SlideShare una empresa de Scribd logo

File inflection techniques

Descargar como PPTX, PDF
Sandun Perera
Sandun Perera

File inflection techniques allow computer viruses to infect files by inserting malicious code. Viruses can infect both executable files and data files. Executable files contain code that runs when the file is opened, while data files may contain scripts or code that can be executed through buffer overflow exploits or by hijacking entry points. In Windows, applications run in a restricted mode while the operating system kernel runs in a privileged mode, but viruses can access system resources through Windows API calls. Updates, antivirus software, and care regarding untrusted files can help prevent infection.

TecnologíaEntretenimiento y humor
1 de 13
File Inflection Techniques
Introduction * In this presentation I'm going to discuss about file inflection techniques that are being used by the computer viruses and virus writers. * A computer virus just simply a executable mobil code.But the problem is it can't stand alone it should find a host and inflect it. * One good host to a computer virus is a computer file. It can be a data file or a executable file. * no matter data files or executable files the , almost all files can be inflected with a virus. * After all file inflection is just only a one mechanism that virus writers are using. There are tons of other techiniques that are being exploited by virus writers. The naked truth about computing is whatever the computer operating system you using ,what security it provides , what AV/Scanners you installed , no matter how much you be careful ,almost every computer environment is a hostile environment.
Data Files vs Executable Files Executable files are the files contain executable code , or contain srcipts/macros or contain byte code for a virtual machine. * examples for a raw executable files are , linux elf executable , windows win32 and win64 executable or mac os executable. * examples for scripts are , javascript, vb scripts , linux bash scripts , etc etc. * Java and .Net is a good example for a byte code executables. Data files, * DAT , Digitial Audio tape. * Image formats like jpeg, png, bmp etc. * Microsoft office formats like .xls microsoft world , power point (ppt) , etc etc. Conclusion: If the data file only contain data streams how a virus could reside inside it? [answer] first of all, data files are not just contain just a simple data streams. A binary file Open with a for a example , JPEG format have some simple segment of javascript code. and microsoft excel have executable macros embedded capability. hex editor program. Even if it's simply contain a raw data structure , still a computer virus can reside inside it. * there are techniques like buffer-overflows which will exploits it's target software system and can be forced to execute the binary code that came as a data stream. [ I'm not going to discuss what's a buffer overflow exploit here, but I do in my next presentation]. * so don't just skip data files when you doing a scan for viruses with your virus scanner.
Windows Executable Files and Windows Architecture. Before Windows: Before windows there is a open system called Dos, where all the code was ran in real mode and have no security and any wild executable file can do anything to your computer. In this time we had DOS viruses. Dos viruses are just simple because the virus writer don't need t deal how to bypass security of a operating system. In Windows: Windows running on protected mode but still a creates a more hostile environment than the older dos. Inside windows a hostile executable code can't access the privilege mode in a microprocessor , so it can't access to the devices directly. But windows provides something called "Win32 API" ,and calling that API it's sufficient for a computer virus to survive inside windows and also do a damage to the computer.
Ring0 vs Ring3 • Alost all modern moden microprocessor provides at least two modes of privileges when executing instructions. • Intel x86 supports four modes. They are ring0,ring1 , ring2 and ring3. Where ring0 is the most privileged mode and ring3 is the least privilege mode. Ring3 ring0 is completely a • But microsoft windows operating system only hardware security mechanism. uses two modes, ring0 and ring3. Ring0 is also known as “kernel mode” and operating system kernel is running in that mode. • When you are in ring0 you can use privileged instructions like outp inp , and read/write any memory location or interrupt the processor. • Application Programs like Microsoft Excel, World ,notepad are running in the mode ring3.
