Virus detection, prevention and recovery:
There are several precautions one can take in order to safeguard against virus infection. Even then, if a virus still creeps in, one has to follow the detection and elimination procedures given further below. The safety measures or precautions for virus prevention are rightly called the Golden Rules or the Commandments, as given below. While it is difficult to protect the system totally, using these rules one may prevent virus infections to a great extent.
The Golden Rules for virus prevention:
1. Always keep backups of your data/programs.
2. Keep floppies write-protected (especially if they are bootable).
3. Do not copy anything into your system from any unknown source.
4. Restrict the use of the machine to authorized users only.
5. Never download mail attachments or unknown content from the Internet.
Even after using these precautions, if a virus creeps into your system, it can be detected in various ways apart from using a virus scanner, because of the indications or symptoms given out by its presence. These include the following.
Virus Symptoms:
1. The computer system seems to be running much slower than normal.
2. The floppy disk or hard disk is accessed suddenly without any reason. Programs do something unusual or do not work normally.
3. Files or folders disappear mysteriously or contain garbage.
4. The system crashes often without any reason.
5. The computer does not boot completely, or at all.
6. System memory or disk space reduces without any logical reason.
7. Unusual error messages appear on screen.
8. Programs take more time to load than normal.
9. A change in data/program file sizes is observed.
Recovery procedure (virus):
If these symptoms are observed, they may indicate the presence of a virus in your system. To eliminate a virus once it is observed or detected in the system, one should carry out some specific steps, called the Recovery procedure. If you use anti-virus software, it will do this job for you. Many such products exist, including McAfee, Norton, F-Prot, AVG and so on. One must update these utilities frequently to stay safe from the newer viruses, which keep coming. Apart from using the tools, one must create a Rescue disk: a clean, uninfected bootable disk with the required set of tools. This can be used to diagnose, detect and eliminate viruses from the system.
Worms:
General concept (worms):
Apart from the virus programs discussed above, there exists one more type of malicious program in the computer world, called a Worm. Unlike its cousin the virus, a worm does not require any type of carrier. The term was coined from the word Tapeworm, which used to copy itself on tapes (used in older computer systems) way back in 1000s. In those days the worm code was considered harmless and was used just for fooling around with others. But then hackers took it up as a tool for destructive purposes, and development on that side continued. This gave rise to the recent Melissa and I Love You worms, which created havoc through the Internet across the world.
How do they work? (worms)
Worms are normally observed in networked environments rather than on stand-alone systems, and spread themselves by replication similar to that of a virus. Some worms are coded using scripting tools such as JavaScript, VBScript and ActiveX. Recently developed worms carry out their destruction through widespread use of the Internet. Once lodged on a system, worms keep replicating themselves by placing themselves in the memory of the various infected systems, and they use the network to copy themselves from one node to another. The destruction caused by worms includes bringing down your network's speed, using your address book to send anonymous mails to other hosts, undesirably disclosing your valuable information to the world, eating up resources, etc. Worms can choke or congest the network, bringing it to a crawling speed!
Detection, prevention and recovery of Worms:
Normally, all recent anti-virus utilities are capable of detecting most worm code and disinfecting it. The indication of a worm may be terrible slowness of the network, although there are several other possible reasons for this. Worms do not modify a program nor attach themselves to it, and hence may be seen or detected separately, unlike a virus. Still, some newer types of worms hide themselves inside email sources, HTML scripts, web page sources, etc. to remain undetected. As far as prevention is concerned, by using safety measures like detection tools and not opening any content from an unknown source, it may be possible to prevent their attacks.
Trojan horses:
General concept:
Yet another type of malicious program is the Trojan horse, sometimes simply called a Trojan. The name has a curious history behind it. In the Greek kingdom, a wooden horse was gifted to the enemy and taken inside their fort. It actually contained soldiers, who came out and fought the enemy, taking them by surprise. The Trojan horse in computing works on a similar principle: even though it claims to be a genuine program, it is in fact a malicious one. It is supposed to do something useful, while what it actually does is totally different and destructive.
How do they work? (Trojan Horse)
Trojans, as stated, always claim to be genuine programs; if they did not, nobody would copy or try them out! A Trojan may claim to be a newly released game, some newly developed utility program, or something similar. Once copied/downloaded onto a host and executed, it may actually do something like formatting the hard disk, erasing files/folders and so on. Trojans may work either like a Time Bomb (based on some value or number as the triggering condition) or like a Logic Bomb (destroying after some logical event or condition is satisfied). It is also possible that the Trojan horse program works normally for some time, just to fool the user into thinking it is doing something useful.
There are some types of Trojans which include a form of self-destruction, meaning that the Trojan program itself gets deleted after the triggering condition, along with the other destruction. (This can be seen as very much analogous to a human bomb!) Examples of Trojan horse programs include the 12 Tricks Trojan, actual file name CORETEST.COM (which claims to be a hard disk benchmarking program!), and the Nortstop Trojan, file name NORTSTOP.EXE or NORTSTOP.ZIP (which claims to be a public domain antivirus utility!).
Detection, prevention and elimination of Trojan horse:
One major difference between Trojan horses and worms or viruses is that Trojans do not self-replicate. This reduces the amount of destruction caused by them compared to the other malicious programs. Another limitation of theirs is that they exist as separate programs. Hence it is possible to find out that the harm is caused by the running program, label it as a Trojan and discard it. But beware! It is also possible that a Trojan horse program works like a Backdoor, passing valuable information from your system back to hackers!
It is hence difficult to detect a Trojan without using some good utility. Nowadays many anti-virus utilities check for them as well. Unless one tries out a Trojan program, it is hard to know whether it is genuine or not. In such a case, one can try it (if absolutely necessary) on a separate machine, and use it on the regular one only once confirmed. The prevention mechanism says: never download/copy any content from an unknown source, or when in doubt. Elimination is obviously the deletion of the program identified as a Trojan.
What can we do today?
Given that there is no foolproof method to test a program for hidden bad side effects, we can't be completely safe, but there are some precautions that are worth taking:
1. Don't run software from suspicious sources, like bulletin boards or people who aren't as careful as you are.
2. Frequently run virus checkers. Have the industry employ people whose job it is to keep up with virus technology and come up with vaccines.
3. Try to run programs in the most limited possible environments. For instance, if you have a PC in order to get real work done, and you also want to play games, sometimes using shareware or games copied from bulletin boards, have two machines. If you run a game with a virus, you'll only wipe out your games. A somewhat more practical way to accomplish this is to have a machine with multiple disks and a physical switch that connects only one of them at a time.
4. When your system puts up a warning saying that something is dangerous, don't do it!
5. Do frequent backups, and save old backups for a long time.
6. Don't boot off floppies, except in an extreme circumstance, such as the first time you unpack your machine and turn it on. In those circumstances, be extremely careful about what floppy you boot from.
3.4 Life Stages of a virus:
There are 3 stages to a Virus Life Cycle:
a. Infection Phase
b. Replication Phase
c. Attack Phase
Infection Phase:
When the virus executes, it has the potential to infect other programs. What is often not clearly understood is precisely when it will infect the other programs. Some viruses infect other programs each time they are executed; other viruses infect only upon a certain trigger. This trigger could be anything: a day or time, an external event on your PC, a counter within the virus, etc. Virus writers want their programs to spread as far as possible before anyone notices them. You can never be sure that the virus simply hasn't yet triggered its infection phase.
Many viruses go resident in the memory of your PC in the same or a similar way as terminate-and-stay-resident (TSR) programs. TSRs are programs that executed under DOS but stayed in memory instead of ending. This means the virus can wait for some external event before it infects additional programs. The virus may silently lurk in memory, waiting for you to access a diskette, copy a file, or execute a program, before it infects anything. This makes viruses more difficult to analyze, since it is hard to guess what trigger condition they use for their infection.
Resident viruses frequently take over portions of the system software on the PC to hide their existence. This technique is called stealth. Polymorphic techniques also help viruses to infect yet avoid detection.
Replication Phase:
This is the phase where the virus replicates, duplicates, or infects more system files, so that its strength is increased enough to attack the system and overcome the system's protective resources.
Replication is an important phase, because with proper replication the attack phase of the virus can become that much more lethal. Hence, replication is planned around some trigger, which the viral code needs in order to make its duplicate. To do this, the virus is placed in an executable file or in the system sector. In an executable file, the virus will usually be able to replicate only when that file is executed. Hence the system sector is a better bet: if the boot sector is where the viral code is placed, then the virus gets a chance to replicate every time the system boots.
Attack Phase:
Many viruses do unpleasant things such as deleting files or changing random data on your disk, simulating typos, or merely slowing your PC down. Just as the infection phase can be triggered by some event, the attack phase also has its own trigger.
Viruses often delay revealing their presence by launching their attack only after they have had ample opportunity to spread. This means the attack could be delayed for days, weeks, months, or even years after the initial infection.
Usually, viruses can also be triggered to attack on the arrival of a specific time. In that case, the virus constantly checks whether the pre-decided time of attack has arrived or not. If it has, the virus unleashes the attack phase and starts doing what it is meant to do.
3.5 Structure of Viruses
A virus can be prepended or appended to an executable program, or it can be embedded in some other fashion. The key to its operation is that the infected program, when invoked, will first execute the virus code and then execute the original code of the program.
Program V :=
{ goto main;
  1234567;

  subroutine infect-executable :=
  { loop:
      file := get-random-executable-file;
      if (first-line-of-file = 1234567)
        then goto loop
        else prepend V to file;
  }

  subroutine do-damage :=
  { whatever damage is to be done }

  subroutine trigger-pulled :=
  { return true if some condition holds }

  main: main-program :=
  { infect-executable;
    if trigger-pulled then do-damage;
    goto next;
  }

  next:
}
In this case, the virus code, V, is
prepended to infected programs, and it is assumed that the entry point to the
program, when invoked is the first line of the program.
An infected program begins with the
virus code and works as follows. The first line of code is a jump to the main
virus program. The second line is a special marker that is used by the virus to
determine whether or not a potential victim program has already been infected
with this virus. When the program is invoked, control is immediately
transferred to the main virus program. The virus program first seeks out
uninfected executable files and infects them.
Next, the virus may perform some
action, usually detrimental to the system. This action could be performed every
time the program is invoked, or it could be a logic bomb that triggers only
under certain conditions. Finally, the virus transfers control to the original
program. If the infection phase of the program is reasonably rapid, a user is
unlikely to notice any difference between the execution of an infected and
uninfected program.
Here is a simple structure of a virus. In the infected binary, at a known byte location in the file, the virus inserts a signature byte used to determine whether a potential carrier program has been previously infected.
V()
{
    infectExecutable();
    if (triggered())
    {
        doDamage();
    }
    jump to main of infected program;
}

void infectExecutable()
{
    file = choose an uninfected executable file;
    prepend V to file;
}

void doDamage()
{
    /* whatever damage is to be done */
}

int triggered()
{
    return (some test ? 1 : 0);
}
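The marker line that program V checks before infecting a file, and the signature byte at a known location in the second listing, are exactly what a scanner can look for: whatever tells the virus "already infected" tells the defender "infected". The following is an added example written for this page, not code from the original text; it assumes text-like sample files whose second line is the marker 1234567 from the pseudocode above, and a hypothetical fixed-offset layout for the binary variant. All sample files are constructed.

```python
# Added example (not from the page): a scanner that reuses the virus's own
# "already infected" marker as a detection signature.
#
# Assumptions: sample programs are text-like byte strings whose second line,
# in the infected case, is the marker 1234567 from program V above; the
# byte-offset variant models the "signature byte at a known location" from the
# second listing (offset chosen here, hypothetical). All sample files below are
# constructed, not real programs.

MARKER = b"1234567"  # marker line from program V on the page


def second_line(data: bytes) -> bytes:
    """Return the second line of a text-like file, stripped, or b"" if absent."""
    lines = data.split(b"\n")
    return lines[1].strip() if len(lines) > 1 else b""


def has_marker_line(data: bytes, marker: bytes = MARKER) -> bool:
    """True if the file's second line is exactly the infection marker.

    This is the same test program V uses to avoid reinfecting a file, applied
    from the defender's side.
    """
    return second_line(data) == marker


def has_signature_at(data: bytes, signature: bytes, offset: int) -> bool:
    """Binary variant: signature bytes at a fixed offset (hypothetical layout)."""
    return data[offset:offset + len(signature)] == signature


def scan(files: dict) -> list:
    """Return the sorted names of files carrying the marker line."""
    return sorted(name for name, data in files.items() if has_marker_line(data))


# Constructed sample files (plain text standing in for executables).
SAMPLES = {
    "clean.prg": b"start:\nload config\nrun\n",
    "infected.prg": (
        b"goto main\n"
        b"1234567\n"
        b"subroutine infect-executable ...\n"
        b"start:\nload config\nrun\n"
    ),
    # Near miss: a different number on line 2 must not be flagged.
    "lookalike.prg": b"print total\n12345678\nrun\n",
}

if __name__ == "__main__":
    print("flagged:", scan(SAMPLES))  # flagged: ['infected.prg']
```

The exact-match test matters: a scanner that merely searched for the digits anywhere in the file would flag the lookalike sample as well, so the check is tied to the position the virus itself uses.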
The above virus makes the infected file longer than it was, making it easy to spot. There are many techniques to leave the file length and even a checksum unchanged and yet infect. For example, many executable files contain long sequences of zero bytes, which can be replaced by the virus and regenerated. It is also possible to compress the original executable code, as typical Zip programs do, uncompress it before execution, and pad with bytes so that the checksum comes out to be what it was.
A virus such as the one just described
is easily detected because an infected version of a program is longer than the
corresponding uninfected one. A way to thwart such a simple means of detecting
a virus is to compress the executable file so that both the infected and
uninfected versions are of identical length.
Program CV :=
{ goto main;
  01234567;

  subroutine infect-executable :=
  { loop:
      file := get-random-executable-file;
      if (first-line-of-file = 01234567) then goto loop;
      (1) compress file;
      (2) prepend CV to file;
  }

  main: main-program :=
  { if ask-permission then infect-executable;
    (3) uncompress rest-of-file;
    (4) run uncompressed file;
  }
}
Figure: Logic for a Compression Virus
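The two listings above differ in what they leave behind on disk: V makes the infected file longer, while CV keeps the length identical, so a size comparison alone catches V but misses CV. A content hash recorded while the system is known clean catches both. The following integrity check is an added example for this page, not code from the original text; the "after" files are constructed by hand here to model the two layouts (stub + original, and stub + compressed original zero-padded to the old length) and are not produced by any virus.

```python
# Added example (not from the page): a baseline integrity check that
# distinguishes the two infection styles discussed above. Program V makes the
# file longer; the compression virus CV keeps the length identical, so a size
# check alone misses it, while a content hash catches both.
#
# Assumptions: "files" are constructed byte strings in a dict; the modified
# versions are built here by hand to model the file layouts, not by any virus.
import hashlib
import zlib


def fingerprint(data: bytes) -> tuple:
    """Baseline record for one file: (length, SHA-256 hex digest)."""
    return (len(data), hashlib.sha256(data).hexdigest())


def build_baseline(files: dict) -> dict:
    """Record size and hash of every file while the system is known clean."""
    return {name: fingerprint(data) for name, data in files.items()}


def check_integrity(baseline: dict, files: dict) -> dict:
    """Compare current files with the baseline.

    Verdicts: 'ok', 'grown' (longer, as after V prepends itself),
    'same-length-modified' (as after CV compresses the original),
    'shrunk', or 'missing'.
    """
    report = {}
    for name, (size0, digest0) in baseline.items():
        if name not in files:
            report[name] = "missing"
            continue
        size1, digest1 = fingerprint(files[name])
        if digest1 == digest0:
            report[name] = "ok"
        elif size1 > size0:
            report[name] = "grown"
        elif size1 == size0:
            report[name] = "same-length-modified"
        else:
            report[name] = "shrunk"
    return report


# Constructed clean originals (repetitive so they compress well).
ORIGINAL = {
    "editor.exe": b"EDITOR PROGRAM CODE " * 20,   # 400 bytes
    "calc.exe": b"CALCULATOR CODE " * 25,         # 400 bytes
    "game.exe": b"GAME CODE " * 40,               # 400 bytes
}

_STUB = b"[constructed stub]"  # stands in for the prepended code in the model


def padded_compressed(original: bytes, stub: bytes = _STUB) -> bytes:
    """Model of CV's layout: stub + compressed body, zero-padded to the old length."""
    body = stub + zlib.compress(original)
    if len(body) > len(original):
        raise ValueError("original does not compress enough to keep its length")
    return body.ljust(len(original), b"\x00")


# Constructed "after" state: one file grown, one modified in place, one untouched.
CURRENT = {
    "editor.exe": _STUB + ORIGINAL["editor.exe"],
    "calc.exe": padded_compressed(ORIGINAL["calc.exe"]),
    "game.exe": ORIGINAL["game.exe"],
}


def run_check() -> dict:
    """Build the baseline from the clean set and check the current set."""
    return check_integrity(build_baseline(ORIGINAL), CURRENT)


if __name__ == "__main__":
    for name, verdict in sorted(run_check().items()):
        print(f"{name:12s} {verdict}")
```

The baseline has to be taken from a known-clean state (the rescue disk mentioned earlier is the natural place to keep it), and a plain checksum is not enough against the padding trick the text describes; a cryptographic hash such as SHA-256 cannot be compensated for by padding bytes.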
3.6 Components of Virus:
There
are 3 parts:
a. Infector
b. Replicator
c. Payload
a. Infector:
This is the section of the viral code which infects some part of the system when triggered for the first time. That happens when the virus first enters a system. The infector part may decide to infect a file system, a system sector, or an application.
b. Replicator:
The Replicator is the section of the virus which has the job of making the virus replicate or duplicate, such that every time the viral code is triggered or executed the virus gets a chance to replicate. Usually, infection at a proper place like the system sector leaves a better chance of replicating a greater number of times. Replicators are crucial in deciding the overall strength of the virus.
c. Payload:
This is the section which determines the amount of damage or harm the virus can cause to the system or its resources. Usually it is a direct implication of the Replicator: because the replicator is able to replicate a specific number of times, the payload will be correspondingly greater. Depending on how large the payload is, the virus goes into the attack phase. Usually a higher payload means that the system and its resources can more easily be overcome by the virus.