Viruses
Virus type
Stealth virus
- Virus takes active steps to conceal infection from antivirus
- 📝 Characteristic behaviors
- Restores original file timestamp
- Intercepts system calls to play back original information of file to e.g.
- change system libraries to hide its existence from antiviruses
- run the rootkit
Tunneling virus
- Backtracks interrupt chain to go directly to DOS and BIOS interrupt handlers
- Avoids monitoring
- Kernel software protected in other OS
- Legacy, was only possible in MS-DOS
Logic Bomb virus
- Not self-replicating, zero population growth, possibly parasitic
- Consists of
- Payload
- An action to be performed
- Trigger
- Boolean condition to be executed
- E.g. if Bob is not getting paid then delete the cloudarchitecture.io website
Polymorphic virus
- 📝 Modifies their payload to avoid signature detection
- Mutates its payload and usually encrypts it.
- Can hide file changes against simple checksums
Metamorphic virus
- Viruses that can reprogram/rewrite itself.
- In polymorphic virus, the mutation engine is always the same while payload is mutated, metamorphic virus can also mutate its own mutation engine.
- Usually
- Inserts dead code
- Reshapes the expressions
- Reorders instructions
- Encrypts program code
- Modifies the program control structure
- E.g. Win32/Simile and Zmist
Macro virus
- Changes or creates new macro for MS Office products
- 📝 Macros
- Code that is part of documents.
- Used extensively in MS Office Tools
- Written in or translated to Visual Basic for Applications (VBA) code
- Macro language: a programming language which is embedded inside a software application
- Protective strategies
- Later versions of MS Office have security levels for execution of macros
- Level high only executes signed macros
- MS Office provides warnings when files contain macros
- Later versions of MS Office have security levels for execution of macros
- E.g. Concept, first macro virus for Microsoft Word (1995-1997)
- Infects Word's global document-template
NORMAL.DOT
- Creates
PayLoad
andFileSaveAs
macros - Infects all documents saved with the Save As command
- Infects Word's global document-template
- E.g. Laroux, first macro virus for Microsoft Excel (1996)
- Consists of
auto_open
andcheck_files
auto_open
executes whenever an infected spreadsheet is opened, followed bycheck_files
- Virus looks for
PERSONAL.XLS
- Virus contains no malicious payload
- Consists of
File infectors
- Virus infects executables
Appending virus
- At the end
- To get control
- Save original instruction in code
- Replace by jump to viral code
- Execute virus
- Restore original instruction and jump to them
- or run original instruction at saved location followed by jump to the rest of the code
Overwriting file virus
- 📝 Also known as cavity virus or spacefiller virus
- 📝 Houses itself in target files without altering their size.
- Virus gets control in normal execution of file
- Placement Strategies
- Place virus in superfluous data
- Place virus in file slack or unused allocated file space
- Stash overwritten contents in a companion file
- Compress (parts of) the original file, decompress
- E.g. Lehigh (an early DOS virus)
Inserting virus
- Move target code out of way
- Intersperse small pieces of virus with infected file
Companion virus
- Virus gets executed before infected file
- Infected file barely changed
- Examples
- Change name of target file
- Copy
notepad.exe
tonotepad.exp
- Virus is in new
notepad.exe
, which callsnotepad.exp
- Copy
- Virus placed earlier in search path
notepad.exe
in a different directory than realnotepad.exe
notepad.com
is executed beforenotepad.exe
- Use Windows registry to change association for
.exe
files - Change interpreter in ELF files
- Typically the run-time linker, but now virus
- Associate icon of target with virus
- Change name of target file
Boot sector infectors
- Contains code that runs when a system starts up.
- Also known as boot sector virus
- 📝 Copies itself into the MBR or VBR on hard disk
- Typically after making copy of MBR in a "safe location"
- Extinct in the wild
- Floppies are rarely used to boot, disabling the propagation mechanism
- OS prevent writing to a disk's boot sector without proper authorization
- BIOS can enable boot block protection
- E.g. Michelangelo (1991)
- Moves original boot sector to safe location
- Infects all floppy disks inserted into computer
- Payload: overwrites file system with zeroes
- E.g. Stoned Virus (1988)
- Infects 360KB diskettes and MBR
- Many variants
- Payload: Shows "Your PC is now stoned!"
Boot record types
- Volume Boot Record
- First sector of an unpartitioned storage device
- First sector of an individual partition
- Master Boot Record
- First sector of data storage device that has been partitioned
Booting
- Bootstrap loader
- Loads software to start OS
- Multi-stage bootstrap loader
- Boot sequence on IBM-PC
- Runs instruction at memory location F000:FFF0 of BIOS
- Jumps to execution of BIOS startup program
- Executes Power-On Self-Test (POST)
- Checks, initializes devices
- Goes through preconfigured list of devices
- If it finds bootable device, loads, and executes boot sector
- Assume MBR on hard drive
- MBR contains address of bootable partition
- Load boot sector of bootable partition
- Boot sector moves OS kernel into memory and starts it
Multipartite viruses
- Also known as hybrid virus
- 📝 Combines file infectors and boot record infectors
- Re-infects a system repeatedly
- In order for it to be eradicated, the whole virus has to be removed from the system
- E.g. Ghostball, first multipartite virus (1989)
- Infects both executable .COM-files and boot sectors.
Other virus types
- Camouflage virus: Disguise as legit files.
- Network: Spreads via network shares.
- Shell virus
- Like boot sector but wrapped around application code, and run on application start.
- Sparse infector
- Only fire when a specific condition is met
- E.g. a virus which infects only the 20th time a file is executed.