SlideShare a Scribd company logo
1 of 34
Download to read offline
Introduction to Malware 
Techniques, Classification, and 
Defenses 
Dr. Engin Kirda
Malware (Malicious Code)
The type of threat… 
• … Is often not too easy to determine 
– Even given these loose definitions of malware types 
– A threat might be hybrid 
• e.g., a Trojan might also be spyware at the same time 
• A worm might propagate over the network by having Trojan 
functionality 
• A blended threat is when a virus exploits a technical 
vulnerability to propagate itself 
• I left out one malware category, can you name this 
category? ;) 
– Botnets!  More on this in later lectures 
3 
www.lastline.com
Naming 
• As malware spreads, the main concern is to catch it 
– A second concern is to give it a name 
– Naming is important for companies because of marketing 
reasons 
– There is no central naming authority 
– A piece of malware often has different names, depending on 
who is detecting it 
– Will there be standardization soon? 
• Probably not – too much malware 
• Malware might change fast so naming standards are difficult to 
establish 
4 
www.lastline.com
Naming 
• Here is a case of the same malware instance as 
name by different vendors… 
Bagle.C 
Email-worm.Win32.Bagle.c 
W32/Bagle.c@MM 
W32.Beagle.C@mm 
WORM.BAGLE.C 
Worm.Bagle.A3 
5 
www.lastline.com
Malware Authorship 
• People whose machines have been infected… 
– May have more colorful terms to describe person who 
created malware 
– e.g., a*$$!*!!! ;) 
– Common terms are malware author, malware writer, and 
virus writer 
• There is a distinction made between writing and 
distributing 
– Based on our terminology before, is writing malware 
hacking? 
– Yes and no… malware attacks are largely automated, 
whereas hacking tends to be more manual 
6 
www.lastline.com
Viruses 
• A virus has three components 
– Infection mechanism 
• How a virus spreads 
• The exact means through which virus spreads is called… 
• An infection vector 
• What if a virus infects in multiple ways? 
• multipartite 
– Trigger 
• Deciding whether to deliver or not 
– Payload 
• What the virus does 
7 
www.lastline.com
Viruses 
• In pseudo code, a virus would like look this 
def virus: 
infect() 
if trigger() is true: 
payload() 
Question: Remember, this is a virus. What does 
the infection function do? 
8 
www.lastline.com
Viruses 
• Generally, k targets may be infected each time the 
infection routine is run 
def infect: 
repeat k times: 
target = select_target() 
if no target: 
return 
infect_code(target) 
Question: What is the tricky part of the code here? 
 select_target() – virus does not want to infect 
code multiple times 
9 
www.lastline.com
Virus Classification by Target 
• A popular way to classify viruses is by looking at what 
they try to infect 
– We will first look at three classes of viruses: boot-sector 
viruses, executable file infectors, and data file infectors (i.e., 
called macro viruses) 
Question: Who can tell me what these types of 
viruses are? 
10 
www.lastline.com
Boot Sequence 
• Boot sequence on most machines typically goes 
through these steps 
1.) Power on 
2.) ROM-based instructions run, performing a self-test, device 
detection, and initialization. The boot device is identified and 
boot block read from it 
3.) After boot block is loaded, control is transferred to loaded 
code  primary boot 
4.) The loaded code loads a larger, more sophisticated code 
that understands file structure, and transfers control  
secondary boot 
11 
www.lastline.com
Boot-Sector Infector 
• A virus that infects by copying itself to the boot block 
– Question: What happens to the original boot block? 
– The issue with moving the boot block is that disk space 
needs to be allocated, and much code is needed 
– Hence, many viruses tended to copy the block to the same 
location (e.g., Stoned and Michelangelo) 
– Question: What is the problem with that? 
[Aycock06] 
12 
www.lastline.com
Boot-Sector Infector 
• In general, infecting boot sector is strategically sound 