Executable File Inflection Techniques • In Windows platform a executable file ends with the suffix “.exe” and in Linux they have no extension. Linux uses elf32 executable format and windows uses win32 PE and PE+ executable file formats. • Executable file is nothing more than a big data-structure which have following. * header. * sections In a typical executable file there are following sections. text[executable code] data [global variables and statistically initialized data] bss [dynamically initialized data] stack [defines the hardware stack for the executable] There is a entry point in the text section. It’s where your operating systems starts executing after it loads data and text sessions into memory and bss and stack have been initialized. So a virus code have to insert it’s code to the text section , in other words it have to alter to the text section of a particular executable file. There are other methods too., for a example inserting a new text session is also possible. Following are some different techniques that virus writers are using . * Overwriting Viruses. * Append last to the text section. * Viruses that inject it’s code to the padded aligned spaces between segments. * Random Inflection. * Viruses that hijack Entry points. * and many more unspecified wild techniques are used among the virus writer underground communities. An example Executable virus source code: By M S D Perera
left picture is photo courtesy of http://www.thehackademy.net/madchat/vxdevl/papers/winsys/pefile/pefile.htm
Shows the ‘MZ’ and ‘PE’ header signatures in a particular executable file
Windows Dynamic Link Libraries as it name says it's a dynamic library. Where it can be loaded at the runtime when it's necessary. Win32 API calls are implemented as set of dynamic link libraries. You can see your dynamic link libraries with .dll extension in your C:windowssystem32 folder. For a example kernel32.dll provides basic process creation , initialization ,scheduling , security and termination facilities. It provides api's like CreateProcess() , ExitProcess() , etc etc. The code in the DLL file also lives in the ring3 [ restricted executable mode] and it will transfer it's control to the ring0 [priviledged mode] by a software interrupt.calling the 'int 02' instruction. So , no way a windows executable can directly access to the computer's resources. But it can access through windows win32 api. So which means a virus code also can access them, so nothing prevents virus writer writing a workable virus in Windows environment , again no environment is secure.
Dependency walker – a software that can be used to track and walk trough what executable depend on what dll’s and they again recusively depend on another dll’s. Photo courtecy of http://www.brothersoft.com/dependency-walker-11721.html
Limitations of Windows Viruses If a windows virus need to do a damage to computer hardware it's not easy. It should somehow access to ring ring0 executable mode. Or exploit a predefined service or use some other complex techniques. .For a example. * ex - http://technet.microsoft.com/en-us/security/advisory/935423 [microsoft windows Animate cursor ring0 exploit] ^- there you can't find enough information about "how to exploit it" in Microsoft web site. Because they want to cover their Operating system. If you interested you can go to the following link: use it for Educational/research purposes only , don't exploit it to make a real computer viruses. http://www.exploit-db.com/exploits/3636/ - exploit-db.com contains dozens of resources for a computer virology researcher. In windows 7 you have a option called "Run as Admin" where it will give that executable all the privileges , when you need to install some software you need to chose that option.
Metasploit software – photo courtecy of http://blog.c22.cc/2011/01/09/metasploit-sap- management-console-aux-modules/
Finally The internet outside your computer is a wild place , computer viruses can't do magic but all the things and techniques that I above mentioned are technically possible and have been used by computer virus writers. Even a simple mid level computer virus can't damage your computer hardware it could do a big damage to your data stored, personal life, steal credit card pin numbers, sent punk messages to your friends, etc etc. Computer viruses can't think but those things are technically very possible and complex, but complex is not a problem for a evil genius mind. So, * Keep your virus guard up-to-date. Everyday there around 100 new viruses are released in the world. So you need to update it everyday, every hour , every minute as soon as possible. * Keep upto date your operating systems , software ,so your operating system vendor can fix the holes in your operating system. * Do not execute executable files in "Run As Admin" mode where you don't trust. Check for the author of the software. And their signature. * Keep touch with the security advisory , ex- http://www.securityfocus.com/ * Almost all file can contain a virus, so don't assume it's a JPG and how it could contain a virus ? it do. Seriously not joking. And In my next presentation I'm going to discuss about buffer overflow attacks and how they can be used in wild by the virus writers. Thank you Listening.

