types of malware
- needs host program (trap doors, logic bombs, trojan, virus, plugins/extension/scripts)
- independent (worms, botnets, apts - advance persistent threat)
trapdoor
- backdoor to the program, only known to the programmer and the hacker
- typically works by recognizing some special sequence of input
logic bomb
embedded in legitimate programs, activates when some conditions are met
trojan
hidden in host program, and executes when the host executes
virus
- infects a program by changing it.
- self-copy to programs to spread
4 stages of virus
- Dormant
- propagation
- trigger
- execution
Dormant phase
program is infected, but not execute yet
propagation phase
virus is spreading
trigger phase
host runs trigger virus (click email attachment)
execution phase
virus execute, then look for hosts to spread
spy on someone
trojan
cripple a computer
logic bomb
quickly spread
virus
virus structure
- first line: go to main of virus
- second line: tag (infected or not)
- main: find and infect other programs, do some damage, go to first line of host to do normal work
- avoid detection: compress, decompress host
parasitic virus
scan/infect program
memory-resident virus
infect running program
macro virus
embedded in documments
boot sector virus
- run/spread when the program is boot
- load in the bootsector, move the bootstrap loader from the bootsector to some other location, and point to it after doing damage
polymorphic virus
encrypt part of the virus using a random key
boot sector always runs first?
true
how macro virus spread?
- copies itself to the global macro
- activates, spread whenever document is open
which virus infects the OS
memory resident virus
Rookit can hide from the user?
yes, by intercepting OS activities
how does worm spread
use network connection
