Types of Viruses
The following categories are among the most significant types of viruses:
· Parasitic virus: The traditional and still most common form of virus. A parasitic virus attaches itself to executable files and replicates, when the infected program is executed, by finding other executable files to infect.
· Memory-resident virus: Lodges in main memory as part of a resident system program. From that point on, the virus infects every program that executes.
· Boot sector virus: Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.
· Stealth virus: A form of virus explicitly designed to hide itself from detection by antivirus software.
· Polymorphic virus: A virus that mutates with every infection, making detection by the "signature" of the virus impossible.
· Metamorphic virus: As with a polymorphic virus, a metamorphic virus mutates with every infection. The difference is that a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection. Metamorphic viruses may change their behavior as well as their appearance.
One example of a stealth virus was discussed earlier: a virus that uses compression so that the infected program is exactly the same length as an uninfected version. Far more sophisticated techniques are possible. For example, a virus can place intercept logic in disk I/O routines, so that when there is an attempt to read suspected portions of the disk using these routines, the virus will present back the original, uninfected program.
A polymorphic virus creates copies during replication that are functionally equivalent but have distinctly different bit patterns.
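The two paragraphs above make a single defensive point: a check that keys on file length is defeated by a length-preserving stealth infection, and a check that keys on a fixed byte "signature" is defeated by a polymorphic variant with different bits, while a cryptographic hash of the file compared against a known-good baseline catches both. The following added example (not from the text) demonstrates this with constructed byte strings standing in for a clean program and two altered copies; the markers, lengths and function names are assumptions made for the illustration.

```python
import hashlib

# Constructed sample "binary" (not a real program): a short header, some body
# bytes, and 16 bytes of trailing padding that an alteration can overwrite
# without changing the file's length.
CLEAN = b"MZ\x90\x00" + b"program code " * 8 + b"\x00" * 16

# Two constructed alterations that do the "same thing" but differ byte for
# byte, mimicking functionally equivalent polymorphic copies.
MARKER_A = b"VIRUS-A"
MARKER_B = b"\x56\x49\x52\x55\x53\x2d\x42"  # spells "VIRUS-B"; no byte run shared with MARKER_A


def tamper_preserving_length(clean: bytes, marker: bytes) -> bytes:
    """Overwrite the trailing padding with `marker`, keeping the total length unchanged."""
    assert len(marker) <= 16, "marker must fit in the padding area"
    body = clean[: len(clean) - 16]
    return body + marker + b"\x00" * (16 - len(marker))


def size_check(baseline: bytes, current: bytes) -> bool:
    """Naive integrity check: flags a change only if the length differs."""
    return len(baseline) != len(current)


def signature_check(current: bytes, signature: bytes) -> bool:
    """Naive scanner: flags a file only if a fixed byte pattern is present."""
    return signature in current


def hash_check(baseline_digest: str, current: bytes) -> bool:
    """Baseline integrity check: flags any deviation from the recorded SHA-256."""
    return hashlib.sha256(current).hexdigest() != baseline_digest


def evaluate() -> dict:
    """Run all three checks against both altered copies and report what each detects."""
    baseline_digest = hashlib.sha256(CLEAN).hexdigest()  # recorded while the file is known clean
    variant_a = tamper_preserving_length(CLEAN, MARKER_A)
    variant_b = tamper_preserving_length(CLEAN, MARKER_B)
    return {
        "size_detects_a": size_check(CLEAN, variant_a),                 # False: length unchanged
        "signature_detects_a": signature_check(variant_a, MARKER_A),    # True: known pattern present
        "signature_detects_b": signature_check(variant_b, MARKER_A),    # False: variant has different bytes
        "hash_detects_a": hash_check(baseline_digest, variant_a),       # True
        "hash_detects_b": hash_check(baseline_digest, variant_b),       # True
    }


if __name__ == "__main__":
    for name, detected in evaluate().items():
        print(f"{name:22s} {detected}")
```

The hash comparison only helps if the bytes being hashed are the real ones on disk: a stealth virus that intercepts disk I/O, as described above, would hand the scanner the original program. The baseline comparison therefore belongs in a trusted environment, for example when the system is booted from known-clean media and the suspect disk is read without the infected system's drivers.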
In the mid-1990s, macro viruses became by far the most prevalent type of virus. Macro viruses are particularly threatening for a number of reasons:
· A macro virus is platform independent. Virtually all of the macro viruses infect Microsoft Word documents. Any hardware platform and operating system that supports Word can be infected.
· Macro viruses infect documents, not executable portions of code. Most of the information introduced onto a computer system is in the form of a document rather than a program.
· Macro viruses are easily spread. A very common method is by electronic mail.
Macro viruses take advantage of a feature found in Word and other office applications such as Microsoft Excel, namely the macro. In essence, a macro is an executable program embedded in a word processing document or other type of file. Typically, users employ macros to automate repetitive tasks and thereby save keystrokes. The macro language is usually some form of the Basic programming language. A user might define a sequence of keystrokes in a macro and set it up so that the macro is invoked when a function key or special short combination of keys is input.
Successive releases of Word provide increased protection against macro viruses. For example, Microsoft offers an optional Macro Virus Protection tool that detects suspicious Word files and alerts the customer to the potential risk of opening a file with macros. Various antivirus product vendors have also developed tools to detect and correct macro viruses.
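The tool described above alerts the user when a Word file carries macros. A mail gateway or endpoint agent can make the same determination from the attachment's content rather than its file extension. The following is an added example, not Microsoft's tool or code from the text: it inspects modern Office documents (the OOXML zip format, where a VBA project is stored as a `vbaProject.bin` part) and recognises the header of the legacy binary Office format described in the text, which needs deeper OLE stream parsing that this example leaves to a dedicated library. The sample documents are constructed in memory and contain a placeholder rather than a real macro project.

```python
import io
import zipfile

# Header of the legacy binary Word/Excel format (OLE2 compound file), in which
# 1990s-era macro viruses lived. Macros there sit in OLE streams, not zip parts.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Local file header signature of a zip archive, i.e. a modern OOXML document.
ZIP_MAGIC = b"PK\x03\x04"

MACRO_ENABLED = "macro-enabled"          # quarantine or alert before delivery
LEGACY_BINARY = "legacy-binary-office"   # may contain macros; hand to an OLE parser
OOXML_NO_MACROS = "ooxml-no-macros"
NOT_OFFICE = "not-office"


def contains_vba_project(data: bytes) -> bool:
    """True if an OOXML zip carries a VBA project part (word/, xl/ or ppt/ vbaProject.bin)."""
    if not data.startswith(ZIP_MAGIC):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())


def classify_attachment(data: bytes) -> str:
    """Decide from content alone; the filename extension is deliberately not consulted."""
    if data.startswith(OLE_MAGIC):
        return LEGACY_BINARY
    if data.startswith(ZIP_MAGIC):
        return MACRO_ENABLED if contains_vba_project(data) else OOXML_NO_MACROS
    return NOT_OFFICE


def build_ooxml(with_macros: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip for testing (not a real Word document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macros:
            # Constructed placeholder bytes; a real vbaProject.bin is an OLE container.
            zf.writestr("word/vbaProject.bin", b"\x00placeholder, not a real VBA project")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in [("macro doc", build_ooxml(True)), ("plain doc", build_ooxml(False)),
                       ("legacy doc", OLE_MAGIC + b"\x00" * 32), ("text", b"hello")]:
        print(f"{label:10s} -> {classify_attachment(doc)}")
```

Deciding on content rather than extension matters because a macro-enabled document renamed to a "harmless" extension still opens in the application that honours its real format.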
A more recent development in malicious software is the e-mail virus. The first rapidly spreading e-mail viruses, such as Melissa, made use of a Microsoft Word macro embedded in an attachment. If the recipient opens the e-mail attachment, the Word macro is activated. Then
· The e-mail virus sends itself to everyone on the mailing list in the user's e-mail package.
· The virus does local damage.
A worm is a program that can replicate itself and send copies from computer to computer across network connections. Upon arrival, the worm may be activated to replicate and propagate again. Network worm programs use network connections to spread from system to system. Once active within a system, a network worm can behave as a computer virus or bacteria, or it could implant Trojan horse programs or perform any number of disruptive or destructive actions.
To replicate itself, a network worm uses some sort of network vehicle. Examples include the following:
· Electronic mail facility: A worm mails a copy of itself to other systems.
· Remote execution capability: A worm executes a copy of itself on another system.
· Remote login capability: A worm logs onto a remote system as a user and then uses commands to copy itself from one system to the other.
The new copy of the worm program is then run on the remote system where, in addition to any functions that it performs at that system, it continues to spread in the same fashion.
A network worm exhibits the same characteristics as a computer virus: a dormant phase, a propagation phase, a triggering phase, and an execution phase. The propagation phase generally performs the following functions:
1. Search for other systems to infect by examining host tables or similar repositories of remote system addresses.
2. Establish a connection with a remote system.
3. Copy itself to the remote system and cause the copy to be run.
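Both the e-mail virus above (one sender, every address in the mailing list) and the propagation phase just described (one host, many remote systems in quick succession) leave the same footprint in logs: a single source fanning out to an unusually large number of distinct destinations in a short window. The following added detector, not from the text, applies that idea to constructed connection-log lines; the log format, the 60-second window, the threshold of 10 distinct destinations and the addresses are all assumptions chosen for the illustration. The same logic applies to mail logs by substituting recipient addresses for destination hosts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection-log lines (not from any real system). Host 10.0.0.5
# contacts twelve different peers within twelve seconds, as a worm's propagation
# phase would; host 10.0.0.9 talks to three peers over ninety seconds.
SAMPLE_LOG = [
    f"2003-01-25T05:30:{i:02d} src=10.0.0.5 dst=10.0.0.{10 + i} dport=445" for i in range(12)
] + [
    "2003-01-25T05:30:03 src=10.0.0.9 dst=10.0.0.20 dport=445",
    "2003-01-25T05:30:07 src=10.0.0.9 dst=10.0.0.21 dport=445",
    "2003-01-25T05:31:30 src=10.0.0.9 dst=10.0.0.22 dport=445",
]

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")


def parse(line: str):
    """Return (timestamp, src, dst, dport) for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect_fan_out(lines, window=timedelta(seconds=60), threshold=10):
    """Flag each source that reaches `threshold` distinct destinations within `window`.

    Returns {src: (time_of_first_alert, distinct_destinations_at_that_time)}.
    """
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e[0])
    recent = defaultdict(list)  # src -> [(ts, dst), ...] still inside the window
    alerts = {}
    for ts, src, dst, _dport in events:
        kept = [(t, d) for (t, d) in recent[src] if ts - t <= window]
        kept.append((ts, dst))
        recent[src] = kept
        distinct = {d for _, d in kept}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (ts, len(distinct))
    return alerts


if __name__ == "__main__":
    for src, (when, count) in detect_fan_out(SAMPLE_LOG).items():
        print(f"ALERT {when.isoformat()} {src} reached {count} distinct destinations")
```

In practice the threshold is set from a baseline of what each role of host normally does; mail relays and monitoring servers legitimately fan out and need their own allowlist or a much higher threshold.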
As with viruses, network worms are difficult to counter.
The Morris Worm
The Morris worm was designed to spread on UNIX systems and used a number of different techniques for propagation.
· It attempted to log on to a remote host as a legitimate user. In this method, the worm first attempted to crack the local password file, and then used the discovered passwords and corresponding user IDs. The assumption was that many users would use the same password on different systems. To obtain the passwords, the worm ran a password-cracking program that tried:
    - Each user's account name and simple permutations of it
    - A list of 432 built-in passwords that Morris thought to be likely candidates
    - All the words in the local system directory
· It exploited a bug in the finger protocol, which reports the whereabouts of a remote user.
· It exploited a trapdoor in the debug option of the remote process that receives and sends mail.
· If any of these attacks succeeded, the worm achieved communication with the operating system command interpreter.
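The three candidate classes the worm tried (account-name permutations, a short list of likely passwords, dictionary words) are exactly the classes a password policy check should reject at the time a password is set, so that a stolen password file yields nothing to this kind of guessing. The following added example, not from the text, is such a checker. The specific "simple permutations" it tests (reversal, doubling, a leading or trailing digit) are an assumption, since the text does not enumerate them, and the small wordlist is a constructed stand-in for both the built-in candidate list and the system dictionary.

```python
# Constructed stand-in for the built-in candidate list and the system dictionary
# mentioned in the text; a real deployment would load a large wordlist.
WORDLIST = {"password", "secret", "wizard", "welcome", "sunshine", "dragon"}

DERIVED_FROM_ACCOUNT = "derived from account name"
DICTIONARY_WORD = "dictionary word"


def account_name_variants(username: str) -> set:
    """Assumed 'simple permutations' of an account name, all lower-cased."""
    u = username.lower()
    variants = {u, u[::-1], u + u}
    variants |= {u + str(d) for d in range(10)}
    variants |= {str(d) + u for d in range(10)}
    return variants


def is_guessable(username: str, password: str, wordlist=WORDLIST):
    """Return the reason a password would fall to the guessing strategy, or None if it would not."""
    pw = password.lower()
    if pw in account_name_variants(username):
        return DERIVED_FROM_ACCOUNT
    # Dictionary words, with or without trailing digits ("dragon", "dragon7").
    if pw in wordlist or pw.rstrip("0123456789") in wordlist:
        return DICTIONARY_WORD
    return None


def audit(accounts: dict, wordlist=WORDLIST) -> dict:
    """Check {username: candidate_password}; return {username: reason} for the guessable ones."""
    findings = {}
    for user, pw in accounts.items():
        reason = is_guessable(user, pw, wordlist)
        if reason:
            findings[user] = reason
    return findings


if __name__ == "__main__":
    # Constructed accounts for demonstration only.
    sample = {"alice": "Alice1", "bob": "Dragon7", "carol": "ecila",
              "dave": "correct horse battery staple"}
    for user, reason in audit(sample).items():
        print(f"{user}: rejected ({reason})")
```

Running the check at password-change time is the point: the worm's strategy worked because nothing prevented users from choosing exactly these passwords in the first place, and the same weak password on several systems turned one cracked file into access everywhere.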
Recent Worm Attacks
In late 2001, a more versatile worm appeared, known as Nimda. Nimda spreads by multiple mechanisms:
· from client to client via e-mail
· from client to client via open network shares
· from Web server to client via browsing of compromised Web sites
· from client to Web server via active scanning for and exploitation of various Microsoft IIS 4.0 / 5.0 directory traversal vulnerabilities
· from client to Web server via scanning for the back doors left behind by the "Code Red II" worms
The worm modifies Web documents (e.g., .htm, .html, and .asp files) and certain executable files found on the systems it infects and creates numerous copies of itself under various filenames.
In early 2003, the SQL Slammer worm appeared. This worm exploited a buffer overflow vulnerability in Microsoft SQL server.
Mydoom is a mass-mailing e-mail worm that appeared in 2004.