Recomendados

Talk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomwareTalk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomwareshubaira
 
Fileless Malware Infections
Fileless Malware InfectionsFileless Malware Infections
Fileless Malware InfectionsRamon
 
SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012Rian Yulian
 
Computer Viruses
Computer VirusesComputer Viruses
Computer VirusesMikaPriya
 
Catching fileless attacks
Catching fileless attacksCatching fileless attacks
Catching fileless attacksBalaji Rajasekaran
 
Virus&malware
Virus&malwareVirus&malware
Virus&malwareRobin Garza
 
News bytes Oct-2011
News bytes Oct-2011News bytes Oct-2011
News bytes Oct-2011Ashwin Patil, GCIH, GCIA, GCFE
 
Introduction to Malware Detection and Reverse Engineering
Introduction to Malware Detection and Reverse EngineeringIntroduction to Malware Detection and Reverse Engineering
Introduction to Malware Detection and Reverse Engineeringintertelinvestigations
 

Recomendados

Talk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomwareTalk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomwareshubaira
 
Fileless Malware Infections
Fileless Malware InfectionsFileless Malware Infections
Fileless Malware InfectionsRamon
 
SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012Rian Yulian
 
Computer Viruses
Computer VirusesComputer Viruses
Computer VirusesMikaPriya
 
Catching fileless attacks
Catching fileless attacksCatching fileless attacks
Catching fileless attacksBalaji Rajasekaran
 
Virus&malware
Virus&malwareVirus&malware
Virus&malwareRobin Garza
 
News bytes Oct-2011
News bytes Oct-2011News bytes Oct-2011
News bytes Oct-2011Ashwin Patil, GCIH, GCIA, GCFE
 
Introduction to Malware Detection and Reverse Engineering
Introduction to Malware Detection and Reverse EngineeringIntroduction to Malware Detection and Reverse Engineering
Introduction to Malware Detection and Reverse Engineeringintertelinvestigations
 
08000182
0800018208000182
08000182Chathuranga Disanayaka
 
It planet gigabyte gr 7 textbook
It planet gigabyte gr 7 textbookIt planet gigabyte gr 7 textbook
It planet gigabyte gr 7 textbookNityant Singhal
 
Metasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With MetasploitMetasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With MetasploitAnurag Srivastava
 
Attack of the clones
Attack of the clonesAttack of the clones
Attack of the clonesUltraUploader
 
Malware analysis
Malware analysisMalware analysis
Malware analysisxabean
 
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable codenullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable coden|u - The Open Security Community
 
WhitePaper : Security issues in android custom rom
WhitePaper : Security issues in android custom romWhitePaper : Security issues in android custom rom
WhitePaper : Security issues in android custom romAnant Shrivastava
 
Ascomputervirus
AscomputervirusAscomputervirus
AscomputervirusKavin Karikalan
 
Penetration testing using metasploit
Penetration testing using metasploitPenetration testing using metasploit
Penetration testing using metasploitAashish R
 
Unix Security
Unix SecurityUnix Security
Unix Securityreplay21
 
Automated defense from rootkit attacks
Automated defense from rootkit attacksAutomated defense from rootkit attacks
Automated defense from rootkit attacksUltraUploader
 
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionNeel Pathak
 
Basic Linux Security
Basic Linux SecurityBasic Linux Security
Basic Linux Securitypankaj009
 
Windows 7 Security--Windows 7 password reset
Windows 7 Security--Windows 7 password resetWindows 7 Security--Windows 7 password reset
Windows 7 Security--Windows 7 password resetPassreset
 
Worm Propagation Simulation Analysis
Worm Propagation Simulation AnalysisWorm Propagation Simulation Analysis
Worm Propagation Simulation Analysisallengalvan
 
Metasploit
MetasploitMetasploit
Metasploitninguna
 
Compromising windows 8 with metasploit’s exploit
Compromising windows 8 with metasploit’s exploitCompromising windows 8 with metasploit’s exploit
Compromising windows 8 with metasploit’s exploitIOSR Journals
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploitdevilback
 
Virus
VirusVirus
Virusscottishigh
 
File System Implementation & Linux Security
File System Implementation & Linux SecurityFile System Implementation & Linux Security
File System Implementation & Linux SecurityGeo Marian
 
Huerto de la cora
Huerto de la coraHuerto de la cora
Huerto de la corazanbraba
 
Elaboració d’un tema d’història
Elaboració d’un tema d’històriaElaboració d’un tema d’història
Elaboració d’un tema d’històriaVicent Puig i Gascó
 

Más contenido relacionado

La actualidad más candente

It planet gigabyte gr 7 textbook
It planet gigabyte gr 7 textbookIt planet gigabyte gr 7 textbook
It planet gigabyte gr 7 textbookNityant Singhal
 
Metasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With MetasploitMetasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With MetasploitAnurag Srivastava
 
Attack of the clones
Attack of the clonesAttack of the clones
Attack of the clonesUltraUploader
 
Malware analysis
Malware analysisMalware analysis
Malware analysisxabean
 
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable codenullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable coden|u - The Open Security Community
 
WhitePaper : Security issues in android custom rom
WhitePaper : Security issues in android custom romWhitePaper : Security issues in android custom rom
WhitePaper : Security issues in android custom romAnant Shrivastava
 
Penetration testing using metasploit
Penetration testing using metasploitPenetration testing using metasploit
Penetration testing using metasploitAashish R
 
Unix Security
Unix SecurityUnix Security
Unix Securityreplay21
 
Automated defense from rootkit attacks
Automated defense from rootkit attacksAutomated defense from rootkit attacks
Automated defense from rootkit attacksUltraUploader
 
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionNeel Pathak
 
Basic Linux Security
Basic Linux SecurityBasic Linux Security
Basic Linux Securitypankaj009
 
Windows 7 Security--Windows 7 password reset
Windows 7 Security--Windows 7 password resetWindows 7 Security--Windows 7 password reset
Windows 7 Security--Windows 7 password resetPassreset
 
Worm Propagation Simulation Analysis
Worm Propagation Simulation AnalysisWorm Propagation Simulation Analysis
Worm Propagation Simulation Analysisallengalvan
 
Metasploit
MetasploitMetasploit
Metasploitninguna
 
Compromising windows 8 with metasploit’s exploit
Compromising windows 8 with metasploit’s exploitCompromising windows 8 with metasploit’s exploit
Compromising windows 8 with metasploit’s exploitIOSR Journals
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploitdevilback
 
File System Implementation & Linux Security
File System Implementation & Linux SecurityFile System Implementation & Linux Security
File System Implementation & Linux SecurityGeo Marian
 

La actualidad más candente (20)

08000182
0800018208000182
08000182
 
It planet gigabyte gr 7 textbook
It planet gigabyte gr 7 textbookIt planet gigabyte gr 7 textbook
It planet gigabyte gr 7 textbook
 
Metasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With MetasploitMetasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With Metasploit
 
Attack of the clones
Attack of the clonesAttack of the clones
Attack of the clones
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable codenullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
 
WhitePaper : Security issues in android custom rom
WhitePaper : Security issues in android custom romWhitePaper : Security issues in android custom rom
WhitePaper : Security issues in android custom rom
 
Ascomputervirus
AscomputervirusAscomputervirus
Ascomputervirus
 
Penetration testing using metasploit
Penetration testing using metasploitPenetration testing using metasploit
Penetration testing using metasploit
 
Unix Security
Unix SecurityUnix Security
Unix Security
 
Automated defense from rootkit attacks
Automated defense from rootkit attacksAutomated defense from rootkit attacks
Automated defense from rootkit attacks
 
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
 
Basic Linux Security
Basic Linux SecurityBasic Linux Security
Basic Linux Security
 
Windows 7 Security--Windows 7 password reset
Windows 7 Security--Windows 7 password resetWindows 7 Security--Windows 7 password reset
Windows 7 Security--Windows 7 password reset
 
Worm Propagation Simulation Analysis
Worm Propagation Simulation AnalysisWorm Propagation Simulation Analysis
Worm Propagation Simulation Analysis
 
Metasploit
MetasploitMetasploit
Metasploit
 
Compromising windows 8 with metasploit’s exploit
Compromising windows 8 with metasploit’s exploitCompromising windows 8 with metasploit’s exploit
Compromising windows 8 with metasploit’s exploit
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploit
 
Virus
VirusVirus
Virus
 
File System Implementation & Linux Security
File System Implementation & Linux SecurityFile System Implementation & Linux Security
File System Implementation & Linux Security
 

Destacado

Huerto de la cora
Huerto de la coraHuerto de la cora
Huerto de la corazanbraba
 
Elaboració d’un tema d’història
Elaboració d’un tema d’històriaElaboració d’un tema d’història
Elaboració d’un tema d’històriaVicent Puig i Gascó
 
