File Infection Techniques

Page 1: File Infection Techniques

Page 2: Introduction

* In this presentation I'm going to discuss the file infection techniques used by computer viruses and virus writers.

* A computer virus is simply a piece of executable mobile code. The problem is that it can't stand alone: it has to find a host and infect it.

* One good host for a computer virus is a computer file. It can be a data file or an executable file.

* Whether data file or executable file, almost any file can be infected with a virus.

* File infection is only one mechanism that virus writers use; there are plenty of other techniques. The naked truth about computing is that whatever operating system you use, whatever security it provides, whatever AV/scanners you have installed, and no matter how careful you are, almost every computer environment is a hostile environment.

Page 3: Data Files vs Executable Files

Executable files are files that contain executable code, scripts/macros, or byte code for a virtual machine.

* Examples of raw executable files: Linux ELF executables, Windows Win32 and Win64 executables, Mac OS executables.
* Examples of scripts: JavaScript, VBScript, Linux bash scripts, etc.
* Java and .NET are good examples of byte code executables.

Data files:

* .DAT data files.
* Image formats like JPEG, PNG, BMP, etc.
* Microsoft Office formats like Excel (.xls), Word (.doc), PowerPoint (.ppt), etc.

Conclusion: if a data file only contains data streams, how could a virus reside inside it?

[Answer] First of all, data files do not just contain simple data streams. For example, a JPEG file carries metadata segments (EXIF, comments, embedded thumbnails) that the viewer has to parse, and Microsoft Excel has the capability to embed executable macros. Even if a file contains nothing but a raw data structure, a computer virus can still reside inside it:

* There are techniques like buffer overflows which exploit the software that reads the file and force it to execute binary code that arrived as part of the data stream. [I'm not going to discuss what a buffer overflow exploit is here, but I will in my next presentation.]

* So don't just skip data files when you scan for viruses with your virus scanner.

A binary file opened with a hex editor program.
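The point of this slide, that the extension says nothing about what a file really is, can be checked mechanically. The following Python script is an added example, not code from the presentation: it sniffs the leading "magic" bytes of a file, compares them with what the extension promises, and, for Office Open XML documents, checks whether a VBA macro project (a vbaProject.bin entry inside the zip container) is embedded. All sample files are constructed in memory; the file names and the placeholder macro blob are assumptions for the demonstration.

```python
"""Content-based file type sniffing (added example, not from the presentation).
Identifies a file by its leading bytes instead of trusting the extension and,
for Office Open XML documents, checks for an embedded VBA macro project.
Every sample below is constructed in memory."""
import io
import zipfile

# Leading byte signatures for the formats the slides mention.
SIGNATURES = [
    (b"MZ", "Windows PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"BM", "BMP image"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document (legacy Office)"),
    (b"PK\x03\x04", "ZIP container (Office Open XML, JAR, ...)"),
]

# What each common extension claims to be, used to spot a disguised file.
EXTENSION_TYPES = {
    ".exe": "Windows PE executable", ".dll": "Windows PE executable",
    ".jpg": "JPEG image", ".jpeg": "JPEG image", ".png": "PNG image", ".bmp": "BMP image",
    ".doc": "OLE2 compound document (legacy Office)",
    ".xls": "OLE2 compound document (legacy Office)",
    ".docx": "ZIP container (Office Open XML, JAR, ...)",
    ".docm": "ZIP container (Office Open XML, JAR, ...)",
    ".xlsm": "ZIP container (Office Open XML, JAR, ...)",
}

def sniff_type(data: bytes) -> str:
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"

def has_vba_project(data: bytes) -> bool:
    """True if a zip-based (OOXML) document carries a VBA macro project."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.endswith("vbaProject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False

def assess(filename: str, data: bytes) -> dict:
    """Combine sniffed type, extension expectation and macro check into one verdict."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    actual = sniff_type(data)
    expected = EXTENSION_TYPES.get(ext)
    return {
        "file": filename,
        "type": actual,
        "extension_mismatch": expected is not None and expected != actual,
        "has_macros": has_vba_project(data),
    }

def make_ooxml(with_macros: bool) -> bytes:
    """Construct a minimal zip that looks like an Office Open XML document (sample only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder, not a real project
    return buf.getvalue()

# Constructed samples: a PE header hiding behind a .jpg extension, a genuine JPEG
# prefix, and two OOXML documents, one of which carries a macro project.
SAMPLES = {
    "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 60,
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "report.docx": make_ooxml(with_macros=False),
    "invoice.docm": make_ooxml(with_macros=True),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(assess(name, blob))
```

Run as a script it prints one verdict per sample; "holiday.jpg" is reported as a Windows PE executable with an extension mismatch, and only "invoice.docm" is flagged as carrying macros. A scanner that skipped files by extension would have passed both.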

Page 4: Windows Executable Files and Windows Architecture

Before Windows: Before Windows there was an open system called DOS, where all code ran in real mode, there was no security, and any wild executable file could do anything to your computer. This is the era of DOS viruses. DOS viruses are simple because the virus writer does not need to deal with bypassing the security of an operating system.

In Windows: Windows runs in protected mode, but it is still a hostile environment, even more so than the old DOS. Inside Windows, hostile executable code can't reach the processor's privileged mode, so it can't access devices directly. But Windows provides the "Win32 API", and calling that API is sufficient for a computer virus to survive inside Windows and also do damage to the computer.

Page 5: Ring0 vs Ring3

• Almost all modern microprocessors provide at least two privilege modes for executing instructions.

• Intel x86 supports four modes: ring0, ring1, ring2 and ring3, where ring0 is the most privileged and ring3 the least privileged.

• Microsoft Windows only uses two of them, ring0 and ring3. Ring0 is also known as "kernel mode", and the operating system kernel runs in that mode.

• In ring0 you can use privileged instructions such as IN and OUT (port I/O), read or write any memory location, and manipulate interrupts (e.g. CLI/STI).

• Application programs like Microsoft Excel, Word and Notepad run in ring3 ("user mode").

The ring0/ring3 separation is entirely a hardware security mechanism.

Page 6: Executable File Infection Techniques

• On the Windows platform an executable file ends with the suffix ".exe"; on Linux executables have no extension. Linux uses the ELF executable format (ELF32/ELF64) and Windows uses the PE (PE32) and PE32+ executable file formats.

• An executable file is nothing more than a big data structure consisting of:
  * a header
  * sections

In a typical executable file there are the following sections:
  text [executable code]
  data [global variables and statically initialized data]
  bss  [uninitialized (zero-filled) data; it occupies no space in the file and is allocated when the program is loaded]

The stack is not stored in the file: the operating system sets it up when it loads the program.

There is an entry point in the text section. It's where the operating system starts executing after it has loaded the text and data sections into memory and initialized the bss and the stack. So a virus has to insert its code into the text section, in other words alter the text section of a particular executable file, and make sure that control reaches the inserted code. There are other methods too; for example, inserting a new section is also possible. Following are some of the techniques virus writers use:

  * Overwriting viruses.
  * Appending to the end of the text section.
  * Viruses that inject their code into the alignment padding between sections (code caves).
  * Random-location infection.
  * Viruses that hijack the entry point.
  * Many more unspecified wild techniques used in the virus writer underground.

An example executable virus source code:

By M S D Perera

Page 7

The left picture is courtesy of http://www.thehackademy.net/madchat/vxdevl/papers/winsys/pefile/pefile.htm

Page 8

The 'MZ' and 'PE' header signatures in a particular executable file.
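The header, section table and entry point described on Page 6, and the MZ/PE signatures shown on Page 8, can be walked with a few dozen lines of Python. The following is an added example, not code from the presentation: parse_pe() follows e_lfanew from the DOS header to the "PE\0\0" signature and reads AddressOfEntryPoint and the section headers; analyze() flags the structural traces of the listed infection techniques (entry point redirected into a newly appended last section, a section that is both executable and writable, and alignment slack usable as a code cave). build_pe() constructs two minimal PE32 images in memory as samples. They are not real executables, and the "infected" one carries no virus code, only the header changes an appending virus would make.

```python
"""Minimal PE32 header walker (added example, not from the presentation).
Locates the MZ/PE signatures, reads the entry point and the section table, and
flags header patterns typical of appending / entry-point-hijacking infectors.
The sample images are constructed in memory by build_pe()."""
import struct

SCN_CNT_CODE, SCN_INITIALIZED_DATA = 0x20, 0x40
SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes

def align(n: int, a: int) -> int:
    return (n + a - 1) // a * a

def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]              # 0x10B = PE32, 0x20B = PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]         # AddressOfEntryPoint (RVA), same offset in both
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr, "chars": chars})
    return {"magic": magic, "entry": entry, "sections": sections}

def analyze(data: bytes) -> dict:
    """Report which section holds the entry point, suspicious patterns, and cave sizes."""
    pe = parse_pe(data)
    suspicious, caves, entry_section = [], {}, None
    last = len(pe["sections"]) - 1
    for i, s in enumerate(pe["sections"]):
        if s["va"] <= pe["entry"] < s["va"] + max(s["vsize"], s["raw_size"]):
            entry_section = s["name"]
            if s["name"] != ".text":
                suspicious.append(f"entry point in '{s['name']}', not in .text")
            if i == last and i > 0:
                suspicious.append("entry point in the last section (appended-section pattern)")
        if s["chars"] & SCN_MEM_EXECUTE and s["chars"] & SCN_MEM_WRITE:
            suspicious.append(f"section '{s['name']}' is both executable and writable")
        if s["raw_size"] > s["vsize"]:                           # file-alignment padding: a code cave
            caves[s["name"]] = s["raw_size"] - s["vsize"]
    if entry_section is None:
        suspicious.append("entry point outside every section")
    return {"entry": pe["entry"], "entry_section": entry_section,
            "suspicious": suspicious, "caves": caves}

def build_pe(sections, entry_rva, file_align=0x200, sect_align=0x1000) -> bytes:
    """Construct a minimal PE32 image from (name, virtual_size, characteristics) tuples.
    Constructed sample only: headers parse correctly, section bodies are int3 filler."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                 # e_lfanew: PE header follows DOS header
    opt = bytearray(224)                                        # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)  # i386, EXE|32BIT
    headers_end = len(dos) + 4 + len(coff) + len(opt) + 40 * len(sections)
    raw_ptr, va, table, body = align(headers_end, file_align), 0x1000, b"", b""
    for name, vsize, chars in sections:
        raw_size = align(vsize, file_align)
        table += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += b"\xcc" * raw_size
        va, raw_ptr = va + align(vsize, sect_align), raw_ptr + raw_size
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return headers + b"\0" * (align(headers_end, file_align) - len(headers)) + body

CODE = SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ
DATA = SCN_INITIALIZED_DATA | SCN_MEM_READ | SCN_MEM_WRITE
# Constructed samples: a normal layout, and the same image with an executable+writable
# section appended and the entry point redirected into it (how an appending virus regains control).
CLEAN = build_pe([(b".text", 0x3F0, CODE), (b".data", 0x100, DATA)], entry_rva=0x1000)
INFECTED = build_pe([(b".text", 0x3F0, CODE), (b".data", 0x100, DATA),
                     (b".virus", 0x80, CODE | SCN_MEM_WRITE)], entry_rva=0x3000)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, analyze(image))
```

Run as a script it prints both verdicts: the clean image has its entry point in .text and no suspicious findings, the infected one has its entry point in .virus with the appended-section and executable+writable findings. Alignment slack is reported separately rather than as suspicious, because nearly every compiled binary has some (SizeOfRawData is rounded up to FileAlignment); what matters for a cave-injecting virus is simply that the space exists.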

Page 9: Windows Dynamic Link Libraries

As its name says, a DLL is a dynamic library: it can be loaded at run time when it's necessary. Win32 API calls are implemented as a set of dynamic link libraries. You can see your dynamic link libraries, with the .dll extension, in your C:\windows\system32 folder.

For example, kernel32.dll provides basic process and thread creation, initialization and termination facilities. It provides APIs like CreateProcess(), ExitProcess(), etc.

The code in a DLL also lives in ring3 [the restricted execution mode]. When it needs a kernel service it calls into ntdll.dll, which transfers control to ring0 [the privileged mode] through the system call transition (the int 2Eh software interrupt on older 32-bit Windows, sysenter/syscall on newer versions).

So there is no way a Windows executable can directly access the computer's resources, but it can access them through the Win32 API. This means a virus can access them too, so nothing prevents a virus writer from writing a workable virus in the Windows environment. Again, no environment is secure.

Page 10: Dependency Walker

Dependency Walker: software that can be used to track and walk through which DLLs an executable depends on, and which DLLs those in turn recursively depend on. Photo courtesy of http://www.brothersoft.com/dependency-walker-11721.html

Page 11: Limitations of Windows Viruses

If a Windows virus needs to damage the computer hardware, it's not easy. It would have to somehow gain ring0 execution, exploit a bug in a privileged component, or use some other complex technique. For example:

* http://technet.microsoft.com/en-us/security/advisory/935423 [Microsoft Security Advisory 935423: the Windows animated cursor (.ani) handling vulnerability]

^ There you won't find information about "how to exploit it": Microsoft advisories describe impact and mitigations, not exploitation details. If you are interested you can go to the following link (use it for educational/research purposes only; don't exploit it to make real computer viruses): http://www.exploit-db.com/exploits/3636/

- exploit-db.com contains dozens of resources for a computer virology researcher.

In Windows Vista and later (including Windows 7) you have an option called "Run as administrator", which runs the executable with the full administrator token instead of the filtered token UAC normally gives you. The code still runs in ring3, but with administrative rights it can install services and drivers, which is why installing software often requires that option.

Page 12: Metasploit

Metasploit software. Photo courtesy of http://blog.c22.cc/2011/01/09/metasploit-sap-management-console-aux-modules/

Page 13: Finally

The internet outside your computer is a wild place. Computer viruses can't do magic, but all the things and techniques I mentioned above are technically possible and have been used by computer virus writers.

Even if a simple mid-level computer virus can't damage your computer hardware, it can do big damage to your stored data and your personal life: steal credit card PINs, send junk messages to your friends, etc. Computer viruses can't think, but those things are technically very possible, if complex, and complexity is not a problem for an evil genius mind.

So:

* Keep your virus guard up to date. Around 100 new viruses are released in the world every day, so update it every day, every hour, every minute, as soon as updates are available.

* Keep your operating system and software up to date, so your operating system vendor can fix the holes in your operating system.

* Do not run executables you don't trust in "Run as administrator" mode. Check the author of the software and their digital signature.

* Keep in touch with security advisories, e.g. http://www.securityfocus.com/

* Almost any file can carry a virus, so don't assume "it's a JPG, how could it contain a virus?" It can. Seriously, not joking.

In my next presentation I'm going to discuss buffer overflow attacks and how they are used in the wild by virus writers.

Thank you for listening.