Viruses and Worms

1
Viruses and Worms

• By Olga Bibas

2
Malicious Programs are perhaps the most
sophisticated threats to computer systems. These
threats can be divided into two categories

• Those that need a host program- these are
  fragments of programs that cannot exist
  independently of some actual application program,
  utility or system program.
• Those that are independent- are self-contained
  programs that can be scheduled and run by the
  operating system.

3
The Figure below shows these differences
4
Trapdoors

• Also called a backdoors. An undocumented way of
  gaining access to a program, online service or an
  entire computer system without going through the
  usual security access procedures. The trapdoor is
  written by the programmer who creates the code
  for the program. It is often only known by the
  programmer. A trapdoor is a potential security
  risk.

5
Logic Bomb

• Malicious code embedded in some legitimate
  program that is set to explode when certain
  conditions are met. Examples of conditions that
  can be used as triggers for a logic bomb are the
  presence or absence of certain files, a
  particular day of the week or date, or a
  particular user running the application.

6
Trojan Horses

• A useful program containing hidden code that,
  when invoked, performs some unwanted or harmful
  function. Unlike a virus, Trojan horses do not
  replicate themselves but they can be just as
  destructive. One of the most insidious types of
  Trojan horse is a program that claims to rid your
  computer of viruses but instead introduces
  viruses onto your computer.

7
Virus

• A program or piece of code that is loaded onto
  your computer without your knowledge and runs
  against your wishes. It can infect other programs
  by modifying them the modification includes a
  copy of the virus program, which can then go on
  to infect other programs. All computer viruses
  are manmade. A simple virus that can make a copy
  of itself over and over again is relatively easy
  to produce.

8

• A computer virus carries in its instructional
  code the recipe for making perfect copies of
  itself. Lodged in a host computer, the typical
  virus takes temporary control of the computers
  disk operating system. Then, whenever the
  infected computer comes into contact with an
  uninfected piece of software, a fresh copy of the
  virus passes into the new program.

9

• Since 1987, when a virus infected ARPANET, many
  antivirus programs have become available. These
  programs periodically check your computer system
  for the best-known types of viruses.

10
Bacteria

• Are programs that do not explicitly damage any
  files. Their sole purpose is to replicate
  themselves. Bacteria reproduce exponentially,
  eventually taking up all the processor capacity,
  memory, or disk space, denying users access to
  those resources.

11
Worms

•  
• A program or algorithm that replicates itself
  over a computer network and usually performs
  malicious actions, such as using up the
  computer's resources and possibly shutting the
  system down. The worm cannot attach itself to
  other programs.

12
To replicate itself, a network worm uses some
sort of network vehicle.Some examples are 

•   - Electronic mail facility A worm mails a
  copy of itself to other systems.
•     -Remote execution capability A worm
  executes a copy of itself on another system.
• -Remote login capability A worm logs onto a
  remote system as a user and then uses commands to
  copy itself from one system to the other.

13
The Nature of Viruses

•  
• A virus can do anything that other programs do.
  The only difference is that it attaches itself to
  another program and executes secretly when the
  host program is run. Once a virus is executing,
  it can perform any function, such as erasing
  files and programs.

14
A typical virus goes through the following
stages

• - Dormant phase
•     -  Propagation phase
• -  Triggering phase
• - Execution phase

15
Dormant phase

•  The virus is idle. The virus will eventually be
  activated by some event, such as the date, the
  presence of another program or file, or the
  capacity of the disk exceeding some limit. Not
  all viruses have this stage

16
Propagation phase

• The virus places an identical copy of itself into
  other programs or into certain system areas on
  the disk. Each infected program will now contain
  a clone of the virus, which will itself enter a
  propagation phase.

17
Triggering phase

• The virus is activated to perform the
  function for which it was intended. This phase
  can be caused by a variety of system events,
  including a count of the number of times that
  this copy of the virus has made copies of itself.

18
  Execution phase  

•      
• The function is performed. The function may
  be harmless, such as a message on the screen, or
  damaging, such as the destruction of programs and
  data files.

19
Virus Structure

•  
• The key to the operation of the virus is that
  when the infected program, when invoked, will
  first execute the virus code and then execute the
  original code of the program.

