Malicious Software

1
Malicious Software
2
First type Viruses
3
Introduction

• Computer viruses are called viruses because they
  share some of the traits of biological viruses. A
  computer virus passes from computer to computer
  like a biological virus passes from person to
  person.
• A computer virus must piggyback on top of some
  other program or document in order to get
  executed. Once it is running, it is then able to
  infect other programs or documents.

4
Definition of viruses

• Viruses - A virus is a small piece of software
  that piggybacks on real programs. For example, a
  virus might attach itself to a program such as a
  spreadsheet program. Each time the spreadsheet
  program runs, the virus runs, too.

5
E-mail viruses

• E-mail viruses - An e-mail virus moves around in
  e-mail messages, and usually replicates itself by
  automatically mailing itself to dozens of people
  in the victim's e-mail address book.

6
The part of the viruses

• Replicator its job is to ensure the survival of
  the virus on a system. Most successful viruses do
  this by not inflicting damage on the system but
  by appending themselves to legitimate programs in
  the machine. Each time the program is run then
  the virus will 'wake up' and start to reproduce.
• Concealed - This part of the virus has the job of
  hiding the virus. by using a number of methods to
  do this.

7
The part of the viruses (con)

• The payload is what the computer virus is
  programmed to do.
• Some viruses do nothing more than copy themselves
  onto another PC, much like a real virus does from
  host to host.  This is the simplest payload that
  a virus can have.
• some computer viruses have a greater effect -
  maybe they steal files or data or allow someone
  else to take control over the PC while some will
  destroy some or all of the data on the computer. 
  
• A virus can also have multiple payloads (in fact,
  any virus that does more than just spread has
  by default more than one payload) - perhaps it
  steals data and waits until some date in the
  future when it activates a new payload and
  deletes all the data on the drive or something
  similar.

8
Viruses Types and Examples

• There are a couple of different types of computer
  viruses boot sector viruses , Program viruses
  , multi-partite viruses, macro viruses, companion
  viruses and link viruses .
• These classifications take into account the
  different ways in which the virus can infect
  different parts of a system.

9
Viruses Types and Examples

• Boot viruses
• These viruses infect floppy disk boot records or
  master boot records in hard disks.
• They replace the boot record program (which is
  responsible for loading the operating system in
  memory) copying it elsewhere on the disk or
  overwriting it.
• Boot viruses load into memory if the computer
  tries to read the disk while it is booting.
• Examples Form, Disk Killer and Stone virus

10
Types and Examples (con)

• Program viruses
• These infect executable program files, such as
  those with extensions like .BIN, .COM, .EXE,.DRV
  (driver) and .SYS (device driver).
• These programs are loaded in memory during
  execution, taking the virus with them.
• The virus becomes active in memory, making copies
  of itself and infecting files on disk.
• Examples Sunday, Cascade

11
Types and Examples (con)

• Multi-partite viruses
• A hybrid of Boot and Program viruses. They infect
  program files and when the infected program is
  executed, these viruses infect the boot record.
  When you boot the computer next time the virus
  from the boot record loads in memory and then
  starts infecting other program files on
  disk.Examples Invader, Flip, and Tequila

12
Types and Examples (con)

• Macro Viruses
• A macro virus is a new type of computer virus
  that infects the macros within a document or
  template.
• When you open a word processing or spreadsheet
  document, the macro virus is activated and it
  infects the Normal template -a general purpose
  file that stores default document formatting
  settings.
• Every document you open refers to the Normal
  template, and hence gets infected with the macro
  virus.
• Since this virus attaches itself to documents,
  the infection can spread if such documents are
  opened on other computers.
• Examples DMV, Nuclear, Word Concept.

13
Macro Viruses (con)

• Why are macro viruses so successful?
• Today people share so much data, email documents
  and use the Internet to get
  programs and documents.
• Macros are also very easy to write.
• The problem is also that Word for Windows
  corrupts macros inadvertently creating new macro
  viruses.
•    
•   New macro virus by corruption

14
Symptoms of Virus Infection

• Programs take longer to load.
• A change in dates against the filenames in the
  directory.
• The floppy disk or hard disk is suddenly accessed
  without logical reason.
• Increased use of disk space and growth in file

15
Symptoms of Virus Infection (con)

• 5. Abnormal write-protect errors. The virus
  trying to write to a protected disk.
• 6. Strange characters appear in the directory
  listing of filenames. 
• 7. Strange messages like "Type Happy Birthday
  Joshi" (Joshi Virus) or "Driver Memory Error"
  (kak.worm) appear on the screen and in
  documents. 
•  
• 8. Programs may hang the computer or not work at
  all. 

