By: Jason Boylan and Jeff George

COMPUTER VIRUSES

Table of Contents
Definition
History
Vulnerability
How it works
Types of viruses
Virus Removal
Summary

Virus Definition
- Self-replicating computer program
- Potentially unknown to the user
- Potentially self-modifying
- Programmed to damage the computer in some way, or just to be a nuisance to the user

What do viruses do?
The bottom line: they damage your computer and may crash your system.
Examples: corrupting programs, deleting files, or reformatting the hard disk.

History
1970s - ARPANET Creeper virus
1980s - Elk Cloner, Pakistani flu (Brain), Stoned, Jerusalem, Morris worm
1990s - Chameleon, Michelangelo, CIH, Melissa worm, ExploreZip
2000 and beyond - ILOVEYOU, Sadmind, Sircam, Nimda, Klez, Code Red, Blaster worm, Welchia, MyDoom, Sasser worm, Santy, Sony rootkit

History I (1970s)
ARPANET Creeper virus (1971): simply displayed "I'M THE CREEPER : CATCH ME IF YOU CAN." when it reached a system.

History II (1980s)
Elk Cloner (1982): the first virus to cause a large outbreak outside the system on which it was written. It was made on the Apple II, took advantage of the boot sector of a floppy disk, copied itself into memory, and simply displayed a message every 50th boot.
Pakistani flu / Brain (1986): also a boot-sector virus. Its authors presented it as an anti-piracy measure; when it spread to a disk it renamed the disk's volume label to "©Brain".
Stoned (1987): another nuisance virus that slowed down the user's computer and displayed the message "Your PC is now Stoned!" at startup.
Jerusalem (1987): has many spin-offs, all following the same pattern: on a certain date or time the virus executes its payload and makes itself known, typically every Friday the 13th.

History III (1980s - 1990s)
Morris worm (1988): written by Robert Tappan Morris, reportedly to measure the size of the Internet. A design flaw made it re-infect machines that were already infected, so copies piled up and slowed systems to a crawl. One of its entry points was a buffer overflow in the fingerd daemon: an over-long input overwrote memory the program should never have let it reach, and the worm gained code execution.
ExploreZip (1999): an e-mail worm that destroyed Office documents and C and C++ source files by truncating them to zero length.

History IV (2000 and beyond)
ILOVEYOU (2000): spread by e-mailing itself to everyone in the infected user's address book. Recipients opened the attachment because it appeared to come from someone they trusted; the worm then overwrote important files and media files.
Sadmind (2001): exploited operating-system weaknesses (a vulnerability in the Solaris sadmind service) rather than relying on users.
Sircam and Klez (2001): mass-mailing worms.
Nimda (2001): spread by e-mail as well as by several other routes.
Code Red (2001): not a mailer at all; it spread by exploiting a vulnerability in Microsoft IIS web servers.
Blaster worm (2003): a worm built to mount a DDoS attack against windowsupdate.com.
MyDoom (2004): the fastest-spreading e-mail worm seen at the time.
Sasser worm (2004): propagated by exploiting a flaw in a Windows network service (LSASS) directly over the network, with no user action needed.
Santy (2004): used Google searches to find new targets (vulnerable phpBB forums).
Sony rootkit (2005): copy-protection software shipped on Sony BMG audio CDs that installed itself like a rootkit, hiding its files from the user and the operating system.

Vulnerability
- Diversity in software lowers vulnerability.
- Standardization is bad in this sense: when everyone runs the same software, everyone is exposed to the same flaw.
- Users of Microsoft Office and Internet Explorer are typically more exposed because their widespread use makes them attractive targets.
- Macs see fewer viruses mainly because their low PC market share makes them a less attractive target, not because they cannot be infected.

How do they do it?
In order to replicate itself, the virus needs permission to execute code and write to memory.
Viruses attach themselves to an executable file of a legitimate program. When the user runs that program, the virus code is executed. Sometimes only the virus code is executed and the original program never runs.

Two types of viruses
1. Non-resident viruses (finder module + replication module)
2. Resident viruses

Non-resident viruses
A non-resident virus constantly looks for suitable files to infect; once a file is infected, it is ready to do its damage. The virus consists of two distinct components. The finder module looks for potential prey (files to infect), then calls the replication module to infect that particular file.

Resident viruses
Resident viruses do not have a distinct finder module. Instead the virus loads its replication module into memory, where it works in the background. Each time the operating system is called to perform an action, the replication module is called too, so every suitable program that is executed on the computer becomes possible prey for infection.

Methods to avoid detection
Both types of virus discussed above try to remain hidden. Possible tricks:
1. The virus might pretend to be "Hot_Girls.jpeg" to get onto your computer, when really it is "Hot_Girls.jpeg.exe" (Windows hides known file extensions by default, so only the decoy name shows).
2. Some viruses keep the "last modified" date unchanged after altering the content of a file, so the change is not obvious from the timestamp.
3. Stealth: some viruses intercept an anti-virus program's read requests to the operating system. The anti-virus ends up asking the virus, not the OS, for the file's contents; the virus hands back a clean copy of the file and remains undetected.

The computer is infected. What can I do now?
First of all, it is very important not to ignore it, because at some point you will no longer be able to. Also, be prepared to lose some data.
You can do one of two things:
1. Virus removal
2. Operating-system reinstallation

Virus Removal - 1
The simplest method: most Windows machines (Windows Me, XP or Vista) have the System Restore tool. It restores the registry and critical system files to a previous checkpoint. It does not touch ordinary data files, so a virus living in those can survive, and the restore point you pick must predate the infection.

Virus Removal - 2
Software that can detect and eliminate viruses. Such software usually detects only known viruses, so it has its limits; keep the anti-virus software and its virus definitions up to date.

Virus Removal - 3
Operating-system reinstallation. This is the final means of removing a virus. It destroys not some but all of the data on that partition and gives you a fresh start; in return, it almost always removes the virus. It involves simply reformatting the OS partition and installing the OS from its original media. The recovery disk may have come with the computer when it was bought, or you may have to purchase one.

In Summary
Viruses infect systems by:
1. Appending themselves to a program
2. Copying themselves to other programs
3. Distributing themselves without the user's knowledge
They can be very harmful to a system and cost users a lot of money.
To stay protected, keep your anti-virus software up to date, and if you suspect an infection, don't ignore it.
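The following is an added worked example, not part of the Boylan and George presentation. It shows how a practitioner can catch two of the hiding tricks listed under "Methods to avoid detection", the double extension ("Hot_Girls.jpeg.exe") and the preserved "last modified" date, with a simple file-integrity baseline: record a content hash and the timestamp for every file once, re-scan later, and treat a file whose hash changed while its timestamp did not as tampered. The finder/checker split deliberately mirrors the finder and replication modules described for non-resident viruses, used here for defence. The extension lists, directory layout and file contents are constructed for the demonstration and are assumptions, not anything from the original slides.

```python
"""Added example: file-integrity check for hiding tricks 1 and 2.

Not part of the original presentation. Records (mtime, SHA-256) for every
file under a directory, then re-scans and flags files whose content changed
while the timestamp stayed put (trick 2) and names with a decoy extension
followed by an executable one, like Hot_Girls.jpeg.exe (trick 1).
All paths and file contents are constructed inside demo().
"""
import hashlib
import os
import tempfile

# Extensions Windows will execute; a name ending in one of these after a
# "harmless" extension is the double-extension trick (assumed lists).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}
DECOY_EXTS = {".jpeg", ".jpg", ".png", ".gif", ".txt", ".doc", ".pdf"}


def sha256_of(path):
    """Content digest, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Finder half: walk root and record (mtime_ns, digest) for every file."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            baseline[rel] = (os.stat(path).st_mtime_ns, sha256_of(path))
    return baseline


def has_double_extension(name):
    """True for names such as Hot_Girls.jpeg.exe: decoy extension, then executable one."""
    rest, last = os.path.splitext(name.lower())
    _stem, inner = os.path.splitext(rest)
    return last in EXECUTABLE_EXTS and inner in DECOY_EXTS


def find_tampered(root, baseline):
    """Checker half: compare a fresh scan with the baseline, return {relpath: reason}.

    A digest that changed while the mtime did not is the fingerprint of a
    virus that put the timestamp back after infecting the file; an ordinary
    edit moves the mtime forward as well. Timestamps alone prove nothing,
    which is why the digest is what gets compared.
    """
    current = build_baseline(root)
    findings = {}
    for rel, (mtime, digest) in current.items():
        if has_double_extension(os.path.basename(rel)):
            findings[rel] = "double extension"
        elif rel not in baseline:
            findings[rel] = "new file"
        else:
            old_mtime, old_digest = baseline[rel]
            if digest != old_digest and mtime == old_mtime:
                findings[rel] = "content changed, timestamp preserved"
            elif digest != old_digest:
                findings[rel] = "content changed"
    for rel in baseline:
        if rel not in current:
            findings[rel] = "deleted"
    return findings


def demo():
    """Constructed scenario: baseline three files, then simulate an infection that
    appends a payload and restores the mtime, an honest edit, and a dropped
    file with a misleading name."""
    with tempfile.TemporaryDirectory() as root:
        files = {"app.exe": b"MZ legit program", "notes.txt": b"hello", "readme.txt": b"docs"}
        for name, body in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)

        # Trick 2: infect app.exe, then put atime/mtime back exactly as they were.
        app = os.path.join(root, "app.exe")
        before = os.stat(app)
        with open(app, "ab") as f:
            f.write(b"\n<<simulated payload>>")
        os.utime(app, ns=(before.st_atime_ns, before.st_mtime_ns))

        # Honest edit: content changes and the mtime moves forward (set explicitly
        # so the result does not depend on filesystem timestamp granularity).
        notes = os.path.join(root, "notes.txt")
        old_mtime = baseline["notes.txt"][0]
        with open(notes, "ab") as f:
            f.write(b" world")
        os.utime(notes, ns=(old_mtime + 10**9, old_mtime + 10**9))

        # Trick 1: a dropped executable wearing an image name.
        with open(os.path.join(root, "Hot_Girls.jpeg.exe"), "wb") as f:
            f.write(b"MZ dropper")

        return find_tampered(root, baseline)


if __name__ == "__main__":
    for path, reason in sorted(demo().items()):
        print(f"{reason:40} {path}")
```

Running the block reports app.exe as "content changed, timestamp preserved", notes.txt as an ordinary "content changed", and Hot_Girls.jpeg.exe as "double extension", while readme.txt is silent. The baseline has to be taken while the machine is known clean and stored somewhere the virus cannot rewrite (read-only media or another host), and it does nothing against trick 3: a stealth virus that answers the scanner's reads with clean data would fool the hashing step too, which is why scanning from a clean boot medium is the stronger check.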