Understanding Computer Viruses

Questions and Answers

What is the general purpose of malware?

• To enhance user experience
• To improve computer performance
• To provide additional features to software
• To infiltrate or damage a computer system without consent (correct)

Which of the following is a type of malware?

• Spyware (correct)
• Firewall
• Operating System
• Antivirus

What does a computer virus primarily do?

• Enhances network speed
• Updates software automatically
• Cleans computer hardware
• Self-replicates (correct)

What is a common way for email viruses to spread?

By automatically mailing copies to hundreds of people (B)

What action is triggered when conditions are met in logic and time bombs?

A certain function, like printing a message or deleting files (A)

What are 'bait files' used for regarding computer viruses?

To act as a sample for anti-virus software (C)

What action does a virus take when employing a stealth/rootkit?

It hides itself by intercepting anti-virus software requests (C)

What is the main goal of a rootkit?

To conceal running processes and files (A)

What does it mean when a virus is called a 'companion' virus?

It has the same file names as legitimate files (A)

What is the primary method to avoid stealth?

Booting from a medium known to be clean (D)

What is a primary function of viruses that utilize self-modification techniques?

Making detection by signatures difficult (B)

If a virus is encrypted with a variable key, which part remains constant?

The decrypting module (B)

What is the purpose of a polymorphic engine in a virus?

To enable polymorphic code (B)

In metamorphic code, what action do viruses take to avoid detection?

They rewrite themselves completely (D)

What is a requirement for a virus to replicate itself?

Permission to execute code and write to memory (D)

What is the role of the 'finder module' in nonresident viruses?

To find new files to infect (A)

How do resident viruses operate?

They load into memory and infect new hosts when files are accessed (C)

What is a characteristic of 'fast infector' viruses?

They infect as many files as possible (C)

Which of these file types can be host types for a virus?

Binary executable files (.exe) (A)

How does a computer worm spread?

By sending copies of itself over a network (C)

What's a characteristic of email worms?

They arrive via email where the message contains the worm code (B)

What is a typical target of IRC worms?

Chat channels (C)

What is the action of 'file-sharing networks worms'?

Copying itself into a shared folder (D)

What is a typical payload of worms that can be installed on a computer?

A backdoor program (C)

Antivirus software typically uses what techniques to accomplish its primary mission?

Examining files and identifying suspicious behavior (D)

What are the common work modes of antivirus software?

Static file scanning and real-time scanning (A)

What action does an anti-virus take after identifying a virus by using its virus dictionary?

It attempts to repair, quarantine, or delete the infected file (D)

For anti-virus effectiveness, what action should a user to do?

Update virus dictionary entries (B)

What is a disadvantage of using the 'suspicious behavior' approach in antivirus software?

It can have a high rate of false positives (B)

What is the anti-virus technique of heuristic analysis?

Emulating code (D)

What type of security mechanism runs programs safely in a contained environment?

Sandbox (D)

What is a limitation of antivirus software?

They are reactive (C)

What can malware do if it has sufficient system permissions?

Change antivirus settings (B)

What do retro viruses attack?

Security programs (D)

What characteristic should security tools exhibit to evade antivirus detection?

Metamorphic (C)

What problem might security systems designed at the network level run into?

Malware shutting down the security systems (D)

What kind of virus is Win32/Simile?

A metamorphic virus (D)

What is a known component of SQL slammer worms regarding its disk size?

376 bytes (C)

How is a computer infected by SQL slammer worm?

By using an unpatched copy of Microsoft SQL server Resolution (C)

What characteristic defines malware?

It is designed to infiltrate and potentially damage systems without consent. (A)

Why might a virus writer create a computer virus?

As a form of artistic expression or a research project. (B)

What is the key characteristic of boot sector viruses?

They modify or hide in the boot sector of a disk. (B)

How do companion viruses trick users into executing them?

By having filenames similar to legitimate files and relying on the order in which DOS executes files. (D)

Which of the following is a primary characteristic of macro viruses?

They are commonly written in scripting languages for programs like Microsoft Word and Excel. (C)

Why do viruses avoid infecting anti-virus files?

To prevent detection by the anti-virus software. (A)

How can a virus use stealth to hide itself on a system?

By intercepting anti-virus software requests and providing uninfected versions of files. (C)

What is the purpose of a rootkit?

