  1. Malicious Code CS 419: Computer Information Security Kati Reiland Wed. March 5, 2003

  2. What I’ll Cover • Short Timeline of Malicious Code • Definition of Malicious Code • Closer Look at Viruses and Worms • A Specific Look at the LoveBug Virus

  3. Timeline • 1949: John von Neumann researches the theory of self-replicating programs • 1960: AT&T introduces the first commercial modem • 1969: Bell Labs (AT&T) begins developing UNIX, a multitasking operating system; ARPANET is launched • 1979: Xerox researchers implement a “worm” that searches the network for idle processors.

  4. Timeline • 1983: “Virus” is first used to describe software that affects other programs by modifying them to include a copy of itself. • 1988: Robert Morris releases a worm that spreads across ARPANET, disabling over 6,000 computers by flooding their memory with copies of itself. • 1991: Symantec releases the first version of Norton Anti-Virus; as of this talk (2003) it is still the #1 PC security product. • 1995: Microsoft releases Windows 95.

  5. Timeline • 1999: The “Melissa” virus infects thousands of computers. • 2000: The “I Love You” virus infects millions of computers in 24 hours. The author was a Filipino student; the Philippines had no laws against hacking or other computer crimes at the time, so he went unpunished. The Council of Europe's Convention on Cybercrime (the “Cybercrime Treaty”) is drafted; it opens for signature in 2001. • 2001: The Code Red worm infects IIS web servers on Windows NT and 2000, causing an estimated $2 billion in damages. • 2001: Nimda attacks using five different methods of infecting systems and replicating itself.

  6. Timeline • 2002: “Melissa” author David L. Smith is sentenced to 20 months in federal prison. • 2003 (January): The “Sapphire”/“Slammer” worm infects roughly 75,000 hosts, most of them within the first ten minutes.

  7. Malicious Code • Also called “malware”. Generally, “any unwanted, uninvited, potentially dangerous program or set of programs” (Norman Book on Computer Viruses, 2002). • General categories: • Virus: a program that replicates itself by infecting boot sectors, programs, or data files; it needs a host to carry it. • Worm: a self-contained program that spreads on its own across a network, without attaching itself to a host file. • Trojan Horse/Backdoor: a program that appears to be a useful or benign file/program but carries hidden functionality (a backdoor gives the attacker later access to the machine). • Denial-of-Service: software that does not harm the host directly but uses the host to disrupt other networked computers.

  8. Malicious Code, cont. • Hacking tools: assist the author in creating a virus/worm; do not cause any harm by themselves. • Bugs/Logic Bombs/Time Bombs: a bug is an unintended malfunction in otherwise usable code; a logic bomb or time bomb is deliberately planted code that stays dormant until a condition or date is met. • Hoax: generally a chain letter by email advising the removal of a needed system file. Does not actually replicate but “cons” the recipient into sending it on, believing they are doing good. • A combination of any or all of the above: most malicious code falls into this category. Ex. “ILoveYou” (spreads like a worm, overwrites files like a virus, and some variants drop a trojan).

  9. Why are these a security risk? • Data loss (viruses and worms overwrite or destroy files) • Downtime (cleanup, rebuilding systems, network congestion) • Loss of confidentiality (stolen data, e.g. from password-stealing trojans)

  10. Viruses and Worms • Types: • Binary file viruses/worms, ex. W95/CIH, also known as “Chernobyl” • Binary stream worms (exist only in memory and network traffic, never written to disk as a file), ex. Code Red • Script file viruses/worms, ex. ILoveYou • Macro viruses, ex. Melissa • Boot viruses, ex. AntiWin • Multipartite viruses (infect both boot sectors and program files), ex. Civil (Security Stats, 2002)

  11. Binary File Virus • A virus that attaches its code to a usable program file. • Six basic ways of attaching itself: companion, link, overwrite, insert, prepend and append. • Companion: the program file is left untouched; the virus is placed in the same folder under a name the OS will run first (e.g. PROGRAM.COM beside PROGRAM.EXE, since DOS runs a .COM before a .EXE of the same name). • Link: changes the file system's bookkeeping (e.g. the directory entry) so that the program name refers to the virus, which then runs the original program. • Overwrite: the virus replaces part or all of the original code, so the program usually no longer works. • Insert: the virus is written into the middle of the file (e.g. into unused space), leaving the rest intact. • Prepend: the virus code is placed before the original program, so it runs first and then hands control to the original. • Append: the virus code is added to the end of the file and the program's entry point is redirected to it.
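Added example (Python, not part of the original slides): a file-integrity check that tells these attachment styles apart by comparing each file against a known-good image. The “programs” and “payload” are constructed byte strings, the classification rules and the .COM-before-.EXE companion check are assumptions about how a baseline comparison would be done, and nothing here executes or is a real virus.

```python
import hashlib
import os
import tempfile

# Constructed stand-ins: not real executables, not a real virus.
CLEAN_PROGRAM = b"MZ" + b"\x90" * 40 + b"HELLO-FROM-PROGRAM" + b"\x00" * 20
PAYLOAD = b"<<synthetic payload bytes>>"


def classify_modification(baseline: bytes, current: bytes) -> str:
    """Compare a file against its known-good image and name the attachment
    style used: unchanged, prepend, append, insert or overwrite."""
    if current == baseline:
        return "unchanged"
    if len(current) > len(baseline):
        if current.endswith(baseline):
            return "prepend"        # payload, then the intact original
        if current.startswith(baseline):
            return "append"         # intact original, then payload
        # original split in two with the payload between the halves
        for cut in range(1, len(baseline)):
            if current.startswith(baseline[:cut]) and current.endswith(baseline[cut:]):
                return "insert"
    return "overwrite"              # original bytes destroyed, in whole or in part


def find_companions(directory: str) -> list[str]:
    """Companion infection: a PROGRAM.COM dropped next to PROGRAM.EXE.  DOS
    resolves a bare 'PROGRAM' to .COM before .EXE, so the .COM runs first."""
    names = {n.lower() for n in os.listdir(directory)}
    return sorted(n for n in names if n.endswith(".com") and n[:-4] + ".exe" in names)


def sha256_file(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def baseline_tree(directory: str) -> dict[str, str]:
    """Record one hash per file; a later check compares against this state."""
    return {n: sha256_file(os.path.join(directory, n)) for n in os.listdir(directory)}


def check_tree(directory: str, baseline: dict[str, str]) -> dict[str, str]:
    """Report every file whose hash changed or that appeared since the baseline."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if name not in baseline:
            findings[name] = "new file"
        elif sha256_file(os.path.join(directory, name)) != baseline[name]:
            findings[name] = "modified"
    return findings


def demo() -> dict:
    """Build a throw-away directory, modify copies of the clean program in
    different styles, and show what the check and the classifier report."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("calc.exe", "edit.exe", "game.exe"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(CLEAN_PROGRAM)
        baseline = baseline_tree(d)
        # simulate two attachment styles plus a companion drop
        with open(os.path.join(d, "calc.exe"), "wb") as f:
            f.write(PAYLOAD + CLEAN_PROGRAM)                           # prepend
        with open(os.path.join(d, "edit.exe"), "wb") as f:
            f.write(CLEAN_PROGRAM[:2] + PAYLOAD + CLEAN_PROGRAM[2:])   # insert
        with open(os.path.join(d, "game.com"), "wb") as f:
            f.write(PAYLOAD)                                           # companion
        changed = check_tree(d, baseline)
        styles = {}
        for name, why in changed.items():
            if why == "modified":
                with open(os.path.join(d, name), "rb") as f:
                    styles[name] = classify_modification(CLEAN_PROGRAM, f.read())
        return {"changed": changed, "styles": styles, "companions": find_companions(d)}


if __name__ == "__main__":
    print(demo())
```

A real integrity monitor would keep the baseline hashes off the monitored machine (a virus that can rewrite programs can rewrite a local hash file too) and would cover link infections by also recording directory metadata, which a content hash alone does not see.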

  12. Script File Viruses • Viruses that are pure text instructions interpreted by some associated program (the interpreter, not the file itself, is what executes). • Examples of scripting languages: • Visual Basic Script (VBScript): under Windows Scripting Host it can drive many Microsoft programs and OS functions (file system, registry, Outlook), so it is heavily used. • JavaScript: in the browser it has no file-system access, so there are not many viruses using it. • JScript: Microsoft's JavaScript dialect; run under Windows Scripting Host it has the same object access as VBS, so it is less often used than VBS but just as dangerous. • DOS BAT language / UNIX shell script: runs command-line commands on DOS / UNIX machines (respectively) without the user typing them. • IRC scripts: client scripting (e.g. mIRC) supports the automatic sending of files to other channel members. • Many others.

  13. Macro Viruses • Take advantage of the many applications that contain/use macro programming languages: • WordBasic (early versions of MS Word) • Visual Basic for Applications (VBA), which can be used to control almost anything on a Windows computer • The first class of viruses to affect the reliability of the information in data files (the document itself carries the code). • Sometimes used to create and/or execute other traditional viruses. • Highly dangerous. • As newer versions of Microsoft products were introduced, so were new versions of the macro language (WordBasic to VBA), so viruses written for one version often could not run in the next.

  14. Boot Viruses • Viruses that infect System Boot Sectors (SBS) and Master Boot Sectors (MBS). • MBS vs. SBS: a hard disk has one master boot sector (the MBR, which also holds the partition table) plus a system boot sector at the start of each bootable partition; floppy disks have only an SBS. • THE BOOT PROCESS • BIOS (Basic Input/Output System) • POST (Power-On Self Test) • Attempts to boot from floppy first (if one is in the drive), then from the hard disk • The boot sector code loads the OS • A boot virus generally infects the SBS of a floppy disk; when the machine attempts to boot from that floppy, the virus is loaded into memory, stays resident, and infects the system areas (MBS/SBS) of the hard drive. • Up until a couple of years ago, boot viruses were the most common viruses.
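Added example (Python, not part of the original slides): parsing a 512-byte MBR and auditing it against a trusted boot-code hash, which is how a boot-sector check can spot an infection that keeps the partition table intact (so the machine still boots) but replaces the code. The sample MBR, its stand-in boot code and the audit rules are constructed for this example; the layout it relies on (446 bytes of code, four 16-byte partition entries at offset 0x1BE, 0x55AA signature at byte 510) is the standard MBR format.

```python
import hashlib
import struct

SECTOR_SIZE = 512
CODE_SIZE = 446                 # boot code occupies bytes 0..445
TABLE_OFFSET = 0x1BE            # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510..511; the BIOS will not boot without it


def build_mbr(code: bytes, partitions: list[tuple[int, int, int, int]]) -> bytes:
    """Assemble a 512-byte MBR from boot code and (status, type, lba_start,
    sector_count) tuples.  CHS fields are zeroed; only LBA is used here."""
    if len(code) > CODE_SIZE or len(partitions) > 4:
        raise ValueError("boot code too long or too many partitions")
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        for status, ptype, lba, count in partitions
    )
    return code.ljust(CODE_SIZE, b"\0") + table.ljust(64, b"\0") + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into boot code, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, TABLE_OFFSET + 16 * i)
        if ptype != 0:                      # type 0 means an unused slot
            entries.append({"index": i, "active": status == 0x80, "type": ptype,
                            "lba_start": lba, "sectors": count})
    return {"code_sha256": hashlib.sha256(sector[:CODE_SIZE]).hexdigest(),
            "partitions": entries,
            "signature_ok": sector[510:] == BOOT_SIGNATURE}


def audit_mbr(sector: bytes, trusted_code_sha256: str) -> list[str]:
    """Findings a boot-sector check would raise.  A boot virus keeps the
    partition table (so the disk still boots) but replaces the code, so the
    decisive test is the hash of bytes 0..445 against a trusted baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if mbr["code_sha256"] != trusted_code_sha256:
        findings.append("boot code differs from trusted baseline")
    if sum(p["active"] for p in mbr["partitions"]) > 1:
        findings.append("more than one partition flagged active")
    for p in mbr["partitions"]:
        if p["lba_start"] == 0:
            findings.append(f"partition {p['index']} starts at LBA 0 (overlaps the MBR)")
    return findings


# Constructed sample: a stand-in for real boot code (not a working boot loader)
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"CLEAN BOOT CODE".ljust(441, b"\x90")
TRUSTED_HASH = hashlib.sha256(CLEAN_CODE.ljust(CODE_SIZE, b"\0")).hexdigest()
PARTITIONS = [(0x80, 0x07, 63, 2_000_000)]   # one active NTFS-type partition


def demo() -> dict:
    clean = build_mbr(CLEAN_CODE, PARTITIONS)
    # simulate infection: code replaced, partition table kept intact
    infected = build_mbr(b"VIRUS STUB".ljust(CODE_SIZE, b"\xcc"), PARTITIONS)
    return {"clean": audit_mbr(clean, TRUSTED_HASH),
            "infected": audit_mbr(infected, TRUSTED_HASH),
            "partitions": parse_mbr(clean)["partitions"]}


if __name__ == "__main__":
    print(demo())
```

On a live machine the sector would be read from the raw disk device; the trusted hash has to come from a known-clean boot (or from the OS vendor's boot code) and be stored somewhere the virus cannot rewrite, since a resident boot virus can also intercept disk reads and hand back the original sector.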

  15. ILoveYou: The Love Letter Virus • May 4–8, 2000: CERT reports over 500,000 individual systems infected. • Spreads most commonly through an email attachment (LOVE-LETTER-FOR-YOU.TXT.vbs), but also through IRC, Windows file sharing, and USENET news. • Overwrites all files with the extensions *.vbs, *.vbe, *.doc, *.txt, *.js, *.jse, *.css, *.wsh, *.sct, *.hta, *.jpg, *.jpeg, *.mp3, *.mp2 and others with a copy of itself, adding a .vbs extension while keeping the file name (e.g. photo.jpg becomes photo.jpg.vbs).

  16. VBS/ILOVEYOU: “LoveBug” • Any up-to-date anti-virus product should catch it. • Mitigation: disable Windows Scripting Host and IE's Active Scripting, though this also disables legitimate functionality that depends on them. • There are currently 82 known variants of the original (Symantec Corp.). • Some variants attempt to download a password-stealing trojan from a web page.

  17. What it does • Sets the Windows Scripting Host timeout to zero (so the script is never killed for running too long). • Attempts to mail itself to the entries in the Outlook address book via Microsoft Outlook: • Subject: ILOVEYOU • Body: kindly check the attached LOVELETTER coming from me • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs • Searches all network and local drives for files with the previously listed extensions. • Overwrites these files with a copy of itself.

  18. What it does, cont. • Places a copy of itself in the Windows system directory, named mskernel32.vbs, win32dll.vbs, or love-letter-for-you.txt.vbs. • Changes the IE home page to a URL beginning with • If mIRC is installed, overwrites its script.ini (which is how it spreads over IRC). • Attempts to create an HTML file with the VBS script embedded.
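Added example (Python, not part of the original slides) serving both the script/macro virus slides above and the LoveBug description: a scanner that walks a directory tree for the indicators the slides describe (double extensions such as photo.jpg.vbs, the dropper names in the system directory, a rewritten mIRC script.ini) and runs simple content heuristics over script and macro source (Outlook automation, FileSystemObject use, the WSH timeout registry key, Office auto-run macro names). The sample tree, its file contents and the heuristic patterns are constructed assumptions for this example, not signatures taken from any real sample.

```python
import os
import re
import tempfile

# From the slides: extensions the worm overwrites.  The victim keeps its name
# and gains a .vbs extension, e.g. photo.jpg becomes photo.jpg.vbs.
TARGET_EXTENSIONS = {"vbs", "vbe", "doc", "txt", "js", "jse", "css", "wsh",
                     "sct", "hta", "jpg", "jpeg", "mp3", "mp2"}
# From the slides: names the dropped copy takes in the Windows system directory.
DROPPER_NAMES = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs"}
# Assumed content heuristics (not real signatures): the capabilities the
# "What it does" slides describe, plus Office auto-run names a macro virus
# needs in order to start when a document is opened.
SCRIPT_PATTERNS = {
    "outlook automation": re.compile(r'CreateObject\s*\(\s*"Outlook\.Application"', re.I),
    "filesystem access": re.compile(r'"Scripting\.FileSystemObject"', re.I),
    "WSH timeout tampering": re.compile(r"Windows Scripting Host\\Settings\\Timeout", re.I),
    "writes mIRC script.ini": re.compile(r"script\.ini", re.I),
    "Office auto-run macro": re.compile(r"\b(AutoOpen|AutoExec|AutoClose|Document_Open|Workbook_Open)\b"),
}
SCRIPT_SUFFIXES = (".vbs", ".vbe", ".js", ".jse", ".bas")
# Assumed heuristic for a tampered mIRC config: script.ini naming a script or HTML file.
MIRC_PATTERN = re.compile(r"\.(vbs|htm|html)\b", re.I)


def has_double_vbs_extension(name: str) -> bool:
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] == "vbs" and parts[-2] in TARGET_EXTENSIONS


def scan_script_text(text: str) -> list[str]:
    return [label for label, pat in SCRIPT_PATTERNS.items() if pat.search(text)]


def scan_tree(root: str) -> list[tuple[str, str]]:
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            low = name.lower()
            if low in DROPPER_NAMES:
                findings.append((rel, "known dropper filename"))
            if has_double_vbs_extension(low):
                findings.append((rel, "victim file renamed with .vbs extension"))
            if low.endswith(SCRIPT_SUFFIXES) or low == "script.ini":
                with open(path, encoding="utf-8", errors="replace") as f:
                    text = f.read()
                if low == "script.ini":
                    if MIRC_PATTERN.search(text):
                        findings.append((rel, "mIRC script.ini references a script/HTML file"))
                else:
                    findings.extend((rel, label) for label in scan_script_text(text))
    return sorted(findings)


# Constructed sample files: inert text that only looks like the indicators.
SAMPLE_FILES = {
    "sys/mskernel32.vbs": (
        "' constructed stand-in; never executed by this example\n"
        'Set fso = CreateObject("Scripting.FileSystemObject")\n'
        'Set app = CreateObject("Outlook.Application")\n'
        'key = "HKCU\\Software\\Microsoft\\Windows Scripting Host\\Settings\\Timeout"\n'
    ),
    "docs/photo.jpg.vbs": "' constructed placeholder for an overwritten picture\n",
    "docs/notes.txt": "just a text file, should not be flagged\n",
    "macros/report.bas": "Sub AutoOpen()\n    ' constructed macro stub\nEnd Sub\n",
    "mirc/script.ini": "[script]\nn0=; constructed: sends love-letter-for-you.htm\n",
}


def demo() -> list[tuple[str, str]]:
    """Write the constructed tree to a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, text in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as f:
                f.write(text)
        return scan_tree(root)


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{path}: {finding}")
```

Filename and keyword heuristics like these are cheap to run and cheap to evade (the 82 variants mentioned above are largely renamed or lightly edited copies), so they belong alongside, not instead of, the signature-based anti-virus and the WSH/Active Scripting hardening on the previous slide.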

  19. References • About Viruses. Panda Software. • Anti-virus Round-up (January–June 2000). Sophos Anti-Virus, July 2000. • Antivirus Software Ratings. Consumer Reports, June 2002. • CERT Love Letter Advisory. CERT Coordination Center. • Computer Virus Timeline. • Cyberspace Invaders. Consumer Reports, June 2002. • History of Computer Viruses. Discovery Channel. • Kaliciak, Paul. ILOVEYOU Email Virus Floods Internet. Discovery Channel. • Kaspersky, Eugene. Computer Viruses. • McAfee Antivirus. • Norman Book on Computer Viruses. Norman ASA, October 2001. • Sophos Anti-Virus. • Stupid Virus Tricks. Consumer Reports, June 2002. • Symantec Corporation. Virus Encyclopedia. • Virus Related Statistics.