01-06-2013, 04:15 PM
Malware: Viruses and Rootkits
Malware.ppt (Size: 3.6 MB / Downloads: 43)
Malware
Malicious code often masquerades as good software or attaches itself to good software
Some malicious programs need host programs
Trojan horses, logic bombs, viruses
Others can exist and propagate independently
Worms, automated viruses
Many infection vectors and propagation methods
Modern malware often combines trojan, rootkit, and worm functionality
Trojans
A Trojan horse is malicious code hidden in an apparently useful host program
When the host program is executed, the trojan does something harmful or unwanted
User must be tricked into executing the host program
In 1995, a program distributed as PKZ300B.EXE looked like a new version of PKZIP… when executed, it formatted your hard drive
Old-style trojans did not replicate, but today many are spread by virus- and worm-like mechanisms
More Trojans
1987: Login program on NASA computers hacked by Chaos Computer Club, steals passwords
1999: Hacked login program at U. of Michigan steals 1534 passwords within 23 hours
2003: AOL employees tricked into accepting trojans via AIM, hackers get complete remote control over their machines via IRC
Social engineering was also used to steal passwords
2001: Badtrans worm installs a keystroke-logging trojan and mails the log to one of 22 email accounts
First Virus: Creeper
Written in 1971 at BBN
Infected DEC PDP-10 machines running the TENEX OS
Jumped from machine to machine over ARPANET
Copied its state over, tried to delete old copy
Payload: displayed a message
“I’m the creeper, catch me if you can!”
Later, Reaper was written to hunt down Creeper
Polymorphic Viruses
Encrypted viruses: constant decryptor followed by the encrypted virus body
Polymorphic viruses: constantly create new random encryptions of the same virus body
Virus includes an engine for creating new keys and new encryptions of the virus body
If only the key changes, the decryptor code stays constant and can be detected with a signature (key bytes wildcarded); a polymorphic engine must therefore mutate the decryptor too (junk instructions, equivalent instruction sequences, register renaming)
Historical note: “Crypto” virus decrypted its body by brute-force key search to avoid explicit decryptor code
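The contrast between an encrypted virus (new key, same decryptor) and a polymorphic one (new key, mutated decryptor), and why a byte signature catches the first but not the second, as an added example that is not from the slides. Everything in it is constructed: the "body" is a harmless string, the "decryptor" is a program for a five-opcode toy machine (SETKEY/XORKEY/DECRYPT/RUN/NOP, invented here) that never executes natively, and the two scanners are a wildcard byte signature and a tiny emulator that runs the stub and hashes what it decrypts.

```python
"""Toy model of encrypted vs. polymorphic viruses and of two scanners.

Constructed for this page (not code from the slides): the "virus body" is a
harmless byte string, the "decryptor" is a program for a 5-opcode toy machine
that never executes natively, and the scanners are a few lines each.
"""
import hashlib
import random
from typing import Dict, List, Optional

# Toy instruction set for the decryptor stub (constructed for this example):
SETKEY, XORKEY, DECRYPT, RUN, NOP = 0x01, 0x05, 0x02, 0x03, 0x90
#   SETKEY k  -> key = k          XORKEY k -> key ^= k
#   DECRYPT   -> body ^= key      RUN      -> stop; body is plaintext now
#   NOP       -> does nothing; junk a polymorphic engine can sprinkle in

BODY = b"demo body: print('hello from the toy virus')"  # constructed, harmless
BODY_HASH = hashlib.sha256(BODY).hexdigest()            # what a scanner would know


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_encrypted(rng: random.Random) -> bytes:
    """Encrypted virus: fresh key per generation, but the decryptor is always
    SETKEY k, DECRYPT, RUN. Only the key byte differs between copies."""
    key = rng.randrange(1, 256)
    return bytes([SETKEY, key, DECRYPT, RUN]) + xor_bytes(BODY, key)


def make_polymorphic(rng: random.Random) -> bytes:
    """Polymorphic virus: fresh key AND a mutated decryptor. The engine splits
    the key across one SETKEY and several XORKEY instructions (they XOR to the
    real key) and interleaves random NOPs, so no fixed byte string survives."""
    key = rng.randrange(1, 256)
    parts: List[int] = [rng.randrange(256) for _ in range(rng.randint(1, 3))]
    acc = 0
    for p in parts:
        acc ^= p
    parts.append(key ^ acc)                      # parts[0] ^ ... ^ parts[-1] == key
    stub: List[int] = []
    for i, p in enumerate(parts):
        stub += [NOP] * rng.randint(0, 2)
        stub += [SETKEY if i == 0 else XORKEY, p]
    stub += [NOP] * rng.randint(1, 3)
    stub += [DECRYPT, RUN]
    return bytes(stub) + xor_bytes(BODY, key)


# Scanner 1: a byte signature for the encrypted family, key byte wildcarded.
SIGNATURE: List[Optional[int]] = [SETKEY, None, DECRYPT, RUN]   # 01 ?? 02 03


def signature_match(sample: bytes) -> bool:
    n = len(SIGNATURE)
    for off in range(len(sample) - n + 1):
        if all(s is None or s == sample[off + i] for i, s in enumerate(SIGNATURE)):
            return True
    return False


# Scanner 2: emulate the stub in a sandbox and hash whatever it decrypts.
def emulate(sample: bytes, max_steps: int = 64) -> Optional[bytes]:
    """Return the decrypted body, or None if the stub is malformed or loops."""
    key = decrypt_key = pc = steps = 0
    while pc < len(sample) and steps < max_steps:
        op = sample[pc]
        steps += 1
        if op in (SETKEY, XORKEY):
            if pc + 1 >= len(sample):
                return None
            key = sample[pc + 1] if op == SETKEY else key ^ sample[pc + 1]
            pc += 2
        elif op == NOP:
            pc += 1
        elif op == DECRYPT:
            decrypt_key, pc = key, pc + 1
        elif op == RUN:
            return xor_bytes(sample[pc + 1:], decrypt_key)
        else:
            return None                          # unknown opcode: not our stub
    return None


def emulation_detect(sample: bytes) -> bool:
    body = emulate(sample)
    return body is not None and hashlib.sha256(body).hexdigest() == BODY_HASH


def compare(generations: int = 50, seed: int = 1) -> Dict[str, int]:
    """Generate both families and count what each scanner catches."""
    rng = random.Random(seed)
    enc = [make_encrypted(rng) for _ in range(generations)]
    poly = [make_polymorphic(rng) for _ in range(generations)]
    return {
        "encrypted_sig": sum(map(signature_match, enc)),
        "encrypted_emu": sum(map(emulation_detect, enc)),
        "poly_sig": sum(map(signature_match, poly)),
        "poly_emu": sum(map(emulation_detect, poly)),
        "poly_distinct": len(set(poly)),
    }


if __name__ == "__main__":
    print(compare())
```

The wildcard signature fires on every encrypted generation and on almost none of the polymorphic ones (an occasional hit is possible when a random key part happens to be 0x01 next to a single NOP), while the emulator recovers the same body hash from both families. That is the reason real scanners emulate or unpack before matching, and it is also the reason the "Crypto" virus mentioned above avoided an explicit decryptor: no stub, nothing to emulate in the usual way.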
Metamorphic Viruses
Obvious next step: mutate the virus body, too!
Apparition: early Win32 metamorphic virus
Carries its own source code, padded with useless junk statements
Looks for compiler on infected machine
Changes junk in its source and recompiles itself
New binary copy looks different!
Mutation is common in macro and script viruses: macros and scripts are usually interpreted, not compiled, so the virus can rewrite its own source text and the interpreter runs the new version with no compiler needed
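The Apparition recipe (carry the source, rewrite the junk in it, recompile) and the script-virus case (the source is what runs) in one added example; it is constructed for this page, not the code of any real virus. The "payload" is one harmless function, the "compiler" is Python's own compile(), "running the new binary" is exec() in a fresh namespace, and the scanner side shows the normalisation (dead-store removal on the AST) that makes every generation hash the same again. Assumes Python 3.9 or later for ast.unparse.

```python
"""Toy metamorphic virus in the Apparition style: the program carries its own
source, rewrites the junk in it, recompiles, and runs the result.

Constructed for this page (not the virus's code): the payload is one harmless
function, the "compiler" is Python's own compile(), and "executing the new
binary" means exec() in a fresh namespace. Needs Python 3.9+ for ast.unparse.
"""
import ast
import hashlib
import marshal
import random
from typing import Any, Dict, List

RETURN_LINE = "    return 'the same behaviour every generation'"


def generate(seed: int) -> str:
    """One new generation: fresh junk names, fresh junk statements, a random
    number of them before the function and inside it. Every statement added
    here is a dead store, so behaviour is unchanged."""
    rng = random.Random(seed)

    def junk(indent: str = "") -> str:
        name, n = f"j{rng.randrange(10**6)}", rng.randrange(1000)
        return rng.choice([
            f"{indent}{name} = {n}",
            f"{indent}{name} = {n} * 2 - {n}",
            f"{indent}{name} = [{n}, {n + 1}]",
        ])

    lines: List[str] = [junk() for _ in range(rng.randint(1, 3))]
    lines.append("def payload():")
    lines += [junk("    ") for _ in range(rng.randint(1, 3))]
    lines.append(RETURN_LINE)
    return "\n".join(lines) + "\n"


def binary_fingerprint(src: str) -> str:
    """Hash of the compiled code object: the 'new binary' a byte-signature
    scanner would see. Junk changes names, constants and line numbers."""
    return hashlib.sha256(marshal.dumps(compile(src, "<gen>", "exec"))).hexdigest()


def run(src: str) -> str:
    """Recompile and execute the generation; return what payload() returns."""
    ns: Dict[str, Any] = {}
    exec(compile(src, "<gen>", "exec"), ns)
    return ns["payload"]()


class DeadStoreStripper(ast.NodeTransformer):
    """Delete assignments to names that are never read anywhere in the tree.
    This is the normalisation a scanner does to see through junk insertion."""

    def __init__(self, read_names: set) -> None:
        self.read_names = read_names

    def visit_Assign(self, node: ast.Assign):
        targets = {t.id for t in node.targets if isinstance(t, ast.Name)}
        if targets and not (targets & self.read_names):
            return None                      # dead store: drop the statement
        return node


def normalize(src: str) -> str:
    """Canonical source with junk removed; identical for every generation."""
    tree = ast.parse(src)
    read = {n.id for n in ast.walk(tree)
            if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Load)}
    tree = ast.fix_missing_locations(DeadStoreStripper(read).visit(tree))
    return ast.unparse(tree)


def compare(generations: int = 10) -> Dict[str, int]:
    """Every generation compiles to different bytes, behaves the same, and
    normalises to the same canonical source."""
    gens = [generate(seed) for seed in range(generations)]
    return {
        "distinct_binaries": len({binary_fingerprint(g) for g in gens}),
        "distinct_behaviours": len({run(g) for g in gens}),
        "distinct_normalized": len({normalize(g) for g in gens}),
    }


if __name__ == "__main__":
    print(generate(1))
    print(compare())
```

Because this is an interpreted language, the "recompile" step costs nothing and needs no compiler on the victim machine, which is exactly why mutation is cheap for macro and script viruses. The dead-store stripper is deliberately the simplest possible normaliser; real junk engines also emit dead branches and equivalent instruction sequences, which need a matching rewrite rule each.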