
Seminar Report on Study of Viruses and Worms

H.Shravan Kumar(05329018)
KReSIT,
I.I.T. Bombay.
Email: [email protected]

Guide: Prof. Bernard Menezes.

Abstract— One of the most high-profile threats to information integrity is the computer virus. In this paper I present what viruses, worms and Trojan horses are and how they differ, the different strategies of virus spreading, and case studies of the Slammer and Blaster worms.

I. INTRODUCTION

The internet consists of hundreds of millions of computers distributed around the world. Millions of people use the internet daily, taking full advantage of the available services at both personal and professional levels. The internet connectivity among computers on which the World Wide Web relies, however, renders its nodes an easy target for malicious users who attempt to exhaust their resources, damage their data or create havoc in the network.

Computer viruses, especially in recent years, have increased dramatically in number. One of the most high-profile threats to information integrity is the computer virus. Surprisingly, PC viruses have been around for two-thirds of the IBM PC's lifetime, appearing in 1986. With global computing on the rise, computer viruses have had more visibility in the past few years. In fact, the entertainment industry has helped by illustrating the effects of viruses in movies such as "Independence Day", "The Net" and "Sneakers". Along with computer viruses, computer worms are also increasing day by day. So there is a need to immunise the internet by creating awareness among people about these in detail. In this paper I have explained the basic concepts of viruses and worms and how they spread.

The basic organisation of the paper is as follows. Section 2 gives some preliminaries: the definitions of computer viruses, worms and Trojan horses, as well as some other malicious programs, and the basic characteristics of a virus. Section 3 gives a detailed description: the malicious code environments in which a virus can propagate, an overview of virus/worm types, and the categories of worm, in which the different forms of worm are explained in a broad sense. Section 4, File Infection Techniques, describes the various infection mechanisms of a virus. Section 5, Steps in Worm Propagation, describes the basic steps that a typical worm follows to propagate. Section 6 presents two case studies, of the Slammer worm and the Blaster worm.

II. PRELIMINARIES

A. Virus:

A self-replicating program. Some definitions also add the constraint that it has to attach itself to a host program to be able to replicate. Viruses often require a host, and their goal is to infect other files so that the virus can live longer. Some viruses perform destructive actions, although this is not necessarily the case. Many viruses attempt to hide from being discovered.

A virus might rapidly infect every file on an individual computer or slowly infect the documents on the computer, but it does not intentionally try to spread itself from that (infected) computer to others. In most cases, that's where humans come in. We send e-mail document attachments, trade programs on diskettes, or copy files to file servers. When the next unsuspecting user receives the infected file or disk, they spread the virus to their computers, and so on.

B. Worms:

Worms are insidious because they rely less (or not at all) upon human behaviour in order to spread themselves from one computer to others. A computer worm is a program that is designed to copy itself from one computer to another, leveraging some network medium: e-mail, TCP/IP, etc. The worm is more interested in infecting as many machines as possible on the network, and less interested in spreading many copies of itself on a single computer (as a computer virus does). The prototypical worm infects (or causes its code to run on) a target system only once; after the initial infection, the worm attempts to spread to other machines on the network.

Some researchers define worms as a sub-type of viruses. In the early years worms were considered a problem of mainframes only. But this changed after the Internet became widespread; worms quickly adapted to Windows and started to send themselves through network functions.

Some categories that come under worms are:
Mailers and Mass-Mailer worms
Octopus
Rabbits
C. Trojan Horses:

A Trojan Horse is one which pretends to be a useful program but performs some unwanted action. Most Trojans activate when they are run and sometimes destroy the structure of the current drive (FATs, directories, etc.), obliterating themselves in the process. These do not require a host and do not replicate.

A special type is the backdoor Trojan, which does not do anything overtly destructive, but leaves your computer open for remote control and unauthorised access.

D. Others:

There are other types of malicious programs apart from viruses, worms and Trojan horses. Some of them are described below.

1) Logic Bombs: A logic bomb is a programmed malfunction of a legitimate application. These are intentionally inserted in otherwise good code. They remain hidden, with only their effects being visible. These do not replicate. Bugs do everything except make more bugs.

2) Germs: These are first-generation viruses in a form that the virus cannot generate through its usual infection process. When the virus is compiled for the first time, it exists in this special form and normally does not have a host program attached to it. Germs will not have the usual marks that most viruses use in second-generation form to flag infected files and avoid reinfecting an already infected object.

3) Exploits: An exploit is specific to a single vulnerability or set of vulnerabilities. Its goal is to run a program on a (possibly remote, networked) system automatically, or to provide some other form of more highly privileged access to the target system.

E. Characteristics:

The following are some of the characteristics of viruses:
1) Size - The program code required for a computer virus is very small.
2) Versatility - Computer viruses have appeared with the ability to generically attack a wide variety of applications.
3) Propagation - Once a computer virus has infected a program, while this program is running the virus is able to spread to other programs and files accessible to the computer system.
4) Effectiveness - Many computer viruses have far-reaching and catastrophic effects on their victims, including total loss of data, programs, and even operating systems.
5) Functionality - A wide variety of functions has been demonstrated in virus programs. Some virus programs merely spread themselves to applications without attacking data files, program functions, or operating system activities. Other viruses are programmed to damage or delete files, and even to destroy systems.
6) Persistence - In many cases, especially in networked operations, eradication of viruses has been complicated by the ability of a virus program to repeatedly spread and reoccur through the networked system from a single copy.

III. DETAILED DESCRIPTION

A. Malicious Code Environments

It is important to know about the particular execution environments in order to understand computer viruses. A successful penetration of a system by viral code occurs only if the various dependencies of the malicious code match a potential environment. The following are some of the various malicious code environments:
1) Computer Architecture Dependency
2) CPU Dependency
3) Operating System Dependency and Operating System Version Dependency
4) File System Dependency
5) File Format Dependency
6) Interpreted Environment Dependency
7) Vulnerability Dependency
8) Date and Time Dependency
9) Just-In-Time Dependency
10) Archive Format Dependency
11) File Format Extension Dependency
12) Network Protocol Dependency
13) Source Code Dependency
14) Self-Contained Environment Dependency

B. Virus/Worm types overview

These are the main categories of viruses and worms:
1) Binary File Virus and Worm – File viruses infect executables (program files). They are able to infect over networks. Normally these are written in machine code. File worms are also written in machine code, but instead of infecting other files, worms focus on spreading to other machines.
2) Binary Stream Worms – Stream worms are a group of network-spreading worms that never manifest as files. Instead, they travel from computer to computer as pieces of code that exist only in memory.
3) Script File Virus and Worm – A script virus is technically a file virus, but script viruses are written as human-readable text. Since computers cannot understand text instructions directly, the text first has to be translated from text to machine code. This process is called "interpretation", and is performed by separate programs on the computer.
4) Macro Virus – Macro viruses infect data files, or files that are normally perceived as data files, like documents and spreadsheets. Just about anything that we can do with ordinary programs on a computer we can do with macro instructions. Macro viruses are more common nowadays. These can infect over the network.
5) Boot Virus – The first known successful computer viruses were boot sector viruses. Today these are rarely used. These infect boot sectors of hard drives and floppy
disks and are not dependent on the actual operating system installed. These are not able to infect over networks. These take over the boot process of personal computers. Because most computers don't contain an operating system in their Read Only Memory (ROM), they need to load the system from somewhere else, such as from a disk or from the network (via a network adapter).
6) Multipartite Viruses – Multipartite viruses infect both executable files and boot sectors, or executable and data files. These are not able to infect over networks.

C. Categories of Worm

Worms are broadly categorised into three types. They are:
1) E-mail (and other application) worms – These worms, when executed on a local system, take advantage of the user's e-mail capabilities to send themselves to others. The first e-mail worm was found in 1987, with the Christmas tree trojan horse. At the early stages these used local mail programs and/or mail APIs on a compromised machine to send out copies of themselves to one or more addresses. Later e-mail worms contained their own SMTP engines so that they were not (as) dependent on the mail capabilities of the compromised machine. Soon after, they started using spoofed mail headers.
2) Windows file sharing worms – These take advantage of the Microsoft Windows peer-to-peer service that is enabled whenever Windows determines networking hardware is present in a system. It uses the Server Message Block (SMB) protocol and sometimes the Common Internet File System (CIFS), which was originally designed for trusted workgroups. File sharing worms are rarely seen in isolation, as they are usually created along with other attacks, and a well-configured firewall can stop file sharing outside of the organisation. These have been growing over the past two years.
3) Traditional worms – These do not require user intervention. These often use direct connections over TCP/IP-based protocols to exploit vulnerabilities in operating systems and applications. Most of the traditional worms have exploited Unix-based operating systems such as Linux. Only recently have these started affecting Microsoft operating systems. These exploit vulnerabilities to propagate, and the time between the announcement of a vulnerability and its exploitation by a worm has been shrinking.

IV. FILE INFECTION TECHNIQUES OF VIRUSES

The following are the common strategies that virus writers have used over the years to invade new host systems:
1) Overwriting Viruses – These locate another file on the disk and overwrite it with their own copy. This is the easiest approach, and these can do great damage when they overwrite all the files in the system. These cannot be disinfected from a system. Infected files must be deleted and restored from backups. These don't change the size of the host.
2) Random Overwriting Viruses – This is another rare variation of the overwriting method; it does not change the code at the top of the file but chooses a random location in the host program and overwrites that location. In this case it is possible that the virus code never gets control during execution. In both cases, the host program is lost during the virus attack, and often crashes before the virus code executes.
3) Appending Viruses – In this technique the virus code is appended at the end of the program and the first instruction of the code is changed to a jump or call instruction pointing to the starting address of the viral code.
4) Prepending Viruses – A common virus infection technique uses the principle of inserting virus code at the front of host programs. Such viruses are called prepending viruses. This is a simple infection technique and is often successful. Virus writers wrote many of this kind on various operating systems, causing major outbreaks.
5) Classical Parasitic Virus – This is a variation of the prepender technique. These overwrite the top portion of the program with virus code, and the original top portion is copied to the end of the program.
6) Cavity Viruses – These typically don't increase the size of the program they infect. Instead they overwrite a part of the file that can be used to store the virus code safely. Normally these overwrite areas of binary files that contain zeros. These are often slow spreaders on DOS systems.
7) Compressing Viruses – This is a special technique where the content of the host program is compressed. Compressor viruses are sometimes beneficial because such viruses might compress the infected program to a much shorter size, saving disk space.
8) Amoeba Infection Technique – This is a rarely seen infection technique where the head part of the viral code is stored at the start of the host program and the tail part is stored after the end of the host program.

V. STEPS IN WORM PROPAGATION

Each worm has a few essential components, such as a target locator and infection propagation modules, and a couple of nonessential modules, such as remote control, update interface, life-cycle manager, and payloads.
1) Target Locator:- For a worm to propagate, first it must discover the existence of a machine. There are many techniques by which a worm can discover new machines to exploit. They are:
a) Scanning: This entails probing a set of addresses to identify the vulnerable hosts. Two simple forms of scanning are sequential scanning (working through an address block using an ordered set of addresses)
and random scanning (trying addresses out of a block in pseudo-random fashion).
b) Pre-generated Target Lists: An attacker could obtain a target list in advance, creating a "hit-list" of probable victims with good network connections. This list is created well before the release of the worm. There are some scanning techniques that just look for particular criteria, such as the operating system the machine is running, what servers are running, what the version of the operating system is, etc. Stealthy scans, distributed scanning, DNS searches, just listening, and also some public surveys such as the Netcraft Survey can provide such lists.
c) Externally Generated Target Lists: An externally generated list is one which is maintained by a separate server, such as a matchmaking service's metaserver. This can also be used to speed up worm propagation. Such a worm has not yet been seen in the wild.
d) Internal Target Lists: Many applications contain information about the other hosts providing vulnerable services. Such target lists can be used to create 'topological' worms, where the worm searches the local information to find new victims by trying to discover the local communication topology.
e) Passive: These do not seek out victim machines. Instead, they either wait for potential victims to contact the worm or rely on user behaviour to discover new targets. Although potentially slow, these worms produce no anomalous traffic patterns during target discovery, which potentially makes them highly stealthy.
2) Infection Propagator:- A very important strategy is the one the worm uses to transfer itself to a new node and gain control of the remote machine. Most worms assume that the target runs a copy of a certain Windows system and send a worm compatible with that system.
3) Remote Control and Update Interface:- Another important component of a worm is remote control using a communication module. Without such a module, the worm's author cannot control the worm network by sending control messages to the worm copies. Such remote control can allow the attacker to use the worm as a DDoS (distributed denial of service) tool on the zombie network against several unknown targets. The attacker is interested in changing the behaviour of the worm and even sending new infection strategies to as many compromised nodes as possible.
4) Life-Cycle Manager:- Some writers prefer to run a version of a computer worm for a preset period of time. On the other hand, many worms have bugs in their life-cycle manager component and continue to run without ever stopping.
5) Payload:- This is an optional but common component of a worm. An increasingly popular payload is a DDoS attack against a particular website. These can utilise the compromised systems as a "super computer". Recently it has become popular to install an SMTP (Simple Mail Transfer Protocol) spam relay as the payload of a worm.
6) Self-Tracking:- Many virus authors are interested in seeing how many machines the virus can infect, and they also want others to track the path of virus infections.

VI. CASE STUDIES

A. Slammer Worm

The Slammer worm, sometimes called Sapphire, was the fastest computer worm in history till now. It began its journey on January 25, 2003. As it began spreading through the Internet it infected more than 90 percent of vulnerable hosts within 10 minutes, causing significant disruption to financial, transportation, and government institutions and precluding any human-based response.
1) Vulnerability: Microsoft's database server SQL Server or Microsoft SQL Server Desktop Engine (MSDE) 2000 exhibits two buffer overrun vulnerabilities that can be exploited by a remote attacker without ever having to authenticate to the server. These are attacked using stack overflow and heap overflow techniques.
2) Target Selection: It used random scanning to select IP addresses, thereby finding vulnerable systems. Random scanning worms initially spread exponentially; later, infection slows as the worms continually retry infected or immune addresses. Slammer is bandwidth-limited, in contrast to Code Red, which is latency-limited.
3) Infection Propagator: It carries only 376 bytes of code, containing a simple, fast scanner. Along with the protocol headers its total size is 404 bytes. It used the UDP protocol for propagation, so it can transmit the entire packet in a single transfer. It uses port 1434 to transfer packets. It does not write itself into the system. It exists only as network packets and in running processes on the infected computers.
4) Payload: This does not contain any additional malicious content in the form of backdoors, etc. The speed at which it attempts to re-infect systems amounts to a denial-of-service attack in itself.
5) Network Propagation: When the SQL server receives a malicious request, the overrun in the server's buffer allows the worm code to be executed. After the worm has entered the vulnerable system, it first gets the addresses of certain functions and then starts an infinite loop to scan for other vulnerable hosts on the internet. It uses a pseudo-random number generation formula, seeded with the GetTickCount() value, to generate an IP address that is used as the target, thereby spreading further into the network and infecting vulnerable machines. It does not check for multiple instances of the worm on the affected system.

This could have done great damage if it had carried any malicious code with it. There are a few things that this worm's author got wrong; for example, in the pseudo-random number generation algorithm the author used the equation x' = (x * 214013 + 2531011) mod 2^32, but here the author
substituted a different value for the 2531011 increment: hex 0xFFD9613C. This value is equivalent to -2531012 when interpreted as a two's-complement decimal.
6) Prevention: This can be prevented using a firewall which blocks port 1434, as the worm infects through this port only.

Fig. 1. Overview of Slammer
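An added example, not part of the report: a Python check of the arithmetic behind the PRNG flaw described in Section VI.A. It applies the quoted constants 214013, 2531011 and 0xFFD9613C to the standard Hull-Dobell full-period test for a linear congruential generator, then measures which low-order state bits the substituted increment can never change. The address-coverage bound is this example's own arithmetic, not a figure from the report, and assumes the generated 32-bit value is used directly as the target address.

```python
from math import gcd

# Constants quoted in the Slammer case study.
MOD = 2 ** 32
MULT = 214013
INC_INTENDED = 2531011       # increment of the generator the author meant to use
INC_USED = 0xFFD9613C        # increment actually substituted in the worm


def to_signed32(value):
    """Read a 32-bit pattern as a two's-complement signed integer."""
    value &= 0xFFFFFFFF
    return value - MOD if value & 0x80000000 else value


def lcg_step(x, inc):
    """One step of x' = (x * 214013 + inc) mod 2^32."""
    return (x * MULT + inc) % MOD


def hull_dobell_full_period(mult, inc, mod=MOD):
    """True iff the generator visits every value in [0, mod) before repeating.

    For mod = 2^k the Hull-Dobell conditions reduce to: inc is odd, and
    mult - 1 is a multiple of 4.  (Standard LCG theory, not from the report.)
    """
    return gcd(inc % mod, mod) == 1 and (mult - 1) % 4 == 0


def low_bits_fixed(inc, bits, seed=0x12345678, steps=100_000):
    """True iff the lowest `bits` bits of the state never change from the seed.

    When this holds, every address derived from the state keeps those bits,
    so one worm instance can reach at most 1 / 2**bits of the address space
    (assumption: the state value is used directly as the target address).
    """
    mask = (1 << bits) - 1
    x, fixed = seed, seed & mask
    for _ in range(steps):
        x = lcg_step(x, inc)
        if x & mask != fixed:
            return False
    return True


def invariant_low_bits(inc, seed=0x12345678):
    """Number of low-order state bits an instance can never change (0 = none)."""
    k = 0
    while k < 32 and low_bits_fixed(inc, k + 1, seed):
        k += 1
    return k


def coverage_bound(inc):
    """Upper bound on the fraction of the 2^32 states reachable from one seed."""
    if hull_dobell_full_period(MULT, inc):
        return 1.0
    return 1.0 / (1 << invariant_low_bits(inc))


if __name__ == "__main__":
    print("0xFFD9613C as signed:", to_signed32(INC_USED))
    for name, inc in (("intended", INC_INTENDED), ("used", INC_USED)):
        print(name, "full period:", hull_dobell_full_period(MULT, inc),
              "fixed low bits:", invariant_low_bits(inc),
              "coverage bound:", coverage_bound(inc))
```

With the even increment the multiplier's residue of 1 mod 4 makes x' congruent to x mod 4, so the two lowest bits of every generated address are frozen at their seed value.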

B. Blaster Worm

It is a multi-stage worm first observed on August 11, 2003. It affected between 200,000 and 500,000 computers.
1) Vulnerability: It exploited a remote procedure call (RPC) vulnerability of the Microsoft Windows 2000 and Windows XP operating systems which was made public in July 2003.
2) Initialization: The worm, when launched, opens a mutex called "BILLY" that is used to prevent multiple infections of the same machine, and sets a registry key which ensures that it is started every time the system reboots.
3) Target Selection: In the initialization phase it decides whether it will use the exploit code for Windows XP, with 80% probability, or the one for Windows 2000. With 60% probability it scans an IPv4 address of the form X.Y.Z.0 with X, Y, Z chosen at random. With 40% probability, an address of the form X.Y.Z1.0 derived from the infected computer's local address X.Y.Z.U is chosen. Z1 is set to Z unless Z is greater than 20, in which case a random value less than 20 is subtracted from Z to get Z1. The destination IP is incremented after each scan.
4) Infection Propagator: If a TCP connection to destination port 135 is opened, the exploit code is sent to the victim. If the machine was vulnerable, it starts listening on 4444/TCP and allows remote command execution. Unpatched Windows XP automatically reboots. Next it initiates a TCP connection to port 4444; if successful, the mblast.exe file is transferred using TFTP (Trivial File Transfer Protocol, which is a smaller version of FTP). If TFTP requests are not blocked, the worm code is downloaded on UDP port 69. The infected host stops the TFTP daemon after transmission or after 20 seconds of inactivity. If successful, it sends the command mblast.exe on the already open TCP connection to port 4444 of the victim.
5) Payload: The payload of the worm for the RPC step is as follows: 72 bytes for RPC, 1460 bytes for the "request" and a 244-byte TCP packet. Along with these there are 40-48 bytes for TCP/IP, which brings the worm to 1976 to 2016 bytes. The worm code is 6176 bytes; along with the overhead of headers it comes to 6592 bytes on the IP layer.
6) Prevention: This can be prevented by using a firewall that blocks incoming traffic to port 135/TCP, port 4444 or the TFTP port, and by applying the operating system patch against the RPC vulnerability.

Fig. 2. Overview of Blaster

VII. CONCLUSION

I have gone through the basic definitions of viruses and worms, then discussed the different malicious code environments. After that I discussed the different types of viruses and worms, then discussed in detail the various virus and worm propagation techniques. I have also looked into two case studies, of the Slammer and Blaster worms.
The ability of attackers to rapidly gain control of vast numbers of internet hosts poses an immense risk to the overall security of the internet. Nowadays virus writers are concentrating more on writing worms, as they have a great capability to spread over the network in a few minutes. There are various upcoming techniques in worm propagation, such as polymorphic worms, which are really a big threat to the internet community. Worms can be written such that they affect only a particular region or country. There are worms which will keep quiet for a specific amount of time and attack at random times.
These worms can also be used to create Distributed Denial of Service (DDoS) attacks, which are a real threat to websites and network traffic.
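The following detector is an added example, not part of the report: it turns the network characteristics quoted in the two case studies (Slammer's 404-byte UDP/1434 datagram; Blaster's TCP/135 scan that increments the destination address, followed by 4444/TCP and a TFTP transfer on UDP/69) into checks over flow records. The record format, the sample flows and the thresholds are constructed for this example.

```python
from collections import defaultdict
from ipaddress import ip_address

# Network characteristics quoted in the two case studies.
SLAMMER_PORT, SLAMMER_LEN = 1434, 404     # UDP/1434, 404 bytes including headers
BLASTER_RPC_PORT, BLASTER_SHELL_PORT, TFTP_PORT = 135, 4444, 69

# Thresholds are assumptions made for this example, not values from the report.
MIN_SLAMMER_TARGETS = 4      # distinct destinations hit with the 404-byte datagram
MIN_SEQUENTIAL_135 = 4       # consecutive +1 destination steps on TCP/135

# Constructed flow records, one per line, in time order: src dst proto dport bytes
SAMPLE_FLOWS = """
10.0.0.5 10.1.2.3 UDP 1434 404
10.0.0.5 172.16.9.9 UDP 1434 404
10.0.0.5 192.168.7.7 UDP 1434 404
10.0.0.5 10.9.9.9 UDP 1434 404
10.0.0.8 10.1.2.3 UDP 1434 404
10.0.0.8 10.1.2.3 UDP 1434 404
10.0.0.9 10.5.0.1 TCP 135 120
10.0.0.9 10.5.0.2 TCP 135 120
10.0.0.9 10.5.0.3 TCP 135 120
10.0.0.9 10.5.0.4 TCP 135 120
10.0.0.9 10.5.0.5 TCP 135 120
10.0.0.9 10.5.0.5 TCP 4444 60
10.5.0.5 10.0.0.9 UDP 69 80
10.0.0.10 10.6.0.1 TCP 135 120
10.0.0.10 10.6.0.2 TCP 135 120
10.0.0.10 10.6.0.3 TCP 135 120
10.0.0.10 10.6.0.4 TCP 135 120
10.0.0.10 10.6.0.5 TCP 135 120
10.0.0.11 10.7.3.3 TCP 135 120
10.0.0.11 10.7.9.1 TCP 135 120
"""


def parse_flows(text):
    """Parse the constructed record format into a list of dicts."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, dport, size = line.split()
        flows.append({"src": src, "dst": dst, "proto": proto.upper(),
                      "dport": int(dport), "bytes": int(size)})
    return flows


def detect_slammer(flows):
    """Sources that send the 404-byte UDP/1434 datagram to many distinct hosts.

    Repeats to a single server (10.0.0.8 above) are not flagged: the worm's
    signature is the same datagram sprayed at many addresses.
    """
    targets = defaultdict(set)
    for f in flows:
        if (f["proto"], f["dport"], f["bytes"]) == ("UDP", SLAMMER_PORT, SLAMMER_LEN):
            targets[f["src"]].add(f["dst"])
    return sorted(s for s, d in targets.items() if len(d) >= MIN_SLAMMER_TARGETS)


def detect_blaster(flows):
    """Sources whose TCP/135 attempts walk consecutive destination addresses.

    The report notes the destination IP is incremented after each scan.  A
    follow-up 4444/TCP connection from the scanner, or a TFTP (UDP/69) pull
    from a victim back to the scanner, upgrades 'scan' to 'likely infection'.
    """
    last_dst, runs, followup = {}, defaultdict(int), defaultdict(set)
    for f in flows:
        src, dst = f["src"], f["dst"]
        if f["proto"] == "TCP" and f["dport"] == BLASTER_RPC_PORT:
            n = int(ip_address(dst))
            if src in last_dst and n == last_dst[src] + 1:
                runs[src] += 1
            last_dst[src] = n
        elif f["proto"] == "TCP" and f["dport"] == BLASTER_SHELL_PORT:
            followup[src].add("4444/tcp")
        elif f["proto"] == "UDP" and f["dport"] == TFTP_PORT:
            followup[dst].add("tftp")          # victim downloads from the scanner
    return {src: ("likely infection" if followup[src] else "scan")
            for src, run in runs.items() if run >= MIN_SEQUENTIAL_135}
```

The firewall rules the report recommends (blocking 1434/UDP, 135/TCP, 4444/TCP and TFTP) stop the traffic these checks look for; the checks themselves identify which internal host is already infected and needs to be taken off the network.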
VIII. ACKNOWLEDGEMENT
I would like to thank my guide Prof. Bernard Menezes for his continuous support throughout this work. I would also like to thank Peter Szor for his excellent book "The Art of Computer Viruses and Defence". I would also like to thank one and all who helped me in doing this work, either directly or indirectly.
