Computer Virus: “A program that can infect other programs by modifying them to include a version of itself” -- Dr Fred Cohen
Compare to an office clerk making two copies of a piece of paper.
30 seconds to copy
30 seconds to pass on
In one hour = 1 x 10^18 copies
Computer Virus
• Small piece of software that piggybacks on real programs
• Passes from computer to computer by producing copies of itself
• Have been around since 1986
• When it is running in memory, it looks for programs to add itself to
Executable and boot sector viruses decline
• Infect boot sector
• Not as easy now as most programs come on a CD
• Programs larger
• Operating systems better
Who Creates Viruses?
• Students and school children who have recently studied an assembly language
• Young people who feel the need to feel superior
• Professional programmers: maybe inferiority complex or unstable
• Explorers: quick-witted programmers who wish to “explore”
© 2004 By Default http://www.powerpointbackgrounds.com
The Brain Virus
• First PC virus
• Written in Pakistan
• Infected the boot sector of 360K floppy disks
• “Stealth” virus
• Try to get into RAM, stick to files and sectors, erases files and disks
Other viruses
• 1987 Lehigh virus: “Memory resident file infector”
• 1988 Jerusalem Virus: also memory resident and reinfected already infected files
• 1988: first anti-virus virus was written
• 1988 Cascade virus, first encrypted virus
And more viruses
• Polymorphism - encrypted viruses where the decryption routine code is variable
• Armoring - used to prevent anti-virus researchers from disassembling a virus
• Multipartite - infects both programs and boot sectors.
Email Viruses
• Moves around in an email message
• Replicates itself automatically
Worms
• Program that has the ability to copy itself from machine to machine.
• Small piece of software that uses computer networks and security holes to replicate itself
• Copies itself to other computers that have the same specific security hole
2001 Code Red Worm
• Slowed down the internet
• The worm scanned for Windows NT or Windows 2000 servers that didn’t have the security patch installed.
• Copied itself to that server and scanned again
Code Red Designed to:
• Replicate itself the first 20 days of each month
• Replace Web pages on infected servers with the page “Hacked by Chinese”
• Overwhelm the White House Server
How does Code Red Work?
• Unpatched systems had a “buffer overflow” which allowed embedded code to run.
• It created a sequence of random IP addresses to find other servers.
• It inspected the clock, waited for the appointed time, and sent 100 connections to www.whitehouse.gov
Morris: Internet Worm
• Infected more than 6000 computer systems, including NASA research
• Used errors in operating systems to propagate.
• Total losses were 96 million dollars
Trojan Horses
• A computer program
• Claims to do one thing, but does damage when you run it (could erase your hard drive)
• They do not replicate automatically
1989 Trojan Horse: AIDS
• 20000 copies of diskettes shipped marked “AIDS Information Diskette v2”
• After 90 boot-ups it encrypted all the filenames on your HD, making them invisible and left one file: Send $189 to…
Virus Hoaxes
• 1988: Mike RoChenle uploaded a message to BBS systems describing a virus that spread on 2400 baud connections. Many users switched to 1200 baud.
• Other hoaxes: Goodtimes, Aol4Free
1990 DiskKiller Virus
• PC Today (GB version) shipped diskette with magazine that was infected with DiskKiller
• Over 50000 copies were sold
• Who is responsible here?
1992 Michelangelo Virus
• Anti-virus companies made a big deal of this virus, bringing it into the news
• One US anti-virus company announced that on March 6 data on over 5 million computers would be destroyed
• Reality: about 10000 computers infected
Other Key Dates
• 1992: First Windows Virus released
• 1994: Virus gets on master disk of CD when preparing a batch of CDs - can only destroy the CDs.
• 1994: “OneHalf” a popular Russian virus
Latest Viruses
• W32.Zafi.B.Iworm
• W32.Sasser.A.Worm
And so it continues
• 1995: Concept virus for Word
• 1996: Windows95 virus
• 1996: Excel/Word virus that was based on Macros (Basic programs)
• 1997: Office 97 Viruses
• 1997: Homer, first network worm virus using FTP
• 1998 “Red Team” virus infects Windows EXE-files and sends infected files through email.
• 2000: I love you virus, when opened, sent to everyone in your address book.
Protect Yourself against Viruses
• Run secure OS like UNIX or use virus protection software
• Never run macros unless you know their source.
• Never run executable attachments
• Show extensions
• Backup
Why do we have viruses?
• Psychology that drives vandals
• The thrill of watching things blow up
• Bragging rights
• Started when PCs were common, then had BBS, then floppy disk, then Internet.
[Diagram labels: Virus Protection, Scanning, Integrity Checking, Interception, Backup, Show Extensions, Latest Version, Source?, Attachments, Downloads, Email, Worms, Trojan Horses]
Scanning
• Scanning: looks for known viruses by characteristics similar to existing viruses or signature recognition
• Dangerous to depend on old software
• False alarms
• Needs a clean boot
Integrity Checking
• Record information about your system to check against later
• Compares your system to the “base” information to detect changes
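Added example (not part of the original slides): a small integrity checker in Python that records a SHA-256 baseline of a directory and later reports added, removed and modified files. The function names and the JSON baseline format are assumptions made for this illustration.

```python
import hashlib
import json
import os


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Record the "base" information: relative path -> SHA-256 digest."""
    records = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            if os.path.islink(full):
                continue  # skip symlinks; only real files are hashed
            records[os.path.relpath(full, root)] = hash_file(full)
    return records


def save_baseline(records, baseline_path):
    """Store the baseline (hypothetical JSON format) for later checks."""
    with open(baseline_path, "w", encoding="utf-8") as handle:
        json.dump(records, handle, indent=2, sort_keys=True)


def load_baseline(baseline_path):
    """Load a baseline written by save_baseline()."""
    with open(baseline_path, "r", encoding="utf-8") as handle:
        return json.load(handle)


def compare(baseline, current):
    """Compare the current snapshot to the baseline and list every change."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }
```

Take the snapshot on a known-clean system and keep the baseline file outside the checked directory, on read-only or offline media, so that whatever changes the files cannot also rewrite the record.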
Interception
• Pop up warnings when a request is made to install itself as a resident program
• Useful for simple logic bombs and Trojan horses