computer virus: “a program that can infect other programs by modifying them to include a version...
Computer Virus: “A program that can infect other programs by modifying them to include a version of itself” -- Dr Fred Cohen
Compare to an office clerk making two copies of a piece of paper.
30 seconds to copy
30 seconds to pass on
In one hour = 1 x 10^18 copies
Computer Virus
• Small piece of software that piggybacks on real programs
• Passes from computer to computer by producing copies of itself
• Have been around since 1986
• When it is running in the memory it looks for programs to add itself to
Executable and boot sector viruses decline
• Infect boot sector
• Not as easy now as most programs come on a CD
• Programs larger
• Operating systems better
Who Creates Viruses?
• Students and school children who have recently studied an assembly language
• Young people who feel the need to feel superior
• Professional programmers: maybe inferiority complex or unstable
• Explorers - quick-witted programmers who wish to “explore”
© 2004 By Default http://www.powerpointbackgrounds.com
Brain Virus
The Brain Virus
• First PC virus
• Written in Pakistan
• Infected the boot sector of 360K floppy disks
• “Stealth” virus
• Tries to get into RAM, sticks to files and sectors, erases files and disks
Other viruses
• 1987 Lehigh virus: “Memory resident file infector”
• 1988 Jerusalem Virus: also memory resident and reinfected already infected files
• 1988: first anti-virus virus was written
• 1988 Cascade virus, first encrypted virus
And more viruses
• Polymorphism - encrypted viruses where the decryption routine code is variable
• Armoring - used to prevent anti-virus researchers from disassembling a virus
• Multipartite - infects both programs and boot sectors.
Email Viruses
• Moves around in an email message
• Replicates itself automatically
Worms
Worms
• Program that has the ability to copy itself from machine to machine.
• Small piece of software that uses computer networks and security holes to replicate itself
• Copies itself to other computers that have the same specific security hole
2001 Code Red Worm
• Slowed down the internet
• The worm scanned for Windows NT or Windows 2000 systems that didn’t have the security patch installed.
• Copied itself to that server and scanned again
Code Red Designed to:
• Replicate itself the first 20 days of each month
• Replace Web pages on infected servers with the page “Hacked by Chinese”
• Overwhelm the White House Server
How does Code Red Work
• Unpatched systems had a “buffer overflow” which allowed embedded code to run.
• It created a sequence of random IP addresses to find other servers.
• It inspected the clock, waited for the appointed time, and sent 100 connections to www.whitehouse.gov
Morris: Internet Worm
• Infected more than 6000 computer systems, including NASA research
• Used errors in operating systems to propagate.
• Total losses were 96 million dollars
Trojan Horse Virus
Trojan Horses
• A computer program
• Claims to do one thing, but does damage when you run it (could erase your hard drive)
• They do not replicate automatically
1989 Trojan Horse: AIDS
• 20000 copies of diskettes shipped marked “AIDS Information Diskette v2”
• After 90 boot-ups it encrypted all the filenames on your HD, making them invisible and left one file: Send $189 to…
Virus Hoaxes
• 1988 Mike RoChenle uploaded a message to BBS systems describing a virus that spread on 2400 baud connections. Many users switched to 1200 baud.
• Other hoaxes: Goodtimes, Aol4Free
1990 DiskKiller Virus
• PC Today (GB version) shipped diskette with magazine that was infected with DiskKiller
• Over 50000 copies were sold
• Who is responsible here?
1992 Michelangelo Virus
• Anti-virus companies made a big deal of this virus, bringing it into the news
• One US anti-virus company announced on March 6 data on over 5 million computers will be destroyed
• Reality: about 10000 computers infected
Other Key Dates
• 1992: First Windows Virus released
• 1994: Virus gets on master disk of CD when preparing a batch of CDs - can only destroy the CDs.
• 1994: “OneHalf” a popular Russian virus
Latest Viruses
• W32.Zafi.B.Iworm
• W32.Sasser.A.Worm
And so it continues
• 1995: Concept virus for Word
• 1996: Windows95 virus
• 1996: Excel/Word virus that was based on Macros (Basic programs)
• 1997: Office 97 Viruses
• 1997: Homer, first network worm virus using FTP
• 1998 “Red Team” virus infects Windows EXE-files and sends infected files through email.
• 2000: I love you virus, when opened, sent to everyone in your address book.
Protect Yourself against Viruses
• Run secure OS like UNIX or use virus protection software
• Never run macros unless you know their source.
• Never run executable attachments
• Show extensions
• Backup
Why do we have viruses?
• Psychology that drives vandals
• The thrill of watching things blow up
• Bragging rights
• Started when PCs were common, then had BBS, then floppy disk, then Internet.
[Diagram slide with labels: Attachments, Virus Protection, Scanning, Backup, Show Extensions, Worms, Latest Version, Integrity Checking, Interception, Source?, Downloads, Email, Trojan Horses]
Scanning
• Scanning: looks for known viruses by characteristics similar to existing viruses or signature recognition
• Dangerous to depend on old software
• False alarms
• Needs a clean boot
Integrity Checking
• Record information about your system to check against later
• Compares your system to the “base” information to detect changes
Interception
• Pop up warnings when a request is made to install itself as a resident program
• Useful for simple logic bombs and Trojan horses