– The virus is loaded before any AV software 
– BSIs used to be rare, but now, new malware that has boot-sector 
functionality has been introduced (i.e., stoned bootkit) 
– Question: Suppose that you were creating a protection 
technique against boot sector infectors, what would your 
solution be? ;) 
• Many BIOS instances have a boot block protection that can be 
enabled 
• Authorization is required 
13 
www.lastline.com
File Infectors 
• Operating systems have a notion of files that are 
executable 
– In a broader sense, executable files may also include files 
that can be run by a command-line user “shell” 
– A file infector infects files that are executable (e.g., including 
batch files and shell scripts) – binary files are the most 
popular 
– Two main issues 
1.) Where is the virus placed? 
2.) How is the virus executed when the infected file is run? 
14 
www.lastline.com
Insertion: Beginning of the File 
• Older, simple executable file formats (e.g., .COM in 
MSDOS) would treat the entire file as code and data 
– The entire file would be loaded into memory and execution 
would jump to the beginning 
[Aycock06] 
15 
www.lastline.com
Insertion: End of the File 
• Question: What is easier, appending to the end or to 
the beginning of a file? 
• How does the virus get control? 
– The original instructions in the code can be saved 
(somewhere) and replaced by a jump to viral code. After 
execution, virus transfers control back to infected code. The 
code can be run in new location, or may be restored 
– Many executable file formats specify a start location. Virus 
may change this, store the original value, and jump to it after 
it’s done 
16 
www.lastline.com
Insertion: End of the File 
[Aycock06] 
17 
www.lastline.com
Insertion: Overwritten into File 
• In this strategy, the virus would overwrite parts of the 
original executable 
– Advantage: The file size does not change 
• Of course, overwriting could break the original 
infected file 
• Possibilities 
– Overwrite repeated values, and restore them after execution 
– Move parts of file to innocent looking file (e.g., JPG) 
– Sometimes, executables are “padded” and there is unused 
space 
– Compress the original code, and decompress it later 
• In any case, virus has to be small 
18 
www.lastline.com
Insertion: Companion Virus 
• Companion virus 
– installs a COM file (the virus) for every EXE file found 
– idea is simple: DOS runs COM files before EXE 
– virus will stay memory resident and execute the original file 
– Question: What do you think of this infection strategy? 
 easy to find and eliminate 
19 
www.lastline.com
Insertion: NTFS ADS Viruses 
• NTFS contains a system called Alternate Data Streams (ADS) 
– sometimes used by viruses 
– original intention of ADS is to store meta information with file 
e.g., has it been downloaded from the Internet? 
echo ‘Hello World’ > test.txt 
echo ‘This is Hidden’ > test.txt:hidden.txt 
nodepad test.txt:hidden.txt 
• Stream we have created is completely invisible 
– most commands do not work on ADSs (e.g., deleting). 
– Explorer and dir will not show the file 
– viruses can make use of ADS to hide code, data, temporary files 
– tool called streams.exe from Sysinternals.com is useful for finding 
such streams 
20 
www.lastline.com
Insertion: Integration 
• Code Integration 
– merge virus code with program 
– requires disassembly of target 
• difficult task on x86 machines 
– W95/Zmist is a classic example for this technique 
21 
www.lastline.com
Fast and Slow Infectors 
• A fast infector infects any file accessed 
– purpose of fast infection is to ride on the back of anti-virus software 
– infect files as they are being checked 
– can be defeated if the scanner is started from a floppy 
• A slow infector only infects files as they are created or modified 
– purpose of slow infection is to attempt to defeat integrity checking 
– piggyback on top of the process which legitimately changes a file 
– if integrity checker has a scanning component, virus can be caught 
22 
www.lastline.com
Tunneling and Camouflage Viruses 