To conceal running processes, files, or system data. (B)

What is a reliable method for avoiding stealth techniques employed by rootkits?

Booting from a clean, trusted medium. (A)

How do self-modifying viruses complicate detection?

By altering their code on each infection, making signature-based detection difficult. (C)

In a virus that uses encryption with a variable key, what component remains constant?

The decrypting module. (C)

What is the function of a polymorphic engine in a virus?

To alter the virus's decryption module on each infection. (B)

How do metamorphic viruses avoid detection?

By rewriting themselves completely each time they infect a new executable. (C)

For a virus to successfully replicate, what action must it be permitted to perform?

Execute code and write to memory. (A)

What action characterizes how resident viruses operate?

They load into memory and infect new hosts as they are accessed. (C)

What potentially problematic situation is caused by 'fast infector' viruses?

They can 'piggy-back' on virus scanners and infect all scanned files. (A)

Which type of file is a potential host for a virus?

Binary executable files (.exe, .com). (D)

What is the main difference between a worm and a virus, concerning harm?

Worms always harm the network, whereas viruses always infect or corrupt files on a targeted computer. (D)

How does a file-sharing network worm spread to other computers?

By copying itself into a shared folder on the local machine. (D)

What action is a common payload for worms, after infecting a system?

Installing a backdoor to allow unauthorized access. (C)

What is the role of the 'virus dictionary' in antivirus software?

To provide definitions of known viruses for scanning purposes. (A)

How does dictionary-based antivirus software typically detect viruses?

By examining files when the OS creates, opens, closes or e-mails them. (C)

Why does antivirus software require periodic updates of its virus dictionary?

To include information about newly discovered viruses. (C)

Why is 'suspicious behavior' an important detection method for brand-new viruses?

It can detect viruses that are not yet defined in virus dictionaries. (D)

What is a potential drawback of relying solely on suspicious behavior analysis for virus detection?

It can lead to a large number of false positives, desensitizing users to warnings. (C)

What is the primary function of heuristic analysis in antivirus software?

To emulate code execution and identify potentially malicious behavior. (D)

In the context of antivirus software, what is a 'sandbox'?

A virtual test environment for safely running programs. (A)

Why might sandbox analysis not always detect a virus?

Viruses can be nondeterministic, leading to different actions in each run. (D)

Why are reactive approaches considered a weakness of antivirus software?

Its effectiveness depends on the program and definitions. (C)

Why is the inability of antivirus software to protect itself considered a security weakness?

It allows malware to change antivirus settings and configurations. (D)

What is the meaning of "installation process" in relation to why antivirus software might not disinfect malware files?

Malware includes writing configuration files for other software, registry keys etc. (C)

What is the primary target of retro viruses?

Security programs like antivirus software. (C)

What characteristic should tools have in order to evade antivirus detection?

Polymorphic or metamorphic code. (C)

What is the issue regarding network intrusion detection systems, concerning malware?

Malware could exploit or shut down the system. (C)

What is a significant factor regarding the efficiency of the SQL slammer worm?

Its compact and small code helps avoid writing to disk, increasing memory use. (D)

Flashcards

Malware

Software designed to infiltrate or damage a computer system without the owner's consent.

Computer Virus

A self-replicating computer program that alters a computer's operation without permission.

Boot Sector Virus

A virus that alters or hides in boot sector of a drive.

Companion Viruses

Viruses that create new files with similar names to legitimate files.

Email Viruses

Viruses that use e-mail messages to spread copies of themselves.

Logic/Time Bombs

Code that lies inert until specific conditions are met, triggering a function like deleting files.

Macro Viruses

Viruses written in scripting languages for programs like Word/Excel spread in Microsoft Office.

Stealth/Rootkit Virus

A virus avoids detection by hiding or modifying itself when scanned.

Bait Files

Files created by antivirus software used to detect viruses.

Self-Modification

Modifying the way it looks to avoid detection.

Encryption Viruses

Viruses that contains decrypting module and an encrypted copy of the virus code.

Polymorphic Code

A virus with polymorphic engine to modify the decryption module on each infection.

Metamorphic Code

Rewrites itself completely each time it infects new files.

Resident vs. Nonresident Viruses

Two types of virus replication strategies.

Fast Infectors

Infects many files as possible.

