Ninth week homework

1. Textbook summary

Malicious code classification

"Malicious code" is usually a general term covering viruses (Virus), Trojan horses (Trojan Horse), worms (Worm), macro viruses (Macro), backdoor programs (BackDoor), hacker software/tools (Hacker), spyware (Spyware), adware (Adware), joke programs (Joke), hoax programs (Hoax) and other harmful programs and files (Malware).

What is a computer virus

A computer virus is a program, a piece of executable code. Like biological viruses, computer viruses have a unique ability to replicate. They can spread quickly and are often difficult to eradicate. They can attach themselves to many types of files, and when files are copied or transferred from one user to another, the virus travels with them. Beyond the ability to replicate, some computer viruses share another characteristic: a contaminated program can carry the virus onward. Even when a virus seems to do nothing more than display text and images, it may also have corrupted files, reformatted your hard drive, or caused other kinds of damage. Even if a virus does not reside in a host program, it can still cause trouble by consuming storage space and degrading the overall performance of your computer.

A computer virus can be defined from several angles. One definition is a program that spreads through media such as disks, tapes and networks and can "infect" other programs. Another is a latent, infectious and destructive program that can replicate itself and exists with the help of some carrier. A third is an artificially created program that, by various means, lurks in or parasitizes storage media (such as disks or memory) or programs, and when a certain condition or time is reached, reproduces and spreads by itself, causing the computer's resources to be damaged in various ways. These descriptions borrow, in a sense, the concept of a biological virus. What a computer virus shares with a biological virus is that it is a "pathogen" that can invade computer systems and networks and endanger their normal operation: it can damage computer systems in various ways while replicating itself and being contagious. A computer virus is therefore a program or set of instructions that can lie latent in a computer storage medium (or program) by some means, is activated when a certain condition is met, and has a damaging effect on computer resources.

Classification by the system the virus attacks

(1) Viruses that attack DOS systems. These appeared earliest and in the greatest number, with the most variants; essentially all the computer viruses that have appeared in China so far are of this type, and they account for 99% of the total.
(2) Viruses that attack Windows systems. Because the graphical user interface (GUI) and multitasking of Windows are popular with users, Windows is gradually replacing DOS and has therefore become the main target of virus attacks. The CIH virus, the first virus found to damage computer hardware, is a Windows 95/98 virus.
(3) Viruses that attack UNIX systems. UNIX is now very widely used, and many large systems use UNIX as their main operating system, so the appearance of UNIX viruses is also a serious threat to information processing.
(4) Viruses that attack OS/2 systems. The first virus attacking OS/2 has already been discovered; although simple, it is an ominous sign.

Classification by virus attack type

(1) Viruses that attack microcomputers. This is the most widely spread type of virus in the world.
(2) Viruses that attack minicomputers. Minicomputers are used extremely widely, both as nodes in a network and as hosts of small computer networks. At first, people believed that computer viruses could only occur on microcomputers and that minicomputers were immune, but after the Internet was attacked by a worm program in November 1988, it became clear that minicomputers are equally vulnerable to computer viruses.
(3) Viruses that attack workstations. In recent years computer workstations have advanced considerably and their range of application has grown, so it is not hard to imagine that viruses attacking workstations are also a major threat to information systems.

Classification according to the link mode of computer viruses

Since a computer virus must have a target in order to attack a computer system, and that target is the executable part of the system, viruses can also be classified by the way they link themselves to that target.

(1) Source-code viruses. These attack programs written in high-level languages: the virus inserts itself into the source program before compilation and, once compiled, becomes part of a legitimate program.
(2) Embedded viruses. These embed themselves in an existing program, linking the main body of the virus to its target by insertion. Such viruses are hard to write and, once they have invaded a program, hard to remove. If polymorphic, "super virus" and stealth techniques are combined, they pose a severe challenge to current anti-virus technology.
(3) Shell viruses. A shell virus wraps itself around the host program without modifying the original program. This is the most common type; it is easy to write and easy to detect, usually simply by checking the file size.
(4) Operating-system viruses. These use their own program to join or replace parts of the operating system. They are highly destructive and can paralyze the entire system. The "Dot" (圆点) virus and the "Marijuana" (大麻) virus are typical operating-system viruses.
When such a virus runs, it replaces legitimate program modules of the operating system with its own logic, and damages the operating system in a way that depends on the characteristics of the virus itself, on the position and role in the operating system of the legitimate modules it replaces, and on the manner in which the replacement is carried out.

2. Experiment overview

2.1 Buffer overflow experiment

The goal of this experiment is to let students gain hands-on experience of buffer overflow attacks and apply the vulnerability knowledge learned in the classroom to practice. A buffer overflow occurs when a program attempts to write more data to a buffer than its pre-allocated fixed length. This vulnerability can be exploited by a malicious user to change the control flow of a program or even execute arbitrary code. The vulnerability arises because the data buffer and the return address are stored adjacent to each other in memory, so an overflow causes the return address to be overwritten. In this lab, students will analyze a program with a buffer overflow vulnerability; the task is to devise an attack scheme that exploits the vulnerability and ultimately gains root privileges. In addition, students will be introduced to some protection mechanisms in the system that prevent buffer overflows. Students need to evaluate whether their attack scheme works under these protection mechanisms and explain why.
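As an added example (not code from the lab or the textbook), the C program below models the adjacency described above with a constructed struct standing in for a stack frame: an unchecked copy spills from the buffer into the neighbouring saved_ret field, while a bounded copy rejects over-long input instead. The struct, the field names and the inputs are constructed for the demo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a stack frame: a fixed-size buffer followed by the
 * value we must protect. In a real frame the neighbour is the saved return
 * address, which is why an unchecked copy can redirect control flow. */
struct frame {
    char buf[16];
    uint64_t saved_ret;
};

/* Models the vulnerable pattern strcpy(f->buf, input): the copy length comes
 * from the input, not from the destination. Clamped to the whole struct so the
 * demo never writes memory it does not own. Returns saved_ret afterwards. */
uint64_t unsafe_fill(struct frame *f, const char *input) {
    size_t len = strlen(input) + 1;          /* attacker-controlled length */
    if (len > sizeof *f)
        len = sizeof *f;                     /* demo-only clamp */
    memcpy((unsigned char *)f, input, len);  /* spills past buf into saved_ret */
    return f->saved_ret;
}

/* Hardened pattern: the copy is bounded by the destination, and input that
 * does not fit together with its terminator is rejected instead of being
 * silently truncated. Returns true when the input was stored. */
bool safe_fill(struct frame *f, const char *input) {
    size_t i = 0;
    while (i < sizeof f->buf && input[i] != '\0')
        i++;                                 /* bounded scan of the input */
    if (i == sizeof f->buf)
        return false;                        /* no room for the terminator */
    memcpy(f->buf, input, i + 1);            /* includes NUL, stays inside buf */
    return true;
}

int main(void) {
    struct frame f = { {0}, 0x1122334455667788ULL };
    char big[32];                            /* constructed over-long input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("safe_fill(\"hello\") -> %d, saved_ret = %016llx\n",
           safe_fill(&f, "hello"), (unsigned long long)f.saved_ret);
    printf("safe_fill(big)     -> %d, saved_ret = %016llx\n",
           safe_fill(&f, big), (unsigned long long)f.saved_ret);
    printf("unsafe_fill(big)   -> saved_ret = %016llx\n",
           (unsigned long long)unsafe_fill(&f, big));
    return 0;
}
```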

2.2 Malicious code analysis

  • Raise user security awareness
  • Run anti-virus software on the system and update its signature database in real time
  • Pay special attention to self-starting programs attached to ASEPs (auto-start extensibility points), for example with tools such as 360 and SReng in China
  • Restrict web access on the server
  • Develop and use behavior-based or anomaly-based detection methods
  • Laws and regulations
