Cyber Security Document: Viruses and Worms


DOCUMENT INFORMATION

Basic information
Pages: 47
Size: 5.06 MB

Content

Viruses and Worms Module (ATHENA)

Objectives
• Introduction to Viruses
• Stages of a Virus
• Working of a Virus
• Virus Analysis
• Types of Viruses
• Computer Worms

Introduction to Viruses
• A virus is a self-replicating program that propagates its own code by attaching copies of itself to other executable code.
• Some viruses affect computers as soon as their code is executed; others lie dormant until a pre-determined logical condition is met.

Stages of a Virus
1. Design: developing the virus code using programming languages or construction kits.
2. Replication: the virus replicates for a period of time within the target system and then spreads itself.
3. Launch: the virus is activated when the user performs a certain action, such as running an infected program.
4. Detection: the virus is identified as a threat infecting target systems.
5. Incorporation: anti-virus software developers assimilate defenses against the virus.
6. Elimination: users install anti-virus updates and eliminate the virus threat.

Working of Viruses: Infection Phase
• In the infection phase, the virus replicates itself and attaches to an .exe file in the system.
• Some viruses infect each time they are run and executed completely; others infect only when a user triggers them, which can be a day, a time, or a particular event.
[Figure: a clean .exe file becoming an infected .exe file]

Working of Viruses: Attack Phase
• Some viruses have a trigger event to activate and corrupt systems.
• Some viruses have bugs that replicate and perform activities such as file deletion and increasing the session's time.
• Viruses can corrupt their targets only after spreading completely, as intended by their developer.
[Figure: slowdown of a PC due to fragmented files]

Why Do People Create Computer Viruses?
Virus writers can have various reasons for creating and spreading viruses:
• Inflict damage on competitors
• Financial benefit
• Research project
• Play a prank
• Cyber terrorism
• Vandalism
• Distribute a political message

Indications of a Virus Attack
• Abnormal activities: if the system acts in an unprecedented manner, you can suspect a virus attack. For example, processes take more resources and time.
• False positives: however, not all glitches can be attributed to a virus attack.
Typical indications:
• Computer beeps with no display
• Drive label changes
• Computer freezes frequently
• Files and folders are missing
• Hard drive is accessed often
• Browser window freezes

How Does a Computer Get Infected by Viruses?
• Not running the latest anti-virus application
• Not updating and not installing new versions of plug-ins
• Installing pirated software
• Opening infected email attachments
• Accepting and downloading files without properly checking the source

Virus Hoaxes
• Hoaxes are false alarms claiming to report a non-existent virus; the hoax message itself may contain virus attachments.
• Warning messages propagate that a certain email message should not be viewed and that doing so will damage one's system.

Virus Analysis: W32/Sality.AA
• W32/Sality.AA is a virus that also acts as a keylogger and spreads via email by piggy-backing on the W32/Netsky-T worm.
• It infects files with the extensions ".exe" and ".scr" on all drives, excluding those under the Windows folder.
• W32/Sality.AA creates the files \vcmgcd32.dll and \vcmgcd32.dll_.
• The virus logs system information and keystrokes to certain windows and periodically submits them to a remote website.
• W32/Sality.AA deletes all files found on the system with the extensions ".vdb" and ".avc", and files whose names start with "drw" and end with ".key".
• It modifies \system.ini by adding the following section:
  [MCIDRV_VER]
  DEVICE=

Virus Analysis: W32/Total-A
• W32/Total-A is an email-aware virus that arrives as an attachment called Binladen_Brasil.exe. The subject of the email will be related to the conflict in Afghanistan.
• The blank message has a MIME header encoded to exploit vulnerabilities in IE 5.01/5.5 that run an attachment automatically when the email is viewed.
• If the attached file is executed, it drops the library file INVICTUS.DLL into the Windows system directory and the virus itself into the Windows directory, using a random 3-letter name consisting of the upper-case characters 'A' to 'O'.
• The virus may also make a copy of itself in the C:\ directory; these copies of the virus have their file attributes set to hidden and read-only.
• The virus adds its pathname to the "shell=" line in the [Boot] section of \System.ini; this causes the virus to be run automatically each time the machine is restarted.
• The virus makes the C: drive shareable by setting various subkeys of HKLM\Software\Microsoft\Windows\CurrentVersion\Network\Lanman\Binladen.

Virus Analysis: W32/Virut
• Virut is a family of polymorphic memory-resident appending file infectors that have EPO (Entry Point Obscuring) capabilities.
[Figure: infection method (two slides, shown as images; content not captured)]

Virus Analysis: Klez
• It spoofs its email messages so that they appear to have been sent by certain email accounts, including accounts that are not infected.
• Its email messages arrive with randomly selected subjects.
• The Klez virus arrives as an email attachment that automatically runs when viewed or previewed in Microsoft Outlook or Outlook Express.
• It is a memory-resident mass-mailing worm that uses its own SMTP engine to propagate via email.
[Figure: Klez analysis (second slide, shown as image; content not captured)]

Types of Viruses
• System or Boot Sector Virus
• File and Multipartite Virus
• Macro Virus
• Cluster Virus
• Stealth/Tunneling Virus
• Encryption Virus
• Polymorphic Virus
• Metamorphic Virus
• File Overwriting or Cavity Virus
• Sparse Infector Virus
• Companion/Camouflage Virus
• Shell Virus
• File Extension Virus
• Add-on and Intrusive Viruses
• Transient and Terminate-and-Stay-Resident Virus

System or Boot Sector Viruses
• A boot sector virus moves the MBR to another location on the hard disk and copies itself to the original location of the MBR.
• When the system boots, the virus code is executed first and then control is passed to the original MBR.

File and Multipartite Viruses
• File viruses infect files that are executed or interpreted in the system, such as COM, EXE, SYS, OVL, OBJ, MNU, and BAT files.
• A file virus can be either direct-action (non-resident) or memory-resident.
• A multipartite virus attempts to attack both the boot sector and executable or program files at the same time.

Macro Viruses
• Macro viruses infect files created by Microsoft Word or Excel.
• Most macro viruses are written using the macro language Visual Basic for Applications (VBA).
• Macro viruses infect templates or convert infected documents into template files, while maintaining their appearance as ordinary document files.

Cluster Viruses
• A cluster virus modifies directory table entries so that they point to the virus code instead of the actual program.
• There is only one copy of the virus on the disk, infecting all the programs in the computer system.
• The virus launches itself first when any program on the computer system is started, and then control is passed to the actual program.

Stealth/Tunneling Viruses
• These viruses evade anti-virus software by intercepting its requests to the operating system.
• A virus can hide itself by intercepting the anti-virus software's request to read the file and passing the request to the virus instead of the OS.
• The virus can then return an uninfected version of the file to the anti-virus software, so that it appears as if the file is "clean".

Encryption Viruses
• This type of virus uses simple encryption to encipher its code.
• The virus is encrypted with a different key for each infected file.
• AV scanners cannot directly detect these types of viruses using signature detection methods.

Polymorphic Code
• Polymorphic code is code that mutates while keeping the original algorithm intact.
• To enable polymorphic code, the virus has to have a polymorphic engine (also called a mutating engine or mutation engine).
• A well-written polymorphic virus therefore has no parts that stay the same on each infection.

Metamorphic Viruses
• Metamorphic viruses rewrite themselves completely each time they infect a new executable.
• Metamorphic code can reprogram itself by translating its own code into a temporary representation and then back to normal code again.
• For example, W32/Simile consisted of over 14,000 lines of assembly code, 90% of which is part of the metamorphic engine.

File Overwriting or Cavity Viruses
• Cavity viruses overwrite a part of the host file that is filled with a constant (usually nulls), without increasing the length of the file, and preserve its functionality.

Sparse Infector Viruses
• A sparse infector virus infects only occasionally, for example every tenth program, or only files whose lengths fall within a narrow range.
• By infecting less often, such viruses try to minimize the probability of being discovered.
• Example trigger: wake on Monday of every week and execute code.

Companion/Camouflage Viruses
• A companion virus creates a companion file for each executable file the virus infects.
• For example, a companion virus may save itself as notepad.com; every time a user executes notepad.exe (the good program), the computer will load notepad.com (the virus) and infect the system.
• The virus infects the system with a file notepad.com saved in the C:\winnt\system32 directory.
[Figure: Notepad.exe alongside Notepad.com]

Shell Viruses
• Virus code forms a shell around the target host program's code, making itself the original program and the host code its sub-routine.
• Almost all boot program viruses are shell viruses.

File Extension Viruses
• A file extension virus changes the extension of a file. The .txt extension is safe, as it indicates a pure text file.
• With extensions turned off, if someone sends you a file named BAD.txt.vbs, you only see BAD.txt.
• If you have forgotten that extensions are turned off, you might think this is a text file and open it.
• It then executes Visual Basic Script and could do serious damage.
• Countermeasure: turn off "Hide file extensions" in Windows.

Add-on and Intrusive Viruses
• Add-on viruses append their code to the host code without making any changes to the latter, or relocate the host code to insert their own code at the beginning.
• Intrusive viruses overwrite the host code partly or completely with the viral code.

Transient and Terminate-and-Stay-Resident Viruses
• Basic infection technique of a direct-action or transient virus: transfer all control of the host code to where the virus resides.
• Select the target program to be modified and corrupt it.
• Basic infection technique of a terminate-and-stay-resident (TSR) virus: remain permanently in memory during the entire network session, even after the target host program has executed and terminated; it can be removed by rebooting the system.

Writing a Simple Virus
[Four slides, shown as images; their content is not captured in this text.]

Computer Worms
• Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction.
• Most worms are created only to replicate and spread across the network, consuming available computer resources. However, some worms carry a payload to damage the host system.
• Attackers use worm payloads to install backdoors on infected computers, which turns them into zombies and creates a botnet; these botnets can be used to carry out further cyber attacks.

How Is a Worm Different from a Virus?
• A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs.
• A worm takes advantage of file or information transport features on computer systems and spreads through the infected network automatically, but a virus does not.

Example of Worm Infection: Conficker Worm
• The Conficker worm is a computer worm that infects computers and spreads itself to other computers across a network automatically, without human interaction.
• Some symptoms:
  • Users are locked out of the directory
  • Autorun.inf files are placed in the recycled directory or trash bin
  • Access to security-related sites is blocked
  • Traffic is sent through port 445 on non-Directory Services servers
  • Access to administrator shared drives is denied

What Does the Conficker Worm Do?
• The Conficker worm can also disable important services on your computer.
• In the AutoPlay dialog box, the option "Open folder to view files - Publisher not specified" was added by the worm.
• The highlighted option, "Open folder to view files - using Windows Explorer", is the option that Windows provides and the option you should use.
• If you select the first option, the worm executes and can begin to spread itself to other computers.

How Does the Conficker Worm Work?
[Slide shown as image; content not captured.]

Worm Analysis: W32/Netsky
• W32/Netsky-A is a worm that spreads using email and Windows network shares.
• It searches all mapped drives for files with these extensions in order to find email addresses: MSG, OFT, SHT, DBX, TBB, DOC, WAB, ASP, UIN, RTF, VBS, HTML, PL, HTM, PHP, TXT, EML.
• The worm will also attempt to copy itself into the root folder of drives C: to Z: using many different names.
[Figure: Netsky analysis (second slide, shown as image; content not captured)]

Worm Analysis: W32/Bagle.CE
[Slide shown as image; content not captured.]

Worm Maker: Internet Worm Maker Thing
[Slide shown as image; content not captured.]
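The boot-sector, W32/Total-A and W32/Sality.AA slides above all describe a virus changing a startup point: the MBR, the "shell=" line in the [boot] section of system.ini, or an added [MCIDRV_VER] section. The following Python is an added example (not code from the ATHENA slides) showing how a defender checks those two points against a baseline. The disk image, the baseline hash, the INI text and the "Explorer.exe is the only legitimate shell" rule are constructed assumptions for the demo; the ABC.EXE pathname is a placeholder, not a real sample name.

```python
"""Integrity checks for two classic virus persistence points.

Added example, not part of the ATHENA slides. Sample data below is
constructed; the baseline hash is whatever was recorded on a clean machine.
"""
import hashlib

SECTOR = 512


def mbr_check(disk_image: bytes, baseline_sha256: str) -> dict:
    """Compare sector 0 of a raw disk image against a recorded baseline hash.

    A boot-sector virus keeps the 0x55AA signature intact (the machine must
    still boot), so the signature alone proves nothing; the hash of the whole
    sector is what reveals a replaced MBR."""
    mbr = disk_image[:SECTOR]
    digest = hashlib.sha256(mbr).hexdigest()
    return {
        "bootable_signature": mbr[510:512] == b"\x55\xaa",
        "matches_baseline": digest == baseline_sha256,
        "sha256": digest,
    }


def parse_ini(text: str) -> dict:
    """Minimal INI parser: {section: [(key, value), ...]}.

    Keeps order and duplicate keys, because a virus may append a line
    rather than replace the existing one."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def system_ini_findings(text: str) -> list:
    """Flag the edits the slides attribute to W32/Total-A and W32/Sality.AA."""
    ini = parse_ini(text)
    findings = []
    for key, value in ini.get("boot", []):
        # Assumption: a clean Windows 9x system.ini has exactly "shell=Explorer.exe";
        # an extra pathname on that line is run at every boot.
        if key == "shell" and value.lower() != "explorer.exe":
            findings.append(f"[boot] shell= is '{value}' (expected Explorer.exe)")
    if "mcidrv_ver" in ini:
        findings.append("[MCIDRV_VER] section present (W32/Sality.AA marker)")
    return findings


# --- constructed sample data (not real malware, just byte patterns) ---
CLEAN_MBR = b"\xfa\x33\xc0" + b"\x90" * 507 + b"\x55\xaa"      # 512 bytes
BASELINE = hashlib.sha256(CLEAN_MBR).hexdigest()              # recorded when clean
INFECTED_MBR = b"\xeb\x3c\x90" + b"\x00" * 507 + b"\x55\xaa"  # still "bootable"

CLEAN_INI = "[boot]\nshell=Explorer.exe\n[386Enh]\n"
INFECTED_INI = ("[boot]\nshell=Explorer.exe C:\\WINDOWS\\ABC.EXE\n"   # placeholder path
                "[MCIDRV_VER]\nDEVICE=\n")

if __name__ == "__main__":
    print(mbr_check(INFECTED_MBR, BASELINE))
    print(system_ini_findings(INFECTED_INI))
```

On a live system the first 512 bytes would be read from the raw disk device with administrator rights; the baseline must be captured and stored off the machine, since a virus that already controls the boot path can rewrite anything stored locally.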
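Two of the virus types above are visible purely in file names: a companion virus (notepad.com beside notepad.exe, loaded first by the command interpreter) and the "file extension virus" trick (BAD.txt.vbs displayed as BAD.txt when extensions are hidden). This added Python example (not from the ATHENA slides) scans a directory listing for both patterns; the listing, the executable-extension set and the benign-looking-extension set are constructed assumptions. It generalizes the slides' single cases to any .com/.exe pair and any data-looking/executable extension pair.

```python
"""Filename-level indicators for companion viruses and double extensions.

Added example, not part of the ATHENA slides. Uses ntpath so the Windows
paths are interpreted correctly on any host OS; no files are touched.
"""
import ntpath
from collections import defaultdict

# Extensions Windows will execute when the user "opens" the file (assumed list).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js", ".pif"}
# Extensions a user would reasonably expect to be harmless data (assumed list).
BENIGN_LOOKING_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".png", ".xls", ".zip"}


def find_companions(paths):
    """Return (com_path, exe_path) pairs: a .com beside a .exe of the same
    base name in the same directory. DOS/Windows resolves the .com first,
    which is exactly what a companion virus relies on."""
    by_key = defaultdict(dict)
    for p in paths:
        directory, name = ntpath.split(p)
        stem, ext = ntpath.splitext(name)
        by_key[(directory.lower(), stem.lower())][ext.lower()] = p
    pairs = []
    for files in by_key.values():
        if ".com" in files and ".exe" in files:
            pairs.append((files[".com"], files[".exe"]))
    return pairs


def find_double_extensions(paths):
    """Return paths whose visible name (last extension hidden) looks like data
    but whose real extension is executable, e.g. BAD.txt.vbs shown as BAD.txt."""
    hits = []
    for p in paths:
        stem, real_ext = ntpath.splitext(ntpath.basename(p))
        _, shown_ext = ntpath.splitext(stem)
        if real_ext.lower() in EXECUTABLE_EXTS and shown_ext.lower() in BENIGN_LOOKING_EXTS:
            hits.append(p)
    return hits


def scan(paths):
    """Run both checks over one listing."""
    return {
        "companions": find_companions(paths),
        "double_extensions": find_double_extensions(paths),
    }


# Constructed listing: the two cases from the slides plus ordinary files.
SAMPLE_LISTING = [
    r"C:\winnt\system32\notepad.exe",
    r"C:\winnt\system32\notepad.com",
    r"C:\winnt\system32\calc.exe",
    r"C:\Users\alice\Downloads\BAD.txt.vbs",
    r"C:\Users\alice\Downloads\report.pdf",
    r"C:\Users\alice\Downloads\setup.exe",
]

if __name__ == "__main__":
    for kind, items in scan(SAMPLE_LISTING).items():
        print(kind, items)
```

A companion pair is not proof of infection (a few legitimate tools ship both forms), so the hit is a prompt to compare timestamps and hashes, not an automatic quarantine; the double-extension check complements the slide's countermeasure of showing extensions, because it catches the file before a user ever looks at it.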
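One Conficker symptom listed above, traffic sent on port 445 to hosts that are not Directory Services servers, can be checked from network flow records without touching the infected host. The Python below is an added example (not from the ATHENA slides): the flow line format, the allow-list of servers that legitimately receive SMB, and the "three or more distinct targets" threshold are constructed assumptions.

```python
"""Flag sources sending TCP/445 to non-Directory-Services hosts.

Added example, not part of the ATHENA slides. Flow records are constructed
in the form 'time src dst dport proto'.
"""

# Hosts that legitimately receive TCP/445 (domain controllers, file servers). Assumed.
DIRECTORY_SERVICES = {"10.0.0.5", "10.0.0.6"}


def parse_flow(line):
    """Parse one constructed flow line into a dict."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto.lower()}


def suspicious_smb_sources(lines, allowed=DIRECTORY_SERVICES, min_targets=3):
    """Return {src: sorted list of non-DS hosts contacted on TCP/445} for every
    source that reached at least `min_targets` such hosts.

    A single stray connection is noise (a user browsing a peer's share); a
    worm sweeping a subnet on 445 touches many hosts in a short time."""
    targets = {}
    for line in lines:
        flow = parse_flow(line)
        if flow["proto"] != "tcp" or flow["dport"] != 445 or flow["dst"] in allowed:
            continue
        targets.setdefault(flow["src"], set()).add(flow["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


# Constructed flow records.
SAMPLE_FLOWS = [
    "10:00:01 10.0.1.20 10.0.0.5 445 tcp",    # normal: workstation to a DC
    "10:00:02 10.0.1.20 10.0.0.6 445 tcp",
    "10:00:03 10.0.1.77 10.0.1.1 445 tcp",    # sweep: workstation to peers
    "10:00:03 10.0.1.77 10.0.1.2 445 tcp",
    "10:00:03 10.0.1.77 10.0.1.3 445 tcp",
    "10:00:03 10.0.1.77 10.0.1.4 445 tcp",
    "10:00:04 10.0.1.30 10.0.1.31 445 tcp",   # one stray connection, below threshold
    "10:00:05 10.0.1.77 10.0.0.9 80 tcp",     # unrelated web traffic
]

if __name__ == "__main__":
    for src, dsts in suspicious_smb_sources(SAMPLE_FLOWS).items():
        print(f"{src} contacted {len(dsts)} non-DS hosts on TCP/445: {dsts}")
```

In practice the allow-list comes from the asset inventory and the threshold is tuned per subnet; the same function works over exported NetFlow or firewall logs once `parse_flow` is adapted to that format.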

Posted: 17/10/2015, 16:23
