CS451 – Information Security

Assignment 3 – Hiding viruses and worms

Due: 11 September

Please turn in your assignment in a professional, typed format.  Pledge your homework.

NOTE: To avoid writing "virus and worm", I will just use the term "virus" below, but I mean to include both.

1.  A virus requires a host program on which it can hitch-hike.  Virus detectors generally search for known (bit-string) patterns associated with known viruses.  Assume that a detector has a library of patterns – essentially byte arrays – for the currently known viruses.  (Many viruses are less than 4 kilobytes in code size though they may have accompanying data that is larger.)

a) What size do you think such arrays should be so that false positives are very, very few?  (A false positive occurs when the detector checks a program and asserts that it is infected with a virus, but it is not.)  Specify a realistic range.  Consider looking into an actual detector to see what pattern size it actually uses.

b) Is there a way to assure that there are no false positives?  If so, how?

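The following is an added illustration for question 1 and is not part of the assignment: a toy pattern-library scanner of the kind described above, together with a rough model of how many accidental matches an n-byte pattern would produce in a clean corpus (the library entries and the sample image are constructed, not real virus signatures).

```python
"""Added example for question 1 (not part of the assignment):
a naive byte-pattern scanner plus a chance-match (false-positive) estimate."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes  # the byte array the detector searches for


def scan(buf: bytes, library: list[Signature]) -> list[tuple[str, int]]:
    """Return (signature name, offset) for every library pattern found in buf.
    This is the 'known bit-string' approach the assignment describes; it knows
    nothing about the program's structure, only about raw byte sequences."""
    hits = []
    for sig in library:
        start = 0
        while (pos := buf.find(sig.pattern, start)) != -1:
            hits.append((sig.name, pos))
            start = pos + 1
    return hits


def expected_chance_matches(sig_len: int, corpus_bytes: int) -> float:
    """Expected number of *accidental* matches of one sig_len-byte pattern in a
    clean corpus of corpus_bytes bytes, modelling the corpus as uniformly random:
    each of the ~corpus_bytes offsets matches with probability 256**-sig_len.
    (Assumption of this example; real code is far from uniformly random.)"""
    return corpus_bytes * 256.0 ** (-sig_len)


# Constructed sample: a fake program image with one library pattern planted
# at offset 32; the second pattern does not occur anywhere in it.
LIBRARY = [Signature("demo-a", b"\xEB\xFE\x90\x90\xCC\xCC\x41\x42"),
           Signature("demo-b", b"\x00\x01\x02\x03")]
SAMPLE = b"MZ" + b"\x00" * 30 + LIBRARY[0].pattern + b"\xFF" * 20

if __name__ == "__main__":
    print(scan(SAMPLE, LIBRARY))            # [('demo-a', 32)]
    for n in (2, 4, 8, 16):                  # pattern length in bytes
        # 1 TB of scanned files: how many chance matches to expect?
        print(n, expected_chance_matches(n, 10**12))
```

The random-byte model is optimistic: real executables are full of repeated sequences (padding, common prologues, library stubs), so a short pattern drawn from such a region will match clean files far more often than the estimate suggests, which is why pattern choice matters as much as pattern length.
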
2. More sophisticated viruses change their appearance.  List three distinctly different ways that a virus may alter its form without using encryption.  Be creative; each kind of transformation should be different from the others.

3. Assume that the virus keeps itself encrypted.

a) Itemize the things that would have to be maintained in unencrypted form, if any.  Be specific.  Suggest the rough size (number of bytes) of each item.  How does that relate to the size of the detection byte arrays in question 1?

b) Assume that a virus uses encryption to alter itself.  Devise an easy way for the virus to keep, or acquire, keys so that it can re-encrypt itself periodically over a long duration.  The objective is to change a bit string; quality of encryption is not so relevant!  If you are making any assumptions, spell them out clearly.