THE ART OF COMPUTER VIRUS RESEARCH AND DEFENSE [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

THE ART OF COMPUTER VIRUS RESEARCH AND DEFENSE [Electronic resources] - نسخه متنی

Peter Szor

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

  • Acknowledgments

    Contact Information

    Part I. STRATEGIES OF THE ATTACKER

    Chapter 1. Introduction to the Games of Nature

    Section 1.1. Early Models of Self-Replicating Structures

    Section 1.2. Genesis of Computer Viruses

    Section 1.3. Automated Replicating Code: The Theory and Definition of Computer Viruses

    References

    Chapter 2. The Fascination of Malicious Code Analysis

    Section 2.1. Common Patterns of Virus Research

    Section 2.2. Antivirus Defense Development

    Section 2.3. Terminology of Malicious Programs

    Section 2.4. Other Categories

    Section 2.5. Computer Malware Naming Scheme

    Section 2.6. Annotated List of Officially Recognized Platform Names

    References

    Chapter 3. Malicious Code Environments

    Section 3.1. Computer Architecture Dependency

    Section 3.2. CPU Dependency

    Section 3.3. Operating System Dependency

    Section 3.4. Operating System Version Dependency

    Section 3.5. File System Dependency

    Section 3.6. File Format Dependency

    Section 3.7. Interpreted Environment Dependency

    Section 3.8. Vulnerability Dependency

    Section 3.9. Date and Time Dependency

    Section 3.10. JIT Dependency: Microsoft .NET Viruses

    Section 3.11. Archive Format Dependency

    Section 3.12. File Format Dependency Based on Extension

    Section 3.13. Network Protocol Dependency

    Section 3.14. Source Code Dependency

    Section 3.15. Resource Dependency on Mac and Palm Platforms

    Section 3.16. Host Size Dependency

    Section 3.17. Debugger Dependency

    Section 3.18. Compiler and Linker Dependency

    Section 3.19. Device Translator Layer Dependency

    Section 3.20. Embedded Object Insertion Dependency

    Section 3.21. Self-Contained Environment Dependency

    Section 3.22. Multipartite Viruses

    Section 3.23. Conclusion

    References

    Chapter 4. Classification of Infection Strategies

    Section 4.1. Boot Viruses

    Section 4.2. File Infection Techniques

    Section 4.3. An In-Depth Look at Win32 Viruses

    Section 4.4. Conclusion

    References

    Chapter 5. Classification of In-Memory Strategies

    Section 5.1. Direct-Action Viruses

    Section 5.2. Memory-Resident Viruses

    Section 5.3. Temporary Memory-Resident Viruses

    Section 5.4. Swapping Viruses

    Section 5.5. Viruses in Processes (in User Mode)

    Section 5.6. Viruses in Kernel Mode (Windows 9x/Me)

    Section 5.7. Viruses in Kernel Mode (Windows NT/2000/XP)

