[Figure 7, plot: sample legitimate code activity graph over 240 points. X axis: System Call # (0 to 300). Y axis: activity level 0 to 4, labelled Level 0: Normal activity; Level 1: Code generation; Level 2: Code integration; Level 3: Ready for transmission; Level 4: Replication occurred. Three marked attempts (Attempt #1, Attempt #2, Attempt #3).]
Fig. 7. Sample legitimate code activity graph, 240 points (3 attempts)
5.1 Replication over the Local Network and the Internet
Ever since computers started communicating with each other over local networks,
virus writers have exploited this feature. Indeed, networking opens endless
possibilities for a virus to replicate itself to as many computer systems as it possibly
can within the network, instead of infecting only a limited number of files on a host
machine. Such remote replication is possible through the use of specific network
protocols administered by the operating system.
Theoretically speaking, replication over the network is almost identical to local
replication; the only difference is that the computer virus must first
enumerate the available network resources before it can access target files on a remote
computer. Therefore, the complete replication algorithm of a parasitic virus,
which attaches itself to an existing file by injecting its code into the body of the
executable and replacing the code entry point, would look as follows:
1. Open “Virus.exe”
2. Read “Virus.exe” Code
3. Enumerate network resources
4. Open remote “Host.exe”
5. Inject Code into “Host.exe”
6. Patch “Host.exe” Entry point
Hence, only one additional block, describing network resource enumeration, has to be added
to the Gene's syntax for the detector to recognize this behavior.
However, enumeration can be accomplished in several different ways, such as:
Sockets
Remote Procedure Calls
Named pipes
NetBIOS
Other networking APIs
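The following is an added illustration, not the paper's own detector or gene syntax: a minimal gene matcher that walks a system-call trace through the six-step parasitic replication sequence above, where the enumeration block accepts any of several alternative networking calls. The call names, the trace format and both sample traces are constructed for the example.

```python
# Added example: behaviour-gene matching over a system-call trace.
# Gene grammar, call names and traces are constructed, not the paper's.

SELF_IMAGE = r"C:\Users\a\virus.exe"  # constructed path of the running image

# A gene is an ordered list of blocks: (block name, set of calls that can
# realise it, required target kind). "enum_network" is one block with many
# alternative realisations (sockets, RPC, named pipes, NetBIOS, ...).
PARASITIC_NET_GENE = [
    ("open_self",    {"open_file"},                                   "self"),
    ("read_self",    {"read_file"},                                   "self"),
    ("enum_network", {"net_enum_resources", "net_share_enum", "rpc_bind",
                      "named_pipe_connect", "netbios_call", "socket_connect"}, None),
    ("open_remote",  {"open_file"},                                   "remote"),
    ("inject_code",  {"write_file"},                                  "remote"),
    ("patch_entry",  {"set_entry_point"},                             "remote"),
]

def target_kind(target, self_image=SELF_IMAGE):
    """Classify a call target as the process's own image, a UNC path, or local."""
    if target == self_image:
        return "self"
    return "remote" if target.startswith("\\\\") else "local"

def match_gene(trace, gene=PARASITIC_NET_GENE, self_image=SELF_IMAGE):
    """Return (blocks matched, list of (block, call) that matched).
    Calls that are not the next expected block are skipped, since a
    replicator may interleave ordinary activity between its steps."""
    stage, steps = 0, []
    for call, target in trace:
        if stage == len(gene):
            break
        name, calls, want = gene[stage]
        if call in calls and (want is None or target_kind(target, self_image) == want):
            steps.append((name, call))
            stage += 1
    return stage, steps

def is_replication(trace, gene=PARASITIC_NET_GENE, self_image=SELF_IMAGE):
    """Only the complete sequence counts; partial progress is an 'attempt'."""
    return match_gene(trace, gene, self_image)[0] == len(gene)

# Constructed trace: parasitic replicator enumerating via a named pipe.
VIRAL_TRACE = [
    ("open_file", SELF_IMAGE), ("read_file", SELF_IMAGE),
    ("query_registry", r"HKCU\Software\X"),          # benign noise in between
    ("named_pipe_connect", r"\\SRV\pipe\srvsvc"),
    ("open_file", r"\\SRV\share\host.exe"), ("write_file", r"\\SRV\share\host.exe"),
    ("set_entry_point", r"\\SRV\share\host.exe"),
]
# Constructed trace: legitimate tool that hashes its own image, browses
# shares and copies a document, but never patches an entry point.
BENIGN_TRACE = [
    ("open_file", SELF_IMAGE), ("read_file", SELF_IMAGE),
    ("net_share_enum", r"\\SRV"),
    ("open_file", r"\\SRV\share\report.docx"), ("write_file", r"\\SRV\share\report.docx"),
]
```

As in Fig. 7, legitimate activity can climb several levels of the gene; the benign trace reaches five of six blocks, and only the full sequence is reported as replication.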