Computer Virus - PowerPoint PPT Presentation

Provided by: tsoiku
1
Computer Virus
3
How secure is your computer?
  • Windows Updated?
  • Anti-Virus?
  • Personal Firewall?
  • Router protection?
  • VPN?
  • One major part in computer security is user
    activity patterns.

4
Think before you go on.
  • Why is computer security important?
  • Where does the attack come from?
  • How to prevent/protect against attack?
  • What are the current security measures on our
    campus?
  • What is the international trend in computer
    security?

5
Overview
  • What is a Computer Virus
  • History
  • Replication Strategies
  • Methods to avoid detection
  • Security Holes
  • Case Analysis
  • Anti-virus

7
What is a Computer Virus
  • The definition of a virus in computer security
      • A segment of computer code
      • With a special aim
      • Has self-reproduction ability
      • With a mechanism to avoid being detected
  • Modern viruses target Internet-connected PCs
  • May even cause hardware damage: CIH
  • The disaster (http://www.securitystats.com/virusstats.html)
      • CIH destroyed BIOS info. (1999)
      • 50-60K copies/hr. for Mydoom, total 1.2M at least
        (2004)

8
Many types of virus
  • Trojan horses
      • Pretend to do one thing, but actually do damage
        when started
  • Worms
      • Use network and security flaws to create copies
        of themselves
  • E-mail viruses
      • Use an e-mail message as a mode of transport.
        Usually copy themselves by automatic mailing.

9
How to judge whether my computer is infected?
  • Some simple methods
  • Machine is really slow.
  • Check Windows Task Manager
      • 1. CPU usage is always near 100%
      • 2. Strange programs run and can't be killed
  • Use the net command in the cmd console
      • 1. Use net user: there is an unknown user
        account
      • 2. Use netstat -a: your machine is trying to
        connect to many unknown hosts, especially on
        ports 139, 445, etc.
  • Check the registry (REGEDIT): an unknown program is
    registered to auto-run when the machine starts.
  • Anti-virus software

10
Temporary measure
  • Disable the network connection
  • Check which program takes the majority of computer
    resources
  • Kill the suspicious program or threads in Task
    Manager if possible
  • Use another, clean machine to search the Internet
    for the special tool for killing this virus program
  • Run the special tool on your machine
  • More

11
History
  • The first computer virus: Elk Cloner
      • 1982, written by Rich Skrenta
      • Apple DOS 3.3 OS
      • Spread by floppy disk
  • The first PC virus: Brain
      • 1986, created by two brothers
      • Infected the DOS File Allocation Table (FAT) file
        system
      • Replaced the boot sector with a copy of the
        virus
      • Motivation: protect their medical software from
        piracy

12
History (cont.)
  • Computer viruses came about in the late 1980s
      • PCs were widespread in businesses, homes and on campus
      • The use of bulletin boards on the computer
  • Macro viruses
      • Have appeared since the mid-1990s
      • Written in scripting languages
      • Infected Microsoft Office documents and
        spreadsheets
  • Computer worms are popular nowadays

13
How to be a famous Computer Virus
  • Behavior beyond one's imagination
  • CIH can even cause physical damage to the computer
  • Cause a great disaster
  • From the programmer's view
  • File size: the smaller the better
  • Assembly language programming
  • Techniques used to avoid detection
  • Encryption technique

15
Replication strategies
  • Divided into two types according to behavior
  • Nonresident viruses
      • Search for other hosts that can be infected
      • Infect these targets
      • Transfer control to the application program
  • Resident viruses
      • Do not search for hosts when starting
      • Load themselves into memory on execution
      • Transfer control to the host program

16
Nonresident viruses
  • Consist of a finder module and a replication
    module
  • The task of the replicator
      • Open a new file
      • Check whether this file is infected or not
      • Append the virus code to the executable file
      • Change the starting point to the virus code
      • Close the infected code
      • Return to the finder to search for the next file

17
Resident viruses
  • The replication module is similar to the one above,
    but it is not called by the finder module
  • Load the replication module into memory, and
    infect every suitable program executed on the
    computer
  • Fast infectors and slow infectors
      • Fast infector: infects quickly, but is easy to
        detect
      • Slow infector: triggered infrequently, and a
        challenge for anti-virus software

19
Methods to avoid detection
  • Employing different kinds of deception
      • Keep the "last modified" date unchanged
      • Infect files without increasing their size or
        damaging the files
      • Attempt to kill the tasks associated with the
        virus scanner
  • New hiding techniques adopted

20
Avoiding bait files and other undesirable hosts
  • What is a bait file
      • Specially created by anti-virus software
      • Take a sample of a virus
      • Study the behavior of a virus and evaluate
        detection methods
      • Check the bait file regularly
  • Countermeasure
      • Avoid infecting bait files
      • Avoid infecting small program files that contain
        garbage instructions
      • Sparse infection

21
Stealth
  • Trick anti-virus software by intercepting its
    requests to the OS
  • E.g. intercepting a request from the anti-virus
    software to the OS and returning an uninfected
    version of the file to the anti-virus software.
  • The only completely reliable method is to boot from
    a medium that is known to be clean.

22
Self-modification
  • Virus signatures
      • A characteristic byte pattern that is part of a
        certain virus or family of viruses
      • Used by anti-virus software to detect viruses
  • Modifying their code on each infection
      • Simple self-modifications
      • Encryption with a variable key
      • Polymorphic code
      • Metamorphic code
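
A signature scan as described on this slide, written as an added example (not part of the original presentation). The struct, function names and sample bytes are constructed for illustration; the wildcard mask shows how a scanner can keep matching when one byte differs between copies, which an exact byte pattern cannot.

```c
#include <stddef.h>
#include <stdio.h>

/* A signature is a byte pattern plus an optional mask: mask[i] == 0 means "any byte". */
struct signature {
    const unsigned char *bytes;
    const unsigned char *mask;   /* NULL = every byte must match exactly */
    size_t len;
};

/* Returns the offset of the first match in buf, or -1 if the pattern is absent. */
long sig_scan(const unsigned char *buf, size_t buf_len, const struct signature *sig)
{
    if (sig->len == 0 || sig->len > buf_len)
        return -1;
    for (size_t off = 0; off + sig->len <= buf_len; off++) {
        size_t i = 0;
        while (i < sig->len &&
               ((sig->mask && sig->mask[i] == 0) || buf[off + i] == sig->bytes[i]))
            i++;
        if (i == sig->len)
            return (long)off;
    }
    return -1;
}

/* Constructed, harmless sample data. SAMPLE_A and SAMPLE_B differ only in the
 * byte at offset 6, standing in for a value that changes from copy to copy. */
static const unsigned char SAMPLE_A[] = { 0x00, 0x11, 0xDE, 0xAD, 0xBE, 0xEF, 0x41, 0xC0, 0xDE, 0x22 };
static const unsigned char SAMPLE_B[] = { 0x00, 0x11, 0xDE, 0xAD, 0xBE, 0xEF, 0x7A, 0xC0, 0xDE, 0x22 };
static const unsigned char CLEAN[]    = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99 };

static const unsigned char PATTERN[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0x41, 0xC0, 0xDE };
static const unsigned char MASK[]    = { 1, 1, 1, 1, 0, 1, 1 };   /* 5th byte is a wildcard */
const struct signature EXACT    = { PATTERN, NULL, sizeof PATTERN };
const struct signature WILDCARD = { PATTERN, MASK, sizeof PATTERN };

int main(void)
{
    printf("A exact:    %ld\n", sig_scan(SAMPLE_A, sizeof SAMPLE_A, &EXACT));
    printf("B exact:    %ld\n", sig_scan(SAMPLE_B, sizeof SAMPLE_B, &EXACT));
    printf("B wildcard: %ld\n", sig_scan(SAMPLE_B, sizeof SAMPLE_B, &WILDCARD));
    printf("clean:      %ld\n", sig_scan(CLEAN, sizeof CLEAN, &WILDCARD));
    return 0;
}
```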

23
Security Holes
  • Security holes are everywhere
  • Design or manufacturing flaws in products
  • Can be used to gain access to certain computer
    resources
  • Either in software or hardware
  • Cannot be avoided (at user level)
  • May be caused by altering system configuration and
    other software
  • Detection: testers and user reports
  • Patch and update

24
Security Holes: Buffer Overflow
  • Buffer: a location to store data (temporary?)
  • Usually in programs written in C/C++
  • Lack the ability to check content boundaries
  • Extra user data will overwrite the system contents,
    including data or program
  • Result: the system will be in an unexpected state
  • Solution: always use a function that has the ability
    to limit content length
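
The slide's solution in C, as an added example that is not part of the original presentation: an unbounded copy beside a length-limited one. The `account` struct, its field names and the 16-byte size are assumptions chosen to show what sits next to the buffer.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16            /* constructed buffer size for this example */

struct account {
    char name[NAME_LEN];       /* buffer filled from user input */
    int  is_admin;             /* neighbouring data an overflow could overwrite */
};

/* Before: strcpy() has no length limit. Any input of NAME_LEN bytes or more
 * writes past name[] into whatever follows it. Kept for comparison, never called. */
void set_name_unbounded(struct account *a, const char *input)
{
    strcpy(a->name, input);
}

/* After: snprintf() never writes more than NAME_LEN bytes (terminator included)
 * and returns the length the full input needed, so truncation is detectable.
 * Returns 0 on success, -1 if the input did not fit. */
int set_name_bounded(struct account *a, const char *input)
{
    int needed = snprintf(a->name, sizeof a->name, "%s", input);
    if (needed < 0 || (size_t)needed >= sizeof a->name)
        return -1;             /* caller decides whether to reject the input */
    return 0;
}

int main(void)
{
    struct account a = { "", 0 };
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 32 bytes, constructed */

    printf("rc=%d name=%s\n", set_name_bounded(&a, "alice"), a.name);
    printf("rc=%d ", set_name_bounded(&a, too_long));
    printf("name=%s is_admin=%d\n", a.name, a.is_admin);
    return 0;
}
```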

26
Anti-Virus
  • Run Windows Update regularly
  • Select good anti-virus software
      • Norton, Kaspersky, Trend etc.
      • Update the virus database regularly
  • Select good firewall software
      • Blackice etc.
  • Good usage habits
      • Strong password for your computer
      • Don't go to some websites
      • Don't download and run suspicious files

27
Quiz
  • Assessment 15
  • Date 04 Nov, 2008
  • Closed-book
  • Around 30 mins
  • Multiple choices

28
Sample
  • Which of these is not a component of a system?
  • A. Control
  • B. Inference
  • C. Input
  • D. Output
  • E. Processing

29
Sample
  • What do you call a piece of code that attaches to
    an application program and secretly spreads when
    the application program is executed?
  • A. Virus
  • B. Worm
  • C. Trojan horse
  • D. Spybot
  • E. Antivirus

30
Thank You !