system software.
- Viruses that infect in a particular way to try to avoid specific anti-virus software.
- Viruses that don't infect very often.
- Viruses that are programmed to make disassembly difficult.
- Viruses that may fall into more than one of the top classes.
- Cavity (Space filler) Viruses: viruses that attempt to maintain a constant file size when infecting.
- Viruses that try to "tunnel" under anti-virus software while infecting.
- Viruses that attempt to appear as a benign program to scanners.
- Viruses that ride on the alternate data streams in the NT File System.
General Virus Behavior
Although viruses come in many forms, they all potentially have two phases to their execution: the infection phase and the attack phase.
- When the virus executes it will infect other programs. What is often not clearly understood is precisely when it will infect other programs. Some viruses infect other programs each time they are executed, while others infect only upon a certain trigger. This trigger could be anything from a day or time to an external event or a counter within the virus. Some viruses are very selective about when they infect programs; this is vital to the virus's survival. If the virus infects too often, it is more likely to be found before it can spread far. Virus writers want their programs to spread as far as possible before detection. This brings up an important point: it is a serious mistake to execute a program a few times, find nothing infected, and presume there are no viruses in the program. The virus simply may not have triggered its infection phase yet!
Many viruses go resident in the memory of your PC just as a terminate and stay resident (TSR) program such as Sidekick(R) does. This means the virus can wait for some external event such as inserting a diskette, copying a file, or executing a program to actually infect another program. This makes these viruses very dangerous since it’s hard to guess what trigger condition they use for their infection. Resident viruses frequently corrupt the system software on a PC to hide their existence.
- The second phase is the attack phase. Many viruses do unpleasant things, such as deleting files or changing random data on your disk, simulating typos, or merely slowing your PC down; some viruses do less harmful things such as playing music or creating messages or animation on your screen. Just as the virus's infection phase can be triggered by some event, the attack phase also has its own trigger. Viruses usually delay revealing their presence by launching their attack only after they have had ample opportunity to spread. This means that the attack may be delayed for years after the initial infection. The attack phase is optional; many viruses simply reproduce and have no trigger for an attack phase. Does this mean that these are "good" viruses? NO, unfortunately not! Anything that writes itself to your disk without your permission is stealing storage and CPU cycles. This is made worse by the fact that viruses which "just infect", with no attack phase, still damage the programs or disks they infect. This is not intentional on the part of the virus, but simply a result of the fact that many viruses contain extremely poor quality code. One of the most common viruses, the STONED virus, is not intentionally harmful. Unfortunately the author did not anticipate anything other than 360K floppy disks, with the result that the virus will try to hide its own code in an area on 1.2MB diskettes that causes corruption of the entire diskette.
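Because a cavity infector keeps the file size constant and an infection may not trigger for many executions, neither a size check nor "running the program a few times" tells a defender anything. The following Python example is added here (it is not from the paper) to show the baseline-and-hash check that catches a same-size modification; the file contents and function names are constructed for illustration.

```python
import hashlib
from typing import Dict, Tuple

# Baseline entry: (size in bytes, SHA-256 hex digest) per file path.
Baseline = Dict[str, Tuple[int, str]]

def fingerprint(data: bytes) -> Tuple[int, str]:
    """Size plus content hash; the hash is what catches same-size edits."""
    return len(data), hashlib.sha256(data).hexdigest()

def build_baseline(files: Dict[str, bytes]) -> Baseline:
    """Record size and hash for every file while the system is known clean."""
    return {path: fingerprint(data) for path, data in files.items()}

def check_against_baseline(baseline: Baseline, files: Dict[str, bytes]) -> Dict[str, str]:
    """Classify each file relative to the baseline.

    'same-size-change' is the case a size-only or date-only check misses:
    the content differs but the length is unchanged (cavity-style infection).
    """
    findings = {}
    for path, data in files.items():
        size, digest = fingerprint(data)
        if path not in baseline:
            findings[path] = "new"
            continue
        base_size, base_digest = baseline[path]
        if digest == base_digest:
            findings[path] = "unchanged"
        elif size == base_size:
            findings[path] = "same-size-change"
        else:
            findings[path] = "size-change"
    for path in baseline:
        if path not in files:
            findings[path] = "missing"
    return findings

# Constructed sample: a tiny fake executable image plus a text file, and the
# same two files after a same-size overwrite and an append respectively.
CLEAN = {"app.exe": b"MZ" + b"\x90" * 30 + b"\x00" * 32, "readme.txt": b"hello"}
LATER = {
    "app.exe": b"MZ" + b"\x90" * 30 + b"\xcc" * 32,  # same length, slack bytes changed
    "readme.txt": b"hello" + b"-extra",                # grew, so size alone would flag it
}

if __name__ == "__main__":
    base = build_baseline(CLEAN)
    for path, verdict in sorted(check_against_baseline(base, LATER).items()):
        print(f"{path}: {verdict}")
```

The baseline must be taken from a known-clean system and stored where the monitored machine cannot rewrite it, otherwise a resident virus could update it along with the files.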
The Latest Known Viruses: Last update 2/27/2002
02/25/2002
I-Worm.Wargame: This is a virus-worm that spreads via the internet attached to infected E-mails. The worm itself is a Windows PE EXE file about 77 KB in length.
02/19/2002
I-Worm.Yamer: This is a virus-worm that spreads via the internet attached to infected E-mails. The worm itself is a Windows PE EXE file about 434 KB in length, written in Delphi.
02/15/2002
Virus-Worm "CoolNow": A new internet worm going by the name of "CoolNow" infects computers upon visiting malicious Web sites and spreads using the popular MSN Messenger Internet pager. The new virus exploits a security hole in the Internet Explorer browser that Microsoft made public on Feb. 11 along with a bug fix, just two days before the worm appeared. Of great concern is the speed with which instant messages can be sent, and the amount of damage that could be caused by a well-placed virus. The Wall Street Journal reported that one of the patches Microsoft provided to users to fix security holes in Windows XP is vulnerable to the same type of virus it's designed to prevent.
01/31/2002
Linux.RST: This is a Linux virus that also implements several backdoor facilities, allowing an attacker to take control of the system infected with it.
01/28/2002
Myparty: The internet worm "Myparty" poses as a web-site link. Not everything starting with "www" and ending in ".com" is a website! This virus spreads by E-mail. It appears as a file attached to an E-mail message and is a Windows application 30 KB in length, written in Microsoft Visual C++ and compressed with an XP utility.
01/17/2002
I-Worm.Gigger: This is a dangerous worm! It replicates using Outlook, Outlook Express, and mIRC. It is a worm written in JavaScript and Visual Basic Script (VBS). It contains a destructive payload of routines that are able to format the user's hard disk after reboot, and can delete all files on all available disks.
01/14/2002
The "Donut" Virus: This is the first malicious program to infect .NET files. "Donut" was developed by the notorious Czech hacker going by the pseudonym "Benny", who is a part of the "29A" virus-writers group. "Benny" is known to be the author of many proof-of-concept viruses, among which are "Stream" (the first NTFS alternate data streams infector), "Inta" (the first Windows 2000 virus), "HIV", "Champ", "Eva", "Begemont", etc. The most intriguing aspect of this virus is that the .NET technology, which Microsoft presents as the future substitute for Java, has not yet been officially released and is still under development.
01/09/2002
SWScript.LFM Virus: The first malicious program that infects the popular multimedia format, Macromedia Shockwave. A detailed analysis of LFM has shown that the current virus is more a proof-of-concept than a real threat to internet users.
As I was writing this paper I was warned of yet another virus! "Eternal Damnation". This worm, almost entirely based on Sircam, contains messages similar to those of its predecessor. The attachment is a modified version of Sircam, which after sending itself to all the user's contacts, opens the default browser to and, using private information found on the user's machine, automatically sells their soul to Satan, with a legally binding virtual contract. The user may then be directed to a random porn site or to the "So you've just sold your soul to Satan" homepage.
Hoax or Reality?
The aforementioned viruses are and/or were real. But many others are hoaxes, merely meant to put a panic into the computer users of the world, and they are just too numerous to list. Some of these are the result of hackers while others are due to security companies trying to drum up business. Every time a virus is reported, real or not, antivirus software sales soar, as do calls to security companies. No matter how much Web sites prepare, they can still be caught off guard. That was readily apparent when the sites with the best infrastructure and security, such as Yahoo!, Amazon.com and E*TRADE, were made inaccessible for hours. The sites were eventually able to counter the attacks by installing filters. But even officials at the companies acknowledged that those were only stopgap measures and might not deflect future attacks. If this is the case and large corporations can't protect themselves, how can the average user protect themselves?
Virus Protection and PC Security:
More than 52 thousand incidents, including Web site attacks, malicious viruses, and network intrusions, were reported in 2001, according to the Computer Emergency Response Team (CERT), a federally funded computer security clearinghouse. This is up from 21,756 the previous year, according to CERT. CERT counts all reports related to any one particular virus as a single incident, which makes the number of incidents reported appear much smaller than it actually is. Roughly one new virus or variant every other day was reported in 2001. The reason why awareness has increased is that people are starting to understand that denial-of-service attacks can be used to leverage other attacks that might at some point provide privileged access.
A survey conducted by Digital Marketing Services found that 97 percent, or nearly all, of its 1,014 online respondents are vulnerable to Internet security threats since they do not adhere to all of the key practices that protect their systems from attack.
The market for computer and network security products continues to grow as the popularity of the Internet continues to expand worldwide. It is expected that malicious code will cause over $21 billion in economic damages in 2002, and over $54 billion by the year 2006. Antivirus solutions are expected to approach $1.5 billion by year end 2002, and grow to over $5.2 billion by 2006. Anti-Spam revenues are expected to top $88 million in 2002, and surpass $180 million by 2006. The study expects Content Filtering revenues above $460 million in 2002, increasing to almost $1.2 billion by 2006.
More cyber attacks originate in the United States than in any other country, but the number of attacks that appear to come from Israel is nearly double that of any other nation based on the number of Internet users, according to a study released on January 28, 2002.
Anti-virus software exists, but viruses will always be a threat to software alone; if it were used in conjunction with anti-virus hardware, the threat would be drastically reduced. Such hardware is not available to users at this time, but it is being developed.
Some of the anti-virus software available includes McAfee, Norton, and Dr. Watson, to name just a few. But as long as users don't follow anti-virus guidelines, all the software in the world would be useless.
Hackers:
A brief history of hacking
Prehistory (before 1969)
In the beginning there was the phone company, the brand-new Bell Telephone, to be precise. And there were nascent hackers. Of course in 1878 they weren't called hackers yet. Just practical jokers, teenage boys hired to run the switchboards who had an unfortunate predilection for disconnecting and misdirecting calls ("You're not my cousin Mabel?! Operator! Who's that snickering on the line? Hello?"). Now you know why the first transcontinental communications network hired female operators.
Flash forward to the first authentic computer hackers, circa the 1960s. Like the earlier generation of phone pranksters, MIT geeks had an insatiable curiosity about how things worked. In those days computers were mainframes, locked away in temperature-controlled, glassed-in lairs. It cost megabucks to run those slow-moving hunks of metal; programmers had limited access to the dinosaurs. So the smarter ones created what they called "hacks" (programming shortcuts) to complete computing tasks more quickly. Sometimes their shortcuts were more elegant than the original program.
Maybe the best hack of all time was created in 1969, when two employees at Bell Labs’ think tank came up with an open set of rules to run machines on the computer frontier. Dennis Ritchie and Ken Thompson called their new standard operating system UNIX. It was a thing of beauty.
Hackers View Latest Attacks with Scorn
Longtime members of the computer hacker community, many of whom are now becoming well-regarded security consultants, are looking on the recent spate of attacks on World Wide Web sites with distaste. The recent attacks are crude and amateurish, say longtime hackers. A denial-of-service attack is akin to killing an ant with a baseball bat: a crude and amateurish way of taking down a web site. Most hackers would rather infiltrate the site's security. Some deface Web pages with jokes, messages, or political statements, but others seek to obtain sensitive data. Still others do nothing at all once they've broken into a system, treating the exercise as a test of skill. These attacks are worthless and childish; there is no grace, no skill and no intellect behind them. There is definitely software out there that can filter out these attacks; unfortunately sites don't want to use it because it makes the pages load slower. It all boils down to profit versus protection. Which would you prefer?