Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Viruses, Trojans and Worms ● Malware definitions ● Malware payloads in general ● Network worms ● Virus propagation methods ● Virus detection avoidance.

Published byOliver Bennett Modified over 7 years ago

Similar presentations

Presentation on theme: "Computer Viruses, Trojans and Worms ● Malware definitions ● Malware payloads in general ● Network worms ● Virus propagation methods ● Virus detection avoidance."— Presentation transcript:

1 Computer Viruses, Trojans and Worms ● Malware definitions ● Malware payloads in general ● Network worms ● Virus propagation methods ● Virus detection avoidance approaches ● Platform vulnerabilty and virus resistance ● Malware detection and removal ● Other countermeasures ● Can a virus ever be good ? ● Further Reading

2 Malware definitions: virus Malware can be classified based on whether and how it replicates and spreads. A computer virus is a program which runs when a program it attaches itself to is run. When the virus code is run, it will (sometimes or always) try to find another program to infect. When the virus copies or attaches itself to another program in such a manner that when the other program is run, the virus code is also run, the other program is considered to be infected.

3 Malware definitions: worm A network worm is a kind of virus which propagates using computer networks. These might directly exploit a vulnerability in software running on computers which have network connections to cause themselves to be installed and to run on the vulnerable computer. Alternatively end users may be tricked into running the worm program when they receive it via a network, e.g. by double clicking on an executable file attached to email.

4 Malware definitions: trojan A trojan is a program which a user or administrator installs on a computer because they are misled into thinking it only performs wanted functionality, when in addition this program contains hidden functionality which the user does not want. The term "trojan" might also apply to "adware" or "spyware" software which is installed from a remote website as part of the normal functioning of a poorly designed web browser without the end user's consent or knowledge.

5 Malware payloads in general 1 Regardless of how malware propagates, it can be programmed to do anything which the security context the platform it infects allows it to do. Some examples: Keylogging. This privacy invasion requires low level access to the keyboard device driver and the ability to send information back to base. Timebomb. This causes actions to occur when the system clock reaches a programmed date and time.

6 Malware payloads in general 2 Logicbomb. If files with particular content are found or other events detected, a destructive action might be programmed e.g. formatting a disk or other storage device. Prank. A virus might be programmed to display messages or cause other effects its author thinks are amusing. Even a virus programmed just to replicate can take up memory and cause a system to slow or crash.

7 Network worms A worm might open network connections and infect a vulnerable target computer directly, as with the Morris worm, which infected an estimated 6,000 of the 60,000 Internet hosts in Nov 1988. Other worms spread, as with a virus, via the use of a host file, which needs to be transferred as part of the Network worm. More recent worms have include Mydoom and Storm which were used to install large botnets used for distributed denial of service (DDOS) and spam attacks.

8 Virus propagation methods 1 Boot sector viruses infect the boot sector of the boot disk of a computer operating system. These became widespread when it was common for computer users accidently to leave a floppy disk in the drive and the computer BIOS was configured to boot from the floppy by default. These viruses would transfer via the hard disk to all writeable floppies inserted into the infected computer. This mechanism was defeated when administrators changed the BIOS settings and became less likely when floppies were less frequently used. This infection vector could return to prominence again if flash USB drives become routinely used by users to carry an operating system together with applications, custom configurations and data between physical machines.

9 Virus propagation methods 2 Non-resident viruses infect application files and are run when the application runs. Typically the virus is prepended to the application source code for an interpreted application, or its executable code for a compiled application. Alternatively the virus code might be appended with a vector to itself added at the start of the program. When the virus part of the code runs it will search for another suitable file to infect. Once the virus code completes it hands control on to the infected host file. A non-resident virus can be trivial to code (see the next slide for an example), but such a 'virus' is extremely unlikely to spread.

10 Virus propagatio n methods 3 This source code for a shell script virus shows how easy it is to create one. This one would not be able to cause harm for various reasons.

11 Virus propagation methods 4 Resident viruses install themselves into memory when they run. Having done this they hand over control to the host application. This kind of virus will be programmed to intercept normal system operations, e.g. opening a file or device, or the use of an interrupt or system call. When the intercepted operation runs, the virus executes and might then find another suitable infection target or run a payload. When the virus has run it will hand control over to the normal function of the intercepted operation.

