
Chapter 6 Viruses and Malicious Code

Upload: ambrose-park

Post on 18-Dec-2015


Page 1: Chapter 6

Viruses and Malicious Code

Page 2: Introduction

• Viruses are primarily spread over the internet through a variety of mechanisms including:
– e-mail, attachments, downloadable files, web pages, newsgroups, peer-to-peer file transfers, instant messaging, digital pictures, and several other techniques and tactics

Page 3: Federal Survey

• 85% of commercial users experienced some type of security breach in the prior year.

• An additional 35% of the respondents claimed over $375,000,000 million dollars in losses to hackers and viruses.

• An average virus outbreak took approximately 20 person-days or less to recover from and cost the company between $10,000 (median) and $120,000 (average) in estimated direct costs.

Page 4: Experts

• Most people who claim to speak with authority about computer viruses have little or no genuine expertise.

• Some virus experts describe it as “False Authority Syndrome” – the person feels competent to discuss viruses because of his job title, or because of his expertise in another computer field, or simply because he knows how to use a computer.

Page 5: Introduction

• Legend: experts around the world believe the ILoveYou virus in May 2000 caused $2.7 billion, $4.7 billion, $6.7 billion, or $8.7 billion in damages.

• Fallout: the antivirus industry can cite yet another plausible-sounding estimate.

Page 6: Viruses and Malicious Code

• Viruses in the wild are those that are spreading as a result of normal day-to-day operations on and between the computers of unsuspecting users.

• Two or more virus experts must report problems with the virus for it to be recognized as a virus in the wild.

• There are currently 303 viruses in the wild.

Page 7: Viruses and Malicious Code

• The virus is executed by some type of payload trigger which causes the virus or malicious code to deliver its contents or execute its commands.

• The trigger can be something the user does:
– opening an e-mail attachment or
– downloading a file;
– it can be triggered by a date or condition on a computer;
– it can self-execute based on code written into the virus program.

Page 8: Virus Construction Tools

• The development of virus construction tools by virus writers allows a larger number of less sophisticated computer users to write and create viruses.

• A virus construction set is a utility program intended for creating new computer viruses.

• Virus construction sets allow generation of the source code of viruses, object modules, and/or infected files themselves.

Page 9: Viruses and Malicious Code

• Another tool developed by virus writers known as a mutation engine allows viruses to change their code each time they infect a new machine.

• Known as a polymorphic virus or malicious code, these programs do not have any constant section of code.

Page 10: Viruses and Malicious Code

• One area of interest is termed the TSR (terminate and stay resident) capability of the virus.

• This essentially means that the virus is able to leave itself in system memory, intercept some events, and in the process run infecting routines on files and sectors of the disk.

Page 11: Viruses and Malicious Code

• Another feature of the operating algorithm of a virus is the use of stealth algorithms.

• Stealth allows the virus to remain hidden on a system and cover its tracks during and after the infection process.

• Another feature is the use of self-encryption and polymorphism.

• Polymorphic viruses are exceedingly difficult to detect and they have no permanent signatures: none of their code fragments remain unchanged.
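The slide's point is that a fixed byte signature has nothing to match once no code fragment stays constant. The following Python is an added example (not part of the chapter, and not any vendor's scanner) of the defender's side: a plain signature scan beside the Shannon-entropy heuristic that scanners use to flag bodies that look encrypted or packed. The signature table, the sample buffers and the 7.2 bits/byte threshold are all constructed for the demonstration; the "encrypted" sample is just deterministic pseudo-random bytes standing in for a self-encrypting body.

```python
import math
import random
from collections import Counter

# Constructed signature table: name -> byte pattern. These are made-up demo
# patterns for this example, not real antivirus signatures.
SIGNATURES = {
    "demo.dropper.a": b"MZ\x90\x00DEMO_DROPPER",
}


def find_signatures(data: bytes, signatures: dict = SIGNATURES) -> list:
    """Classic static scan: report every fixed byte pattern found in the sample."""
    return [name for name, pattern in signatures.items() if pattern in data]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess(data: bytes, entropy_threshold: float = 7.2) -> dict:
    """Combine the two checks. A signature hit is conclusive. Otherwise a body that is
    almost uniformly random is flagged for closer analysis (possible encrypted or packed
    code), because a fixed signature cannot match code that never repeats itself."""
    matches = find_signatures(data)
    entropy = shannon_entropy(data)
    if matches:
        verdict = "signature"
    elif entropy >= entropy_threshold:
        verdict = "suspicious-high-entropy"
    else:
        verdict = "clean"
    return {"signature_matches": matches, "entropy": round(entropy, 2), "verdict": verdict}


# Constructed samples for the demonstration (no real malware involved).
# 1) an unchanged sample that still carries the demo pattern
PLAIN_SAMPLE = b"MZ\x90\x00DEMO_DROPPER" + b"This program cannot be run in DOS mode.\r\n" * 20
# 2) a stand-in for a self-encrypting body: deterministic pseudo-random bytes, which
#    contain no fixed pattern a signature could key on
_rng = random.Random(2024)
ENCRYPTED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))
# 3) ordinary text: neither a signature hit nor high entropy
BENIGN_TEXT = b"The quick brown fox jumps over the lazy dog. " * 100


if __name__ == "__main__":
    for label, sample in [("plain", PLAIN_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE), ("text", BENIGN_TEXT)]:
        print(label, assess(sample))
```

The entropy check is only a triage signal: compressed archives and media files are also high-entropy, so in practice the verdict feeds a sandbox or analyst queue rather than a block decision.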

Page 12: History and Development

• Several things combined to aid the spread of viruses:
– Rapid growth of the internet
– Rapid growth and availability of personal computers
– Availability of the polymorphic engine
– Availability of virus creation tools that first hit in July of 1992

Page 13: History and Development

• The main problem with trying to give the exact definition of a virus is that virtually all the unique features of a virus – such as stealth behavior, potential danger, and potential for spread – may be found in other nonvirus programs.

• A second difficulty is that viruses are operating-system and software-system specific.

Page 14: Viruses

• Other types of malicious code include worms, Trojan horses, adware or spyware, logic bombs, denial of service attacks, and blended threats.

• Viruses operate in four primary environments:
– File viruses
– Boot viruses
– Macro viruses
– Network viruses

Page 15: Viruses

• File viruses use a particular operating system to propagate, and they can infect virtually any type of executable file.

• Boot viruses attack either the boot sector of the system, the master boot record, or change the system pointer to an active boot sector.
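A boot virus that rewrites the master boot record changes one of exactly three things: the 446 bytes of bootstrap code, the four 16-byte partition entries, or the 0x55AA signature. The Python below is an added example (not from the chapter) of the integrity check a defender runs: parse the first sector, hash the bootstrap code, decode the partition table, and compare against a baseline taken when the system was known to be clean. The sector layout and entry format are the standard MBR layout; the bootstrap bytes, partition values and the tampered copies are constructed for the demonstration.

```python
import hashlib
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # 446 bytes of bootstrap code come first
PARTITION_ENTRY_SIZE = 16         # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"      # last two bytes of a valid MBR
ENTRY_FORMAT = "<B3xB3xII"        # status, (CHS start), type, (CHS end), LBA start, sector count


def parse_partition_entry(entry: bytes) -> dict:
    status, ptype, lba_start, sectors = struct.unpack(ENTRY_FORMAT, entry)
    return {"bootable": status == 0x80, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into a bootstrap hash, the partition table and a signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    bootstrap = sector[:PARTITION_TABLE_OFFSET]
    entries = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entry = parse_partition_entry(sector[start:start + PARTITION_ENTRY_SIZE])
        if entry["type"] != 0:            # type 0 marks an unused slot
            entries.append(entry)
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootstrap_sha256": hashlib.sha256(bootstrap).hexdigest(),
        "partitions": entries,
    }


def check_against_baseline(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR with a known-good parse and return human-readable findings."""
    current = parse_mbr(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if current["bootstrap_sha256"] != baseline["bootstrap_sha256"]:
        findings.append("bootstrap code changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def build_mbr(bootstrap: bytes, entries: list) -> bytes:
    """Assemble a sector from bootstrap bytes and packed partition entries (demo helper)."""
    table = b"".join(entries).ljust(4 * PARTITION_ENTRY_SIZE, b"\x00")
    code = bootstrap.ljust(PARTITION_TABLE_OFFSET, b"\x00")[:PARTITION_TABLE_OFFSET]
    return code + table + BOOT_SIGNATURE


# Constructed baseline: made-up bootstrap bytes and one active type-0x07 partition at LBA 2048.
GOOD_BOOTSTRAP = b"\xeb\x3c\x90DEMO-BOOTSTRAP" * 30
GOOD_ENTRY = struct.pack(ENTRY_FORMAT, 0x80, 0x07, 2048, 204800)
GOOD_MBR = build_mbr(GOOD_BOOTSTRAP, [GOOD_ENTRY])
BASELINE = parse_mbr(GOOD_MBR)

# Constructed tampered copies: overwritten bootstrap code, and a redirected start sector
# (the "changed pointer" case from the slide).
TAMPERED_BOOTSTRAP = build_mbr(b"\xeb\x3c\x90TAMPERED" + GOOD_BOOTSTRAP[11:], [GOOD_ENTRY])
TAMPERED_TABLE = build_mbr(GOOD_BOOTSTRAP, [struct.pack(ENTRY_FORMAT, 0x80, 0x07, 63, 204800)])


if __name__ == "__main__":
    for label, sector in [("good", GOOD_MBR), ("bootstrap", TAMPERED_BOOTSTRAP), ("table", TAMPERED_TABLE)]:
        print(label, check_against_baseline(sector, BASELINE) or ["no change"])
```

On a live system the 512 bytes come from the raw disk device (which needs administrator rights) and the baseline is stored off-host, since a virus resident in memory could otherwise serve a clean-looking copy of the sector it has already replaced.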

Page 16: Viruses

• Macro viruses are most commonly associated with common business software and infect documents, spreadsheets, databases, and presentation files. Macro viruses transfer themselves from one infected file to another within a given system and cross over to other systems.

• Network viruses attack the networks themselves or e-mail systems of the networks in order to spread themselves.
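Macro viruses live in the VBA project a document carries, so the first triage question for an incoming office file is simply whether it has one. The Python below is an added example (not from the chapter) of that check for the zip-based Office Open XML formats: look for a `vbaProject.bin` part and for the VBA content type declared in `[Content_Types].xml`. The in-memory sample documents are constructed for the demonstration and contain no real VBA; the legacy binary (.doc/.xls) container is only recognised by its magic bytes and handed off, since reading its macro streams needs an OLE parser this example does not include.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office (.doc/.xls) container
ZIP_MAGIC = b"PK\x03\x04"                           # Office Open XML (.docx/.docm/.xlsm/...) is a zip
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def triage_office_file(data: bytes) -> dict:
    """Report whether an Office document carries a VBA project (the place macros live)."""
    if data.startswith(OLE_MAGIC):
        # Legacy format: macro streams need an OLE parser, so just route it for deeper inspection.
        return {"container": "ole", "vba_parts": [], "verdict": "legacy-ole-inspect-further"}
    if not data.startswith(ZIP_MAGIC):
        return {"container": "unknown", "vba_parts": [], "verdict": "not-an-office-file"}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # word/, xl/ and ppt/ documents all store the project under this name
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        content_types = zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
    declared = VBA_CONTENT_TYPE in content_types
    verdict = "macro-enabled" if (vba_parts or declared) else "no-macros"
    return {"container": "ooxml", "vba_parts": vba_parts, "verdict": verdict}


def build_sample(entries: dict) -> bytes:
    """Constructed in-memory zip standing in for a saved Office document (demo helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a plain document and a macro-enabled one with a placeholder VBA part.
PLAIN_DOCX = build_sample({
    "[Content_Types].xml": b'<Types><Override PartName="/word/document.xml" '
                           b'ContentType="application/vnd.openxmlformats-officedocument'
                           b'.wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": b"<w:document/>",
})
MACRO_DOCM = build_sample({
    "[Content_Types].xml": b'<Types><Override PartName="/word/vbaProject.bin" '
                           b'ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"constructed placeholder, not a real VBA project",
})
LEGACY_DOC = OLE_MAGIC + b"\x00" * 504


if __name__ == "__main__":
    for label, sample in [("docx", PLAIN_DOCX), ("docm", MACRO_DOCM), ("doc", LEGACY_DOC)]:
        print(label, triage_office_file(sample))
```

The file extension is deliberately ignored: a renamed .docm is still a zip with a VBA part, and the check reads the container rather than the name.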

Page 17: Worms

• The worm is a stand-alone piece of code; although it may need to use another program to spread, it does not change that program in any way.

• They penetrate the computer’s memory from a computer network, calculate network addresses of other computers and send their own copies to these addresses.

Page 18: Worms

• A worm is a self-propagating malicious code program that does not necessarily require user intervention to spread.

• A worm self-propagates and infects systems in a very short period of time. The Code Red worm infected more than 250,000 systems in just nine hours on July 19, 2001.

Page 19: Trojan Horses

• A Trojan horse is commonly an unauthorized program contained within a legitimate program that performs functions unknown (and probably unwanted) by the user.

• Just like the Trojan horse of history, there is a hidden purpose and a program concealed within the desirable file.

Page 20: Trojan Horses

• Trojan horses can be viruses or remote control programs that provide complete access to a victim’s computer.

• If a certain type of Trojan horse is installed and initialized on a system, that computer is now completely open to anyone who knows to connect to it using the Trojan horse as a server.

• Trojans use auto-starting methods, so even when you shut down your computer they’re able to restart and give the attacker access.

Page 21: Trojan Horses

• Several types of Trojan horses:
– Remote Access Trojans
  • The most common
– Password-Sending Trojans
  • Steal all of the cached passwords
– Keyloggers
  • Log the keystrokes of the victim
– Destructive
  • Destroy and delete files

Page 22: Trojan Horses

– Denial of Service Attack Trojans
  • Start attacking the secondary victim simultaneously; this will generate a great deal of traffic and access to the internet will be shut down
– Proxy/Wingate Trojans
  • Turn the victim’s computer into a proxy/wingate server available to the whole world or to the attacker only
– Software Detection Killers
  • Kill ZoneAlarm, Norton Antivirus, and many other popular anti-virus/firewall programs

Page 23: Adware and Spyware

• Programs that can be contained in e-mail attachments, downloaded as part of another software program, or downloaded from a Web site.

• Adware is a type of program that is a nuisance to the user and manifests itself in several ways, including changes to the browser, redirecting startup pages in the internet browser, replacing the search function within the browser, and generating pop-up ads.

Page 24: Adware and Spyware

• Spyware typically takes advantage of the fact that many software users do not read the end user license agreement.

• They would see legal disclaimers and permissions to share information and install the spyware

• There is now spyware killer software available.

Page 25: Denial of Service Attacks

• A denial of service attack uses multiple systems to attack one or more victim systems or Web sites with the intent of denying service to legitimate users wishing to log on or utilize the attacked server.
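Because the slide's attack comes from multiple systems, watching for one noisy client is not enough: the distributed case shows up as many clients, each behaving almost normally, whose combined rate is what exhausts the server. The Python below is an added example (not from the chapter) of the detection logic run over web-server access logs in common log format. It buckets requests into fixed windows and raises a per-source alert for a single flooding host and a total-rate alert for the distributed pattern. The log lines, the window size and both thresholds are constructed for the demonstration and use documentation address ranges; real thresholds are derived from a site's own baseline.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "common log format" line: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str):
    """Return {ip, ts, status} for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "status": int(m["status"])}


def detect_floods(lines, window_seconds=10, per_source_limit=20, total_limit=100):
    """Bucket requests into fixed time windows and raise two kinds of alert:
    one client above the per-source limit (a single flooding host), or many clients
    whose combined count exceeds the total limit although no single one stands out
    (the multi-system pattern the slide describes)."""
    buckets = defaultdict(Counter)
    for event in filter(None, map(parse_line, lines)):
        window = int(event["ts"].timestamp()) // window_seconds
        buckets[window][event["ip"]] += 1
    alerts = []
    for window, per_ip in sorted(buckets.items()):
        total = sum(per_ip.values())
        noisy = sorted(ip for ip, n in per_ip.items() if n > per_source_limit)
        if noisy:
            alerts.append({"window": window, "kind": "single-source-flood", "sources": noisy, "total": total})
        if total > total_limit:
            alerts.append({"window": window, "kind": "distributed-flood", "sources": len(per_ip), "total": total})
    return alerts


def make_line(ip: str, ts: datetime) -> str:
    """Constructed log line in common log format (sample data, not a real capture)."""
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET /index.html HTTP/1.0" 200 1234'


# Constructed sample log. T0 is an arbitrary reference time for the demo.
T0 = datetime(2001, 7, 19, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = []
# window 0: normal traffic, five clients with three requests each
for i in range(5):
    for j in range(3):
        SAMPLE_LOG.append(make_line(f"198.51.100.{i + 1}", T0 + timedelta(seconds=j * 3)))
# window 2: sixty distinct sources, three requests each; none is individually noisy
for i in range(60):
    for j in range(3):
        SAMPLE_LOG.append(make_line(f"192.0.2.{i + 1}", T0 + timedelta(seconds=20 + j * 3)))
# window 4: one source sends thirty requests
for j in range(30):
    SAMPLE_LOG.append(make_line("203.0.113.7", T0 + timedelta(seconds=40 + j % 10)))
SAMPLE_LOG.append("not a log line")   # malformed input is skipped, not fatal


if __name__ == "__main__":
    for alert in detect_floods(SAMPLE_LOG):
        print(alert)
```

The per-source alert is the one a simple rate limiter can act on directly; the distributed alert usually cannot be answered by blocking addresses and instead triggers upstream filtering or capacity measures, which is why the two are reported separately.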

Page 26: Blended Threats

• Blended threats combine the characteristics of viruses, worms, Trojan horses, and malicious code with server and internet vulnerabilities to initiate, transmit, and spread an attack.

Page 27: Extent of Viruses and Malicious Code Attacks

• The number of known viruses surpassed 70,000 in January 2002.