• To minimize the probability of its being discovered, 
a virus could use a number of different techniques 
• A tunneling virus attempts to bypass antivirus programs 
– idea is to follow the interrupt chain back down to basic 
operating system or BIOS interrupt handlers 
– install virus there 
– virus is “underneath” everything – including the checking program 
• In the past, possible for a virus to spoof a scanner by 
camouflaging itself to look like something the scanner was 
programmed to ignore 
– false alarms of scanners make “ignore” rules necessary 
23 
www.lastline.com
Sparse Infectors and Armored Viruses 
• Sparse infector 
– infect every nth time a file is executed 
– infect files only with a certain name 
• Armored virus 
– aims to make disassembly difficult 
– exploits fact that x86 code is hard to disassemble 
– Whale (early virus), made extensive use of such techniques 
– manual disassembly is almost always possible but takes 
more time and is not automated 
24 
www.lastline.com
Macro Viruses 
• Many modern applications support macro languages 
– Microsoft Word, Excel, Outlook 
– macro language is powerful 
– embedded macros automatically executed on load 
– mail app. with Word as an editor 
– mail app. with Internet Explorer 
to render HTML 
25 
www.lastline.com
Macro Viruses 
• In the past, when a macro-containing document was 
loaded by application, the macro was run 
automatically 
– Clearly, not a good idea 
– The macro virus received control 
Question: When was the first macro virus created? ;) 
Actually, in 1989, before macro viruses became mainstream 
in 1995 
Why? 
Probably because Microsoft products became very popular + 
Internet 
26 
www.lastline.com
Macro Viruses: Concept In Action 
[Aycock06] 
27 
www.lastline.com
Classification by Concealment 
Strategy 
• No concealment 
– Easy to write, but of course, easy to detect 
• Encryption 
– The virus “encrypts” a part of its body (or all of it) for 
concealment 
– Infection, trigger, payload 
– Virus encryption is rather obfuscation than classic encryption 
– When body is encrypted, body does not run – it has to be 
decrypted before 
– decryptor loop decrypts the body and transfers control to it 
• Question: What are the properties of the decryptor? 
28 
www.lastline.com
Encrypted Virus 
[Aycock06] 
29 
www.lastline.com
How is the Encryption Done? 
• Question: What would you do? ;) 
– Simple encryption: no key is used, just basic parameterless 
operations, incrementing, decrementing, bitwise rotations, 
arithmetic negation and NOT 
30 
www.lastline.com
How is the Encryption Done? 
• Static encryption key 
– A static, constant key is used for encryption which doesn’t 
change 
• Variable encryption key 
– Key changes 
31 
www.lastline.com
How is the Encryption Done? 
• Substitution cipher 
– Lookup tables which map byte value between encrypted and 
decrypted forms 
– e.g., 256-byte arrays, initialized so that encrypt[j]=k and 
decrypt[k]=j 
32 
www.lastline.com
How is the Encryption Done? 
• Strong encryption (i.e., strong crypto algorithms like 
RSA) 
– In the past, this would have required a lot of code. However, 
now, quite a bit of code already exists in libraries 
• The main weakness in the discussed encryption 
schemes? 
– The body of the virus is encrypted in the same way. It does 
not change across infections 
– Question: Solution? 
– Answer: You choose a random key, and update the 
decryptor loop 
33 
www.lastline.com
Stealth 
• A stealth virus is a virus that actively takes steps to 
conceal the infection itself, not just the virus body 
– We already discussed some stealth techniques. 
– Question: What kind of stealth / hiding techniques can you 
think of? 
1.) Restore original timestamp 
2.) Store all original information (e.g., contents, file size, 
timestamp, etc.), and replay it when requested 
Classic technique for doing this  Intercept I/O calls 
• Note that stealth techniques are similar to rootkits. 
Rootkit, originally created as toolkits for compromised 
machines 
34 
www.lastline.com

