Network virus detection & prevention


Network Virus detection & prevention Seminar Report docx file


NETWORK VIRUS DETECTION AND PREVENTION

ABSTRACT

One of the most high-profile threats to information integrity is network viruses. Network viruses are software that behaves like biological viruses: they attach themselves to a host and replicate, spreading the infection. For a computer program to be classified as a virus, it simply must replicate itself. In this paper (Network Virus Detection and Prevention), I present what viruses, worms, and Trojan horses are and their differences, the different strategies of virus spreading, virus detection, virus prevention, and case studies of the Slammer and Blaster worms.

Dept. of ECE, BCET
CONTENTS (page no.)

Chapter 1  Introduction
  1.1 Preliminaries  5
  1.2 Characteristics  8
Chapter 2  Detailed descriptions
  2.1 Malicious Code Environments  9
  2.2 Virus/Worm types overview  9
Chapter 3  File infection techniques of viruses
  3.1 Overwriting Viruses  12
  3.2 Random Overwriting Viruses  13
  3.3 Appending Viruses  13
  3.4 Prepending Viruses  14
  3.5 Classical Parasitic Virus  14
  3.6 Cavity Viruses  15
  3.7 Compressing Viruses  16
  3.8 Amoeba Infection Technique  16
Chapter 4  Steps in worm propagation
  4.1 Target Locator  17
  4.2 Infection Propagator  18
  4.3 Remote Control and Update Interface  18
  4.4 Life-Cycle Manager  18
  4.5 Payload  19
  4.6 Self-Tracking  19
Chapter 5  Identification methods
  5.1 Signature-based detection  20
  5.2 Heuristics  21
  5.3 Rootkit detection  22
  5.4 Malware detection and removal  22
Chapter 6  Virus prevention
  6.2 Generations of Antivirus s/w  23
  6.3 Advanced antivirus techniques  24
  6.4 Other Technologies  24
    6.4.1 Cloud antivirus  24
    6.4.2 Network firewall  25
    6.4.3 Online scanning  26
    6.4.4 Specialist tools  26
Chapter 7  Case studies
  7.1 Slammer Worm  27
    7.1.1 Vulnerability  27
    7.1.2 Target Selection  27
    7.1.3 Infection Propagator  27
    7.1.4 Payload  27
    7.1.5 Network Propagation  27
    7.1.6 Prevention  28
  7.2 Blaster Worm  28
    7.2.1 Vulnerability  28
    7.2.2 Initialization  28
    7.2.3 Target Selection  28
    7.2.4 Infection Propagator  28
    7.2.5 Payload  29
    7.2.6 Prevention  29
Conclusion  30
References  31
CHAPTER 1 INTRODUCTION

The internet consists of hundreds of millions of computers distributed around the world. Millions of people use the internet daily, taking full advantage of the available services at both personal and professional levels. The internet connectivity among computers on which the World Wide Web relies, however, renders its nodes an easy target for malicious users who attempt to exhaust their resources, damage their data, or create havoc in the network. Computer viruses, especially in recent years, have increased dramatically in number. One of the most high-profile threats to information integrity is the computer virus. Surprisingly, PC viruses have been around for two-thirds of the IBM PC's lifetime, appearing in 1986. With global computing on the rise, computer viruses have had more visibility in the past few years. In fact, the entertainment industry has helped by illustrating the effects of viruses in movies such as "Independence Day", "The Net", and "Sneakers". Along with computer viruses, computer worms are also increasing day by day. So there is a need to immunize the internet by creating awareness among people about these threats in detail. In this paper I have explained the basic concepts of viruses and worms and how they spread.

The basic organization of the paper is as follows. In section 2, I give some preliminaries: the definitions of computer viruses, worms and Trojan horses, as well as some other malicious programs, and the basic characteristics of a virus. In section 3, detailed description, I describe the malicious code environments in which a virus can propagate, give an overview of virus/worm types in which the different types are explained, and describe the categories of worm in a broad sense. In section 4, File Infection Techniques, I describe the various infection mechanisms of a virus.
In section 5, Steps in Worm Propagation, I describe the basic steps that a normal worm follows in order to propagate. In section 6, Case studies, two case studies, of the Slammer worm and the Blaster worm, are discussed.

1.1 Preliminaries:

A. Virus: A self-replicating program. Some definitions also add the constraint that it has to attach itself to a host program to be able to replicate. Viruses often require a host, and their goal is to infect other files so that the virus can live longer. Some viruses perform destructive actions, although this is not necessarily the case. Many viruses attempt to hide from being discovered. A virus might rapidly infect every file on an individual computer or slowly infect the documents on the computer, but it does not intentionally try to spread itself from that (infected) computer to others. In most cases, that's where humans come in. We send e-mail document attachments, trade programs on diskettes, or copy files to file servers. When the next unsuspecting user receives the infected file or disk, they spread the virus to their computers, and so on.
B. Worms: Worms are insidious because they rely less (or not at all) upon human behaviour in order to spread themselves from one computer to others. A computer worm is a program that is designed to copy itself from one computer to another, leveraging some network medium: e-mail, TCP/IP, etc. The worm is more interested in infecting as many machines as possible on the network, and less interested in spreading many copies of itself on a single computer (like a computer virus). The prototypical worm infects (or causes its code to run on) a target system only once; after the initial infection, the worm attempts to spread to other machines on the network. Some researchers define worms as a sub-type of viruses. In the early years worms were considered a problem of mainframes only. This changed after the Internet became widespread; worms quickly adapted to Windows and started to send themselves through network functions. Some categories that come under worms are Mailers and Mass-Mailer worms, Octopus worms and Rabbits.

C. Trojan Horses: A Trojan horse is a program which pretends to be a useful program but performs some unwanted action. Most Trojans activate when they are run and sometimes destroy the structure of the current drive (FATs, directories, etc.), obliterating themselves in the process. These do not require a host and do not replicate. A special type is the backdoor Trojan, which does not do anything overtly destructive but leaves your computer open to remote control and unauthorised access.
D. Others: There are other types of malicious programs apart from viruses, worms and Trojan horses. Some of them are described below.

1) Logic Bombs: A logic bomb is a programmed malfunction of a legitimate application. These are intentionally inserted in otherwise good code. They remain hidden, with only their effects being visible. These do not replicate. Bugs do everything except make more bugs.

2) Germs: These are first-generation viruses in a form in which the virus cannot yet carry out its usual infection process. When the virus is compiled for the first time, it exists in a special form and normally does not have a host program attached to it. Germs do not have the usual marks that most viruses use in their second-generation form to flag infected files so as to avoid reinfecting an already infected object.

3) Exploits: An exploit is specific to a single vulnerability or set of vulnerabilities. Its goal is to run a program on a (possibly remote, networked) system automatically or to provide some other form of more highly privileged access to the target system.
1.2 Characteristics:

The following are some of the characteristics of viruses:
1) Size - The program code required for a computer virus is very small.
2) Versatility - Computer viruses have appeared with the ability to generically attack a wide variety of applications.
3) Propagation - Once a computer virus has infected a program, while this program is running the virus is able to spread to other programs and files accessible to the computer system.
4) Effectiveness - Many computer viruses have far-reaching and catastrophic effects on their victims, including total loss of data, programs, and even operating systems.
5) Functionality - A wide variety of functions has been demonstrated in virus programs. Some virus programs merely spread themselves to applications without attacking data files, program functions, or operating system activities. Other viruses are programmed to damage or delete files, and even to destroy systems.
6) Persistence - In many cases, especially in networked operations, eradication of viruses has been complicated by the ability of a virus program to repeatedly spread and reoccur through the networked system from a single copy.
CHAPTER 2 DETAILED DESCRIPTION

2.1 Malicious Code Environments

It is important to know about the particular execution environments in order to understand computer viruses. A successful penetration of the system by viral code occurs only if the various dependencies of the malicious code match a potential environment. The following are some of the various malicious code environments:
1) Computer Architecture Dependency
2) CPU Dependency
3) Operating System Dependency and Operating System Version Dependency
4) File System Dependency
5) File Format Dependency
6) Interpreted Environment Dependency
7) Vulnerability Dependency
8) Date and Time Dependency
9) Just-In-Time Dependency
10) Archive Format Dependency
11) File Format Extension Dependency
12) Network Protocol Dependency
13) Source Code Dependency
14) Self-Contained Environment Dependency

2.2 Virus/Worm types overview

These are the main categories of viruses and worms:
1) Binary File Virus and Worm - File viruses infect executable (program) files. They are able to infect over networks. Normally these are written in machine code. File worms are also written in machine code; instead of infecting other files, worms focus on spreading to other machines.
2) Binary Stream Worms - Stream worms are a group of network-spreading worms that never manifest as files. Instead, they travel from computer to computer as pieces of code that exist only in memory.
3) Script File Virus and Worm - A script virus is technically a file virus, but script viruses are written as human-readable text. Since computers cannot understand text instructions directly, the text first has to be translated from text to machine code. This process is called "interpretation", and is performed by separate programs on the computer.
4) Macro Virus - Macro viruses infect data files, or files that are normally perceived as data files, like documents and spreadsheets. Just about anything that we can do with ordinary programs on a computer we can do with macro instructions. Macro viruses are more common nowadays. These can infect over the network.

VIRUS STRUCTURE (pseudocode):

    program V :=
    {goto main;
     1234567;
     subroutine infect-executable :=
       {loop: file := get-random-executable-file;
        if (first-line-of-file = 1234567) then goto loop
        else prepend V to file;
       }
     subroutine do-damage := {whatever damage is to be done}
     subroutine trigger-pulled := {return true if condition holds}
     main: main-program :=
       {infect-executable;
        if trigger-pulled then do-damage;
        goto next;}
     next:
    }
5) Boot Virus - The first known successful computer viruses were boot sector viruses. Today these are rarely used. They infect the boot sectors of hard drives and floppy disks and are not dependent on the actual operating system installed. They are not able to infect over networks. They take over the boot process of personal computers. Because most computers don't contain an operating system in their Read Only Memory (ROM), they need to load the system from somewhere else, such as from a disk or from the network (via a network adapter).
6) Multipartite Viruses - Multipartite viruses infect both executable files and boot sectors, or executable and data files. These are not able to infect over networks.
CHAPTER 3 FILE INFECTION TECHNIQUES OF VIRUSES

The following are the common strategies that virus writers have used over the years to invade new host systems:

3.1 Overwriting Viruses

These locate another file on the disk and overwrite it with their own copy. This is the easiest approach, and such viruses can do great damage when they overwrite all the files in the system. These cannot be disinfected from a system: infected files must be deleted and restored from backups. They don't change the size of the host.

Figure 3.1. An overwriting virus infection.

Well-Known Overwriting Viruses

Grog.377 - Known as a non-memory-resident virus, it reads a random sector of a hard disk in search of special instructions. If the instructions exist, it overwrites that part of the sector with malicious code. When launched, the infection can inflict considerable damage on the system BIOS and prevent a computer from booting up.

Grog.202/456 - Two of the most dangerous overwriting viruses. They seek out COM files in the current directory, quickly deleting the content and replacing it with malicious code. If no COM files are found in that particular directory, the Grog virus dials a random phone number over the user's modem in search of interconnected network computers. Both of these infections are also considered to be non-memory-resident overwriting viruses.

Loveletter - Perhaps the most complex overwriting virus. Like other variants, its main intent is to seek out files and overwrite them with malicious code. What makes this virus
different is that it acts as a file infector, an email worm and a Trojan horse capable of downloading other types of malware.

Overwriting viruses were initially deployed because of their effectiveness: a way for the infection to infuse itself into an innocent file. This corrupts the original file in such a way that it can't be disinfected. Many of them are able to escape the scanner of an anti-virus program, making no alterations to the victim file so that changes aren't detected.

While they were very effective, most malicious code authors do not write this type of virus anymore. Many tend to focus on tempting users with genuine Trojan horses and distributing malware via email. At the same time, you must keep your computer protected from all probable threats at all times. Your best bet is to install a quality anti-virus program and conduct frequent scans for suspicious activity.

3.2 Random Overwriting Viruses

This is another rare variation of the overwriting method. It does not change the code at the top of the file but chooses a random location in the host program and overwrites that location. In this case it is possible that the virus code never even gets control during execution. In both cases, the host program is lost during the virus attack, and often crashes before the virus code executes.

Figure 3.2. A random overwriter virus.

3.3 Appending Viruses

In this technique the virus code is appended at the end of the program, and the first instruction of the program is changed to a jump or call instruction pointing to the starting address of the viral code.
Figure 3.3. A typical DOS COM appender virus.

3.4 Prepending Viruses

A common virus infection technique uses the principle of inserting virus code at the front of host programs. Such viruses are called prepending viruses. This is a simple infection technique and is often successful. Virus writers wrote many of this kind on various operating systems, causing major outbreaks on many of them.

Figure 3.4. A typical prepender virus.

3.5 Classical Parasitic Virus

This is a variation of the prepender technique. These overwrite the top portion of the program with virus code, and the original top portion is copied to the end of the program.
Figure 4.8. A classic parasitic virus.

3.6 Cavity Viruses

These typically don't increase the size of the program they infect. Instead they overwrite a part of the file that can be used to store the virus code safely. Normally these overwrite areas of binary files that contain zeros. These are often slow spreaders on DOS systems.

Figure 3.6. A cavity virus injects itself into a cave of the host.
3.7 Compressing Viruses

This is a special technique in which the content of the host program is compressed. Compressor viruses are sometimes beneficial because such a virus might compress the infected program to a much shorter size, saving disk space.

Figure 3.7. A compressor virus.

3.8 Amoeba Infection Technique

This is a rarely seen infection technique in which the head part of the viral code is stored at the start of the host program and the tail part is stored after the end of the host program.

Figure 3.8. The Amoeba infection method.
CHAPTER 4 STEPS IN WORM PROPAGATION

Each worm has a few essential components, such as a target locator and an infection propagation module, and a couple of non-essential modules, such as remote control, an update interface, a life-cycle manager, and payloads.

4.1 Target Locator:

For a worm to propagate, it must first discover the existence of a machine. There are many techniques by which a worm can discover new machines to exploit. They are:

a) Scanning: This entails probing a set of addresses to identify the vulnerable hosts. Two simple forms of scanning are sequential scanning (working through an address block using an ordered set of addresses) and random scanning (trying addresses out of a block in pseudo-random fashion).

b) Pre-generated Target Lists: An attacker could obtain a target list in advance, creating a "hit-list" of probable victims with good network connections. This list is created well before the release of the worm. There are some scanning techniques that just look for particular criteria, such as the operating system that the machine is running, what servers are running, what the version of the operating system is, etc. Stealthy scans, distributed scanning, DNS searches, just listening, and public surveys such as the Netcraft Survey are other sources for such a list.

c) Externally Generated Target Lists: An externally generated list is one which is maintained by a separate server, such as a matchmaking service's metaserver. This can also be used to speed up worm propagation. This kind of worm has not yet been seen in the wild.

d) Internal Target Lists: Many applications contain information about other hosts providing vulnerable services. Such target lists can be used to create "topological" worms, where the worm searches local information to find new victims by trying to discover the local communication topology.

e) Passive: These do not seek out victim machines.
Instead, they either wait for potential victims to contact the worm or rely on user behaviour to discover new targets. Although potentially slow, these worms produce no anomalous traffic patterns during target discovery, which potentially makes them highly stealthy.
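The scanning forms of target discovery in (a) leave a recognisable footprint in connection logs: one source contacting many distinct destinations on one port, mostly without success, either walking an address block in order or hitting scattered addresses. The following detector is an added example written for this section (it is not code from the report or from any product); the flow records, addresses and ports are constructed for illustration.

```python
"""Spotting scanning-style target discovery (section 4.1a) in connection logs.

Added example, not part of the seminar report. SAMPLE_FLOWS is a constructed
stand-in for firewall or NetFlow records: (src, dst, dst_port, outcome).
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: 10.0.9.5 walks 10.0.0.1 .. 10.0.0.12 in order (sequential
# scanning), 10.0.9.7 tries scattered addresses (random scanning), and 10.0.9.9
# is a normal client talking to two servers. Ports are illustrative only.
SAMPLE_FLOWS = (
    [("10.0.9.5", f"10.0.0.{i}", 445, "refused") for i in range(1, 13)]
    + [("10.0.9.7", dst, 135, "no-response") for dst in (
        "10.3.4.2", "172.16.8.9", "10.200.1.1", "192.168.77.3", "10.44.0.12",
        "172.16.200.40", "10.0.5.5", "192.168.1.250", "10.9.9.9", "172.31.0.3")]
    + [("10.0.9.9", "10.0.0.50", 443, "ok"),
       ("10.0.9.9", "10.0.0.51", 443, "ok"),
       ("10.0.9.9", "10.0.0.50", 80, "ok")]
)


def _sequential_fraction(dsts):
    """Fraction of successive distinct destinations (in order of first contact)
    that are exactly one address apart; close to 1.0 means an ordered sweep."""
    ints = [int(ip_address(d)) for d in dsts]
    if len(ints) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ints, ints[1:]) if b - a == 1)
    return steps / (len(ints) - 1)


def find_scanners(flows, min_targets=8, min_fail_ratio=0.8, seq_threshold=0.7):
    """Return {src: {"port", "targets", "pattern"}} for every (source, port) pair whose
    fan-out reaches min_targets distinct destinations and whose attempts fail at least
    min_fail_ratio of the time. "pattern" is "sequential" or "random"."""
    by_src_port = defaultdict(list)
    for src, dst, port, outcome in flows:
        by_src_port[(src, port)].append((dst, outcome))

    findings = {}
    for (src, port), attempts in by_src_port.items():
        dsts, seen = [], set()
        for dst, _ in attempts:          # distinct destinations, first-contact order
            if dst not in seen:
                seen.add(dst)
                dsts.append(dst)
        if len(dsts) < min_targets:
            continue
        failures = sum(1 for _, outcome in attempts if outcome != "ok")
        if failures / len(attempts) < min_fail_ratio:
            continue
        pattern = "sequential" if _sequential_fraction(dsts) >= seq_threshold else "random"
        findings[src] = {"port": port, "targets": len(dsts), "pattern": pattern}
    return findings


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {info['pattern']} scan of {info['targets']} hosts on port {info['port']}")
```

The thresholds are starting points to tune per network, not fixed values. Note the limitation the text itself points out in (e): passive worms and pre-generated hit-lists (b) generate no such fan-out, so a detector of this kind sees only the scanning strategies.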
4.2 Infection Propagator:

This is a very important strategy that the worm uses to transfer itself to a new node and gain control of the remote machine. Most worms assume that the target is a particular kind of Windows machine and send a worm copy compatible with such a system.

4.3 Remote Control and Update Interface:

Another important component of a worm is remote control using a communication module. Without such a module, the worm's author cannot control the worm network by sending control messages to the worm copies. Such remote control can allow the attacker to use the worm as a DDoS (distributed denial of service) tool on the zombie network against several unknown targets. The attacker is interested in changing the behaviour of the worm and even sending new infection strategies to as many compromised nodes as possible.

4.4 Life-Cycle Manager:

Some writers prefer to run a version of a computer worm for a preset period of time. On the other hand, many worms have bugs in their life-cycle manager component and continue to run without ever stopping.
4.5 Payload:

This is an optional but common component of a worm. An increasingly popular payload is a DDoS attack against a particular website. These can utilise the compromised systems as a "supercomputer". Recently it has become popular to install an SMTP (Simple Mail Transfer Protocol) spam relay as the payload of a worm.

4.6 Self-Tracking:

Many virus authors are interested in seeing how many machines the virus can infect, and they also want others to track the path of virus infections.
CHAPTER 5 Identification methods

One of the few solid theoretical results in the study of computer viruses is Frederick B. Cohen's 1987 demonstration that there is no algorithm that can perfectly detect all possible viruses. The proof relies on the "infect" and "spread" abilities of computer viruses. While common, the "infect" and "spread" abilities of a computer code, which create the "replicate" ability, are not necessarily contained in malware. "Computer virus", in its recent meaning, and "malware" are overlapping terms, but not synonymous. The difference is between code with the ability to "infect" and "spread" and code with a malicious purpose.

There are several methods which antivirus software can use to identify malware. Signature-based detection is the most common method. To identify viruses and other malware, antivirus software compares the contents of a file to a dictionary of virus signatures. Because viruses can embed themselves in existing files, the entire file is searched, not just as a whole, but also in pieces.[16]

Heuristic-based detection, like malicious activity detection, can be used to identify unknown viruses.

File emulation is another heuristic approach. File emulation involves executing a program in a virtual environment and logging what actions the program performs. Depending on the actions logged, the antivirus software can determine if the program is malicious or not and then carry out the appropriate disinfection actions.

5.1 Signature-based detection:

Traditionally, antivirus software relied heavily upon signatures to identify malware. This can be very effective, but cannot defend against malware unless samples have already been obtained and signatures created. Because of this, signature-based approaches are not effective against new, unknown viruses.

As new viruses are being created each day, the signature-based detection approach requires frequent updates of the virus signature dictionary.
To assist the antivirus software companies, the software may allow the user to upload new viruses or variants to the company, allowing the virus to be analyzed and the signature added to the dictionary. Signatures are obtained by human experts using reverse engineering. An example of software used in reverse engineering is the Interactive Disassembler. Such software does not implement antivirus protection, but facilitates human analysis.

Although the signature-based approach can effectively contain virus outbreaks, virus authors have tried to stay a step ahead of such software by writing "oligomorphic", "polymorphic" and, more recently, "metamorphic" viruses, which encrypt parts of themselves or otherwise
modify themselves as a method of disguise, so as not to match virus signatures in the dictionary.

5.2 Heuristics:

Some more sophisticated antivirus software uses heuristic analysis to identify new malware or variants of known malware.

Many viruses start as a single infection and, through either mutation or refinements by other attackers, can grow into dozens of slightly different strains, called variants. Generic detection refers to the detection and removal of multiple threats using a single virus definition.

For example, the Vundo trojan has several family members, depending on the antivirus vendor's classification. Symantec classifies members of the Vundo family into two distinct categories, Trojan.Vundo and Trojan.Vundo.B.

While it may be advantageous to identify a specific virus, it can be quicker to detect a virus family through a generic signature or through an inexact match to an existing signature. Virus researchers find common areas that all viruses in a family share uniquely and can thus create a single generic signature. These signatures often contain non-contiguous code, using wildcard characters where differences lie. These wildcards allow the scanner to detect viruses even if they are padded with extra, meaningless code. A detection that uses this method is said to be "heuristic detection".

Variants of viruses are referred to with terminology such as "oligomorphic", "polymorphic" and "metamorphic", where the differences between specific variants of the same virus are significantly high. In such cases, there are dedicated statistical analysis-based algorithms, implemented in the "real time" protection, which analyse software behaviour. This approach is not absolutely exact and results in higher resource usage on the computer.
Since "oligomorphic", "polymorphic" and "metamorphic" engine development is difficult and the resulting computer code has a (relatively) high dimension (although such cases are very rare), this approach can be used with a relatively high success rate. This approach may require human ingenuity in the design of the algorithm.

If the antivirus software employs heuristic detection, success depends on achieving the right balance between false positives and false negatives. Because of the possibility of false positives and false negatives, the identification process is subject to human assistance, which may include user decisions, but also analysis from an expert of the antivirus software company.

5.3 Rootkit detection:

Anti-virus software can attempt to scan for rootkits; a rootkit is a type of malware that is designed to gain administrative-level control over a computer system without being detected. Rootkits can change how the operating system functions and in some cases can tamper with the anti-virus program and render it ineffective. Rootkits are also difficult to remove, in some cases requiring a complete re-installation of the operating system.
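Sections 5.1 and 5.2 describe two things a scanner does: match exact byte signatures against the whole file "in pieces", and match generic family signatures that carry wildcard bytes where the variants differ. The following scanner is an added example written for this report (not code from the report or from any antivirus product). The signature dictionary and the sample files are constructed byte patterns, not real malware signatures; the chunked scan keeps an overlap of one signature length so a signature lying across a chunk boundary is still found.

```python
"""Exact and generic (wildcard) signature scanning, sections 5.1 and 5.2.

Added example, not from the seminar report. The dictionary and the samples
below are constructed for illustration and are not real virus signatures.
"""
import re

# Constructed dictionary: name -> signature as hex bytes, '??' = any one byte.
# The second entry is a generic family signature in the sense of section 5.2:
# the wildcard positions are where the variants of the family differ.
SIGNATURE_DB = {
    "Demo.Exact.A": "DE AD BE EF 01 02 03 04",
    "Demo.Family.Generic": "CA FE ?? ?? BA BE 00 ?? 99",
}


def compile_signature(hex_sig):
    """Turn 'AA BB ?? CC' into a bytes regex; '??' becomes a single-byte wildcard."""
    parts = []
    for tok in hex_sig.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL: '.' also matches 0x0A


COMPILED_DB = {name: compile_signature(sig) for name, sig in SIGNATURE_DB.items()}
MAX_SIG_LEN = max(len(sig.split()) for sig in SIGNATURE_DB.values())


def scan_bytes(data, db=COMPILED_DB, chunk_size=64):
    """Scan data chunk by chunk (the 'in pieces' search of section 5.1) and return a
    sorted list of (signature_name, absolute_offset). Each chunk is extended by
    MAX_SIG_LEN - 1 bytes so a signature straddling a chunk boundary is not missed;
    the set removes the duplicate hit that the overlap can produce."""
    overlap = MAX_SIG_LEN - 1
    hits = set()
    pos = 0
    while pos < len(data):
        window = data[pos:pos + chunk_size + overlap]
        for name, pattern in db.items():
            for m in pattern.finditer(window):
                hits.add((name, pos + m.start()))
        pos += chunk_size
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed samples (labelled as such): a clean file, a file carrying the exact
# signature at offset 60 (so it crosses the 64-byte chunk boundary), and two
# "variants" of the same family that differ only in the wildcard positions.
CLEAN_SAMPLE = bytes(range(256)) * 2
INFECTED_SAMPLE = b"MZ" + b"\x90" * 58 + bytes.fromhex("DEADBEEF01020304") + b"\x00" * 20
VARIANT_A = b"\x90" * 20 + bytes.fromhex("CAFE1122BABE007799") + b"\x00" * 5
VARIANT_B = b"\x90" * 20 + bytes.fromhex("CAFEAABBBABE000199") + b"\x00" * 5


if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE),
                          ("variant A", VARIANT_A), ("variant B", VARIANT_B)]:
        print(label, "->", scan_bytes(sample) or "no match")
```

Scanning a real file only requires feeding its bytes to scan_bytes; a production engine would read the file in chunks rather than loading it whole, but the overlap logic is the same. The wildcard example also shows the limit the text describes: a generic signature catches padding and small byte changes within a family, but not a polymorphic or metamorphic variant whose whole body is rewritten.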
5.4 Malware detection and removal:

5.4.1 Method 1:

The most popular approach to this requirement is to install an antivirus program and to keep it current. As new viruses are detected on a daily basis, the signatures and heuristic methods need to be kept updated on a very regular basis. For this reason, modern antivirus programs generally include facilities to update themselves automatically using a network connection whenever new virus signatures and heuristics become available.

5.4.2 Method 2:

Platforms which are not themselves thought to be vulnerable to viruses but which are used to distribute content potentially including viruses, e.g. via email between Windows users, must also scan for viruses to avoid becoming part of this problem. But the number of known virus signatures continues to increase. So even using the ClamAV antivirus package, which is open source and freely installable, growing memory demands are making this job increasingly expensive. The next slide shows how many virus signatures exist and how much memory these occupy as of November 2008.

5.4.3 Other countermeasures:

One approach involves stopping a system from running and mounting its hard disk using another operating system, booted from trusted media. Tools can be run on the trusted system to detect suspicious changes to files on the system being scanned. This is considered more reliable than running antivirus software directly on the system, which might have been compromised and where the results of the antivirus scan may also have been compromised by an unknown virus.

The trusted scanning system might also store a set of hash signatures or checksums of files which the virus might modify, and test if any executables or registry tables have been modified.
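The hash-based check in 5.4.3 is the same idea as the length check of the first-generation scanners and the cryptographic-hash check of the second-generation scanners listed later in 6.2. The following integrity checker is an added example written for this report (not the report's or any tool's code): it records length and SHA-256 for a trusted snapshot of executables and then classifies what changed. The file tree and contents are constructed in memory; the baseline would in practice live on the read-only trusted media the text describes, so that an infection on the scanned disk cannot rewrite it.

```python
"""Offline integrity check of executables against a trusted baseline (5.4.3, 6.2).

Added example, not from the seminar report. The "file tree" is an in-memory
dict {path: bytes}; paths and contents are constructed for illustration.
"""
import hashlib


def build_baseline(files):
    """Record (length, sha256) per path. Store the result on trusted, read-only media."""
    return {path: (len(data), hashlib.sha256(data).hexdigest())
            for path, data in files.items()}


def check_integrity(baseline, files):
    """Compare the current files with the baseline and return {path: verdict} for
    everything that does not match:
      'size-changed'         length differs (what a first-generation length check
                             sees: appending/prepending infection)
      'content-changed'      same length but hash differs (what only the hash
                             check sees: overwriting or cavity infection)
      'missing'              a baseline file is gone
      'unexpected-new-file'  a file the baseline never recorded"""
    findings = {}
    for path, (length, digest) in baseline.items():
        if path not in files:
            findings[path] = "missing"
            continue
        data = files[path]
        if len(data) != length:
            findings[path] = "size-changed"
        elif hashlib.sha256(data).hexdigest() != digest:
            findings[path] = "content-changed"
    for path in files:
        if path not in baseline:
            findings[path] = "unexpected-new-file"
    return findings


# Constructed trusted snapshot taken from the clean system.
TRUSTED_SNAPSHOT = {
    "/bin/editor": b"MZ" + bytes(64),
    "/bin/net":    b"MZ" + b"\x11" * 64,
    "/bin/shell":  b"MZ" + b"\x22" * 64,
    "/bin/calc":   b"MZ" + b"\x33" * 64,
}
BASELINE = build_baseline(TRUSTED_SNAPSHOT)

# Constructed "current" disk as seen from the trusted boot: one file appended to,
# one prepended to, one overwritten in place at the same length, one untouched,
# and one dropped file that was never in the baseline.
CURRENT_STATE = {
    "/bin/editor": TRUSTED_SNAPSHOT["/bin/editor"] + b"APPENDED-BODY",
    "/bin/net":    b"MZ" + b"\x99" * 64,                        # same size, new content
    "/bin/shell":  b"PREPENDED-BODY" + TRUSTED_SNAPSHOT["/bin/shell"],
    "/bin/calc":   TRUSTED_SNAPSHOT["/bin/calc"],
    "/tmp/dropped.exe": b"MZ" + b"\x44" * 16,
}


if __name__ == "__main__":
    for path, verdict in sorted(check_integrity(BASELINE, CURRENT_STATE).items()):
        print(f"{verdict:20s} {path}")
```

The two verdicts for modified files make the generations of 6.2 concrete: /bin/editor and /bin/shell would be caught by a length comparison alone, but /bin/net, which keeps its size the way the overwriting and cavity infections of chapter 3 do, is only caught by the hash.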
CHAPTER 6 Virus prevention

6.1 Antivirus or anti-virus software:

It is used to prevent, detect, and remove malware, including but not limited to computer viruses, computer worms, Trojan horses, spyware and adware. Computer security, including protection from social engineering techniques, is commonly offered in the products and services of antivirus software companies. This page discusses the software used for the prevention and removal of malware threats, rather than computer security implemented by software methods.

An example of free antivirus software: ClamTk 3.08.

A variety of strategies are typically employed. Signature-based detection involves searching for known patterns of data within executable code. However, it is possible for a computer to be infected with new malware for which no signature is yet known. To counter such so-called zero-day threats, heuristics can be used. One type of heuristic approach, generic signatures, can identify new viruses or variants of existing viruses by looking for known malicious code, or slight variations of such code, in files. Some antivirus software can also predict what a file will do by running it in a sandbox and analyzing what it does to see if it performs any malicious actions.
6.2 Generations of antivirus s/w:

First generation (simple scanners): the scanner uses virus signatures to identify a virus, or a change in the length of programs.
Second generation (heuristic scanners): uses heuristic rules to spot viral infection, or uses a cryptographic hash of the program to spot changes.
Third generation (activity traps): memory-resident programs identify a virus by its actions.
Fourth generation (full-featured protection): packages with a variety of antivirus techniques, e.g. scanning and activity traps together with access-control capability.

6.3 Advanced antivirus techniques:

1. Generic Decryption: Enables an antivirus program to detect even the most complex polymorphic viruses. Every executable file is run in the GD scanner, which has a CPU emulator, a virus signature scanner and an emulation control module.
2. Digital Immune System: Developed by IBM to solve threats in a network. It covers integrated mail systems and mobile program systems.

6.4 Other Technologies:

No matter how useful antivirus software can be, it can sometimes have drawbacks. Antivirus software can impair a computer's performance. Inexperienced users may also have trouble understanding the prompts and decisions that antivirus software presents them with. An incorrect decision may lead to a security breach. If the antivirus software employs heuristic detection, success depends on achieving the right balance between false positives and false negatives. False positives can be as destructive as false negatives. Finally, antivirus software generally runs at the highly trusted kernel level of the operating system, creating a potential avenue of attack.

Installed antivirus software running on an individual computer is only one method of guarding against viruses.
Other methods are also used, including cloud-based antivirus, firewalls and online scanners.

6.4.1 Cloud antivirus: Cloud antivirus is a technology that uses lightweight agent software on the protected computer, while offloading the majority of data analysis to the provider's infrastructure.
One approach to implementing cloud antivirus involves scanning suspicious files using multiple antivirus engines. This approach was proposed by an early implementation of the cloud antivirus concept called CloudAV. CloudAV was designed to send programs or documents to a network cloud where multiple antivirus and behavioural detection programs are used simultaneously in order to improve detection rates. Parallel scanning of files using potentially incompatible antivirus scanners is achieved by spawning a virtual machine per detection engine, so that the engines cannot interfere with one another. CloudAV can also perform "retrospective detection", whereby the cloud detection engine rescans all files in its file-access history when a new threat is identified, thus improving the speed at which new threats are detected. Finally, CloudAV is a solution for effective virus scanning on devices that lack the computing power to perform the scans themselves.

6.4.2 Network firewall:

Network firewalls prevent unknown programs and processes from accessing the system. However, they are not antivirus systems and make no attempt to identify or remove anything. They may protect against infection from outside the protected computer or network, and limit the activity of any malicious software that is present by blocking incoming or outgoing requests on certain TCP/IP ports. A firewall is designed to deal with the broader class of threats that arrive over network connections into the system and is not an alternative to a virus protection system.
6.4.3 Online scanning:

Some antivirus vendors maintain websites with free online scanning of the entire computer, critical areas only, local disks, folders or files. Periodic online scanning is a good idea even for those who run antivirus applications on their computers, because an installed application can be slow to catch a threat that has already got in. One of the first things that malicious software does in an attack is disable any existing antivirus software, and sometimes the only way to learn of an attack is to turn to an online resource that is not installed on the infected computer.

Using rkhunter to scan for rootkits on an Ubuntu Linux computer.

6.4.4 Specialist tools:

Virus removal tools are available to help remove stubborn infections or certain types of infection. Examples include Trend Micro's Rootkit Buster and rkhunter for the detection of rootkits, Avira's AntiVir Removal Tool, PC Tools' Threat Removal Tool, and AVG's Anti-Virus Free 2011.

A bootable rescue disk, such as a CD or USB storage device, can be used to run antivirus software outside of the installed operating system, in order to remove infections while they are dormant. A bootable antivirus disk is useful when, for example, the installed operating system is no longer bootable, or has malware that resists all attempts to remove it with the installed antivirus software.
CHAPTER 7 CASE STUDIES

7.1 Slammer Worm

The Slammer worm, sometimes called Sapphire, was the fastest-spreading computer worm seen up to that time. It began spreading across the Internet on January 25, 2003, and infected more than 90 percent of vulnerable hosts within 10 minutes, causing significant disruption to financial, transportation and government institutions and precluding any human-based response.

1) Vulnerability: Microsoft's database server, SQL Server 2000, and the Microsoft SQL Server Desktop Engine (MSDE) 2000 exhibit two buffer overrun vulnerabilities, one stack-based and one heap-based, that can be exploited by a remote attacker without ever authenticating to the server.

2) Target Selection: The worm used random scanning to select IP addresses and thereby find vulnerable systems. Random-scanning worms initially spread exponentially; later the infection rate slows as the worms keep retrying addresses that are already infected or immune. Slammer was bandwidth-limited, in contrast to Code Red, which was latency-limited.

3) Infection Propagator: The worm carries only 376 bytes of code, containing a simple, fast scanner; with the protocol headers the whole packet is 404 bytes. It uses UDP for propagation, so the entire worm is transmitted in a single datagram, sent to port 1434. It does not write itself to disk: it exists only as network packets and as a running process on infected computers.

4) Payload: It carries no additional malicious content such as backdoors. Its damage comes from the speed at which it attempts to infect (and re-infect) systems, which amounts to a denial of service on the networks it traverses.

5) Network Propagation: When the SQL server receives the malicious request, the overrun of the server's buffer allows the worm code to execute. 
After the worm has entered a vulnerable system, it first obtains the addresses of the functions it needs, then starts an infinite loop scanning for other vulnerable hosts on the Internet. Each iteration generates a target IP address with a pseudorandom number generator seeded from the GetTickCount() value, thereby spreading further into the network and infecting vulnerable machines. The worm does not check whether a host is already running an instance, so hosts are infected repeatedly. The damage could have been far greater had it carried any malicious code.

The worm author also made a few mistakes. The pseudorandom number generator is the linear congruential generator

x' = (x × 214013 + 2531011) mod 2^32

but the author substituted a different value for the 2531011 increment: hex 0xFFD9613C. This value is equivalent to -2531012 when interpreted as a two's-complement decimal.
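The generator described above, as an added example that is not part of the original report: the recurrence with the intended increment beside the worm's substituted constant, the two's-complement reading of that constant, and the Hull-Dobell full-period test, which shows why the substitution matters. It assumes, as a simplification, that each successive 32-bit state is used directly as the next target address, and the seed is a constructed value standing in for GetTickCount().

```python
import socket
from typing import Iterator, Set

MASK32 = 0xFFFFFFFF
MULT = 214013
INC_INTENDED = 2531011     # increment of the standard LCG the worm copied
INC_SLAMMER = 0xFFD9613C   # constant the worm author used instead of 2531011


def to_signed32(v: int) -> int:
    """Read a 32-bit unsigned value as a two's-complement signed integer."""
    return v - (1 << 32) if v & 0x80000000 else v


def lcg_next(x: int, inc: int) -> int:
    """x' = (x * 214013 + inc) mod 2^32, the recurrence quoted in the text."""
    return (x * MULT + inc) & MASK32


def has_full_period(a: int, c: int) -> bool:
    """Hull-Dobell conditions for modulus 2^32: c odd and a == 1 (mod 4).
    Only then does the generator visit every 32-bit value before repeating."""
    return c % 2 == 1 and (a - 1) % 4 == 0


def generate_targets(seed: int, inc: int, count: int) -> Iterator[int]:
    """Simplified model (assumption): each new state is the next target address."""
    x = seed & MASK32
    for _ in range(count):
        x = lcg_next(x, inc)
        yield x


def low_bit_residues(seed: int, inc: int, steps: int, nbits: int = 2) -> Set[int]:
    """Every value the lowest `nbits` bits of the generated addresses ever take."""
    return {x & ((1 << nbits) - 1) for x in generate_targets(seed, inc, steps)}


def to_dotted(x: int) -> str:
    """Render a 32-bit state as an IPv4 address."""
    return socket.inet_ntoa(x.to_bytes(4, "big"))


if __name__ == "__main__":
    seed = 0x1234ABCD  # constructed; stands in for a GetTickCount() value
    print("substituted increment as signed 32-bit:", to_signed32(INC_SLAMMER))
    for name, inc in (("intended", INC_INTENDED), ("slammer", INC_SLAMMER)):
        print(f"{name}: full period = {has_full_period(MULT, inc)}, "
              f"low-2-bit residues seen = {sorted(low_bit_residues(seed, inc, 10000))}")
        print("  first targets:", [to_dotted(t) for t in generate_targets(seed, inc, 3)])
```

Because 214013 is 1 mod 4 and 0xFFD9613C is 0 mod 4, the substituted generator satisfies x' ≡ x (mod 4): the lowest two bits of the state never change from the seed, so in this simplified model a given instance can only ever reach a quarter of the address space, and the generator has no hope of a full 2^32 period. With the odd increment 2531011 the Hull-Dobell conditions hold and the low bits cycle through all four residues.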
6) Prevention: Blocking UDP port 1434 at the firewall prevents infection, since the worm spreads only through that port; applying Microsoft's patch for the SQL Server buffer overruns, which had been available for six months before the outbreak, removes the vulnerability itself.

7.2 Blaster Worm

Blaster is a multi-stage worm first observed on August 11, 2003. It affected between 200,000 and 500,000 computers.

1) Vulnerability: It exploited a remote procedure call (RPC) vulnerability in the Windows 2000 and Windows XP operating systems, which was made public in July 2003.

2) Initialization: When launched, the worm opens a mutex called "BILLY", used to prevent multiple infections of the same machine, and sets a registry key that ensures it is started every time the system reboots.

3) Target Selection: In the initialization phase the worm decides, with 80% probability, to use the exploit code for Windows XP, otherwise the code for Windows 2000. With 60% probability it starts scanning from an IPv4 address of the form X.Y.Z.0 with X, Y and Z chosen at random. With 40% probability it starts from an address of the form X.Y.Z1.0 derived from the infected computer's local address X.Y.Z.U: Z1 is set to Z unless Z is greater than 20, in which case a random value less than 20 is subtracted from Z to give Z1. The destination IP is incremented after each scan.

4) Infection Propagator: If a TCP connection to port 135 on the destination is opened, the exploit code is sent to the victim. On a vulnerable machine the exploit starts a listener on TCP port 4444 that allows remote command execution (on an unpatched Windows XP machine the crash of the RPC service also makes the system reboot). The worm next initiates a TCP connection to port 4444; if that succeeds, the file msblast.exe is transferred using TFTP (the Trivial File Transfer Protocol, a much smaller cousin of FTP). 
The victim downloads the worm code from the infecting host over UDP port 69, provided TFTP requests are not blocked. The infecting host stops its TFTP daemon after the transfer completes or after 20 seconds of inactivity. If the transfer succeeded, it sends the command msblast.exe on the already-open TCP connection to port 4444 of the victim, which launches the worm there.

5) Payload: The RPC step of the worm consists of 72 bytes for RPC, 1460 bytes for the "request" and a 244-byte TCP packet; together with 40 to 48 bytes of TCP/IP headers this brings the exploit to between 1976 and 2016 bytes. The worm code itself is 6176 bytes, which with header overhead comes to 6592 bytes at the IP layer.

6) Prevention: Blaster can be prevented by a firewall that blocks incoming traffic to TCP port 135, TCP port 4444 and the TFTP port (UDP 69), and by applying the operating system patch against the RPC vulnerability.
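The Blaster target-selection rule from step 3 above, carried through in code as an added example that is not part of the original report. The 80/20 exploit choice, the 60/40 choice of starting address, the Z1 derivation and the per-scan increment follow the text; the ScriptedRng class is a constructed stand-in for random.Random so that runs are reproducible, and the sample local addresses are made up.

```python
import random
from typing import List, Sequence, Tuple

IPv4 = Tuple[int, int, int, int]


class ScriptedRng:
    """Deterministic stand-in for random.Random (constructed for reproducible runs)."""

    def __init__(self, floats: Sequence[float], ints: Sequence[int]):
        self._floats = list(floats)
        self._ints = list(ints)

    def random(self) -> float:
        return self._floats.pop(0)

    def randrange(self, n: int) -> int:
        v = self._ints.pop(0)
        if not 0 <= v < n:
            raise ValueError("scripted value out of range")
        return v


def parse_ip(ip: str) -> IPv4:
    x, y, z, u = (int(p) for p in ip.split("."))
    return x, y, z, u


def choose_exploit(rng) -> str:
    """80% of the time use the Windows XP exploit variant, otherwise the Windows 2000 one."""
    return "winxp" if rng.random() < 0.8 else "win2000"


def initial_target(local_ip: str, rng) -> IPv4:
    """Starting address of a scan run, following the 60%/40% rule in the text."""
    x, y, z, _u = parse_ip(local_ip)
    if rng.random() < 0.6:
        # 60%: an entirely random X.Y.Z.0
        return rng.randrange(256), rng.randrange(256), rng.randrange(256), 0
    # 40%: X.Y.Z1.0 derived from the host's own address X.Y.Z.U
    z1 = z
    if z > 20:
        z1 = z - rng.randrange(20)  # subtract a random value less than 20
    return x, y, z1, 0


def increment_ip(addr: IPv4) -> IPv4:
    """The destination address is incremented after each scan (carries across octets)."""
    n = ((addr[0] << 24) | (addr[1] << 16) | (addr[2] << 8) | addr[3]) + 1
    n &= 0xFFFFFFFF
    return (n >> 24) & 255, (n >> 16) & 255, (n >> 8) & 255, n & 255


def scan_sequence(local_ip: str, count: int, rng) -> List[str]:
    """The first `count` destination addresses one infected host would probe."""
    addr = initial_target(local_ip, rng)
    out = []
    for _ in range(count):
        out.append("%d.%d.%d.%d" % addr)
        addr = increment_ip(addr)
    return out


if __name__ == "__main__":
    rng = random.Random(2003)
    print("exploit variant:", choose_exploit(rng))
    print("first 5 targets:", scan_sequence("10.1.30.7", 5, rng))
```

The 40% branch is what made Blaster so noisy inside a single organisation: an infected host at 10.1.30.7 starts at most 20 /24 networks below its own and then walks upward one address at a time, so neighbouring subnets are hit almost immediately.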
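A flow-level check for the two prevention points (7.1.6 and 7.2.6), as an added example that is not part of the original report: it flags Slammer by its 404-byte UDP/1434 datagrams fanning out to many distinct hosts, and Blaster by the tcp/135, tcp/4444, udp/69 sequence between one pair of hosts, over constructed flow records. The record format, thresholds and window lengths are assumptions, and the traffic is made up rather than captured.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float     # seconds since start of capture
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int
    nbytes: int   # IP-layer length of the packet


SLAMMER_PORT, SLAMMER_LEN = 1434, 404           # UDP/1434, 404 bytes including headers
BLASTER_RPC, BLASTER_SHELL, TFTP_PORT = 135, 4444, 69


def detect_slammer(flows: List[Flow], min_targets: int = 20, window: float = 1.0) -> List[str]:
    """Sources sending 404-byte UDP/1434 datagrams to >= min_targets hosts within `window` s."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.proto == "udp" and f.dport == SLAMMER_PORT and f.nbytes == SLAMMER_LEN:
            by_src[f.src].append(f)
    alerts = []
    for src, fs in by_src.items():
        fs.sort(key=lambda g: g.ts)
        for i, first in enumerate(fs):
            targets = {g.dst for g in fs[i:] if g.ts - first.ts <= window}
            if len(targets) >= min_targets:
                alerts.append(src)
                break
    return sorted(alerts)


def detect_blaster(flows: List[Flow], window: float = 60.0) -> List[Tuple[str, str]]:
    """(attacker, victim) pairs: tcp/135 then tcp/4444 from attacker, then udp/69 back from victim."""
    stage: Dict[Tuple[str, str], Dict[str, float]] = defaultdict(dict)
    alerts: List[Tuple[str, str]] = []
    for f in sorted(flows, key=lambda g: g.ts):
        if f.proto == "tcp" and f.dport == BLASTER_RPC:
            stage[(f.src, f.dst)].setdefault("rpc", f.ts)
        elif f.proto == "tcp" and f.dport == BLASTER_SHELL:
            st = stage.get((f.src, f.dst), {})
            if "rpc" in st and f.ts - st["rpc"] <= window:
                st.setdefault("shell", f.ts)
        elif f.proto == "udp" and f.dport == TFTP_PORT:
            pair = (f.dst, f.src)  # the TFTP request travels victim -> attacker
            st = stage.get(pair, {})
            if "shell" in st and f.ts - st["shell"] <= window and pair not in alerts:
                alerts.append(pair)
    return alerts


# Constructed sample traffic (not a real capture).
SAMPLE_FLOWS: List[Flow] = (
    [Flow(0.01 * i, "10.0.0.5", f"172.16.{i}.1", "udp", 1434, 404) for i in range(25)]  # Slammer fan-out
    + [Flow(0.5, "10.0.0.9", "10.0.0.1", "udp", 1434, 60)]                                # benign SQL browse
    + [Flow(100.0, "10.0.0.7", "10.0.0.20", "tcp", 135, 1976),                             # Blaster RPC exploit
       Flow(101.0, "10.0.0.7", "10.0.0.20", "tcp", 4444, 80),                              # shell on 4444
       Flow(102.0, "10.0.0.20", "10.0.0.7", "udp", 69, 60),                                # TFTP fetch of msblast.exe
       Flow(100.0, "10.0.0.8", "10.0.0.21", "tcp", 135, 200)]                              # lone RPC connection
)

if __name__ == "__main__":
    print("Slammer sources:", detect_slammer(SAMPLE_FLOWS))
    print("Blaster pairs:  ", detect_blaster(SAMPLE_FLOWS))
```

Matching on packet length and fan-out is a coarse heuristic: a legitimate SQL browser query to UDP/1434 (the 60-byte flow above) is not flagged, but any 404-byte datagram would be, and a single tcp/135 connection without the follow-on 4444 and TFTP stages is not reported. Blocking the ports at the firewall, as the prevention sections state, is still the control that actually stops the spread; this kind of check tells you which hosts were already infected before the block went in.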
CONCLUSION

I have gone through the basic definitions of viruses and worms, then discussed the different malicious code environments. After that I discussed the different types of viruses and worms, then the various virus and worm propagation techniques in detail, followed by prevention against viruses and worms. I have also looked into two case studies, the Slammer and Blaster worms.

The ability of attackers to rapidly gain control of vast numbers of Internet hosts poses an immense risk to the overall security of the Internet. Virus writers now concentrate more on writing worms, since worms can spread across a network within minutes. Upcoming techniques in worm propagation, such as polymorphic worms, are a serious threat to the Internet community. Worms can be written so that they affect only a particular region or country, and some worms stay quiet for a specific amount of time and attack at random times. Such worms can also be used to mount Distributed Denial of Service (DDoS) attacks, a real threat to websites and network traffic.

Can a virus ever be good? In biology, viruses enable potentially beneficial DNA to be transferred between species, which is considered part of the optimisation of the evolutionary process. But it is thought unlikely that anyone could benefit from computer viruses, other than through the proceeds of crime that those who write and spread viruses might obtain.

The difference between a virus and another kind of program is that an ordinary program will normally have the informed consent of the system owner before it can be installed. While there is a similarity between an operating system that can create a copy of itself on installation media and a virus, an OS that makes it easy for its users to copy it does so with the user's full knowledge and consent. There is no situation in which taking away the end user's consent to perform an action is considered likely to be of benefit.