Sie sind auf Seite 1von 28

Computer Viruses

Introduction
Computer virus have become todays headline news With the increasing use of the Internet, it has become easier for virus to spread Virus show us loopholes in software Most virus are targeted at the MS Windows OS

Definition
Virus : A true virus is capable of self replication on a machine. It may spread between files or disks, but the defining character is that it can recreate itself on its own with out traveling to a new host

Overview
Background Symptoms Classifying Viruses Examples Protection/Prevention Conclusion

Background
There are estimated 30,000 computer viruses in existence Over 300 new ones are created each month First virus was created to show loopholes in software

Virus Languages
ANSI COBOL C/C++ Pascal VBA Unix Shell Scripts JavaScript Basically any language that works on the system that is the target

Symptoms of Virus Attack


Computer runs slower then usual
Computer no longer boots up Screen sometimes flicker PC speaker beeps periodically System crashes for no reason Files/directories sometimes disappear Denial of Service (DoS)

Virus through the Internet


Today almost 87% of all viruses are spread through the internet (source: ZDNet) Transmission time to a new host is relatively low, on the order of hours to days Latent virus

Classifying Virus - General


Virus Information
Discovery Date: Origin: Length: Type: SubType: Risk Assessment: Category:

Classifying Virus - Categories


Stealth Polymorphic Companion Armored

Classifying Virus - Types


Trojan Horse Worm Macro

Trojan Horse

Covert Leaks information Usually does not reproduce

Trojan Horse
Back Orifice
Discovery Date: Origin: Length: Type: SubType: 10/15/1998 Pro-hacker Website 124,928 Trojan Remote Access

Risk Assessment: Low

Category:

Stealth

Trojan Horse
About Back Orifice
requires Windows to work distributed by Cult of the Dead Cow similar to PC Anywhere, Carbon Copy software allows remote access and control of other computers install a reference in the registry once infected, runs in the background by default uses UDP port 54320 TCP port 54321 In Australia 72% of 92 ISP surveyed were infected with Back Orifice

Trojan Horse
Features of Back Orifice
pings and query servers reboot or lock up the system list cached and screen saver password display system information logs keystrokes edit registry server control receive and send files display a message box

Worms
Spread over network connection Worms replicate First worm released on the Internet was called Morris worm, it was released on Nov 2, 1988.

Worms
Bubbleboy
Discovery Date: Origin: Length: Type: SubType: 4992 Worm/Macro VbScript 11/8/1999 Argentina (?)

Risk Assessment: Low

Category:

Stealth/Companion

Worms
Bubbleboy
requires WSL (windows scripting language), Outlook or Outlook Express, and IE5 Does not work in Windows NT Effects Spanish and English version of Windows

2 variants have been identified


Is a latent virus on a Unix or Linux system May cause DoS

Worms
How Bubbleboy works
Bubbleboy is embedded within an email message of HTML format. a VbScript while the user views a HTML page a file named Update.hta is placed in the start up directory upon reboot Bubbleboy executes

Worms
How Bubbleboy works
changes the registered owner/organization
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentV ersion\RegisteredOwner = Bubble Boy HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentV ersion\RegisteredOrganization = Vandalay Industry

using the Outlook MAPI address book it sends itself to each entry marks itself in the registry
HKEY_LOCAL_MACHINE\Software\Outlook.bubbleboy = OUTLOOK.Bubbleboy1.0 by Zulu

Macro
Specific to certain applications Comprise a high percentage of the viruses Usually made in WordBasic and Visual Basic for Applications (VBA) Microsoft shipped Concept, the first macro virus, on a CD ROM called "Windows 95 Software Compatibility Test" in 1995

Macro
Melissa
Discovery Date: 3/26/1999 Origin: Newsgroup Posting Length: Type: Subtype: Category: varies depending on variant Macro/Worm Macro Companion

Risk Assessment: High

Macro
Melissa
requires WSL, Outlook or Outlook Express Word 97 SR1 or Office 2000 105 lines of code (original variant) received either as an infected template or email attachment lowers computer defenses to future macro virus attacks may cause DoS infects template files with its own macro code 80% of of the 150 Fortune 1000 companies were affected

Macro
How Melissa works
the virus is activated through a MS word document document displays reference to pornographic websites while macro runs 1st lowers the macro protection security setting for future attacks checks to see is it has run in current session before
HKEY_LOCAL_MACHINE\Software\Microsoft\Office\Melissa = by Kwyjibo

propagates itself using the Outlook MAPI address book (emails sent to the first 50 addresses)

Macro
How Melissa works
infects the Normal.dot template file with its own code Lastly if the minutes of the hour match up to the date the macro inserts a quote by Bart Simpson into the current document
Twenty two points, plus triple word score, plus fifty points for using all my letters. Games over. Im outta here.

Protection/Prevention
Knowledge Proper configurations Run only necessary programs Anti-virus software

Conclusion
You know know more about virus and how: viruses work through your system to make a better virus Have seen how viruses show us a loophole in popular software Most viruses show that they can cause great damage due to loopholes in programming

Questions?
Copies of the latest lovebug virus code are availablein print