Virus Primer - PowerPoint PPT Presentation


Slides: 40
Provided by: csd60
Virus Primer
  • Classifications of Malware
  • The Classic Virus
  • Worms
  • Trojans
  • Other forms of Malware
  • Annoyances
  • Identifying Threats
  • Virus Naming Conventions
  • Combating Malware

Concept of Malware
  • Blanket industry term used to describe the
    variety of "malicious software" that is in
    circulation around the world
  • Includes
  • Viruses
  • Worms
  • Trojans
  • computer "bombs"
  • other forms of intentionally destructive software
  • non-destructive software pranks

The Classic Virus
  • A self-replicating computer program that can
    "infect" other computer programs
  • May cause no damage
  • Successful viruses try to stay undetected and
    replicate themselves as much as possible before
    actually delivering their final payload
  • Newer forms of malware that spread rapidly via
    e-mail and the internet may be configured to
    disable their host system immediately to prevent
    the user from warning the people on their contact
    list not to open the e-mail that triggered their

Components of a Virus
  • Method of Infection
  • Trigger
  • Payload/Warhead

Method of Infection
  • Infecting the boot sector
  • Modifying an existing program or lines of code
  • Inserting itself into Microsoft Office documents
  • Attaching itself to network resources

Trigger
  • The component of a virus that launches its
    payload (if it has one)
  • Examples
  • a specific date or time
  • an action by the user (opening a file)
  • a sequence of events or keystrokes
  • a repetition of events
  • Trigger delay
  • Longer delay: more opportunity to spread
  • Too long: risk of detection

Payload/Warhead
  • The final component
  • A screen message that taunts the user
  • Destructive package
  • scrambles data
  • deletes files
  • creates backdoors into systems
  • causes system crashes

Types of Viruses
  • Armored
  • Boot Sector
  • Companion (Spawning)
  • File Infecting/Parasitic
  • Germ
  • Intended
  • Latent
  • Macro and scripting
  • Multi-partite
  • Polymorphic
  • Proof of concept
  • Retrovirus
  • Stealth
  • Sparse Infectors

Armored Virus
  • A virus which has been "hardened" to make
    disassembly of its source code or reverse
    engineering by antivirus analysts more difficult.

Boot Sector Virus
  • Common when floppy disks were the primary method
    for sharing files
  • Infects the master boot record (MBR) of a floppy
  • Spreads to a user's hard drive
  • Will attempt to infect every floppy disk that is
  • Continues spreading until it's discovered

Companion (Spawning) Viruses
  • Companion viruses take advantage of a quirk in
    MS-DOS-based operating systems, and use malicious
    files with a .COM extension, instead of actually
    infecting .EXE or executable files
  • The operating system "fills in" the extension for
    you and executes any .COM file before using its
    equivalent .EXE
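As an added illustration of the quirk above (not code from the original slides), the check below models the MS-DOS command-resolution order and flags any .EXE or .BAT that would be pre-empted by a same-name .COM, which is the footprint a companion virus leaves. The resolution order .COM, .EXE, .BAT and the directory listing are assumptions made for the example.

```python
"""Defender-side check for the companion-virus quirk: when a bare command
name is typed, DOS runs NAME.COM before NAME.EXE (and NAME.EXE before
NAME.BAT), so a planted NAME.COM silently hijacks NAME.EXE."""
from typing import Dict, List, Optional

# Resolution order MS-DOS uses for an extension-less command (assumed here).
DOS_SEARCH_ORDER = (".COM", ".EXE", ".BAT")


def resolve_command(command: str, files: List[str]) -> Optional[str]:
    """Return the file DOS would run for `command` in a directory that
    contains `files`, or None when no candidate exists."""
    present = {f.upper() for f in files}
    for ext in DOS_SEARCH_ORDER:
        candidate = command.upper() + ext
        if candidate in present:
            return candidate
    return None


def find_shadowed(files: List[str]) -> Dict[str, str]:
    """Map each executable that is pre-empted by a same-name file earlier
    in the search order to the file that would actually run. A freshly
    appeared NAME.COM beside an existing NAME.EXE is worth inspecting."""
    present = {f.upper() for f in files}
    shadowed: Dict[str, str] = {}
    for f in sorted(present):
        stem, dot, ext = f.rpartition(".")
        if not dot or "." + ext not in DOS_SEARCH_ORDER:
            continue  # not something DOS would run from a bare name
        winner = resolve_command(stem, files)
        if winner and winner != f:
            shadowed[f] = winner
    return shadowed


# Constructed directory listing for the example (not from a real system).
SAMPLE_DIR = ["EDIT.EXE", "EDIT.COM", "FORMAT.COM", "XCOPY.EXE",
              "AUTOEXEC.BAT", "README.TXT"]

if __name__ == "__main__":
    for victim, winner in find_shadowed(SAMPLE_DIR).items():
        print(f"{victim} is shadowed by {winner}")
```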

File Infecting/Parasitic Viruses
  • Infects program files such as those with .EXE,
    .SYS, .PRG, .BAT, and other extensions
  • Virus writers may insert code at either the
    beginning or the end of a program so that it is
    launched whenever the program is executed
  • Overwrite code in an executable to avoid changing
    the size of the original file and hopefully
    escape detection
  • Cavity viruses attempt to use the "empty space"
    in a program to modify and infect the file
    without breaking its functionality or changing
    the file size

Germ Viruses
  • The first initial programmed form of a virus
    (generation zero).

Intended Viruses
  • Written to be viruses but don't actually
  • Contrary to the popular myth, many virus writers
    are rank amateurs as well as some of the worst
    coders in the world. Their attempts at virus
    writing are often dismal failures and they don't
    receive much press.

Latent Viruses
  • Viruses that simply have not been executed
  • A virus written for the Windows platform that was
    sent via e-mail to a Mac user (or stored on a
    UNIX server), is relatively benign to that system
  • Antivirus scanners that check only for viruses
    native to those platforms may miss the file
  • If that file is shared and a Windows user
    attempts to open or execute it, the virus can
    rapidly become an active threat on your network

Macro and scripting viruses
  • Exploit the scripting functionality that
    Microsoft built into its Office productivity
  • Small scripts embedded into Word or Excel that
    allow routine tasks to be automated
  • Once an infected file is launched, the macro
    replicates itself to all similar documents and
    spreads rapidly through the network

Multi-partite Viruses
  • Called dual infectors
  • Use more than one mechanism to spread themselves
    and infect other systems
  • May infect both the data on a disk as well as the
    Master Boot Record

Polymorphic Viruses
  • Definition-based antivirus software identifies
    viruses by searching for small unique strings of
    code (known as signatures) that only exist in
    known viruses
  • A polymorphic virus alters its code and produces
    a functional variation of itself in the hope of
    escaping detection
  • Easily detectable by most modern antivirus
  • The polymorphism concept has also been used by
    modern e-mail worms (such as LoveBug) that use
    variable subject lines and filenames in order to
    foil attempts to block them at mail gateways

Proof of Concept Viruses
  • Usually created with an academic purpose rather
    than malicious intent
  • A researcher may simply wish to prove a
    theoretical point about a vulnerability or method
    of attack
  • In most cases, proof of concept viruses are
    confined to labs and never make it into the wild,
    although some malicious programmers may create
    variants based on the concept. 

Retrovirus
  • A virus that attacks or disables antivirus

Stealth Viruses
  • Stealth is a technology, rather than an actual
    virus type
  • Stealth viruses attempt to hide themselves from
    antivirus programs, often by intercepting or
    trapping disk access requests
  • Whenever an antivirus program attempts to read
    and analyze infected files, the virus returns
    information that the original, uninfected program
    would have returned

Sparse Infectors
  • Attempt to avoid detection by only infecting
    files intermittently
  • There are a number of mechanisms that are used to
    accomplish this, including counters and
    environmental variables such as date and time

Worms
  • Computer programs that replicate themselves
    across network connections, without modifying or
    attaching themselves to a host program.
  • Some experts consider worms a special type of
    virus instead of giving them their own category;
    however, the classifications that traditionally
    separate worms and viruses are beginning to blur

Trojans
  • Trojans are programs that claim to be one thing
    (usually appearing harmless), but carry an
    undesirable and often destructive payload
  • Trojans are a delivery vehicle for other forms of
    malware and often rely on a bit of social
    engineering to trick a user into actually
    launching the program
  • Despite warning computer users not to simply
    click on e-mail attachments (especially
    executables), the Trojan is still an effective
    tool for spreading malware

Other forms of Malware
  • There are a number of non-replicating forms of
    malware that are designed to
  • destroy or steal data
  • open backdoors into systems
  • disable networks
  • hijack remote systems

DDoS Agents
  • A denial of service attack attempts to overwhelm
    a network or system resource in order to deny
    legitimate users access to that resource
  • A distributed denial of service attack (DDoS)
    utilizes hundreds or even thousands of computers
  • Hackers "recruit" computer systems to help them
    in their attacks by sending out Trojan programs
    that install agents on the affected PC
  • These agents lay relatively dormant until they
    receive further instructions from the hacker's
    computer (usually a very small bit of code), and
    then begin flooding the network (or a specific
    target) with garbage traffic. 

Logic Bombs
  • Waits for a specific trigger (such as a date or
    sequence of events) to launch
  • For hackers and disgruntled employees, it is an
    effective way of delivering a destructive payload
    long after they've left and cleaned up their
  • In one famous case, an administrator buried a
    program on his company's server that checked for
    the existence of his user account. If his account
    was deleted or disabled, the program would launch
    and begin deleting files on servers across the
  • Unfortunately, this type of logic bomb is usually
    a custom program or script that is difficult to
    detect and would not be identified by anti-virus

  • Malicious programs can be seeded onto a file
    server or placed on innocent looking disks that
    are left lying about a server
  • Usually custom programs written and spread by
    disgruntled employees or contractors with an axe
    to grind, and are almost impossible to defend

Password Stealers and Keystroke Loggers
  • Programs that are written to capture a user's
    keystrokes, write the data to a log and then send
    the log to a remote location or e-mail address.
  • Often difficult to locate, and may not be
    detected by anti-virus software

Parasite Software
  • Some shareware, freeware, and adware programs are
    being packaged with additional software that can
    monitor your browsing habits, and even sell your
    unused CPU time and unused disk space to other
    vendors which in the process also consumes your
    network resources
  • The legal tools that allow these vendors to do
    this are buried in the end user license agreement
    that no one actually reads

Remote Access Tools (RATs)
  • Known as "backdoor agents"
  • These tools give hackers a way into a trusted
    system that exists on a network

Unlicensed software
  • While not technically "malware" because it's not
    malicious by design, unlicensed or pirated
    software can cost your company 20,000 per
    incident if your company is ever audited

Annoyances
  • False positives
  • Hoaxes
  • Hype
  • Jokes and Pranks
  • Mail Bombs

Virus Naming Conventions
  • The process of identifying threats is complicated
    by the lack of a formal standard for anti-virus
    and malware naming conventions
  • In some cases the virus writer includes the name
    of the virus in the code itself (Code Red, Nimda)
  • In other cases, antivirus vendors name the virus
    whatever they want without consulting each other,
    resulting in 4 or 5 different names for the same

CARO Standard
  • In 1991 a group of researchers from the Computer
    Antivirus Researcher Organization (CARO)
    attempted to standardize antivirus naming
    conventions and produce a list of guidelines that
    have been adopted by many of the leading
    antivirus vendors
  • The basic CARO formula for virus naming is

CARO Standard (cont)
  • Prefix - The prefix helps to quickly identify
    what type of virus or malware it is. A sample of
    commonly used prefixes includes
  • W95 - Viruses written for Windows 95
  • W32 - Viruses written for all 32-bit Windows
  • WNT - Viruses written for Windows NT/2000
  • Linux - Viruses written for the Linux platform
  • WM - Word macro viruses. These may include version
    numbers such as W97M for Word 97
  • XM - Excel macro viruses. These may include version
    numbers such as X97M for Excel 97
  • PPT - PowerPoint viruses
  • AM - Microsoft Access viruses. These may include
    version numbers such as A97M for Access 97
  • VBS - Viruses utilizing Visual Basic Script
  • JAVA - Java viruses
  • Trojan - Trojan programs, sometimes abbreviated as
  • Worm - A worm. The prefix I-Worm is used to denote
    Internet worms
  • JOKE - A joke or prank

CARO Standard (cont)
  • Family Name - Represents the family to which the
    virus belongs based on the structural
    similarities of the virus, but sometimes a formal
    definition of a family is impossible. It may also
    be found in the code itself, essentially giving
    the author the chance to name the virus. 
  • Group Name - A subcategory of family, but is
    rarely used.
  • Major Variant -  Almost always a number, which is
    the infective length of the virus (if known) 
  • Minor Variant - Small variants of an existing
    virus, usually having the same infective length
    and structure. The minor variant is usually
    identified by a single letter (A, B, C, etc.)
  • Modifier - Modifiers are used to describe
    polymorphic viruses, and are identified by which
    polymorphic engine they use. If more than one
    polymorphic engine is used, the definition may
    include more than one modifier.
  • Suffix - Suffixes are used to describe specifically
    how the virus spreads, such as e-mail or mass
    mailers, which are abbreviated @M and @MM
  • Examples
  • W32.Nimda.A@MM, W32.Klez.H@MM
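The parser below is an added example (not from the original slides) that splits a CARO-style name into the components listed above and uses them to tell whether two vendor names refer to variants of one family. The grammar it assumes (Prefix.Family[.MajorVariant][.MinorVariant][@Suffix]) is inferred from the examples on the slide; polymorphic-engine modifiers and the rarely used group name are left out.

```python
"""Parse CARO-style malware names such as W32.Nimda.A@MM into their parts."""
import re
from typing import Dict, Optional

# Prefixes taken from the slide; descriptions paraphrased from it.
PREFIXES: Dict[str, str] = {
    "W95": "Windows 95", "W32": "32-bit Windows", "WNT": "Windows NT/2000",
    "Linux": "Linux", "WM": "Word macro", "W97M": "Word 97 macro",
    "XM": "Excel macro", "X97M": "Excel 97 macro", "PPT": "PowerPoint",
    "AM": "Access macro", "A97M": "Access 97 macro", "VBS": "VBScript",
    "JAVA": "Java", "Trojan": "Trojan", "Worm": "Worm",
    "I-Worm": "Internet worm", "JOKE": "Joke/prank",
}
SUFFIXES: Dict[str, str] = {"M": "mailer", "MM": "mass mailer"}

# Assumed grammar: Prefix.Family[.Major][.Minor][@Suffix]
_NAME = re.compile(
    r"^(?P<prefix>[A-Za-z0-9-]+)\."     # platform/type prefix
    r"(?P<family>[A-Za-z0-9_]+)"        # family name
    r"(?:\.(?P<major>\d+))?"            # major variant: infective length
    r"(?:\.(?P<minor>[A-Z]{1,3}))?"     # minor variant: A, B, ... AA
    r"(?:@(?P<suffix>[A-Za-z]+))?$"     # spreading-method suffix
)


def parse_caro(name: str) -> Dict[str, Optional[str]]:
    """Split `name` into its CARO components; raise ValueError if it does
    not follow the assumed grammar (e.g. a bare family name)."""
    m = _NAME.match(name.strip())
    if not m:
        raise ValueError(f"not a CARO-style name: {name!r}")
    parts: Dict[str, Optional[str]] = m.groupdict()
    parts["platform"] = PREFIXES.get(parts["prefix"] or "", "unknown prefix")
    parts["spread"] = SUFFIXES.get(parts["suffix"]) if parts["suffix"] else None
    return parts


def same_family(a: str, b: str) -> bool:
    """True when two names share prefix and family, i.e. they describe
    variants of one piece of malware rather than different threats."""
    pa, pb = parse_caro(a), parse_caro(b)
    return (pa["prefix"], (pa["family"] or "").lower()) == \
           (pb["prefix"], (pb["family"] or "").lower())


if __name__ == "__main__":
    for n in ("W32.Nimda.A@MM", "W32.Klez.H@MM"):
        print(n, parse_caro(n))
```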

Combating Malware
  • Hire a full time antivirus administrator
  • Subscribe to antivirus vendors e-mail lists
  • Establish a single point of contact
  • Install e-mail filtering
  • Establish strict e-mail policies
  • Internet policies
  • Lock down your workstations
  • Secure your servers
  • Update systems for security vulnerabilities
  • Use a multi-tiered approach with AV software
  • Don't rely on Antivirus software alone
  • Scan proactively
  • Backup aggressively
  • Monitor your power users
  • Monitor your laptop users
  • Secure your wireless networks
  • Educate your users
  • Educate management