virus

By Vinod V S (081006056)

Page 1: virus

Page 2: virus

Introduction to Virus

• A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the user.

• On one hand, viruses show us how vulnerable we are, disrupting productivity and doing billions of dollars in damages. On the other hand, they show us how sophisticated and interconnected human beings have become.

• Computer viruses are called viruses because they share some of the traits of biological viruses. A computer virus passes from computer to computer like a biological virus passes from person to person.

• VIRUS - Vital Information Resources Under Siege

Page 3: virus

How can a simple virus affect us?

• Mydoom worm infected approximately a quarter-million computers in a single day in January 2004.

• In March 1999, the Melissa virus was so powerful that it forced Microsoft and a number of other very large companies to completely turn off their e-mail systems until the virus could be contained.

• The ILOVEYOU virus in 2000 had a similarly devastating effect. In January 2007, a worm called Storm appeared -- by October, experts believed up to 50 million computers were infected.

Virus        Year  Estimated Damage
CIH          1998  20M to 80M $
Melissa      1999  300M to 600M $
Code Red     2001  2.6B $
SQL Slammer  2003  shut down South Korea's online capacity for 12 hours
Blaster      2003  2B to 10B $
Sobig.F      2003  5B to 10B $
MyDoom       2004  At its peak, slowed global Internet performance by 10 percent and Web load times by up to 50 percent
Sasser       2004  Tens of millions of dollars

Page 4: virus

How Does a Virus Work???

[Diagram: Prepender infection. Labels on the slide: Virus, Trouble, Program, Start, End]

Page 5: virus

How Does a Virus Work???

[Diagrams: Appender, PE Infector, Overwriter]

Page 6: virus

Why does one write virus programs?

This can be broadly categorized into 4 reasons:

• The first is the same psychology that drives vandals.

• The second reason has to do with the thrill of watching things blow up.

• The third reason involves bragging rights, or the thrill of doing it. Sort of like conquering Mount Everest.

• The fourth reason is cyber terrorism that is taking place now.

Page 7: virus

Types of electronic infections

• Viruses

• Trojan horses

• Worms

• Logic bombs

• Malware

• Adware

• Spyware

Page 8: virus

Virus

• A virus is a small piece of software that piggybacks on real programs. These are the types:

• Boot Sector Virus

• Parasitic virus

• Memory-resident virus

• Stealth Virus

• Polymorphic virus

Page 9: virus

A simple virus

```c
#include <stdio.h>
#include <stdlib.h>

/* The slide's "simple virus": an endless loop that appends the output of the
   "dir" command to a file, so the file grows until the disk is full (Windows
   only; "dir" is a cmd.exe command). Note that it never copies itself into
   other programs, so by the slide-2 definition it is a disk filler rather than
   a self-replicating virus. The box-drawing character in the file name is
   restored from the slide's garbled text. */
int main(void)
{
    while (1) {
        system("dir>>╚a.exe");
    }
    return 0;
}
```

Page 10: virus

Trojan horses

• In order for a Trojan to infect your machine, you have to install the server side of the application.

• The author of the Trojan horse has to convince you to download the application.

• This is why it is called a Trojan horse: you have to consciously or unconsciously run the .exe file to install the program; it doesn't propagate on its own like a virus.

• Trojan horse payloads are remote access, data destruction, disabling security software, DoS attacks.

Ex: Waterfalls.scr

Page 11: virus

Worms

• A worm uses a network to send copies of itself to other nodes (computers on the network).

• Unlike a virus, it does not need to attach itself to an existing program.

• Worms almost always cause at least some harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

• The Nachi family of worms tried to download and install patches from Microsoft's website to fix vulnerabilities in the host system, by exploiting those same vulnerabilities.

Page 12: virus

Logic Bombs, Malware, Spyware & Adware

• A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met.

• "Malware" is short for malicious software and is typically used as a catch-all term to refer to any software designed to cause damage to a single computer, server, or computer network, whether it's a virus, spyware or something else.

• The term spyware suggests software that secretly monitors the user's behaviour, but the functions of spyware extend well beyond simple monitoring.

• Adware or advertising-supported software is any software package which automatically plays, displays, or downloads advertisements to a computer after the software is installed on it or while the application is being used.

Page 13: virus

Different Phases of Virus

• During its lifetime, a typical virus goes through the following four phases:

• Dormant phase: The virus is idle and is eventually activated by some event.

• Propagation phase: The virus places an identical copy of itself into other programs or into certain system areas on the disk.

• Triggering phase: The virus is activated to perform the function for which it was intended.

• Execution phase: The function is performed.

Page 14: virus

Other Mean Programs

• Key Loggers

• Phishing

• Pharming

• Hoaxes

• Jokes

Page 15: virus

How Does Anti-virus Work?

• Pattern recognition – find what I know.

• Passive Heuristics – look at behaviors and guess.

• Active Heuristics (emulation) – run the file and watch.

• Behavior blockers – you can’t do that!

• Integrity checkers – have you changed?
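The last bullet, "have you changed?", is the easiest of the five to show in code. The block below is an added example, not code from the slides: a minimal integrity checker that records SHA-256 hashes of trusted program files, reports every file whose hash later differs, and then compares the new bytes with the trusted copy to name the infection layout from pages 4 and 5 that would produce such a change (prepender, appender or overwriter). All file names and contents are constructed sample bytes, and FOREIGN is just a placeholder string standing in for whatever was added.

```python
# Added example (not from the slides): an integrity checker in the spirit of page 15
# ("have you changed?"). A baseline of SHA-256 hashes is taken over trusted program
# files; a later scan reports every file whose hash moved and, by comparing the new
# bytes with the baseline copy, names the layout from pages 4-5 that would produce it:
# prepender, appender or overwriter. Every file below is constructed sample bytes.
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def take_baseline(files: dict[str, bytes]) -> dict[str, dict]:
    """Record hash, size and a trusted copy of each file (the copy allows classification later)."""
    return {name: {"sha256": sha256(data), "size": len(data), "copy": data}
            for name, data in files.items()}

def classify_change(original: bytes, current: bytes) -> str:
    """Name the page-4/5 layout that turns original into current."""
    if current == original:
        return "unchanged"
    if len(current) > len(original):
        if current.endswith(original):
            return "prepender"   # foreign bytes in front, program intact behind them
        if current.startswith(original):
            return "appender"    # program intact, foreign bytes after it
        return "modified: original no longer contiguous (e.g. PE infector)"
    return "overwriter"          # no growth, original bytes replaced

def check(baseline: dict[str, dict], files: dict[str, bytes]) -> dict[str, str]:
    """Compare the files seen now against the baseline; one verdict per file name."""
    verdicts = {}
    for name, entry in baseline.items():
        if name not in files:
            verdicts[name] = "missing"
        elif sha256(files[name]) == entry["sha256"]:
            verdicts[name] = "unchanged"
        else:
            verdicts[name] = classify_change(entry["copy"], files[name])
    for name in files.keys() - baseline.keys():
        verdicts[name] = "new file, not in baseline"
    return verdicts

# Constructed "programs" as first seen (trusted) ...
CLEAN = {
    "calc.exe": b"MZ\x90\x00PROGRAM-START:calc body:PROGRAM-END",
    "notepad.exe": b"MZ\x90\x00PROGRAM-START:notepad body:PROGRAM-END",
    "paint.exe": b"MZ\x90\x00PROGRAM-START:paint body:PROGRAM-END",
    "solitaire.exe": b"MZ\x90\x00PROGRAM-START:solitaire body:PROGRAM-END",
}
# ... and as a later scan might find them. FOREIGN is a placeholder for whatever was added.
FOREIGN = b"<foreign bytes placeholder>"
LATER = {
    "calc.exe": FOREIGN + CLEAN["calc.exe"],                    # prepender layout
    "notepad.exe": CLEAN["notepad.exe"] + FOREIGN,              # appender layout
    "paint.exe": FOREIGN + CLEAN["paint.exe"][len(FOREIGN):],   # overwriter: same size, head replaced
    "solitaire.exe": CLEAN["solitaire.exe"],                    # untouched
}

if __name__ == "__main__":
    baseline = take_baseline(CLEAN)
    for name, verdict in sorted(check(baseline, LATER).items()):
        print(f"{name:15} {verdict}")
```

A real checker would store the baseline somewhere the checked machine cannot silently rewrite (otherwise the attacker who modified the program can also modify the hash), and would need the full trusted copy only when it wants to classify the change rather than merely report it.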

Page 16: virus

Signature Based Detection

Recognizes patterns

The computer sees:

111001110000110101000110011110…

The trick is in the pattern!!!

• Can you find the word “VIRUS”?

• How about QUART?

• Maybe MCIS?

• A word you don’t know?

• If I told you there was a word “WVIL”, now you could find it!

ABMCISVCEYWOUTXNDRUSLWINTQURPLKXUIXNHSQARNQUARTLPOLLPWNMAZIWALNOIBVARKLVOWELSVWESETNODHEREW
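The word-search makes the point that a scanner can only find what it has been told to look for. The block below is an added example, not code from the slides, that does the same thing over bytes: a tiny scanner with two kinds of signature, a substring (the "portion of the virus" the slides mention on page 22) and an exact whole-file SHA-256 hash, and a signature update that turns an undetected file into a detected one (the "WVIL" moment). Every file name, file content and signature pattern is constructed for the example and stands for nothing real.

```python
# Added example (not from the slides): a toy signature scanner for the page-16 idea that
# a scanner can only find patterns it already knows. Two kinds of signature are shown:
# a substring (the "portion of the virus" the slides mention) and an exact whole-file
# hash. All files, names and byte patterns are constructed for this example.
import hashlib

SUBSTRING_SIGNATURES = {
    "Sample.Alpha": b"\x90\x90\xeb\x05ALPHA-PAYLOAD",
    "Sample.Beta": b"BETA\x00\xde\xad\xbe\xef",
}

FILES = {
    "report.doc": b"Quarterly figures" + b"\x00" * 16 + b"end of document",
    "game.exe": b"MZ\x90\x00" + b"\x90\x90\xeb\x05ALPHA-PAYLOAD" + b"\x00" * 8,
    "tool.exe": b"MZ\x90\x00" + b"GAMMA\x01\x02\x03 unknown code" + b"\x00" * 8,
}

# An exact signature: the hash of the whole known sample.
HASH_SIGNATURES = {"Sample.Alpha.exact": hashlib.sha256(FILES["game.exe"]).hexdigest()}

def scan_substrings(data: bytes, signatures: dict[str, bytes]) -> dict[str, int]:
    """Map each matching signature name to the offset where its pattern was found."""
    hits = {}
    for name, pattern in signatures.items():
        offset = data.find(pattern)
        if offset != -1:
            hits[name] = offset
    return hits

def scan_hashes(data: bytes, signatures: dict[str, str]) -> list[str]:
    """Whole-file match: the file must be byte-for-byte identical to the known sample."""
    digest = hashlib.sha256(data).hexdigest()
    return [name for name, known in signatures.items() if known == digest]

def scan_all(files: dict[str, bytes], substrings: dict[str, bytes],
             hashes: dict[str, str]) -> dict[str, dict]:
    return {name: {"substring": scan_substrings(data, substrings),
                   "hash": scan_hashes(data, hashes)}
            for name, data in files.items()}

def with_signature(signatures: dict[str, bytes], name: str, pattern: bytes) -> dict[str, bytes]:
    """A signature update: the same database plus one new entry."""
    updated = dict(signatures)
    updated[name] = pattern
    return updated

if __name__ == "__main__":
    print("before update:", scan_all(FILES, SUBSTRING_SIGNATURES, HASH_SIGNATURES))
    updated = with_signature(SUBSTRING_SIGNATURES, "Sample.Gamma", b"GAMMA\x01\x02\x03")
    print("after update: ", scan_all(FILES, updated, HASH_SIGNATURES))
    # A one-byte change defeats the exact hash but not the substring signature.
    tweaked = FILES["game.exe"] + b"\x00"
    print("tweaked game.exe:", scan_substrings(tweaked, SUBSTRING_SIGNATURES),
          scan_hashes(tweaked, HASH_SIGNATURES))
```

Before the update, tool.exe is clean as far as the scanner knows, exactly like a word you were never told; after the update it is found at offset 4. The tweaked file shows why a scanner matches a portion rather than the whole file: one appended byte changes the hash but leaves the substring in place.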

Page 17: virus

Problems with Signatures

• New threats are not detected until signatures are generated

• You may be vulnerable for hours, days, or weeks

• If a threat slows down the internet it may be difficult to obtain signatures (Slammer worm)

• In corporate environments signatures may need testing, further delaying protection

• Compressing files hides malware

Page 18: virus

Understanding Compression and Encryption

• Symbols can be used to represent patterns.

• Example: = 1,2,3,4, and 5

• This is the “file” we need to compress.

• 0000 0000 0111 0111 0111 0110 0010 0010 0010 0010 0010 0001 0001 0001

• We have 14 sets of 4 numbers or 4 * 14 = 56 characters.

• How can we say the same thing with fewer characters?

• Code Key: 0000=0 0001=1 0010=2 0011=3 0100=4 0101=5 0110=6 0111=7 1000=8 1001=9

• 20 means 2 sets of pattern 0000

• 20 = 0000 0000

• 37 means 3 sets of the pattern 0111

• 37 = 0111 0111 0111

Page 19: virus

Contd…

Look up table: 0=0000 1=0001 2=0010 6=0110 7=0111

|--20---| |-----37-----| |16| |----------52----------| |-----31-----|
0000 0000 0111 0111 0111 0110 0010 0010 0010 0010 0010 0001 0001 0001

20 37 16 52 31 - 10 characters represent 56 characters!

Now go find 0111 0010 in 20 37 16 52 31

You need to “decompress” 20 37 16 52 31 to find the pattern.

• To find a virus in a compressed file it must be decompressed.

• For a virus to execute (infect) it also must be decompressed.

• A virus in an archive cannot infect.
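The two slides above can be run as code. The block below is an added example, not code from the slides: it implements the nibble run-length scheme exactly as described (code key 0000=0 … 1001=9, each run written as count followed by digit), compresses the slide's own 56-character file to "20 37 16 52 31", and then searches for patterns both in the compressed digits and after decompression. One assumption is mine: the slide uses a single digit for the count, so the code splits runs longer than 9 into several tokens. Note that the slide's pattern 0111 0010 does not actually occur in the sample file (0111 is followed by 0110 there), so the search also tries 0111 0110, which is present, and 0110 0101, which is absent from the file but happens to appear in the compressed digits, a false hit that only decompression resolves.

```python
# Added example (not from the slides): the nibble run-length scheme of pages 18-19 and
# why a scanner has to decompress before it can find a pattern. The sample "file" is the
# slide's own 56-character bit string; the code key maps each 4-bit group to one digit
# (0000=0 ... 1001=9), and every run becomes "<count><digit>". One digit holds the
# count, so runs longer than 9 are split into several tokens (my assumption; the slide
# does not say how it would handle long runs).
from itertools import groupby

SAMPLE_FILE = "0000 0000 0111 0111 0111 0110 0010 0010 0010 0010 0010 0001 0001 0001"

def to_nibbles(bits: str) -> list[int]:
    """'0000 0111' -> [0, 7]. Only groups 0000-1001 exist in the slide's code key."""
    nibbles = []
    for group in bits.split():
        if len(group) != 4 or set(group) - {"0", "1"}:
            raise ValueError(f"not a 4-bit group: {group!r}")
        value = int(group, 2)
        if value > 9:
            raise ValueError(f"{group} is outside the code key (0000-1001)")
        nibbles.append(value)
    return nibbles

def compress(nibbles: list[int]) -> str:
    """[0, 0, 7, 7, 7, 6, ...] -> '20 37 16 52 31'."""
    tokens = []
    for value, run in groupby(nibbles):
        count = len(list(run))
        while count > 9:          # single-digit count: split long runs
            tokens.append(f"9{value}")
            count -= 9
        tokens.append(f"{count}{value}")
    return " ".join(tokens)

def decompress(encoded: str) -> list[int]:
    """'20 37 16 52 31' -> [0, 0, 7, 7, 7, 6, ...]."""
    nibbles = []
    for token in encoded.split():
        count, value = int(token[0]), int(token[1])
        nibbles.extend([value] * count)
    return nibbles

def contains(haystack: list[int], needle: list[int]) -> bool:
    """Plain signature search over a sequence of nibbles."""
    n = len(needle)
    return any(haystack[i:i + n] == needle for i in range(len(haystack) - n + 1))

def find_in_file(encoded: str, pattern_bits: str) -> tuple[bool, bool]:
    """Return (found by scanning the compressed digits as if they were the file,
    found after decompressing) for a pattern written like '0111 0010'."""
    pattern = to_nibbles(pattern_bits)
    compressed_view = [int(d) for d in encoded.replace(" ", "")]
    return contains(compressed_view, pattern), contains(decompress(encoded), pattern)

if __name__ == "__main__":
    encoded = compress(to_nibbles(SAMPLE_FILE))
    print(encoded, "-", len(encoded.replace(" ", "")), "characters represent",
          len(SAMPLE_FILE.replace(" ", "")), "characters")
    for pattern in ("0111 0010", "0111 0110", "0110 0101"):
        in_compressed, in_decompressed = find_in_file(encoded, pattern)
        print(f"{pattern}: in compressed text {in_compressed}, after decompression {in_decompressed}")
```

The three searches give a miss-miss, a miss-hit and a hit-miss: scanning the compressed text can both overlook a pattern that is in the file and "find" one that is not, which is the reason the slide says the file must be decompressed first.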

Page 20: virus

Understanding Polymorphism

Polymorphic software does the same thing each time, but looks different each time.

5=5

2+3=5

1-3+9*(1037/32*(32/1037))+(11-33)+(10*2)=5

Run 5 minutes, rest 10 minutes, walk 3 minutes.

Run 5 minutes, rest 5 minutes, rest 5 minutes, walk 3 minutes.

Page 21: virus

Understanding Heuristics

• Heuristics are used to detect unknown threats.

• Heuristics are used to defeat compression, encryption and polymorphism.

• Heuristics are used to detect brand new malicious software.

• Heuristics are used to detect attempts to exploit vulnerabilities.

• Heuristics = zero-day, zero-hour protection.

Page 22: virus

False Positives

• False positives occur when an anti-virus program calls a good program bad. It’s like arresting the wrong person.

• False positives are expensive.

• AV doesn’t search for the entire virus, just a portion of it.

• Search Google for “elephant” and you get over 58 million hits. You just need to find a specific elephant. Searching for “rude elephant” narrows the results to 1.73 million. A search for “very rude elephant” finds us “Rudy, the very rude elephant.”
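The elephant search is really a description of how a signature gets chosen: a portion of the sample that is long enough to hit nothing good. The block below is an added example, not code from the slides, that turns that into a check a practitioner can run: candidate portions of a sample (runs of one, two, three … words) are scored against a corpus of known-clean files, and the shortest candidate with zero clean hits is kept. Matching is plain substring search, as a byte signature would be. The sample text and the clean corpus are constructed so that "elephant" and "rude elephant" both flag clean files while "very rude elephant" flags none, mirroring the slide's narrowing.

```python
# Added example (not from the slides): choosing a signature that is specific enough.
# Page 22 says AV matches only a portion of a sample, and a portion that is too short
# also matches good files (false positives). The functions below score candidate
# portions of a sample against a corpus of known-clean files and keep the shortest one
# with zero clean hits, the way "elephant" -> "rude elephant" -> "very rude elephant"
# narrowed the search. Matching is plain substring search, as a byte signature would
# be. The sample text and the clean corpus are constructed for this example.

CLEAN_CORPUS = {
    "zoo_guide.txt": b"an elephant is the largest land animal and the elephant eats grass",
    "joke_book.txt": b"a rude elephant told the very rude waiter a joke",
    "dog_story.txt": b"Rudy the very best dog chased the very big ball",
}
SAMPLE = b"Rudy the very rude elephant"

def false_positives(candidate: bytes, clean_files: dict[str, bytes]) -> list[str]:
    """Names of clean files the candidate signature would wrongly flag."""
    return sorted(name for name, data in clean_files.items() if candidate in data)

def candidate_signatures(sample: bytes, max_words: int = 5):
    """Yield portions of the sample, shortest first: every run of 1, 2, ... max_words words."""
    words = sample.split()
    for n in range(1, max_words + 1):
        for i in range(len(words) - n + 1):
            yield b" ".join(words[i:i + n])

def choose_signature(sample: bytes, clean_files: dict[str, bytes], max_words: int = 5):
    """Shortest candidate that hits no clean file, or None if every candidate does."""
    for candidate in candidate_signatures(sample, max_words):
        if not false_positives(candidate, clean_files):
            return candidate
    return None

def narrowing_report(candidates, clean_files: dict[str, bytes]) -> list[tuple[bytes, int]]:
    """How many clean files each candidate would flag (the slide's hit counts)."""
    return [(c, len(false_positives(c, clean_files))) for c in candidates]

if __name__ == "__main__":
    report = narrowing_report([b"elephant", b"rude elephant", b"very rude elephant"], CLEAN_CORPUS)
    for candidate, hits in report:
        print(f"{candidate.decode():22} flags {hits} clean file(s)")
    print("chosen signature:", choose_signature(SAMPLE, CLEAN_CORPUS))
```

The clean corpus is what keeps the chosen signature honest: the shorter candidates "Rudy the very" and "the very rude" are rejected only because a clean file happens to contain them, which is why the slide's corporate testing step (page 17) exists even though it delays protection.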

Page 23: virus

Front Door Attacks

• What do many of these attacks (through email, web browsing or downloads) have in common?

– They all require the actions of a legitimate user.

• They can be considered “front door” attacks because a user is tricked into opening the door for the attack through their action.

• The key to understanding front door attacks is that when you run a program it runs with *all* your rights and privileges.

• This includes any program you run even accidentally, by opening an email attachment or clicking on a web link.

Page 24: virus

Back Door Attacks

• Not all attacks require action by a legitimate user.

• “Back door” attacks target vulnerabilities in server software that is running on your computer.

• Server software is software that listens for requests that arrive over the network and attempts to satisfy these requests.

– A web server is an example of server software.

Page 25: virus

Conclusion

• The problem of DOS viruses continues to get slowly worse around the world.

• Increased use of 32-bit operating systems, such as OS/2 and Windows, is likely to cause a decrease in the prevalence of all current DOS viruses.

• All in all it ends in a vicious circle with the programmers creating the worms and other programmers trying to destroy or stop the growth of worms.


Page 27: virus

Questions?

Page 28: virus