Viruses using.net Framework

Similar documents
WHITE PAPER. Understanding How File Size Affects Malware Detection

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 2 Systems Threats and Risks

How To Understand What A Virus Is And How To Protect Yourself From A Virus

Contact details For contacting ENISA or for general enquiries on information security awareness matters, please use the following details:

What's the difference between spyware and a virus? What is Scareware?

STANDARD ON CONTROLS AGAINST MALICIOUS CODE

Willem Wiechers 3 rd March 2015

Trends in Malware DRAFT OUTLINE. Wednesday, October 10, 12

Module 5: Analytical Writing

PROACTIVE PROTECTION MADE EASY

Virus Definition and Adware

Personal Data Security. Grand Computers Club New Technologies SIG May 21, 2014

1. Overview of the Java Language

Characteristics of Java (Optional) Y. Daniel Liang Supplement for Introduction to Java Programming

1/20/2016 INTRODUCTION

Ohio University Computer Services Center October, 2004 Spyware, Adware, and Virus Guide

Chapter 1. Dr. Chris Irwin Davis Phone: (972) Office: ECSS CS-4337 Organization of Programming Languages

Language Evaluation Criteria. Evaluation Criteria: Readability. Evaluation Criteria: Writability. ICOM 4036 Programming Languages

N-CAP Users Guide. Everything You Need to Know About Using the Internet! How Worms Spread via (and How to Avoid That)

Malicious Software. Ola Flygt Växjö University, Sweden Viruses and Related Threats

Optimizing Windows Security Features to Block Malware and Hack Tools on USB Storage Devices

Post-Class Quiz: Software Development Security Domain

Malware, Spyware, Adware, Viruses. Gracie White, Scott Black Information Technology Services

Spam, Spyware, Malware and You! Don't give up just yet! Presented by: Mervin Istace Provincial Library Saskatchewan Learning

ANTIVIRUS BEST PRACTICES

Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them

Multi State Information Sharing and Analysis Center. Briefing Paper. Keeping Your Broadband Internet Connection Secure

Viruses, Trojan Horses, and Worms

COMPUTER-INTERNET SECURITY. How am I vulnerable?

Malware: Malicious Code

Desktop and Laptop Security Policy

Chapter 14 Computer Threats

Using Windows Update for Windows XP

Computer Security Maintenance Information and Self-Check Activities

What is a Virus? What is a Worm? What is a Trojan Horse? How do worms and other viruses spread? Viruses on the Network. Reducing your virus Risk.

Computer Security DD2395

CS549: Cryptography and Network Security

What are Viruses, Trojans, Worms & Spyware:

Introduction to Computer Security Table of Contents

How to prevent computer viruses in 10 steps

Lectures 9 Advanced Operating Systems Fundamental Security. Computer Systems Administration TE2003

Chapter 8 Types of Utility Programs and Operating Systems. Discovering Computers Your Interactive Guide to the Digital World

Intruders and viruses. 8: Network Security 8-1

When you listen to the news, you hear about many different forms of computer infection(s). The most common are:

Introducing the.net Framework 4.0

Technical White Paper: Running Applications Under CrossOver: An Analysis of Security Risks

Malware: Malicious Software

Malicious Programs. CEN 448 Security and Internet Protocols Chapter 19 Malicious Software

(Self-Study) Identify How to Protect Your Network Against Viruses

Spyware. Michael Glenn Technology Management 2004 Qwest Communications International Inc.

