
Computer Viruses and Worms

Dragan Lojpur
Zhu Fang
Definition of Virus
• A virus is a small piece of software that piggybacks on real programs in order to get executed.
• Once it is running, it spreads by inserting copies of itself into other executable code or documents.
PC Viruses
How they got the name
• Computer viruses are called viruses because they share some of the traits of biological viruses.
– A computer virus passes from computer to computer like a biological virus passes from person to person.
PC Viruses
What they are
• A virus is a small piece of software (code) that piggybacks on real programs, like Excel, that have “embedded executable languages”
» Macro languages -- Visual Basic for Applications, etc.
– Each time the program runs, the virus runs too,
» and it has the chance to reproduce (by attaching to other programs) or wreak havoc.
PC Viruses
What they are
• E-mail viruses
– An e-mail virus moves around in attachments to e-mail messages, and usually replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book.
PC Viruses
What they are
• Trojan Horse
– A Trojan horse is a computer program that claims to do one thing (it may claim to be a game) but instead does damage when you run it (it may erase your hard disk).
» Trojan horses have no way to replicate automatically.
Worms
• A worm is a self-replicating program, similar to a computer virus. A virus attaches itself to, and becomes part of, another executable program; a worm, however, is self-contained and does not need to be part of another program to propagate itself.
History of Worms
• The first worm to attract wide attention, the Morris worm, was written by Robert Tappan Morris, who at the time was a graduate student at Cornell University.
• It was released on November 2, 1988.
• Morris himself was convicted under the US Computer Fraud and Abuse Act and received three years' probation, community service and a fine in excess of $10,000.
Worms…
• A worm is a small piece of software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the new machine using the security hole, and then starts replicating from there as well.
• They are often designed to exploit the file transmission capabilities found on many computers.
Zombies
• Infected computers — mostly Windows machines — are now the major delivery method of spam.
• Zombies have been used extensively to send e-mail spam; between 50% and 80% of all spam worldwide is now sent by zombie computers.
Typical things that some current Personal Computer (PC) viruses do
• Display a message
• Erase files
• Scramble data on a hard disk
• Cause erratic screen behavior
• Halt the PC
• Many viruses do nothing obvious at all except spread!
Distributed Denial of Service
• A denial-of-service attack is an attack that causes a loss of service to users, typically the loss of network connectivity and services by consuming the bandwidth of the victim network or overloading the computational resources of the victim system.
How it works
• The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to legitimate users.
• A flood is described by a few parameters that the attacker chooses:
– Victim's IP address.
– Victim's port number.
– Attacking packet size.
– Attacking interpacket delay.
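The same four parameters are what a defender measures when deciding whether incoming traffic is a flood. The following Python is an added example, not code from the slides: it takes constructed packet records of the assumed form (timestamp, source, destination, port, size), groups them into one-second windows per destination port, computes packets per second, bits per second, the number of distinct sources and the mean interpacket delay, and raises an alert when the rate crosses an assumed threshold. The addresses, record format, function names and thresholds are all assumptions for illustration.

```python
"""Flag packet floods in a stream of packet records.

Added example, not code from the original slides. A record is a tuple
(timestamp_seconds, src_ip, dst_ip, dst_port, size_bytes); this format,
the addresses and the thresholds are assumptions for illustration.
"""
from collections import defaultdict
from statistics import mean

VICTIM = "192.0.2.10"   # assumed victim address (documentation range)


def make_sample():
    """Constructed traffic: a little legitimate HTTPS plus a flood on port 80."""
    packets = []
    # Five legitimate clients, each sending one 600-byte packet every 0.5 s.
    for i in range(5):
        for k in range(4):
            packets.append((k * 0.5 + i * 0.01, f"198.51.100.{i + 1}", VICTIM, 443, 600))
    # Flood: 400 small packets, 5 ms apart, from 200 distinct (possibly spoofed) sources.
    for n in range(400):
        packets.append((n / 200, f"203.0.113.{n % 200 + 1}", VICTIM, 80, 64))
    return sorted(packets)


def summarize(packets, window=1.0):
    """Per (dst_ip, dst_port, window index): rate, bandwidth, source count, gap."""
    buckets = defaultdict(list)
    for ts, src, dst, port, size in packets:
        buckets[(dst, port, int(ts // window))].append((ts, src, size))
    stats = {}
    for key, rows in buckets.items():
        rows.sort()
        times = [ts for ts, _, _ in rows]
        gaps = [b - a for a, b in zip(times, times[1:])]
        stats[key] = {
            "pps": len(rows) / window,                              # packets per second
            "bps": sum(size for _, _, size in rows) * 8 / window,   # bits per second
            "sources": len({src for _, src, _ in rows}),
            "mean_gap_ms": mean(gaps) * 1000 if gaps else None,     # interpacket delay
        }
    return stats


def detect_floods(packets, pps_threshold=100, min_sources=20, window=1.0):
    """Return one alert per window whose packet rate exceeds the threshold.

    A high rate from many sources is reported as distributed; spoofed
    source addresses look exactly like a real botnet at this layer.
    """
    alerts = []
    for (dst, port, w), s in sorted(summarize(packets, window).items()):
        if s["pps"] >= pps_threshold:
            kind = "distributed" if s["sources"] >= min_sources else "single-source"
            alerts.append({"dst": dst, "port": port, "window": w, "kind": kind, **s})
    return alerts


if __name__ == "__main__":
    for a in detect_floods(make_sample()):
        print(f"window {a['window']}: {a['kind']} flood on {a['dst']}:{a['port']}, "
              f"{a['pps']:.0f} pps, {a['sources']} sources, "
              f"{a['mean_gap_ms']:.1f} ms between packets")
```

The distinct-source count only says that the flood looks distributed; with a SYN or UDP flood the sources may simply be spoofed, which is why the measurement is keyed on the victim address and port rather than on individual sources.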
MyDoom
• 26 January 2004: The Mydoom virus is first identified around 8am. Computer security companies report that Mydoom is responsible for approximately one in ten e-mail messages at this time. It slows overall internet performance by approximately ten percent and average web page load times by approximately fifty percent.
MyDoom…
• 1 February: An estimated one million computers around the world infected with Mydoom begin the virus's massive distributed denial of service attack—the largest such attack to date.
Executable Viruses
• Traditional viruses
• Pieces of code attached to a legitimate program
• Run when the legitimate program gets executed
• The virus loads itself into memory and looks around to see if it can find any other programs on the disk to infect
Boot Sector Viruses
• Traditional virus
• Infects the boot sector on floppy disks and hard disks
• By putting its code in the boot sector, a virus can guarantee it gets executed
• It loads itself into memory immediately, and is able to run whenever the computer is on
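What makes a boot-sector infector so reliable also makes it easy to check for: the boot code sits in a fixed place (the first 446 bytes of the 512-byte master boot record, followed by the partition table and the 0x55AA signature) and should not change between operating system installs. The following added example, not from the slides, builds a constructed MBR, records a SHA-256 baseline of its code region, and compares a second, infected-looking sector against it; the partition table is parsed separately so that legitimate repartitioning does not look like an infection. The sample bytes and the function names are assumptions made for the example.

```python
"""Integrity check of a 512-byte boot sector (MBR).

Added example, not code from the original slides. The sample sectors are
constructed here; the baseline hash would normally be recorded when the
machine is known to be clean. Layout follows the classic MBR: boot code
in bytes 0-445, four 16-byte partition entries from 446, 0x55AA at 510.
"""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_END = 446            # boot code occupies bytes 0..445
PTABLE_OFFSET = 446       # partition table: 4 entries x 16 bytes
SIGNATURE = b"\x55\xaa"   # boot signature at bytes 510-511
ENTRY_FMT = "<B3xB3xII"   # status, (CHS start), type, (CHS end), LBA start, sector count

# Placeholder boot code, constructed for the example (not real bootstrap code).
CLEAN_CODE = b"\xfa\x31\xc0\x8e\xd8" + b"\x90" * 40
# What a boot-sector infector leaves behind: a jump to its own code and the
# rest of the code region rewritten, partition table untouched (constructed).
INFECTED_CODE = b"\xeb\x40" + b"\x90" * 62 + b"VIRUS-BODY"


def build_sample_mbr(code):
    """Assemble a sector with one bootable NTFS partition (type 0x07)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(code)] = code
    struct.pack_into(ENTRY_FMT, sector, PTABLE_OFFSET, 0x80, 0x07, 2048, 1_000_000)
    sector[510:512] = SIGNATURE
    return bytes(sector)


def parse_partitions(sector):
    """Decode the four partition entries; empty entries (type 0) are skipped."""
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector, PTABLE_OFFSET + 16 * i)
        if ptype:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba, "sectors": count})
    return entries


def code_hash(sector):
    """SHA-256 over the code region only, so repartitioning does not raise alarms."""
    return hashlib.sha256(sector[:CODE_END]).hexdigest()


def check_boot_sector(sector, baseline_hash):
    """Report whether the sector is well formed and its code matches the baseline."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "code_unchanged": code_hash(sector) == baseline_hash,
        "partitions": parse_partitions(sector),
    }


if __name__ == "__main__":
    clean = build_sample_mbr(CLEAN_CODE)
    baseline = code_hash(clean)               # record this while the system is clean
    print("clean sector   :", check_boot_sector(clean, baseline))
    print("infected sector:", check_boot_sector(build_sample_mbr(INFECTED_CODE), baseline))
```

On a real Linux host the sector can be read as root with `dd if=/dev/sda bs=512 count=1 of=mbr.bin`; the hash of the result is the baseline, and it must be stored somewhere the infected machine cannot rewrite. Measuring the boot sector against a known-good value is the same idea operating systems and firmware now apply when they protect it.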
Decline of traditional viruses
• Reasons:
– Today's programs are huge and are distributed on compact discs, which cannot be modified, rather than on floppy disks
– Operating systems now protect the boot sector
E-mail Viruses
• Moves around in e-mail messages
• Replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book
• Examples: Melissa virus, ILOVEYOU virus
Melissa virus
• March 1999
• The Melissa virus was the fastest-spreading virus ever seen at the time
• Someone created the virus as a Word document uploaded to an Internet newsgroup
• People who downloaded the document and opened it would trigger the virus
• The virus would then send the document in an e-mail message to the first 50 people in the person's address book
Melissa virus
• Took advantage of the programming language built into Microsoft Word called VBA (Visual Basic for Applications)
The Morris worm
In 1988 Robert Morris, a university student, unleashed a worm which affected 10 per cent of all the computers connected to the internet (at the time the net was estimated to consist of 60,000 computers), slowing them to a halt. Morris is now an associate professor at MIT.
The Chernobyl virus (also known as CIH)
Triggers on April 26 each year, the anniversary of the Chernobyl nuclear disaster. It overwrites the BIOS flash chip inside PCs, effectively paralyzing the entire computer. Its author, Chen Ing Hau, was caught by the authorities in Taiwan.
The Anna Kournikova worm
The Anna Kournikova worm posed as a picture of the tennis
player, but was in fact a virus written by Jan de Wit, an obsessed
admirer from the Netherlands. He ended up receiving a
community service sentence.

ILOVEYOU
The Love Bug flooded internet users with ILOVEYOU messages
in May 2000, forwarding itself to everybody in the user's address
book. It was designed to steal internet access passwords for its
Filipino creator.
The Blaster Worm
The Blaster worm launched a denial of service attack against
Microsoft's website in 2003, and infected millions of computers
around the world by exploiting a security hole in Microsoft's
software. Its author has never been found.

Netsky and Sasser
Sven Jaschan, a German teenager, was found guilty of writing the Netsky and Sasser worms. Jaschan was found to be responsible for 70 per cent of all the malware seen spreading over the internet at the time, but escaped prison and was eventually hired by a security company as an "ethical hacker".
Storm worm
The Storm worm, originally posing as breaking news of bad
weather hitting Europe, infected computers around the world in
2007. Millions of infected PCs were taken over by hackers and
used to spread spam and steal identities.
Code Red
The world had not yet recovered from the damage caused by the ILOVEYOU virus when Code Red was released in mid-2001. Unlike other viruses, this one only targeted computers running the Microsoft IIS (Internet Information Server) web server, exploiting a buffer overflow bug in the software. Once a computer was compromised by the worm, it would deface the website it hosted, displaying the message “Welcome to http://www.worm.com! Hacked by Chinese!” Then it would seek other computers running the web server software and do the same thing. After about two weeks of infection, the worm was programmed to launch DDoS (Distributed Denial of Service) attacks on certain websites, including the server of the White House.
Bagle
Bagle was another classic type of mass-mailing malware, but was quite complex.
First detected in 2004, it infected users through an email attachment, and also
used email to spread itself. Unlike previous mass-mailing viruses, Bagle did not
rely on the MS Outlook contact list to make a list of where to send itself. It
harvested email addresses from various document files stored in the infected
computer – from plain-text files to MS Excel files. The danger of this virus was
that its design opened a backdoor where a remote user – probably the author or
a group of hackers - could gain access and control of the infected computer.
It could download additional components to either spy and steal information
from the user or launch DDoS attacks to certain networks and computers.
Though the original Bagle virus was designed to stop spreading after January
2004, hundreds of variants today are still out there, spreading.
Sasser
Sasser was another complex computer worm that crippled thousands of computers, and was written by a 17-year-old German student in 2004. Sasser did not spread through email, and did not require any human intervention to compromise computers. It infected computers by exploiting a buffer overflow in the LSASS (Local Security Authority Subsystem Service) of Windows 2000 and Windows XP; this is often confused with the RPC (Remote Procedure Call) vulnerability used by the Blaster worm the year before, but it was a different hole in a different service. Sasser successfully infected and shut down thousands of computer networks in just a matter of days. After infecting a computer, it accesses the Internet to search for other vulnerable machines so that it can infect them. Sasser also caused Windows to display a notice that the system was shutting down, because the crash of the exploited LSASS process forces a reboot.
LATEST COMPUTER VIRUSES

1. Stuxnet (2009-2010)
2. Conficker Virus (2009)
3. agent.btz (2008)
4. Zeus (2007)
5. PoisonIvy (2005)
6. Fizzer (2003)
Top Ten Antivirus 2012
• BitDefender Antivirus 2012
• Norton Antivirus 2012
• Perfect Antivirus 2012
• Vipre Antivirus 2012
• ESET Antivirus 2012
• Kaspersky Antivirus 2012
• F-Secure Antivirus 2012
• TrendMicro Antivirus 2012
• ZoneAlarm Antivirus 2012
• Panda Antivirus 2012
Prevention
• Updates
• Anti-viruses
• More secure operating systems, e.g. UNIX
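Two of these bullets, anti-virus and updates, belong together: a scanner only recognises what its signature database describes, so the database has to be updated as fast as new variants appear. The following added Python is not code from the slides or from any product; it implements the two simplest kinds of signature, an exact byte pattern and a whole-file hash, and scans a directory with them. The EICAR string is the standard harmless test file every real scanner detects; the second signature, the sample files and the function names are constructed for the example.

```python
"""Minimal signature scanner: exact byte patterns plus known-sample hashes.

Added example, not code from the original slides or from any real product.
The EICAR string is the standard harmless test pattern that real scanners
detect; the other signature and the sample files are constructed here.
"""
import hashlib
import os

EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# name -> byte pattern. "Example.Dropper" is made up for illustration.
PATTERN_SIGNATURES = {
    "EICAR-Test-File": EICAR,
    "Example.Dropper": b"\xeb\x3c\x90@@DROPPER@@",
}
# sha256 hex digest -> name, for samples whose whole file is known.
HASH_SIGNATURES = {}


def register_sample(name, data):
    """Add a whole-file hash signature for a captured sample."""
    HASH_SIGNATURES[hashlib.sha256(data).hexdigest()] = name


def scan_bytes(data):
    """Return [(signature name, method, offset)] for every match in data."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append((HASH_SIGNATURES[digest], "sha256", 0))
    for name, pattern in PATTERN_SIGNATURES.items():
        offset = data.find(pattern)
        if offset != -1:
            hits.append((name, "pattern", offset))
    return hits


def scan_tree(root):
    """Walk a directory and return {path: hits} for files with at least one hit."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                hits = scan_bytes(f.read())
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed files: one carrying EICAR, one mutated so the signature misses.
        with open(os.path.join(tmp, "eicar.com"), "wb") as f:
            f.write(EICAR)
        with open(os.path.join(tmp, "mutated.com"), "wb") as f:
            f.write(EICAR.replace(b"EICAR", b"EICAS"))
        print(scan_tree(tmp))   # only eicar.com is reported until a new signature ships
```

The mutated copy shows the limit of the approach: changing a single byte defeats both the pattern and the hash until a new signature is registered, which is why "Updates" is on the slide and why real products layer heuristics and behaviour monitoring on top of signatures.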
How to prevent them
• With e-mail viruses
– The defense is personal discipline
» Never double-click on an attachment that contains an executable program
» Attachments that come in as Word files (.DOC), spreadsheets (.XLS), images (.GIF and .JPG), etc., are data files
- as data they cannot run on their own
- excepting the macro virus problem in Word and Excel documents mentioned above
- note, though, that a malformed data file can still exploit a bug in the program that opens it, so "data file" is not the same as "harmless"
How to prevent them
– Don't open email attachments unless you're 110% certain they are safe,
» if you're not expecting something from a friend, confirm with them before opening it.
– (He's) seen a few infected systems, from a relatively benign Word macro virus to one that trashed the HDD (so that) a low-level format was needed to get it working again.
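The rules above can be applied mechanically at the mail gateway or in a user's mail filter. The following added Python, not from the slides, classifies an attachment from its file name and its first bytes: executable extensions are blocked; a data extension followed by an executable one (the "picture.jpg.vbs" trick, which works because Windows Explorer hides known extensions by default, so the name displays as "picture.jpg") is blocked; legacy Office formats are flagged for the macro problem; and a mismatch between the claimed extension and the content's magic bytes is flagged. The extension lists, the magic-byte table, the sample attachments and the function names are assumptions constructed for illustration.

```python
"""Classify an e-mail attachment by name and content before anyone opens it.

Added example, not code from the original slides. The extension lists,
magic-byte table and sample attachments are assumptions constructed for
illustration; a real mail gateway would use a far larger table.
"""

# Extensions Windows will execute (or hand to a script host) on double-click.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".msi",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".lnk"}
# Office formats that can carry VBA macros (the slides' "macro virus problem").
MACRO_CAPABLE_EXTS = {".doc", ".dot", ".xls", ".xlt", ".docm", ".xlsm", ".pptm"}
# Plain data formats, used to spot a "picture.jpg.vbs" style double extension.
DATA_EXTS = {".txt", ".gif", ".jpg", ".jpeg", ".png", ".pdf", ".docx", ".xlsx"}

MAGIC = [  # (leading bytes, content kind)
    (b"MZ", "pe-executable"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"), (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc / .xls container
    (b"PK\x03\x04", "zip"),                          # also .docx / .xlsx
]
EXPECTED_KIND = {".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif", ".png": "png",
                 ".pdf": "pdf", ".doc": "ole2", ".xls": "ole2",
                 ".docx": "zip", ".xlsx": "zip", ".exe": "pe-executable"}


def sniff(content):
    """Guess the content kind from its leading bytes."""
    for magic, kind in MAGIC:
        if content.startswith(magic):
            return kind
    return "unknown"


def extensions(filename):
    """All extensions, lower-cased: 'Anna.JPG.vbs' -> ['.jpg', '.vbs']."""
    parts = filename.strip().lower().split(".")
    return ["." + p for p in parts[1:]]


def classify_attachment(filename, content):
    """Return a verdict (block / warn / allow) with the reasons behind it."""
    exts = extensions(filename)
    last = exts[-1] if exts else ""
    kind = sniff(content)
    block, warn = [], []
    if last in EXECUTABLE_EXTS:
        block.append(f"executable extension {last}")
    if len(exts) >= 2 and last in EXECUTABLE_EXTS and exts[-2] in DATA_EXTS:
        block.append(f"double extension {exts[-2]}{last} disguises an executable as data")
    if kind == "pe-executable" and last not in EXECUTABLE_EXTS:
        block.append("content is a PE executable despite a non-executable extension")
    if last in MACRO_CAPABLE_EXTS:
        warn.append(f"{last} can carry VBA macros")
    expected = EXPECTED_KIND.get(last)
    if expected and kind != expected:
        warn.append(f"extension {last} claims {expected} but content looks like {kind}")
    verdict = "block" if block else "warn" if warn else "allow"
    return {"filename": filename, "kind": kind, "verdict": verdict, "reasons": block + warn}


if __name__ == "__main__":
    samples = [  # constructed attachments
        ("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("AnnaKournikova.jpg.vbs", b'Set fso = CreateObject("Scripting.FileSystemObject")'),
        ("report.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
        ("invoice.pdf", b"MZ\x90\x00\x03\x00"),
        ("budget.xlsx", b"PK\x03\x04" + b"\x00" * 8),
    ]
    for name, data in samples:
        r = classify_attachment(name, data)
        print(f"{r['verdict']:5} {name}: {'; '.join(r['reasons']) or 'no findings'}")
```

The "warn" verdict for a legacy .doc is deliberate: the slide's advice that data files are harmless holds only until a macro or a parser bug is involved, so such files are worth opening in a viewer with macros disabled rather than blocking them outright.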
How to spot a hoax
• (It says) forward this mail to anyone you care about.
– Here it is. This is the replication engine. This is what gives the virus the pesky lifelike ability to multiply. This is also a dead giveaway that it is a hoax.
Reference
• http://mirror.aarnet.edu.au/pub/code-red/newframes-small-log.gif
• http://www.factmonster.com/ipka/A0872842.html
• http://www.faqs.org/faqs/computer-virus/new-users/
• http://www.mines.edu/academic/computer/viri-sysadmin.htm