16
   How to provide against viruses

• Best way to protect yourself is to prepare your
  computer against viruses in advance.
• One way to protect you computer is to use
  updated anti-virus program. When you get an email
  attachment, you should first check the attachment
  by checking the file with a anti-virus program.

17
Second type worm
18
Worms

• Worms
• is a small piece of software that uses computer
  networks and security holes to replicate itself.
• A copy of the worm scans the network for another
  machine that has a specific security hole. It
  copies itself to the new machine using the
  security hole, and then starts replicating from
  there, as well.
• Unlike a virus, it does not need to attach itself
  to an existing program. Worms always harm the
  network (if only by consuming bandwidth), whereas
  viruses always infect or corrupt files on a
  targeted computer.

19
Type of worm

• 1. Email Worms
• Spread via email messages. Typically the worm
  will arrive as email, where the message body or
  attachment contains the worm code, but it may
  also link to code on an external website.
• Poor design aside, most email systems require
  the user to explicitly open an attachment to
  activate the worm.
• Once activated the worm will send itself out
  using either local email systems (e.g. MS Outlook
  services, Windows MAPI functions), or directly
  using SMTP. The addresses it sends to are often
  harvested from the infected computers email
  system or files.

20
Type of worm (con)

• 2. Instant messaging worms
• The spreading used is via instant messaging
  applications by sending links to infected
  websites to everyone on the local contact list.
  The only difference between these and email worms
  is the way chosen to send the links
• 3. IRC worms
• Chat channels are the main target and the same
  infection/spreading method is used as above
  sending infected files or links to infected
  websites. Infected file sending is less effective
  as the recipient needs to confirm receipt, save
  the file and open it before infection will take
  place.

21
Type of worm (con)

• 4. File-sharing networks worms
• Copies itself into a shared folder, most likely
  located on the local machine.
• The worm will place a copy of itself in a shared
  folder under a harmless name.
• Now the worm is ready for download via the P2P
  network and spreading of the infected file will
  continue.

22
Type of worm (con)

• 5. Internet worms
• Those which target low level TCP/IP ports
  directly, rather than going via higher level
  protocols such as email or IRC.
• An infected machine aggressively scans random
  computers on both its local network and the
  public Internet attempting an exploit against
  port 135 which, if successful, spreads the worm
  to that machine.

23
Payload

• A "payload" is code designed to do more than
  spread the worm - it might
• delete files on a host system (eg the ExploreZip
  worm),
• encrypt files in a cryptoviral extortion attack,
• or send documents via e-mail.
• A very common payload for worms is to install a
  backdoor in the infected computer to allow the
  creation of a "zombie" under control of the worm
  author.
• Network of such machines are often referred to
  as botnets and are very commonly used by spam
  senders for sending junk email or to cloak their
  website's address. Spammers are therefore thought
  to be a source of funding for the creation of
  such worms , and worm writers have been caught
  selling lists of IP addresses of infected
  machines. Others try to blackmail companies with
  threatened DoS attacks.
• Backdoors, however they may be installed, can be
  exploited by other malware, including worms.
  Examples include Doomjuice, which spreads using
  the backdoor opened by Mydoom, and at least one
  instance of malware taking advantage of the
  rootkit backdoor installed by the Sony/BMG DRM
  software utilized by millions of music CDs prior
  to late 2005.

24
Third Type Trojan horse
25
Trojan horses

• Trojan horses - A Trojan horse is simply a
  computer program. The program claims to do one
  thing (it may claim to be a game) but instead
  does damage when you run it (it may erase your
  hard disk). Trojan horses have no way to
  replicate automatically.
• Trojan horses may appear to be useful or
  interesting programs (or at the very least
  harmless) to an unsuspecting user, but are
  actually harmful when executed.
• Trojans are also known to create a backdoor on
  your computer that gives malicious users access
  to your system, possibly allowing confidential or
  personal information to be compromised.

26
Type of Trojan horse

• There are two common types of Trojan horses.
• One, is otherwise useful software that has been
  corrupted by a cracker inserting malicious code
  that executes while the program is used. Examples
  include various implementations of weather
  alerting programs, computer clock setting
  software, and peer to peer file sharing
  utilities.
• The other type is a standalone program that
  masquerades as something else, like a game or
  image file, in order to trick the user into some
  misdirected complicity that is needed to carry
  out the program's objectives.

