Viruses, Worms and Other Malware

Computer viruses are small programs that spread from computer to computer and interfere with operations. They can corrupt or delete files, use email to spread, and even erase hard disks. Viruses are often spread through email attachments and downloads. To prevent viruses, it's important to keep systems updated with antivirus software and practice safe computing habits. There are different types of malicious programs besides viruses, including worms, trojans, and logic bombs.

Uploaded by

Mayank Singh

COMPUTER VIRUS

WHAT IS A VIRUS?

• Computer viruses are small software programs that are designed to spread from one computer to
another and to interfere with computer operation.
• A virus might corrupt or delete data on your computer, use your e-mail program to spread itself to
other computers, or even erase everything on your hard disk.
• Viruses are most easily spread by attachments in e-mail messages or instant messaging messages.
That is why it is essential that you never open e-mail attachments unless you know who they are from
and you are expecting them.
• Viruses can be disguised as attachments of funny images, greeting cards, or audio and video files.
Viruses also spread through downloads on the Internet. They can be hidden in illicit software or
other files or programs you might download.
• To help avoid viruses, it's essential that you keep your computer current with the latest updates
and antivirus tools, stay informed about recent threats, and that you follow a few basic rules
when you surf the Internet, download files, and open attachments.
• Once a virus is on your computer, its type or the method it used to get there is not as important as
removing it and preventing further infection.
Computer Network Security
Viruses



Taxonomy of Malicious Programs

[Tree diagram: Malicious Programs split into two branches]
• Needs a host program: Trapdoors, Logic Bombs, Trojan Horses, Viruses
• Independent: Bacteria, Worms


Types of Viruses
• Parasitic Virus - attaches itself to executable files as part of their code.
Runs whenever the host program runs.
• Memory-resident Virus - lodges in main memory as part of the resident
operating system.
• Boot Sector Virus - infects the boot sector of a disk, and spreads when
the operating system boots up (original DOS viruses).
• Stealth Virus - explicitly designed to hide from virus scanning
programs.
• Polymorphic Virus - mutates with every new host to prevent signature
detection.
Viruses – are there “Good” ones?

Possible ideas for a “good” virus are:


• An Anti-Virus Virus
• Find other viruses and kill them
• File Compressor Virus
• Compresses the file it infects
• Encryption Virus
• Infects boot sector and encrypts the disk with a user supplied password
• Maintenance Virus
• Traverse a network and perform maintenance functions on individual
machines
Viruses – File (Parasitic) Viruses

• Simple File Viruses
• After transplanting itself in the executable, the executable often doesn't work
• Stealth Component
• Work very similar to stealth system sector viruses
• Mask the file size of infected files when a directory listing is done on them
File Infectors

[Diagram: layout of a .COM / .EXE file from Start to End; legend distinguishes virus code from program flow]
• Unmodified .COM: program flow runs from Start to End
• Prepended virus (.COM): virus code sits at Start, followed by the original program
• Appended virus (.COM & .EXE): a Jump at Start transfers control to the virus code placed at End


Anti-Virus Technologies
• Scanners
• Interceptors
• Disinfectors
• Heuristics
• Inoculators
• Integrity Checkers
• Safe Computing (aka Common Sense)
• NBAR/QoS
• Eicar test string
• Anti-Virus Packages
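An added example, not part of the original slides: a minimal integrity checker in Python that records the size and SHA-256 of each executable and later re-checks the tree, which is how the integrity checkers listed above catch the prepended and appended file infectors shown in the File Infectors diagram (a stealth virus can mask a size in a directory listing, but not the digest of the bytes read back). The `.com`/`.exe` filter, the file names and the sample bytes are constructed assumptions.

```python
import hashlib
import os
import tempfile

# Added example (not from the slides): baseline (size, SHA-256) per executable,
# then re-check the tree and report files that changed, vanished or appeared.
# A prepended or appended infector changes both the size and the digest.

EXECUTABLE_EXTS = (".com", ".exe")  # assumption: which files count as executables


def file_digest(path):
    """Return (size, sha256_hex) for one file, streamed in 64 KiB chunks."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def build_baseline(root):
    """Map each executable under root (by extension) to its (size, digest)."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXECUTABLE_EXTS):
                path = os.path.join(dirpath, name)
                baseline[path] = file_digest(path)
    return baseline


def check_integrity(root, baseline):
    """Compare the tree now against the baseline; return sorted (path, reason)."""
    current = build_baseline(root)
    findings = []
    for path, (size, digest) in baseline.items():
        if path not in current:
            findings.append((path, "missing"))
        elif current[path] != (size, digest):
            findings.append((path, "modified"))
    for path in current:
        if path not in baseline:
            findings.append((path, "new"))
    return sorted(findings)


def demo():
    """Constructed walkthrough: baseline a fake .com file, append 20 inert bytes
    of padding (stands in for an appended infector), add a file, re-check."""
    root = tempfile.mkdtemp()
    target = os.path.join(root, "prog.com")
    with open(target, "wb") as f:
        f.write(b"\x90" * 100)          # constructed 100-byte stand-in program
    baseline = build_baseline(root)
    clean = check_integrity(root, baseline)
    with open(target, "ab") as f:
        f.write(b"\x00" * 20)           # constructed change, no real code
    with open(os.path.join(root, "extra.exe"), "wb") as f:
        f.write(b"\x90" * 10)           # a file that was not in the baseline
    return clean, check_integrity(root, baseline), baseline[target][0]
```

Calling `demo()` returns an empty clean run, then one `modified` and one `new` finding; in practice the baseline must be stored somewhere the infected host cannot rewrite, or the checker only confirms whatever the virus left behind.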
HOW DO I REMOVE A
COMPUTER VIRUS?
• If your computer is infected with a virus, you'll want to remove it
as quickly as possible. A fast way to check for viruses is to use an
online scanner, such as the Microsoft Safety Scanner. The scanner
is a free online service that helps you identify and remove viruses,
clean up your hard disk, and generally improve your computer's
performance.
• If you're not sure whether your computer has a virus, see How
can I tell if my computer has a virus? to check for some telltale
signs. To try a different online scanner, follow the links to other
companies that provide them on the Windows Security software
providers webpage.
General information about
computer virus
• Different Malware Types.
• Malware is a general name for all programs that are harmful; viruses, trojan, worms and all other
similar programs.
• Viruses
• A computer virus is a program, a block of executable code, which attaches itself to, overwrites or
otherwise replaces another program in order to reproduce itself without the knowledge of the PC user.
• There are a couple of different types of computer viruses: boot sector viruses, parasitic viruses, multi-
partite viruses, companion viruses, link viruses and macro viruses. These classifications take into
account the different ways in which the virus can infect different parts of a system. The manner in
which each of these types operates has one thing in common: any virus has to be executed in order to
operate.
• Most viruses are pretty harmless. The user might not even notice the virus for years. Sometimes
viruses might cause random damage to data files and over a long period they might destroy files and
disks. Even benign viruses cause damage by occupying disk space and main memory, by using up
CPU processing time. There is also the time and expense wasted in detecting and removing viruses.



Trojan



Trojan

• A Trojan Horse is a program that does something other than what the user thought it
would do. It is mostly done to someone on purpose. Trojan Horses are
usually disguised so that they look interesting, for example a saxophone.Wav
file that interests a person collecting sound samples of instruments. A Trojan
Horse differs from a destructive virus in that it doesn't reproduce. There has
been a password trojan out in AOL land (America Online):
Password30 and Pasword50, which some people thought were .wav files, but
they were disguised and people did not know that they had the trojan in their
systems until they tried to change their passwords.
• According to an administrator of AOL, the Trojan steals passwords and
sends an e-mail to the hacker's fake name, and then the hacker has your
account in his hands.


Trojan Horses

• A program which appears to be legitimate, but performs unintended actions.
• Trojan Horses can install backdoors, perform malicious scanning, monitor system logins and
other malicious activities.


Windows Backdoors

• Back Orifice
• Back Orifice 2000 (BO2K)
• NetBus
• WinVNC (Virtual Network Computing)
• SubSeven



Netbus

• Provides “Remote Administration” of Windows 9x and NT systems
• Allows full control over windows and devices
• (open and close windows remotely, screen capture, open and close CD-ROM tray)
• Logs keystrokes
• Listens on TCP/UDP 12345 and 12346 (configurable in v1.7 and up) for connections
• Listens on TCP/UDP 20034 (v2.x) for connections
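An added example, not NetBus's or the slides' own code: a Python check that parses Linux `/proc/net/tcp`-style socket-table lines and flags LISTEN sockets on the NetBus ports listed above. The socket table in the block is constructed, and the per-port labels are assumptions.

```python
# Added example (not from the slides or from NetBus): parse /proc/net/tcp-style
# socket-table lines and flag LISTEN sockets on the ports NetBus is known to
# use. The sample table below is constructed, not captured from a real host.

NETBUS_PORTS = {12345: "NetBus default", 12346: "NetBus default", 20034: "NetBus 2.x"}
TCP_LISTEN = 0x0A  # 'st' column value for a listening TCP socket

# Constructed sample: one listener on :22, two on 12345/12346, and one
# established (state 01) connection on 20034 that is not a listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:303A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:4E42 0100007F:A1B2 01 00000000:00000000 00:00000000 00000000     0        0 2004 1 0000000000000000 100 0 0 10 0
"""


def decode_addr(field):
    """'0100007F:3039' -> ('127.0.0.1', 12345); IPv4 is stored as little-endian hex."""
    ip_hex, port_hex = field.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets), int(port_hex, 16)


def parse_tcp_table(text):
    """Return [(local_ip, local_port, state)] for every entry line after the header."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        ip, port = decode_addr(fields[1])
        rows.append((ip, port, int(fields[3], 16)))
    return rows


def find_suspicious_listeners(text, known_ports=NETBUS_PORTS):
    """Return [(ip, port, label)] for listening sockets on known backdoor ports."""
    return [(ip, port, known_ports[port])
            for ip, port, state in parse_tcp_table(text)
            if state == TCP_LISTEN and port in known_ports]


def check_live_host(path="/proc/net/tcp"):
    """Run the same check against the running Linux host's table (read-only)."""
    with open(path) as f:
        return find_suspicious_listeners(f.read())


if __name__ == "__main__":
    for ip, port, label in find_suspicious_listeners(SAMPLE_PROC_NET_TCP):
        print(f"listener {ip}:{port} matches {label}")
```

Because the port is configurable from v1.7 up, a clean result here is not proof of absence; pair it with the host's process list and a file integrity check.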


Trojans - Jokes

One time this guy walks into a bar…

• Newest category of trojans
• Designed to look extremely malicious and are visible to the user
• Don’t really do anything at all
Worms



Worm
• A worm is a program which usually spreads over network connections.
• Unlike a virus, which attaches itself to a host program, a worm does not need a host
program to spread.
• In practice, worms are not normally associated with single-user personal
computer systems.
• They are mostly found in multi-user systems such as Unix
environments.
• A classic example of a worm is Robert Morris's Internet worm of
1988.
Why Worms?

• Ease
• write and launch once
• many acquisitions
• continually working
• Pervasiveness
• weeds out weakest targets
• penetrates difficult networks



The Worm’s Beginnings

• John Shoch invented the concept at Xerox’s Palo Alto research labs in 1978
• Designed as a useful tool that borrowed clock cycles from idle CPUs
• Actually got out of control back then as well


How it Didn’t Bring 6,000 Machines Down
• The worm didn't alter or destroy files
• The worm didn't save or transmit the passwords which it cracked
• The worm didn't make special attempts to gain root or superuser access in a
system (and didn't utilize the privileges if it managed to get them)
• The worm didn't place copies of itself or other programs into memory to be
executed at a later time. (Such programs are commonly referred to as
timebombs)
• The worm didn't attack machines other than Sun 3 systems and VAX computers
running 4 BSD Unix (or equivalent)
• The worm didn't attack machines that weren’t attached to the internet
• The worm didn't travel from machine to machine via disk
• The worm didn't cause physical damage to computer systems



How it Did Take 10% of the Net Down
• Utilized a variety of Unix security holes
• Sendmail remote debug
• Allowed the worm to execute remote commands on the
system
• Obtained user lists
• Ran dictionary attack of 432 “common” passwords on user
lists
• Most passwords today are as insecure as they were in 1988


How the First Worm Changed System
Administration
• File access should be limited (the worm could open the encrypted
password file)
• Networks should use a conglomerate of OSes
• e.g. a UNIX virus won’t infect a Win2k server
• Brought about forums of geeks (us) for sharing research
• Beware of reflexes! Many sysadmins shut down sendmail to stop the
worm, which only delayed the information on how to patch and fix it
• Logs are monotonous but are extremely useful in troubleshooting


Six Components of Worms

• Reconnaissance
• Specific Attacks
• Command Interface
• Communication Mechanisms
• Intelligence Capabilities
• Unused and Non-attack Capabilities



Specific Attacks
• Exploits
• buffer overflows (a buffer overflow attack typically involves overwriting past the bounds of
a buffer; most buffer overflows are caused by the combination of manipulating memory and
mistaken assumptions about the composition or size of data)
• cgi-bin (a cgi-bin is a folder used to house scripts that interact with a Web browser to
provide functionality for a Web page or website; Common Gateway Interface (CGI) is a
resource for accommodating the use of scripts in Web design), etc.
• Trojan horse injections
• Limited in targets
• Two components
• local, remote
Communications

• Information transfer
• Protocols
• Stealth concerns



UNIX Worms

• Ramen Worm (01/2001)
• Lion Worm (02/2001)
• Adore Worm (04/2001)
• Cheese Worm (05/2001)
• Sadmind Worm (05/2001)
• Scalper Worm (07/2002)
• Slapper Worm (09/2002)
Worm Propagation

• Central Source Propagation
• This type of propagation involves a central location: after a computer is
infected, it locates a source from which it can fetch code to copy into the
compromised computer; once the current computer is infected, it finds the
next computer and everything starts over again. An example of this kind of
worm is the 1i0n worm.


Worm Propagation

• Back-Chaining Propagation
• The Cheese worm is an example of this type of
propagation where the attacking computer initiates a file
transfer to the victim computer. After initiation, the
attacking computer can then send files and any payload
over to the victim without intervention. Then the victim
becomes the attacking computer in the next cycle with a
new victim. This method of propagation is more reliable
than central source because central source data can be cut
off.
Worm Propagation

• Autonomous Propagation
• Autonomous worms attack the victim computer and
insert the attack instructions directly into the processing
space of the victim computer which results in the next
attack cycle to initiate without any additional file
transfer. Code Red is an example of this type of worm.
The original Morris worm of 1988 was of this nature as
well.



Windows Worms

• Code Red
• Nimda



Windows Worms

• Code Red infected over 250,000 systems in 9 hours on July 19, 2001.
• NIMDA and Code Red worms cost business 3 - 4 billion dollars.


The Future of Worms

• Client and Server-Side Flaws
• Buffer overflows
• Format string attacks
• Design flaws
• Open shares
• Misconfigurations


Current Limitations

• Limited capabilities
• Growth and traffic patterns
• Network structure
• Intelligence Database



The Future of Worms

Encryption/Obfuscation/Polymorphism

• Standard Polymorphic/Mutation Techniques
• Worms meet viruses
• Continuously changing itself
• Brute forcing new offsets
• Adapting to the environment to become “more fit”
The Future of Worms

“Andy Warhol”

• Flash Worms
• Faster, more accurate spread
• Complete spread of all possible targets in 5-20 minutes
• Very low false positive rate
• Too fast to analyze/disseminate information
The Future of Worms

Intelligent Worms

• Worms meet AI
• Worm infected hosts communicating in a p2p method
• Exchanging information on targeting, propagation, or
new infection methods
• Agent-like behavior
The Future of Worms

Intelligent Worms

• Intelligence Database
• Knowledge of other nodes
• Concrete vs. abstract
• Complete vs. incomplete



The Future of Worms

Bigger Scope

• Multi-Platform / OS Worms
• Multi-OS shell code
• Attacking multiple different vulnerabilities on multiple
platforms
• Single worm code, large attackable base
Other Malware



Other types of virus

Bacteria
• Bacteria, also known as rabbits, are programs
that do not directly damage the system. Instead
they replicate themselves until they
monopolize CPU, memory or disk space. This
constitutes a denial of service attack.



Bombs
• A bomb is actually a type of Trojan horse that can
be used to release a virus or bacteria. Bombs work
by causing an unauthorized action at a specified
date, time or when a particular condition occurs.
There are two types of bombs; logic and time.
Logic bombs are set to go off when a particular
event occurs. Time bombs go off at a specified
time, date or after a set amount of time elapses.



Salami

• Salamis cut away tiny pieces of data. They can be particularly dangerous as the damage
they do is small and can be attributed to some truncation of the system. It is possible
for a salami to do a great deal of damage before it is found.


HOW DO VIRUSES ACTIVATE?
• We are always afraid that viruses do something harmful to files
when they get active, but not all viruses activate. Some viruses
just spread out, but when viruses activate they do very different
things: they might play part of a melody or play music in the background,
show a picture or animated picture, show text, format the hard disk or
make changes to files.
• As an example, in one unnamed company, over a long period of
time, the files on a server were corrupted just a bit. So backup copies
were taken of the corrupted files, and after they noticed that
something was wrong, it was too late to get the data back from the
backups. That kind of event is the worst that can happen for the users.


CONCLUSION
• There are lots of viruses in the world and new viruses are coming up every day. There
are new anti-virus programs and techniques developed too. It is good to be aware of
viruses and other malware, and it is cheaper to protect your environment from them
than to be sorry.
• There might be a virus in your computer if it starts acting differently. There is no
reason to panic if a computer virus is found.
• It is good to be a little suspicious of malware when you surf the Internet and
download files. Some files that look interesting might hide malware.
• A computer virus is a program that reproduces itself, and its mission is to spread out.
Most viruses are harmless, and some viruses might cause random damage to data files.
• A trojan horse is not a virus because it doesn't reproduce. Trojan horses are usually
disguised so that they look interesting. There are trojan horses that steal passwords and
format hard disks.