Security Engineering Part III Network Security. Intruders, Malware, Firewalls, and IDSs

Windows XP Pro Service Pack 3

Cryptography and Network Security Chapter 21. Malicious Software. Backdoor or Trapdoor. Logic Bomb 4/19/2010. Chapter 21 Malicious Software

1949 Self-reproducing cellular automata Core Wars

LASTLINE WHITEPAPER. In-Depth Analysis of Malware

Malicious Software. Malicious Software. Overview. Backdoor or Trapdoor. Raj Jain. Washington University in St. Louis

(12) United States Patent

Using Windows Update for Windows Me

Smartphone Spying Tools Mylonas Alexios

Intro to Firewalls. Summary

K7 Mail Security FOR MICROSOFT EXCHANGE SERVERS. v.109

IQware's Approach to Software and IT security Issues

License for Use Information

An Easier Way for Cross-Platform Data Acquisition Application Development

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

Computer Viruses: How to Avoid Infection

Online Security Awareness - UAE Exchange - Foreign Exchange Send Money UAE Exchange

Malware Trend Report, Q April May June

APPLETS AND NETWORK SECURITY: A MANAGEMENT OVERVIEW

Basic Computer Maintenance

Endpoint protection for physical and virtual desktops

UMHLABUYALINGANA MUNICIPALITY ANTIVIRUS MANAGEMENT POLICY

Electronic Security is defined d as:

Interpreters and virtual machines. Interpreters. Interpreters. Why interpreters? Tree-based interpreters. Text-based interpreters

Lab Experience 17. Programming Language Translation

ESET NOD32 ANTIVIRUS 9

MOBILE MALWARE REPORT

ESET NOD32 ANTIVIRUS 8

Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines

System Compatibility. Enhancements. Operating Systems. Hardware Requirements. Security

Rogue Programs. Rogue Programs - Topics. Security in Compu4ng - Chapter 3. l Rogue programs can be classified by the way they propagate

COB 302 Management Information System (Lesson 8)

Software Engineering 4C03 Class Project. Computer Networks and Computer Security COMBATING HACKERS

BE SAFE ONLINE: Lesson Plan

Symantec Endpoint Protection

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

C# and Other Languages

Malware. Björn Victor 1 Feb [Based on Stallings&Brown]

PKOMP 89/5. Analysis of the Bouncing Ball Virus M S Olivier H W Teitge

How Spyware and Anti-Spyware Work

Introduction to Free Computer Tools

Zscaler Cloud Web Gateway Test

ESET SMART SECURITY 6

Norton AntiVirus 9.0 for Macintosh

ESET SMART SECURITY 9

Cyber Security Awareness

Web site security issues White paper November Maintaining trust: protecting your Web site users from malware.

Advanced compiler construction. General course information. Teacher & assistant. Course goals. Evaluation. Grading scheme. Michel Schinz

Transcription:

SISY 2006 4 th Serbian-Hungarian Joint Symposium on Intelligent Systems Viruses using.net Framework Zsombor Zsolt Kurdi John von Neumann Faculty of Informatics, Budapest Tech Bécsi út 96/B, H-1034 Budapest, Hungary kurdi.zsombor@nik.bmf.hu Abstract: In our age, programming languages and development tools advance to make programmers' work much easier. The tools can assemble programs written different programming languages, they can build executables can be run independently of the operating system. This simplification of software development causes the simplification of writing programs with the prepense of malice (e.g. viruses). So developers of these tools have to care about the security. Farther this virtual equivalency of computers and the spreading of Internet make easier to viruses infecting a computer. Keywords:.NET Framework, MSIL, Virus, Malware 1 Introduction Viruses are small softwares attach themselves to other files (infection) and cause damage to the computer (this is their main goal) when a user executes the infected file. The concrete steps of the infection procedure depend on a lot of properties of the local environment (e.g. operating system, virus strain, file's type would be infected etc.). Penetration of.net Framework (and other development tools for writing platform-independent programs) causes a great simplification in virus development too. For example the viruses have not care about the type of operating system during the infection and damaging which is a great advantage for them. This article is organized as follows: Section 2 gives an outline about malicious softwares (short description, history, types etc.), Section 3 treats of the.net framework, it's usability and its similarity to Java Virtual Machine. The main section (Section 4) covers an introduction and analysis of viruses based on the services of the.net framework, which is followed by the conclusions (Section 5). 473

