VIRUS by wanghonghx


Viruses and Worms

   By: Olga Bibas
Malicious Programs are perhaps the most
sophisticated threats to computer systems.
These threats can be divided into two

• Those that need a host program: these are
  fragments of programs that cannot exist
  independently of some actual application
  program, utility or system program.
• Those that are independent: self-contained
  programs that can be scheduled and
  run by the operating system.
The Figure below shows these differences.

Trapdoor

• Also called a backdoor. An
  undocumented way of gaining access to a
  program, online service or an entire
  computer system without going through
  the usual security access procedures. The
  trapdoor is written by the programmer
  who creates the code for the program. It
  is often only known by the programmer.
  A trapdoor is a potential security risk.
Logic Bomb

• Malicious code embedded in some
  legitimate program that is set to
  “explode” when certain conditions
  are met. Examples of conditions
  that can be used as triggers for a
  logic bomb are the presence or
  absence of certain files, a particular
  day of the week or date, or a
  particular user running the
Trojan Horses

• A useful program containing hidden code
  that, when invoked, performs some
  unwanted or harmful function. Unlike a
  virus, Trojan horses do not replicate
  themselves but they can be just as
  destructive. One of the most insidious
  types of Trojan horse is a program that
  claims to rid your computer of viruses but
  instead introduces viruses onto your

Viruses

• A program or piece of code that is loaded
  onto your computer without your
  knowledge and runs against your wishes.
  It can infect other programs by modifying
  them; the modification includes a copy of
  the virus program, which can then go on
  to infect other programs. All computer
  viruses are manmade. A simple virus that
  can make a copy of itself over and over
  again is relatively easy to produce.
• A computer virus carries in its
  instructional code the recipe for making
  perfect copies of itself. Lodged in a host
  computer, the typical virus takes
  temporary control of the computer’s disk
  operating system. Then, whenever the
  infected computer comes into contact
  with an uninfected piece of software, a
  fresh copy of the virus passes into the
  new program.
• Since 1987, when a virus infected
  ARPANET, many antivirus programs have
  become available. These programs
  periodically check your computer system
  for the best-known types of viruses.

Bacteria

• Are programs that do not explicitly
  damage any files. Their sole purpose is to
  replicate themselves. Bacteria reproduce
  exponentially, eventually taking up all the
  processor capacity, memory, or disk
  space, denying users access to those


Worms

• A program or algorithm that replicates
  itself over a computer network and
  usually performs malicious actions, such
  as using up the computer's resources and
  possibly shutting the system down. The
  worm cannot attach itself to other
To replicate itself, a network worm uses
some sort of network vehicle.
Some examples are:

 - Electronic mail facility: A worm mails a
   copy of itself to other systems.
 - Remote execution capability: A worm
   executes a copy of itself on another
 - Remote login capability: A worm logs
   onto a remote system as a user and then
   uses commands to copy itself from one
   system to the other.
The Nature of Viruses

• A virus can do anything that other
  programs do. The only difference is that it
  attaches itself to another program and
  executes secretly when the host program
  is run. Once a virus is executing, it can
  perform any function, such as erasing
  files and programs.
A typical virus goes through the
following stages:

 - Dormant phase
 - Propagation phase
 - Triggering phase
 - Execution phase
Dormant phase

• The virus is idle. The virus will eventually
  be activated by some event, such as the
  date, the presence of another program or
  file, or the capacity of the disk exceeding
  some limit. Not all viruses have this stage.
Propagation phase

• The virus places an identical copy of itself
  into other programs or into certain
  system areas on the disk. Each infected
  program will now contain a clone of the
  virus, which will itself enter a
  propagation phase.
Triggering phase

• The virus is activated to perform the
  function for which it was intended. This
  phase can be caused by a variety of
  system events, including a count of the
  number of times that this copy of the
  virus has made copies of itself.
Execution phase

• The function is performed. The function
  may be harmless, such as a message on
  the screen, or damaging, such as the
  destruction of programs and data files.
Virus Structure

• The key to the operation of the virus is
  that the infected program, when
  invoked, will first execute the virus code
  and then execute the original code of the
Initial infection

• Most viral infections initiate with a disk
  from which programs are copied onto a
  machine. Many of these disks are games
  or any information that employees bring
  from their home computers and put on
  an office machine. Only a small fraction of
  infections start across a network
• Once a virus has gained entry to a system
  by infecting a program, it is in a position
  to infect some or all other executable
  files on that system when the infected
  program executes. Viral infections can be
  prevented by not letting the virus gain
  entry in the first place. Prevention might
  be quite difficult because a virus can be
  part of any program outside the system.
Types of Viruses

 - Parasitic virus: It attaches itself to
   executable files and replicates, when the
   infected program is executed, by finding
   other executable files to infect.
 - Memory-resident virus: Lodges in main
   memory as part of a resident system
   program. From that point on, the virus
   infects every program that executes.
 - Boot sector virus: Infects a master boot
   record or boot record and spreads when a
   system is booted from the disk containing
   the virus.
 - Stealth virus: A form of virus explicitly
   designed to hide itself from detection by
   antivirus software.
 - Polymorphic virus: A virus that
   mutates with every infection, making
   detection by the “signature” of the virus
Macro Viruses
These viruses are threatening

1. Virtually all macro viruses infect
   Microsoft Word documents. Any
   hardware platform and operating
   system that supports Word can be
2. Macro viruses infect documents, not
   executable portions of code. Most of the
   information introduced into a computer
   is in the form of documents.
3. Macro viruses are easily spread.
   Example: electronic mail.
Macro viruses take advantage of a feature
found in office applications, such as
Microsoft Excel or Microsoft Word. This
feature is the macro.

A macro virus spreads as follows. A command
macro is attached to a Word document
that is introduced into a system by e-mail
or disk transfer. At some point, when the
document is opened, the macro executes.
The macro copies itself to the global
macro file. When the next session of
Word opens, the infected global macro is
active. When this macro executes, it can
replicate itself and cause damage.
Macro Virus Protection tool

 Microsoft offers an optional Macro Virus
 Protection tool that detects suspicious
 Word files and alerts the customer to the
 potential risk of opening a file with
 macros. Antivirus vendors have also
 developed tools to detect and correct
 macro viruses.

 The ideal solution to the threat of viruses
 is to not allow them to get into the
 system in the first place. This is
 impossible to achieve, although
 prevention can reduce the number of
 successful viral attacks.
Advanced Antivirus Techniques

 Two of the most important sophisticated
 antivirus approaches are:

 - Generic Decryption
 - Digital Immune System
Generic Decryption

This technology enables the antivirus
program to detect easily even the most
complex polymorphic viruses while
maintaining fast scanning speeds. When a
file containing a polymorphic virus is
executed, the virus must decrypt itself to
activate. In order to detect such a
structure, executable files are run
through a Generic Decryption scanner.
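
The idea behind Generic Decryption can be shown in miniature. The following is an added example written for this page, not code from any antivirus product: a plain signature scan misses a body that has been encrypted with a per-infection key, so the scanner interprets the sample's own decryption stub inside a bounded emulator and scans the decrypted result instead. The stub layout, the two opcodes, the step budget and the signature string are all constructed for the example.

```python
"""Toy model of Generic Decryption: static signature scan, then emulate the
sample's decryption loop and rescan the decrypted memory image.
Stub format, opcodes and signature are constructed for this example."""

# Constructed byte signature a scanner would hold for one known payload body.
SIGNATURE = b"PAYLOAD-MARKER"

# Constructed stub layout for the toy "executable":
#   byte 0     opcode of the decryption loop (0x01 = XOR each byte, 0x02 = subtract key)
#   byte 1     one-byte key, different on every "infection"
#   bytes 2-3  body length, big-endian
#   bytes 4..  encrypted body
OP_XOR, OP_SUB = 0x01, 0x02
MAX_STEPS = 4096  # emulation budget: one loop iteration per body byte


def encode_sample(body: bytes, opcode: int, key: int) -> bytes:
    """Build a constructed sample whose body is hidden behind the given stub.
    A different key or opcode yields a different byte image on disk, which is
    what defeats a plain signature scan."""
    if opcode == OP_XOR:
        enc = bytes(b ^ key for b in body)
    elif opcode == OP_SUB:
        enc = bytes((b + key) & 0xFF for b in body)
    else:
        raise ValueError(f"unknown opcode {opcode:#x}")
    return bytes([opcode, key]) + len(body).to_bytes(2, "big") + enc


def emulate_stub(image: bytes, max_steps: int = MAX_STEPS) -> bytes:
    """Interpret the stub header and run its decryption loop, returning the
    decrypted body. The step budget keeps a malformed or hostile stub from
    stalling the scanner, which is the central engineering problem of real
    generic-decryption engines."""
    if len(image) < 4:
        raise ValueError("image too short for a stub header")
    opcode, key = image[0], image[1]
    length = int.from_bytes(image[2:4], "big")
    body = image[4:4 + length]
    if len(body) != length:
        raise ValueError("length field exceeds image")
    if length > max_steps:
        raise ValueError("decryption loop exceeds emulation budget")
    if opcode == OP_XOR:
        return bytes(b ^ key for b in body)
    if opcode == OP_SUB:
        return bytes((b - key) & 0xFF for b in body)
    raise ValueError(f"unknown opcode {opcode:#x}")


def static_scan(image: bytes) -> bool:
    """Plain signature match on the bytes as stored on disk."""
    return SIGNATURE in image


def generic_decryption_scan(image: bytes) -> bool:
    """Signature scan first; if that misses, emulate the stub and scan the
    decrypted memory image."""
    if static_scan(image):
        return True
    try:
        decrypted = emulate_stub(image)
    except ValueError:
        return False  # not a recognisable stub: nothing to emulate
    return SIGNATURE in decrypted


def demo() -> dict:
    """Scan three constructed variants of the same body plus one benign image,
    showing the static-scan miss and the emulated hit."""
    body = b"constructed body ... PAYLOAD-MARKER ... end"
    variants = {
        "xor-0x5a": encode_sample(body, OP_XOR, 0x5A),
        "xor-0x13": encode_sample(body, OP_XOR, 0x13),
        "sub-0x77": encode_sample(body, OP_SUB, 0x77),
    }
    benign = encode_sample(b"ordinary program text", OP_XOR, 0x21)
    return {
        "static_hits": {name: static_scan(img) for name, img in variants.items()},
        "emulated_hits": {name: generic_decryption_scan(img) for name, img in variants.items()},
        "benign_flagged": generic_decryption_scan(benign),
    }


if __name__ == "__main__":
    print(demo())
```

The emulator is deliberately tiny; what carries over to real engines is the shape of the decision: emulate only until the body is in the clear, cap the work so a hostile stub cannot run forever, and apply the ordinary signature database to the decrypted memory rather than to the file on disk.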
Digital Immune System

 The objective of this system is to provide
 rapid response time so that viruses can
 be stamped out almost as soon as they
 are introduced. When a virus enters an
 organization, the immune system
 automatically captures it, analyzes it,
 adds detection and shielding for it,
 removes it, and passes information about
 the virus to systems running IBM
 AntiVirus so that it can be detected
 before it is allowed to run elsewhere.
NIST recommends using a two-tiered
approach for detecting and preventing
viruses from spreading:

• On personal computers, install and use
  anti-virus software capable of scanning
  disks, attachments to email, files
  downloaded from the web, and
  documents generated by word processing
  and spreadsheet programs.

• Use anti-virus software at Internet
  gateways or firewalls to scan email
  attachments and other downloaded files.
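
The gateway tier above amounts to inspecting every attachment before it reaches a desktop. The following is an added example, not NIST's or any vendor's code, of the checks such a filter applies: an executable file extension, the MZ header that PE and DOS executables begin with, and a declared MIME type that does not match executable content. The rule set and the sample message are constructed; the attachment name README.EXE is the one the Nimda description later on this page uses.

```python
"""Gateway-side attachment inspection (NIST's second tier), as an added
example. Rules and sample message are constructed for this page."""

import email
import os
from email import policy
from email.message import EmailMessage

# Constructed rule set: extensions Windows will execute on open, and the
# two-byte header every PE/DOS executable starts with.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs", ".js", ".dll"}
MZ_HEADER = b"MZ"


def inspect_attachment(part) -> list[str]:
    """Return the reasons an attachment should be held, or [] if none apply."""
    reasons = []
    name = part.get_filename() or ""
    ext = os.path.splitext(name.lower())[1]
    payload = part.get_payload(decode=True) or b""
    ctype = part.get_content_type()

    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    if payload.startswith(MZ_HEADER):
        reasons.append("content starts with MZ (PE/DOS executable)")
        # Executable bytes under a non-application type are a masquerade.
        if not ctype.startswith("application/"):
            reasons.append(f"declared type {ctype} does not match executable content")
    return reasons


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Parse a raw RFC 5322 message and map each suspicious attachment name
    to the reasons it was flagged. Body parts without an attachment
    disposition are skipped."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        reasons = inspect_attachment(part)
        if reasons:
            findings[part.get_filename() or "<unnamed>"] = reasons
    return findings


def build_sample_message() -> bytes:
    """Constructed mass-mailer style message: a text body, a benign text
    attachment, and an executable attachment named README.EXE whose declared
    MIME type does not match its content."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("Constructed body text; the attachments are the point.")
    msg.add_attachment("constructed notes\n", filename="notes.txt")
    # Real MZ header followed by constructed filler; not a real program.
    fake_exe = MZ_HEADER + b"\x90\x00" + b"constructed filler, not a real program"
    msg.add_attachment(fake_exe, maintype="image", subtype="gif", filename="README.EXE")
    return msg.as_bytes()


def demo() -> dict[str, list[str]]:
    return scan_message(build_sample_message())


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```

Checking the content header as well as the file name matters because the desktop tier trusts neither: a renamed executable still starts with MZ, and a type mismatch is itself a reason to hold the message.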
Discovered on: September 18, 2001

W32.Nimda.A@mm is a new mass-mailing
worm that utilizes email to propagate
itself. The threat arrives as readme.exe in
an email. It is a virus infecting both local
files and files on remote network shares.

Type: Worm
It affects Windows 95, Windows 98,
Windows Me, Windows NT 4 and
Windows 2000 users.

Nimda is the first worm to modify existing
web sites to start offering infected files
for download. Also it is the first worm to
use normal end user machines to scan for
vulnerable web sites.

1) File infection

 Nimda locates EXE files from the local
 machine and infects them by putting the
 file inside its body as a resource, thus
 'assimilating' that file. These files then
 spread the infection when people
 exchange programs such as games.
2) Mass mailer

 Nimda locates e-mail addresses via MAPI
 from your e-mail client as well as
 searching local HTML files for additional
 addresses. Then it sends one e-mail to
 each address. These mails contain an
 attachment called README.EXE, which
 might be executed automatically on some
3) Web worm

 Nimda starts to scan the internet, trying
 to locate www servers. Once a web
 server is found, the worm tries to infect it
 by using several known security holes. If
 this succeeds, the worm will modify
 random web pages on the site. End result
 of this modification is that web surfers
 browsing the site will get automatically
 infected by the worm.
4) LAN propagation

 The worm will search for file shares in
 the local network, either from file servers
 or from end user machines. When other
 users try to open these files from these
 directories, Word, WordPad or Outlook
 will execute RICHED20.DLL causing an
 infection of the PC. The worm will also
 infect remote files if it was started on a
E-Mail spreading:

• The worm searches through all the '.htm'
  and '.html' files in the Temporary Internet
  Files folder for e-mail addresses. It reads
  through the user's inbox and collects the
  sender addresses. When the address list
  is ready it uses its own SMTP engine to
  send the infected messages.
IIS spreading:

• The worm uses backdoors on IIS servers
  such as the one Code Red II installs. It
  scans random IP addresses for these
  backdoors. When a host is found to have
  one, the worm instructs the machine to
  download the worm code (Admin.dll)
  from the host used for scanning. After
  this it executes the worm on the target
  machine, infecting it this way.

• F-Secure Anti-Virus with the latest
  updates can detect and disinfect Nimda
  infections. But full disinfection of the
  worm will require some additional
  manual actions.
• The F-NIMDA tool was developed to
  automate these actions. Download it from
• A web site can get infected in two ways:
  1) Infected htmls are copied to the
     secure site. If there are infected
     computers in your organization, their
     local html files get infected. Users might
     then later copy or upload such infected
     pages to your www server. Alternatively,
     if your www files are accessible via file
     sharing the worm might infect them
     directly from a workstation. To clean your
     site, locate all html pages which refer to
     "README.EML" and remove the extra
     JavaScript code from the end of the
  2) Direct web worm infection. If your web
     site is running an unsafe version of IIS,
     the worm can infect your site by
     accessing it through http. After this it will
     restart spreading from your server. In
     this case, it is not enough to just clean
     the virus - your web server is unsafe and
     has been so for a while. It's likely there
     have been previous illegitimate accesses to
     your site as well and it should be
     considered compromised. We recommend
     rebuilding the web server and applying the
     latest patches before restoring clean
     copies of the html pages.
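
The clean-up step for the first route (find every HTML page that refers to README.EML and remove the script appended to the end of it) is mechanical enough to script. The following is an added example written for this page, not the F-NIMDA tool or any F-Secure code. It assumes the appended code is the last `<script>` element in the file, followed at most by closing tags; pages that mention the file name anywhere else are reported for manual review but left untouched. The sample pages are constructed and contain no worm code, only the file-name reference the check looks for.

```python
"""Locate HTML pages that refer to README.EML and strip a script block
appended to the end of the page. Added example; sample pages constructed."""

import re
import tempfile
from pathlib import Path

MARKER = re.compile(rb"readme\.eml", re.IGNORECASE)
WEB_EXTENSIONS = {".htm", ".html"}
# Whitespace and closing tags only, e.g. b"</body></html>\n".
ONLY_CLOSING_TAGS = re.compile(rb"(?:\s|</[a-z0-9]+>)*", re.IGNORECASE)


def find_references(root: Path) -> list[Path]:
    """Return every .htm/.html file under root that mentions README.EML."""
    return sorted(
        p for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in WEB_EXTENSIONS and MARKER.search(p.read_bytes())
    )


def strip_appended_script(html: bytes) -> tuple[bytes, bool]:
    """Remove the trailing <script>...</script> block if it refers to README.EML.
    Returns (new_html, changed). Anything not matching the assumed shape is
    returned unchanged so a human can look at it."""
    lower = html.lower()
    start = lower.rfind(b"<script")
    if start == -1:
        return html, False
    end = lower.find(b"</script>", start)
    if end == -1:
        return html, False
    end += len(b"</script>")
    if not ONLY_CLOSING_TAGS.fullmatch(lower, end):  # other content follows the script
        return html, False
    if not MARKER.search(lower, start, end):  # last script is unrelated
        return html, False
    return html[:start].rstrip() + b"\n", True


# Constructed sample pages. The "infected" one only refers to the file name.
CLEAN_PAGE = b"<html><body><h1>Welcome</h1></body></html>\n"
INFECTED_PAGE = CLEAN_PAGE + b"<script>/* constructed stand-in: refers to readme.eml */</script>\n"
INLINE_REFERENCE_PAGE = b"<html><body><p>see readme.eml</p></body></html>\n"


def demo() -> dict:
    """Write the constructed pages into a temporary web root, then scan and clean."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_bytes(INFECTED_PAGE)
        (root / "inline.html").write_bytes(INLINE_REFERENCE_PAGE)
        (root / "about.htm").write_bytes(CLEAN_PAGE)
        (root / "notes.txt").write_bytes(b"mentions readme.eml but is not a web page\n")

        hits = find_references(root)
        cleaned = []
        for path in hits:
            new_html, changed = strip_appended_script(path.read_bytes())
            if changed:
                path.write_bytes(new_html)
                cleaned.append(path.name)
        return {
            "hits": sorted(p.name for p in hits),          # need attention
            "cleaned": sorted(cleaned),                     # fixed automatically
            "index_after": (root / "index.html").read_bytes(),
        }


if __name__ == "__main__":
    result = demo()
    print("referencing pages:", result["hits"])
    print("cleaned:", result["cleaned"])
```

Reporting the hits separately from the automatic clean-ups is the useful part: a page that refers to README.EML without the expected trailing script was not modified by this route, and, as the text notes for the second route, that is a sign the server itself needs to be treated as compromised rather than merely cleaned.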
Important sites to visit

• For an updated website of virus
  information, check out the Federal
  Computer Incident Response Capability
  (FedCIRC's) database.
• The provides a
  list of viruses that are currently loose "in
  the wild," or active and infecting systems
  at the current moment.
• The ICSA is a listing of viruses known to
  be circulating and currently infecting
  computer systems.
• Network Associates Incorporated (A.K.A.
  McAfee) hosts a wide variety of virus
  information. Click on this link to access
  NAI's virus data.
• Symantec Corporation also maintains a
  comprehensive database of computer
  virus characteristics and effects. Click on
  this link to access Symantec.
• Computer Associates provides this
  personal edition of their "InoculateIt"
  antivirus tool. This version also detects
  distributed denial of service (DDoS) daemons
  residing on your desktop. (Runs under
  WIN95, WIN 98 and WINNT with service
  pack 3 and above)
• Aladdin Complete list of computer virus
• F-Secure Security Information Center is
  another resource for virus information.
