Types of Viruses

The following categories are among the most significant types of viruses:
· Parasitic virus: The traditional and still most common form of virus. A parasitic virus attaches itself to executable files and replicates, when the infected program is executed, by finding other executable files to infect.
· Memory-resident virus: Lodges in main memory as part of a resident system program. From that point on, the virus infects every program that executes.
· Boot sector virus: Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.
· Stealth virus: A form of virus explicitly designed to hide itself from detection by antivirus software.
· Polymorphic virus: A virus that mutates with every infection, making detection by a fixed "signature" of the virus impossible.
· Metamorphic virus: As with a polymorphic virus, a metamorphic virus mutates with every infection. The difference is that a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection. Metamorphic viruses may change their behavior as well as their appearance.
One example of a stealth virus was discussed earlier: a virus that uses compression so that the infected program is exactly the same length as an uninfected version. Far more sophisticated techniques are possible. For example, a virus can place intercept logic in disk I/O routines, so that when there is an attempt to read suspected portions of the disk using these routines, the virus will present back the original, uninfected program.

A polymorphic virus creates copies during replication that are functionally equivalent but have distinctly different bit patterns.
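The two evasion techniques just described, modelled as an added example (this is not code from the original page; the host program, the virus body, the marker and the decryptor stub are inert constructed byte strings, and the file layout is an assumption for illustration). It shows why a length check misses the compression trick, why an integrity check made through the virus's own read hook is fooled but one made on the raw bytes is not, and why a polymorphic copy defeats a signature on the body while the constant decryptor remains something a scanner can match.

```python
"""Toy model of a length-preserving stealth infection and a polymorphic copy.
Constructed example, not code from the original page; nothing here executes."""
import hashlib
import os
import struct
import zlib

# Constructed host program: deliberately repetitive so it compresses well.
HOST = b"MZ" + (b"\x90" * 64 + b"mov eax, 1; ret\n") * 16

# Constructed, inert virus body plus the hypothetical constant pieces a scanner
# could still look for: an infection marker and a fixed decryptor stub.
VIRUS_BODY = b"[virus body: find next .EXE, infect it, jump to host]" * 4
MARKER = b"VX01"
DECRYPT_STUB = b"<xor-decrypt-loop>"


def infect_length_preserving(host: bytes, body: bytes) -> bytes:
    """Stealth by compression: keep the compressed host after the virus body
    and pad so the infected file is exactly as long as the original."""
    packed = zlib.compress(host, 9)
    image = MARKER + struct.pack(">II", len(body), len(packed)) + body + packed
    if len(image) > len(host):
        raise ValueError("host does not compress enough to hide the virus")
    return image + b"\x00" * (len(host) - len(image))


def read_through_infected_hook(image: bytes) -> bytes:
    """What the virus's disk I/O intercept hands back to anyone reading the
    infected file: the reconstructed, uninfected host."""
    if not image.startswith(MARKER):
        return image
    hdr = len(MARKER)
    body_len, packed_len = struct.unpack(">II", image[hdr:hdr + 8])
    start = hdr + 8 + body_len
    return zlib.decompress(image[start:start + packed_len])


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def detected_by_length(original: bytes, suspect: bytes) -> bool:
    """The naive check the compression trick is built to defeat."""
    return len(original) != len(suspect)


def detected_by_hash(original: bytes, suspect: bytes, read=lambda b: b) -> bool:
    """Integrity check; 'read' models the path the scanner reads the file through."""
    return sha256(original) != sha256(read(suspect))


def polymorphic_copy(body: bytes, key: int) -> bytes:
    """One generation: fixed decryptor, body XOR-encrypted under a per-infection
    key, so the body's bit pattern differs from copy to copy."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    return DECRYPT_STUB + bytes([key]) + bytes(b ^ key for b in body)


def next_generation(body: bytes) -> bytes:
    return polymorphic_copy(body, 1 + os.urandom(1)[0] % 255)


def decrypt_copy(copy: bytes) -> bytes:
    key = copy[len(DECRYPT_STUB)]
    return bytes(b ^ key for b in copy[len(DECRYPT_STUB) + 1:])


def signature_found(image: bytes, signature: bytes) -> bool:
    return signature in image


if __name__ == "__main__":
    infected = infect_length_preserving(HOST, VIRUS_BODY)
    print("same length as host:", len(infected) == len(HOST))
    print("length check detects:", detected_by_length(HOST, infected))
    print("hash check on raw bytes detects:", detected_by_hash(HOST, infected))
    print("hash check via hooked read detects:",
          detected_by_hash(HOST, infected, read=read_through_infected_hook))
    g1, g2 = next_generation(VIRUS_BODY), next_generation(VIRUS_BODY)
    print("two generations identical:", g1 == g2)
    print("body signature found:", signature_found(g1, VIRUS_BODY[:16]))
    print("decryptor signature found:", signature_found(g1, DECRYPT_STUB))
```

The practical consequence of the hooked-read case is that an integrity scan must read the disk by a path the virus cannot intercept (for instance from clean boot media); and the polymorphic case is why real scanners match the decryptor or emulate it to recover the body rather than look for the body's bytes.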
Macro Viruses
In the mid-1990s, macro viruses became by far the most prevalent type of virus. Macro viruses are particularly threatening for a number of reasons:
· A macro virus is platform independent. Virtually all of the macro viruses infect Microsoft Word documents. Any hardware platform and operating system that supports Word can be infected.
· Macro viruses infect documents, not executable portions of code. Most of the information introduced onto a computer system is in the form of a document rather than a program.
· Macro viruses are easily spread. A very common method is by electronic mail.
Macro viruses take advantage of a feature found in Word and other office applications such as Microsoft Excel, namely the macro. In essence, a macro is an executable program embedded in a word processing document or other type of file. Typically, users employ macros to automate repetitive tasks and thereby save keystrokes. The macro language is usually some form of the Basic programming language. A user might define a sequence of keystrokes in a macro and set it up so that the macro is invoked when a function key or special short combination of keys is input.
Successive releases of Word provide increased protection against macro viruses. For example, Microsoft offers an optional Macro Virus Protection tool that detects suspicious Word files and alerts the customer to the potential risk of opening a file with macros. Various antivirus product vendors have also developed tools to detect and correct macro viruses.
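The check such a tool has to make, as an added example (not code from the original page or from any vendor's product): decide whether an Office document carries a macro before a user opens it. It relies on two facts about the current Office file formats: a .docm/.xlsm is a zip container in which the VBA project is stored at word/vbaProject.bin (or xl/, ppt/), and the main part is declared with a "macroEnabled" content type in [Content_Types].xml. The sample documents are constructed in memory; the stub vbaProject.bin contents are a placeholder.

```python
"""Gateway-style check for macro-bearing Office documents (added example)."""
import io
import zipfile

VBA_PART_NAMES = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls header


def classify(data: bytes) -> dict:
    """Report the container format, whether a VBA project part is present, and
    whether the content types advertise a macro-enabled document."""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: macros live in OLE streams and need an OLE parser
        # (e.g. oletools' olevba) to be inspected, so it cannot be cleared here.
        return {"format": "ole2", "vba_project": None, "macro_enabled_type": None}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"format": "unknown", "vba_project": False, "macro_enabled_type": False}
    names = set(zf.namelist())
    if "[Content_Types].xml" not in names:
        return {"format": "zip", "vba_project": False, "macro_enabled_type": False}
    types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    return {
        "format": "ooxml",
        "vba_project": any(n in names for n in VBA_PART_NAMES),
        "macro_enabled_type": "macroEnabled" in types,
    }


def carries_macro(data: bytes) -> bool:
    """Either signal is enough: a renamed or type-forged .docm still contains
    vbaProject.bin, and an OLE2 file cannot be cleared without parsing it."""
    info = classify(data)
    return (info["format"] == "ole2" or bool(info["vba_project"])
            or bool(info["macro_enabled_type"]))


# --- constructed sample documents -------------------------------------------
WORD_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
MACRO_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"


def _ooxml(main_type: str, extra_parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types><Override PartName="/word/document.xml" '
                    f'ContentType="{main_type}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        for name, content in extra_parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


STUB_VBA = OLE2_MAGIC + b"\x00" * 64          # placeholder, not a real VBA project
PLAIN_DOCX = _ooxml(WORD_TYPE, {})
MACRO_DOCM = _ooxml(MACRO_TYPE, {"word/vbaProject.bin": STUB_VBA})
# Content types claim a plain document, but the VBA part is still there.
FORGED_TYPES = _ooxml(WORD_TYPE, {"word/vbaProject.bin": STUB_VBA})
LEGACY_DOC = OLE2_MAGIC + b"\x00" * 504

if __name__ == "__main__":
    for label, doc in [("plain.docx", PLAIN_DOCX), ("macro.docm", MACRO_DOCM),
                       ("forged.docx", FORGED_TYPES), ("legacy.doc", LEGACY_DOC)]:
        print(f"{label:12} {classify(doc)} -> block: {carries_macro(doc)}")
```

The file extension is deliberately never consulted: it is chosen by the sender, while the part names and content types are what the application acts on.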
E-mail Viruses
A more recent development in malicious software is the e-mail virus. The first rapidly spreading e-mail viruses, such as Melissa, made use of a Microsoft Word macro embedded in an attachment. If the recipient opens the e-mail attachment, the Word macro is activated. Then:
· The e-mail virus sends itself to everyone on the mailing list in the user's e-mail package.
· The virus does local damage.
Worms
A worm is a program that can replicate itself and send copies from computer to computer across network connections. Upon arrival, the worm may be activated to replicate and propagate again. Network worm programs use network connections to spread from system to system. Once active within a system, a network worm can behave as a computer virus or bacteria, or it could implant Trojan horse programs or perform any number of disruptive or destructive actions.

To replicate itself, a network worm uses some sort of network vehicle. Examples include the following:
· Electronic mail facility: A worm mails a copy of itself to other systems.
· Remote execution capability: A worm executes a copy of itself on another system.
· Remote login capability: A worm logs onto a remote system as a user and then uses commands to copy itself from one system to the other.

The new copy of the worm program is then run on the remote system where, in addition to any functions that it performs at that system, it continues to spread in the same fashion.
A network worm exhibits the same characteristics as a computer virus: a dormant phase, a propagation phase, a triggering phase, and an execution phase. The propagation phase generally performs the following functions:
1. Search for other systems to infect by examining host tables or similar repositories of remote system addresses.
2. Establish a connection with a remote system.
3. Copy itself to the remote system and cause the copy to be run.

As with viruses, network worms are difficult to counter.
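Steps 1 and 2 of the propagation phase leave a network-side trace that does not depend on knowing the worm: one source opening connections to many distinct destinations on the same port within seconds. The following added example (not from the original page) runs a sliding-window fan-out detector over constructed flow records. The record format (time, source, destination, destination port, protocol) and the thresholds are assumptions; the two sweeping hosts, one on TCP/445 and one on UDP/1434, are constructed to look like a share-based worm and a single-packet UDP worm respectively.

```python
"""Fan-out detection for worm propagation over constructed flow records."""
from collections import defaultdict

# Constructed flow log: (timestamp seconds, src, dst, dst port, protocol)
FLOWS = [
    (0.0, "10.0.0.5", "10.0.0.1", 25, "tcp"),        # normal mail delivery
    (1.0, "10.0.0.5", "10.0.0.9", 445, "tcp"),       # normal file share access
] + [
    # infected host sweeping two /24s for the service it knows how to exploit
    (10.0 + i * 0.01, "10.0.0.23", f"10.0.{i // 250}.{i % 250 + 1}", 445, "tcp")
    for i in range(500)
] + [
    # single-packet UDP worm: hundreds of datagrams per second to random hosts
    (10.0 + i * 0.002, "10.0.0.42", f"10.0.{i // 250}.{i % 250 + 1}", 1434, "udp")
    for i in range(300)
] + [
    (20.0 + i, "10.0.0.7", f"10.0.0.{i + 1}", 80, "tcp") for i in range(5)  # browsing
]


def fan_out_alerts(flows, window=5.0, threshold=50):
    """For every (src, dport, proto) key, count distinct destinations contacted
    within any 'window'-second span; return keys whose peak exceeds 'threshold'
    together with that peak."""
    by_key = defaultdict(list)
    for t, src, dst, dport, proto in flows:
        by_key[(src, dport, proto)].append((t, dst))

    alerts = {}
    for key, events in by_key.items():
        events.sort()
        in_window = defaultdict(int)   # destination -> count of flows in window
        lo, peak = 0, 0
        for t, dst in events:
            in_window[dst] += 1
            while events[lo][0] < t - window:   # expire flows older than window
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak > threshold:
            alerts[key] = peak
    return alerts


if __name__ == "__main__":
    for (src, dport, proto), peak in sorted(fan_out_alerts(FLOWS).items()):
        print(f"ALERT {src} -> {peak} distinct hosts on {proto}/{dport} within 5s")
```

Keying on destination port as well as source keeps a busy mail relay or proxy (many destinations, but on its own service port and at a steady rate) from tripping the threshold, while a worm sweep is concentrated on one port and one short interval.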
The Morris Worm

The Morris worm was designed to spread on UNIX systems and used a number of different techniques for propagation.
· It attempted to log on to a remote host as a legitimate user. In this method, the worm first attempted to crack the local password file, and then used the discovered passwords and corresponding user IDs. The assumption was that many users would use the same password on different systems. To obtain the passwords, the worm ran a password-cracking program that tried:
  - each user's account name and simple permutations of it;
  - a list of 432 built-in passwords that Morris thought to be likely candidates;
  - all the words in the local system dictionary.
· It exploited a bug in the finger daemon (fingerd), which reports the whereabouts of a remote user.
· It exploited a trapdoor in the debug option of the remote process that receives and sends mail (sendmail).

If any of these attacks succeeded, the worm achieved communication with the operating system command interpreter.
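The password attack is the one of the three that still works unchanged today, and the defence is the same audit run from the other side. The added example below (not from the original page) checks stored password hashes against the three guess sources the text lists. The permutation rules, the short "likely" list standing in for the 432-word list, the five-word stand-in for the system dictionary, the sample accounts and the PBKDF2 hashing are all assumptions for illustration, not the worm's actual lists or a UNIX password file.

```python
"""Audit password hashes against Morris-style guess sources (added example)."""
import hashlib
import hmac
import os
from typing import Dict, Iterator, Optional, Tuple

ROUNDS = 5_000  # kept low so the audit runs quickly; use far more in production
LIKELY = {"password", "secret", "welcome", "letmein", "qwerty"}       # stands in for the 432-word list
DICTIONARY = {"aardvark", "banana", "computer", "dragon", "zephyr"}   # stands in for the system dictionary


def account_permutations(user: str) -> set:
    """Assumed set of 'simple permutations' of the account name."""
    u = user.lower()
    return {u, u.upper(), u.capitalize(), u[::-1], u + u, u + "1", u + "123"}


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


def guess_sources(user: str) -> Iterator[Tuple[str, str]]:
    """Candidates in the order the worm tried them, tagged with their source."""
    yield from (("account", p) for p in sorted(account_permutations(user)))
    yield from (("likely", p) for p in sorted(LIKELY))
    yield from (("dictionary", p) for p in sorted(DICTIONARY))


def audit(user: str, salt: bytes, stored: bytes) -> Optional[str]:
    """Hash each candidate the way the system does and compare; return the
    source that cracks the account, or None if none does."""
    for source, candidate in guess_sources(user):
        if hmac.compare_digest(hash_password(candidate, salt), stored):
            return source
    return None


def enroll(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed sample accounts: the first three would have fallen to the worm.
SAMPLE_ACCOUNTS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": enroll("ecila"),                  # account name reversed
    "bob": enroll("dragon"),                   # dictionary word
    "carol": enroll("welcome"),                # "likely" password
    "dave": enroll("correct-horse-battery"),   # survives all three lists
}


def audit_all(accounts: Dict[str, Tuple[bytes, bytes]] = SAMPLE_ACCOUNTS) -> Dict[str, Optional[str]]:
    return {user: audit(user, salt, stored) for user, (salt, stored) in accounts.items()}


if __name__ == "__main__":
    for user, source in audit_all().items():
        print(f"{user:6} {'cracked via ' + source if source else 'not cracked'}")
```

The same function doubles as a password-change filter: run `audit` on the proposed password's hash before accepting it, and the three Morris lists are excluded at enrolment rather than discovered later.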
Recent Worm Attacks

In late 2001, a more versatile worm appeared, known as Nimda. Nimda spreads by multiple mechanisms:
· from client to client via e-mail
· from client to client via open network shares
· from Web server to client via browsing of compromised Web sites
· from client to Web server via active scanning for and exploitation of various Microsoft IIS 4.0 / 5.0 directory traversal vulnerabilities
· from client to Web server via scanning for the back doors left behind by the "Code Red II" worm

The worm modifies Web documents (e.g., .htm, .html, and .asp files) and certain executable files found on the systems it infects and creates numerous copies of itself under various filenames.

In early 2003, the SQL Slammer worm appeared. This worm exploited a buffer overflow vulnerability in Microsoft SQL Server.

Mydoom is a mass-mailing e-mail worm that appeared in 2004.