Computer Viruses, Trojans and Worms

1
Computer Viruses, Trojans and Worms

• Malware definitions
• Malware payloads in general
• Network worms
• Virus propagation methods
• Virus detection avoidance approaches
• Platform vulnerabilty and virus resistance
• Malware detection and removal
• Other countermeasures
• Can a virus ever be good ?
• Further Reading

2
Malware definitions virus

• Malware can be classified based on whether and
  how it replicates and spreads.
• A computer virus is a program which runs when a
  program it attaches itself to is run. When the
  virus code is run, it will (sometimes or always)
  try to find another program to infect. When the
  virus copies or attaches itself to another
  program in such a manner that when the other
  program is run, the virus code is also run, the
  other program is considered to be infected.

3
Malware definitions worm

• A network worm is a kind of virus which
  propagates using computer networks. These might
  directly exploit a vulnerability in software
  running on computers which have network
  connections to cause themselves to be installed
  and to run on the vulnerable computer.
• Alternatively end users may be tricked into
  running the worm program when they receive it via
  a network, e.g. by double clicking on an
  executable file attached to email.

4
Malware definitions trojan

• A trojan is a program which a user or
  administrator installs on a computer because they
  are misled into thinking it only performs wanted
  functionality, when in addition this program
  contains hidden functionality which the user does
  not want.
• The term "trojan" might also apply to "adware" or
  "spyware" software which is installed from a
  remote website as part of the normal functioning
  of a poorly designed web browser without the end
  user's consent or knowledge.

5
Malware payloads in general 1

• Regardless of how malware propagates, it can be
  programmed to do anything which the security
  context the platform it infects allows it to do.
  Some examples
• Keylogging. This privacy invasion requires low
  level access to the keyboard device driver and
  the ability to send information back to base.
• Timebomb. This causes actions to occur when the
  system clock reaches a programmed date and time.

6
Malware payloads in general 2

• Logicbomb. If files with particular content are
  found or other events detected, a destructive
  action might be programmed e.g. formatting a disk
  or other storage device.
• Prank. A virus might be programmed to display
  messages or cause other effects its author thinks
  are amusing. Even a virus programmed just to
  replicate can take up memory and cause a system
  to slow or crash.

7
Network worms

• A worm might open network connections and infect
  a vulnerable target computer directly, as with
  the Morris worm, which infected an estimated
  6,000 of the 60,000 Internet hosts in Nov 1988.
• Other worms spread, as with a virus, via the use
  of a host file, which needs to be transferred as
  part of the Network worm. More recent worms have
  include Mydoom and Storm which were used to
  install large botnets used for distributed denial
  of service (DDOS) and spam attacks.

8
Virus propagation methods 1

• Boot sector viruses infect the boot sector of the
  boot disk of a computer operating system. These
  became widespread when it was common for computer
  users accidently to leave a floppy disk in the
  drive and the computer BIOS was configured to
  boot from the floppy by default. These viruses
  would transfer via the hard disk to all writeable
  floppies inserted into the infected computer.
  This mechanism was defeated when administrators
  changed the BIOS settings and became less likely
  when floppies were less frequently used.
• This infection vector could return to prominence
  again if flash USB drives become routinely used
  by users to carry an operating system together
  with applications, custom configurations and data
  between physical machines.

9
Virus propagation methods 2

• Non-resident viruses infect application files and
  are run when the application runs. Typically the
  virus is prepended to the application source code
  for an interpreted application, or its executable
  code for a compiled application. Alternatively
  the virus code might be appended with a vector to
  itself added at the start of the program.
• When the virus part of the code runs it will
  search for another suitable file to infect. Once
  the virus code completes it hands control on to
  the infected host file. A non-resident virus can
  be trivial to code (see the next slide for an
  example), but such a 'virus' is extremely
  unlikely to spread.

10
Virus propagation methods 3

• This source code for a shell script virus shows
  how easy it is to
• create one.
• This one would not be able to cause harm for
  various reasons.