20
Initial infection

•  
• Most viral infection initiate with a disk from
  which programs are copied onto a machine. Many of
  these disks are games or any information that
  employees bring from their home computers and put
  it on an office machine. Only a small fraction of
  infections starts across a network connections.

21

• Once a virus has gained entry to a system by
  infecting a program, it is in a position to
  infect some or all other executable files on that
  system when the infected program executes. Viral
  infections can be prevented by not letting the
  virus gain entry in the first place. Prevention
  might be quiet difficult because a virus can be
  part of any program outside the system.

22
Types of Viruses

•       - Parasitic virus It attaches itself to
  executable files and replicates, when the
  infected program is executed, by finding other
  executable files to infect.
• - Memory-resident virus Lodges in main memory
  as part of a resident system program. From that
  point on, the virus infects every program that
  executes.

23

• - Boot sector virus Infects a master boot
  record or boot record and spreads when a system
  is booted from the disk containing the virus.
•   - Stealth virus A form of virus
  explicitly designed to hide itself from detection
  by antivirus software.
• -     - Polymorphic virus A virus that mutates
  with every infection, making detection by the
  signature of the virus impossible.
•  

24
Macro Viruses

• These viruses are threatening
•  
• Virtually all macro viruses infect Microsoft Word
  documents. Any hardware platform and operating
  system that supports Word can be infected.
• Macro viruses infect documents not executable
  portions of code. Most of the information
  introduced into a computer is in the form of
  documents.
• Macro viruses are easily spread. Example
  electronic mail.

25

• Macro viruses take advantage of a feature
  found in office application, such as Microsoft
  Excel or Microsoft Word. This feature is the
  macro.
•  
• A macro spreads as follows. A command macro is
  attached to a word document that is introduced
  into a system by e-mail or disk transfer. At some
  point when the document is opened. The macro
  executes. The macro copies itself to the global
  macro file. When the next session of Word opens,
  the infected global macro is active. When this
  macro executes, it can replicate itself and cause
  damage.
•  

26
Macro Virus Protection tool

• Microsoft offers an optional Macro Virus
  Protection tool that detects suspicious word
  files and alerts the customer to the potential
  risk of opening a file with macros. Antivirus
  vendors have also developed tools to detect and
  correct macro viruses.
•  

27
Antivirus

• The idle solution to the threat of viruses is
  to not allow them to get into the system in the
  first place. This is impossible to achieve,
  although prevention can reduce the number of
  successful viral attacks.  

28
Advanced Antivirus Techniques 

• Two of the most important sophisticated
  antivirus approaches are
•  
• -Generic Decryption
• -Digital Immune System
•  

29
Generic Decryption

• This technology enables the antivirus program
  to detect easily even the most complex
  polymorphic viruses while maintaining fast
  scanning speeds. When a file containing a
  polymorphic virus is executed, the virus must
  decrypt itself to activate. In order to detect
  such a structure, executable files are run
  through a Generic Decryption scanner .
•  

30
Digital Immune System

• The objective of this system is to provide
  rapid response time so that viruses can be
  stamped out almost as soon as they are
  introduced. When a virus enters an organization,
  the immune system automatically captures it,
  analyzes it, adds detection and shielding for it,
  removes it, and passes information about the
  virus to systems running IBM AntiVirus so that it
  can be detected before it is allowed to run
  elsewhere.

31

• NIST recommends using a two-tiered approach for
  detecting and preventing viruses from spreading
• On personal computers, install and use anti-virus
  software capable of scanning disks, attachments
  to email, files downloaded from the web, and
  documents generated by word processing and
  spreadsheet programs.
• Use anti-virus software at Internet gateways or
  firewalls to scan email attachments and other
  downloaded files.

32
W32.Nimda.A_at_mm

• Discovered on September 18, 2001
•  
• W32.Nimda.A_at_mm is a new mass-mailing worm that
  utilizes email to propagate itself. The threat
  arrives as readme.exe in an email. It is a virus
  infecting both local files and files on remote
  network shares.
• Type Worm

33

• If affects Windows 95, Windows 98, Windows Me,
  Windows NT 4 and Windows 2000 users.
• Nimda is the first worm to modify existing web
  sites to start offering infected files for
  download. Also it is the first worm to use normal
  end user machines to scan for vulnerable web
  sites.

34
LIFECYCLE

• File infection
• Nimda locates EXE files from the local machine
  and infects them by putting the file inside its
  body as a resource, thus 'assimilating' that
  file.These files then spread the infection when
  people exchange programs such as games.