    Section 5.8. In-Memory Injectors over Networks

    References

    Chapter 6. Basic Self-Protection Strategies

    Section 6.1. Tunneling Viruses

    Section 6.2. Armored Viruses

    Section 6.3. Aggressive Retroviruses

    References

    Chapter 7. Advanced Code Evolution Techniques and Computer Virus Generator Kits

    Section 7.1. Introduction

    Section 7.2. Evolution of Code

    Section 7.3. Encrypted Viruses

    Section 7.4. Oligomorphic Viruses

    Section 7.5. Polymorphic Viruses

    Section 7.6. Metamorphic Viruses

    Section 7.7. Virus Construction Kits

    References

    Chapter 8. Classification According to Payload

    Section 8.1. No-Payload

    Section 8.2. Accidentally Destructive Payload

    Section 8.3. Nondestructive Payload

    Section 8.4. Somewhat Destructive Payload

    Section 8.5. Highly Destructive Payload

    Section 8.6. DoS (Denial of Service) Attacks

    Section 8.7. Data Stealers: Making Money with Viruses

    Section 8.8. Conclusion

    References

    Chapter 9. Strategies of Computer Worms

    Section 9.1. Introduction

    Section 9.2. The Generic Structure of Computer Worms

    Section 9.3. Target Locator

    Section 9.4. Infection Propagators

    Section 9.5. Common Worm Code Transfer and Execution Techniques

    Section 9.6. Update Strategies of Computer Worms

    Section 9.7. Remote Control via Signaling

    Section 9.8. Intentional and Accidental Interactions

    Section 9.9. Wireless Mobile Worms

    References

    Chapter 10. Exploits, Vulnerabilities, and Buffer Overflow Attacks

    Section 10.1. Introduction

    Section 10.2. Background

    Section 10.3. Types of Vulnerabilities

    Section 10.4. Current and Previous Threats

    Section 10.5. Summary

    References

    Part II. STRATEGIES OF THE DEFENDER

    Chapter 11. Antivirus Defense Techniques

    Section 11.1. First-Generation Scanners

    Section 11.2. Second-Generation Scanners

    Section 11.3. Algorithmic Scanning Methods

    Section 11.4. Code Emulation

    Section 11.5. Metamorphic Virus Detection Examples

    Section 11.6. Heuristic Analysis of 32-Bit Windows Viruses

    Section 11.7. Heuristic Analysis Using Neural Networks

    Section 11.8. Regular and Generic Disinfection Methods

    Section 11.9. Inoculation

    Section 11.10. Access Control Systems

    Section 11.11. Integrity Checking

    Section 11.12. Behavior Blocking

    Section 11.13. Sand-Boxing

    Section 11.14. Conclusion

    References

    Chapter 12. Memory Scanning and Disinfection

    Section 12.1. Introduction

    Section 12.2. The Windows NT Virtual Memory System

    Section 12.3. Virtual Address Spaces

    Section 12.4. Memory Scanning in User Mode

    Section 12.5. Memory Scanning and Paging

    Section 12.6. Memory Disinfection

    Section 12.7. Memory Scanning in Kernel Mode

    Section 12.8. Possible Attacks Against Memory Scanning

    Section 12.9. Conclusion and Future Work

    References

    Chapter 13. Worm-Blocking Techniques and Host-Based Intrusion Prevention

    Section 13.1. Introduction

    Section 13.2. Techniques to Block Buffer Overflow Attacks

    Section 13.3. Worm-Blocking Techniques

    Section 13.4. Possible Future Worm Attacks

    Section 13.5. Conclusion

    References

    Chapter 14. Network-Level Defense Strategies

    Section 14.1. Introduction

    Section 14.2. Using Router Access Lists

    Section 14.3. Firewall Protection

    Section 14.4. Network-Intrusion Detection Systems

    Section 14.5. Honeypot Systems

    Section 14.6. Counterattacks

    Section 14.7. Early Warning Systems

    Section 14.8. Worm Behavior Patterns on the Network

    Section 14.9. Conclusion

    References

    Chapter 15. Malicious Code Analysis Techniques

    Section 15.1. Your Personal Virus Analysis Laboratory

    Section 15.2. Information, Information, Information

    Section 15.3. Dedicated Virus Analysis on VMWARE

    Section 15.4. The Process of Computer Virus Analysis

    Section 15.5. Maintaining a Malicious Code Collection

    Section 15.6. Automated Analysis: The Digital Immune System

    References

    Chapter 16. Conclusion

    Further Reading

    Index

    •
    توضیحات
    افزودن یادداشت جدید











  • 9.5. Common Worm Code Transfer and Execution Techniques


    Computer worms also differ how they propagate the worm's code from one system to another. Most computer worms simply propagate their main body as an attachment in an e-mail. However, other types of worms utilize different methods, such as injected code and shellcode techniques in conjunction with exploit code, to attack another system.

    9.5.1. Executable CodeBased Attacks


    E-mail can be encoded in various ways, such as UU, BASE64 (MIME), and so on. However, the UU-encoded attachments are not very reliable over the Internet because UU uses some special characters whose interpretation depends on the context. Nowadays, most e-mail clients use MIME-encoded attachments by defaultand that is how most e-mail worms' SMTP client engines transfer themselves to new targets. Script e-mail worms usually send attachments encoded according to the settings of the e-mail client on the compromised system.

    9.5.2. Links to Web Sites or Web Proxies


    Computer worms also can send links to executables hosted elsewhere, such as a single Web site, a set of Web sites, or an FTP location. The actual message on IRC or in e-mail might not have any malicious content in it directlybut infects indirectly. One problem with this kind of attack is the possibility of an accidental DoS attack against the system that hosts the worm's code. Another potential pitfall is that the defender can easily contact Internet service providers to request they disconnect such sites, preventing further propagation of the computer worm.

    Tricky worms send links with the IP address of an already compromised system. First, the worm compromises a machine and opens a crude Web server on the system. Then it sends messages to other users, using the IP address of the machine with the port on which the worm itself is listening for a GET request. In this way, the worm attack becomes peer-to-peer, as Figure 9.8 illustrates. Such computer worms might be able to bypass content filtering easily if the content-filtering rule is based on attachment filtering.

    Figure 9.8. Tricky worms send links in e-mails instead of their own copy.

    MS03-032 bulletin) to download and execute the hosted worm executable on the target automatically.30 worm arrives on a new system, it acts as a crude local Web server on port 8180, hosting a Web page that instructs the user to download and run a program, which is the worm body itself. The worm tricks Instant Messenger users by sending them a link that looks like the following:


    FREE PORN: http://free:porn@192.168.0.1:8180

    where the IP address is the address of an infected system.

