Published in: Technology

  • So, how does a virus work? There are exceptions and variations, but essentially you start with a clean program. By running an infected program in the same environment, you launch the virus. The virus then finds a suitable host program and attaches itself to it. From then on, when you run the infected program, the virus runs first and then the original program runs. The virus is likely to attach itself to many of your programs, and if you share an infected file you share your virus. This is a very simple explanation of how a virus works. The example above is how a virus we call a prepender works: prepending viruses add their code to the beginning of a file, which makes the file larger than it was before infection. A file growing in size can be an indication of a virus, but it is not always one. One important thing to realize about a virus is that it must execute to infect. If I copy an infected file onto my hard drive, that does not mean my computer is infected; if I run the program, my computer may then become infected.
  • There are also other ways that viruses infect files. The diagram on the left shows an appender. The virus has to have some code at the beginning of the file to gain control when the file is run, but the bulk of its code is appended to the end of the file. The middle diagram shows how a PE (Portable Executable) file is infected by viruses such as CIH. The Portable Executable file format has empty spaces in it, and a virus is able to use these empty spaces for its code so that no change in file size occurs. Frequently, when a virus infects a file there is a change in the size of the infected file; this isn't always the case when a Portable Executable is infected. Many Windows files are in the PE file format. The final diagram shows an overwriter. Overwriting viruses overwrite some or all of the file with the virus code. These viruses tend to do a lot of damage, but don't tend to get very far: any time a virus immediately destroys its host, it tends to get noticed and dealt with. To be successful a virus must be able to stay covert for a long time, which allows it to infect more files and spread farther before it is noticed. The Form virus is a simple boot sector infector. There has been detection for it for several years, yet it stayed on the list of most prevalent viruses for a very long time. Why? Form only makes its presence known one day a month, by causing the keyboard to make a clicking noise each time a key is pressed. If the user isn't at the computer on that specific day, they don't notice it. If they are at their computer but are too busy to do something about it, the next day the problem is gone and they either blame Microsoft for a bug in the OS or simply forget it.
  • Virus

1. COMPUTER VIRUSES
  • Prepared by: Nitin Dhiman

2. Introduction
  • Computer viruses have become today's headline news
  • With the increasing use of the Internet, it has become easier for viruses to spread
  • Viruses show us loopholes in software
  • Most viruses are targeted at the MS Windows OS

3. Definition of Virus
  • A virus is a small piece of software that piggybacks on real programs in order to get executed
  • Once it's running, it spreads by inserting copies of itself into other executable code or documents

4. Overview
  • Background
  • Symptoms
  • Working of a virus
  • Classifying viruses
  • Examples
  • Protection/Prevention
  • Conclusion

5. Background
  • There are an estimated 30,000 computer viruses in existence
  • Over 300 new ones are created each month
  • The first virus was created to show loopholes in software

6. Virus Languages
  • ANSI COBOL
  • C/C++
  • Pascal
  • VBA
  • Unix shell scripts
  • JavaScript
  • Basically any language that works on the system that is the target

7. Symptoms of Virus Attack
  • Computer runs slower than usual
  • Computer no longer boots up
  • Screen sometimes flickers
  • PC speaker beeps periodically
  • System crashes for no apparent reason
  • Files/directories sometimes disappear
  • Denial of Service (DoS)

8. Virus through the Internet
  • Today almost 87% of all viruses are spread through the Internet (source: ZDNet)
  • Transmission time to a new host is relatively low, on the order of hours to days
  • "Latent virus"
9. How Does a Virus Work?
  • [Diagram: a prepender. Labels: Trouble, Prepender, Virus, Program, Start, End]

10. How Does a Virus Work?
  • [Diagrams: Appender, PE Infector, Overwriter]
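The four layouts described in the notes above and on slides 9 and 10 (prepender, appender, PE cavity infector, overwriter), as an added example that is not part of the original deck. It contrasts what a stored size-plus-hash baseline can tell you on its own with what a byte-level comparison against a known-clean copy can tell you, and it makes the point from the notes concrete: a cavity infector leaves the size unchanged, so only the hash moves. The host program, the virus body, the infected variants and the "one quarter of the file" patch threshold are constructed assumptions, not real executables or real malware.

```python
"""Tell a prepender, appender, cavity infector and overwriter apart from the
bytes they leave behind, and show what a size+hash baseline alone can see.

Added example for this page; not code from the original slides. The "host
program" and "virus body" are constructed byte strings, not executables.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    size: int
    sha256: str


def fingerprint(data: bytes) -> Baseline:
    """Size plus SHA-256: what an integrity checker records per file."""
    return Baseline(len(data), hashlib.sha256(data).hexdigest())


def integrity_status(baseline: Baseline, current: bytes) -> str:
    """Verdict from the stored baseline only (no clean copy available)."""
    now = fingerprint(current)
    if now == baseline:
        return "unchanged"
    if now.size > baseline.size:
        return "grown"        # prepender / appender: size is a usable signal
    if now.size == baseline.size:
        return "same-size"    # cavity infector or overwriter: only the hash moved
    return "shrunk"


def infection_layout(clean: bytes, infected: bytes) -> str:
    """With a known-clean copy, infer where the foreign code was placed."""
    if infected == clean:
        return "clean"
    growth = len(infected) - len(clean)
    if growth > 0 and infected.endswith(clean):
        return "prepender"    # host intact, pushed forward by `growth` bytes
    if growth > 0:
        head = infected[: len(clean)]
        patched = sum(a != b for a, b in zip(head, clean))
        # A small patch at the front (to reach the tail) plus new bytes after
        # the original end is the appender pattern; heavy head damage is not.
        # The one-quarter threshold is an illustrative assumption.
        return "appender" if patched < len(clean) // 4 else "overwriter"
    if growth == 0:
        changed = [i for i, (a, b) in enumerate(zip(clean, infected)) if a != b]
        if all(clean[i] == 0 for i in changed):
            return "cavity"   # CIH-style: code written into zero-filled slack
        return "overwriter"
    return "truncated"


# --- constructed samples (not real programs) ------------------------------
HOST = b"HOST:" + b"\x90" * 40 + b"\x00" * 64 + b"END"   # 112 bytes, 64 of slack
VIRUS = b"VIRUS-CODE" * 3                                 # 30 bytes of "payload"

PREPENDED = VIRUS + HOST
APPENDED = b"JMP-TAIL" + HOST[8:] + VIRUS                 # entry patched, body appended
CAVITY = HOST[:45] + VIRUS + HOST[45 + len(VIRUS):]       # dropped into the zero run
OVERWRITTEN = VIRUS + HOST[len(VIRUS):]                   # first 30 host bytes destroyed


def demo() -> dict:
    """Run both checks over every constructed sample."""
    base = fingerprint(HOST)
    return {
        name: (integrity_status(base, sample), infection_layout(HOST, sample))
        for name, sample in [("prepended", PREPENDED), ("appended", APPENDED),
                             ("cavity", CAVITY), ("overwritten", OVERWRITTEN)]
    }


if __name__ == "__main__":
    for name, (status, layout) in demo().items():
        print(f"{name:12s} baseline says {status:10s} layout {layout}")
```

The cavity row is the one to notice: the baseline reports only "same-size", so a checker that alerts on growth alone misses it, while a hash comparison still catches it. In practice you rarely have a clean copy to diff against, which is why the hash, not the size, is what an integrity monitor should key on.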
11. Classifying Viruses - General
  • Virus Information
  • Discovery Date:
  • Origin:
  • Length:
  • Type:
  • SubType:
  • Risk Assessment:
  • Category:

12. Classifying Viruses - Categories
  • Stealth
  • Polymorphic
  • Companion
  • Armored

13. Classifying Viruses - Types
  • Trojan Horse
  • Worm
  • Macro

14. Trojan Horse
  • Covert
  • Leaks information
  • Usually does not reproduce

15. Trojan Horse
  • Back Orifice
  • Discovery Date: 10/15/1998
  • Origin: Pro-hacker website
  • Length: 124,928
  • Type: Trojan
  • SubType: Remote Access
  • Risk Assessment: Low
  • Category: Stealth

16. Trojan Horse
  • About Back Orifice
    • requires Windows to work
    • distributed by "Cult of the Dead Cow"
    • similar to PC Anywhere and Carbon Copy remote-control software
    • allows remote access and control of other computers
    • installs a reference in the registry
    • once installed, runs in the background
    • by default uses UDP port 54320 and TCP port 54321
    • In Australia, 72% of 92 ISPs surveyed were infected with Back Orifice

17. Trojan Horse
  • Features of Back Orifice
    • pings and queries servers
    • reboots or locks up the system
    • lists cached and screen-saver passwords
    • displays system information
    • logs keystrokes
    • edits the registry
    • server control
    • receives and sends files
    • displays a message box
18. Worms
  • Spread over network connections
  • Worms replicate
  • The first worm released on the Internet was the Morris worm, released on Nov 2, 1988

19. Worms
  • Bubbleboy
  • Discovery Date: 11/8/1999
  • Origin: Argentina (?)
  • Length: 4992
  • Type: Worm/Macro
  • SubType: VBScript
  • Risk Assessment: Low
  • Category: Stealth/Companion

20. Worms
  • Bubbleboy
    • requires WSL (Windows scripting language), Outlook or Outlook Express, and IE5
    • does not work on Windows NT
    • affects Spanish and English versions of Windows
    • 2 variants have been identified
    • is a "latent virus" on a Unix or Linux system
    • may cause DoS

21. Worms
  • How Bubbleboy works
    • Bubbleboy is embedded within an HTML-format email message
    • a VBScript runs while the user views the HTML page
    • a file named "Update.hta" is placed in the startup directory
    • upon reboot, Bubbleboy executes

22. Worms
  • How Bubbleboy works
    • changes the registered owner/organization
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner = "Bubble Boy"
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization = "Vandalay Industry"
    • using the Outlook MAPI address book, it sends itself to each entry
    • marks itself in the registry
      • HKEY_LOCAL_MACHINE\Software\Outlook.bubbleboy = "OUTLOOK.Bubbleboy 1.0 by Zulu"
23. Macro
  • Specific to certain applications
  • Comprise a high percentage of viruses
  • Usually written in WordBasic or Visual Basic for Applications (VBA)
  • Microsoft shipped "Concept", the first macro virus, on a CD-ROM called "Windows 95 Software Compatibility Test" in 1995

24. Macro
  • Melissa
  • Discovery Date: 3/26/1999
  • Origin: Newsgroup posting
  • Length: varies depending on variant
  • Type: Macro/Worm
  • SubType: Macro
  • Risk Assessment: High
  • Category: Companion

25. Macro
  • Melissa
    • requires WSL, Outlook or Outlook Express, and Word 97 SR1 or Office 2000
    • 105 lines of code (original variant)
    • received either as an infected template or as an email attachment
    • lowers the computer's defenses against future macro virus attacks
    • may cause DoS
    • infects template files with its own macro code
    • 80% of the 150 Fortune 1000 companies were affected

26. Macro
  • How Melissa works
    • the virus is activated through an MS Word document
    • the document displays references to pornographic websites while the macro runs
    • first lowers the macro protection security setting for future attacks
    • checks to see if it has already run in the current session
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Office\Melissa = "by Kwyjibo"
    • propagates itself using the Outlook MAPI address book (emails sent to the first 50 addresses)

27. Macro
  • How Melissa works
    • infects the template file with its own code
    • lastly, if the minute of the hour matches the day of the month, the macro inserts a quote by Bart Simpson into the current document
      • "Twenty-two points, plus triple word score, plus fifty points for using all my letters. Game's over. I'm outta here."
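The host-side markers the deck lists for Bubbleboy (slides 21 and 22: the RegisteredOwner/RegisteredOrganization values, the Outlook.bubbleboy key, and Update.hta in the startup folder) and for Melissa (slide 26: the Office\Melissa marker), turned into one check in this added example. It is not code from the deck: it parses a regedit-style .reg export and a startup-folder listing, both constructed here, and reports which family each hit points to. The slides write each marker as "path = data" without saying whether the last component is a key or a value name; the example assumes a value under the parent key for the RegisteredOwner, RegisteredOrganization and Melissa entries, and the key's (Default) value for Outlook.bubbleboy.

```python
"""Scan a registry export and a startup-folder listing for the host markers
the slides attribute to Bubbleboy and Melissa.

Added example for this page, not code from the deck. The .reg text and the
directory listing are constructed; the marker list is taken from the slides.
"""
import re

# (key, value name, substring expected in the data, family).  "" = the key's (Default) value.
# Assumption: each "path = data" on the slides is a value under its parent key,
# except Outlook.bubbleboy, which is modelled as a key carrying a default value.
MARKERS = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "RegisteredOwner", "bubble boy", "Bubbleboy"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "RegisteredOrganization", "vandalay", "Bubbleboy"),
    (r"HKEY_LOCAL_MACHINE\Software\Outlook.bubbleboy", "", "by zulu", "Bubbleboy"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Office", "Melissa", "by kwyjibo", "Melissa"),
]
STARTUP_DROPPER = "update.hta"   # slide 21: Update.hta placed in the startup directory

# "Name"="data" or @="data" (string values only; DWORD/hex lines are ignored)
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)\s*=\s*"((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text: str) -> dict:
    """Map (key, value name) -> string data from a regedit-style export."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # registry paths are case-insensitive
            continue
        m = _VALUE_LINE.match(line)
        if m and key is not None:
            name = (m.group(1) or "").lower()  # None for "@" -> the (Default) value
            values[(key, name)] = m.group(2)
    return values


def find_startup_dropper(listing, name=STARTUP_DROPPER) -> list:
    """Paths in the startup folder listing whose file name matches the dropper."""
    return [p for p in listing if p.replace("\\", "/").lower().endswith("/" + name)]


def scan(reg_text: str, startup_listing) -> list:
    """Return (family, evidence) pairs for every marker present."""
    values = parse_reg_export(reg_text)
    findings = []
    for key, name, needle, family in MARKERS:
        data = values.get((key.lower(), name.lower()))
        if data is not None and needle in data.lower():
            findings.append((family, f"{key}\\{name or '(Default)'} = {data!r}"))
    for path in find_startup_dropper(startup_listing):
        findings.append(("Bubbleboy", f"startup dropper {path}"))
    return findings


# --- constructed inputs ----------------------------------------------------
INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"RegisteredOwner"="Bubble Boy"
"RegisteredOrganization"="Vandalay Industry"

[HKEY_LOCAL_MACHINE\Software\Outlook.bubbleboy]
@="OUTLOOK.Bubbleboy 1.0 by Zulu"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Office]
"Melissa"="... by Kwyjibo"
'''

CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"RegisteredOwner"="Jane Doe"
"RegisteredOrganization"="Example Corp"
'''

INFECTED_STARTUP = [
    r"C:\Windows\Start Menu\Programs\StartUp\Update.hta",
    r"C:\Windows\Start Menu\Programs\StartUp\desktop.ini",
]

if __name__ == "__main__":
    for family, evidence in scan(INFECTED_EXPORT, INFECTED_STARTUP):
        print(f"{family:10s} {evidence}")
```

Matching on the data as a case-insensitive substring rather than an exact string is deliberate: the slides give the marker strings loosely ("by Kwyjibo", "Bubbleboy1.0 by Zulu"), and variants that tweak the text around the signature would otherwise slip past an exact comparison.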
28. Protection/Prevention
  • Knowledge
  • Proper configurations
  • Run only necessary programs
  • Anti-virus software
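Slide 28 lists defenses only in general terms. As a concrete detection-side counterpart to the propagation behaviour described on slides 22 and 26 (the worm mails itself to the victim's address book, Melissa to the first 50 entries), here is an added example that is not part of the deck: it flags any sender that fans out to many distinct recipients inside a short window, the signal a mail gateway sees when a mass-mailer fires. The log format, addresses and timestamps are constructed; the 50-recipient threshold follows slide 26, and the 5-minute window is an assumption.

```python
"""Flag a mailbox that fans out to many distinct recipients in a short window,
the propagation pattern the slides describe for Bubbleboy and Melissa.

Added example for this page, not code from the deck. The outbound-mail log
format and every event in it are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_log() -> str:
    """Constructed log: one 50-recipient burst from alice, normal traffic from bob."""
    t0 = datetime(1999, 3, 26, 9, 0, 0)
    lines = []
    for i in range(50):                                   # 50 mails in 50 seconds
        ts = t0 + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} alice@example.com user{i:02d}@example.com")
    for i in range(3):                                    # 3 mails over 20 minutes
        ts = t0 + timedelta(minutes=10 * i)
        lines.append(f"{ts.isoformat()} bob@example.com friend{i}@example.com")
    return "\n".join(lines)


def parse_log(text: str) -> list:
    """Each line: ISO-8601 timestamp, sender, recipient (whitespace separated)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt = line.split()
        events.append((datetime.fromisoformat(ts), sender.lower(), rcpt.lower()))
    return events


def find_mass_mailers(events, threshold=50, window=timedelta(minutes=5)) -> dict:
    """Sender -> peak number of distinct recipients seen inside any `window`."""
    by_sender = defaultdict(list)
    for ts, sender, rcpt in events:
        by_sender[sender].append((ts, rcpt))

    flagged = {}
    for sender, items in by_sender.items():
        items.sort()                       # sliding window over time-ordered events
        in_window = Counter()
        left = 0
        for ts, rcpt in items:
            in_window[rcpt] += 1
            while ts - items[left][0] > window:   # evict events that fell out of the window
                old = items[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            distinct = len(in_window)      # repeats to the same address do not count
            if distinct >= threshold:
                flagged[sender] = max(flagged.get(sender, 0), distinct)
    return flagged


if __name__ == "__main__":
    for sender, peak in find_mass_mailers(parse_log(build_sample_log())).items():
        print(f"{sender}: {peak} distinct recipients within 5 minutes")
```

Counting distinct recipients rather than raw message volume matters: a user re-sending the same thread to one colleague all morning looks nothing like an address-book walk, and the sliding window keeps a slow, legitimate newsletter from accumulating into a false alarm.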
29. ~Computer Virus~ How To Scan?

30. ~Computer Virus~ Anti-Virus Is Scanning

31. ~Computer Virus~ Finding Out A Virus

32. Conclusion
  • You now know more about viruses and how:
    • viruses work through your system
    • to make a better virus
  • Have seen how viruses show us loopholes in popular software
  • Most viruses show that they can cause great damage due to loopholes in programming

33. Questions? [email_address] Copies of the latest lovebug virus code are available… in print