
CSCI 262

Fall 2013

Lab week 10/11/2013


SOLUTIONS
Last name    First name    Student ID    Signature

MALWARE

LEARNING OUTCOMES:
a) Assess the vulnerability of an access control policy to malware
b) Recognize malware types
c) Recognize metamorphic code
d) Analyze virus fragments

1. Access rights and malware
Assume the following access control matrix:

File 1 File 2 Program P


User A RWE W E
User B R RWE

Program P contains a Trojan horse.


Assume that when A executes P it creates a process Proc(A).
- What will be the access privileges of Proc(A)?
- Will the Trojan infect any file? Why or why not?
- Assuming the ideal situation where user A can restrict the access rights of his own
processes, how would A restrict his own access to prevent any malicious action by the Trojan?
- In fact, can user A prevent such an event by restricting the access rights of the
process? Explain why or why not.

2. Flaw in virus program

In class, the following program was used as a sample of a virus program. It has a flaw in it.
What is it?

3. Another Flaw
The question arises as to whether it is possible to develop a program that can analyze a
piece of software to determine if it is a virus.
Consider that you have a program D that is supposed to be able to do just that. In other
words, for any program P, if we run D(P), the result is:
- TRUE if P is a virus
- FALSE if P is not a virus.
Consider the following program:
Program CV :=
{ ………
  main-program :=
  { if D(CV) then goto next;
    else infect-executable;
  }
  next:
}

In program CV, infect-executable is a module that scans memory for executable
programs and replicates itself in those programs. Determine whether D can correctly decide
if CV is a virus or not.
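As an added example (not part of the lab sheet), the self-referential construction of Problem 3 can be run directly. `detector` stands in for the hypothetical program D; `make_cv` builds CV around whatever detector is supplied. No replication takes place: the `infect-executable` branch only records which branch CV took, which is all the argument needs.

```python
# Added example: Problem 3's program CV in runnable form.  Every candidate
# detector D we plug in ends up misjudging the CV built around it.


def make_cv(detector):
    """Build Problem 3's program CV around a given detector D."""
    def cv():
        if detector(cv):            # D says "virus"  -> CV takes the harmless branch
            return "goto next"
        return "infect-executable"  # D says "clean"  -> CV takes the infecting branch
    return cv


def detector_contradicts_itself(detector):
    """True when D's verdict on CV disagrees with what CV actually does."""
    cv = make_cv(detector)
    verdict = detector(cv)                       # what D claims about CV
    behaves_as_virus = cv() == "infect-executable"
    return verdict != behaves_as_virus


# Three candidate detectors, covering both possible verdicts on CV.
def always_virus(program):
    return True


def never_virus(program):
    return False


def structural(program):
    """A 'smarter' D: flag any program whose constants mention the infecting
    module.  CV defeats it the same way, because CV consults D's answer."""
    return "infect-executable" in program.__code__.co_consts


if __name__ == "__main__":
    for d in (always_virus, never_virus, structural):
        print(d.__name__, "contradicted:", detector_contradicts_itself(d))
```

Whatever D answers, CV does the opposite, so no deterministic D is correct on CV; the example only makes the two cases of that argument explicit.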

4. Metamorphic code
The following code fragments show a sequence of virus instructions and a
metamorphic version of the virus. Describe the effect produced by the metamorphic
code:

Original code:
mov eax, 5
add eax, ebx
call [eax]

Metamorphic code:
mov ax, 5
push ecx
pop ecx
add eax, ebx
swap eax ebx
swap ebx eax
call [eax]
nop
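As an added example (not part of the lab sheet), the following Python is a small peephole normaliser of the kind a scanner applies before signature matching: it strips the semantic no-ops used in Problem 4 (a lone `nop`, a `push X`/`pop X` pair, a `swap a b`/`swap b a` pair) and then compares the two listings. The mnemonic syntax, including the pseudo-instruction `swap`, follows the lab sheet; the rewriting rules are illustrative and assume each pattern really has no net effect.

```python
# Added example: undo the junk insertion and reordering of Problem 4 so that
# the original fragment and its metamorphic version can be compared.
import re


def parse(listing):
    """Turn a text listing into (mnemonic, [operands]) tuples."""
    out = []
    for line in listing.strip().splitlines():
        line = line.split(";")[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        mnemonic = parts[0].lower()
        operands = re.split(r"[,\s]+", parts[1].strip()) if len(parts) > 1 else []
        out.append((mnemonic, operands))
    return out


def normalise(instrs):
    """Remove nop, push X / pop X, and swap a b / swap b a until nothing changes."""
    changed = True
    while changed:
        changed = False
        out, i = [], 0
        while i < len(instrs):
            cur = instrs[i]
            nxt = instrs[i + 1] if i + 1 < len(instrs) else None
            if cur[0] == "nop":
                i, changed = i + 1, True
            elif nxt and cur[0] == "push" and nxt[0] == "pop" and cur[1] == nxt[1]:
                i, changed = i + 2, True
            elif nxt and cur[0] == nxt[0] == "swap" and cur[1] == nxt[1][::-1]:
                i, changed = i + 2, True
            else:
                out.append(cur)
                i += 1
        instrs = out
    return instrs


# The two fragments from Problem 4.
ORIGINAL = """
mov eax, 5
add eax, ebx
call [eax]
"""

METAMORPHIC = """
mov ax, 5
push ecx
pop ecx
add eax, ebx
swap eax ebx
swap ebx eax
call [eax]
nop
"""


def same_after_normalising(a, b):
    return normalise(parse(a)) == normalise(parse(b))


def differences(a, b):
    """Instruction pairs that still differ once the junk is gone."""
    na, nb = normalise(parse(a)), normalise(parse(b))
    pairs = list(zip(na, nb))
    pairs += [(x, None) for x in na[len(nb):]] + [(None, y) for y in nb[len(na):]]
    return [(x, y) for x, y in pairs if x != y]


if __name__ == "__main__":
    print(normalise(parse(METAMORPHIC)))
    print(differences(ORIGINAL, METAMORPHIC))
```

After normalising, the only remaining difference is `mov eax, 5` against `mov ax, 5`; that one is not a pure no-op rewrite (the 16-bit move leaves the upper half of `eax` untouched), so the normaliser correctly refuses to call the two fragments identical while still collapsing everything else.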

5. Designing malicious code

The point of this problem is to demonstrate the type of puzzles that must be solved in
the design of malicious code and therefore, the type of mindset that one wishing to
counter such attacks must adopt.
a. Consider the following C program:
begin
print (*begin print (); end.*);
end
What do you think the program was intended to do? Does it work?

b. Answer the same questions for the following program:


#include <stdio.h>

char t[] = {'0', ' ', '}', ';', 'm', 'a', 'i', 'n',
            '(', ')', '{', /* and so on... */ 't', ')', 0};   /* trailing 0 ends the loop */
int main()
{
    int i;
    printf("char t[] = {");             /* first part of the program text */
    for (i = 0; t[i] != 0; i = i + 1)
        printf("%d, ", t[i]);           /* the array printed as its own initializer */
    printf("%s", t);                    /* the rest of the program text, held in t */
}

c. What is the specific relevance of this problem to this chapter?
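As an added example (not part of the lab sheet), the following Python settles the "Does it work?" question mechanically: it runs a program's text and compares what the program prints with that text. `QUINE` is built the same way as the C program in Problem 5b (a data part holding the program text with a placeholder, and a code part that prints the text with the data substituted in); `NAIVE` repeats the mistake of the program in Problem 5a, printing a fixed string that does not contain its own print statement. Both program texts are constructed for this example.

```python
# Added example: check self-reproduction by executing program text and
# comparing its output with the text itself.
import contextlib
import io

# Data part: the program text with %r where its own representation goes.
TEMPLATE = 's = %r\nprint(s %% s, end="")\n'
QUINE = TEMPLATE % TEMPLATE          # the complete, runnable program text

# A program that prints a print statement, but not the one it consists of.
NAIVE = 'print("print()")\n'


def run_program(source):
    """Execute program text in a fresh namespace and capture what it prints."""
    buf = io.StringIO()
    with contextlib.redirect_stdout(buf):
        exec(source, {})
    return buf.getvalue()


def reproduces_itself(source):
    """True when the program's output is exactly its own source text."""
    return run_program(source) == source


if __name__ == "__main__":
    print(QUINE, end="")
    print("quine reproduces itself:", reproduces_itself(QUINE))
    print("naive reproduces itself:", reproduces_itself(NAIVE))
```

The check is the one a reader would otherwise do by hand for Problem 5: run it, then diff the output against the source.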

6. Type of malware
Consider the following fragment in an authentication program:
username = read_username();
password = read_password();
if username is "133t h4ch0r" return ALLOW_LOGIN;
if username and password valid return ALLOW_LOGIN;
else return DENY_LOGIN;

What type of malicious software is it?
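As an added example (not part of the lab sheet), the fragment from Problem 6 appears below in runnable Python next to a version without the extra branch, together with a property check of the kind used to find such a branch: no username may be allowed in with a wrong password. The user store and the candidate names are constructed for the example; the special username is the one on the sheet.

```python
# Added example: the authentication fragment from Problem 6 beside a clean
# version, and a property check that exposes the hidden bypass.
import hmac

USERS = {"alice": "correct horse", "bob": "battery staple"}   # constructed store


def valid(username, password):
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, password)


def login_backdoored(username, password):
    if username == "133t h4ch0r":          # the extra branch from the lab sheet
        return "ALLOW_LOGIN"
    return "ALLOW_LOGIN" if valid(username, password) else "DENY_LOGIN"


def login_clean(username, password):
    return "ALLOW_LOGIN" if valid(username, password) else "DENY_LOGIN"


def find_bypasses(login, candidates, wrong_password="definitely-wrong"):
    """Property: a wrong password must be denied for every username.  Any
    name that is allowed anyway is accepted by the code, not by the store."""
    return [u for u in candidates if login(u, wrong_password) == "ALLOW_LOGIN"]


CANDIDATES = list(USERS) + ["133t h4ch0r", "root", "admin"]   # constructed

if __name__ == "__main__":
    print("backdoored:", find_bypasses(login_backdoored, CANDIDATES))
    print("clean:     ", find_bypasses(login_clean, CANDIDATES))
```

Source review finds the branch directly; the property check is what catches it when only the compiled program is available for testing, since the clean version returns an empty list for every candidate.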

7. Program sabotage
A program is written to compute the sum of the integers from 1 to 10. The programmer,
well trained in reusability and maintainability, writes the program so that it computes the
sum of the numbers from k to n. However, a team of security specialists scrutinized the
code. The team certified that the program properly sets k to 1 and n to 10; therefore, the
program is certified as being properly restricted in that it always operates on precisely the
range 1 to 10. List different ways that this program can be sabotaged, so that during
execution it computes a different sum, for example, 3 to 20.