11
Virus propagation methods 4

• Resident viruses install themselves into memory
  when they run. Having done this they hand over
  control to the host application. This kind of
  virus will be programmed to intercept normal
  system operations, e.g. opening a file or device,
  or the use of an interrupt or system call.
• When the intercepted operation runs, the virus
  executes and might then find another suitable
  infection target or run a payload. When the virus
  has run it will hand control over to the normal
  function of the intercepted operation.

12
Virus propagation methods 5

• Fast infecter viruses are programmed to spread as
  rapidly as possible to reduce the risk of the
  virus being wiped out once introduced into the
  wild. However, a fast infecter is more likely to
  cause changes of behaviour of the infected system
  so is more likely to be detected.
• Slow infecter viruses are designed to find other
  targets to infect infrequently. By spreading
  slowly this kind of virus is less likely to be
  detected.

13
Virus propagation methods 6

• Companion viruses do not modify the infection
  target directly but are stored in a separate
  file. E.G. if a user inputs the command 'format'
  a file called format.com will execute before a
  file called format.exe . Format.com is the virus,
  which will run format.exe, the host application,
  passing all its arguments when it has run.

14
Virus propagation methods 7

• Macro viruses use the macro programming languages
  which are embedded within popular applications
  e.g. Word and Excel. This kind of virus became
  widespread in the 1990ies. The threat from this
  kind of virus has probably been reduced following
  additional prompts when a document containing
  macros is opened in Word or Excel.

15
Virus propagation methods 8

• Cross Site Scripting (XSS) viruses exploit a
  combination of vulnerabilities present in both
  web server applications and web browsers. These
  will typically need to be coded in 2 parts, one
  part being the server code (e.g. using PHP) which
  propagates from the infected browser to the
  vulnerable servers and the other part which runs
  in the browser (e.g. using Javascript).

16
Virus detection avoidance 1

• Virus programmers and antivirus software
  developers have been engaged in an arms race ever
  since viruses became widespread and antivirus
  software was first marketed in the late 1980ies.
• Since then we have seen
• Stealth viruses - viruses which trap interrupts
  to open a file and cause any application that
  reads the file containing them to see only the
  uninfected file.

17
Virus detection avoidance 2

• Polymorphic and metamorphic viruses - viruses
  which modify their code every time they infect
  another target so they can only be detected using
  heuristic measures rather than static code
  signatures.
• Disabling anti-virus software. If a virus detects
  the presence of a known anti-virus program on a
  system it infects, it will modify the anti-virus
  software to disable components of this, e.g. the
  part of the antivirus program which can detect if
  it has been modified itself or if its virus
  signature file has been changed.

18
Virus detection avoidance 3

• Avoidance of bait files. A virus might be
  programmed to avoid infecting program files
  considered likely to be bait (e.g. because they
  are small) as part of an advanced antivirus
  detection program, to see if a virus is at work.
• Leaving access times and file sizes unchanged. A
  virus may be small enough to fit into the end of
  a sector after a file. E.G. a filesystem may have
  effective file sizes of multiples of 1024 bytes,
  which corresponds to the size of a disk sector. A
  small virus might restrict its infection targets
  to files which do not need to add another sector
  to their size. Some program files have gaps in
  them large enough for a virus to fit inside.

19
Virus detection avoidance 4

• Self-encrypting viruses take the metamorphic
  approach to the extreme of the virus encrypting
  itself using a variable key. However, enough of
  the virus will have to be unencrypted for it to
  be able to decrypt itself when the virus is
  executed for a heuristic antivirus approach to be
  feasible.

20
Platform vulnerability to viruses 1

• It has been argued that viruses are reported to
  infect Windows PCs much more frequently than
  Linux or Macs because more people use Windows.
  But Windows had many viruses when this system had
  fewer users in the early 1990ies than now use
  Macs or Linux . Others claim that the Unix design
  foundation of both Linux and Mac platforms is
  inherently more secure.
• Linux isn't a single platform but has many
  slightly different distributions. One reason why
  fewer viruses are reported on Linux could be that
  virus writers find the differences between
  different Linux distributions make writing
  viruses that work on many of these harder. A
  similar advantage concerning infection resistance
  is gained by a genetically diverse food crop
  compared to a monocrop of a cloned plant.

