Basic HTML version of Foils prepared April 7 1998

Foil 26 Naïve way Viruses Spread themselves

From Basic Principles of Java and Internet Security CPS616 Web Technologies -- Spring 98. by Geoffrey C. Fox


1 Take any good program (for which the virus has write privileges) and take the instruction at location L1.
2 Replace this with a jump to L2.
3 Insert the dreadful code at location L2, followed by the original code from location L1. Worry about saving and restoring registers while doing this.
4 Insert a jump to location L1+1 at the end of the bad code.
5 Net result is a program that does all the old program did plus whatever else bad is inserted.
6 This naïve approach can be detected by the presence of distinctive byte codes formed by the code at L2, or more precisely by checking whether a particular program has an unexpected length or modify time.
7 The hacker who entered NPAC installed a trapdoor into the UNIX command ps in a way that left the length of ps unchanged!
8 The hacker first entered NPAC by "sniffing" somebody's password and using UNIX bugs to get root permissions.
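
Added example (not part of the original foils): a small integrity check that compares a program against a recorded baseline, showing why the length check in point 6 misses a same-length change like the one in point 7 while a content hash still catches it. The file contents and the names snapshot, changed and demo are constructed for illustration.

```python
import hashlib
import os
import tempfile

CHECKS = ("size", "mtime_ns", "sha256")

def snapshot(path):
    """Record the length, modify time and SHA-256 digest of a file."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": digest}

def changed(baseline, current):
    """Return the attributes that no longer match the baseline."""
    return [k for k in CHECKS if baseline[k] != current[k]]

def demo():
    """Compare two modified copies of a constructed stand-in program."""
    original = b"ORIGINAL-PROGRAM-BYTES" * 64  # constructed sample, not a real binary
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for case in ("grown", "same_length"):
            path = os.path.join(d, case)
            with open(path, "wb") as f:
                f.write(original)
            base = snapshot(path)  # baseline taken while the file is known good
            if case == "grown":
                # Naive case from the foil: inserted code makes the file longer.
                with open(path, "ab") as f:
                    f.write(b"EXTRA-CODE")
            else:
                # Bytes overwritten in place: the length stays the same.
                with open(path, "r+b") as f:
                    f.seek(100)
                    f.write(b"PATCHED!")
            results[case] = changed(base, snapshot(path))
    return results

if __name__ == "__main__":
    for case, diffs in demo().items():
        # mtime_ns may or may not appear, depending on clock granularity,
        # so the hash is the attribute to rely on.
        print(case, "->", diffs)
```

The baseline is only useful if it is stored where a root-level intruder cannot rewrite it, for example on read-only media or another host.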



© Northeast Parallel Architectures Center, Syracuse University, npac@npac.syr.edu


Page produced by wwwfoil on Sun Nov 29 1998