VIRUSES and MALWARE - PowerPoint PPT Presentation

Slides: 49
Provided by: del555

Transcript and Presenter's Notes

1
VIRUSES and MALWARE
  • Prepared by Constantin Britcov, Tony Chavana

2
Definition and Description of Viruses and other
Malware
3
Definition and Description of Viruses and other
Malware
  • A Virus is a program that can infect other
    programs by modifying them to include a possibly
    evolved copy of itself
  • Every program on a workstation infected by a
    virus, can act as a virus or be a potential
    threat to still clean applications.
  • For the most part viruses attack program files
    and executable files
  • http://antivirus.about.com/cs/tutorials/a/whatisavirus.htm

4
Definition and Description of Viruses and other
Malware
  • Viruses can also affect data files that have
    executable parts to them, like macros in
    Microsoft Word
  • Viruses can affect data files that don't contain
    executable parts. A good example would be
    PDF files and JPG files
  • The main goal of a virus today is not to infect a
    particular program, but to spread through the
    system files, damaging the overall system.

5
Definition and Description of Viruses and other
Malware
  • Viruses range in severity. Some can add annoying
    effects to the performance of your workstations;
    some can wipe out or modify your HD, software
    and files.
  • Most viruses are spread by means of an exe file.
    They are "time bombs" in nature, set off by
    human actions

6
Definition and Description of Viruses and other
Malware
  • Viruses are not only spread via the Internet; they
    are also spread by sharing floppy disks, pirated
    software and preformatted floppy disks
  • There are viruses that can stay dormant on a
    workstation without causing any harm for years.
    Some viruses may just be on your system for the
    sake of taking up free space

7
Definition and Description of Viruses and other
Malware
  • Here are different categories of viruses that can
    be found
  • STEALTH VIRUSES - viruses that go to some length
    to conceal their presence from programs, which
    might notice.
  • POLYMORPHIC VIRUSES - viruses that cannot be
    detected by searching for a simple, single
    sequence of bytes in a possibly infected file,
    since they change with every replication.

8
Definition and Description of Viruses and other
Malware
  • COMPANION VIRUSES - viruses that spread via a
    file which runs instead of the file the user
    intended to run, and then runs the original file.
    For instance, the file MYAPP.EXE might be
    "infected" by creating a file called MYAPP.COM.
    Because of the way DOS works, when the user types
    MYAPP at the C> prompt, MYAPP.COM is run instead
    of MYAPP.EXE. MYAPP.COM runs its infective
    routine, then quietly executes MYAPP.EXE. NB:
    this is not the only type of companion (or
    "spawning") virus.
  • ARMOURED VIRUSES - viruses that are specifically
    written to make it difficult for an antivirus
    researcher to find out how they work and what
    they do
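
The MYAPP.COM / MYAPP.EXE shadowing described above can be looked for on disk. The following is an added example, not part of the original presentation; it assumes the DOS lookup order .COM, .EXE, .BAT, and its function names and sample files are made up for illustration.

```python
import os
import tempfile
from collections import defaultdict

# DOS tries these extensions, in this order, when a command is typed
# without one, so an earlier entry shadows a later one.
DOS_ORDER = (".com", ".exe", ".bat")

def find_shadowed_programs(root):
    """Return sorted (directory, file_that_runs, file_it_shadows) tuples.

    Only same-directory pairs are reported; shadowing across PATH
    directories is out of scope here.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_stem = defaultdict(dict)          # stem -> {ext: real filename}
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() in DOS_ORDER:
                by_stem[stem.lower()][ext.lower()] = name
        for variants in by_stem.values():
            present = [e for e in DOS_ORDER if e in variants]
            for shadowed in present[1:]:
                findings.append(
                    (dirpath, variants[present[0]], variants[shadowed]))
    return sorted(findings)

def demo():
    """Build a constructed sample tree and return (runs, shadows) pairs."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed, empty placeholder files; names follow the slide.
        for name in ("MYAPP.COM", "MYAPP.EXE", "EDIT.COM", "tool.exe"):
            open(os.path.join(root, name), "w").close()
        return [(runs, shadows)
                for _dir, runs, shadows in find_shadowed_programs(root)]

if __name__ == "__main__":
    for runs, shadows in demo():
        print(f"{runs} would run instead of {shadows}")
```

A hit is a lead to investigate rather than proof of infection, since some legitimate software ships same-named .COM and .EXE files.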

9
Definition and Description of Viruses and other
Malware
  • A worm is a type of malware that copies itself
    from system to system as quickly as possible. It
    is considered to be a subclass of a virus
  • Worms can propagate through email, sending a copy
    of themselves to all the people in the address book
  • Network worms copy themselves through the network.
    Internet worms copy themselves onto computers that
    are not protected and are vulnerable to outside
    penetration

10
Definition and Description of Viruses and other
Malware
  • Worms can take up so much bandwidth on the
    network due to their rapid replication that they
    can cause the network to malfunction or even go
    down
  • The very recent attack of the Blaster worm
    allowed penetration deep into the workstation
    system files and then remote control of that
    workstation by other individuals

11
Definition and Description of Viruses and other
Malware
  • Trojans are another type of malware that can be
    described as doing "something other". That
    "something other" is the malicious part about
    Trojans. The good thing about Trojans is that
    once they get onto a machine, they are there to
    stay.
  • Trojans are known for password stealing, using the
    workstation for possible DoS or DDoS attacks,
    slowing down the workstation or altogether
    altering the workstation's behavior

12
Definition and Description of Viruses and other
Malware
  • The Trojan horse is the reason for the name of that
    particular type of malware. The main weapon of
    Trojan malware is its ability to pass itself off
    as something it is not
  • Trojans are known for opening a backdoor on
    your system allowing malicious access to your
    files by unauthorized persons

15
Usual sources of Virus propagation
16
Usual sources of Virus propagation
  • email file attachments
  • files downloaded from a non-reputable web site
  • boot from an infected floppy diskette

17
Usual sources of Virus propagation
  • An infected Microsoft Word, Excel Spreadsheet,
    Access Database, or PowerPoint Slide Presentation
  • running an infected Visual Basic Script or
    Microsoft JScript, including invisible ones that
    run from web pages

18
Virus prevention measures
19
Virus prevention measures
  • keep all files and programs backed up on some
    type of removable media
  • from day one have anti-virus protection
  • make sure the definitions are up to date; this is
    your primary line of defense
  • set up a virus scan schedule
  • download all Windows updates
  • Microsoft from time to time releases patches that
    can prevent faults in the operating system

20
Virus prevention measures
  • turn off "Hide extensions for known file types" in
    Windows
  • show hidden files
  • Do not open attachments with the following
    extensions: .exe .vbs .scr .vbe .com .bat .shs
    .cpl .dll .ocx .pif .drv .lnk .bin .sys .eml .nws
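
The extension list above can be applied automatically to attachment names, including double-extension names such as LOVE-LETTER-FOR-YOU.TXT.vbs, which display as a text file when extensions are hidden. This is an added example, not part of the original presentation; the DECOY set and the function names are assumptions chosen for illustration.

```python
# Extension block list copied from the slide above.
BLOCKED = frozenset(
    ".exe .vbs .scr .vbe .com .bat .shs .cpl .dll .ocx .pif .drv "
    ".lnk .bin .sys .eml .nws".split()
)
# Assumption: harmless-looking extensions often used as a decoy in front
# of the real one. Not from the slides; adjust to taste.
DECOY = frozenset(".txt .doc .jpg .gif .pdf .rtf .xls .zip".split())

def shown_with_hidden_extensions(filename):
    """Name as listed when the final (registered) extension is hidden."""
    stem, dot, _ext = filename.rpartition(".")
    return stem if dot else filename

def classify_attachment(filename):
    """Return (verdict, reason); verdict is 'block' or 'allow'."""
    # Drop any path part, then the trailing dots and spaces that Windows
    # ignores, and compare case-insensitively.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return ("allow", "no extension")
    final = "." + parts[-1]
    if final not in BLOCKED:
        return ("allow", f"{final} is not on the block list")
    if len(parts) >= 3 and "." + parts[-2] in DECOY:
        return ("block", f"double extension: .{parts[-2]} hides {final}")
    return ("block", f"{final} is on the block list")

if __name__ == "__main__":
    # Constructed sample names; the first one is quoted in the slides.
    for sample in ("LOVE-LETTER-FOR-YOU.TXT.vbs", "Setup.EXE. ",
                   "minutes.doc", "README"):
        verdict, reason = classify_attachment(sample)
        print(f"{sample!r}: {verdict} ({reason}); "
              f"shown as {shown_with_hidden_extensions(sample.strip('. '))!r}")
```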

21
Virus prevention measures
  • Do not open attachments from anyone you don't
    know or attachments that are sent out as a
    forward type.
  • Do not use programs downloaded from the Internet
    unless you are certain they are from a reputable
    site

22
Example of a Virus attack and your response
23
Example of a Virus attack and your response
  • Whatever you do, DON'T PULL YOUR NETWORK CABLE
  • The first step you want to take is to run virus
    scan on the workstation using the antivirus
    software installed
  • Running an antivirus will help you detect the
    virus if it is not a hoax and be aware of what it
    is you are dealing with
  • http://service1.symantec.com/SUPPORT/nav.nsf/5faa3ca6df6f549888256edd0061c0a4/19642ee63626266288256be3007c4a63?OpenDocument&src=bar_sch_nam

24
Example of a Virus attack and your response
  • If the virus propagated itself through e-mail,
    try to find out where it came from, so you
    can warn others of the source
  • Different e-mail systems react differently to
    viruses. Do some research and see which systems
    this virus targets in particular
  • Check with the antivirus maker to see if they
    have a patch that will fix the problem

25
Example of a Virus attack and your response
  • If the virus is local and is only on a
    workstation or two, it is not necessary to
    disable the whole network, if there is one in
    place
  • If there are many users and the virus spreads
    fast, it is time to bring your network down

26
Example of a Virus attack and your response
  • Once you have localized the virus, try to delete
    it or run a patch on it that will eliminate the
    virus
  • There are cases where a virus cannot be deleted,
    especially when it is hiding in the System32
    folder. Some situations call for a complete wipe
    and reinstall approach. In reality that is only
    acceptable in small organizations.

27
Example of a Virus attack and your response
  • Once you have dealt with your problem, think about
    your troubleshooting process. Think of the source
    of the virus and how you could prevent it from
    happening again
  • Prepare for future attacks. Install patches,
    updates and firewall your internet connections if
    possible.

28
Famous Viruses from the Past and Present
http://www.trendmicro.com/en/home/us/enterprise.htm
29
Famous Viruses from the Past and Present
  • Pakistani Brain
  • First virus that was known to spread worldwide
  • boot sector virus that transfers the current boot
    sector to an unused portion of the disk and marks
    that portion of the disk as bad sectors
  • periodically marks other portions of the disk as
    bad sectors making files, and eventually the
    disk, unusable

30
Famous Viruses from the Past and Present
  • Stoned-Marijuana
  • infects the boot sector of floppy disks and the
    File Allocation Table (FAT) of hard disk drives
  • periodically displays the message "Your PC is
    Stoned. Legalise Marijuana."
  • makes access to the files nearly impossible
  • It also gives your computer the munchies

31
Famous Viruses from the Past and Present
  • Jerusalem
  • virus infects both .COM and .EXE files
  • virus will survive a warm boot, i.e., it will
    stay in memory after re-booting your computer
  • After the virus is resident for half an hour, it
    slows the system down by a factor of ten

32
Famous Viruses from the Past and Present
  • Melissa virus
  • disguised itself as a Rich Text Format file so virus
    scanners would not scan the file for a virus
  • in three days reached more than 100,000 computers
  • all that was needed was to rename the Word document
    containing the Melissa virus with a .rtf
    extension
  • attacks Microsoft Word's normal.dot global
    template, ensuring infection of all new Word files
    from then on
  • accesses the Microsoft Outlook address book and
    mails the infected Word file to the first 50
    entries in the address book
  • showed the world how quickly (exponentially) a
    virus can spread, because each user would infect
    50 people and then each of those 50 people
    could infect 50 more users

33
Famous Viruses from the Past and Present
  • ExploreZip
  • Melissa-like program, first discovered during
    June 1999
  • A Trojan, not a virus
  • seeks out certain files and reduces their file
    size to zero
  • rendering those files useless and unrecoverable

34
Famous Viruses from the Past and Present
  • Chernobyl
  • discovered in 1998
  • the system will be unable to boot, due to
    deletion of Flash-BIOS memory
  • affects only flash BIOSes, meaning those that can be
    changed or updated
  • wipes the first megabyte of data on a hard disk
    (making the rest useless) every April 26 -- the
    anniversary of the nuclear power plant disaster
    that occurred in Chernobyl, Ukraine
  • this virus had to attach itself to executable
    files, so it did not spread as widely as the previous
    viruses

35
Famous Viruses from the Past and Present
  • Loveletter virus, aka the I Love You virus
  • searched all drives mapped to your computer,
    including network drives
  • downloads a file called WIN-BUGSFIX.exe from the
    Internet, a password cracking program
  • uses it to create a list of as many passwords as
    possible, then emails those passwords to a
    location in the Philippines
  • said to have infected one in every five PCs
    worldwide.
  • used Microsoft Outlook to send messages with the
    attachment file "LOVE-LETTER-FOR-YOU.TXT.vbs" to
    all addresses
  • LOVELETTER also propagates using mIRC

36
Famous Viruses from the Past and Present
  • Klez Virus
  • ability to spoof email
  • It may appear that you have received this virus
    from one person, when it was actually sent from a
    different user's system
  • This situation adds to the confusion in tracing
    the real infected culprit, and complaints are
    often generated because of these spoofed "FROM"
    addresses

37
Future of Viruses
38
Future of Viruses
  • Viruses may start forming their own network
  • Wormnet will allow a virus to communicate with
    other copies of itself and enhance its
    reproduction and acquire information
  • A hierarchy may be established where some viruses
    may start issuing commands to other, less
    powerful viruses

39
Future of Viruses
  • Viruses will be PORTABLE, they will not depend on
    the OS
  • Virus will be able to propagate itself into the
    OS environment and recompile itself to be
    compatible with the environment it is in
  • If not successful upon compilation, it will find
    a copy of itself through Wormnet, that was
    successful in the past
  • Families of viruses will be formed

40
Future of Viruses
  • Viruses will eliminate any interaction with the
    end user, therefore they will become invisible to
    the end user (Nachi, MSBlaster)
  • Virus will propagate through security holes in
    the Operating System of the user.
  • Virus will keep track of the most convenient
    security holes to use during attack

41
Future of Viruses
  • Virus will be able to freely roam on the network,
    poking different workstations
  • Virus will update other relative viruses over the
    Wormnet about the best places to attack and
    ways of attacking

42
Future of Viruses
  • It will be polymorphic
  • As much code as possible should be changed upon
    each propagation, so that antivirus companies
    can't release a patch that will fix the virus
    problem on all workstations
  • A true polymorphic virus is yet to be attained

43
Future of Viruses
  • Once a bigger Wormnet is in place, it will
    be able to issue commands that will eliminate any
    possibility of tracing a virus to its author
  • Very valuable information can also be transmitted
    back, like bank statements, account numbers, etc.

44
Future of Viruses
  • Kevin Warwick, professor at Reading University,
    with an RFID chip in his arm and an ability to
    wire his nervous system to a computer, claims
    that people with no interest in becoming
    cyborgs in the future will be a subspecies.
  • THEREFORE...

45
Future of Viruses
  • Networking of a human to a computer would mean an
    infinite knowledge base and the ability to be
    updated. Sounds like the Matrix, huh?
  • Security problems that modern computers face,
    would be similar to those that future cyborgs
    will face

46
Future of Viruses
  • In his experiment with a mechanical arm, Warwick,
    upon connecting to the Internet, protected the
    IP address from being hijacked, and therefore his
    arm from being manipulated from the outside

47
Future of Viruses
  • The idea of RFID chips is not a novelty anymore
  • In Barcelona, for example, you can have an RFID
    chip implanted in your arm to simplify the method
    of payment for drinks in bars
  • What does the future hold? ... Let your
    imagination work

48
Web Links
  • Symantec
  • McAfee