A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the user.
On one hand, viruses show us how vulnerable we are, disrupting productivity and causing billions of dollars in damage. On the other hand, they show us how sophisticated and interconnected human beings have become.
Computer viruses are called viruses because they share some of the traits of biological viruses. A computer virus passes from computer to computer the way a biological virus passes from person to person.
VIRUS - Vital Information Resources Under Siege
How can a simple virus affect us?
The Mydoom worm infected approximately a quarter-million computers in a single day in January 2004.
In March 1999, the Melissa virus was so powerful that it forced Microsoft and a number of other very large companies to completely turn off their e-mail systems until the virus could be contained.
The ILOVEYOU virus in 2000 had a similarly devastating effect. In January 2007, a worm called Storm appeared; by October, experts believed up to 50 million computers were infected.
Virus, year and estimated damage:
CIH (1998): $20M to $80M
Melissa (1999): $300M to $600M
Code Red (2001): $2.6B
SQL Slammer (2003): shut down South Korea's online capacity for 12 hours
Blaster (2003): $2B to $10B
Sobig.F (2003): $5B to $10B
MyDoom (2004): at its peak, slowed global Internet performance by 10 percent and Web load times by up to 50 percent
Sasser (2004): tens of millions of dollars
How Does a Virus Work? (Diagram, not recoverable as text: the slides show where the virus code sits relative to the host program's start and end for each infection strategy: prepender, appender, PE infector and overwriter.)
Why do people write virus programs?
This can be broadly categorized into four reasons.
The first is the same psychology that drives vandals.
The second reason has to do with the thrill of watching things blow up.
The third reason involves bragging rights, or the thrill of doing it, sort of like conquering Mount Everest.
The fourth reason is the cyber terrorism that is taking place now.
Types of electronic infections
A virus is a small piece of software that piggybacks on real programs. The following are the main types of electronic infection.
In order for a Trojan horse to infect your machine, you have to install the server side of the application.
The author of the Trojan horse has to convince you to download the application.
This is why it is called a Trojan horse: you have to consciously or unconsciously run the .exe file to install the program; it doesn't propagate on its own like a virus.
Trojan horse payloads include remote access, data destruction, disabling security software, and DoS attacks.
A worm uses a network to send copies of itself to other nodes (computers on the network).
Unlike a virus, it does not need to attach itself to an existing program.
Worms almost always cause at least some harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
The Nachi family of worms tried to download and install patches from Microsoft's website to fix vulnerabilities in the host system, by exploiting those same vulnerabilities.
Logic Bombs, Malware, Spyware & Adware
A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met.
"Malware" is short for malicious software and is typically used as a catch-all term for any software designed to cause damage to a single computer, server, or computer network, whether it is a virus or spyware.
The term spyware suggests software that secretly monitors the user's behaviour, but the functions of spyware extend well beyond simple monitoring.
Adware or advertising-supported software is any software package which automatically plays, displays, or downloads advertisements to a computer after the software is installed on it or while the application is being used.
Different Phases of a Virus
During its lifetime, a typical virus goes through the following four phases:
The virus is idle and eventually activated by some event.
The virus places an identical copy of itself into other programs or into certain system areas on the disk.
The virus is activated to perform the function for which it was intended.
The function is performed.
Other Mean Programs
How Does Anti-virus Work?
Pattern recognition – find what I know.
Passive Heuristics – look at behaviors and guess.
Active Heuristics (emulation) – run the file and watch
Behavior blockers – you can’t do that!
Integrity checkers – have you changed?
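As an added illustration (not from the original slides), this Python sketch shows the integrity-checker idea from the list above: record the size and hash of trusted programs while they are known-good, then report anything that has changed since. File names and contents are constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large programs are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record size and digest of each trusted program while it is known-good."""
    return {p: (os.path.getsize(p), hash_file(p)) for p in paths}


def check_integrity(baseline):
    """Return (path, reason) for every baselined program that no longer matches."""
    findings = []
    for path, (size, digest) in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif os.path.getsize(path) != size:
            findings.append((path, "size changed"))  # prepender/appender pattern
        elif hash_file(path) != digest:
            findings.append((path, "contents changed, same size"))  # overwriter pattern
    return findings


def demo():
    """Constructed scenario: two fake programs, one of which changes after baselining."""
    workdir = tempfile.mkdtemp()
    try:
        good = os.path.join(workdir, "good.exe")
        host = os.path.join(workdir, "host.exe")
        for p in (good, host):
            with open(p, "wb") as f:
                f.write(b"MZ\x90\x00 original program bytes")
        baseline = build_baseline([good, host])
        # Simulate an unwanted change: extra bytes appended to host.exe after baselining
        with open(host, "ab") as f:
            f.write(b"\x00 appended bytes")
        return [(os.path.basename(p), why) for p, why in check_integrity(baseline)]
    finally:
        shutil.rmtree(workdir)
```

The size check is cheap and catches growth, but only the hash catches a same-size overwrite, which is why integrity checkers compare both.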
Signature Based Detection
The computer sees:
The trick is in the pattern!!!
Can you find the word “VIRUS”?
How about QUART?
Maybe MCIS ?
A word you don’t know?
If I told you there was a word "WVIL", now you could find it!
You need to “decompress” 20 37 16 52 31 to find the pattern.
To find a virus in a compressed file it must be decompressed.
For a virus to execute (infect) it also must be decompressed.
A virus in an archive cannot infect.
Polymorphic software does the same thing each time, but looks different each time.
Run 5 minutes, rest 10 minutes, walk 3 minutes.
Run 5 minutes, rest 5 minutes, rest 5 minutes, walk 3 minutes.
Heuristics are used to detect unknown threats.
Heuristics are used to defeat compression, encryption and polymorphism.
Heuristics are used to detect brand new malicious software.
Heuristics are used to detect attempts to exploit vulnerabilities.
Heuristics = zero-day, zero-hour protection
False positives occur when an anti-virus program calls a good program bad. It’s like arresting the wrong person.
False positives are expensive.
AV doesn’t search for the entire virus, just a portion of it.
Search Google for “elephant” and you get over 58 million hits. You just need to find a specific elephant. Searching for “rude elephant” narrows the results to 1.73 million. A search for “very rude elephant” finds us “Rudy, the very rude elephant.”
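As an added example (not from the original slides), the Python sketch below ties together three points from this section: a signature is only a fragment of the file, a file in a compressed archive cannot be matched until it is decompressed, and a fragment that is too short fires on good programs as well (the false positive). The "programs" and signatures are constructed byte strings, not real malware or real AV definitions.

```python
import zlib

# Constructed sample "programs": plain bytes with a repeated tail so zlib really compresses them
BENIGN = b"MZ\x90\x00 ANTIVIRUS-UPDATER: fetch definitions, then exit" + b"\x00" * 256
MALICIOUS = b"MZ\x90\x00 VIRUS-BODY-7F3A: constructed marker, not real code" + b"\x90" * 256

# A signature is a byte fragment, not the whole file (the "rude elephant" idea)
SIGNATURES = {
    "too-short": b"VIRUS",           # also occurs inside ANTIVIRUS-UPDATER -> false positive
    "specific": b"VIRUS-BODY-7F3A",  # long enough to identify only the constructed sample
}


def scan(data: bytes, signatures=SIGNATURES) -> list:
    """Return the names of all signatures found in the raw bytes."""
    return [name for name, sig in signatures.items() if sig in data]


def scan_archive(blob: bytes, decompress: bool, signatures=SIGNATURES) -> list:
    """Scan a zlib-compressed file, either as stored or after decompressing it."""
    data = zlib.decompress(blob) if decompress else blob
    return scan(data, signatures)


def false_positives(signatures=SIGNATURES) -> list:
    """Signatures that wrongly fire on the benign sample."""
    return scan(BENIGN, signatures)


def demo() -> dict:
    archive = zlib.compress(MALICIOUS)
    return {
        "raw": scan(MALICIOUS),                                      # both signatures hit
        "benign": scan(BENIGN),                                      # only the short one: false positive
        "archive_no_decompress": scan_archive(archive, decompress=False),  # nothing found
        "archive_decompressed": scan_archive(archive, decompress=True),    # both found again
    }
```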
Front Door Attacks
What do many of these attacks (through email, web browsing or downloads) have in common?
They all require the actions of a legitimate user.
They can be considered “front door” attacks because a user is tricked into opening the door for the attack through their action.
The key to understanding front door attacks is that when you run a program it runs with *all* your rights and privileges.
This includes any program you run even accidentally by opening an email attachment or clicking on a web link.
Back Door Attacks
Not all attacks require action by a legitimate user.
"Back door" attacks target vulnerabilities in server software that is running on your computer.
Server software is software that listens for requests that arrive over the network and attempts to satisfy these requests.
A web server is an example of server software.
The problem of DOS viruses continues to get slowly worse around the world.
Increased use of 32-bit operating systems, such as OS/2 and Windows, is likely to cause a decrease in the prevalence of all current DOS viruses.
All in all it ends in a vicious circle with the programmers creating the worms and other programmers trying to destroy or stop the growth of worms.