2.3 VIRUSES

A virus is malware that, when executed, tries to replicate itself into other executable code. When it succeeds, that code is said to be infected. The infected code, when run, can infect new code in turn. Viruses are self-replicating and parasitic: a virus spreads by being copied, or by initiating its own copying, to another program, a computer's boot sector or a document. Viruses can be transmitted as attachments to an email note, in a downloaded file, or on a diskette or CD. Some viruses take effect as soon as their code is executed; others lie dormant until circumstances cause the computer to execute their code. Generally speaking, viruses hide within computer files rather than sitting out in the open in some obvious, visible and separate form. But a virus must be run before it can proceed with its destructive work; until this happens it cannot do any harm. This explains why the most effective technique for fending off viruses is to inspect all files and media that enter the system, look for possible signs of infection, and refuse to copy infected material into memory.

2.3.1 Classification of Viruses

Viruses are classified on the basis of their mode of existence, and there are three categories of viruses:

1) Boot Infectors

2) System Infectors

3) General Executable Programme Infectors

A boot sector is a sector of a hard disk, floppy disk, or other data storage device that contains code for booting programs stored in other parts of the disk.

Boot Infectors: As the name suggests, they are characterized by the fact that they physically reside in the boot sector (sector 0) of the disk. A system infected by such a virus will have the virus residing in a particular area of the disk rather than in a program file.

These viruses get loaded soon after the Power-On Self Test, take control of the system and remain in control at all times. They sometimes have the capability to trap a soft boot (i.e., Ctrl-Alt-Del) and remain in control even if the system is booted from a non-infected floppy, thereby contaminating the clean floppy.

Boot infectors displace the information originally residing in the location they occupy. While writing onto the boot sector, the virus ensures that the boot record is not deleted. Once the virus is loaded, it automatically transfers control to the area where the boot record has been kept. The reason for doing this is that the boot record contains the instructions to read the boot files of the operating system; if these files cannot be read, the disk cannot be accessed and so the virus becomes ineffective.

Boot infectors typically create "bad sectors". Once loaded, a boot infector stays in memory until the system is switched off, and stays on the disk until it is reformatted.
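As an added example (not part of the original notes), the following Python reads a DOS boot sector, parses its BIOS Parameter Block (BPB), runs a few plausibility checks, and compares the live sector against a saved clean copy of the kind the Prevention and Cure section later recommends keeping on a floppy. Because a boot infector must leave the BPB intact so the disk stays readable, its change shows up in the code area of the sector rather than in the BPB. The 1.44 MB floppy sector and its "infected" counterpart are constructed inline for illustration, not captured from a real disk.

```python
import struct

SECTOR_SIZE = 512
BPB_FMT = "<3s8sHBHBHHBHHHII"          # DOS 3.31 BIOS Parameter Block (36 bytes)
BPB_FIELDS = ("jump", "oem", "bytes_per_sector", "sectors_per_cluster",
              "reserved_sectors", "num_fats", "root_entries", "total_sectors16",
              "media", "sectors_per_fat", "sectors_per_track", "heads",
              "hidden_sectors", "total_sectors32")
BPB_LEN = struct.calcsize(BPB_FMT)
BOOT_SIGNATURE = b"\x55\xAA"


def parse_boot_sector(sector: bytes) -> dict:
    """Decode the BPB of a 512-byte boot sector; raises on bad length or signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    if sector[510:] != BOOT_SIGNATURE:
        raise ValueError("missing 55AA boot signature")
    return dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FMT, sector, 0)))


def sanity_issues(bpb: dict) -> list:
    """Plausibility checks a detector can run before trusting the sector at all."""
    issues = []
    if bpb["jump"][0] not in (0xEB, 0xE9):
        issues.append("first byte is not a JMP")
    if bpb["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        issues.append("odd bytes_per_sector")
    spc = bpb["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        issues.append("sectors_per_cluster not a power of two")
    if bpb["num_fats"] not in (1, 2):
        issues.append("unexpected number of FATs")
    return issues


def changed_ranges(a: bytes, b: bytes) -> list:
    """[(start, end), ...] byte ranges where two equal-length buffers differ."""
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def compare_with_saved(saved: bytes, current: bytes) -> dict:
    """Restorative check: diff the live sector against the copy kept on a clean floppy."""
    return {
        "bpb_changed": saved[:BPB_LEN] != current[:BPB_LEN],
        "code_changed": saved[BPB_LEN:510] != current[BPB_LEN:510],
        "changed_ranges": changed_ranges(saved, current),
    }


def build_floppy_sector(code: bytes) -> bytes:
    """Constructed 1.44 MB floppy boot sector (sample data, not a real disk image)."""
    bpb = struct.pack(BPB_FMT, b"\xEB\x3C\x90", b"MSDOS5.0", 512, 1, 1, 2, 224,
                      2880, 0xF0, 9, 18, 2, 0, 0)
    body = (bpb + code).ljust(510, b"\x00")
    return body + BOOT_SIGNATURE


# Saved clean copy: a little placeholder boot code after the BPB (cli; xor ax,ax; mov ss,ax).
SAVED_SECTOR = build_floppy_sector(b"\x00" * 26 + b"\xFA\x33\xC0\x8E\xD0")
# Constructed "infected" copy: BPB untouched, 64 bytes of the code area overwritten.
CURRENT_SECTOR = SAVED_SECTOR[:64] + b"\xCC" * 64 + SAVED_SECTOR[128:]

if __name__ == "__main__":
    print(parse_boot_sector(CURRENT_SECTOR))
    print(sanity_issues(parse_boot_sector(CURRENT_SECTOR)))
    print(compare_with_saved(SAVED_SECTOR, CURRENT_SECTOR))
```

The sanity checks alone pass on the infected sector, which is the point: a boot infector that preserves the BPB looks perfectly healthy to a format check, and only the comparison against a copy stored off the disk exposes the change.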

System Infectors: This second category of viruses deals with the components of the system itself. All machines, without exception, require an operating system in order to create the environment in which the operator works. For example, in MS-DOS, COMMAND.COM contains all the internal commands. If no such command file exists, commands such as COPY and DIR are not loaded into memory when the machine is booted. System infectors attach themselves to a file such as COMMAND.COM or to other memory-resident files and manipulate those files.

System infectors differ from boot infectors in that system infectors gain control after the computer is booted, and they infect only a hard disk or bootable floppies which contain the appropriate system files. They have another peculiarity: they may activate after a given period of time, or may instantly begin subtle modifications to system processing such as increasing the time taken to perform system functions, scrambling data, or modifying the system's error messages or information messages.

General Executable Program Infectors: From the infection point of view, these viruses are the most dangerous and devastating of the three classes. They attach themselves to program files and can spread to almost any executable program in any system. These viruses change the original program's first instructions into a "jump" to their own code and follow that code with a return to the original program. As a result, whenever the program is executed, the virus gets loaded and executed first and then allows the original program to proceed. It remains memory resident and infects each and every program that is loaded for execution.

By attaching themselves to .EXE or .COM files, they alter the file size, and sometimes multiple infections render program files too large to be accommodated in memory.

The major differences between an EXE file and a COM file are:

1) An EXE file contains a header, whereas a COM file does not.

2) An EXE program can contain more than one segment, but a COM program must fit in a single segment.
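The difference in structure matters to a detector. An EXE declares its own length in the MZ header (a page count plus the bytes used in the last page), so bytes appended beyond that length stand out; a COM file has no header, so the most a scanner can do is notice that the first instruction has become a jump to the tail of the file, which is how a program infector reroutes execution. The Python below, added here as an example and not taken from the original notes, classifies a file as EXE or COM, parses the MZ header, and applies those two checks. The sample EXE, the COM file and the 1808-byte tail are constructed inline (the tail is just filler bytes, not real virus code).

```python
import struct

# MZ ("DOS EXE") header: 2-byte magic followed by 13 little-endian 16-bit words.
MZ_FIELDS = ("e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc", "e_maxalloc",
             "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc", "e_ovno")
MZ_FMT = "<2s" + "H" * len(MZ_FIELDS)
MZ_HEADER_LEN = struct.calcsize(MZ_FMT)      # 28 bytes


def classify(data: bytes) -> str:
    """An EXE carries an MZ header; a COM file is raw code with no header at all."""
    return "EXE" if data[:2] in (b"MZ", b"ZM") else "COM"


def parse_mz_header(data: bytes) -> dict:
    magic, *words = struct.unpack_from(MZ_FMT, data, 0)
    return dict(zip(MZ_FIELDS, words))


def declared_size(hdr: dict) -> int:
    """File length the header claims: e_cp pages of 512 bytes, e_cblp bytes used in the last."""
    if hdr["e_cblp"] == 0:
        return hdr["e_cp"] * 512
    return (hdr["e_cp"] - 1) * 512 + hdr["e_cblp"]


def exe_overlay(data: bytes) -> int:
    """Bytes beyond the declared image, where an appending infector parks its code."""
    return max(0, len(data) - declared_size(parse_mz_header(data)))


def com_jump_target(data: bytes):
    """If a COM file starts with a near JMP (E9 rel16), return the file offset it lands on."""
    if len(data) < 3 or data[0] != 0xE9:
        return None
    rel = struct.unpack_from("<h", data, 1)[0]
    return 3 + rel                 # COM loads at CS:0100h, so file offset = IP - 100h


def inspect(data: bytes, tail_window: int = 64) -> dict:
    """Flag an EXE with an overlay, or a COM whose first instruction jumps into its tail."""
    kind = classify(data)
    if kind == "EXE":
        overlay = exe_overlay(data)
        return {"kind": kind, "overlay": overlay, "suspicious": overlay > 0}
    target = com_jump_target(data)
    jumps_to_tail = target is not None and target >= len(data) - tail_window
    return {"kind": kind, "jump_target": target, "suspicious": jumps_to_tail}


def build_exe(code: bytes) -> bytes:
    """Constructed minimal EXE: 32-byte header (2 paragraphs) followed by `code`."""
    header_paragraphs = 2
    body = header_paragraphs * 16 + len(code)
    pages, last = divmod(body, 512)
    if last:
        pages += 1
    hdr = struct.pack(MZ_FMT, b"MZ", last, pages, 0, header_paragraphs, 0, 0xFFFF,
                      0, 0x100, 0, 0, 0, 0x1C, 0)
    return hdr.ljust(header_paragraphs * 16, b"\x00") + code


# Constructed samples. The "infected" EXE has 1808 filler bytes appended; the
# "infected" COM has its first three bytes replaced by a jump to 40 filler bytes at the end.
CLEAN_EXE = build_exe(b"\xB4\x4C\xCD\x21" + b"\x90" * 28)
INFECTED_EXE = CLEAN_EXE + b"\xCC" * 1808
CLEAN_COM = b"\xB4\x4C\xCD\x21"
INFECTED_COM = b"\xE9" + struct.pack("<h", 197) + b"\x90" * 197 + b"\xCC" * 40

if __name__ == "__main__":
    for name, sample in (("clean.exe", CLEAN_EXE), ("bad.exe", INFECTED_EXE),
                         ("clean.com", CLEAN_COM), ("bad.com", INFECTED_COM)):
        print(name, inspect(sample))
```

Both checks are heuristics, not proof. An infector that also rewrites e_cp and e_cblp leaves no overlay, and plenty of legitimate COM programs begin with a jump, so the checksum baseline described under Prevention and Cure remains the more reliable signal; these header checks are cheap first-pass triage.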

2.3.2 Types of Viruses

The virus list has become a never-ending one, with new viruses joining it every other day. We discuss some of the most commonly prevalent viruses in the computer industry.

Scores Virus: These viruses are prevalent on Macintosh machines. The Scores virus has a built-in time trigger that activates two, four and seven days after the disk has become infected. The consequences vary, ranging from printing problems and system crashes to malfunctioning disk operations. Data files are not directly affected by this virus, but removing it requires deletion of all files.

Brain Virus: This is one of the first viruses that came into being. Also known as the Pakistani virus, it was developed by two Pakistani brothers to keep track of low-cost software sold from their outlet in Lahore. The virus pops up a screen saying "Welcome to the Dungeon". These viruses are known to destroy data and are highly contagious.

Lehigh Virus: This virus originated at the Lehigh University Computer Centre. It stays in the stack space of COMMAND.COM. When a PC is booted from an infected disk, the virus is spread through commands such as COPY, TYPE and DIR: on any other disk carrying COMMAND.COM, the virus code is copied to that disk and a counter on the parent is incremented. When the counter reaches a value of 4, all files on the disk are erased, and the boot sector and the FAT are ruined as well.

Friday the 13th: This virus attacks not only COMMAND.COM but also other executable files. When a .COM or .EXE file is executed for the first time after booting, the virus captures a specific interrupt and inserts its own code; after that, whenever any .EXE file is executed, the virus code is written to the end of the file, increasing its size by 1808 bytes. In .COM files the virus code is written at the beginning of the file.

The increase in size of the .EXE and .COM files causes programs to become too large to be loaded into memory. Also, after a certain interval of time, delays are inserted, resulting in considerable slowing down of the programs. The worst disaster occurs if an infected .EXE or .COM is executed when the system date is Friday the 13th: all files get deleted.

Sunnyvale Slug: This does a variety of things, such as displaying the message "Greetings from Sunnyvale. Can you find me?", and sometimes modifies the COPY command so that files are deleted instead of copied.

Raindrops: This virus infects .COM files. It intercepts the load-and-execute function of MS-DOS and checks whether the file is an EXE; if it is not, the first three bytes of the file are replaced by a jump instruction to the end of the file, where the virus attaches itself after encryption. This results in characters dropping or showering down the screen like raindrops, accompanied by appropriate sound effects.

Happy Birthday 30th: This virus is activated on January 5th if any of the infected programs are executed, and it asks the user to type "Happy Birthday 30th". It might destroy all the data stored on a disk, spacing on a 1.2 MB floppy. The symptom of this virus is that the computer's memory is reported as 6 KB less than the actual amount, e.g. 634 KB instead of 640 KB.

Storm Worm: This fast-spreading threat was identified as an email spam campaign targeting Microsoft systems. It collects infected computers into the Storm botnet.

2.3.3 Infection Methods

Antivirus programs can spot a virus in one of two ways. First, the antivirus program may recognize a particular virus's signature, which is nothing more than the specific instructions embedded in the virus that tell it how to behave and act. A virus's signature is like a criminal's fingerprint: each one is unique and distinct.

A second way antivirus programs can detect a virus is through its behaviour. Antivirus programs can often detect the presence of a previously unknown virus by catching it as it tries to infect another file or disk.
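The signature method above is easy to demonstrate. The Python below is an added example, not code from the original notes: it keeps a small database of byte patterns (with "??" wildcards for bytes that legitimately differ between copies of the same virus, such as a counter or an address), compiles them to byte regexes, and scans a set of files for matches. The signature strings and the three sample "files" are constructed for illustration and are not real virus signatures. The variant sample shows the method's limitation that the Prevention and Cure section raises: change one byte of the matched sequence and the signature no longer fires, which is why scanners also watch behaviour.

```python
import re

# Constructed signature database (spaced hex, "??" = any one byte). Illustrative only.
SIGNATURES = {
    "Sample.A": "B4 4C CD 21 E9 ?? ?? 90 90",
    "Sample.B": "EB 1A 43 4F 50 59",
}


def compile_signature(hex_pattern: str):
    """Turn a spaced-hex pattern with ?? wildcards into a compiled bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in hex_pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL: "." must match 0x0A too


COMPILED = {name: compile_signature(pat) for name, pat in SIGNATURES.items()}


def scan(data: bytes) -> list:
    """Return [(signature name, offset), ...] for every match, ordered by offset."""
    hits = [(name, m.start())
            for name, pat in COMPILED.items()
            for m in pat.finditer(data)]
    return sorted(hits, key=lambda hit: hit[1])


def scan_files(files: dict) -> dict:
    """Scan a name -> bytes mapping (stand-in for a directory); report only infected files."""
    report = {}
    for name, data in files.items():
        hits = scan(data)
        if hits:
            report[name] = hits
    return report


# Constructed sample files. INFECTED embeds the Sample.A pattern at offset 8;
# VARIANT differs from it by a single byte (offset 16), which is enough to evade the signature.
CLEAN = b"\x90" * 16 + b"\xB4\x4C\xCD\x21"
INFECTED = b"\x90" * 8 + bytes.fromhex("B4 4C CD 21 E9 12 34 90 90") + b"\x00" * 8
VARIANT = INFECTED[:16] + b"\x91" + INFECTED[17:]

if __name__ == "__main__":
    print(scan_files({"CLEAN.COM": CLEAN, "BAD.COM": INFECTED, "VARIANT.COM": VARIANT}))
```

The wildcards in Sample.A let the same signature match copies whose jump displacement differs, but the scan is still only as good as the database: the variant goes unreported, and a real scanner would also need the behaviour-based checks the paragraph above describes.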

To sneak past an antivirus program, viruses use a variety of methods to spread:

  • Direct infection
  • Fast infection
  • Slow infection
  • Sparse infection
  • RAM-resident infection

Direct infection means that the virus infects a disk, or one or more files, each time you run the infected program or open the infected document. If you don't do either, the virus can't spread at all. Direct infection is the simplest but also the most noticeable way of infecting a computer and can often be detected by antivirus programs fairly easily.

Fast infection means that the virus infects any file accessed by an infected program.

For example, if a virus infects your antivirus program, watch out! Each time the infected antivirus program examines a file, it can actually infect that file immediately after certifying that the file is virus-free.

Slow infection means that the virus only infects newly created files or files modified by a legitimate program. By doing this, viruses attempt to further mask their presence from antivirus programs.

Sparse infection means that the virus takes its time infecting files. Sometimes it infects a file, and sometimes it doesn't. By infecting a computer slowly, viruses reduce their chance of being detected.

RAM-resident infection means that the virus buries itself in your computer's memory, and each time you run a program or insert a floppy disk, the virus infects that program or disk. RAM-resident infection is the only way that boot viruses can spread. Boot viruses can never spread across a network or the Internet, since they spread only when an infected floppy disk is physically inserted into a computer, although they can still infect individual computers attached to a network.

2.3.4 Prevention and Cure

Even though the computer industry has found a somewhat plausible solution to the virus problem in the form of vaccines, it is always advisable to follow the dictum "Prevention is better than cure". Moreover, viruses are written faster than vaccines. It is good practice to follow some simple precautionary measures which reduce the possibility of a virus attack. The precautionary measures are:

  • The CHKDSK command can be added to AUTOEXEC.BAT to check the disk; if the number of hidden files increases, the matter should be looked into.
  • The use of pirated software should be stopped.
  • Write-protect tabs should be used on the original software diskettes.
  • Proper backups of all data and program files should be kept.
  • Copying of files should be done carefully; a better practice is to put the COPY command in a batch file together with a CHKDSK command.
  • Used floppies should be reformatted.
  • Avoid letting the system be used by unauthorised users.
  • Restrict the use of outside floppies.

CURE

Once a system is infected, viruses can be cured with antiviral programs.

The antiviral programs perform one or more of the following functions:

  • Prevention
  • Detection
  • Vaccination
  • Inoculation
  • Identification, and/or
  • Damage control.

A good antiviral utility is one which checks whether the system has been infected or not. The preventers stop a virus from infecting the system: they do not allow the modification of executable files, so that a file virus cannot get a foothold.

Some of them refuse to let any program make itself resident in RAM unless allowed by the user. Others do not allow the user to run a program unless it is on a list of approved and tested applications. The detectors warn the user of the presence of a virus after it has been loaded into the machine or onto a disk; these programs maintain a file with a list of checksum values of the executable files. The identifiers rely on the fact that when the virus replicates, it makes a copy of itself.

The vaccinators inject some code into the executable files. When the vaccinated file is run, the injected code performs an integrity check on the program being executed and warns if any changes have been made. 

The inoculators insert the virus's signature into the areas or files it would infect, at the appropriate locations. When the virus performs its self-detection, it finds its signature, believes that the memory/disk/file is already infected, and so does not infect it.

The better equipped antiviral programs control damage. They may be preventive or restorative. Preventive techniques include stopping attempts at direct access such as formatting and deleting, or even write-protecting the hard disk while testing unfamiliar software. The restorative process is achieved by maintaining a copy of the CMOS information, the boot sector, the file allocation table etc. in a safe place such as a floppy.
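The detector's checksum list and the vaccinator's injected integrity check, both described above, rest on the same idea: record what a program looked like when it was known to be clean, and compare later. The Python below is an added example (not code from the original notes) that does both over an in-memory stand-in for a disk: it builds a keyed-hash baseline of the executables, reports files that were modified, added or removed, and "vaccinates" a program by appending a trailer holding the keyed hash of its body, which a self-check verifies before the program is trusted. The disk contents, the key and the 1808-byte appended tail are constructed for illustration. The notes' era used simple checksums; HMAC-SHA-256 is substituted here because a plain checksum can be recomputed by the infector, whereas a keyed hash cannot be forged without the key, which is why the key (like the saved boot sector) belongs on a write-protected floppy, not on the disk it protects.

```python
import hashlib
import hmac

TRAILER_MAGIC = b"VACC"                        # constructed marker for the self-check trailer
DIGEST_LEN = hashlib.sha256().digest_size      # 32 bytes
# Constructed key; in practice it lives off the protected disk (write-protected floppy).
KEY = b"constructed-key-kept-on-a-write-protected-floppy"


def checksum(data: bytes, key: bytes) -> str:
    """Keyed hash of a whole file; stands in for the checksum in the detector's list."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_baseline(files: dict, key: bytes) -> dict:
    """Snapshot of every executable while the system is known to be clean."""
    return {name: checksum(data, key) for name, data in files.items()}


def compare_baseline(baseline: dict, files: dict, key: bytes) -> dict:
    """Detector pass: which executables changed, appeared or vanished since the baseline."""
    modified = sorted(name for name in files
                      if name in baseline
                      and not hmac.compare_digest(baseline[name], checksum(files[name], key)))
    new = sorted(name for name in files if name not in baseline)
    missing = sorted(name for name in baseline if name not in files)
    return {"modified": modified, "new": new, "missing": missing}


def vaccinate(program: bytes, key: bytes) -> bytes:
    """Append a trailer (marker + keyed hash of the body) the self-check will verify."""
    return program + TRAILER_MAGIC + hmac.new(key, program, hashlib.sha256).digest()


def self_check(vaccinated: bytes, key: bytes) -> bool:
    """True only if the trailer is still last and the body still hashes to it."""
    trailer_len = len(TRAILER_MAGIC) + DIGEST_LEN
    if len(vaccinated) < trailer_len:
        return False
    body, trailer = vaccinated[:-trailer_len], vaccinated[-trailer_len:]
    if not trailer.startswith(TRAILER_MAGIC):
        return False      # trailer no longer at the end: something was appended
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, trailer[len(TRAILER_MAGIC):])


# Constructed disk contents before and after an "infection": COMMAND.COM grew by
# 1808 filler bytes and an unknown executable appeared.
DISK_BEFORE = {
    "COMMAND.COM": b"\xB4\x4C\xCD\x21" + b"\x90" * 60,
    "EDIT.EXE": b"MZ" + b"\x00" * 126,
}
DISK_AFTER = dict(DISK_BEFORE)
DISK_AFTER["COMMAND.COM"] = DISK_BEFORE["COMMAND.COM"] + b"\xCC" * 1808
DISK_AFTER["NEWPROG.EXE"] = b"MZ" + b"\x00" * 30

if __name__ == "__main__":
    baseline = build_baseline(DISK_BEFORE, KEY)
    print(compare_baseline(baseline, DISK_AFTER, KEY))
    protected = vaccinate(DISK_BEFORE["EDIT.EXE"], KEY)
    print(self_check(protected, KEY), self_check(protected + b"\xCC" * 16, KEY))
```

The self-check catches both ways a program infector works: code appended after the trailer means the marker is no longer at the end, and code written at the front or inside the body changes the hash. What it cannot catch is a virus that is already resident in memory when the check runs and lies about the file's contents, which is the case the notes' RAM-resident discussion and the "boot from a clean floppy" advice are about.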

As a virus can hide itself in many different ways, it is difficult to detect all viruses with just one antiviral program. Moreover, virus writers keep altering the viral code so that it cannot be detected by any existing antiviral program. The point to remember is that there is no hundred percent foolproof antivirus program available and, in principle, there never will be.
