Viruses, Worms - PowerPoint PPT Presentation

Provided by: conest

1
Viruses, Worms & Trojans
  • David Turton
  • Conestoga College
  • Institute of Technology & Advanced Learning
  • http://www.conestogac.on.ca/turton
  • Doon 1B43 x3610

2
Definitions
  • Virus
      • replicates by attaching to other programs
      • can do damage
      • runs when infected program is executed
  • Worm
      • spreads without a host program
      • damage is usually network overloading

3
Definitions cont'd
  • Trojan horse
      • substitutes itself for a legitimate program
      • doesn't replicate
      • requires human intervention to move locations
  • Logic bomb
      • dormant code added to software
      • triggered by predetermined event
      • e.g. programmer fired (userid deactivated)

4
File & Macro Viruses
  • File virus
      • hides in an executable program
      • Example
          • looks for .exe files
          • creates like-named .com file
          • .com executes first, loading virus to memory
          • virus launches .exe so user unaware
  • Macro virus
      • in macro of word-processing document or spreadsheet
      • commonly spread as e-mail attachment
      • loads when program/document opened
      • e.g. Melissa 1999 macro virus
          • around the world in 1 day
          • e-mails itself to 50 people in your address book
          • infected other Word documents
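
Added example (not part of the original slides): a defender-side check for the companion-file pattern in the File virus example above. It walks a directory tree and reports every .com file that shares a base name with an .exe in the same folder; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

def find_companion_pairs(root):
    """Return sorted (directory, com_name, exe_name) tuples for every .com
    file that shares a base name with an .exe in the same directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_stem = defaultdict(dict)            # lower-cased stem -> {ext: filename}
        for name in files:
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            if ext in (".com", ".exe"):
                by_stem[stem.lower()][ext] = name
        for exts in by_stem.values():
            if ".com" in exts and ".exe" in exts:
                findings.append((os.path.relpath(dirpath, root),
                                 exts[".com"], exts[".exe"]))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample: one shadowed program and two harmless lone files."""
    root = tempfile.mkdtemp(prefix="companion_demo_")
    os.makedirs(os.path.join(root, "APPS"))
    for rel in ("APPS/EDITOR.EXE", "APPS/editor.com", "APPS/TOOL.EXE", "FORMAT.COM"):
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(b"placeholder")
    return root

if __name__ == "__main__":
    for directory, com, exe in find_companion_pairs(build_sample_tree()):
        print(f"{directory}: {com} would run instead of {exe}")
```

A hit is only a lead: compare the .com file's date and size with the rest of the folder before treating it as an infection.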

5
Boot Sector Virus
  • hides in MBR program code
      • or OS boot program
  • commonly spread by diskette
  • PC boots, virus loads
  • CMOS can prevent writing to boot sector
  • Multipartite Virus
      • boot & file virus
      • can hide in either

6
How Viruses Hide
Anti-Viruses are programmed for virus signatures (characteristics)
  • virus hides by changing its signature
      • Note: must be loaded to memory to enact the change
  • Polymorphic Viruses
      • mutates on replication
  • Encrypting Viruses
      • AV looking for replicating programs
      • virus transforms itself into non-replicating
      • becomes "visible" when it reverts to spread itself
  • Stealth Viruses
      • alters O/S info on size of file it's in
      • monitors file open/close
      • removes itself when its host is about to be opened

7
Damage (aka payload)
  • viruses, Trojans, worms
  • not known to cause hardware damage
  • but can damage information on hard drives
  • files/folders
  • MBR
  • boot sector
  • file system
  • partition table

8
How Infections Spread
  • executing e-mail attachments
  • floppies with program files
  • connecting to unprotected network
  • software from questionable sources/Internet
  • floppy disks from unknown sources
  • shared network programs
  • used, pre-formatted disks
  • e-mail that automatically executes word processor
    for attachments
  • not write-protecting install disks

9
How Viruses replicate
  • if computer used by others
  • do hard boot to clear memory-resident viruses
  • Load an Anti-Virus program
  • keep it current

10
How Trojans get in
  • masquerade as a legitimate program
  • AOL4FREE - unauthorised AOL access
  • AOL blocked it
  • re-emerged as a destructive Trojan
  • does damage when executed
  • Want free AOL? Take your risks.
  • requires people to spread it around

11
How worms get in
  • do port scans over network & Internet
      • looking for open TCP ports
      • determine program by port
      • vary attack accordingly
  • use your machine to probe others
      • or to produce mass mailings
  • protection
      • use a firewall
          • software firewall - commercial or Windows'
          • hardware firewall - server or cable/DSL router

12
Virus Hoaxes
aka Social Engineering
  • a false warning about a virus
  • doesn't do damage
  • encourages you to forward warning to friends
  • overloads e-mail with useless traffic

13
Protecting against Viruses
  • up-to-date anti-virus software
  • Automatically loads at boot
  • Weekly scans
  • Auto-scan
  • e-mail attachments
  • Word documents when loading
  • implement a firewall
  • keep O/S up-to-date with patches
  • software
  • reputable vendors
  • sparingly from Internet
  • not via floppies
  • never pirated
  • write-protect original disks
  • company
  • policy about unauthorised s/w
  • block installs
  • CMOS
  • boot from C: first, not A: or CD
  • enable BIOS MBR protection
  • floppies
  • always scan before reading
  • format yourself before use
  • PCs
  • hard boot if others have used it
  • backup
  • backup
  • backup
  • make a schedule
  • stick to it

14
Virus Symptoms
  • "downloaded document contains macros"
  • program takes longer to load
  • excessive disk access for task
  • or when no task running from disk
  • regular, unusual error messages
  • strange graphics or noises
  • less memory or disk space
  • no hard drive seen when booted from floppy
  • cannot recognise CD-ROM any more
  • executables change size, fail to work or give
    errors
  • files constantly become corrupted
  • error messages about FAT or partition tables
  • hard drive boots and hangs before Windows comes
    up
  • people complain about infected e-mail from you
  • task manager shows unfamiliar processes
  • command sigverif shows uncertified software
    installed
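
Added example (not part of the original slides): one way to check the "executables change size" symptom against a saved baseline. Because the stealth-virus slide notes that reported file size can be falsified, the sketch records a SHA-256 of each file's content as well as its size; the extension list, function names and sample files are constructed assumptions.

```python
import hashlib
import os
import tempfile

EXECUTABLE_EXTS = {".exe", ".com", ".dll", ".sys"}   # assumed set; adjust per system

def snapshot(root):
    """Map relative path -> (size, SHA-256) for every executable under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            result[os.path.relpath(path, root)] = (len(data), hashlib.sha256(data).hexdigest())
    return result

def compare(baseline, current):
    """List (path, finding) pairs, sorted by path."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            changes.append((path, "new executable"))
        elif new is None:
            changes.append((path, "missing"))
        elif old[0] != new[0]:
            changes.append((path, f"size changed {old[0]} -> {new[0]}"))
        elif old[1] != new[1]:
            changes.append((path, "content changed, size unchanged"))
    return changes

def demo():
    """Constructed files: take a baseline, alter the files, compare."""
    root = tempfile.mkdtemp(prefix="baseline_demo_")
    def write(name, data):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    write("a.exe", b"A" * 100)
    write("b.exe", b"B" * 100)
    write("c.com", b"C" * 10)
    baseline = snapshot(root)
    write("a.exe", b"A" * 100 + b"X" * 20)      # grew by 20 bytes
    write("b.exe", b"B" * 99 + b"Z")            # same size, different bytes
    os.remove(os.path.join(root, "c.com"))
    write("d.exe", b"D" * 5)
    return compare(baseline, snapshot(root))
```

A memory-resident stealth virus can present a clean-looking file to the scanner, so take the comparison snapshot after a hard boot.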

15
Troubleshooting Hard Drives (again)
  • Norton Utilities www.symantec.com
      • prevent drive damage, recover data, repair damage, improve performance
      • use version for your O/S
          • damage could result
  • Partition Magic www.powerquest.com
      • FAT16 to FAT32, create/resize/move partitions
          • without losing data
      • hide partitions
  • SpinRite www.grc.com
      • DOS small footprint, real mode from floppy
      • analyse drive surface, data recovery from corrupted files, recover file system information

16
Resolving drive problems
  • invalid drive or drive specification
      • same message if boot from A: & try to access C:
      • partition table damaged
      • Win 9x: fdisk /mbr   XP: fixmbr
  • Invalid media type
  • Non-DOS disk
  • Unable to read from drive C:
      • O/S boot record damaged
      • recover from backup copy, if have one
      • repair w/ Norton disk doctor or SpinRite
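
Added example (not part of the original slides): a read-only sanity check of a saved copy of the 512-byte MBR, covering the "partition table damaged" case above and the boot-sector-virus slide's point that the virus lives in the MBR program code. It assumes the classic MBR layout (446 bytes of code, four 16-byte entries, 55 AA signature); the function names and both sample sectors are constructed.

```python
import hashlib
import struct

# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY = struct.Struct("<B3xB3xII")

def check_mbr(sector):
    """Return (partitions, problems) for one 512-byte MBR sector."""
    if len(sector) != 512:
        return [], [f"expected 512 bytes, got {len(sector)}"]
    problems = []
    if sector[510:512] != b"\x55\xaa":
        problems.append("missing 55 AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, start, count = ENTRY.unpack_from(sector, 446 + 16 * i)
        if ptype == 0:                          # unused slot
            continue
        if status not in (0x00, 0x80):
            problems.append(f"entry {i}: invalid status byte 0x{status:02x}")
        if count == 0:
            problems.append(f"entry {i}: zero-length partition")
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "start": start, "sectors": count})
    if sum(p["active"] for p in parts) > 1:
        problems.append("more than one active partition")
    ordered = sorted(parts, key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start"] + a["sectors"] > b["start"]:
            problems.append(f"entries {a['index']} and {b['index']} overlap")
    return parts, problems

def boot_code_digest(sector):
    """SHA-256 of the 446 bytes of MBR program code, to compare with a saved copy."""
    return hashlib.sha256(sector[:446]).hexdigest()

def build_sample(entries, signature=b"\x55\xaa", code=bytes(446)):
    """Constructed test sector: boot code, up to four entries, signature."""
    table = b"".join(ENTRY.pack(*e) for e in entries).ljust(64, b"\x00")
    return code + table + signature

GOOD = build_sample([(0x80, 0x0B, 63, 1000), (0x00, 0x0B, 1063, 2000)])
DAMAGED = build_sample([(0x80, 0x0B, 63, 1000), (0x7F, 0x0B, 500, 2000)],
                       signature=b"\x00\x00")

if __name__ == "__main__":
    for label, sector in (("good", GOOD), ("damaged", DAMAGED)):
        print(label, check_mbr(sector)[1] or "no problems found")
```

Keeping the digest of a known-good MBR with the backups makes a later change to the boot code visible even when the partition table still parses cleanly.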

17
Resolving drive problems cont'd
  • Sector not found reading drive C: Abort, Retry, Ignore, Fail?
      • FAT or root directory damage
      • try copying important files off drive
      • Norton Disk Doctor
          • to repair FAT or root directory
  • Non system disk or disk error
  • Invalid system disk
      • Win9x: to recover io.sys & msdos.sys
          • sys C:
      • Win XP: copy, from another machine
          • ntldr, ntdetect.com, boot.ini