    9.5.3. HTML-Based Mail


    The e-mail can even b169 mail-based. Disablin171 support in your e-mail client reduces your chance of exposure to at least some of these threats, such as VBS/Bubbleboy. This worm is described in Chapter 10.

    9.5.4. Remote Login-Based Attacks


    On UNIX-like systems, commands such as rsh, rlogin, rcp, and rexec can be used directly by computer worms. Using such commands, worms can execute themselves on remote systems if the attacked system is not secured or if the password is guessed with a dictionary attack or similar method. Usually, such worms make a copy of their code directly to the remote system and execute themselves via the remote execution facilities.

    On Windows systems, worms like JS/Spida can take advantage of vulnerable Microsoft SQL servers. Spida scans for remote Microsoft SQL server systems on port 1433 and tries to execute itself remotely with the following assumptions:

    • The Microsoft SQL server runs in Administrative mode.

    • The "sa" Microsoft SQL server account has no password set.


    The worm takes advantage of the xp_cmdshell function to execute system commands to run the worm on the remote machine.

    9.5.5. Code Injection Attacks


    A more advanced attack requires exploitation of a target with direct code injection over the network. As traditional buffer overflows are getting more difficult to exploit, attackers are increasingly interested in exploiting server-side vulnerabilities related to a lack of input validation. For example, the Perl/Santy worm utilizes Google to find vulnerable Web sites and runs its own Perl script via a vulnerability in the phpBB bulletin board software. This worm successfully defaced tens of thousands of Web sites on December 21 of 2004. Depending on the thread model of the vulnerable target server, one of the following actions will happen:

    • A new thread is created at the start of the server.

    • A new thread is created upon each incoming request.


    Furthermore, depending on the context of the hijacked thread, the worm

    • Runs in SYSTEM context with high privileges.

    • Runs in the context of a user with either high or low privileges that the worm might be able to escalate.


    These preconditions are often reflected in the worm's operation. When, for example, W32/Slammer exploits a vulnerable Microsoft SQL server, the worm hijacks a thread that was executed at the start of the server. Thus the operations associated with the hijacked thread will be paralyzed because new incoming requests will not be resolved. In addition, the server process and the entire system is heavily overloaded because the worm never stops sending itself to new targets.Chapter 10 from the point of view of exploitation. Figure 9.9 illustrates this.

    Figure 9.9. A typical one-way code injection attack.

    [View full size image]

    In some cases, the injected code creates a new user account on the target that can be used by the attacker to log in to the system remotely.

    Another interesting example of a code injection attack is the W32/Lespaul@mm worm. This worm takes advantage of a vulnerability in Eudora 5 that can be exploited by sending a malformed boundary tag.

    Lespaul is a mass-mailer worm, but just like CodeRed or Slammer, it injects its code directly into the vulnerable Eudora 5 process. The worm does not send an attachment to the recipient; instead, it propagates itself as the mail body. It can appear in the Eudora mailbox as part of an e-mail message featuring an overly long header field; however, its code is never saved into a standalone executable at any point in order to be executed.

    9.5.6. Shell CodeBased Attacks


    Another class of computer worms utilize shell code on the target machine. The basic idea is to run a command prompt on the remote system, such as cmd.exe (on Windows) or /bin/sh (on UNIX) via the exploit code. Consider Figure 9.10 for an illustration.

    Figure 9.10. A typical shell codebased attack.

    [View full size image]

    The worm follows these steps:


    1.

    It injects code into a remote process and binds a specific port to the process. The exploited process starts to listen on the port.

    2.

    The worm attempts to connect to the listening port.

    3.

    If the connection to the port is successful, the previously injected shellcode executes a command prompt and binds that process to the same port that the attacker is using.

    4.

    Finally, the worm can start to send commands to the shell.


    An example of such a worm is W32/Blaster.

    Shellcode-based attacks are typically more common on UNIX systems than on Windows systems. A few variations exist, such as back-connecting shellcode and shellcode that reuses an existing connection.

    Back-connecting shellcode immediately attempts to connect the target with the attacker by establishing a TCP connection from the target to the attacker's machine. The advantage of this method is that it allows machines behind a firewall to "connect-out" to the attacker system.

    This attack requires the attacker system to listen on a particular port and wait for the shellcode to connect, as shown in Figure 9.11.

    Figure 9.11. A back-connecting shellcode.

    Chapter 15 you can find a traced shellcode of Slapper that illustrates the reused connection better.

    Figure 9.12. A connection-reusing shellcode.

    [View full size image]


      • / 191