Chapter 9: Security, CMPS 111, UC Santa Cruz (slides 38-43)

Where a virus can sit in an executable (slide 38; title not in this preview)
  [Figure: an uninfected executable program beside three infected layouts: virus at start of program, virus at end of program, virus in program's free spaces]

Viruses infecting the operating system
  [Figure: three snapshots of the operating system with its syscall traps and its disk, clock and keyboard vectors: (1) virus has captured interrupt & trap vectors; (2) OS retakes keyboard vector; (3) virus notices, recaptures keyboard]

How do viruses spread?
  • Virus placed where likely to be copied
      • Popular download site
      • Photo site
  • When copied
      • Infects programs on hard drive, floppy
      • May try to spread over LAN or WAN
  • Attach to innocent-looking email
      • When it runs, use mailing list to replicate
      • May mutate slightly so recipients don't get suspicious

Hiding a virus in a file
  • Start with an uninfected program
  • Add the virus to the end of the program
  • Problem: file size changes
  • Solution: compression
      • Compressed infected program
      • Decompressor: for running executable
      • Compressor: for compressing newly infected binaries
      • Lots of free space (if needed)
  • Problem (for virus writer): virus easy to recognize
  [Figure: header + executable program; header + executable program + virus; header + virus + decompressor + compressor + compressed executable program + unused space]

Using encryption to hide a virus
  • Hide virus by encrypting it
      • Vary the key in each file
      • Virus "code" varies in each infected file
  • Problem: lots of common code still in the clear
      • Compress / decompress
      • Encrypt / decrypt
  • Even better: leave only decryptor and key in the clear
      • Less constant per virus
      • Use polymorphic code (more in a bit) to hide even this
  [Figure: the compressed layout from the previous slide, repeated, then the same layout with key, encryptor and decryptor added alongside the virus]

Polymorphic viruses
  • All of these code sequences do the same thing
  • All of them are very different in machine code
  • Use "snippets" combined in random ways to hide code

How can viruses be foiled?
  • Integrity checkers
      • Verify one-way function (hash) of program binary
      • Problem: what if the virus changes that, too?
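The integrity checker on the last slide, together with its stated weakness, as an added example that is not part of the lecture slides. It records size and SHA-256 of each binary and covers the stored record with an HMAC whose key is assumed to be kept off the monitored host, so that rewriting a stored hash is detected as well; the program file and its modification are constructed in a temporary directory.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed key for the example; in practice it lives off the monitored host
# (read-only media, a separate machine), so a virus on the host cannot re-tag.
BASELINE_KEY = b"example-baseline-key"

def fingerprint(path):
    """Size and SHA-256 (the slide's one-way function) of a program binary."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": os.path.getsize(path), "sha256": h.hexdigest()}

def build_baseline(paths, key=BASELINE_KEY):
    """Record fingerprints and tag the whole record with an HMAC."""
    entries = {p: fingerprint(p) for p in paths}
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "tag": tag}

def verify(baseline, key=BASELINE_KEY):
    """Return (baseline_intact, paths whose size or hash no longer match)."""
    body = json.dumps(baseline["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, baseline["tag"]):
        return False, []  # stored hashes were altered: trust none of them
    changed = [p for p, fp in baseline["entries"].items() if fingerprint(p) != fp]
    return True, changed

def demo():
    """Constructed scenario: bytes get appended to a program, then the baseline is edited."""
    prog = os.path.join(tempfile.mkdtemp(), "program.bin")
    with open(prog, "wb") as f:
        f.write(b"\x7fELF original program bytes")
    base = build_baseline([prog])
    intact0, changed0 = verify(base)            # clean: (True, [])
    with open(prog, "ab") as f:
        f.write(b" extra bytes appended")       # size and hash both change
    intact1, changed1 = verify(base)            # (True, [prog])
    base["entries"][prog] = fingerprint(prog)   # stored hash rewritten to match
    intact2, _ = verify(base)                   # tag no longer verifies: False
    return intact0, len(changed0), intact1, len(changed1), intact2
```

The third check is the slide's "what if the virus changes that, too?" case: without the key the edited record cannot be re-tagged, so the checker reports the baseline itself as untrustworthy rather than silently accepting the new hash.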
