Viruses and Worms - PowerPoint PPT Presentation

About This Presentation

Viruses and Worms



Slides: 47
Provided by: Comp714



Viruses and Worms
  • By Olga Bibas

Malicious programs are perhaps the most
sophisticated threats to computer systems. These
threats can be divided into two categories:
  • Those that need a host program: these are
    fragments of programs that cannot exist
    independently of some actual application program,
    utility or system program.
  • Those that are independent: these are self-contained
    programs that can be scheduled and run by the
    operating system.

The figure (not reproduced in this transcript) shows these differences.

Trapdoor
  • Also called a backdoor. An undocumented way of
    gaining access to a program, online service or an
    entire computer system without going through the
    usual security access procedures. The trapdoor is
    written by the programmer who creates the code
    for the program. It is often only known by the
    programmer. A trapdoor is a potential security

Logic Bomb
  • Malicious code embedded in some legitimate
    program that is set to explode when certain
    conditions are met. Examples of conditions that
    can be used as triggers for a logic bomb are the
    presence or absence of certain files, a
    particular day of the week or date, or a
    particular user running the application.

Trojan Horses
  • A useful program containing hidden code that,
    when invoked, performs some unwanted or harmful
    function. Unlike a virus, Trojan horses do not
    replicate themselves but they can be just as
    destructive. One of the most insidious types of
    Trojan horse is a program that claims to rid your
    computer of viruses but instead introduces
    viruses onto your computer.

Virus
  • A program or piece of code that is loaded onto
    your computer without your knowledge and runs
    against your wishes. It can infect other programs
    by modifying them; the modification includes a
    copy of the virus program, which can then go on
    to infect other programs. All computer viruses
    are man-made. A simple virus that can make a copy
    of itself over and over again is relatively easy
    to produce.

  • A computer virus carries in its instructional
    code the recipe for making perfect copies of
    itself. Lodged in a host computer, the typical
    virus takes temporary control of the computer's
    disk operating system. Then, whenever the
    infected computer comes into contact with an
    uninfected piece of software, a fresh copy of the
    virus passes into the new program.

  • Since 1987, when a virus infected ARPANET, many
    antivirus programs have become available. These
    programs periodically check your computer system
    for the best-known types of viruses.

Bacteria
  • Programs that do not explicitly damage any
    files. Their sole purpose is to replicate
    themselves. Bacteria reproduce exponentially,
    eventually taking up all the processor capacity,
    memory, or disk space, denying users access to
    those resources.

Worm
  • A program or algorithm that replicates itself
    over a computer network and usually performs
    malicious actions, such as using up the
    computer's resources and possibly shutting the
    system down. The worm cannot attach itself to
    other programs.

To replicate itself, a network worm uses some
sort of network vehicle. Some examples are:
  • Electronic mail facility: a worm mails a
    copy of itself to other systems.
  • Remote execution capability: a worm
    executes a copy of itself on another system.
  • Remote login capability: a worm logs onto a
    remote system as a user and then uses commands to
    copy itself from one system to the other.

The Nature of Viruses
  • A virus can do anything that other programs do.
    The only difference is that it attaches itself to
    another program and executes secretly when the
    host program is run. Once a virus is executing,
    it can perform any function, such as erasing
    files and programs.

A typical virus goes through the following
phases:
  • Dormant phase
  • Propagation phase
  • Triggering phase
  • Execution phase

Dormant phase
  • The virus is idle. The virus will eventually be
    activated by some event, such as the date, the
    presence of another program or file, or the
    capacity of the disk exceeding some limit. Not
    all viruses have this stage.

Propagation phase
  • The virus places an identical copy of itself into
    other programs or into certain system areas on
    the disk. Each infected program will now contain
    a clone of the virus, which will itself enter a
    propagation phase.

Triggering phase
  • The virus is activated to perform the
    function for which it was intended. This phase
    can be caused by a variety of system events,
    including a count of the number of times that
    this copy of the virus has made copies of itself.

Execution phase
  • The function is performed. The function may
    be harmless, such as a message on the screen, or
    damaging, such as the destruction of programs and
    data files.

Virus Structure
  • The key to the operation of the virus is that
    the infected program, when invoked, will first
    execute the virus code and then execute the
    original code of the program.

Initial infection
  • Most viral infections initiate with a disk from
    which programs are copied onto a machine. Many of
    these disks carry games or other material that
    employees bring from their home computers and put
    on an office machine. Only a small fraction of
    infections starts across a network connection.

  • Once a virus has gained entry to a system by
    infecting a program, it is in a position to
    infect some or all other executable files on that
    system when the infected program executes. Viral
    infections can be prevented by not letting the
    virus gain entry in the first place. Prevention
    can be quite difficult because a virus can be
    part of any program brought in from outside the system.

Types of Viruses
  • Parasitic virus: It attaches itself to
    executable files and replicates, when the
    infected program is executed, by finding other
    executable files to infect.
  • Memory-resident virus: Lodges in main memory
    as part of a resident system program. From that
    point on, the virus infects every program that

  • Boot sector virus: Infects a master boot
    record or boot record and spreads when a system
    is booted from the disk containing the virus.
  • Stealth virus: A form of virus
    explicitly designed to hide itself from detection
    by antivirus software.
  • Polymorphic virus: A virus that mutates
    with every infection, making detection by the
    signature of the virus impossible.

Macro Viruses
  • These viruses are threatening for several reasons:
  • Virtually all macro viruses infect Microsoft Word
    documents. Any hardware platform and operating
    system that supports Word can be infected.
  • Macro viruses infect documents, not executable
    portions of code. Most of the information
    introduced into a computer is in the form of
  • Macro viruses are easily spread. An example is
    electronic mail.

  • Macro viruses take advantage of a feature
    found in office applications, such as Microsoft
    Excel or Microsoft Word. This feature is the
  • A macro virus spreads as follows. A command macro is
    attached to a Word document that is introduced
    into a system by e-mail or disk transfer. At some
    point, when the document is opened, the macro
    executes. The macro copies itself to the global
    macro file. When the next session of Word opens,
    the infected global macro is active. When this
    macro executes, it can replicate itself and cause

Macro Virus Protection tool
  • Microsoft offers an optional Macro Virus
    Protection tool that detects suspicious Word
    files and alerts the customer to the potential
    risk of opening a file with macros. Antivirus
    vendors have also developed tools to detect and
    correct macro viruses.

  • The ideal solution to the threat of viruses is
    to not allow them to get into the system in the
    first place. This is impossible to achieve,
    although prevention can reduce the number of
    successful viral attacks.

Advanced Antivirus Techniques
  • Two of the most important sophisticated
    antivirus approaches are:
  • Generic Decryption
  • Digital Immune System

Generic Decryption
  • This technology enables the antivirus program
    to detect easily even the most complex
    polymorphic viruses while maintaining fast
    scanning speeds. When a file containing a
    polymorphic virus is executed, the virus must
    decrypt itself to activate. In order to detect
    such a structure, executable files are run
    through a Generic Decryption scanner.
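
The following is an added illustration, not code from the presentation: a toy model of why a fixed byte signature misses a polymorphic sample, and how a generic-decryption style scan (let the sample's own decryptor run, then scan the decrypted image) still finds it. The signature bytes, the one-byte XOR "mutation" and the key-plus-body layout are all constructed for the example and stand in for a real decryptor stub.

```python
# Added example, not from the presentation: a toy model of why a fixed byte
# signature misses a polymorphic sample and how a generic-decryption scan
# (let the sample's own decryptor run, then scan the result) recovers it.
# Every byte below is constructed test data, not a real virus.

# Constructed: the invariant body bytes a signature scanner would look for.
SIGNATURE = b"TOY-VIRUS-BODY"


def make_mutated_copy(body: bytes, key: int) -> bytes:
    """Constructed toy 'polymorphic' layout: a 1-byte key (the parameter the
    decryptor stub carries) followed by the body XOR-encoded with that key.
    Each new infection picks a different key, so the stored bytes differ."""
    return bytes([key]) + bytes(b ^ key for b in body)


def static_scan(sample: bytes, sig: bytes = SIGNATURE) -> bool:
    """Classic signature scanning: substring match on the file as stored."""
    return sig in sample


def generic_decryption_scan(sample: bytes, sig: bytes = SIGNATURE) -> bool:
    """Generic-decryption style scan: emulate the sample's own decryptor
    (here, apply the stored key) and scan the decrypted image instead."""
    if not sample:
        return False
    key, encoded = sample[0], sample[1:]
    decrypted = bytes(b ^ key for b in encoded)
    return sig in decrypted


def common_bytes(a: bytes, b: bytes) -> int:
    """Positions where two stored copies agree; shows how little they share."""
    return sum(1 for x, y in zip(a, b) if x == y)


if __name__ == "__main__":
    copy1 = make_mutated_copy(SIGNATURE, 0x5A)
    copy2 = make_mutated_copy(SIGNATURE, 0xC3)
    print("static signature scan  :", static_scan(copy1), static_scan(copy2))
    print("generic decryption scan:", generic_decryption_scan(copy1),
          generic_decryption_scan(copy2))
    print("bytes the two copies share:", common_bytes(copy1, copy2))
```

Two copies made with different keys share no stored bytes, so no fixed signature matches both, yet both decrypt to the same body; a key of 0 would leave the body in the clear and the static scanner would catch that copy too.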

Digital Immune System
  • The objective of this system is to provide
    rapid response time so that viruses can be
    stamped out almost as soon as they are
    introduced. When a virus enters an organization,
    the immune system automatically captures it,
    analyzes it, adds detection and shielding for it,
    removes it, and passes information about the
    virus to systems running IBM AntiVirus so that it
    can be detected before it is allowed to run.

  • NIST recommends using a two-tiered approach for
    detecting and preventing viruses from spreading:
  • On personal computers, install and use anti-virus
    software capable of scanning disks, attachments
    to email, files downloaded from the web, and
    documents generated by word processing and
    spreadsheet programs.
  • Use anti-virus software at Internet gateways or
    firewalls to scan email attachments and other
    downloaded files.

Nimda
  • Discovered on September 18, 2001
  • W32.Nimda.A@mm is a new mass-mailing worm that
    utilizes email to propagate itself. The threat
    arrives as readme.exe in an email. It is a virus
    infecting both local files and files on remote
    network shares.
  • Type: Worm

  • It affects Windows 95, Windows 98, Windows Me,
    Windows NT 4 and Windows 2000 users.
  • Nimda is the first worm to modify existing web
    sites to start offering infected files for
    download. Also it is the first worm to use normal
    end user machines to scan for vulnerable web

  • 1) File infection
  • Nimda locates EXE files on the local machine
    and infects them by putting the file inside its
    body as a resource, thus 'assimilating' that
    file. These files then spread the infection when
    people exchange programs such as games.

  • 2) Mass mailer
  • Nimda locates e-mail addresses via MAPI from
    your e-mail client as well as searching local
    HTML files for additional addresses. Then it
    sends one e-mail to each address. These mails
    contain an attachment called README.EXE, which
    might be executed automatically on some systems.
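
As an added example (not from the presentation), this is the gateway-side attachment check that NIST's second tier above calls for, applied to the mass-mailer behaviour just described: it flags attachments by executable file name and by the "MZ" magic that DOS/Windows executables start with, whatever name or content type the message declares. The message, its boundary and the fake "MZ" payloads are constructed test data; README.EXE is the attachment name the presentation gives for Nimda, and the suffix list is an assumed gateway policy.

```python
# Added example, not from the presentation: a gateway attachment check that
# flags executables by file name and by the DOS/PE "MZ" magic, whatever the
# message declares. The message below is constructed test data, and the
# executable suffix list is an assumed local policy.
import base64
from email import message_from_bytes

# Assumption: suffixes this gateway treats as executable.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".pif", ".com", ".bat", ".vbs")


def attachment_findings(raw_message: bytes) -> list:
    """Return (filename, declared content type, reason) for each part that
    looks executable, checking both the declared name and the real bytes."""
    findings = []
    for part in message_from_bytes(raw_message).walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        body = part.get_payload(decode=True) or b""
        if name.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append((name, ctype, "executable file name"))
        elif body.startswith(b"MZ"):
            # Declared as something harmless, but the bytes are a DOS/PE image.
            findings.append((name, ctype, "executable content under a non-executable name"))
    return findings


def _part(ctype: str, filename: str, content: bytes) -> bytes:
    """Build one constructed base64-encoded attachment part."""
    head = (f"--B1\r\nContent-Type: {ctype}; name=\"{filename}\"\r\n"
            f"Content-Transfer-Encoding: base64\r\n"
            f"Content-Disposition: attachment; filename=\"{filename}\"\r\n\r\n")
    return head.encode() + base64.b64encode(content) + b"\r\n"


# Constructed sample message: a text body plus two attachments whose bytes
# are a fake 'MZ' header padded with zeros, not a real program.
SAMPLE_MESSAGE = (
    b"From: sender@example.com\r\nTo: you@example.com\r\nSubject: hi\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"B1\"\r\n\r\n"
    b"--B1\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
    + _part("application/octet-stream", "README.EXE", b"MZ" + b"\x00" * 14)
    + _part("text/plain", "notes.txt", b"MZ" + b"\x00" * 14)
    + b"--B1--\r\n"
)

if __name__ == "__main__":
    for name, ctype, reason in attachment_findings(SAMPLE_MESSAGE):
        print(f"quarantine: {name!r} ({ctype}): {reason}")
```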

  • 3) Web worm
  • Nimda starts to scan the internet, trying to
    locate www servers. Once a web server is found,
    the worm tries to infect it by using several
    known security holes. If this succeeds, the worm
    will modify random web pages on the site. End
    result of this modification is that web surfers
    browsing the site will get automatically infected
    by the worm.

  • 4) LAN propagation
  • The worm will search for file shares in the
    local network, either from file servers or from
    end user machines. When other users try to open
    these files from these directories, Word, WordPad
    or Outlook will execute RICHED20.DLL causing an
    infection of the PC. The worm will also infect
    remote files if it was started on a server.

E-Mail spreading
  • The worm searches through all the '.htm' and
    '.html' files in the Temporary Internet Files
    folder for e-mail addresses. It reads through the
    user's inbox and collects the sender addresses.
    When the address list is ready it uses its own
    SMTP engine to send the infected messages.

IIS spreading
  • The worm uses backdoors on IIS servers, such as
    the one Code Red II installs. It scans random IP
    addresses for these backdoors. When a host is
    found to have one, the worm instructs the machine
    to download the worm code (Admin.dll) from the
    host used for scanning. After this it executes
    the worm on the target machine, this way infecting

  • F-Secure Anti-Virus with the latest updates can
    detect and disinfect Nimda infections. But full
    disinfection of the worm will require some
    additional manual actions.
  • The F-NIMDA tool was developed to automate these
    actions. Download F-NIMDA from
  • ftp//

  • A web site can get infected in two ways:
  • 1) Infected HTML files are copied to the web server.
    If there are infected computers in your
    organization, their local HTML files get
    infected. Users might then later copy or upload
    such infected pages to your www server.
    Alternatively, if your www files are accessible
    via file sharing, the worm might infect them
    directly from a workstation. To clean your site,
    locate all HTML pages which refer to "README.EML"
    and remove the extra JavaScript code from the end
    of the pages.

  • 2) Direct web worm infection. If your web site is
    running an unsafe version of IIS, the worm can
    infect your site by accessing it through HTTP.
    After this it will restart spreading from your
    server. In this case, it is not enough to just
    clean the virus - your web server is unsafe and
    has been so for a while. It's likely there have
    been previous illegitimate accesses to your site as
    well and it should be considered compromised. We
    recommend rebuilding the web server and applying
    the latest patches before restoring clean copies of
    the HTML pages.
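
As an added example (not part of the presentation or of any vendor tool), here is a cleanup helper for scenario 1) above: it finds .htm/.html files that refer to README.EML, strips a script block appended at the end of the page, and lists pages that mention the name anywhere else for manual review rather than editing them. The sample pages and the script block in them are constructed test data, not the worm's real appended code, and the file layout is an assumed throwaway directory.

```python
# Added example, not from the presentation: clean HTML pages that refer to
# README.EML by removing a <script> block appended at the end of the page.
# The sample pages below are constructed test data, not the worm's own code.
import re
import tempfile
from pathlib import Path

MARKER = re.compile(rb"readme\.eml", re.IGNORECASE)
# A trailing <script>...</script> that mentions README.EML, then only whitespace.
TRAILING_SCRIPT = re.compile(
    rb"<script\b[^>]*>(?:(?!</script>).)*readme\.eml(?:(?!</script>).)*</script>\s*$",
    re.IGNORECASE | re.DOTALL,
)

def strip_appended_script(html: bytes):
    """Return (cleaned_html, changed); only a script block at the very end goes."""
    cleaned, count = TRAILING_SCRIPT.subn(b"", html, count=1)
    return cleaned, count == 1

def clean_tree(root: Path) -> dict:
    """Clean every .htm/.html file under root; report what was done."""
    report = {"cleaned": [], "needs_review": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in (".htm", ".html"):
            continue
        data = path.read_bytes()
        if not MARKER.search(data):
            continue
        cleaned, changed = strip_appended_script(data)
        if changed and not MARKER.search(cleaned):
            path.write_bytes(cleaned)
            report["cleaned"].append(path.name)
        else:  # mentioned elsewhere in the page: leave it for a human to inspect
            report["needs_review"].append(path.name)
    return report

# Constructed test pages: one with an appended script, one that merely mentions the name.
INFECTED_PAGE = (b"<html><body><p>Welcome</p></body></html>\n"
                 b"<script>/* constructed stand-in */ var f = 'README.EML';</script>\n")
MENTION_PAGE = b"<html><body><p>Do not open README.EML</p></body></html>\n"

def demo() -> tuple:
    """Run clean_tree on a throwaway copy of the constructed pages."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_bytes(INFECTED_PAGE)
        (root / "faq.htm").write_bytes(MENTION_PAGE)
        report = clean_tree(root)
        return report, (root / "index.html").read_bytes()
```

Running `demo()` cleans index.html and reports faq.htm for review; restore pages from a clean backup where one exists rather than trusting edited copies.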

Important sites to visit
  • For an updated website of virus information,
    check out the Federal Computer Incident Response
    Capability's (FedCIRC's)
  • http// database.
  • The http// provides a list of
    viruses that are currently loose "in the wild,"
    or active and infecting systems at the current

  • The ICSA site is a listing of viruses known to be
    circulating and currently infecting computer
  • http//
  • Network Associates Incorporated (a.k.a. McAfee)
    hosts a wide variety of virus information. Click
    on this link to access NAI's virus data.
  • http//

  • Symantec Corporation also maintains a
    comprehensive database of computer virus
    characteristics and effects. Click on this link
    to access Symantec.
  • http//
  • Computer Associates provides this personal
    edition of their "InoculateIt" antivirus tool.
    This version also detects distributed denial of
    service (DDoS) daemons residing on your desktop. (Runs
    under WIN95, WIN98 and WINNT with service pack 3
    and above)
  • http//

  • Aladdin: complete list of computer viruses
  • http//
  • F-Secure Security Information Center is another
    resource for virus information.
  • http//