Slow Infectors

Infects hosts infrequently to avoid detection.

Computer Worm

A self-replicating program that uses a network to send copies of itself, without attaching to an existing program.

Email Worms

Spreads through email messages.

Instant Messaging Worms

Spreads via instant messaging applications.

IRC Worms

Spreads via chat channels.

File-Sharing Networks Worms

Places copy of itself in a shared folder.

Internet Worms

Targets low level TCP/IP ports directly.

Payloads

Code that designed to do more than spread the worm, deletes files, encrypt files, or send documents.

Antivirus Software

Examines files for known viruses and identifies suspicious behavior.

"Static" File Scanning

Useful for when you have to scan a file to check.

Real-Time Dynamic Scanning

Preventing the computer from getting infected in the first place.

Signature

Characteristic byte-pattern that is part of a certain virus family.

Metamorphic/Polymorphic Code

Virus's Technology to avoid the Dictionary Approach.

Suspicious Behavior Approach

Monitors the behavior of programs, not just their code.

Heuristic Analysis

Emulate the beginning of the code of each new executable.

Sandbox

A security mechanism to run programs safely.

Retro Viruses

Techniques to avoid detection.

Rootkit

Software that is intended to conceal running processes and data from the operating system.

Virtualised Rootkit

A rootkit that modifies the boot sequence of the machine.

Kernel level Rootkit

Rootkits that add additional code and/or replace a portion of kernel code.

Library Level Rootkit

Rootkits for replacing or patching system calls.

Application Level Rootkit

Applies regular application binaries.

Black Antivirus

Antivirus used towards bad purposes.

Win32/Simile

A computer virus that infects assembly language for Microsoft Windows.

SQL slammer worm

A computer worm that caused a denial of service on some Internet hosts.

Network Shield

Anti-virus software, acts as a lightweight Intrusion Detection System.

Reactive Approach

The inability to protect themself.

Study Notes

• Malware is software designed to infiltrate or damage a computer system without the owner's consent.
• Types of malware include spyware, adware, Trojan horses, Worms, and viruses.

Computer Virus

• A computer virus is a self-replicating computer program written to alter the way a computer operates, without the permission or knowledge of the user.
• Some virus writers consider their creations to be works of art or a creative hobby.
• Viruses have been written as research projects, pranks, vandalism, or to attack the products of specific companies.
• Some viruses were intended as "good viruses" to spread improvements to other programs.
• "Good viruses" or rare though, still consume system resources, and may accidentally damage systems.

Types of Viruses

• Boot sector viruses alter or hide in the boot sector of a bootable disk or hard drive.
• Boot sector viruses contain code for bootstrapping programs (usually activates, but not necessarily, operating systems).
• Boot sector infector viruses replace the bootstrap code in the boot sectors with viral code.
• The BIOS on IBM PC compatible machines is ignorant of whether a disk has in fact been high-level formatted and has an operating system installed in it.
• Companion viruses create new files, typically .COM, but can use other extensions such as ".EXD," that have the same file names as legitimate .EXE files.
• For companion viruses, if the user does not type in ".EXE" but instead does not specify a file extension, DOS will assume he meant the extension that comes first in alphabetical order and run the virus.
• Email viruses use email messages as a mode of transport.
• Email viruses copy themselves by automatically mailing copies to hundreds of people in the victim's address book.
• Logic and time bombs employs code that lies inert until specific conditions are met.
• Macro viruses are written in the scripting languages for Microsoft programs, such as Word and Excel, and are spread in Microsoft Office by infecting documents and spreadsheets.
• Cross-site scripting viruses utilize cross-site scripting vulnerabilities to replicate.

Virus Detection

• A virus needs to infect hosts in order to spread further.
• Avoiding bait files and other undesirable hosts, many anti-virus programs perform an integrity check of their own code.
• Bait files (or goat files) are files that are specially created by anti-virus software.
• Anti-virus professionals can use bait files to take a sample of a virus.
• Anti-virus professionals can use bait files to study the behavior of a virus and evaluate detection methods.
• Some anti-virus software employs bait files that are accessed regularly.
• A virus can hide itself - Stealth\Rootkit - by intercepting the anti-virus software's request to read the file and passing the request to the virus, instead of the OS.
• The virus can then return an uninfected version of the file to the anti-virus software, so that it seems that the file is "clean".
• Modern anti-virus software employs various techniques to counter stealth mechanisms of viruses.

