Chapter 1 Viruses: Attack of the Malicious Programs.

Posted: 21-Dec-2015
Transcript of Chapter 1 Viruses: Attack of the Malicious Programs.

Page 1: Chapter 1 Viruses: Attack of the Malicious Programs.

Chapter 1

Viruses: Attack of the Malicious Programs

Page 2:

What is a virus?

Page 3:

What is a virus?

A computer virus is a malicious computer program that, when executed by an unsuspecting human, performs tasks that primarily include replicating itself and deploying a payload.

Page 4:

What is a virus?

A computer virus is a malicious program...

– Written by somebody who is up to no good

that, when executed by an unsuspecting human

– Viruses usually need human help; the human is tricked into starting the virus.

performs tasks that include replicating itself

and deploying a payload

– (next slide)

Page 5:

Some possible virus payloads

• Jokes/vandalism

• Data destruction/corruption

• Spam distribution

• Data/information theft

• Hijacking

• Ransomware

• Virus and spyware distribution

Page 6:

Kinds of malware

• Viruses

• Macro Viruses

• Memory-resident viruses

• File infector viruses

• Boot Viruses

• Trojan Horses

• Hoaxes

• Worms

Page 7:

Macro viruses

• Macros are command sequences available in many systems; Word is one, Excel is another.

• A macro can deploy a virus, just like any other executable.

• They often come with email attachments.

• They can open/close/write/destroy files.

• If they destroy your registry, your computer will not boot!

• Best: turn off the capability to run macros by default.

Page 8:

Turning off macros

• Office 2003:

– Tools → Options → Security tab. Click the Macro Security button, click the Security Level tab, and choose a level. The book recommends the Medium setting.

• Office 2007:

– Office button → <product> Options → Trust Center, click the Trust Center Settings button. Choose the macro setting you want; recommended: Disable all macros with notification.

Page 9:

Memory Resident Viruses

• Memory resident viruses load into RAM when activated and stay there; though they disappear when the machine is turned off, they often set up a mechanism so they reappear when the machine is rebooted.

• They slow down the computer, can damage data and system files, and may stop the computer from running correctly.

Page 10:

File infector viruses

• These are viruses that attach themselves to program files (files called *.EXE or *.COM).

• They have access to anything the original program has and can damage any of it, ergo, the whole computer (software).
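A defender's counterpart to this slide, added here as an example and not taken from the slides or from any product: a small file-integrity check in Python that records a SHA-256 baseline of the program files (*.exe, *.com) below a directory and later reports which of them were modified, added or removed. Everything it works on is constructed: the files are hypothetical stubs written into a temporary directory, and the "infection" is simulated by appending a few bytes to one of them.

```python
import hashlib
import os
import tempfile

# File infectors attach to program files; those are the ones the baseline covers.
PROGRAM_SUFFIXES = (".exe", ".com")


def sha256_of(path):
    """SHA-256 of a file, read in chunks so a large executable is not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map relative path -> SHA-256 for every *.exe / *.com file below root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(PROGRAM_SUFFIXES):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def compare(baseline, root):
    """Re-hash root and report what changed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(root, name, data):
    with open(os.path.join(root, name), "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario with hypothetical files (not real programs): take a baseline,
    then simulate an infector by appending bytes to one program file, drop a new program
    file and delete another. A text file is changed too and must not be reported."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "editor.exe", b"MZ" + b"\x00" * 64)
        _write(root, "tool.com", b"COM-STUB")
        _write(root, "readme.txt", b"not a program")
        baseline = build_baseline(root)

        _write(root, "editor.exe", b"MZ" + b"\x00" * 64 + b"APPENDED-BYTES")  # modified
        _write(root, "dropper.exe", b"MZ" + b"\x90" * 8)                      # added
        os.remove(os.path.join(root, "tool.com"))                             # removed
        _write(root, "readme.txt", b"changed but not a program file")         # ignored
        return compare(baseline, root)


if __name__ == "__main__":
    print(demo())
```

A baseline like this only helps if it is taken while the machine is known to be clean and stored somewhere the infected machine cannot rewrite (a read-only medium or another host); a virus that can alter executables can alter a baseline file lying next to them just as easily.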

Page 11:

Boot Viruses

• These are viruses which “hide” in the boot area of a disk/floppy. They may render the disk useless as a bootable disk.

Page 12:

Trojan Horses

• Trojan Horses are viruses that are inside other (interesting) programs; you run the program and launch the virus at the same time.

Page 13:

Multi-Partite Viruses

• They just combine all of the above.

Page 14:

Hoaxes

• Letters that warn you about viruses that don't exist

• Threaten catastrophe

• Reference a technology authority like IBM, Microsoft or the FBI.

• Ask that it be resent, probably several times.

• Usually a Google Search will reveal the hoax.

• Other sites to check: www.f-secure.com/virus-info/hoax and www.snopes.com

Page 15:

Worms

• These are malware that go from computer to computer without human intervention.

• Besides other ill-effects, they often clog networks looking for computers to infect.
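The network-clogging behaviour in the second bullet is also what makes a worm visible to a defender: one machine suddenly tries to reach many neighbours on the same port. As an added example, not from the slides, the Python below counts, per source address and destination port, how many distinct hosts were contacted in a firewall-style connection log and flags sources whose fan-out crosses a threshold. The log format (src=/dst=/dport= fields), the addresses, the lines and the threshold of 10 hosts are all constructed for the example.

```python
import re
from collections import defaultdict

# Field layout assumed for the constructed log lines; real firewalls differ.
LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def make_sample_log():
    """Constructed connection log (not from the slides): 10.0.0.5 touches 21 neighbours
    on port 445 one after another, while 10.0.0.7 only talks to a single web server."""
    lines = []
    for i in range(10, 31):
        lines.append(f"2015-12-21 10:00:{i:02d} src=10.0.0.5 dst=10.0.0.{i} dport=445 action=deny")
    for i in range(3):
        lines.append(f"2015-12-21 10:01:{i:02d} src=10.0.0.7 dst=10.0.0.9 dport=80 action=allow")
    lines.append("2015-12-21 10:02:00 link state changed")  # unrelated line, must be ignored
    return lines


def parse(lines):
    """Yield (src, dst, dport) for every line that carries the three fields."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def fanout(lines):
    """Number of distinct destination hosts contacted per (source, port)."""
    targets = defaultdict(set)
    for src, dst, dport in parse(lines):
        targets[(src, dport)].add(dst)
    return {key: len(hosts) for key, hosts in targets.items()}


def scanners(lines, min_targets=10):
    """(source, port) pairs that reached at least min_targets distinct hosts."""
    return {key: n for key, n in fanout(lines).items() if n >= min_targets}


if __name__ == "__main__":
    for (src, port), n in scanners(make_sample_log()).items():
        print(f"{src} contacted {n} distinct hosts on port {port}: worm-like scanning")
```

The count of distinct hosts, not the count of connections, is what separates a spreading worm from a busy but legitimate client: three hundred requests to one web server are normal, twenty-one first contacts on the same port in twenty seconds are not.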

Page 16:

Some avoidance tips

• Install an anti-virus program and keep it up to date: McAfee, or AVG from http://free.grisoft.com/

• Be wary of unexpected links and attachments

• Don't use P2P/BitTorrent

• Never turn off your anti-virus or your firewall.

• Check thumb drives, floppies, burned CDs and DVDs

• Don't accept files from unknown people when using Internet Chat programs such as MSN Messenger, IM, Yahoo Messenger, IRC.

Page 17:

Symptoms of a sick System

• Frequent crashes and system restarts

• Slow/erratic performance

• Broken/erratic internet connection

• An active internet connection in an otherwise idle computer

• Stuff in your sent folder you didn't send.

• Missing or corrupt data/files.

Page 18:

What to do?

• Update your antivirus software.

• Disconnect from the internet: turn off your modem/router and wireless. (Quarantine every computer.)

• If your antivirus found the virus and cleaned it, you are fine; otherwise: boot into safe mode, do a system virus scan, and repeat until clean.

Page 19:

If you cannot get on the Internet...

Your virus may have fiddled with a file called HOSTS

Its full name is:

C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS

on most systems (XP and Vista, probably Windows 7 also). Its contents should only be:

127.0.0.1 localhost

and (in Vista, Windows 7):

::1 localhost

There may be some lines with ipv6xx names on them; they are OK.

Edit the file with Notepad
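Before opening the file in Notepad it helps to know what you are looking for. The Python below is an added example, not part of the slides: it parses HOSTS-file text, accepts only the two localhost lines the slide names plus the benign IPv6 lines (taken here to mean an IPv6 address paired with an ip6-* name, which is an assumption), and explains each remaining entry. The sample file, including the two planted redirections to reserved .test domains, is constructed for the example.

```python
import ipaddress

# Constructed sample HOSTS file, the way a virus might leave it (not from the slides):
# the two expected lines, two benign ip6- lines, and two entries that do not belong.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
fe80::1%lo0     ip6-localhost
ff02::1         ip6-allnodes
127.0.0.1       update.example-antivirus.test
192.0.2.10      www.example-bank.test
"""

# The only entries the slide says should be present.
EXPECTED = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping blank lines and # comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name) for name in names)
    return entries


def _address(ip):
    try:
        return ipaddress.ip_address(ip.split("%", 1)[0])  # drop a %scope suffix
    except ValueError:
        return None


def is_ipv6_local(ip, name):
    """The slide's 'ipv6xx' lines: assumed to be an IPv6 address with an ip6-* name."""
    addr = _address(ip)
    return addr is not None and addr.version == 6 and name.startswith("ip6-")


def describe(ip, name):
    """Why an unexpected entry matters, from the user's point of view."""
    addr = _address(ip)
    if addr is None:
        return f"{name} has a malformed address {ip!r}"
    if addr.is_loopback:
        return f"{name} is pinned to this machine and can never be reached (blocks update sites)"
    return f"{name} is sent to {ip} instead of its real address (possible hijacking)"


def suspicious_entries(text):
    """Entries that are neither the expected localhost lines nor benign IPv6 lines."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if (ip, name) not in EXPECTED and not is_ipv6_local(ip, name)]


def report(text):
    return [f"{ip} {name}: {describe(ip, name)}" for ip, name in suspicious_entries(text)]


if __name__ == "__main__":
    for line in report(SAMPLE_HOSTS):
        print(line)
```

The two planted lines show the two things a tampered HOSTS file usually does: pointing an antivirus update site at 127.0.0.1 makes the name unreachable, which is why the virus survives the "update your antivirus" step; pointing a bank's name at some other address sends the browser to a server the attacker controls. Any entry that is not one of the expected lines deserves to be deleted.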

Page 20:

Operating System Security Features

KEEP YOUR OS UP TO DATE; set it to check for updates periodically (at least once a week).

Install and run antivirus software; keep it up to date (it should update automatically).

Keep your Firewall operational. In Vista and Windows 7 (and on the Mac), every time some program tries to change the system in some significant fashion, a window prompt appears. Called UAC in Windows, it can be turned off. DON'T.

Page 21:

More System Security Features

Be sure to set up all accounts as STANDARD accounts; have a special Administrator account (hopefully called something else) for admin tasks.

Windows has something called Data Execution Prevention (DEP). To set it: in XP, use sysdm.cpl, Advanced, Performance, click on Settings and choose the level. In Vista/Windows 7: System, Advanced System Settings, Advanced tab, Settings, DEP settings.

Page 22:

Viruses on Other devices

On the Mac: before OS X there were about 60-80 viruses; only a handful for OS X. So, not a real problem; however: PC viruses can happily live (dormant) in Mac files. Newer Macs can run Windows, and there, all bets are off. Unix/Linux have seen a handful of viruses, none for monetary gain. It is possible, now, to run Windows in Linux, so, again, the caveat above applies. Also, PC viruses can exist in any file.

Page 23:

Viruses in Phones/PDAs

Attacks against cell phones through SMS messages: the possibility existed. Otherwise, five kinds of devices:

Symbian: a handful, spread through Bluetooth

RIM (Blackberrys): none known

iPhones, etc.: none known, unless the phone is “jailbroken”

Windows Mobile Phones: too new.

Android: some apps have been malicious, but have not been able to spread.

Page 24:

If your virus doesn't remove, try:

http://www.sarc.com/avcenter/tools.list.html

http://us.mcafee.com/virusinfo/default.asp?id=vrt

http://www.kaspersky.com/removaltools

http://www.bitdefender.com/site/Download/browseFreeRemovalTool/

http://www.f-secure.com/download-purchase/tools.shtml

http://www.microsoft.com/security/malwareremove/