
Chapter 11

Definition:
Malware is any software program developed for the purpose of causing harm to a computer system. It is also called malicious software, malicious code, malicious program or rogue program.

Types of malware:
A) Virus
B) Backdoor
C) Logic Bomb
D) Trojan Horse
E) Worm
F) Zombie
G) Spyware
H) Adware

A) Virus
A virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the user; such programs are usually harmful rather than beneficial. A virus can only spread from one computer to another when its host is carried to the uninfected computer, e.g. a user sending it over a network or the Internet, or carrying it on a removable medium such as a USB drive. A virus can also spread to other computers by infecting files on a network file system or on a file system that is accessed by another computer. A virus needs a host program and can replicate.

A virus is also able to move, by attaching itself or with the user's help, to other documents, programs, e-mail, web pages, etc. A virus may damage, corrupt or destroy data, cause a computer to crash, etc. When the infected program is run, the viral code is also executed, and it causes a copy of itself to be inserted into one or more other programs. Viruses cannot run on their own: they need a host program to be executed in order to activate them. In the past, viruses usually infected .exe and .com executable files; more recently, viruses make use of many other file types.

Stages of a virus:
1) Dormant (not active) stage: the virus waits to be activated by some predetermined condition, e.g. a date, the execution of a certain program, etc.
2) Propagation stage: the virus places a copy of itself into another program or system area.
3) Triggering stage: the virus is activated to perform the function it intends to, triggered by some condition in the system.
4) Execution stage: the function is performed; it could be harmless.

Life cycle of a virus:
1) Creation: creating a virus requires knowledge of a programming language.
2) Replication: the virus replicates for a long period of time before activation.
3) Activation: the virus gets activated when it meets the specified conditions.
4) Discovery: when a virus is detected and isolated, it is sent to a lab (e.g. ICSA in Washington) to be documented and distributed to antivirus software developers.
5) Assimilation: antivirus developers update/modify their software so that it can detect the new virus.
6) Eradication: if users install the up-to-date virus pattern, any virus can be wiped out.

Pseudocode of a program virus:

    program virus :=
    { goto main;
      1234567;                    /* a label marking an infected program or system area */

      subroutine infect_executable :=
      { loop: file := get_random_executable_file;
        if (first_line_of_file = 1234567) then goto loop
        else { attach virus to file; }
      }

      subroutine do_damage := { whatever_damage }

      subroutine trigger_pulled := { return true if trigger_condition holds }

    main: main_program :=
      { infect_executable;
        if trigger_pulled then do_damage;
        goto next;
      }
    next:
    }

Types of viruses:
1) Bootsector virus
2) File virus
3) Macro virus
4) Companion virus
5) Cluster virus
6) Source code virus

1) Bootsector virus
The bootsector virus is the earliest type of virus. It spreads via floppy disks or hard disks. The boot sector is an area on a disk containing programs, such as the operating system, that are executed when the PC boots. When a bootsector virus had infected your disk, the machine either froze or the floppy was no longer usable until you removed the virus. Since the system sector is executed every time a PC boots, it is vulnerable to virus attack. Damage to this sector can make the disk unreadable.

2) File virus
File viruses infect executable files by inserting their code into some part of the original file so that it is executed when the program is executed. File viruses are the largest group in number. They work by locating a file whose name ends in .COM or .EXE and overwriting part of the program they are infecting. When this program is executed, the virus code executes and infects more files. More sophisticated file viruses save the original instructions when they insert their code into the program, allowing them to execute the original program after the virus finishes so that everything appears normal.

3) Macro virus
A macro virus infects a Microsoft Word or similar application document and causes a sequence of actions to be performed automatically when the application is started or something else triggers it. It is less harmful, e.g. the undesired insertion of some comic text at certain points when writing a line, or a crawling message displayed on a certain date or time. It usually spreads as an e-mail virus. Common programs with macro capability that can be exploited by viruses: MS Word, MS Excel, etc.

4) Companion virus
This virus creates a companion file for each executable file it infects. The companion virus locates all files with names ending in .EXE and then creates a matching file name ending in .COM that contains the viral code. E.g. a companion virus may save itself as abc.com, and every time a user runs abc.exe, the computer loads abc.com instead and infects the system. The virus also attempts to hide the extra files by placing them into a different directory or giving them a hidden attribute, so that a normal DIR command will not show them. These viruses are easy to detect.
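Because a companion virus leaves a .COM file with the same base name as an existing .EXE, the check is a directory walk. The script below is an added example, not part of the notes: it builds a constructed sample directory in a temporary folder (file names and contents are made up) and reports every .EXE that is shadowed by a .COM sibling, together with the companion's size and whether it carries the hidden attribute.

```python
"""Added example: find companion-virus candidates (a .COM file shadowing an .EXE).

Not part of the original notes. A constructed directory is built in a temp
folder so the check runs anywhere. The hidden attribute only exists on Windows;
on other platforms the check falls back to a leading '.' in the file name.
"""
import os
import stat
import tempfile
from typing import Dict, List


def is_hidden(path: str) -> bool:
    """True if the file has the Windows hidden attribute or a dot-prefixed name."""
    st = os.stat(path)
    hidden_attr = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)
    file_attrs = getattr(st, "st_file_attributes", 0)
    return bool(file_attrs & hidden_attr) or os.path.basename(path).startswith(".")


def find_companions(directory: str) -> List[Dict[str, object]]:
    """Report every foo.exe that has a sibling foo.com (case-insensitive)."""
    names = os.listdir(directory)
    by_lower = {n.lower(): n for n in names}
    findings = []
    for name in sorted(names):
        stem, ext = os.path.splitext(name)
        if ext.lower() != ".exe":
            continue
        com_name = by_lower.get(stem.lower() + ".com")
        if com_name is None:
            continue  # no companion for this program
        com_path = os.path.join(directory, com_name)
        findings.append({
            "exe": name,
            "com": com_name,
            "com_size": os.path.getsize(com_path),
            "hidden": is_hidden(com_path),
        })
    return findings


def build_sample_directory() -> str:
    """Constructed sample: two normal programs plus one shadowed by a tiny .COM."""
    d = tempfile.mkdtemp(prefix="companion_demo_")
    for name, content in [
        ("abc.exe", b"MZ" + b"\x00" * 200),      # legitimate program (constructed bytes)
        ("abc.com", b"\x90" * 16),              # companion: same stem, .COM extension
        ("editor.exe", b"MZ" + b"\x00" * 300),  # no companion
        ("readme.txt", b"hello"),
    ]:
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return d


if __name__ == "__main__":
    sample = build_sample_directory()
    for f in find_companions(sample):
        print(f"{f['exe']} is shadowed by {f['com']} "
              f"({f['com_size']} bytes, hidden={f['hidden']})")
```

A very small .COM next to a much larger .EXE, especially one marked hidden, is exactly the pattern the text describes; on a real system the same walk would be run over every directory on the PATH, since DOS searches those in order and prefers .COM over .EXE.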

5) Cluster virus
A cluster is the logical unit of file storage on a hard disk, managed by the computer's operating system. Any file stored on a hard disk takes up one or more clusters. The locations of the clusters are kept in the hard disk's file allocation table (FAT); when you read a file, the FAT is used to obtain the entire file for you. A cluster virus modifies FAT entries so that the virus is loaded and executed along with the desired program.

6) Source code virus
A virus that is embedded in source code or programming code. There are many different compilers and languages available, so source code can come in many forms, e.g. Visual Basic. Once the code is executed, the virus infects the system.

B) Backdoor
Also called: trap door. It needs a host program and cannot replicate. A backdoor is a secret, undocumented entry point into a program, usually inserted during code development for testing, debugging and/or future modification. It allows someone who is aware of the trapdoor to gain access without going through the usual security access procedures. Backdoors arise when the developer forgets to remove the trapdoor when done, when someone intentionally keeps the trapdoor for future modification or for accessing unauthorized information, or when someone installs a backdoor into someone else's computer or system to get access in the future.
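The "forgotten debugging shortcut" case is the one a code reviewer can catch. The block below is an added example and not from the notes: a hypothetical login routine with a leftover trap door, the hardened version beside it, and a crude review check that flags any line comparing a credential to a string literal. The user name, passwords and user store are all constructed for the demo.

```python
"""Added example (not from the notes): a leftover trap door in an authentication
routine, the hardened version, and a crude code-review check that flags
credential comparisons against string literals. User names, passwords and the
user store are constructed for the demo."""
import hashlib
import hmac
import inspect
import os
import re
from typing import Dict, List, Tuple


def _make_record(password: str) -> Tuple[bytes, bytes]:
    """Salted SHA-256 record for the constructed user store."""
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()


USERS: Dict[str, Tuple[bytes, bytes]] = {"alice": _make_record("correct horse battery staple")}


def _check_password(username: str, password: str) -> bool:
    """Normal path: look the user up and compare digests in constant time."""
    record = USERS.get(username)
    if record is None:
        hashlib.sha256(b"\x00" * 16 + password.encode()).digest()  # keep timing similar
        return False
    salt, expected = record
    return hmac.compare_digest(hashlib.sha256(salt + password.encode()).digest(), expected)


def login_with_trapdoor(username: str, password: str) -> bool:
    """Vulnerable: a debugging shortcut that was never removed before release."""
    if username == "debug" and password == "letmein":  # undocumented entry point
        return True
    return _check_password(username, password)


def login_hardened(username: str, password: str) -> bool:
    """Fixed: a single code path that always goes through the real check."""
    return _check_password(username, password)


# Matches e.g.  username == "debug"  or  password == 'x'  (hypothetical review rule)
_LITERAL_CREDENTIAL = re.compile(r"""\b(user(name)?|pass(word|wd)?|token)\b\s*==\s*["']""")


def audit_source(source: str) -> List[int]:
    """Return 1-based line numbers where a credential is compared to a string literal."""
    return [i for i, line in enumerate(source.splitlines(), start=1)
            if _LITERAL_CREDENTIAL.search(line)]


if __name__ == "__main__":
    for func in (login_with_trapdoor, login_hardened):
        hits = audit_source(inspect.getsource(func))
        print(func.__name__, "->", hits or "no literal credentials")
```

The review rule is deliberately simple; its value is that the hardened function has exactly one path to a yes answer, so any second path, however it is spelled, is the thing to look for.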

C) Logic bomb
Also called: slag code. A logic bomb is programming code inserted or embedded intentionally in a legitimate program or OS, set to perform some destructive action (to "explode") when specific conditions are met. The explosion may be designed to erase files, delete files, shut down the system, display a message, etc. Examples of logic bombs: the famous Friday the 13th, which duplicated itself every Friday and on the 13th of the month, causing system slowdown; and the Millennium time bomb, designed to take advantage of concern over the arrival of the year 2000.

The most dangerous form of logic bomb is one that activates when something doesn't happen. E.g. imagine an unethical system administrator who creates a logic bomb that deletes all of the data on a server if he doesn't log in for a month. He programs the logic bomb this way because he knows that if he is fired, he won't be able to get back into the system to set it off. His logic bomb goes off and the server is wiped clean.

A logic bomb needs a host program and cannot replicate. It will not spread to unintended victims; in some ways, a logic bomb is the most civilized programmed threat, because it must be targeted against a specific victim. Another example of a logic bomb is one used to ensure payment for software: if payment is not made by a certain date, the logic bomb activates and the software automatically deletes itself.

Trojan horse: hidden code that performs unexpected or unauthorized actions. It needs a host program and cannot replicate. The main difference between a Trojan horse and a virus is the inability of the Trojan horse to replicate itself. With the help of a Trojan, the attacker gets access to stored passwords, can read personal documents, delete files, display pictures and show messages on the screen. Example of Trojan activity: collecting a user's passwords. Examples of Trojan horses: NetBus, SubSeven, Donald Dick.

Example of a simple Trojan horse: a program named "waterfalls.scr.exe" claiming to be a free waterfall screensaver which, when run, instead begins erasing all the files on the victim's computer.

Trojan horses can cause extensive damage because they have both an overt and a covert function. The overt function can be anything the victim finds interesting. The covert function is launched while the overt function is being executed, so users do not know what is happening.

D) Trojan Horse
Example of an advanced Trojan horse: an attacker might attach a Trojan horse with an innocent-looking filename to an e-mail message that encourages the recipient to open the file. The Trojan horse itself would be a Windows executable program file, and thus must have an executable filename extension such as .exe, .com, .scr, .bat or .pif. The extension might be "masked" by giving the file a name such as 'Readme.txt.exe'; with file extensions hidden, the user would only see 'Readme.txt'. When the recipient double-clicks the attachment, the Trojan horse might do what the user expects it to do (e.g. open a text file). Meanwhile it might modify or delete files, change the configuration of the computer, or even use the computer as a base from which to attack local or other networks, possibly joining a distributed denial-of-service attack.
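The masking trick is easy to check for at the mail gateway or on the desktop. The block below is an added example, not from the notes: it uses the extension list given above and flags attachment names that end in an executable extension, distinguishing plain executables from double-extension names such as 'Readme.txt.exe'. The sample attachment names are constructed.

```python
"""Added example (not part of the notes): flag e-mail attachment names that use
the tricks described above, i.e. an executable extension, optionally hidden
behind a harmless-looking one. The extension list is the one given in the
notes; the sample names are constructed."""
import os
from typing import List, Optional

# Executable extensions named in the notes
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".bat", ".pif"}


def attachment_risk(filename: str) -> Optional[str]:
    """Return a short reason if the name looks like a disguised executable, else None."""
    name = os.path.basename(filename).strip()
    parts = name.lower().split(".")
    if len(parts) < 2:
        return None                       # no extension at all
    ext = "." + parts[-1]
    if ext not in EXECUTABLE_EXTENSIONS:
        return None
    if len(parts) >= 3:
        # e.g. Readme.txt.exe: the real extension is hidden behind a fake one
        return f"double extension: looks like .{parts[-2]} but is {ext}"
    return f"executable attachment ({ext})"


def triage(filenames: List[str]) -> List[str]:
    """Return only the names that should be quarantined for review."""
    return [f for f in filenames if attachment_risk(f) is not None]


SAMPLE_ATTACHMENTS = [  # constructed
    "Readme.txt.exe",
    "waterfalls.scr.exe",
    "report.pdf",
    "photo.JPG",
    "setup.EXE",
    "notes.txt",
]

if __name__ == "__main__":
    for f in SAMPLE_ATTACHMENTS:
        print(f"{f:22} -> {attachment_risk(f) or 'ok'}")
```

Note that the check works on the name only; whether 'report.pdf' really is a PDF needs a look at the file contents, which is what the antivirus signature scan covers.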

Some of the symptoms of a computer that is infected with SubSeven:
- The CD-ROM drive opens at random times
- Wave (.wav) files play for no reason
- Strange dialog boxes appear
- Internet downloads are slow
- Files appear or disappear
- The computer restarts whenever the infected program is started
- Files are uploaded and downloaded

How to detect Trojans:
- Scan for suspicious open ports using tools such as Netstat or Fport
- Scan for suspicious running processes using Process Viewer or Insider
- Scan for suspicious registry entries using tools such as MSConfig
- Scan for suspicious network activity using Ethereal
- Run a Trojan scanner

What a hacker can do on a system infected with a Trojan:
- Open and close the CD-ROM drawer
- Make the computer screen blink, flip upside-down or be inverted so everything is displayed backwards
- Change the default background or wallpaper settings
- Access the printer and print personal messages or print documents found in folders
- Change the color settings of the operating system to colors of their choice
- If a microphone is connected to the computer, record and listen to what is going on in the computer room
- Turn the sound volume all the way up or down to attract the attention of the victim
- Change the time and date on the computer

A common way that attackers install backdoors on a system or network is through the use of Trojan programs. A Trojan program has the capability of penetrating a company's defenses, sneaking inside the network and creating a backdoor on an unsuspecting victim. Such Trojan programs can create a backdoor on a system by opening up a port. One famous Trojan program that can do this is called Netcat.

Netcat has a lot of features and functionality. When it is receiving data, it is basically just listening on a specific port, waiting for a remote system to attach to that port. Netcat is available from www.l0pht.com. When an attacker creates a backdoor, he wants to acquire a command prompt so that he can issue whatever commands he wants on the remote system. Netcat runs on both UNIX and NT.

Tini is similar to Netcat in that it is used to create a backdoor on Windows systems. It has fewer features and is not configurable, but as its name states, it is very tiny: one of its main advantages is that it is only 3 KB in size. It takes minimal bandwidth and space to get onto a system, and after it is running, it takes up little space on the hard drive. The program is available from http://ntsecurity.nu/toolbox/tini. What makes the program so small is that it is written in assembly language. From an attacker's standpoint, the main drawback is that Tini always listens on port 7777 and runs the command prompt when someone attaches to this port. This makes it easier for a victim to detect, because if a company finds that port 7777 is open on a system, it has a very good idea that Tini is running.
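The "scan for suspicious open ports" step from the detection list, and the fixed port 7777 just described, fit together in a baseline check. The block below is an added example and not from the notes: it parses constructed lines in the style of Windows `netstat -ano` (the addresses, PIDs and the expected-listener baseline are made up for this host) and reports every listening socket that is not on the baseline, naming Tini when port 7777 shows up.

```python
"""Added example (not part of the notes): the 'scan for suspicious open ports'
step, run over constructed lines in the style of Windows `netstat -ano`. The
baseline and PIDs are made up; port 7777 is the Tini port from the notes."""
import re
from typing import Dict, List

# Constructed sample: a web server, an RDP listener, and an unexplained listener on 7777
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       3316
  TCP    192.168.1.10:49152     93.184.216.34:443      ESTABLISHED     2788
  UDP    0.0.0.0:123            *:*                                    1088
"""

# Ports this (hypothetical) host is expected to listen on
EXPECTED_LISTENERS = {("TCP", 80), ("TCP", 3389), ("UDP", 123)}

# Port-to-tool hints taken from the notes
KNOWN_BACKDOOR_PORTS = {7777: "Tini"}

LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<faddr>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def parse_listeners(netstat_text: str) -> List[Dict[str, object]]:
    """Extract sockets that accept input: TCP in LISTENING, or any bound UDP socket."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank, or otherwise unparseable line
        proto, state = m["proto"], m["state"]
        if proto == "TCP" and state != "LISTENING":
            continue  # established/outbound connection, not a listener
        listeners.append({"proto": proto, "port": int(m["lport"]), "pid": int(m["pid"])})
    return listeners


def suspicious_listeners(netstat_text: str) -> List[str]:
    """One finding per listener that is not on the expected baseline."""
    findings = []
    for sock in parse_listeners(netstat_text):
        if (sock["proto"], sock["port"]) in EXPECTED_LISTENERS:
            continue
        note = KNOWN_BACKDOOR_PORTS.get(sock["port"])
        tag = f" (known: {note})" if note else ""
        findings.append(f"{sock['proto']}/{sock['port']} pid {sock['pid']}{tag}")
    return findings


if __name__ == "__main__":
    for f in suspicious_listeners(SAMPLE_NETSTAT):
        print("unexpected listener:", f)
```

The PID in each finding is what ties this step to the next one in the list (suspicious running processes): the process owning an unexplained listener is the one to inspect.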

E) Worm
A worm is an independent program (it needs no host program) and can replicate (it makes copies of itself), e.g. from one disk drive to another, or by copying itself using e-mail or another transport mechanism. The worm may do damage and compromise the security of the computer. Example: SQL Slammer caused a denial of service on many Internet hosts and slowed down Internet traffic. It started to spread on January 25, 2003. The worm doubled in size every 8.5 seconds, and within 10 minutes it had infected more than 90% of vulnerable hosts; at least 75,000 hosts were infected. Other examples of worms: Nimda, Melissa, Netsky, Klez, I Love You, SirCam, Chernobyl, Pretty Park, Code Red, Bugbear, Doomjuice, etc.

F) Zombie
A zombie is a program that secretly takes over another Internet-attached computer and then uses that computer to launch attacks. Zombies are used in denial-of-service attacks, typically against targeted web sites. The zombie is planted on hundreds of computers belonging to unsuspecting third parties, which are then used to overload the target by launching a lot of network traffic. Example: Trinoo is an attack tool released in late December 1999 that performs a distributed denial-of-service attack. A zombie can replicate and does not need a host program.

G) Spyware
The term "spyware" is a contraction of the words "spy" and "software". Spyware is a program that hides itself on your computer and watches you and your habits as you use your computer. It collects information about the user's surfing habits or system configuration without his knowledge and then reports this information to the company that created the spyware, or to an attacker. Spyware is usually legal: in most cases, you must click "Yes" or "I Accept" before the spyware is installed. The information collected depends on the spyware and can include anything from surfing habits to passwords.

The picture below shows a common way that spyware is installed. In almost all cases where you get this window, press "No".

H) Adware
Adware is a program that hides itself on your computer and creates "pop-up" advertisements. It can also provide advertisements based on what web sites you are viewing. Adware can slow your PC by using RAM and CPU cycles, and can slow your Internet connection by using bandwidth to retrieve advertisements. In addition, adware can increase the instability of your system, because many adware applications are not programmed well.

An example of a pop-up.

LavaSoft Ad-Aware is a program that removes adware and spyware. The standard version of Ad-Aware is free.

Symptoms of an infected computer:
- Programs take longer to load
- The hard drive is always full, even without installing any programs
- The floppy disk or hard drive runs when it is not being used
- Unknown files keep appearing on the system
- Strange sounds or beeping noises come from the computer or keyboard
- The computer monitor displays strange graphics
- File names are strange and difficult to recognize
- The hard drive becomes inaccessible while trying to boot from the floppy drive
- Program sizes keep changing
- The memory on the system seems to be in use and the system slows down

1) Technical reasons
a) Lack of control: once the virus is released, the writer has no control over its spread.
b) Resource wasting: a computer virus eats up disk space, CPU time and memory during its replication.
c) Compatibility problems: a computer virus that can attach itself to any of the user's programs would be capable of disabling any of the programs that perform security checks on them.

2) Ethical and legal reasons
a) Unauthorized data modification: it is unethical and illegal to modify other people's data without their authorization, so viruses are considered to perform unethical and illegal actions.
b) Copyright and ownership problems: modifying a particular program means that the copyright or ownership of that program is voided.

3) Psychological reasons
a) Trust problems: average users who lack knowledge about viruses become afraid to use the computer, which ruins the trust that users have in their computers.

Defenses:
1) The best defense is education and awareness.
2) Use antivirus software. This is the most popular solution: it regularly scans the system looking for known signatures. Most popular antivirus products now include adware and spyware scanning; for example, the latest versions of McAfee, Norton Antivirus 2004 and Trend Micro PC-cillin 2004 now scan for some adware and spyware. Always update the antivirus pattern. But remember: new malware will not be detected by antivirus software.
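Signature scanning, and the reason new malware slips past it, come down to a substring search against a database that only grows after the discovery and assimilation steps of the life cycle above. The block below is an added example, not from the notes: the signatures and sample "files" are constructed byte strings (not real malware patterns), and the last sample differs from a known pattern by one byte to show a variant going undetected until the definitions are updated.

```python
"""Added example (not from the notes): how a signature scanner works and why new
malware slips past it. Signatures and sample 'files' are constructed byte
strings, not real malware patterns."""
from typing import Dict, List

# Constructed signature database: name -> byte pattern that identifies a known sample
SIGNATURES: Dict[str, bytes] = {
    "Demo.Companion.A": b"\x90\x90\xeb\xfe DEMO-COMPANION",
    "Demo.Macro.B": b"Sub AutoOpen() 'demo-macro",
}

# Constructed sample files: name -> content
SAMPLE_FILES: Dict[str, bytes] = {
    "abc.com": b"\x00" * 40 + b"\x90\x90\xeb\xfe DEMO-COMPANION" + b"\x00" * 10,
    "letter.doc": b"{\\rtf1 Hello}\nSub AutoOpen() 'demo-macro\n",
    "clean.exe": b"MZ" + b"\x00" * 64,
    # A variant that was never sent to the lab: one byte of the pattern changed (O -> 0)
    "abc2.com": b"\x00" * 40 + b"\x90\x90\xeb\xfe DEMO-COMPANI0N",
}


def scan_bytes(data: bytes, signatures: Dict[str, bytes]) -> List[str]:
    """Return the names of every signature whose pattern occurs in the data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def scan_files(files: Dict[str, bytes], signatures: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Scan a set of files; only files with at least one match are reported."""
    report: Dict[str, List[str]] = {}
    for name, content in files.items():
        hits = scan_bytes(content, signatures)
        if hits:
            report[name] = hits
    return report


def update_signatures(signatures: Dict[str, bytes], name: str, pattern: bytes) -> Dict[str, bytes]:
    """The 'assimilation' step: a new definition file adds the missing pattern."""
    updated = dict(signatures)
    updated[name] = pattern
    return updated


if __name__ == "__main__":
    print("before update:", scan_files(SAMPLE_FILES, SIGNATURES))
    newer = update_signatures(SIGNATURES, "Demo.Companion.A.variant", b"DEMO-COMPANI0N")
    print("after update: ", scan_files(SAMPLE_FILES, newer))
```

Before the update, abc2.com is reported clean even though it is the same code with one byte changed; after the update it is caught. That gap between discovery and assimilation is the reason the notes say to keep the pattern file current and not to rely on the scanner alone.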

3) Make sure users have and actively use current antivirus software.
4) Make sure they know what malware is and who to contact if they find it.
5) Make sure the people they contact remove the reported infection.
6) Make sure that your network administrator educates the users and keeps all signature databases up to date.

7) Web browser security
Disable browsing features like Active Scripting, JavaScript, ActiveX, Java, etc., because they have a lot of vulnerabilities that can be exploited. Surf only sites that you trust; don't go underground.

8) Install a pop-up blocker to prevent adware and spyware pop-up windows. Much spyware installs after you click a deceptive link in a pop-up browser window; if you install a pop-up blocker, you won't even be tempted to click those links. Some pop-up blockers are completely free, e.g. MSN Toolbar and Google Toolbar. Besides, pop-up windows are annoying time wasters anyway.

9) Don't simply accept to install something. If you do click what seems like an innocuous link and then see a dialog box similar to the one shown below, don't click the Yes button to install the software. You should only install programs from the Internet that you choose to install.

Malware
- When was it born or detected?
- Where was it born?
- How did it get its name?
- What are its features?
- What are its signatures?
- How does it spread?
- What are the symptoms, or how can it be recognized?
- How to protect against it?
- References
