Embed Size (px)
Citation preview
Viruses
Malware versus Virus
• Viruses belong to a larger category of software known as Malware, which is short for “malicious software”
• Computer viruses are named after their biological counterparts because of the two features they have in common– they require a host; they are not complete programs but
pieces of code that become attached to (infect) another program
– They are self-replicating, i.e. they make copies of themselves
Programs writing programs
• A program is stored as a file (it may also be loaded into memory)
• A program can write to a file (or to memory)– It can insert text into a file, append to a file, overwrite a
file, or start a new file
• The file being written may contain a program, the code in the program can be a copy of the program that wrote the file
• When that new program is executed, …
Worm
• Some distinguish between a worm and a virus, in that a worm does not attach itself to another program but fills one’s disk space and/or memory with copies of itself
• Malware need not copy itself but that is the usual mechanism for spreading from system to system
Phases
• Infection phase: the time when a virus spreads (replicates itself)
• Attack phase: the time when a virus causes its damage – The non-replication action of the virus is known as the
“payload”
– The payload may be to print a silly message or to erase everything on the hard drive
– Even the infection phase uses up system resources
Bombs
• A logic bomb is designed to cause its damage only when a particular condition is met,
• a special case is a time bomb which goes off at a particular time– e.g. the Michelangelo and Melissa viruses
• If the payload is immediate, then the virus may be detected earlier and not have a chance to spread as far
Types of computer viruses
• Viruses are typically categorized by the level of software they “infect”– Boot sector infector
• Master boot sector
– File or program infector– Macro– Multipartite: Having features of more one of
the above – hoax
"Boot Sector"
• Booting is when one loads the operating system after turning on the power
• Viruses that attach to code at this lowest level are known as “boot sector” viruses or “boot sector infectors”
• These viruses are spread by sharing disks • A disk does not have to be “bootable” to
spread a boot sector virus
Boot sector (Cont.)
• Your computer is particularly vulnerable at the booting stage because the Anti-viral utility has not yet been loaded
• You should not have a floppy in the A drive when you boot up, unless you specifically mean to boot off of the floppy.
• Some anti-virus packages warn the user if a floppy is left in the A drive when shutting down
Master Boot Sector
• Sometimes a distinction is made between a boot sector virus and a master boot sector virus
• The computer looks first to the master boot sector to see for instance which partition one boots from, it then proceeds to the boot program
• A virus affecting the master boot sector is a master boot sector virus
Program or file infector
• A virus that attaches itself to an executable file (a program)
• Program file typically have one of the following extensions– .exe (executable file)– .com (companion file)– .bat (batch file)
Renaming
• One can rename a file and change its extension, so files with other extensions might have viruses
• However, the operating system treats files with these extensions differently in that it executes them when they are clicked
Program/file infector (Cont.)
• In DOS the rule is that if there are two files: filename.com and filename.exe, then filename.com is executed first
• Viruses that attach to the .com files are sometimes called “companion viruses”
• Program infectors are spread by sharing and executing infected programs
• A program virus can infect other programs • Don’t share programs of unknown origin
Macro virus
• a macro is a small program that automates repeated tasks in an application (like Word or Excel)– Macro virus
• a macro virus is a macro code used to spread itself and cause damage
• Have Word or Excel warn you if a file contains macros, disable them if you don’t need them
Macro virus (Cont.)
• Since a macro is code embedded in a file typically thought of as a data file (such as a Word document or Excel spreadsheet), they spread more quickly because– people are more likely to share data files – They are also less wary when they do– Macros are not operating system dependent, so
a macro virus can spread from a Mac to a PC and vice versa
Visual Basic Script
• Macros for Word and Excel are written in Visual Basic Script – If you record a macro in Word or Excel and edit
it, it looks very much like Visual Basic
• Visual Basic Script have the extension .vbs though often the macro is included right in the Word (.doc) or Excel (.xls) file
"Email" or "Hoax"
• Not really virus at all, just email messages repeatedly sent to warn others about a new virus – Infects the user not the computer
• However, like their genuine counterpart, hoaxes tie up system resources causing undo Internet traffic
• Try to verify a virus warning by checking with a IT professional or reputable web site with specific information on the virus
Most Common
– Early on, the program and boot-sector viruses were the only kind and were about equal in occurrence
– Then boot-sector viruses became the more common (even though there was a much larger variety of program infectors) because they were more easily obtained (by an infected floppy)
Most common (Cont.)
• With the increasing use of the Internet, especially email, macro viruses have become the most common because they spread the most easily
• Hoax viruses have also become quite common, and there is no anti-viral utility to help prevent them
“In the wild”
• Viruses are created at a rate of several per day
• Most viruses exist only in special collections• The viruses that are being passed around by
unsuspecting users are said to be “in the wild”
• A virus in your computer is said to be “resident”
Second categorization
• Another categorization of viruses is based on how they try to gain entrance to the system or hide from anti-viral software– Trojan horse– Polymorphic– Stealth– Anti anti-virus virus
Trojan Horse
• Not necessarily a virus
• Refers to malware that is disguised as software which is useful or fun to trick the user into copying and executing the program
Polymorphic
• A polymorphic virus changes its code• One way anti-viral software works is to
identify a virus’ “signature” — a string of characters unique to it or a string of characters that occur much more often in it than the would in “normal” code
• A polymorphic virus tries to beat this means of detection
Stealth virus
• In order to replicate a virus must write to, i.e. change files
• Another behavior anti-viral software looks for is files changing
• A stealth virus takes over the part of the operating system that reads files and lies about their having been changed
Anti anti-virus virus
• A.k.a. “retro” viruses
• These viruses try to delete or disable the anti-viral utility software
Damage
• What kind of damage can a virus do? • Many viruses have no payload at all.
