Computer Viruses, Trojans and Worms

Upload: kevinsteel

Post on 30-May-2018


  • 8/14/2019 Computer Viruses, Trojans and Worms

    1/26

    Computer Viruses, Trojans and Worms

    Malware definitions
    Malware payloads in general
    Network worms
    Virus propagation methods
    Virus detection avoidance approaches
    Platform vulnerability and virus resistance
    Malware detection and removal
    Other countermeasures
    Can a virus ever be good?
    Further Reading


    Malware definitions: virus

    Malware can be classified based on whether and how it replicates and spreads.

    A computer virus is a program which runs when a program it attaches itself to is run. When the virus code is run, it will (sometimes or always) try to find another program to infect. When the virus copies or attaches itself to another program in such a manner that when the other program is run the virus code is also run, the other program is considered to be infected.


    Malware definitions: worm

    A network worm is a kind of virus which propagates using computer networks. These might directly exploit a vulnerability in software running on computers which have network connections, to cause themselves to be installed and run on the vulnerable computer.

    Alternatively, end users may be tricked into running the worm program when they receive it via a network, e.g. by double clicking on an executable file attached to an email.


    Malware definitions: trojan

    A trojan is a program which a user or administrator installs on a computer because they are misled into thinking it only performs wanted functionality, when in addition the program contains hidden functionality which the user does not want.

    The term "trojan" might also apply to "adware" or "spyware" software which is installed from a remote website, as part of the normal functioning of a poorly designed web browser, without the end user's consent or knowledge.


    Malware payloads in general 1

    Regardless of how malware propagates, it can be programmed to do anything which the security context the platform it infects allows it to do. Some examples:

    Keylogging. This privacy invasion requires low-level access to the keyboard device driver and the ability to send information back to base.

    Timebomb. This causes actions to occur when the system clock reaches a programmed date and time.


    Malware payloads in general 2

    Logicbomb. If files with particular content are found or other events are detected, a destructive action might be programmed, e.g. formatting a disk or other storage device.

    Prank. A virus might be programmed to display messages or cause other effects its author thinks are amusing. Even a virus programmed just to replicate can take up memory and cause a system to slow or crash.


    Network worms

    A worm might open network connections and infect a vulnerable target computer directly, as with the Morris worm, which infected an estimated 6,000 of the 60,000 Internet hosts in Nov 1988. Other worms spread, as with a virus, via the use of a host file, which needs to be transferred as part of the network worm. More recent worms have included Mydoom and Storm, which were used to install large botnets used for distributed denial of service (DDoS) and spam attacks.


    Virus propagation methods 1

    Boot sector viruses infect the boot sector of the boot disk of a computer operating system. These became widespread when it was common for computer users accidentally to leave a floppy disk in the drive and the computer BIOS was configured to boot from the floppy by default. These viruses would transfer via the hard disk to all writeable floppies inserted into the infected computer. This mechanism was defeated when administrators changed the BIOS settings, and became less likely when floppies were less frequently used.

    This infection vector could return to prominence if flash USB drives become routinely used by users to carry an operating system together with applications, custom configurations and data between physical machines.


    Virus propagation methods 2

    Non-resident viruses infect application files and are run when the application runs. Typically the virus is prepended to the application source code for an interpreted application, or to its executable code for a compiled application. Alternatively the virus code might be appended, with a vector to itself added at the start of the program.

    When the virus part of the code runs it will search for another suitable file to infect. Once the virus code completes it hands control on to the infected host file. A non-resident virus can be trivial to code (see the next slide for an example), but such a 'virus' is extremely unlikely to spread.


    Virus propagation methods 3

    This source code for a shell script virus shows how easy it is to create one.

    This one would not be able to cause harm for various reasons.


    Virus propagation methods 4

    Resident viruses install themselves into memory when they run. Having done this they hand over control to the host application. This kind of virus will be programmed to intercept normal system operations, e.g. opening a file or device, or the use of an interrupt or system call.

    When the intercepted operation runs, the virus executes and might then find another suitable infection target or run a payload. When the virus has run it will hand control over to the normal function of the intercepted operation.


    Virus propagation methods 5

    Fast infector viruses are programmed to spread as rapidly as possible to reduce the risk of the virus being wiped out once introduced into the wild. However, a fast infector is more likely to cause changes in the behaviour of the infected system, so is more likely to be detected.

    Slow infector viruses are designed to find other targets to infect infrequently. By spreading slowly this kind of virus is less likely to be detected.


    Virus propagation methods 6

    Companion viruses do not modify the infection target directly but are stored in a separate file. E.g. if a user inputs the command 'format', a file called format.com will execute before a file called format.exe. Format.com is the virus, which, when it has run, will run format.exe, the host application, passing on all its arguments.


    Virus propagation methods 7

    Macro viruses use the macro programming languages which are embedded within popular applications, e.g. Word and Excel. This kind of virus became widespread in the 1990s. The threat from this kind of virus has probably been reduced following the additional prompts shown when a document containing macros is opened in Word or Excel.


    Virus propagation methods 8

    Cross Site Scripting (XSS) viruses exploit a combination of vulnerabilities present in both web server applications and web browsers. These will typically need to be coded in 2 parts, one part being the server code (e.g. using PHP) which propagates from the infected browser to the vulnerable servers, and the other part which runs in the browser (e.g. using JavaScript).


    Virus detection avoidance 1

    Virus programmers and antivirus software developers have been engaged in an arms race ever since viruses became widespread and antivirus software was first marketed in the late 1980s.

    Since then we have seen:

    Stealth viruses - viruses which trap interrupts to open a file and cause any application that reads the file containing them to see only the uninfected file.


    Virus detection avoidance 2

    Polymorphic and metamorphic viruses - viruses which modify their code every time they infect another target, so they can only be detected using heuristic measures rather than static code signatures.

    Disabling anti-virus software. If a virus detects the presence of a known anti-virus program on a system it infects, it will modify the anti-virus software to disable components of it, e.g. the part of the antivirus program which can detect whether it has itself been modified or whether its virus signature file has been changed.


    Virus detection avoidance 3

    Avoidance of bait files. A virus might be programmed to avoid infecting program files considered likely to be bait (e.g. because they are small), placed as part of an advanced antivirus detection program to see if a virus is at work.

    Leaving access times and file sizes unchanged. A virus may be small enough to fit into the end of a sector after a file. E.g. a filesystem may have effective file sizes of multiples of 1024 bytes, which corresponds to the size of a disk sector. A small virus might restrict its infection targets to files which do not need to add another sector to their size. Some program files have gaps in them large enough for a virus to fit inside.


    Virus detection avoidance 4

    Self-encrypting viruses take the metamorphic approach to the extreme of the virus encrypting itself using a variable key. However, enough of the virus has to remain unencrypted for it to be able to decrypt itself when it is executed, which keeps a heuristic antivirus approach feasible.


    Platform vulnerability to viruses 1

    It has been argued that viruses are reported to infect Windows PCs much more frequently than Linux or Macs because more people use Windows. But Windows had many viruses when this system had fewer users in the early 1990s than now use Macs or Linux. Others claim that the Unix design foundation of both Linux and Mac platforms is inherently more secure.

    Linux isn't a single platform but has many slightly different distributions. One reason why fewer viruses are reported on Linux could be that virus writers find the differences between Linux distributions make writing viruses that work on many of them harder. A similar advantage concerning infection resistance is gained by a genetically diverse food crop compared to a monocrop of a cloned plant.


    Platform vulnerability to viruses 2

    Other points of interest in this debate concern the levels of security knowledge of typical users of various platforms, and the ease with which end users can install applications independently of the means provided by the platform developers to verify application compatibility and integrity.

    Different defaults are provided in connection with privileged actions carried out by end users. It is also likely to be easier for Windows users to install a wider variety of stand-alone PC software than currently comes supported through the package repositories of the most popular Linux distributions, though Linux might have more server and embedded applications.


    Malware detection and removal 1

    The most popular approach to this requirement is to install an antivirus program and to keep it current. As new viruses are detected on a daily basis, the signatures and heuristic methods need to be updated very regularly. For this reason, modern antivirus programs generally include facilities to update themselves automatically over a network connection whenever new virus signatures and heuristics become available.


    Malware detection and removal 2

    Platforms which are not themselves thought to be vulnerable to viruses but which are used to distribute content potentially including viruses, e.g. via email between Windows users, must also scan for viruses to avoid becoming part of this problem.

    But the number of known virus signatures continues to increase. So even using the Clam-av antivirus package, which is open source and freely installable, growing memory demands are making this job increasingly expensive. The next slide shows how many virus signatures exist and how much memory these occupy as of November 2008.


    Malware detection and removal 3

    Number of virus signatures: 437972

    freshclam daemon 0.94 (OS: linux-gnu, ARCH: i386, CPU: i486)
    ClamAV update process started at Fri Nov 7 18:24:28 2008
    main.cld is up to date (version: 49, sigs: 437972, f-level: 35, builder: sven)

    Demand of anti-virus on memory: 50.9%

    PID USER PR NI VIRT RES S %CPU %MEM COMMAND
    20782 clamav 20 0 126m 72m S 0.0 50.9 clamav-milter


    Other countermeasures

    One approach involves stopping a system from running and mounting its hard disk using another operating system, booted using trusted media. Tools can be run on the trusted system to detect suspicious changes to files on the system being scanned.

    This is considered more reliable than running antivirus software directly on the system, which might have been compromised and where the results of the antivirus scan may also have been compromised by an unknown virus.

    The trusted scanning system might also store a set of hash signatures or checksums of files which the virus might modify, and test whether any executables or registry tables have been modified.
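    As an added example (not from the slides), a minimal version in Python of the offline integrity check this slide describes: it baselines a directory tree with SHA-256 from the trusted system, then reports files modified, added or missing, catching an in-place change that leaves the file size unchanged (the evasion from the detection avoidance slides) and a companion format.com dropped beside format.exe. The directory layout, file names and contents in demo() are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example, not from the slides: an offline integrity check. The baseline is
# taken from a trusted boot; a later scan re-hashes the suspect tree and diffs it.

def hash_file(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map relative POSIX path -> (sha256, size) for every regular file under root."""
    return {p.relative_to(root).as_posix(): (hash_file(p), p.stat().st_size)
            for p in root.rglob("*") if p.is_file()}

def verify(root: Path, baseline: dict) -> dict:
    """Diff the tree against the baseline; the hash, never the size, decides 'modified'."""
    current = build_baseline(root)
    common = set(current) & set(baseline)
    modified = sorted(p for p in common if current[p][0] != baseline[p][0])
    return {
        "modified": modified,
        # subset of 'modified' that a size-only check would have missed
        "same_size": [p for p in modified if current[p][1] == baseline[p][1]],
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }

def demo() -> dict:
    """Constructed sample tree: baseline it, tamper with it three ways, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "format.exe").write_bytes(b"MZ" + b"\x00" * 1022)  # constructed host
        (root / "bin" / "backup.sh").write_bytes(b"#!/bin/sh\necho backing up\n")
        baseline = build_baseline(root)
        # 1: bytes overwritten in place, file size identical (defeats a size-only check)
        (root / "bin" / "format.exe").write_bytes(b"MZ" + b"\x90" * 1022)
        # 2: a companion file that a DOS shell would run in preference to format.exe
        (root / "bin" / "format.com").write_bytes(b"constructed companion stub")
        # 3: content prepended to a script, the non-resident pattern from the slides
        script = root / "bin" / "backup.sh"
        script.write_bytes(b"#!/bin/sh\n: placeholder\n" + script.read_bytes())
        return verify(root, baseline)
```

    Run demo() to see all three tampers reported; a real deployment would store the baseline on the trusted media rather than beside the files it protects.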


    Can a virus ever be good ?

    In biology, viruses enable potentially beneficial DNA to be transferred between species. This is considered to be a part of the optimisation of the evolutionary process. But it is thought unlikely that anyone could benefit from computer viruses, other than through the proceeds of crime which those who write and spread viruses might obtain.

    The difference between a virus and another kind of program is that an ordinary program will normally have the informed consent of the system owner before it can be installed. While there is a similarity between an operating system which can create a copy of itself on installation media and a virus, the OS that makes it easy for its users to copy it will do this with the user's full knowledge and consent.

    There is no situation in which taking away the end user's consent to perform an action is considered likely to be of benefit.