More Related Content

What's hot

Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxRahul Mohandas
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionGreg Foss
 
H@dfex 2015 malware analysis
H@dfex 2015   malware analysisH@dfex 2015   malware analysis
H@dfex 2015 malware analysisCharles Lim
 
Ccsit cyberlympics 2017 workshop 3 - presentation
Ccsit cyberlympics 2017  workshop 3 - presentationCcsit cyberlympics 2017  workshop 3 - presentation
Ccsit cyberlympics 2017 workshop 3 - presentationNasir Bhutta
 
My Keynote from BSidesTampa 2015 (video in description)
My Keynote from BSidesTampa 2015 (video in description)My Keynote from BSidesTampa 2015 (video in description)
My Keynote from BSidesTampa 2015 (video in description)Andrew Case
 
2014: Mid-Year Threat Review
2014: Mid-Year Threat Review2014: Mid-Year Threat Review
2014: Mid-Year Threat ReviewESET
 
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...EC-Council
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...RootedCON
 
Defending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksDefending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksEC-Council
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent ThreatsESET
 
Penetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningPenetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningSecurityMetrics
 
Lateral Movement by Default
Lateral Movement by DefaultLateral Movement by Default
Lateral Movement by DefaultInnoTech
 
Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Dan Morrill
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteEC-Council
 
Persistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsPersistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsSameer Thadani
 
Penetration Testing Execution Phases
Penetration Testing Execution Phases Penetration Testing Execution Phases
Penetration Testing Execution Phases Nasir Bhutta
 
Slide Deck – Session 4 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 4 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 4 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 4 – FRSecure CISSP Mentor Program 2017FRSecure
 
Break IT Down by Josh Smith
Break IT Down by Josh SmithBreak IT Down by Josh Smith
Break IT Down by Josh SmithEC-Council
 
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...Luigi Delgrosso
 

What's hot (20)

Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in Sandbox
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement Detection
 
How secure are your systems
How secure are your systemsHow secure are your systems
How secure are your systems
 
H@dfex 2015 malware analysis
H@dfex 2015   malware analysisH@dfex 2015   malware analysis
H@dfex 2015 malware analysis
 
Ccsit cyberlympics 2017 workshop 3 - presentation
Ccsit cyberlympics 2017  workshop 3 - presentationCcsit cyberlympics 2017  workshop 3 - presentation
Ccsit cyberlympics 2017 workshop 3 - presentation
 
My Keynote from BSidesTampa 2015 (video in description)
My Keynote from BSidesTampa 2015 (video in description)My Keynote from BSidesTampa 2015 (video in description)
My Keynote from BSidesTampa 2015 (video in description)
 
2014: Mid-Year Threat Review
2014: Mid-Year Threat Review2014: Mid-Year Threat Review
2014: Mid-Year Threat Review
 
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
 
Defending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksDefending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael Banks
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent Threats
 
Penetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningPenetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability Scanning
 
Lateral Movement by Default
Lateral Movement by DefaultLateral Movement by Default
Lateral Movement by Default
 
Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent White
 
Persistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsPersistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent Threats
 
Penetration Testing Execution Phases
Penetration Testing Execution Phases Penetration Testing Execution Phases
Penetration Testing Execution Phases
 
Slide Deck – Session 4 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 4 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 4 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 4 – FRSecure CISSP Mentor Program 2017
 
Break IT Down by Josh Smith
Break IT Down by Josh SmithBreak IT Down by Josh Smith
Break IT Down by Josh Smith
 
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
 

Similar to Introduction to Malware - Part 1

Similar to Introduction to Malware - Part 1 (20)

Isys20261 lecture 05
Isys20261 lecture 05Isys20261 lecture 05
Isys20261 lecture 05
 
Thur Venture
Thur VentureThur Venture
Thur Venture
 
Venture name Basics
Venture name BasicsVenture name Basics
Venture name Basics
 
Sangeetha Venture
Sangeetha VentureSangeetha Venture
Sangeetha Venture
 
Venture name Basics
Venture name BasicsVenture name Basics
Venture name Basics
 
Regression
RegressionRegression
Regression
 
Computer Virus
Computer VirusComputer Virus
Computer Virus
 
Lecture 12 malicious software
Lecture 12 malicious software Lecture 12 malicious software
Lecture 12 malicious software
 
