How Viruses Work: The dirty details

Jim Young

Darrylin Coleman

November 18, 2003

What Is a Virus?

- Malicious code, i.e. code that allows unauthorized use of one's computer

- Technical definitions:

    - A virus attaches itself to an existing program

    - A worm spreads on its own

    - A Trojan horse is part of a program

How a Virus Works

- Every program has an entry point

- The entry point transfers control to the main subroutine

- The main subroutine calls Subroutine A

- Subroutine A returns to the main subroutine

- Data buffers may be located throughout the program

- The virus needs to attach itself to the program

- The virus needs to run before the program

Virus attached to Program

- The virus attaches itself to the end of the program

- The virus changes the entry point so that the virus code runs first

- The virus decides what to do:

    - Infect another program

    - Drop the payload

- After it finishes, the virus jumps to the main subroutine

- The program appears to run correctly once the virus is done

- Since the virus made the program larger, it is easier to detect
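The "attach to the end and redirect the entry point" infection just described leaves a mark that scanners look for: the entry point no longer sits in the program's original code section. The following is an added example, not from these slides, that parses the header of a PE (Windows executable) image and flags such entry points; the header offsets and section flags are those of the PE format, while the sample images are constructed header-only fixtures built by the hypothetical `build_pe` helper.

```python
import struct
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE = 0x00000020, 0x20000000

def parse_pe(pe: bytes):
    """Return (AddressOfEntryPoint, [(name, va, vsize, raw_size, flags), ...]) of a PE32 image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]  # e_lfanew: offset of the "PE\0\0" signature
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, pe_off + 4)  # COFF header
    opt = pe_off + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    entry = struct.unpack_from("<I", pe, opt + 16)[0]  # AddressOfEntryPoint (an RVA)
    sections = []
    for i in range(n_sections):
        off = opt + opt_size + 40 * i  # 40-byte section headers follow the optional header
        name, vsize, va, raw = struct.unpack_from("<8sIII", pe, off)
        flags = struct.unpack_from("<I", pe, off + 36)[0]  # Characteristics
        sections.append((name.rstrip(b"\0").decode(), va, vsize, raw, flags))
    return entry, sections

def check_entry_point(pe: bytes) -> list:
    """Reasons the entry point looks redirected into appended code; an empty list means it looks normal."""
    entry, sections = parse_pe(pe)
    hits = [i for i, (_, va, vs, raw, _) in enumerate(sections) if va <= entry < va + max(vs, raw)]
    if not hits:
        return ["entry point lies outside every section"]
    idx, reasons = hits[0], []
    name, flags = sections[idx][0], sections[idx][4]
    code = [i for i, s in enumerate(sections) if s[4] & IMAGE_SCN_CNT_CODE]
    if not flags & IMAGE_SCN_MEM_EXECUTE:
        reasons.append(f"entry point in non-executable section {name}")
    if code and idx != code[0]:
        reasons.append(f"entry point in {name}, not in the first code section")
    if len(sections) > 1 and idx == len(sections) - 1:
        reasons.append(f"entry point in the last section {name}, where appended code lands")
    return reasons

def build_pe(entry_rva: int, sections) -> bytes:
    """Constructed PE32 header fixture (headers only, no machine code) used to exercise the check."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)  # i386, 224-byte PE32 optional header
    opt = struct.pack("<H14xI", 0x10B, entry_rva).ljust(224, b"\0")  # Magic PE32, AddressOfEntryPoint at +16
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, sz, va, sz, 0, 0, 0, 0, 0, fl) for n, va, sz, fl in sections)
    return dos + b"PE\0\0" + coff + opt + table

CODE, DATA = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | 0x40000000, 0x40 | 0x40000000 | 0x80000000
BASE = [(b".text", 0x1000, 0x200, CODE), (b".data", 0x2000, 0x100, DATA)]
CLEAN = build_pe(0x1100, BASE)  # entry point inside .text, the first code section
INFECTED = build_pe(0x3000, BASE + [(b".vir", 0x3000, 0x80, CODE)])  # appended section now holds the entry point
```

Real files are read with `open(path, "rb").read()` and passed to `check_entry_point`; a non-empty result is a lead for closer inspection, not proof of infection, since packers and some linkers also move the entry point.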

More clever virus infection

- The virus may place itself into an empty data buffer in the program

- This makes detecting the virus more difficult

- It requires that the virus creator know where the data buffers are located in the program

- It allows the virus to infect only specific programs

Infamous Buffer Overrun

- Worms often enter a computer through a "buffer overrun"

- The virus creator finds a vulnerable program that is always present in memory

- The worm overwrites the area beyond the buffer

- When Subroutine A returns, control transfers to the worm code loaded beyond the data buffer

- The worm then propagates itself or drops its payload

Trap Doors / Back Doors

- Code built into a program to allow another program to communicate with it

- Have both legitimate and other uses:

    - Sometimes used to fix problems

    - Usually used in test mode

- Generally deleted before the system becomes operational

- A virus, worm, etc. may leave a trap door as another way into the system if/when the virus is detected and removed

- Usually detected by anti-virus programs

Denial of Service

- Virus/worm programs target many systems but do not appear to do anything

- They hide and wait until a particular date and time

- At that date and time, they all send as many messages as they can to the same Internet node, so that it cannot receive its regular messages and normal commerce is blocked

- They usually target a big company or a government

Types of Viruses

Boot Sector Viruses

- Infect the boot sector of a floppy or hard disk

- Can prevent the computer from fully booting

- Can destroy data on the hard drive, up to and including the entire hard drive itself

- Boot sector viruses are seldom seen today

Macro Viruses

- Infect document files rather than program files

- Launch when the infected document is opened

- Most tend to target Microsoft Office documents

Worms

- Programs that copy themselves from computer to computer, typically without user action

- Spread via e-mail messages (the most common method), Internet chat channels, and instant messaging

Trojan Horses

- Malicious programs that masquerade as a benign application or file

- Use social engineering to propagate; e.g., trick users into opening an e-mail attachment or downloading a game or cute screen saver

- Aren't self-replicating

Blended Threats

- Combine the characteristics of viruses, worms, and Trojan horses

- Accounted for 60 percent of computer security breaches in the first half of 2003, according to a report by Symantec

- Propagation speed is increasing: the Slammer worm infected systems worldwide in less than five hours; the Blaster virus infected over 2,500 computers per hour at its peak

- Hackers and virus authors are increasingly targeting P2P file-sharing networks and instant messaging tools: a 400 percent rise in the number of threats propagated this way

Virus Hoaxes

- Warnings about nonexistent computer viruses

- Not viruses, but can cause damage

- Some trick users into deleting useful files

- Endlessly forwarded, they cause heartburn and waste valuable time and bandwidth

Ways Viruses Spread

- E-mail attachments; the Preview Pane in Outlook Express

- Infected removable disks

- File-sharing programs, such as KaZaA

- Internet downloads; e.g., screen savers, games, drive-by downloads, etc.

- Social engineering: the user is tricked into opening an attachment, downloading a game, etc.

Some Symptoms of a Virus

- Computer works slowly, has problems booting, freezes often, or crashes

- Unusual behavior; e.g., the CD tray opens or the mouse pointer moves on its own

- Odd or offensive messages; strange music

- Some programs or files will not open or run

- Firewall detects outgoing messages from programs you don't recognize

Virus Prevention

- Install, and keep updated, anti-virus software (Norton, McAfee, Panda, Kaspersky, AVG, etc.)

- Run weekly virus scans

- Download and install Windows Critical Updates

- Install a firewall

- Scan all removable disks and downloaded files

- Have a boot disk ready

- Don't pass on virus warnings, etc. without verifying them

Virus Removal: If Virus Is Known

- On a non-infected computer, download the removal tool for that virus and save it on a 3-1/2" floppy or CD-R (formatted for CD-ROM use)

- Run the removal tool on the infected computer; update the anti-virus program, if any; and run a full system virus scan

Virus Removal: If Virus Is Unknown

- Run a free online virus scan, if the computer can go online:

    - Panda Active Scan: http://www.pandasoftware.com

    - Trend Micro's HouseCall: http://housecall.trendmicro.com

    - Symantec Security Check, Virus Detection

- Update the anti-virus program, if any, and run a full system virus scan

Could Viruses Shut Down the Internet?

- Slammer worm

- Code Red

- SoBig

- How to prevent