12 Virus propagation methods 5 Fast infecter viruses are programmed to spread as rapidly as possible to reduce the risk of the virus being wiped out once introduced into the wild. However, a fast infecter is more likely to cause changes of behaviour of the infected system so is more likely to be detected. Slow infecter viruses are designed to find other targets to infect infrequently. By spreading slowly this kind of virus is less likely to be detected.

13 Virus propagation methods 6 Companion viruses do not modify the infection target directly but are stored in a separate file. E.G. if a user inputs the command 'format' a file called format.com will execute before a file called format.exe. Format.com is the virus, which will run format.exe, the host application, passing all its arguments when it has run.

14 Virus propagation methods 7 Macro viruses use the macro programming languages which are embedded within popular applications e.g. Word and Excel. This kind of virus became widespread in the 1990ies. The threat from this kind of virus has probably been reduced following additional prompts when a document containing macros is opened in Word or Excel.

15 Virus propagation methods 8 Cross Site Scripting (XSS) viruses exploit a combination of vulnerabilities present in both web server applications and web browsers. These will typically need to be coded in 2 parts, one part being the server code (e.g. using PHP) which propagates from the infected browser to the vulnerable servers and the other part which runs in the browser (e.g. using Javascript).

16 Virus detection avoidance 1 Virus programmers and antivirus software developers have been engaged in an arms race ever since viruses became widespread and antivirus software was first marketed in the late 1980ies. Since then we have seen: Stealth viruses - viruses which trap interrupts to open a file and cause any application that reads the file containing them to see only the uninfected file.

17 Virus detection avoidance 2 Polymorphic and metamorphic viruses - viruses which modify their code every time they infect another target so they can only be detected using heuristic measures rather than static code signatures. Disabling anti-virus software. If a virus detects the presence of a known anti-virus program on a system it infects, it will modify the anti-virus software to disable components of this, e.g. the part of the antivirus program which can detect if it has been modified itself or if its virus signature file has been changed.

18 Virus detection avoidance 3 Avoidance of bait files. A virus might be programmed to avoid infecting program files considered likely to be bait (e.g. because they are small) as part of an advanced antivirus detection program, to see if a virus is at work. Leaving access times and file sizes unchanged. A virus may be small enough to fit into the end of a sector after a file. E.G. a filesystem may have effective file sizes of multiples of 1024 bytes, which corresponds to the size of a disk sector. A small virus might restrict its infection targets to files which do not need to add another sector to their size. Some program files have gaps in them large enough for a virus to fit inside.

19 Virus detection avoidance 4 Self-encrypting viruses take the metamorphic approach to the extreme of the virus encrypting itself using a variable key. However, enough of the virus will have to be unencrypted for it to be able to decrypt itself when the virus is executed for a heuristic antivirus approach to be feasible.

20 Platform vulnerability to viruses 1 It has been argued that viruses are reported to infect Windows PCs much more frequently than Linux or Macs because more people use Windows. But Windows had many viruses when this system had fewer users in the early 1990ies than now use Macs or Linux. Others claim that the Unix design foundation of both Linux and Mac platforms is inherently more secure. Linux isn't a single platform but has many slightly different distributions. One reason why fewer viruses are reported on Linux could be that virus writers find the differences between different Linux distributions make writing viruses that work on many of these harder. A similar advantage concerning infection resistance is gained by a genetically diverse food crop compared to a monocrop of a cloned plant.

21 Platform vulnerability to viruses 2 Other points of interest in this debate concern the levels of security knowledge of typical users of various platforms and the ease with which end users can install applications independently of the means provided by the platform developers to verify application compatibility and integrity. Different defaults are provided in connection with privileged actions carried out by end users. It is also likely to be easier for Windows users to install a wider variety of stand-alone PC software than currently comes supported through the package repositories of the the most popular Linux distributions, though Linux might have more server and embedded applications.

22 Malware detection and removal 1 The most popular approach to this requirement is to install an antivirus program and to keep this current. As new viruses are detected on a daily basis the signatures and heuristic methods need to be kept updated on a very regular basis. For this reason, modern antivirus programs generally include facilities automatically to update themselves using a network connection whenever new virus signatures and heuristics become available.

23 Malware detection and removal 2 Platforms which are not themselves thought to be vulnerable to viruses but which are used to distribute content potentially including viruses, e.g. via email between Windows users, must also scan for viruses to avoid becoming part of this problem. But the number of known virus signatures continues to increase. So even using the Clam-av antivirus package which is open source and freely installable, growing memory demands are making this job increasingly expensive. The next slide shows how many virus signatures exist and how much memory these occupy as of November 2008.

