Computer Viruses
Seminar by:
MOHIBUR RAHMAN
Definition
Virus: A true virus is a program capable
of self-replication. It may spread between
files or disks, but the defining characteristic is
that it can recreate itself on its own
without traveling to a new host.
Background
There are an estimated 30,000 computer
viruses in existence
Over 300 new ones are created each month
The first virus was created to show loopholes in
software
Virus Languages
ANSI COBOL
C/C++
Pascal
VBA
Unix Shell Scripts
JavaScript
Basically any language that works on the
system that is the target
Classifying Virus - Types
Trojan Horse
Worm
Companion Virus
Stealth Virus
Stealth Viruses
The STEALTH virus is one that, while "active", can hide the changes
it has made to files or boot records. This is achieved by monitoring
the system functions used to read files or sectors from storage media
and forging the results of calls to such functions, so that
programs that try to read infected files or sectors see the original,
uninfected form instead of the actual, infected form.
Companion Virus
The COMPANION virus is one that, instead of modifying an existing
file, creates a new program which is executed instead of the intended
program.
On exit, the new program executes the original program so that things
appear normal. On PCs this has usually been accomplished by
creating an infected .COM file with the same name as an existing
.EXE file.
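A defender's check for the situation described above, as an added example that is not part of the original slides: it scans a file listing for base names that exist with more than one executable extension in the same directory and reports which file would run first. It goes slightly beyond the .COM/.EXE case by using the DOS search order .COM, .EXE, .BAT; the function name and the sample listing are constructed for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Order in which DOS resolves a command typed without an extension.
SEARCH_ORDER = [".com", ".exe", ".bat"]

def find_shadowed_programs(paths):
    """Map (directory, base name) -> (file that runs, [files it shadows])."""
    groups = defaultdict(dict)
    for raw in paths:
        p = PureWindowsPath(raw)
        ext = p.suffix.lower()
        if ext in SEARCH_ORDER:
            # DOS/Windows names are case-insensitive, so compare in lower case.
            key = (str(p.parent).lower(), p.stem.lower())
            groups[key][ext] = raw
    findings = {}
    for key, by_ext in groups.items():
        if len(by_ext) < 2:
            continue  # only one executable with this base name: nothing shadowed
        ordered = [by_ext[e] for e in SEARCH_ORDER if e in by_ext]
        findings[key] = (ordered[0], ordered[1:])
    return findings

# Constructed sample listing (not taken from a real system).
SAMPLE_LISTING = [
    r"C:\DOS\FORMAT.COM",
    r"C:\DOS\EDIT.COM",
    r"C:\APPS\WP\WP.EXE",
    r"C:\APPS\WP\WP.COM",      # same base name as WP.EXE: would run first
    r"C:\APPS\WP\README.TXT",
    r"C:\APPS\DB\REPORT.EXE",
    r"C:\APPS\DB\report.bat",  # shadowed by REPORT.EXE, worth a look
    r"C:\TOOLS\WP.COM",        # different directory: not a pair
]

if __name__ == "__main__":
    for _, (winner, shadowed) in sorted(find_shadowed_programs(SAMPLE_LISTING).items()):
        print(f"{winner} runs instead of {', '.join(shadowed)}")
```

A hit is a candidate for review, not proof of infection: some software legitimately ships a launcher next to its main executable.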
Worms
A computer WORM is a self-contained program (or set of
programs), that is able to spread functional copies of itself or
its segments to other computer systems (usually via network
connections).
Worms do not need to attach themselves to a host program.
TROJAN HORSE
Overview
What is a Trojan Horse?
What do Trojan Horses do?
How can you be infected?
What do attackers want?
Well-known Trojan horses?
What are the methods to remove it?
Definition
A Trojan horse is a malicious program that is
disguised as legitimate software.
Like the gift horse left outside the gates of Troy
by the Greeks, Trojan Horses appear to be
useful or interesting to an unsuspecting user,
but are actually harmful.
Difference between Virus, Worm and Trojan horse?
A computer virus is a program that, when
triggered by an action of the user, causes
copies of itself to be created.
A computer worm is a program that causes
copies of itself to be created without any
user intervention.
A Trojan horse is a program that appears to
do something useful, but in reality masks
some hidden malicious functionality. It does
not make copies of itself.
Types of Trojans
erasing or overwriting data on a computer
corrupting files in a subtle way
spreading other malware, such as viruses. In this case the
Trojan horse is called a 'dropper'.
setting up networks of zombie computers in order to
launch DDoS attacks or send Spam.
logging keystrokes to steal information such as passwords
and credit card numbers (known as a key logger)
phishing for bank or other account details, which can be used
for criminal activities.
installing a backdoor on a computer system.
Steps in Normal Program Execution
1. Main memory is empty at the beginning.
2. BIOS locates and copies the OS from the disk to memory.
3. OS locates and copies the program to be executed into memory.
4. Program A starts executing.
Executing programs use the OS to perform standard functions like reading and writing files.
FAT: File Allocation Table. It stores the location of all files on the system and is maintained by the OS.
[Figure: contents of main memory, the hard disk (with its FAT) and the BIOS ROM at each of the four steps]
Virus Infection Mechanism
1. Infected program enters memory, from an infected floppy disk or an email attachment.
2. Virus searches for a suitable program to infect.
3. Virus copies the target program to main memory.
4. Virus copies itself into the target program in memory.
5. Virus copies the infected target (B + virus) back into the disk.
Virus makes use of OS constructs to search for target files, copying etc.
When program B is executed, it infects a new file.
[Figure: contents of main memory (OS, Program A, Virus, Program B) and the hard disk (with its FAT) at each of the five steps]
How can you be infected ?
Websites
Instant message
E-mail
Where They Live
Auto start Folder
The Auto start folder is located in C:\Windows\Start
Menu\Programs\startup and as its name suggests,
automatically starts everything placed there.
Win.ini
Windows system file using load=Trojan.exe and
run=Trojan.exe to execute the Trojan
System.ini
Using Shell=Explorer.exe trojan.exe results in execution of
every file after Explorer.exe
Wininit.ini
Mostly used by setup programs; once run, it is automatically
deleted, which is very handy for Trojans to restart
Config.sys
Could also be used as an auto-starting method for Trojans
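An audit of two of the locations listed above, as an added example that is not part of the original slides: it parses Win.ini and System.ini text and reports any program named in load=, run= or shell= other than Explorer.exe. The function name, the allow-list and both sample files are constructed for illustration, and the sketch assumes program names without embedded spaces.

```python
import configparser

# (file, section, key) -> programs expected there; anything else is reported.
AUTOSTART_KEYS = {
    ("win.ini", "windows", "load"): set(),
    ("win.ini", "windows", "run"): set(),
    ("system.ini", "boot", "shell"): {"explorer.exe"},
}

def audit_ini(filename, text):
    """Return (file, key, program) for each unexpected autostart program."""
    cp = configparser.ConfigParser(strict=False, allow_no_value=True,
                                   interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):  # keys arrive lower-cased
            allowed = AUTOSTART_KEYS.get((filename.lower(), section.lower(), key))
            if allowed is None or not value:
                continue  # not an autostart key, or the key is empty
            for prog in value.split():
                if prog.lower() not in allowed:
                    findings.append((filename, key, prog))
    return findings

# Constructed sample files mirroring the entries named on the slide.
WIN_INI = """\
[windows]
load=
run=Trojan.exe
NullPort=None
"""

SYSTEM_INI = """\
[boot]
shell=Explorer.exe trojan.exe
system.drv=system.drv

[386Enh]
device=*vshare
device=*vcd
"""

if __name__ == "__main__":
    for name, text in (("win.ini", WIN_INI), ("system.ini", SYSTEM_INI)):
        for finding in audit_ini(name, text):
            print("unexpected autostart entry:", finding)
```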
What does the attacker want?
Credit Card Information (often used for domain
registration, shopping with your credit card)
Any account data (E-mail passwords, Dial-Up
passwords, Web Services passwords, etc.)
Email Addresses (Might be used for spamming, as
explained above)
Work Projects (Steal your presentations and work
related papers)
Children's names/pictures, Ages (pedophile
attacker?!)
School work (steal your papers and publish them with
his/her name on it)
Well Known Trojans
1. Logic bomb Trojan.
"Logic bombs" activate on certain conditions
met by the computer.
2. Time bomb Trojan.
"Time bombs" activate on particular dates
and/or times.
3. Dropper Trojan.
Droppers perform two tasks at once. A
dropper performs a legitimate task but also installs a
computer virus or a computer worm on a system or
disk at the same time.
METHODS TO REMOVE TROJAN
Norton Antivirus 2007
Trend PC-Cillin 2007
Panda Antivirus Platinum 6.0
Norman Virus Control 6.0
McAfee Security Suite
McAfee Virus Scan 8.0 and 10.0
Kaspersky Anti-Virus Personal (6.0 or 7.0)
F-Secure Anti-Virus Personal Edition
Thank You