COMPUTERVIRUSES
MALICIOUS CODES Malicious code: It is an undesired program or part caused by an agent intent to damage. Agent is Writer or Distributor.
WHAT MALICIOUS CODE CAN DO? 1. Writing a message on a computer screen. 2. Generating a sound. 3. Erasing a stored file. 4. Or can lie undetected until some event triggers the code to act. Time or date, an interval. An event. A condition. A count. Some combination or random situation.
VIRUSES Is a program that can pass on malicious code to other non malicious programs by modifying them. When the program that a virus is attached to is executed, the virus code is also executed and performs its actions.
WHAT IS COMPUTER VIRUS ? * BE A SET OF COMPUTER INSTRUCTIONS. * BE DELIBERATELY CREATED. * DO UNDESIRABLE THINGS (DAMAGES). * PROPAGATE USING HOST PROGRAMS.
COMPUTER VIRUS COMPUTER COMPONENTS SOFTWARE ROGUE SOFTWARE LEGITIMATE SOFTWARE PRODUCTIVE DESTRUCTIVE
KINDS OF MALICIOUS CODE Viruses : It attaches itself to program and propagates copies of itself to other programs. Trojan horse: It contains unexpected, additional functionality. Logic bomb: It triggers action when condition occurs. Time bomb: It triggers actions when specified time occurs. Trapdoor: It allows unauthorized access to functionally. Worm: It propagates copies of itself through a network. Rabbit: It replicates itself without limit to exhaust resource.
ROGUE SOFTWARE * BUG-WARE - NOT MEANT FOR DESTRUCTION * THE TROJAN HORSE - APPEARS TO BE USEFUL * CHAMELEONS - MISCHIEF * REPLICATORS - COPY ITSELF TO EXHAUST DISK * WORMS - TRAVEL IN NETWORK
* SOFTWARE BOMBS - EXPLODE ON LAUNCH * LOGIC BOMBS - EXPLODE ON LOGIC * TIME BOMBS - EXPLODE ON TIME / DATE
WHO ARE ROUGE PROGRAMERS ? * PSYCHO CASES: COMPUTER VIRUS - FOR FUN - RELEASE ANGER - TAKE REVENGE
WHO ARE ROUGE PROGRAMERS ? COMPUTER VIRUS * PROFIT EARNERS: $$$$$ -MONEY -ESPIONAGE -FAME
WHO ARE ROUGE PROGRAMERS ? COMPUTER VIRUS * INFO ATTACKERS: - DISRUPT ENEMY’S INFORMATION & NETWORK
WHAT CAN THEY DO ? FORMAT DISK COPY, RENAME AND DELETE FILES COPY THEMSELVES WITH NEW CONFIGURATION INFORMATION MODIFY FILE DATES AND EXTENSIONS CALL OTHER COMPUTERS TO UPLOAD AND DOWN LOAD FILES
HOW DO THEY DO ? APPENDING SURROUNDING INTEGRATING OVERWRITING CHANGING POINTERS
HOW VIRUSES ATTACH? Appended viruses: Virus Appended to a Program
HOW VIRUSES ATTACH? Viruses that surround a program.
HOW VIRUSES ATTACH? Integrated viruses:
HOW VIRUS GAIN CONTROL
HOW DO YOU NOTICE ? COMPUTER OPERATION BECOMES SLUGGISH PROGRAMS TAKE LONGER TO LOAD DISK SPACE DECREASES RAPIDLY BAD DISK SECTORS STEADILY INCREASE RAM DECREASES SUDDENLY OR STEADILY COMPUTER HALTS WITH OR WITHOUT FUNNY MESSAGES COMPUTER VIRUS
HOW DO YOU NOTICE ? PROGRAMS ENCOUNTER ERRORS PROGRAMS GENERATE UNDOCUMENTED ERRORS FILES REPLACED WITH GARBAGE FILES MYSTERIOUSLY DISAPPEAR FILE ATTRIBUTES AND DATA CHANGE DATA FILES OR DIRECTORIES OF UNKNOWN ORIGIN APPEAR COMPUTER VIRUS
NETWORK VIRUS: Spreads through a local network area. TYPES OF COMPUTER VIRUS BOOT SECTOR VIRUS MEMORY RESIDENT VIRUS MULTI-PARTITE VIRUS: Infecting more than one class of basic target. TRANSIENT RESIDENT
MACRO VIRUS: It is often scripted into common application programs such as Word or Excel, is spread by infecting documents. DOCUMENT VIRUS: Implemented within a formatted document E.g. A written document, a database, a slide presentation, or a spreadsheet. POLYMOPRPHIC VIRUS: That can change its appearance.