Computer security: hackers and Viruses
Computer security: hackers and VirusesComputer security: hackers and Viruses
Computer security: hackers and Viruses
 
Program and System Threats
Program and System ThreatsProgram and System Threats
Program and System Threats
 
Viruses worms
Viruses wormsViruses worms
Viruses worms
 
Computer viruses
Computer virusesComputer viruses
Computer viruses
 
Viruses & worms
Viruses & wormsViruses & worms
Viruses & worms
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
 
Computer viruses
Computer virusesComputer viruses
Computer viruses
 
Information about malwares and Attacks.pptx
Information about malwares and Attacks.pptxInformation about malwares and Attacks.pptx
Information about malwares and Attacks.pptx
 
unit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfunit 2 confinement techniques.pdf
unit 2 confinement techniques.pdf
 
Ch14 security
Ch14   securityCh14   security
Ch14 security
 
Cyber attacks 101
Cyber attacks 101Cyber attacks 101
Cyber attacks 101
 
Secure programming - Computer and Network Security
Secure programming - Computer and Network SecuritySecure programming - Computer and Network Security
Secure programming - Computer and Network Security
 

Recently uploaded

NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 

Recently uploaded (20)

NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 

Introduction to Malware - Part 1

  • 1. Introduction to Malware Techniques, Classification, and Defenses Dr. Engin Kirda
  • 3. The type of threat… • … Is often not too easy to determine – Even given these loose definitions of malware types – A threat might be hybrid • e.g., a Trojan might also be spyware at the same time • A worm might propagate over the network by having Trojan functionality • A blended threat is when a virus exploits a technical vulnerability to propagate itself • I left out one malware category, can you name this category? ;) – Botnets!  More on this in later lectures 3 www.lastline.com
  • 4. Naming • As malware spreads, the main concern is to catch it – A second concern is to give it a name – Naming is important for companies because of marketing reasons – There is no central naming authority – A piece of malware often has different names, depending on who is detecting it – Will there be standardization soon? • Probably not – too much malware • Malware might change fast so naming standards are difficult to establish 4 www.lastline.com
  • 5. Naming • Here is a case of the same malware instance as name by different vendors… Bagle.C Email-worm.Win32.Bagle.c W32/Bagle.c@MM W32.Beagle.C@mm WORM.BAGLE.C Worm.Bagle.A3 5 www.lastline.com
  • 6. Malware Authorship • People whose machines have been infected… – May have more colorful terms to describe person who created malware – e.g., a*$$!*!!! ;) – Common terms are malware author, malware writer, and virus writer • There is a distinction made between writing and distributing – Based on our terminology before, is writing malware hacking? – Yes and no… malware attacks are largely automated, whereas hacking tends to be more manual 6 www.lastline.com
  • 7. Viruses • A virus has three components – Infection mechanism • How a virus spreads • The exact means through which virus spreads is called… • An infection vector • What if a virus infects in multiple ways? • multipartite – Trigger • Deciding whether to deliver or not – Payload • What the virus does 7 www.lastline.com
  • 8. Viruses • In pseudo code, a virus would like look this def virus: infect() if trigger() is true: payload() Question: Remember, this is a virus. What does the infection function do? 8 www.lastline.com
  • 9. Viruses • Generally, k targets may be infected each time the infection routine is run def infect: repeat k times: target = select_target() if no target: return infect_code(target) Question: What is the tricky part of the code here?  select_target() – virus does not want to infect code multiple times 9 www.lastline.com
  • 10. Virus Classification by Target • A popular way to classify viruses is by looking at what they try to infect – We will first look at three classes of viruses: boot-sector viruses, executable file infectors, and data file infectors (i.e., called macro viruses) Question: Who can tell me what these types of viruses are? 10 www.lastline.com
