Lec 12: Malware 1: Viruses and Virus-Defense

Question 2

Once you’ve compromised sysem, then what does the malicious software do?

Answer 2

Question 3

What is a virus? What do they require to activate?

Answer 3

Question 4

What is a virus writer’s goals?

Answer 4

Question 5

What are the kinds of viruses?

Answer 5

Question 6

What are the things that boot sector viruses affect?

Answer 6

Question 7

How do boot sector viruses work?

Answer 7

Question 8

Why attack the bootstrap?

Answer 8

Question 9

How does a virus attach to host code?

Answer 9

Question 10

What are entry-point obscuring viruses?

Answer 10

Question 11

What are polymorphic viruses?

Answer 11

Question 12

What are metamorphic viruses?

Answer 12

Question 13

Where else can viruses reside?

Answer 13

Question 14

What are macros and how prevalant are they?

Answer 14

Question 15

How was Melissa Macro Virus implemented andw hat was the strategy?

Answer 15

Question 16

What was the behavior of Melissa Macro Virus?

Answer 16

Question 17

What is the source code of melissa virus?

Answer 17

Question 18

What is the transmission rate, damage, and remedy to Melissa macro virus?

Answer 18

Question 19

How do you detect viruses?

Answer 19

Question 20

What are virus signatures? How are they used?

Answer 20

Question 21

What are the issues involved with scanning for virus signatures?

Answer 21

Question 22

What are the steps of a simple virus?

Answer 22

1. User runs an infected program
2. Program transfers control to the virus.
3. Virus locates a new program
4. Virus appends ts logic to the end of the new file
5. virus updates the new program so the virus gets control when the program is launched

Question 23

What are head/tail scanners?

Answer 23

Question 24

With knowledge of head/tail scanners, what did the bad guys do?

Answer 24

Question 25

What is scalpel scanning?

Answer 25

Question 26

What are encrypted viruses and how do they work?

Answer 26

Question 27

What are encrypted viruses?

Answer 27

Question 28

What makes encrypted viruses easy to detect?

Answer 28

Question 29

How do polymorphic viruses work?

Answer 29

Question 30

What are the steps of the polymorphic virus?

Answer 30

1. User executes program 2. virus decrypts itself 3. virus finds new progg 4. mutation engine creates new decryptor 5. virus makes a new copy of itself and encrypts this copy 6. virus appends the new decryptor and encrypted virus body to new file 7. End. we have a new infection

Question 31

What does the decryption loop from the polymorphic virus look like?

Answer 31

- main point is that there are new ones generated making them more dificult to detect

Question 32

How do you detect the polymorphic virus?

Answer 32

Question 33

What is the x-ray technique?

Answer 33

- A way to detect the polymorphic virus - plaintext attack on encrypted virus body

Question 34

What is "Generic" decryption? What are the assumptions? What is the key idea?

Answer 34

Question 35

What are the steps for how Generic Decryption works?

Answer 35

1. Load suspected program into VM 2. Allow the program to execute normally 3. "Tag" all modified memory as the program executes 3. 1 fetch byte 3. 2 decrypt byte 3. 3 store byte 3. 4 loop to 1 3. 5 and it goes on.. 4. Scan all modified areas of virtual memroy for virus signatures 5. Kill virus

Question 36

What are the challenges with Generic Decryption (GD)?

Answer 36

Question 37

What is profile-based emulation?

Answer 37

Question 38

What does having profiles specific to each polymorphic virus do in profile-based emulation?

Answer 38

Question 39

What are problems with profile-based emulation and Generic Decryption in general?

Answer 39

Question 40

How do entry-point obscuring viruses work?

Answer 40

Question 41

What to do against entry-point obscuring viruses?

Answer 41

Question 42

What is a metamorphic virus? What are the problems they cause?

Answer 42

Question 43

What is an integrated infection and what are the problems they cause?

Answer 43

Question 44

What are Modern AV programs?

Answer 44

Question 45

What are the advantages and disadvantages to virus scanning?

Answer 45

Question 46

What is innoculation? What are the drawbacks?

Answer 46

Question 47

What are integrity checks & whitelists?

Answer 47

Question 48

What are the advantages and disadvantages of integrity checks?

Answer 48

Question 49

How does behavior-based detection work?

Answer 49

Question 50

What are the advantages and disadvantages of behavior-based detection?

Answer 50

Question 51

What are reputation systems?

Answer 51

Question 52

What is the difference between standard disinfection vs generic disinfection?

Answer 52