Monalisa III - Leonardo da Vinci
Monalisa III - Leonardo da VinciMonalisa III - Leonardo da Vinci
Monalisa III - Leonardo da VinciMilasan
 
Fontys Hogeschool Eindhoven Lezing
Fontys Hogeschool Eindhoven LezingFontys Hogeschool Eindhoven Lezing
Fontys Hogeschool Eindhoven LezingKees Romkes
 

Destacado (6)

Huerto de la cora
Huerto de la coraHuerto de la cora
Huerto de la cora
 
Elaboració d’un tema d’història
Elaboració d’un tema d’històriaElaboració d’un tema d’història
Elaboració d’un tema d’història
 
Monalisa III - Leonardo da Vinci
Monalisa III - Leonardo da VinciMonalisa III - Leonardo da Vinci
Monalisa III - Leonardo da Vinci
 
Fontys Hogeschool Eindhoven Lezing
Fontys Hogeschool Eindhoven LezingFontys Hogeschool Eindhoven Lezing
Fontys Hogeschool Eindhoven Lezing
 
Bar attendant
Bar attendantBar attendant
Bar attendant
 
Test - Slideshare
Test - SlideshareTest - Slideshare
Test - Slideshare
 

Similar a File inflection techniques

Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryonePaul Melson
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityMario Heiderich
 
Modern computer virology
Modern computer virologyModern computer virology
Modern computer virologySandun Perera
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxLab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxpauline234567
 
computerviruses-171008143158.ppt
computerviruses-171008143158.pptcomputerviruses-171008143158.ppt
computerviruses-171008143158.pptssuser342286
 
Crisis. advanced malware
Crisis. advanced malwareCrisis. advanced malware
Crisis. advanced malwareYury Chemerkin
 
Computer assignment on virus and memory and printer
Computer assignment on virus and memory and printerComputer assignment on virus and memory and printer
Computer assignment on virus and memory and printerShamzayAli
 
From velvet to silk there is still a lot of sweat
From velvet to silk there is still a lot of sweatFrom velvet to silk there is still a lot of sweat
From velvet to silk there is still a lot of sweatStefano Maccaglia
 
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptCHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptManjuAppukuttan2
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primeramiable_indian
 
Addressing New Challenges in Software Protection for .NET
Addressing New Challenges in Software Protection for .NETAddressing New Challenges in Software Protection for .NET
Addressing New Challenges in Software Protection for .NETLicensingLive! - SafeNet
 
Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...
Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...
Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...Alexander Benoit
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityIOSR Journals
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008ClubHack
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008ClubHack
 

Similar a File inflection techniques (20)

Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for Everyone
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT Security
 
Modern computer virology
Modern computer virologyModern computer virology
Modern computer virology
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxLab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
 
computerviruses-171008143158.ppt
computerviruses-171008143158.pptcomputerviruses-171008143158.ppt
computerviruses-171008143158.ppt
 
Crisis. advanced malware
Crisis. advanced malwareCrisis. advanced malware
Crisis. advanced malware
 
Computer viruses
Computer virusesComputer viruses
Computer viruses
 
Computer assignment on virus and memory and printer
Computer assignment on virus and memory and printerComputer assignment on virus and memory and printer
Computer assignment on virus and memory and printer
 
Computer viruses
Computer virusesComputer viruses
Computer viruses
 
From velvet to silk there is still a lot of sweat
From velvet to silk there is still a lot of sweatFrom velvet to silk there is still a lot of sweat
From velvet to silk there is still a lot of sweat
 
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptCHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primer
 
Addressing New Challenges in Software Protection for .NET
Addressing New Challenges in Software Protection for .NETAddressing New Challenges in Software Protection for .NET
Addressing New Challenges in Software Protection for .NET
 
Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...
Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...
Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...
 
