WHAT IS A VIRUS?
Computer viruses are called viruses because they share some of the traits of biological viruses. A computer virus passes from computer to computer the way a biological virus passes from person to person. A virus is a small piece of software that piggy-backs on real programs. Each time the host program runs, the virus runs too, and it gets the chance to reproduce (by attaching itself to other programs) or to wreak havoc.
Computer viruses are mysterious and grab our attention. Every time a new virus hits, it makes the news if it spreads quickly. On the one hand, viruses show how vulnerable we are without realising it: a properly engineered virus can have an enormous effect on the world-wide Internet. On the other hand, they show how sophisticated and interconnected human beings have become.
TYPES OF VIRUSES
When you listen to the news, you hear about many different forms of electronic infection. The most common are:
E-mail Viruses:
An e-mail virus travels inside e-mail messages, and usually replicates by automatically mailing itself to dozens of people in the victim's e-mail address book.
Worm:
A worm is a small piece of software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the new machine through that hole and then starts replicating from there as well. Worms are the infections most often in the news, because they spread without any user action.
Polymorphic Viruses:
These viruses cannot be detected by searching for a simple, single sequence of bytes in a possibly infected file, because they change their own code with every replication (typically by encrypting the virus body and generating a different decryption routine for each copy).
Companion Viruses:
These spread via a file that runs instead of the file the user intended to run, and then runs the original file. Under DOS, for example, a virus named PROGRAM.COM is executed in place of PROGRAM.EXE when the user types "program", because .COM takes precedence over .EXE in the command search order.
Armored Viruses:
These viruses are specifically written to make it difficult for an anti-virus researcher to find out how they work and what they do, for example by obstructing disassembly and debugging.
Stealth Viruses:
Some viruses are said to be "stealth" viruses. A stealth virus attempts to hide itself by keeping a copy of the parts of the disk it infected as they were before infection; when a program (such as an anti-virus scanner) reads those parts, the resident virus intercepts the read and returns the original, clean data.
Trojan Horse:
This is a very general term, referring to programs that appear desirable but actually contain something harmful. The harmful contents could be something simple; for example, you may download what looks like a free game, but when you run it, it erases every file in that directory. The Trojan's contents could also be a virus or worm, which then spreads the damage.
Boot Sector Viruses:
Boot sector viruses infect the boot sector of floppy disks or the master boot record of hard disks; "Stoned", for example, infected both. They are loaded into memory when the PC is booted from an infected disk, before the operating system starts, and from there infect other disks that are used.
Parasitic Viruses:
Some viruses attach themselves to other programs, like lampreys; these are known as parasitic viruses.
WHAT IS A TROJAN?
Before I start, I want to offer a definition of what a Trojan is, because these devices are often confused with other malicious code. A Trojan horse is:
- An unauthorized program contained within a legitimate program. This unauthorized program performs functions unknown to (and probably unwanted by) the user.
- A legitimate program that has been altered by the placement of unauthorized code within it; this code performs functions unknown to (and probably unwanted by) the user.
- Any program that appears to perform a desirable and necessary function but that performs functions unknown to (and probably unwanted by) the user.
Where Do Trojans Come From?
Trojans are created strictly by programmers. One does not get a Trojan through any means other than by accepting a Trojaned file that a programmer prepared. True, it might be possible for a thousand monkeys typing 24 hours a day to eventually create a Trojan, but the statistical probability of this is negligible. Somewhere on this planet, a programmer is creating a Trojan right now. That programmer knows exactly what he or she is doing, and his or her intentions are malefic.
The Trojan author has an agenda. That agenda could be almost anything, but in the context of Internet security, a Trojan will do one of two things:
- Perform some function that either reveals to the programmer vital and privileged information about a system or compromises that system.
- Conceal such a function inside an otherwise legitimate program, so that the information is revealed or the system compromised without the user noticing.
Some Trojans do both. Additionally, there is another class of Trojan that simply causes damage to the target. So Trojans may perform intelligence tasks or tasks that amount to sabotage. One example that satisfies the sabotage-tool criteria is the PC CYBORG Trojan horse.
Another example is the AOLGOLD Trojan horse. This was distributed primarily over the Usenet network and through e-mail. The program was purported to be an enhanced package for accessing America Online. The distribution consisted of a single archived file. Unzipping the archive revealed two files, one of which was a standard INSTALL.BAT file. Executing INSTALL.BAT resulted in 18 files being expanded onto the hard disk.
The Trojan program is started by running INSTALL.BAT, a simple batch file that renames the VIDEO.DRV file to VIRUS.BAT and then runs it. VIDEO.DRV is an amateurish DOS batch file that starts deleting the contents of several critical directories on the C: drive.
When the batch file completes, it prints a crude message on the screen and attempts to run a program named DOOMDAY.EXE. Bugs in the batch file prevent DOOMDAY.EXE from running. Other bugs cause the batch file to delete itself if it is run from any drive but C:. The programming style and the bugs in the batch file indicate that the Trojan writer had little programming experience.
Both of these were destructive Trojans and performed no sophisticated collection or penetration functions. Such Trojans are seen often, and they usually surface on the Usenet news network.
However, Trojans have also been planted by individuals who are involved in the legitimate development of a system. These are inside jobs, where someone at a development firm inserts the unauthorized code into an application or utility. These can be far more dangerous for a number of reasons:
- These Trojans are not destructive, so nothing draws attention to them; their discovery is usually delayed until they are revealed by accident.
- Because most servers that matter run UNIX, some highly trusted sites can be compromised: servers that provide hundreds or even thousands of users with access to the Internet and to other key networks within it. These are generally governmental or educational sites, which differ from sites maintained, for example, by a single company. Compromise of a company's site is a serious issue, to be sure, but it is relevant only to that company. In contrast, the compromise of a government or educational site can place thousands of computers at risk.
There are also instances where key UNIX utilities are compromised (and Trojaned) by programmers who have nothing to do with the development of the legitimate program. This has happened many times and, on more than one occasion, has involved security-related programs. For example, following the release of SATAN, a Trojan found its way into the SATAN 1.0 distribution for Linux. Reportedly, the file affected was a program called fping. A programmer obtained physical access to a machine housing the program. He modified the main() function of fping so that when users ran SATAN, a special entry would be placed in their /etc/passwd file. Through this user ID, the perpetrator hoped to compromise many hosts. Flatly stated, the programming was of poor quality. For example, the Trojan made no provision for systems that used shadowed passwords.
As you can see, a Trojan might crop up anywhere. Even a file originating from a reasonably trusted source could be Trojaned.
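The artifact the fping Trojan left behind, a planted entry in /etc/passwd, is something an administrator can check for directly. The following is an added example, not code from the original paper or from the SATAN project: it audits passwd- and shadow-style text for a UID 0 account other than root, a hash stored directly in /etc/passwd instead of the "x" placeholder, accounts with no shadow entry, and empty password fields. The file contents are constructed for the example; point parse_colon_file at the real /etc/passwd and /etc/shadow (the latter needs root) to use it on a live host.

```python
"""Audit /etc/passwd and /etc/shadow for a planted account of the kind the
SATAN/fping Trojan created.  Added example; sample file contents are constructed."""

# Constructed sample passwd: four normal accounts plus one planted entry.
# The planted line has UID 0 and a password hash stored directly in the
# passwd file instead of the "x" that defers to /etc/shadow.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
satan:$1$abcdefgh$ijklmnopqrstuvwxyz012:0:0::/:/bin/sh
"""

# Constructed sample shadow: no "satan" line, and bob has an empty hash.
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$saltsalt$hashhash:19000:0:99999:7:::
bob::19000:0:99999:7:::
"""


def parse_colon_file(text):
    """Return {name: [fields]} for a passwd- or shadow-style file."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def audit_passwd(passwd_text, shadow_text):
    """Return a sorted list of (user, finding) pairs.

    Checks:
      * any UID 0 account other than root
      * a hash (or nothing) in the passwd password field rather than "x"
      * accounts present in passwd but missing from shadow
      * an empty password field in shadow (login without a password)
    """
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for name, fields in passwd.items():
        if len(fields) != 7:
            findings.append((name, "malformed passwd entry"))
            continue
        uid = fields[2]
        if uid == "0" and name != "root":
            findings.append((name, "uid 0 account other than root"))
        if fields[1] == "":
            findings.append((name, "empty password field in passwd"))
        elif fields[1] != "x":
            findings.append((name, "password hash stored in passwd, bypasses shadow"))
        if name not in shadow:
            findings.append((name, "no matching shadow entry"))
        elif shadow[name][1] == "":
            findings.append((name, "empty password field in shadow"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_passwd(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: {finding}")
```

On the constructed input the planted "satan" account trips three checks at once (UID 0, hash in passwd, no shadow entry), which is why the original Trojan's failure to handle shadowed systems made it both useless and easy to spot.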
Where Might One Find a Trojan?
Technically, a Trojan could appear almost anywhere, on any operating system or platform. However, with the exception of the inside job mentioned previously, the spread of Trojans works very much like the spread of viruses. Software downloaded from the Internet, especially shareware or freeware, is always suspect. Similarly, materials downloaded from underground servers or Usenet newsgroups are candidates.
Sometimes, one need not travel down such dark and forbidden alleys to find a Trojan. Trojans have been found in major, network-wide distributions, as the SATAN example shows.
How Often Are Trojans Really Discovered?
Trojans are discovered often enough that they are a major security concern. What makes Trojans so insidious is that even after they are discovered, their influence is still felt. Trojans are similar to sniffers in that respect: no one can be sure exactly how deep into the system the compromise may have reached. There are several reasons for this, but I will limit this section to only one.
As you will soon read, the majority of Trojans are nested within compiled binaries. That is to say, the code that houses the Trojan is no longer in human-readable form but has been compiled, so it is in machine language. Machine code can be read by humans, but only with considerable effort and the right tools (a disassembler). The only portions of a binary that remain directly readable are its embedded strings, most often error messages, advisories, option flags, or other data printed to STDOUT at specified points within the program.
Because the binaries are compiled, they come to the user as point-and-shoot applications. In other words, the user takes the file or files as is, without intimate knowledge of their structure.
When authorities discover that such a binary houses a Trojan, security advisories are immediately issued. These tend to be preliminary and are later followed by more comprehensive advisories that may briefly discuss the agenda and method of operation of the Trojan code. Experienced system administrators may clearly understand the meaning of such advisories (or even clearly understand the purpose of the code, which is usually included with the comprehensive advisory). However, even then, assessment of damages can be difficult.
In some cases, the damage seems simple enough to assess. Take the fping Trojan above: the fix is pretty straightforward. Replace the binary with a clean version, remove the planted account, and have all users change their passwords. This being the whole of the Trojan's function, no further damage or compromise is expected.
But suppose the Trojan is more complex. Suppose, for example, that its purpose is to open a hole for the intruder, a hole through which he gains root access during the wee hours. Once an intruder has had root, nothing on the system can be trusted, so this type of case might call for reinstallation of the entire operating system.
Conversely, Trojans may be found in executable files that are not compiled. These might be shell scripts, or perhaps programs written in Perl, JavaScript, VBScript, and so forth. There have been few verified cases of this type of Trojan. The cracker who places a Trojan within a non-compiled executable is risking a great deal, because the source is in plain, human-readable text. The risk shrinks as the distribution grows more complex: the more files and the deeper the directory structure, the less likely it is that a human being, using normal methods of investigation, would uncover the Trojan.
Users who know little about their operating system are unlikely to venture deep into the directory structure of a given distribution looking for mysterious or suspicious code. The reverse is true if the user happens to be a programmer. However, the fact that a user is a programmer does not mean he or she will instantly recognize a Trojan. If the Trojan exists in a scripting language, the programmer must first be familiar with that language before he or she can identify objectionable code within it. If the language even slightly resembles one the programmer normally uses, he or she may be able to identify the problem; anyone who writes programs in a shell language or awk, for instance, would likely recognize questionable code in a Perl program.
What Level of Risk Do Trojans Represent?
Trojans represent a very high level of risk, mainly for reasons already stated:
- Trojans are difficult to detect.
- In most cases, Trojans are found in binaries, which remain largely in non-human-readable form.
- Trojans can affect many machines.
Trojans are a perfect example of the type of attack that is fatal to the system administrator who has only a fleeting knowledge of security. In such a climate, a Trojan can lead to total compromise of the system. The Trojan may be in place for weeks or even months before it is discovered. In that time, a cracker with root privileges could alter the entire system to suit his or her needs. Thus, even when the Trojan is discovered, new holes may exist of which the system administrator is completely unaware.
How Does One Detect a Trojan?
Detecting Trojans is less difficult than it initially seems, but it requires strong knowledge of your operating system. If your environment is such that sensitive data resides on your server, you will want to take advanced measures. Conversely, if no such information exists on your server, you might feel comfortable employing less stringent methods. The choice breaks down to need, time, and interest. The first two of these represent cost. Time always costs money, and that cost rises with the time elapsed since your operating system was installed, because in that time many applications that complicate the reconciliation process have probably been installed. Consider updates and upgrades: sometimes libraries (or DLL files) are altered or overwritten with newer versions. If you were not the person who performed the upgrade or update, and the program is sufficiently obscure, you might end up chasing a phantom Trojan.
Most forms of protection against Trojans are based on a technique sometimes referred to as object reconciliation. It is a fancy way of asking "Are things still just the way I left them?" Here is how it works. Objects are either files or directories. Reconciliation is the process of comparing those objects against themselves at some earlier date. For example, take a backup tape and compare the file ps as it existed in November 1995 to the ps that now resides on your drive. If the two differ, and no change has been made to the operating system, something is amiss. This technique is invariably applied to system files that are installed as part of the basic operating system.
Object reconciliation can be easily understood if you recognize that each time a file is altered in some way, that file's attributes change. For example, one way to detect a change in a file is by examining the date it was last modified. However, this date can be easily manipulated. How difficult is it? Change the system clock, apply the desired edits, and save the file; or simply restore the old timestamp afterwards (on UNIX, touch -r copies the timestamps of a reference file onto another). For this reason, time is the least reliable way to reconcile an object: an unchanged modification date tells you nothing.
Another way to check the integrity of a file is by examining its size. When editing plain text files, it is simple to start out with a size of, say, 1,024KB and end up with that same size: it takes cutting a bit here and adding a bit there. The situation changes somewhat when you want to alter a binary file. Binary files usually involve the inclusion of special function libraries and other modules without which the program will not work, so altering a binary while keeping its size is a more complicated process. Therefore, size is probably a slightly more reliable index than time. Briefly, before I continue, let me explain the process by which a file becomes Trojaned.
The most common scenario is that a known file is the object of the attack. It comes from the vendor. These files are written to your drive on the first install, and they have a date and time on them. They also are of a specified size. If the times, dates, or sizes of these files differ from their original values, this raises immediate suspicion.
Evil programmers know this. Their job, therefore, is to carefully examine the source code of the file for items that can be excluded. The unauthorized code is written into the source, and the file is recompiled. The cracker then examines the size of the file. Perhaps it is too large or too small. The process then begins again, until the attacker has compiled a file that is as close to the original size as possible (padding a binary out to an exact size is easy; only shrinking it takes real work). This can be a time-consuming process; if the binary is a fairly large one, it could take several days.
When the file has been altered, it is placed where others can obtain it. In the case of operating-system distributions, this is generally a central site for download. From there, the file finds its way into workstations across the void.
For reasons that must now seem obvious, the size of the file is also a poor index by which to measure its alteration. So, to recount: date, date of last access, time, and size are all indexes without real meaning. None of these alone is suitable for determining the integrity of a file. In each, there is some flaw, usually inherent to the platform, that makes the value easy to alter. Thus, generating a massive database of all files and these attributes alone has only very limited value.
There are other indexes, such as checksums, that one can check. In the checksum system, the data elements of a file are added together and run through an algorithm. The resulting number is a checksum, a type of signature for that file. On the SunOS platform, one can review the checksum of a particular file using the utility sum, which calculates the checksums of the files named on the command line. Note, however, that the simple checksums produced by sum (and CRCs in general) were designed to catch accidental corruption, not deliberate tampering: an attacker who knows the algorithm can adjust a few bytes of the Trojaned file so that its checksum matches the original. A cryptographic hash such as SHA-256 is designed so that this is computationally infeasible, and it is what a modern integrity checker (Tripwire is the classic example) records for each file.
Most system administrators suggest that if you rely on a checksum system, your checksum list should be kept on a separate server or even a separate medium, accessible only by root and other trusted users; otherwise an intruder with root can simply update the list to match the Trojaned files. In any event, plain checksums work nicely for checking the integrity of a file transferred, for example, from point A to point B, but that is the extent of it.
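Object reconciliation as described above, carried through in code: the following is an added example, not code from the original paper or from any integrity-checking product. It records size, modification time and a SHA-256 digest for every file under a directory, then reconciles the directory against that baseline. The demo builds a constructed directory tree, "Trojans" a stand-in for ps by changing one byte while keeping the file the same length and restoring its timestamps with os.utime (the same trick as touch -r), and shows that the size and time checks pass while the hash catches the change. Directory layout, file contents and the fake ps are all assumptions of the example.

```python
"""Object reconciliation with a cryptographic hash.

Added example, not code from the original page.  baseline() records
(size, mtime, SHA-256) per file; reconcile() reports what changed.
demo() constructs a directory, alters one file without changing its
size or mtime, and returns the reconciliation result.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Record size, mtime (ns) and SHA-256 for every regular file under root.

    Keys are paths relative to root so the baseline can be stored on
    separate, read-only media and applied to the same tree later.
    """
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root)
            records[rel] = (st.st_size, st.st_mtime_ns, sha256_of(full))
    return records


def reconcile(base, root):
    """Compare root against a baseline.

    Returns {rel_path: [changed attributes]} using the labels "size",
    "mtime", "hash", "missing" and "new".  A file whose size and mtime
    match but whose hash differs is exactly the Trojan the text describes.
    """
    current = baseline(root)
    findings = {}
    for rel, (size, mtime, digest) in base.items():
        if rel not in current:
            findings[rel] = ["missing"]
            continue
        csize, cmtime, cdigest = current[rel]
        changed = []
        if csize != size:
            changed.append("size")
        if cmtime != mtime:
            changed.append("mtime")
        if cdigest != digest:
            changed.append("hash")
        if changed:
            findings[rel] = changed
    for rel in current:
        if rel not in base:
            findings[rel] = ["new"]
    return findings


def demo():
    """Constructed scenario: alter bin/ps while preserving size and mtime."""
    root = tempfile.mkdtemp(prefix="reconcile-")
    os.makedirs(os.path.join(root, "bin"))
    ps = os.path.join(root, "bin", "ps")
    with open(ps, "wb") as f:
        f.write(b"#!/bin/sh\nexec /usr/bin/ps \"$@\"\n")   # stand-in for a binary
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
    base = baseline(root)

    # The "attacker": same length, one byte different, timestamps restored.
    st = os.stat(ps)
    with open(ps, "r+b") as f:
        f.seek(len(b"#!/bin/sh\nexec /usr/bin/"))
        f.write(b"pS")                      # overwrites "ps" in place: size unchanged
    os.utime(ps, ns=(st.st_atime_ns, st.st_mtime_ns))   # equivalent of touch -r
    return reconcile(base, root)


if __name__ == "__main__":
    for path, changes in demo().items():
        print(f"{path}: {', '.join(changes)}")
```

The baseline is only as trustworthy as its storage: run baseline() from known-good media and keep the result off the host, as the text advises, or an intruder with root simply regenerates it after planting the Trojan.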
Some Practical Tips to Avoid Getting Infected:
- Never download blindly from people or sites you aren't 100% sure about. In other words, as the old saying goes, don't accept candy from strangers. If you do a lot of file downloading, it is often just a matter of time before you fall victim to a Trojan.
- Even if the file comes from a friend, you still must be sure what the file is before opening it, because many Trojans will automatically try to spread themselves to the friends in an e-mail address book or on an IRC channel. There is seldom reason for a friend to send you a file you didn't ask for. When in doubt, ask them first, and scan the attachment with a fully updated anti-virus program.
- Beware of hidden file extensions! Windows by default hides the last extension of a known file type, so an innocuous-looking "susie.jpg" might really be "susie.jpg.exe", an executable Trojan. To reduce the chances of being tricked, unhide those extensions (in Explorer's folder options, clear "Hide extensions for known file types").
- NEVER use features in your programs that automatically fetch or preview files. Those features may seem convenient, but they let anybody send you anything, which is extremely reckless.
- Never blindly type commands that others tell you to type, go to web addresses mentioned by strangers, or run pre-fabricated programs or scripts. If you do so, you are potentially trusting a stranger with control over your computer, which can lead to Trojan infection or other serious harm.
- Don't be lulled into a false sense of security just because you run anti-virus programs. Anti-virus programs should not be your front line of security; they serve as a backup in case something sneaks onto your computer.
- Finally, don't download an executable program just to "check it out": if it's a Trojan, the first time you run it, you're already infected!
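The hidden-extension trick in the tips above can be checked mechanically, for instance on attachment names passing through a mail gateway. The following is an added example, not code from the original paper. It goes a little beyond the "susie.jpg.exe" case: it computes the extension Windows would actually execute (Windows strips trailing spaces and dots from a file name, so "report.pdf      .scr" runs as a .scr), computes the name Explorer would display with extensions hidden, and flags a file as disguised when the two disagree. The lists of executable and benign-looking extensions and the sample names are assumptions constructed for the example.

```python
"""Spot attachment names that exploit Windows's hidden-extension default.

Added example, not code from the original page.  The extension lists and
the sample names are assumptions constructed for the example.
"""

# Extensions Windows runs directly (assumed list; extend as needed).
EXECUTABLE_EXTS = {
    "exe", "com", "bat", "cmd", "scr", "pif", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "msi", "ps1", "lnk",
}

# Extensions a user would happily double-click (assumed list).
BENIGN_LOOKING_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "mp3", "zip"}


def effective_extension(name):
    """Extension Windows actually uses when the file is opened.

    Trailing spaces and dots are dropped from file names, so
    "photo.jpg   .exe" and "photo.jpg.exe..." are both .exe files.
    """
    stripped = name.rstrip(" .")
    if "." not in stripped:
        return ""
    return stripped.rsplit(".", 1)[1].strip().lower()


def displayed_name(name):
    """What Explorer shows with "Hide extensions for known file types" on:
    the final extension is removed and everything before it is kept."""
    stripped = name.rstrip(" .")
    if "." not in stripped:
        return stripped
    return stripped.rsplit(".", 1)[0]


def is_disguised(name):
    """True when the file is executable but the name the user sees ends in
    a harmless-looking extension, e.g. "susie.jpg" for susie.jpg.exe."""
    real = effective_extension(name)
    if real not in EXECUTABLE_EXTS:
        return False
    shown = displayed_name(name).rstrip(" .")
    shown_ext = shown.rsplit(".", 1)[1].lower() if "." in shown else ""
    return shown_ext in BENIGN_LOOKING_EXTS


def triage(names):
    """Return {name: (effective_extension, disguised?)} for a batch of names."""
    return {n: (effective_extension(n), is_disguised(n)) for n in names}


# Constructed sample attachment names.
SAMPLE_NAMES = [
    "susie.jpg",              # a real picture
    "susie.jpg.exe",          # the text's example
    "report.pdf      .scr",   # padding pushes .scr out of view
    "invoice.doc.js",         # script engine, not Word
    "setup.exe",              # honest executable: not disguised
    "notes.txt",
]

if __name__ == "__main__":
    for name, (ext, bad) in triage(SAMPLE_NAMES).items():
        print(f"{name!r:28} -> .{ext or '?'} {'DISGUISED' if bad else ''}")
```

A plain "setup.exe" is deliberately not flagged: the point of the check is the mismatch between what the user sees and what will run, not the presence of an executable as such.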
CONCLUSION
The computer virus problem is not going to disappear soon. It is going to be with us in the years to come, and it is going to become even worse. People who have their own PC should take care of all of this and protect their PC, and their valuable data, from these malicious programs. Carefully handle the files that you download from the Internet, and follow the methods and suggestions given in this paper.