Session 31: Passwords and viruses

Password security (Section 5.4.5)
  pre-hashing attack
  decoy login attack
  network sniffing attack
  using OS bugs
Viruses (Section 5.4.3)
  types of viruses
  countermeasures
  countercountermeasures

Viruses

Types of viruses

Every virus has a payload: the thing it actually wants to do, typically either a prank or something more malicious. In addition, a virus needs some way of reproducing itself. A well-written virus hides its tracks as much as possible. In particular, it hooks itself into the host program so that, once the user inadvertently starts the virus-containing program, the virus runs first and then executes the program the user actually asked for, so nothing appears to be wrong.

There are many sorts of viruses.

There are other types of viruses, but the above three have good enough (simplicity+popularity)/complexity ratios to be worth mentioning.

Countermeasures

Here we're concerned mostly with countermeasures for parasitic viruses, since they're technically the most interesting. There are two approaches to dealing with viruses: prevention and detection.

Unix takes the prevention route. Unix systems generally don't run virus protection, because it's just not necessary. This is because Unix processes run in a restricted environment: a process runs with the privileges of the user who started it, so it can only modify files that user is allowed to write. Since a good Unix user only uses the unrestricted root account when absolutely necessary, and root owns all the important system binaries (which ordinary users cannot write), a virus run by an ordinary user can't get to the good stuff.

This doesn't mean that you can't write a virus for Unix. It's just that it can't do any serious damage to the system beyond infecting the files of the person who happens to execute it. (Unless, of course, there's a bug in the OS that lets it escape those restrictions. But the OS writers will release a bug fix just as quickly as a virus scanner team would release a scanning fix, and the bug fix is better, since it makes the system impervious to every future virus that would use the same bug, not just to the one that was noticed.)

PC operating systems (Windows before NT and MacOS before OS X, at least) always ran in a very permissive mode, in which any program could access anything on the hard drive. This was convenient: it let programs run more efficiently (by going straight to the hardware instead of always going through the OS), and in any case generally only one person used the machine. So they didn't take the prevention route.

Instead, the industry of virus scanning arose. There are several things that a virus scanner can do; the two discussed below are keeping a checksum of each executable file so that a later modification is noticed, and keeping a database of fingerprints (distinctive byte sequences) of known viruses and searching executables for them.

Countercountermeasures

Of course, once you go down the road of trying to detect viruses rather than prevent them, you've opened up a can of worms: virus writers will simply look for ways of beating the scanner, and once they find one, the scanner writer has to find a way of beating their solution, and so on. We find ourselves in a vicious circle.

For example, a virus can work its way around checksum detection in three ways. First, it can modify the executable file in such a way that the checksum is unchanged. (If the checksum is just the sum of all the bytes, the virus first computes the checksum, then infects the file, then appends a correction byte chosen so that the sum is the same as before.) Second, the virus can infect the file normally, then find where the virus scanner stores its checksums and overwrite the stored value with the checksum of the infected file. Finally, the virus can simply delete the file that contains all the checksums.

Of course, the virus scanner programmer isn't going to take this lying down. The scanner can use cryptography to (a) compute a checksum that is hard to invert, i.e. a cryptographic hash, so that the virus cannot cheaply find a change that leaves the checksum intact, and (b) encrypt the file containing the checksums, so that the virus cannot write a valid replacement entry. That doesn't solve the problem of the virus removing the file, though if the file disappears, that is at least a detectable problem.
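The three checksum attacks and the cryptographic reply, carried out on constructed data, as an added example that is not part of the original notes. It also generalises the "add another byte" trick from a mod-256 sum to any additive modulus. The host and payload bytes, the in-memory checksum table and the scanner key are assumptions of the example; a keyed hash (HMAC) stands in for the notes' "encrypt the checksum file", since what matters for the argument is that the virus cannot produce a valid entry without a secret it can't read.

```python
"""Forging an additive checksum versus a cryptographic one.
The host bytes, payload bytes, the checksum-table layout and the key
are constructed for this example (assumptions), not taken from the notes."""
import hashlib
import hmac

HOST = bytes(range(256)) * 4 + b"\x00" * 100      # constructed stand-in executable
PAYLOAD = b"\xcc" * 20 + b"VIRUS"                 # constructed stand-in virus code


def byte_sum(data, modulus):
    """The weak checksum: the sum of all bytes, reduced modulo `modulus`."""
    return sum(data) % modulus


def correction_pad(extra, modulus):
    """Bytes to append after `extra` so that sum(extra + pad) is 0 mod modulus.
    Each byte contributes at most 255, so ceil(needed / 255) bytes suffice;
    for a mod-256 checksum that is the notes' single extra byte."""
    needed = (-sum(extra)) % modulus
    full, rest = divmod(needed, 255)
    return bytes([255] * full + ([rest] if rest else []))


def infect_preserving_sum(host, payload, modulus):
    """Append payload plus correction pad: the additive checksum is unchanged."""
    return host + payload + correction_pad(payload, modulus)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def keyed_mac(data, key):
    """Stand-in for the notes' protected checksum file: an entry the virus
    cannot forge without the scanner's key (HMAC-SHA256)."""
    return hmac.new(key, data, "sha256").hexdigest()


def verify(db, name, data, key=None):
    """Return 'ok', 'modified' or 'missing' for file `name` against the table."""
    if name not in db:
        return "missing"
    expected = keyed_mac(data, key) if key else sha256_hex(data)
    return "ok" if hmac.compare_digest(db[name], expected) else "modified"


def demo():
    out = {}
    # Attack 1: keep the additive checksum intact (8-bit and 16-bit variants).
    for m in (256, 65536):
        infected = infect_preserving_sum(HOST, PAYLOAD, m)
        out[f"sum_mod_{m}_preserved"] = byte_sum(infected, m) == byte_sum(HOST, m)
        out[f"pad_len_{m}"] = len(infected) - len(HOST) - len(PAYLOAD)
    infected = infect_preserving_sum(HOST, PAYLOAD, 256)
    # Defence (a): a cryptographic hash; the padding trick no longer helps.
    out["sha256_detects"] = sha256_hex(infected) != sha256_hex(HOST)
    # Attack 2: rewrite the stored checksum. Works if the table is plain.
    db_plain = {"prog": sha256_hex(HOST)}
    db_plain["prog"] = sha256_hex(infected)       # anyone can compute this
    out["plain_db_rewritten"] = verify(db_plain, "prog", infected)
    # Defence (b): entries keyed with a secret the virus cannot read.
    key = b"scanner-secret"                        # assumed unreadable by user processes
    db_keyed = {"prog": keyed_mac(HOST, key)}
    db_keyed["prog"] = sha256_hex(infected)       # best the virus can do without the key
    out["keyed_db_rewritten"] = verify(db_keyed, "prog", infected, key)
    # Attack 3: delete the entry. Not forgeable, but at least noticeable.
    del db_keyed["prog"]
    out["deleted"] = verify(db_keyed, "prog", infected, key)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The 16-bit case shows why the padding attack stays practical: the pad is never longer than about modulus/255 bytes, which for 16 bits is a few hundred bytes tacked on the end of the file.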

Thwarting the fingerprint database is more complex. The virus can encrypt its body with a different key each time it spreads, so that there is no consistent byte sequence in the virus code for the scanner to search for. In order to execute, though, the body has to be decrypted first, so the decryption code has to be part of the infected file, in the clear. That decryption code is itself a consistent byte sequence, and it can serve as the fingerprint the database searches for.

The virus writer can thwart this in turn by emitting different code at different times. After all, there are many ways of computing the same thing: you might switch the order in which things are added, switch the order of instructions that don't depend on each other, change the register allocation, or insert instructions that do nothing. The virus can be written so that, each time it writes out the decryption code, it writes a different version that performs the same decryption. Such a virus is a polymorphic virus.

The virus scanner writer may be able to find ways around this too, but keep in mind that the scanner writer has the harder job, because the time constraints on the scanner are much more severe: since the scanner runs every time any executable file is run, it has to run quickly. The virus has more leeway, since it runs only occasionally.
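The fingerprint arms race of the last three paragraphs, as an added example that is not code from the original notes: an encrypted body behind a fixed decryptor stub (which the scanner fingerprints), a polymorphic stub generator that varies registers, instruction order, filler instructions and the counter arithmetic, a substring fingerprint scanner, and one scanner reply the notes do not name, running the stub in an emulator until the body is back in the clear, which is exactly the kind of extra work that runs into the scanner's time budget. The three-byte toy instruction set, the register count and the sample body bytes are invented for the example.

```python
"""Signature scanning against an encrypted and a polymorphic virus body.
The 3-byte toy instruction set, the register count and the sample body
are inventions of this example (assumptions), not anything from the notes."""
import random

# Toy ISA: every instruction is 3 bytes (opcode, operand a, operand b).
LDI, XORAT, ADDI, SUBI, JNZ, NOP, HALT = range(1, 8)
NREGS = 4

BODY = b"PAYLOAD:rm -rf /"   # constructed stand-in for the virus body (16 bytes)
BODY_SIG = b"PAYLOAD"         # the fingerprint a database would hold for it


def assemble(instrs):
    """Flatten a list of (op, a, b) tuples into stub bytes."""
    return bytes(x for instr in instrs for x in instr)


def emulate(mem, max_steps=10_000):
    """Run the decryptor stub at the start of mem; return memory after HALT.
    This is the work a scanner must do to see the decrypted body."""
    mem = bytearray(mem)
    regs = [0] * NREGS
    pc = 0
    for _ in range(max_steps):
        op, a, b = mem[pc * 3:pc * 3 + 3]
        pc += 1
        if op == LDI:
            regs[a] = b
        elif op == XORAT:           # mem[regs[b]] ^= regs[a]
            mem[regs[b]] ^= regs[a]
        elif op == ADDI:
            regs[a] = (regs[a] + b) & 0xFF
        elif op == SUBI:
            regs[a] = (regs[a] - b) & 0xFF
        elif op == JNZ:             # jump to instruction index b if regs[a] != 0
            if regs[a]:
                pc = b
        elif op == HALT:
            return bytes(mem)
        elif op != NOP:
            raise ValueError(f"bad opcode {op} at instruction {pc - 1}")
    raise RuntimeError("emulation step limit exceeded")


def build_stub(key, body_len, rng=None):
    """Emit a decryptor that XORs the body_len bytes after the stub with key.
    rng=None: the same instruction bytes every time apart from the key (a fixed
    fingerprint). With an rng the stub is polymorphic: register choice, order of
    the independent setup instructions, filler NOPs and how the counter is
    decremented (SUBI 1 vs ADDI 0xff) all vary between copies."""
    if rng is None:
        kreg, ireg, creg, nops, dec = 0, 1, 2, 0, (SUBI, 1)
    else:
        kreg, ireg, creg = rng.sample(range(NREGS), 3)
        nops = rng.randint(0, 3)
        dec = rng.choice([(SUBI, 1), (ADDI, 0xFF)])   # both mean counter -= 1 mod 256
    n_setup = 3 + nops                  # three LDIs plus filler
    stub_len = (n_setup + 4 + 1) * 3    # setup + 4-instruction loop + HALT
    setup = [(LDI, kreg, key), (LDI, ireg, stub_len), (LDI, creg, body_len)]
    if rng is not None:
        rng.shuffle(setup)
        for _ in range(nops):
            setup.insert(rng.randint(0, len(setup)), (NOP, 0, 0))
    loop_start = len(setup)
    loop = [(XORAT, kreg, ireg), (ADDI, ireg, 1), (dec[0], creg, dec[1]),
            (JNZ, creg, loop_start)]
    stub = assemble(setup + loop + [(HALT, 0, 0)])
    assert len(stub) == stub_len and stub_len + body_len < 256
    return stub


def infect(body, key, rng=None):
    """An 'infected file': decryptor stub followed by the XOR-encrypted body."""
    return build_stub(key, len(body), rng) + bytes(x ^ key for x in body)


def scan(sample, signature):
    """The fingerprint check: does the byte pattern occur anywhere in the file?"""
    return signature in sample


def demo(n_variants=8, seed=1):
    rng = random.Random(seed)
    fixed = [infect(BODY, k) for k in (0x11, 0x5A, 0xC3)]   # new key per copy, same stub
    poly = [infect(BODY, rng.randrange(1, 256), rng) for _ in range(n_variants)]
    stub_sig = build_stub(0, len(BODY))[9:]    # loop + HALT bytes of the fixed decryptor
    return {
        "plain_hit": scan(BODY, BODY_SIG),
        "enc_body_hits": sum(scan(s, BODY_SIG) for s in fixed),
        "fixed_stub_hits": sum(scan(s, stub_sig) for s in fixed),
        "poly_stub_hits": sum(scan(s, stub_sig) for s in poly),
        "distinct_poly_stubs": len({s[:-len(BODY)] for s in poly}),
        "emulated_hits": sum(scan(emulate(s), BODY_SIG) for s in fixed + poly),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Reading the results in order: the body signature hits the plain virus and none of the encrypted copies; the stub signature hits every encrypted copy with the fixed decryptor but not the polymorphic ones; and once each sample has been emulated through its own decryptor, the original body signature hits all of them again, at the price of running attacker-chosen code in a sandbox for every file.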

Besides, it's generally easier to hide than to find. When you play hide and seek, does the game spend more time in the hiding phase (while the seeker counts to ten) or in the seeking phase (until you eventually get bored with sitting still)? Things don't look good for the virus scanners.