Cutting out Malware
Cutting out MalwareCutting out Malware
Cutting out Malware
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utility
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
 
Ch11
Ch11Ch11
Ch11
 

Más de Sandun Perera

0512575 printing request_and_press_resource_management_system_for_udara_type_...
0512575 printing request_and_press_resource_management_system_for_udara_type_...0512575 printing request_and_press_resource_management_system_for_udara_type_...
0512575 printing request_and_press_resource_management_system_for_udara_type_...Sandun Perera
 
Macro expansion techinical_report
Macro expansion techinical_reportMacro expansion techinical_report
Macro expansion techinical_reportSandun Perera
 
Electrical power ecx3232 lab report
Electrical power ecx3232 lab reportElectrical power ecx3232 lab report
Electrical power ecx3232 lab reportSandun Perera
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksSandun Perera
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksSandun Perera
 

Más de Sandun Perera (6)

0512575 printing request_and_press_resource_management_system_for_udara_type_...
0512575 printing request_and_press_resource_management_system_for_udara_type_...0512575 printing request_and_press_resource_management_system_for_udara_type_...
0512575 printing request_and_press_resource_management_system_for_udara_type_...
 
Macro expansion techinical_report
Macro expansion techinical_reportMacro expansion techinical_report
Macro expansion techinical_report
 
Electrical power ecx3232 lab report
Electrical power ecx3232 lab reportElectrical power ecx3232 lab report
Electrical power ecx3232 lab report
 
Buffer overflows
Buffer overflowsBuffer overflows
Buffer overflows
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 

Último

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 

Último (20)