  • 11. Boot Sequence • Boot sequence on most machines typically goes through these steps 1.) Power on 2.) ROM-based instructions run, performing a self-test, device detection, and initialization. The boot device is identified and boot block read from it 3.) After boot block is loaded, control is transferred to loaded code  primary boot 4.) The loaded code loads a larger, more sophisticated code that understands file structure, and transfers control  secondary boot 11 www.lastline.com
  • 12. Boot-Sector Infector • A virus that infects by copying itself to the boot block – Question: What happens to the original boot block? – The issue with moving the boot block is that disk space needs to be allocated, and much code is needed – Hence, many viruses tended to copy the block to the same location (e.g., Stoned and Michelangelo) – Question: What is the problem with that? [Aycock06] 12 www.lastline.com
  • 13. Boot-Sector Infector • In general, infecting boot sector is strategically sound – The virus is loaded before any AV software – BSIs used to be rare, but now, new malware that has boot-sector functionality has been introduced (i.e., stoned bootkit) – Question: Suppose that you were creating a protection technique against boot sector infectors, what would your solution be? ;) • Many BIOS instances have a boot block protection that can be enabled • Authorization is required 13 www.lastline.com
  • 14. File Infectors • Operating systems have a notion of files that are executable – In a broader sense, executable files may also include files that can be run by a command-line user “shell” – A file infector infects files that are executable (e.g., including batch files and shell scripts) – binary files are the most popular – Two main issues 1.) Where is the virus placed? 2.) How is the virus executed when the infected file is run? 14 www.lastline.com
  • 15. Insertion: Beginning of the File • Older, simple executable file formats (e.g., .COM in MSDOS) would treat the entire file as code and data – The entire file would be loaded into memory and execution would jump to the beginning [Aycock06] 15 www.lastline.com
  • 16. Insertion: End of the File • Question: What is easier, appending to the end or to the beginning of a file? • How does the virus get control? – The original instructions in the code can be saved (somewhere) and replaced by a jump to viral code. After execution, virus transfers control back to infected code. The code can be run in new location, or may be restored – Many executable file formats specify a start location. Virus may change this, store the original value, and jump to it after it’s done 16 www.lastline.com
  • 17. Insertion: End of the File [Aycock06] 17 www.lastline.com
  • 18. Insertion: Overwritten into File • In this strategy, the virus would overwrite parts of the original executable – Advantage: The file size does not change • Of course, overwriting could break the original infected file • Possibilities – Overwrite repeated values, and restore them after execution – Move parts of file to innocent looking file (e.g., JPG) – Sometimes, executables are “padded” and there is unused space – Compress the original code, and decompress it later • In any case, virus has to be small 18 www.lastline.com
  • 19. Insertion: Companion Virus • Companion virus – installs a COM file (the virus) for every EXE file found – idea is simple: DOS runs COM files before EXE – virus will stay memory resident and execute the original file – Question: What do you think of this infection strategy?  easy to find and eliminate 19 www.lastline.com
  • 20. Insertion: NTFS ADS Viruses • NTFS contains a system called Alternate Data Streams (ADS) – sometimes used by viruses – original intention of ADS is to store meta information with file e.g., has it been downloaded from the Internet? echo ‘Hello World’ > test.txt echo ‘This is Hidden’ > test.txt:hidden.txt nodepad test.txt:hidden.txt • Stream we have created is completely invisible – most commands do not work on ADSs (e.g., deleting). – Explorer and dir will not show the file – viruses can make use of ADS to hide code, data, temporary files – tool called streams.exe from Sysinternals.com is useful for finding such streams 20 www.lastline.com
  • 21. Insertion: Integration • Code Integration – merge virus code with program – requires disassembly of target • difficult task on x86 machines – W95/Zmist is a classic example for this technique 21 www.lastline.com
