
Computer Viruses, Trojans and Worms

Uploaded by kevinsteel
Copyright: © Attribution Non-Commercial (BY-NC)

Computer Viruses, Trojans and Worms

Malware definitions

Malware payloads in general

Network worms

Virus propagation methods

Virus detection avoidance approaches

Platform vulnerability and virus resistance

Malware detection and removal

Other countermeasures

Can a virus ever be good?

Further Reading
Malware definitions: virus

Malware can be classified based on whether and how it replicates and spreads.

A computer virus is a program which runs when a program it attaches itself to is run. When the virus code is run, it will (sometimes or always) try to find another program to infect. When the virus copies or attaches itself to another program in such a manner that when the other program is run, the virus code is also run, the other program is considered to be infected.
Malware definitions: worm

A network worm is a kind of virus which propagates using computer networks. These might directly exploit a vulnerability in software running on computers which have network connections, to cause themselves to be installed and run on the vulnerable computer.

Alternatively, end users may be tricked into running the worm program when they receive it via a network, e.g. by double clicking on an executable file attached to an email.
Malware definitions: trojan

A trojan is a program which a user or administrator installs on a computer because they are misled into thinking it only performs wanted functionality, when in addition it contains hidden functionality which the user does not want.

The term "trojan" might also apply to "adware" or "spyware" software which is installed from a remote website as part of the normal functioning of a poorly designed web browser, without the end user's consent or knowledge.
Malware payloads in general 1

Regardless of how malware propagates, it can be programmed to do anything which the security context of the platform it infects allows it to do. Some examples:

Keylogging. This privacy invasion requires low-level access to the keyboard device driver and the ability to send information back to base.

Timebomb. This causes actions to occur when the system clock reaches a programmed date and time.
Malware payloads in general 2

Logicbomb. If files with particular content are found or other events are detected, a destructive action might be programmed, e.g. formatting a disk or other storage device.

Prank. A virus might be programmed to display messages or cause other effects its author thinks are amusing. Even a virus programmed just to replicate can take up memory and cause a system to slow or crash.
Network worms

A worm might open network connections and infect a vulnerable target computer directly, as with the Morris worm, which infected an estimated 6,000 of the 60,000 Internet hosts in Nov 1988.

Other worms spread, as with a virus, via the use of a host file, which needs to be transferred as part of the network worm. More recent worms have included Mydoom and Storm, which were used to install large botnets used for distributed denial of service (DDoS) and spam attacks.
Virus propagation methods 1

Boot sector viruses infect the boot sector of the boot disk of a computer operating system. These became widespread when it was common for computer users accidentally to leave a floppy disk in the drive and the computer BIOS was configured to boot from the floppy by default. These viruses would transfer via the hard disk to all writeable floppies inserted into the infected computer. This mechanism was defeated when administrators changed the BIOS settings, and became less likely when floppies were less frequently used.

This infection vector could return to prominence if flash USB drives become routinely used by users to carry an operating system together with applications, custom configurations and data between physical machines.
Virus propagation methods 2

Non-resident viruses infect application files and are run when the application runs. Typically the virus is prepended to the application source code for an interpreted application, or to its executable code for a compiled application. Alternatively the virus code might be appended, with a vector to itself added at the start of the program.

When the virus part of the code runs it will search for another suitable file to infect. Once the virus code completes it hands control on to the infected host file. A non-resident virus can be trivial to code (see the next slide for an example), but such a 'virus' is extremely unlikely to spread.
Virus propagation methods 3

This source code for a shell script virus shows how easy it is to create one. This one would not be able to cause harm for various reasons.

[Shell script listing shown as an image on the original slide; not reproduced in this text.]
Virus propagation methods 4

Resident viruses install themselves into memory when they run. Having done this they hand over control to the host application. This kind of virus will be programmed to intercept normal system operations, e.g. opening a file or device, or the use of an interrupt or system call.

When the intercepted operation runs, the virus executes and might then find another suitable infection target or run a payload. When the virus has run it will hand control over to the normal function of the intercepted operation.
Virus propagation methods 5

Fast infector viruses are programmed to spread as rapidly as possible to reduce the risk of the virus being wiped out once introduced into the wild. However, a fast infector is more likely to cause changes in the behaviour of the infected system, so is more likely to be detected.

Slow infector viruses are designed to find other targets to infect infrequently. By spreading slowly this kind of virus is less likely to be detected.
Virus propagation methods 6

Companion viruses do not modify the infection target directly but are stored in a separate file. E.g. if a user inputs the command 'format', a file called format.com will execute before a file called format.exe. format.com is the virus; when it has run, it executes format.exe, the host application, passing on all its arguments.
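As an added illustration (not code from the slides), a small Python audit that looks for the trace a companion virus leaves behind: a NAME.COM sitting beside a NAME.EXE in the same directory. The lookup order .com, .exe, .bat and the directory layout in the demo are assumptions constructed for this example.

```python
import tempfile
from pathlib import Path

# Added illustration, not the slides' code. A companion virus relies on the
# shell trying NAME.COM before NAME.EXE; this audit lists every stem that
# exists with more than one executable extension in the same directory.
# Assumed lookup order (DOS/Windows style): .com, then .exe, then .bat.
PRECEDENCE = [".com", ".exe", ".bat"]

def companion_candidates(dirs):
    """Return (directory, stem, extensions) tuples; extensions are listed
    in the order the shell would try them, so a .com ahead of the .exe
    the user expects is the case worth inspecting."""
    findings = []
    for d in map(Path, dirs):
        if not d.is_dir():
            continue
        seen = {}
        for p in d.iterdir():
            if p.is_file() and p.suffix.lower() in PRECEDENCE:
                seen.setdefault(p.stem.lower(), set()).add(p.suffix.lower())
        for stem, exts in sorted(seen.items()):
            if len(exts) > 1:
                findings.append((str(d), stem, [e for e in PRECEDENCE if e in exts]))
    return findings

def demo():
    """Constructed layout: XCOPY.EXE alone, FORMAT.EXE shadowed by format.com."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "FORMAT.EXE").write_bytes(b"host program")
        (root / "format.com").write_bytes(b"companion")
        (root / "XCOPY.EXE").write_bytes(b"host program")
        return [(stem, exts) for _, stem, exts in companion_candidates([root])]
```

Run against the directories on a real PATH, each hit is a candidate to compare against a known-good copy, not proof of infection on its own.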
Virus propagation methods 7

Macro viruses use the macro programming languages which are embedded within popular applications, e.g. Word and Excel. This kind of virus became widespread in the 1990s. The threat from this kind of virus has probably been reduced following additional prompts when a document containing macros is opened in Word or Excel.
Virus propagation methods 8

Cross Site Scripting (XSS) viruses exploit a combination of vulnerabilities present in both web server applications and web browsers. These will typically need to be coded in two parts: the server code (e.g. in PHP), which propagates from the infected browser to the vulnerable servers, and the part which runs in the browser (e.g. in JavaScript).
Virus detection avoidance 1

Virus programmers and antivirus software developers have been engaged in an arms race ever since viruses became widespread and antivirus software was first marketed in the late 1980s.

Since then we have seen:

Stealth viruses - viruses which trap the interrupts used to open a file and cause any application that reads the file containing them to see only the uninfected file.
Virus detection avoidance 2

Polymorphic and metamorphic viruses - viruses which modify their code every time they infect another target, so they can only be detected using heuristic measures rather than static code signatures.

Disabling anti-virus software. If a virus detects the presence of a known anti-virus program on a system it infects, it will modify the anti-virus software to disable components of it, e.g. the part of the antivirus program which can detect whether the program itself has been modified or whether its virus signature file has been changed.
Virus detection avoidance 3

Avoidance of bait files. A virus might be programmed to avoid infecting program files considered likely to be bait (e.g. because they are small), placed as part of an advanced antivirus detection program to see if a virus is at work.

Leaving access times and file sizes unchanged. A virus may be small enough to fit into the end of a sector after a file. E.g. a filesystem may have effective file sizes of multiples of 1024 bytes, which corresponds to the size of a disk sector. A small virus might restrict its infection targets to files which do not need to add another sector to their size. Some program files have gaps in them large enough for a virus to fit inside.
Virus detection avoidance 4

Self-encrypting viruses take the metamorphic approach to the extreme of the virus encrypting itself using a variable key. However, enough of the virus will have to remain unencrypted for it to be able to decrypt itself when it is executed, so a heuristic antivirus approach remains feasible.
Platform vulnerability to viruses 1

It has been argued that viruses are reported to infect Windows PCs much more frequently than Linux or Macs because more people use Windows. But Windows had many viruses when this system had fewer users in the early 1990s than now use Macs or Linux. Others claim that the Unix design foundation of both Linux and Mac platforms is inherently more secure.

Linux isn't a single platform but has many slightly different distributions. One reason why fewer viruses are reported on Linux could be that virus writers find the differences between Linux distributions make writing viruses that work on many of them harder. A similar advantage concerning infection resistance is gained by a genetically diverse food crop compared to a monocrop of a cloned plant.
Platform vulnerability to viruses 2

Other points of interest in this debate concern the levels of security knowledge of typical users of various platforms, and the ease with which end users can install applications independently of the means provided by the platform developers to verify application compatibility and integrity.

Different defaults are provided in connection with privileged actions carried out by end users. It is also likely to be easier for Windows users to install a wider variety of stand-alone PC software than currently comes supported through the package repositories of the most popular Linux distributions, though Linux might have more server and embedded applications.
Malware detection and removal 1

The most popular approach to this requirement is to install an antivirus program and to keep it current. As new viruses are detected on a daily basis, the signatures and heuristic methods need to be kept updated very regularly. For this reason, modern antivirus programs generally include facilities to update themselves automatically using a network connection whenever new virus signatures and heuristics become available.
Malware detection and removal 2

Platforms which are not themselves thought to be vulnerable to viruses, but which are used to distribute content potentially including viruses, e.g. email between Windows users, must also scan for viruses to avoid becoming part of this problem.

But the number of known virus signatures continues to increase. So even using the ClamAV antivirus package, which is open source and freely installable, growing memory demands are making this job increasingly expensive. The next slide shows how many virus signatures exist and how much memory these occupy as of November 2008.
Malware detection and removal 3

Number of virus signatures: 437972

freshclam daemon 0.94 (OS: linux-gnu, ARCH: i386, CPU: i486)
ClamAV update process started at Fri Nov 7 18:24:28 2008
main.cld is up to date (version: 49, sigs: 437972, f-level: 35, builder: sven)

Demand of anti-virus on memory: 50.9%

PID USER PR NI VIRT RES S %CPU %MEM COMMAND
20782 clamav 20 0 126m 72m S 0.0 50.9 clamav-milter
Other countermeasures

One approach involves stopping a system from running and mounting its hard disk using another operating system, booted from trusted media. Tools can be run on the trusted system to detect suspicious changes to files on the system being scanned. This is considered more reliable than running antivirus software directly on the system, which might have been compromised and where the results of the antivirus scan may also have been compromised by an unknown virus.

The trusted scanning system might also store a set of hash signatures or checksums of files which a virus might modify, and test whether any executables or registry tables have been modified.
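The following Python integrity checker is an added example, not a tool from the slides. It implements the hash-baseline idea on this slide and also shows why comparing hashes beats trusting sizes and timestamps, the evasion described earlier under "Leaving access times and file sizes unchanged". The directory layout and file contents in the demo are constructed for this example.

```python
import hashlib
import os
import tempfile
from pathlib import Path
# Added illustration, not the slides' tool: baseline size, mtime and SHA-256
# per file, then compare a later snapshot taken from a trusted environment.

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Map each regular file (relative POSIX path) to size, mtime and hash."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            out[p.relative_to(root).as_posix()] = {
                "size": st.st_size, "mtime": st.st_mtime_ns, "sha256": sha256_of(p)}
    return out

def compare(baseline: dict, current: dict) -> dict:
    """Classify differences; 'stealthy' = same size and mtime but new hash."""
    report = {"added": sorted(current.keys() - baseline.keys()),
              "removed": sorted(baseline.keys() - current.keys()),
              "modified": [], "stealthy": []}
    for name in sorted(baseline.keys() & current.keys()):
        old, new = baseline[name], current[name]
        if old["sha256"] == new["sha256"]:
            continue
        same_meta = old["size"] == new["size"] and old["mtime"] == new["mtime"]
        report["stealthy" if same_meta else "modified"].append(name)
    return report

def demo() -> dict:
    """Constructed scenario: alter a file in place, keeping size and timestamps."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        target = root / "bin" / "format"
        target.write_bytes(b"ORIGINAL")
        base = snapshot(root)
        st = target.stat()
        target.write_bytes(b"PATCHED!")  # same 8-byte length as ORIGINAL
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # restore times
        (root / "bin" / "dropper").write_bytes(b"new file")
        return compare(base, snapshot(root))
```

In real use the baseline would be written to read-only media and the comparison run from the trusted boot environment, so the baseline itself cannot be rewritten by whatever infected the scanned disk.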
Can a virus ever be good?

In biology, viruses enable potentially beneficial DNA to be transferred between species. This is considered to be a part of the optimisation of the evolutionary process. But it is thought unlikely that anyone could benefit from computer viruses, other than through the proceeds of crime which those who write and spread viruses might obtain.

The difference between a virus and another kind of program is that an ordinary program will normally have the informed consent of the system owner before it can be installed. While there is a similarity between an operating system which can create a copy of itself on installation media and a virus, the OS that makes it easy for its users to copy it will do this with the user's full knowledge and consent.

There is no situation in which taking away the end user's consent to perform an action is considered likely to be of benefit.
