Ch02_StudyGuide

Instructor: Prof. Michael P. Harris, CCNA CCAI
ITSY 2400 – Operating Systems Security
Chapter 2
Viruses, Worms, and Malicious Software
Chapter Overview
In this chapter, students learn how viruses, worms, and Trojan horses spread through
operating systems and across networks. They learn what they target and why. Students also
learn about the typical forms of malicious software, such as boot sector viruses and viruses
that attack through macros. After students learn how these forms of malicious software
work, they learn how to set up defenses, such as operating system patches and repair disks.
Learning Objectives
After reading this chapter and completing the exercises, students will be able to:
1) Explain how viruses, worms, and Trojan horses spread
2) Discuss typical forms of malicious software and understand how they work
3) Use techniques to protect operating systems from malicious software and to recover
from an attack
Lecture Notes
How Viruses, Worms, and Trojan Horses Spread
Viruses, Worms, and Trojan horses are all classified as forms of malicious software, or
malware. Malicious software is intended to cause distress to a user, to damage files or
systems, and/or to disrupt normal computer and network functions.
Viruses
A virus is a program that is borne by a disk or a file and has the ability to replicate
throughout a system, typically without the user’s knowledge until there is a visible outcome
or problem. W32.Pinfi is an example of a virus that replicates throughout systems and shared
drives. It may come into a system through an unused service, such as FTP or Telnet, and
then attach to a file. INIT 1984 is an example of a destructive virus that can infect Mac OS
systems. This virus replicates in the background without the user’s knowledge. It can only
become destructive if the user executes an infected file on a Friday the thirteenth.
Viruses spread in stages. The first stage involves transporting the virus from one medium
or system to another. The next stage, replicating throughout a system, is designed to
spread the infection in that system. Another stage involves the actual mark that a virus
leaves on a system, which is the form of attack. Viruses are sometimes classified according
to different schemes. One way to classify viruses is by how they infect systems, as follows:
Michael Palmer, GUIDE TO Operating Systems Security
Thompson/Course Technology ©2004
Page 1 of 7
ISBN: 0-619-16040-3
• Boot or partition sector
• Macro
• File infector
• Multipartite
Another way to classify viruses is by the way they protect themselves from detection or from
a virus scanner, as follows:
• Armored
• Stealth
• Polymorphic
• Companion
A third way to classify viruses is benign or destructive.
Worms
A worm is a program that replicates itself repeatedly on the same computer, or one that sends
itself to many other computers on a network or the Internet. Code Red and Code Red II are
examples of worms that use buffer overflow to do damage. Both versions of Code Red target
older Windows NT and Windows 2000 servers running Internet Information Services (IIS) or
indexing services, without patches installed to defend against this worm.
Besides taking up file space on the local computer, the worm uses a portion of the new files
to search for other computers to attack. At the same time, it opens a back door to all
computers it successfully attacks, giving the worm’s initiator access to those computers. A
back door is a secret avenue into an operating system that often bypasses normal security.
Trojan Horses
A Trojan horse is a program that appears useful and harmless, but instead does harm to the
user’s computer. Backdoor.Egghead is a Trojan horse targeted at Windows NT, Windows
2000, and Windows XP systems. When this program runs, it creates a new folder called
Vchost, under \Winnt\System32 or \Windows\System32, and places its own files in that
folder.
Quick Reference
Discuss the common locations for viruses, worms, and Trojan horses listed in
Table 2-1 on pages 52 and 53 of the text.
Typical Methods Used by Malicious Software
Viruses, Worms, Trojan horses, and other forms of malicious software use many methods to
accomplish their dirty work and spread to other systems.
Executable Methods
An executable virus, worm, or Trojan horse is a file that contains lines of computer code
that can be run. An interpreter takes a file of instructions and executes them, typically one
line at a time. Some examples of executable-type file extensions are listed on page 55.
A parallel, but somewhat different, interpretation of an executable virus is one that infects
the source or execution code of programs. The virus may use commands available from the
command line or an editor to append or insert malicious code affecting one or more
programs, batch files, or scripts.
Boot and Partition Sector Methods
Boot sector or partition sector viruses particularly affect Windows and UNIX/Linux systems
(including Mac OS X). A boot sector or partition sector virus typically infects or replaces the
instructions in the Master Boot Record (MBR) or the partition Boot Sector. Another method
is to corrupt the address of the (active) primary partition, which is specified in the
partition table of a disk.
Typically, eradicating boot sector or partition sector viruses involves recreating the MBR and
partition Boot Sector instructions. On Windows and NetWare systems using the FAT file
system, you can use the fdisk /mbr or the DOS sys command-line commands to recreate
these instruction sets. For Windows systems that use NTFS, there are utilities on the
installation disk to replace the MBR and partition Boot Sector instructions. Also, in NTFS,
you can use the fixboot command from the recovery console to fix the boot sector, or
fixmbr command to fix only the MBR.
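The two effects this section describes, replaced MBR instructions and a corrupted active-partition address, are both visible in the 512-byte sector itself. The following Python program is an added example for this study guide (not code from the textbook): it parses the MBR layout (446 bytes of bootstrap code, four 16-byte partition-table entries, the 0x55AA boot signature) and compares a freshly read sector against a baseline hash and active-partition start recorded on a known-clean system. The sample MBR bytes, the placeholder boot code and the baseline values are constructed for the demo; on a real machine the baseline would be taken right after installation and the comparison run from trusted media.

```python
"""Parse a classic 512-byte MBR and check it against a trusted baseline.

Added example for this study guide (not from the textbook). The sample MBR
bytes below are constructed; the boot code is a placeholder, not real
bootstrap code.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the bootstrap program
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries follow
ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Return the bootstrap code, partition entries and signature state of an MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_LEN
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, _chs_start, ptype, _chs_end, lba_start, num_sectors = struct.unpack_from(
            "<B3sB3sII", sector, off)
        entries.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "num_sectors": num_sectors,
        })
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "partitions": entries,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_boot_hash: str, baseline_active_lba: int) -> list:
    """Compare a freshly read MBR with a baseline taken on a known-clean system.

    Returns human-readable findings; an empty list means nothing changed.
    """
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if hashlib.sha256(mbr["boot_code"]).hexdigest() != baseline_boot_hash:
        findings.append("bootstrap code differs from baseline (possible MBR infection)")
    active = [p for p in mbr["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    elif active[0]["lba_start"] != baseline_active_lba:
        findings.append(
            f"active partition start moved from LBA {baseline_active_lba} "
            f"to LBA {active[0]['lba_start']}")
    return findings


def build_sample_mbr(boot_code: bytes, active_lba: int) -> bytes:
    """Construct a sample MBR with one active NTFS-type (0x07) partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                        active_lba, 2_000_000)
    table = entry + b"\x00" * (ENTRY_LEN * 3)      # remaining three entries empty
    return code + table + BOOT_SIGNATURE


# Constructed baseline: what the clean machine looked like when the record was taken.
CLEAN_MBR = build_sample_mbr(b"CLEAN-BOOTSTRAP-PLACEHOLDER", active_lba=2048)
BASELINE_BOOT_HASH = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
BASELINE_ACTIVE_LBA = 2048

# Constructed "after infection" sector: bootstrap code replaced and the active
# partition address corrupted, the two effects the chapter describes.
INFECTED_MBR = build_sample_mbr(b"TAMPERED-BOOTSTRAP-PLACEHOLDER", active_lba=4096)

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE_BOOT_HASH, BASELINE_ACTIVE_LBA))
    print("infected:", check_mbr(INFECTED_MBR, BASELINE_BOOT_HASH, BASELINE_ACTIVE_LBA))
```

The baseline hash covers only the bootstrap code, because the partition table legitimately changes when disks are repartitioned; the active partition's start address is checked separately so that a moved pointer is reported as its own finding rather than hidden inside a generic "sector changed" message.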
Macro Methods
A macro is a scripting language, or a set of instructions or keystrokes, that is started by using the
name of the macro or pressing a key on the keyboard. Macros are used in software such as
word processors and spreadsheets, and they are also used in programming languages. A virus can
infect a macro and spread each time the macro is used.
E-mail Methods
Most e-mail users are now aware that viruses, worms, and Trojan horses can be sent as
attachments to e-mail. One of the most famous macro viruses, the Melissa virus, was sent
as an e-mail attachment with the subject header: “Important Message From username”. The
Melissa virus did not destroy data, but instead inserted the following line in the virus-carrying
document when it was opened: “Twenty-two points, plus triple-word score, plus fifty points
for using all my letters. Game’s over. I’m outta here.”
Microsoft and other software vendors now configure software, such as the Microsoft Office
products, so that macros are disabled unless they are digitally signed by a trusted source
(see Figure 2-3 on page 58 of the text). A digital signature is a code that is placed in the
file to verify its authenticity by showing that it originated from a trusted source.
Software Exploitation
When there is a new version of an operating system, attackers may begin by looking for
problems (e.g. exploits) in services, applications, systems, and functions that are known to
be vulnerable, such as the following:
• DNS services
• Network services and applications
• Internet services and applications
• Database systems
• Newly developed or enhanced services
• E-mail and messaging services
• Remote access services
• Buffer overflow handling
Spyware
Spyware is software that is placed on a computer, typically without the user’s knowledge,
and then reports back informationto an attacker or an advertiser. On the Internet, some
forms of spyware operate through monitoring cookies. A cookie is information that a Web
server stores on a client computer, such as the client’s preferences when accessing a
particular Web site, or where the client has been on the Web site.
Protecting an Operating System from Malicious Software
There are several basic steps to take to protect an operating system from
malicious software. These include:
1) Installing updates
2) Viewing what is loaded when a system is booted
3) Using malicious software scanners
4) Using digital signatures for system and driver files
5) Backing up systems and creating repair disks
6) Creating and implementing organizational policies
1. Installing Updates
Installing updates and patches is an effective way to prevent attacks on an operating system.
Windows 2000, Windows XP Professional, and Windows Server 2003/2008
The two main ways to install updates for Windows 2000, Windows XP Professional, and
Windows Server 2003/2008 are Windows Update and service packs. Windows (Automatic)
Update (WAU) is used to provide access to patches that are regularly issued, particularly
security patches.
In Windows 2000 Server and Windows 2000 Professional, the Windows Update option is available
from the Start menu. Windows XP Professional and Windows Server 2003/2008 come with the
Automatic Updates Setup Wizard. Service packs are designed to address security issues as well as
problems affecting stability, performance, or the operation of features included with the operating system.
Service packs come out less frequently than the patches you obtain from Windows Update, but they
generally include, in one place, patches that can be obtained from Windows Update, major fixes, new
operating system features, and any previous service packs.
Quick Reference
Examine the guidelines when installing the latest service packs for Windows
XP Pro, and Windows Server 2003/2008 listed on page 62 of the text.
Red Hat Linux
Red Hat issues frequent updates for Red Hat Linux that can be downloaded from Red Hat’s
Web site (www.redhat.com) by using the Red Hat Network Alert Notification Tool.
Quick Reference
Discuss the options available when you right-click the notification tool and the
general steps for configuring the Red Hat Network Alert Notification Tool as
shown on pages 63 and 64 of the text.
NetWare
Novell maintains a support section on its Web site from which you can download updates for
NetWare 6.x: access the support portion of the Web site and then select a link to find
patches and fixes for NetWare. Novell also offers consolidated support packs for its
operating systems that are similar in principle to Microsoft’s service packs.
Mac OS X
Mac OS X uses a Software Update tool that connects to the Internet to obtain patches. The
Software Update tool is accessed through the Software Update icon in the System section of
System Preferences, as shown in Figure 2-8 on page 65 of the text. This tool enables you to:
1) Configure the system to automatically check for updates at specified intervals when
the system is connected to the Internet, with weekly as the default
2) Manually check for updates
3) View the currently installed updates
2. Viewing What Is Loaded When A System Is Booted
One way to troubleshoot a boot problem caused by malicious code in the boot sector or
partition sector is to use an operating system mode that enables you to watch on-screen what
is loading in an operating system as it is booting, or to view a log of the process. Here are
some options provided by different operating systems:
1) In Windows 2000, Windows XP Professional, and Windows Server 2003/2008 you can
view the information on-screen or have a log record the information so that you can
view the log after the system has booted.
2) Red Hat Linux and NetWare automatically display the boot load information to the
screen each time one of these systems is booted.
3) In Mac OS X, you can display the boot process by booting into either single user mode
or verbose mode.
3. Using Malicious Software Scanners
Malicious software (Malware) scanners are an effective way to help protect an operating
system. Although they scan systems for viruses, worms, and Trojan horses, these scanners are
often called virus scanners. Figure 2-10 illustrates Norton AntiVirus installed for Mac OS X.
Quick Reference
Discuss the number of features to look for when purchasing virus scanning
software as described on page 67. Also, examine Table 2-2, which describes
different virus scanning software shown on pages 68 and 69 of the text.
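The scanners this section describes rely on two classic detection methods: matching a file's hash against a list of known-bad samples, and searching file contents for byte-pattern signatures that tolerate a few variable bytes. The Python program below is an added example for this study guide, not the textbook's or any vendor's code, and implements both methods over a small constructed directory tree. The hash list, the pattern signature and the sample files are all constructed for the demo; a real scanner gets its signatures from the vendor's update feed, which is why the chapter treats keeping the scanner updated as part of the defence.

```python
"""Minimal file scanner of the kind the chapter calls a virus scanner.

Added example for this study guide (not the textbook's or any vendor's code).
It detects files by (1) exact SHA-256 match against a known-bad list and
(2) byte-pattern signatures with wildcards. All hashes, patterns and sample
files below are constructed for the demo.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed known-bad hash list; in practice this comes from the vendor's updates.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"CONSTRUCTED-SAMPLE-WORM-BODY").hexdigest(): "Sample.Worm.Constructed",
}

# Constructed pattern signature: "??" is a one-byte wildcard, so the same
# signature still matches when the two bytes between the tokens vary.
PATTERN_SIGNATURES = {
    "Sample.Macro.Constructed": "41 75 74 6F 4F 70 65 6E ?? ?? 44 45 4D 4F",  # "AutoOpen??DEMO"
}


def compile_signature(hex_pattern: str) -> re.Pattern:
    """Turn a pattern such as 'DE AD ?? EF' into a compiled bytes regex."""
    parts = []
    for tok in hex_pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL: "." must match 0x0A too


COMPILED = {name: compile_signature(p) for name, p in PATTERN_SIGNATURES.items()}


def scan_file(path: Path) -> list:
    """Return the names of every signature that matches one file."""
    data = path.read_bytes()
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        hits.append(KNOWN_BAD_SHA256[digest])
    for name, rx in COMPILED.items():
        if rx.search(data):
            hits.append(name)
    return hits


def scan_tree(root: Path) -> dict:
    """Walk a directory; map each relative path with detections to its hit list."""
    report = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            hits = scan_file(p)
            if hits:
                report[p.relative_to(root).as_posix()] = hits
    return report


def demo() -> dict:
    """Constructed directory: one clean file, one hash hit, one pattern hit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "readme.txt").write_bytes(b"nothing to see here")
        (root / "worm.exe").write_bytes(b"CONSTRUCTED-SAMPLE-WORM-BODY")
        # The pattern sits inside otherwise harmless bytes; CR LF fills the wildcards.
        (root / "docs" / "budget.doc").write_bytes(
            b"\xd0\xcf\x11\xe0 header ... Sub AutoOpen\r\nDEMO payload marker ...")
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, hits in demo().items():
        print(f"{rel_path}: {', '.join(hits)}")
```

Hash matching is exact and therefore misses any sample that differs by a single byte, which is why the pattern method exists; the trade-off is that a loose pattern can fire on clean files, so vendors tune signatures against large clean-file collections before shipping them.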
4. Using Digital Signatures for System and Driver Files
When a system file or driver is verified by Microsoft, a unique digital signature is
incorporated by Microsoft into that system file or driver, in a process called driver signing.
Setting your system to require digital signatures in system files and drivers triggers two
protective mechanisms:
1) Whenever there is an attempt to install a new system or driver file, the operating
system checks to make sure it is digitally signed.
2) If for some reason a system or driver file is compressed, whenever the operating
system reboots, it replaces that file with the last known good version of it that is
stored in a backup system folder.
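This check is the same one the chapter applies to macros on page 3 (run only what is digitally signed by a trusted source), with the addition here that a failing system file is replaced from a backup folder. The Python program below is an added example for this study guide, not the textbook's, Microsoft's or any vendor's code, and serves both passages: it verifies a signature record against a trust store of publishers, rejects an unknown publisher even when the signature is internally valid, rejects a file whose contents no longer match its signature, and restores the last known good copy. To stay offline with the standard library only it uses a textbook-RSA signature over a SHA-256 digest; real systems use X.509 certificates and a proper padding scheme. The key, publisher name, file names and file contents are all constructed.

```python
"""Trusted-publisher signature check with restore of the last known good copy.

Added example for this study guide, not the textbook's or any vendor's code.
Uses a toy textbook-RSA signature so it runs with the standard library only;
keys, publisher names and file contents are constructed.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed toy key: two Mersenne primes, far too small for real use.
_P, _Q = 2**31 - 1, 2**61 - 1
RSA_N = _P * _Q
RSA_E = 65537
_RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))   # private exponent, publisher only

# The operating system's trust store: publisher name -> public key (n, e).
TRUSTED_PUBLISHERS = {"Example Driver Publisher (constructed)": (RSA_N, RSA_E)}


def digest_int(data: bytes, n: int) -> int:
    """SHA-256 the contents and reduce into the RSA group (toy scheme)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, d: int = _RSA_D, n: int = RSA_N) -> int:
    """Publisher side: the signature that ships alongside the file."""
    return pow(digest_int(data, n), d, n)


def verify(data: bytes, signature: int, n: int, e: int) -> bool:
    """Verifier side: recover the digest with the public key and compare."""
    return pow(signature, e, n) == digest_int(data, n)


def check_signed_file(data: bytes, sig_record: dict) -> str:
    """Return 'ok', or the reason the file (macro, driver, ...) must not load.

    sig_record travels with the file: {"publisher": str, "signature": int}.
    An unknown publisher fails even if its signature is internally valid;
    that is the "trusted source" half of the policy.
    """
    key = TRUSTED_PUBLISHERS.get(sig_record.get("publisher"))
    if key is None:
        return "publisher not trusted"
    n, e = key
    if not verify(data, sig_record.get("signature", 0), n, e):
        return "signature does not match file contents"
    return "ok"


def check_or_restore(target: Path, known_good_dir: Path, sig_record: dict) -> str:
    """Mechanism 2 from the chapter: a system file that fails the check is
    replaced with the last known good copy kept in a backup folder."""
    result = check_signed_file(target.read_bytes(), sig_record)
    if result == "ok":
        return "kept"
    backup = known_good_dir / target.name
    if check_signed_file(backup.read_bytes(), sig_record) != "ok":
        return f"rejected ({result}); backup copy also fails the check"
    shutil.copyfile(backup, target)
    return f"restored ({result})"


def demo() -> dict:
    """Constructed scenario: a signed driver is installed, then overwritten."""
    with tempfile.TemporaryDirectory() as tmp:
        system32 = Path(tmp) / "System32"
        dllcache = Path(tmp) / "dllcache"        # stands in for the backup folder
        system32.mkdir()
        dllcache.mkdir()
        good = b"constructed driver image v1"
        record = {"publisher": "Example Driver Publisher (constructed)",
                  "signature": sign(good)}
        (dllcache / "example.sys").write_bytes(good)
        (system32 / "example.sys").write_bytes(good)
        first = check_or_restore(system32 / "example.sys", dllcache, record)
        # The installed copy is overwritten; the shipped signature no longer fits.
        (system32 / "example.sys").write_bytes(good + b" + unsigned modification")
        second = check_or_restore(system32 / "example.sys", dllcache, record)
        restored = (system32 / "example.sys").read_bytes() == good
    return {"first": first, "second": second, "restored_ok": restored}


if __name__ == "__main__":
    print(demo())
```

The restore step re-verifies the backup copy before using it, because a backup folder that can be written by the same malicious code is no safer than the file it protects; only a copy that still passes the signature check counts as "last known good".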
5. Backing Up Systems and Creating Repair Disks
Besides backups, some operating systems enable you to create a boot disk or repair disk to
be used in the event that a system file is corrupted and the system won’t boot. These disks
enable you to either boot the computer from operating system files on a floppy disk or CD, or
to use a repair disk to recover system files.
Creating a Windows “Emergency Repair Disk”
After Windows 2000 Server or Professional is installed, you can choose to create an
emergency repair disk (ERD), which enables you to fix problems that may arise with the
server, such as corrupted system files. Plan to create a new ERD each time you install
software, make a server configuration change, install a new adapter, add a NIC, restructure a
partition, or upgrade the operating system.
Quick Reference
Describe how to create and use a Windows Emergency Repair Disk as
illustrated on pages 70 through 72 of the text.
Creating an Automated System Recovery Set
For each computer running Windows XP Pro –or- Windows Server 2003/2008, you should
create an Automated System Recovery (ASR) set in the event that your system fails. The
Automated System Recovery (ASR) set is similar to an emergency repair disk that is created
under previous Windows versions and contains the system files needed to start your system.
The ASR set has two components: a backup of all system files –and- a backup of system
settings. The ASR set does not back up application data files, which you must do separately.
Creating a Red Hat Linux Boot Disk
You can create a Red Hat Linux boot disk that enables booting a system from a floppy disk,
in case a system file on the hard disk is corrupted. When you install Red Hat Linux, the final
steps of the installation process include the opportunity to create a boot disk. If you did not
make a boot disk during installation, then you can make one later from a terminal window.
Quick Reference
Discuss the general steps for making a boot disk for Red Hat Linux
as shown on page 74 of the text.
6. Creating and Implementing Organizational Policies
One of the most effective forms of defense is to educate users through organizational
policies and training. Some organizations establish computer security committees that set
up security guidelines. Organizational policies work best when users are included in the
process. Social engineering, in relation to computer system attacks, refers to the use of
human interaction to gain access to a system or to do damage.
Sample areas of focus for an organizational computer security policy include:
1) Provide training to users in security techniques.
2) Train users about common malicious software.
3) Require that users scan floppy disks and CD-Rs with a virus scanner before taking them
to be used on another computer.
4) Refer to page 75 of the text for the remainder of this list.
Discussion Questions
• Discuss the many ways that anyone can protect their computer from virus infection.
• Discuss the procedures involved in developing an organizational security policy.
Additional Activities
• Create your own organizational computer security policy and compare it with one
created by professionals and chart the differences.
• Utilizing the Internet, search for and compare different anti-virus software.