  • 22. Fast and Slow Infectors • A fast infector infects any file accessed – purpose of fast infection is to ride on the back of anti-virus software – infect files as they are being checked – can be defeated if the scanner is started from a floppy • A slow infector only infects files as they are created or modified – purpose of slow infection is to attempt to defeat integrity checking – piggyback on top of the process which legitimately changes a file – if integrity checker has a scanning component, virus can be caught 22 www.lastline.com
  • 23. Tunneling and Camouflage Viruses • To minimize the probability of its being discovered, a virus could use a number of different techniques • A tunneling virus attempts to bypass antivirus programs – idea is to follow the interrupt chain back down to basic operating system or BIOS interrupt handlers – install virus there – virus is “underneath” everything – including the checking program • In the past, possible for a virus to spoof a scanner by camouflaging itself to look like something the scanner was programmed to ignore – false alarms of scanners make “ignore” rules necessary 23 www.lastline.com
  • 24. Sparse Infectors and Armored Viruses • Sparse infector – infect every nth time a file is executed – infect files only with a certain name • Armored virus – aims to make disassembly difficult – exploits fact that x86 code is hard to disassemble – Whale (early virus), made extensive use of such techniques – manual disassembly is almost always possible but takes more time and is not automated 24 www.lastline.com
  • 25. Macro Viruses • Many modern applications support macro languages – Microsoft Word, Excel, Outlook – macro language is powerful – embedded macros automatically executed on load – mail app. with Word as an editor – mail app. with Internet Explorer to render HTML 25 www.lastline.com
  • 26. Macro Viruses • In the past, when a macro-containing document was loaded by application, the macro was run automatically – Clearly, not a good idea – The macro virus received control Question: When was the first macro virus created? ;) Actually, in 1989, before macro viruses became mainstream in 1995 Why? Probably because Microsoft products became very popular + Internet 26 www.lastline.com
  • 27. Macro Viruses: Concept In Action [Aycock06] 27 www.lastline.com
  • 28. Classification by Concealment Strategy • No concealment – Easy to write, but of course, easy to detect • Encryption – The virus “encrypts” a part of its body (or all of it) for concealment – Infection, trigger, payload – Virus encryption is rather obfuscation than classic encryption – When body is encrypted, body does not run – it has to be decrypted before – decryptor loop decrypts the body and transfers control to it • Question: What are the properties of the decryptor? 28 www.lastline.com
  • 29. Encrypted Virus [Aycock06] 29 www.lastline.com
  • 30. How is the Encryption Done? • Question: What would you do? ;) – Simple encryption: no key is used, just basic parameterless operations, incrementing, decrementing, bitwise rotations, arithmetic negation and NOT 30 www.lastline.com
  • 31. How is the Encryption Done? • Static encryption key – A static, constant key is used for encryption which doesn’t change • Variable encryption key – Key changes 31 www.lastline.com
  • 32. How is the Encryption Done? • Substitution cipher – Lookup tables which map byte value between encrypted and decrypted forms – e.g., 256-byte arrays, initialized so that encrypt[j]=k and decrypt[k]=j 32 www.lastline.com
  • 33. How is the Encryption Done? • Strong encryption (i.e., strong crypto algorithms like RSA) – In the past, this would have required a lot of code. However, now, quite a bit of code already exists in libraries • The main weakness in the discussed encryption schemes? – The body of the virus is encrypted in the same way. It does not change across infections – Question: Solution? – Answer: You choose a random key, and update the decryptor loop 33 www.lastline.com
  • 34. Stealth • A stealth virus is a virus that actively takes steps to conceal the infection itself, not just the virus body – We already discussed some stealth techniques. – Question: What kind of stealth / hiding techniques can you think of? 1.) Restore original timestamp 2.) Store all original information (e.g., contents, file size, timestamp, etc.), and replay it when requested Classic technique for doing this  Intercept I/O calls • Note that stealth techniques are similar to rootkits. Rootkit, originally created as toolkits for compromised machines 34 www.lastline.com