Virus
A self-replicating program that attaches itself to an existing program
and infects a system without the permission or knowledge of the
user.
A computer virus is a type of computer program that, when
executed, replicates itself by modifying other computer
programs and inserting its own code. When this replication
succeeds, the affected areas are then said to be "infected" with
a computer virus.
Computer viruses cause billions of dollars' worth of economic
damage each year.
-Wiki
Virus writers use social engineering deceptions* and exploit
detailed knowledge of security vulnerabilities to initially infect
systems and to spread the virus. The vast majority of viruses
target systems running Microsoft Windows, employing a variety
of mechanisms to infect new hosts, and often using complex
anti-detection/stealth strategies to evade antivirus software.
*Deception: an act or statement which misleads or hides the truth.
What damage can a virus cause?
•System Failure
•Wasting Computer Resources
•Corrupting Data
•Stealing Personal Information
•Increasing Maintenance Cost
Phases / Life Cycle of a Computer Virus
Dormant → Propagation → Triggering → Execution
Dormant phase:
•The virus program is idle during this stage.
•The virus program has managed to access the target user's
computer or software.
•The virus will eventually be activated by the "trigger".
•Not all viruses have this stage.
Propagation phase:
•The virus starts propagating by multiplying and replicating itself.
•The virus places a copy of itself into other programs or into
certain system areas on the disk.
•The copy may not be identical to the propagating version.
•Viruses often "morph" or change to evade detection by anti-virus
software.
•Each infected program will now contain a clone of the virus,
which will itself enter a propagation phase.
Triggering phase:
A dormant virus moves into this phase when it is activated, and
will now perform the function for which it was intended.
The triggering phase can be caused by a variety of system events,
including a count of the number of times that this copy of the
virus has made copies of itself.
The trigger may occur when an employee is terminated from their
employment or after a set period of time has elapsed, in order to
reduce suspicion.
Execution phase:
This is the actual work of the virus, where the "payload" will be
released.
It can be destructive, such as:
•Deleting files on disk
•Crashing the system
•Corrupting files
•Popping up humorous or political messages on screen
Phases of Computer Virus (diagram)
Dormant phase → Propagation (replication, morph) → Trigger → Execution
Classification of Viruses: on the basis of infection targets
1. Resides in binary executables (such as .EXE or .COM files)
2. Resides in data files
   a. Microsoft Word documents
   b. PDF files
3. Resides in the boot sector of the host's hard drive
Classification of Viruses: on the basis of residence location
Resident Virus or Memory-Resident Virus
Installs itself as part of the operating system when executed,
after which it remains in RAM from the time the computer is
booted up to when it is shut down.
Resident viruses overwrite interrupt handling and other functions
of the OS. When the OS attempts to access the target file or disk
sector, the virus code intercepts the request and redirects
the control flow to the replication module, infecting the target.
Non-Resident Viruses
A non-memory-resident virus (or "non-resident virus"), when
executed, scans the disk for targets, infects them, and then exits
(i.e. it does not remain in memory after it is done executing).
Macro Viruses (Document Viruses)
A virus written in a macro language and embedded into a
document, so that when a user opens the file the virus code is
executed and can infect the user's computer.
This is one of the reasons that it is dangerous to open unexpected
or suspicious attachments in e-mails.
Boot Sector Viruses
Boot sector viruses specifically target the boot sector and/or
the Master Boot Record (MBR) of the host's hard disk
drive, solid-state drive, or removable storage media (flash
drives, floppy disks, etc.).
Boot sector viruses are most commonly transmitted via physical
media. When the computer reads the volume boot record (VBR) of
an infected floppy disk or USB flash drive connected to it, the
virus transfers itself and modifies or replaces the existing boot
code. The next time the user starts the computer, the virus
immediately loads and runs as part of the master boot record.
Email Virus
Viruses that intentionally use the email system to spread (as
opposed to virus-infected files that are merely sent by accident as
email attachments).
Email viruses are aware of email system functions. They harvest
email addresses from various sources, and may append copies of
themselves to all email sent, or may generate email messages
containing copies of themselves as attachments.
Stealth Techniques
To avoid detection by users, some viruses employ different kinds
of deception.
Some old viruses, especially on the DOS platform, make sure that
the "last modified" date of a host file stays the same when the file
is infected by the virus. This approach does not fool antivirus
software, however, especially software that maintains and dates
cyclic redundancy checks (CRCs) on file changes.
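The following is an added example, not part of the original slides: a small integrity checker that keeps a baseline of size, modification time and CRC-32 for each file, and then detects a same-size in-place change even after the file's timestamps have been restored (the file name host.exe and its contents are constructed for the demo).

```python
import os
import tempfile
import zlib

def crc32_of(path: str) -> int:
    """CRC-32 over the file contents (the 'cyclic redundancy check' the slide mentions)."""
    crc = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF

def baseline(paths):
    """Record size, modification time and CRC per file: the dated baseline a checker keeps."""
    return {p: {"size": os.path.getsize(p),
                "mtime": os.stat(p).st_mtime_ns,
                "crc": crc32_of(p)} for p in paths}

def check(base):
    """Compare current state against the baseline; map path -> list of attributes that differ.
    A checker relying on mtime alone is fooled by a restored timestamp; the CRC is not."""
    findings = {}
    for p, rec in base.items():
        st = os.stat(p)
        changed = [name for name, now, old in (
            ("mtime", st.st_mtime_ns, rec["mtime"]),
            ("size", st.st_size, rec["size"]),
            ("crc", crc32_of(p), rec["crc"])) if now != old]
        if changed:
            findings[p] = changed
    return findings

def demo():
    """Constructed scenario (not from the page): overwrite bytes inside a file in place,
    keeping its size, then put the original timestamps back, as the DOS-era trick did."""
    target = os.path.join(tempfile.mkdtemp(), "host.exe")
    with open(target, "wb") as f:
        f.write(b"MZ" + b"\x00" * 62 + b"original host program code")
    base = baseline([target])
    st = os.stat(target)
    with open(target, "r+b") as f:
        f.seek(64)
        f.write(b"modified")          # same length as "original": size unchanged
    os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # restore the timestamps
    return check(base)

if __name__ == "__main__":
    print(demo())
```

Only the CRC column flags the file; size and mtime both still match the baseline, which is why the slide says timestamp preservation does not fool a CRC-based checker.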
Stealth Techniques
Some viruses can infect files without increasing their sizes or
damaging the files. They accomplish this by overwriting unused
areas of executable files. These are called cavity viruses.
For example, the CIH virus, or Chernobyl Virus, infects Portable
Executable files. Because those files have many empty gaps, the
virus, which was 1 KB in length, did not add to the size of the file.
Some viruses try to avoid detection by killing the tasks associated
with antivirus software before it can detect them (for
example, Conficker). In the 2010s, as computers and operating
systems grew larger and more complex, old hiding techniques
needed to be updated or replaced. Defending a computer against
viruses may demand that a file system migrate towards detailed
and explicit permission for every kind of file access.
Encrypted viruses
•Encryption is used by viruses to evade signature detection.
•The virus uses a simple encryption key to encipher (encode) the
body of the virus.
•The virus consists of a small decrypting module and an encrypted
copy of the virus code.
•In this case, a virus scanner cannot directly detect the virus using
signatures, but it can still detect the decrypting module, which
makes indirect detection of the virus possible.
Methods of encryption:
1. Using a cryptographic key
2. Using arithmetic operations like addition or subtraction, bitwise
rotation, or arithmetic negation
3. Using logical operations like XOR or logical NOT
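An added example, not from the original slides, showing the scanner-side consequence of the structure just described: the same constructed body (BODY and STUB are stand-in byte strings, not real malware) looks different under each single-byte XOR key, so a body signature fails, while a signature on the invariant decryptor stub still matches, and trying all 256 keys recovers the body signature.

```python
from typing import Dict, List, Optional

# Constructed stand-ins (not real malware): a fixed virus "body" and a fixed decryptor stub.
BODY = b"BODY:copy-self-to-hosts;trigger=date"
STUB = b"STUB:load-key;xor-bytes;jump-to-body;"

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the simplest of the 'logical operation' methods on the slide."""
    return bytes(b ^ key for b in data)

def make_sample(key: int) -> bytes:
    """Layout the slide describes: small decrypting module, the key it uses, then the
    encrypted copy of the body. Every sample carries the same stub but a different body."""
    return STUB + bytes([key]) + xor_bytes(BODY, key)

def signature_hits(sample: bytes, signature: bytes) -> bool:
    """Plain byte-signature match, what a naive scanner does."""
    return signature in sample

def xray_scan(sample: bytes, body_signature: bytes, stub_len: int) -> Optional[int]:
    """Scanner-side counter: assume a single-byte XOR body after the stub and try all 256
    keys, returning the key under which the plaintext signature reappears (else None)."""
    region = sample[stub_len + 1:]           # skip the stub and the stored key byte
    for k in range(256):
        if body_signature in xor_bytes(region, k):
            return k
    return None

def demo() -> Dict[str, object]:
    body_sig, stub_sig = b"copy-self", b"xor-bytes"
    samples: List[bytes] = [make_sample(k) for k in (0x21, 0x5A, 0xC3)]
    return {
        # the same body looks different under each key, so a body signature never matches
        "body_sig_on_encrypted": [signature_hits(s, body_sig) for s in samples],
        # the decryptor stub is invariant, so a signature on it still matches every sample
        "stub_sig_hits": [signature_hits(s, stub_sig) for s in samples],
        # brute-forcing the key recovers the body and its signature (indirect detection)
        "recovered_keys": [xray_scan(s, body_sig, len(STUB)) for s in samples],
        "distinct_samples": len(set(samples)),
    }

if __name__ == "__main__":
    print(demo())
```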
Computer Worm
• A self-replicating computer program, similar to a computer virus
• Unlike a virus, it is self-contained and does not need to be part of
another program to propagate itself
• Often designed to exploit computers’ file transmission capabilities
Worm
• A program or algorithm that replicates itself over a computer
network or through e-mail and sometimes performs malicious actions
such as using up the computer and network resources and possibly
destroying data.
• Examples: Klez, Nimda, Code Red
Computer Worm
•In addition to replication, a worm may be designed to:
•delete files on a host system
•send documents via email
•carry other executables as a payload
Logic Bomb
• “Slag code”
• Programming code, inserted surreptitiously, designed to
execute (or "explode") under particular circumstances
Logic Bomb
•Does not replicate
•Essentially a delayed-action computer virus or Trojan horse
Backdoors
• A backdoor, which is also sometimes called a
trapdoor, is a hidden feature or command in a
program that allows a user to perform actions he
or she would not normally be allowed to do.
• When used in a normal way, this program
performs completely as expected and advertised.
• But if the hidden feature is activated, the program
does something unexpected, often in violation of
security policies, such as performing a privilege
escalation.
Malware 30
Trojan Horses
• A Trojan horse (or Trojan) is a malware program that
appears to perform some useful task, but which also
does something with negative consequences (e.g.,
launches a keylogger).
• Trojan horses can be installed as part of the payload of
other malware but are often installed by a user or
administrator, either deliberately or accidentally.
Spyware
(Diagram: spyware software payload → computer user → spyware data collection agent)
1. Spyware engine infects a user's computer.
2. Spyware process collects keystrokes, passwords, and screen captures.
3. Spyware process periodically sends collected data to the spyware data collection agent.