Zs. Zs. Kurdi Viruses using.net Framework 2 Viruses and Other Malicious Softwares A computer virus (or simply virus) is a self-replicating computer program that spreads by inserting copies of itself into other executable code or documents (definition from wikipedia.org). These small pieces of programs were named viruses because they behave very similar to biological viruses. The attaching procedure, when a virus copies itself to an executable is called infection, and the infected executable is the host. The first computer virus was written in the early 1970s or even in the end of 1960s. But the term computer virus was formally defined by Fred Cohen in 1983. Actually the number of malicious programs started increasing in this period. The most self-replicating programs were written with scientific view. Since that time this growing has accelerated and the goals of writing such a program has been changed ([1]). Viruses are not the only malefic programs in the info-space, but they are the most well-known ones. There are a lot of other malicious softwares (malwares). The common property of these programs is to infiltrate or damage a computer system, without the owner s consent. A malware can be a virus, a worm, a trojan horse, a spyware, an adware, any other program written with the idea of causing damage. A worm is a special type of virus which travels over network (e.g. Internet) to find and infect files on other computers. Only viruses and worms are self-replicating programs from the enumeration above. The other malwares uses the credulousness of users to the reproduction (or the infection of the computer). Spyware and adware programs are some special kinds of malware. They were created for commercial purposes. A spyware gathers information about computer users; an adware shows annoying advertisements to them. Since 2003 these are the most common types of malware. Hereafter this article focuses on viruses (and partially on worms). Viruses can be sorted in many ways. There are viruses which uses existing executables (program virus) for running. Such a virus attaches itself to an executable file and it runs (infects and causes damage) when a user executes the host file. Other viruses overwrite the boot sector or the master boot sector of the disks (boot virus). These viruses are load into memory if the computer tries to read the disk while it is 474

SISY 2006 4 th Serbian-Hungarian Joint Symposium on Intelligent Systems booting. Some viruses combine boot and program viruses (multipartite virus) or tries to avoid virus-detection using certain techniques (polymorphic and stealth viruses). Finally a new type of viruses is macro viruses that infect the macros within a document or template. This high number of viruses and virus types calls for solutions for defend computer from the infection of any virus. There are a lot of commercial softwares (anti-virus programs) more or less efficient tools against malwares. The contest between developers of viruses and anti-virus softwares is a never-ending war which can be won by nobody. Because softwares are often designed with security features (e. g. operating system, browsers, e-mail softwares etc.), software design and development methods and strategies have to prevent as many security holes in the software as possible. Programs should have no vulnerabilities which can be used by viruses. 3 The.NET Framework Diversity is part of all segment of informatics. The hardware elements used for compiling computers can be very different and they can have unique characteristic depend on the manufacturer. One of the main goals of operating systems is to hide these dissimilarities and provide a uniform, hardware-independent interface for computer users (see Figure 1). This virtual unification of the hardware-granted functions makes computer more usable, and software development will be much easier. Operating systems (their count is essentially less than the count of hardware elements) define virtual hardware units with generic properties and functions. They use the physical hardware or software emulation to grant these properties and functions. So people have to learn how they can avail themselves of the functions of the chosen operating system (they have not concern themselves about the functions of the hardware-layer). Besides the operating systems, the most programming languages open the door to write so-called platform-independent programs (softwares uses resources available in every operating system). Up to now the programmers have had to write the program (source code) once and it has had to be compiled as many as the number of operating systems have the users (in each cases the result of this procedure is almost the same sequence of processor-instruments, but the executable file's format is different certainly). For a long time past, programmers' wish is to make this procedure easier. They would like to write and compile the source code only once. This problem has been being solved far in the past. Interpreted programming languages are the solution. 475

