1. One of the most high-profile threats to information integrity is
network viruses. Network viruses are software that behaves like
biological viruses—they attach themselves to a host and replicate,
spreading the infection. For a computer program to be classified as a
virus, it simply must replicate itself. In this paper (Network Virus
Detection and Prevention), I present what viruses, worms and Trojan
horses are and how they differ, the different strategies of virus
spreading, virus detection, virus prevention, and case studies of the
Slammer and Blaster worms.
2. Virus:
A self-replicating program.
Viruses often require a host, and their goal is to infect other files
so that the virus can live longer.
Worms:
Worms are insidious because they rely less (or not at all) upon
human behavior in order to spread themselves from one computer
to others.
Trojan Horses:
A Trojan horse is a program which pretends to be useful
but performs some unwanted action.
3. Logic Bombs: A logic bomb is a programmed malfunction
of a legitimate application.
Germs: These are first-generation viruses in a
form that the virus cannot generate through its usual
infection process.
Exploits: An exploit is specific to a single vulnerability or set of
vulnerabilities.
5. 1) Size- The sizes of the program code required for computer viruses are
very small.
2) Versatility - Computer viruses have appeared with the ability to generically
attack a wide variety of applications.
3) Propagation - Once a computer virus has infected a program, while this
program is running, the virus is able to spread to other programs
and files accessible to the computer system.
4) Effectiveness - Many of the computer viruses have far-reaching and
catastrophic effects on their victims, including total loss of data,
programs, and even the operating systems.
5) Functionality - A wide variety of functions has been demonstrated in virus
programs. Some virus programs merely spread themselves to
applications without attacking data files, program functions, or
operating system activities. Other viruses are programmed to
damage or delete files, and even to destroy systems.
6) Persistence - In many cases, especially networked operations, eradication
of viruses has been complicated by the ability of a virus program to
repeatedly spread and reoccur through the networked system
from a single copy.
6. Virus/Worm types overview:
Binary File Virus and Worm: These are able to infect over
networks. Normally they are written in machine code.
Binary Stream Worms: Stream worms are a group of network-spreading
worms that never manifest as files.
Script File Virus and Worm: A script virus is technically a file
virus, but script viruses are written as human-readable text.
Macro Virus: Macro viruses infect data files, documents and
spreadsheets.
Boot Virus: The first known successful computer viruses. These are not
able to infect over networks; they take over the boot process of personal
computers.
Multipartite Viruses: These infect both executable files and boot sectors.
7. Overwriting Viruses: These locate another file on the disk and overwrite it with
their own copy.
Random Overwriting Viruses: This is another rare variation of the
overwriting method; it does not change the code at the top of the file but chooses a
random location in the host program and overwrites that location.
8. Appending Viruses: In this technique the virus code is appended at the end of
the program and the first instruction of the code is changed to a jump or call instruction
pointing to the starting address of the viral code.
Prepending Viruses: A common virus infection technique uses the principle of
inserting virus code at the front of host programs. Such viruses are called prepending
viruses.
9. Cavity Viruses: These typically don’t increase the size of the program they
infect. Instead they overwrite a part of the host that can be used to store the virus
code safely.
Amoeba Infection Technique: This is a rarely seen infection technique where
the head part of the viral code is stored at the start of the host program and the tail
part is stored after the end of the host program.
10. A worm might open network connections and infect a vulnerable
target computer directly, as with the Morris worm, which infected an
estimated 6,000 of the 60,000 Internet hosts in November 1988.
Other worms spread, as with a virus, via the use of a host file, which
needs to be transferred as part of the network worm. More recent
worms have included Mydoom and Storm, which were used to install
large botnets used for distributed denial of service (DDoS) and spam
attacks.
11. Boot sector viruses infect the boot sector of the boot disk of a
computer operating system. These became widespread when it was
common for computer users accidentally to leave a floppy disk in the
drive and the computer BIOS was configured to boot from the floppy
by default. These viruses would transfer via the hard disk to all
writeable floppies inserted into the infected computer. This mechanism
was defeated when administrators changed the BIOS settings and
became less likely when floppies were less frequently used.
This infection vector could return to prominence again if flash USB
drives become routinely used by users to carry an operating system
together with applications, custom configurations and data between
physical machines.
12. Non-resident viruses infect application files and are run when the
application runs. Typically the virus is prepended to the application
source code for an interpreted application, or its executable code for
a compiled application. Alternatively the virus code might be
appended with a vector to itself added at the start of the program.
When the virus part of the code runs it will search for another
suitable file to infect. Once the virus code completes it hands control
on to the infected host file. A non-resident virus can be trivial to code
(see the next slide for an example), but such a 'virus' is extremely
unlikely to spread.
13. Fast infector viruses are programmed to spread as rapidly as
possible to reduce the risk of the virus being wiped out once
introduced into the wild. However, a fast infector is more likely to
cause changes of behaviour of the infected system so is more likely
to be detected.
Slow infector viruses are designed to find other targets to infect
infrequently. By spreading slowly this kind of virus is less likely to
be detected.
14. Macro viruses use the macro programming languages which are
embedded within popular applications, e.g. Word and Excel. This kind of
virus became widespread in the 1990s. The threat from this kind of
virus has probably been reduced following additional prompts when a
document containing macros is opened in Word or Excel.
Cross Site Scripting (XSS) viruses exploit a combination of
vulnerabilities present in both web server applications and web browsers.
These will typically need to be coded in two parts: one part being the server
code (e.g. using PHP) which propagates from the infected browser to the
vulnerable servers, and the other part which runs in the browser (e.g.
using JavaScript).
15. Signature based detection is the most common method. To identify
viruses and other malware, antivirus software compares the contents
of a file to a dictionary of virus signatures. Because viruses can
embed themselves in existing files, the entire file is searched, not
just as a whole, but also in pieces.
Heuristic-based detection, like malicious activity detection, can be
used to identify unknown viruses.
File emulation is another heuristic approach. File emulation
involves executing a program in a virtual environment and logging
what actions the program performs. Depending on the actions
logged, the antivirus software can determine if the program is
malicious or not and then carry out the appropriate disinfection
actions.
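The point that a signature scanner must search a file "not just as a whole, but also in pieces" has a practical edge case: a pattern that straddles two read chunks. The following added example (not from the slides; the signatures and the 8 KiB sample are constructed) contrasts a naive per-chunk scan with one that carries an overlap between chunks.

```python
import io
# Constructed demo signatures (not real malware patterns); a production database
# holds hundreds of thousands of these, as the ClamAV figures later in the deck show.
SIGNATURES = {
    "Demo.Marker.A": b"\xde\xad\xbe\xef\x01\x02\x03\x04",
    "Demo.Marker.B": b"CONSTRUCTED-SIG-B",
}

def scan_naive(stream, signatures, chunk_size=4096):
    """Chunk-by-chunk search with no overlap: misses a pattern split across two reads."""
    hits, offset = [], 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for name, sig in signatures.items():
            idx = chunk.find(sig)
            while idx != -1:
                hits.append((name, offset + idx))
                idx = chunk.find(sig, idx + 1)
        offset += len(chunk)
    return hits

def scan_stream(stream, signatures, chunk_size=4096):
    """Chunked search carrying the last (longest-1) bytes forward, so each hit is found once."""
    longest = max(len(s) for s in signatures.values())
    chunk_size = max(chunk_size, longest)  # the carry must always come from the newest chunk
    carry, window_start, hits = b"", 0, []  # window_start: absolute offset of window[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = carry + chunk
        for name, sig in signatures.items():
            idx = window.find(sig)
            while idx != -1:
                # A match ending inside the carried bytes was already reported last round.
                if idx + len(sig) > len(carry):
                    hits.append((name, window_start + idx))
                idx = window.find(sig, idx + 1)
        carry = window[-(longest - 1):] if longest > 1 else b""
        window_start += len(window) - len(carry)
    return sorted(hits, key=lambda h: h[1])

def demo():
    """Constructed 8 KiB 'file': Marker.B inside the first chunk, Marker.A straddling the
    4096-byte boundary (offsets 4092..4099). Returns (naive_hits, overlap_hits)."""
    data = bytearray(8192)
    data[100:117] = SIGNATURES["Demo.Marker.B"]
    data[4092:4100] = SIGNATURES["Demo.Marker.A"]
    return scan_naive(io.BytesIO(data), SIGNATURES), scan_stream(io.BytesIO(data), SIGNATURES)
```

The naive scan reports only Marker.B; the overlap-aware scan reports both, which is why real engines also match across buffer boundaries.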
16. The most popular approach to this requirement is to install an
antivirus program and to keep it current. As new viruses are
detected on a daily basis, the signatures and heuristic methods need to
be kept updated on a very regular basis. For this reason, modern
antivirus programs generally include facilities to update themselves
automatically over a network connection whenever new virus
signatures and heuristics become available.
17. But the number of known virus signatures continues to increase. So
even using the ClamAV antivirus package, which is open source and
freely installable, growing memory demands are making this job
increasingly expensive. The next slide shows how many virus
signatures exist and how much memory these occupy as of
November 2008.
Platforms which are not themselves thought to be vulnerable to
viruses but which are used to distribute content potentially including
viruses, e.g. via email between Windows users, must also scan for
viruses to avoid becoming part of this problem.
18. Number of virus signatures: 437972
freshclam daemon 0.94 (OS: linux-gnu, ARCH: i386, CPU: i486)
ClamAV update process started at Fri Nov 7 18:24:28 2008
main.cld is up to date (version: 49, sigs: 437972, f-level: 35, builder: sven)
Demand of anti-virus on memory: 50.9%
PID   USER   PR NI VIRT RES S %CPU %MEM COMMAND
20782 clamav 20  0 126m 72m S  0.0 50.9 clamav-milter
19. One approach involves stopping a system from running and mounting its
hard disk using another operating system, booted using trusted media.
Tools can be run on the trusted system to detect suspicious changes to
files on the system being scanned. This is considered more reliable than
running antivirus software directly on the system which might have been
compromised and where the results of the antivirus scan may also have
been compromised by an unknown virus.
The trusted scanning system might also store a set of hash signatures or
checksums of files which the virus might modify, and test whether any
executables or registry tables have been modified.
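An added example (not from the slides) of the checksum approach just described: record a baseline of SHA-256 digests while the system is known-good, then compare the same tree later, ideally from a trusted boot with the suspect disk mounted read-only. The directory tree and file contents below are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile

def sha256_file(path, block=65536):
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # record real files only; a file replaced by a symlink shows as 'removed'
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline

def compare(baseline, current):
    """Return (modified, added, removed) lists of relative paths."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed

def demo():
    """Constructed scenario: baseline a small tree, alter it, and detect the differences."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        for rel, body in (("bin/app", b"ORIGINAL PROGRAM"), ("bin/tool", b"OTHER PROGRAM")):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(body)
        saved = json.dumps(build_baseline(root))  # what the trusted system would keep offline
        # Simulate what a later scan might find: one executable changed in place,
        # an unexpected new file, and one file gone.
        with open(os.path.join(root, "bin/app"), "wb") as f:
            f.write(b"CHANGED HEADER" + b"ORIGINAL PROGRAM")
        with open(os.path.join(root, "bin/dropped"), "wb") as f:
            f.write(b"UNKNOWN FILE")
        os.remove(os.path.join(root, "bin/tool"))
        return compare(json.loads(saved), build_baseline(root))
```

The baseline itself must be stored where the scanned system cannot alter it, otherwise a compromised host could rewrite the digests along with the files.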
20. Antivirus software is used to prevent, detect, and remove malware, including but not
limited to computer viruses, computer worms, Trojan horses, spyware
and adware. Computer security, including protection from social
engineering techniques, is commonly offered in products and services
of antivirus software companies.
An example of free antivirus software: ClamTk 3.08
21. First generation (simple scanners): the scanner uses a virus signature to
identify the virus, or a change in the length of programs.
Second generation (heuristic scanners): uses heuristic rules to spot
viral infection, or uses a cryptographic hash of the program to spot changes.
Third generation (activity traps): memory-resident programs identify
the virus by its actions.
Fourth generation (full-featured protection): packages combining a variety
of antivirus techniques, e.g. scanning and activity traps together with
access-control capability.
22. Generic Decryption: Enables the antivirus program to detect even the
most complex polymorphic viruses. Every executable file should
be run in the GD scanner, which has a CPU emulator, a virus signature
scanner and an emulation control module.
Digital Immune System: Developed by IBM to address threats spreading
across a network.
Integrated mail systems
Mobile program systems
23. No matter how useful antivirus software can be, it can sometimes have
drawbacks. Antivirus software can impair a computer's performance.
Inexperienced users may also have trouble understanding the prompts
and decisions that antivirus software presents them with.
Installed antivirus software running on an individual computer is only
one method of guarding against viruses. Other methods are also used,
including cloud-based antivirus, firewalls and on-line scanners.
Cloud antivirus: Cloud antivirus is a technology that uses
lightweight agent software on the protected computer, while
offloading the majority of data analysis to the provider's
infrastructure.
Network firewall: Network firewalls prevent unknown
programs and processes from accessing the system. However,
they are not antivirus systems and make no attempt to identify or
remove anything.
25. Online scanning: Some antivirus vendors maintain websites with
free online scanning capability for the entire computer, critical areas
only, local disks, folders or files. Periodic online scanning is a good
idea for those that run antivirus applications on their computers
because those applications are frequently slow to catch threats.
Using rkhunter to scan for rootkits on an Ubuntu Linux computer.
26. In biology, viruses enable potentially beneficial DNA to be transferred between
species. This is considered to be a part of the optimisation of the evolutionary
process. But it is thought unlikely that anyone could benefit from computer
viruses, other than the proceeds of crime which those who write and spread
viruses might obtain.
The difference between a virus and another kind of program is that an ordinary
program will normally have the informed consent of the system owner before it
can be installed. While there is a similarity between an operating system which
can create a copy of itself on installation media and a virus, the OS that makes it
easy for its users to copy it will do this with the user's full knowledge and
consent.
There is no situation in which taking away the end user's consent to perform an
action is considered likely to be of benefit.
27. I have gone through the basic definitions of viruses and worms,
then discussed the different malicious code environments.
After that I discussed the different types of viruses and
worms, then discussed in detail the various virus and
worm propagation techniques. After that I discussed
prevention from viruses and worms. I have also looked into two case
studies, of the Slammer and Blaster worms.
The ability of attackers to rapidly gain control of vast numbers of
internet hosts poses an immense risk to the overall security of the
internet. Nowadays virus writers are concentrating more on
writing worms, as they have great capability to spread over the
network in a few minutes. There are various upcoming techniques in
worm propagation, such as polymorphic worms, which are a big
threat to the internet community. Worms can be written such that they
affect only a particular region or country. There are worms
which will keep quiet for a specific amount of time and attack at
random times. These worms can also be used to create Distributed
Denial of Service (DDoS) attacks, which are a real threat to websites and
network traffic.