How Windows Handle Various Viruses

Topic How windows operating system handles viruses?
? Write down various viruses that can cause serious damage to the computer system.
Submitted By:
SANJEEV KUMAR REG. 11008322 ROLL:RK2R13A36
Submitted To: RAMANPREET KAUR LAMBA
How windows operating system handles viruses? Write down various viruses that can cause serious damage to the computer system.
CSE 316
Acknowledgement
It is a great pleasure for me to acknowledge the assistance and contributions of many individuals in making this dissertation a success. First and foremost, I would like to thank my supervisor, MRS. RAMANPREET KAUR LAMBA , for her assistance, ideas, and feedbacks during the process in doing this dissertation. Without his guidance and support, this dissertation can not be completed on time. Secondly, it is a pleasure to express my thanks to all my friends specially 1. MR. S.K CHAKRAVARTI 2. MR. ABHAY KUMAR 3. MR. SHUBHAM PATEL 4. MR. RAHUL TEHALANI and 5. AJAY KUMAR for sparing their time to participate in this project. I deeply appreciate their helpfulness and willingness in providing the useful information for this project Lastly, I wish to express my sincere gratitude to my family for their encouragement and moral support.
By sanjeev 11008322
CSE 316
INDEX
CONTENTS
1. Overview 2. Introduction
page no:
3.
By sanjeev 11008322
CSE 316
Abstract :
A virus is potentially a destructive program code that attaches itself to a host (either a file or program) and then copies itself and spreads to other hosts. It may contain a damaged routine or payload, which activates when triggered So computer viruses are codes written by some people to cause serious damage to computers, this includes private, business and government computers. Computer viruses are similar to the biological ones in their ability to replicate themselves, infecting a large number of victims and having a lifecycle. The term computer virus was formally defined by Fred Cohen in 1983, while he performed academic experiments on a Digital Equipment Corporation VAX systems Windows operating systems in general, though it provides greater coverage of the operating systems built on the Windows NT kernel, including Windows XP Professional and Windows Server. It begins by presenting the development of the Windows operating system and the design goals. The role of the Memory Manager, especially the Virtual Memory Manager, is discussed. The use of the Device, Processor, and Network Managers in recent versions of Windows is reviewed. The chapter then explains the role of the file system in file management and the challenges for Windows system security today. The chapter concludes by explaining how the current Windows user interface functions. Throughout this chapter, many acronyms are introduced to describe this networked operating system. Windows operating systems are descended from a series of graphical interfaces designed to work with or on top of Microsofts MS-DOS operating system. The Computer virus threat is growing and home users are threatened by them, especially with the increasing dependence on computers to accomplish the vast verity of tasks in our modern lives. The popularity of internet aggravates the threat and gives the virus writers the ideal environment to distribute their viruses, since computer viruses can spread through the universe in a few hours causing distractions to hundreds of thousands of computers around the globe. An abbreviated idea about computer viruses nature, history and development, the damage caused by some well known viruses and the different types of computer viruses is explained, also virus writers types, motivations, their point of view towards ethical and legal issues, and the effect of legal penalties on their practice is explained .The threat of computer viruses towards home users is proved, some solutions to eliminate the threat of computer
By sanjeev 11008322
CSE 316
viruses is highlighted. Home users can protect their systems based on their understanding of the foregoing.
