-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[:[ Computer Virii ]::::::[OO--[ by [JaSuN] ]--[ jasun@phreaker.net ]::
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

--oOo--> Computer Virii And Other Malicious Programs ]-----
--oOo--> --------------------------------------------------
--oOo--> Main Article Introduction ]---
--oOo--> Introduction To Virii ]---
--oOo--> What Can Be Affected ]---
--oOo--> Virus Threat ]---
--oOo--> Types Of Virii ]---
--oOo--> --* Boot Sector ]---
--oOo--> --* File Infecting ]---
--oOo--> --* Multi-Partite ]---
--oOo--> --* Polymorphic ]---
--oOo--> --* Stealth ]---
--oOo--> Worms ]---
--oOo--> Trojan Horses ]---
--oOo--> Logic Bombs ]---
--oOo--> Legal Issues ]---
--oOo--> Conclusion ]---
--oOo--> Disclaimer ]---
--OoO--> ============================================= ]---

Main Article Introduction:
==========================

In this article I will explain what different types of destructive computer programs exist and what problems they can sometimes cause. People often get confused by the different terms commonly used, so you should have a more accurate idea by the time you have finished reading this article.

Introduction To Virii:
======================

A virus is a computer program that executes when an infected program is run, therefore only executable files can be infected. That fact alone confuses many people; some assume that any file can be infected, which is not the case. On Windows based systems, executable files have the extensions .exe and .com, although other files can be run, such as .bat files, which can also be modified to run arbitrary commands or operations. A virus infects other programs with a copy of itself. Each one has the ability to clone itself so that it can multiply, constantly seeking new files to infect.
Some of the most harmless Virii do nothing but multiply, replicating and spreading onto new, uninfected computer systems. More dangerous Virii not only replicate themselves, they also damage or modify other programs. These Virii are more annoying, as they can cause data loss and are more time consuming to remove. When these Virii start causing damage to a system, they have activated their built-in payload. Some Virii have a very dangerous payload; others are just designed to be annoying, by displaying a message on screen or playing a funny sound.

Virus programs and other malicious programs are often very small, sometimes only a few kilobytes in size. This enables the virus to be easily hidden from anti-virus scanners. Virii can infect any computer; it does not make any difference if it is a laptop or a network server. Different Virii exist for different operating systems. There are Virii for all of them, although more exist for Windows than any other.

Once a virus has been written, it can be distributed very easily by the author; the main means of doing this today would be to use the Internet. Once on the Internet, it will be available to anybody, to either distribute to others with knowledge of what it is, or by accidental means. The Internet is not the only way for a new virus to replicate. It may be given to people on disk, who then use it on their computer, which is on a company network, for example. These factors make it harder to trace the virus back to the author, or to the person that actually released it into the public domain.

Once a virus is active on a host computer, it could spread onto large networks. One of the main protections against this is using good anti-virus software. If the virus is detected before its payload is released or before it is able to spread, then the results will be better than if the virus had discharged its payload. Virii enter computer systems from external sources, and Virii are made to be attractive.
An example would be a new application that is available for download from the Internet. People may download it and run the installation program, and then the new virus is out on their system. During the time the virus went undetected by conventional anti-virus software, it may have caused a lot of damage. For this reason, it is important to keep the pattern database that the anti-virus software uses up to date.

A virus can also be programmed to activate straight away, or it can be made to lie dormant for a certain period of time, until a certain date or action triggers it. There are also many other variations that can be made to activate a virus or its payload. The timer functions of a virus are provided by the Logic Bomb.

There are a lot of ways a virus can spread, although some methods are more common than others. For example, if you download a piece of software from the Internet, then take it into work on a disk without checking it for any infections, you may risk infecting the company network. Even if the downloaded software was in fact clean, it could still be infected once it is on your computer. Floppy disks were the main method of transporting Virii; today they are not used as much as before because, with the constantly expanding Internet, files can be sent quickly and easily by email.

What Can Be Affected:
=====================

There are a number of characteristics that need to be in place for a virus infection to take place. For example, the file must be:

****-> Executable
****-> Stored on a write-enabled disk
****-> Writable (have individual write properties)

Write protecting a disk can stop some infections, but at some point you will want to write to the disk, so you would need to remove the read-only property. At this point the files on the disk are open to being written to. In the case of a hard disk drive, it would not be an option to write protect it, as the operating system will need to write to it.
If you wanted to do this, setting the read-only property on executable files would be more appropriate. This is not the only protection; the most important step is the anti-virus software. If a virus were to attach itself to a file, then the file size would change, and most scanners would notice this; the checksum of the file will change as well, which is another thing to look out for. Some Virii will cause the checksum to report as being what it should be, so that test can be bypassed. Another difficult location to detect a virus would be on the first physical sector of a hard disk drive, known as the (FAT) File Allocation Table.

Virus Threat:
=============

Some people have never encountered a virus infection or seen any evidence of what an infection has done to anybody. Some people that use anti-virus scanning software have never had a warning about an infection either. So is this problem just over-speculated, or is the threat as big as the anti-virus scene makes it out to be? There are Virii out there; the threat is large if you don't take the correct precautions. The real problem is that once a virus is released into the computing world, it is still a problem as long as one copy exists. As Virii replicate, one copy of a virus can literally turn into thousands.

If the threat is so big, where are all the reports of virus attacks? There are a few that hit the news; most never make it into the headlines unless they cause a lot of damage or spread rapidly. Most companies don't like to report their encounters with Virii, as they don't want it to be broadcast publicly. There are opinions that anti-virus companies release Virii into the community to help sell their products. Some people will agree with this, but if you are into the virus scene, you will know that this for the most part is not true, as if you are in the scene you will know people that code and release Virii, either for educational purposes or to cause infections.
Either way, the virus programmers will continue to release Virii and the anti-virus community will continue to make a large amount of money from it. Usually, the virus programmers get a sense of power when they know that their new virus is out there, undetected by commercial software. In one respect, it is a fight by the virus programmers to beat the anti-virus companies by trying to release a virus that stays undetected for a long period of time.

Types Of Virii:
===============

There are a number of types of Virii that can infect computer systems. The more common types are:

****-> Boot Sector
****-> File Infecting
****-> Multi-Partite
****-> Polymorphic
****-> Stealth

Boot Sector Virii:
==================

Boot sector Virii infect the boot sector, which is also known as the master boot record. Firstly, the original boot sector would be overwritten or moved; if moved, it would be placed on another sector of the hard disk, which would then be marked as bad so it would not be used in the future. A boot sector virus can be difficult to detect, since they are usually programmed well. As the boot sector is the first thing read from a hard disk on booting the computer, it is usually more difficult to detect boot sector Virii. Out of all the virus infections that are reported, three out of every four are boot sector Virii. The only real way to become infected with a boot sector virus is to boot the computer with an infected floppy disk in the floppy drive. The boot sector is protected more now by using built-in protection in the BIOS, which will warn you if anything tries to modify the boot sector. As the boot sector is usually only modified when a new operating system is installed, if your BIOS warns you that the boot sector is about to be modified you should run a complete anti-virus scan and make sure you have the latest updates for your scanner.
File Infecting Virii:
=====================

These Virii only infect executable files, which have the extensions .exe and .com, and they are also usually memory resident. Some file infecting Virii are programmed to only infect *.com or *.exe, and others are designed to only infect files with certain letters in their names, for example. In comparison to boot sector Virii, they act in much the same way, by moving the original code to another part of the file and replacing it with their own infection code. The size of the infected file would increase after that process, which makes detection easier in some cases, as anti-virus software could alert you that the size of the file has changed even if it does not detect that it is infected with a known virus. Sometimes the virus would change the extension of the infected file to hide it from detection until a later date, as some anti-virus scanner software only checks files with the extensions .exe or .com. Most newer software is more advanced, and you can configure it to scan whichever file types you want.

Polymorphic Virii:
==================

Polymorphic Virii are probably the most advanced Virii of all. They can change their appearance with each infection, which makes it more difficult to detect them. Also, they usually have an encryption routine to help hide themselves; it also acts as an anti-debugging mechanism, to stop anti-virus companies finding out how it infects, and it also stops people from taking the code without permission from the author and using it in their own Virii. Not only do they have the ability to encrypt, they can also change the encryption algorithm with each infection, as well as the way they infect. As this makes detection more difficult, anti-virus software must be able to perform algorithmic scanning as well as string based scanning methods to successfully detect an infection from a polymorphic virus.
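The "What Can Be Affected" and "File Infecting Virii" sections above both point at the same cheap detection: an infected executable usually changes in size, and its checksum always changes when its contents change, even when the scanner has no signature for the virus. The script below is an added example, not code from the original article, showing that check as a small integrity baseline tool. It records size and SHA-256 for every executable under a directory, re-scans later, and reports files that were added, removed, grew or had their checksum change. The directory layout, file names and contents in `demo()` are constructed for the example; `scan_all=True` covers the article's point that some infectors rename files to an extension the scanner ignores.

```python
"""Added example: a file-integrity baseline checker of the kind the
article describes (size and checksum changes as a sign of infection).
Not from the original article; all names and sample data are constructed."""
import hashlib
import os
import tempfile

# Extensions the article names as executable on Windows, plus .bat.
EXECUTABLE_EXTS = {".exe", ".com", ".bat"}


def _sha256(path: str) -> str:
    """Hash a file in chunks so large executables do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str, scan_all: bool = False) -> dict:
    """Return {relative_path: (size, sha256)} for files under root.

    With scan_all=False only EXECUTABLE_EXTS are recorded; pass scan_all=True
    to checksum every file, since an infector may rename what it touches."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if not scan_all and ext not in EXECUTABLE_EXTS:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (os.path.getsize(full), _sha256(full))
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Classify differences between two baselines taken at different times."""
    report = {"added": [], "removed": [], "size_changed": [], "hash_changed": []}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["removed"].append(rel)
        else:
            old_size, old_hash = old[rel]
            new_size, new_hash = new[rel]
            if old_size != new_size:
                report["size_changed"].append(rel)
            if old_hash != new_hash:
                report["hash_changed"].append(rel)
    return report


def _write(root: str, rel: str, data: bytes, mode: str = "wb") -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, mode) as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then make the kinds of
    change the article describes and see which ones the check reports."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "tools/edit.com", b"sample program bytes\x00" * 8)
        _write(root, "tools/run.bat", b"@echo off\r\nrun.exe\r\n")
        _write(root, "tools/run.exe", b"\x00\x01\x02\x03" * 64)
        _write(root, "docs/readme.txt", b"documentation, not executable")
        before = build_baseline(root)

        # 1. Appending change to a .com: size and checksum both change.
        _write(root, "tools/edit.com", b"EXTRA BYTES", mode="ab")
        # 2. Same-size overwrite of an .exe: only the checksum changes, so a
        #    scanner that watches file size alone would miss it.
        _write(root, "tools/run.exe", b"\x03\x02\x01\x00" * 64)
        # 3. A new executable appears that was not in the baseline.
        _write(root, "tools/new.exe", b"newly dropped")
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

As the article notes, a memory-resident stealth virus can feed a scanner the original size and checksum, so a baseline like this is only trustworthy when both scans are taken from a clean boot (for example, booting from known-good media) and the stored baseline itself is kept somewhere the infected system cannot write to.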
Stealth Virii:
==============

These Virii attempt to hide from the operating system and any installed anti-virus scanning software without being noticed. To achieve this, the virus must stay resident in memory (TSR). By staying in memory, it can make changes to files and directories easily. As the virus is memory resident, there will be less memory available to the system, although this type of virus is usually small, so it would not take up much memory. Good anti-virus software will detect and remove resident Virii from memory, which needs to be completed before the disk based components of the virus can be removed.

Multi-Partite Virii:
====================

These types of Virii infect both the boot sector and executable files. They are also the most difficult to detect, as they can combine techniques from the other types of Virii. The damage caused by an infection from one of these types of Virii can be the most severe, sometimes causing a total loss of data on computer systems. Some of the more advanced Virii can also spread over a network, which, when combined with the other techniques used to avoid detection and removal, can cause a company network to grind to a halt. For this reason, it is always a good idea to keep important data backed up, as it is better to be safe than sorry.

Introduction To Worms:
======================

Apart from Virii, there are a number of other programs that are designed to be destructive to computer systems. Worms are also programmed to alter or destroy data, but their main difference from Virii is that they can be programmed to exploit holes in various operating systems in order to gain access to the system. In that sense, they do replicate to other hosts, but they do not spread in the same way as Virii do, by simply spreading onto floppy disks. The damage that worms can cause can be just as serious as a virus attack, especially if not discovered in time.
For example, a worm could be programmed to exploit mountd to gain access to a vulnerable host. Firstly, the worm would have to be released on a system; once on that system, it could scan an IP subnet and find hosts that are open to being exploited. Once into a system, it could then patch the hole that allowed it to gain access originally, then proceed to backdoor the system and run a scan on another IP class. It could also email a list of exploited hosts to an account that had been set up by the author, or by another individual that releases it. This process of replication could continue as long as there are hosts to exploit. Considering that a lot of systems are not patched against new exploits straight away, it would be quite a field day for a new worm that uses that new hole to gain access.

Introduction To Trojan Horses:
==============================

A Trojan Horse is a destructive program that has been concealed inside another, genuine piece of software. In addition to this, a worm or virus can be hidden inside a Trojan Horse. The main reason a Trojan Horse is not a virus is that they do not replicate like Virii. There is a long history behind the origin of the Trojan Horse. When Greek warriors built a large, attractive wooden horse, they were able to hide their warriors inside. They left it outside the gates of the city of Troy. When the Trojans saw it, they thought it was part of a peace offering and gladly opened the gates and took it into their city. Once inside, the Greek warriors jumped out and started fighting with the Trojans and destroying their city. Trojan Horse software works in the same way. The software package might look good and seem genuine, which gives the user the peace of mind they want, so they download and run the executable. The software package itself is legitimate, but the Trojan Horse is lurking inside and will be able to get out once the executable is run.
Once out, it could continue with what it was programmed to do; at this point it may act like some Virii and wait until a certain date or other activation method before proceeding to release its payload. Trojan Horses can also be programmed to self-destruct, leaving no trace of their existence apart from the damage that they have caused if not discovered in time. A Trojan Horse is particularly good for the once common banking crime known as Salami Slicing, in which small sums of money are transferred from a number of accounts into another account operated by an intruder. Due to increasing security, that and other schemes are harder to complete successfully as time goes on.

Introduction To Logic Bombs:
============================

A Logic Bomb is similar to a Trojan Horse. Each has the ability to damage or destroy data; the difference is that a Logic Bomb has a timing device, so that it can be programmed to go off at a particular date or time. For example, the Michelangelo virus is embedded inside a Logic Bomb. Logic Bombs can still be very destructive on their own, as they are usually developed in much the same manner as Virii are, even if they lack the ability to replicate as Virii can. Logic Bombs are timed to do maximum damage. One example of this would be an ex-employee that wants to cause some damage to the company network. They could install a Logic Bomb on the network computers and set it to activate months after they have left.

Legal Issues:
=============

There are a number of legal issues related to Virii and other malicious programs. To program a virus and put it up on your website for educational purposes in source/binary form should not be illegal. Of course, people will download it and then distribute it to people to cause damage to their systems; this would be illegal. Regardless of whether it is illegal or not, people will still continue to write and distribute Virii and other infecting programs that allow unauthorised access to computer systems.
Conclusion:
===========

I hope that you enjoyed reading this article and that you actually learned some new information from it. If you have any comments or suggestions about this article, please feel free to send me an email: jasun@phreaker.net

I hope this gave you a little insight into the world of the virus and other related programs. Look out for more articles from me in the future. I have made this information as accurate as possible to my knowledge, but don't complain if I made an error; most of this was written at times around 4am in the morning.

Disclaimer:
===========

This document is for educational *INTERNAL USE ONLY*. It is for educational purposes only; the information contained within it must not be used to cause damage to any person/system. What you do with this information is your business, but anything that arises from its misuse cannot be held against anybody apart from yourself.