Computer SystemsComputer Systems

VirusesViruses

VirusVirus

• A virus is a program which can destroy or cause damage to data stored on a computer.

• It’s a program that must be run in order to infect a computer.• Viruses attach themselves to other programs to ensure this happens

Virus SymptomsVirus Symptoms

►Displaying unwanted messagesDisplaying unwanted messages►Unusual visual or sound effectsUnusual visual or sound effects►Loss of data from backing storageLoss of data from backing storage►Unexpected rebootingUnexpected rebooting►Unwanted generation of emailsUnwanted generation of emails

Virus ActionsVirus Actions

► Corrupt or delete dataCorrupt or delete data►Disable computer by changing O/SDisable computer by changing O/S► Silly messages or sounds displayedSilly messages or sounds displayed►Generate enough emails to crash serversGenerate enough emails to crash servers► Record key strokes & send data back to Record key strokes & send data back to

virus writervirus writer► Use your computer to attack other Use your computer to attack other

computers.computers.

File VirusFile Virus

►This attaches itself to an executable This attaches itself to an executable file such as an application program or file such as an application program or a game. a game.

►They either replace or insert malicious They either replace or insert malicious code into the files.code into the files.

►When you run the program, the virus When you run the program, the virus instructions are also carried out.instructions are also carried out.

►Usually infect files with .com or .exe Usually infect files with .com or .exe extentions.extentions.

Boot Sector VirusBoot Sector Virus

►Every hard & floppy disk has an area Every hard & floppy disk has an area called the ‘boot sector’.called the ‘boot sector’.

►This contains boot code. These are This contains boot code. These are files your computer uses every time files your computer uses every time you power up.you power up.

►By infecting this code, a boot sector By infecting this code, a boot sector virus guarantees it gets run.virus guarantees it gets run.

Macro VirusMacro Virus

►Application programs (Word, Excel etc) Application programs (Word, Excel etc) let the user create and embed ‘Macros’.let the user create and embed ‘Macros’.

►A macro simply ‘records’ a users A macro simply ‘records’ a users actions so that repetitive tasks can be actions so that repetitive tasks can be automated.automated.

►A macro virus causes a A macro virus causes a maliciousmalicious sequence of actions to be performed sequence of actions to be performed when the document is opened.when the document is opened.

Virus TechniquesVirus Techniques

ReplicationReplication

►A virus inserts copies of itself into A virus inserts copies of itself into other program files.other program files.

►Each time the infected program is run, Each time the infected program is run, it reproduces itself , copying itself into it reproduces itself , copying itself into another program.another program.

Virus TechniquesVirus Techniques

CamouflageCamouflage►A virus can disguise itself to avoid A virus can disguise itself to avoid

detection by adding fake instructions to its detection by adding fake instructions to its code.code.

►Anti-virus software is unable to spot the Anti-virus software is unable to spot the unique pattern of code (signature) which unique pattern of code (signature) which identifies the virus.identifies the virus.

►Each time the virus runs, it changes the Each time the virus runs, it changes the false code.false code.

Virus Techniques Virus Techniques

WatchingWatching►A virus can lie and wait or A virus can lie and wait or watchwatch for a for a

particular action or date before it is particular action or date before it is activated.activated.

►Meantime, it replicates!Meantime, it replicates!

Virus TechniquesVirus Techniques

DeliveryDelivery►The method used by the virus to enter The method used by the virus to enter

the computer system.the computer system.► Infected disks used to be a common Infected disks used to be a common

method, now viruses spread in method, now viruses spread in seconds through file downloads from seconds through file downloads from the Internet or via email.the Internet or via email.

WormWorm

► A worm can transfer themselvesA worm can transfer themselves

to other computers without needing to be to other computers without needing to be transferred as part of a transferred as part of a hosthost program. They program. They are usually transferred via email.are usually transferred via email.

►Once in a computer, they simply replicate Once in a computer, they simply replicate themselves filling up memory and using themselves filling up memory and using processor resources. This prevents processor resources. This prevents programs being loaded and slows down a programs being loaded and slows down a computer drastically.computer drastically.

TrojanTrojan

► A program that A program that appears to be safe appears to be safe but hidden inside but hidden inside can be a worm or a can be a worm or a virus.virus.

► You may download You may download a game or picture a game or picture but once you run but once you run the file, the virus or the file, the virus or worm gets to work.worm gets to work.

Anti-virus (Checksum)Anti-virus (Checksum)

►All files are binary data. A checksum All files are binary data. A checksum does a calculation on this binary data. does a calculation on this binary data.

►Each time the program is run, the Each time the program is run, the calculation is re-performed.calculation is re-performed.

► If the calculation produces a different If the calculation produces a different checksum, the code has been altered. checksum, the code has been altered. Possibly by a virus.Possibly by a virus.

Anti-virus (Signature)Anti-virus (Signature)

►A virus is a program like any other.A virus is a program like any other.► It contains sections of unique code, its It contains sections of unique code, its

signature.signature.►Anti-virus software uses a table, which Anti-virus software uses a table, which

has to be regularly updated, has to be regularly updated, containing virus signatures.containing virus signatures.

Anti-virus (MRM)Anti-virus (MRM)

►Memory Resident Monitoring. Memory Memory Resident Monitoring. Memory Resident software loads into the Resident software loads into the computers memory when it’s started up computers memory when it’s started up and stays there until it’s shuts down and stays there until it’s shuts down again.again.

►Anti-virus software does this and Anti-virus software does this and constantly monitors the computer for constantly monitors the computer for viruses.viruses.

Anti-virus (Heuristics)Anti-virus (Heuristics)

►This looks for code that is triggered by This looks for code that is triggered by time or date events, for code that time or date events, for code that searches for .com or .exe files or files searches for .com or .exe files or files that try to directly write to disk without that try to directly write to disk without going through the normal O/S going through the normal O/S procedure.procedure.

► If it looks like a virus and behaves like If it looks like a virus and behaves like a virus, then it probably is a virus.a virus, then it probably is a virus.