Rootkit

• A rootkit is a set of software tools intended to conceal running processes, files, or system data from the operating system.
• Virtualized rootkits work by modifying the boot sequence of the machine to load themselves instead of the original operating system.
• Once loaded into memory, a virtualized rootkit loads the original operating system as a Virtual Machine, enabling the rootkit to intercept all hardware calls made by the guest OS.
• Kernel level rootkits add additional code and/or replace a portion of kernel code with modified code to help hide a backdoor on a computer system.
• Library level rootkits commonly patch, hook, or replace system calls with versions that hide information about the attacker.
• Application level rootkits may replace regular application binaries with trojanized fakes, or they may modify the behavior of existing applications using hooks, patches, injected code, or other means.
• A reliable method to avoid stealth is to boot from a medium that is known to be clean, then shut down the computer and check storage by booting from an alternative media (e.g. rescue CD-ROM or USB flash drive).

Virus Self-Modification

• Some viruses employ techniques that make detection by means of signatures difficult or impossible.
• These viruses modify their code on each infection with each infected file containing a different variant of the virus.
• Viruses may exchange subroutines in their code for others that would perform the same action. For example, 2+2 can be swapped for 1+3.
• A more advanced method is the use of simple encryption to encipher the virus.
• The virus consists of a small decrypting module and an encrypted copy of the virus code.
• The virus is encrypted with a different key for each infected file with the decrypting module remains constant.
• Polymorphic code has a polymorphic engine (also called a mutating engine or mutation engine) somewhere in its encrypted body.
• Anti-virus software can detect polymorphic code by decrypting the viruses using an emulator or by statistical pattern analysis of the encrypted virus body.
• Metamorphic code avoids detection by emulation by rewriting themselves completely each time they are to infect new executables.
• This rewrite is done by translating its own code into a temporary representation, and then back to normal code again.
• W32/Simile consisted of over 14000 lines of Assembly language code, and 90% of it was the metamorphic engine.

Replication

• In order to replicate itself, a virus must be permitted to execute code and write to memory.
• Many viruses will attach themselves to executable files.
• Nonresident viruses search for other hosts to infect and transfer control when infected.
• Nonresident viruses consist of a finder module and a replication module.
• Resident viruses do not search for hosts when they are started. They load themselves into memory on execution and transfer control to the host program.
• Fast infectors are designed to infect as many files as possible, every potential host file that is accessed, creating a problem for anti-virus software because a virus scanner will access every file.
• Slow infectors are designed to infect hosts infrequently to avoid detection.
• Slow infecters' actions are limited and will not trigger anti-virus software.

Host Types

• Binary executable files like COM files and EXE files in MS-DOS, Portable Executable files in Microsoft Windows, and ELF files in Linux
• Volume Boot Records of floppy disks and hard disk partitions
• The master boot record (MBR) of a hard disk
• General-purpose script files in MS-DOS, Microsoft Windows, VBScript files, and shell script files on Unix-like platforms.
• Application-specific script files (such as Telix-scripts)
• Documents that can contain macros

Computer Worm

• A computer worm is a self-replicating computer program that uses a network to send copies of itself to other nodes (computer terminals on the network).
• It does this without any user intervention and it does not need to attach itself to an existing program.
• Worms always harm the network, whereas viruses always infect or corrupt files on a targeted computer.
• Email Worms spread via email messages, typically the worm will arrive as email, where the message body or attachment contains the worm code, but it may also link to code on an external website.
• Instant messaging worms are spread via instant messaging applications by sending links to infected websites to everyone on the local contact list.
• IRC worms use Chat channels as the main target.
• File-sharing networks worms copy themselves into a shared folder, the worm will place a copy of itself in a shared folder under a harmless name and wait to be downloaded.
• Internet worms target low level TCP/IP ports directly, an example is Blaster which exploited a vulnerability in Microsoft's RPC on port 135.
• Payloads are code designed to do more than spread the worm, it might delete files on a host system (e.g. the ExploreZip worm), encrypt files in a cryptoviral extortion attack, or send documents via email.

