file infection techniques file resident viruses
play

File Infection Techniques: File Resident Viruses CS 4440/7440 - PowerPoint PPT Presentation

Dec 10, 2022 •733 likes •1.06k views

File Infection Techniques: File Resident Viruses CS 4440/7440 Malware Analysis & Defense Bill Harrison Viruses: Online Resources } Symantec Virus Encyclopedia: http://securityresponse.symantec.com/avcenter/ vinfodb.html } McAfee Virus

  1. File Infection Techniques: File Resident Viruses CS 4440/7440 Malware Analysis & Defense Bill Harrison

  2. Viruses: Online Resources } Symantec Virus Encyclopedia: http://securityresponse.symantec.com/avcenter/ vinfodb.html } McAfee Virus Information Library: http://vil.nai.com/vil/default.aspx 2

  3. File Infection Techniques } Executable files (*.EXE, *.COM, *.BAT, etc.) are often the target of viruses } Executing an infected file usually triggers replication of the virus into other files } Executable file infection techniques can be categorized broadly by asking where the virus code is placed in the file 3

  4. Location: Beginning of the File } Henceforth, beginning always refers to the start of the executable code, which might follow a header area in some file formats } A virus can either preserve the original beginning of the file, or destroy it by overwriting } Destructiveness always reduces the stealthiness of the virus 4

  5. Beginning of the File with Destructive Overwrite } Two primary methods: } Replace *.exe file with virus *.exe } Overwrite only the beginning of a *.exe that is larger than the virus *.exe } Neither method is stealthy: } The *.exe has lost its functionality entirely, so the user notices that something is wrong } Anti-virus software finds a virus easily right at the beginning of the file } The first method often changes the file size, making it even less stealthy than the second method 5

  6. Beginning of the File with Destructive Overwrite Replacement } Two primary methods: Virus Code Program Code Overwriting Virus Code Program Code Program Code 6

  7. Beginning of the File with Destructive Overwrite cont ’ d. } The file size change was only significant for stealthy viruses when first-generation anti-virus software depended on keeping track of file sizes } Both kinds of overwriting viruses can only be repaired by restoring files from a backup } E.g. the LoveLetter mass mailer worm, after replicating by email, overwrote every file on the system that had one of 32 file extensions: *.c, *.cpp, *.mp3, *.vbs, etc. } It had already replicated to other systems, so it no longer tried to remain stealthy; a common design for worms 7

  8. Loveletter screenshot 8

  9. Random File Location with Destr. Overwrite } The Russian Omud virus, also called 8888, overwrote at a random location in the *.exe file. } Anti-virus software must now search the entire file to find it; } this defeated early anti-virus software } Control might transfer to the virus during execution of the *.exe, or it might not, or program might crash; stealth came at a price! Random Overwriting Program Code Virus Code Program Code 9

  10. Appending Viruses } A jump, or tricky jump, to the virus address is overwritten on the first few bytes of the executable } Virus code is appended to the file } Overwritten instructions are saved in the virus } When the virus is about to terminate, it executes the saved instructions and jumps back to the spot that followed them } Application program functionality is preserved (stealth) } So common among DOS .COM files that it was called the normal COM virus technique; } Vienna and Suicide are famous examples of this kind of virus 10

  11. Appending Viruses } The jump, or tricky jump, is easily spotted by anti-virus software } The file size has changed Tricky Jump JUMP Program Code Program Code Virus Code 11

  12. Appending Viruses } The stealth depends on } executing the original application successfully when the virus code has finished, AND } not spending too long in the virus code } In order to execute the application successfully, the virus often } copies the application code into a temporary file, then } calls system() or a similar function to execute the contents of that file } Must pass original command-line arguments! 12

  13. Multiple Techniques } Many viruses implement, in one virus, several of the techniques we have studied } 1991 DOS normal COM example: Phantom } Appending COM file infector (normal COM) } Memory resident: installs itself into high DOS memory, reduces available memory by about 2KB, monitors system activity and infects COM files as they are executed } Hooks interrupts 20h and 21h in order to intercept COM file executions } Existed in multiple variants with different messages 13

