This document provides an introduction to computer viruses and malware. It defines viruses and malware, describes how they spread, and outlines some common types including trojans, worms, joke programs, droppers, and backdoors. It explains virus characteristics like being direct-action or memory-resident. The document aims to describe different forms of malware and their potential payloads or capabilities in order to provide safe computing tips to users.
2. Introduction
Presentation Content
• Description
• Virus Characteristics
• Different Types of Malware
• Different Types of Viruses
• Safe Computing Tips and Techniques
3. Description
What is a Computer Virus?
A program (a block of executable code) that has the ability to replicate, or make copies of itself, and spread to other files.
5. What does Malware do to a Computer?
Some possible malware payloads:
• Simple display of messages
• Delete or corrupt files or the hard disk
• Interfere with computer operations
• Spread to other files and computers
• Compromise computer or network security
6. How do Viruses and Other Malware Spread?
They spread…
• From disk to disk
• From program to program
• From document to document
• Via e-mail and the Internet
• Over the network
13. Trojan Horse Programs
Trojans are programs that may appear harmless, but perform unexpected or unauthorized, usually malicious, actions.
14. The Dangers of a Trojan
Someone may already be…
• downloading and uploading files on their computer
• reading all of their IRC logs and learning interesting things about them and their friends
• reading their ICQ messages
• stealing information such as credit card numbers, usernames and passwords
• and worst of all, deleting their files or formatting their hard drive
16. Worms
A computer worm is a program (or set of programs) that is able to spread copies of itself to other computer systems. Unlike viruses, worms do not need to attach themselves to host programs.
17. Checking for Trojans and Worms
Some symptoms:
• Unusual system slowdown and/or behavior
• Unusual tasks running
• Modifications to the Registry
• Modifications to configuration files
• Unusual emails sent (without the user's consent)
19. Joke Programs
• Ordinary executable programs.
• Created to make fun of users.
• These programs do not intend to destroy data.
20. Joke Programs
Some characteristics:
• Similar to ordinary executable programs
• Will not infect other programs
• Will not do any damage directly
• May annoy or tease the user
• May be difficult to halt or terminate
• May cause some devices (e.g., mouse or keyboard) to temporarily function abnormally
22. Malware Droppers
A program that drops a virus or other malware.
Upon execution, a dropper writes a virus or other malware onto the system. When the dropped malware is executed, it can infect files or cause damage.
25. Backdoors
Here are some of the things that these backdoors are capable of:
• Log keystrokes
• Edit or delete files and folders
• Edit the registry
• Send out confidential information such as passwords to the hacker
• Run programs on the host or target machine
• Restart or shut down the computer
• Capture screens
• Browse and send out files to the hacker
• Change computer settings such as the wallpaper
• Kill or disable running programs
Editor's Notes
What is a Computer Virus?
A computer virus is a program (a block of executable code) that has the ability to replicate, or make copies of itself, and spread to other files.
Viruses can attach themselves to many types of files and programs. The file or program that is infected by the virus will serve as its host.
Computer viruses are actually a special case of something known as Malware.
What is Malware?
Malware is the general term used to refer to any unexpected or malicious program or mobile code, such as viruses, Trojans, worms, or joke programs.
Malware must be executed for it to do anything, so the malicious code has to be in a form that the computer will actually try to execute.
To put it simply, all forms of malware require executable code. Files that are pure data are safe only as long as nothing executes their content: a document that carries macros is not pure data in this sense, which is why document files can be infected (see the section on how viruses spread).
What does malware do to computers?
Malware runs on a computer just like any other software. Its actions (generally called its payload) depend on what its writer programmed. Some malware is deliberately designed to cause damage by deleting certain types of files, or even reformatting a hard drive and destroying all data. Other malware interferes with the computer's operations in various ways.
Malware that is able to infect (i.e. viruses) is harmful even when it only spreads and does not damage files or the system: it takes up disk and memory space and reduces the computer's overall performance.
The more sophisticated forms of malware may be able to take control of a computer system or of a network, thereby compromising security.
A malware payload is limited to what software can do, but that limit is wider than the old folklore suggests. A payload cannot directly burn out a CPU, and the chain-letter warnings about viruses that physically destroy a computer are hoaxes. However, malware that can write to firmware can leave a machine unbootable (the CIH virus of 1998 overwrote the flash BIOS on some boards), so "it cannot touch hardware" is not a safe assumption.
How do viruses and other forms of malware spread?
Viruses are potentially destructive software that spread from program to program, from disk to disk, and from document to document.
Previously, viruses spread mainly through floppy disks and infected only programs and boot sectors. Nowadays, even document files are vulnerable, because document formats with a macro language allow a document to carry executable code.
Viruses and other forms of malware are now also able to spread over networks and over the Internet. The Internet has introduced new distribution mechanisms for them which were not available before. And with email used as an important business communication tool, viruses and other forms of malware are spreading faster than ever.
Virus Characteristics (Direct-Action vs. Memory-Resident)
Viruses can be either direct-action or memory-resident. A direct-action virus selects one or more programs to infect each time a program infected by it is executed. A resident virus installs itself somewhere in memory (RAM) the first time an infected program is executed, and thereafter infects other programs when they are executed or when other conditions are fulfilled. Direct-action viruses are also sometimes referred to as non-resident viruses.
The advantage of a direct-action virus is that it automatically infects one or more programs at the moment a program infected by it is executed. The disadvantage is that it is limited in the number of programs it can infect per run: infecting many programs at once takes too long and the user will most likely notice the delay.
The advantage of a memory-resident virus over a direct-action virus is that it can keep infecting files long after it first executed (as long as it is still resident in memory). The disadvantage is that it does not infect files automatically when it is first executed; the user may turn off the system immediately afterwards, or may never trigger the conditions required, and no programs may be infected.
Other Virus Characteristics
Aside from being either direct-action or memory-resident, viruses may also apply either or both of the following techniques to enhance their chances of spreading:
Stealth
Some viruses will go to great lengths to hide their infections from normal users and even anti-virus products. This is usually achieved by staying resident in memory and monitoring the system functions used to read files or sectors from storage media and forging the results of calls to such functions. This means programs that try to read infected files or sectors see the original, uninfected form instead of the actual, infected form.
Polymorphic
To make detection harder for virus scanners, some viruses employ strategies that produce varied but functional copies of themselves.
One technique for making a polymorphic virus is to choose among a variety of different encryption schemes requiring different decryption routines: only one of these routines is plainly visible in any instance of the virus. A scan string-driven virus scanner would need several scan strings (one for each possible decryption method) to reliably identify a virus of this kind.
More sophisticated polymorphic viruses vary the sequences of instructions in their variants by interspersing the decryption instructions with "noise" instructions (e.g. a NOP, or an instruction that loads a currently unused register with an arbitrary value), by interchanging mutually independent instructions, or by using different instruction sequences with identical net effects (e.g. subtracting a register from itself versus moving 0 into it). A simple scan string-based virus scanner cannot reliably identify all variants of this sort of virus; a more sophisticated scanning engine has to be constructed after thorough research into the particular virus.
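The following is an added example, not code from the presentation: a byte-string simulation of the first polymorphic technique described above (several encryption schemes, a different key per copy, filler bytes in front of the decryptor). It shows why a scan string lifted from one specimen catches almost none of the other copies, while a scanner that recognises the decryptor stub, reads the key it carries and undoes the encryption catches all of them. The stub markers, the body text, the noise bytes and the random seeds are all constructed for the demonstration; nothing here is real machine code.

```python
"""Added example (not from the presentation): a byte-string simulation
of a polymorphic encryptor and two scanners.

Every "infected file" is [noise][decryptor stub][key][encrypted body].
The body is the same in all variants; the scheme, key and leading noise
bytes change, so the encrypted bytes differ from copy to copy. The stub
markers, the body text and the noise sequences are all constructed here;
nothing is real machine code."""
import random

# Constructed plaintext body shared by all variants; the scanner's real
# target. The first 16 bytes serve as the body signature.
VIRUS_BODY = b"VIRUS-BODY: infect next .com file; payload on the 13th"
BODY_SIGNATURE = VIRUS_BODY[:16]

# Constructed stand-ins for two decryptor routines (scheme 1: XOR with a
# one-byte key; scheme 2: subtract a one-byte key mod 256).
STUBS = {1: b"\xde\xc0\x01", 2: b"\xde\xc0\x02"}

# Filler with no net effect that the engine may prepend (NOP; NOP NOP;
# MOV AL,0; x86-style illustration only).
NOISE = [b"", b"\x90", b"\x90\x90", b"\xb0\x00"]


def transform(data: bytes, scheme: int, key: int, decrypt: bool) -> bytes:
    """Apply (or undo) the chosen one-byte scheme to every byte."""
    if scheme == 1:
        return bytes(b ^ key for b in data)          # XOR is its own inverse
    sign = -1 if decrypt else 1
    return bytes((b + sign * key) & 0xFF for b in data)


def make_variant(rng: random.Random) -> bytes:
    """Emit one polymorphic copy: new scheme, new key, new leading noise."""
    scheme = rng.choice((1, 2))
    key = rng.randrange(1, 256)
    body = transform(VIRUS_BODY, scheme, key, decrypt=False)
    return rng.choice(NOISE) + STUBS[scheme] + bytes([key]) + body


def sample_variant(seed: int) -> bytes:
    """One deterministic variant, for experiments and tests."""
    return make_variant(random.Random(seed))


def naive_scan(sample: bytes, scan_string: bytes) -> bool:
    """Scan-string scanner: a fixed byte sequence lifted from one specimen."""
    return scan_string in sample


def decrypting_scan(sample: bytes) -> bool:
    """Scheme-aware scanner: find a known stub, read the key that follows,
    undo that scheme on the remainder and look for the body signature."""
    for scheme, stub in STUBS.items():
        i = sample.find(stub)
        if i < 0 or i + len(stub) >= len(sample):
            continue
        key = sample[i + len(stub)]
        plain = transform(sample[i + len(stub) + 1:], scheme, key, decrypt=True)
        if BODY_SIGNATURE in plain:
            return True
    return False


def experiment(n: int = 50, seed: int = 7) -> dict:
    """Generate n variants plus some clean files; count what each scanner catches."""
    rng = random.Random(seed)
    variants = [make_variant(rng) for _ in range(n)]
    # The naive scanner is "taught" from the first specimen's encrypted body.
    scan_string = variants[0][-len(VIRUS_BODY):][:16]
    clean = [b"MZ" + bytes(rng.randrange(256) for _ in range(200)) for _ in range(20)]
    return {
        "variants": n,
        "naive_hits": sum(naive_scan(v, scan_string) for v in variants),
        "decrypt_hits": sum(decrypting_scan(v) for v in variants),
        "naive_false_positives": sum(naive_scan(c, scan_string) for c in clean),
        "decrypt_false_positives": sum(decrypting_scan(c) for c in clean),
    }


if __name__ == "__main__":
    print(experiment())
```

The naive scanner matches only copies that happen to share the first specimen's scheme and key (usually just that one copy out of fifty), while the decrypting scanner catches every copy with no false positives on the random clean files. Real engines go one step further than this stub lookup: they emulate the decryptor instructions rather than recognise them by bytes, which is what defeats the noise-interleaving variants described above.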
Classification of Malware
The more commonly encountered forms of malware are viruses and Trojans. But viruses and Trojans are only a subset of the possible classification of malware a computer user may come across. Other forms of malware include worms, joke programs, and malware droppers. Let’s go over each classification in detail.
Trojan Horse Programs
A Trojan Horse is a destructive program that comes concealed in software that not only appears harmless, but is also particularly attractive to the unsuspecting user (such as a game or a graphics application).
Trojans are non-replicating malware: they do not make copies of themselves, and they rely on the user to send out copies of the Trojan to others. They sometimes achieve this by hiding inside desirable software (e.g. computer games or graphics software) which novice users often forward to other users. Because a Trojan horse is not attached to a host program, there is nothing to "disinfect" in the sense of cleaning a host file: to get rid of the Trojan, delete the program itself, and check for any startup entries (for example in the Registry) it may have added so that it runs again.
Many people do not know what a Trojan is. They assume that if they run an executable and nothing visible happens (the computer still works and all the data is still there) then it cannot have been malicious, because a virus would have damaged their data or stopped the computer. Unbeknownst to them, if it was a Trojan, someone may already be…
downloading and uploading files on their computer
reading all of their IRC logs and learning interesting things about them and their friends
reading their ICQ messages
stealing information such as credit card numbers, usernames and passwords
and worst of all, deleting their files or formatting their hard drive
These are just a few examples of how dangerous a Trojan can be. The damage is limited only by the imagination of the perpetrator and the capabilities of the Trojan used.
Worms
A computer worm is a self-contained program (or set of programs) that is able to spread functional copies of itself or its segments to other computer systems. The propagation usually takes place via network connections or email attachments. Unlike viruses, worms do not need to attach themselves to host programs.
Checking for Trojans and Worms
Trojans and worms may run in either the DOS or the Windows environment, so checking for them and recognising their symptoms is similar to doing so for DOS and Windows viruses.
As with other forms of malware, there may be some noticeable slowdown or unusual behavior in the system if a Trojan or worm is active. Sometimes intermittent errors occur that did not happen before. Some of this malware is also capable of residing in memory, and you can often tell that it is active by checking the Task Manager (or a similar tool for the environment in use) for any unusual tasks. Moreover, it may modify the Windows Registry and/or other configuration files (e.g. *.ini, *.dat) on the system.
Nowadays, some Trojans and worms can send email on their own. If you suspect an email-enabled malware, check the Sent Items folder for messages you did not write. Note, however, that many mass-mailing worms carry their own SMTP engine and leave nothing in the mail client's Sent Items, so an empty folder does not clear the system.
Joke Programs
Joke programs are ordinary executable programs. They are the digital equivalent of the old fashioned prank. These novelty programs are designed for humor at the expense of other users. They neither infect other programs nor replicate, and normally do not interfere with computer systems on their own.
As with all jokes, the problem with these e-pranks is in how they are received by their victims. Just as a joke could unexpectedly provoke a person to violence, joke programs can cause a computer user, especially a novice one, to act rashly. Like turning off the computer to stop the joke -- and in the process, losing all unsaved files in other programs.
Joke programs cannot spread unless someone deliberately distributes them. To get rid of a Joke program, simply delete the file from your system.
Joke Programs
Since joke programs are ordinary executable programs, they will not infect other programs nor will they do any damage to the computer system directly. Most joke programs are meant to annoy or make fun of the user. Sometimes they may be difficult to halt or terminate, and some temporarily reconfigure the mouse, keyboard, or some other device.
Joke programs commonly come as software that fools the user into thinking that something is wrong with his or her computer. After the joke program has finished, the computer is back to what it used to be and nothing wrong really happened to it.
Virus or Malware Droppers
These are programs that will install a virus, a Trojan, or some other malware in a computer system. They are usually created to provide an easy way to start infecting a system. Some of these droppers are actually virus construction software which allow novice programmers to create viruses.
If a suspected piece of software is thought to be a dropper, look for any dropped file or program after the suspected software is executed (ideally in an isolated test environment). If a dropped file or program is found, check whether it is malicious using the techniques available for inspecting the different types of malware.
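The "look for any dropped file" step above, and the "modifications to configuration files" symptom from the Trojan and worm section, come down to the same check: snapshot the file system before running the suspect program, snapshot it again afterwards, and diff. The following is an added example, not code from the presentation, that does exactly that with SHA-256 digests. The scratch directory tree, the file names (`win.ini`, `autoexec.bat`, `svchost32.exe`) and their contents are constructed for the demonstration.

```python
"""Added example (not from the presentation): a baseline-and-compare
check for dropped files and modified configuration files.

Snapshot the directories that matter before running a suspect program,
snapshot again afterwards, and diff the two. Anything that appeared is a
candidate dropped file; anything whose hash changed is a candidate
tampered configuration file. The scratch tree, file names and contents
below are constructed for the demonstration."""
import hashlib
import os
import tempfile
from typing import Dict, List


def snapshot(root: str) -> Dict[str, str]:
    """Map every file under root (as a relative, /-separated path) to its SHA-256."""
    digests: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def compare(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that appeared, disappeared, or changed between two snapshots."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Stage a tiny fake system tree, 'run' a dropper against it, and diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "windows"))
        win_ini = os.path.join(root, "windows", "win.ini")
        with open(win_ini, "w") as f:
            f.write("[windows]\nload=\nrun=\n")
        with open(os.path.join(root, "autoexec.bat"), "w") as f:
            f.write("@echo off\n")
        before = snapshot(root)

        # What a dropper might do (constructed): write a new executable and
        # point the run= line at it so it starts with Windows.
        with open(os.path.join(root, "windows", "svchost32.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 62)
        with open(win_ini, "w") as f:
            f.write("[windows]\nload=\nrun=C:\\WINDOWS\\svchost32.exe\n")
        after = snapshot(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline should come from a known-good machine and be stored off the box being examined, since a dropper that has already run could tamper with a baseline kept locally. Hash comparison also does not see Registry changes; those need the same before-and-after treatment on exported hives or autorun keys.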
Backdoors
A backdoor is a program that opens secret access to a system and is often used to bypass its security. A backdoor is usually installed on a system by a worm, Trojan, or virus. Once installed, it allows an attacker remote access to that infected computer.
Backdoors are a specific type of Trojan and are sometimes referred to as Remote Access Trojans. Basically, a backdoor is divided into two components:
1. The server part – the backdoor Trojan installed on the target computer. It enables the attacker to gain access to the infected computer, either by listening for connections or by connecting out to the attacker.
2. The client part – the actual program the attacker uses to connect to the server part installed on the target computer. This is where the attacker issues commands or requests to the server program.
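Because the server part has to be reachable by the client, the most direct check for a backdoor is to look at what the machine is listening on and connecting to. The following is an added example, not code from the presentation, that parses output in the column layout of `netstat -ano` on Windows, flags listeners that are not on an allow-list, and then pulls up every established connection owned by the same process IDs. The sample lines, the ports, the addresses (from the documentation ranges), the PIDs and the allow-list are all constructed.

```python
"""Added example (not from the presentation): triage of listening ports
and connections, the most direct check for the 'server part' of a
backdoor. The input mimics the column layout of `netstat -ano` on
Windows; the lines, ports, addresses and PIDs are constructed."""
from typing import Dict, List, Set, Tuple

# Constructed sample in `netstat -ano` layout (Proto, Local Address,
# Foreign Address, State, PID; UDP lines have no State column).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2480
  TCP    192.168.1.20:49712     198.51.100.9:6667      ESTABLISHED     2480
  TCP    192.168.1.20:49720     198.51.100.80:443      ESTABLISHED     1560
  UDP    0.0.0.0:500            *:*                                    1204
"""

# Constructed allow-list of (protocol, port) pairs this machine is
# expected to listen on.
EXPECTED_LISTENERS: Set[Tuple[str, int]] = {("TCP", 135), ("TCP", 445), ("UDP", 500)}


def parse_netstat(text: str) -> List[Dict]:
    """Turn netstat -ano lines into dicts; tolerate the missing UDP State."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                      # header or blank line
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) == 5 else ""
        pid = int(parts[-1])
        lport = int(local.rsplit(":", 1)[1])
        rows.append({"proto": proto, "local": local, "lport": lport,
                     "foreign": foreign, "state": state, "pid": pid})
    return rows


def triage(rows: List[Dict], expected: Set[Tuple[str, int]]) -> Dict:
    """Flag listeners outside the allow-list, then every established
    connection owned by the same PIDs (a backdoor's channel to its client)."""
    unexpected = [r for r in rows
                  if (r["state"] == "LISTENING" or r["proto"] == "UDP")
                  and (r["proto"], r["lport"]) not in expected]
    suspect_pids = {r["pid"] for r in unexpected}
    related = [r for r in rows
               if r["pid"] in suspect_pids and r["state"] == "ESTABLISHED"]
    return {
        "unexpected_listeners": [(r["proto"], r["lport"], r["pid"]) for r in unexpected],
        "suspect_pids": sorted(suspect_pids),
        "connections_from_suspects": [(r["pid"], r["foreign"]) for r in related],
    }


def run_sample() -> Dict:
    """Run the triage over the constructed sample."""
    return triage(parse_netstat(SAMPLE), EXPECTED_LISTENERS)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On the constructed sample the unexpected listener and the outbound connection to port 6667 belong to the same PID, which is the pattern to chase next: map that PID to its image path (Task Manager or `tasklist`) and compare the file against the baseline. A backdoor that only connects out, with no listener, shows up only in the established connections, so the outbound list deserves a look even when no listener is flagged.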
Backdoors
Once a backdoor Trojan is installed in a certain computer, a hacker can do just about anything to that computer. These are some of the things these backdoors are capable of:
1. Log keystrokes
2. Edit or delete files and folders
3. Edit the registry
4. Send out confidential information such as passwords to the hacker
5. Run programs on the host or target machine
6. Restart or shut down the computer
7. Capture screens
8. Browse and send out files to the hacker
9. Change computer settings such as the wallpaper
10. Kill or disable running programs