Introduction :
A computer virus is a computer program that can copy itself and infect a computer without permission or knowledge of the user. However, the term "virus" is commonly used, albeit erroneously, to refer to many different types of malware programs. The original virus may modify the copies, or the copies may modify themselves, as occurs in a metamorphic virus. A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or the Internet, or by carrying it on a removable medium such as a floppy disk, CD, or USB drive. Additionally, viruses can spread to other computers by infecting files on a network file system or a file system that is accessed by another computer. Viruses are sometimes confused with computer worms and Trojan horses. A worm can spread itself to other computers without needing to be transferred as part of a host, and a Trojan horse is a file that appears harmless until executed. Most personal computers are now connected to the Internet and to local area networks, facilitating the spread of malicious code. Today's viruses may also take advantage of network services such as the World Wide Web, e-mail, and file sharing systems to spread, blurring the line between viruses and worms. Furthermore, some sources use an alternative terminology in which a virus is any form of selfreplicating malware. Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply replicate themselves and perhaps make their presence known by presenting text, video, or audio messages. Even these benign viruses can create problems for the computer user. They typically take up computer memory used by legitimate programs. As a result, they often cause erratic behavior and can result in system crashes. In addition, many viruses are bug-ridden, and these bugs may lead to system crashes and data loss . Due to the increasing dependence on computers to achieve most of our civilized life tasks, from simple word-processing to controlling and monitoring the most sensitive organizations like nuclear reactors and performing surgical operations. Therefore the need to be dependent on computers reliability and functionality is of high concern since any failure in the computer functionality could lead to loss of human lives or costly financially losses. There are many threats to computer functionality and reliability, and
By sanjeev 11008322
CSE 316
computer viruses is the most commune one. The threat of computer viruses are addressed to all computer operators in homes, business, and government, home users and how they can eliminate the threat of computer viruses and protect their systems is of concern. The relation between increasing the awareness and understanding of the nature of computer viruses, and home users ability to protect their systems will be tested. In order to accomplish the foregoing this paper is structured as follows: Firstly the definition of computer viruses, their nature, their history and development, and their different types is discussed. Secondly the threat of computer viruses to home users is proved. Thirdly computer virus writers nature, motivations and their perspective to legal and ethical issues is highlighted. Fourthly, ways to eliminate the threat of computer viruses is discussed. Finally the research occlusions are illustrated. Computer viruses are small software programs that are designed to spread from one computer to another and to interfere with computer operation. A virus might corrupt or delete data on your computer, use your e-mail program to spread itself to other computers, or even erase everything on your hard disk [9]. Viruses are most easily spread by attachments in e-mail messages or instant messaging messages. That is why it is essential that you never open email attachments unless you know who it's from and you are expecting it. Viruses can be disguised as attachments of funny images, greeting cards, or audio and video files. Viruses also spread through download on the Internet. They can be hidden in illicit software or other files or programs you might download.
By sanjeev 11008322
CSE 316
Computer Viruses History and Development :

Most of computer users whom have had hard times because of computer viruses want believe its all started in 1982 as a joke by a teenager to tease his schoolmates . Richerd Skrenta was in the 7th Grade when he got his first PC for Christmas an Apple II. He started to make use of this tool by doing something different and unexpected. I had been playing jokes on schoolmates by altering copies of pirated games to self-destruct after a number of plays. Id give out a new game, theyd get hooked, but then the game would stop working with a snickering comment from me on the screen (9th grade humor at work here)When they noticed what was going on they prevented him from being near their disks. So, he has to think of away to bass his booby trap to their disks without putting his hands on them physically. I hit on the idea to leave a residue in the operating system of the schools Apple II. The next user who cams by, if they didnt do a clean reboot with their own disk, could then be touched by the code I left behind. I realized that self-propagating programs could be written, but rather than blowing up quickly, to the extent that it laid low it could spread beyond the first person to others as well. I coded up Elk Cloner and gave it a good start in life by infecting everyones disks I could get my hands on While Basit Farooq Alvi and Amjad Farooq Alvi seemed to have a totally different motive to write their virus. Software piracy was the software developer nightmare, so they started to think of a way to protect their effort from being lost.