24 Malware detection and removal 3 Number of virus signatures: 437972 freshclam daemon 0.94 (OS: linux-gnu, ARCH: i386, CPU: i486) ClamAV update process started at Fri Nov 7 18:24:28 2008 main.cld is up to date (version: 49, sigs: 437972, f-level: 35, builder: sven) Demand of anti-virus on memory: 50.9% PID USER PR NI VIRT RES S %CPU %MEM COMMAND 20782 clamav 20 0 126m 72m S 0.0 50.9 clamav-milter

25 Other countermeasures One approach involves stopping a system from running and mounting its hard disk using another operating system, booted using trusted media. Tools can be run on the trusted system to detect suspicious changes to files on the system being scanned. This is considered more reliable than running antivirus software directly on the system which might have been compromised and where the results of the antivirus scan may also have been compromised by an unknown virus. The trusted scanning system might also store a set of hash signatures or checksums of files which the virus might modify and test if any executables or registry tables have been modified.

26 Can a virus ever be good ? In biology, viruses enable potentially beneficial DNA to be transferred between species. This is considered to be a part of the optimisation of the evolutionary process. But it is thought unlikely that anyone could benefit from computer viruses, other than the proceeds of crime which those who write and spread viruses might obtain. The difference between a virus and another kind of program is that an ordinary program will normally have the informed consent of the system owner before it can be installed. While there is a similarity between an operating system which can create a copy of itself on installation media and a virus, the OS that makes it easy for its users to copy it will do this with the users full knowledge and consent. There is no situation in which taking away the end users consent to perform an action is considered likely to be of benefit.

27 Further Reading Wikipedia article on computer viruses: http://en.wikipedia.org/wiki/Computer_virus Fred Cohen's paper on software virus theory dating from 1984: http://all.net/books/virus/index.html Are computer viruses still a good idea ? Vesselin Bontchev's 1992 paper: http://vx.netlux.org/lib/avb02.html The cross site scripting virus. A much more recent threat including proof of concept source code. http://www.bindshell.net/papers/xssv/

Download ppt "Computer Viruses, Trojans and Worms ● Malware definitions ● Malware payloads in general ● Network worms ● Virus propagation methods ● Virus detection avoidance."

Similar presentations

Higher Computing Computer Systems S. McCrossan Higher Grade Computing Studies 8. Supporting Software 1 Software Compatibility Whether you are doing a fresh.

Higher Computing Computer Systems S. McCrossan Higher Grade Computing Studies 8. Supporting Software 1 Software Compatibility Whether you are doing a fresh.
Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
What are computer viruses and its types? Computer Viruses are malicious software programs that damage computer program entering into the computer without.

What are computer viruses and its types? Computer Viruses are malicious software programs that damage computer program entering into the computer without.
 Application software consists of programs designed to make users more productive and/or assist with personal tasks.  Growth of internet simplified.

 Application software consists of programs designed to make users more productive and/or assist with personal tasks.  Growth of internet simplified.
Dr. John P. Abraham Professor UTPA 2 – Systems Threats and Risks.

Dr. John P. Abraham Professor UTPA 2 – Systems Threats and Risks.
Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.

Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.
Computer Viruses.

Computer Viruses.
1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.

Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.
Copyright © 1995-2009 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Computer security virus, hacking and backups. Computer viruses are small software programs that are designed to spread from one computer to another.

Computer security virus, hacking and backups. Computer viruses are small software programs that are designed to spread from one computer to another.
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
Video Following is a video of what can happen if you don’t update your security settings! security.

Video Following is a video of what can happen if you don’t update your security settings! security.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Data Security.

Data Security.
1. 2 What is security? Computer Security deals with the prevention and detection of, and the reaction to, unauthorized actions by users of a computer.

1. 2 What is security? Computer Security deals with the prevention and detection of, and the reaction to, unauthorized actions by users of a computer.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)

Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
The Utility Programs: The system programs which perform the general system support and maintenance tasks are known as utility programs. Tasks performed.

The Utility Programs: The system programs which perform the general system support and maintenance tasks are known as utility programs. Tasks performed.
Virus and Antivirus Team members: - Muzaffar Malik - Kiran Karki.

Virus and Antivirus Team members: - Muzaffar Malik - Kiran Karki.

Similar presentations

Ads by Google