E-book, English, 412 pages
Series: Collection IRIS
Filiol, Computer Viruses: from theory to applications
1st edition 2006
ISBN: 978-2-287-28099-3
Publisher: Springer Paris
Format: PDF
Copy protection: 1 - PDF Watermark
A precise and exhaustive description of different types of malware from three different points of view, namely the theoretical fundamentals of computer virology, algorithmic and practical aspects of viruses and their potential applications to various areas.
Table of contents (page numbers refer to the PDF edition):

Preface, p. 7
Contents, p. 15
List of Figures, p. 21
List of Tables, p. 23

Genesis and Theory of Computer Viruses, p. 25
  1 Introduction, p. 27
  2 The Formalization Foundations: from Turing to von Neumann (1936 – 1967), p. 31
    2.1 Introduction, p. 31
    2.2 Turing Machines, p. 32
      2.2.1 Turing Machines and Recursive Functions, p. 33
      2.2.2 Universal Turing Machine, p. 37
      2.2.3 The Halting Problem and Decidability, p. 39
      2.2.4 Recursive Functions and Viruses, p. 41
    2.3 Self-reproducing Automata, p. 43
      2.3.1 The Mathematical Model of Von Neumann Automata, p. 44
      2.3.2 Von Neumann's Self-reproducing Automaton, p. 52
      2.3.3 The Langton's Self-reproducing Loop, p. 55
  3 F. Cohen and L. Adleman's Formalization (1984 – 1989), p. 63
    3.1 Introduction, p. 63
    3.2 Fred Cohen's Formalization, p. 65
    3.3 Leonard Adleman's Formalization, p. 89
    3.4 Conclusion, p. 101
    Exercises, p. 102
    Study Projects, p. 104
  4 Taxonomy, Techniques and Tools, p. 105
    4.1 Introduction, p. 105
    4.2 General Aspects of Computer Infection Programs, p. 107
    4.3 Non Self-reproducing Malware (Epeian), p. 122
    4.4 How Do Viruses Operate?, p. 127
    4.5 Virus and Worms Classification, p. 146
      4.5.1 Viruses Nomenclature, p. 146
    4.6 Tools in Computer Virology, p. 171
    Exercises, p. 173
  5 Fighting Against Viruses, p. 175
    5.1 Introduction, p. 175
    5.2 Protecting Against Viral Infections, p. 177
      5.2.1 Antiviral Techniques, p. 179
      5.2.2 Assessing of the Cost of Viral Attacks, p. 187
      5.2.3 Computer Hygiene Rules, p. 188
      5.2.4 What To Do in Case of a Malware Attack, p. 191
      5.2.5 Conclusion, p. 194
    5.3 Legal Aspects Inherent to Computer Virology, p. 196
      5.3.1 The Current Situation, p. 196
      5.3.2 Evolution of The Legal Framework: The Law Dealing With, p. 199

Learning Computer Viruses by Programming, p. 203
  6 Introduction, p. 205
  7 Computer Viruses in Interpreted Programming Language, p. 209
    7.1 Introduction, p. 209
    7.2 Design of a Shell Bash Virus under Linux, p. 210
      7.2.1 Fighting Overinfection, p. 212
      7.2.2 Anti-antiviral Fighting: Polymorphism, p. 214
      7.2.3 Increasing the, p. 218
      7.2.4 Including a Payload, p. 220
    7.3 Some Real-world Examples, p. 221
    7.4 Conclusion, p. 227
    Exercises, p. 227
    Study Projects, p. 228
  8 Companion Viruses, p. 231
    8.1 Introduction, p. 231
    8.2 The companion virus, p. 234
      8.2.1 Analysis of the Virus, p. 235
      8.2.2 Weaknesses and Flaws of the, p. 243
    8.3 Optimized and Stealth Versions of the Vcomp ex Virus, p. 245
    8.4 The Vcomp ex v3 Companion Virus, p. 262
    8.5 A Hybrid Companion Virus: the Virus Case, p. 265
    8.6 Conclusion, p. 273
    Exercises, p. 273
    Study Projects, p. 277
  9 Worms, p. 281
    9.1 Introduction, p. 281
    9.2 The Internet Worm, p. 283
    9.3 IIS Worm Code Analysis, p. 290
    9.4 Xanax Worm Code Source Analysis, p. 310
    9.5 Analysis of the UNIX.LoveLetter Worm, p. 331
    9.6 Conclusion, p. 340
    Exercises, p. 341
    Study Projects, p. 343

