
Malicious Logic

Malicious Logic. CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 25, 2004. Overview. Trojan Horses Viruses Other Malicious Logic. Trojan Horses. Overt effect: intended Covert effect: unexpected Propagating: creates a copy of itself Example: Unix login.


Presentation Transcript


  1. Malicious Logic CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 25, 2004

  2. Overview • Trojan Horses • Viruses • Other Malicious Logic

  3. Trojan Horses • Overt effect: intended • Covert effect: unexpected • Propagating: creates a copy of itself • Example: Unix login

  4. Computer Viruses • Definition: A computer virus is a program that inserts itself into one or more files and then performs some (possibly null) action.

  5. Boot Sector Infectors • Inserts itself into boot sector of a disk • Executes when disk is read • Moves real boot sector to another location on disk

  6. Executable Infectors • Infects executable programs • Places its code at beginning of executable segment • Example: Jerusalem Virus

  7. Jerusalem Virus (1/3) • Puts 0E0H into register ax • Invokes DOS service interrupt • If high 8 bits of ax contain 03H, system is already infected: quits and invokes original program • Otherwise, gets ready to trap calls to DOS service interrupt vector

  8. Jerusalem Virus (2/3) • Check the year • If 1987 do nothing • Else, if not Friday the 13th sets up to respond to clock interrupts • Loads and executes original program • Stays in memory waiting for DOS service interrupt

  9. Jerusalem Virus (3/3) • If Friday the 13th and not 1987 • Sets flag in memory to be destructive: will delete files instead of infecting them. • Once in memory, all calls to DOS service interrupt are checked: • Infects or deletes as per memory flag • Preserves date and time of modification when infecting

  10. Multipartite Viruses • Can infect either boot sectors or applications • Has 2 parts, one for boot records, one for executable files

  11. Terminate and Stay Resident (TSR) Viruses • Stays active (resident) in memory after the application has terminated. • Example: Jerusalem Virus

  12. Stealth Viruses • Conceal the infection of files • Intercept calls to file access routines • read requests: disinfect as data is returned • execute requests: infected file is executed

  13. Encrypted Viruses • Enciphers all of the virus code except for a small decryption routine • Prevents pattern-matching virus detectors from recognizing virus

  14. Polymorphic Viruses • Changes its form each time it inserts itself into another program • May be used with encryption to change pattern of decryption routine

  15. Macro Viruses • Sequence of instructions that is interpreted rather than executed directly • Example: VB viruses

  16. Computer Worms • Program that copies itself from one computer to another • Usual intent is to propagate without causing additional harm • Example: Internet Worm of 1988

  17. Rabbits and Bacteria • Program that absorbs all of some class of resource • May not consume all resources, just all of a particular class

  18. Logic Bombs • Program that performs an action that violates the security policy when some external event occurs • May be linked to termination of an employee
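
Slides 13 and 14 from a detector's point of view, as an added example that is not part of the original lecture: a pattern-matching scanner misses an XOR-enciphered body, still matches the constant decryption stub (the weakness polymorphism removes), and can recover a fixed single-byte key by "X-ray" scanning, which goes one step beyond the slides. All byte strings are constructed, inert placeholders, and the names `scan`, `xray_scan` and `make_sample` are hypothetical.

```python
"""Constructed demo: signature scanning vs. a single-byte XOR-enciphered body."""
from typing import Optional, Set, Tuple

# Inert placeholder bytes standing in for a virus body and its decryption
# stub. They are constructed for this example and are not executable code.
BODY = b"INERT-SAMPLE-BODY-0123456789"
STUB = b"\x90STUB-DECRYPT-LOOP\x90"
HOST = b"MZ-host-program-bytes"

# Byte patterns a pattern-matching detector would look for.
SIGNATURES = {"body": b"SAMPLE-BODY", "stub": b"STUB-DECRYPT"}


def xor(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (key 0 leaves data unchanged)."""
    return bytes(b ^ key for b in data)


def make_sample(key: Optional[int]) -> bytes:
    """Build a test buffer: plaintext body, or stub + enciphered body."""
    if key is None:
        return BODY + HOST
    return STUB + xor(BODY, key) + HOST


def scan(buf: bytes, names: Tuple[str, ...] = ("body",)) -> Set[str]:
    """Plain pattern matching: report which named signatures occur in buf."""
    return {n for n in names if SIGNATURES[n] in buf}


def xray_scan(buf: bytes, name: str = "body") -> Optional[int]:
    """Search for the signature under every single-byte XOR key.

    XORing the short signature (not the whole buffer) keeps this cheap.
    Returns the key that reveals the signature (0 = plaintext), else None.
    """
    sig = SIGNATURES[name]
    for key in range(256):
        if xor(sig, key) in buf:
            return key
    return None


if __name__ == "__main__":
    for key in (None, 0x5A, 0xC3):
        s = make_sample(key)
        print(key, scan(s), scan(s, ("body", "stub")), xray_scan(s))
```

X-ray scanning only works here because the cipher is a fixed single-byte XOR; it is shown as one detector-side response, not as a general answer to polymorphic code.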
