Computer viruses, implemented as executables, have enough flexibility when
interfacing with the operating system to replicate in several different ways. In our
experiments we consider three basic types of virus replication:
Overwriting existing files (Overwriting viruses).
Creating new look-alike files (Companion viruses).
Attaching to existing files (Parasitic viruses).
These three types of replication are sorted by simplicity of implementation, with
Overwriting viruses being the simplest. Table 2 presents details for every type, as well
as their simplified replication schemes.
All viruses falling under these categories require low-level access to system
resources and are therefore detectable. However, the categories have to be identified first
and described in terms of the GSR. A way to establish the GSR is to acquire samples of
a real live virus, extract the self-replication behavior and process the leads. Viral behavior
acquisition was done in an isolated, controlled environment running the Windows XP
operating system, under surveillance of our system call monitoring system. Apart from
maintaining a sufficient system security level, one of the acquisition problems we
encountered was the elimination of noise from other concurrently running processes.
The most suitable solution found was to introduce a per-process monitoring and
detection scheme, where every signal detected by the monitor gets traced back to its
origin, the process ID. Therefore, every signal is associated with a unique process so
that signals coming from different sources do not mix.
As an example virus with parasitic behavior, we consider a classic internet worm
“I-Worm.Xanax”. This is a small worm, capable of replicating onto Windows system
executable files. When executed, the worm searches for .EXE files in the Windows
directory and replicates onto them while changing the entry point of the file. The virus
follows the replication algorithm accordingly, and makes a total of 639 calls to the
operating system. As it passes through the monitor, we observe some replication
related activity among many other calls, such as self-access, which begins by opening the
source directory “Virlab” on local disk “C”:
NtOpenFile 100020h, {24, 0, 42h, 0, 0,
"\??\c:\Virlab\"}, 3, 33 ... 12, 0h, 1) result = 0
The execution of this call completed successfully, introducing a new directory
handle. Later, this handle is used when accessing the contents of this directory.
Indeed, after throwing some garbage into the system, the virus invokes another
suspicious command by trying to open itself for reading:
NtCreateFile 80100080h, {24, 12, 42h, 0, 1243404,
"xanax.exe"}, 0h, 128, 3, 1, 96, 0, 0 ... 68, 0h,
1) result = 0
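The two calls above, bound per process into a File Access Block on the directory handle that the first call returns and the second call consumes, as an added example (not code from the paper or its monitor): the PIDs and the third trace line are constructed, and the field layout of the monitor's output is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed per-process trace modelled on the two calls quoted above (PIDs are
# made up). Assumed monitor layout: inside the {...} object-attribute group the
# second field is the root-directory handle, and the first number after "..." is
# the handle the call returned.
TRACE = [
    (1234, 'NtOpenFile 100020h, {24, 0, 42h, 0, 0, "\\??\\c:\\Virlab\\"}, 3, 33 ... 12, 0h, 1) result = 0'),
    (1234, 'NtCreateFile 80100080h, {24, 12, 42h, 0, 1243404, "xanax.exe"}, 0h, 128, 3, 1, 96, 0, 0 ... 68, 0h, 1) result = 0'),
    # Same root handle value but a different process: must NOT bind to PID 1234's directory.
    (5678, 'NtCreateFile 80100080h, {24, 12, 42h, 0, 1243404, "other.exe"}, 0h, 128, 3, 1, 96, 0, 0 ... 70, 0h, 1) result = 0'),
]

CALL_RE = re.compile(
    r'(\w+) [^{]*\{(\d+), (\d+), [^"]*"([^"]*)"\}.*?\.\.\. (\d+), .*result = (\d+)')

@dataclass
class FileAccessBlock:
    pid: int
    directory: str
    dir_handle: int
    filename: str
    file_handle: int

def parse_call(line):
    """Return (call, root_handle, object_name, returned_handle, status) or None."""
    m = CALL_RE.match(line)
    if not m:
        return None
    name, _length, root, objname, handle, status = m.groups()
    return name, int(root), objname, int(handle), int(status)

def bind_file_access_blocks(trace):
    """Bind NtOpenFile (directory) and NtCreateFile (file under that directory)
    into File Access Blocks, keyed per process so that handles coming from
    different processes never mix."""
    dir_handles = {}   # (pid, handle) -> directory name
    blocks = []
    for pid, line in trace:
        parsed = parse_call(line)
        if parsed is None:
            continue
        name, root, objname, handle, status = parsed
        if status != 0:    # only a successful call introduces a new handle
            continue
        if name == "NtOpenFile":
            dir_handles[(pid, handle)] = objname
        elif name == "NtCreateFile" and (pid, root) in dir_handles:
            blocks.append(FileAccessBlock(pid, dir_handles[(pid, root)], root, objname, handle))
    return blocks
```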
Once again, upon successful execution, a new handle, #68, is created, which points to
the file itself. According to our definition of the structure for the GSR, we may bind these two
calls and form a larger structure representing a File Access Block. These calls are
bound by several important parameters, such as the directory handle and the
input flags shown in grey above. When bound, the new structure inherits input