how windows handle various viruses


7/29/2019 how windows handle various viruses

Topic: How Windows operating system handles viruses? Write down various viruses that can cause serious damage to the computer system.

Submitted By: SANJEEV KUMAR (REG. 11008322, ROLL: RK2R13A36)

Submitted To: RAMANPREET KAUR LAMBA

CSE 316: How Windows operating system handles viruses? Write down various viruses that can cause serious damage to the computer system.

By Sanjeev 11008322

Acknowledgement

It is a great pleasure for me to acknowledge the assistance and contributions of many individuals in making this dissertation a success.

First and foremost, I would like to thank my supervisor, MRS. RAMANPREET KAUR LAMBA, for her assistance, ideas, and feedback during the process of doing this dissertation. Without her guidance and support, this dissertation could not have been completed on time. Secondly, it is a pleasure to express my thanks to all my friends, especially

1. MR. S.K CHAKRAVARTI
2. MR. ABHAY KUMAR
3. MR. SHUBHAM PATEL
4. MR. RAHUL TEHALANI and
5. AJAY KUMAR

for sparing their time to participate in this project. I deeply appreciate their helpfulness and willingness in providing useful information for this project. Lastly, I wish to express my sincere gratitude to my family for their encouragement and moral support.


INDEX

CONTENTS

1. Overview
2. Introduction
3.


Abstract

A virus is potentially a destructive program code that attaches itself to a host (either a file or a program) and then copies itself and spreads to other hosts. It may contain a damage routine or payload, which activates when triggered. So computer viruses are codes written by some people to cause serious damage to computers, including private, business and government computers. Computer viruses are similar to biological ones in their ability to replicate themselves, infecting a large number of victims and having a lifecycle. The term computer virus was formally defined by Fred Cohen in 1983, while he performed academic experiments on a Digital Equipment Corporation VAX system.

Windows operating systems in general, though it provides greater coverage of the operating systems built on the Windows NT kernel, including Windows XP Professional and Windows Server. It begins by presenting the development of the Windows operating system and the design goals. The role of the Memory Manager, especially the Virtual Memory Manager, is discussed. The use of the Device, Processor, and Network Managers in recent versions of Windows is reviewed. The chapter then explains the role of the file system in file management and the challenges for Windows system security today. The chapter concludes by explaining how the current Windows user interface functions. Throughout this chapter, many acronyms are introduced to describe this networked operating system. Windows operating systems are descended from a series of graphical interfaces designed to work with or on top of Microsoft's MS-DOS operating system.

The computer virus threat is growing and home users are threatened by it, especially with the increasing dependence on computers to accomplish the vast variety of tasks in our modern lives. The popularity of the Internet aggravates the threat and gives virus writers the ideal environment to distribute their viruses, since computer viruses can spread across the world in a few hours, causing disruption to hundreds of thousands of computers around the globe. An abbreviated idea of the nature, history and development of computer viruses, the damage caused by some well-known viruses and the different types of computer viruses is explained; virus writers' types, motivations, their point of view towards ethical and legal issues, and the effect of legal penalties on their practice are also explained. The threat of computer viruses towards home users is proved, and some solutions to eliminate the threat of computer viruses are highlighted. Home users can protect their systems based on their understanding of the foregoing.

Introduction

A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the user. However, the term "virus" is commonly used, albeit erroneously, to refer to many different types of malware programs. The original virus may modify the copies, or the copies may modify themselves, as occurs in a metamorphic virus. A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or the Internet, or by carrying it on a removable medium such as a floppy disk, CD, or USB drive. Additionally, viruses can spread to other computers by infecting files on a network file system or a file system that is accessed by another computer. Viruses are sometimes confused with computer worms and Trojan horses. A worm can spread itself to other computers without needing to be transferred as part of a host, and a Trojan horse is a file that appears harmless until executed. Most personal computers are now connected to the Internet and to local area networks, facilitating the spread of malicious code. Today's viruses may also take advantage of network services such as the World Wide Web, e-mail, and file sharing systems to spread, blurring the line between viruses and worms. Furthermore, some sources use an alternative terminology in which a virus is any form of self-replicating malware. Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply replicate themselves and perhaps make their presence known by presenting text, video, or audio messages. Even these benign viruses can create problems for the computer user. They typically take up computer memory used by legitimate programs. As a result, they often cause erratic behavior and can result in system crashes. In addition, many viruses are bug-ridden, and these bugs may lead to system crashes and data loss.

We increasingly depend on computers to achieve most of the tasks of civilized life, from simple word-processing to controlling and monitoring the most sensitive organizations such as nuclear reactors and performing surgical operations. Therefore the reliability and functionality of computers is of high concern, since any failure in computer functionality could lead to loss of human lives or costly financial losses. There are many threats to computer functionality and reliability, and computer viruses are the most common one. The threat of computer viruses is addressed to all computer operators in homes, business, and government; how home users can eliminate the threat of computer viruses and protect their systems is of concern here. The relation between increasing awareness and understanding of the nature of computer viruses, and home users' ability to protect their systems, will be tested. In order to accomplish the foregoing, this paper is structured as follows: firstly, the definition of computer viruses, their nature, their history and development, and their different types are discussed. Secondly, the threat of computer viruses to home users is proved. Thirdly, computer virus writers' nature, motivations and their perspective on legal and ethical issues are highlighted. Fourthly, ways to eliminate the threat of computer viruses are discussed. Finally the research conclusions are illustrated.

Computer viruses are small software programs that are designed to spread from one computer to another and to interfere with computer operation. A virus might corrupt or delete data on your computer, use your e-mail program to spread itself to other computers, or even erase everything on your hard disk [9]. Viruses are most easily spread by attachments in e-mail messages or instant messaging messages. That is why it is essential that you never open an email attachment unless you know who it is from and you are expecting it. Viruses can be disguised as attachments of funny images, greeting cards, or audio and video files. Viruses also spread through downloads on the Internet. They can be hidden in illicit software or other files or programs you might download.


Computer Viruses History and Development

Most computer users who have had hard times because of computer viruses would hardly believe it all started in 1982 as a joke by a teenager to tease his schoolmates. Richard Skrenta was in the 7th grade when he got his first computer, an Apple II, for Christmas. He started to make use of this tool by doing something different and unexpected: "I had been playing jokes on schoolmates by altering copies of pirated games to self-destruct after a number of plays. I'd give out a new game, they'd get hooked, but then the game would stop working with a snickering comment from me on the screen (9th grade humor at work here)." When they noticed what was going on they prevented him from being near their disks. So, he had to think of a way to pass his booby trap to their disks without putting his hands on them physically: "I hit on the idea to leave a residue in the operating system of the school's Apple II. The next user who came by, if they didn't do a clean reboot with their own disk, could then be touched by the code I left behind. I realized that self-propagating programs could be written, but rather than blowing up quickly, to the extent that it laid low it could spread beyond the first person to others as well. I coded up Elk Cloner and gave it a good start in life by infecting everyone's disks I could get my hands on."

Basit Farooq Alvi and Amjad Farooq Alvi, on the other hand, seemed to have a totally different motive to write their virus. Software piracy was the software developer's nightmare, so they started to think of a way to protect their effort from being lost (Paquette, 2000, p.2). Basit and Amjad used to run a computer store in Lahore, Pakistan. They decided to create a virus in order to inhibit American software piracy and protect their business, and they called it the (C) Brain virus. In October 1987 the (C) Brain virus appeared at the University of Delaware; one month later the Lehigh or COMMAND.COM virus was found at Lehigh University in Pennsylvania; finally, in December, the Hebrew University in Jerusalem was attacked by the Friday the 13th virus (Highland, 1997, p.416). In 1989 the 1260 virus was found in the wild as a result of variable encryption techniques; also in the same year stealth viruses (which have the ability to avoid detection by employing various techniques), such as Zero Bug, Dark Avenger, and Frodo, were found in the wild for the first time (Dwan, 2000, p.13).

So it started to get more serious, and virus writers accepted the undeclared challenge and started to improve their malicious codes to avoid detection. In 1990 the virus writers released a virus called Whale, which was a self-modifying virus, and in 1991 the GPI virus was found; the mission of this virus was to steal Novell NetWare passwords. In the same year Michelangelo was discovered in New Zealand (Dwan, 2000, p.13). It seems that this war would never end. In 1995 a new technique was found to cope with the communication revolution and Internet popularity: "The first reported macro virus, Concept, was seen in the wild by AV researcher Sarah Gordon in summertime of 1995. A set of five macros designed only to replicate, Concept's payload displays the virus author's ominous message: 'That's enough to prove my point'" (Paquette, 2000, p.3).

A month later the Chernobyl strain CIH hit around 540,000 computers in Turkey and South Korea; the purpose of its payload was to reformat the hard drive and zap a key chip on the computer motherboard (Dwan, 2000, p.14). The increasing dependency on company networks or the Internet to exchange documents using e-mail on a daily basis gave the macro virus a suitable spreading environment and made it the best example of a virus accompanying the requirements of each age. In the year 2000 a new millennium had just started and it seemed that the virus writers' quiver was still full of surprises. It was an irresistibly attractive message containing a love letter, the Love Bug. All the user had to do in order to infect his system and automatically send copies of the virus to everyone in his e-mail address book was to open the attachment (Ruppe, 2000, p.1). The I LOVE YOU virus caused havoc and damage to private, business, and government computers throughout the globe, from Asia, Australia and Europe to North America (Ruppe, 2000, p.1). The Asian Dow Jones computers crashed and the Asian Wall Street Journal was struck; around 30% of British and 80% of Swedish companies' e-mail systems were affected; finally, in the U.S., at least 350,000 files were found hit (Ruppe, 2000, p.2-3). In 2001 the Pentagon and the White House were forced to halt public access to their Web sites for a limited period, and 250,000 systems were infected in nine hours due to the Code Red worm, which was able to infiltrate hundreds of thousands of computers shortly after its first identification on July 19th (Stenger, 2001, p.1). Virus writers were determined to prove their capability to threaten the world by releasing new viruses. In 2002 the top of the virus chart was the Klez virus, which was able to produce more than five million copies (advisor.com, 2002, p.1). Nevertheless we can say that the malware (short form of malicious software) era was started by releasing viruses in the wild, regardless of the virus writers' motivations or intentions to write these viruses. When software developers started to notice the need for developing programs to protect computers from viruses, the malware war started between the virus writers and the antivirus companies.


Virus Structure

Computer viruses have at least two parts (search and copy routines) or more, depending on how sophisticated they are; the additional parts give each virus its unique characteristics (Ludwig, 2002, p.23-24):

Search routine: this routine's responsibility is to find a suitable target for infection.

Copy routine: to be able to infect the target found by the search routine, the virus must copy itself to the target, and this is the copy routine's responsibility.

Anti-detection routine: this could be part of the search or copy routines or it could be a stand-alone routine; its mission is to avoid detection either by the user or by anti-virus programs.

Payload routine: this routine varies depending on its purpose; it could be a joke, be destructive, or perform a useful task.


Virus Lifecycle

A computer virus and a biological one have a similar lifecycle, which consists of the following stages (Cronkhite and McCullough, 2001, p.19-20):

Birth: bringing the computer virus to life; the virus writer (the person who wrote the virus) designs the virus and then creates it using a programming language.

Release: in this stage the virus writer sends it out into the wild (cyberspace, the virtual computer world).

Proliferation: the virus's target in this stage is to replicate and infect as many victims as possible without drawing any attention.

Trigger: in this stage the virus becomes alive when the trigger is reached. The virus writer usually determines the trigger; it could be a specific date, a certain task, or anything else depending on the writer's choice.

Activation: in this stage the virus has the ability to run its destructive routine. The effect of this could vary from erasing the hard disk contents to limited damage.

Detection: this could happen at any stage of the virus lifecycle; detecting the virus in the early stages makes it easier to remove it without causing any damage. Unfortunately, real-life viruses are usually discovered after they have caused havoc and damage.

Elimination: the ability to eliminate the effect of a virus varies from one type to another, and also depends on the available tools. The solution could be simple and inexpensive (e.g., deleting the virus) or complicated and expensive (e.g., reformatting and restoring the hard disk or buying a new one).

Modification: in this stage the virus lifecycle may be repeated with an improved version; this could be done by the original virus writer or someone else.

Types Of Computer Viruses

Every year computer technology developers surprise the world with their new inventions, therefore virus writers need to create new generations of viruses to cope with the latest computing techniques. As a result of this competition, each year hundreds of new viruses are found in the wild.

File-infecting virus: this virus's technique is to attach itself to executable files, which are the files ending with .exe, .com, .dll, and .drv; these are the main program files and drivers. If any of them is infected, the virus code will be executed first when the program runs, loading itself into memory and deceiving the user by allowing the program to execute normally. When the user runs any other application, the virus replicates itself in order to be attached to that application. The virus should remain undetected until the trigger is reached, and this depends on the virus writer's choices.

Boot sector virus: this virus loads itself into the boot sector of a floppy disk or the master boot record of a hard disk in order to be loaded into memory before the operating system is loaded. As soon as the virus becomes resident it will be able to infect each disk inserted into that computer.

Macro viruses: macro language technology was invented by software companies in order to automate repetitive tasks. This virus depends on the macro language in order to infect data files, attaching itself to the global template and spreading when the data files are opened. So as we can see, virus writers took advantage of a new invention and developed suitable viruses for each age. These types of viruses are categorized as dangerous ones, because they are easy to write, spread easily, and are hard to eradicate. The macro virus's effect could be an annoying message, adding password protection to files, saving files as templates instead of saving them as documents, or moving and replacing text randomly.

Script virus: this type of virus is written using scripting languages; they spread and infect files by taking advantage of vulnerabilities in Microsoft Windows operating systems, and opening e-mails or accessing Web pages which include tainted scripts will activate the virus. This type of virus has the ability to change its signature each time the virus is reproduced in order to remain undetected by antivirus software.

Polymorphic virus: this virus has the ability to change each time it replicates, using different encryption routines through its additional unique mutation engine. As a result of this invented combination the virus is very difficult to detect. One Half is an example of this virus; it has a destructive effect, its target being to encrypt the hard disk and make it unreadable. Another example is Satan Bug (Natas), which specialized in attacking antivirus software. Virus writers are so keen to cope with technology development that each time antivirus software and software developers come up with a new technology to prevent computer virus infection, virus writers find their way to surprise the world with a new threat by releasing the suitable virus for each age.


Handling viruses by the Windows system: Firewall

A firewall is a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, in software, or in a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. There are several types of firewall techniques:

Packet filters: looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.

Application gateway: applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose performance degradation.

Circuit-level gateway: applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.

Proxy server: intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.

In practice, many firewalls use two or more of these techniques in concert. A firewall is considered a first line of defense in protecting private information. For greater security, data can be encrypted.
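The packet filter described above, written out as an added example (not code from the original report or from any firewall product): an ordered rule list with first-match semantics and an explicit default deny, plus an ingress anti-spoofing rule that addresses the IP-spoofing weakness the text notes. All addresses, interface names and rules are constructed and hypothetical.

```python
"""Added example (not from the original report): a minimal stateless packet
filter of the kind described above, with an ingress anti-spoofing rule.

Everything here is constructed for illustration: the rule set, the packet
records and the address ranges are hypothetical, not taken from any real
firewall product."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

INTERNAL_NET = ip_network("192.168.10.0/24")   # hypothetical intranet range


@dataclass(frozen=True)
class Packet:
    iface: str        # "ext" (Internet side) or "int" (intranet side)
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                       # "accept" or "drop"
    iface: Optional[str] = None       # None matches any interface
    src_net: Optional[str] = None     # CIDR the source address must fall in
    dst_net: Optional[str] = None     # CIDR the destination address must fall in
    proto: Optional[str] = None
    dport: Optional[int] = None
    note: str = ""

    def matches(self, pkt: Packet) -> bool:
        """Every field that is set must match; unset fields are wildcards."""
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.src_net is not None and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if self.dst_net is not None and ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


# Rules are evaluated top to bottom; the first match wins and the last rule
# is an explicit default deny so anything not listed is dropped.
RULES: List[Rule] = [
    # Anti-spoofing: a packet arriving from the Internet must never claim an
    # internal source address. This is the check that blunts the IP-spoofing
    # weakness of plain packet filtering noted in the text.
    Rule("drop", iface="ext", src_net=str(INTERNAL_NET), note="spoofed internal source"),
    # Inbound mail to the intranet mail host only (hypothetical host address).
    Rule("accept", iface="ext", dst_net="192.168.10.25/32", proto="tcp", dport=25, note="SMTP to mail host"),
    # Intranet hosts may browse the web.
    Rule("accept", iface="int", src_net=str(INTERNAL_NET), proto="tcp", dport=443, note="outbound HTTPS"),
    Rule("drop", note="default deny"),
]


def filter_packet(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """Return 'accept' or 'drop' for pkt under the first matching rule."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"   # unreachable with a default-deny rule, kept as a safety net


def explain(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """Return the note of the rule that decided pkt (useful for audit logs)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.note
    return "no rule matched"


# Constructed sample traffic.
SAMPLE = [
    Packet("ext", "203.0.113.7", "192.168.10.25", "tcp", 25),    # legitimate inbound mail
    Packet("ext", "192.168.10.5", "192.168.10.25", "tcp", 25),   # spoofed: internal address from outside
    Packet("int", "192.168.10.5", "198.51.100.9", "tcp", 443),   # intranet browsing out
    Packet("ext", "203.0.113.7", "192.168.10.25", "tcp", 23),    # Telnet from the Internet: not allowed
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.iface:>3} {p.src:>14} -> {p.dst:<14} {p.proto}/{p.dport}: "
              f"{filter_packet(p)} ({explain(p)})")
```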

World top 10 viruses and their hazards:

1. I LOVE YOU:

2. The Swiss Amiga Virus

The story of the so-called "Swiss" Amiga viruses is fairly interesting for a number of reasons. The first reason is the name. It is called Swiss because someone at first thought it was launched from Switzerland, but the last time I heard of people searching for the source, they thought it was from Germany or Canada. Nothing is quite as exciting as closing right in on a perpetrator.

To understand how this particular virus works, you have to understand how Amigas work. Not the technical aspects, but rather how people share information when they use Amigas. Amigas have very strong user groups. For example, it's not unusual for an Amiga user group to have hundreds of people, with meetings twice a week. So they have several hundred people meeting twice a week, exchanging disks with each other, giving talks, and doing all sorts of computer related social activities. Sharing is very prevalent under these circumstances. This virus enters one of the system files on an Amiga, and eventually destroys the information on the disk in a similar way to the PC based viruses we have discussed. When I first heard about this virus, I called up the person at Commodore (the manufacturer of the Amiga) in charge of defending against it; the chief systems programmer. He said "I have it under control, it's no big deal", and he wrote a program that looked for the first byte of the virus in that particular file. If the first byte of that virus was present, it said "this is an infected program, restore from backups to repair the problem" or some such thing. So, he sent this defense out, and about a week later there was a new version of the virus that started with a different first byte. So I called the guy up and said "Wouldn't you like to do something better?" He said "No, no, we have it under control . . . ", and then he sent out a program that looked for either of those two first bytes. The third round involved a copy of the virus that evolved through any of ten different first bytes, so I called him again and he said "No, no, I've got it under control . . . " This time he wrote a program that checked to see whether the first byte was not the legitimate byte of the Amiga program. About a week later, there was a version of the virus that had the same first byte as the legitimate Amiga program, but a different second byte. That was the last time I bothered calling this guy up. I figure that by now, they're up to about the tenth or eleventh byte, and still battling it out.
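The Amiga story above is an argument against matching on a single known byte. The following added example (not part of the report or of the Commodore program it describes) puts that first-byte check beside a known-good hash comparison over constructed stand-in files: the hash check flags every variant, while the byte check only catches the variant it was written for.

```python
"""Added example (not part of the original report or of Commodore's tool):
contrasts the first-byte signature check described in the Amiga story with a
known-good integrity check, using constructed byte strings as stand-ins for
the legitimate system file and infected variants of it."""
import hashlib
from typing import Dict, Set

# Constructed stand-ins. The "clean" file is the legitimate program; each
# variant models one round of the story, where the virus changes its leading
# bytes so that the previous signature no longer fires.
CLEAN_FILE = b"\x4e\x75AMIGA-SYSTEM-FILE-v1"               # legitimate first byte 0x4e
VARIANT_1 = b"\xff\x75AMIGA-SYSTEM-FILE-v1" + b"VIRUS"     # first byte 0xff
VARIANT_2 = b"\xee\x75AMIGA-SYSTEM-FILE-v1" + b"VIRUS"     # new first byte, old signature misses
VARIANT_3 = b"\x4e\x00AMIGA-SYSTEM-FILE-v1" + b"VIRUS"     # legitimate first byte, second byte changed


def first_byte_signature_check(data: bytes, bad_first_bytes: Set[int]) -> bool:
    """The Commodore-style check from the story: flag the file only if its first
    byte is on the list of known virus first bytes. True means 'flagged'."""
    return len(data) > 0 and data[0] in bad_first_bytes


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a SHA-256 digest of every known-good file (the baseline an
    administrator would capture from clean installation media)."""
    return {name: hashlib.sha256(content).hexdigest() for name, content in files.items()}


def integrity_check(name: str, data: bytes, manifest: Dict[str, str]) -> bool:
    """Flag the file if its digest differs from the recorded known-good digest.
    Any change anywhere in the file, first byte or tenth, is caught."""
    expected = manifest.get(name)
    if expected is None:
        return True   # unknown file: treat as suspicious rather than trusted
    return hashlib.sha256(data).hexdigest() != expected


def compare_checks() -> Dict[str, Dict[str, bool]]:
    """Run both checks over every variant; True means 'flagged as infected'."""
    manifest = build_manifest({"sysfile": CLEAN_FILE})
    known_bad_first_bytes = {0xff}        # what the defender knew after round one
    results = {}
    for label, blob in [("clean", CLEAN_FILE), ("variant1", VARIANT_1),
                        ("variant2", VARIANT_2), ("variant3", VARIANT_3)]:
        results[label] = {
            "signature": first_byte_signature_check(blob, known_bad_first_bytes),
            "integrity": integrity_check("sysfile", blob, manifest),
        }
    return results


if __name__ == "__main__":
    for label, outcome in compare_checks().items():
        print(f"{label:>9}: first-byte signature flagged={outcome['signature']!s:<5} "
              f"integrity check flagged={outcome['integrity']}")
```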

The Mainframe Christmas Card Virus

In 1987, we also had the Christmas card virus that spread throughout mainframes of the world by way of computer mail. It was created by a student in Germany as a Christmas card. In order to understand how this virus worked, you have to understand that part of the corporate culture in IBM was for people to send each other Christmas cards via computer mail. As a result, when someone you knew sent you a Christmas card you would normally read it without hesitation. So this person in Germany created a


punishment, MacMag was kicked off of CompuServ "forever", which I guess is as big a punishment as they can come up with. CompuServ and most of the rest of the community thought the attack was all over, until . . . About two months later (so the story goes), a man was visiting his friend who was a contract programmer. He showed his friend a copy of a game called "Frogger". The programmer tried Frogger once, and said "This is really a dumb game, in fact, this is the dumbest game I've ever seen. I'm never going to run this game again". However, once was enough. This particular programmer, it just so happens, wrote training software for several companies, including such industry leaders as Lotus, Ashton-Tate, and Aldus. Over the next couple of weeks, he distributed copies of his newest training software to one or more of these companies, and the virus that came in Frogger spread. Aldus subsequently released about 5,000 copies of their newest program "Freehand" which were infected. This was the first (but not the last) time that a virus was released in a legitimate, shrink wrapped, commercial software distribution.

The Scores Virus

The so-called "Scores" virus operates on Apple Macintosh computers, and was apparently written by a disgruntled ex-employee of Electronic Data Systems, a Texas firm that does computer security work world-wide. The reason we believe this is that it directs its attacks against programs written by particular programmers from EDS, and through an anonymous source, I heard some further details that were convincing.

The Scores virus does absolutely nothing for about four days after its initial infection. For the next four days, it infects, but does no other damage. The 4 day time period may be because of a procedural defense at EDS, which a 4 day wait bypasses, but nobody is certain of this except the attacker. From then on, whenever you run an infected program, it operates as follows: for the first 15 minutes of operation it does nothing. For the next 15 minutes, it prevents saving anything. Finally (mercifully), the system crashes. So if you are running an editor written by one of these authors at EDS, for the first 15 minutes everything works great. After that, when you try to save the file, it says (in effect) "Sorry, I can't save that". The user typically responds with something like "What do you mean you can't save it? Save it!", and for the next several minutes, a frantic effort to save the file is made, until finally the system crashes, and the changes are lost. Needless to say, it is a very disconcerting experience for the user when it happens the first time, but things get worse. It takes about 2 hours to completely get rid of the Scores virus from a Macintosh with a hard disk (from the details I have heard), but as I have mentioned, there is another side effect. Over the four day period of reproduction without damage, the virus tends to get into floppy disks and backups, spread over networks, etc. As a result, many organizations have the Scores virus for a long time. One administrator from a government agency described curing this virus from all of the computers in one network once a week for a year.

    The Internet Virus

    The "Internet Virus", commonly called the "Internet Worm" (it turns out that worms are a special case of viruses), was launched in 1988 in the Internet. The Internet is a network that, at that time, interconnected about 100,000 to 200,000 computers around the world, is used by Universities and other research organizations, and provides connectivity to many other networks. I can't remember the names of half the networks it is connected to, but among the connected networks in 1988 were the ARPA-net (Advanced Research Projects Agency) and the DOD-net (US Department of Defense).

    In the Internet attack, a graduate student at Cornell University designed and launched a computer virus that replicated and moved from machine to machine in the Internet. It entered about 60,000 to 70,000 computers, but was designed to only replicate in 6,000 of them. In a matter of a few hours, it spread throughout the network causing widespread denial of services. According to the author, it was not intended to deny services, but due to an error in programming it replicated too quickly.

    This virus was designed specifically to work in a particular version of a particular operating system and, even though it would be very simple to make it work on other versions, special code was in place to prevent its undue spread. It replicated by `fork'ing processes and tried to move from system to system by exploiting a (de)bug in the computer mail protocol. It turned out that if you had debugging turned on in the mail protocol on your machine, then if somebody wanted to, they could issue commands as if they were the `Superuser' on your computer. It also turns out that most of the systems in the Internet had this switch turned on at compile time, and in many cases, they could not turn it back off because they didn't have the source code to the mail program for recompilation, and the designers didn't provide any mechanism for overriding the debugging mode.

    This particular virus also crossed the boundaries between the ARPA-net and the DOD-net, which were supposedly secured against all such intrusions. In the next few days, several viruses apparently crossed this boundary, and the link was then severed.

    The AIDS Disk

    In late 1989, a well funded group purchased a mailing list from a PC magazine, and distributed between 20,000 and 30,000 copies of an infected disk to the people on this list. The disk was a very poor virus, but it caused a great deal of damage because there were so many copies mailed, and the recipients used the disk widely despite procedural policies in place prohibiting such use. The disk was advertised as a program to evaluate a person's risk of getting AIDS based on their behavior. Included in the distribution was a description of the fact that this was a limited use distribution, and that it would cause damage to the system if it was used without paying royalties.

    The disk infected the host system by adding a line to the "AUTOEXEC.BAT" system startup file which, although it appeared to be a comment, was actually a peculiar program name. After running this program a number of times, the virus would encrypt directory information so that file names became unusable. If you continued to use the system it would eventually try to convince you to put in a floppy disk to make a copy for a friend. The alleged perpetrator was eventually caught by tracing the mailing list purchase process back to the buyer. The last I heard, the person they caught was in the middle of extradition hearings to England, where the virus caused enough damage to warrant prosecution.

    The Datacrime Virus

    The "Datacrime" virus was the most widely announced and least widely spread well known virus in recent memory. It was rumored to exist as early as 6 months before it was to cause damage, and was eventually the subject of the first NIST National Computer Virus Alert in the United States. This virus only caused minor damage in a few instances in Europe, and never took hold in the United States. Perhaps coincidentally, IBM introduced its antivirus program to the world on exactly the same day as NIST announced its first national computer virus alert. Not a single incident was reported or detected in the US as far as I can tell, but IBM sure sold a lot of virus detection software.

    2.3.13 Early Evolutionary Viruses

    In late 1989, the first seriously evolutionary virus to appear in the real world began spreading in Europe. Earlier viruses had evolved in minor ways, simple self-encryption had been used before, and experimental viruses with no association between evolutions had been demonstrated, but this virus was the first one to be released into the world with many of these properties. This virus replicates by inserting a pseudo-random number of extra bytes into a decryption algorithm that in turn decrypts the remainder of the virus stored in memory. The net effect is that there is no common sequence of more than a few bytes between two successive infections. This has two major implications. The first problem is that it makes false positives high for pattern matching defenses looking for the static pattern of this virus, and the second problem is that special purpose detection mechanisms were simply not designed to handle this sort of attack.

    Since the first evolving real-world virus appeared, authors have improved their evolution techniques substantially. One author even created a set of evolutionary subroutines called the `Mutating Engine' (often referred to as MtE) which can be integrated with other viruses to form a highly evolutionary form. After over a full year of analysis and response, the best virus scanning programs still hadn't achieved a detection rate over 95% on a sample of several thousand mutations created by Vesselin Bontchev (a well known Bulgarian defender against malicious viruses) to test their quality. This brings up an important point about virus detection rates that I will defer to our discussion on epidemiology.
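    As an added illustration of the pattern-matching problem described above (example code written for this page, not taken from the paper or from any scanner product; the fragments, filler, gap size and samples are constructed toy values, not real virus bytes): a fixed scan string copied from one infection misses the other infections of the same pattern, matching the invariant fragments with bounded gaps between them catches all of them, and widening the gaps is exactly what raises the false-positive rate the text warns about.

```python
import re
from typing import Sequence

FRAGMENTS = [b"LOAD", b"COUNT", b"XOR", b"LOOP"]   # constructed invariant pieces of a "decryptor"
MAX_GAP = 6                                        # filler bytes tolerated between pieces

SAMPLES = [                      # three constructed "infections": same pieces, different filler
    b"LOAD..COUNT.XOR...LOOP",
    b"LOADnopnopCOUNT--XORLOOP",
    b"LOAD.COUNTnop.XOR--LOOP",
]
BENIGN = b"LOAD the COUNT of XOR results before the LOOP ends"   # constructed clean data

FIXED_SIGNATURE = SAMPLES[0]     # what a static-pattern scanner would extract from sample 0

def fixed_match(buf: bytes) -> bool:
    """Static scan string: the exact byte sequence taken from one infection."""
    return FIXED_SIGNATURE in buf

def gapped_pattern(frags: Sequence[bytes] = FRAGMENTS, max_gap: int = MAX_GAP):
    """Fragments in order, each pair separated by 0..max_gap arbitrary bytes."""
    gap = b".{0,%d}?" % max_gap
    return re.compile(gap.join(re.escape(f) for f in frags), re.DOTALL)

def gapped_match(buf: bytes, max_gap: int = MAX_GAP) -> bool:
    return gapped_pattern(FRAGMENTS, max_gap).search(buf) is not None

def longest_common_run(a: bytes, b: bytes) -> int:
    """Length of the longest contiguous byte sequence shared by a and b (classic DP)."""
    best, prev = 0, [0] * (len(b) + 1)
    for x in a:
        cur = [0] * (len(b) + 1)
        for j, y in enumerate(b, 1):
            if x == y:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best

def fixed_hits() -> int:
    return sum(fixed_match(s) for s in SAMPLES)

def gapped_hits() -> int:
    return sum(gapped_match(s) for s in SAMPLES)

def shared_run_between_infections() -> int:
    """Upper bound on the longest byte run common to every sample: all a static signature could use."""
    return min(longest_common_run(SAMPLES[i], SAMPLES[j])
               for i in range(len(SAMPLES)) for j in range(i + 1, len(SAMPLES)))
```

    With the constructed samples the fixed signature hits one of three, the gapped pattern hits all three, the longest shared run is only 5 bytes, and the clean buffer matches only once the gap is widened to 30.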

    Simulation (Stealth) Viruses

    The simulation virus that appeared in late 1989 represented a major step toward attacks meant to bypass virus defenses. In essence, this virus simulates all of the DOS system calls that would lead to its detection, causing them to return the information that would be attained if the attack were not present. It is presently spreading widely throughout the world, and because it does no obvious damage, it is generally going undetected. Since that first simulation virus, researchers have decided to use the term `stealth' to indicate viruses that use sophisticated hiding techniques to avoid detection. The term stealth is derived from the US `stealth' aircraft that were so successful at avoiding radar detection in the Gulf War in the early 1990s.

    Hiding techniques have their biological analogy, the most commonly known example being the chameleon which changes its color to match the background. Many insects blend into their background and thus avoid predators, and a common feature of invasive micro-organisms is the presence of chemical sequences identical to those of their hosts, which enable them to pass as if they were native cells instead of invaders.

    Now there is a very important difference between biological stealth techniques and the techniques of modern malicious viruses that I think I should mention before you get any misimpressions. There is a tendency to anthropomorphize hiding techniques as if to indicate that a conscious effort is made by an organism to hide by creating matching chemical sequences. In biological systems, except for higher forms of animals, there is apparently no evidence that there is intent behind the hiding techniques. Rather, random variations caused some color differences or chemical sequences, and it just happened that those creatures didn't die as often as others because of their stealthy characteristics, and so they survived to reproduce.

    The stealth techniques we see in modern computer viruses are quite different in that they are intentionally designed to hide by exploiting weaknesses in the operating environment. For that reason, all current stealth viruses are designed to attack PC and Macintosh operating systems, which are inherently vulnerable. Against the stronger defense techniques now available, current stealth attacks fail completely when operating system protection such as that provided in Unix, MVS, and VMS is in use. There are ways of hiding in most modern timesharing systems with these protections in place, but none of the real-world viruses we have seen have done this yet. For example, an infected program could start a background process to perform infection so as to reduce the time effects associated with infection, and give the memory resident process a name similar to the name of other common memory resident programs so that it would not be easily differentiated when looking at operating processes.

    The Bulgarian Viruses

    In early 1990, a research institute in Bulgaria released a set of 24 viruses to the rest of the world research community. They had not previously been known outside of Bulgaria. Astonishingly, none of these had been detected in Western Europe until these samples were provided. With the fall of the Iron Curtain, the flow of people and information between the former Soviet Bloc countries and the rest of the world dramatically increased. Along with this openness came the open exchange of viruses, and a whole new set of problems were created for defenders on both sides of the former partition.

    Some Trends

    Although many of these viruses have not spread widely, the number of widespread viruses is on the increase, and the incidence level is increasing quickly. For example, in a recent visit to Taiwan, I was surprised to learn that of 50 companies represented at a seminar, on the average they experienced about 10 viruses per year! This is particularly important in light of the fact that most of the world's PCs are manufactured in Taiwan (the figure 80% appears in their official government documents), and several incidents of widespread dissemination of viruses from manufacturers have been reported. Another interesting trend is that only about 10% of the known viruses are responsible for 90% of the incidents. According to several minor studies, this has been true for several years, and according to a recent larger scale study done by IBM of Fortune 500 companies, only 15% of the known viruses were detected in the real world. They also report that 33% of incidents are caused by the two most prevalent viruses (`Stoned' and `Form'), and the 10 most prevalent viruses are responsible for 66% of incidents. These numbers represent very substantial growth, but don't reflect the recent advances in attack technology. Several virus generating programs are currently available, both from semi-legitimate software houses, and from other less identifiable sources. Some of these virus generators are capable of generating millions of different viruses automatically. Some even allow the user to select different infection techniques, triggering mechanisms, and damage using a menu. Even simple evolution is available in some of these generators. A far more interesting program has been developed to perform automated evolution of existing programs so as to create numerous equivalent but different programs. This program exploits knowledge of program structure, equivalence of large classes of instructions, and sequential independence of unrelated instructions to replace the sequence of instructions comprising a program with a behaviorally equivalent instruction sequence that is substantially different in appearance and operation from the original. In one of the appendices, several examples of evolutionary and hiding techniques are shown, and a good case is made to show that detection by looking for viruses is quite difficult and time consuming if these techniques are applied.

    2.3.18 Cruncher

    The `Cruncher' virus is a real-world version of the compression virus described earlier, but with an interesting twist. For the decompression process, it uses a very common decompression program, and the virus is added to the file being infected before compression. The net effect is that when we look at the file, it looks like a legitimate compressed executable program. If we try to scan for the virus, we are in great difficulty because the compression algorithm is adaptive in that it generates codings for subsequent bits based on occurrence rates earlier in the file. Since this particular virus is placed at the end of the file, we can't detect it until we decompress the entire file! No finite number of `scan' strings exist for detecting the virus because the virus is compressed with the adaptive compression algorithm. This virus first appeared in January of 1993, and as of this writing is not detected by any virus scanners. It is not likely to be reliably detected by them soon, unless they dramatically increase run times.
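    To make the adaptive-compression argument concrete, here is an added example (written for this page, not code from the paper or from any real compressor or scanner): a small LZW coder stands in for the adaptive compressor, a constructed marker tail (arbitrary bytes, not any real virus) is appended to three unrelated host files, and we check whether a scan string taken from the tail's own compressed form still matches the compressed images, versus scanning after decompressing the whole file.

```python
from typing import List

def lzw_compress(data: bytes) -> List[int]:
    """Adaptive LZW: each new phrase extends the dictionary, so the code a phrase
    gets depends on everything seen earlier in the file."""
    table = {bytes([i]): i for i in range(256)}
    w, out = b"", []
    for b in data:
        wb = w + bytes([b])
        if wb in table:
            w = wb
        else:
            out.append(table[w])
            table[wb] = len(table)
            w = bytes([b])
    if w:
        out.append(table[w])
    return out

def lzw_decompress(codes: List[int]) -> bytes:
    """Inverse of lzw_compress, rebuilding the same dictionary as it goes."""
    if not codes:
        return b""
    table = {i: bytes([i]) for i in range(256)}
    w = table[codes[0]]
    out = bytearray(w)
    for code in codes[1:]:
        if code in table:
            entry = table[code]
        elif code == len(table):          # the KwKwK special case
            entry = w + w[:1]
        else:
            raise ValueError("corrupt LZW stream")
        out += entry
        table[len(table)] = w + entry[:1]
        w = entry
    return bytes(out)

def to_image(codes: List[int]) -> bytes:
    """Serialise codes as 16-bit big-endian so byte-oriented scan strings apply."""
    return b"".join(c.to_bytes(2, "big") for c in codes)

def from_image(image: bytes) -> List[int]:
    return [int.from_bytes(image[i:i + 2], "big") for i in range(0, len(image), 2)]

# Constructed inputs: a repetitive marker tail (stand-in for the appended virus)
# and three unrelated host files it is appended to before compression.
TAIL = b"XYZ" * 6
HOSTS = [b"hello world hello world hello", b"abcabcabcabcabcabc", bytes(range(64))]
IMAGES = [to_image(lzw_compress(h + TAIL)) for h in HOSTS]
SCAN_STRING = to_image(lzw_compress(TAIL))   # the tail as it compresses on its own

def scan_string_hits() -> int:
    """Naive scanner: look for the tail's own compressed form inside each image."""
    return sum(SCAN_STRING in img for img in IMAGES)

def decompress_then_scan_hits() -> int:
    """What the text says is required: decompress the whole file, then scan."""
    return sum(TAIL in lzw_decompress(from_image(img)) for img in IMAGES)
```

    The tail's dictionary codes are numbered after whatever the host already put in the table, so the same 18 tail bytes compress to different code sequences in every image: the scan string hits none of the three, while decompress-then-scan hits all three.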

    Conclusions

    The number of computer viruses found in the world is increasing each year. Every time software and antivirus software developers invent new technology to prevent virus infection, computer virus writers thrill the world with their ability to get around the new technology and develop the right virus for each age. Macro viruses were the ideal proof of their intention to accept the challenge and cope with the new technology developments. Script viruses were another proof: they have the ability to encrypt themselves each time they reproduce so as to have a different signature, in order to deceive the antivirus and remain undetected. The antivirus developers' reaction to this challenge was to develop their programs to detect the pattern in the decryption routine of the virus; the virus writers' reaction was to create polymorphic viruses. So the malware war will go on between the software and antivirus software developers and the virus writers.


    Computer virus writers are not a homogeneous group; their motivations could be the need to express their dissatisfaction with their social level, to draw attention, to become famous and well known, to achieve revenge, or to prove their technical ability. It seems that the virus writers' desire to accomplish their goal conceals the ethical and legal issues from their view. Another reason could be their dissatisfaction with their society, since the ethical and legal codes belong to it, and they want revenge for everything in their society including the ethical and legal codes. The legal penalties are not deterring virus writers, but seem to encourage the writers to accept the challenge of writing and releasing a virus to cause the maximum destruction and get away with it, or to cause serious damage and become famous. By comparing the increasing number of home users with the increasing number of computer viruses each year, we can easily realize the growing threat of computer viruses towards home users. Increasing awareness of computer viruses and basic IT security principles will help home users to eliminate the threat of computer viruses.

    Being largely misunderstood, viruses easily generate myths. Some people think it's funny to generate hoaxes. By careful checking you can usually spot them. Silly tricks and poor policies are no substitute for individual protection methods. Any product that advertises itself as a "quick and easy cure" for "all viruses past, present, and future" is more likely than not exercising its advertising imagination. Keep in mind that not everything that goes wrong with a computer is caused by a computer virus or worm. Both hardware and software failure are still leading causes of computer problems.
