Computer Viruses: from theory to applications (eBook)

Preface 7
Contents 15
List of Figures 21
List of Tables 23
Genesis and Theory of Computer Viruses 25
1 Introduction 27
2 The Formalization Foundations: from Turing to von Neumann (1936 – 1967) 31
2.1 Introduction 31
2.2 Turing Machines 32
2.2.1 Turing Machines and Recursive Functions 33
2.2.2 Universal Turing Machine 37
2.2.3 The Halting Problem and Decidability 39
2.2.4 Recursive Functions and Viruses 41
2.3 Self-reproducing Automata 43
2.3.1 The Mathematical Model of Von Neumann Automata 44
2.3.2 Von Neumann’s Self-reproducing Automaton 52
2.3.3 The Langton’s Self-reproducing Loop 55
3 F. Cohen and L. Adleman’s Formalization (1984 – 1989) 63
3.1 Introduction 63
3.2 Fred Cohen’s Formalization 65
3.3 Leonard Adleman’s Formalization 89
3.4 Conclusion 101
Exercises 102
Study Projects 104
4 Taxonomy, Techniques and Tools 105
4.1 Introduction 105
4.2 General Aspects of Computer Infection Programs 107
4.3 Non Self-reproducing Malware (Epeian) 122
4.4 How Do Viruses Operate? 127
4.5 Virus and Worms Classification 146
4.5.1 Viruses Nomenclature 146
4.6 Tools in Computer Virology 171
Exercises 173
5 Fighting Against Viruses 175
5.1 Introduction 175
5.2 Protecting Against Viral Infections 177
5.2.1 Antiviral Techniques 179
5.2.2 Assessing of the Cost of Viral Attacks 187
5.2.3 Computer Hygiene Rules 188
5.2.4 What To Do in Case of a Malware Attack 191
5.2.5 Conclusion 194
5.3 Legal Aspects Inherent to Computer Virology 196
5.3.1 The Current Situation 196
5.3.2 Evolution of The Legal Framework: The Law Dealing With 199
Learning Computer Viruses by Programming 203
6 Introduction 205
7 Computer Viruses in Interpreted Programming Language 209
7.1 Introduction 209
7.2 Design of a Shell Bash Virus under Linux 210
7.2.1 Fighting Overinfection 212
7.2.2 Anti-antiviral Fighting: Polymorphism 214
7.2.3 Increasing the 218
7.2.4 Including a Payload 220
7.3 Some Real-world Examples 221
7.4 Conclusion 227
Exercises 227
Study Projects 228
8 Companion Viruses 231
8.1 Introduction 231
8.2 The companion virus 234
8.2.1 Analysis of the Virus 235
8.2.2 Weaknesses and Flaws of the 243
8.3 Optimized and Stealth Versions of the Vcomp ex Virus 245
8.4 The Vcomp ex v3 Companion Virus 262
8.5 A Hybrid Companion Virus: the Virus Case 265
8.6 Conclusion 273
Exercises 273
Study Projects 277
9 Worms 281
9.1 Introduction 281
9.2 The Internet Worm 283
9.3 IIS Worm Code Analysis 290
9.4 Xanax Worm Code Source Analysis 310
9.5 Analysis of the UNIX.LoveLetter Worm 331
9.6 Conclusion 340
Exercises 341
Study Projects 343
Computer Viruses and Applications 345
10 Introduction 347
11 Computer Viruses and Applications 351
11.1 Introduction 351
11.2 The State of the Art 354
11.3 Fighting against Crime 364
11.4 Environmental Cryptographic Key Generation 366
11.5 Conclusion 371
Exercises 372
12 BIOS Viruses 373
12.1 Introduction 373
12.2 bios Structure and Working 375
12.3 vbios Virus Description 381
12.4 Installation of vbios 386
12.5 Future Prospects and Conclusion 388
13 Applied Cryptanalysis of Cipher Systems: The ymun20 Virus 391
13.1 Introduction 391
13.2 General Description of Both the Virus and the Attack 393
13.3 Detailed Analysis of the Virus 397
13.3.1 The Attack Context 397
13.3.2 The ymun20-V1 Virus 399
13.4 Conclusion 404
Study Project 404
Conclusion 407
14 Conclusion 409
References 415
Index 423

5 Fighting Against Viruses (p. 151-152)

5.1 Introduction

The purpose of this chapter is to make a survey of the di.erent techniques which are currently used to defend against viruses. These techniques, though efficient, do not remove all the risks but will at best limit them. That is the reason why it is illusive to solely base an antiviral protection policy on the use of an antivirus software, how e.cient it may be. We will present therefore the main computer "hygiene rules" which can be very e.ective when properly applied and judiciously combined with an antivirus software. Most of these rules are derived from the security models defined during the eighties.

The issue behind defense against viral infections (prevention, detection, eradication) is far more tricky to address and to deal with than it seems, beyond the theoretical results presented in Chapter 3. We will just consider these two following aspects, at least to illustrate our comments.

• The first aspect is the notion of protection. The latter is only valid with reference to a speci.c environment, speci.c tests or techniques... The theoretical complexity of viral detection compels us in practice to use probabilistic and statistical techniques which have their inherent error probalilities2. To make things clear, if the environment of reference and techniques change, the defense against viruses is bound to fail unless these new changes are taken into account. It is precisely this weakness that the virus writer will exploit. No single defense is best for all situations.

• The second aspect is to assess the reliability of antiviral techniques properly, beyond the error probabilities discussed in the last point. Let us consider the following accurate attack scenario: let us assume that my antiviral program detects the B variant of a given worm. To what extent shall I trust it? Will this antiviral program be able to detect a potential B variant, which is similar in every respect to the B variant (that it will detect as such) in which a logic bomb or a Trojan horse has been carefully hidden, in such a way that it will be installed before the worm is detected? Despite the fact that the disinfection has been successfully performed, this additional malware which has been installed and has evolved in an independent way before the eradication of its viral carrier may still be active and may have become indetectable (let us recall that its viral vector has been eradicated). Obviously, my antiviral program has done its job. The user now feels relieved, convinced that the danger is over. Let us examine the following scenario. Imagine an attacker wants to infect my computer. He is likely to choose a worm or virus that my antiviral software generally e.ciently detects and eradicates, but he will add a payload (for instance, after analysing my antiviral program) in a non discriminating way (the antiviral program will be unable to distinguish this version from the early one). Let us now consider the case of companies or public institutions, in which a targeted attack has been launched at two different levels. The antiviral program will simply detect the first level of the attack, but will fail to detect the second one. What is going on then? In fact, the antiviral program will act just as it was programmed. Certainty can only be gained from viral code analysis. Now this analysis is mostly performed at an early stage to update the product but in the absence of any good reason, this analysis is unlikely to be done again at a later stage. For instance, if the logic bomb of the attacker remained undetected, there are no grounds for performing such an analysis.