![Auto start
• Folder auto-start : C:Documents and Settings[user_name]Start
MenuProgramsStartup
• Win.ini : run=[backdoor]" or
"load=[backdoor]".
• System.ini : shell=”myexplorer.exe”
• Wininit
• Config.sys](https://image.slidesharecdn.com/10-malware-230214170157-62471673/85/10-malware-ppt-26-320.jpg)
10-malware.ppt
- 1. Malware CS155 Spring 2009 Elie Bursztein
- 2. Welcome to the zoo • What malware are • How do they infect hosts • How do they hide • How do they propagate • Zoo visit ! • How to detect them • Worms
- 3. What is a malware ? A Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do.
- 4. What it is good for ? • Steal personal information • Delete files • Click fraud • Steal software serial numbers • Use your computer as relay
- 5. A recent illustration • Christians On Facebook • Leader hacked on march 2009 • Post Islamic message • Lost >10 000 members
- 6. The Malware Zoo • Virus • Backdoor • Trojan horse • Rootkit • Scareware • Adware • Worm
- 7. What is a Virus ? a program that can infect other programs by modifying them to include a, possibly evolved, version of itself Fred Cohen 1983
- 8. Some Virus Type • Polymorphic : uses a polymorphic engine to mutate while keeping the original algorithm intact (packer) • Methamorpic : Change after each infection
- 9. What is a trojan A trojan describes the class of malware that appears to perform a desirable function but in fact performs undisclosed malicious functions that allow unauthorized access to the victim computer Wikipedia
- 10. What is rootkit A root kit is a component that uses stealth to maintain a persistent and undetectable presence on the machine Symantec
- 11. What is a worm A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes and do so without any user intervention.
- 12. Almost 30 years of Malware From Malware fighting m
- 13. History • 1981 First reported virus : Elk Cloner (Apple 2) • 1983 Virus get defined • 1986 First PC virus MS DOS • 1988 First worm : Morris worm • 1990 First polymorphic virus • 1998 First Java virus • 1998 Back orifice • 1999 Melissa virus • 1999 Zombie concept • 1999 Knark rootkit • 2000 love bug Melissa spread by email and share Knark rootkit made by creed demonstrate the first ideas love bug vb script that abused a weakness in outlook Kernl intrusion by optyx gui and efficent hidding mechanims
- 14. Number of malware signatures Symantec report 2009
- 15. Malware Repartition Panda Q1 report 2009
- 17. Outline • What malware are • How do they infect hosts • How do they propagate • Zoo visit ! • How to detect them • Worms
- 18. What to Infect • Executable • Interpreted file • Kernel • Service • MBR • Hypervisor
- 25. Packer functionalities • Compress • Encrypt • Randomize (polymorphism) • Anti-debug technique (int / fake jmp) • Add-junk • Anti-VM • Virtualization
- 26. Auto start • Folder auto-start : C:Documents and Settings[user_name]Start MenuProgramsStartup • Win.ini : run=[backdoor]" or "load=[backdoor]". • System.ini : shell=”myexplorer.exe” • Wininit • Config.sys
- 27. Auto start cont. • Assign know extension (.doc) to the malware • Add a Registry key such as HKCUSOFTWAREMicrosoftWindows CurrentVersionRun • Add a task in the task scheduler • Run as service
- 28. Unix autostart • Init.d • /etc/rc.local • .login .xsession • crontab • crontab -e • /etc/crontab
- 29. Macro virus • Use the builtin script engine • Example of call back used (word) • AutoExec() • AutoClose() • AutoOpen() • AutoNew()
- 30. Document based malware • MS Office • Open Office • Acrobat
Editor's Notes
- #27: more like autoexec.bat etc