Antivirus Software

• Antivirus software uses two different techniques - examining (scanning) files to look for known viruses matching definitions in a virus dictionary and identifying suspicious behavior from any computer program.
• Anti-virus programs have two basic modes: "static" file scanning and real-time "dynamic" scanning.
• Anti-virus software examines a file using these actions: attempt to repair file, quarantine file, delete file.
• The virus dictionary approach requires periodic downloads of updated virus dictionary entries.
• Users identify new viruses and send their infected files to the authors of antivirus software to include in their dictionaries.
• Dictionary-based antivirus software examines files when the computer's operating system creates, opens, closes or emails them.
• A system administrator can schedule the antivirus software to examine all files on the user's hard disk regularly.
• Virus's Technology to avoid the Dictionary Approach is Metamorphic code, Polymorphic code and Oligomorphic engine.
• Previous technology weakness are Polymorphism where a small portion of it is left unencrypted. Anti-virus software targets this small unencrypted portion of code, or by statistical pattern analysis of the encrypted virus body.
• The suspicious behavior approach doesn't attempt to identify known viruses, but instead monitors the behavior of all programs through a number of means.
• Heuristic analysis, anti-virus software tries to emulate the beginning of the code of each new executable that the system invokes before transferring control to that executable for self-modifying code.
• Heuristic scanners have a higher rate of false positives due to signature scanners, but are able to detect unknown viruses.
• Sandbox, A sandbox is a security mechanism for safely running programs by emulating the operating system and runs the executable and analyzes for malicious activity.
• Sandbox detection is mostly used on on-demand scans

Weaknesses of Antivirus Software

• Antivirus is only as good as the definition files, so it is reactive. Problems arise is detecting new/modified code, rootkits and software misuse.
• Malware can change anti-virus settings and configuration with sufficient system permissions.
• Malware changes system files, system configuration files, and registry files that are still present after antivirus scans.
• The industry is moving to “Removal Tool" in cases where an infection happens.

Retro Viruses

• Retro viruses target security programs using an "Attack is the best defense strategy."
• Malware, instead of hiding from detection by security SW, targets these SW as its (part of) malicious action.

Black Antivirus

• A (white) antivirus is used for the good purposes, and Black Antivirus is the same antivirus, but for the "bad" purposes.
• The "virus definition database" defines security tools which defend and protect computer systems.
• These security tools need to be a polymorphic or even metamorphic.

Black Intrusion Detection System

• Malware can use the IDS system to "shut down" security systems at the network level.
• Such malware will target internal corporate LAN and carry its own IDS engine or change the existing one (if possible).
• Malware carries its own engine and use MAC and ARP poisoning to sniff data.
• Any communication that passes the wire for an attack is subject to discovery.
• Covert-channels may be the solution.

Win32/Simile

• Win32/Simile - A metamorphic computer virus written in assembly language for Microsoft Windows (most recent version in early March 2002).
• It was written by the virus writer Mental Driller.
• Checks the current date and if the host file (.dll) import the file User32, then on the 17th of March, June, September, or December, a message is displayed.
• On May 14, a message saying "Free Palestine!" will be displayed if the system is set to Hebrew.
• It rebuilds itself in a complex metamorphic process that accounts for 90% of code.
• It searches for executable files in folders on all fixed and remote drives.
• The virus contains checks to avoid infecting "goat" or "bait" files.
• The infection process uses the structure of the host and random factors.
• It contains no destructive payload.

SQL Slammer Worm

• SQL slammer worm is a computer worm that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic, infecting 75,000 victims within ten minutes.
• It exploited two buffer overflow bugs in Microsoft's SQL Server and Desktop Engine database products.
• It is a small (376 bytes) piece of code that generates random IP addresses and sends itself out to those addresses.
• If a selected address happens to belong to a host that is running an unpatched copy of Microsoft SQL Server, the host is infected and spraying worm over the internet.
• It does not contain code to write to disk, only stays in memory.

Example AntiVirus Features

• Standard Shield and Real-time protection
• IM shield for Instant Messenger protection
• P2P shield for P2P protection
• Internet Mail and E-mail protection
• Outlook/Exchange - Microsoft Outlook/Exchange protection
• Web Shield and HTTP protection (local transparent proxy)
• Script blocker for script checker
• Network Shield basic protection against network worms/Intrusion Detection System (IDS)
• Audible alarms such as "Caution, a virus has been detected!"
• Boot-time scan to remove startup files.