CHRISTIAN SERVICE UNIVERSITY COLLEGE BSC. COMPUTER SCIENCE LEVEL: 400 INDEX: 1O124297 BAAH GEOFFREY JNR.
E-COMMERCE: DIFFERENTIATE BETWEEN THE FOLLOWING MALICIOUS CODES: 1. VIRUSES 2. WORMS 3. MACRO VIRUSES 4. MACRO WORMS 5. TROJAN HORSES
Lecturer: Mr. J. K. Panford
Introduction to Virus:

Definition: A computer virus, according to Webster's Collegiate Dictionary, is "a computer program usually hidden within another seemingly innocuous program that produces copies of itself and inserts them into other programs or files, and that usually performs a malicious action (such as destroying data)". A computer virus attaches itself to a program or file, enabling it to spread from one computer to another and leaving infections as it travels. Like a human virus, a computer virus can range in severity: some cause only mildly annoying effects, while others can damage your hardware, software or files. A computer virus shares some traits with its biological namesake: it must be attached to some other program or document in order to launch, and once it is running it can infect other programs or documents. Two categories of viruses, macro viruses and worms, are especially common today. Computer viruses are never naturally occurring; they are always man-made. Once created and released, however, their spread is not directly under human control.
Working of computer virus:

A file virus attaches itself to a file, usually an executable application (e.g. a word processing program or a DOS program). In general, file viruses don't infect data files. However, data files can contain embedded executable code such as macros, which may be used by virus or Trojan writers. Recent versions of Microsoft Word are particularly vulnerable to this kind of threat. Text files such as batch files, PostScript files and source code, which contain commands that can be compiled or interpreted by another program, are potential targets for malware (malicious software), though such malware is not at present common.

Types of computer virus:

Macro viruses: A macro is a piece of code that can be embedded in a data file. Some word processors (e.g. Microsoft Word) and spreadsheet programs (e.g. Microsoft Excel) allow you to attach macros to the documents they create. In this way, documents can control and customize the behavior of the programs that created them, or even extend the capabilities of the program. For example, a macro attached to a Microsoft Word document might be executed every time you save the document and cause its text to be run through an external spell-checking program. A macro virus is a virus that exists as a macro attached to a data file. In most respects, macro viruses are like all other viruses. The main difference is that they are attached to data files (i.e. documents) rather than executable programs. Many people do not think that viruses can reside in simple document files, but any application that supports document-bound macros that automatically execute is a potential haven for macro viruses. By the end of the last century, documents had become more widely shared than diskettes, and document-based viruses were more prevalent than any other type of virus. It seems highly likely that this will be a continuing trend.

Stealth viruses: A stealth virus is one that, while active, hides the modifications it has made to files or boot records. It usually achieves this by monitoring the system functions used to read files or sectors from storage media and forging the results of calls to such functions. This means that programs that try to read infected files or sectors see the original, uninfected form instead of the actual, infected form, so the virus's modifications may go undetected by antivirus programs. However, in order to do this the virus must be resident in memory when the antivirus program is executed, and the antivirus program may be able to detect its presence there.

Polymorphic viruses: A polymorphic virus is one that produces varied but operational copies of itself. This strategy assumes that virus scanners will not be able to detect all instances of the virus. One method of evading scan-string driven virus detectors is self-encryption with a variable key. More sophisticated polymorphic viruses vary the sequences of instructions in their variants by interspersing the decryption instructions with "noise" instructions (e.g. a No Operation instruction, or an instruction to load a currently unused register with an arbitrary value), by interchanging mutually independent instructions, or even by using different instruction sequences with identical net effects (e.g. Subtract A from A, and Move 0 to A). A simple-minded, scan-string based virus scanner would not be able to reliably identify all variants of this sort of virus; in this case, a sophisticated scanning engine has to be constructed after thorough research into the particular virus.

Boot sector viruses: Boot sector viruses infect, or substitute their own code for, either the DOS boot sector or the Master Boot Record (MBR) of a PC. The MBR is a small program that runs every time the computer starts up. It controls the boot sequence and determines which partition the computer boots from. The MBR generally resides on the first sector of the hard disk. Since the MBR executes every time a computer is started, a boot sector virus is extremely dangerous. Once the boot code on the drive is infected, the virus will be loaded into memory on every startup. From memory, the boot virus can spread to every disk that the system reads. Boot sector viruses are typically difficult to remove, as most antivirus programs cannot clean the MBR while Windows is running. In most cases, it takes bootable antivirus disks to properly remove a boot sector virus.
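Because the MBR is a single 512-byte sector with a fixed layout, a defender can check it for tampering by hashing its boot code against a hash recorded while the disk was known good. The following Python is an added example written for this page, not code from the original; the disk image is constructed in the script (a dummy boot code plus one bootable partition), and the baseline hash is assumed to have been saved earlier.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # executable boot code occupies the first 446 bytes
PART_TABLE_OFF = 446         # then four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of a valid MBR


def parse_mbr(sector):
    """Split a raw 512-byte MBR into a boot code hash, partition table and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        # entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions,
            "signature_ok": sector[510:512] == MBR_SIGNATURE}


def check_mbr(sector, baseline_sha256):
    """Return findings for an MBR compared with a trusted baseline hash; empty means clean."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline: possible boot sector infection")
    if sum(p["bootable"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one active partition")
    return findings


def build_sample_mbr():
    """Constructed sample, not a real disk: dummy boot code plus one bootable NTFS (type 0x07) partition."""
    boot_code = bytes((i * 7) & 0xFF for i in range(BOOT_CODE_LEN))
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800) + b"\x00" * 48
    return boot_code + table + MBR_SIGNATURE


CLEAN_MBR = build_sample_mbr()
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]  # recorded while the disk is known good
# Simulated tampering: the first bytes of the boot code are overwritten (constructed, inert bytes).
TAMPERED_MBR = b"\xff\xff\xff" + CLEAN_MBR[3:]

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

On a live system the sector would be read from the raw disk device (or from bootable rescue media, as the text notes), since a resident stealth virus can forge what the normal file API returns.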
Introduction to Worms:

Definition: A worm is a computer program that has the ability to copy itself from machine to machine. Worms use up computer time and network bandwidth when they replicate, and often carry payloads that do considerable damage. A worm usually exploits some sort of security hole in a piece of software or the operating system. For example, the Slammer worm (which caused mayhem in January 2003) exploited a hole in Microsoft's SQL Server. Worms normally move around and infect other machines through computer networks. Using a network, a worm can expand from a single copy incredibly quickly.

Working of computer worms:

To understand how worms work, we will look at some real worms, how they attacked and how dangerous they can be. The Code Red worm replicated itself more than 250,000 times in approximately nine hours on July 19, 2001. The Code Red worm slowed down Internet traffic when it began to replicate itself, but not nearly as badly as predicted. Each copy of the worm scanned the Internet for Windows NT or Windows 2000 servers that did not have the Microsoft security patch installed. Each time it found an unsecured server, the worm copied itself to that server. The new copy then scanned for other servers to infect. Depending on the number of unsecured servers, a worm could conceivably create hundreds of thousands of copies. The Code Red worm had instructions to do three things:

- replicate itself for the first 20 days of each month;
- replace Web pages on infected servers with a page featuring the message "Hacked by Chinese";
- launch a concerted attack on the White House Web site in an attempt to overwhelm it.

Upon successful infection, Code Red would wait for the appointed hour and connect to the www.whitehouse.gov domain. This attack would consist of the infected systems simultaneously sending 100 connections to port 80 of www.whitehouse.gov (198.137.240.91). The U.S. government changed the IP address of www.whitehouse.gov to circumvent that particular threat from the worm and issued a general warning about the worm, advising users of Windows NT or Windows 2000 Web servers to make sure they installed the security patch.

A worm called Storm, which showed up in 2007, immediately started making a name for itself. Storm uses social engineering techniques to trick users into loading the worm on their computers. So far, it's working: experts believe between one million and 50 million computers have been infected. When the worm is launched, it opens a back door into the computer, adds the infected machine to a botnet and installs code that hides itself. The botnets are small peer-to-peer groups rather than a larger, more easily identified network. Experts think the people controlling Storm rent out their micro-botnets to deliver spam or adware, or for denial-of-service attacks.
Types of computer worms:

Email worms: Spreading goes via infected email messages. An email may carry the worm as an attachment or contain a link to an infected website. In the first case activation starts when the user clicks on the attachment, while in the second case activation starts when the user clicks the link in the email. Known methods of spreading are:

- MS Outlook services
- direct connection to SMTP servers using the worm's own SMTP API
- Windows MAPI functions

This type of worm is known to harvest the infected computer for email addresses from different sources:

- the Windows Address Book database (WAB)
- the MS Outlook address book
- files with appropriate extensions, which are scanned for email-like strings

Be aware that during spreading some worms construct new sender addresses from possible names combined with common domain names, so the sender address in the email need not be the originator of the email.

Instant messaging worms: These spread via instant messaging applications by sending links to infected websites to everyone on the local contact list. The only difference between these and email worms is the way chosen to send the links.

Internet worms: These are the nasty ones. They scan all available network resources using local operating system services and/or scan the Internet for vulnerable machines, then attempt to connect to those machines and gain full access to them. Another way is that the worm scans the Internet for machines still open for exploitation, i.e. not patched. Data packets or requests are sent which install the worm or a worm downloader. If this succeeds, the worm executes and there it goes again!

IRC worms: Chat channels are the main target, and the same infection/spreading method is used as above: sending infected files or links to infected websites. Sending infected files is less effective, as the recipient needs to confirm receipt, save the file and open it before infection will take place.

File-sharing network worms: The worm copies itself into a shared folder, most likely located on the local machine, under a harmless name. Now the worm is ready for download via the P2P network, and spreading of the infected file continues.
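Both behaviours described above, Code Red's scanning of port 80 on many hosts and the later flood of connections from many infected hosts to one web server, show up in connection logs as a "fan-out" from one source or a "fan-in" to one destination within a short time window. The following Python detector is an added example for this page, not code from the original; the log format and the sample traffic (private and documentation address ranges) are constructed here, and the thresholds are assumptions a defender would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def make_sample_log():
    """Constructed connection log, not real traffic: one host probing port 80 on 25 addresses
    (worm propagation scan), twelve hosts converging on one web server (flood), one benign client."""
    t0 = datetime(2001, 7, 19, 10, 0, 0)
    lines = []
    for i in range(25):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} src=10.0.0.5 dst=203.0.113.{i + 1} dport=80")
    for i in range(12):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} src=192.0.2.{i + 1} dst=198.51.100.9 dport=80")
    lines.append(f"{t0.isoformat()} src=10.0.0.7 dst=198.51.100.9 dport=80")
    lines.append(f"{(t0 + timedelta(seconds=5)).isoformat()} src=10.0.0.7 dst=198.51.100.10 dport=443")
    return "\n".join(lines)

def parse_log(text):
    """Parse 'timestamp src= dst= dport=' lines into (ts, src, dst, dport) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return sorted(events)

def distinct_in_window(hits, window_s):
    """Largest number of distinct peers seen in any window_s-second span of time-ordered hits."""
    best = 0
    for i, (start, _) in enumerate(hits):
        peers = {peer for t, peer in hits[i:] if t - start <= timedelta(seconds=window_s)}
        best = max(best, len(peers))
    return best

def detect(events, window_s=60, scan_threshold=20, flood_threshold=10):
    """Return (scanners, flooded): sources fanning out to many hosts on one port, and
    destination ports receiving connections from many sources, within the window."""
    by_src, by_dst = defaultdict(list), defaultdict(list)
    for ts, src, dst, dport in events:
        by_src[(src, dport)].append((ts, dst))
        by_dst[(dst, dport)].append((ts, src))
    scanners = {k: n for k, h in by_src.items() if (n := distinct_in_window(h, window_s)) >= scan_threshold}
    flooded = {k: n for k, h in by_dst.items() if (n := distinct_in_window(h, window_s)) >= flood_threshold}
    return scanners, flooded

if __name__ == "__main__":
    scanners, flooded = detect(parse_log(make_sample_log()))
    print("propagation scan suspects:", scanners)
    print("flooded services:", flooded)
```

A host flagged as a scanner is a candidate infected machine to isolate and patch; a flooded service is a candidate for rate limiting or, as the text notes was done for www.whitehouse.gov, re-addressing.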
Trojan Horse:

Definition: A Trojan horse is a computer program which carries out malicious operations without the user's knowledge. The name "Trojan horse" comes from a legend told in the Iliad (by the writer Homer) about the siege of the city of Troy by the Greeks. Legend has it that the Greeks, unable to penetrate the city's defences, got the idea to give up the siege and instead give the city a giant wooden horse as a gift offering. The Trojans (the people of the city of Troy) accepted this seemingly harmless gift and brought it within the city walls. However, the horse was filled with soldiers, who came out at nightfall, while the town slept, to open the city gates so that the rest of the army could enter. Thus, a Trojan horse (in the world of computing) is a hidden program which secretly runs commands, and usually opens up access to the computer running it by opening a backdoor. For this reason, it is sometimes called a Trojan, by analogy to the citizens of Troy. A Trojan horse may, for example:

- steal passwords;
- copy sensitive data;
- carry out any other harmful operations.
Working of Trojan horse:

Trojans work similarly to the client-server model. The attacker deploys the client to connect to the server, which runs on the remote machine once the remote user unknowingly executes the Trojan on that machine. The typical protocols used by most Trojans are TCP/IP and UDP. The Trojan will usually try to remain in stealth mode, hidden on the computer. When the Trojan is activated, the server starts listening on default or configured ports for incoming connections from the attacker. It is usual for Trojans to also modify the registry and/or use some other auto-starting method. When the remote machine is on a network with dynamically assigned IP addresses, or uses a dial-up connection to connect to the internet, Trojans can be configured to mail the victim's IP address to the attacker, or to message the attacker via an instant messaging application or Internet Relay Chat (IRC). DSL users, on the other hand, have static IPs, so the infected IP is always known to the attacker. Most Trojans use auto-starting methods so that the server is restarted every time the remote machine reboots or starts; the attacker is notified of this as well. Some of the well-known system files targeted by Trojans are the Autostart folder, Win.ini, System.ini, Wininit.ini, Winstart.bat, Autoexec.bat and Config.sys.

Modes of transmission: A Trojan can infect the target system through different modes of transmission. The common modes are as follows:

- Instant message
- IRC (Internet Relay Chat)
- Attachments
- Physical access
- Browser and e-mail software bugs
- NetBIOS (file sharing)

Instant message: People can also get infected while chatting, talking or video messaging over any instant messenger application. It is a risk the user undertakes when receiving files, no matter from whom or where they come.

IRC: In Internet Relay Chat, the threat comes from the exchange of files, no matter what they claim to be or where they come from. It is possible that some of these are infected or disguised files.

Attachments: Any attachment, even if it is from a known source, should be screened, as it is possible that the source was infected earlier and is not aware of it.

Physical access: Physical access to a target machine is perhaps the easiest way for an attacker to infect a machine.

Browser and e-mail software bugs: Having outdated applications can expose the system to malicious programs such as Trojans without any other action on behalf of the attacker.

NetBIOS (file sharing): If port 139 is open, the attacker can install trojan.exe and modify some system file so that it will run the next time the system is rebooted.
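Since the text says Trojans persist by editing the autostart files it lists (Win.ini, System.ini, Winstart.bat, Autoexec.bat), a defender can audit those files against their expected contents. The Python below is an added example for this page, not code from the original; it assumes the classic defaults (empty load= and run= in the [windows] section of Win.ini, shell=explorer.exe in the [boot] section of System.ini) and an assumed allow-list for batch files, and the sample file contents are constructed here.

```python
# Autostart locations named on this page, for Windows 9x/NT-era systems (assumption: the
# classic defaults are win.ini [windows] load= and run= empty, system.ini [boot] shell=explorer.exe).
EXPECTED = {
    ("win.ini", "windows", "load"): "",
    ("win.ini", "windows", "run"): "",
    ("system.ini", "boot", "shell"): "explorer.exe",
}
# Commands a clean Winstart.bat/Autoexec.bat is allowed to start with (assumed allow-list).
ALLOWED_BATCH_PREFIXES = ("@echo", "echo", "rem", "path", "set ", "prompt")


def parse_ini(text):
    """Minimal INI parser: {section: {key: value}}, section and key names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_autostart(files):
    """files maps a file name to its text. Returns findings: autostart keys that differ from the
    expected defaults and batch-file commands outside the allow-list."""
    findings = []
    for (fname, section, key), expected in EXPECTED.items():
        value = parse_ini(files.get(fname, "")).get(section, {}).get(key, "")
        if value.lower() != expected:
            findings.append(f"{fname} [{section}] {key}={value!r} (expected {expected!r})")
    for fname in ("winstart.bat", "autoexec.bat"):
        for line in files.get(fname, "").splitlines():
            cmd = line.strip()
            if cmd and not cmd.lower().startswith(ALLOWED_BATCH_PREFIXES):
                findings.append(f"{fname}: unexpected command {cmd!r}")
    return findings


# Constructed sample contents (not from a real machine); srv32.exe is a made-up file name.
SAMPLE_FILES = {
    "win.ini": "[windows]\nload=\nrun=C:\\WINDOWS\\srv32.exe\n[fonts]\n",
    "system.ini": "[boot]\nshell=explorer.exe\n",
    "winstart.bat": "",
    "autoexec.bat": "@ECHO OFF\nPATH C:\\WINDOWS;C:\\DOS\nSET TEMP=C:\\TEMP\n",
}

if __name__ == "__main__":
    for finding in audit_autostart(SAMPLE_FILES):
        print(finding)
```

The registry Run keys the text also mentions would be checked the same way, by comparing the values present against a recorded baseline.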
Types of Trojan horse:

Trojan horses are classified based on how they breach systems and the damage they cause. The seven main types of Trojan horses are:

- Remote access Trojans
- Data sending Trojans
- Destructive Trojans
- Proxy Trojans
- FTP Trojans
- Denial-of-service (DoS) attack Trojans
- Security software disabler Trojans

Remote access Trojans: The attacker gains full control over the systems that the Trojan infects, and gains full access to files, private conversations, accounting data and so on. The remote access Trojan acts as a server and listens on a port that is not supposed to be available to the internet. An attacker on the same network, located behind the firewall, can easily access the Trojan. Examples: Back Orifice and NetBus.

Data sending Trojans: Data sending Trojans provide hackers with passwords or other confidential data such as credit card numbers and audit sheets. These Trojans look for particular information in certain locations. Example: the Badtrans.B email virus.

Destructive Trojans: The sole purpose of destructive Trojans is to delete files on the target system. Destructive Trojans are activated on the basis of a fixed time and date, much like a logic bomb. Example targets: .dll, .ini or .exe files.

Proxy Trojans: Proxy Trojans convert the user's computer into a proxy server. This makes the computer accessible to the entire world or only to the specified attacker. The attacker has full control over the user's system and can also launch attacks on other systems from the affected user's network. Generally it is used for Telnet, ICQ or IRC, in order to purchase goods using stolen credit cards and for other illegal activities.

FTP Trojans: FTP Trojans are used for FTP transfers, allowing the attacker to connect to the victim's system via FTP.

Denial-of-service (DoS) attack Trojans: This type of Trojan empowers the attacker to start a distributed denial-of-service (DDoS) attack, if there are a fair number of victims on the network at that specific time. Example: WinTrinoo, CNN, E*Trade.

Security software disablers: These are designed to disturb the functions of anti-virus software or firewalls. After these programs are disabled, the hacker can easily attack the victim's system.

Hazards of Trojans: A botnet, also known as a zombie army, is a number of Internet computers that, although their owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet. Such a computer is referred to as a zombie: in effect, a computer "robot" or "bot" that serves the wishes of some master spam or virus originator. An increasing number of home users have high-speed connections for computers that may be inadequately protected. A zombie or bot is often created through an Internet port that has been left open and through which a small Trojan horse program can be left for future activation. At a certain time, the zombie army "controller" can unleash the effects of the army by sending a single command, possibly from an Internet Relay Chat (IRC) site.
THE MAIN DIFFERENCES BETWEEN VIRUS, WORM AND TROJAN HORSE

• Viruses cannot replicate themselves, but worms and Trojans can.
• A virus cannot spread without a human action such as running an infected file or program, but worms and Trojans have the capability to spread themselves automatically from computer to computer through network connections.
• Viruses do not consume system memory, but worms consume a great deal of system memory and network bandwidth because of their copying nature.
• Trojans are used by malicious users to access your computer's information, but viruses and worms can't do so; they simply infect your computer.