Network Offensive and Defense Technology--The Fifth Assignment

Homework five

1. What is malicious code? What are the main types of malicious code?

  1. Definition of malicious code
    Malicious code refers to computer software deliberately designed to harm the interests of users; that is, malware is software designed to harm users' interests and to act against their intentions.
  2. Behavioral characteristics of malicious code
    According to the definition of the Internet Society of China, the behavioral characteristics of malware are:
    ✓ Forced installation: installing software on the user's computer without permission
    ✓ Difficult to uninstall: no universal uninstallation method is provided, or the program remains active after being uninstalled
    ✓ Browser hijacking: modifying the browser or related settings without permission, forcing users to visit specific websites or preventing normal Internet access
    ✓ Advertising pop-ups: displaying pop-up advertisements through the installed software without the user's permission
    ✓ Malicious collection of user information: unauthorized, malicious collection of user information
    ✓ Malicious uninstallation: uninstalling non-malicious software without permission or in a deceptive manner
    ✓ Malicious bundling: bundling software that has been identified as malicious into the software
    ✓ Other malicious behavior that violates the user's right to know or right to choose
  3. Types of malicious code
    There are many types of malicious code according to their uses and characteristics, such as computer viruses and Trojan horses. Since computer viruses were the earliest malicious code to appear, there is a view that malicious code is equivalent to computer viruses.

Table 1 Types of malicious code

    According to whether it requires a host and whether it has the ability to self-replicate (propagate), malicious code can be divided into four categories:

                              Requires a host                            Does not require a host
    Cannot self-replicate     Dependent, non-infecting malicious code    Independent, non-infecting malicious code
    Can self-replicate        Dependent, infecting malicious code        Independent, infecting malicious code
Table 2 Malicious code classification

  4. Examples of malicious code classification

    Category                                           Examples
    Dependent malicious code that does not infect      Trojan horse; logic bomb; backdoor or trap door
    Independent malicious code that does not infect    Code dropper; breeder (prank program)
    Infectious dependent malicious code                Computer virus
    Infectious independent malicious code              Worm
Table 3 Examples of malicious code classification

2. What are the main basic techniques of malicious code?

  1. Malicious code hiding technology
    (1) Local hiding
    Local hiding is a concealment method adopted to prevent local system administrators from becoming aware of the malicious code.
    ✓ File concealment: name the malicious code file with a name similar to a legitimate system program file name, simply replace the legitimate file, or attach the malicious code file to a legitimate program file.
    ✓ Process concealment: attach to or replace a system process so that the malicious code runs as a legitimate service, thereby concealing it. The process-listing program or the command-line parameters can also be modified so that the malicious process cannot be queried, and RootKit technology can be used to achieve process concealment.
    ✓ Network connection concealment: use the port of an existing service to conceal the network connection. For example, when port 80 is used, the attacker sets a special identifier in its own data packets and recognizes the hidden connection by that identifier; WWW service packets without the identifier are still forwarded to the original service program for processing.
    ✓ Compiler concealment: the compiler implants the malicious code while compiling the program code, so the malicious code is hidden inside user programs and the attack takes place at the original point of distribution. The malicious code is implanted by the compiler's developers.
    ✓ RootKit concealment: using appropriate RootKit tools, the malicious code can hide itself or specified files, processes, network connections, etc., making them difficult for administrators to detect.
    (2) Network hiding
    Network hiding mainly refers to hiding the communication content and the transmission channel.
    ✓ Communication content concealment: encrypting the transmitted content with an encryption algorithm conceals the communication content.
    ✓ Transmission channel concealment: covert channel technology is used to hide the transmission channel.
    ✓ Covert channel: an information flow that is not controlled by security mechanisms and uses a shared resource as a communication channel; this includes storage covert channels and timing covert channels.
  2. Malicious code survival techniques
    Malicious code survival techniques mainly include four types:
    Anti-tracking technology: reduces the chance of discovery by making the malicious code harder to analyze.
    Encryption technology: uses encryption to improve the malicious code's ability to protect itself.
    Fuzzy transformation (obfuscation) technology: by transforming its own code, the malicious code evades signature-based detection systems and improves its survivability.
    Automatic production technology: automatically generates new malicious code with changed signatures from existing malicious code, thereby evading signature-based detection.
  3. Malicious code attack technology
    ✓ Process injection technology: the malicious code embeds itself into a service program of the operating system or network system, which both hides it and starts it whenever the service is loaded.
    ✓ Three-thread technology: the malicious code process opens three threads at once. One is the main thread, responsible for remote control; the other two are auxiliary monitoring and daemon threads, which immediately try to restore the main thread once they discover it has been deleted.
    ✓ Port reuse technology: reusing a port already opened by the system or a network service (such as port 80) can deceive firewalls and is highly deceptive.
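The defender's counterpart to network connection concealment and port reuse above is a protocol-conformance check: a flow to the web port whose first client bytes are not an HTTP request line is a candidate for a hidden connection. This is an added example, not code from the assignment; the flow records and field names are constructed for illustration.

```python
import re
from typing import Dict, List

# A well-formed HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x line break.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH|CONNECT|TRACE) \S+ HTTP/1\.[01]\r?\n"
)

def looks_like_http(payload: bytes) -> bool:
    """Return True if the first bytes sent by the client form an HTTP/1.x request line."""
    return HTTP_REQUEST_LINE.match(payload) is not None

def find_port_reuse_candidates(flows: List[Dict]) -> List[Dict]:
    """Flag TCP flows to port 80 whose first client bytes are not HTTP.

    Each flow is a dict with keys src, dst, dport and payload (first bytes from
    the client). Only port 80 is examined here; other service ports would need
    their own protocol check.
    """
    suspicious = []
    for flow in flows:
        if flow["dport"] != 80:
            continue
        if not looks_like_http(flow["payload"]):
            suspicious.append({"src": flow["src"], "dst": flow["dst"],
                               "reason": "non-HTTP bytes on port 80",
                               "prefix": flow["payload"][:16]})
    return suspicious

# Constructed sample flows (not captured traffic): one hidden channel among ordinary requests.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.0.80", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"},
    {"src": "10.0.0.7", "dst": "10.0.0.80", "dport": 80,
     "payload": b"\x13\x37MAGIC\x00\x01cmd:ls\r\n"},          # private identifier, not HTTP
    {"src": "10.0.0.9", "dst": "10.0.0.80", "dport": 443,
     "payload": b"\x16\x03\x01\x00\xa5\x01\x00"},             # TLS on 443, not inspected
    {"src": "10.0.0.11", "dst": "10.0.0.80", "dport": 80,
     "payload": b"POST /api HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for hit in find_port_reuse_candidates(SAMPLE_FLOWS):
        print(hit)
```

A hidden channel that wraps its identifier inside syntactically valid HTTP passes this check, so in practice it is paired with response-size and timing comparisons against the real service.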

3. What is a Trojan horse? What are the characteristics?

  1. Definition of Trojan Horse
    In a computer system, a "Trojan horse" refers to a human-designed program implanted in the system, with the purpose of remotely controlling other users' computer systems through the network, stealing information, and maliciously paralyzing the computer system.
  2. Basic components of Trojan horses
    In essence, most Trojan horses are based on the client/service program model, often consisting of a client program controlled by the attacker and one (or more) server programs running on the controlled computer.
  3. The harm of Trojan horses
    ✓ Automatically search for computers infected with the Trojan;
    ✓ Manage the other party's resources, such as copying, deleting, viewing, uploading and downloading files;
    ✓ Track and monitor the other party's screen;
    ✓ Directly control the other party's keyboard and mouse;
    ✓ Modify the registry and system files at will;
    ✓ Share the hard disk resources of the controlled computer;
    ✓ Monitor the other party's tasks and terminate them;
    ✓ Remotely restart and shut down the machine.
  4. Classification of Trojans
    According to the functions they implement, Trojans can be divided into:
    ✓ Remote control Trojans: allow the attacker to completely control the infected computer
    ✓ Password-sending Trojans: specifically designed to steal passwords on the infected host
    ✓ Destructive Trojans: destroy the file system on the infected host
    ✓ Keylogging Trojans: record the victim's keystrokes
    ✓ Denial-of-service attack Trojans
    ✓ Bounce-port Trojans: the server (controlled end) uses the active port and the client (control end) uses the passive port
    ✓ Proxy Trojans: become a springboard from which the attacker launches attacks
  5. Characteristics of Trojan horses
    (1) Effectiveness
    Trojan horses are usually an important part of a network intrusion, because a Trojan running on the target machine must be able to realize certain intentions of the intruder. Effectiveness means that the implanted Trojan can establish an effective connection with its control end (the intruder), so that the intruder can fully control the target machine and steal sensitive information. Effectiveness is therefore one of the most important characteristics of a Trojan.
    (2) Concealment
    A Trojan must be able to lurk in the target machine for a long time without being discovered. A Trojan with poor concealment is easily exposed by anti-virus (or Trojan-removal) software, or even by a user's manual check, which makes it worthless. Concealment is therefore the life of a Trojan.
    (3) Persistence
    After a Trojan is detected (loses its concealment), in order to keep its intrusion effective it often has another important characteristic: persistence. Persistence refers to how difficult it is to remove the Trojan effectively; if a Trojan cannot be removed completely in one attempt after being detected, it is highly persistent.
    (4) Ease of implantation
    Any Trojan must first be able to enter the target machine, so ease of implantation is a prerequisite for its effectiveness. Deception has been the most common implantation method since the birth of Trojans, so small useful utilities have become a common habitat for Trojans. Exploiting system vulnerabilities is another important way for Trojans to get in. Combining Trojan technology with worm and other techniques lets Trojans spread like worms, which greatly improves their ease of implantation.
    (5) Automatic operation
    By modifying system configuration files or the registry, the Trojan program is loaded and run automatically when the target system starts, without client intervention and without being noticed by the target system's user.
    (6) Deceptiveness
    In order to remain hidden for a long time, Trojans use every possible means to deceive the target system's user and avoid detection. The most common deception is naming the Trojan program something like a legitimate file name, for example a name resembling the legitimate file name explorer.
    (7) Automatic recovery
    To resist detection and removal, many Trojan programs no longer consist of a single file but are divided into multiple backup parts that can restore one another. Once one part senses that another has been deleted, the remaining parts try to restore it.
    (8) Special functions
    In addition to ordinary file operations, some Trojans also have functions such as searching for and sending passwords on the target host, recording user events, keylogging, remote registry operations and locking the mouse.

4. What is a computer virus? What are its basic components?

  1. Definition of computer virus
    A computer virus refers to a set of computer instructions or program code, compiled into or inserted into a computer program, that destroys computer functions or data, affects the use of the computer, and can replicate itself. Like a biological disease, a computer virus has a unique ability to replicate, can spread quickly and is often difficult to eradicate. Viruses can attach themselves to various types of files and spread when files are copied or transferred from one user to another.
  2. Computer virus module division
    (1) Infection module
    Looks for an executable file and checks it for an infection marker. If no infection marker is present, infection is performed and the virus code is placed into the host program.
    (2) Trigger module
    Checks whether the predetermined trigger conditions are met, returning true if they are satisfied and false otherwise.
    (3) Destruction module
    Calls the infection module to perform infection, then calls the trigger module and receives its return value. If true is returned, the destruction routine is executed; if false is returned, the subsequent program continues.

5. What is a worm? What functional structure does a worm have?

  1. Definition of worm:
    A worm is an attack program or code that is intelligent, automated and integrates network attack, cryptography and computer virus technologies and can run on its own. Worms can scan and attack node hosts with system vulnerabilities on the network, and spread autonomously from one node to another through the network. Eugene H. Spafford of Purdue University defines a worm as "a computer worm that can run independently and spread a fully functional version of itself to other computers."
  2. Worm program functional structure
    (1) Unified functional model
    The unified functional model of worm program decomposes the worm program into basic functional modules and extended functional modules. Worm programs with basic functions can complete the replication and propagation process, while worm programs with extended function modules have stronger survivability and destructive capabilities.
    (2) Basic function module
    ✓ Search module: finds the next computer to infect; a series of search algorithms can be used to improve search efficiency.
    ✓ Attack module: establishes a transmission channel (infection route) to the computer being infected.
    ✓ Transmission module: replicates the worm program between computers.
    ✓ Information search module: searches for and collects information on the infected computer.
    ✓ Reproduction module: creates multiple copies of itself on the same computer to improve infection efficiency, and checks whether the computer is already infected to avoid repeated infection.
    (3) Extended function module
    ✓ Hiding module: hides the worm program so that it cannot be discovered by simple detection.
    ✓ Destruction module: destroys or damages the infected computer, or leaves a backdoor program on it.
    ✓ Communication module: communication between worms, and between worms and hackers, may be the focus of future worm development.
    ✓ Control module: adjusts the worm's behavior, updates other function modules and controls the infected computer.
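The search module above has a recognizable footprint on the network: one source contacting many distinct hosts on the same service port in a short time, most of the attempts failing. The fan-out detector below, an added example rather than code from the assignment, runs that check over constructed flow records; the window and threshold values are assumptions to be tuned per network.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Thresholds are assumed for illustration; tune them to the monitored network.
WINDOW = timedelta(seconds=60)   # sliding time window per source host
MAX_DISTINCT_DST = 20            # distinct destination hosts tolerated per window
MIN_FAIL_RATIO = 0.8             # share of probes that never completed a handshake

def parse_flow(line: str) -> Tuple[datetime, str, str, int, str]:
    """Parse one flow record of the constructed form 'timestamp src dst dport state'."""
    ts, src, dst, dport, state = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), state

def detect_scanners(lines: List[str]) -> List[dict]:
    """Flag sources whose fan-out looks like a worm's search module.

    A worm probes many distinct hosts on one service port in a short time, and
    most probes fail because the target is absent or not vulnerable.
    """
    per_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, state = parse_flow(line)
        per_src[src].append((ts, dst, dport, state))
    alerts = []
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1                      # slide the window forward
            window = events[start:end + 1]
            distinct = {dst for _, dst, _, _ in window}
            failed = sum(1 for *_, st in window if st == "fail")
            if len(distinct) >= MAX_DISTINCT_DST and failed / len(window) >= MIN_FAIL_RATIO:
                alerts.append({"src": src, "distinct_dst": len(distinct),
                               "ports": sorted({p for _, _, p, _ in window})})
                break                           # one alert per source is enough
    return alerts

def make_samples() -> List[str]:
    """Constructed flow records: one ordinary client and one worm-like scanner."""
    base = datetime(2023, 1, 1, 12, 0, 0)
    lines = [f"{(base + timedelta(seconds=10 * i)).isoformat()} 10.0.0.5 10.0.2.{i + 1} 443 ok"
             for i in range(3)]
    for i in range(25):  # 25 hosts probed on port 445 within 25 s, 22 of the probes fail
        state = "ok" if i % 10 == 0 else "fail"
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.66 10.0.1.{i + 1} 445 {state}")
    return lines

if __name__ == "__main__":
    for alert in detect_scanners(make_samples()):
        print(alert)
```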

6. What is the difference between Trojans, viruses and worms?

    Characteristic          Trojan horse                           Virus                                          Worm
    Host                    Required                               Required                                       Not required
    Form of existence       Disguised as another file              Does not exist as an independent file          Exists in the form of a file
    Mode of propagation     Relies on the user to spread it        Relies on host files or media                  Propagates autonomously
    Main hazards            Leaves backdoors, steals information   Destroys data integrity and system integrity   Consumes resources
    Speed of propagation    Slow                                   Slow                                           Very fast
Table 4 Differences between Trojans, viruses and worms

7. What are static and dynamic analysis methods of malicious code?

  1. Malicious code static analysis definition
    Static analysis uses anti-virus engine scanning to identify the names of known malicious code families and variants, and reverse-analyzes the composition of the malicious code's modules, its internal data structures and key control flows, in order to understand the mechanism of the malicious code and extract signatures for detection.
  2. Malicious code static analysis method
    Table 5 Malicious code static analysis method (table not reproduced on the page)
  3. Malicious code dynamic analysis definition
    By executing the target code in a controlled environment, the behavior and running results of the target code can be obtained.
  4. Malicious code dynamic analysis method
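The signature-based identification described here, and the limitation that question 2 attributes to fuzzy transformation, can both be seen in one small scanner: exact hash matches name a known build, a full set of extracted byte patterns names the family, and a partial match (patterns altered in a transformed copy) is reported only as a variant. This is an added example, not code from the assignment; the signature database and sample file images are constructed values, not real malware signatures.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed signature database (assumed values, not real malware signatures):
# family -> byte patterns that reverse analysis found in every known sample.
SIGNATURES: Dict[str, List[bytes]] = {
    "DemoTrojan": [b"\x55\x8b\xec\x83\xec\x40", b"CONNECT_BACK\x00", b"\x68\x50\x00\x00\x00\xe8"],
    "DemoWorm": [b"SCAN_NEXT_HOST\x00", b"\x90\x90\xcc\xcc", b"COPY_SELF\x00"],
}
# Hashes of samples already analysed, keyed to their exact variant name.
KNOWN_HASHES: Dict[str, str] = {}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def register_known(data: bytes, variant_name: str) -> None:
    """Record an analysed sample so identical files are identified exactly."""
    KNOWN_HASHES[sha256(data)] = variant_name

def classify(data: bytes) -> Tuple[Optional[str], str]:
    """Static classification of a file image.

    Returns (name, verdict): 'exact' when the hash is known, 'family' when
    every pattern of one family is present, 'variant' when at least half of
    them are (the rest were altered), otherwise (None, 'clean').
    """
    digest = sha256(data)
    if digest in KNOWN_HASHES:
        return KNOWN_HASHES[digest], "exact"
    best_family, best_hits, best_total = None, 0, 1
    for family, patterns in SIGNATURES.items():
        hits = sum(1 for p in patterns if p in data)
        if hits / len(patterns) > best_hits / best_total:
            best_family, best_hits, best_total = family, hits, len(patterns)
    if best_family is None or best_hits == 0:
        return None, "clean"
    if best_hits == best_total:
        return best_family, "family"
    if 2 * best_hits >= best_total:
        return best_family, "variant"
    return None, "clean"

# Constructed samples: a known Trojan build, a copy with one pattern altered, and a benign file.
TROJAN_SAMPLE = b"MZ\x90\x00" + b"\x55\x8b\xec\x83\xec\x40" + b"CONNECT_BACK\x00" + b"\x68\x50\x00\x00\x00\xe8"
TROJAN_VARIANT = b"MZ\x90\x00" + b"\x55\x8b\xec\x83\xec\x40" + b"CONNECT_BACK\x00" + b"\x6a\x50\xe8"
BENIGN_FILE = b"MZ\x90\x00hello world program\x00"
register_known(TROJAN_SAMPLE, "DemoTrojan.A")
```

The variant verdict is exactly where static signatures stop being reliable; a transformed copy that alters more than half of the patterns is reported clean, which is why static scanning is paired with the dynamic analysis described in items 3 and 4.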


Origin blog.csdn.net/qq_53517370/article/details/128856093