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

File inflection techniques

  • 2. Introduction * In this presentation I'm going to discuss about file inflection techniques that are being used by the computer viruses and virus writers. * A computer virus just simply a executable mobil code.But the problem is it can't stand alone it should find a host and inflect it. * One good host to a computer virus is a computer file. It can be a data file or a executable file. * no matter data files or executable files the , almost all files can be inflected with a virus. * After all file inflection is just only a one mechanism that virus writers are using. There are tons of other techiniques that are being exploited by virus writers. The naked truth about computing is whatever the computer operating system you using ,what security it provides , what AV/Scanners you installed , no matter how much you be careful ,almost every computer environment is a hostile environment.
  • 3. Data Files vs Executable Files Executable files are the files contain executable code , or contain srcipts/macros or contain byte code for a virtual machine. * examples for a raw executable files are , linux elf executable , windows win32 and win64 executable or mac os executable. * examples for scripts are , javascript, vb scripts , linux bash scripts , etc etc. * Java and .Net is a good example for a byte code executables. Data files, * DAT , Digitial Audio tape. * Image formats like jpeg, png, bmp etc. * Microsoft office formats like .xls microsoft world , power point (ppt) , etc etc. Conclusion: If the data file only contain data streams how a virus could reside inside it? [answer] first of all, data files are not just contain just a simple data streams. A binary file Open with a for a example , JPEG format have some simple segment of javascript code. and microsoft excel have executable macros embedded capability. hex editor program. Even if it's simply contain a raw data structure , still a computer virus can reside inside it. * there are techniques like buffer-overflows which will exploits it's target software system and can be forced to execute the binary code that came as a data stream. [ I'm not going to discuss what's a buffer overflow exploit here, but I do in my next presentation]. * so don't just skip data files when you doing a scan for viruses with your virus scanner.
  • 4. Windows Executable Files and Windows Architecture. Before Windows: Before windows there is a open system called Dos, where all the code was ran in real mode and have no security and any wild executable file can do anything to your computer. In this time we had DOS viruses. Dos viruses are just simple because the virus writer don't need t deal how to bypass security of a operating system. In Windows: Windows running on protected mode but still a creates a more hostile environment than the older dos. Inside windows a hostile executable code can't access the privilege mode in a microprocessor , so it can't access to the devices directly. But windows provides something called "Win32 API" ,and calling that API it's sufficient for a computer virus to survive inside windows and also do a damage to the computer.
  • 5. Ring0 vs Ring3 • Alost all modern moden microprocessor provides at least two modes of privileges when executing instructions. • Intel x86 supports four modes. They are ring0,ring1 , ring2 and ring3. Where ring0 is the most privileged mode and ring3 is the least privilege mode. Ring3 ring0 is completely a • But microsoft windows operating system only hardware security mechanism. uses two modes, ring0 and ring3. Ring0 is also known as “kernel mode” and operating system kernel is running in that mode. • When you are in ring0 you can use privileged instructions like outp inp , and read/write any memory location or interrupt the processor. • Application Programs like Microsoft Excel, World ,notepad are running in the mode ring3.
  • 6. Executable File Inflection Techniques • In Windows platform a executable file ends with the suffix “.exe” and in Linux they have no extension. Linux uses elf32 executable format and windows uses win32 PE and PE+ executable file formats. • Executable file is nothing more than a big data-structure which have following. * header. * sections In a typical executable file there are following sections. text[executable code] data [global variables and statistically initialized data] bss [dynamically initialized data] stack [defines the hardware stack for the executable] There is a entry point in the text section. It’s where your operating systems starts executing after it loads data and text sessions into memory and bss and stack have been initialized. So a virus code have to insert it’s code to the text section , in other words it have to alter to the text section of a particular executable file. There are other methods too., for a example inserting a new text session is also possible. Following are some different techniques that virus writers are using . * Overwriting Viruses. * Append last to the text section. * Viruses that inject it’s code to the padded aligned spaces between segments. * Random Inflection. * Viruses that hijack Entry points. * and many more unspecified wild techniques are used among the virus writer underground communities. An example Executable virus source code: By M S D Perera
  • 7. left picture is photo courtesy of http://www.thehackademy.net/madchat/vxdevl/papers/winsys/pefile/pefile.htm
  • 8. Shows the ‘MZ’ and ‘PE’ header signatures in a particular executable file
  • 9. Windows Dynamic Link Libraries as it name says it's a dynamic library. Where it can be loaded at the runtime when it's necessary. Win32 API calls are implemented as set of dynamic link libraries. You can see your dynamic link libraries with .dll extension in your C:windowssystem32 folder. For a example kernel32.dll provides basic process creation , initialization ,scheduling , security and termination facilities. It provides api's like CreateProcess() , ExitProcess() , etc etc. The code in the DLL file also lives in the ring3 [ restricted executable mode] and it will transfer it's control to the ring0 [priviledged mode] by a software interrupt.calling the 'int 02' instruction. So , no way a windows executable can directly access to the computer's resources. But it can access through windows win32 api. So which means a virus code also can access them, so nothing prevents virus writer writing a workable virus in Windows environment , again no environment is secure.
  • 10. Dependency walker – a software that can be used to track and walk trough what executable depend on what dll’s and they again recusively depend on another dll’s. Photo courtecy of http://www.brothersoft.com/dependency-walker-11721.html
  • 11. Limitations of Windows Viruses If a windows virus need to do a damage to computer hardware it's not easy. It should somehow access to ring ring0 executable mode. Or exploit a predefined service or use some other complex techniques. .For a example. * ex - http://technet.microsoft.com/en-us/security/advisory/935423 [microsoft windows Animate cursor ring0 exploit] ^- there you can't find enough information about "how to exploit it" in Microsoft web site. Because they want to cover their Operating system. If you interested you can go to the following link: use it for Educational/research purposes only , don't exploit it to make a real computer viruses. http://www.exploit-db.com/exploits/3636/ - exploit-db.com contains dozens of resources for a computer virology researcher. In windows 7 you have a option called "Run as Admin" where it will give that executable all the privileges , when you need to install some software you need to chose that option.
  • 12. Metasploit software – photo courtecy of http://blog.c22.cc/2011/01/09/metasploit-sap- management-console-aux-modules/
  • 13. Finally The internet outside your computer is a wild place , computer viruses can't do magic but all the things and techniques that I above mentioned are technically possible and have been used by computer virus writers. Even a simple mid level computer virus can't damage your computer hardware it could do a big damage to your data stored, personal life, steal credit card pin numbers, sent punk messages to your friends, etc etc. Computer viruses can't think but those things are technically very possible and complex, but complex is not a problem for a evil genius mind. So, * Keep your virus guard up-to-date. Everyday there around 100 new viruses are released in the world. So you need to update it everyday, every hour , every minute as soon as possible. * Keep upto date your operating systems , software ,so your operating system vendor can fix the holes in your operating system. * Do not execute executable files in "Run As Admin" mode where you don't trust. Check for the author of the software. And their signature. * Keep touch with the security advisory , ex- http://www.securityfocus.com/ * Almost all file can contain a virus, so don't assume it's a JPG and how it could contain a virus ? it do. Seriously not joking. And In my next presentation I'm going to discuss about buffer overflow attacks and how they can be used in wild by the virus writers. Thank you Listening.