Document information: 53 pages, 228.08 KB
Classification of Computer Viruses in the Unix Environment

by Le Tan Phuoc

A thesis submitted in partial fulfillment of the requirements for the degree of Master of Engineering

Examination Committee: Prof. Phan Minh Dung (Chairman), Dr. Ir. Erik L. J. Bohez, Dr. Ho Dinh Duan
Nationality: Vietnamese
Previous degree: B.E. in Computer Science, Ho Chi Minh City University of Technology, Viet Nam
Scholarship donor: Ministry of Education and Training (Vietnam)

Asian Institute of Technology, School of Advanced Technologies, Bangkok, Thailand, December 2003

ACKNOWLEDGMENT

I would like to express my deepest gratitude to my advisor, Prof. Phan Minh Dung, for his valuable guidance, encouragement and constant support throughout my study. Grateful thanks are also conveyed to my examination committee, Dr. Ho Dinh Duan and Dr. Ir. Erik L. J. Bohez, for their constructive comments and helpful suggestions. I would especially like to thank the Department of Industrial Systems Engineering (HCMC University of Technology) and Dr. Ho Thanh Phong for the support and encouragement that allowed me to concentrate on this dissertation. Special thanks to the CSIM staff for their support and technical assistance, and to all my friends for their encouragement and support during my study; I am greatly indebted to them for their help in solving problems during the experiments. Finally, this thesis is dedicated to my beloved parents and all my family members for their moral support and great inspiration, which encouraged me to pursue this study tirelessly.

ABSTRACT

In just over a decade, most of us have become familiar with the term "computer virus". Even those who do not know how to use a computer have heard about viruses through Hollywood films such as Independence Day or Hackers. International magazines and newspapers regularly run virus scares as leading stories; there is no doubt that our culture is fascinated by the potential danger of these viruses. Computer viruses have become a threat to computer users and to almost every field of the technology industry. Knowing about viruses and the environments they can infect is necessary for anti-virus researchers as well as for operating system makers. With the growth of open source systems today, computer viruses on these systems should be considered seriously. This study concerns the Unix environment: from an analysis of the internal mechanisms of Unix, it proposes some viruses that can work in this environment and suggests methods to prevent them and to limit the damage they cause.

TABLE OF CONTENTS

Acknowledgement
Abstract
Table of Contents
1 Introduction
  1.1 Background
  1.2 Statement of the problem
  1.3 Objective of the study
  1.4 Scope and limitation of the study
2 Literature review
3 Internal representation of files
  Inodes
  Conversion of a path name to an inode
  Inode assignment to a new file
4 System calls for the file system
  Open
  Read
  Write
  Lseek
  Close
  Create
5 Computer virus classification
  Introduction
  Shell script virus
  Boot virus
  OpenOffice macro virus
  Executable and Linkable Format (ELF) virus
6 Conclusion

CHAPTER 1 INTRODUCTION

1.1 Background

When the possibility of a computer virus was first described in scientific papers by Fred Cohen in 1984, nobody took it seriously. It did not take long before the first wide-scale computer virus infection swept through in 1986. With the growth of the Internet there are more opportunities for computer viruses to spread; the appearance of a virus type that uses the network as its transmission medium created a new term, the worm. In 1999, Melissa became the first worm to spread widely via e-mail. All operating systems are targets of computer viruses. The first IBM PC virus, called "Brain", appeared in 1986; a few years later, viruses for Apple Macintosh, Commodore Amiga and Atari systems were detected. The history of computer viruses is still being written, and they continue to pose a major threat to computer users throughout the world. Just as computers and operating systems have become increasingly complex, computer viruses have also become more complex and harder to detect. Although viruses appear in many places in the world, they always share common methods of spreading and causing damage, so a more detailed classification of viruses is needed to make them easier to examine. In this thesis, I classify virus types and study the mechanism, structure and damage levels of computer viruses based on the mechanisms of the Unix operating system and its applications. This helps those who want to study computer viruses to gain a deeper understanding, and it is also important for anti-virus researchers.

1.2 Statement of the Problem

As operating systems and applications develop, new viruses are created day by day, so the study of viruses is necessary, especially for software developers and people working in information technology. Each operating system or application gives rise to viruses with their own structures and behaviours. To study and classify computer viruses, we first have to know the common structure and behaviours of a virus, and second, most importantly, we have to know thoroughly the environment the virus works in: whether a virus can exist at all depends on what the system supports.

1.3 Objective of the Study

The primary objectives of the study are:
- to analyze the mechanism of some basic Unix system calls;
- to analyze the file structure in Unix, and the characteristics and behaviours of some applications in the Unix environment, OpenOffice for instance;
- based on these analyses, to describe some specific viruses with their full behaviour, such as infection and damage;
- to propose methods to prevent, detect and recover from these kinds of virus.

1.4 Scope and Limitation of the Study

Viruses exist in almost every operating system that allows files to be accessed and modified. Although the common behaviours of viruses are the same on all systems, the detailed mechanisms differ from system to system. In this study I concentrate only on the Unix operating system and applications in Unix (Linux in particular), studying viruses and their behaviours that can attack Linux and its applications, and hence give some methods to prevent computer viruses and restrain their damage capability.

CHAPTER 2 LITERATURE REVIEW

Viruses are among the most discussed topics in information technology today. Every year there are many seminars and reports about viruses, the damage they cause, new anti-virus products, and intelligent methods to detect and clean viruses. In the autumn of this year (2003) the University of Calgary in Canada planned to teach a fourth-year course entitled "Computer Viruses and Malware"; protests were raised against the plan.

Now we take a look at previous studies of viruses. In 1985, the Ph.D. thesis "Computer Viruses" by Fred Cohen (University of Southern California) was the first formal work in the field. He also wrote "Computer Viruses: Theory and Experiments" (1987), the paper that brought the term "computer virus" to general attention. It describes computer viruses and several experiments, in each of which all system rights were granted to an attacker in under an hour. "Models of Practical Defenses Against Computer Viruses" (Cohen, 1989) models complexity-based virus detection mechanisms that detect modifications and thereby prevent computer viruses from causing secondary infections. These models are then used to show how to protect information in both trusted and untrusted computing bases, to show the optimality of these mechanisms, and to discuss some of their features. The models indicate that changes at all levels of interpretation can be covered by a unified mechanism for describing the interdependencies of information in a system, and the paper discusses the ramifications of this unification in some depth. In 1992, Cohen's paper "A Formal Definition of Computer Worms and Some Related Results" presented a formal definition of computer worms, based on Turing's model of computation.

The doctoral thesis of Vesselin Bontchev at the University of Hamburg (1998), "Methodology of Computer Anti-Virus Research", is a detailed treatment of computer viruses and can be regarded as a definitive text on understanding and dealing with them. The important topics covered include the classification and analysis of computer viruses, the state of the art in anti-virus software, possible attacks against anti-virus software, test methods for anti-virus software, and social aspects of the virus problem; it also discusses useful applications of self-replicating software. In "Future Trends in Virus Writing" (1994), Bontchev summarizes ideas that are likely to be used by virus writers in the future and suggests measures that could be taken against them. In "Macro Virus Identification Problems" (1997) he discusses some theoretical problems facing anti-virus software: two viral sets of macros can have common subsets, or one set can be a subset of the other, and the paper discusses the problems this causes, the difficulties virus writers could exploit, and methods for tackling them.

Besides these, there are many studies of viruses by other authors, such as Brunnstein, David M. Chess and Jeffrey O. Kephart. The Virus Test Center has published anti-virus product detection analyses (1994-2002), and several papers on anti-virus product evaluation have been published at EICAR conferences, Virus Bulletin conferences and information security conferences. The anti-virus product analysis processes described in this dissertation have been developed without knowledge of other implementations, and as such the processes developed are novel.

There are many books and documents on virus classification, but most of them concentrate on the characteristics of the virus rather than on its environment: they classify only by characteristics such as family, damage level, infection ability and so on. In this study, I classify viruses based on the mechanisms of the specific environment (Unix) they work in, and hence propose some viruses and the damage they can cause.

Operators

StarOffice Basic understands the common mathematical, logical and comparison operators.

Mathematical operators: these can be applied to all number types, while the + operator can also be used to concatenate strings.
o + Addition of numbers and date values, concatenation of strings
o - Subtraction of numbers and date values
o * Multiplication of numbers
o / Division of numbers
o \ Division of numbers with a whole-number result (rounded)
o ^ Exponentiation (raising a number to a power)
o MOD Modulo operation (the remainder of a division)

Logical operators: these combine elements according to the rules of Boolean algebra. Applied to Boolean values, they give the required result directly; applied to integer and long integer values, the combination is done at the bit level.
o AND Logical and
o OR Logical or
o XOR Exclusive or
o NOT Negation
o EQV Equivalence test (both parts True or both parts False)
o IMP Implication (if the first expression is true, the second must also be true)

Comparison operators: these can be applied to all elementary variable types (numbers, date values, strings and Boolean values).
o = Equality of numbers, date values and strings
o <> Inequality of numbers, date values and strings
o > Greater-than check for numbers, date values and strings
o >= Greater-than-or-equal check for numbers, date values and strings
o < Less-than check for numbers, date values and strings
o
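The literature review cites Cohen's 1989 model, in which detecting modifications to files stops a virus from causing secondary infections, and objective 1.3 asks for methods to detect and recover from Unix viruses. The following is an added example, not code from the thesis: a baseline-and-compare integrity checker in Python over a directory tree, run against a constructed scenario in which viral code is appended to one fake binary and a dropper file is written beside it. The directory layout, file names, recorded fields and the choice of SHA-256 are this example's own assumptions.

```python
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """What the baseline stores per file. The modification time is left out on
    purpose: a virus can restore it with utime(), but it cannot forge a SHA-256."""
    sha256: str
    size: int
    mode: int  # permission bits only (S_IMODE); catches added exec or setuid bits


def fingerprint(path):
    """Hash a file in chunks and record its size and permission bits."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    st = os.lstat(path)
    return Record(h.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode))


def baseline(root):
    """Map path (relative to root) -> Record for every regular file under root."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            # Do not follow symlinks: a link pointing at a clean file would
            # otherwise hide a replaced target elsewhere in the tree.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            out[os.path.relpath(full, root)] = fingerprint(full)
    return out


def compare(old, new):
    """Return (modified, added, removed) as sorted lists of relative paths."""
    modified = sorted(p for p in old if p in new and old[p] != new[p])
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    return modified, added, removed


def demo():
    """Constructed scenario (assumption, not from the thesis): two fake
    'binaries', a baseline, then a simulated appending infection of one binary
    and a dropped shell script, as a Unix file virus would do."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name in ("cat", "ls"):
            path = os.path.join(bindir, name)
            with open(path, "wb") as f:
                f.write(b"\x7fELF" + name.encode() + b" body (constructed)")
            os.chmod(path, 0o755)
        before = baseline(root)

        # Simulated infection: viral code appended to ls and a dropper written.
        with open(os.path.join(bindir, "ls"), "ab") as f:
            f.write(b"\n# viral payload (constructed)\n")
        with open(os.path.join(bindir, "dropper.sh"), "wb") as f:
            f.write(b"#!/bin/sh\n")
        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified)
    print("added:", added)
    print("removed:", removed)
```

The baseline must be kept where the virus cannot rewrite it (read-only media, or a signed copy held off the host), and the checker must itself run from a trusted base; this is the trusted versus untrusted computing base distinction in Cohen's paper, and a checker whose baseline sits writable on the infected host can simply be re-baselined by the virus. Recovery then follows from the same data: a modified file is restored from a known-good copy and an added file is removed.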