35

• 2) Mass mailer
• Nimda locates e-mail addresses via MAPI from
  your e-mail client as well as searching local
  HTML files for additional addresses. Then it
  sends one e-mail to each address. These mails
  contain an attachment called README.EXE, which
  might be executed automatically on some systems.

36

• 3) Web worm
• Nimda starts to scan the internet, trying to
  locate www servers. Once a web server is found,
  the worm tries to infect it by using several
  known security holes. If this succeeds, the worm
  will modify random web pages on the site. End
  result of this modification is that web surfers
  browsing the site will get automatically infected
  by the worm.

37

• 4) LAN propagation
• The worm will search for file shares in the
  local network, either from file servers or from
  end user machines. When other users try to open
  these files from these directories, Word, WordPad
  or Outlook will execute RICHED20.DLL causing an
  infection of the PC. The worm will also infect
  remote files if it was started on a server.

38
E-Mail spreading

• The worm searches trough all the '.htm' and
  '.html' file in the Temporary Internet Files
  folder for e-mail addresses. It reads trough
  user's inbox and collects the sender addresses.
  When the address list is ready it uses it's own
  SMTP engine to send the infected messages.

39
IIS spreading

• The worm uses backdoors on IIS servers such as
  the one Code Red II installs. It scans random IP
  addresses for these backdoors. When a host is
  found to have one the worm instructs the machine
  to download the worm code (Admin.dll) from the
  host used for scanning. After this it executes
  the worm on the target machine this way infecting
  it.

40
DISINFECTION INSTRUCTIONS

• F-Secure Anti-Virus with the latest updates can
  detect and disinfect Nimda infections. But full
  disinfection of the worm will require some
  additional manual actions.
• The F-NIMDA tool was developed to automate these
  actions. Download them from F-NIMDA from
• ftp//ftp.f-secure.com/anti-virus/tools/fsnimda1.e
  xe  

41
ABOUT INFECTED WEB SITES

• A web site can get infected in two ways
• 1) Infected htmls are copied to the secure site.
  If there are infected computers in your
  organization, their local html files get
  infected. Users might then later copy or upload
  such infected pages to your www server.
  Alternatively, if your www files are accessible
  via file sharing the worm might infect them
  directly from a workstation. To clean your site,
  locate all html pages which refer to "README.EML"
  and remove the extra JavaScript code from the end
  of the pages.

42

• 2) Direct web worm infection. If your web site is
  running an unsafe version of IIS, the worm can
  infect your site by accessing it through http.
  After this it will restart spreading from your
  server. In this case, it is not enough to just
  clean the virus - your web server is unsafe and
  has been so for a while. It's likely there have
  been previous illegimate accesses to your site as
  well and it should be considered compromised. We
  recommend rebuilding the web server and applying
  latest patches before restoring clean copies of
  the html pages.

43
Important sites to visit

• -For an updated website of virus information,
  check out the Federal Computer Incident Response
  Capability (FedCIRC's)
• http//www.fedcirc.gov/virus database.
• -The http//www.wildlist.org/ provides a list of
  viruses that are currently loose "in the wild,"
  or active and infecting systems at the current
  moment.

44

• -The ICSA is a listing of viruses known to be
  circulating and currently infecting computer
  systems.
• http//www.icsa.net/html/communities/antivirus/al
  erts/
• -Network Associates Incorporated (A.K.A. McAfee)
   hosts a wide variety of virus information. Click
  on this link to access NAI's virus data.
• http//vil.nai.com/villib/alpha.asp

45

• -Symantec Corporation also maintains a
  comprehensive database of computer virus
  characteristics and affects. Click on this link
  to access Symantec.
• http//www.symantec.com/avcenter/data/ai.html
• -Computer Associates provides this personal
  edition of their "InoculateIt" antivirus tool.
  This version also detects denial of service
  (DDoS) daemons residing on your desktop. (Runs
  under WIN95, WIN 98 and WINNT with service pack 3
  and above)
• http//antivirus.cai.com/

46

• -Aladdin Complete list of computer virus
  characteristics.
• http//www.esafe.com/
•  
• -F-Secure Security Information Center is another
  resource for virus information.
• http//www.f-secure.com/virus-info/