Chapter 1: Literature Review
“First rule of computer security: don't buy a computer.
Second rule: if you buy one, don't turn it on.”
Chapter 1.1: Defining Viruses
A computer virus is a parasitic program written with malicious intent and delivered to users' computers without their knowledge. The word parasitic means that a virus attaches itself to files or boot sectors and replicates from there, which lets it spread continuously to other computers on the network. The effects of viruses range from slight to serious damage and often include degraded system performance. A virus should never be assumed to be harmless and left on a system.
In earlier years, when computer networks were not widely used, viruses spread mainly on disk media, chiefly floppy disks. This was the only practical way to reach as many systems as possible. Virus attacks were single, broad attacks designed to penetrate many systems and cause as much damage as possible, without a specific target.
Today's virus attacks are far more complex and are often aimed at specific users, and they spread much faster because any computer on the Internet is easily reachable. These multi-threat attacks combine several techniques to avoid detection by protection systems. Recent studies show that a computer connected to the Internet may experience an attack attempt every 39 seconds.
Chapter 1.2: Types of Malware
Malware is an abbreviation of the term malicious software and refers to program code that has been intentionally made harmful. The main categories of malware are:
Worm
A worm is a small self-replicating program that uses computer networks and security holes to copy itself from machine to machine. Unlike a virus, it does not attach itself to an existing program; it uses network resources to infect other machines directly. Each copy of the worm scans the network for another machine with the specific security hole it exploits, and then replicates itself onto that machine and continues spreading.
Trojan Horse
A Trojan horse is a program that enters a machine disguised as, or embedded inside, legitimate software. It looks harmless or interesting to the user but is actually harmful when executed. Each Trojan has its own behaviour, determined by what its author intended it to do. A Trojan relies on social engineering rather than on security flaws in the system, because it has to fool the user into installing and running it. Once inside a system, it can abuse any of its resources, turn the machine into a zombie, or use it as a launch pad for further attacks.
Rootkit
The term rootkit combines the UNIX word root with kit: originally a set of modified system utilities that let an intruder keep root (administrator) privileges while hiding their presence. A well-written kernel rootkit can hook the operating system's page fault handler and virtual memory manager to conceal its own code and files from the rest of the system. In recent years rootkits have increasingly been bundled with other malware, helping an intruder maintain access to a system while avoiding detection.
Virus
A virus is program code that can replicate itself recursively. This small piece of software attaches itself to real programs, and it spreads from one computer to another when its host file is carried to the target computer: sent over a network or the Internet, or carried on removable media such as a floppy disk, CD, DVD or USB drive.
Chapter 1.2.1: Different Types of Viruses
Boot Sector Viruses
A boot sector virus infects the boot sector of a floppy disk or the MBR (Master Boot Record) of a hard disk. The MBR occupies the first sector of the disk; its boot code runs every time the computer starts, locates the active partition and loads the operating system's own boot loader from it. Once loaded, a boot sector virus stays resident in memory and can infect any disk the system subsequently accesses, typically every floppy inserted into the machine. Boot sector infectors were the most common viruses several years ago and did not spread across networks. They are difficult to remove: disinfection requires starting the machine from a clean, bootable anti-virus disk so that the virus is not in memory while the boot sector is rewritten. Boot sector viruses account for about 5 percent of known computer viruses. An example of a boot sector virus is:
* Brain Boot Virus
Brain is a boot sector virus that is also memory resident and uses stealth techniques. At first Brain infected only diskettes, but later variants also infect hard disks. Once active, Brain stays resident and takes between 3K and 7K of RAM. When it infects a diskette it moves the original boot sector to another location on the disk and marks 6 sectors as bad in the FAT (File Allocation Table) so that they will not be overwritten. It then writes its own code into the boot sector and hides by intercepting any attempt to read the boot sector, redirecting the read to the original boot sector stored elsewhere on the disk. This was the first stealth technique used by a virus, and it makes detection considerably more difficult.
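The two points above that matter to a practitioner are the layout of the first sector and the stealth trick: a scanner that reads the boot sector through the hooked BIOS disk service (INT 13h) is handed the relocated clean copy. The following Python is an added example written for this review, not code from the original text or from Brain itself. It parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), models a Brain-style infection on a constructed in-memory disk (relocate the original sector, overwrite the boot code but keep the partition table, hook reads of sector 0), and shows the cross-view check that exposes the hook: compare what the hooked read path returns with an independent raw read of the same sector. The sample MBR, the placeholder loader bytes and the `Disk` class are all constructed for the demo.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"


def build_clean_mbr() -> bytes:
    """Constructed sample MBR: dummy boot code, one partition entry, 0x55AA signature.
    Not taken from any real disk."""
    boot_code = b"\xEB\xFE" + b"\x90" * 444                      # 446 bytes: jmp $ + nop padding
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x0C,
                        b"\xFE\xFF\xFF", 2048, 204800)          # bootable FAT32-type partition
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE     # three empty entries follow


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, the partition entries and the signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        raw = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack("<B3sB3sII", raw)
        if ptype:                                                # type 0 means an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return {"boot_code": sector[:446], "partitions": parts,
            "signature_ok": sector[510:] == BOOT_SIGNATURE}


def boot_code_hash(sector: bytes) -> str:
    """Integrity baseline: hash only the boot-code region, which is what an infector rewrites."""
    return hashlib.sha256(sector[:446]).hexdigest()


class Disk:
    """In-memory stand-in for a drive plus the BIOS read service a resident virus would hook."""

    def __init__(self, mbr: bytes, n_sectors: int = 8):
        self.sectors = [mbr] + [bytes(SECTOR_SIZE)] * (n_sectors - 1)
        self.hook = None                      # set by a memory-resident stealth virus

    def raw_read(self, n: int) -> bytes:      # what the disk really holds
        return self.sectors[n]

    def os_read(self, n: int) -> bytes:       # what a program going through INT 13h would see
        return self.hook(n, self.sectors) if self.hook else self.sectors[n]


def infect_with_stealth(disk: Disk, hide_at: int = 6) -> None:
    """Model of the Brain-style infection described in the text: relocate the original sector,
    overwrite the boot code (keeping the partition table so the disk still boots), then hook
    reads of sector 0 so they return the relocated original."""
    original = disk.sectors[0]
    disk.sectors[hide_at] = original
    loader = b"\xFA\xEB\xFE".ljust(446, b"\x00")   # placeholder loader bytes, not real virus code
    disk.sectors[0] = loader + original[446:]
    disk.hook = lambda n, sectors: sectors[hide_at] if n == 0 else sectors[n]


def stealth_detected(disk: Disk) -> bool:
    """Cross-view check: a scanner reading through the hooked path sees the clean sector,
    while an independent raw read of the same sector shows the real contents."""
    return disk.os_read(0) != disk.raw_read(0)


if __name__ == "__main__":
    clean = build_clean_mbr()
    d = Disk(clean)
    infect_with_stealth(d)
    print("hooked read looks clean:", d.os_read(0) == clean)
    print("raw read differs:      ", d.raw_read(0) != clean)
    print("stealth detected:      ", stealth_detected(d))
```

This is why the text insists on booting from a clean anti-virus disk: once the machine is started from the virus-free disk, no hook is resident, every read is a raw read, and both the cross-view comparison and the boot-code hash comparison see the real sector.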
Macro Viruses
A macro is a sequence of instructions that carries out program commands automatically. Word processing, spreadsheet and presentation applications are examples of programs that support macros. Macro viruses are macros that self-replicate: if a user opens a document containing a macro virus and the macro executes, it can copy itself into the application's startup files (for example a global template). Any document on the computer that uses the same application can then become infected. An example of a macro virus is:
* Concept Macro Virus
Concept is a macro virus that propagates by infecting Word documents in Microsoft Word versions 6.x / 7.x / 97 on Windows and Macintosh platforms. The virus consists of several macros stored in an infected document, and it becomes active through Word's auto macros and system macros, which run without the user explicitly invoking them. The macros that make up the virus are: AUTOCLOSE, EXITROUTINE, BORDERSSET, ALIGNMENT, AUTOOPEN, BLASTCDRIVE, and FILESAVEAS.
Parasitic Viruses
A parasitic virus, also known as a file infector, attaches itself to program files or executables in such a way that the host program still runs normally, so the modification goes unnoticed. When a user runs the infected program, the virus code executes first and copies itself into memory. It then attempts to spread to other programs and to any removable disks attached to the machine. About 85 percent of all known viruses are of this type. An example of a parasitic virus is described as follows:
“It is a harmless memory resident parasitic polymorphic virus. It writes itself to the beginning of SYS files and to the end of EXE files. While executing an infected EXE file the virus opens the C:\CONFIG.SYS file, scans it for the names of device drivers, infects them and returns to the host program. While infecting a SYS file the virus creates the temporary file DEVICES.$$$, writes its code to that file, appends the code of the SYS file, then deletes the SYS file and renames DEVICES.$$$ to the original name of the infected SYS file.
While loading an infected SYS file the virus installs itself into system memory as a device driver, hooks INT 1Ch, waits for some time, then hooks INT 21h and, while floppy disks are being accessed, searches for and infects EXE files.”
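The appending layout that file infectors use is described in the passages above: the virus body is written to the end of the host, a 3-byte jump at the start of the file transfers control to it, and the original first three bytes are saved so the host can be restored in memory before it runs (the 1260 description later in this section gives exactly this routine for .COM files). The Python below is an added example written for this review, not code from the original text or from any real virus. It models that layout on a constructed .COM image, then shows the two things a scanner does with it: recognise the infection (jump into the tail of the file plus a known body at the landing point) and invert it to disinfect the file. The body bytes are a constructed placeholder, not code; the time-field marker follows the style the 1260 description hints at, and the value 31 used for it is an assumption of this example.

```python
import hashlib
import struct
from typing import Optional

COM_LOAD = 0x100      # a .COM image is loaded at offset 100h of its segment
COM_MAX = 0xFF00      # largest image that still leaves room for the PSP and stack

# Constructed stand-in for the appended virus body. A real body would be code that
# restores the saved three bytes in memory and jumps back to offset 100h.
BODY = b"constructed-appended-body-" * 3
BODY_HASH = hashlib.sha256(BODY).hexdigest()


def infect_com(host: bytes, body: bytes = BODY) -> bytes:
    """Layout described in the text: 3-byte JMP at the start, original first three bytes
    saved, virus body written at the end of the file."""
    if len(host) < 3:
        raise ValueError("host too small to patch a 3-byte jump")
    if len(host) + 3 + len(body) > COM_MAX:
        raise ValueError("infected image would exceed the .COM size limit")
    entry_off = len(host) + 3                         # file offset where the body will sit
    rel = (COM_LOAD + entry_off) - (COM_LOAD + 3)     # JMP rel16 is relative to the next instruction
    jmp = b"\xE9" + struct.pack("<H", rel)
    return jmp + host[3:] + host[:3] + body


def jump_target(data: bytes) -> Optional[int]:
    """File offset a leading JMP rel16 lands on, or None if the file does not start with one."""
    if len(data) < 3 or data[0] != 0xE9:
        return None
    rel = struct.unpack("<H", data[1:3])[0]
    return (3 + rel) & 0xFFFF


def is_infected(data: bytes) -> bool:
    """Scanner check: JMP into the tail of the file and a known body at the landing point."""
    off = jump_target(data)
    if off is None or off + len(BODY) != len(data):
        return False
    return hashlib.sha256(data[off:]).hexdigest() == BODY_HASH


def disinfect_com(data: bytes) -> bytes:
    """Invert the infection: put the saved three bytes back and drop the appended body."""
    if not is_infected(data):
        raise ValueError("file does not carry the modelled infection")
    off = jump_target(data)
    saved = data[off - 3: off]                        # original head sits just before the body
    return saved + data[3: off - 3]


def mark_dos_time(dos_time: int) -> int:
    """Already-infected marker: DOS packs seconds/2 into the low 5 bits of the time field
    (valid values 0-29), so 31 (62 seconds) is a value no real clock produces. The value
    is an assumption of this example."""
    return (dos_time & ~0x1F) | 31


def has_time_marker(dos_time: int) -> bool:
    return (dos_time & 0x1F) == 31


if __name__ == "__main__":
    # Constructed tiny .COM host: mov ah,9 / mov dx,10Eh / int 21h / ret / "hello$"
    host = b"\xB4\x09\xBA\x0E\x01\xCD\x21\xC3hello$"
    infected = infect_com(host)
    print("infected:", is_infected(infected), "restored ok:", disinfect_com(infected) == host)
```

The size check matters in practice: a .COM image larger than 0xFF00 bytes cannot load, so an infector that ignores it leaves a corrupted host, and a disinfector should refuse any file whose jump does not land exactly `len(BODY)` bytes before the end, otherwise it would truncate a legitimate program that happens to start with a jump.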
Polymorphic Viruses
A polymorphic virus has an encrypted body and a decryption routine, like an encrypted virus, but it also carries a mutation engine that generates a new encryption scheme, and therefore a new decryption routine, for every infection. When a user runs a program containing this type of virus, the decryption routine executes and places the decrypted virus body in memory. The virus then runs its mutation engine, which produces a fresh encryption/decryption routine for the next infection, encrypts a copy of itself with it, and writes the new decryptor together with the encrypted body into the next file. Because neither the encrypted body nor the decryptor is the same from one infection to the next, there is no fixed byte signature to scan for. An example of a polymorphic virus is:
“This is a non-resident polymorphic malicious program which infects executable COM files. The program itself is a DOS COM file. It is one of the first known polymorphic viruses. The malicious code is 1260 bytes in size. It is not packed in any way. It is written in Assembler.
Once launched, the virus searches the current directory for files using the *.com mask. The virus checks whether the file meets the following conditions: that the file size is not equal to 10 or 63 488 bytes, and that the lower 5 bits of the file time field contain single values.
The virus infection routine is as follows: the encrypted body of the virus, which is 1260 bytes in size (each infected file is encrypted with a key which depends on the system timer value), is written to the end of the file. 3 bytes pointing to the body of the virus are written to the start of the file. The file attributes and the date and time the file was created are saved before the file is modified. These values are restored after the file has been infected.”
Encrypted Viruses
An encrypted virus is one whose body is stored encrypted; the virus carries the decryption key and a small decryption routine within itself. The key changes from one infection to the next, so the encrypted body looks different in every instance. Virus writers adopted this method to hide the body from signature scanning. Its weakness is that the decryption routine itself is identical in every copy, so a scanner can use the decryptor as the signature (with a wildcard for the key operand); polymorphic viruses, which also vary the decryptor, were the answer to that. An example of an encrypted virus is:
* Cascade Encrypted Virus
“Cascade is a file infector, memory resident, and overwriting, encrypting virus. It specifically targets and attaches itself to .COM files. It was one of the first viruses that used the encrypted methodology.”
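The difference between the encrypted Cascade and the polymorphic 1260 described above comes down to what stays constant between infections, and that decides which detection technique works. The Python below is an added example for this review, not code from the original text or from either virus. It uses a constructed mini instruction set for the decryptor (the opcodes, the placeholder body and the mutation rules are all assumptions of the example, not real machine code) and contrasts three scanners: a plaintext body signature (fails on both), a decryptor signature with a wildcard key (catches the encrypted virus, fails on the polymorphic one because the mutation engine changes operation, order and junk instructions every time), and generic decryption, which emulates the decryptor in a sandbox and hashes the recovered body (catches both).

```python
import hashlib
import random

# Constructed mini decryptor language for the demo (not real machine code):
SETKEY, SETLEN, XOR, ADD, SUB, NOP, END = 0x10, 0x20, 0x31, 0x32, 0x33, 0x90, 0xFF

# Constructed stand-in for the virus body; a real body would be code.
BODY = b"constructed-virus-body: replicate, then return to host"
BODY_HASH = hashlib.sha256(BODY).hexdigest()


def _encrypt(body: bytes, dec_op: int, key: int) -> bytes:
    """Apply the inverse of the decryptor's operation, so emulating the decryptor recovers the body."""
    if dec_op == XOR:
        return bytes(b ^ key for b in body)
    if dec_op == ADD:                                  # decryptor adds, so encryptor subtracts
        return bytes((b - key) & 0xFF for b in body)
    return bytes((b + key) & 0xFF for b in body)       # SUB: encryptor adds


def make_encrypted_copy(seed: int) -> bytes:
    """Encrypted (non-polymorphic) virus, Cascade-style: per-infection key, but the decryptor
    layout is identical in every copy."""
    key = random.Random(seed).randrange(1, 256)
    decryptor = bytes([SETKEY, key, SETLEN, len(BODY) & 0xFF, len(BODY) >> 8, XOR, END])
    return decryptor + _encrypt(BODY, XOR, key)


def make_polymorphic_copy(seed: int) -> bytes:
    """Polymorphic virus, 1260-style: the mutation engine rewrites the decryptor for every
    infection (different operation, instruction order and junk instructions)."""
    rng = random.Random(seed)
    key = rng.randrange(1, 256)
    op = rng.choice([XOR, ADD, SUB])
    setup = [bytes([SETKEY, key]), bytes([SETLEN, len(BODY) & 0xFF, len(BODY) >> 8])]
    rng.shuffle(setup)
    out = bytearray()
    for chunk in setup + [bytes([op])]:
        out += bytes([NOP] * rng.randrange(1, 4))      # at least one junk op before each instruction
        out += chunk
    out.append(END)
    return bytes(out) + _encrypt(BODY, op, key)


def emulate(sample: bytes) -> bytes:
    """Generic decryption: run the decryptor in a sandbox and return the recovered body."""
    key = length = 0
    op = None
    i = 0
    while i < len(sample):
        ins = sample[i]
        if ins == SETKEY:
            key = sample[i + 1]
            i += 2
        elif ins == SETLEN:
            length = sample[i + 1] | (sample[i + 2] << 8)
            i += 3
        elif ins in (XOR, ADD, SUB):
            op = ins
            i += 1
        elif ins == NOP:
            i += 1
        elif ins == END:
            i += 1
            break
        else:
            raise ValueError(f"unknown opcode {ins:#x} at offset {i}")
    else:
        raise ValueError("decryptor has no END")
    ct = sample[i:i + length]
    if op == XOR:
        return bytes(b ^ key for b in ct)
    if op == ADD:
        return bytes((b + key) & 0xFF for b in ct)
    if op == SUB:
        return bytes((b - key) & 0xFF for b in ct)
    raise ValueError("decryptor never selected an operation")


def match_signature(sample: bytes, sig: list) -> bool:
    """Classic byte-pattern scan; None in the pattern is a wildcard (used for the key operand)."""
    n = len(sig)
    return any(all(s is None or sample[i + j] == s for j, s in enumerate(sig))
               for i in range(len(sample) - n + 1))


PLAINTEXT_SIG = list(BODY[:12])
DECRYPTOR_SIG = [SETKEY, None, SETLEN, len(BODY) & 0xFF, len(BODY) >> 8, XOR, END]


def generic_detect(sample: bytes) -> bool:
    """Emulate, then compare the hash of whatever the decryptor produced with the known body."""
    try:
        return hashlib.sha256(emulate(sample)).hexdigest() == BODY_HASH
    except (ValueError, IndexError):
        return False


if __name__ == "__main__":
    for name, sample in [("encrypted", make_encrypted_copy(1)), ("polymorphic", make_polymorphic_copy(1))]:
        print(name, "plaintext sig:", match_signature(sample, PLAINTEXT_SIG),
              "decryptor sig:", match_signature(sample, DECRYPTOR_SIG),
              "generic decryption:", generic_detect(sample))
```

The emulator is where real scanners pay the price: it must bound how long it runs and what the decryptor may touch, because the decryptor of a polymorphic sample is untrusted code and the mutation engine is free to pad it with arbitrary junk.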
Time Bomb Viruses
A time bomb virus, also known as a date virus, resides on a machine and is triggered by an event such as a particular date or day of the week. The delay is useful to the author because it lets a virus or worm gain momentum and spread widely before its payload draws attention.
Chapter 1.5: Internal Threats vs. External Threats
External security threats target vulnerabilities in a company's network infrastructure. They include denial of service attacks, worms, viruses and IP spoofing. These threats do not target the organization's internal users directly.