One of the most high-profile threats to information integrity is network viruses. Network viruses are software that behaves like biological viruses: they attach themselves to a host and replicate, spreading the infection. For a computer program to be classified as a virus, it simply must replicate itself. In this paper (Network Virus Detection and Prevention), I present what viruses, worms, and Trojan horses are and how they differ, different strategies of virus spreading, virus detection, virus prevention and case studies of the Slammer and Blaster worms.
Virus: A self-replicating program. Often viruses require a host, and their goal is to infect other files so that the virus can live longer.
Worms: Worms are insidious because they rely less (or not at all) upon human behavior in order to spread themselves from one computer to others.
Trojan Horses: A Trojan horse is a program that pretends to be useful but performs some unwanted action.
Logic Bombs: A logic bomb is a programmed malfunction of a legitimate application.
Germs: These are first-generation viruses in a form that the virus cannot generate in its usual infection process.
Exploits: An exploit is specific to a single vulnerability or set of vulnerabilities.
1) Size - The program code required for a computer virus is very small.
2) Versatility - Computer viruses have appeared with the ability to generically attack a wide variety of applications.
3) Propagation - Once a computer virus has infected a program, while this program is running, the virus is able to spread to other programs and files accessible to the computer system.
4) Effectiveness - Many computer viruses have far-reaching and catastrophic effects on their victims, including total loss of data, programs, and even the operating systems.
5) Functionality - A wide variety of functions has been demonstrated in virus programs. Some virus programs merely spread themselves to applications without attacking data files, program functions, or operating system activities. Other viruses are programmed to damage or delete files, and even to destroy systems.
6) Persistence - In many cases, especially networked operations, eradication of viruses has been complicated by the ability of virus programs to repeatedly spread and reoccur through the networked system from a single copy.
Virus/Worm types overview:
Binary File Virus and Worm: They are able to infect over networks. Normally these are written in machine code.
Binary Stream Worms: Stream worms are a group of network-spreading worms that never manifest as files.
Script File Virus and Worm: A script virus is technically a file virus, but script viruses are written as human-readable text.
Macro Virus: Macro viruses infect data files, documents and spreadsheets.
Boot Virus: The first known successful computer virus. These are not able to infect over networks. These target the boot process of personal computers.
Multipartite Viruses: These infect both executable files and boot sectors.
Overwriting Viruses: These locate another file on the disk and overwrite it with their own copy.
Random Overwriting Viruses: This is another rare variation of the overwriting method. It does not change the code at the top of the file; instead it chooses a random location in the host program and overwrites that location.
Appending Viruses: In this technique the virus code is appended at the end of the program and the first instruction of the code is changed to a jump or call instruction which will be pointing to the starting address of the viral code.
Prepending Viruses: A common virus infection technique uses the principle of inserting virus code at the front of host programs. Such viruses are called Prepending Viruses.
Cavity Viruses: These typically don't increase the size of the program they infect. Instead they will overwrite a part of the code that can be used to store the virus code safely.
Amoeba Infection Technique: This is a rarely seen infection technique where the head part of the viral code is stored at the start of the host program and the tail part is stored after the end of the host program.
A worm might open network connections and infect a vulnerable target computer directly, as with the Morris worm, which infected an estimated 6,000 of the 60,000 Internet hosts in Nov 1988. Other worms spread, as with a virus, via the use of a host file, which needs to be transferred as part of the network worm. More recent worms include Mydoom and Storm, which were used to install large botnets used for distributed denial of service (DDoS) and spam attacks.
Boot sector viruses infect the boot sector of the boot disk of a computer operating system. These became widespread when it was common for computer users accidentally to leave a floppy disk in the drive and the computer BIOS was configured to boot from the floppy by default. These viruses would transfer via the hard disk to all writeable floppies inserted into the infected computer. This mechanism was defeated when administrators changed the BIOS settings and became less likely when floppies were less frequently used. This infection vector could return to prominence again if flash USB drives become routinely used by users to carry an operating system together with applications, custom configurations and data between physical machines.
Non-resident viruses infect application files and are run when the application runs. Typically the virus is prepended to the application source code for an interpreted application, or its executable code for a compiled application. Alternatively the virus code might be appended with a vector to itself added at the start of the program. When the virus part of the code runs it will search for another suitable file to infect. Once the virus code completes it hands control on to the infected host file. A non-resident virus can be trivial to code (see the next slide for an example), but such a virus is extremely unlikely to spread.
Fast infector viruses are programmed to spread as rapidly as possible to reduce the risk of the virus being wiped out once introduced into the wild. However, a fast infector is more likely to cause changes in the behaviour of the infected system, so it is more likely to be detected.
Slow infector viruses are designed to find other targets to infect infrequently. By spreading slowly this kind of virus is less likely to be detected.
Macro viruses use the macro programming languages which are embedded within popular applications, e.g. Word and Excel. This kind of virus became widespread in the 1990s. The threat from this kind of virus has probably been reduced following additional prompts when a document containing macros is opened in Word or Excel.
Cross Site Scripting (XSS) viruses exploit a combination of vulnerabilities present in both web server applications and web browsers. These will typically need to be coded in 2 parts, one part being the server code (e.g. using PHP) which propagates from the infected browser to the vulnerable servers and the other part which runs in the browser (e.g. using JavaScript).
Signature-based detection is the most common method. To identify viruses and other malware, antivirus software compares the contents of a file to a dictionary of virus signatures. Because viruses can embed themselves in existing files, the entire file is searched, not just as a whole, but also in pieces.
Heuristic-based detection, like malicious activity detection, can be used to identify unknown viruses.
File emulation is another heuristic approach. File emulation involves executing a program in a virtual environment and logging what actions the program performs. Depending on the actions logged, the antivirus software can determine if the program is malicious or not and then carry out the appropriate disinfection actions.
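The signature-based search described above, written out as an added example (not part of the original slides): a whole-file hash signature plus byte patterns searched piece by piece, with an overlap so a pattern split across two pieces is still found. The signature names and byte patterns are constructed for the example and match no real malware.

```python
import hashlib
import io

# Constructed signature dictionary: every name and byte pattern below is
# made up for this example and matches no real malware.
PATTERN_SIGNATURES = {
    "Sample.Appender.B": b"\xde\xad\xbe\xefSAMPLE-B",
    "Sample.Macro.C": b"AutoOpen_SAMPLE_C",
}
HASH_SIGNATURES = {
    hashlib.sha256(b"CONSTRUCTED-SAMPLE-A whole file").hexdigest(): "Sample.WholeFile.A",
}
# Bytes carried from one piece to the next so that a pattern straddling
# a piece boundary is still seen in full.
OVERLAP = max(len(p) for p in PATTERN_SIGNATURES.values()) - 1


def scan_stream(stream, piece_size=64 * 1024):
    """Return the sorted names of all signatures matching the stream."""
    hits = set()
    digest = hashlib.sha256()
    tail = b""
    while True:
        piece = stream.read(piece_size)
        if not piece:
            break
        digest.update(piece)      # feeds the whole-file signature
        window = tail + piece     # the "in pieces" search
        for name, pattern in PATTERN_SIGNATURES.items():
            if pattern in window:
                hits.add(name)
        tail = window[-OVERLAP:]
    whole_name = HASH_SIGNATURES.get(digest.hexdigest())
    if whole_name:
        hits.add(whole_name)
    return sorted(hits)


def scan_file(path):
    """Scan a file on disk without loading it into memory at once."""
    with open(path, "rb") as handle:
        return scan_stream(handle)


if __name__ == "__main__":
    # Constructed host file: filler bytes with one pattern appended.
    host = b"\x90" * 100_000 + PATTERN_SIGNATURES["Sample.Appender.B"]
    print(scan_stream(io.BytesIO(host)))
```

A whole-file hash only matches an unmodified copy of a known file; the pattern search is what catches code embedded inside an otherwise legitimate host.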
The most popular approach to this requirement is to install an antivirus program and to keep this current. As new viruses are detected on a daily basis, the signatures and heuristic methods need to be kept updated on a very regular basis. For this reason, modern antivirus programs generally include facilities to update themselves automatically using a network connection whenever new virus signatures and heuristics become available.
But the number of known virus signatures continues to increase. So even using the ClamAV antivirus package, which is open source and freely installable, growing memory demands are making this job increasingly expensive. The next slide shows how many virus signatures exist and how much memory these occupy as of November 2008.
Platforms which are not themselves thought to be vulnerable to viruses but which are used to distribute content potentially including viruses, e.g. via email between Windows users, must also scan for viruses to avoid becoming part of this problem.
Number of virus signatures: 437972
freshclam daemon 0.94 (OS: linux-gnu, ARCH: i386, CPU: i486)
ClamAV update process started at Fri Nov 7 18:24:28 2008
main.cld is up to date (version: 49, sigs: 437972, f-level: 35, builder: sven)
Demand of anti-virus on memory: 50.9%
PID USER PR NI VIRT RES S %CPU %MEM COMMAND
20782 clamav 20 0 126m 72m S 0.0 50.9 clamav-milter
One approach involves stopping a system from running and mounting its hard disk using another operating system, booted using trusted media. Tools can be run on the trusted system to detect suspicious changes to files on the system being scanned. This is considered more reliable than running antivirus software directly on the system which might have been compromised and where the results of the antivirus scan may also have been compromised by an unknown virus.
The trusted scanning system might also store a set of hash signatures or checksums of files which the virus might modify and test if any executables or registry tables have been modified.
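One way to implement the stored-hash check described above, as an added example that is not part of the original slides. It assumes the suspect disk is mounted read-only under some directory by the trusted system and that the baseline JSON file is kept on the trusted media; the function names are chosen for this example.

```python
import hashlib
import json
import os


def hash_file(path, piece_size=1 << 20):
    """SHA-256 of one file, read in pieces so large files fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for piece in iter(lambda: handle.read(piece_size), b""):
            digest.update(piece)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative path) to its hash."""
    baseline = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def save_baseline(baseline, path):
    """Write the baseline to a file that lives on the trusted media."""
    with open(path, "w", encoding="utf-8") as handle:
        json.dump(baseline, handle, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as handle:
        return json.load(handle)


def compare(baseline, current):
    """Report files whose content changed, disappeared or newly appeared."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }
```

Taken while the system is known to be clean, the baseline is later compared against `build_baseline()` run from the trusted boot environment; hashing from inside the running suspect system would trust the same kernel and tools a virus may have altered.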
Antivirus software is used to prevent, detect, and remove malware, including but not limited to computer viruses, computer worms, Trojan horses, spyware and adware. Computer security, including protection from social engineering techniques, is commonly offered in products and services of antivirus software companies.
An example of free antivirus software: ClamTk 3.08
First generation: (simple scanners) scanner uses virus signature to identify virus or change in length of programs
Second generation: (heuristic scanners) uses heuristic rules to spot viral infection or uses crypto hash of program to spot changes
Third generation: (activity traps) memory-resident programs identify virus by actions
Fourth generation: (full featured protection) packages with a variety of antivirus techniques like access control capability. E.g. scanning & activity traps, access-controls.
Generic Decryption: Enables an antivirus program to detect even the most complex polymorphic viruses. Every executable file is run through the GD scanner, which has a CPU emulator, a virus signature scanner and an emulation control module.
Digital Immune System: Developed by IBM. To solve threats in a network:
Integrated mail systems
Mobile program systems
No matter how useful antivirus software can be, it can sometimes have drawbacks. Antivirus software can impair a computer's performance. Inexperienced users may also have trouble understanding the prompts and decisions that antivirus software presents them with.
Installed antivirus software running on an individual computer is only one method of guarding against viruses. Other methods are also used, including cloud-based antivirus, firewalls and on-line scanners.
1. Cloud antivirus: Cloud antivirus is a technology that uses lightweight agent software on the protected computer, while offloading the majority of data analysis to the provider's infrastructure.
2. Network firewall: Network firewalls prevent unknown programs and processes from accessing the system. However, they are not antivirus systems and make no attempt to identify or remove anything.
An illustration of where a firewall would be located in a network.
3. Online scanning: Some antivirus vendors maintain websites with free online scanning capability of the entire computer, critical areas only, local disks, folders or files. Periodic online scanning is a good idea for those that run antivirus applications on their computers because those applications are frequently slow to catch threats.
Using rkhunter to scan for rootkits on an Ubuntu Linux computer.
In biology, viruses enable potentially beneficial DNA to be transferred between species. This is considered to be a part of the optimisation of the evolutionary process. But it is thought unlikely that anyone could benefit from computer viruses, other than the proceeds of crime which those who write and spread viruses might obtain.
The difference between a virus and another kind of program is that an ordinary program will normally have the informed consent of the system owner before it can be installed. While there is a similarity between an operating system which can create a copy of itself on installation media and a virus, the OS that makes it easy for its users to copy it will do this with the user's full knowledge and consent.
There is no situation in which taking away the end user's consent to perform an action is considered likely to be of benefit.
I have gone through the basic definitions of viruses and worms, then discussed the different malicious code environments. After that I have discussed the different types of viruses and worms, then discussed in detail the various virus and worm propagation techniques. After that I have discussed prevention from viruses and worms. I have also looked into two case studies of the Slammer and Blaster worms.
The ability of attackers to rapidly gain control of vast numbers of internet hosts poses an immense risk to the overall security of the internet. Nowadays virus writers are concentrating more on writing worms, as they have great capability to spread over the network in a few minutes. There are various upcoming techniques in worm propagation, such as polymorphic worms, which are really a big threat to the internet community. Worms can be written such that they affect only a particular region or country. There are worms which will keep quiet for a specific amount of time and attack at random times. These worms can also be used to create Distributed Denial of Service (DDoS) attacks, which are a real threat to websites and network traffic.