  14. Phantom Visual Payload Amazing that the payload and the replication only took 2KB! Tight ASM programming. 14

  15. Cavity Viruses } Virus creators often search for space within a file that is filled with zeroes or ASCII blanks } These spaces, or cavities , can be filled with virus code without changing the file size } A single cavity might be big enough for the whole virus, or the virus might be distributed into multiple small cavities, loaded into memory by the virus loader code at the head of the virus, connected by jump instructions (a fractionated cavity virus) } Still need to reach the start of the virus with a jump, or modify the PE entry point 15

  16. Cavity Viruses } Jump, or modified PE entry point, detectable by anti- virus software } Disinfection can be difficult (was the original cavity full of zeroes, or ASCII blanks?) Tricky Jump JUMP Program Code Program Code Cavity Virus Code 16

  17. Compressing Viruses } Application code is compressed } Virus code plus decompressor code fits into the space that was saved } Can keep the file size from changing } Might not even change the entry point! PE Header PE Header Entry Point field (EP) Entry Point field (EP) Virus Code + decompressor() Program Code Program Code 17

  18. Compressing Viruses cont ’ d. } How can a compressing virus be detected and disinfected? } The virus code might even be compressed, so that only the decompressor code is recognizable as normal code } However, a self-extracting archive would have a similar appearance and be quite legitimate } File size and entry point could be unchanged } Application behavior could be preserved 18

  19. Detecting a Compressing Virus } When a virus outbreak occurs, reports come in to major anti- virus software vendors from their customers } More expensive system scans than are normal for a background anti-virus program might reveal that known applications now have unintelligible executables Disassembly tools are used to examine the code, and 1. human intelligence is needed to find the decompressor code 1. A copy of the virus code can be decompressed using the 2. decompressor The virus design is then figured out by walk-throughs 3. 19

  20. Detecting a Compressing Virus cont ’ d. } Which other files on the system are targeted for infection can now be determined by examining the virus code } A code pattern is devised that describes unique instruction sequences in the decompressor code } The system is scanned to verify that this code pattern is not found in uninfected files } The virus code pattern database is updated, and customers download the update } More on pattern recognition shortly } How can such a file be disinfected? 20

  21. Disinfecting a Compressing Virus } With the virus and decompressor understood, the decompressor algorithm can be applied to the compressed application code } The virus code and decompressor are removed } The anti-virus software might maintain a database of cryptographic checksums for application executables } If the disinfected application now matches its stored checksums, success is declared } Otherwise, restore the file from backup 21

  22. Entry-Point Obscuring (EPO) Viruses } Anti-virus software closely examines PE file headers, entry points, and the initial code executed at the entry point } A stealthy virus must be designed to avoid changes to any of these locations } An EPO virus obscures its own entry point by finding a call instruction in the targeted PE file and “ hijacking ” the call so that the virus code is called instead 22

  23. EPO Viruses cont ’ d } A function call within the application becomes a call to the virus code. PE Header PE Header EP EP Program Code Program Code Call whatzit Call virus .reloc section Virus Code 23

  24. EPO Viruses cont ’ d } The virus code saves the registers in order to preserve the parameters that were being passed. Also saves the original call target address. } When the virus finishes executing, } it restores the registers and } does a jump back to the original call target } Q: How does a virus find a call to hijack? 24

  25. EPO Viruses cont ’ d } How can a virus find a function call? } The binary opcodes can be scanned. However, constant data in the code section can happen to have the same value as a call opcode } The most well-designed viruses examine the field that gives the target of the call. } What does the virus do with this field? } How does this help the virus? If it points to an address that looks like a function prologue (e.g. push ebp; mov esp,ebp ) then the virus proceeds to hijack the call 25

  26. EPO Viruses cont ’ d } How can a virus find a function call? } The binary opcodes can be scanned. However, constant data in the code section can happen to have the same value as a call opcode } The most well-designed viruses examine the field that gives the target of the call. } What does the virus do with this field? } How does this help the virus? } If target points to an address that looks like a function prologue (e.g. push ebp; mov esp,ebp ) then the virus proceeds to hijack the call 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Week 10: File Management What is a file? Elements of file management File

Week 10: File Management What is a file? Elements of file management File

CPSC 410 / 611 : Operating Systems Week 10: File Management What is a file? Elements of file management File organization Directories File allocation UNIX file system Reading: Silberschatz, Chapter 10, 11

498 views • 13 slides
What if... There is no file with the name given to the File constructor: new File

What if... There is no file with the name given to the File constructor: new File

