Presentation on computer viruses

Computer Viruses
Mitesh Solanki, 2K10/ME/070

Posted on 06-Feb-2016

Description: how and when a virus affects a computer and how to avoid it

Transcript

Computer Viruses
Mitesh Solanki
2K10/ME/070

Introduction
- Computer viruses have become today's headline news
- With the increasing use of the Internet, it has become easier for viruses to spread
- Viruses show us loopholes in software
- Most viruses are targeted at the MS Windows OS

Definition
Virus: A computer virus is a computer program that can replicate itself. A true virus is capable of self-replication on a machine. It may spread between files or disks, but the defining characteristic is that it can recreate itself on its own without travelling to a new host, and then spread from one computer to another. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have this reproductive ability.

History of viruses
- The first academic work on the theory of computer viruses (although the term "computer virus" was not used at that time) was done in 1949 by John von Neumann. In his essay "Theory of self-reproducing automata" von Neumann described how a computer program could be designed to reproduce itself.
- In 1984 Fred Cohen from the University of Southern California wrote his paper "Computer Viruses - Theory and Experiments". It was the first paper to explicitly call a self-reproducing program a "virus".

Background
- There are an estimated 30,000 computer viruses in existence
- Over 300 new ones are created each month
- The first virus was created to show loopholes in software

Virus Languages
- ANSI COBOL
- C/C++
- Pascal
- VBA
- Unix shell scripts
- JavaScript
- Basically any language that works on the system that is the target

Infection strategies
In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs. If a user attempts to launch an infected program, the virus's code may be executed at the same time.

Viruses can be divided into two types based on their behavior when they are executed. Nonresident viruses immediately search for other hosts that can be infected, infect those targets, and finally transfer control to the application program they infected. Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or the operating system itself.

Symptoms of Virus Attack
- Computer runs slower than usual
- Computer no longer boots up
- Screen sometimes flickers
- PC speaker beeps periodically
- System crashes for no reason
- Files/directories sometimes disappear
- Denial of Service (DoS)

Virus through the Internet
- Today almost 87% of all viruses are spread through the Internet
- Transmission time to a new host is relatively low, on the order of hours to days

Classifying Viruses - Types
- Trojan Horse
- Worm
- Macro

Trojan Horse
- Covert
- Leaks information
- Usually does not reproduce

Trojan Horse: Back Orifice
- Discovery Date: 10/15/1998
- Origin: Pro-hacker website
- Length: 124,928
- Type: Trojan
- SubType: Remote Access
- Risk Assessment: Low
- Category: Stealth

Trojan Horse: About Back Orifice
- Requires Windows to work
- Distributed by Cult of the Dead Cow
- Similar to PC Anywhere and Carbon Copy software
- Allows remote access and control of other computers
- Installs a reference in the registry
- Once the machine is infected, runs in the background

Trojan Horse: Features of Back Orifice
- Pings and queries servers
- Reboots or locks up the system
- Lists cached and screen saver passwords
- Displays system information
- Logs keystrokes
- Edits the registry
- Server control
- Receives and sends files
- Displays a message box

Worms
- Spread over network connections
- Worms replicate
- The first worm released on the Internet was called the Morris worm; it was released on Nov 2, 1988.

Worms: Bubbleboy
- Discovery Date: 11/8/1999
- Origin: Argentina (?)
- Length: 4992
- Type: Worm/Macro
- SubType: VbScript
- Risk Assessment: Low
- Category: Stealth/Companion

Worms: Bubbleboy
- Requires WSL (Windows scripting language), Outlook or Outlook Express, and IE5
- Does not work in Windows NT
- Affects Spanish and English versions of Windows
- 2 variants have been identified
- May cause DENIAL OF SERVICE

Worms: How Bubbleboy works
- Bubbleboy is embedded within an email message in HTML format
- A VbScript runs while the user views the HTML page
- A file named Update.hta is placed in the start-up directory
- Upon reboot, Bubbleboy executes

Worms: How Bubbleboy works
- Changes the registered owner/organization:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner = Bubble Boy
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization = MICROSOFT
- Using the Outlook MAPI address book, it sends itself to each entry
- Marks itself in the registry:
  HKEY_LOCAL_MACHINE\Software\Outlook.bubbleboy = OUTLOOK.Bubbleboy1.0 by Zulu

Macro
- Specific to certain applications
- Comprise a high percentage of the viruses
- Usually made in WordBasic and Visual Basic for Applications (VBA)
- Microsoft shipped Concept, the first macro virus, on a CD-ROM called "Windows 95 Software Compatibility Test" in 1995

Macro: Melissa
- Discovery Date: 3/26/1999
- Origin: Newsgroup posting
- Length: varies depending on variant
- Type: Macro/Worm
- Subtype: Macro
- Risk Assessment: High
- Category: Companion

Macro: Melissa
- Requires WSL, Outlook or Outlook Express, Word 97 SR1 or Office 2000
- 105 lines of code (original variant)
- Received either as an infected template or an email attachment
- Lowers computer defenses to future macro virus attacks
- May cause DoS
- Infects template files with its own macro code

Macro: How Melissa works
- The virus is activated through an MS Word document
- The document displays references to pornographic websites while the macro runs
- First lowers the macro protection security setting for future attacks
- Checks to see if it has run in the current session before:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Office\Melissa = by Kwyjibo
- Propagates itself using the Outlook MAPI address book (emails sent to the first 50 addresses)

Protection/Prevention
- Knowledge
- Proper configurations
- Run only necessary programs
- Anti-virus software

Anti-viruses
Many users install anti-virus software that can detect and eliminate known viruses after the computer downloads or runs the executable. There are two common methods that an anti-virus software application uses to detect viruses. The first, and by far the most common, method of virus detection is using a list of virus signature definitions. This works by examining the content of the computer's memory (its RAM and boot sectors) and the files stored on fixed or removable drives (hard drives, floppy drives), and comparing those files against a database of known virus "signatures". The disadvantage of this detection method is that users are only protected from viruses that pre-date their last virus definition update. The second method is to use a heuristic algorithm to find viruses based on common behaviors. This method has the ability to detect novel viruses that anti-virus security firms have yet to create a signature for.

Some anti-virus programs are able to scan opened files in addition to sent and received email messages "on the fly" in a similar manner. This practice is known as "on-access scanning". Anti-virus software does not change the underlying capability of host software to transmit viruses. Users must update their software regularly to patch security holes. Anti-virus software also needs to be regularly updated in order to recognize the latest threats.
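The two detection methods just described, as an added Python illustration that is not part of the presentation: a constructed signature database and a constructed behaviour heuristic built from the Melissa traits listed above (auto-run macro, Outlook/MAPI address-book access, self-attachment, lowered macro protection), applied to constructed macro fragments. It shows the stated weakness of signatures (a variant with altered bytes is missed) and how the heuristic still flags it; all names, patterns and samples are invented for the example.

```python
"""Toy model of the two detection methods described above: a database of known
byte signatures, and a heuristic that scores behaviours typical of a
mail-propagating macro virus. All signatures and samples are constructed."""
import re

# Constructed signature database (name -> known byte pattern); not real AV data.
SIGNATURES = {
    "Macro.Sample.A": b"Sub Document_Open()\r\nCall SpreadByMail",
    "Worm.Sample.B": b'<script language="VBScript">Update.hta',
}

# Constructed heuristic indicators (pattern, weight), each matching a behaviour the
# slides attribute to Melissa: auto-run on open, driving Outlook via MAPI,
# mailing a copy of itself, lowering Word's macro protection.
HEURISTIC_INDICATORS = [
    (re.compile(rb"Document_Open|AutoOpen", re.I), 1),
    (re.compile(rb"Outlook\.Application", re.I), 2),
    (re.compile(rb'AddressLists|GetNameSpace\("MAPI"\)', re.I), 2),
    (re.compile(rb"\.Attachments\.Add", re.I), 2),
    (re.compile(rb"VirusProtection\s*=\s*False", re.I), 3),
]
HEURISTIC_THRESHOLD = 5  # one auto-run macro is normal; several indicators together are not

def signature_scan(data: bytes) -> list:
    """Names of every known signature whose bytes appear in the file."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]

def heuristic_scan(data: bytes) -> int:
    """Behaviour score; HEURISTIC_THRESHOLD or more is treated as suspicious."""
    return sum(w for pattern, w in HEURISTIC_INDICATORS if pattern.search(data))

def scan(data: bytes) -> dict:
    """Classify a file as an on-access scanner would: known, suspicious or clean."""
    hits, score = signature_scan(data), heuristic_scan(data)
    if hits:
        verdict = "known:" + hits[0]
    elif score >= HEURISTIC_THRESHOLD:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"signature_hits": hits, "heuristic_score": score, "verdict": verdict}

# Constructed sample "files" (fragments of macro text, not working macros).
KNOWN_SAMPLE = b"Sub Document_Open()\r\nCall SpreadByMail\r\nEnd Sub"
# A "new variant": the signed bytes changed, so only the heuristic notices it.
VARIANT_SAMPLE = (b"Sub AutoOpen()\r\n' uses Outlook.Application, GetNameSpace(\"MAPI\"),"
                  b" AddressLists and .Attachments.Add\r\nEnd Sub")
CLEAN_SAMPLE = b"Sub Document_Open()\r\nMsgBox \"Quarterly report\"\r\nEnd Sub"
```

Running `scan()` over the three samples gives a signature hit for the known file, a heuristic-only "suspicious" verdict for the altered variant, and "clean" for the benign document, which is exactly the gap between the two methods the slide describes.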

Methods employed by viruses to avoid detection
- Avoiding bait files and other undesirable hosts
- Stealth
- Self-modification
- Encryption with a variable key
- Polymorphic code
- Metamorphic code

Deceiving viruses
- Installing anti-viruses
- Creating backups of important files
- Re-installation of damaged programs
- System Restore (Some viruses, however, disable System Restore and other important tools such as Task Manager and Command Prompt. An example of a virus that does this is CiaDoor. However, many such viruses can be removed by rebooting the computer, entering Windows safe mode, and then using system tools.)
- Operating system reinstallation

Conclusion
- Viruses work through your system to make a better virus
- We have seen how viruses show us loopholes in popular software
- Most viruses show that they can cause great damage due to loopholes in programming

Thank you