Viruses and Worms


Description

Viruses and Worms. What Is a Virus? A program that attaches itself to another executable (a host program). Whenever the host program is executed, the virus code runs and can copy itself into other executables found in memory or on the hard drive. PowerPoint (PPT) presentation, 31 slides.

Transcript of Viruses and Worms

Page 1: Viruses and Worms

Viruses and Worms

Page 2: Viruses and Worms

What Is a Virus?

 A program that attaches itself to another executable (a host program)
 Whenever the host program is executed, the virus code runs; it can make a copy of itself and infect other executables it finds in memory or on the hard drive
 The virus runs with the privileges of the user who launched the host program, so it can do anything that user can do on your computer

Page 3: Viruses and Worms

Viruses vs. Worms

 Viruses don’t break into your computer – they are invited in by you
o They cannot spread unless you run an infected application or open an infected attachment
o Early viruses spread between applications on your own computer
o Contemporary viruses spread as e-mail attachments: they mail themselves to the people in your address book
 Worms break into your computer through some vulnerability, install malicious code and move on to other machines
o You don’t have to do anything to make them spread

Page 4: Viruses and Worms

Viruses vs. Trojans

 Viruses attach themselves to other executables
o For example, a Word template or a PowerPoint presentation (anything that carries executable content such as macros)
o They can infect any executable
 Trojans claim to be other executables but instead contain malicious code
o For example, a cool new game is advertised on a Web site but it also contains malicious code
o Trojan code will not spread to other programs on your machine; it simply gains access and does malicious things

Page 5: Viruses and Worms

Virus Types

 File infectors
o Attach to executable files or source code
o Direct action – select and infect several programs each time the host program is run
o Resident – load themselves into memory whenever a host program is run and then remain in memory, infecting any other executable that is executed
 System (boot-sector) infectors
o Infect a system area on disk, load themselves at boot and then remain memory-resident
 Hybrid (multipartite)
o Infect both files and boot sectors

Page 6: Viruses and Worms

Virus Types

 File system (cluster) viruses
o Modify directory table entries so that the virus code is loaded and executed before the host program
o The host program itself is not altered, only the directory table is
 Kernel viruses
o Target specific features of system files, such as their location on disk, calling convention etc.

Page 7: Viruses and Worms

Virus Types

 Stealth
o Like rootkits
o Hide the fact that they have infected the system by modifying the replies to system queries (file sizes, directory listings, sector reads)
o Must be resident
o Can only be detected reliably if we boot the system from a clean bootable floppy or CD, so that the virus is not in memory to intercept the queries
 Polymorphic
o Change the virus code to avoid signature detection
o Encrypt themselves with a variable key – if the decryption code is always the same, scanners can simply use the decryptor as the signature, so a truly polymorphic virus also mutates its decryptor
o Use different encryption schemes

Page 8: Viruses and Worms

Virus Types

 Fast infectors
o Infect not only the files that are executed but also those that are merely opened (e.g. by a virus scanner)
 Slow infectors
o Only infect modified or newly created files – fools integrity checkers, which expect those files to change anyway
 Sparse infectors
o Infect infrequently (e.g. every 10th file) to avoid detection

Page 9: Viruses and Worms

Virus Types

 Companions
o Create a new file with a name similar to the host program’s (for example, on DOS a PROGRAM.COM placed next to PROGRAM.EXE is the one that runs when the user types PROGRAM)
o When the host program is called, the virus is executed instead
o The virus calls the host program at the end
o This fools integrity checkers that only look at existing files

Page 10: Viruses and Worms

Virus Types

 Cavities
o Overwrite a part of the host program that is filled with a constant (padding)
o Do not increase the length of the host program and preserve its functionality
 Tunneling
o Anti-virus monitors hook interrupt vectors to watch what programs do (some viruses modify the vectors too)
o Tunneling viruses locate the original interrupt handler and call it directly, bypassing the hooks

Page 11: Viruses and Worms

How Do Viruses Spread?

 You receive an infected e-mail attachment
 You download infected code
 Your thumb drive gets infected

Page 12: Viruses and Worms

What Can Viruses Do?

 Wipe your hard drive
 Modify or delete files
 Steal files
 Spread further
 They frequently delay any malicious actions until they have spread sufficiently

Page 13: Viruses and Worms

Indicators of Virus Infection

 Changes in file sizes or checksums
 Unaccounted-for resource consumption
 Changes to interrupt vectors
 The best detection would be to analyze all files on your system for modifications – impractical to do continuously

Page 14: Viruses and Worms

Virus Detection Systems

 Activity monitoring systems (anomaly detection)
o Look for virus-like activity such as attempts to reformat the disk
o May generate false positives
 Scanners (signature detection)
o Look for patterns in virus code
o Use a database of known virus signatures
o Handle polymorphic variants by emulating the decryptor (or undoing the encryption) and matching the decrypted body
o Sometimes they use heuristics to detect new virus signatures
o Most scanners also include disinfection code
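As an added example (not from the slides) of what the scanner bullets describe, the Python below builds a toy "encrypted virus" sample – a constant decryptor stub, a key byte and a body XORed with that key – and scans it with ClamAV-style hex signatures in which ?? is a one-byte wildcard. The stub bytes and the body text are constructed for the demonstration and are not real malware or machine code. A signature on the body misses every encrypted copy; a signature on the constant stub catches all of them (the weakness the Polymorphic bullets point out); and the decrypt-then-scan routine shows how a scanner recovers the body of a known family.

```python
from typing import List, Optional

# Constructed stand-in for a virus body (plain text, not real malware).
BODY = b"copy self into every host program on the disk"
# Constant "decryptor" stub: made-up bytes, not real machine code.
STUB = bytes.fromhex("eb0590909031c08a0e")


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_sample(key: int) -> bytes:
    """Sample layout of an encrypted virus: [stub][key byte][body XOR key]."""
    if not 0 < key < 256:
        raise ValueError("key must be 1..255 (0 would leave the body in the clear)")
    return STUB + bytes([key]) + xor_bytes(BODY, key)


def parse_sig(sig: str) -> List[Optional[int]]:
    """Hex signature; '??' is a one-byte wildcard (ClamAV-style)."""
    if len(sig) % 2:
        raise ValueError("signature must have an even number of hex digits")
    return [None if sig[i:i + 2] == "??" else int(sig[i:i + 2], 16)
            for i in range(0, len(sig), 2)]


def find(data: bytes, sig: str) -> int:
    """Offset of the first match of sig in data, or -1 if it never matches."""
    pat = parse_sig(sig)
    n = len(pat)
    for off in range(len(data) - n + 1):
        if all(p is None or data[off + j] == p for j, p in enumerate(pat)):
            return off
    return -1


BODY_SIG = "636f7079??73656c66"  # "copy" ?? "self": a signature on the body
STUB_SIG = "eb05909090??c0"      # the first bytes of the constant decryptor


def scan_raw(data: bytes) -> dict:
    """Plain signature scan of the bytes as they sit on disk."""
    return {"body": find(data, BODY_SIG), "stub": find(data, STUB_SIG)}


def scan_with_decrypt(data: bytes) -> int:
    """What a scanner does for a known encrypted family: find the stub,
    read the key the stub would use, undo the encryption, scan the body."""
    at = find(data, STUB_SIG)
    key_pos = at + len(STUB)
    if at < 0 or key_pos >= len(data):
        return -1
    body = xor_bytes(data[key_pos + 1:], data[key_pos])
    return find(body, BODY_SIG)


if __name__ == "__main__":
    for key in (0x41, 0x9F):
        s = make_sample(key)
        print(f"key {key:#x}: raw {scan_raw(s)}, after decrypt {scan_with_decrypt(s)}")
```

The two keys give two byte-for-byte different files, which is exactly why a body signature alone is not enough; note that the stub signature only works because this toy decryptor is constant, and a virus that also rewrites its decryptor forces the scanner into emulation or heuristics.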

Page 15: Viruses and Worms

Virus Detection Systems

 Integrity checkers
o Remember file hashes
o Detect file modifications
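An added example (not part of the slides) of an integrity checker as described here: it records a SHA-256 baseline of a directory tree, reports modified, added and removed files, and additionally flags a new executable whose name collides with an existing one, which is the companion-virus case from the Virus Types slides that a checker looking only at existing files would miss. The directory layout, the file names and the "infection" changes made in demo() are constructed for the demonstration, and EXEC_SUFFIXES is a demo assumption.

```python
import hashlib
import os
import tempfile
from typing import Dict, List

# Suffixes treated as executable for the companion check (demo assumption).
EXEC_SUFFIXES = {".exe", ".com", ".bat", ".sh"}


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: str) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = sha256_of(full)
    return out


def compare(root: str, base: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff the tree against a stored baseline."""
    now = baseline(root)
    modified = sorted(p for p in base if p in now and now[p] != base[p])
    added = sorted(p for p in now if p not in base)
    removed = sorted(p for p in base if p not in now)
    # Companion heuristic: a NEW executable whose name without extension
    # matches a file already in the baseline (e.g. prog.com beside prog.exe).
    stems = {os.path.splitext(p)[0] for p in base}
    companions = sorted(p for p in added
                        if os.path.splitext(p)[1].lower() in EXEC_SUFFIXES
                        and os.path.splitext(p)[0] in stems)
    return {"modified": modified, "added": added,
            "removed": removed, "companions": companions}


def demo() -> Dict[str, List[str]]:
    """Build a constructed tree, take a baseline, apply three changes, re-check."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: bytes) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        write("bin/prog.exe", b"MZ original program")
        write("bin/tool.exe", b"MZ another program")
        write("docs/readme.txt", b"hello")
        base = baseline(root)
        # Simulated changes after the baseline (constructed, not real infection):
        write("bin/tool.exe", b"MZ another program<appended code>")  # file infector
        write("bin/prog.com", b"<companion>")                         # companion virus
        os.remove(os.path.join(root, "docs", "readme.txt"))
        return compare(root, base)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run the checker, and keep its baseline, on a trusted medium: a resident stealth virus can otherwise hand it clean file contents (the Stealth bullets on the Virus Types slides), and a slow infector only ever appears in the "modified" list, which you still have to reconcile against legitimate updates.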

Page 16: Viruses and Worms

Virus Detection Systems

 Usually resident
 Sometimes can even be added to the boot sector to detect boot-sector viruses
 Some virus detection systems will prohibit access to external drives unless they have been scanned first

Page 17: Viruses and Worms

Virus Detection Hardware

 Defines non-writable areas of the disk for executable files
 Sounds an alarm and/or requires a password in order to modify these areas
 Might be annoying and generate false alarms (every legitimate software install or update writes to those areas)

Page 18: Viruses and Worms

Virus Removal

 Identify which files have been modified
o Virus scanners will do this
 Restore the last known good copy of these files from your backup
 It is not necessary to re-format the disk
 Some virus scanners can disinfect files – remove the virus code

Page 19: Viruses and Worms

Can a Virus Infect Data Files?

 Yes, but it will never be executed because data files do not contain executable code
 A virus can be hidden in .gif and .jpeg files using steganography, but it has to be extracted and run by an executable
 Caveat: this holds only while the file is treated purely as data. A document format that carries macros (the Word template on the Viruses vs. Trojans slide) is executable, and a bug in the program that parses an image can let a crafted “data” file take over that program

Page 20: Viruses and Worms

Can a Virus Spread To Other OS?

 No, a virus contains OS-specific code
o You may receive the virus on another OS but it won’t run and therefore won’t spread
o Exception: a virus written for an interpreter that exists on several OSes (e.g. Office macros) spreads wherever that interpreter runs
o How about worms?

Page 21: Viruses and Worms

Can a Virus Infect Mainframe Computers?

 Yes, but it’s harder
o Mainframe computers have write protections between users, so a virus can only infect user A’s files
o However, if user A sends a file to user B then B’s files also get infected
o If the virus is placed in a shared area then all users’ files may get infected
o Mainframe computers are generally better maintained and it is hard to write a good mainframe virus – only a few exist so far

Page 22: Viruses and Worms

How About Self-Checking Code?

 Add integrity-checking code to every file so that it checks whether it is infected every time it is run
 If the file is infected, the virus is executed first (it controls the entry point)
 It can also fiddle with the integrity-checking code and disable it
 Ineffective against companion viruses, which never touch the host file

Page 23: Viruses and Worms

Why Are Viruses Perceived As Harmful?

 They spread beyond our control – there is no way to stop the spread of a virus that you release
 It is hard to distinguish between viruses and benign code
 They eat resources
 They may do malicious things
 They may disable self-checking programs
 They may infect cyber-physical systems and do irreparable damage

Page 24: Viruses and Worms

How About Good Viruses?

 People have toyed with the idea of useful viruses but this has not been accepted
o The virus idea simply seems too dangerous
o Good virus code may be buggy and thus vulnerable
o A good virus could ask for permission to infect the system – imagine this scenario on a hospital computer
o Bad virus code could be attached to a good virus to slip past detection
o Legal issues might arise
o People don’t like the idea that someone takes control over their computer

Page 25: Viruses and Worms

What Would Good Viruses Do?

 Detect viruses and fix infected files
 Compress files and decompress them at run time
 Encrypt the hard drive and require the user’s password for decryption
 Maintain machines, e.g. delete temporary files – come by invitation
 People haven’t been able to come up with a controlled way to plant a good virus
o Asking for acceptance wastes (maybe precious) time
o Checking for an invitation wastes resources
 People haven’t come up with a compelling use for a good virus

Page 26: Viruses and Worms

What is a Worm?

 A program that:
o Scans the network for vulnerable machines
o Breaks into machines by exploiting the vulnerability
o Installs some piece of malicious code – backdoor, DDoS tool
o Moves on
 Unlike viruses
o Worms don’t need any user action to spread – they spread silently and on their own
o Worms don’t attach themselves to other programs – they exist as separate code in memory
 Sometimes you may not even know your machine has been infected by a worm

Page 27: Viruses and Worms

Why Are Worms Dangerous?

 They spread extremely fast
 They are silent
 Once they are out, they cannot be recalled
 They usually install malicious code
 They clog the network

Page 28: Viruses and Worms

First Worm Ever – Morris Worm

 Robert Morris, a PhD student at Cornell, was interested in network security
 In Nov. 1988 he created the first worm, with the goal of having a program live on the Internet
o The worm was supposed only to spread, fairly slowly
o It was supposed to take just a little bit of resources so as not to draw attention to itself
o But things went wrong …
 The worm was supposed to avoid duplicate copies by asking a computer whether it was already infected
o To avoid false “yes” answers (an administrator faking the reply to keep the worm out), it was programmed to install another copy anyway one time in seven when it received a “yes” answer
o This turned out to be far too much: every already-infected host kept accumulating new copies
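A constructed simulation of the check-then-reinfect rule on this slide, added here and not the worm’s own code. Each live copy probes one random host per round; a clean host is always infected, while an already-infected host answers “yes” and gets another copy anyway with probability dup_prob. The host count, number of rounds and random seed are arbitrary; running it with dup_prob = 0 shows what the intended “never reinfect” behaviour would have looked like.

```python
import random
from typing import Tuple


def simulate(hosts: int, rounds: int, dup_prob: float,
             seed: int = 7) -> Tuple[int, int, int]:
    """Model of the worm's duplicate check.

    copies[h] is the number of worm copies running on host h. Every round
    each copy probes one random host. A clean host is infected; an infected
    host answers "yes" and is reinfected anyway with probability dup_prob
    (Morris used 1/7 to defeat a faked "yes"). A host that was clean at the
    start of the round but already picked this round is treated as "yes".
    Returns (infected_hosts, total_copies, max_copies_on_one_host).
    """
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    copies = [0] * hosts
    copies[0] = 1              # patient zero
    for _ in range(rounds):
        new = [0] * hosts
        for h in range(hosts):
            for _ in range(copies[h]):
                target = rng.randrange(hosts)
                if copies[target] == 0 and new[target] == 0:
                    new[target] = 1                 # clean host: infect it
                elif rng.random() < dup_prob:
                    new[target] += 1                # "yes", duplicate anyway
        for h in range(hosts):
            copies[h] += new[h]
    infected = sum(1 for c in copies if c)
    return infected, sum(copies), max(copies)


if __name__ == "__main__":
    for prob, label in ((0.0, "never reinfect"), (1 / 7, "reinfect 1 in 7")):
        infected, total, worst = simulate(hosts=60, rounds=40, dup_prob=prob)
        print(f"{label}: {infected} hosts infected, {total} copies, "
              f"worst host runs {worst}")
```

Once every host is infected, the 1-in-7 rule turns each round into a fixed-percentage increase in copies, so the per-host load grows geometrically with no ceiling; that is the resource exhaustion that made the worm noticeable.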

Page 29: Viruses and Worms

First Worm Ever – Morris Worm

 It exploited four weaknesses to break in
o A bug in sendmail (the DEBUG command)
o A bug in the finger daemon (a stack buffer overflow in fingerd)
o The trusted-hosts feature (/etc/hosts.equiv and ~/.rhosts)
o Password guessing
 The worm replicated at a much faster rate than anticipated
 At that time the Internet was small and homogeneous (Sun and VAX workstations running BSD UNIX)
 It infected an estimated 6,000 computers, about one tenth of the then-Internet, in a day

Page 30: Viruses and Worms

First Worm Ever – Morris Worm

 People quickly devised patches and distributed them (the Internet was small then)
 A week later all systems were patched and the worm code was removed from most of them
 No lasting damage was caused
 Robert Morris paid a $10,000 fine, was placed on probation and did community service
 The worm exposed not only vulnerabilities in UNIX but, more importantly, in the organization of the Internet
 Users didn’t know whom to contact to report an infection or where to look for patches

Page 31: Viruses and Worms

First Worm Ever – Morris Worm

 In response to the Morris Worm, DARPA formed CERT (the Computer Emergency Response Team, at Carnegie Mellon’s Software Engineering Institute) in November 1988
o Users report incidents to CERT and get help in handling them
o CERT publishes security advisories informing users of new vulnerabilities that need to be patched and how to patch them
o CERT facilitates security discussions and advocates better system management practices