Chapter04_Malware-Malicious_Software_1
Stuxnet
Target: a top-secret Iranian nuclear facility
Stuxnet showed, for the first time, that a cyber attack could cause significant physical damage to a facility.
Malware
Programming (code, scripts, active content and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, or perform other abusive behaviour.
Classification
propagation
- Virus: human-assisted propagation (e.g., open email attachment)
- Worm: automatic propagation without human assistance
concealment
- Trojan: provides desirable functionality but hides malicious operation
- Rootkit: modifies operating system to hide its existence
Insider Attack (a deliberately planted vulnerability; an attack from inside the organization)
a security breach that is caused or facilitated by someone who is a part of the very organization that controls or builds the asset that should be protected.
In the case of malware, an insider attack refers to a security hole that is created in a software system by one of its programmers.
Backdoor (trapdoor)
a hidden feature or command in a program that allows a user to perform actions he or she would not normally be allowed to do.
Debugging backdoors
Some backdoors are put into programs for debugging purposes, to give support staff a bypass mechanism when a user hits an emergency problem. A debugging backdoor left in shipped code is a hidden credential or command that anyone who learns of it can use, so it must be removed before release.
Deliberate Backdoors
Easter Eggs
- Software may include hidden features that can be accessed similarly to backdoors, known as Easter eggs.
- Intended to be harmless (a joke or a credits screen), but the same hidden-trigger mechanism would carry a malicious payload just as well.
Logic Bomb
A logic bomb is a program, or a fragment planted in a program, that performs a malicious action once a certain logic condition becomes true.
Usually the condition is something the insider can still affect, or that will simply occur, once he or she is no longer an insider (a particular date arriving, or the insider's own account no longer existing).
The Y2K (Year 2000) problem: a date-triggered failure, cited here as an example of condition-triggered behaviour; it was a programming shortcut rather than deliberate malice.
Omega Engineering logic bomb
July 31, 1996: a time bomb planted by Tim Lloyd, a recently dismissed employee, deleted the company's manufacturing software and caused millions of dollars in damages.
Defenses against insider attacks
- Avoid single points of failure.
- Let no one person be the only one who creates backups or manages critical systems.
- Use code walk-throughs.
- Have each programmer present his or her source code to another programmer, line by line, to identify any missing conditions or undetected logic errors.
- Use archiving and reporting tools.
- Software engineering tools, such as version control and automatic documentation generators, record who changed what and when, so an insider's modifications can be traced.
- Limit authority and permissions.
- Least privilege principle: each person gets only the access his or her job requires.
- Physically secure critical systems.
- Locked rooms, with redundant HVAC and power systems, protected against flood and fire.
- Monitor employee behavior.
- Be especially on the lookout for disgruntled system administrators and programmers.
- Control software installations.
- Limit new software installations to reviewed, approved software.
Virus
Computer code that can replicate itself by modifying other files or programs to insert code that is capable of further replication.
Requires some type of user assistance to spread (running an infected program, booting from an infected disk, opening an attachment).
Virus Phases
- dormant phase
- The virus is idle, waiting for an event (a date, the presence of another program or file, disk capacity exceeding a limit) that activates it. Not all viruses have this phase.
- propagation phase
- The virus places a copy of itself into other programs or into system areas on disk.
- triggering phase
- The virus is activated to perform the function for which it was intended.
- execution phase
- The payload runs, anything from a harmless message on screen to the destruction of programs and data files.
Common Virus Types
- Boot Sector Infectors
- The boot sector is the part of a disk used to bootstrap the system or mount a disk; the virus inserts itself into the boot sector so that it runs before the operating system does.
- Example: Brain virus
- Moves the disk interrupt vector (int 0x13) to vector 0x6D and sets the disk interrupt vector to invoke the Brain virus.
- If the word at offset 4 of a newly accessed disk's boot sector is 0x1234, the boot continues normally (the disk is already infected). If not, the disk is infected.
- The infection sometimes overwrites sectors that are in use, hence the occasionally destructive nature of the Brain virus.
- Executable Infectors
- Executable infector: a virus that infects executable programs by prepending or appending itself to the executable.
- Example: Jerusalem virus (Oct 1, 1987; one of the oldest viruses). It considerably slowed down the machine; a person could identify the virus by noticing two lines on the monitor.
- If it is Friday the 13th and the year is not 1987, the virus sets a flag in memory to delete files instead of infecting them.
- Once in memory, the virus checks all calls to the DOS service interrupt (int 0x21), looking for files about to be executed.
- The virus checks the file name, and deletes the file if the destruct flag is set (except for COMMAND.COM).
- Otherwise the virus checks the last five bytes of the file:
- If they are the string MsDos, the file is already infected.
- If not, the virus checks whether the file name ends in E or M, in which case it infects the file (assuming it is a COM or EXE file).
- Example: CIH virus
- CIH, also called Chernobyl (1998, Taiwan)
- Trigger: April 26th, or the 26th of any month (depending on the virus version)
- Overwrote data on the hard disk of the infected PC
- Overwrote the flash BIOS of the infected computer (on boards whose BIOS could be rewritten from software), thus preventing boot-up
- Multipartite Viruses
- A virus that can infect either boot sectors or applications.
- The virus typically has two parts, one for each type of target.
- First multipartite virus: Ghostball, discovered by Fridrik Skulason in October 1989.
- TSR (Terminate and Stay Resident) Viruses
- Stays active (resident) in memory after the host application (or the bootstrap or disk-mount code) has terminated, typically by hooking an interrupt vector so that it is re-entered on every later system call.
- Examples: Brain, Jerusalem
- Non-TSR viruses execute only while the host application is executing.
- Stealth Viruses
- Conceal the infection of files.
- Intercept calls to the OS that access files:
- If the call is for file attributes, the original (uninfected) attributes are returned.
- If the call is to read the file, the uninfected version is returned.
- If the call is to execute the file, the infected file is executed.
- Consequence: a scanner running on the infected system sees clean files; scanning from a clean boot medium bypasses the resident interception.
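The Brain, TSR and stealth mechanics described above, as one added simulation (example code written for these notes, not code from the page or from any real virus): the interrupt vector table is a Python list, a sector is a bytearray, the infection marker and vector numbers (0x1234 at offset 4, int 0x13 saved at 0x6D) are the ones the notes give, and the choice to stash the clean boot sector in sector 1 and the "VIRUSTSR" tag are assumptions. It shows why a scan through the hooked BIOS service reports a clean disk while a raw scan, or a check on the vector table itself, does not.

```python
"""Constructed model of a boot-sector TSR virus with stealth, in the spirit of
Brain: sectors are bytearrays, the interrupt vector table is a list of
callables, and the "virus body" is a plain ASCII tag. No real virus code."""
import struct

SECTOR = 512
INT_DISK = 0x13           # BIOS disk service vector that the virus hooks
INT_SAVED = 0x6D          # where Brain parks the original int 0x13 vector
INFECT_MARKER = 0x1234    # word at offset 4 of the boot sector: "already infected"
STASH_SECTOR = 1          # assumption: the original boot sector is moved here


class Disk:
    """Two-sector floppy model: sector 0 boots, sector 1 is free space."""
    def __init__(self, boot_code):
        self.sectors = [bytearray(boot_code.ljust(SECTOR, b"\x00")),
                        bytearray(SECTOR)]

    def marker_present(self):
        return struct.unpack_from("<H", self.sectors[0], 4)[0] == INFECT_MARKER


def bios_disk_service(op, disk, sector, data=None):
    """The clean int 0x13 handler: raw sector read/write, nothing hidden."""
    if op == "read":
        return bytes(disk.sectors[sector])
    disk.sectors[sector][:] = data
    return b""


class InterruptTable:
    def __init__(self):
        self.vectors = [None] * 256
        self.vectors[INT_DISK] = bios_disk_service

    def call(self, number, *args):
        return self.vectors[number](*args)


class BrainLikeTSR:
    """Going resident = saving the old int 0x13 vector at 0x6D and pointing
    int 0x13 at the virus. Every disk access then (1) infects a disk without
    the marker and (2) answers reads of sector 0 with the stashed clean copy."""
    def __init__(self, ivt):
        self.ivt = ivt
        ivt.vectors[INT_SAVED] = ivt.vectors[INT_DISK]
        ivt.vectors[INT_DISK] = self.handler

    def handler(self, op, disk, sector, data=None):
        original = self.ivt.vectors[INT_SAVED]
        if not disk.marker_present():
            clean = original("read", disk, 0)
            original("write", disk, STASH_SECTOR, clean)
            infected = bytearray(clean)
            struct.pack_into("<H", infected, 4, INFECT_MARKER)
            infected[6:14] = b"VIRUSTSR"      # stand-in for the virus body
            original("write", disk, 0, bytes(infected))
        if op == "read" and sector == 0:
            return original("read", disk, STASH_SECTOR)   # stealth: show the clean sector
        return original(op, disk, sector, data)


def scan_via_bios(ivt, disk):
    """An on-line scanner reads sector 0 through the (possibly hooked) vector."""
    sector0 = ivt.call(INT_DISK, "read", disk, 0)
    return struct.unpack_from("<H", sector0, 4)[0] == INFECT_MARKER


def scan_raw(disk):
    """A scanner started from clean boot media has no resident hook in the way."""
    return disk.marker_present()


def int13_hooked(ivt):
    """Integrity check on the vector table: int 0x13 must still be the BIOS entry."""
    return ivt.vectors[INT_DISK] is not bios_disk_service


def demo():
    ivt = InterruptTable()
    floppy = Disk(b"\xEB\x3C\x90CLEANBOOT")    # constructed clean boot sector
    before = scan_via_bios(ivt, floppy)
    BrainLikeTSR(ivt)                          # the virus goes resident
    ivt.call(INT_DISK, "read", floppy, 0)      # the next disk access infects the floppy
    return {"before": before,
            "raw": scan_raw(floppy),
            "via_hooked_bios": scan_via_bios(ivt, floppy),
            "int13_hooked": int13_hooked(ivt)}


if __name__ == "__main__":
    print(demo())   # {'before': False, 'raw': True, 'via_hooked_bios': False, 'int13_hooked': True}
```

The two detection routes at the end are the practical point: `scan_via_bios` is what an on-line scanner gets once the virus is resident, `scan_raw` is what a clean-boot scan gets, and `int13_hooked` is the cheap check that a vector no longer points where the BIOS put it.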
- Encrypted Viruses
- A virus that enciphers all of its code except for a small decryption routine.
- Anti-virus software looks for known sequences of code. To defeat this, such viruses encipher most of their code with a key chosen at random for each new copy, leaving only the small decryption routine and the key in the clear. The decryption routine itself is still constant, so it becomes the signature.
- Polymorphic Viruses
- A virus that changes its form each time it inserts itself into another program.
- Used to hide the decryption code: the decryptor is rewritten for each copy (instruction reordering, inserted junk instructions, different registers) so that no fixed byte sequence remains to match.
- Considered a kind of encrypted virus.
Macro Viruses
- A virus composed of a sequence of instructions that is interpreted (by an application's macro language) rather than executed directly; in other words, a virus written in a macro language.
- Example: Melissa virus (affected Word 97/98; written in Visual Basic; March 26, 1999)
- If launched, the macro copies itself into the Normal template, so that any document opened afterwards is infected.
- It then starts Microsoft Outlook and sends copies of the infected document as an attachment to up to 50 people in Outlook's address book.
- Example: The Love Bug
- The virus circulated through e-mail and affected many users. If run, it overwrote .jpg, .mp3 and other file types and attempted to send a copy of itself to everyone in the recipient's address book.
- The e-mail carrying the virus typically had the subject line "ILOVEYOU". Inside was a short message, "Kindly check the attached LOVELETTER coming from me", and an attachment named LOVE-LETTER-FOR-YOU.txt.vbs (a double extension: a .vbs script disguised as a text file).
- Panda Burning Incense virus (熊猫烧香): Li Jun, China, 2006-2007
- Once a computer was infected, the desktop icon of every executable file, such as Microsoft Word, changed into a picture of a panda holding three sticks of incense.
- The virus spread in a variety of ways and also had functions to steal online game accounts, QQ accounts and the like.
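Two mail-side checks for the mass-mailer traits in the Melissa and Love Bug descriptions above, as an added example (written for these notes, not code from the page or from any mail product): a gateway rule that quarantines a script attachment hiding behind a double extension, and a log check that flags one sender pushing the same attachment to many recipients. The raw message and the outbound log are constructed for the example; the extension lists, the 50-recipient threshold and the log line format are assumptions.

```python
"""Constructed mail-gateway checks for the two mass-mailer traits described
above: a script attachment disguised with a double extension (Love Bug) and
one sender pushing the same attachment to many recipients (Melissa)."""
import email
import re
from collections import defaultdict
from email import policy

SCRIPT_SUFFIXES = {".vbs", ".js", ".exe", ".scr", ".bat", ".com", ".pif"}
DECOY_SUFFIXES = {".txt", ".jpg", ".doc", ".pdf"}   # the disguise half of a double extension
MASS_MAIL_THRESHOLD = 50                             # Melissa's address-book batch size

# Constructed message modelled on the page's description; the "script" is a comment line.
RAW_MESSAGE = """\
From: someone@example.com
To: victim@example.com
Subject: ILOVEYOU
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

kindly check the attached LOVELETTER coming from me.
--b1
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"

' placeholder text standing in for the script body
--b1--
"""

# Constructed outbound mail log: one sender, the same attachment, 50 recipients.
SENT_LOG = [f"1999-03-26T14:02:{i:02d} from=alice@example.com to=user{i}@example.com attach=LIST.DOC"
            for i in range(50)]
SENT_LOG.append("1999-03-26T14:05:00 from=bob@example.com to=carol@example.com attach=budget.xls")
LOG_RE = re.compile(r"from=(?P<frm>\S+) to=(?P<to>\S+) attach=(?P<att>\S+)")


def classify_attachment(filename):
    """Reasons to quarantine an attachment, judged from its name alone."""
    parts = filename.lower().split(".")
    reasons = []
    if len(parts) >= 2 and "." + parts[-1] in SCRIPT_SUFFIXES:
        reasons.append("executable/script extension ." + parts[-1])
    if len(parts) >= 3 and "." + parts[-2] in DECOY_SUFFIXES:
        reasons.append("double extension disguised as ." + parts[-2])
    return reasons


def scan_message(raw):
    """Parse a raw RFC 822 message and return (filename, reason) findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        findings.extend((name, reason) for reason in classify_attachment(name))
    return findings


def mass_mail_senders(sent_log, threshold=MASS_MAIL_THRESHOLD):
    """(sender, attachment) pairs that reached at least `threshold` distinct recipients."""
    recipients = defaultdict(set)
    for line in sent_log:
        m = LOG_RE.search(line)
        if m:
            recipients[(m["frm"], m["att"])].add(m["to"])
    return sorted(pair for pair, tos in recipients.items() if len(tos) >= threshold)


if __name__ == "__main__":
    print(scan_message(RAW_MESSAGE))
    print(mass_mail_senders(SENT_LOG))
```

The name check deliberately ignores the declared MIME type: the Love Bug attachment was served as a generic binary, and what made users run it was the ".txt" in the middle of the name.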
Virus Countermeasures
- detection
- identification
- removal
Anti-Virus Evolution
First generation: signature scanners
- A scanner requires a virus signature to identify a virus.
- The virus may contain "wildcards" but has essentially the same structure and bit pattern in all copies.
- Such signature-specific scanners are limited to the detection of known viruses.
Second generation: heuristics
- The scanner uses heuristic rules to search for probable virus infection, e.g. looking for fragments of code that are often associated with viruses (such as the decryption loop of an encrypted virus).
- Another second-generation approach is integrity checking: a cryptographic hash of each program is recorded while the system is clean and recomputed later. A hash function is used rather than a simpler checksum because a virus can pad a file so that a checksum still matches.
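The interplay between the encrypted and polymorphic viruses described earlier and the first two scanner generations, as one added example (written for these notes; not code from the page, and the "virus body", decryptor mnemonics and junk ops are constructed ASCII tags, not real code): a wildcard signature catches the plain copy, the constant decryptor is the only signature left on the encrypted copy, the polymorphic copy defeats both, and integrity checking catches all three because it compares against the clean file instead of looking for virus structure. The `emulated_scan` function goes beyond the page: it sketches how a heuristic scanner that recognises the decryption loop can run the decryption itself.

```python
"""Constructed demonstration: a first-generation signature scanner with
wildcards, an encrypted and a polymorphic copy of the same "virus body"
(an ASCII tag, not malware), and a second-generation integrity check."""
import hashlib
import secrets

VIRUS_BODY = b"INFECT:copy-self-to-host;TRIGGER:fri13;PAYLOAD:delete"

# Signature as a byte list; None is a wildcard matching any one byte.
BODY_SIG = list(b"INFECT:") + [None] * 4 + list(b"-self")

# Constructed decryptor "instructions" and do-nothing filler (not real opcodes).
DECRYPTOR_OPS = [b"<LOADKEY>", b"<XORLOOP>", b"<JMPBODY>"]
DECRYPTOR_SIG = list(b"".join(DECRYPTOR_OPS))
JUNK_OPS = [b"<NOP>", b"<PUSH-POP>", b"<XCHG-SELF>"]


def signature_match(data, sig):
    """Return True if `sig` occurs in `data` (wildcards allowed)."""
    n = len(sig)
    for i in range(len(data) - n + 1):
        if all(s is None or s == data[i + j] for j, s in enumerate(sig)):
            return True
    return False


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def infect_plain(host):
    """Unencrypted: every copy carries the same bytes, so BODY_SIG matches."""
    return host + VIRUS_BODY


def infect_encrypted(host, key):
    """Encrypted: constant decryptor, one key byte in the clear, enciphered body.
    The body varies per key, but the decryptor is still a fixed byte string."""
    return host + b"".join(DECRYPTOR_OPS) + bytes([key]) + xor_bytes(VIRUS_BODY, key)


def infect_polymorphic(host, key):
    """Polymorphic: the same decryptor logic, but junk ops inserted before each
    real op so the decryptor's byte pattern differs from copy to copy too."""
    stub = b""
    for op in DECRYPTOR_OPS:
        stub += secrets.choice(JUNK_OPS) * (1 + secrets.randbelow(2)) + op
    return host + stub + bytes([key]) + xor_bytes(VIRUS_BODY, key)


def emulated_scan(data):
    """Heuristic scan (added idea, beyond the page): recognise the decryption
    loop, run the decryption ourselves, then signature-scan the plaintext."""
    pos = data.find(b"<JMPBODY>")
    if pos < 0:
        return False
    key_pos = pos + len(b"<JMPBODY>")
    return signature_match(xor_bytes(data[key_pos + 1:], data[key_pos]), BODY_SIG)


def baseline(files):
    """Integrity checking: record a cryptographic hash per file name."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def changed_files(files, base):
    return sorted(name for name, data in files.items()
                  if hashlib.sha256(data).hexdigest() != base.get(name))


def demo(key=None):
    host = b"MZ\x90\x00HELLO-HOST-PROGRAM"     # constructed clean executable
    if key is None:
        key = 1 + secrets.randbelow(255)       # random key per infection, never 0
    samples = {"plain.exe": infect_plain(host),
               "encrypted.exe": infect_encrypted(host, key),
               "polymorphic.exe": infect_polymorphic(host, key)}
    base = baseline({name: host for name in samples})   # hashes taken while clean
    return {name: {"body_sig": signature_match(data, BODY_SIG),
                   "decryptor_sig": signature_match(data, DECRYPTOR_SIG),
                   "emulated": emulated_scan(data),
                   "integrity_changed": name in changed_files({name: data}, base)}
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The integrity column is the one to notice: it is the only check that does not need to know anything about the virus, which is exactly why the stealth viruses above go to the trouble of returning the clean file to whoever reads it.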
Third generation: identify actions
- Memory-resident programs that identify a virus by its actions rather than by its structure in an infected program.
- Advantage: no signature or heuristic needs to be developed for each new virus; it suffices to identify the small set of actions that indicate an infection is being attempted, and then intervene.
Fourth generation: combination packages
- Packages consisting of a variety of antivirus techniques used in conjunction.
- These include scanning and activity-trap components.
- In addition, such a package includes access control capability, which limits the ability of viruses to penetrate a system and then limits the ability of a virus to update files in order to pass on the infection.
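A third-generation activity trap and a fourth-generation access-control layer, as one added example (written for these notes, not code from the page or any product): it runs over a constructed trace of process actions and alerts on the actions the viruses above actually take, i.e. hooking the disk or DOS service interrupt (Brain, Jerusalem), rewriting pre-existing .COM/.EXE files (Jerusalem), and writing the boot sector (Brain). The trace, the "three executables" threshold and the allow-listed installer name are assumptions.

```python
"""Constructed activity trap: a behaviour monitor over a trace of system calls.
Instead of matching bytes, it watches for the few actions a virus must take
(hook a service interrupt, rewrite existing executables, touch the boot
sector), and a fourth-generation style access-control layer denies them."""
from collections import defaultdict

EXEC_SUFFIXES = (".exe", ".com")
PROTECTED_VECTORS = {0x13, 0x21}     # BIOS disk service and DOS service interrupts
MASS_MODIFY_THRESHOLD = 3            # assumption: N distinct executables rewritten by one process
TRUSTED_INSTALLERS = {"setup.exe"}   # assumption: allow-listed writers of executables

# Constructed trace of (process, action, target); not captured from a real system.
SAMPLE_TRACE = [
    ("wp.exe", "open_write", r"C:\DOCS\LETTER.DOC"),
    ("setup.exe", "create", r"C:\TOOLS\NEW.EXE"),
    ("setup.exe", "open_write", r"C:\TOOLS\NEW.EXE"),
    ("game.com", "set_vector", 0x21),
    ("game.com", "open_write", r"C:\DOS\EDIT.COM"),
    ("game.com", "open_write", r"C:\DOS\XCOPY.EXE"),
    ("game.com", "open_write", r"C:\TOOLS\NEW.EXE"),
    ("game.com", "write_sector", 0),
]


def is_executable(target):
    return str(target).lower().endswith(EXEC_SUFFIXES)


def activity_trap(trace):
    """Return (process, reason, detail) alerts for virus-like actions."""
    created = defaultdict(set)     # executables each process created itself
    modified = defaultdict(set)    # pre-existing executables each process rewrote
    alerts = []
    for proc, action, target in trace:
        if action == "create" and is_executable(target):
            created[proc].add(target)
        elif action == "open_write" and is_executable(target) and target not in created[proc]:
            modified[proc].add(target)
            alerts.append((proc, "writes existing executable", target))
            if len(modified[proc]) == MASS_MODIFY_THRESHOLD:
                alerts.append((proc, "mass modification of executables", len(modified[proc])))
        elif action == "write_sector" and target == 0:
            alerts.append((proc, "boot sector write", target))
        elif action == "set_vector" and target in PROTECTED_VECTORS:
            alerts.append((proc, "hooks service interrupt", hex(target)))
    return alerts


def access_control(trace):
    """Fourth-generation addition: block rather than only report. Returns the
    (process, target) pairs that would be denied."""
    denied = []
    for proc, action, target in trace:
        if proc in TRUSTED_INSTALLERS:
            continue
        if (action == "open_write" and is_executable(target)) or action == "write_sector":
            denied.append((proc, target))
    return denied


if __name__ == "__main__":
    for alert in activity_trap(SAMPLE_TRACE):
        print("ALERT", *alert)
    for denial in access_control(SAMPLE_TRACE):
        print("DENY", *denial)
```

The installer in the trace writes an executable it created itself and raises no alert, which is the distinction a real activity trap must make to stay usable; the allow list in `access_control` is the blunt version of the same idea and is where most false positives of such products come from.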
Trojan
A malware program that appears to perform some useful task but also does something with negative consequences.
- Example: The Love Bug (the "love letter" attachment is the lure)
A Trojan horse can be deliberately attached to otherwise useful software by a cracker,
- or it can be spread by tricking users into believing that it is a useful program.
- Trojans currently have the largest infection potential.