27
Types of Trojan horse payloads

• Trojan horse payloads are designed to do various
  harmful things, but could be harmless.
• They are broken down in classification based on
  how they breach systems and the damage they
  cause,
• The nine main types of Trojan horse payloads are
• Remote Access
• Email Sending (Data Sending Trojans )
• Data Destructive
• Downloader
• Proxy Trojan (disguising others as the infected
  computer)
• FTP Trojan (adding or copying data from the
  infected computer)
• security software disabler
• denial-of-service attack (DoS)
• URL trojan (directing the infected computer to
  only connect to the internet via an expensive
  dial-up connection)

28
Some examples are

• erasing or overwriting data on a computer.
• corrupting files in a subtle way.
• upload and download files.
• allowing remote access to the victim's computer.
  This is called a RAT (remote administration
  tool).
• spreading other malware, such as viruses. In this
  case the Trojan horse is called a 'dropper' or
  'vector'.
• setting up networks of zombie computers in order
  to launch DDoS attacks or send spam.
• make screenshots.
• logging keystrokes to steal information such as
  passwords and credit card numbers (also known as
  a keylogger).
• installing a backdoor on a computer system.
• opening and closing CD-ROM tray.
• Restarts the computer whenever the infected
  program is started.

29
Time bombs and logic bombs

• "Time bombs" and "logic bombs" are types of
  trojan horses.
• "Time bombs" activate on particular dates and/or
  times.
• "Logic bombs" activate on certain conditions met
  by the computer.

30
Methods of Infection

• The majority of Trojan horse infections occur
  because the user was tricked into running an
  infected program.
• The infected program doesn't have to arrive via
  email , it can be sent to you in an Instant
  Message, downloaded from a Web site or by FTP, or
  even delivered on a CD or floppy disk.
• Furthermore, an infected program could come from
  someone who sits down at your computer and loads
  it manually.
• By Websites You can be infected by visiting a
  rogue website.
• Email Email viruses will often send copies of
  themselves to people in the infected user's
  address book.

31
Methods of Infection (con)

• 3. open ports
• Computers running their own servers (HTTP, FTP,
  or SMTP, for example), allowing Windows file
  sharing, or running programs that provide
  filesharing capabilities such as Instant
  Messengers (AOL's AIM, MSN Messenger, etc.) may
  have vulnerabilities to trojan horse effect
• These programs and services may open a network
  port giving attackers a means for interacting
  with these programs from anywhere on the
  Internet. Vulnerabilities allowing unauthorized
  remote entry are regularly found in such
  programs, so they should be avoided or properly
  secured.
• A firewall may be used to limit access to open
  ports. Firewalls are widely used in practice, and
  they help to mitigate the problem of remote
  trojan insertion via open ports, but they are not
  a totally impenetrable solution, either.
• Some of the modern trojans that come through
  messages. They come in as a very important
  looking message, but contain trojans, the
  executable files are same as that of windows
  system processes like 'Svchost.exe',
• some of the look alike trojans are Svchost32.exe
  ,Svhost.exe ,back.exe

32
Precautions against Trojan horses

• Trojan Horses are most commonly spread through an
  e-mail, much like other types of common viruses.
  The only difference being of course is that a
  Trojan Horse payload is hidden. The best ways to
  protect yourself and your company from Trojan
  Horses are as follows
• If you receive e-mail from someone that you do
  not know or you receive an unknown attachment,
  never open it right away. As an e-mail user you
  should confirm the source. Some hackers have the
  ability to steal address books, so if you see
  e-mail from someone you know, it is not
  necessarily safe.
• When setting up your e-mail client, make sure
  that you have the settings so that attachments do
  not open automatically. Some e-mail clients come
  ready with an anti-virus program that scans any
  attachments before they are opened. If your
  client does not come with this, it would be best
  to purchase one or download one for free.

33
Precautions against Trojan horses (con)

• 3. Make sure your computer has an anti-virus
  program on it and update it regularly. If you
  have an auto-update option included in your
  anti-virus program you should turn it on that
  way if you forget to update your software you can
  still be protected from threats
• 4. Operating systems offer patches to protect
  their users from certain threats. Software
  developers like Microsoft offer patches that in a
  sense "close the hole" that the Trojan horse or
  other virus would use to get through to your
  system. If you keep your system updated with
  these patches, your computer is kept much safer.
• 5. Avoid using peer-to-peer or P2P sharing
  networks like Kazaa, Limewire, Ares, or Gnutella
  because they are generally unprotected from
  viruses and Trojan Horse viruses spread through
  them especially easily.
• If you insist on using P2P, it would be safe to
  not download files that claim to be "rare" songs,
  books, movies, pictures, etc.

34
Methods of Deletion

• Since there is a variety of trojans, deleting
  them isn't always the same.
• The common way of deleting the majority of
  trojans is by clearing your temporary internet
  files, or finding the file and deleting it
  manually, in both regular mode and safe mode.
• In certain cases, registry editing is needed. In
  this case, go to start, run, regedit, and delete
  or repair any corrupted file the trojan has made
  on the registry.