BYU Computer Science
CS 465 Introduction to Security and Privacy

Malware — viruses and worms

Ungraded Quiz

  • What is the difference between a virus and a worm?
  • What are some common ways to detect malware?
  • What is your current strategy for backing up your important files?

Key Concepts

Malware

  • important to study past examples, even if fixed, to understand past mistakes
  • malware: “software intentionally designed or deployed to have effects contrary to the best interests of one or more users”
  • know ways malware gets onto a device
  • malware is hard to detect
  • reduce the risk of malware with code signing and anti-virus programs
  • tension between easy-to-update software and malware — if we never installed programs, and installing programs was impossible/disabled, then we could eliminate this problem (except for any flaws in the system code that are exploitable)

Viruses and worms

  • virus: a program that can infect other programs or files by modifying them to include a possibly evolved copy of itself
    • propagates with help from users — e.g. inserting a USB drive or clicking an email attachment
    • often will check if it has already infected a file
  • worm
    • propagates automatically
    • spreads across machines over networks
    • exploits software vulnerabilities to spread
  • generic structure
    • dormancy
    • propagation
    • trigger condition
    • payload
  • see Table 7.1, page 186

Propagation

  • spread by email is a significant vector
  • see Figure 7.1, page 188 for how viruses place code in an executable file
  • understand why scripts (shell scripts or Python scripts) present fewer obstacles than executables to an attacker injecting code
  • modern data files can contain embedded scripts, so merely opening them can trigger a virus

Well-known viruses

  • the Brain virus
  • CIH Chernobyl virus
    • caused hardware damage!
    • could overwrite the BIOS
    • clever trick — writing into empty space in files, splitting itself across multiple files, so it is hard to detect because it doesn’t change the file length
    • importance of backing up information

Undecidability

  • Proof that it is undecidable for a single program to detect all viruses — understand the proof
  • see below for more resources

Malware detection

  • Detection by using signatures: a sequence of bytes that identifies a known malware sample
    • tested against databases of legitimate software to ensure no false matches
    • protects only against known malware
  • Detection by using hashes of known-good programs to detect when they have been changed
  • Detection by behavioral signatures
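
As an added example (not part of the course notes or the textbook), the following Python script uses constructed sample programs and a made-up signature to show the first two approaches above: a byte-sequence signature scan with the check that a signature matches no legitimate software, and hashes of known-good programs, which catch an unknown variant the signature scan misses.

```python
import hashlib

# Constructed sample data for this example: not real malware, not real signatures.
# A signature database holds byte sequences that identify specific known samples.
SIGNATURES = {
    "demo-virus-A": b"\xeb\x0e\x90\x90DEMOVIRUSA",
}

# A small corpus of "legitimate" programs, modelled as name -> file contents.
CLEAN_PROGRAMS = {
    "ls":  b"\x7fELF" + b"\x00" * 16 + b"list directory",
    "cat": b"\x7fELF" + b"\x00" * 16 + b"concatenate files",
}

def scan_signatures(data: bytes, signatures=SIGNATURES) -> list:
    """Return the names of every known signature found in data."""
    return sorted(name for name, sig in signatures.items() if sig in data)

def false_matches(signatures, clean_programs) -> dict:
    """Test each signature against known-good software; a signature that matches
    a clean program would cause false positives and must not be shipped."""
    return {name: [p for p, data in clean_programs.items() if sig in data]
            for name, sig in signatures.items()
            if any(sig in data for data in clean_programs.values())}

def baseline_hashes(programs) -> dict:
    """Record the SHA-256 of every known-good program while the system is clean."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in programs.items()}

def changed_programs(programs, baseline) -> list:
    """Report programs whose current hash no longer matches the baseline
    (a program missing from the baseline is also reported)."""
    return sorted(name for name, data in programs.items()
                  if hashlib.sha256(data).hexdigest() != baseline.get(name))

def demo():
    """Infect one program with the known sample and one with an unknown variant."""
    baseline = baseline_hashes(CLEAN_PROGRAMS)
    infected = dict(CLEAN_PROGRAMS)
    infected["ls"] = CLEAN_PROGRAMS["ls"] + SIGNATURES["demo-virus-A"]
    infected["cat"] = CLEAN_PROGRAMS["cat"] + b"\xeb\x0e\x90\x90DEMOVIRUSB"  # no signature yet
    sig_hits = {}
    for name, data in infected.items():
        hits = scan_signatures(data)
        if hits:
            sig_hits[name] = hits
    # Signatures find only the known sample; the hash check finds both changes.
    return sig_hits, changed_programs(infected, baseline)

if __name__ == "__main__":
    print(demo())
```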

Extra resources