BOOT SECTOR VIRUS RELOCATING CODE:
WHAT TO DO ? ANTI VIRUS TECHNIQUES
WHAT TO DO ? SAFE COMPUTING METHODS ANTIVIRUS SOFTWARE SYSTEMS PREVENTION SYSTEM DETECTION SYSTEM COMPUTER ANTI VIRUS
WHAT TO DO ? SAFE COMPUTING METHODS * YOU MUST: COMPUTER ANTI VIRUS - DISCOURAGE PIRATED SOFTWARE - TAKE BACKUP
WHAT TO DO ? SAFE COMPUTING METHODS COMPUTER ANTI VIRUS YOU MAY: – USE PRE RUN CHECKUPS – CHANGE FILE ATTRIBUTES – REINITIALIZE SYSTEM – REINSTALL APPLICATIONS – REFORMAT HARD DISK – OBSERVE OPERATION TIMINGS – LOG DISK SPACE – LOG BAD SECTORS
WHAT TO DO ? ANTIVIRUS SOFTWARE SYSTEMS: PREVENTION SYSTEMS: –TO STOP VIRUS ATTACKS IN REAL TIME. –BLOCK ILLEGAL DISK ACCESS AND PROGRAM LOADING. –PASSWORD PROTECTION: -SLOW SPEED. -UNNECESSARY INTERRUPTS. -CAN BE INFECTED BY VIRUS.
WHAT TO DO ? ANTIVIRUS SOFTWARE SYSTEMS: DETECTION SYSTEMS: – LOAD, RUN AND EXIT. – CHECK PROGRAM BEFORE EXECUTION. – COMPLEMENT PREVENTION SYSTEM.
HOMES FOR VIRUSES The virus writer may find these qualities appealing in a virus: It is hard to detect. It is not easily destroyed or deactivated. It spreads infection widely. It can re-infect its home program or other programs. It is easy to create. It is machine independent and OS independent.
VIRUS SIGNATURES Virus cannot be completely invisible. A telltale pattern, called a signature. Virus scannerSign of Code Red worm /default.ida?NNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNN %u9090%u6858%ucbd HTTP/1.0
Polymorphic Malware Polymorphic worm (usually) encrypted New key is used each time worm propagates Worm body has no fixed signature Worm must include code to decrypt itself Signature detection searches for decrypt code Detectable by signature-based method Though more challenging than non-polymorphic…
Metamorphic Malware A metamorphic worm mutates before infecting a new system Such a worm can avoid signature-based detection systems The mutated worm must do the same thing as the original
RECOGNIZABLE PATTERNS IN VIRUSES
EXECUTION PATTERNS– EFFECTS & CAUSES Attach to executable program: It modifies file directory, write to executable program file. Attach to data or control file: It modifies directory, rewrite data, append to data, appended data to itself. Remain in memory: It intercepts, interrupts, load self in non transient memory area. Infect disks – It intercepts, interrupts, intercept OS calls, modifies system file, modifies ordinary executable program. Conceal self – It classify self as hidden file. Spread infection – infect boot sector, infect system program, infect ordinary program. Prevent deactivation – activate before deactivating program and block deactivation.
