Viruses and Worms
What is a Virus
• It is a replicating program.
• Can produce a copy of itself by attaching itself to another program.
• For example, software that piggybacks on real programs: every time MS Word runs, the virus runs too. The virus reproduces by attaching copies of itself to other programs & files.
• Typical transmission via:
  – File downloads
  – Infected disks / USB / flash drives
  – Email attachments
Types & Growth
• Some viruses will affect computers as soon as their code is executed.
• Others will remain dormant until pre-determined logical circumstances are met.
Virus Life Stages
• Design
  – Virus code is developed using a programming language or a virus construction kit.
• Replication
  – The virus replicates itself within the target system over a period of time.
• Launch
  – The virus is activated when the user performs a certain action, such as running a program.
• Detection
  – A new virus is typically identified after data corruption, system malfunctioning and damage have taken place.
• Incorporation
  – Antivirus software developers assemble a defence against the virus.
• Elimination
  – The antivirus defence is deployed as an update.
Motivations in Virus Creation
• Inflict damage to competitors
• Research projects
• Prank / Vandalism
• Targeted attack of specific company (Stuxnet)
• Distribute a political message (Injustice)
• Identity theft, Spyware (CoolWebSearch)
• Financial Gain
• Cryptoviral extortion (Gpcode)
  – This is a Trojan that encrypts files with certain extensions on local and remote drives and then asks a user to contact its author to buy a decryption solution.
Indications of Virus infection
• Programs taking longer to load
• Hard drive available capacity falling without usage
• Drive usage even when unused
• Unknown files appearing on your system
• Unexpected graphic displays
• File name changes
• Program size keeps changing
• High memory usage & system slows down
Infection methods
• File downloads without verifying the source
• Virus-infected files sent via mail with the aim of getting the recipient to open the mail and / or execute the virus.
• Virus is incorporated into popular software programs and the infected software is uploaded onto websites intended for software downloads.
• Failing to install / update security patches
• Failing to use the latest versions of antivirus signature files.
• Social engineering, where the attacker tricks the end-user into going to an innocent-looking webpage containing malware. (Discuss spear-phishing also)
• Compromised legitimate websites
• Fake antivirus software
How they spread
Types of Virus
• Email virus:
  – Moves around in email messages. Replicates by auto-mailing itself to people in the victim’s email address book.
• Worm:
  – Software that uses computer networks & security holes to replicate itself. A copy of the worm scans the network for other computers with a specific security hole & replicates there as well…
• Trojan horse:
  – Program that claims to do one thing (e.g. game) but instead does damage when you run it (e.g. erase hard disk). Does not auto-replicate.
Some More Types
• Encryption Virus
• Polymorphic Virus
• Metamorphic Virus
• File extension Virus
• Macro Virus
Encryption Virus
• Consists of an encrypted copy of the virus
• Also contains a decryption module, which remains consistent
• Different keys are used for encryption
• The attached decryption module contains the key to decrypt the virus.
• Virus signature keeps changing
• Virus scanners must determine the signature of the decrypting module instead
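The scanner's side of this slide, as an added example that is not part of the original deck: three signature strategies are run over constructed, inert test files laid out as host + decryption module + key + encrypted body. The byte strings, the single-byte XOR and every function name are assumptions made for illustration.

```python
import hashlib

# Constructed, inert stand-ins for the parts named on the slide (not real code).
DECRYPTOR_STUB = b"<<constant decryption module>>"
BODY = b"<<virus body placeholder: inert text only>>"
HOST = b"HOSTFILE-HEADER" + bytes(range(32))


def xor(data, key):
    """Single-byte XOR, standing in for whatever cipher a sample uses."""
    return bytes(b ^ key for b in data)


def build_fixture(key):
    """Test fixture with the slide's layout: host, stub, key, encrypted body."""
    return HOST + DECRYPTOR_STUB + bytes([key]) + xor(BODY, key)


# Signatures an analyst could extract from the first captured sample (key 0x21).
FIRST_CAPTURE = build_fixture(0x21)
HASH_SIGNATURES = {hashlib.sha256(FIRST_CAPTURE).hexdigest()}
BODY_SIGNATURE = xor(BODY, 0x21)   # encrypted body bytes exactly as captured
STUB_SIGNATURE = DECRYPTOR_STUB    # bytes of the decrypting module


def scan(blob):
    """Apply each signature strategy to one file and report every result."""
    result = {
        "hash": hashlib.sha256(blob).hexdigest() in HASH_SIGNATURES,
        "body_bytes": BODY_SIGNATURE in blob,
        "stub_offset": blob.find(STUB_SIGNATURE),
        "body_after_decrypt": False,
    }
    if result["stub_offset"] >= 0:
        # The key travels with the decryption module, so the scanner can undo
        # the encryption and compare against the constant plaintext body.
        key_pos = result["stub_offset"] + len(STUB_SIGNATURE)
        if key_pos < len(blob):  # guard against a truncated file
            key = blob[key_pos]
            candidate = blob[key_pos + 1:key_pos + 1 + len(BODY)]
            result["body_after_decrypt"] = xor(candidate, key) == BODY
    return result


def detected(blob):
    """Flag a file when the decrypting-module signature matches."""
    return scan(blob)["stub_offset"] >= 0


if __name__ == "__main__":
    for key in (0x21, 0x5A, 0xC3):
        print(hex(key), scan(build_fixture(key)))
    print("clean", scan(HOST))
```

Only the first capture matches the hash and encrypted-body signatures; the other keys are caught by the decrypting-module signature alone. A polymorphic sample, which also changes its encryption module, would not match this stub signature.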
Polymorphic Virus
• Modify their code each time they replicate
• They change their encryption module on
replication.
• Virus signature keeps changing
• Mutation Engine used by the Virus to
change is also used by the antivirus
software for detection.
• Can be difficult to detect
Metamorphic Virus
• Virus that rewrites itself
• Original algorithm remains intact but the
code changes to avoid detection.
• Complex to code
• Better than Polymorphic at avoiding
detection.
File extension Virus
• Used to trick the end-user into opening what looks to be a valid file
• If the end-user's file extension view is turned off, a file such as BAD.TXT.VBS will be displayed as BAD.TXT
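A mail-gateway or download-folder check for this naming trick, as an added example that is not part of the original deck: it reports files whose last extension is executable while the name shown with extensions hidden still ends in a document or media extension. The extension lists, function names and sample file names (apart from BAD.TXT.VBS and name.txt.exe, which the deck quotes) are constructed for illustration.

```python
import ntpath

# Extensions Windows runs directly or hands to a script host (not exhaustive).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "hta", "lnk"}
# Extensions users read as harmless documents or media (not exhaustive).
DECOY_EXTS = {"txt", "doc", "docx", "xls", "xlsx", "pdf", "rtf",
              "jpg", "jpeg", "png", "gif", "mp3", "zip"}


def normalise(filename):
    """Return the bare file name the way Windows resolves it."""
    base = ntpath.basename(filename)
    # Windows drops trailing dots and spaces when a file is created.
    return base.rstrip(". ")


def displayed_name(filename):
    """Name shown when the file extension view is turned off.

    Assumes the final extension is a registered type, so it is hidden.
    """
    base = normalise(filename)
    stem, dot, _ext = base.rpartition(".")
    return stem if dot and stem else base


def check(filename):
    """Return a finding dict for a deceptive double extension, else None."""
    base = normalise(filename)
    parts = base.split(".")
    if len(parts) < 3:
        return None  # zero or one extension: no decoy can be left showing
    real_ext = parts[-1].lower()
    decoy_ext = parts[-2].lower()
    if real_ext in EXECUTABLE_EXTS and decoy_ext in DECOY_EXTS:
        return {"file": base, "shown_as": displayed_name(base),
                "decoy": decoy_ext, "real": real_ext}
    return None


def audit(filenames):
    """Check many names and keep only the findings."""
    return [finding for finding in map(check, filenames) if finding]


# Constructed sample: the two names quoted in the deck plus benign look-alikes.
SAMPLE_NAMES = [
    "BAD.TXT.VBS",
    "name.txt.exe",
    "C:\\Users\\demo\\Downloads\\Holiday.Photo.JPG.scr",
    "report.final.docx",   # two dots, but the real type is a document
    "archive.tar.gz",      # legitimate compound extension
    "setup.exe",           # executable, but nothing is disguised
    "notes.txt",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_NAMES):
        print(f'{finding["file"]!r} would be shown as {finding["shown_as"]!r}')
```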
Macro Virus
• Word or similar applications are infected with this type of virus.
• Typically written in a macro language such as VBA (Visual Basic for Applications).
• Typically spread via email
• The line between data files and applications is becoming blurred.
• Files such as Word, Excel, PowerPoint, Windows Help and PDF files can contain exploit macro code.
Examples of Famous Viruses
Mydoom (Novarg) Worm/Email Virus:
• Infected 250,000 computers in a single day in 2004. Windows PCs only.
• When users click on the email attachment, it runs the virus
• Used a double extension to fool the user (name.txt.exe)
• Targeted SCO and Microsoft with HTTP requests from infected hosts.
• Distributed Denial of Service (DDoS)
• Also floods computers with mass emailing
• 20% to 30% of all email traffic at its peak
Melissa Macro Virus:
• 1999. Infects machines with MS Word 97. Propagated by the user opening an infected Word doc. Infects Normal.dot & hence all Word files. The virus then creates an email message containing an infected Word doc as an attachment. Doc contains references to pornographic web sites.
• Virus propagated if macros are enabled on the PC
More Famous Viruses
ILOVEYOU virus:
• May 2000. Comes in an email with “I LOVE YOU” in the subject line and an attachment. When the attachment is opened, it sends the message to everyone in the MS Outlook address book.
• Also deletes all JPEG, MP3, & certain other files on your hard disk!
• Reached 45 million users in one day.
• Some large companies had to shut down email completely.
• VBS
• $15 billion to remove the worm
Bubble Boy Virus
• Not harmful
• Worm executes as soon as the message is
viewed in the preview pane
• Changes user name and company name to
“BubbleBoy”
• Opens Outlook through ActiveX and mails
itself to everyone in the address book
Blaster
• Worm
• August 2003
• Windows XP & 2000, 2003 Server
• Opens a remote command shell that listens on TCP port 4444
• Sleeps for 20-second intervals and awakens to look for new machines to infect
• Worm starts a TCP SYN Flood attack on
windowsupdate.com
• Mblast.exe
THE CONFICKER WORM
• One of the most notorious worms that has been
unleashed on the internet in recent times
• Speculation is that the worm was let loose by one
or more government organizations to test its
power to propagate
• Worm infected a large number of machines
around the world
• Infected only Windows machines
THE CONFICKER WORM
• Symptoms
– could also lock out certain user accounts
– disabled the Automatic Updates feature
– made it impossible for the infected machine to carry out DNS lookups for the hostnames that correspond to anti-virus software vendors
– modifications to the Windows registry
Infection method
• On the older Windows platforms, a machine would be infected with the worm by any
machine sending it a specially crafted packet disguised as an RPC (Remote Procedure
Call).
• On newer Windows platforms, the infecting packet had to be received from a user who
could be authenticated by the victim machine
• First discovered in October 2008
• The worm infection spread by exploiting a vulnerability in the executable svchost.exe
on a Windows machine
svchost.exe
• The job of the always-running process that executes the svchost.exe file is to facilitate
the execution of the dynamically-linkable libraries (DLLs) that the different applications
reside in or use.
• The svchost process does this by replicating itself for each DLL that needs to be executed. So we could say that any DLL that needs to be executed must “attach” itself to the svchost process.
• The svchost process checks the services part of the registry to construct a list of services
(meaning a list of DLLs) it must load.
Infection method
• A machine running a pre-patched version of the Windows Server Service svchost.exe
could be infected because of a vulnerability with regard to how it handled remote code
execution needed by the RPC requests coming in through port 445.
• So if a machine allowed for remote code execution in a network, perhaps because it made some resources available to clients, it would be open to infection through this mechanism.
• Once a machine was infected, the worm could drop a copy of itself in the hard disks on the other machines mapped in the previously infected machine (network shares). If it needed a password in order to drop a copy of itself at these other locations, the worm came equipped with a list of 240 commonly used passwords. If it succeeded, the worm created a new folder at the root of these other disks where it placed a copy of itself.
• The worm could also drop a copy of itself as the autorun.inf file in USB media such as
memory sticks. This allowed the worm copy to execute when the drive was accessed (if
Autorun was enabled).
Detection
• The worm prevented an automatic download of the latest virus signatures from the anti-virus
software vendors by altering the DNS software on the infected machine. When a machine could not
be disinfected through automatic methods, you had to resort to a more manual intervention consisting
of downloading the anti-virus tool on a separate clean machine, possibly burning a CD with it, and,
finally, installing and running the tool on the infected machine.
• The worm was also capable of resetting the system restore points, which made restoring to an earlier restore point impossible as a means of system recovery.
• For the next step, the worm instructs the firewall to open a randomly selected high-numbered port to
the internet. It then uses this port to reach out to the network in order to infect other machines. In
order to succeed with propagation, the worm must become aware of the IP address of the host on
which it currently resides. This it accomplishes by reaching out to a web site like
http://checkip.dyndns.com
Problems it caused
• A French Navy computer network was infected with Conficker on 15 January 2009. The network was subsequently quarantined, forcing aircraft at several airbases to be grounded because their flight plans could not be downloaded.
• The United Kingdom Ministry of Defence reported that some of its major systems and
desktops were infected. The virus had spread across administrative offices, NavyStar/N*
desktops aboard various Royal Navy warships and Royal Navy submarines, and
hospitals across the city of Sheffield reported infection of over 800 computers.
Stuxnet Worm
• Discovered in 2010
• The first publicly known intentional act of
cyberwarfare to be implemented
• Stuxnet reportedly ruined almost one-fifth
of Iran's nuclear centrifuges
• Stuxnet is typically introduced to the target
environment by an infected USB flash drive
Other unwanted software
Spyware:
• Collects personal info about users without their consent.
• Records personal info by logging keystrokes, recording web browser history, or scanning hard disk docs.
• Purposes include criminal intent, advertising, or just to be annoying
• Identity theft, stealing credit card numbers, etc.
Anti-Virus Software
What is Anti-Virus Software?
• Program that searches the hard drive (& other drives) for any known or potential viruses or malware.
• Works in 2 ways:
  1. Scan files for viruses contained in the virus dictionary (DAT file)
  2. Identify suspicious behaviour (e.g. data capture, monitoring)
McAfee VirusScan & Norton AntiVirus
• Very similar products.
• For home & home-office use
• Enterprise edition for corporate environments
• Integrates anti-virus, firewall, & anti-spyware
• Performance hits?
• Live updates.
• Pricing usually based on subscription (1 year).
• Get program updates for free, but pay for virus updates!
Install/Config Anti-Virus Software
Virus Protection
• Install after Service Packs
• Anti-virus software runs as a process
• Schedule to run at specific times (e.g. every day)
• Specify which disks to scan
• Run each time computer boots up?
• Config for auto updates (DAT files) from web
• Anti-Virus Software:
  – McAfee, Norton

More Related Content

What's hot

Antivirus software
Antivirus softwareAntivirus software
Antivirus software
Shreya Singireddy
 
What Is An Antivirus Software?
What Is An Antivirus Software?What Is An Antivirus Software?
What Is An Antivirus Software?
culltdueet65
 
Malicious software and software security
Malicious software and software  securityMalicious software and software  security
Malicious software and software security
G Prachi
 
Computer virus
Computer virusComputer virus
Computer virus
Aarya Khanal
 
Computer virus
Computer virusComputer virus
Computer virus
Kaushik Vemani Venkata
 
Computer Worms
Computer WormsComputer Worms
Computer Worms
sadique_ghitm
 
Computer Malware
Computer MalwareComputer Malware
Computer Malwareaztechtchr
 
Computer viruses and antiviruses PPT
Computer viruses and antiviruses PPTComputer viruses and antiviruses PPT
Computer viruses and antiviruses PPT
Eva Harshita
 
Program and System Threats
Program and System ThreatsProgram and System Threats
Program and System ThreatsReddhi Basu
 
Ch02 System Threats and Risks
Ch02 System Threats and RisksCh02 System Threats and Risks
Ch02 System Threats and Risks
Information Technology
 
Computer virus and antivirus
Computer virus and antivirusComputer virus and antivirus
Computer virus and antivirus
Maryam Malik
 
Virus and malware presentation
Virus and malware presentationVirus and malware presentation
Virus and malware presentation
Amjad Bhutto
 
introduction to malwares,virus,trojan horse
introduction to malwares,virus,trojan horseintroduction to malwares,virus,trojan horse
introduction to malwares,virus,trojan horseSpandan Patnaik
 
Ransomware
RansomwareRansomware
Ransomware
Chaitali Sharma
 
Computer virus !!!!!
Computer virus !!!!!Computer virus !!!!!
Computer virus !!!!!
pratikpandya18
 
Computer & internet Security
Computer & internet SecurityComputer & internet Security
Computer & internet Security
Gerard Lamusse
 
COMPUTERS ( types of viruses)
COMPUTERS ( types of viruses)COMPUTERS ( types of viruses)
COMPUTERS ( types of viruses)
Sowjanya Sampathkumar
 
Malicious Software
Malicious SoftwareMalicious Software
Malicious Software
Hamza Muhammad
 

What's hot (20)

Antivirus software
Antivirus softwareAntivirus software
Antivirus software
 
What Is An Antivirus Software?
What Is An Antivirus Software?What Is An Antivirus Software?
What Is An Antivirus Software?
 
Malicious software and software security
Malicious software and software  securityMalicious software and software  security
Malicious software and software security
 
Computer virus
Computer virusComputer virus
Computer virus
 
Computer virus
Computer virusComputer virus
Computer virus
 
Computer Worms
Computer WormsComputer Worms
Computer Worms
 
Computer Malware
Computer MalwareComputer Malware
Computer Malware
 
Computer viruses and antiviruses PPT
Computer viruses and antiviruses PPTComputer viruses and antiviruses PPT
Computer viruses and antiviruses PPT
 
Program and System Threats
Program and System ThreatsProgram and System Threats
Program and System Threats
 
Computer viruses
Computer virusesComputer viruses
Computer viruses
 
Computer virus
Computer virusComputer virus
Computer virus
 
Ch02 System Threats and Risks
Ch02 System Threats and RisksCh02 System Threats and Risks
Ch02 System Threats and Risks
 
Computer virus and antivirus
Computer virus and antivirusComputer virus and antivirus
Computer virus and antivirus
 
Virus and malware presentation
Virus and malware presentationVirus and malware presentation
Virus and malware presentation
 
introduction to malwares,virus,trojan horse
introduction to malwares,virus,trojan horseintroduction to malwares,virus,trojan horse
introduction to malwares,virus,trojan horse
 
Ransomware
RansomwareRansomware
Ransomware
 
Computer virus !!!!!
Computer virus !!!!!Computer virus !!!!!
Computer virus !!!!!
 
Computer & internet Security
Computer & internet SecurityComputer & internet Security
Computer & internet Security
 
COMPUTERS ( types of viruses)
COMPUTERS ( types of viruses)COMPUTERS ( types of viruses)
COMPUTERS ( types of viruses)
 
Malicious Software
Malicious SoftwareMalicious Software
Malicious Software
 

Similar to Virus and Worms

Malicious software
Malicious softwareMalicious software
Malicious software
Dr.Florence Dayana
 
Viruses worms
Viruses wormsViruses worms
Viruses & worms
Viruses & wormsViruses & worms
Viruses & worms
vivek pratap singh
 
FCS Presentation.pptx
FCS Presentation.pptxFCS Presentation.pptx
FCS Presentation.pptx
SridharChowdary10
 
Codigo Malicioso
Codigo MaliciosoCodigo Malicioso
Codigo Malicioso
Jose Manuel Acosta
 
Computer Introduction-Lecture04
Computer Introduction-Lecture04Computer Introduction-Lecture04
Computer Introduction-Lecture04
Dr. Mazin Mohamed alkathiri
 
Virus and Anti Virus - Types of Virus and Anti Virus
Virus and Anti Virus - Types of Virus and Anti VirusVirus and Anti Virus - Types of Virus and Anti Virus
Virus and Anti Virus - Types of Virus and Anti Virus
Adeel Rasheed
 
Virussss.pdf
Virussss.pdfVirussss.pdf
Virussss.pdf
SreelekshmiAS11
 
Computer viruses
Computer virusesComputer viruses
Computer viruses
SimiAttri
 
Virus.pptx
Virus.pptxVirus.pptx
Virus.pptx
EimerejDlcrz
 
Computer virus_the_things_u_must_know_
 Computer virus_the_things_u_must_know_ Computer virus_the_things_u_must_know_
Computer virus_the_things_u_must_know_wargames12
 
Virus and its CounterMeasures -- Pruthvi Monarch
Virus and its CounterMeasures                         -- Pruthvi Monarch Virus and its CounterMeasures                         -- Pruthvi Monarch
Virus and its CounterMeasures -- Pruthvi Monarch
Pruthvi Monarch
 
Computer virus & its cure
Computer virus & its cure Computer virus & its cure
Computer virus & its cure
shubhamverma2711
 
Computer viruses by joy chakraborty
Computer viruses by joy chakrabortyComputer viruses by joy chakraborty
Computer viruses by joy chakrabortyJoy Chakraborty
 
Kinds of Viruses
Kinds of VirusesKinds of Viruses
Kinds of Viruses
jenniel143
 
Virus and its types 2
Virus and its types 2Virus and its types 2
Virus and its types 2
Saud G
 
Computer virus
Computer virusComputer virus
Computer virus
Sarhad Baez
 

Similar to Virus and Worms (20)

Malicious software
Malicious softwareMalicious software
Malicious software
 
Viruses worms
Viruses wormsViruses worms
Viruses worms
 
Viruses & worms
Viruses & wormsViruses & worms
Viruses & worms
 
FCS Presentation.pptx
FCS Presentation.pptxFCS Presentation.pptx
FCS Presentation.pptx
 
Codigo Malicioso
Codigo MaliciosoCodigo Malicioso
Codigo Malicioso
 
Computer Introduction-Lecture04
Computer Introduction-Lecture04Computer Introduction-Lecture04
Computer Introduction-Lecture04
 
Virus and Anti Virus - Types of Virus and Anti Virus
Virus and Anti Virus - Types of Virus and Anti VirusVirus and Anti Virus - Types of Virus and Anti Virus
Virus and Anti Virus - Types of Virus and Anti Virus
 
Virussss.pdf
Virussss.pdfVirussss.pdf
Virussss.pdf
 
Computer viruses
Computer virusesComputer viruses
Computer viruses
 
Virus.pptx
Virus.pptxVirus.pptx
Virus.pptx
 
Computer Viruses
Computer VirusesComputer Viruses
Computer Viruses
 
Computer virus_the_things_u_must_know_
 Computer virus_the_things_u_must_know_ Computer virus_the_things_u_must_know_
Computer virus_the_things_u_must_know_
 
Virus and its CounterMeasures -- Pruthvi Monarch
Virus and its CounterMeasures                         -- Pruthvi Monarch Virus and its CounterMeasures                         -- Pruthvi Monarch
Virus and its CounterMeasures -- Pruthvi Monarch
 
Computer viruses
Computer virusesComputer viruses
Computer viruses
 
Computer virus & its cure
Computer virus & its cure Computer virus & its cure
Computer virus & its cure
 
Computer viruses
Computer virusesComputer viruses
Computer viruses
 
Computer viruses by joy chakraborty
Computer viruses by joy chakrabortyComputer viruses by joy chakraborty
Computer viruses by joy chakraborty
 
Kinds of Viruses
Kinds of VirusesKinds of Viruses
Kinds of Viruses
 
Virus and its types 2
Virus and its types 2Virus and its types 2
Virus and its types 2
 
Computer virus
Computer virusComputer virus
Computer virus
 

More from GrittyCC

Copyright Protection
Copyright ProtectionCopyright Protection
Copyright Protection
GrittyCC
 
General Data Protection Regulation
General Data Protection RegulationGeneral Data Protection Regulation
General Data Protection Regulation
GrittyCC
 
Spam & Phishing
Spam & PhishingSpam & Phishing
Spam & Phishing
GrittyCC
 
Passwords
PasswordsPasswords
Passwords
GrittyCC
 
International Cybercrime (Part 1)
International Cybercrime (Part 1)International Cybercrime (Part 1)
International Cybercrime (Part 1)
GrittyCC
 
International Cybercrime (Part 2)
International Cybercrime (Part 2)International Cybercrime (Part 2)
International Cybercrime (Part 2)
GrittyCC
 
International Cybercrime (Part 3)
International Cybercrime (Part 3)International Cybercrime (Part 3)
International Cybercrime (Part 3)
GrittyCC
 
Computer Evidence/Computer Misuse Act 1990 cases
Computer Evidence/Computer Misuse Act 1990 casesComputer Evidence/Computer Misuse Act 1990 cases
Computer Evidence/Computer Misuse Act 1990 cases
GrittyCC
 

More from GrittyCC (8)

Copyright Protection
Copyright ProtectionCopyright Protection
Copyright Protection
 
General Data Protection Regulation
General Data Protection RegulationGeneral Data Protection Regulation
General Data Protection Regulation
 
Spam & Phishing
Spam & PhishingSpam & Phishing
Spam & Phishing
 
Passwords
PasswordsPasswords
Passwords
 
International Cybercrime (Part 1)
International Cybercrime (Part 1)International Cybercrime (Part 1)
International Cybercrime (Part 1)
 
International Cybercrime (Part 2)
International Cybercrime (Part 2)International Cybercrime (Part 2)
International Cybercrime (Part 2)
 
International Cybercrime (Part 3)
International Cybercrime (Part 3)International Cybercrime (Part 3)
International Cybercrime (Part 3)
 
Computer Evidence/Computer Misuse Act 1990 cases
Computer Evidence/Computer Misuse Act 1990 casesComputer Evidence/Computer Misuse Act 1990 cases
Computer Evidence/Computer Misuse Act 1990 cases
 

Recently uploaded

Introduction to Quality Improvement Essentials
Introduction to Quality Improvement EssentialsIntroduction to Quality Improvement Essentials
Introduction to Quality Improvement Essentials
Excellence Foundation for South Sudan
 
Sectors of the Indian Economy - Class 10 Study Notes pdf
Sectors of the Indian Economy - Class 10 Study Notes pdfSectors of the Indian Economy - Class 10 Study Notes pdf
Sectors of the Indian Economy - Class 10 Study Notes pdf
Vivekanand Anglo Vedic Academy
 
Operation Blue Star - Saka Neela Tara
Operation Blue Star   -  Saka Neela TaraOperation Blue Star   -  Saka Neela Tara
Operation Blue Star - Saka Neela Tara
Balvir Singh
 
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup   New Member Orientation and Q&A (May 2024).pdfWelcome to TechSoup   New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
TechSoup
 
How to Split Bills in the Odoo 17 POS Module
How to Split Bills in the Odoo 17 POS ModuleHow to Split Bills in the Odoo 17 POS Module
How to Split Bills in the Odoo 17 POS Module
Celine George
 
Ethnobotany and Ethnopharmacology ......
Ethnobotany and Ethnopharmacology ......Ethnobotany and Ethnopharmacology ......
Ethnobotany and Ethnopharmacology ......
Ashokrao Mane college of Pharmacy Peth-Vadgaon
 
Overview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with MechanismOverview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with Mechanism
DeeptiGupta154
 
PART A. Introduction to Costumer Service
PART A. Introduction to Costumer ServicePART A. Introduction to Costumer Service
PART A. Introduction to Costumer Service
PedroFerreira53928
 
Template Jadual Bertugas Kelas (Boleh Edit)
Template Jadual Bertugas Kelas (Boleh Edit)Template Jadual Bertugas Kelas (Boleh Edit)
Template Jadual Bertugas Kelas (Boleh Edit)
rosedainty
 
How to Break the cycle of negative Thoughts
How to Break the cycle of negative ThoughtsHow to Break the cycle of negative Thoughts
How to Break the cycle of negative Thoughts
Col Mukteshwar Prasad
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
siemaillard
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
siemaillard
 
Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345
beazzy04
 
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptx
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptxStudents, digital devices and success - Andreas Schleicher - 27 May 2024..pptx
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptx
EduSkills OECD
 
The Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official PublicationThe Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official Publication
Delapenabediema
 
The geography of Taylor Swift - some ideas
The geography of Taylor Swift - some ideasThe geography of Taylor Swift - some ideas
The geography of Taylor Swift - some ideas
GeoBlogs
 
MARUTI SUZUKI- A Successful Joint Venture in India.pptx
MARUTI SUZUKI- A Successful Joint Venture in India.pptxMARUTI SUZUKI- A Successful Joint Venture in India.pptx
MARUTI SUZUKI- A Successful Joint Venture in India.pptx
bennyroshan06
 
The French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free downloadThe French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free download
Vivekanand Anglo Vedic Academy
 
2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...
Sandy Millin
 
The approach at University of Liverpool.pptx
The approach at University of Liverpool.pptxThe approach at University of Liverpool.pptx
The approach at University of Liverpool.pptx
Jisc
 

Recently uploaded (20)

Introduction to Quality Improvement Essentials
Introduction to Quality Improvement EssentialsIntroduction to Quality Improvement Essentials
Introduction to Quality Improvement Essentials
 
Sectors of the Indian Economy - Class 10 Study Notes pdf
Sectors of the Indian Economy - Class 10 Study Notes pdfSectors of the Indian Economy - Class 10 Study Notes pdf
Sectors of the Indian Economy - Class 10 Study Notes pdf
 
Operation Blue Star - Saka Neela Tara
Operation Blue Star   -  Saka Neela TaraOperation Blue Star   -  Saka Neela Tara
Operation Blue Star - Saka Neela Tara
 
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup   New Member Orientation and Q&A (May 2024).pdfWelcome to TechSoup   New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
 
How to Split Bills in the Odoo 17 POS Module
How to Split Bills in the Odoo 17 POS ModuleHow to Split Bills in the Odoo 17 POS Module
How to Split Bills in the Odoo 17 POS Module
 
Ethnobotany and Ethnopharmacology ......
Ethnobotany and Ethnopharmacology ......Ethnobotany and Ethnopharmacology ......
Ethnobotany and Ethnopharmacology ......
 
Overview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with MechanismOverview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with Mechanism
 
PART A. Introduction to Costumer Service
PART A. Introduction to Costumer ServicePART A. Introduction to Costumer Service
PART A. Introduction to Costumer Service
 
Template Jadual Bertugas Kelas (Boleh Edit)
Template Jadual Bertugas Kelas (Boleh Edit)Template Jadual Bertugas Kelas (Boleh Edit)
Template Jadual Bertugas Kelas (Boleh Edit)
 
How to Break the cycle of negative Thoughts
How to Break the cycle of negative ThoughtsHow to Break the cycle of negative Thoughts
How to Break the cycle of negative Thoughts
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345
 
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptx
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptxStudents, digital devices and success - Andreas Schleicher - 27 May 2024..pptx
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptx
 
The Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official PublicationThe Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official Publication
 
The geography of Taylor Swift - some ideas
The geography of Taylor Swift - some ideasThe geography of Taylor Swift - some ideas
The geography of Taylor Swift - some ideas
 
MARUTI SUZUKI- A Successful Joint Venture in India.pptx
MARUTI SUZUKI- A Successful Joint Venture in India.pptxMARUTI SUZUKI- A Successful Joint Venture in India.pptx
MARUTI SUZUKI- A Successful Joint Venture in India.pptx
 
The French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free downloadThe French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free download
 
2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...
 
The approach at University of Liverpool.pptx
The approach at University of Liverpool.pptxThe approach at University of Liverpool.pptx
The approach at University of Liverpool.pptx
 

Virus and Worms

  • 2.  It is a replicating program.  Can produce a copy of itself by attaching itself to another program  For example Software that piggybacks on real programs. Every time MS Word runs, virus runs too. Virus reproduces (by attaching copies of itself to other programs & files)  Typical transmission via:  File Downloads  Infected Disks / USB / Flash drives  Email Attachments What is a Virus
  • 3.  Some Viruses will affect computers as soon as there code is executed.  Others will remain dormant until pre-determined logical circumstances are met. Types & Growth
  • 4.  Design  Virus code developed using a program language or a virus construction kit.  Replication  The virus replicated itself within the target system over a period of time.  Launch  Virus is activated when the user performs a certain action such as running a program.  Detection  A new virus has been identified typically after data corruption, system malfunctioning and damage has taken place.  Incorporation.  Antivirus software developers assemble defence against the virus  Elimination  Antivirus defence is deployed as an update Virus Life Stages
  • 5. Motivations in Virus Creation
      • Inflict damage to competitors
      • Research projects
      • Prank / Vandalism
      • Targeted attack of specific company (Stuxnet)
      • Distribute a political message (Injustice)
      • Identity theft, Spyware (CoolWebSearch)
      • Financial Gain
      • Cryptoviral extortion (Gpcode)
          – This is a Trojan that encrypts files with certain extensions on local and remote drives and then asks a user to contact its author to buy a decryption solution.
  • 6. Indications of Virus infection
      • Programs taking longer to load
      • Hard drive available capacity falling without usage
      • Drive usage even when unused
      • Unknown files appearing on your system
      • Unexpected graphic displays
      • File name changes
      • Program size keeps changing
      • High memory usage & system slows down
  • 7. Infection methods
      • File downloads without verifying the source
      • Virus-infected files sent via mail with the aim of getting the recipient to open the mail and / or execute the virus.
      • Virus is incorporated into popular software programs and the infected software is uploaded onto websites intended for software downloads.
      • Failing to install / update security patches
      • Failing to use the latest versions of antivirus signature files.
      • Social engineering, where the attacker tricks the end-user into going to an innocent-looking webpage containing malware. (Discuss spear-phishing also)
      • Compromised legitimate websites
      • Fake antivirus software
  • 8. Types of Virus: How they spread
      • Email virus:
          – Moves around in email messages. Replicates by automatically mailing itself to people in the victim’s email address book.
      • Worm:
          – Software that uses computer networks & security holes to replicate itself. A copy of the worm scans the network for other computers with a specific security hole & replicates there as well…
      • Trojan horse:
          – Program that claims to do one thing (e.g. game) but instead does damage when you run it (e.g. erase hard disk). Does not auto-replicate.
  • 9. Some More Types
      • Encryption Virus
      • Polymorphic Virus
      • Metamorphic Virus
      • File extension Virus
      • Macro Virus
  • 10. Encryption Virus
      • Consists of an encrypted copy of the virus
      • Also contains a decryption module that remains consistent
      • Different keys used for encryption
      • Attached decryption module contains the key to decrypt the virus.
      • Virus signature keeps changing
      • Virus scanners must determine the signature of the decrypting module instead
  • 11. Polymorphic Virus
      • Modify their code each time they replicate
      • They change their encryption module on replication.
      • Virus signature keeps changing
      • Mutation engine used by the virus to change is also used by the antivirus software for detection.
      • Can be difficult to detect
  • 12. Metamorphic Virus
      • Virus that rewrites itself
      • Original algorithm remains intact but the code changes to avoid detection.
      • Complex to code
      • Better than polymorphic at avoiding detection.
  • 13. File extension Virus
      • Used to trick the end-user into opening what looks to be a valid file
      • If the end-user's file extension view is turned off, a file such as BAD.TXT.VBS will be visible as BAD.TXT
  • 14. Macro Virus
      • Word or similar applications are infected with this type of virus.
      • Typically written in a macro language such as VBA (Visual Basic for Applications).
      • Typically spread via email
      • The line between data files and applications is becoming blurred.
      • Files such as Word, Excel, PowerPoint, Windows help and PDF files can contain exploit macro code.
  • 15. Examples of Famous Viruses
      • Mydoom (Novarg) Worm/Email Virus:
          – Infected 250,000 computers in a single day in 2004. Windows PCs only.
          – When users click on the email attachment, it runs the virus
          – Used a double extension to fool the user (name.txt.exe)
          – Targeted SCO and Microsoft with HTTP requests from infected hosts.
          – Distributed Denial of Service (DDoS)
          – Also floods computers with mass emailing
          – 20% to 30% of all email traffic at its peak
      • Melissa Macro Virus:
          – 1999. Infects machines with MS Word 97. Propagated by the user opening an infected Word doc. Infects Normal.dot & hence all Word files. The virus then creates an email message containing an infected Word doc as attachment. The doc contains references to pornographic web sites.
          – Virus propagated if macros are enabled on the PC
  • 16. More Famous Viruses
      • ILOVEYOU virus:
          – May 2000. Comes in an email with “I LOVE YOU” in the subject line and an attachment. When the attachment is opened, sends the message to everyone in the MS Outlook address book.
          – Also deletes all JPEG, MP3, & certain other files on your hard disk!
          – Reached 45 million users in one day.
          – Some large companies had to shut down email completely.
          – VBS
          – $15 billion to remove the worm
  • 17. Bubble Boy Virus
      • Not harmful
      • Worm executes as soon as the message is viewed in the preview pane
      • Changes user name and company name to “BubbleBoy”
      • Opens Outlook through ActiveX and mails itself to everyone in the address book
  • 18. Blaster
      • Worm
      • August 2003
      • Windows XP, 2000 and Server 2003
      • Opens a remote command shell that listens on TCP port 4444
      • Sleeps for 20-second intervals and awakens to look for new machines to infect
      • Worm starts a TCP SYN flood attack on windowsupdate.com
      • msblast.exe
  • 19. THE CONFICKER WORM
      • One of the most notorious worms that has been unleashed on the internet in recent times
      • Speculation is that the worm was let loose by one or more government organizations to test its power to propagate
      • Worm infected a large number of machines around the world
      • Infected only Windows machines
  • 20. THE CONFICKER WORM
      • Symptoms
          – could also lock out certain user accounts
          – disabled the Automatic Updates feature
          – made it impossible for the infected machine to carry out DNS lookups for the hostnames that correspond to anti-virus software vendors
          – modifications to the Windows registry
  • 21. Infection method
      • On the older Windows platforms, a machine would be infected with the worm by any machine sending it a specially crafted packet disguised as an RPC (Remote Procedure Call).
      • On newer Windows platforms, the infecting packet had to be received from a user who could be authenticated by the victim machine
      • First discovered in October 2008
      • The worm infection spread by exploiting a vulnerability in the executable svchost.exe on a Windows machine
  • 22. svchost.exe
      • The job of the always-running process that executes the svchost.exe file is to facilitate the execution of the dynamically-linkable libraries (DLLs) that the different applications reside in or use.
      • The svchost process does this by replicating itself for each DLL that needs to be executed. So we could say that any DLL that needs to be executed must “attach” itself to the svchost process.
      • The svchost process checks the services part of the registry to construct a list of services (meaning a list of DLLs) it must load.
  • 23. Infection method
      • A machine running a pre-patched version of the Windows Server Service svchost.exe could be infected because of a vulnerability with regard to how it handled remote code execution needed by the RPC requests coming in through port 445.
      • So if a machine allowed for remote code execution in a network, perhaps because it made some resources available to clients, it would be open to infection through this mechanism.
      • Once a machine was infected, the worm could drop a copy of itself in the hard disks on the other machines mapped in the previously infected machine (network shares). If it needed a password in order to drop a copy of itself at these other locations, the worm came equipped with a list of 240 commonly used passwords. If it succeeded, the worm created a new folder at the root of these other disks where it placed a copy of itself.
      • The worm could also drop a copy of itself as the autorun.inf file in USB media such as memory sticks. This allowed the worm copy to execute when the drive was accessed (if Autorun was enabled).
  • 24. Detection
      • The worm prevented an automatic download of the latest virus signatures from the anti-virus software vendors by altering the DNS software on the infected machine. When a machine could not be disinfected through automatic methods, you had to resort to a more manual intervention consisting of downloading the anti-virus tool on a separate clean machine, possibly burning a CD with it, and, finally, installing and running the tool on the infected machine.
      • The worm was also capable of resetting the system restore points, which rendered that approach impossible for system recovery.
      • As the next step, the worm instructs the firewall to open a randomly selected high-numbered port to the internet. It then uses this port to reach out to the network in order to infect other machines. In order to succeed with propagation, the worm must become aware of the IP address of the host on which it currently resides. This it accomplishes by reaching out to a web site like http://checkip.dyndns.com
  • 25. Problems it caused
      • A French Navy computer network was infected with Conficker on 15 January 2009. The network was subsequently quarantined, forcing aircraft at several airbases to be grounded because their flight plans could not be downloaded.
      • The United Kingdom Ministry of Defence reported that some of its major systems and desktops were infected. The virus had spread across administrative offices and NavyStar/N* desktops aboard various Royal Navy warships and Royal Navy submarines, and hospitals across the city of Sheffield reported infection of over 800 computers.
  • 26. Stuxnet Worm
      • Discovered in 2010
      • The first publicly known intentional act of cyberwarfare to be implemented
      • Stuxnet reportedly ruined almost one-fifth of Iran's nuclear centrifuges
      • Stuxnet is typically introduced to the target environment by an infected USB flash drive
  • 27. Other unwanted software
      • Spyware:
          – Collects personal info about users without their consent.
          – Records personal info through logging keystrokes, recording web browser history, or scanning hard disk docs.
          – Purposes include criminal intent, advertising, or just to be annoying
          – Identity theft, stealing credit card numbers, etc.
  • 28. Anti-Virus Software: What is Anti-Virus Software?
      • Program that searches hard drive (& other drives) for any known or potential viruses or malware.
      • Works in 2 ways:
          – 1. Scan files for viruses contained in virus dictionary (DAT file)
          – 2. Identify suspicious behaviour (e.g. data capture, monitoring)
  • 29. McAfee VirusScan & Norton AntiVirus
      • Very similar products.
          – For home & home-office use
          – Enterprise edition for corporate environments
          – Integrates anti-virus, firewall, & anti-spyware
          – Performance hits?
          – Live updates.
          – Pricing usually based on subscription (1 year).
          – Get program updates for free, but pay for virus updates!
  • 30. Virus Protection: Install/Config Anti-Virus Software
      • Install after Service Packs
      • Anti-virus software runs as a process
      • Schedule to run at specific times (e.g. every day)
      • Specify which disks to scan
      • Run each time computer boots up?
      • Config for auto updates (DAT files) from web
      • Anti-Virus Software:
          – McAfee, Norton
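Slide 13 (BAD.TXT.VBS shown as BAD.TXT) and the Mydoom entry on slide 15 (name.txt.exe) describe the same filename trick; the check below is an added example, not part of the original slides, of how a mail gateway or file scanner can flag it. The extension lists and the function names `displayed_name` and `check_filename` are assumptions made for this sketch, and it also covers two related disguises the slides do not mention (space padding and Unicode bidirectional controls).

```python
# Extensions Windows will execute or hand to a script host (assumed, non-exhaustive list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd",
                   "vbs", "vbe", "js", "jse", "wsf", "hta", "lnk"}
# Extensions a user reads as harmless data (assumed, non-exhaustive list).
DECOY_EXTS = {"txt", "doc", "docx", "xls", "xlsx", "pdf",
              "jpg", "jpeg", "png", "gif", "mp3", "zip"}
# Unicode bidirectional controls that can visually reorder a file name.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068"}


def displayed_name(filename):
    """Name as shown when the file-extension view is turned off."""
    stem, dot, _ext = filename.rpartition(".")
    return stem if dot else filename


def check_filename(filename):
    """Return the reasons a name is deceptive; an empty list means no finding."""
    findings = []
    if any(ch in BIDI_CONTROLS for ch in filename):
        findings.append("bidi-control")
    # Windows ignores trailing dots and spaces, so drop them before parsing.
    name = filename.rstrip(". ")
    parts = [p.strip().lower() for p in name.split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return findings
    # A data-looking extension directly in front of the executable one.
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        findings.append("double-extension")
    # A run of spaces that pushes the real extension out of view.
    if "   " in name:
        findings.append("padded-extension")
    return findings


if __name__ == "__main__":
    # Constructed sample names; the first two are the ones quoted on the slides.
    for sample in ["BAD.TXT.VBS", "name.txt.exe", "notes.txt",
                   "archive.tar.gz", "invoice.pdf      .exe"]:
        print(f"{sample!r:28} shown as {displayed_name(sample)!r:22} "
              f"findings={check_filename(sample)}")
```

A plain `setup.exe` produces no finding: the check targets the disguise, not executables as such.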
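Slide 10 says scanners must match the constant decrypting module because the encrypted body changes with each key, and slide 28 describes dictionary-based scanning; the following added example (not from the original slides) shows that difference from the scanner's side. `STUB` and `BODY` are harmless constructed byte strings standing in for the decryption module and the payload, and single-byte XOR with the layout stub + key + body is an assumption chosen only to keep the demonstration small.

```python
import hashlib

# Constructed stand-ins, not real malware: STUB plays the constant
# decryption module, BODY the part that is stored encrypted.
STUB = b"\x90DECRYPT-STUB-v1\x90"
BODY = b"placeholder payload bytes, harmless"


def build_sample(key):
    """Test fixture: constant stub, then the key byte, then BODY XORed with it."""
    return STUB + bytes([key]) + bytes(b ^ key for b in BODY)


def hash_scan(data, known_hashes):
    """Dictionary lookup on the SHA-256 of the whole file."""
    return hashlib.sha256(data).hexdigest() in known_hashes


def pattern_scan(data, patterns):
    """Return the names of byte-pattern signatures found anywhere in data."""
    return [name for name, pat in patterns.items() if pat in data]


def decrypt_body(data):
    """What an analyst recovers once the stub is located; None if it is absent."""
    start = data.find(STUB)
    if start < 0 or start + len(STUB) >= len(data):
        return None
    key = data[start + len(STUB)]
    return bytes(b ^ key for b in data[start + len(STUB) + 1:])


def demo():
    first, second = build_sample(0x41), build_sample(0x7E)
    # Signatures written after seeing only the first sample.
    hashes = {hashlib.sha256(first).hexdigest()}
    patterns = {"body": first[len(STUB) + 1:], "stub": STUB}
    return {
        "hash_first": hash_scan(first, hashes),
        "hash_second": hash_scan(second, hashes),          # re-keyed copy is missed
        "patterns_first": pattern_scan(first, patterns),
        "patterns_second": pattern_scan(second, patterns),  # only the stub still hits
        "bodies_equal": decrypt_body(first) == decrypt_body(second) == BODY,
    }


if __name__ == "__main__":
    for field, value in demo().items():
        print(f"{field}: {value}")
```

The same reasoning is why the polymorphic case on slide 11 is harder: once the decryption module itself changes on replication, the stub pattern used here no longer stays constant.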