
COMPUTER VIRUS

Presented by:
Manish Dixit 2011ecs37
Kaviraj 2011ecs50
Arshit Mahajan 2011ces53

Computer Network Security Assignment!

WHAT IS VIRUS?

Computer viruses are small software programs that are designed to spread from one computer to
another and to interfere with computer operation.

A virus might corrupt or delete data on your computer, use your e-mail program to spread itself to
other computers, or even erase everything on your hard disk.

Viruses are most easily spread by attachments in e-mail messages or instant messaging messages.
That is why it is essential that you never open e-mail attachments unless you know who it's from and
you are expecting it.

Viruses can be disguised as attachments of funny images, greeting cards, or audio and video files.
Viruses also spread through downloads on the Internet. They can be hidden in illicit software or other
files or programs you might download.

To help avoid viruses, it's essential that you keep your computer current with the latest updates and
antivirus tools, stay informed about recent threats, and follow a few basic rules when you surf the
Internet, download files, and open attachments.

Once a virus is on your computer, its type or the method it used to get there is not as important as
removing it and preventing further infection.


Viruses


Taxonomy of Malicious Programs

Needs a host program:
  Trapdoors
  Logic Bombs
  Trojan Horses
  Viruses

Independent:
  Bacteria
  Worms

Types of Viruses
Parasitic Virus - attaches itself to executable files as part of their code. Runs whenever the host program runs.
Memory-resident Virus - lodges in main memory as part of the resident operating system.
Boot Sector Virus - infects the boot sector of a disk, and spreads when the operating system boots up (original DOS viruses).
Stealth Virus - explicitly designed to hide from virus scanning programs.
Polymorphic Virus - mutates with every new host to prevent signature detection.

Viruses: Are There Good Ones?

Possible ideas for a good virus are:

An Anti-Virus Virus
  Finds other viruses and kills them
File Compressor Virus
  Compresses the file it infects
Encryption Virus
  Infects the boot sector and encrypts the disk with a user-supplied password
Maintenance Virus
  Traverses a network and performs maintenance functions on individual machines

File (Parasitic) Viruses

Simple File Viruses
  After transplanting itself into the executable, the executable often doesn't work.

Stealth Component
  Works very similarly to stealth system sector viruses.
  Masks the file size of infected files when a directory listing is done on them.

File Infectors

[Figure: file infector layouts. Prepended virus (.COM): the virus code is placed before the program's start. Appended virus (.COM & .EXE): the virus code is placed after the program's end and reached by a jump inserted at the start. Legend: virus code, program flow.]

Anti-Virus Technologies
Scanners
Interceptors
Disinfectors
Heuristics
Inoculators
Integrity Checkers
Safe Computing (aka Common Sense)
NBAR/QoS
EICAR test string
Anti-Virus Packages
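As an added illustration of the integrity-checker idea listed above (example code written for this page, not from the original slides): it hashes every file under a directory, keeps that as a baseline, and later reports files that were added, removed or changed, which is how a parasitic infector or a dropped file shows up even when a scanner has no signature for it. The sample files and the simulated infection inside demo() are constructed.

```python
import hashlib
import os
import tempfile


def build_baseline(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            baseline[os.path.relpath(full, root)] = h.hexdigest()
    return baseline


def diff_baselines(old, new):
    """Compare two baselines. A changed hash on a known executable is the
    trace an appending/prepending infector leaves; an unexpected new file
    may be a dropped payload; a missing file may have been overwritten."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
    }


def demo():
    """Constructed scenario: baseline two sample files, then simulate an
    appending infector on app.exe and a dropped file, and report the diff."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("app.exe", b"MZ-original"), ("readme.txt", b"hello")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        before = build_baseline(root)
        # Simulated infection: placeholder bytes appended, placeholder file dropped.
        with open(os.path.join(root, "app.exe"), "ab") as fh:
            fh.write(b"<appended placeholder bytes>")
        with open(os.path.join(root, "dropped.com"), "wb") as fh:
            fh.write(b"<dropped placeholder file>")
        return diff_baselines(before, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline must be stored somewhere the infected machine cannot alter (read-only media or a separate host), otherwise a stealth component can simply update it.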

HOW DO I REMOVE A COMPUTER VIRUS?
If your computer is infected with a virus, you'll want to remove it as quickly as possible. A fast way to check for viruses is to use an online scanner, such as the Microsoft Safety Scanner. The scanner is a free online service that helps you identify and remove viruses, clean up your hard disk, and generally improve your computer's performance.

If you're not sure whether your computer has a virus, see "How can I tell if my computer has a virus?" to check for some telltale signs. To try a different online scanner, follow the links to other companies that provide them on the Windows Security software providers webpage.
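Before relying on a scanner, it is worth confirming that it detects the EICAR test string listed under the anti-virus technologies slide, which is the standard way to test a scanner without any real malware. Added example, not from the original slides: it writes an EICAR test file and checks a file against the published rules (the 68-byte string first, only whitespace after it, at most 128 bytes in total); the file names and the near-miss inputs are constructed.

```python
import os
import tempfile

# The EICAR standard anti-virus test string (68 bytes); raw string keeps the backslash.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Whitespace bytes the EICAR specification permits after the string.
_TRAILING = b" \t\r\n\x1a"


def is_eicar_file(data):
    """Return True if `data` is a valid EICAR test file: it starts with the
    68-byte string, everything after it is whitespace, and it is <= 128 bytes."""
    body = EICAR.encode("ascii")
    if len(data) > 128 or not data.startswith(body):
        return False
    return all(b in _TRAILING for b in data[len(body):])


def write_eicar(path):
    """Write a test file that a correctly working scanner should flag."""
    with open(path, "wb") as fh:
        fh.write(EICAR.encode("ascii") + b"\n")
    return path


def demo():
    """Constructed check: write the file, read it back and validate it,
    alongside two near-misses that a scanner is not required to detect."""
    with tempfile.TemporaryDirectory() as d:
        path = write_eicar(os.path.join(d, "eicar.com"))
        with open(path, "rb") as fh:
            ok = is_eicar_file(fh.read())
    padded = is_eicar_file(EICAR.encode("ascii") + b"X" * 70)  # over 128 bytes
    shifted = is_eicar_file(b" " + EICAR.encode("ascii"))      # leading whitespace
    return ok, padded, shifted


if __name__ == "__main__":
    print(demo())
```

A scanner that does not react to the written file is not protecting the machine, whatever its status icon says.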

General Information About Computer Viruses

Different Malware Types

Malware is a general name for all programs that are harmful: viruses, trojans, worms and all other similar programs.

Viruses

A computer virus is a program, a block of executable code, which attaches itself to, overwrites or otherwise replaces another program in order to reproduce itself without the knowledge of the PC user.

There are a couple of different types of computer viruses: boot sector viruses, parasitic viruses, multipartite viruses, companion viruses, link viruses and macro viruses. These classifications take into account the different ways in which the virus can infect different parts of a system. The manner in which each of these types operates has one thing in common: any virus has to be executed in order to operate.

Most viruses are pretty harmless. The user might not even notice the virus for years. Sometimes viruses might cause random damage to data files, and over a long period they might destroy files and disks. Even benign viruses cause damage by occupying disk space and main memory and by using up CPU processing time. There is also the time and expense wasted in detecting and removing viruses.

Trojan

A Trojan Horse is a program that does something other than what the user thought it would do. It is mostly done to someone on purpose. Trojan Horses are usually masked so that they look interesting, for example a saxophone .wav file that interests a person collecting sound samples of instruments. A Trojan Horse differs from a destructive virus in that it doesn't reproduce. There have been password trojans out in AOL land (America Online), Password30 and Pasword50, which some people thought were .wav files, but they were disguised and people did not know that they had the trojan in their systems until they tried to change their passwords.

According to an administrator of AOL, the Trojan steals passwords and sends an e-mail to the hacker's fake name, and then the hacker has your account in his hands.

Trojan Horses
A program which appears to be legitimate, but performs unintended actions.

Trojan Horses can install backdoors, perform malicious scanning, monitor system logins and carry out other malicious activities.

Windows Backdoors

Back Orifice
Back Orifice 2000 (BO2K)
NetBus
WinVNC (Virtual Network Computing)
SubSeven


Netbus
Provides remote administration of Windows 9x and NT systems.
Allows full control over windows and devices (open and close windows remotely, screen capture, open and close the CD-ROM tray).
Logs keystrokes.
Listens on TCP/UDP 12345 and 12346 (configurable in v1.7 and up) for connections.
Listens on TCP/UDP 20034 (v2.x) for connections.

Trojans - Jokes
One time this guy walks into a bar...
Newest category of trojans.
Designed to look extremely malicious and are visual to the user.
Don't really do anything at all.

Worms


Worm
A worm is a program which usually spreads over network connections.
Unlike a virus, which attaches itself to a host program, worms always need a host program to spread.
In practice, worms are not normally associated with single-person computer systems.
They are mostly found in multi-user systems such as Unix environments.
A classic example of a worm is Robert Morris's Internet worm of 1988.

Why Worms?
Ease
  Write and launch once
  Many acquisitions
  Continually working
Pervasiveness
  Weeds out weakest targets
  Penetrates difficult networks

The Worm's Beginnings

John Shoch invented the concept at Xerox's Palo Alto research labs in 1978.
Designed as a useful tool that borrowed clock cycles from idle CPUs.
Actually got out of control back then as well.

How it Didn't Bring 6,000 Machines Down

The worm didn't alter or destroy files.
The worm didn't save or transmit the passwords which it cracked.
The worm didn't make special attempts to gain root or superuser access in a system (and didn't utilize the privileges if it managed to get them).
The worm didn't place copies of itself or other programs into memory to be executed at a later time. (Such programs are commonly referred to as time bombs.)
The worm didn't attack machines other than Sun 3 systems and VAX computers running 4 BSD Unix (or equivalent).
The worm didn't attack machines that weren't attached to the Internet.
The worm didn't travel from machine to machine via disk.
The worm didn't cause physical damage to computer systems.

How it Did Take 10% of the Net Down

Utilized a variety of Unix security holes.
Sendmail remote debug
  Allowed the worm to execute remote commands on the system.
Obtained user lists.
Ran a dictionary attack of 432 common passwords on the user lists.
Most passwords today are as insecure as in 1988.

How the First Worm Changed System Administration
File access should be limited (the worm could open the encrypted password file).
Networks should use a conglomerate of OSes, i.e. a UNIX virus won't infect a Win2k server.
Brought about forums of geeks (us) for sharing research.
Beware of reflexes! Many SAs shut down sendmail to stop the virus, but that only delayed information on how to patch and fix it.
Logs are monotonous but are extremely useful in troubleshooting.
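The point above about logs being worth reading, and the earlier one about the 432-word dictionary attack, can be tied together: an online password-guessing run against many accounts leaves a very recognisable trace in authentication logs. Added example written for this page (not from the slides): it parses constructed sshd-style log lines and flags any single source address that fails logins against several different accounts; the log lines, host name and addresses are all made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in a syslog-like sshd format (not real log data).
SAMPLE_LOG = """\
Nov 2 23:01:02 host1 sshd[101]: Failed password for alice from 10.0.0.5 port 40001
Nov 2 23:01:03 host1 sshd[102]: Failed password for bob from 10.0.0.5 port 40002
Nov 2 23:01:03 host1 sshd[103]: Failed password for carol from 10.0.0.5 port 40003
Nov 2 23:01:04 host1 sshd[104]: Failed password for dave from 10.0.0.5 port 40004
Nov 2 23:01:05 host1 sshd[105]: Accepted password for erin from 10.0.0.5 port 40005
Nov 2 23:02:10 host1 sshd[106]: Failed password for alice from 192.168.1.9 port 5001
Nov 2 23:02:40 host1 sshd[107]: Accepted password for alice from 192.168.1.9 port 5002
"""

LINE_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")


def summarize_auth(log_text):
    """Per source address: accounts with failed attempts, failure count, success count."""
    stats = defaultdict(lambda: {"accounts": set(), "failed": 0, "accepted": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # lines that are not password-auth events are ignored
        outcome, user, src = m.groups()
        if outcome == "Failed":
            stats[src]["failed"] += 1
            stats[src]["accounts"].add(user)
        else:
            stats[src]["accepted"] += 1
    return stats


def find_dictionary_attacks(log_text, min_failed=3, min_accounts=3):
    """One source failing against many distinct accounts is the pattern a
    password-guessing run leaves; a single user mistyping once is not.
    A success right after such a burst is the case to investigate first."""
    hits = []
    for src, s in summarize_auth(log_text).items():
        if s["failed"] >= min_failed and len(s["accounts"]) >= min_accounts:
            hits.append({"source": src, "accounts": sorted(s["accounts"]),
                         "failed": s["failed"],
                         "followed_by_success": s["accepted"] > 0})
    return hits


if __name__ == "__main__":
    for hit in find_dictionary_attacks(SAMPLE_LOG):
        print(hit)
```

The thresholds are deliberately low for the seven-line sample; on a real host they would be tuned against normal failure rates over a time window.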

Six Components of Worms

Reconnaissance
Specific Attacks
Command Interface
Communication Mechanisms
Intelligence Capabilities
Unused and Non-attack Capabilities


Specific Attacks
Exploits
  Buffer overflows, cgi-bin, etc.
  Trojan horse injections
Limited in targets
Two components
  Local, remote

Communications
Information transfer
Protocols
Stealth concerns


UNIX Worms

Ramen Worm (01/2001)
Lion Worm (02/2001)
Adore Worm (04/2001)
Cheese Worm (05/2001)
Sadmind Worm (05/2001)
Scalper Worm (07/2002)
Slapper Worm (09/2002)

Worm Propagation
Central Source Propagation
This type of propagation involves a central location: after a computer is infected, it locates a source where it can get code to copy into the compromised computer. After it infects the current computer, it finds the next computer and everything starts over again. An example of this kind of worm is the 1i0n worm.

Worm Propagation
Back-Chaining Propagation
The Cheese worm is an example of this type of propagation, where the attacking computer initiates a file transfer to the victim computer. After initiation, the attacking computer can then send files and any payload over to the victim without intervention. Then the victim becomes the attacking computer in the next cycle with a new victim. This method of propagation is more reliable than central source because central source data can be cut off.

Worm Propagation
Autonomous Propagation
Autonomous worms attack the victim computer and insert the attack instructions directly into the processing space of the victim computer, which causes the next attack cycle to initiate without any additional file transfer. Code Red is an example of this type of worm. The original Morris worm of 1988 was of this nature as well.

Windows Worms
Code Red
Nimda

Code Red infected over 250,000 systems in 9 hours on July 19, 2001.
NIMDA and Code Red worms cost businesses 3 to 4 billion dollars.

The Future of Worms

Client and Server-Side Flaws
  Buffer overflows
  Format string attacks
Design flaws
  Open shares
  Misconfigurations

Current Limitations
Limited capabilities
Growth and traffic patterns
Network structure
Intelligence Database

The Future of Worms

Encryption/Obfuscation/Polymorphism
  Standard polymorphic/mutation techniques
  Worms meet viruses
  Continuously changing itself
  Brute forcing new offsets
  Adapting to the environment to become more fit

The Future of Worms

Andy Warhol / Flash Worms
  Faster, more accurate spread
  Complete spread to all possible targets in 5-20 minutes
  Very low false positive rate
  Too fast to analyze/disseminate information

The Future of Worms

Intelligent Worms
  Worms meet AI
  Worm-infected hosts communicating in a p2p method
  Exchanging information on targeting, propagation, or new infection methods
  Agent-like behavior

Intelligence Database
  Knowledge of other nodes
  Concrete vs. abstract
  Complete vs. incomplete

The Future of Worms

Bigger Scope
  Multi-Platform / OS Worms
  Multi-OS shell code
  Attacking multiple different vulnerabilities on multiple platforms
  Single worm code, large attackable base

Other Malware

Other Types of Malware

Bacteria, also known as rabbits, are programs that do not directly damage the system. Instead they replicate themselves until they monopolize CPU, memory or disk space. This constitutes a denial of service attack.

A bomb is actually a type of Trojan horse that can be used to release a virus or bacteria. Bombs work by causing an unauthorized action at a specified date, time or when a particular condition occurs. There are two types of bombs: logic and time. Logic bombs are set to go off when a particular event occurs. Time bombs go off at a specified time, date or after a set amount of time elapses.

Salamis cut away tiny pieces of data. They can be particularly dangerous as the damage they do is small and can be attributed to some truncation of the system. It is possible for a salami to do a great deal of damage before it is found.

HOW DO VIRUSES ACTIVATE?

We are always afraid that viruses do something harmful to files when they get active, but not all viruses activate. Some viruses just spread out, but when viruses activate they do very different things. They might play part of a melody or play music in the background, show a picture or animated picture, show text, format the hard disk or make changes to files.

As an example, in one unnamed company: over a long period of time, the files on a server were corrupted just a bit. So backup copies were taken of the corrupted files. And after they noticed that something was wrong, it was too late to get the data back from the backups. That kind of event is the worst that can happen for the users.

CONCLUSION

There are lots of viruses in the world and new viruses are coming up every day. There are new anti-virus programs and techniques being developed too. It is good to be aware of viruses and other malware, and it is cheaper to protect your environment from them than to be sorry.

There might be a virus in your computer if it starts acting differently. There is no reason to panic if a computer virus is found.

It is good to be a little suspicious of malware when you surf the Internet and download files. Some files that look interesting might hide malware.

A computer virus is a program that reproduces itself and its mission is to spread out. Most viruses are harmless and some viruses might cause random damage to data files.

A trojan horse is not a virus because it doesn't reproduce. Trojan horses are usually masked so that they look interesting. There are trojan horses that steal passwords and format hard disks.

Reference
http://en.wikipedia.org/wiki/Computer_virus
http://windows.microsoft.com/enmy/windows7/how-do-i-remove-a-computervirus

