7/29/2019 how windows handle various viruses
1/24
Topic: How windows operating system handles viruses? Write down various viruses that can cause serious damage to the computer system.

Submitted By: SANJEEV KUMAR (REG. 11008322, ROLL: RK2R13A36)
Submitted To: RAMANPREET KAUR LAMBA
CSE 316 How windows operating system handles viruses? Write down various viruses that can cause serious damage to the computer system.
By sanjeev 11008322
Acknowledgement
It is a great pleasure for me to acknowledge the assistance and contributions of many individuals in making this dissertation a success.
First and foremost, I would like to thank my supervisor, MRS. RAMANPREET KAUR LAMBA, for her assistance, ideas, and feedback during the process of doing this dissertation. Without her guidance and support, this dissertation could not have been completed on time. Secondly, it is a pleasure to express my thanks to all my friends, especially
1. MR. S.K CHAKRAVARTI
2. MR. ABHAY KUMAR
3. MR. SHUBHAM PATEL
4. MR. RAHUL TEHALANI and
5. AJAY KUMAR
for sparing their time to participate in this project. I deeply appreciate their helpfulness and willingness in providing useful information for this project. Lastly, I wish to express my sincere gratitude to my family for their encouragement and moral support.
INDEX
CONTENTS page no:
1. Overview
2. Introduction
3.
Abstract:
A virus is potentially a destructive program code that attaches itself to a host (either a file or a program) and then copies itself and spreads to other hosts. It may contain a damage routine or payload, which activates when triggered. So computer viruses are codes written by some people to cause serious damage to computers; this includes private, business and government computers. Computer viruses are similar to biological ones in their ability to replicate themselves, infect a large number of victims and have a lifecycle. The term computer virus was formally defined by Fred Cohen in 1983, while he performed academic experiments on Digital Equipment Corporation VAX systems.
This chapter describes Windows operating systems in general, though it provides greater coverage of the operating systems built on the Windows NT kernel, including Windows XP Professional and Windows Server. It begins by presenting the development of the Windows operating system and its design goals. The role of the Memory Manager, especially the Virtual Memory Manager, is discussed. The use of the Device, Processor, and Network Managers in recent versions of Windows is reviewed. The chapter then explains the role of the file system in file management and the challenges for Windows system security today. The chapter concludes by explaining how the current Windows user interface functions. Throughout this chapter, many acronyms are introduced to describe this networked operating system. Windows operating systems are descended from a series of graphical interfaces designed to work with or on top of Microsoft's MS-DOS operating system. The computer virus threat is growing and home users are threatened by it, especially with the increasing dependence on computers to accomplish the vast variety of tasks in our modern lives. The popularity of the internet aggravates the threat and gives virus writers the ideal environment to distribute their viruses, since computer viruses can spread across the world in a few hours, causing disruption to hundreds of thousands of computers around the globe. A brief account of computer viruses' nature, history and development, the damage caused by some well-known viruses and the different types of computer viruses is given; virus writers' types, motivations, their point of view towards ethical and legal issues, and the effect of legal penalties on their practice are also explained. The threat of computer viruses towards home users is proved, and some solutions to eliminate the threat of computer viruses are highlighted. Home users can protect their systems based on their understanding of the foregoing.
Introduction:
A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the user. However, the term "virus" is commonly used, albeit erroneously, to refer to many different types of malware programs. The original virus may modify the copies, or the copies may modify themselves, as occurs in a metamorphic virus. A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or the Internet, or by carrying it on a removable medium such as a floppy disk, CD, or USB drive. Additionally, viruses can spread to other computers by infecting files on a network file system or a file system that is accessed by another computer. Viruses are sometimes confused with computer worms and Trojan horses. A worm can spread itself to other computers without needing to be transferred as part of a host, and a Trojan horse is a file that appears harmless until executed. Most personal computers are now connected to the Internet and to local area networks, facilitating the spread of malicious code. Today's viruses may also take advantage of network services such as the World Wide Web, e-mail, and file sharing systems to spread, blurring the line between viruses and worms. Furthermore, some sources use an alternative terminology in which a virus is any form of self-replicating malware. Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply replicate themselves and perhaps make their presence known by presenting text, video, or audio messages. Even these benign viruses can create problems for the computer user. They typically take up computer memory used by legitimate programs. As a result, they often cause erratic behavior and can result in system crashes. In addition, many viruses are bug-ridden, and these bugs may lead to system crashes and data loss.
Due to the increasing dependence on computers to achieve most of our civilized life tasks, from simple word processing to controlling and monitoring the most sensitive facilities like nuclear reactors and performing surgical operations, the need to depend on computers' reliability and functionality is of high concern, since any failure in computer functionality could lead to loss of human lives or costly financial losses. There are many threats to computer functionality and reliability, and computer viruses are the most common one. The threat of computer viruses is addressed to all computer operators in homes, business, and government; home users, and how they can eliminate the threat of computer viruses and protect their systems, are the concern here. The relation between increasing the awareness and understanding of the nature of computer viruses and home users' ability to protect their systems will be tested. In order to accomplish the foregoing this paper is structured as follows: firstly, the definition of computer viruses, their nature, their history and development, and their different types is discussed. Secondly, the threat of computer viruses to home users is proved. Thirdly, computer virus writers' nature, motivations and their perspective on legal and ethical issues are highlighted. Fourthly, ways to eliminate the threat of computer viruses are discussed. Finally, the research conclusions are illustrated.

Computer viruses are small software programs that are designed to spread from one computer to another and to interfere with computer operation. A virus might corrupt or delete data on your computer, use your e-mail program to spread itself to other computers, or even erase everything on your hard disk [9]. Viruses are most easily spread by attachments in e-mail messages or instant messaging messages. That is why it is essential that you never open e-mail attachments unless you know whom they are from and you are expecting them. Viruses can be disguised as attachments of funny images, greeting cards, or audio and video files. Viruses also spread through downloads on the Internet. They can be hidden in illicit software or other files or programs you might download.
Computer Viruses History and Development:
Most computer users who have had hard times because of computer viruses won't believe it all started in 1982 as a joke by a teenager to tease his schoolmates. Richard Skrenta was in the 7th grade when he got his first PC, an Apple II, for Christmas. He started to make use of this tool by doing something different and unexpected. "I had been playing jokes on schoolmates by altering copies of pirated games to self-destruct after a number of plays. I'd give out a new game, they'd get hooked, but then the game would stop working with a snickering comment from me on the screen (9th grade humor at work here)." When they noticed what was going on they prevented him from being near their disks. So he had to think of a way to pass his booby trap to their disks without putting his hands on them physically. "I hit on the idea to leave a residue in the operating system of the school's Apple II. The next user who came by, if they didn't do a clean reboot with their own disk, could then be touched by the code I left behind. I realized that self-propagating programs could be written, but rather than blowing up quickly, to the extent that it laid low it could spread beyond the first person to others as well. I coded up Elk Cloner and gave it a good start in life by infecting everyone's disks I could get my hands on." Basit Farooq Alvi and Amjad Farooq Alvi, on the other hand, seemed to have a totally different motive to write their virus. Software piracy was the software developer's nightmare, so they started to think of a way to protect their effort from being lost (Paquette, 2000, p.2). Basit and Amjad used to run a computer store in Lahore, Pakistan. They decided to create a virus in order to inhibit American software piracy and protect their business, and they called it the (C) Brain virus. In October 1987 the (C) Brain virus appeared at the University of Delaware; one month later the Lehigh or COMMAND.COM virus was found at Lehigh University in Pennsylvania; finally, in December, the Hebrew University of Jerusalem was attacked by the Friday the 13th virus (Highland, 1997, p.416). In 1989 the 1260 virus was found in the wild as a result of variable encryption techniques; also in the same year stealth viruses (which have the ability to avoid detection by employing various techniques), such as Zero Bug, Dark Avenger, and Frodo, were found in the wild for the first time (Dwan, 2000, p.13).
So it started to get more serious and virus writers accepted the undeclared challenge, and started to improve their malicious code to avoid detection. In 1990 the virus writers released a virus called Whale, which was a self-modifying virus (International Journal of Electrical & Computer Sciences IJECS-IJENS Vol. 10 No. 03, p.37), and in 1991 the GPI virus was found; the mission of this virus was to steal Novell NetWare passwords. In the same year Michelangelo was discovered in New Zealand (Dwan, 2000, p.13). It seems that this war would never end. In 1995 a new technique was found to cope with the communication revolution and internet popularity: the first reported macro virus, Concept, was seen in the wild by AV researcher Sarah Gordon in the summer of 1995. A set of five macros designed only to replicate, Concept's payload displays the virus author's ominous message: "That's enough to prove my point." (Paquette, 2000, p.3)

A month later the Chernobyl strain CIH hit around 540,000 computers in Turkey and South Korea; the purpose of its payload was to reformat the hard drive and zap a key chip on the computer motherboard (Dwan, 2000, p.14). The increasing dependency on company networks or the internet to exchange documents using e-mail on a daily basis gave the macro virus a suitable spreading environment and made it the best example of a virus meeting each age's requirements. In the year 2000 a new millennium had just started and it seemed that the virus writers' quiver was still full of surprises. It was an irresistibly attractive message containing a love letter, the Love Bug. All the user had to do in order to infect his system and automatically send copies of the virus to everyone in his e-mail address book was to open the attachment (Ruppe, 2000, p.1). The I LOVE YOU virus caused havoc and damage to private, business, and government computers throughout the globe, starting from Asia, Australia and Europe to North America (Ruppe, 2000, p.1). The Asian Dow Jones computers crashed and the Asian Wall Street Journal was struck; around 30% of British and 80% of Swedish companies' e-mail systems were affected; finally, in the U.S. at least 350,000 files were found hit (Ruppe, 2000, p.2-3). In 2001 the Pentagon and the White House were forced to halt public access to their Web sites for a limited period and 250,000 systems were infected in nine hours due to the Code Red worm, which was able to infiltrate hundreds of thousands of computers shortly after its first identification on July 19th (Stenger, 2001, p.1). Virus writers were determined to prove their capability to threaten the world by releasing new viruses. In 2002 the top of the virus chart was the Klez virus, which was able to produce more than five million copies (advisor.com, 2002, p.1). Nevertheless we can say that malware (short for malicious software) started with the release of viruses in the wild, regardless of the virus writers' motivations or intentions in writing them. When software developers started to notice the need for programs to protect computers from viruses, the malware war started between the virus writers and the antivirus companies.
Virus Structure
Computer viruses have at least two parts (search and copy routines) or more, depending on how sophisticated the virus is; the additional parts give it its unique characteristics (Ludwig, 2002, p.23-24):
Search routine: this routine's responsibility is to find a suitable target for infection.
Copy routine: to infect the target found by the search routine, the virus must copy itself to the target, and this is the copy routine's responsibility.
Anti-detection routine: this could be part of the search or copy routines or a stand-alone routine; its mission is to avoid detection either by the user or by anti-virus programs.
Payload routine: this routine varies depending on its purpose; it could be a joke, destructive, or perform a useful task.
Virus Lifecycle
A computer virus and a biological one have a similar lifecycle, which consists of the following stages (Cronkhite and McCullough, 2001, p.19-20):
Birth: bringing the computer virus to life; the virus writer (the person who wrote the virus) designs the virus and then creates it using a programming language.
Release: in this stage the virus writer sends it out into the wild (cyberspace, the virtual computer world).
Proliferation: the virus's target in this stage is to replicate and infect as many victims as possible without drawing any attention.
Trigger: in this stage the virus becomes alive when the trigger is reached. The virus writer usually determines the trigger; it could be a specific date, a certain task, or anything else depending on the writer's choice.
Activation: in this stage the virus has the ability to run its destructive routine. The effect of this could vary from erasing the hard disk's content to limited damage.
Detection: this could happen at any stage of the virus lifecycle; detecting the virus in the early stages makes it easier to remove without causing any damage. Unfortunately, real-life viruses are usually discovered after they have caused havoc and damage.
Elimination: the ability to eliminate the effect of a virus varies from one type to another, and also depends on the available tools. The solution could be simple and inexpensive (e.g., deleting the virus) or complicated and expensive (e.g., reformatting and restoring the hard disk or buying a new one).
Modification: in this stage the virus lifecycle may be repeated with an improved version; this could be done by the original virus writer or someone else.
Types Of Computer Viruses
Every year computer technology developers surprise the world with their new inventions; therefore virus writers need to create new generations of viruses to cope with the latest computing techniques. As a result of this competition, each year hundreds of new viruses are found in the wild.
File-infecting virus: this virus's technique is to attach itself to executable files, which are the files ending with .exe, .com, .dll, and .drv; these are the main program files and drivers. If any of them is infected, the virus code is executed first when the program runs, loading itself into memory and deceiving the user by allowing the program to execute normally. When the user runs any other application, the virus replicates itself in order to attach to that application. The virus should remain undetected until the trigger is reached, and this depends on the virus writer's choices.
Boot sector virus: this virus loads itself into the boot sector of a floppy disk or the master boot record of a hard disk in order to be loaded into memory before the operating system is loaded. As soon as the virus becomes resident it will be able to infect each disk inserted into that computer.
Macro viruses: macro language technology was invented by software companies in order to automate repetitive tasks. This virus depends on the macro language in order to infect data files by attaching itself to the global template, and spreads when the data files are opened. So, as we can see, virus writers took advantage of a new invention and developed suitable viruses for each age. These types of viruses are categorized as dangerous ones, because they are easy to write, spread easily, and are hard to eradicate. The macro virus's effect could be an annoying message, adding password protection to files, saving files as templates instead of saving them as documents, or moving and replacing text randomly.
Script virus: this type of virus is written using scripting languages; they spread and infect files by taking advantage of vulnerabilities in the Microsoft Windows operating systems, and opening e-mails or accessing Web pages which include tainted scripts will activate the virus. This type of virus has the ability to change its signature each time the virus is reproduced in order to remain undetected by antivirus software.
Polymorphic virus: this virus has the ability to change each time it replicates, using different encryption routines through its additional unique mutation engine. As a result of this combination the virus is very difficult to detect. One Half is an example of this type of virus; it has a destructive effect, and its target is to encrypt the hard disk and make it unreadable. Another example is Satan Bug (Natas), which specialized in attacking antivirus software. Virus writers are so keen to cope with technology development that each time antivirus software and software developers come up with a new technology to prevent computer virus infection, virus writers find their way to surprise the world with a new threat by releasing the suitable virus for each age.
Handling viruses by Windows system:
Firewall
A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, in software, or in a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. There are several types of firewall techniques:
Packet filters: look at each packet entering or leaving the network and accept or reject it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.
Application gateway: applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose performance degradation.
Circuit-level gateway: applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
Proxy server: intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
In practice, many firewalls use two or more of these techniques in concert. A firewall is considered a first line of defense in protecting private information. For greater security, data can be encrypted.
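The packet-filter weakness named above (IP spoofing) in a small worked example, added here and not part of the original page: a first-match filter that trusts the intranet by source address alone accepts a packet that merely claims an internal source, while the same rules preceded by an ingress anti-spoofing check reject it. The addresses, interfaces, port and rules are constructed for this example.

```python
from ipaddress import ip_address, ip_network

# Constructed private network (hypothetical addresses for this example).
INTRANET = ip_network("10.0.0.0/8")

# Constructed first-match rule set: (source network, destination port, action).
# It trusts any packet whose source address is inside the intranet.
RULES = [
    (ip_network("10.0.0.0/8"), 445, "accept"),   # internal hosts may reach file sharing
    (ip_network("0.0.0.0/0"), 445, "reject"),    # nobody else may
    (ip_network("0.0.0.0/0"), 80, "accept"),     # web traffic is allowed from anywhere
]


def naive_filter(packet):
    """Plain packet filter: first matching (source, port) rule wins, default reject.
    It never asks which interface the packet arrived on, so a forged source
    address is enough to match the 'internal hosts' rule."""
    src = ip_address(packet["src"])
    for net, port, action in RULES:
        if src in net and packet["dst_port"] == port:
            return action
    return "reject"


def ingress_filter(packet):
    """Same rules, but with an anti-spoofing ingress check first: a packet that
    claims an intranet source address cannot legitimately arrive on the
    external interface, so it is rejected before the rules are consulted."""
    src = ip_address(packet["src"])
    if packet["iface"] == "external" and src in INTRANET:
        return "reject"
    return naive_filter(packet)


# Constructed sample packets (src address, destination port, arrival interface).
PACKETS = [
    {"src": "10.1.2.3", "dst_port": 445, "iface": "internal"},    # real internal host
    {"src": "203.0.113.9", "dst_port": 445, "iface": "external"},  # outsider, blocked
    {"src": "10.1.2.3", "dst_port": 445, "iface": "external"},    # spoofed internal source
    {"src": "203.0.113.9", "dst_port": 80, "iface": "external"},   # outsider, web allowed
]


def decisions(filter_fn):
    """Run every sample packet through the given filter and return the verdicts."""
    return [filter_fn(p) for p in PACKETS]


if __name__ == "__main__":
    for name, fn in (("naive", naive_filter), ("ingress", ingress_filter)):
        print(name, decisions(fn))
```

The third packet is the one that matters: the naive filter accepts it, the ingress-checked filter rejects it.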
World top 10 viruses and their hazards:
1. I LOVE YOU:
2. The Swiss Amiga Virus
The story of the so-called "Swiss" Amiga viruses is fairly interesting for a number of reasons. The first reason is the name. It is called Swiss because someone at first thought it was launched from Switzerland, but the last time I heard of people searching for the source, they thought it was from Germany or Canada. Nothing is quite as exciting as closing right in on a perpetrator.
To understand how this particular virus works, you have to understand how Amigas work. Not the technical aspects, but rather how people share information when they use Amigas. Amigas have very strong user groups. For example, it's not unusual for an Amiga user group to have hundreds of people, with meetings twice a week. So they have several hundred people meeting twice a week, exchanging disks with each other, giving talks, and doing all sorts of computer related social activities. Sharing is very prevalent under these circumstances. This virus enters one of the system files on an Amiga, and eventually destroys the information on the disk in a similar way to the PC based viruses we have discussed. When I first heard about this virus, I called up the person at Commodore (the manufacturer of the Amiga) in charge of defending against it; the chief systems programmer. He said "I have it under control, it's no big deal", and he wrote a program that looked for the first byte of the virus in that particular file. If the first byte of that virus was present, it said "this is an infected program, restore from backups to repair the problem" or some such thing. So, he sent this defense out, and about a week later there was a new version of the virus that started with a different first byte. So I called the guy up and said "Wouldn't you like to do something better?" He said "No, no, we have it under control . . . ", and then he sent out a program that looked for either of those two first bytes. The third round involved a copy of the virus that evolved through any of ten different first bytes, so I called him again and he said "No, no, I've got it under control . . . " This time he wrote a program that checked to see whether the first byte was not the legitimate byte of the Amiga program. About a week later, there was a version of the virus that had the same first byte as the legitimate Amiga program, but a different second byte. That was the last time I bothered calling this guy up. I figure that by now, they're up to about the tenth or eleventh byte, and still battling it out.
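The rounds described above as a worked example, added here and not code from the original page or from Commodore: each per-byte check is evaded by the next constructed variant, while a whole-file integrity check against a recorded known-good digest flags every modified copy. The file contents, the variants and the digest are constructed for this example.

```python
import hashlib

# Constructed stand-in for the legitimate Amiga system file (made-up bytes).
LEGIT = b"\x00\x00\x03\xf3LEGIT SYSTEM FILE V1"

# Known-good digest recorded while the file was still clean; an integrity
# checker stores this once and compares against it on every later scan.
KNOWN_GOOD = hashlib.sha256(LEGIT).hexdigest()

# Constructed "generations" of the modified file, mirroring the story:
# each one changes only what the previous check looked at.
GENERATIONS = [
    b"\x7f" + LEGIT[1:],                 # round 1: new first byte
    b"\x8e" + LEGIT[1:],                 # round 2: yet another first byte
    LEGIT[:1] + b"\xff" + LEGIT[2:],     # round 3: legitimate first byte, changed second byte
]


def first_byte_signature_check(data: bytes, bad_first_bytes: set) -> bool:
    """Rounds 1 and 2: flag the file only if its first byte is on the known-bad list.
    Returns True when the file is flagged."""
    return bool(data) and data[0] in bad_first_bytes


def legit_first_byte_check(data: bytes) -> bool:
    """Round 3: flag the file if its first byte is NOT the legitimate program's.
    A variant that keeps that byte and changes a later one slips through."""
    return not data or data[0] != LEGIT[0]


def integrity_check(data: bytes, known_good_digest: str) -> bool:
    """Whole-file check: flag the file if its SHA-256 digest differs from the
    recorded known-good digest, whatever byte was changed."""
    return hashlib.sha256(data).hexdigest() != known_good_digest


def evaluate(bad_first_bytes: set):
    """Count how many of the constructed generations each check flags.
    Returns (signature hits, legit-first-byte hits, integrity hits)."""
    sig = sum(first_byte_signature_check(g, bad_first_bytes) for g in GENERATIONS)
    legit = sum(legit_first_byte_check(g) for g in GENERATIONS)
    integ = sum(integrity_check(g, KNOWN_GOOD) for g in GENERATIONS)
    return sig, legit, integ


if __name__ == "__main__":
    print("signature list {0x7f}:      ", evaluate({0x7f}))
    print("signature list {0x7f,0x8e}: ", evaluate({0x7f, 0x8e}))
```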
The Mainframe Christmas Card Virus
In 1987, we also had the Christmas card virus that spread throughout mainframes of the
world by way of computer mail. It was created by a student in Germany as a Christmas
card. In order to understand how this virus worked, you have to understand that part of
the corporate culture in IBM was for people to send each other Christmas cards via
computer mail. As a result, when someone you knew sent you a Christmas card you
would normally read it without hesitation. So this person in Germany created a
punishment, MacMag was kicked off of CompuServ "forever", which I guess is as big a punishment as they can come up with. CompuServ and most of the rest of the community thought the attack was all over, until... About two months later (so the story goes), a man was visiting his friend who was a contract programmer. He showed his friend a copy of a game called "Frogger". The programmer tried Frogger once, and said "This is really a dumb game, in fact, this is the dumbest game I've ever seen. I'm never going to run this game again". However, once was enough. This particular programmer, it just so happens, wrote training software for several companies, including such industry leaders as Lotus, Ashton-Tate, and Aldus. Over the next couple of weeks, he distributed copies of his newest training software to one or more of these companies, and the virus that came in Frogger spread. Aldus subsequently released about 5,000 copies of their newest program "Freehand" which were infected. This was the first (but not the last) time that a virus was released in a legitimate, shrink wrapped, commercial software distribution.
The Scores Virus
The so-called "Scores" virus operates on Apple Macintosh computers, and was apparently written by a disgruntled ex-employee of Electronic Data Systems, a Texas firm that does computer security work world-wide. The reason we believe this is that it directs its attacks against programs written by particular programmers from EDS, and through an anonymous source, I heard some further details that were convincing.
The Scores virus does absolutely nothing for about four days after its initial infection. For the next four days, it infects, but does no other damage. The 4 day time period may be because of a procedural defense at EDS, which a 4 day wait bypasses, but nobody is certain of this except the attacker. From then on, whenever you run an infected program, it operates as follows: For the first 15 minutes of operation it does nothing. For the next 15 minutes, it prevents saving anything. Finally (mercifully), the system crashes. So if you are running an editor written by one of these authors at EDS, for the first 15 minutes everything works great. After that, when you try to save the file, it says (in effect) "Sorry, I can't save that". The user typically responds with something like "What do you mean you can't save it? Save it!", and for the next several minutes, a frantic effort to save the file is made, until finally the system crashes, and the changes are lost. Needless to say, it is a very disconcerting experience for the user when it happens the first time, but things get worse. It takes about 2 hours to completely get rid of the Scores virus from a Macintosh with a hard disk (from the details I have heard), but as I have mentioned, there is another side effect. Over the four day period of reproduction without damage, the virus tends to get into floppy disks and backups, spread over networks, etc. As a result, many organizations have the Scores virus for a long time. One administrator from a government agency described curing this virus from all of the computers in one network once a week for a year.
The Internet Virus
The "Internet Virus", commonly called the "Internet Worm" (it turns out that worms are a special case of viruses), was launched in 1988 in the Internet. The Internet is a network that, at that time, interconnected about 100,000 to 200,000 computers around the world, is used by universities and other research organizations, and provides connectivity to many other networks. I can't remember the names of half the networks it is connected to, but among the connected networks in 1988 were the ARPA-net (Advanced Research Projects Agency) and the DOD-net (US Department of Defense).
In the Internet attack, a graduate student at Cornell University designed and launched a computer virus that replicated and moved from machine to machine in the Internet. It entered about 60,000 to 70,000 computers, but was designed to only replicate in 6,000 of them. In a matter of a few hours, it spread throughout the network causing widespread denial of services. According to the author, it was not intended to deny services, but due to an error in programming it replicated too quickly.
This virus was designed specifically to work in a particular version of a particular operating system and, even though it would be very simple to make it work on other versions, special code was in place to prevent its undue spread. It replicated by `fork'ing processes and tried to move from system to system by exploiting a (de)bug in the computer mail protocol. It turned out that if you had debugging turned on in the mail protocol on your machine, then if somebody wanted to, they could issue commands as if they were the `Superuser' on your computer. It also turns out that most of the systems in the Internet had this switch turned on at compile time, and in many cases, they could not turn it back off because they didn't have the source code to the mail program for recompilation, and the designers didn't provide any mechanism for overriding the debugging mode.
This particular virus also crossed the boundaries between the ARPA-net and the DOD-net, which were supposedly secured against all such intrusions. In the next few days, several viruses apparently crossed this boundary, and the link was then severed.
The AIDS Disk
In late 1989, a well funded group purchased a mailing list from a PC magazine, and distributed between 20,000 and 30,000 copies of an infected disk to the people on this list. The disk was a very poor virus, but it caused a great deal of damage because there were so many copies mailed, and the recipients used the disk widely despite procedural policies in place prohibiting such use. The disk was advertised as a program to evaluate a person's risk of getting AIDS based on their behavior. Included in the distribution was a description of the fact that this was a limited use distribution, and that it would cause damage to the system if it was used without paying royalties.
The disk infected the host system by adding a line to the "AUTOEXEC.BAT" system startup file which, although it appeared to be a comment, was actually a peculiar program name. After running this program a number of times, the virus would encrypt directory information so that file names became unusable. If you continued to use the system it would eventually try to convince you to put in a floppy disk to make a copy for a friend. The alleged perpetrator was eventually caught by tracing the mailing list purchase process back to the buyer. The last I heard, the person they caught was in the middle of extradition hearings to England, where the virus caused enough damage to warrant prosecution.
The Datacrime Virus
The "Datacrime" virus was the most widely announced and least widely spread well known virus in recent memory. It was rumored to exist as early as 6 months before it was to cause damage, and was eventually the subject of the first NIST National Computer Virus Alert in the United States. This virus only caused minor damage in a few instances in Europe, and never took hold in the United States. Perhaps coincidentally, IBM introduced its antivirus program to the world on exactly the same day as NIST announced its first national computer virus alert. Not a single incident was reported or detected in the US as far as I can tell, but IBM sure sold a lot of virus detection software.
2.3.13 Early Evolutionary Viruses
In late 1989, the first seriously evolutionary virus to appear in the real world began spreading in Europe. Earlier viruses had evolved in minor ways, simple self-encryption had been used before, and experimental viruses with no association between evolutions had been demonstrated, but this virus was the first one to be released into the world with many of these properties. This virus replicates by inserting a pseudo-random number of extra bytes into a decryption algorithm that in turn decrypts the remainder of the virus stored in memory. The net effect is that there is no common sequence of more than a few bytes between two successive infections. This has two major implications. The first problem is that it makes false positives high for pattern matching defenses looking for the static pattern of this virus, and the second problem is that special purpose detection mechanisms were simply not designed to handle this sort of attack.

Since the first evolving real-world virus appeared, authors have improved their evolution techniques substantially. One author even created a set of evolutionary subroutines called the 'Mutating Engine' (often referred to as MtE) which can be integrated with other viruses to form a highly evolutionary form. After over a full year of analysis and response, the best virus scanning programs still hadn't achieved a detection rate over 95% on a sample of several thousand mutations created by Vesselin Bontchev (a well-known Bulgarian antivirus researcher) to test their quality. This brings up an important point about virus detection rates that I will defer to our discussion on epidemiology.
Simulation (Stealth) Viruses
The simulation virus that appeared in late 1989 represented a major step toward attacks meant to bypass virus defenses. In essence, this virus simulates all of the DOS system calls that would lead to its detection, causing them to return the information that would be attained if the attack were not present. It is presently spreading widely throughout the world, and because it does no obvious damage, it is generally going undetected. Since that first simulation virus, researchers have decided to use the term 'stealth' to indicate viruses that use sophisticated hiding techniques to avoid detection. The term stealth is derived from the US 'stealth' aircraft that were so successful at avoiding radar detection in the Gulf War in the early 1990s.
Hiding techniques have their biological analogy, the most commonly known example being the chameleon which changes its color to match the background. Many insects blend into their background and thus avoid predators, and a common feature of invasive micro-organisms is the presence of chemical sequences identical to those of their hosts, which enable them to pass as if they were native cells instead of invaders. Now there is a very important difference between biological stealth techniques and the techniques of modern malicious viruses that I think I should mention before you get any misimpressions. There is a tendency to anthropomorphize hiding techniques as if to indicate that a conscious effort is made by an organism to hide by creating matching chemical sequences. In biological systems, except for higher forms of animals, there is apparently no evidence that there is intent behind the hiding techniques. Rather, random variations caused some color differences or chemical sequences, and it just happened that those creatures didn't die as often as others because of their stealthy characteristics, and so they survived to reproduce.
The stealth techniques we see in modern computer viruses are quite different in that they are intentionally designed to hide by exploiting weaknesses in the operating environment. For that reason, all current stealth viruses are designed to attack PC and Macintosh operating systems, which are inherently vulnerable. Against the stronger defense techniques now available, current stealth attacks fail completely when operating system protection such as that provided in Unix, MVS, and VMS is in use. There are ways of hiding in most modern timesharing systems with these protections in place, but none of the real-world viruses we have seen have done this yet. For example, an infected program could start a background process to perform infection so as to reduce the time effects associated with infection, and give the memory resident process a name similar to the name of other common memory resident programs so that it would not be easily differentiated when looking at operating processes.
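The stealth idea above has a direct consequence for defenders: an integrity check that asks the same intercepted system calls it is trying to verify learns nothing, because those calls answer as a clean system would. The check that works is a cross-view comparison, reading the file once through the normal interface and once through a view the resident program cannot shape (raw sectors, or a scan after booting from clean media), and flagging every file on which the two disagree. The script below is an added illustration of that comparison and is not code from the report; the "disk", the altered file and the clean-looking answers of the intercepted interface are all constructed in-memory data, and SHA-256 is an assumed choice of fingerprint.

```python
"""Cross-view integrity check (added example, constructed data only).

A stealth virus, as the text describes it, intercepts the system calls a scanner
relies on and returns the answers a clean file would give.  A check that reads
through that same interface twice therefore sees nothing.  A cross-view check
compares the intercepted interface's answer with an independent view of the
same storage and reports every file on which the two views disagree.
No real disk is touched and no real API is hooked: both "views" are dict lookups.
"""
import hashlib

# Constructed "disk": what is really stored, file name -> bytes.
RAW_DISK = {
    "EDIT.COM":   b"edit program bytes " * 4 + b"\x00" * 8 + b"CONSTRUCTED-APPENDED-BYTES",
    "FORMAT.COM": b"format program bytes " * 4,
    "TREE.COM":   b"tree program bytes " * 4,
}

# Constructed model of the intercepted interface: for the one altered file it hands
# back the pre-modification content, so size and hash look untouched.
_CLEAN_LOOKING = {
    "EDIT.COM": b"edit program bytes " * 4 + b"\x00" * 8,
}


def hooked_read(name: str) -> bytes:
    """What a program sees through the intercepted system calls."""
    return _CLEAN_LOOKING.get(name, RAW_DISK[name])


def raw_read(name: str) -> bytes:
    """What an independent view (raw sectors, clean boot) sees."""
    return RAW_DISK[name]


def fingerprint(data: bytes) -> tuple:
    """(size, SHA-256 hex) of a file's content; the hash choice is an assumption."""
    return (len(data), hashlib.sha256(data).hexdigest())


def baseline_from(reader, names):
    """Record a fingerprint for each file using the given reader."""
    return {n: fingerprint(reader(n)) for n in names}


def single_view_check(baseline, names):
    """Naive integrity check: re-read through the same intercepted interface.
    Against a stealth virus this sees exactly the baseline and reports nothing."""
    return [n for n in names if fingerprint(hooked_read(n)) != baseline[n]]


def cross_view_check(names):
    """Flag every file for which the intercepted view and the raw view disagree."""
    findings = []
    for n in names:
        api, raw = fingerprint(hooked_read(n)), fingerprint(raw_read(n))
        if api != raw:
            findings.append({"file": n, "api_size": api[0], "raw_size": raw[0]})
    return findings


if __name__ == "__main__":
    names = sorted(RAW_DISK)
    # Baseline taken while the resident is already active, as happens in practice
    # when the infection predates the integrity tool.
    base = baseline_from(hooked_read, names)
    print("single view:", single_view_check(base, names))   # [] - fooled
    print("cross view: ", cross_view_check(names))          # EDIT.COM, sizes differ
```

The single-view result is the important one: it is empty not because the checker is broken but because every answer it can obtain comes from the thing it is checking. That is also why the text's remark about protected operating systems matters; where the resident program cannot intercept the calls, the two views coincide and the simple check is sufficient.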
The Bulgarian Viruses
In early 1990, a research institute in Bulgaria released a set of 24 viruses to the rest of the world research community. They had not previously been known outside of Bulgaria. Astonishingly, none of these had been detected in Western Europe until these samples were provided. With the fall of the Iron Curtain, the flow of people and information between the former Soviet Bloc countries and the rest of the world dramatically increased. Along with this openness came the open exchange of viruses, and a whole new set of problems was created for defenders on both sides of the former partition.
Some Trends
Although many of these viruses have not spread widely, the number of widespread viruses is on the increase, and the incidence level is increasing quickly. For example, in a recent visit to Taiwan, I was surprised to learn that of 50 companies represented at a seminar, on the average they experienced about 10 viruses per year! This is particularly important in light of the fact that most of the world's PCs are manufactured in Taiwan (the figure 80% appears in their official government documents), and several incidents of widespread dissemination of viruses from manufacturers have been reported. Another interesting trend is that only about 10% of the known viruses are responsible for 90% of the incidents. According to several minor studies, this has been true for several years, and according to a recent larger scale study done by IBM of Fortune 500 companies, only 15% of the known viruses were detected in the real world. They also report that 33% of incidents are caused by the two most prevalent viruses ('Stoned' and 'Form'), and the 10 most prevalent viruses are responsible for 66% of incidents. These numbers represent very substantial growth, but don't reflect the recent advances in attack technology. Several virus generating programs are currently available, both from semi-legitimate software houses, and from other less identifiable sources. Some of these virus generators are capable of generating millions of different viruses automatically. Some even allow the user to select different infection techniques, triggering mechanisms, and damage using a menu. Even simple evolution is available in some of these generators. A far more interesting program has been developed to perform automated evolution of existing programs so as to create numerous equivalent but different programs. This program exploits knowledge of program structure, equivalence of large classes of instructions, and sequential independence of unrelated instructions to replace the sequence of instructions comprising a program with a behaviorally equivalent instruction sequence that is substantially different in appearance and operation from the original. In one of the appendices, several examples of evolutionary and hiding techniques are shown, and a good case is made to show that detection by looking for viruses is quite difficult and time consuming if these techniques are applied.
2.3.18 Cruncher
The 'Cruncher' virus is a real-world version of the compression virus described earlier, but with an interesting twist. For the decompression process, it uses a very common decompression program, and the virus is added to the file being infected before compression. The net effect is that when we look at the file, it looks like a legitimate compressed executable program. If we try to scan for the virus, we are in great difficulty because the compression algorithm is adaptive in that it generates codings for subsequent bits based on occurrence rates earlier in the file. Since this particular virus is placed at the end of the file, we can't detect it until we decompress the entire file! No finite number of 'scan' strings exist for detecting the virus because the virus is compressed with the adaptive compression algorithm. This virus first appeared in January of 1993, and as of this writing is not detected by any virus scanners. It is not likely to be reliably detected by them soon, unless they dramatically increase run times.
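The scan-string argument above can be checked directly. The script below is an added example, not code from the report or from any scanner; it stands in zlib (DEFLATE, an adaptive LZ77 plus Huffman scheme) for the unnamed compressor the text refers to, and a harmless constructed marker string for the appended code. It appends the same marker to two different constructed "programs", compresses each, and shows that the marker is absent from both compressed files, that the two compressed files share no byte run as long as the marker (so no string taken from one would match the other), and that a scanner which decompresses first finds the marker in both.

```python
"""Why a fixed scan string cannot find data hidden under adaptive compression,
and why scanning after decompression can.  Added example with constructed data;
zlib stands in for the compressor the text mentions, a plain marker string
stands in for the appended code.
"""
import random
import zlib

# Constructed stand-in for the appended bytes: harmless and easy to recognise.
MARKER = b"CONSTRUCTED-MARKER-FOR-THIS-ADDED-EXAMPLE"


def make_host(seed: int, vocabulary: list, words: int = 600) -> bytes:
    """Constructed compressible 'program': pseudo-random words from a vocabulary."""
    rng = random.Random(seed)
    return " ".join(rng.choice(vocabulary) for _ in range(words)).encode()


def pack(host: bytes) -> bytes:
    """Append the marker, then compress, mirroring the order the text describes."""
    return zlib.compress(host + MARKER, 9)


def longest_common_substring(a: bytes, b: bytes) -> int:
    """Length of the longest byte string that occurs in both a and b.
    Binary search over k: a shared run of length k implies one of length k-1."""
    def has_common(k: int) -> bool:
        if k == 0:
            return True
        grams = {a[i:i + k] for i in range(len(a) - k + 1)}
        return any(b[j:j + k] in grams for j in range(len(b) - k + 1))

    lo, hi = 0, min(len(a), len(b))
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if has_common(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def static_scan(packed: bytes) -> bool:
    """Scanner that looks for the marker in the bytes as stored on disk."""
    return MARKER in packed


def scan_after_decompress(packed: bytes) -> bool:
    """Scanner that decompresses the whole file first, then looks for the marker."""
    return MARKER in zlib.decompress(packed)


def demo() -> dict:
    host_a = make_host(1, ["alpha", "bravo", "charlie", "delta", "echo", "foxtrot"])
    host_b = make_host(2, ["kilo", "lima", "mike", "november", "oscar", "papa"])
    packed_a, packed_b = pack(host_a), pack(host_b)
    return {
        "static_a": static_scan(packed_a),            # False: marker not visible
        "static_b": static_scan(packed_b),            # False
        "decompressed_a": scan_after_decompress(packed_a),  # True
        "decompressed_b": scan_after_decompress(packed_b),  # True
        "longest_shared_run": longest_common_substring(packed_a, packed_b),
        "marker_len": len(MARKER),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20} {value}")
```

The shared-run figure is the point the text makes about the "adaptive" property: because the codes assigned to the marker's bytes depend on everything that came before them in the file, the same appended bytes come out differently in every host, and the only reliable detector is the one that pays the decompression cost the text warns about.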
Conclusions :
The number of computer viruses found in the world is increasing each year. Every time software and antivirus software developers invent new technology to prevent virus infection, computer virus writers thrill the world with their ability to get around the new technology and develop the right virus for each age. Macro viruses were their ideal proof of their intention to accept the challenge and cope with the new technology developments. Script viruses were another proof: they have the ability to encrypt themselves each time they reproduce, so as to have a different signature in order to deceive the antivirus and remain undetected. The antivirus developers' reaction to this challenge was to develop their programs to detect the pattern in the decryption routine of the virus; the virus writers' reaction was to create polymorphic viruses. So the contest between software and antivirus software developers and virus writers will go on.
Computer virus writers are not a homogeneous group; their motivations could be the need to express their dissatisfaction with their social level, to draw attention, to become famous and well known, to achieve their revenge, or to prove their technical ability. It seems that virus writers' desire to accomplish their goal conceals the ethical and legal issues from their view. Another reason could be their dissatisfaction with their society, since the ethics and legal codes belong to it, and they want revenge on everything in their society including the ethics and legal codes. The legal penalties are not deterring virus writers, but seem to encourage the writers to accept the challenge of writing and releasing a virus to cause the maximum destruction and get away with it, or cause serious damage and become famous. By comparing the increasing number of home users with the increasing number of computer viruses each year, we can easily realize the growing threat of computer viruses towards home users. Increasing awareness of computer viruses and basic IT security principles will help home users to eliminate the threat of computer viruses.

Being largely misunderstood, viruses easily generate myths. Some people think it's funny to generate hoaxes. By careful checking you can usually spot them. Silly tricks and poor policies are no substitute for individual protection methods. Any product that advertises itself as a "quick and easy cure" for "all viruses past, present, and future" is more likely than not exercising its advertising imagination. Keep in mind that not everything that goes wrong with a computer is caused by a computer virus or worm. Hardware and software failures are still a leading cause of computer problems.