Report.doc

REPORT ON Virus and Antivirus (Cmpe 296T)
Submitted to: Richard Sinn
By: Kiran Karki, Malik H Muzaffar
TABLE OF CONTENTS

Abstract
Introduction
  What is a Virus?
  History
  How a Virus Works
    Viruses
    Email viruses
    Trojan horses
    Worms
  What is a Macro Virus?
  Safety measures for viruses
Antivirus
  Introduction to Antivirus Software
  Virus Detection Methods
    Scanning
    Integrity Checking
    Heuristic Detection
    Interception
Conclusion
References
Abstract

"Computer viruses are small software programs that are designed to spread from one computer to another and to interfere with computer operation." A virus might corrupt or delete data on our computer, use our e-mail program to spread itself to other computers, or even erase everything on our hard disk. Viruses are most easily spread by attachments in e-mail messages or instant messaging messages. So, before opening an e-mail attachment it is essential to know who it is from and whether we are expecting it. Viruses can be disguised as attachments of funny images, greeting cards, or audio and video files. Viruses also spread through downloads from the Internet; they can be hidden in software or other files or programs. To help avoid viruses, it is essential that we keep our computer current with the latest updates and antivirus tools, and stay informed about recent threats. We have to follow basic rules while surfing the Internet, downloading files and opening attachments. Once a virus is on our computer, its type or the method it used to get there is not as important as removing it and preventing further infection.
Introduction:

"A virus is a program or piece of code that can be loaded on our computer without our acknowledgement and runs against our wishes." A virus is simply a computer program that is intentionally written to attach itself to other programs and replicate whenever those programs are executed. Viruses can also replicate themselves. All computer viruses are man-made. A simple virus can make numerous copies of itself. Even a simple virus is dangerous because it will quickly use all available memory and bring the system down. An even more dangerous type of virus is one capable of transmitting itself across networks and bypassing security systems. A computer virus damages the productivity of an organization, and organizations can lose billions of dollars. So, each organization should follow preventive measures and instructions to avoid such damage.

People write computer viruses. A person has to write the code, test it to make sure it spreads properly and then release it. A person also designs the virus's attack phase and checks that it functions according to its specifications.

What is a Virus?

"A virus is simply a computer program that is intentionally written to attach itself to other programs or disk boot sectors and replicate whenever those programs are executed or those infected disks are accessed." Viruses, as purely replicating entities, will not harm our system as long as they are coded properly. Any system damage resulting from a purely replicating virus happens because of bugs in the code that conflict with the system's configuration. In other words, a well-written virus that only contains code to infect programs will not damage our system: the program contains the virus, but there is no other harm. The real damage is the erasing of files, the formatting of hard drives, the scrambling of partition tables, etc. That damage is caused by intentional destructive code contained within the virus. Generally, the destructive part of a virus is programmed to execute when certain conditions are met, usually a certain date, day, time, or number of infections.

History:

"The Creeper virus was first detected on ARPANET in the early 1970s. This virus propagated from the TENEX operating system. It connects to a remote computer through a modem and infects the remote computer. It displays the message: I'M THE CREEPER: CATCH ME IF YOU CAN." "Elk Cloner" was the first computer virus. The first PC virus was a boot sector virus called "Brain", created in 1986 in Pakistan.

Traditional computer viruses were first widely seen in the late 1980s, and they came about because of several factors. The first factor is the development of personal computers. The second factor is the bulletin board: people used to dial in through a modem and download all kinds of programs, which led to the development of Trojan horse programs. The third factor is the development of floppy disks; programs were small in size and people transferred all their data on floppies. Even a whole operating system could reside on a floppy disk, so replication was easier for virus developers.

Cross-site scripting viruses are among the newer viruses. One of the most common viruses in the world is called Form. The virus emerged from research and was academically demonstrated in 2005. It uses cross-site scripting for propagation, and Myspace and Yahoo are the sites most affected by it.

Some people distinguish between general viruses and worms. A computer virus passes from computer to computer like a biological virus passes from person to person. A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs.

How a Virus Works:

A virus has the ability to replicate. When we run an infected program, it is loaded into memory and the virus starts running as well. The virus then has the ability to infect other programs: when it finds a program it has not yet infected, it adds itself to it. When we transfer such programs and files to a friend, either through email or on a floppy disk, our friend's computer can be affected as well.

The latest kind of virus is the email virus. When we open an email virus, it mails itself directly to everyone in our contact list. So, to prevent email viruses we have to stop downloading unnecessary emails and attachments. A virus may also send a link to a website as a message to all the contacts on an infected machine. The recipient might think that the link comes from a trusted source or a friend and follow it, and then the virus can infect the recipient's computer.

There are different types: viruses, worms and Trojan horses.

Viruses - A virus is a small piece of software that resides within real programs. For example, a virus might attach itself to a program such as a spreadsheet program. Each time the spreadsheet program runs, the virus runs too, and it has the chance to reproduce by attaching to other programs.

E-mail viruses - An e-mail virus travels as an attachment to an email message and usually replicates itself by automatically mailing itself to the entire contact list in our email address book. Some e-mail viruses don't even require a double-click: a single click passes them directly to the system.

Trojan horses - A Trojan horse is a simple computer program. It damages the program when we run it, and can even damage the hard disk. Trojan horses can't replicate automatically.

Worms - A worm is a small piece of software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the new machine using the security hole, and then starts replicating from there as well.

What Is a Macro Virus?

The most common viruses that infect computers today, viruses such as Concept, Nuclear, Showoff, Adam, Wazzu, and Laroux, are macro viruses. They replicate by a completely different method than conventional viruses. A conventional virus is a small computer program that needs to be executed either by running it or by having it load from the boot sector of a disk. These viruses can spread through any program that they attach themselves to. Macro viruses cannot attach themselves to just any program; rather, each one can only spread through one specific program. The two most common types of macro viruses are Microsoft Word and Microsoft Excel viruses. These two programs are equipped with sophisticated macro languages so that many tasks can be automated with little or no input from the user. When we open an infected document in Microsoft Word, the macros that contain the virus execute as the document is opened and copy themselves into the global template that Word uses to store global macros. The infected macros then execute automatically and copy themselves into other Word documents whenever any document is opened in Microsoft Word. Excel macro viruses work in much the same way. Because Word documents and Excel spreadsheets can contain auto-open macros, it is important to think of them as computer programs in a sense. They should be checked thoroughly for viruses before you open them in their respective programs. It is important to have an effective anti-virus strategy in place to prevent infection by these and all other kinds of viruses.

Safety measures for Viruses:

• Run a secure operating system like UNIX.
• Buy virus protection software and install it on your PCs.
• Avoid programs from unknown sources (the Internet).
• Use commercial software.
• For Microsoft applications, Macro Virus Protection should be enabled.
• Never download unknown email attachments.
• Block receiving and sending executable code.
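The report advises checking Word and Excel documents for macros before opening them. As an added example (not part of the original report), the following Python check looks inside an Office Open XML container for a VBA project member, which is where macro-enabled .docm, .xlsm and .pptm files store their macros; the two documents it inspects are constructed in memory, and the member contents are placeholders.

```python
# Added example (not from the report): detect an embedded VBA macro project in an
# Office Open XML document before it is opened. Macro-enabled OOXML files keep
# the project in a zip member named vbaProject.bin (word/, xl/ or ppt/ folder);
# a plain .docx/.xlsx has no such member.
import io
import zipfile


def build_document(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip in memory (constructed sample data,
    not a real document). with_macro adds a placeholder VBA project member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE compound file; the bytes here are a
            # placeholder, since only the member name matters for this check.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


def find_macro_members(data: bytes) -> list:
    """Return the names of macro-bearing zip members in the document.

    Returns an empty list for files that are not zip containers (for example a
    legacy binary .doc/.xls, which would need an OLE-aware check instead)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [name for name in names if name.endswith("vbaProject.bin")]


def has_macros(data: bytes) -> bool:
    """True when the document carries a VBA project and deserves a closer look."""
    return bool(find_macro_members(data))


if __name__ == "__main__":
    samples = {"clean.docx": build_document(False), "macro.docm": build_document(True)}
    for filename, doc in samples.items():
        members = find_macro_members(doc)
        print(filename, "->", members if members else "no VBA project")
```

A document flagged by this check is not necessarily infected; it simply contains macros and should be scanned or opened with macros disabled.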
Introduction to Antivirus Software:

From Wikipedia: "Antivirus software consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software (malware)." In today's world, where increasing emphasis is placed on ensuring security throughout various systems, antivirus software plays a very important role. Antivirus software is much more sophisticated today than it ever was, but it is a fact that virus creators always keep one step ahead of the antivirus software, and new viruses are continuously being released that current antivirus software is not able to recognize.

The key to antivirus software is detection. Detection is the first step, and once an infected file has been detected, it can often be repaired. If the antivirus software fails to repair the file, it quarantines it so that the virus code will not be executed. As mentioned before, new viruses are introduced at an alarming pace; this calls for keeping the antivirus software updated to deal with the new list of threats as well. Typically, when a new virus is discovered, some samples are sent to virus analysis centers. These centers analyze the virus and extract a string from it that identifies it uniquely. This, along with some other information about the virus, is added to a central database from which users can download updates.

Virus Detection Methods:
Four virus detection methods are used in antivirus software. These are:

• Scanning
• Integrity Checking
• Interception
• Heuristic Detection

Scanning and Interception techniques are much more common in antivirus packages than the other two. We will discuss each of these mechanisms in a bit of detail with their respective advantages and disadvantages.

Scanning:

A scanner typically searches all files on the hard disk, in memory and in the boot sector for code snippets that uniquely identify a file as a virus. This is also known as the virus dictionary approach. In this approach, when the antivirus looks at a file, it refers to a list or dictionary of known viruses that has been defined by the particular antivirus software implementation. If a code snippet in a file matches any virus listed in the dictionary, the antivirus software classifies the file as infected and can take one of the following actions:

1. Try to repair the file. The antivirus software attempts to remove the virus from the file.
2. Make the file inaccessible to other programs and make sure its virus does not spread. In other words, it quarantines the infected file.
3. Delete the infected file.

Typically there are two types of scanning: On Access scanning and On Demand scanning. On Access scanning scans files when they are loaded into memory, just before execution. On Demand scanning is started by the user and scans the hard disk, memory and the boot sector. Recently there has been an effort to make On Access scanning even more aggressive: it conducts a virus scan even if the files are just selected, but not loaded. The scanning approach to virus detection requires downloads of updated virus lists at regular intervals. Users encountering new viruses can send their infected files to the antivirus software company, which then includes the new viruses in its lists.

Advantages:
• Viruses can be found by scanners before they execute.
• False alarms are extremely rare.
• Antivirus software is very quick at detecting viruses it has in its dictionary.

Disadvantages:
• Scanners usually use a signature string to detect a virus. This has encouraged virus writers to write polymorphic viruses, which encrypt some parts of themselves or modify themselves in some other way. In this way they avoid matching the virus's signature in the dictionary.
• Scanners need a record of the virus in their dictionary in order to detect it. Thus a virus cannot be detected until it has executed at least once.

Integrity Checker:

An integrity checker keeps track of threats by monitoring changes to files. It records important information about, or takes snapshots of, important files on disk. This is usually done by calculating checksums. If a file changes due to virus activity or corruption, the file will no longer match the recorded integrity information. The user is warned and is given the option to restore the file to its original state. This is a very extensive mechanism and very little antivirus software actually utilizes it. An example of antivirus software that implements this process is Norman Virus Control.

Advantages:
• Since this mechanism looks for the effects caused by viruses rather than the viruses themselves, it can work without requiring constant updates to the virus list and can detect files infected by new viruses too.
• Integrity checkers also have the ability to detect other kinds of damage to data, such as corruption, and can restore that as well.

Disadvantages:
• This mechanism generates a lot of false positives. The main reason is that there are many legitimate ways in which a file can change. Nowadays files on a computer may change by as little as booting up or shutting down.
• Simple integrity checkers are not able to differentiate between damage done by corruption and damage done by a virus.

Heuristic Virus Checking:

This is a generic mechanism of virus detection. Rather than depending on a list of viruses, it depends on a list of rules. These rules differentiate a virus from a non-virus, so this technique can be used to detect even new viruses. If a specific program or code snippet follows the defined rules, it is marked as a virus and appropriate action is taken. F-Secure antivirus software utilizes this method.

Advantages:
• There is no need to download an updated list of viruses every week. This method can also detect viruses not present in the list.

Disadvantages:
• It can result in false alarms.
• The technology today is not sufficient and there is a lot of room for improvement. Virus creators can write viruses that don't follow the defined rules, making the current set of rules obsolete. So the rules must be changed regularly and the antivirus software must be updated with the latest rules. This means heuristic checkers are not able to stop many new viruses, which makes them somewhat similar to scanners.

Interception:

This is a behavior-based technique for virus detection. It detects virus-like behavior and warns the user about potential threats. It is able to detect virus behavior based on heuristics. Many viruses show suspicious characteristics such as relocating themselves in memory and installing themselves as resident programs. This is part of many antivirus software packages, but most users prefer to disable it.

Advantages:
• It is a good generic mechanism to detect Trojan horses and logic bombs.

Disadvantages:
• It is not really good at detecting anything other than Trojan horses and logic bombs.
• It is easy to disable, so viruses disable it before launching themselves.
• It can be a nuisance: it interrupts the user many times to ask for permission to allow or disallow activities. This is seen when a user tries to install new software or system updates.

Conclusion:

A computer virus is a small program that is transmitted across a network or passed to the computer on disk. There are thousands of different viruses, and more are being created every week by people intent on damaging other people's computer systems. Most viruses are now transmitted across the Internet, often as email attachments. Some spread very rapidly because, when they infect a computer, they are programmed to transmit themselves to all the users in that person's email address book. Good anti-virus software will protect a computer well, but new viruses still cause millions of pounds' worth of damage. To guard against viruses, large organizations, universities and antivirus vendors are doing research and periodically checking the best known viruses. Antivirus software is much more sophisticated today than it ever was, but it is a fact that virus creators always keep one step ahead of the antivirus software, and new viruses are continuously being released that current antivirus software is not able to recognize. The key to antivirus software is detection. Detection is the first step, and once an infected file has been detected, it can often be repaired. From this research we came to know about viruses, antivirus software, and their advantages and disadvantages.

References:
1. http://en.wikipedia.org/wiki/Computer_virus
2. http://www.webopedia.com/TERM/v/virus.html
3. http://www.howstuffworks.com/virus.htm
4. http://en.wikipedia.org/wiki/Antivirus_software
5. http://www.whatisit?.com
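The Scanning and Heuristic Virus Checking sections above describe the virus dictionary approach and the rule-based approach. As an added example (not part of the original report), the following Python program combines the two the way the report describes them being combined in antivirus packages: a known signature match is reported first, and otherwise a set of weighted rules decides. All signatures, rules, thresholds and sample files are constructed for the demonstration and do not correspond to any real virus.

```python
# Added example (not from the report): a toy signature scanner with a heuristic
# fallback, run over constructed in-memory "files". Nothing here is a real
# malware signature or a real antivirus rule.
import re

# Virus dictionary: name -> byte string that uniquely identifies the virus.
SIGNATURES = {
    "Sample.A": b"\x90\x90\xeb\x1fSAMPLEA",
    "Sample.B": b"XX-TOY-SAMPLE-B-XX",
}

# Heuristic rules: (description, weight, predicate over the file bytes). They
# mirror behaviours the report lists: self-copying, staying resident, a
# date-triggered payload and destructive disk operations.
HEURISTIC_RULES = [
    ("copies itself to other files", 3, lambda d: b"COPY_SELF" in d),
    ("installs as resident program", 2, lambda d: b"STAY_RESIDENT" in d),
    ("date-triggered payload", 2,
     lambda d: re.search(rb"TRIGGER_ON \d\d/\d\d", d) is not None),
    ("formats disk", 4, lambda d: b"FORMAT_DRIVE" in d),
]
HEURISTIC_THRESHOLD = 5  # total weight at which a file is marked suspicious


def scan_signatures(data: bytes):
    """Dictionary approach: return the name of the first matching virus, else None."""
    for name, signature in SIGNATURES.items():
        if signature in data:
            return name
    return None


def scan_heuristic(data: bytes):
    """Rule approach: return (score, descriptions of the rules that fired)."""
    matched = [desc for desc, _, pred in HEURISTIC_RULES if pred(data)]
    score = sum(w for desc, w, _ in HEURISTIC_RULES if desc in matched)
    return score, matched


def classify(data: bytes) -> str:
    """A known signature wins; otherwise the heuristic score decides."""
    known = scan_signatures(data)
    if known:
        return "infected:" + known
    score, _ = scan_heuristic(data)
    return "suspicious" if score >= HEURISTIC_THRESHOLD else "clean"


# Constructed sample files (contents invented for the example).
SAMPLES = {
    "report.txt": b"Quarterly numbers, nothing unusual here.",
    "game.exe": b"MZ...\x90\x90\xeb\x1fSAMPLEA...payload",        # in the dictionary
    "tool.exe": b"MZ...COPY_SELF STAY_RESIDENT TRIGGER_ON 03/06",  # unknown: rules catch it
    "setup.exe": b"MZ...STAY_RESIDENT only",                       # benign resident program
}

if __name__ == "__main__":
    for filename, contents in SAMPLES.items():
        print(f"{filename:12} -> {classify(contents)}")
```

tool.exe shows why the report says scanners miss viruses absent from the dictionary, and setup.exe shows the false-alarm trade-off the heuristic threshold has to balance.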
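The Integrity Checker section above describes recording checksums of important files and warning when a file no longer matches. As an added example (not part of the original report), the following Python program takes a baseline snapshot and later reports modified, added and deleted files; it runs over a constructed in-memory "disk" (a dict of path to bytes) rather than a real filesystem, and the file contents are invented.

```python
# Added example (not from the report): a minimal integrity checker. A real
# checker would walk directories and keep the baseline somewhere a virus cannot
# rewrite it; here the "disk" is a constructed dict so the example runs offline.
import hashlib


def checksum(data: bytes) -> str:
    """SHA-256 of the contents: a cryptographic hash, so a modified file cannot
    easily be made to keep its old checksum."""
    return hashlib.sha256(data).hexdigest()


def snapshot(disk: dict) -> dict:
    """Baseline: path -> (size, checksum) for every file on the disk."""
    return {path: (len(data), checksum(data)) for path, data in disk.items()}


def check_integrity(baseline: dict, disk: dict) -> dict:
    """Compare the current disk against the baseline snapshot."""
    current = snapshot(disk)
    result = {"modified": [], "added": [], "deleted": []}
    for path, record in baseline.items():
        if path not in current:
            result["deleted"].append(path)
        elif current[path] != record:
            result["modified"].append(path)
    result["added"] = sorted(set(current) - set(baseline))
    return result


# Constructed disk at baseline time.
DISK_T0 = {
    "C:/prog/spread.exe": b"MZ spreadsheet program v1",
    "C:/prog/mail.exe": b"MZ mail client v1",
    "C:/logs/app.log": b"started\n",
}

# Constructed later state: spread.exe grew by an appended block (the kind of
# change a file-infecting virus makes), app.log changed legitimately, a new
# file appeared and mail.exe is gone.
DISK_T1 = {
    "C:/prog/spread.exe": DISK_T0["C:/prog/spread.exe"] + b" APPENDED_CODE",
    "C:/logs/app.log": b"started\nshutdown\n",
    "C:/prog/new_tool.exe": b"MZ freshly installed",
}

if __name__ == "__main__":
    baseline = snapshot(DISK_T0)
    for kind, paths in check_integrity(baseline, DISK_T1).items():
        print(kind, paths)
    # app.log is reported alongside spread.exe: the checker cannot tell a
    # legitimate write from a virus write, which is the false-positive problem
    # the report describes.
```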