Chapter 3: COMPUTER SECURITY

Computer viruses

The concept of viruses dates back to 1949, when John von Neumann submitted a paper putting forward the concept of a self-replicating program. The idea seemed impossible and was dropped. Subsequently, the first virus-like program appeared from the recreational game called code-wars. The first commercial application of viruses was in 1985, when two Pakistani brothers, in order to keep track of software piracy, used the Brain virus (also called the Pakistani virus). Hidden in nearly every disk they sold was an extra program not supplied by the manufacturer; it was self-replicating in nature and would infect an unauthorized user's computer by destroying its applications. These self-replicating programs multiplied so fast that today they threaten the smooth operation of computers.

Trojans are similar to viruses. They move around as valid programs, sometimes getting executed with flashy opening screens describing them as a word processor or database package. Thus Trojans are programs that claim to be doing one thing but do something entirely different, and in the process damage the computer system.

Worms travel longer distances by storing themselves in critical areas of the disk from where they get loaded, and they carry sufficient code to transfer themselves outward from the system they infect. Thus worms are known to damage entire networks (LANs). Apart from self-replication, another kind of destruction caused by viruses is data loss.

The process of infection

To understand how a virus infects the system, we will go back to the preliminary working of the computer. On booting, the system first carries out the ROM instructions, the Power On Self Test (POST), which is followed by the bootstrap process of reading the boot record and loading the disk operating system. In MS-DOS this involves loading IBMDOS.COM and IBMBIO.COM along with some optional files like CONFIG.SYS and AUTOEXEC.BAT.
The infection may begin as soon as the computer system boots from the disk or executes an infected program. Whatever viruses are present get activated and immediately begin to spread over the entire network.

Classification of viruses

Viruses can be classified on the basis of their mode of existence, giving the following categories.

1) Boot infectors: As the name suggests, they are characterized by the fact that they physically reside in the boot sector of the disk. Thus a system infected by this kind of virus will have the virus staying in a particular area of the disk rather than in a program file. These viruses get loaded soon after the POST and control the system at all times. Sometimes they have the capability of soft-booting and retain control even when the system is booted from an uninfected floppy. Boot infectors displace the information originally residing in the location they occupy; while writing into the boot sector, the virus ensures that the boot record is not deleted.

2) System infectors: This category of viruses deals with components of the system itself. All machines require an operating system in order to create an environment in which the operator works. In MS-DOS, the command.com file contains all internal commands. If no such command file exists, then commands such as COPY, DIR etc. are not loaded into memory when the machine is booted. System infectors attach themselves to a file like command.com or other memory-resident files and manipulate those files. System infectors differ from boot infectors in the sense that system infectors gain control after the computer is booted and infect the hard disk or bootable floppies which contain the appropriate system files. They have another peculiarity: they may activate after a certain period of time, or they may activate instantly.
3) General .COM or .EXE infectors: From the infection point of view, these viruses are the most dangerous. They attach themselves to program files and can spread to almost any executable program in any system. These viruses change the original program's first instructions to a 'jump' to the virus's own code and follow that code with a return to the original program. As a result, whenever the program is executed, the virus gets loaded and executed first and then the original program proceeds. The virus remains in the memory of the system and infects each and every program that is loaded for execution. Thus, by attaching themselves to .EXE or .COM files, these viruses change the size of the file and sometimes render the program file too large to be accommodated in memory. Examples: Form, Disk Killer, Michelangelo and Stoned.

4) Program viruses: These infect executable program files, such as those with extensions like .BIN, .COM, .EXE, .OVL, .DRV (driver) and .SYS (device driver). These programs are loaded into memory during execution, taking the virus with them. The virus becomes active in memory, making copies of itself and infecting files on disk. Examples: Sunday, Cascade.

5) Multipartite viruses: A hybrid of boot and program viruses. They infect program files, and when the infected program is executed, these viruses infect the boot record. When you boot the computer next time, the virus from the boot record loads into memory and then starts infecting other program files on disk. Examples: Invader, Flip and Tequila.

6) Stealth viruses: These viruses use certain techniques to avoid detection. They may either redirect the disk head to read another sector instead of the one in which they reside, or they may alter the infected file's size as shown in the directory listing. For instance, the Whale virus adds 9216 bytes to an infected file and then subtracts the same number of bytes (9216) from the size given in the directory. Examples: Frodo, Joshi, Whale.

7) Polymorphic viruses: A virus that can encrypt its code in different ways so that it appears different in each infection. These viruses are more difficult to detect. Examples: Involuntary, Stimulate, Cascade, Phoenix, Evil, Proud, Virus 101.

8) Macro viruses: A macro virus is a newer type of computer virus that infects the macros within a document or template. When you open a word processing or spreadsheet document, the macro virus is activated and infects the Normal template (Normal.dot), a general-purpose file that stores default document formatting settings. Every document you open refers to the Normal template, and hence gets infected with the macro virus. Since this virus attaches itself to documents, the infection can spread if such documents are opened on other computers. Examples: DMV, Nuclear, Word Concept.

Companion virus: A program that attaches to the operating system rather than to files or sectors. In DOS, when you run a file named "ABC", the rule is that ABC.COM executes before ABC.EXE. A companion virus places its code in a .COM file whose first name matches the name of an existing .EXE. You run "ABC", and the actual sequence is "ABC.COM" followed by "ABC.EXE".

Encrypted virus: A virus whose code begins with a decryption algorithm and continues with the scrambled or encrypted code of the remainder of the virus. When several files are infected with the same virus, each will share a brief identical decryption algorithm, but beyond that each copy may appear different. A scan string could be used to search for the decryption algorithm. Cf. polymorphic viruses.

File virus: Viruses that attach themselves to (or replace) .COM and .EXE files, although in some cases they can infect files with extensions .SYS, .DRV, .BIN, .OVL, .OVR, etc. The most common file viruses are resident viruses, going into memory at the time the first copy is run and taking clandestine control of the computer. Such viruses commonly infect additional programs as you run them. But there are many non-resident viruses too, which simply infect one or more files whenever an infected file is run.

Zoo virus: A virus which is rarely reported anywhere in the world, but which exists in the collections of researchers. A zoo virus has some chance of escaping from virus collections and infecting user machines; its prevalence could then increase to the point that it is considered "in the wild".
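Several of the detection ideas used in this chapter (recording the length and a checksum of every executable, searching for an encrypted virus's fixed decryption stub with a scan string, and the .COM-before-.EXE rule a companion virus abuses) can be checked mechanically, which is what the later Virus Detection section calls first- and second-generation scanning. The Python below is an added example, not code from the chapter: it works on a constructed in-memory "disk" rather than real files, and the scan-string bytes and "infected" contents are invented for the demonstration.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample "disk": file name -> contents.  A real checker would
# read files from disk; these bytes are invented for the demonstration.
CLEAN_DISK: Dict[str, bytes] = {
    "ABC.EXE": b"MZ" + b"\x00" * 62 + b"original program code",
    "EDIT.COM": b"\xb4\x09\xcd\x21legit com program",
    "README.TXT": b"plain text, not executable",
}

# Constructed scan string standing in for the short, fixed decryption stub
# that an encrypted virus shares across infections.  Invented bytes, not a
# real virus signature.
DECRYPT_STUB_SCAN_STRING = b"\xb9\x10\x00\x80\x34\x5a\x46\xe2\xfa"

EXECUTABLE_EXTENSIONS = (".COM", ".EXE", ".SYS", ".DRV", ".BIN", ".OVL", ".OVR")


def is_executable(name: str) -> bool:
    return name.upper().endswith(EXECUTABLE_EXTENSIONS)


def baseline(disk: Dict[str, bytes]) -> Dict[str, Tuple[int, str]]:
    """Integrity baseline: length and checksum of every executable.
    Keep this record off the disk it describes (or encrypted), otherwise
    a virus can update the record along with the file it infects."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in disk.items() if is_executable(name)}


def integrity_report(base: Dict[str, Tuple[int, str]],
                     disk: Dict[str, bytes]) -> List[str]:
    """Compare the current disk with the baseline.  A length change catches
    appending infectors; a checksum change also catches infections that
    overwrite zero padding or compress the host to keep the length equal."""
    findings = []
    for name, (old_len, old_hash) in base.items():
        data = disk.get(name)
        if data is None:
            findings.append(f"{name}: missing since baseline")
            continue
        new_len, new_hash = len(data), hashlib.sha256(data).hexdigest()
        if new_len != old_len:
            findings.append(f"{name}: length {old_len} -> {new_len}")
        elif new_hash != old_hash:
            findings.append(f"{name}: contents changed, length unchanged")
    for name in disk:
        if is_executable(name) and name not in base:
            findings.append(f"{name}: new executable not in baseline")
    return findings


def companion_candidates(disk: Dict[str, bytes]) -> List[str]:
    """DOS runs NAME.COM before NAME.EXE, so a .COM file that shadows an
    existing .EXE of the same name is a companion-virus candidate."""
    names = {n.upper() for n in disk}
    return sorted(n[:-4] + ".COM" for n in names
                  if n.endswith(".EXE") and n[:-4] + ".COM" in names)


def scan_string_hits(disk: Dict[str, bytes], scan_string: bytes) -> List[str]:
    """Signature scan: every file that contains the scan string."""
    return sorted(name for name, data in disk.items() if scan_string in data)


def simulate_infected_disk() -> Dict[str, bytes]:
    """Constructed 'after' state for the demonstration (no real malware):
    one appending infection, one companion file and one same-length edit."""
    disk = dict(CLEAN_DISK)
    disk["ABC.EXE"] = CLEAN_DISK["ABC.EXE"] + DECRYPT_STUB_SCAN_STRING + b"body"
    disk["ABC.COM"] = DECRYPT_STUB_SCAN_STRING + b"companion"
    disk["EDIT.COM"] = CLEAN_DISK["EDIT.COM"].replace(b"legit", b"VIRUS")
    return disk


if __name__ == "__main__":
    base = baseline(CLEAN_DISK)
    infected = simulate_infected_disk()
    for line in integrity_report(base, infected):
        print("integrity:", line)
    print("companion candidates:", companion_candidates(infected))
    print("scan string hits:", scan_string_hits(infected, DECRYPT_STUB_SCAN_STRING))
```

Note that the same-length edit to EDIT.COM is invisible to the length check alone, which is why the second-generation scanners described later add a checksum.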
Types of viruses

1) Scores virus: This virus exists on Macintosh machines. It has a built-in time trigger that activates on the 2nd, 4th and 7th day after the disk has been infected. The consequences are varied, ranging from printing problems to system crashes. Data files are not affected directly by this virus, but removing it requires deletion of all files.

2) Pakistani (Brain) virus: This is one of the first viruses that came into being. Two Pakistani brothers developed it to keep track of the low-cost software that they sold in Lahore. This virus is known to destroy data files.

3) Lehigh virus: It originated at the Lehigh University computer centre. It stays in the stack space of the command.com file. When the PC is booted from the infected disk, the virus is spread through commands like COPY, TYPE etc. On any other disk with a command.com file, the virus code gets copied to that disk and a counter is incremented in the parent file. When the counter reaches the value 4, all files on the other disk get erased; the boot sector collapses, and so does the file allocation table.

4) Friday the 13th: This virus attacks command.com as well as other executable files. When a .com or .exe file is executed for the first time after booting, the virus captures a specific interrupt and inserts its own code, after which, whenever a .exe file is executed, the virus code is written at the end of the file, increasing the file size by 1808 bytes. In .com files, the virus code is written at the beginning of the actual program. The increase in file size can cause the program to become too large to be loaded into memory. Also, after a certain interval of time, delays are inserted, slowing the program down.

5) Raindrops: This virus checks whether the file is a .exe file or not; if it is not, the first three bytes of the file are replaced by a jump instruction to the end of the file, where the virus attaches itself after encryption. This results in characters dropping off the screen like raindrops, accompanied by appropriate sound effects.

6) Happy Birthday 30th: This virus gets activated on 5th January if any program gets executed, and asks the user to type 'Happy Birthday 30th'. It might destroy all the data stored on the disk space of a 1.2 MB floppy. A symptom of this virus is that the computer memory is reported to be 64 KB less than the actual memory.

A virus basically consists of three parts

1. Replicator: The replicator's job is to ensure the survival of the virus on a system. Most successful viruses do this not by inflicting damage on the system but by appending themselves to legitimate programs on the machine. Each time such a program is run, the virus will 'wake up' and start to reproduce. As said earlier, this is the most important part of the virus code.

2. Concealer: This part of the virus has the job of hiding the virus. It uses a number of methods to do this, but the point is that if you don't know a virus is there, you won't try to kill it. Today's viruses use advanced techniques to avoid being caught by antivirus software.

3. Payload: The payload of a virus can be practically anything; in fact, if it can be programmed, it can be the payload. If a virus is going to have a long life, then any damage it causes must either be very slight or not take place for a long period after infection.
If an obvious payload gets delivered soon after infection, the user will soon notice and go virus hunting. This does not help the long life or wide spread of a virus.

10 virus symptoms

1. Programs take longer to load. Memory-intensive operations take a lot of time to start.
2. A change in dates against the filenames in the directory. When the virus modifies a file, the operating system changes the date stamp.
3. The floppy disk or hard disk is suddenly accessed without logical reason.
4. Increased use of disk space and growth in file size: the virus attaches itself to many files.
5. Abnormal write-protect errors: the virus is trying to write to a protected disk.
6. Strange characters appear in the directory listing of filenames.
7. Strange messages like "Type Happy Birthday Joshi" (Joshi virus) or "Driver Memory Error" (kak.worm) appear on the screen and in documents.
8. Strange graphic displays, such as falling letters or a bouncing ball, appear on screen.
9. Programs may hang the computer or not work at all.
10. Junk characters overwrite text in document or data files.

Tips to protect your computer from malicious programs

Listed below are some of the steps recommended by experts to safeguard your PC from viruses. These are a compilation of my past experiences and magazine sources.

1) Common sense.
2) Write-protect your floppy disks when using them on other computers.
3) Remove floppy disks from drives while booting.
4) Change the setting in the BIOS so that your PC boots from the C: drive first.
5) Use a good anti-virus program to scan floppy disks before copying files. Recommended ones are Norton Antivirus and
6) Install software only from original write-protected disks with the publisher's label.
7) Do not install pirated software, especially computer games. Purchase or obtain files or software only from trusted sources.
8) Activate watch-guard programs (monitors) that look out for suspicious activity.
9) Use the update service offered by software vendors and update the antivirus software every month.
10) Scan the entire hard disk twice a month.
11) Scan files downloaded from the Internet or those transferred through a network.
12) Prepare a rescue disk with critical system files. Preferably, it should be bootable.
13) Keep the original CD-ROM or diskettes containing the operating system handy.
14) Look for an unexpected file extension on any attachment.

Structure of viruses

Here is a simple structure of a virus. In the infected binary, at a known byte location in the file, the virus inserts a signature byte used to determine whether a potential carrier program has already been infected.

    V()
    {
        infectExecutable();
        if (triggered()) {
            doDamage();
        }
        jump to main of infected program;
    }

    void infectExecutable()
    {
        file = choose an uninfected executable file;   /* checked via the signature byte */
        prepend V to file;
    }

    void doDamage()
    {
        ...
    }

    int triggered()
    {
        return (some test ? 1 : 0);
    }

The above virus makes the infected file longer than it was, making it easy to spot. There are many techniques to leave the file length, and even a checksum, unchanged and yet infect. For example, many executable files contain long sequences of zero bytes, which can be replaced by the virus and regenerated. It is also possible to compress the original executable code, as typical zip programs do, uncompress it before execution, and pad with bytes so that the checksum comes out to what it was.

Virus Detection
Known viruses are by far the most common security problem on modern computer systems. Several web sites maintain complete lists of known viruses; there are thousands. Visit, e.g., www.cai.com/virusinfo/encyclopedia/. In the month of July 2000, there were 200+ "PC Viruses in the Wild" (www.wildlist.org).

Virus detection programs analyze a suspect program for the presence of known viruses. Fred Cohen has proven mathematically that perfect detection of unknown viruses is impossible: no program can look at other programs and say either "a virus is present" or "no virus is present" and always be correct. But in the real world, most new viruses are sufficiently like old viruses that the same sort of scanning that finds known viruses also finds the new ones. And there are a large number of heuristic tricks that anti-virus programs use to detect new viruses, based either on how they look or on what they do. These heuristics are only sometimes successful, but since brand-new viruses are comparatively rare, they are sufficient for the purpose.

Virus scanners are sometimes classified by their "generation". First-generation virus scanners use a previously obtained virus signature, a bit pattern, to detect a known virus; they also record and check the length of all executables. Second-generation scanners scan executables with heuristic rules, looking, e.g., for fragments of code associated with a typical virus. They also do integrity checking by calculating a checksum of a program and storing the encrypted checksum somewhere else. Third-generation scanners use a memory-resident program to monitor the execution behaviour of programs, identifying a virus by the types of action it takes. Fourth-generation virus detection combines all the previous approaches and includes access control capabilities.

Trojan horses

Trojans are malicious programs created to perform unexpected operations on your computer. The name comes from the famous Trojan horse that was used in the Trojan war.
The idea behind a Trojan is to trick a person into running the file. It is usually sent to them by e-mail and promoted as some game or funny program that the recipient is likely to run. When the Trojan file is run, it usually installs itself so that it will be loaded automatically, or it places itself in the place of a common application that is likely to get run, such as NOTEPAD in Windows. Automatic loading is done by modifying start-up locations such as the registry or the startup applications directory.
The range of Trojan horses is unlimited, but the most common ones steal passwords for popular Internet services like America Online and install backdoor servers that open your computer to hackers while you are online. They can also have timed payloads that will erase hard drives or corrupt data. Password stealers usually give themselves away by causing difficulty logging on to your account, or by complaints that you have been sending spam or other forms of unwanted e-mail when you have nothing to do with it. Backdoor servers will be hard for you to detect unless you happen to notice your Internet connection slowing down or strange things happening when you use your computer. A backdoor server opens a connection on your computer so that someone (anyone in the world) can connect and control your computer while you are online. They can read, copy, delete and write files. They can open and close your CD tray. There are hundreds of tricks they can play on you.

How does a Trojan affect a computer?

In order to gain access to a user's computer, the victim has to be induced to install the Trojan himself. The usual method is to offer a seemingly useful system enhancement, or perhaps a free game, that has the Trojan attached to it. By installing it, the user also installs the Trojan. The most common sources of infection are as follows:

• Executing any files from suspicious or unknown sources.
• Opening an e-mail attachment from an unknown source.
• Allowing a "friend" access to your computer while you are away.
• Executing files received from any online activity client such as ICQ.
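One defensive check for the e-mail attachment vector listed above, added here as an example and not code from the chapter: it flags attachments whose real, final extension is executable, including the hidden-extension trick the Trojan prevention tips later in this chapter describe (a name like "susie.jpg.exe" that Windows shows as "susie.jpg" when known extensions are hidden). The extension lists and sample attachment names are constructed for the demonstration.

```python
import re
from typing import List, Optional

# Extensions that Windows runs directly when the attachment is "opened"
# (constructed list for the example; extend it for a real mail filter).
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "js"}
# Harmless-looking extensions typically used as the visible decoy.
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "mp3", "zip"}
KNOWN_EXTENSIONS = EXECUTABLE_EXTENSIONS | DECOY_EXTENSIONS


def displayed_name(filename: str) -> str:
    """Approximate what Explorer shows with 'Hide extensions for known file
    types' on: the final known extension is dropped, so an earlier decoy
    extension becomes the one the user sees."""
    base, dot, ext = filename.rpartition(".")
    return base if dot and ext.lower() in KNOWN_EXTENSIONS else filename


def classify_attachment(filename: str) -> Optional[str]:
    """Return a warning for an executable attachment, or None.  Whitespace
    inside the name is removed first, so padding such as 'susie.jpg   .exe'
    (used to push the real extension out of view) does not defeat the check."""
    parts = re.sub(r"\s+", "", filename).lower().split(".")
    if len(parts) < 2:
        return None
    final = parts[-1]
    if final not in EXECUTABLE_EXTENSIONS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
        return (f"{filename}: executable disguised as .{parts[-2]} "
                f"(appears as '{displayed_name(filename)}' when extensions are hidden)")
    return f"{filename}: executable attachment (.{final})"


def screen_attachments(names: List[str]) -> List[str]:
    """Warnings for every suspicious name in an attachment list."""
    return [w for w in (classify_attachment(n) for n in names) if w]


# Constructed sample attachment names for the demonstration.
SAMPLE_ATTACHMENTS = ["report.pdf", "holiday.jpg", "susie.jpg.exe",
                      "invoice.txt      .scr", "setup.exe", "notes"]

if __name__ == "__main__":
    for warning in screen_attachments(SAMPLE_ATTACHMENTS):
        print(warning)
```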
Virtually every Trojan is composed of two main parts: the "server" and the "client". It is the server part that infects a user's system. In order to find infected machines, intruders scan the Internet using a port scanner. Technically speaking, the attacker sends request packets across the Internet using the client part of the Trojan. An infected machine responds with a signal to tell the attacker that it is infected. The attacker subsequently establishes a link between the two machines. This whole process may take only a few seconds at most. Once that has happened, the intruder can take control of the user's machine in the same way as if he were sitting right in front of it. Any commands that he performs on the user's machine are completely invisible to the user, who may be working on an entirely different application at the time. In this situation, the intruder becomes the master and the user the slave.

The Trojan itself is a "backdoor" to the user's machine, in a similar way to the back door of your house. It allows a remote user unauthorized access to your computer in the same way that a thief who obtains a key to your back door can enter your house, steal its contents and leave again whenever he likes, without your knowledge. Once infected, the computer becomes accessible to any remote user, usually referred to as a "cracker" or "intruder", who has the client part of the Trojan. That person can perform any action that the user can. For example, if the user keeps his credit card details on the computer, the intruder can steal that information. He may not necessarily make use of the credit card himself, but he can certainly sell the information to a third party who can then go on a spending spree at the user's expense. The intruder can also steal passwords in order to gain access to restricted information or to password-protected web sites. In addition, the intruder can cause the system to reboot without warning, shut down without warning, eject the CD-ROM tray, delete files, add files, make use of the user's e-mail client, etc. The possibilities are endless.

Types of Trojans

1) Remote access Trojans: These are probably the most popular and very likely the most dangerous of the many Trojan classes currently available. It is these types that work in server/client mode. The server part installs itself on the unsuspecting user's computer and the client remains on the attacker's system. Once an infected machine has been discovered, the intruder establishes a link between the two. He can subsequently perform any action the user can, and more. For example, let's assume that the user has valuable data stored in a folder called "ABC" on his C: drive. In order to steal that data, all the intruder needs to do is drag and drop the folder called ABC from the user's C: drive onto his own. A few of the most popular remote access Trojans are NetBus, SubSeven, Back Orifice (The Cult of the Dead Cow, cDc), etc.

2) Mail Trojans: Another popular type of Trojan in hackers' circles is the mail Trojan.
It works in server mode only and its main function is to record certain data, such as the keystrokes the user enters when passwords are typed, the web sites he regularly visits, and files in general. An infected machine will automatically send the information by e-mail to the attacker. These are very difficult to spot because the e-mail client is part of the Trojan itself.

3) FTP Trojans: This particular class of Trojan works in server mode only. It allows FTP access to an infected machine and can download or upload files at the intruder's whim.

4) Telnet Trojans: Telnet Trojans run in server mode only and allow an intruder to execute DOS commands on a remote machine.
5) Key logger Trojans: These Trojans record the keystroke input on an infected machine and then store the information in a special log file that the intruder can access in order to decipher passwords.
6) Fake Trojans: This type of Trojan uses fake dialog boxes and other bogus windows that purport to show that the user has attempted to perform an illegal operation. By displaying a dialog box, its sole purpose is to get the user to enter his user name and password. That information is then stored on file so that the intruder can use it at a later date.

How to protect yourself from Trojans

• NEVER download blindly from people or sites which you aren't 100% sure about. In other words, as the old saying goes, don't accept candy from strangers. If you do a lot of file downloading, it's often just a matter of time before you fall victim to a Trojan.
• Even if the file comes from a friend, you still must be sure what the file is before opening it, because many Trojans will automatically try to spread themselves to friends in an e-mail address book or on an IRC channel. There is seldom reason for a friend to send you a file that you didn't ask for. When in doubt, ask them first, and scan the attachment with a fully updated antivirus program.
• Beware of hidden file extensions! Windows by default hides the last extension of a file, so that an innocuous-looking "susie.jpg" might really be "susie.jpg.exe", an executable Trojan! To reduce the chances of being tricked, unhide those pesky extensions.
• NEVER use features in your programs that automatically get or preview files. Those features may seem convenient, but they let anybody send you anything, which is extremely reckless. For example, never turn on "auto DCC get" in mIRC; instead, ALWAYS screen every single file you get manually. Likewise, disable the preview mode in Outlook and other e-mail programs.
• Never blindly type commands that others tell you to type, go to web addresses mentioned by strangers, or run pre-fabricated programs or scripts (not even popular ones). If you do so, you are potentially trusting a stranger with control over your computer, which can lead to Trojan infection or other serious harm.
• Don't be lulled into a false sense of security just because you run anti-virus programs. Those do not protect perfectly against many viruses and Trojans, even when fully up to date. Anti-virus programs should not be your front line of security; instead they serve as a backup in case something sneaks onto your computer.
• Finally, don't download an executable program just to "check it out": if it's a Trojan, the first time you run it, you're already infected!

Computer worms

A worm is a self-contained program that is able to spread functional copies of itself or its segments to other computer systems. Unlike viruses, worms do not need to attach themselves to a host program. There are two types of worms:

• Host computer worms
• Network worms

Host computer worms are entirely contained in the computer they run on and use network connections only to copy themselves to other computers. The original worm terminates itself after launching a copy on another host, so there is only one copy of the worm running somewhere on the network at a given moment. Host computer worms are also called 'rabbits'.

Network worms consist of multiple segments, each running on a different machine (and possibly performing different actions), and use the network for several different communication purposes. A network worm that has one main segment which co-ordinates the work of the other segments is sometimes called an octopus.

There are three world-famous worms, as follows:

1) The Internet worm (1988): On 22nd November 1988, a Cornell University science graduate accidentally released this worm on a very large network (called Arpanet). The worm managed to infect 3000 computers in its 8 hours of activity. It disabled all those machines by making copies of itself, so that many machines had to be taken completely off the network until all the copies of the worm could be removed. Although the entire process took the scientists 2-3 days, no data was lost on any of the infected computers and no permanent damage was done to any of them.

2) The SPAN network worm (1989): On 16th October 1989, a worm named 'WANK' infected many VAX/VMS computers on a network. If this worm found that it had system privileges, it would change the system message to 'worms against nuclear killers'. The message was then graphically displayed as the first three letters of each word and the last three letters of the last word.

3) Christmas tree worm (1987): This was a mainframe worm and managed to paralyze the IBM network on Christmas day 1987. It was written in a language called EXEC. It asked the user to type the word 'Christmas' on the screen, and then it would draw a Christmas tree and send itself to all those people whose names were stored in the user's files, propagating itself in this way.