Viruses and Worms By: Olga Bibas

Malicious programs are perhaps the most sophisticated threats to computer systems. These threats can be divided into two categories: those that need a host program, which are fragments of programs that cannot exist independently of some actual application program, utility or system program; and those that are independent, which are self-contained programs that can be scheduled and run by the operating system.

The figure below shows these differences.

Trapdoors Also called a backdoor. An undocumented way of gaining access to a program, online service or an entire computer system without going through the usual security access procedures. The trapdoor is written by the programmer who creates the code for the program, and it is often known only to that programmer. A trapdoor is a potential security risk.

Logic Bomb Malicious code embedded in some legitimate program that is set to “explode” when certain conditions are met. Examples of conditions that can be used as triggers for a logic bomb are the presence or absence of certain files, a particular day of the week or date, or a particular user running the application.

Trojan Horses A useful program containing hidden code that, when invoked, performs some unwanted or harmful function. Unlike a virus, Trojan horses do not replicate themselves but they can be just as destructive. One of the most insidious types of Trojan horse is a program that claims to rid your computer of viruses but instead introduces viruses onto your computer.

Virus A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. It can infect other programs by modifying them; the modification includes a copy of the virus program, which can then go on to infect other programs. All computer viruses are manmade. A simple virus that can make a copy of itself over and over again is relatively easy to produce.

A computer virus carries in its instructional code the recipe for making perfect copies of itself. Lodged in a host computer, the typical virus takes temporary control of the computer’s disk operating system. Then, whenever the infected computer comes into contact with an uninfected piece of software, a fresh copy of the virus passes into the new program.

Since 1987, when a virus infected ARPANET, many antivirus programs have become available. These programs periodically check your computer system for the best-known types of viruses.

Bacteria are programs that do not explicitly damage any files. Their sole purpose is to replicate themselves. Bacteria reproduce exponentially, eventually taking up all the processor capacity, memory, or disk space, denying users access to those resources.

Worms A program or algorithm that replicates itself over a computer network and usually performs malicious actions, such as using up the computer's resources and possibly shutting the system down. The worm cannot attach itself to other programs.

To replicate itself, a network worm uses some sort of network vehicle. Some examples are:
- Electronic mail facility: a worm mails a copy of itself to other systems.
- Remote execution capability: a worm executes a copy of itself on another system.
- Remote login capability: a worm logs onto a remote system as a user and then uses commands to copy itself from one system to the other.

The Nature of Viruses A virus can do anything that other programs do. The only difference is that it attaches itself to another program and executes secretly when the host program is run. Once a virus is executing, it can perform any function, such as erasing files and programs.

A typical virus goes through the following stages:
- Dormant phase
- Propagation phase
- Triggering phase
- Execution phase

Dormant phase The virus is idle. The virus will eventually be activated by some event, such as the date, the presence of another program or file, or the capacity of the disk exceeding some limit. Not all viruses have this stage.

Propagation phase The virus places an identical copy of itself into other programs or into certain system areas on the disk. Each infected program will now contain a clone of the virus, which will itself enter a propagation phase.

Triggering phase The virus is activated to perform the function for which it was intended. This phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself.

Execution phase The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.

Virus Structure The key to the operation of the virus is that the infected program, when invoked, will first execute the virus code and then execute the original code of the program.

Initial infection Most viral infections begin with a disk from which programs are copied onto a machine. Many of these disks carry games or other material that employees bring from their home computers and put on an office machine. Only a small fraction of infections start across a network connection.

Once a virus has gained entry to a system by infecting a program, it is in a position to infect some or all other executable files on that system when the infected program executes. Viral infections can be prevented by not letting the virus gain entry in the first place. Prevention can be quite difficult, because a virus can be part of any program brought in from outside the system.

Types of Viruses
- Parasitic virus: attaches itself to executable files and replicates, when the infected program is executed, by finding other executable files to infect.
- Memory-resident virus: lodges in main memory as part of a resident system program. From that point on, the virus infects every program that executes.
- Boot sector virus: infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.
- Stealth virus: a form of virus explicitly designed to hide itself from detection by antivirus software.
- Polymorphic virus: a virus that mutates with every infection, making detection by the "signature" of the virus impossible.

Macro Viruses These viruses are threatening for three reasons: 1. Virtually all macro viruses infect Microsoft Word documents. Any hardware platform and operating system that supports Word can be infected. 2. Macro viruses infect documents, not executable portions of code. Most of the information introduced into a computer is in the form of documents. 3. Macro viruses are easily spread, for example by electronic mail.

Macro viruses take advantage of a feature found in office applications such as Microsoft Excel or Microsoft Word. This feature is the macro. A macro virus spreads as follows. A command macro is attached to a Word document that is introduced into a system by e-mail or disk transfer. At some point the document is opened and the macro executes. The macro copies itself to the global macro file. When the next session of Word opens, the infected global macro is active. When this macro executes, it can replicate itself and cause damage.

Macro Virus Protection tool Microsoft offers an optional Macro Virus Protection tool that detects suspicious Word files and alerts the customer to the potential risk of opening a file with macros. Antivirus vendors have also developed tools to detect and correct macro viruses.

Antivirus The ideal solution to the threat of viruses is to not allow them to get into the system in the first place. This is impossible to achieve completely, although prevention can reduce the number of successful viral attacks.

Advanced Antivirus Techniques Two of the most important sophisticated antivirus approaches are:
- Generic Decryption
- Digital Immune System

Generic Decryption This technology enables the antivirus program to detect easily even the most complex polymorphic viruses while maintaining fast scanning speeds. When a file containing a polymorphic virus is executed, the virus must decrypt itself to activate. In order to detect such a structure, executable files are run through a Generic Decryption scanner.
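To make the generic decryption idea concrete, here is an added illustration that is not part of the slides or of any vendor's engine. It assumes a constructed file layout (a `POLY` magic, a one-byte XOR key, then the encrypted body) standing in for a real polymorphic decryptor; a real engine emulates the file's own machine code instead. The point it shows is that the same body under two different keys produces different bytes on disk, so a raw signature scan misses it, while scanning the emulated-decryption result recovers the signature.

```python
"""Toy 'generic decryption' scanner (added illustration, not from the slides).

A polymorphic virus ships its real body encrypted behind a small decryptor.
A plain signature scan of the file bytes sees only ciphertext; generic
decryption runs the decryptor in a scratch buffer and scans the result.
The file format, decryptor and signature below are constructed for the demo.
"""
from typing import List, Optional

# Constructed layout (assumption): 4-byte magic, 1-byte XOR key, encrypted body.
MAGIC = b"POLY"

# Constructed signature database: name -> byte pattern of the decrypted body.
SIGNATURES = {
    "Demo.Payload.A": b"ERASE ALL FILES",
}


def signature_scan(data: bytes) -> List[str]:
    """Plain signature scan over the raw bytes as they appear on disk."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def emulate_decryptor(data: bytes, max_steps: int = 65536) -> Optional[bytes]:
    """Run the constructed decryptor loop in a scratch buffer.

    Returns the decrypted body, or None when the file carries no decryptor
    stub. The step bound mirrors how a real engine limits emulation time.
    """
    if not data.startswith(MAGIC) or len(data) < len(MAGIC) + 1:
        return None
    key = data[len(MAGIC)]
    body = bytearray(data[len(MAGIC) + 1:])
    for i in range(min(len(body), max_steps)):
        body[i] ^= key
    return bytes(body)


def generic_decryption_scan(data: bytes) -> List[str]:
    """Signature scan of the raw file, then of the emulated-decryption result."""
    hits = signature_scan(data)
    decrypted = emulate_decryptor(data)
    if decrypted is not None:
        hits += [h for h in signature_scan(decrypted) if h not in hits]
    return hits


def make_sample(key: int) -> bytes:
    """Build a constructed 'infected' file for the demo.

    The same body under a different key yields different bytes on disk,
    which is exactly what defeats raw signature matching.
    """
    body = b"hello world " + SIGNATURES["Demo.Payload.A"] + b" goodbye"
    return MAGIC + bytes([key]) + bytes(b ^ key for b in body)


if __name__ == "__main__":
    sample = make_sample(0x5A)
    print("raw scan:    ", signature_scan(sample))            # []
    print("generic scan:", generic_decryption_scan(sample))   # ['Demo.Payload.A']
```

The scanner never executes the suspect file; it only transforms a copy of the bytes in memory, which is why the approach keeps scanning fast and safe.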

Digital Immune System The objective of this system is to provide rapid response time so that viruses can be stamped out almost as soon as they are introduced. When a virus enters an organization, the immune system automatically captures it, analyzes it, adds detection and shielding for it, removes it, and passes information about the virus to systems running IBM AntiVirus so that it can be detected before it is allowed to run elsewhere.

NIST recommends using a two-tiered approach for detecting and preventing viruses from spreading: on personal computers, install and use anti-virus software capable of scanning disks, e-mail attachments, files downloaded from the web, and documents generated by word processing and spreadsheet programs; and use anti-virus software at Internet gateways or firewalls to scan e-mail attachments and other downloaded files.

Nimda Type: Worm. Discovered on: September 18, 2001. Nimda is a mass-mailing worm that uses e-mail to propagate itself. The threat arrives as readme.exe in an e-mail. It is a virus infecting both local files and files on remote network shares.

It affects Windows 95, Windows 98, Windows Me, Windows NT 4 and Windows 2000 users. Nimda is the first worm to modify existing web sites to start offering infected files for download. It is also the first worm to use normal end-user machines to scan for vulnerable web sites.

LIFECYCLE 1) File infection Nimda locates EXE files on the local machine and infects them by putting the file inside its body as a resource, thus 'assimilating' that file. These files then spread the infection when people exchange programs such as games.

2) Mass mailer Nimda locates e-mail addresses via MAPI from your e-mail client as well as by searching local HTML files for additional addresses. Then it sends one e-mail to each address. These mails contain an attachment called README.EXE, which might be executed automatically on some systems.

3) Web worm Nimda starts to scan the Internet, trying to locate web servers. Once a web server is found, the worm tries to infect it by using several known security holes. If this succeeds, the worm will modify random web pages on the site. The end result of this modification is that web surfers browsing the site get automatically infected by the worm.

4) LAN propagation The worm will search for file shares in the local network, either from file servers or from end user machines. When other users try to open these files from these directories, Word, WordPad or Outlook will execute RICHED20.DLL causing an infection of the PC. The worm will also infect remote files if it was started on a server.

E-mail spreading: The worm searches through all the '.htm' and '.html' files in the Temporary Internet Files folder for e-mail addresses. It reads through the user's inbox and collects the sender addresses. When the address list is ready it uses its own SMTP engine to send the infected messages.
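The gateway tier of the NIST recommendation above is the natural place to stop the mass-mailer stage described here. The following is an added example, not part of the slides or of any vendor's product, of a minimal gateway-side attachment check: it parses a message with Python's standard `email` package and flags attachments by the names given in the Nimda description (README.EXE, README.EML, Admin.dll), by executable extension, and by a declared content type that does not fit an executable name (a mismatch is what lets some clients run an attachment without asking). The extension list, the media-type policy and both sample messages are constructed for the demo.

```python
"""Gateway-side e-mail attachment check (added illustration, not from the slides).

Flags attachments a mass mailer such as the one described above would carry.
The policy tables and the sample messages are constructed for the demo.
"""
from email import message_from_bytes
from typing import List

# Assumption: a minimal gateway policy of extensions Windows runs directly.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs", ".eml"}
# Attachment names taken from the Nimda description on this page.
KNOWN_BAD_NAMES = {"readme.exe", "readme.eml", "admin.dll"}
# Media types that should never carry an executable file name.
PASSIVE_MEDIA_TYPES = {"audio", "image", "video", "text"}


def attachment_findings(raw: bytes) -> List[str]:
    """Return a list of human-readable findings for every suspicious attachment."""
    msg = message_from_bytes(raw)
    findings: List[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue  # inline body text, not an attachment
        lower = name.lower()
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        ctype = part.get_content_type()
        if lower in KNOWN_BAD_NAMES:
            findings.append(f"known worm attachment name: {name}")
        elif ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable attachment: {name}")
        # Executable name declared as a passive media type: a classic trick
        # to make a mail client open the attachment automatically.
        if ext in EXECUTABLE_EXTENSIONS and ctype.split("/")[0] in PASSIVE_MEDIA_TYPES:
            findings.append(f"declared as {ctype} but named {name}")
    return findings


def should_quarantine(raw: bytes) -> bool:
    """Gateway decision: hold the message if anything was flagged."""
    return bool(attachment_findings(raw))


# Constructed message resembling the mass-mailer stage (not a real capture).
SAMPLE_WORM_MAIL = b"""From: someone@example.invalid
To: victim@example.invalid
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html>(empty body)</html>
--b1
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.exe"

TVo=
--b1--
"""

# Constructed benign message with a plain-text attachment.
SAMPLE_CLEAN_MAIL = b"""From: colleague@example.invalid
To: victim@example.invalid
Subject: notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

See attached.
--b2
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just notes
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM_MAIL), ("clean", SAMPLE_CLEAN_MAIL)):
        print(label, should_quarantine(raw), attachment_findings(raw))
```

A real gateway would pair this name-and-type check with a signature scan of the decoded attachment bytes; the name check alone is cheap and catches the mass-mailer pattern, but it is not a substitute for scanning.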

IIS spreading: The worm uses backdoors on IIS servers such as the one Code Red II installs. It scans random IP addresses for these backdoors. When a host is found to have one, the worm instructs the machine to download the worm code (Admin.dll) from the host used for scanning. After this it executes the worm on the target machine, thereby infecting it.
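The scanning stage leaves a recognisable trail in the web server's own logs: one source address issuing many requests for a command shell or a path outside the web root. The following is an added example, not part of the slides or of any vendor's tool, that parses constructed IIS-style log lines and reports both the individual probe requests and any source that crosses a scanning threshold. The log format, the indicator patterns (a `cmd.exe` reference, a directory-traversal sequence, or the `Admin.dll` name from the description above) and the threshold are assumptions made for the demo; the addresses are documentation-range values, not real hosts.

```python
"""Web-log detector for worm probe traffic (added illustration, not from the slides).

Log format (assumption): date time client-ip method uri query status,
space separated, as a simplified W3C-style IIS log. Sample lines are constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed indicator set: a starting point, not a complete rule base.
PROBE_PATTERNS = [
    re.compile(r"cmd\.exe", re.IGNORECASE),              # command shell reached via the web server
    re.compile(r"\.\.(?:%5c|%2f|/|\\)", re.IGNORECASE),  # traversal out of the web root
    re.compile(r"admin\.dll", re.IGNORECASE),            # worm body name given on this page
]

LOG_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<uri>\S+) (?P<query>\S+) (?P<status>\d+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields; None for lines that do not fit the format."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def is_probe(uri: str, query: str) -> bool:
    """True when the request matches any constructed probe indicator."""
    target = uri + " " + query
    return any(p.search(target) for p in PROBE_PATTERNS)


def analyze(lines: List[str], threshold: int = 3) -> Dict[str, object]:
    """Return the probe requests and the sources that look like scanners.

    A source is reported as a scanner once it has sent `threshold` or more
    probe requests, which is the behaviour of a worm sweeping random addresses.
    """
    probes: List[Tuple[str, str]] = []
    per_source: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_probe(rec["uri"], rec["query"]):
            probes.append((rec["ip"], rec["uri"]))
            per_source[rec["ip"]] += 1
    scanners = sorted(ip for ip, n in per_source.items() if n >= threshold)
    return {"probes": probes, "scanners": scanners}


# Constructed sample log (documentation-range addresses, not a real capture).
SAMPLE_LOG = """\
2001-09-18 10:00:01 192.0.2.50 GET /index.html - 200
2001-09-18 10:00:02 192.0.2.10 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 10:00:02 192.0.2.10 GET /msadc/..%255c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 10:00:03 192.0.2.10 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404
2001-09-18 10:00:03 192.0.2.10 GET /scripts/cmd.exe /c+copy+Admin.dll 404
2001-09-18 10:00:05 192.0.2.11 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 10:00:06 192.0.2.51 GET /products/readme.html - 200
"""

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    print("probe requests:", len(report["probes"]))  # 5
    print("scanning sources:", report["scanners"])   # ['192.0.2.10']
```

Note that the double-encoded traversal on the third sample line is caught only by the `cmd.exe` pattern; a production rule set decodes the URI before matching, since worms and scanners vary the encoding precisely to slip past naive patterns.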

DISINFECTION INSTRUCTIONS F-Secure Anti-Virus with the latest updates can detect and disinfect Nimda infections. But full disinfection of the worm will require some additional manual actions. The F-NIMDA tool was developed to automate these actions. Download F-NIMDA from ftp://ftp.f-secure.com/anti-virus/tools/fsnimda1.exe

ABOUT INFECTED WEB SITES A web site can get infected in two ways: 1) Infected HTML files are copied to the site. If there are infected computers in your organization, their local HTML files get infected. Users might then later copy or upload such infected pages to your web server. Alternatively, if your web files are accessible via file sharing, the worm might infect them directly from a workstation. To clean your site, locate all HTML pages which refer to "README.EML" and remove the extra JavaScript code from the end of the pages.

2) Direct web worm infection. If your web site is running an unsafe version of IIS, the worm can infect your site by accessing it through HTTP. After this it will restart spreading from your server. In this case, it is not enough to just clean the virus: your web server is unsafe and has been so for a while. It is likely there have been previous illegitimate accesses to your site as well, and it should be considered compromised. We recommend rebuilding the web server and applying the latest patches before restoring clean copies of the HTML pages.
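The first cleanup step above, finding every page that refers to README.EML and stripping the appended script, is mechanical enough to script. The following is an added example, not the F-NIMDA tool and not from the slides, that does exactly that over a web root. It assumes the infected page is an ordinary HTML file with an extra `<script>` element referencing readme.eml appended at the very end (optionally wrapped in its own `<html>` tags); the sample page is constructed. Anchoring the match to the end of the file keeps a page that merely mentions the name in its text from being altered.

```python
"""Cleanup helper for web pages modified by the worm described above.

Added illustration, not F-Secure's F-NIMDA tool. Assumption: an infected page
is a normal HTML file with an extra <script> block that references README.EML
appended at the end. The sample page below is constructed.
"""
import re
from pathlib import Path
from typing import List, Tuple

# A <script> element whose body mentions readme.eml (any case), plus any
# <html>...</html> wrapper around it, only at the very end of the file.
APPENDED_SCRIPT = re.compile(
    r"(?:<html>\s*)?<script\b[^>]*>[^<]*readme\.eml[^<]*</script>(?:\s*</html>)?\s*$",
    re.IGNORECASE,
)


def is_infected(html: str) -> bool:
    """True when the page ends with the appended worm script."""
    return APPENDED_SCRIPT.search(html) is not None


def clean_page(html: str) -> Tuple[str, bool]:
    """Return (cleaned_html, was_modified); the legitimate content is untouched."""
    cleaned, count = APPENDED_SCRIPT.subn("", html)
    return cleaned, count > 0


def clean_tree(root: Path, suffixes: Tuple[str, ...] = (".htm", ".html")) -> List[Path]:
    """Walk a web root, clean every infected page in place, return the paths cleaned."""
    cleaned_paths: List[Path] = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            new_text, changed = clean_page(text)
            if changed:
                path.write_text(new_text, encoding="utf-8")
                cleaned_paths.append(path)
    return cleaned_paths


# Constructed sample: a legitimate page followed by an appended script block.
INFECTED_SAMPLE = (
    "<html><body><h1>Welcome</h1><p>Site content.</p></body></html>\n"
    '<html><script language="JavaScript">window.open("readme.eml")</script></html>'
)

if __name__ == "__main__":
    page, changed = clean_page(INFECTED_SAMPLE)
    print("modified:", changed)   # True
    print(page)
```

As the text above stresses, this only removes the symptom on the pages; a server that was infected directly through IIS still has to be rebuilt and patched before the cleaned pages go back.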

Important sites to visit -For an updated website of virus information, check out the Federal Computer Incident Response Capability (FedCIRC) database. -The provides a list of viruses that are currently loose "in the wild," or active and infecting systems at the current moment.

-The ICSA is a listing of viruses known to be circulating and currently infecting computer systems. antivirus/alerts/ -Network Associates Incorporated (A.K.A. McAfee) hosts a wide variety of virus information. Click on this link to access NAI's virus data.

-Symantec Corporation also maintains a comprehensive database of computer virus characteristics and effects. Click on this link to access Symantec. a/ai.html -Computer Associates provides this personal edition of their "InoculateIt" antivirus tool. This version also detects distributed denial of service (DDoS) daemons residing on your desktop. (Runs under WIN95, WIN 98 and WINNT with service pack 3 and above)

-Aladdin Complete list of computer virus characteristics. -F-Secure Security Information Center is another resource for virus information.