Intro Computer Virus

Upload: suneth-pathirana

Post on 05-Apr-2018

TRANSCRIPT

  • 8/2/2019 Intro Computer Virus

    1/38

    University of Colombo

    2/38

    Consumes resources (i.e. processor and memory) of your PC at an abnormally high rate, while doing nothing useful, causing:

      Drop in performance
      Removed or blocked access to important files:
        Delete (logically, or physically)
        Hide (make them system files: attrib +h +s)
        Deny access

    3/38

    What a virus can do further

      Spying: copy / download your important or secret files without your permission
      Hacking: switch the computer on / off at unexpected times; remote log; restart (without allowing you to save documents)

    4/38

    A computer virus is a computer program that can replicate itself and spread from one computer to another via:

      Removable devices: CD / DVD ROM, USB thumb drives, memory cards, external hard disks
      Networks: wired, or wireless (Bluetooth, Wi-Fi, GPRS (WAP))
      Internet: any Internet connection, i.e. broadband / modem

    5/38

    The first theory of computer viruses (although the term "computer virus" was not used at that time): John von Neumann (1949)

    6/38

    The actual term "virus" was first used to denote a self-reproducing program in a short story by David Gerrold in Galaxy magazine in 1969, and later in his 1972 novel, When HARLIE Was One. In that novel, a sentient computer named HARLIE writes viral software to retrieve damaging personal information from other computers to blackmail the man who wants to turn him off.

    7/38

    The Terminal Man, a science fiction novel by Michael Crichton (1972), told (as a sideline story) of a computer with telephone modem dialing capability, which had been programmed to randomly dial phone numbers until it hit a modem that was answered by another computer. It then attempted to program the answering computer with its own program, so that the second computer would also begin dialing random numbers, in search of yet another computer to program. The program is assumed to spread exponentially through susceptible computers.

    8/38

    In order to replicate itself, a virus attaches itself to executable files that may be part of legitimate programs.

    If a user launches an infected program, the virus's code is executed along with it.

    9/38

    Nonresident viruses: immediately search for other hosts that can be infected, infect those targets, and finally transfer control to the application program they infected.

    Resident viruses: do not search for hosts when they are started. Instead, the virus loads itself into memory on execution and transfers control to the host program; it stays in memory and infects other programs later, as they are run or accessed.

    10/38

    Malware

      Computer worms
      Trojan horses
      Rootkits
      Spyware
      Boot sector viruses
      Memory-resident viruses
      Polymorphic viruses
      Logic / time bombs
      Dishonest adware
      Other malicious or unwanted software

    11/38

    Malware, short for malicious software, is software (or a script or code) designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems.

    12/38

    A computer worm is a self-replicating malware computer program which uses a computer network to send copies of itself to other nodes (computers on the network), and it may do so without any user intervention.

    It can do this because of security shortcomings (e.g. unpatched vulnerabilities) on the target computer.

    13/38

    A Trojan horse, or Trojan, is software that is intended to perform, simultaneously, a desirable (expected) effect and a covert (unexpected) effect.

    Unlike viruses and worms, Trojan horses do not replicate themselves; they rely on the user running them. Once run, they can steal information, harm the computer system, or give an attacker remote control of it.

    The term is derived from the Trojan Horse story in Greek mythology.

    Some of the best-known Trojan horses (remote-access Trojans) are NetBus, SubSeven and Y3K RAT.

    14/38

    A rootkit is a stealthy type of malicious software (malware) designed to hide the existence of certain processes or programs from normal methods of detection, and to enable continued privileged access to a computer. The term rootkit is a concatenation of "root" (the traditional name of the privileged account on Unix operating systems) and the word "kit" (which refers to the software components that implement the tool).

    15/38

    A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files (such as a database trigger) once a condition they chose becomes true.

    A time bomb is a logic bomb whose condition is a date or time: a piece of code intentionally inserted into a software system that will set off a malicious function after a specified time.

    16/38

    A macro virus is a virus that is written in a macro language: that is to say, a language built into a software application such as a word processor. Since some applications (notably, but not exclusively, the parts of Microsoft Office) allow macro programs to be embedded in documents, so that the programs may be run automatically when the document is opened, this provides a distinct mechanism by which viruses can be spread.

    This is why it may be dangerous to open unexpected attachments in e-mails.

    Modern antivirus software detects macro viruses as well as other types.

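As an added example (not part of the original slides), the following Python script checks whether an Office Open XML document (.docx, .docm, .xlsm and so on) carries a VBA macro project before anyone opens it. An OOXML document is a zip package, so the script looks inside it for the vbaProject.bin part and for the VBA content type registered in [Content_Types].xml. The part names and the content type are the real OOXML ones; the two sample packages are constructed inside the script and are not real documents.

```python
import io
import zipfile

# Parts of an Office Open XML package (.docm/.xlsm/.pptm, or a renamed .docx) that hold VBA code.
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
CONTENT_TYPES = "[Content_Types].xml"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def find_macro_parts(package: bytes) -> list:
    """Names of the macro-carrying parts in an OOXML package (empty list = no VBA project).

    Both the well-known part names and the package's content-type registry are checked,
    so a VBA project stored under an unusual name is still reported.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = set(zf.namelist())
        found.extend(sorted(names & MACRO_PARTS))
        if CONTENT_TYPES in names:
            registry = zf.read(CONTENT_TYPES).decode("utf-8", "replace")
            # Each <Override PartName="/x" ContentType="y"/> element maps a part to its type.
            for element in registry.split("<"):
                if VBA_CONTENT_TYPE in element and 'PartName="' in element:
                    part = element.split('PartName="', 1)[1].split('"', 1)[0].lstrip("/")
                    if part not in found:
                        found.append(part)
    return found


def has_macros(package: bytes) -> bool:
    return bool(find_macro_parts(package))


def build_package(with_macro: bool) -> bytes:
    """Constructed minimal Word package for the demonstration; not a real document."""
    overrides = ['<Override PartName="/word/document.xml" '
                 'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
    parts = {"word/document.xml": b"<w:document/>"}
    if with_macro:
        overrides.append('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % VBA_CONTENT_TYPE)
        # OLE2 magic followed by placeholder bytes; a real vbaProject.bin is a compound file.
        parts["word/vbaProject.bin"] = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
    registry = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(CONTENT_TYPES, registry)
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for label, pkg in (("report.docx", build_package(False)), ("invoice.docm", build_package(True))):
        print(f"{label}: macro parts = {find_macro_parts(pkg) or 'none'}")
```

A legacy binary .doc or .xls is an OLE2 compound file, not a zip, so zipfile raises BadZipFile on it and it has to be handled separately. The check only says that a macro project is present, not that it is malicious: the file extension tells you nothing, the content does.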
    17/38

    Adware, or advertising-supported software, is any software package which automatically plays, displays, or downloads advertisements to a computer. These advertisements can be in the form of pop-ups.

    18/38

    Temporarily / permanently disable AutoPlay.

    Never double-click to open devices, i.e. pen drives, suspicious (infected) drives (hard disks) and folders.

    Use the Navigation Pane instead. The right-click "Open" options are NOT safe either: an autorun.inf on the drive can redefine that Open action to run the malware.

    Do not click / double-click on, or navigate into, suspicious files.

    Use setup programs from trusted sources only.

    Use strong anti-virus software. It is pointless if you don't update it at least every other day (daily updates recommended).

    Update?

    19/38

    Go to Control Panel

    20/38

    Select AutoPlay

    21/38

    Uncheck "Use AutoPlay for all media and devices"


    24/38

    Wanna see a virus? First disable AutoPlay.

    Connect the suspicious device (the one infected with malware) to the computer. But you still can't open it! (Remember: never double-click.)

    Enable viewing of system files (see next slide).

    25/38

    Open ANY folder (or Folder Options from the Control Panel).

    26/38

    A message box will appear (Windows warns that protected operating system files will be shown). Select YES.

    27/38

    Now, using the Navigation Pane, open the device.

    (Screenshot of the opened drive, annotated:)
      The icon of the virus can be different
      The description (e.g. "File Folder") can also differ
      The actual virus
      The autorun file

    28/38

    What can be determined?

    The actual virus (usbdur.exe) is kept in the folder sysusb.

    The autorun file references the system file SHELL32.dll at %SystemRoot%\system32\SHELL32.dll. This is not a file the virus infects: autorun.inf references SHELL32.dll to borrow one of Windows' standard icons, which is how an infected drive shows a changed icon (see the next slide).

    %SystemRoot% is the directory where the operating system is installed (typically C:\Windows, on the system partition).

    The autorun file is not itself a virus, but a supporting file: it contains the instructions for how and where to install the virus on the computer.

    It is a plain text file, so it is safe to read; open it in a text editor (e.g. right-click, Open With, Notepad) rather than double-clicking it.

    29/38

    Smaller in size (most probably less than 1024 KB).

    Changes the standard icons for devices.

    (Screenshot: drive icons, labelled "Not infected" and "Infected".)
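The analysis on slides 28 and 29 can be written down as a triage script. The following Python code is an added example, not part of the slides: it parses an autorun.inf, works out which program the drive would run if it were double-clicked, and checks the listed files for the indicators the slides name (hidden + system attributes, small size, a borrowed SHELL32.dll icon, user folders hidden by attrib +h +s, and an executable decoy placed beside them). The directory listing, attribute values, autorun.inf text and file sizes are constructed to match the slides' description; usbdur.exe and sysusb are the names the slides show, Thesis and Thesis.exe are invented.

```python
from dataclasses import dataclass

# Windows file-attribute bits: the flags that `attrib +h +s` sets, plus the directory flag.
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_DIRECTORY = 0x10
HIDDEN_SYSTEM = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

# autorun.inf keys that make Explorer run a program when the drive is opened.
RUN_KEYS = ("open", "shellexecute", "shell\\open\\command")
# Hidden+system folders Windows itself creates on a volume; not suspicious on their own.
LEGIT_HIDDEN = {"system volume information", "$recycle.bin"}


@dataclass
class Entry:
    path: str        # relative to the drive root, backslash separated
    attributes: int  # FILE_ATTRIBUTE_* bit mask
    size: int        # bytes


def parse_autorun(text: str) -> dict:
    """Parse the [autorun] section of an autorun.inf into {key: value}; keys are lower-cased."""
    section, keys = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys


def program_of(command: str) -> str:
    """The program part of an autorun command line, without quotes or a leading .\\ prefix."""
    command = command.strip()
    if not command:
        return ""
    prog = command[1:].split('"', 1)[0] if command.startswith('"') else command.split()[0]
    return prog[2:] if prog.startswith(".\\") else prog.lstrip("\\")


def triage_drive(autorun_text: str, listing: list) -> list:
    """Findings about a removable drive, as readable strings. Empty list = nothing suspicious."""
    findings = []
    by_path = {e.path.lower(): e for e in listing}
    keys = parse_autorun(autorun_text)

    # 1. What runs if the drive is double-clicked or opened through the shell verb?
    targets = {program_of(keys[k]) for k in RUN_KEYS if k in keys}
    for target in sorted(t for t in targets if t):
        findings.append(f"autorun.inf runs {target} when the drive is opened")
        entry = by_path.get(target.lower())
        if entry and entry.attributes & HIDDEN_SYSTEM:
            findings.append(f"{entry.path} is hidden with attrib +h +s")
        if entry and entry.size < 1024 * 1024:
            findings.append(f"{entry.path} is small ({entry.size} bytes)")

    # 2. icon= pointing into SHELL32.dll borrows a standard Windows icon so the drive looks normal.
    icon = keys.get("icon", "")
    if "shell32.dll" in icon.lower():
        findings.append(f"drive icon replaced via {icon}")

    # 3. User folders hidden with +h +s, and the classic decoy <folder>.exe placed beside them.
    for e in listing:
        is_hidden_dir = (e.attributes & FILE_ATTRIBUTE_DIRECTORY) and (e.attributes & HIDDEN_SYSTEM) == HIDDEN_SYSTEM
        if is_hidden_dir and e.path.lower() not in LEGIT_HIDDEN:
            findings.append(f"folder hidden with attrib +h +s: {e.path}")
            decoy = by_path.get(e.path.lower() + ".exe")
            if decoy:
                findings.append(f"decoy executable {decoy.path} sits beside hidden folder {e.path}")
    return findings


# Constructed sample in the shape the slides describe (usbdur.exe inside sysusb); not a real capture.
SAMPLE_AUTORUN = """[AutoRun]
open=sysusb\\usbdur.exe
shell\\open\\command=sysusb\\usbdur.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

SAMPLE_LISTING = [
    Entry("autorun.inf", HIDDEN_SYSTEM, 96),
    Entry("sysusb", FILE_ATTRIBUTE_DIRECTORY | HIDDEN_SYSTEM, 0),
    Entry("sysusb\\usbdur.exe", HIDDEN_SYSTEM, 98304),
    Entry("Thesis", FILE_ATTRIBUTE_DIRECTORY | HIDDEN_SYSTEM, 0),  # the user's real folder, hidden
    Entry("Thesis.exe", 0, 98304),                                  # decoy shown with a folder icon
    Entry("System Volume Information", FILE_ATTRIBUTE_DIRECTORY | HIDDEN_SYSTEM, 0),
]

if __name__ == "__main__":
    for finding in triage_drive(SAMPLE_AUTORUN, SAMPLE_LISTING):
        print("-", finding)
```

On a real Windows machine the attribute mask comes from os.stat(path).st_file_attributes (the same bits attrib shows), and the drive should be read only with AutoPlay disabled, as the earlier slides insist; the script itself never executes anything from the drive.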

    30/38

    Options when a virus is found:

      Delete permanently
      Move to vault (quarantine): a place where collected viruses are kept under restricted execution
      Disinfect (detach the virus from the original file)
      Update virus definitions (train themselves)
      Send info to the parent company (to study the sample and improve the anti-virus)

    31/38

    Free: Microsoft Security Essentials, Avira AntiVir

    Non-free: Avast, AVG, Symantec Norton, Kaspersky, BitDefender

    32/38

    Every strong virus guard carries a database / knowledge base of almost all viruses known up to the date of its last update.

    A virus guard can detect a virus only if it is known to its knowledge base, or at least follows a similar pattern (signature or behaviour) to a known one.

    That means if a new virus that is not similar to any known one comes and tries to infect, the virus guard cannot protect the computer from it.

    Therefore, updating a virus guard is nothing but enriching the knowledge base with new virus definition files, enabling the virus guard to detect the new viruses.
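To make the "known only if it is in the knowledge base" point concrete, here is an added Python example (not from the slides) of how a signature-based scanner behaves before and after a definition update. The definitions, the sample files and the family pattern are constructed for the demonstration; real definition formats are far more elaborate, but the logic is the same.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Definition:
    """One entry of the virus guard's knowledge base."""
    name: str
    sha256: Optional[str] = None     # exact hash of a known sample
    pattern: Optional[bytes] = None  # byte sequence shared by a whole family


def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(data: bytes, definitions: List[Definition]) -> Optional[str]:
    """Name of the first matching definition, or None: 'clean, as far as the knowledge base knows'."""
    digest = file_hash(data)
    for d in definitions:
        if d.sha256 is not None and d.sha256 == digest:
            return d.name
        if d.pattern is not None and d.pattern in data:
            return d.name
    return None


def scan_all(samples: dict, definitions: List[Definition]) -> dict:
    """Scan every (label -> bytes) sample and report the verdict per label."""
    return {label: scan(data, definitions) for label, data in samples.items()}


# Constructed samples: a marker string stands in for the malicious code.
ORIGINAL = b"MZ\x90\x00" + b"usbdur build 1: copy self to every drive; attrib +h +s *" + b"\x00" * 32
VARIANT = b"MZ\x90\x00" + b"usbdur build 2: copy self to every drive; attrib +h +s *" + b"\x00" * 32
CLEAN = b"MZ\x90\x00" + b"installer for a harmless text editor" + b"\x00" * 32
SAMPLES = {"usbdur.exe": ORIGINAL, "usbdur_v2.exe": VARIANT, "setup.exe": CLEAN}

# Yesterday's definitions: the vendor has only seen the original sample, so only its hash is known.
DEFS_OLD = [Definition("USB.Worm.Sample", sha256=file_hash(ORIGINAL))]
# Today's update adds a pattern shared by the family, so the unseen variant is caught as well.
DEFS_NEW = DEFS_OLD + [Definition("USB.Worm.Sample.Gen", pattern=b"copy self to every drive; attrib +h +s")]

if __name__ == "__main__":
    print("before update:", scan_all(SAMPLES, DEFS_OLD))
    print("after update: ", scan_all(SAMPLES, DEFS_NEW))
```

The variant escapes the old definitions because its exact hash differs; the update adds a family pattern (the slide's "similar patterns"), after which it is caught. A polymorphic virus, listed on slide 10, rewrites those bytes on every copy, which is exactly the case a pure signature match cannot cover.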

    33/38

    If your important files and folders suddenly go missing and seem deleted, don't worry!

    Most probably they are not actually deleted, but hidden: the usual trick is to set the hidden and system attributes (attrib +h +s) on them, as on slide 2.

    Even in the case of a physical (permanent) deletion, you can usually still recover them, as long as the space has not been overwritten (see slide 36).

    34/38

    Anatomy of HDD (diagram)

    35/38

    Anatomy of HDD (diagram)

    36/38

    Recover?

    Can you believe this story? Whatever you delete (not only logically, but even physically with Shift + Del) is not actually erased from your hard disk.

    Only the path (the record of where the file is located on the HDD) is removed from the file system of the operating system; the data blocks stay where they are and are merely marked as free.

    When you store new files on your HDD, those free blocks are reused and the old contents are overwritten.

    If you are sure you haven't done so, recovery software can perform its task! (This holds for hard disks; on an SSD with TRIM enabled the drive itself may erase freed blocks, so recovery often fails there.)
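The following Python example is added here and is not from the slides: a toy volume with a directory table and a data area, showing that deleting a file only clears its directory record, that recovery software can still carve the contents from the raw bytes by their header and footer, and that writing a new file over the freed space makes that impossible. The volume layout and the file contents are constructed for the demonstration.

```python
import struct

# Constructed toy volume: a directory table of fixed-size records followed by a data area.
# One record = 12-byte name, 1-byte in-use flag, uint32 data offset, uint32 length.
RECORD = struct.Struct("<12sBII")
MAX_RECORDS = 8
DATA_START = RECORD.size * MAX_RECORDS


def format_volume(size: int) -> bytearray:
    """An empty volume: all-zero table and data area."""
    return bytearray(size)


def _records(vol: bytearray):
    for i in range(MAX_RECORDS):
        yield i, RECORD.unpack_from(vol, i * RECORD.size)


def listdir(vol: bytearray) -> list:
    """What the operating system shows: only records whose in-use flag is set."""
    return [name.rstrip(b"\0").decode() for _, (name, used, _, _) in _records(vol) if used]


def write_file(vol: bytearray, name: str, data: bytes) -> None:
    """Place data in the first gap of the data area that fits, and claim a free record."""
    used = sorted((off, off + ln) for _, (_, flag, off, ln) in _records(vol) if flag)
    offset = DATA_START
    for start, end in used:  # skip past every region still in use
        if offset + len(data) <= start:
            break
        offset = max(offset, end)
    if offset + len(data) > len(vol):
        raise OSError("volume full")
    for i, (_, flag, _, _) in _records(vol):
        if not flag:
            RECORD.pack_into(vol, i * RECORD.size, name.encode()[:12], 1, offset, len(data))
            vol[offset:offset + len(data)] = data  # freed space is simply reused
            return
    raise OSError("directory full")


def delete_file(vol: bytearray, name: str) -> bool:
    """A 'physical' delete (Shift + Del): clear the in-use flag; the data bytes are untouched."""
    for i, (n, flag, off, ln) in _records(vol):
        if flag and n.rstrip(b"\0").decode() == name:
            RECORD.pack_into(vol, i * RECORD.size, n, 0, off, ln)
            return True
    return False


def carve(vol: bytearray, header: bytes, footer: bytes) -> list:
    """What recovery software does: ignore the table and scan the raw bytes for header ... footer."""
    found, pos = [], DATA_START
    while True:
        start = vol.find(header, pos)
        if start < 0:
            return found
        end = vol.find(footer, start + len(header))
        if end < 0:
            return found
        found.append(bytes(vol[start:end + len(footer)]))
        pos = end + len(footer)


# Constructed file contents; the header/footer pair is what a carver keys on.
THESIS = b"%PDF-1.4\nThesis chapter 1: results\n%%EOF"

if __name__ == "__main__":
    vol = format_volume(512)
    write_file(vol, "thesis.pdf", THESIS)
    delete_file(vol, "thesis.pdf")
    print("listing after Shift+Del:", listdir(vol))
    print("carved:", carve(vol, b"%PDF-", b"%%EOF"))
    write_file(vol, "notes.txt", b"new notes written after the delete")
    print("carved after overwrite:", carve(vol, b"%PDF-", b"%%EOF"))
```

Real file systems are more involved (allocation bitmaps, clusters, fragmentation), but the two facts the slide relies on are the same: the delete touches only the metadata, and the data survives until the allocator hands that space to a new file.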

    38/38

    [email protected]

    (+94) 77 567 5 416