Computer Viruses and Applications, p. 345
  10 Introduction, p. 347
  11 Computer Viruses and Applications, p. 351
    11.1 Introduction, p. 351
    11.2 The State of the Art, p. 354
    11.3 Fighting against Crime, p. 364
    11.4 Environmental Cryptographic Key Generation, p. 366
    11.5 Conclusion, p. 371
    Exercises, p. 372
  12 BIOS Viruses, p. 373
    12.1 Introduction, p. 373
    12.2 bios Structure and Working, p. 375
    12.3 vbios Virus Description, p. 381
    12.4 Installation of vbios, p. 386
    12.5 Future Prospects and Conclusion, p. 388
  13 Applied Cryptanalysis of Cipher Systems: The ymun20 Virus, p. 391
    13.1 Introduction, p. 391
    13.2 General Description of Both the Virus and the Attack, p. 393
    13.3 Detailed Analysis of the Virus, p. 397
      13.3.1 The Attack Context, p. 397
      13.3.2 The ymun20-V1 Virus, p. 399
    13.4 Conclusion, p. 404
    Study Project, p. 404

Conclusion, p. 407
  14 Conclusion, p. 409

References, p. 415
Index, p. 423
5 Fighting Against Viruses (p. 151-152)
5.1 Introduction
The purpose of this chapter is to survey the different techniques currently used to defend against viruses. These techniques, though efficient, do not remove all the risks; at best they limit them. That is why it is illusory to base an antiviral protection policy solely on the use of antivirus software, however efficient it may be. We will therefore present the main computer "hygiene rules", which can be very effective when properly applied and judiciously combined with antivirus software. Most of these rules are derived from the security models defined during the eighties.
The problem of defending against viral infections (prevention, detection, eradication) is far trickier to address and to deal with than it seems, even beyond the theoretical results presented in Chapter 3. We will consider only the following two aspects, if only to illustrate our comments.
• The first aspect is the notion of protection. Protection is only valid with reference to a specific environment, specific tests or techniques, and so on. The theoretical complexity of viral detection compels us in practice to use probabilistic and statistical techniques, which have their inherent error probabilities. To make things clear: if the environment of reference and the techniques change, the defense against viruses is bound to fail unless these changes are taken into account. It is precisely this weakness that the virus writer will exploit. No single defense is best for all situations.
• The second aspect is to assess the reliability of antiviral techniques properly, beyond the error probabilities discussed in the previous point. Let us consider the following precise attack scenario: assume that my antiviral program detects the B variant of a given worm. To what extent shall I trust it? Will this antiviral program be able to detect a potential B′ variant, similar in every respect to the B variant (which it will detect as such), in which a logic bomb or a Trojan horse has been carefully hidden so that it is installed before the worm is detected? Even though the disinfection has been successfully performed, this additional malware, which was installed and has evolved independently before the eradication of its viral carrier, may still be active and may have become undetectable (recall that its viral vector has been eradicated). Obviously, my antiviral program has done its job. The user now feels relieved, convinced that the danger is over. Let us examine the following scenario. Imagine an attacker wants to infect my computer. He is likely to choose a worm or virus that my antiviral software generally detects and eradicates efficiently, but he will add a payload (for instance, after analysing my antiviral program) in a non-discriminating way (the antiviral program will be unable to distinguish this version from the earlier one). Let us now consider the case of companies or public institutions, in which a targeted attack has been launched at two different levels. The antiviral program will simply detect the first level of the attack, but will fail to detect the second one. What is going on then? In fact, the antiviral program acts just as it was programmed to. Certainty can only be gained from viral code analysis. Now this analysis is mostly performed at an early stage to update the product, but in the absence of any good reason it is unlikely to be done again at a later stage. For instance, if the logic bomb of the attacker remained undetected, there are no grounds for performing such an analysis.