PREVENTION OF VIRUS INFECTION: Use only commercial software acquired from reliable, well-established vendors. Test all new software on an isolated computer. Open attachments only when you know them to be safe. Make a recoverable system image and store it safely. Make and retain backup copies of executable system files. Use virus detectors regularly and update them daily.
TRUTHS AND MISCONCEPTION ABOUT VIRUSES Viruses can infect only Microsoft windows system. False. Viruses can modify “hidden” or “read only” files. True. Viruses can appear only in data files, or only in Word documents, or only in programs. False. Viruses spreads only on disks or only in . False. Viruses cannot remain in memory after a complete power off/power on reboot. True. Viruses can be malevolent, benign, or benevolent. True.
MALICIOUS CODES The Brain Virus. Internet Worm. Code Red Worm. Web Bugs.
THE BRAIN VIRUS W hat it does? Locates itself in upper memory. How it spreads? Through the boot sector. What was learned. It affects the boot sector.
INTERNET WORM It caused serious damage to network. What effect it had: The disconnection of systems from internet, system burdened with many copies of worm. 6000 installations to shut down, $ 97 million loss was incurred. How it worked : . Remain undiscovered and undiscoverable.
CODE RED What it did? Day 1 to 19 of month: tried to spread infection Day 20 to 27: distributed denial of service attack on Microsoft’s IIS (Internet Information Server). Overflows buffer in the idq.dllW (dynamic link library). Infected 250,000 systems in 10 minutes!
Trojan Horse Example A trojan has unexpected function File icon for freeMusic.mp3 : For a real mp3, double click on icon o iTunes opens o Music in mp3 file plays But for freeMusic.mp3, unexpected results…
Trojan Example Double click on freeMusic.mp3 iTunes opens (expected) “Wild Laugh” (probably not expected) Message box (unexpected)
Trojan Example How does freeMusic.mp3 trojan work? This “mp3” is an application, not data! This trojan is harmless, but… Could have done anything user can do o Delete files, download files, launch apps, etc.
ABOUT THE “I LOVE YOU” VIRUS: VBS/LoveLetter is a VB Script uses Microsoft outlook to spread. It is spreading faster than Melissa virus. It causes heavy traffic and downs many mail servers. The new variant VBS/NewLove charges deadly payload and it will damage all files in the system. When opening the attachment, will create MSKernel32.vbs, LOVE-LETTER-FOR-YOU.TXT.VBS files in windows system folder and Win32Dll.VBS in windows folder. Then it changes the registry settings so that the script is automatically executed when the system is restarted. The.VBS extension will not appear if windows scripting host is installed. This worm takes advantage of this and blinds the user to open attachment.
It opens the Microsoft Outlook Address book and sends to all the ids stored in that. The message subject will be "I Love you", the message body will be "kindly check the attached love letter coming from me" and the attachment name will be "LOVE-LETTER-FOR-YOU.TXT.VBS". Then the virus searches for all local and remote drives and overwrites.js,.hta,.css,.wsh,.sct and.hta files with the script. It overwrites jpg, jpeg files with the virus code and renames to.vbs extension. In case of mp2 and mp3 files it hides the original file and creates a new file with.vbs extension and writes its code there.
It also tries to download a file from virus author's site. If the file is downloaded it modifies the registry to run the file on each reboot. It is a password stealing trojan will be stored in the name of WIN-BUGFIX.EXE. There are several variants of VBS/LoveLetter is reported in the wild. Most of them arrives with different names like LOVE-LETTER-FOR-YOU.TXT.VBS, mothersday.vbs, Urgent_virus_warning.vbs, IMPORTANT.TXT.VBS, etc.
MELISSA VIRUS: Melissa is a Macro Virus which are embedded in a spreadsheet or word-processor document. When the document is opened the macro virus does its bad work. In the case of the Melissa virus, it uses your program to send a copy of its self to the first 50 people in your address book.
Received From: To: Subject: Hi from Bill Gates Hi, I am Bill gates
THANK YOU…