What if... There is no file with the name given to the File constructor: new File (IDontExist.txt); Throws FileNotFoundException 1 Handling Exceptions Call that throws the exception try { File f = new File (file.txt);

804 views • 8 slides
File Management What is a file? Elements of file management File organization

File Management What is a file? Elements of file management File organization

CPSC 410 / 611 : Operating Systems File Management File Management What is a file? Elements of file management File organization Directories File allocation What is a File? A file is a collection of data elements, grouped

817 views • 38 slides
CPSC 410/611: File Management What is a file? Elements of file management File

CPSC 410/611: File Management What is a file? Elements of file management File

CPSC 410 / 611 : Operating Systems CPSC 410/611: File Management What is a file? Elements of file management File organization Directories File allocation UNIX file system Reading: Silberschatz, Chapter 10, 11

186 views • 14 slides
The Road Ahead p2p file sharing techniques Downloading: Whole-file vs. chunks

The Road Ahead p2p file sharing techniques Downloading: Whole-file vs. chunks

CS 640: Introduction to Computer Networks Aditya Akella Lecture 24 - Peer-to-Peer The Road Ahead p2p file sharing techniques Downloading: Whole-file vs. chunks Searching Centralized index (Napster, etc.) Flooding

288 views • 10 slides
Virus Infection Techniques: Boot Record Viruses Bill Harrison CS4440/7440 Malware Analysis and

Virus Infection Techniques: Boot Record Viruses Bill Harrison CS4440/7440 Malware Analysis and

Virus Infection Techniques: Boot Record Viruses Bill Harrison CS4440/7440 Malware Analysis and Defense Reading } Start reading Chapter 4 of Szor 2 Virus Infection Techniques } We will survey common locations of virus infections: MBR (Master

727 views • 49 slides
File Systems: Semantics & Structure What is a File a file is a named collection of

File Systems: Semantics & Structure What is a File a file is a named collection of

5/15/2017 File Systems: Semantics & Structure What is a File a file is a named collection of information 11A. File Semantics primary roles of file system: 11B. Namespace Semantics to store and retrieve data 11C. File

352 views • 16 slides
File Systems: Semantics & Structure What is a File a file is a named collection of

File Systems: Semantics & Structure What is a File a file is a named collection of

5/16/2018 File Systems: Semantics & Structure What is a File a file is a named collection of information 11A. File Semantics primary roles of file system: 11B. Namespace Semantics to store and retrieve data 11C. File

373 views • 13 slides
CPSC 410/611: File Management What is a file? Elements of file management

CPSC 410/611: File Management What is a file? Elements of file management

CPSC 410 / 611 : Operating Systems File Management CPSC 410/611: File Management What is a file? Elements of file management File organization Directories File allocation Reading: Silberschatz,

546 views • 26 slides
File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System

File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System

File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System Performance Controlled Sharing Convenience: naming Reliability File System Workload File sizes Are most files small or large?

996 views • 62 slides
Implementation: Directory key ideas A file that contains a collection of mapping from file

Implementation: Directory key ideas A file that contains a collection of mapping from file

Implementation: Directory key ideas A file that contains a collection of mapping from file Directories name to file number file name file number Index structures /Users/lorenzo Documents 394 file number block Music 416 griso.jpg

288 views • 7 slides
File Management File Management File is a named collection of information The file

File Management File Management File is a named collection of information The file

File Management File Management File is a named collection of information The file manager administers the collection by: Storing the information a device Mapping the block storage to the logical view

461 views • 28 slides
What is a File? A file is a collection of data elements, grouped together for purpose of

What is a File? A file is a collection of data elements, grouped together for purpose of

CPSC-313: Introduction to Computer Systems UNIX I/O UNIX I/O Files and File Representation Basic operations: Reading / Writing Caching: File Open / Close Multiplexing: Select / Poll File Descriptors Reading: R&R,

391 views • 10 slides
~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE SYSTEM MOUNTING PROTECTION EXTERNAL VIEW OF THE FILE MANAGER FILE MANAGEMENT FILE, IS A NAMED AND ORDERED COLLECTION OF INFORMATION COMPUTER SHOULD

341 views • 33 slides
CS 241 Data Organization File IO April 12, 2018 File Pointers Opening a file returns a

CS 241 Data Organization File IO April 12, 2018 File Pointers Opening a file returns a