But some viruses can: – Clog email servers– Delete or modify files – Release confidential information – Lowers computer performance – Loss of productivity
Damage (Cont.)
– Display serious or silly message on screen – Erase files – Scramble data – Erratic screen behavior halt pc – Beeping the keyboard – Damage software – Destroy your trust in your computer – Play music – Display animation screen – Slow down computer
Useful Information
• You cannot get a virus from simply "being on" the Internet. No one can "give" you a virus over the Internet without some user assistance at some level.
• Cannot be infected from CMOS memory. • Be aware that viruses are found in pirated
software regularly.• Viruses do not infect compressed files although
compressed files can carry a virus that it was infected with before it was compressed.
Useful Information (Cont.)
• You can’t get a virus by downloading, you need to execute the download to get the virus. – Be careful with some software, downloading and
installing occur simultaneously
• Files sent such as pictures and MP3 music CANNOT contain viruses. (see renaming)
• Viruses do not infect computer hardware (though they can render it useless)
Useful Information (Cont.)
• Can get viruses from certain data files in Microsoft Office because they contain macros, which are programs that are executable.
• Cookies (data files some web sites store on your disk) cannot have viruses.
• Can get viruses from EXE and COM files. • Viruses cannot infect files on write protected
disks, but infected disks that are then write protected can infect other files.
• Viruses do not identify themselves.
Quarantine area
• When an anti-viral utility cannot repair (“clean”) a virus-infected file, it might place it in “quarantine” — a holding area for suspicious or infected file
• they are unavailable to the user, but not lost for ever (in case they contain important data that needs recovering)
Quarantine area (Cont.)
• One benefit of allowing the administrator to decide whether files should be returned is that many macro viruses make deliberate and malicious changes to documents or spreadsheets they infect. This means that even after cleaning, files may contain damage, possibly subtle, which affects their validity or usefulness.
Prevention Measures
• Backup all files regularly – Doesn’t prevent viruses but prevents losses they
might cause
• Use a reputable anti-virus program• Update your anti-virus program regularly
– Sometimes this process can be automated
• Be aware of what your anti-virus software does with a virus but cannot disinfect
Prevention Measures (Cont.)
• Always remove floppy disks from the A drive when you are not using them
• Don't use floppy disks that have been used many times, and passed from computer to computer.
• If you are through editing the files on a floppy, write protect it
• Don't lend your floppy disks to others • Scan for viruses before using floppy disks
from others
Prevention Measures (Cont.)
• Don't download files from unknown sources • NEVER open an email attachment unless you
are SURE it doesn't contain a virus. – Save or detach an attachment instead of
launching it from the mail package
• Check all new software for viruses, even ones that were wrapped by the publisher– Pirated software is especially notorious for
containing viruses
Prevention Measures (Cont.)
• Open Microsoft Office documents with a viewer program rather then directly into the Microsoft application or have the application prompt you if a macro is used
• NEVER accept "games" or "updates" from strangers over email, ICQ, BBS, or any other transfer medium.
• Check everything for a virus before using it• Send an email to anyone who send you an
infected file
Prevention Measures (Cont.)
• Don't pass on virus warnings without some verification– At work, this is the job of the computer support
personnel
• Note strange occurrences in your PC's behavior ( odd messages, mouse directions switching, etc.)
• Never use undocumented commands such as fdisk \mbr to fix virus contamination
The EICAR Standard Anti-Virus Test File
• Testing your anti-viral software• This is a simple ASCII (text) file that can
also serve as a program. • It contains one line of printable characters;• If saved as EICAR.COM, it can actually be
executed. It prints the message:• EICAR-STANDARD-ANTIVIRUS-TEST-
FILE!
The EICAR Standard Anti-Virus Test File
• Most anti-virus products detect this file as if it were a virus.
• This provides a safe and simple way of testing the installation and behavior of your anti-virus software without needing to use a real virus.
The EICAR Standard Anti-Virus Test File
• To make your own EICAR test file, create a text file called EICAR.COM containing a single line that looks like this:
• X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
• Note that the "O" in the third character position is the letter "oh", not the digit "zero". If you have typed (or pasted) the text correctly, Sophos Anti-Virus will tell you the file contains "EICAR-AV-Test".
Word Macro Security
• Make Word prompt you whenever you try to open a document containing a macro
• Some viruses were able to turn this setting off, so it doesn’t hurt to check it
Word Macro Security
Browser security
• Many web pages have programs embedded in them
• Make sure your browser prompts you before any program is downloaded into your system
I.E. Security
I.E. Security
References
• http://www.us.sophos.com/virusinfo/whitepapers/vfiles.html
• http://www.vmyths.com/
• http://www.geocities.com/siliconvalley/1710/
• http://library.thinkquest.org/C005965F/main.htm
• http://www.cai.com/viurusinfo/virus_intro.htm