21
Platform vulnerability to viruses 2

• Other points of interest in this debate concern
  the levels of security knowledge of typical users
  of various platforms and the ease with which end
  users can install applications independently of
  the means provided by the platform developers to
  verify application compatibility and integrity.
• Different defaults are provided in connection
  with privileged actions carried out by end users.
  It is also likely to be easier for Windows users
  to install a wider variety of stand-alone PC
  software than currently comes supported through
  the package repositories of the the most popular
  Linux distributions, though Linux might have more
  server and embedded applications.

22
Malware detection and removal 1

• The most popular approach to this requirement is
  to install an antivirus program and to keep this
  current. As new viruses are detected on a daily
  basis the signatures and heuristic methods need
  to be kept updated on a very regular basis. For
  this reason, modern antivirus programs generally
  include facilities automatically to update
  themselves using a network connection whenever
  new virus signatures and heuristics become
  available.

23
Malware detection and removal 2

• Platforms which are not themselves thought to be
  vulnerable to viruses but which are used to
  distribute content potentially including viruses,
  e.g. via email between Windows users, must also
  scan for viruses to avoid becoming part of this
  problem.
• But the number of known virus signatures
  continues to increase. So even using the Clam-av
  antivirus package which is open source and freely
  installable, growing memory demands are making
  this job increasingly expensive . The next slide
  shows how many virus signatures exist and how
  much memory these occupy as of November 2008.

24
Malware detection and removal 3

• Number of virus signatures 437972
• freshclam daemon 0.94 (OS linux-gnu, ARCH i386,
  CPU i486)?
• ClamAV update process started at Fri Nov 7
  182428 2008
• main.cld is up to date (version 49, sigs
  437972, f-level 35, builder sven)?
• Demand of anti-virus on memory 50.9
• PID USER PR NI VIRT RES S CPU MEM
  COMMAND
• 20782 clamav 20 0 126m 72m S 0.0 50.9
  clamav-milter

25
Other countermeasures

• One approach involves stopping a system from
  running and mounting its hard disk using another
  operating system, booted using trusted media.
  Tools can be run on the trusted system to detect
  suspicious changes to files on the system being
  scanned. This is considered more reliable than
  running antivirus software directly on the system
  which might have been compromised and where the
  results of the antivirus scan may also have been
  compromised by an unknown virus.
• The trusted scanning system might also store a
  set of hash signatures or checksums of files
  which the virus might modify and test if any
  executables or registry tables have been
  modified.

26
Can a virus ever be good ?

• In biology, viruses enable potentially beneficial
  DNA to be transferred between species. This is
  considered to be a part of the optimisation of
  the evolutionary process. But it is thought
  unlikely that anyone could benefit from computer
  viruses, other than the proceeds of crime which
  those who write and spread viruses might obtain.
• The difference between a virus and another kind
  of program is that an ordinary program will
  normally have the informed consent of the system
  owner before it can be installed. While there is
  a similarity between an operating system which
  can create a copy of itself on installation media
  and a virus, the OS that makes it easy for its
  users to copy it will do this with the users full
  knowledge and consent.
• There is no situation in which taking away the
  end users consent to perform an action is
  considered likely to be of benefit.

27
Further Reading

• Wikipedia article on computer viruses
• http//en.wikipedia.org/wiki/Computer_virus
• Fred Cohen's paper on software virus theory
  dating from 1984 http//all.net/books/virus/inde
  x.html
• Are computer viruses still a good idea ? Vesselin
  Bontchev's 1992 paper http//vx.netlux.org/lib/av
  b02.html
• The cross site scripting virus. A much more
  recent threat including proof of concept source
  code.
• http//www.bindshell.net/papers/xssv/