Recent Internet Viruses & Worms By Doppalapudi Raghu

Outline History of Malicious Logic Types of Viruses & Worms Recent Internet viruses Recent Internet Worms Defense Good Habits in Computer world

History Definition of malicious logic Fred cohen Brain Virus(1986) MacMag peace virus(1987) Duff’s Experiment virus(1987)

Difference between Internet virus and Internet worm Virus Worm Need a host fileNo need of host file It’s a variant of virus Human interventionNo human Intervention It infects the files and infect other systems by sharing these files Infects computers and spread over network Causes damage to hardware, software Consumes too much system resources or N/W bandwidth.

Understanding Virus names Symantec Notation Family name Names for the variants in a virus family Suffix is added to the names in the same virus family Examples badvirus.a badvirus.z badvirus.aa badvirus.az badvirus.ba badvirus.bz

Terminology in virus world ZERO DAY EXPLOIT Proof of concept Zombie computer Ethical Hacker Payload Honey pots

Types of viruses Boot sector Infectors Executable Infectors Multipartite Viruses TSR Viruses Stealth Viruses Encrypted Viruses Polymorphic Viruses Macro Viruses Many new virus types are added to the list

Companion virus file with same name is created but with extension higher in execution hierarchy Link virus These viruses create changes to the File allocation table

Types of Worms worms worms IRC worms File sharing network worms Internet worms Instant Messaging worms

Virus.win32.VB.cx Jan 12 th 2007 Virus scans victims machine for executable files. Virus itself is a windows PE.exe files Contents of the files with extension.cpp,.doc,.htm,.html,.txt,.xls will be overwritten with following text "Sorry!!!! trt" "$%%7``0924ksh<:{[86#$36455hgf#$45"

W32/FUJACKS.AB 4/7/2007 Infects.exe files also infects web pages by Inserting malicious hyperlinks of windows ani exploit It creates the following registry key to start itself at boot up time: HKEY_CURRENT_USER\Software\Microsoft\Win dows\CurrentVersion\Run\Death.exe\"\%system%\ Death. Terminates the processes containing the strings like zone alarm, Symantec anti virus. It also attempts to download other malware

Effects of Win32.fujacks Infected through network shares which are protected with very weak passwords. This virus tries with passwords present in the directory. Change in the executable file sizes. Creates the following files in root directory: setup.inf, setup.exe, GameSetup.exe

Windows Vulnerabilities W1 Web Servers & Services W2 Workstation Service W3 Windows Remote Access Services W4 Microsoft SQL Server (MSSQL) W5 Windows Authentication W6 Web Browsers W7 File-Sharing Applications W8 LSAS Exposures W9 Mail Client W10 Instant Messaging W11 ani vulnerability

Windows.ANI vulnerability Determina security User32.DLL code has vulnerability Buffer overflow Remote code execution Microsoft released patches on April 5 th

Code Red Worm July Worm spread using.ida (indexing service) vulnerability in Microsoft Internet Information Server Damage caused: Infected machines randomly attacked other web servers Performed denial of service attack on The homepage of infected machines is defaced

Code red worm working

Spida Worm Microsoft SQL server vulnerability Different worm exploiting databases On SQL server 7.0 password is blank by default Connect to sa with blank password The worm uses the extended stored procedure xp_cmdshell

My tob worm Mass mailing worm It can use even the LSASS vulnerability of windows Stack based buffer overflow It sends itself to all addresses harvested from the victim machine using its own engine Aug the proof of concept was released & by aug 11 th worms started attacking. My tob worm was designed from some version of my doom

Worms at a glance Vulnerability Spreading methods Infecting

Fighting Internet worms Honey pots Computer elements to delude aggressors 2 kinds of honey pots are used High Interaction Low Interaction Honey pots versus worms Honey pots and worm infections Honey pots and payload worms Honey pots and propagation of worms

How anti-virus software works Virus dictionary approach DAT files are released by the Anti virus company. These DAT files have virus definitions and signatures of the virus. Suspicious behavior approach Other ways to detect viruses Sandboxing

Good practices Install the patches supplied by the software vendors Keep your Antivirus software updated Do not open the attachments from the unknown. Configure the firewall properly Use strong passwords so that others cant brute force Be aware of the Internet viruses and worms Zero day exploits cannot be avoided.

Kaspersky discovers an iVirus Even the I pods are effected with viruses Last year 2 viruses were found which infected during manufacturing process Podloso virus is the proof of concept Currently it does not have any malicious payload It just display a message on the screen that “You are infected with Oslo the first iPodLinux Virus.”