Forensic Science and Law Project ON Computer Virus and Computer Security
I express my gratitude and deep regards to my teacher for the subject, Dr. Shifali Dixit, for giving
me such a challenging topic and also for his exemplary guidance, monitoring and constant
encouragement throughout the course of this thesis.
I am obliged to the staff members of the Library for the timely and valuable information provided
by them in their respective fields. I am grateful for their cooperation during the period of my
assignment.
Lastly, I thank the Almighty, my family and friends for their constant encouragement, without which
this assignment would not have been possible.
KAMALDEEP KAUR
The aim of this project is to explore the hypothesis of a computer virus threat, how destructive it
can be if executed on a targeted machine, and what countermeasures can protect computers from
these threats. In this study, we analysed data extracted from different test scenarios and labs
conducted in a test environment. Computer viruses infect computers and other storage devices by
copying themselves into files and other executable programs. These infected files then allow
attackers to connect to target systems through backdoors. The results of this study show that
proper security implementations, up-to-date operating system patches and anti-virus programs help
users prevent the loss of data and viral attacks on the system. This observation could be used for
further research in network security and related fields; the study will also help computer users
apply the steps and techniques that protect their systems and information from attacks on their
networks.
Cyber security is the biggest concern in today’s world. The threat grows each day as information
security researchers reveal new threats and security vulnerabilities in widely used technologies.
The number of network attacks is at its highest level in years, and the biggest threat to any
computer system is the computer virus, which has proved to be the most devastating and the most
common technique for compromising systems. Investigating various security features could also be
an interesting path to explore in the future to protect Big Data. This project will address these
threats; we will try to find out how they operate and what types of attacker use these tools to
compromise security. Finally, the project will discuss the tips and techniques that can prevent us
from being infected by these malicious and sophisticated computer viruses.
2. What is a virus?
A virus is by definition a computer program that spreads or replicates by copying itself. There
are many known techniques that can be used by a virus, and viruses appear on many platforms.
However, the ability to replicate itself is the common criterion that distinguishes a virus from
other kinds of software.
The term virus is quite often misused. Some viruses contain routines that damage the computer
system on which they run. This so-called payload routine may also display graphics, play sounds or
music, etc. This has led to a situation where viruses are assumed to cause deliberate damage,
even though many viruses don’t. The term virus has, for these reasons, become a synonym for
malicious software, which is incorrect from a technical point of view.
The process of spreading a virus includes both technical features in the virus itself and the
behavior of the computer user. Most viruses are by nature parasitic. This means that they work
by attaching themselves to a carrier object. This object may be a file or some other entity that is
likely to be transmitted to another computer. The virus is linked to the host object in such a way
that it activates when the host object is used. Once activated, the virus looks for other suitable
carrier objects and attaches itself to them. This dependency on the human factor slows down the
replication of viruses. Another closely related program type, a worm, reduces this dependency
and is able to replicate much faster. Worms will be discussed separately in this project.
The main parts of a virus’ code are the replication routine and the payload routine. The
replication routine is a mandatory part of every virus. If it is missing, the program is not a virus
by definition.
The payload routine is, contrary to common belief, not mandatory. As a matter of fact, there are
many viruses that lack a payload routine altogether. The lack of a payload routine may actually
be beneficial for the virus and enable it to replicate more efficiently.
The replication mechanism is the most important part of the virus. This part of the virus code
locates suitable objects to attach the virus to and copies the virus to these objects. Many
different techniques have been used for this purpose.
The first problem the replication routine must solve is how to find suitable objects. A virus is
always written so as to work attached to a certain type of carrier object, such as a program file or
text document created by MS Word, or a limited number of carrier object types. The replication
routine must be able to locate objects of the correct type. This can be done by searching through
the computer, file by file. However, this is rather inefficient and requires a great deal of
computer power. A more elegant approach is for the virus to remain in memory and monitor
system activity. This enables the virus to infect files when they are used. The performance
impact of infecting a single file is so small that the user would not notice it. This behavior also
improves the ability of the virus to spread, as recently accessed files are more likely to be
transmitted to another system.
The next problem that the replication mechanism must solve is how to attach the virus to the
carrier object. This step is done using totally different techniques for different types of viruses.
However, one common requirement is that the virus’ code be executed when the object is used.
Viruses that infect program files may attach the virus code to the beginning or the end of the
program file, and patch the entry point so that when the program is run the virus code is executed
first. The virus usually transfers control to the original program when it has finished its tasks.
This ensures that the original program works properly and the virus avoids detection. Other types
of carrier objects, such as MS Word documents, may provide features for embedding macros in
the document files. These features make it easy for the replication routine of the virus to attach
the code. It can ensure that the code is run properly by using certain naming conventions for the
virus’ macros.
The payload routine is not a mandatory part of a virus. It does not take part in the replication of
the virus in any way. The payload is just a routine that performs something that the author of the
virus wants it to perform on all infected computers. The payload routines of different viruses can
be divided into two groups, malicious and non-malicious. Some viruses also lack a payload
routine altogether.
Malicious payloads can, for example, delete files, modify data, plant backdoors in the system or
reveal confidential data. Non malicious payloads may play music, show pictures or animations,
promote the author’s favorite heavy-metal band etc.
The term virus is familiar to most users of computer equipment. This term is often used to
describe all kinds of software that replicate from computer to computer, and even incorrectly for
some other kinds of software that do not replicate. However, it is not widely known that there are
two different groups of replicating software, viruses and worms. The difference between these
two groups may not be obvious to the computer user who encounters a virus or worm, but the
difference is significant from a technical point of view. A worm, for example, is able to use
services provided by a modern networked environment much more efficiently than a virus.
This results in an advantage that enables worms to spread much faster than viruses.
The name virus is borrowed from biological science. A biological virus is a passive element that
floats around until it hits a suitable cell. The mechanisms of the matching cell are then used to
reproduce the biological virus, to express it in a simplified way. The term virus is rather suitable
for computer-based equivalents, as computer viruses are passive in the same way. They attach to
a carrier object and wait for the object to be transmitted to another computer. Once transmitted,
they activate and start looking for other objects to infect.
A pure worm is more independent than a virus. A pure worm works by itself as an independent
object. It does not need a carrier object to attach itself to. The worm can also spread by initiating
telecommunications by itself. There is no need to wait for a human to send the file or document.
A boot sector virus infects the boot sector of floppy disks or hard drives. These blocks contain a
small computer program that participates in starting the computer. A virus can infect the system
by replacing or attaching itself to these blocks.
These viruses replicate very slowly because they can only travel from one computer to another
on a diskette. In addition, a boot attempt must be made on the target computer using the infected
diskette before the virus can infect it. The virus may, however, reside on the diskette and infect
new computers even if there is no operating system on it.
Network communications have replaced diskettes as a means of sharing data. Software is also
distributed using networks or CD-ROMs rather than diskettes. This has made the boot sector
viruses almost extinct. Some boot sector viruses still remain on stored diskettes, but they are
rarely activated and usually do not work in modern operating systems. However, some damage
does occur because these viruses may unintentionally damage file systems that they do not
understand (e.g. the NTFS file system used by Windows NT).
This group of viruses replicates when attached to MS-DOS program files with the EXE or COM
extensions. They cannot infect 32-bit EXE files used by newer versions of MS Windows. This
group of viruses can replicate over any media that can transfer files, such as diskettes, local area
networks, remote lines etc. Email did not play a significant role in spreading these viruses, as it
was an unusual way of communicating in MS-DOS and Windows 3.x-based environments.
These viruses, however, have a clear disadvantage compared to boot sector viruses; they require
that program files be transmitted. In business environments this is usually done only as part of a
maintenance procedure, not as part of everyday computer usage. Home users writing their own
computer programs provide a much better environment for file viruses. This group of viruses is
extinct because it relies on operating systems that are no longer used.
Document or macro viruses are written in a macro language. Such languages are usually
included in advanced applications such as word processing and spreadsheet programs. The vast
majority of known macro viruses replicate using the MS Office program suite, mainly MS Word
and MS Excel, but some viruses targeting other applications are known as well.
Previous file viruses were made for 16-bit program files used by MS-DOS. The 32-bit versions
of Windows, such as Windows 95, 98 and NT, use a different and more complex format for the
program files. Traditional file viruses cannot infect these files. A new group of file viruses
emerged as the 32-bit operating systems became more popular. These viruses are by nature
similar to the previous file viruses with the exception that they can infect the new file format and
work in 32-bit environments. This category is also called PE-viruses, because the new executable
file format’s name is PE (portable executable). The new format is also used by many other
modules in the system, such as DLLs, system drivers etc. Some viruses infect these modules as
well, but most stick to program files with the EXE extension.
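As an added illustration (example code written for this page, not from the project or any anti-virus product) of the entry-point patching described under "how to attach the virus" and of the PE format that these 32-bit file viruses target: a small Python checker that parses the PE headers and flags an entry point that lies outside every section, sits in a non-executable or writable section, or sits in the last section, which is where appended code usually ends up. The `build_headers` helper constructs header-only images for demonstration; the flag constants are the PE specification's section characteristics.

```python
import struct

# Section characteristic flags from the PE specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def entry_point_findings(data):
    """Parse the PE headers in `data`; return (entry_rva, section_names, findings).
    Each finding is a string saying why the entry point looks unusual."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER (20 bytes)
    nsec = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                    # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va = struct.unpack_from("<8sII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, chars))
    # Which section contains the entry point, if any?
    home = next((i for i, s in enumerate(sections) if s[1] <= entry < s[1] + s[2]), None)
    findings = []
    if home is None:
        findings.append("entry point 0x%x is outside every section" % entry)
    else:
        name, _, _, chars = sections[home]
        if not chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append("entry point section %s is not executable" % name)
        if chars & IMAGE_SCN_MEM_WRITE:
            findings.append("entry point section %s is writable" % name)
        if len(sections) > 1 and home == len(sections) - 1:
            findings.append("entry point is in the last section %s" % name)
    return entry, [s[0] for s in sections], findings

def build_headers(entry_rva, sections):
    """Build a header-only PE32 image for testing (constructed, not a real program).
    sections: list of (name, virtual_address, virtual_size, characteristics)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                      # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva)
    opt += b"\0" * (opt_size - len(opt))
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, vs, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table

CODE_RX = 0x60000020   # CODE | EXECUTE | READ
DATA_RW = 0xC0000040   # INITIALIZED_DATA | READ | WRITE
# Constructed samples: a normal layout, an image whose entry point was moved into an
# appended writable section, and one whose entry point points outside all sections.
CLEAN = build_headers(0x1234, [(".text", 0x1000, 0x1000, CODE_RX),
                               (".data", 0x2000, 0x1000, DATA_RW)])
APPENDED = build_headers(0x3010, [(".text", 0x1000, 0x1000, CODE_RX),
                                  (".data", 0x2000, 0x1000, DATA_RW),
                                  (".vir", 0x3000, 0x200, 0xE0000020)])
OUTSIDE = build_headers(0x9000, [(".text", 0x1000, 0x1000, CODE_RX)])

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("appended", APPENDED), ("outside", OUTSIDE)):
        print(label, entry_point_findings(img)[2])
```

The heuristic is only a first filter: packers and some legitimate linkers also place the entry point in unusual sections, so a hit means "inspect", not "infected".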
2.2.5. Worms
Mail worms
A worm is by definition similar to a virus but more independent. The first wave of worms was
seen when Internet mail became a standard way to communicate. An email client, and especially
address books and mailing lists, provide a powerful way to reach a large number of recipients
worldwide with very little effort. Modern, advanced email programs also provide this
functionality through APIs that make it possible for computer programs to automatically send
messages. All this together provides an environment that enables mail worms to spread much
faster than viruses.
A mail worm is carried by an email message, usually as an attachment but there have been some
cases where the worm is located in the message body. The recipient must open or execute the
attachment before the worm can activate. The attachment may be a document with the worm
attached in a virus-like manner, or it may be an independent file. The worm may very well
remain undetected by the user if it is attached to a document. The document is opened normally
and the user’s attention is probably focused on the document contents when the worm activates.
Independent worm files usually fake an error message or perform some similar action to avoid
detection.
Once activated, the worm usually searches the address book for suitable addresses. New email
messages are created and sent to the selected recipients. The mass mailing may very well contain
hundreds of recipients, or as many recipients as there are in the address books. The mass mailing
is especially powerful if mailing list addresses can be found in the address books. Another
strategy is to remain active in the system and monitor mail traffic. In this case, the worm can, for
example, reply to inbound messages as soon as they arrive.
Pure worms
A worm is a replicating program that works independently without a host file and without user
intervention. Pure worms meet all these requirements, whereas mail worms represent an
intermediate form that resembles both viruses and worms. Pure worms have the potential to
spread very quickly because they are not dependent on any human actions, but the current
networking environment is not ideal for them. They usually require a direct real-time connection
between the source and target computer when the worm replicates. A significant number of the
computers connected to the Internet, however, are on-line only temporarily and perhaps behind
dial-up connections. Servers are currently the main group of computers that meet these criteria.
A larger number of machines, including workstations, may be suitable targets for a worm in local
area networks that provide constant connectivity. Some technique to transfer and start the worm
on the remote machine is also needed. These kinds of actions are usually blocked for security
reasons and worms typically rely on known security holes or misconfigured security policies.
Trojan horses
The name Trojan horse is borrowed from Greek mythology. In the computer world the term
refers to a program that contains hidden malicious functions. The program may look like
something funny or useful such as a game or utility, but harms the system when executed. Many
Trojans contain activation criteria that delay the malicious behaviour for a while. The user is
convinced that the program is safe and useful, and forwards it to other users before the malicious
code strikes.
Trojans lack a replication routine and thus are not viruses by definition. A Trojan is spread to
other computers only through deliberate transfer by the users.
Backdoor Trojans
Backdoor Trojans are a special kind of Trojan that grant unauthorized access to computer
systems. This type of Trojan is rather common and can pose a significant threat to business users.
These Trojans consist of two programs that interoperate: the silent server module planted in a
victim’s computer and the console used by a hacker. The silent server module acts as a spying
tool. The console connects to it using networking protocols and transmits commands to it. This
system can then be used to retrieve data from the target computer, modify data, alter system
settings, execute programs and even record video and sound if the computer is equipped with
multimedia capabilities.
Jokes
A joke program does something funny or tasteless, but does not harm the computer environment.
The effect may be music or sounds, video or animations, interactive functions etc. Some jokes
may disturb the computer’s user interface and be rather annoying, but the effect is temporary and
no permanent damage is done. If permanent damage is done, then the program is by definition a
Trojan rather than a joke.
2.3. Hoaxes
A hoax is a chain letter that is usually circulated as an email message. These chain letters may
have any content and are actually not related to computer viruses in any way. However, the
problem is well known to vendors of anti-virus software because many hoaxes warn about a
non-existent computer virus.
A trained security expert can usually tell a hoax from a real virus warning. Many hoaxes describe
viruses with functionalities that cannot exist in real life. There are also several other attributes
that usually disclose the real nature of the message. The source is often not a reliable security
expert and the message contains the famous sentence “Forward this warning to all your friends
immediately”.
3. Impact on IT systems
The damage caused by viruses and worms can be divided into two categories: intentional damage
and unintentional damage. Intentional effects, whether damaging or harmless, are caused explicitly by
the payload routine. Unintentional damage may be caused as a side effect when the virus replicates.
It is a common misconception that all viruses are malicious by nature. As a matter of fact, many
common viruses lack a payload altogether. It is natural that a virus that does not harm its hosts
spreads much more efficiently than a destructive virus. The virus is dependent on the host and
harming it also reduces the virus’ chances to replicate.
The term harmless virus is sometimes used to describe a virus that lacks a payload routine, or has
a payload routine that only contains non-malicious effects. However, this term is misleading as
most viruses are likely to cause some kind of unintentional damage.
Several of the groups listed here apply to all viruses, especially the unintentional PR damage
and IT support workload. Many viruses also contain one or more intentional but non-malicious
effects. These effects are always produced by the payload routine. The effect may be a picture,
animation or video, music or sounds, interactive functions, political messages, etc. Such effects
usually give an idea of the virus author’s way of thinking, age or nationality. They may be funny
or annoying and may distract or disturb the user, but they do not cause any permanent damage.
Viruses and worms are written by individuals who do not have the resources to test their creations
on a wide range of computer systems, and who do not develop them according to quality control
systems and guidelines. This makes it likely that they cause compatibility problems when run on
systems that differ from the one on which they were developed. These problems can appear as
error messages, crashes, inability to access certain functions, etc. These problems are grouped as
unintentional damage.
Intentional damage is often caused by erasure or modification of data. Erasing files is perhaps the
most obvious way to cause damage. Erasing files, however, is a clumsy method, and modern,
well-maintained systems can usually recover from backups. Modifying data is a much more
sophisticated strategy. Small changes are made to the system now and then. The backup routine
stores partially corrupted data until the virus is detected. Restoring the data is hard or impossible
as several generations of backups are compromised. The last correct backups may be too old, and
it may even be hard to tell which backups are or are not valid.
Viruses may plant backdoors in the system, or steal passwords. These functions can later be used
by hackers to access the system. Damage caused by such hacking activities is hard to predict.
Unauthorized usage of the system may, for example, continue unnoticed for a long time.
3.5. Disclosure of confidential data
Viruses and worms have access to the same communication methods as the user, and even use
them to replicate. A payload routine may easily locate documents that match certain criteria and
send them to anyone on the Internet. Some email worms also cause disclosure of data as a part of
replication. The worms that replicate when attached to a document, such as Melissa, send this
document to recipients to whom the user had no intention of sending the document.
Viruses and worms can disturb computer systems by consuming resources, either intentionally or
unintentionally. Some viruses contain payloads that deliberately eat system resources, but
resource consumption is probably unintentional in most cases. Unintentional resource
consumption may be caused by errors in the virus or by the replication itself. Code Red is an
example of this: searching for new hosts to spread to requires both network traffic and CPU
resources. This load was obvious in the slower response time of the infected web servers or even
in their total inability to serve users.
(ii) Regular updating of anti-virus software - All computer users should enable and configure
the live update feature of their antivirus software, if available, setting the frequency to update
daily. If automatic updates are not possible, manual updates should be performed at least once a
week.
(iii) Practice safe e-mail protocol – Do not open messages from unknown senders. Immediately
delete messages you suspect to be spam.
Enable real-time detection to scan, for example, email attachments, files on removable
media, and files downloaded from the Internet.
Schedule a regular full system scan.
Regularly review and apply the latest security patches/hot-fixes released by product
vendors for operating systems and application programs.
Before installing any software, verify its integrity (e.g. by comparing checksum values)
and ensure it is free of computer viruses and malicious code.
Always boot from the primary hard disk. As far as possible, do not boot workstations
from removable storage devices.
Back up your data regularly.
In short, a computer virus destroys valuable information, so the firewall and anti-virus
software should always be kept up to date.
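The checksum verification step above and the earlier point that silent data modification poisons several generations of backups both come down to comparing hashes against a trusted baseline. The following Python is an added example written for this page (not the project's own code): it builds a SHA-256 manifest, verifies a download against an expected digest, and, given a series of backup generations, reports the newest generation in which each file still matched the baseline. The file contents and backup generations are constructed in memory for demonstration.

```python
import hashlib
import hmac

def build_manifest(files):
    """files: {path: bytes}. Return {path: sha256 hex digest} as the trusted baseline."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}

def verify_checksum(data, expected_hex):
    """Constant-time comparison of a downloaded file's digest with the vendor's published value."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex.lower())

def compare_manifests(baseline, current):
    """Return {path: 'ok' | 'modified' | 'missing' | 'new'} for baseline vs. a later snapshot."""
    report = {}
    for path, digest in baseline.items():
        if path not in current:
            report[path] = "missing"
        elif current[path] != digest:
            report[path] = "modified"
        else:
            report[path] = "ok"
    for path in current:
        if path not in baseline:
            report[path] = "new"
    return report

def last_clean_generation(baseline, generations):
    """generations: manifests of successive backups, oldest first.
    For each baseline path, return the index of the newest backup whose copy still
    matches the trusted digest, or None if no backup holds an intact copy."""
    result = {}
    for path, digest in baseline.items():
        result[path] = None
        for index, manifest in enumerate(generations):
            if manifest.get(path) == digest:
                result[path] = index
    return result

# Constructed sample data: three files, then three backup generations in which a
# virus-style payload changes one digit of the ledger and later edits the report.
FILES_V0 = {
    "ledger.csv": b"id,amount\n1,100\n2,250\n",
    "report.doc": b"Quarterly report (constructed sample)",
    "app.exe": b"MZ\x90\x00 constructed binary",
}
BASELINE = build_manifest(FILES_V0)
GEN0 = dict(FILES_V0)
GEN1 = dict(GEN0)
GEN1["ledger.csv"] = b"id,amount\n1,100\n2,350\n"        # silent one-digit change
GEN2 = dict(GEN1)
GEN2["report.doc"] = b"Quarterly report (constructed sample) - altered"
GENERATIONS = [build_manifest(g) for g in (GEN0, GEN1, GEN2)]

if __name__ == "__main__":
    print(compare_manifests(BASELINE, GENERATIONS[2]))
    print(last_clean_generation(BASELINE, GENERATIONS))
```

Without the baseline, the three backups look equally plausible; with it, the ledger is only recoverable from the oldest generation, which is exactly the situation the text warns about.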
Anti-Virus Programs
There are a number of anti-virus programs that detect, block and delete malicious programs
running on a system. Four mechanisms and techniques are used by anti-virus software:
(i) Signature-based detection, (ii) Heuristic-based detection, (iii) Behavioral-based detection and
(iv) Cloud-based detection.
1) Signature-based detection: Signature-based detection is an essential technique of anti-virus
programs. This method matches the fingerprint of a file against the signature of a known virus; a
signature is a series of bytes found in the virus. Although this technique has drawbacks, such as
being unable to flag a malicious file when a signature for a new virus has not yet been created,
it is still more promising than the other techniques on the market.
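The byte-signature matching just described, as an added example written for this page (not code from the project or any anti-virus product). Signatures are written as hex bytes with `??` as a single-byte wildcard, the notation several scanners use; the signature names and all sample files are constructed and harmless. The two variants at the end show both sides of the drawback in the text: a change under a wildcard is still caught, while a one-byte change in a fixed position defeats the signature entirely.

```python
import re

# Constructed demo signatures (hex bytes; "??" matches any single byte).
SIGNATURES = {
    "Demo.Appender.A": "44 45 4d 4f 2d ?? ?? 52 55 53",                # "DEMO-??RUS"
    "Demo.Macro.B": "53 75 62 20 41 75 74 6f 4f 70 65 6e 28 29",       # "Sub AutoOpen()"
}

def compile_signature(hex_sig):
    """Translate a hex signature with ?? wildcards into a compiled bytes regex."""
    parts = []
    for token in hex_sig.split():
        if token == "??":
            parts.append(b".")                      # any one byte (DOTALL below)
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

COMPILED = {name: compile_signature(sig) for name, sig in SIGNATURES.items()}

def scan_bytes(data):
    """Return a list of (signature name, offset), ordered by offset, for every match."""
    hits = []
    for name, pattern in COMPILED.items():
        for match in pattern.finditer(data):
            hits.append((name, match.start()))
    return sorted(hits, key=lambda hit: hit[1])

def scan_files(files):
    """files: {label: bytes}. Return {label: [signature names]} for a batch of samples."""
    return {label: [name for name, _ in scan_bytes(data)] for label, data in files.items()}

# Constructed samples: a clean program image, an "infected" copy with the marker
# appended, a variant changed only under the wildcard bytes, a variant with one
# fixed byte changed, and a document holding an auto-run macro stub.
CLEAN = b"MZ\x90\x00" + b"hello, harmless program" * 4
INFECTED = CLEAN + b"DEMO-VIRUS payload"
VARIANT_CAUGHT = CLEAN + b"DEMO-XYRUS payload"      # bytes under ?? changed
VARIANT_EVADES = CLEAN + b"DEMO-VIRUZ payload"      # last fixed byte changed
MACRO_DOC = b'Attribute VB_Name = "ThisDocument"\r\nSub AutoOpen()\r\n  MsgBox "demo"\r\nEnd Sub\r\n'

SAMPLES = {
    "clean.exe": CLEAN,
    "infected.exe": INFECTED,
    "variant_caught.exe": VARIANT_CAUGHT,
    "variant_evades.exe": VARIANT_EVADES,
    "letter.doc": MACRO_DOC,
}

if __name__ == "__main__":
    for label, names in scan_files(SAMPLES).items():
        print(label, names or "no match")
```

The macro signature also shows why signatures need context: `Sub AutoOpen()` appears in legitimate documents too, so a real product pairs such a match with heuristics or behavioural checks rather than flagging on it alone.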