CS 241 Data Organization File IO April 12, 2018 File Pointers Opening a file returns a pointer to an object of type FILE This is a file pointer , also known as a stream . Default streams stdin , stdout , stderr are already open when

130 views • 8 slides
PHP include file 1 CS380 PHP Include File 2 Insert the content of one PHP file into another

PHP include file 1 CS380 PHP Include File 2 Insert the content of one PHP file into another

PHP include file 1 CS380 PHP Include File 2 Insert the content of one PHP file into another PHP file before the server executes it Use the include() generates a warning, but the script will continue execution require()

354 views • 31 slides
JavaScript Primer Arrays, Functions, Closures Arrays Arrays in JavaScript are a special type

JavaScript Primer Arrays, Functions, Closures Arrays Arrays in JavaScript are a special type

JavaScript Primer Arrays, Functions, Closures Arrays Arrays in JavaScript are a special type of object They work like regular object, except they have a length property Elements accessed using subscripting [index] syntax Length

554 views • 17 slides
ECE 2574: Data Structures and Algorithms - Stack ADT C. L. Wyatt Today we will defjne and use

ECE 2574: Data Structures and Algorithms - Stack ADT C. L. Wyatt Today we will defjne and use

ECE 2574: Data Structures and Algorithms - Stack ADT C. L. Wyatt Today we will defjne and use one of the most fundamental data structures in computing, a stack. Warmup Introduction to stacks Example: permutations Example: image

352 views • 33 slides
NetBeans JavaFX Composer in Action Creating Applications with Rich UI David Kaspar Software

NetBeans JavaFX Composer in Action Creating Applications with Rich UI David Kaspar Software

NetBeans JavaFX Composer in Action Creating Applications with Rich UI David Kaspar Software Engineer JavaOne|Oracle Develop NetBeans JavaFX Composer in Action Creating Applications with Rich UI Hands-on Lab: S313803 Introduction NetBeans

617 views • 46 slides
Software Engineering Large Practical: Android design principles and practice Stephen Gilmore (

Software Engineering Large Practical: Android design principles and practice Stephen Gilmore (

Software Engineering Large Practical: Android design principles and practice Stephen Gilmore ( Stephen.Gilmore@ed.ac.uk ) School of Informatics October 19, 2016 Contents Android design principles Material design Material design in

446 views • 28 slides
Lecture 23. Viruses and Secret Messages Remember sum.toy ? 0E starting address 0E: B001 R0

Lecture 23. Viruses and Secret Messages Remember sum.toy ? 0E starting address 0E: B001 R0

December 12, 1996 9:44 AM Lecture 23. Viruses and Secret Messages Remember sum.toy ? 0E starting address 0E: B001 R0 <- 01 R0 holds 1 0F: B10A R1 <- 0A R1 is n 10: B201 R2 <- 01 R2 is i 11: B300 R3 <- 00 R3 is sum 12:

412 views • 12 slides
Malware Overview Computer Security I CS461/ECE422 Spring 2012 Reading Material Chapter 6 of

Malware Overview Computer Security I CS461/ECE422 Spring 2012 Reading Material Chapter 6 of

Malware Overview Computer Security I CS461/ECE422 Spring 2012 Reading Material Chapter 6 of text Ken Thompson and Trojans http://cm.bell-labs.com/who/ken/trust.html Worm Anatomy and Model

848 views • 41 slides
Protection & Security Threat is potential security violation Attack is attempt to

Protection & Security Threat is potential security violation Attack is attempt to

CSE 421/521 - Operating Systems The Security Problem Fall 2011 Protecting your system resources, your files, identity, confidentiality, or privacy Lecture - XXVI Intruders (crackers) attempt to breach security Protection &

437 views • 5 slides
Shallow Security: on the Creation of Adversarial Variants to Evade Machine Learning-Based

Shallow Security: on the Creation of Adversarial Variants to Evade Machine Learning-Based

REVERSING AND OFFENSIVE-ORIENTED TRENDS SYMPOSIUM 2019 (ROOTS) 28TH TO 29TH NOVEMBER 2019, VIENNA, AUSTRIA Shallow Security: on the Creation of Adversarial Variants to Evade Machine Learning-Based Malware Detectors Fabrcio Ceschin Marcus

1.12k views • 59 slides

More recommend