Chapter 1: An Overview of Malicious Code
Characteristics of malicious code:
Purposeful, transmissible, and destructive
Types of malicious code:
- Common computer viruses
- Worms
- Trojan horses
  A complete Trojan horse system consists of a hardware part, a software part, and a connection part
- Rootkits
  A typical rootkit includes the following:
  network sniffers, Trojan horse programs, tools that hide the attacker's directories and processes, and log-cleaning tools
- Rogue software
- Spyware: software installed on a computer without the user's knowledge that transmits information about the user's computer activity over the Internet
- Adware (malicious advertising)
- Logic bombs
- Backdoors
- Botnets
- Phishing
- Malicious scripts
- Spam
- Ransomware
- Mobile terminal malicious code
Malicious code transmission routes:
Floppy disks, optical discs, hard disks, the Internet, wireless communication systems
Malicious code naming rule:
PlatformName.FamilyName.GroupName.VariantNumber
Recent trends in malicious code:
- Network-borne propagation
- Specialization
- Simplification (malicious code is easier to produce)
- Diversification
- Automation (bot-driven)
- Criminalization
Chapter 2: Malicious code models and mechanisms
Computer models:
Random Access Machine (RAM) model: e.g. ENIAC (February 14, 1946). The program is not held in the machine's memory and cannot modify itself, so a virus cannot infect such a machine.
Random Access Stored Program Machine (RASPM): has all the features of the RAM, but the program is stored in memory and can modify itself, so indirect addressing is no longer required.
RASPM model with attached background storage (RASPM_ABS):
A RASPM with background (external) storage
Internet worm propagation models:
SIS, SI and SIR are three models commonly used for infectious disease transmission, where S denotes the susceptible, I the infected, and R the removed:
- SI model: an early, simple model in which susceptible hosts can be infected and infected hosts never recover, so eventually every host is infected. The total population is assumed constant (no migration, births or deaths).
- SIS model: susceptible hosts can be infected, and infected hosts can recover and become susceptible again, so the infected fraction settles at an equilibrium level (or dies out if recovery outpaces infection) rather than reaching everyone. The total population is again assumed constant.
- SIR model: the classic model. Susceptible hosts can be infected, infected hosts recover and become removed (patched or immunized), and removed hosts cannot be reinfected, so the epidemic eventually dies out. The total population is again assumed constant.
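As an added illustration (this code is not part of the original notes or of the cited textbook), the following Python integrates the three models with a discrete-time (Euler) step. The host count N, the infection rate beta and the recovery rate gamma are constructed values chosen for the example; S, I and R carry the meanings defined above, and the population is kept constant as each model assumes.

```python
def simulate(model, n_hosts, i0, beta, gamma=0.0, steps=2000, dt=0.1):
    """Discrete-time (Euler) integration of SI / SIS / SIR worm propagation.

    model   : "SI", "SIS" or "SIR"
    n_hosts : total population N (constant, as in all three models)
    i0      : initially infected hosts
    beta    : infection rate; new infections per step = beta * S * I / N * dt
    gamma   : recovery rate (ignored for SI); recovered hosts return to S in
              SIS and go to R (patched, immune) in SIR
    Returns a list of (S, I, R) tuples, one per step; R stays 0 for SI/SIS.
    """
    s, i, r = float(n_hosts - i0), float(i0), 0.0
    history = [(s, i, r)]
    for _ in range(steps):
        new_inf = min(beta * s * i / n_hosts * dt, s)   # cannot infect more than S
        recovered = min(gamma * i * dt, i) if model != "SI" else 0.0
        if model == "SI":
            s, i = s - new_inf, i + new_inf
        elif model == "SIS":
            s, i = s - new_inf + recovered, i + new_inf - recovered
        elif model == "SIR":
            s, i, r = s - new_inf, i + new_inf - recovered, r + recovered
        else:
            raise ValueError("unknown model: " + model)
        history.append((s, i, r))
    return history


def peak_infected(history):
    """(step, I) at which the infected population was largest."""
    step = max(range(len(history)), key=lambda k: history[k][1])
    return step, history[step][1]


def sis_endemic_level(n_hosts, beta, gamma):
    """Closed-form SIS equilibrium: I* = N * (1 - gamma/beta) if beta > gamma, else 0."""
    return n_hosts * max(0.0, 1.0 - gamma / beta)


if __name__ == "__main__":
    N = 1000   # constructed population for the example
    for name, g in (("SI", 0.0), ("SIS", 0.5), ("SIR", 0.5)):
        hist = simulate(name, N, i0=1, beta=1.0, gamma=g)
        s, i, r = hist[-1]
        print(f"{name}: final S={s:.1f} I={i:.1f} R={r:.1f}, "
              f"peak I={peak_infected(hist)[1]:.1f}")
```

With beta = 1.0 and gamma = 0.5 the SI run ends with every host infected, the SIS run settles at the endemic level N(1 - gamma/beta) = 500, and the SIR run burns out leaving part of the population never infected; the peak of I in the SIR run is the moment a network operator has the least time to react.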
Theoretical models of malicious code prevention:
Fred Cohen's "four models":
- Basic isolation model
- Partition model
- Flow model
- Limited interpretation model
Traditional computer virus structure and mechanism:
Execution sequence: relocation -> get API addresses -> infect files -> return to the host program
Main modules of a computer virus:
- Boot module (stays resident in memory, seizes control of the system, and restores system functions)
- Infection module
- Damage (payload) module
- Trigger module
Boot sector viruses:
A boot sector virus first infects the boot sector of a floppy disk, then spreads to the hard disk and infects its Master Boot Record (MBR). Once the MBR is infected, the virus attempts to infect the boot sector of every floppy placed in the drive. Because the virus hides in the first sector of the disk, it is loaded into memory before the system files, which gives it full control of the operating system.
Chapter 3: Traditional computer viruses
16-bit executable viruses:
COM format (at most 64 KB; an absolute binary image of a 16-bit program with no relocation information, so no relocation is needed)
MZ format (evolved from COM; contains 16-bit code and a file header that records the entry point, stack location, relocation table, etc.; relocation is needed)
NE format (introduced with Windows 3.x; keeps the MZ header and adds an NE header; used for EXE, DLL, DRV, FON and similar files; supports runtime dynamic linking)
32-bit executable viruses:
PE format (Portable Executable); the virus runs as: relocation -> get API addresses -> infect files -> return to the host program
Macro viruses:
Infect only document files, including:
Microsoft: Word, Excel, Access, PowerPoint, Project, Visio
Lotus: AmiPro
Others: AutoCAD, CorelDRAW, and PDF
Word macro viruses:
Self-replicate and spread through DOC documents and DOT templates
Macro virus features:
- Spread very fast
- Easy to write, with many variants
- Great potential for damage
- Cross-platform infection
- Regional issues
- Version issues
Typical macro viruses:
Melissa
Taiwan NO.1B
O97M.Tristate.C
ILOVEYOU
Macro.Word97.Thus
Macro.Word97.Marker
Nuclear
Chapter 4: Linux malicious code techniques
The first Linux malicious code: Bliss (February 1997)
The first virus to cross the Windows and Linux platforms: W32.Winux (aka W32.Lindose or W32.PEElf.2132)
Classification of Linux malicious code:
- Malicious shell scripts
- Worms
- Malicious code based on spoofed library functions
- Cross-platform malicious code
Malicious shell scripts:
A simple malicious shell script (self-replicating; the comments describe each line):
for file in ./infect/*     # traverse the files in the target directory
do
    cp "$0" "$file"        # overwrite each file with a copy of this script (self-duplication)
done
ELF file format:
The Executable and Linkable Format (ELF) was developed by UNIX System Laboratories as an application binary interface.
ELF file infection principles:
- Infection methods that do not depend on the ELF format
  - Overwriting infection
    The virus overwrites part of the host program with its own code, so the length of the infected file does not change. The overwritten code cannot be recovered, so the virus cannot be removed safely: the host file is damaged and cannot be restored after disinfection.
  - Appending infection
    Unlike overwriting infection, the virus body is appended to the host file (or the host is placed after the virus body); nothing in the host is overwritten, and control returns to the host after the virus code has run.
- Infection methods that use the ELF format
  - Filling the padding after the text segment
  - Inserting after the data segment
  - Inserting before the text segment
  - Using the alignment padding between functions
  - Using the NOTE segment or extending the .note section
- Advanced infection techniques
  - LKM infection
    LKM stands for Loadable Kernel Module, a mechanism that lets code be inserted into or removed from the running Linux kernel. With LKMs, new functionality can be added and the system modified dynamically without recompiling the kernel. LKMs are used for driver development, system debugging and security protection, but because they can modify the kernel at runtime they are also used by attackers to build malware such as rootkits.
  - PLT/GOT hijacking
    PLT/GOT hijacking modifies the program's Global Offset Table (GOT) and Procedure Linkage Table (PLT) so that calls to library functions are redirected to attacker-controlled code, hijacking the program's control flow at runtime. The technique is common in binary exploitation, privilege escalation and malicious code injection.
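The "padding after the text segment" method above works because the loader maps segments in whole pages, so the bytes between the end of the text segment and the next page boundary are free for an infector, and redirecting e_entry into that slack (or into the data segment) is how it gets control. The following Python, added here as an example and not taken from the notes or the textbook, parses the ELF64 header and program headers with the standard `struct` module, measures that slack, and flags an entry point that does not land in an executable, non-writable segment. The sample image it checks is constructed in `build_sample_elf` (two hand-packed PT_LOAD headers, no real code); the addresses, sizes and flag values are assumptions for the example.

```python
import struct

# ELF64 constants (System V ABI); only what the checks below need
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4
PAGE = 0x1000
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # little-endian ELF64 header, 64 bytes
PHDR_FMT = "<IIQQQQQQ"          # ELF64 program header, 56 bytes


def parse_elf64(blob):
    """Return (e_entry, segments) for a little-endian ELF64 image.
    Each segment is a dict describing one PT_LOAD program header."""
    if blob[:4] != ELF_MAGIC or blob[4] != ELFCLASS64:
        raise ValueError("not a 64-bit ELF image")
    fields = struct.unpack_from(EHDR_FMT, blob, 0)
    e_entry, e_phoff, e_phentsize, e_phnum = fields[4], fields[5], fields[9], fields[10]
    segments = []
    for k in range(e_phnum):
        p_type, p_flags, p_offset, p_vaddr, _, p_filesz, p_memsz, _ = \
            struct.unpack_from(PHDR_FMT, blob, e_phoff + k * e_phentsize)
        if p_type == PT_LOAD:
            segments.append(dict(offset=p_offset, vaddr=p_vaddr,
                                 filesz=p_filesz, memsz=p_memsz, flags=p_flags))
    return e_entry, segments


def text_padding(segments):
    """Bytes of page-alignment slack after the executable PT_LOAD segment:
    the room a 'fill the padding after the text segment' infector can use
    without changing the file length."""
    for seg in segments:
        if seg["flags"] & PF_X:
            return (-(seg["vaddr"] + seg["filesz"])) % PAGE
    return 0


def suspicious_entry(entry, segments):
    """True if e_entry is not inside an executable, non-writable PT_LOAD.
    Compiler output always enters the text segment; an entry point in the
    data segment, in the page slack, or outside every segment is a classic
    sign that an infector redirected execution to its own body."""
    for seg in segments:
        lo, hi = seg["vaddr"], seg["vaddr"] + seg["memsz"]
        if lo <= entry < hi:
            executable = bool(seg["flags"] & PF_X)
            writable = bool(seg["flags"] & PF_W)
            return (not executable) or writable
    return True


def build_sample_elf(entry):
    """Constructed minimal ELF64 image (hand-packed headers, no real code):
    text segment: file offset 0, vaddr 0x400000, 0x200 bytes, R+X
    data segment: file offset 0x1000, vaddr 0x601000, 0x100 bytes, R+W"""
    ident = b"\x7fELF" + bytes([ELFCLASS64, 1, 1]) + b"\x00" * 9
    ehdr = struct.pack(EHDR_FMT, ident, 2, 0x3E, 1, entry, 64, 0, 0,
                       64, 56, 2, 0, 0, 0)
    text = struct.pack(PHDR_FMT, PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000,
                       0x200, 0x200, PAGE)
    data = struct.pack(PHDR_FMT, PT_LOAD, PF_R | PF_W, 0x1000, 0x601000,
                       0x601000, 0x100, 0x100, PAGE)
    image = bytearray(ehdr + text + data)
    image += b"\x00" * (0x1100 - len(image))   # pad the file out to the data segment
    return bytes(image)


if __name__ == "__main__":
    for entry in (0x400100, 0x400230, 0x601050):
        e, segs = parse_elf64(build_sample_elf(entry))
        print(hex(e), "slack after text:", text_padding(segs),
              "suspicious entry:", suspicious_entry(e, segs))
```

For the sample image the text segment ends at 0x400200, leaving 0xE00 bytes of slack before the next page. The entry check is only a first filter: an infector that also grows p_filesz/p_memsz to cover its body keeps the entry inside the executable segment, so in practice it is paired with an integrity baseline (a stored hash or a known-good copy) as described under integrity analysis in Chapter 10.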
Chapter 5: Trojan horses (overview)
The Trojan horse is named after the ruse of war in Homer's epics. In information security, a Trojan horse is a program that establishes a connection with a remote computer, allowing the remote computer to control the user's system over the network; it can damage the user's information and the system, and even paralyze it.
Composition of a Trojan horse:
- Hardware part
  - Control end
  - Server end (the victim)
  - Network
- Software part
  - Control-end program
  - Trojan program
  - Trojan configuration program
- Connection part
  - Control-end IP and server-end IP
  - Control-end port and Trojan port
Classic Trojans:
Back Orifice (BO), NetSpy, Picture, NetBus, Asylum, Glacier (冰河), Gray Pigeon (灰鸽子), Internet Thief (网络神偷)
Characteristics of Trojan horses:
- Deceptiveness
- Concealment
- Automatic execution
- Automatic recovery
- Specialized functionality
Classification of Trojan horses:
- Remote control Trojans
- Password-sending Trojans
- Keylogging Trojans
- Destructive Trojans
- FTP Trojans
Similarities and differences between remote control software and Trojan horses:
Both are tools for controlling a computer remotely. Common points: both can control a computer over the network and both can be used for malicious operations on it, such as stealing sensitive information or planting backdoors. Differences: remote control software is usually legitimate and installed through normal channels, whereas a Trojan is spread through vulnerabilities or social engineering; remote control software has clearly defined functions and purposes, whereas a Trojan hides multiple malicious functions; remote control software has identifiable vendors and users, whereas a Trojan can be used by anyone.
Technical development of Trojan horses:
- Cross-platform
- Modular (building-block) design
- Stronger infection methods
- Instant notification (the Trojan reports to its controller when it comes online)
- Stronger and richer functionality
Chapter 5: Trojan horses (key techniques of Trojan programs)
Implantation techniques:
- Commonly used implantation methods
  - Email implantation
  - IM (instant messaging) propagation
  - Download propagation
  - Vulnerability exploitation
  - Network Neighborhood (LAN share) implantation
  - Web implantation
- First execution
  - Disguise as an image file
  - Program bundling deception
  - Z-file
  - Masquerading as an application extension component
- Website drive-by ("挂马") techniques
  - Frame-based drive-by
  - JS-based drive-by
  - Image-disguised drive-by
  - Phishing-site drive-by
  - Disguised drive-by
Self-starting techniques:
- Modifying batch files
  - Autoexec.bat (executed when the system boots)
  - Winstart.bat (executed when the graphical interface starts)
  - Dosstart.bat (executed when entering MS-DOS mode)
- Modifying system configuration files
  - System.ini
  - Win.ini
- Using the AutoPlay function
- Registry Run keys
- File associations
- API hooking
- VxD (virtual device driver)
- Triggered by browsing a web page
- Exploiting Java applets
- Programs the system runs automatically
- Other methods
Hiding techniques:
- Reverse-connection ("rebound") Trojans (e.g. Internet Thief 网络神偷)
- Hiding the connection with ICMP
- Port hiding
- Process hiding under Windows NT
- Remote thread injection
Chapter 6: Malicious code on mobile intelligent terminals
Common smartphone operating systems:
Android, iOS, Windows Phone, Symbian, Linux, webOS, BlackBerry OS
Weaknesses of mobile phone operating systems:
- No discretionary access control (cannot separate the private data of different users)
- No auditing capability
- No ability to control reuse through identity identifiers or authentication
- Data integrity is not protected
- Even where a system is password protected, a malicious user can still obtain someone else's password through debug mode or with a simple tool such as PalmCrypt
- Even with the password lock in place, the mobile operating system still allows new applications to be installed
Key technologies of mobile terminal malicious code:
- Transmission routes
  - Terminal to terminal
  - Terminal to gateway to terminal
  - PC to terminal
- Attack modes
  - SMS attacks
  - Direct attacks on the phone
  - Attacks on the gateway
  - Exploiting vulnerabilities
  - Trojan-type malicious code
- Survival environment of mobile terminal malicious code
  - The system is relatively closed
  - Limited room for writing code
  - Data formats are monotonous
- Vulnerabilities in mobile terminal devices
  - PDU format vulnerabilities
  - Special character vulnerabilities
  - vCard vulnerability
  - The "%String" vulnerability in Siemens phones
  - Android Browser vulnerabilities
Classic mobile terminal malicious code:
Cabir, CopyCat, Judy, the X Undercover (X卧底) series of Trojans, the 白卡吸费魔 fee-deduction Trojan, VBS.Timofonica, Swalmoney, Skulls, Lasco
Prevention of malicious code on mobile terminals:
- Pay attention to call information
- Download from the network with care
- Do not accept strange text messages
- Turn off wireless connections that are not in use
- Follow security information
Chapter 7: Worms
Classification of worms:
- Targeting enterprise users and LANs
  Code Red, Nimda, SQL Slammer (蠕虫王)
- Targeting individual users and the Internet
  Love Bug (ILOVEYOU), Klez (求职信)
Differences between worms and traditional viruses:
- Form of existence: a worm is an independent program; a traditional virus is parasitic in a host file
- Infection mechanism: a worm actively attacks other hosts; a traditional virus runs when its host program runs
- Infection target: a worm infects computers on the network; a traditional virus infects local files
Composition of a worm:
Propagation module: finds the next target computer that meets the infection conditions and copies the worm to it.
Infection module: infects the target computer and copies the worm onto it so that it spreads further.
Control module: lets the worm's author control and operate infected computers remotely.
Payload module: performs the worm's malicious functions, such as stealing sensitive information or planting backdoors.
Characteristics of Stuxnet (震网):
- Clearly defined target
- Advanced techniques
Characteristics of worms:
- Actively attack through vulnerabilities
- Combined with hacking techniques
- Many infection methods
- Spread fast
- Difficult to remove
- Destructive
Classic worms:
Morris worm, Code Red, Nimda, Blaster (冲击波), Sasser (震荡波), Stuxnet (震网), Klez (求职信), Love Letter, Buworm
Chapter 8: Ransomware-type malicious code
Ransomware is malicious software whose purpose is extortion: the attacker hijacks the user's device or data assets and demands money from the user as the condition for releasing them.
Ransomware takes two forms: data encryption and restricted access (locking the device).
Typical ransomware:
WannaCry, Hidden-Tear
WannaCry:
- Worm module
- Exploitation module (the EternalBlue vulnerability in the SMB service, ports 445 and 139)
- Ransom module
Prevention and response strategies:
- Raise security awareness
- Back up important files
- Monitor network traffic
- Network isolation measures
- Update software and install patches
Emergency response: isolate the infected hosts, cut off the transmission route, find the source of the attack, remove the malware and patch the vulnerability
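The worm module of WannaCry announces itself on the wire: one host suddenly opens SMB connections (ports 445 and 139) to many distinct addresses, including Internet addresses that no workstation has business reaching. The "monitor network traffic" item above can be turned into a concrete check; the Python below is an added example, not code from the notes or the textbook, and the connection log it reads is constructed for the example (the addresses, timestamps and the "timestamp src dst dport" line format are assumptions, not a real capture or a real sensor's format).

```python
import re
from collections import defaultdict

# Constructed connection log, one TCP connection attempt per line:
# "timestamp src dst dport". Made up for the example, not a real capture.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.0.5 10.0.0.20 445
2017-05-12T10:00:01 10.0.0.5 10.0.0.21 445
2017-05-12T10:00:01 10.0.0.5 10.0.0.22 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.23 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.24 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.25 139
2017-05-12T10:00:03 10.0.0.5 10.0.0.26 445
2017-05-12T10:00:03 10.0.0.5 198.51.100.7 445
2017-05-12T10:00:04 10.0.0.9 10.0.0.100 445
2017-05-12T10:00:09 10.0.0.9 10.0.0.100 445
2017-05-12T10:00:10 10.0.0.7 93.184.216.34 80
2017-05-12T10:00:11 10.0.0.7 93.184.216.34 443
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\d+)$")
SMB_PORTS = {445, 139}
PRIVATE_RE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")  # RFC 1918


def find_smb_scanners(log_text, min_targets=5):
    """Return {src: sorted distinct SMB targets} for every source that contacted
    at least min_targets distinct hosts on 445/139. An ordinary client talks to a
    handful of file servers; a WannaCry-style worm sweeps its subnet and random
    Internet addresses, so the distinct-target count separates the two."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # tolerate noise in the log
        _ts, src, dst, port = m.groups()
        if int(port) in SMB_PORTS:
            targets[src].add(dst)
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


def external_smb_targets(scanners):
    """Targets outside RFC 1918 space. Outbound SMB to the Internet is almost
    never legitimate; blocking 445/139 at the perimeter is the first isolation
    measure to apply while the infected host is being taken off the network."""
    return {src: [t for t in ts if not PRIVATE_RE.match(t)]
            for src, ts in scanners.items()}


if __name__ == "__main__":
    hits = find_smb_scanners(SAMPLE_LOG)
    ext = external_smb_targets(hits)
    for src, ts in hits.items():
        print(f"{src}: {len(ts)} distinct SMB targets, external: {ext[src]}")
```

On the sample log only 10.0.0.5 is reported: eight distinct SMB targets in three seconds, one of them outside the private range. 10.0.0.9 talks to a single file server repeatedly and is not flagged, which is the behaviour the threshold is meant to preserve. The threshold of five is a starting point; tune it from a baseline of your own network before acting on it automatically.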
Chapter 9: Rogue software, email malicious code, web page malicious code, botnets, rootkits, APT
Features of rogue software:
- Forced installation
- Cannot be uninstalled, or is difficult to uninstall
- Interferes with normal use
- Has the characteristics of malicious code and hacking tools
Propagation modes of email malicious code (exploiting Outlook vulnerabilities):
- As an attachment
- In the mail body itself
- As embedded content
Malicious code in web pages:
- Malicious scripts based on JavaScript
- Malicious scripts based on VBScript
- Malicious scripts based on PHP
- Malicious shell scripts
Typical web page malicious code: Wanhua Valley (万花谷)
Features of botnets:
- Distributed
- Malicious propagation
- One-to-many control
The working process of a botnet generally has three stages: propagation, joining (the bot connects to the command-and-control channel), and control
Botnet propagation means:
Instant messaging software, email malicious code, active exploitation of vulnerabilities, malicious website scripts, Trojan horses
Hazards of botnets:
- DDoS
- Sending spam
- Stealing secrets
- Abuse of resources
Rootkit concept:
A rootkit is a special kind of malicious software whose function is to hide itself and specified files, processes and network connections on the target it is installed on, so that an attacker can secretly spy on sensitive information and plant backdoors on the target computer. Rootkits are characterized by concealment, persistence and advanced functionality: they hide their presence from conventional antivirus software and system tools; they run automatically at system start to ensure persistence; and they can modify the system kernel, tamper with system logs and bypass security protection. Rootkits are generally combined with Trojans, backdoors and other malicious programs to achieve a more hidden and effective attack.
Rootkit composition:
- Network sniffer
- Trojan horse programs
- Programs that hide the attacker's directories and processes
- Log-cleaning tools
- A "fix" tool (makes a replaced binary's timestamp and checksum match the original's) and other tools
Advanced Persistent Threat (APT):
APT attack process:
Stage 1: targeted information collection
Stage 2: single-point breakthrough
Stage 3: building the (command-and-control) channel
Stage 4: lateral movement
Stage 5: actions on the target
Characteristics of APT:
- Advanced
  - Advanced collection means
  - Advanced threat data
  - Advanced attack techniques
- Persistent
  - Continuous latency
  - Continuous attack
  - Continuous deception
  - Continuous control
Chapter 10: Malicious code prevention technologies
Malicious code detection technologies:
- Signature (feature code) scanning
- Heuristic scanning
- Integrity analysis
- Semantics-based detection
- Behavior monitoring and analysis
- Code emulation and analysis
Malicious code detection methods:
- Manual detection
- Automatic detection
Core components of an automatic detection program:
- Signatures (feature codes)
  A signature should not be taken from the malicious code's data area, because the data area changes often.
  The signature must be sufficient to distinguish the malicious code from other malicious code and from its own variants.
  While remaining unique, the signature should be as short as possible to reduce time and space overhead.
  The signature must distinguish the malicious code from normal programs.
- Scan engine
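A minimal scan engine makes the signature rules above concrete, in particular why a signature drawn from the data area fails on the next variant. The Python below is an added example, not code from the notes or the textbook; the two "samples", the "clean" file and both signatures are constructed for the example (the byte patterns are arbitrary and are not signatures of any real malware). The `??` wildcard syntax is the example's own convention.

```python
import re

# Constructed samples: a "virus" whose code bytes are stable across variants
# but whose data area (a banner string) changes between v1 and v2.
CODE_STUB = bytes.fromhex("558bec83ec10e800000000")
SAMPLE_V1 = b"\x90" * 64 + CODE_STUB + b"Hello from sample v1" + b"\x00" * 32
SAMPLE_V2 = b"\x90" * 64 + CODE_STUB + b"Hello from sample v2" + b"\x00" * 32
CLEAN_FILE = b"MZ" + bytes(range(256)) * 2   # ordinary-looking bytes, no stub


def hex_of(data):
    """Render bytes in the signature syntax used below ("48 65 6C ...")."""
    return " ".join(f"{b:02X}" for b in data)


# Signature syntax: hex bytes separated by spaces, "??" = any single byte.
SIGNATURES = {
    "Sample.code": "55 8B EC 83 EC ?? E8",          # taken from the code area
    "Sample.data": hex_of(b"Hello from sample v1"),  # taken from the data area
}


def compile_signature(pattern):
    """Compile a "55 8B ?? E8" style pattern into a bytes regex.
    Fixed bytes are escaped; "??" becomes a single-byte wildcard."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL so "??" matches 0x0A too


def scan(buf, signatures):
    """Return {signature name: offset of first match} for every signature in buf."""
    hits = {}
    for name, pattern in signatures.items():
        m = compile_signature(pattern).search(buf)
        if m:
            hits[name] = m.start()
    return hits


if __name__ == "__main__":
    for label, buf in (("v1", SAMPLE_V1), ("v2", SAMPLE_V2), ("clean", CLEAN_FILE)):
        print(label, scan(buf, SIGNATURES))
```

The code-area signature matches both variants at offset 64; the data-area signature matches only v1, because the banner string changed in v2. Neither fires on the clean file, which is the fourth rule (a signature must not match normal programs) and the one that costs the most to verify, since it has to be checked against a large corpus of legitimate software rather than against a few samples.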
Data backup and recovery:
Storage and backup techniques:
- Full backup
  A complete backup of all files on the system or of all files specified by the user.
- Incremental backup
  Backs up only the data created or modified since the last backup of any kind.
- Differential backup
  Backs up all the data created or modified since the last full backup.
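The difference between incremental and differential backups only shows up when you restore, which is the moment that matters after ransomware: an incremental chain needs the last full backup plus every incremental since it, a differential scheme needs the last full backup plus only the latest differential. The Python below, added here as an example and not part of the notes or the textbook, plans what each backup day captures and which backup sets a restore must replay; the file modification history and both schedules are constructed for the example (days are plain integers, not real timestamps).

```python
# Constructed modification history: path -> days on which the file was written.
SAMPLE_HISTORY = {"a": [0], "b": [0, 2], "c": [1, 3], "d": [3]}

# Two constructed schedules with one full backup on day 0.
INCREMENTAL_SCHEDULE = [(0, "full"), (1, "incremental"), (2, "incremental"), (3, "incremental")]
DIFFERENTIAL_SCHEDULE = [(0, "full"), (1, "differential"), (2, "differential"), (3, "differential")]


def plan_backups(schedule, history):
    """Return {day: sorted files captured on that day}.
    full         -> every file that exists by that day
    incremental  -> files modified after the previous backup of any kind
    differential -> files modified after the previous full backup"""
    last_full = last_any = None
    plan = {}
    for day, kind in schedule:
        if kind == "full":
            ref = None
        elif kind == "incremental":
            ref = last_any
        elif kind == "differential":
            ref = last_full
        else:
            raise ValueError("unknown backup kind: " + kind)
        plan[day] = sorted(
            path for path, mods in history.items()
            if any(m <= day and (ref is None or m > ref) for m in mods))
        last_any = day
        if kind == "full":
            last_full = day
    return plan


def restore_chain(schedule, target_day):
    """Backup days that must be restored, in order, to rebuild the state as of
    target_day: the last full backup plus every incremental since it, or the
    last full backup plus only the latest differential."""
    taken = [(d, k) for d, k in schedule if d <= target_day]
    fulls = [i for i, (_, k) in enumerate(taken) if k == "full"]
    if not fulls:
        raise ValueError("no full backup on or before day %d" % target_day)
    base = fulls[-1]
    chain = [taken[base][0]]
    later = taken[base + 1:]
    if later and later[-1][1] == "differential":
        chain.append(later[-1][0])          # the latest differential contains the rest
    else:
        chain += [d for d, k in later if k == "incremental"]
    return chain


if __name__ == "__main__":
    for name, sched in (("incremental", INCREMENTAL_SCHEDULE),
                        ("differential", DIFFERENTIAL_SCHEDULE)):
        print(name, plan_backups(sched, SAMPLE_HISTORY), "restore day 3 ->",
              restore_chain(sched, 3))
```

With the sample history the differential sets grow each day (day 3 captures b, c and d again) while the incremental sets stay small, but restoring day 3 from the incremental schedule needs all four sets and breaks if any one of them is lost or was itself encrypted; the differential schedule needs two. Either way the sets must live somewhere the infected host cannot write, or the plan is only a description of what the ransomware will encrypt next.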
Chapter 11: Common antivirus software and solutions
Criteria for selecting antivirus software:
- Detection and removal capability
- Ability to defend against new malicious code
- Backup and recovery capability
- Real-time monitoring capability
- Update capability
- Intelligent installation capability
- Simplicity and ease of use
- Resource consumption
- Compatibility
- Price
- Strength of the vendor
Regional nature of malicious code prevention products: it follows from the author's environment, the specific operating system and software environment, targeted attacks and conditional propagation
Chapter 12: Malicious code control strategies
Basic principles of a malicious code control strategy:
- Deny access
- Detectability
- Ability to control propagation
- Ability to remove
- Ability to recover
- Alternative operation (fallback)
National-level prevention and control strategies:
- Improve relevant laws and regulations and their enforcement
- Establish a malicious code early-warning system on every backbone network
- Establish a multi-level malicious code emergency response system
- Establish dynamic, systematic risk assessment measures
- Establish a malicious code incident analysis system
- Develop a complete backup and recovery plan
- Improve the security of domestic operators themselves
- Strengthen information security training
- Strengthen technical preventive measures
Prevention and control strategies for stand-alone users:
- Update the system on a newly purchased computer immediately so that all known security vulnerabilities are fixed
- Use strong passwords
- Install system patches promptly
- Back up important data
- Choose and install security software certified by an authoritative body
- Use a network firewall
- Do not connect to the Internet, or disconnect, when the network is not needed
- Enable the antivirus software's automatic mail scanning function
- Configure malicious code prevention products correctly to make full use of their technical features
- Make full use of the security mechanisms the system provides, configure the system correctly, and reduce malicious code intrusion events
- Check sensitive files regularly to detect infected malicious code and hacking programs in time
Miscellaneous:
The "Cybersecurity Law of the People's Republic of China" took effect on June 1, 2017.
Article 286 of the Criminal Law stipulates that anyone who intentionally creates or spreads a computer virus with serious consequences shall be sentenced to fixed-term imprisonment of not more than five years or criminal detention, and, if the consequences are especially serious, to fixed-term imprisonment of not less than five years.
In the late 1990s, China's Ministry of Public Security released China's earliest antivirus software, Kill 6.0.
Citations:
《Computer Virus and Malicious Code: Principles, Technologies and Prevention》(fourth edition)