NMCSP
2008 Batch-I
Module XV
Virus
Scenario
Michael is a system administrator at one of
the top online trading firms. Apart from his
job as a system administrator, he has to
monitor shares of some firms traded at Stock
Markets in other geographical regions.
Michael, therefore, has a dual role in the
organization.
Michael works on the night shift. One night
something unusual happened. He was
alarmed to see the size of the company’s
mailbox.
The outbox was empty the last time he had checked, but now it was flooded with mail that had been sent in bulk to the respective mail ids in the address book. The system had also slowed down tremendously.
This was not because of some internal error in the mail server; something much more serious had happened. Michael had to take the mail server off the network for further investigation.
What could have triggered such an event?
Just imagine the company’s credibility if the
bulk mail had reached the mailboxes of all of
their clients.
Module Objectives
• Virus – characteristics, history and some terminologies
• Difference between a Virus and a Worm
• Virus history
• Life Cycle of a virus
• Types of viruses and reasons why they are considered harmful
• Famous Viruses/worms
• Writing a simple program which can disrupt a system
• Effects of viruses on business
• Virus Hoaxes
• How a virus spreads and infects the system
• Indications of a Virus attack
• Virus construction kits
• Virus detection methods
• Anti-Virus Tools
• Anti-Virus Software
• Dealing with Virus infections
• Sheep Dip
• A few Computer Viruses to check for
Module Flow
• Introduction
• Virus Characteristics
• Virus Hoax
• Difference between a Virus and a Worm
• Business and the Virus
• Virus History
• Indication of a Virus attack
• Access method of a Virus
• Virus Life cycle
• Virus Construction kit
• Viruses in the Wild
• Virus Classification
• Virus detection
• Virus Incident Response
• Countermeasures
• Viruses in 2004
Introduction
   Computer viruses are perceived as a threat to
    both business and personal computing.
   This module looks into the details of computer
    virus; its functions; classifications and the
    manner in which it affects systems.
   This module also highlights the various counter
    measures that one can take against virus
    attacks.
Virus Characteristics
• Viruses and malicious code exploit the vulnerability in a program.
• A virus is a program that reproduces its own code by attaching itself to other executable files so that the virus code is run when the infected file is executed.
• It operates without the knowledge or desire of the computer user.
Symptoms of ‘virus-like’ attacks
• If the system acts in an unprecedented manner, a virus attack can be suspected. Example: processes take more resources and are time consuming.
• However, not all glitches can be attributed to virus attacks. Examples include:
  • Certain hardware problems.
  • The computer beeps with no display.
  • One of two anti-virus programs reports a virus on the system.
  • The label of the hard drive has changed, etc.
What is a Virus Hoax?
• A virus hoax is a bluff in the name of a virus.
• For example, following the outbreak of the W32.bugbear@mm worm, there was a hoax warning users to delete the Jdbgmgr.exe file that has a bear icon.
• Being largely misunderstood, viruses easily generate myths. Most hoaxes, while deliberately posted, die a quick death because of their outrageous content.
Terminologies
   Worms
    • A worm does not require a host to replicate.
    • Worms are a subset of virus programs.
   Logic Bomb
    • A code surreptitiously inserted into an application or operating
      system that causes it to perform some destructive or security-
      compromising activity whenever specified conditions are met is
      known as a Logic bomb.
   Time Bomb
    • A time bomb is considered a subset of logic bomb that is
      triggered by reaching some preset time, either once or
      periodically.
   Trojan
    • A Trojan is a small program that runs hidden on an infected
      computer.
How is a Worm different from a Virus?
There is a difference between a general virus and worms.
A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs.
A worm spreads through the infected network automatically, while a virus does not.
Indications of a Virus attack
The following are some indications of a virus attack:
– Programs take longer to load than normal.
– The computer's hard drive constantly runs out of free space.
– Files have strange names which are not recognizable.
– Programs act erratically.
– Resources are used up easily.
Virus History
Year of discovery   Virus Name
1981                Apple II Virus – first virus in the wild
1983                First documented virus
1986                Brain, PC-Write Trojan, & Virdem
1989                AIDS Trojan
1995                Concept
1998                Strange Brew & Back Orifice
1999                Melissa, Corner, Tristate, & Bubbleboy
2003                Slammer, Sobig, Lovgate, Fizzer, Blaster/Welchia/Mimail
Virus Damage
Virus damage can be grouped broadly as: Technical, Ethical/Legal and Psychological.
• Technical Attributes: The technicalities involved in the modeling and use of a virus cause damage due to:
  1. Lack of control
  2. Difficulty in distinguishing the nature of the attack.
  3. Draining of resources.
  4. Presence of bugs.
  5. Compatibility problems.
• Ethical and Legal Reasons: There are legalities, and ethics, involved in determining why viruses and worms are damaging:
  1. Unauthorized Data Modification
  2. Copyright problems
  3. Misuse of the virus.
  4. Misguidance by virus writers.
• Psychological Reasons such as:
  – Trust Problems.
  – Negative influence.
Effects of Viruses on Business
According to a study by Computer Economics, a US research institute, computer viruses cost companies worldwide US$7.6 billion in 1999.
In January 2003, the SQL Slammer worm led to technical problems that temporarily kept Bank of America's customers from their cash, but did not directly cause the ATM outage.
As most businesses around the world rely on the internet for most of their transactions, it is quite natural that once a system within a business network is affected by a virus, there is a high risk of financial loss to the business.
Access Methods of a Virus
The following are ways to get infected by a computer virus:
• Floppy Disks
• Internet
• e-mail
Modes of Virus Infection
   Viruses infect the system in the following ways:
    • Loads itself into memory and checks for executables
      on the disk.
    • Appends malicious code to an unsuspecting
      program.
    • Launches the real infected program, as the user is
      unaware of the replacement.
    • If the user executes the infected program other
      programs get infected as well.
    • The above cycle continues until the user realizes the
      anomaly within the system.
Life Cycle of a Virus
Like its biological counterpart, the computer virus also has a life cycle from its birth, i.e. creation, to death, i.e. eradication of the virus:
1. Design
2. Reproduction
3. Launch
4. Detection
5. Incorporation
6. Elimination
Virus Classification
Viruses are classified based on the following lines:
1.   What they Infect.
2.   How they Infect.
What does a Virus Infect?
      1. System Sectors
      2. Files
      3. Macros
      4. Companion Files
      5. Disk Clusters
      6. Batch Files
      7. Source Code
      8. Worms using
         Visual Basic
How does a Virus Infect?
       1. Polymorphic Virus
       2. Stealth Virus
       3. Fast and Slow Infectors
       4. Sparse Infectors
       5. Armored Virus
       6. Multipartite Virus
       7. Cavity (Space filler) Virus
       8. Tunneling Virus
       9. Camouflage Virus
       10. NTFS ADS Virus
Famous Viruses/Worms: W32.CIH.Spacefiller (a.k.a. Chernobyl)
• Chernobyl is a deadly virus. Unlike the other viruses that have surfaced recently, this one is much more than a nuisance.
• If infected, Chernobyl will erase data on the hard drive, and may even keep the machine from booting up at all.
• There are several variants in the wild. Each variant activates on a different date: version 1.2 on April 26th, 1.3 on June 26th, and 1.4 on the 26th of every month.
Famous Viruses/Worms: Win32/Explore.Zip Virus
• ExploreZip is a Win32-based e-mail worm. It searches for Microsoft Office documents on the hard drive and network drives.
• When it finds any Word, Excel, or PowerPoint documents using the following extensions: .doc, .xls and .ppt, it erases the contents of those files. It also e-mails itself to anyone who sends the victim an e-mail.
• ExploreZip arrives as an e-mail attachment. The message will most likely come from someone known, and the body of the message will read: "I received your email and I shall send you a reply ASAP. Till then, take a look at the attached Zipped docs." The attachment will be named "Zipped_files.exe" and have a WinZip icon. Double clicking the program infects your computer.
Famous Viruses/Worms: I Love You Virus
Love Letter is a Win32-based e-mail worm. It overwrites certain files on the hard drives and sends itself out to everyone in the Microsoft Outlook address book.
Love Letter arrives as an e-mail attachment named LOVE-LETTER-FOR-YOU.TXT.VBS, though new variants have different names including VeryFunny.vbs, virus_warning.jpg.vbs and protect.vbs.
The viruses discussed here are more of a proof of concept, as they have been instrumental in the evolution of both virus and antivirus programs.
Famous Viruses/Worms: Melissa
Melissa is a Microsoft Word macro virus. Through macros, the virus alters the Microsoft Outlook e-mail program so that the virus gets sent to the first 50 people in the address book.
It does not corrupt any data on the hard drive or crash the computer. However, it affects MS Word settings.
Melissa arrives as an e-mail attachment. The subject of the message containing the virus reads: "Important message from" followed by the name of the person whose e-mail account it was sent from.
The body of the message reads: "Here's the document you asked for...don't show anyone else ;-)"
Double clicking the attached Word document (typically named LIST.DOC) will infect the machine.
Famous Viruses/Worms: Pretty Park
Pretty Park is a privacy invading worm. Every 30 seconds, it tries to e-mail itself to the e-mail addresses in the Microsoft Outlook address book.
It has also been reported to connect the victim machine to a custom IRC channel for the purpose of retrieving passwords from the system.
Pretty Park arrives as an e-mail attachment. Double clicking the PrettyPark.exe or Files32.exe program infects the computer. Sometimes the Pipes screen saver is seen after running the executable.
Famous Viruses/Worms: CodeRed
• Following the landing of the U.S. “spy plane” on Chinese soil, loosely grouped hackers from China started hack attacks directed against the White House. CodeRed is assumed to be a part of this.
• The "CodeRed" worm attempts to connect to TCP port 80 on a randomly chosen host, assuming that a web server will be found.
• Upon a successful connection to port 80, the attacking host sends a crafted HTTP GET request to the victim, attempting to exploit a buffer overflow in the Windows 2000 Indexing Service.
• If the exploit is successful, the worm executes a Distributed Denial-of-Service whereby the slave machines attack the White House.
• The assumption of being Chinese in origin arises from the last line found in the disassembled code, which reads: HELLO! welcome to http://www.worm.com! Hacked By Chinese!
Famous Viruses/Worms: W32/Klez
Aliases: ElKern, KLAZ, Kletz, I-Worm.klez, W95/Klez@mm
W32.Klez variants are mass mailing worms that search the Windows address book for e-mail addresses and send messages to all the recipients that they find. The worm uses its own SMTP engine to send the messages.
The subject and attachment name of the incoming e-mails are randomly chosen. The attachment will have one of the extensions: .bat, .exe, .pif or .scr.
The worm exploits a vulnerability in Microsoft Outlook and Outlook Express to try to execute itself when the victim opens or previews the message.
Famous Viruses/Worms: Bug Bear
The virus is being showcased here as a proof of concept.
The worm propagates via shared network folders and via e-mail. It also terminates antivirus programs, acts as a backdoor server application, and sends out system passwords - all of which compromise security on infected machines.
This worm fakes the FROM field and obtains the recipients for its e-mail from e-mail messages, address books and mail boxes on the infected system. It generates the filename for the attached copy of itself from the following:
• A combination of text strings: setup, card, docs, news, Image, images, pics, resume, photo, video, music or song data; with any of the extensions: SCR, PIF, or EXE.
• An existing system file appended with any of the following extensions: SCR, PIF or EXE.
Famous Viruses/Worms: SirCam Worm
SirCam is a mass mailing e-mail worm with the ability to spread through Windows Network shares.
SirCam sends e-mail with variable user names and subject fields, and attaches user documents with double extensions (such as .doc.pif or .xls.lnk) to them.
The worm collects a list of files with certain extensions ('.DOC', '.XLS', '.ZIP') into fake DLL files named 'sc*.dll' and sends itself out with one of the document files it finds in the users' "My Documents" folder.
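The Klez, Bug Bear and SirCam slides above each describe how the worm names its attachment (a bare executable extension, a generated stem plus SCR/PIF/EXE, a document extension followed by an executable one). The following mail-gateway check, added here as an example and not part of the original module, turns those naming patterns into a filter; the log line format and the sample names are constructed for the example.

```python
import re

# Attachment extensions the Klez slide lists (.bat, .exe, .pif, .scr),
# plus .vbs (Love Letter) and .com (Game.com) from earlier in the module.
EXECUTABLE_EXTS = {"bat", "exe", "pif", "scr", "vbs", "com"}
# Document-looking extensions SirCam places before its executable one
# (.doc.pif, .xls.lnk); .txt and .jpg cover the Love Letter variants.
DOCUMENT_EXTS = {"doc", "xls", "ppt", "zip", "txt", "jpg"}
# Filename stems the Bug Bear slide says are combined with SCR/PIF/EXE.
BUGBEAR_STEMS = {"setup", "card", "docs", "news", "image", "images", "pics",
                 "resume", "photo", "video", "music", "song", "data"}


def classify_attachment(name: str) -> list:
    """Return the reasons an attachment name looks like a mass-mailer
    payload; an empty list means none of the module's patterns matched."""
    reasons = []
    parts = name.strip().lower().split(".")
    if len(parts) < 2:
        return reasons                      # no extension at all
    stem, exts = parts[0], parts[1:]
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + last)
    # Double extension: a document extension directly before an
    # executable or shortcut (.lnk) one, e.g. report.doc.pif.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS \
            and last in EXECUTABLE_EXTS | {"lnk"}:
        reasons.append("double extension ." + exts[-2] + "." + last)
    if stem in BUGBEAR_STEMS and last in {"scr", "pif", "exe"}:
        reasons.append("Bugbear-style generated name")
    return reasons


def scan_mail_log(lines) -> dict:
    """Apply the classifier to constructed gateway log lines of the form
    'from=<addr> to=<addr> attachment=<name>' (a hypothetical format) and
    return a mapping of flagged attachment names to their reasons."""
    flagged = {}
    pattern = re.compile(r"attachment=(\S+)")
    for line in lines:
        m = pattern.search(line)
        if m:
            reasons = classify_attachment(m.group(1))
            if reasons:
                flagged[m.group(1)] = reasons
    return flagged


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "from=alice@example.test to=bob@example.test attachment=Zipped_files.exe",
    "from=carol@example.test to=bob@example.test attachment=budget.xls",
    "from=dave@example.test to=bob@example.test attachment=report.doc.pif",
    "from=erin@example.test to=bob@example.test attachment=resume.scr",
    "from=frank@example.test to=bob@example.test attachment=LOVE-LETTER-FOR-YOU.TXT.VBS",
]

if __name__ == "__main__":
    for name, why in scan_mail_log(SAMPLE_LOG).items():
        print(name, "->", "; ".join(why))
```

A name-based filter like this only catches the patterns the slides describe; it is a cheap first gate in front of the anti-virus scan, not a replacement for it.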
Famous Viruses/Worms: Nimda
Nimda is a complex virus with a mass mailing worm component which spreads itself in attachments named README.EXE. It affects Windows 95, 98, ME, NT4 and Windows 2000 users.
Nimda is showcased here as it is the first worm to modify existing web sites to start offering infected files for download. It is also the first worm to use normal end user machines to scan for vulnerable web sites. Nimda uses the Unicode exploit to infect IIS Web servers.
Source: http://www.fwsystems.com/nimda/nimda.gif
Famous Viruses/Worms: SQL Slammer
On January 25, 2003 the SQL Slammer worm was released by an unknown source.
The worm significantly disrupted many Internet services for several hours. It also adversely affected the bulk electric system controls of two entities for several hours.
Source: http://andrew.triumf.ca/slammer.html
The worm carried no destructive payload, and the very speed of the worm hampered its spread, as the noticeable slowdown in Internet traffic also slowed Slammer's spread.
Writing a simple virus program
     Step 1: Create a batch file Game.bat with the following text
       • @ echo off
       • Delete c:\winnt\system32\*.*
       • Delete c:\winnt\*.*
     Step 2: Convert the Game.bat batch file to Game.com using the
      bat2com utility.
     Step 3: Assign an icon to Game.com using the Windows file
      properties screen.
     Step 4: Send the Game.com file as an e-mail attachment to a
      victim.
     Step 5: When the victim runs this program, it deletes core files in
      WINNT directory making Windows unusable.
Virus Construction Kits
• Virus creation programs and construction kits can automatically generate viruses.
• There are a number of virus construction kits available in the wild.
• Some of the virus construction kits are:
  • Kefi's HTML Virus Construction Kit.
  • Virus Creation Laboratory v1.0.
  • The Smeg Virus Construction Kit.
  • Rajaat's Tiny Flexible Mutator v1.1.
  • Windows Virus Creation Kit v1.00.
Examples of Virus Construction Kits
Virus detection methods
The following techniques are used to detect viruses:
• Scanning
• Integrity Checking
• Interception
Virus Incident Response
1.   Detect the attack: Not all anomalous behavior can be
     attributed to a virus.
2.   Trace processes using utilities such as handle.exe,
     listdlls.exe, fport.exe, netstat.exe, pslist.exe and map
     commonalities between affected systems.
3.   Detect the virus payload by looking for altered,
     replaced, or deleted files. New files, changed file
     attributes or shared library files should be checked.
4.   Acquire the infection vector, isolate it. Update anti-
     virus and rescan all systems.
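Integrity checking (the second detection method listed above) is also what step 3 of the incident response list relies on: a baseline of file hashes taken while the system is known-clean, then a diff that reports new, altered/replaced and deleted files. The script below is an added example, not part of the original module; it builds its own small directory tree in a temporary folder, so the paths and file contents are constructed.

```python
import hashlib
import os
import tempfile


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map every file under root (path relative to root, '/' separated)
    to its (sha256, size) pair. This is the integrity-checking baseline."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (file_digest(full), os.path.getsize(full))
    return snap


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences the way step 3 of the incident response list
    does: new files, altered/replaced files, deleted files."""
    return {
        "new": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario in a temporary directory: take a baseline,
    then make the three kinds of change a file infector leaves behind
    (an executable that grew because bytes were appended, a dropped copy
    named like Nimda's README.EXE, and a user document that was erased)
    and diff the two snapshots."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)

        write("bin/app.exe", b"MZ original program bytes")
        write("bin/editor.exe", b"MZ another program")
        write("docs/notes.txt", b"meeting notes")
        baseline = snapshot(root)

        # Simulated changes: plain byte writes in a temp dir, nothing is run.
        write("bin/app.exe", b"MZ original program bytes" + b"APPENDED-STUB")
        write("README.EXE", b"MZ dropped copy")
        os.remove(os.path.join(root, "docs", "notes.txt"))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind + ":", ", ".join(paths) or "(none)")
```

The baseline must be stored off the monitored host (or signed), otherwise a worm that terminates antivirus programs, as Bug Bear does, could just as easily rewrite the hash list.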
What is Sheep Dip?
• Slang term for a computer which connects to a network only under strictly controlled conditions and is used for the purpose of running anti-virus checks on suspect files, incoming messages, etc.
• It may be inconvenient, and time-consuming, for an organization to give all incoming e-mail attachments a 'health check', but the rapid spread of macro-viruses associated with word processor and spreadsheet documents, such as the 'Resume' virus circulating in May 2000, makes this approach worthwhile.
Prevention is better than cure
• Do not accept disks or programs without checking them first using a current version of an anti-viral program.
• Do not leave a floppy disk in the disk drive longer than necessary.
• Do not boot the machine with a disk in the disk drive, unless it is a known "clean" bootable system disk.
• Keep the anti-virus software up to date - upgrade on a regular basis.
AntiVirus Software
• One of the preventions against a virus is to install antivirus software and keep the updates current.
• There are many antivirus software vendors. Here is a list of some freely available antivirus software for personal use:
  • AVG Free Edition
  • VCatch Basic
  • AntiVir Personal Edition
  • Bootminder
  • Panda Active Scan
Popular AntiVirus Packages
• Aladdin Knowledge Systems: http://www.esafe.com/
• Central Command, Inc.: http://www.centralcommand.com/
• Command Software Systems, Inc.: http://www.commandcom.com
• Computer Associates International, Inc.: http://www.cai.com
• Frisk Software International: http://www.f-prot.com/
• F-Secure Corporation: http://www.f-secure.com
• McAfee (a Network Associates company): http://www.mcafee.com
• Network Associates, Inc.: http://www.nai.com
• Norman Data Defense Systems: http://www.norman.com
• Panda Software: http://www.pandasoftware.com/
• Proland Software: http://www.pspl.com
• Sophos: http://www.sophos.com
• Symantec Corporation: http://www.symantec.com
• Trend Micro, Inc.: http://www.trendmicro.com
New Viruses in 2004
• Worm.Win32.Bizex
• I-Worm.Moodown.b
• I-Worm.Bagle.b
• I-Worm.Bagle.a
• I-Worm.Klez
• Worm.Win32.Welchia.a
• Worm.Win32.Welchia.b
• Worm.Win32.Doomjuice.a
• Worm.Win32.Doomjuice.b
Source: Virus Encyclopedia
Summary
• Viruses come in different forms.
• Some are mere nuisances, some come with devastating consequences.
• E-mail worms are self-replicating and clog networks with unwanted traffic.
• Virus codes are not necessarily complex.
• It is necessary to scan the systems/networks for infections on a periodic basis for protection against viruses.
• Antidotes to new virus releases are promptly made available by security companies, and this forms the major counter measure.