hand and has told you to drop everything. You have three days to ensure the organization is ready before “Child of Chernobyl” day. Is this real or a hoax? What do you do to find out? How do you meet the boss' demands to get anti-viral software installed and updated as needed? Stay tuned for answers to these questions and more…

Of course this course isn’t going to solve all your problems if you suddenly get hit and have no plan of action or procedures in place. So you are going to need to apply what you learn here.
## 2. Objectives

- Malicious code
- Virus and hoax information
- Virus types and methods
- Organizational AV policy
- Desktop anti-viral care and feeding

At the completion of this course, the student will be familiar with these core concepts of anti-viral protection. What is malicious software? How does it spread? What are some of the characteristics of viruses? What is the difference between a virus and a hoax? Where can I go to get more information on them? Does my organization have an anti-viral policy? What does it say? Is it up-to-date? What is anti-viral software? What is involved in the care and feeding of desktop anti-viral software?
## 3. Malicious Software (Malware)

- Viruses
- Worms
- Trojan horses
- Malicious applets
- Majority Microsoft-specific

Malware is a generic term for a number of different types of malicious code - viruses, worms, Trojan horses, and malicious applets. First, we will define what these things are.

A virus is a piece of parasitic code (or program) written specifically to execute on behalf of the user without the user's permission (or knowledge). It is parasitic in that it attaches itself to files (or boot sectors) and then replicates, causing the spread to continue. Some viruses do little more than replicate and serve as a nuisance; others can do serious damage, such as affecting programs or degrading system performance (the virus payload). Never assume that a virus is harmless and leave it intact. We will look at the various types of viruses in the slides to follow.

A worm is a self-contained program (or set of programs) that is able to spread functional copies of itself to other computer systems (usually via a network). Host-computer worms are entirely contained on their host computer. Host-computer worms that delete themselves from one host upon propagation to a new host are called rabbits - they ‘hop’ around a network. Some worms run in multiple parts on many hosts. These worms are called network worms. A network worm with one coordinating segment and many client sub-segments is termed an octopus!

Note: Malicious code is called a worm when it requires no specific action on the part of the user to enable infection and propagation. It just spreads. If the code requires the user to open an email or load a screen saver or take some other action, then it is called a virus.

Trojan horses are programs with an intended action that is not documented or revealed. Typically, Trojan horses masquerade as some other harmless or trusted program. A well-known Trojan horse is Back Orifice.

Malicious applets are applets that attack the local system of a web surfer and involve denial of service, invasion of privacy, and annoyance. Malicious applets are distinguished from attack applets, which exploit vulnerabilities in the implementation of the Java security model.

It is interesting to note that of the 60,000 or so known viruses, worms etc., about 55,000 of them are Microsoft-specific (Gene Spafford). Care is needed here because this statistic does not mean that systems such as Linux, Unix, or Mac are immune - there are just fewer examples found there. We usually think of infection via the network and floppy disks, but CD-ROMs are notorious for hosting malware. Just think of the damage that could be done with a music CD. How about infecting a Windows system just because auto-run is enabled?
## 4. Virus Types

- File infectors / Program viruses
  - Direct action
  - Memory resident
  - Cluster or File system virus
- Potential to spread over networks

Viruses are identified by the ways they infect computers. Usually, a virus falls into one of the following three categories: program viruses, boot record infectors, or macro viruses. For the next few slides, we will focus on program viruses.

A program virus gets activated when the program is executed (or run). The virus is loaded into the computer memory and then proceeds to wreak havoc. The results of the virus triggering may not be obvious immediately, as the virus may have a built-in delay (an event-triggered virus). First signs of infection can include files being saved with malformed or improper names. Program viruses are usually attached to files such as COM or EXE files, but can infect any executable or interpretable file - overlays, drivers, system files, or binary files. Examples also exist of viruses that infect C source code, such that the compiled executable is infected!

Direct-action file infectors find one or more selected programs to infect each time the infected program is run. Resident viruses install to the system service area of RAM and infect new programs when they are run. Cluster viruses infect program files indirectly by modifying file system structures, such as the file allocation table. These viruses are loaded by the OS before the target program because the file system points to the virus first.

Program file viruses need to be executed to activate and spread. As well as being run locally, users can run infected programs from servers, download and run infected files, or execute mail attachments. These viruses therefore have the potential to spread from program to program on a single host, and find their way to infect new programs on different hosts by being spread by network users.
## 5. COM Program Infectors

[Figure: a clean COM program shown beside a prepended virus (VIRUS at START, then the COM code) and an appended virus (JUMP at START, the COM code, then VIRUS at END); steps 1-6 in the original diagram mark the order in which control passes.]

Now we’ll take a look at how program files are actually infected. COM file viruses attach themselves to their target in one of three ways - by prepending to the beginning, by appending to the end, or by overwriting part of the file.

A prepending virus gains control when the first instruction of the infected COM file is executed. The virus runs and then passes control to the original program. Because of this, users may not notice anything different.

An appending virus writes a jump instruction over the first instruction in the file. This jump takes execution to the virus, which later returns control to the COM program.

Overwriting viruses simply write their code to the beginning of the file. These viruses therefore destroy the original program. More sophisticated overwriting viruses will make a copy of the portion that they overwrite, which can later be executed - all in an effort to remain covert.
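The three infection shapes just described are what an integrity checker has to recognise when a program file changes. The following is an added example written for this page (not SANS course code): given a known-good copy of a COM program, it classifies a changed copy as prepended (original intact at the end), appended (first instruction patched into a JMP that lands in the added tail) or overwritten (leading bytes replaced, remainder intact). The byte strings are constructed, inert fixtures.

```python
"""Classify how a COM image differs from a known-good baseline using the three
infection shapes on the COM Program Infectors slide: prepend, append, overwrite.
Added example for this page, not SANS course material. Assumes a COM image is
raw 16-bit code loaded at offset 0x100, so a relative JMP in the first
instruction targets file offset (instruction length + displacement); the near
(E9 rel16) and short (EB rel8) JMP forms are recognised."""
import struct

JMP_NEAR, JMP_SHORT = 0xE9, 0xEB


def entry_jump_target(image: bytes):
    """File offset targeted by a JMP in the first instruction, else None."""
    if len(image) >= 3 and image[0] == JMP_NEAR:
        return 3 + struct.unpack_from("<h", image, 1)[0]
    if len(image) >= 2 and image[0] == JMP_SHORT:
        return 2 + struct.unpack_from("<b", image, 1)[0]
    return None


def classify_change(baseline: bytes, current: bytes) -> str:
    """Return 'unchanged', 'prepended', 'appended', 'overwritten' or 'modified'."""
    if current == baseline:
        return "unchanged"
    if len(current) > len(baseline):
        # Prepending infector: the original program survives intact at the end.
        if current.endswith(baseline):
            return "prepended"
        # Appending infector: body added past the original length, and the first
        # instruction patched into a JMP that lands in that body.
        target = entry_jump_target(current)
        jmp_len = 3 if current[0] == JMP_NEAR else 2
        if (target is not None and len(baseline) <= target < len(current)
                and current[jmp_len:len(baseline)] == baseline[jmp_len:]):
            return "appended"
    elif len(current) == len(baseline):
        # Overwriting infector: leading bytes replaced, rest of the file intact.
        diffs = [i for i, (a, b) in enumerate(zip(baseline, current)) if a != b]
        if diffs[0] == 0 and diffs[-1] < len(baseline) - 1:
            return "overwritten"
    return "modified"


# Constructed fixtures: inert bytes standing in for code, not real malware.
CLEAN = bytes.fromhex("b409ba0c01cd21b8004ccd21") + b"Hi$"  # 15-byte print-and-exit stub
BODY = b"\x90" * 16                                         # stand-in for added code
PREPENDED = BODY + CLEAN
APPENDED = bytes.fromhex("e90c00") + CLEAN[3:] + BODY      # E9 000C = JMP to offset 15
OVERWRITTEN = BODY[:8] + CLEAN[8:]
```

A real checker would store hashes of the baseline images rather than the images themselves; the byte-level comparison here is what makes the three shapes visible.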
## 7. Virus Types (2)

- Boot record infectors
  - Floppy boot record (FBR)
  - Master boot record (MBR)
  - DOS boot sector (DBS or PBR)
  - No network spreading potential
- Multipartite
  - Potential to spread over networks

The next virus we'll review is the boot infector. Every disk has a boot sector (regardless of whether or not it is actually bootable). When a computer is powered up, it looks for boot information according to a list provided by the computer BIOS. If any of the media in the drives specified in the BIOS list have a boot sector virus, the infection will get transferred to the boot drive. Once the infection is complete, the virus will get loaded into memory at startup. From there, the virus can be spread to every disk that is read after startup. Results of the infection can range from nuisance (if at all) to destruction of boot information, to a need for a complete format of the hard disk.

Floppy disks contain a floppy boot record (FBR) which can harbor a virus. If a system is booted from such a floppy, the virus will load and infect the hard disk. Viruses on hard disks infect either the master boot record (MBR) or the partition boot record (PBR) (sometimes called the DOS boot sector (DBS)). The MBR is the first place the BIOS looks when booting from a hard drive. If a virus is present, it can seize control of the hardware before the operating system even sees the light of day! PBRs are executed after the bootstrap program in the MBR passes control to the active partition. Operating system files that are present on a partition are loaded according to instructions in the PBR. Like the MBR infection, if a virus is present, it will be loaded before the operating system.

Multipartite viruses are hybrids of boot infectors and program viruses. When executed as a program, boot sectors become infected, and vice versa - if multipartite-infected media are booted, program files get infected. Multipartite viruses provide a mechanism by which boot-sector viruses can get around on networks (they travel as program files). Boot-sector viruses cannot, on their own, infect across networks. This is because the network protocols do not support sector-level operations.
## 8. Virus Types (3)

- Macro viruses
  - Targets are data files (e.g. *.doc)
  - Written in ‘macro languages’ (e.g. Melissa macro virus)
  - Visual Basic Editor
- High network spreading potential!

A macro virus is malicious code contained in a set of instructions that are included within an application, such as a word processor or spreadsheet. Unlike program viruses, which target executables, macro viruses target data files. Once the macro containing the infection is loaded onto your computer, it can infect other files (such as the normal.dot template for Microsoft Word) or cause itself to be propagated to other users automatically. A typical example is the Melissa macro. It caused a document containing the macro to be mailed electronically to other email users.

The activated macro virus is limited only by the capabilities of the ‘macro language’ being used. Microsoft macros, written in Visual Basic, can access all host application features (e.g. Word) and many OS features (Windows). For example, in Word or Excel, try opening . This opens a Visual Basic session enabling complex macro design. Imagine the potential damage from commands such as open, kill (delete), or rmdir!

Macro viruses can spread as email attachments. Users open an infected attachment, the virus reads the address book, and mails itself on. For this reason, macro viruses have a huge potential to spread over networks.