Zs. Zs. Kurdi Viruses using.net Framework In this case, the source code is the program which is executed by another program (interpreter). These codes can be executed with each operating system has the required interpreter. But the interpreted programs have disadvantages: the executing procedure is too slow and the source code's syntax can not be checked fully. Sun Microsystems Inc. has given a solution for this. The programmers of Sun have created the Java programming language which integrate interpretation and compilation during software development and execution. After the Java source code has been written, it has to be compiled (the result is a sequence of Java Byte Code), so the syntax and semantics of the source code can be checked, and the code can be made more efficient. The Java Byte Code constitutes the instrument set of the Java Virtual Machine (JVM), so the result of compilation can be interpreted by a JVM. Because Sun has published JVMs for the most common operating systems, the once written and compiled program can be executed by all the computers run JVM. Programmers of Microsoft solved the problem otherwise. They created the Microsoft.NET Framework. This solution is very similar to Java, JVM and Java Byte Code, but it is much more. It exploits the hidden power of JVM, and eliminates its weaknesses. The.NET Framework is development and execution environment for several programming languages (C\#, C++, Visual Basic etc.), so software component written in different programming languages can be assembled by.net Framework. Moreover, the compiled source would not be interpreted; it will be compiled to native code before execution using the Just-In-Time (JIT) compiling strategy. The first compilation produces a code written using Microsoft Intermediate Language (MSIL). The.NET Framework as the Java environment constitutes a new layer over the operating system which hides the dissimilarities of various operating systems (this architecture is shown on Figure 1). Figure 1 Layered Architecture 476

SISY 2006 4 th Serbian-Hungarian Joint Symposium on Intelligent Systems 4.NET Viruses Executable files written for.net Framework can be infected by viruses as other executables. In this case there are two ways for the infection: malicious code can be added to the file contains MSIL code-sequence or to the native code after the JIT compilation (see Figure 2). Figure 2 Infection types If the virus infects an MSIL file, the infection will be platform independent too. The infected PE (portable executable) file can execute without any changes by other operating systems, so the infection can be spread very fast. While the infection of native code is localized for the operating system using the same executable format. Because lot of web services use the.net architecture, they create new infection mechanisms unwittingly or almost unwittingly ([2]). Anti-virus professionals' opinion is the security model of.net Framework can stop several attacks of viruses, but not all. There are other possible ways to take advantages of.net services. Still the malwares and.net Framework's collaboration is an unanswered question. There are several viruses using the.net Framework in the info-space. The firs one was Donut (also known as dotnet ) which was exposed in 2002. It is a native executable targets PE files written for.net Framework. It overwrites the initial jump to the _CorExeMain() function (located in mscoree.dll) with a jump to the end of the file where the malicious code is located. (This process is similar to the standard infection of native executables.) The virus also injects short MSIL code into the PE file for display a message that akes the fact of infection known to the user (source: virus escription from Symantec). The basic form of Donut is a native executable which is an e-mail irus (it uses the address book in Microsoft Outlook to spread via -mails sent without the user's will 477

Zs. Zs. Kurdi Viruses using.net Framework ([3]). If this file is executed on a local computer, it infects the executables in the same folder and up to 20 parent folder. However Donut is defined as a low-risk virus, it is a good example, that the viral infection of.net executables are possible indeed. Conclusions The efforts make the program development easier faster and comfortable draw down the simply way to develop viruses and other malwares. So developers of programming frameworks (e.g..net) and creators of programming languages interpreted by virtual machines (e.g. Java) have to care the security leaks and features of these development tools through all ages. The popularity of Internet and the new computing model based on.net Framework used for web application creates fresh vulnerabilities can be exploit by virus (and malware) writers day-by-day. Donut is an example that good security conception (as the security of.net Framework) can reduce this vulnerabilities, but they can be never completely removed. References [1] B. Krebs: A Short History of Computer Viruses and Attacks, The Washington Post, 14 th February 2003 [2] J. Layden:.NET may Lead to Fewer Viruses, The Register, 28 th September 2001 [3] J. Layden: C\# Virus Pitched against.net, The Register, 4 th March 2002 [4] Microsoft Knowledge Base: Information About the.net W32.Donut Virus, Q316287, 8 th July 2005 478

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information