Which of the following is the name for a program that reproduces by attaching copies of itself to other programs and which often carries a malicious payload?

The Viruses and Worms unit is divided into two parts:

Part 1 focuses on the theory of viruses and worms.

  • We give a basic introduction to viruses and worms.
  • We also discuss the conceptual differences between different kinds of malware and the fact that the distinction between different kinds of malware is blurry.

Part 2 deals with

  • practical aspects of viruses and worms since their first occurrence in the early 1980s.
  • We provide a brief historical overview of viruses and worms and discuss some examples.
  • Virus creation tools are discussed and we close with an overview of virus prevention and response.

  • To be able to identify different kinds of malware
  • To describe the main characteristics of viruses
  • To distinguish between a virus and a worm
  • To describe types of viruses and other virus characteristics
  • To list the different stages of the virus life cycle
  • To appreciate the history of viruses and worms
  • To discuss a number of examples of viruses and worms
  • To explain how to prevent virus infection

  • “a program that can ‘infect’ other programs by modifying them to include a possibly evolved version of itself”.
  • “a (computer) virus is a program (a block of executable code) which attaches itself to, overwrites or otherwise replaces another program in order to reproduce itself without the knowledge of the PC user
  • Most viruses are comparatively harmless, and may be present for years with no noticeable effect: some, however, may cause random damage to data files (sometimes insidiously, over a long period) or attempt to destroy files and disks. Others cause unintended damage.
  • Even benign viruses (apparently non-destructive viruses) cause significant damage by occupying disk space and/or main memory, by using up CPU processing time, and by the time and expense wasted in detecting and removing them”.
  • There are certain virus characteristics that are common to all virus definitions, namely that a virus is a piece of malicious code that reproduces, but cannot exist on its own and needs a carrier.

  • a worm is “a program which spreads (usually) over network connections. Unlike a virus, it does not attach itself to a host program.”
  • Therefore, while viruses need a carrier, worms do not. They are independently running programs.
  • This also means that worms tend to spread much faster than viruses because they do not rely on human interaction, such as double-clicking an attachment or inserting a floppy disk, to spread.

  • “a program intended to perform some covert and usually malicious act which the victim did not expect or want.
  • It differs from a destructive virus in that it does not reproduce”.
  • Thus, Trojan Horses are programs with hidden characteristics. Once installed on an end user’s system, the hidden (and usually hostile) features are triggered.

Recognition

  • Recognition is the ability of a virus program to see itself.
  • The virus implants a unique signature into the infected file that indicates that the file or system is already infected. Therefore, if the virus checks for this signature before attempting infection, it can avoid re-infecting an infected file.
  • In contrast to modern viruses, the first generation of viruses (so-called simple viruses) did not have recognition ability. Rather, they tended to re-infect infected files, which meant they could end up in an endless loop of infecting the same files. Since simple viruses did nothing very significant other than replicate, and did nothing to hide their presence in the system, they were easily detected.

Replication

  • Replication is the ability of a virus program to generate copies of itself. If the virus identifies a non-infected file, it attaches a copy of itself to this file.
  • The virus program is often pre-pended to the existing file, as shown in the simple virus program below. When executing the infected file, the virus code is executed first.

Trigger

  • Trigger criteria allow a virus to deliver its payload when the corresponding conditions are met.
  • A trigger could, for example, relate to a certain date, time, day of the week, counter, or a certain action performed by the user.
  • Note that this is an optional characteristic: viruses that do not contain a payload do not need a trigger.

Payload

  • The payload is the routine that is delivered when a virus is triggered. Please note that while this payload can be destructive, it can also be completely benign. On a later screen, we will go through some examples and show the effects that virus payloads can have.
  • This is an optional characteristic. Many viruses do not contain a payload and do nothing other than replicate.

What is the major difference between a virus and a worm? What are the four main characteristics of a virus?

A virus needs a carrier, whereas a worm is an independently running program.

  • Recognition – the ability of the virus to see itself.
  • Replication – the ability of the virus to generate copies of itself.
  • Trigger – criteria to allow the virus to deliver its payload.
  • Payload – the routine that is delivered when the virus is triggered.

Virus characteristic - Replication

  • As we have already learned, both viruses and worms replicate. However, the way that they replicate differs.
  • Viruses are programs that copy themselves from one file to another on a single computer.
  • The speed of infection on the individual computer may differ but the virus is not capable on its own of spreading itself from that computer to another.
    • In most cases that is where humans come in. Users send e-mail attachments, trade programs on diskettes, or copy files to file servers.
    • When the next unsuspecting user receives the infected file or disk, the virus spreads to their computer, and so on.
  • On the other hand, worms rely less (or not at all) upon human interaction in order to spread themselves from one computer to another.
    • Worms are programs that spread over network connections, for example by using e-mail.
    • This does not usually require interaction with a user. As a result, worms spread much more rapidly than computer viruses.

Mechanisms Worms employ to spread

Random Scanning

  • This involves randomly selecting IP addresses to infect, eventually finding all susceptible hosts.
  • Random scanning worms initially spread exponentially, but the rapid infection of new hosts becomes less effective as the worm spends more effort retrying addresses that are either already infected or immune.

Email Attachments

  • After infecting a computer, the mass mailing worm sends copies of itself to other computers via email. It does this using the email addresses from the local user's email address book.
  • The worm puts one stolen email address in the TO: field and spoofs the FROM: field with another stolen address.
  • The rest of the email, namely the subject, message body, and attachment are then selected at random from a list of possibilities. These bogus email messages, which contain a copy of the worm, are then sent to as many people as possible.
  • The FROM: field of the bogus email messages thus contains someone else's address rather than the address of the real sender. Hence it appears that the worm was sent from this, possibly non-infected, person. Since the real sender of the bogus email message cannot be determined, it becomes very hard to identify infected computers.

Exploit Bugs

  • These worms spread by exploiting bugs in operating systems.
  • Sasser exploits a bug in a part of Microsoft's Windows XP and Windows 2000 operating systems called the Local Security Authority Subsystem Service (LSASS). Microsoft revealed details of this flaw and issued a software patch to fix it some time before the Sasser worm was released.
  • Once a non-patched computer is infected, Sasser scans local network connections and randomly generated IP addresses to find other computers to infect. If such a computer is vulnerable (has not been patched), the worm breaks in and installs an FTP server. A copy of the worm is then transported to the computer.

Virus characteristic - Trigger

A virus is triggered when the trigger condition becomes true. The trigger condition can be any condition relating to:

  • a certain date and/or time,
  • an internal event that relates to the internal state of the local computer system (for example the state of a counter variable), or
  • an external event that is signalled from outside such as a certain user action or some event signalled over the computer network (for example, the user pressing a certain key on the keyboard).

Virus and worm characteristic - Payload

  • Viruses and worms contain payloads that are triggered when the trigger condition is met.
  • The effects can range from completely benign to being a nuisance and, in the worst case, devastating.

The list below shows different kinds of payloads and presents some examples.

  • Messages: WM97/Jerk displays the message “I think (user’s name) is a big stupid ****!”
  • Pranks: The Yankee virus plays “Yankee Doodle Dandy” at 5pm.
  • Denying access: WM97/NightShade password-protects the current document on Friday the 13th.
  • Data theft: Troj/LoveLet-A emails information about the user and machine to an address in the Philippines.
  • Corrupting data: XM/Compatable makes changes to the data in Excel spreadsheets.
  • Deleting data: Michelangelo overwrites parts of the hard disk on March the 6th.
  • Disabling hardware: CIH or Chernobyl (W95/CIH-10xx) attempts to overwrite the BIOS on April the 26th, making the machine unusable.

  • Boot Sector Virus
  • Program Virus
  • Macro Virus

Boot sector virus

  • Boot sector viruses were the first type of virus to appear (they are also called Boot viruses or BSIs). Boot sector viruses work by placing their starting code in the boot sector. In other words, a boot sector virus replaces the original boot sector with its own, modified, version. When the computer tries to read and execute the program in the boot sector, the virus goes into memory, where it can gain control over basic computer operations.
  • From memory, a boot sector infector can spread to other drives (floppy, network, etc.) on the system. Once the virus is running, it usually executes the normal boot program, which it stores elsewhere on the disk.
  • Boot sector viruses spread through hard disks, floppies, or CDs. However, nowadays computers are hardly ever booted from floppy or CD and thus this type of virus is becoming rare. However, if a Boot sector virus is present, the corresponding code is executed every time that the computer is started and the operating system often fails to load correctly.
  • Examples of boot sector viruses are the Form and Parity Boot viruses.

Program virus

  • Program viruses are also called file viruses, file infectors, or parasitic viruses. They are by far the most common type of virus, making up about 85% of all known viruses.
  • Program viruses work by attaching themselves to executables, such as .COM and .EXE files, but can also infect files with other extensions, such as .SYS, .DRV, .BIN, .OVL and .OVY.
  • Examples of program viruses are Jerusalem, CIH (Chernobyl), and Remote Explorer.

Macro virus

  • Some files contain macros or scripts that are interpreted by specific programs, such as word-processing documents and spreadsheets. These macros are written in a high-level macro programming language and attach to a document file (such as Word or Excel).
  • Macro viruses attach themselves to macros, therefore infecting files that are regarded as data rather than programs. When a document or template containing the macro virus is opened in the target application, the virus runs, does its damage and copies itself into other documents. Continual use of the program results in the spread of the virus.
  • On opening a file that contains a macro virus, the virus copies itself into the application’s startup files. Subsequent files (of the same application) then become infected.
  • The first macro virus to appear was the CONCEPT virus in 1995.

Virus characteristics relating to a specific implementation method of the virus (1)

Memory-resident viruses

  • A memory-resident virus, sometimes called TSR (Terminate and Stay Resident), installs itself in the computer’s memory and remains there even after execution of the original infected application has terminated. It then infects other files when certain conditions are met.
  • In contrast, non-memory-resident viruses are active only while an infected application runs.
  • One characteristic of memory-resident viruses is that they remain virulent even after disinfecting all files; virus scanners scan files in secondary storage, not in memory.


Multi-partite viruses

  • Multi-partite viruses use a combination of techniques to infect computers. They can, for example, infect documents, executables, and boot sectors. Hence, they combine the different types of viruses into one.
  • Most multi-partite viruses first become resident in memory and then infect the boot sector of the hard drive. Once in memory, multi-partite viruses may infect the entire system.
  • Removing multi-partite viruses requires cleaning both the boot sectors and any infected files. Before you attempt the repair, you must have a clean, write-protected Rescue Disk.

Virus characteristics relating to a specific implementation method of the virus (2)

Polymorphic viruses

  • Polymorphic viruses are also called self-mutating viruses. They infect their targets with a modified or encrypted version of themselves to avoid detection from anti-virus software. The virus code is different in each infected file, but its functionality remains the same.
  • Some polymorphic viruses use different encryption schemes and require different decryption routines. Thus, the same virus may look completely different on different systems, or even within different files. Other polymorphic viruses vary instruction sequences and use false commands in the attempt to thwart anti-virus software. One of the most advanced polymorphic viruses uses a mutation-engine and random-number generators to change the virus code and its decryption routine.
  • Nowadays, toolkits are available that can be incorporated into a virus and that give it polymorphic capabilities, for example SMEG, the Simulated Metamorphic Encryption Generator, mentioned later in this unit.

Virus characteristics relating to a specific implementation method of the virus (3)

Stealth viruses

  • Stealth viruses or Interrupt Interceptors attempt to conceal their presence from anti-virus software.
  • Many stealth viruses intercept disk-access requests, so when an anti-virus application tries to read files or boot sectors to find the virus, the virus feeds the program a ‘clean’ image of the requested item.
  • Other viruses hide the actual size of an infected file and display the size of the file before infection. Stealth viruses must be running to exhibit their stealth qualities.

Armoured viruses

  • Armoured viruses are specifically written to make it difficult for an antivirus researcher to find out how they work and what they do.
  • They use special tricks to make the tracing, disassembling and understanding of their code more difficult. A good example of an armoured virus is the Whale virus.

Companion viruses

  • A companion virus spreads via a file which runs instead of the file the user intended to run, and then runs the original file. For instance, the file MYAPP.EXE might be 'infected' by creating a file called MYAPP.COM.
  • Because DOS looks for a .COM file before a .EXE file when the user types just MYAPP at the C> prompt, MYAPP.COM runs its infective routine first and then quietly executes MYAPP.EXE.

  • Creation – Until a few years ago, virus writing required sophisticated programming knowledge and deep technical insight. Nowadays, it has become quite “easy”. Automated tools and a more intuitive communication infrastructure allow the creation of viruses even by amateurs (for example so-called “script kiddies”).
  • Replication – Viruses need to replicate in order to cause widespread damage, while trying to conceal their presence in order to remain undetected. In the beginning, floppy disks, CD-ROMs and other media were the main vehicles of replication, whereas nowadays viruses spread mainly via the Internet, either through email or web pages.
  • Activation – A virus is activated when its trigger is pulled. This could be a time, a date, a particular action performed by the user or some other arbitrary event.
  • Discovery – Usually, viruses are detected after their activation, but this is not necessarily the case. The virus is then isolated and sent to the International Computer Security Association (ICSA) in Washington. From there, the virus is distributed to anti-virus laboratories. Viruses are often discovered long before they cause widespread damage.
  • Assimilation – Before the virus’s “definition” can be used to update virus definition files on end users’ machines, the virus has to be deconstructed and a procedure developed to safely remove the virus from infected machines/programs. This assimilation is performed by anti-virus developers and can take anywhere from one day to six months, depending on the type of virus and the developer.
  • Eradication – In principle, a virus could become extinct if all end users worldwide employed up-to-date anti-virus software (i.e. with up-to-date virus definition files). However, this is not the case and, therefore, no virus has ever been completely eradicated.

Why have worms dominated over viruses in the past few years?

  • One main reason for this is that worms replicate much faster than traditional viruses, which need a carrier and human interaction to spread resulting in a more limited speed of infection.
  • Another reason may be that it has become more difficult to spread viruses from computer to computer, since the use of removable media, such as floppies and CD-ROMs, to transfer files has decreased.

  • A new virus, or even just the rumour of a new virus, can have devastating effects.
  • Users and organisations tend to overreact and panic. Their reactions can be as devastating as the virus itself.
  • This fact can be exploited by hackers who release virus hoaxes, which are reports on a non-existing virus.
  • These are typically sent by email and often contain one or more of the following characteristics:
    • Warnings of a highly-destructive virus.
    • Claims that the warnings were issued by a major software company.
    • Urgent requests to forward the warning to other users.
    • Adoption of pseudo-technical language to describe the virus effects.
  • Although not malicious in themselves, virus hoaxes can lead to overloaded mail servers and jammed network connections. However, they can also cause much more drastic reactions, including companies shutting down their mail servers or corporate networks.

A zoo is a collection of viruses and worms that exist only in laboratories (for example, of anti-virus vendors). A zoo is used to proactively study how malware programs are written and distributed. On the other hand, some viruses and worms are released into the public Internet. These are then termed in the wild (ITW).
There is an important distinction between the two categories.

  • Most of the really high level virus writers do not want to face legal problems. Rather, they write malware for the fun of it and do not deploy their viruses and worms into the wild. Instead, they email copies of their malware directly to virus researchers.
  • On the other hand, most writers who release viruses into the wild tend to be less experienced programmers and are frequently characterised as “script kiddies”. Often, ITW viruses are derivatives of previous viruses, which makes them easier for the virus writer to create and easier for the anti-virus industry to disassemble.

Conventional prevention methods

Conventional methods of virus prevention and detection include:

1. Anti-virus scanners: These have to be updated regularly with the newest virus definition files in order to be able to combat the newest threats.

2. Patching operating systems: Vulnerabilities in operating systems can often be exploited for an attack and need to be patched regularly, requiring careful patch management processes to be in place.

3. Firewalls: These help to monitor suspicious traffic in and out of a computer system and network and make unneeded resources unavailable to the outside world.

4. Education: Best management practices, such as not opening email attachments and not downloading files and software from sources that you do not know, provide quite a high level of protection but need to be communicated to computer users.

Integrity managers

  • Integrity managers or checksummers test whether files have been changed, which can indicate a virus infection. First, original "prints" of files and system sectors are stored in a database. When started again, the integrity checker compares information from its database with current "prints" and informs a user on changes that have occurred.
  • This type of anti-virus program also has two weaknesses:
    • Checkers cannot detect a virus at the moment it first appears on the system; they can only detect it later, once the virus has already modified files that are recorded in the database, i.e. once it has spread within the computer.
    • Checkers cannot detect a virus in new files (e-mail, files on diskettes, files restored from backup, files extracted from archive) since in their databases there is no information about these files.
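An added example (not part of the unit) of how a checksummer works and why the second weakness arises, in Python. The file names, contents and the prepended marker bytes are constructed for the demonstration:

```python
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return the 'print' stored for a file: its size and SHA-256 digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": os.path.getsize(path), "sha256": h.hexdigest()}


def build_baseline(root):
    """Walk root and record a print for every regular file (the checker's database)."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = fingerprint(path)
    return baseline


def check(root, baseline):
    """Compare the current prints against the stored database.

    Returns three sorted lists of relative paths:
      modified - files whose print differs from the database (possible infection)
      unknown  - files not in the database; the checker has no opinion on them
      missing  - files in the database that no longer exist
    """
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    unknown = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "unknown": unknown, "missing": missing}


def demo():
    """Constructed scenario: baseline three files, then alter one and add one."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("app.exe", b"ORIGINAL-APP"),
                           ("util.com", b"ORIGINAL-UTIL"),
                           ("notes.txt", b"plain data")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)

        # A prepending infector places its code in front of the original program;
        # here a constructed marker string stands in for that code.
        path = os.path.join(root, "app.exe")
        with open(path, "rb") as f:
            original = f.read()
        with open(path, "wb") as f:
            f.write(b"<<constructed prepended bytes>>" + original)

        # A file that arrived after the baseline (e.g. an e-mail attachment) has no
        # entry in the database, so the checker can only report it as unknown.
        with open(os.path.join(root, "attachment.exe"), "wb") as f:
            f.write(b"never fingerprinted")

        return check(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The changed program is reported only because its stored print no longer matches; the new file is listed as unknown, not as clean or infected, which is exactly the second weakness above.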

Heuristics

  • Static heuristic analysis tests patterns of code to determine if they contain virus material.
  • Often viruses are easy to identify and general rules about what viruses look like can be deduced. All files are then tested against this rule base. IBM’s “Digital Immune System” is one such example.

Behaviour blockers

  • A behaviour blocker or sandbox is a memory-resident program that intercepts various events at runtime. If a virus-suspected action (one that can be performed by a virus or some other harmful program) is detected, it prohibits it or asks the user for instructions.
  • In other words the behaviour blocker does not search for virus signatures, but monitors its activity and prevents harmful actions.

  • In this unit we have addressed different kinds of malware, focussing on viruses and worms. We explained how viruses and worms operate and also gave an overview of their historical development.
  • One fact that is important to remember is that the functionality of viruses, worms, and other types of malware are increasingly merging. What is called a “worm” may have virus functionality and what is called a “virus” may have worm functionality. So, if you hear about new malware attacks, be critical and assess the type of malware yourself. Remember, the main distinction between a virus and a worm is that a virus needs a carrier whereas a worm does not.
  • The whole area of malware is a fast moving field. Vulnerabilities in operating systems are exploited by virus writers, knowing that a large proportion of users, even in large organisations, do not patch their systems regularly and do not use up-to-date anti-virus software. The fact that more and more home users employ broadband connections and are “always-on” makes the problem harder to address.

What do you call a collection of programs that can infiltrate a computer system?

Malicious software, or "malware," is software written with the intent to damage, exploit, or disable devices, systems, and networks. It is used to compromise device functions, steal data, bypass access controls, and cause harm to computers and other devices and the networks they are connected to.

What can self replicate without a host program and will spread without human interaction or directives from malware authors?

Worms are a type of malware that can self-replicate without a host program; worms typically spread without any human interaction or directives from the malware authors.

What type of system security malware allows for access to a computer program or service without authorization?

A backdoor virus or remote access Trojan (RAT) secretly creates a backdoor into an infected computer system that enables threat actors to remotely access it without alerting the user or the system's security programs.

Is a program that gathers information about your surfing habits without your knowledge?

Spyware is a type of program that is installed, with or without your permission, on your personal computer to collect information about you, your computer or your browsing habits. It tracks everything that you do without your knowledge and sends it to a remote user.