(Paquette,2000, p.2) Basit and Amjad used to run a computer store in Lahore, Pakistan. They decided to create a virus in order to inhabit the American software piracy to protect their business, and they called it (C) Brain virus. In October 1987 (C) Brain virus appeared in the University of Delaware, after one month the Lehigh or COMMAND.COM virus were found at Lehigh University in Pennsylvania, finally in December the Hebrew University at Jerusalem were attacked by the Friday the 13th virus (Highland ,1997, p.416).While in 1989 the 1260 was found on the wild as a result of variable encryption techniques, also in the same year stealth viruses ( which have the ability to avoid detection by employing various techniques), such as Zero Bug, Dark Avenger, and Frodo were found in the wild for the first time (Dwan, 2000,13). So it started to get more serious and virus writers accepted the undeclared challenge, and started to improve their malicious codes to avoid detection. In 1990 the virus writers released a virus called Whale, International Journal of Electrical & Computer
By sanjeev 11008322
CSE 316
Sciences IJECS-IJENS Vol: 10 No: 03 37 which was a self-modifying virus and in 1991 GPI virus was found, the mission of this virus was to steal Novell NetWare passwords. In the same year Michelangelo was discovered in New Zealand (Dwan, 2000, p.13). It seems that this war would never end. In 1995 a new technique was found to cope with the communication revelation and internet popularity, The first reported macro virus Concept, was seen in the wild by AV researcher Sarah Gordon in summertime of 1995. A set of five macros designed only to replicate, Concepts payload displays the virus authors ominous message: Thats enough to prove my point . (Paquette,2000, p.3) . A month later Chernobyl strain CIH hits around 540,000 computers in Turkey and South Korea, the purpose of its payload was to reformat the hard drive and zap a key chip on the computer motherboard (Dwan, 2000, p.14). The increasing dependency on the companies networks or the internet to exchange documents using e-mails on a daily basis gave the macro virus a stabile spreading environment and made them the best example of convoying each age requirements. In the year 2000 a new Millennium had just started and its seemed that the virus writers quiver is still full of surprises. It was an irresistible attractive message containing a love letter Love Bug. All the user had to do in order to infect his system and automatically send copies of the virus to everyone on his e-mail address book was to open the attachment (Ruppe,2000, p.1). The I LOVEYOU virus caused havoc and damage to private, business, and government computers throughout the globe starting from Asia, Australia, Europe to North America (Ruppe,2000, p.1). The Asian Dow Joness computers crashed and the Asian Wall Street Journal were struck, around 30% of British and 80% of Swedish companies e-mail systems were affected, finally in the U.S. at least 350,000 files were found hit (Ruppe,2000, p2-3). In 2001 Pentagon and the White House were forced to halt the public access to their Web sites for a limited period and 250,000 systems were infected in nine hours due to the Code Red worm, which was able to infiltrate hundreds of thousands of computers shortly after its first identification on July 19th (Stenger,2001, p.1). Virus writers were determined to prove their capability to threaten the world by releasing new viruses. In 2002 the top of the virus chart was Klez virus, which was able to have more then five million copies (advisor.com,2002, p.1). Nevertheless we can say that the malware(short form of malicious ware) was started by releasing viruses in the wild, regardless of the virus writers motivations or intentions to write these viruses. When software developers started to notice the need for developing programs to protect computers from viruses, the malwar started between the virus writers and the antivirus companies.
By sanjeev 11008322
CSE 316
Virus Structure
Computer viruses could have two parts at least (search and copy routines) or more depending on how sophisticated it might be, the additional parts will give it a unique characteristic . (Ludwing,2002, p.23-24): Search routine: this routine responsibility is to find a stabile target for infection. Copy routine: to be able to infect the target which was found by search routine, the virus must copy itself to the target and this is the copy routine responsibility. Anti-detection routine: this could be part of the search or copy routines or it could be a stand-alone routine, the mission of this routine is to avoid detection either by the user or the anti-virus programs. Payload routine : this routine vary depending on its porous, it could be a joke, destructive or perform a useful task.
By sanjeev 11008322
CSE 316
Virus Lifecycle
Computer virus and biology one has a similar lifecycle, which consists of the following stages (Cronkhitevand McCullough, 2001, p.19-20) : Birth: bringing the computer virus to life, virus writer (the person who wrote the virus) designs the virus and then creates it using a programming language. Release: in this stage the virus writer sends it out to the wild (the cyberspace, the virtual computer world). Proliferation: the virus target in this stage is to replicate and infect as many victims as possible without drawing any attention. Trigger: in this stage the virus becomes alive when the trigger is reached. The virus writer usually determines the trigger, it could be a specific date, a certain task, or anything else depending on the writers choice.
By sanjeev 11008322
CSE 316
Activation: in this stage the virus has the ability to run its destructive routine. The effect of this could vary from erasing the hard disk content to making limited damage. Detection: this could happen at any stage of the virus lifecycle, detecting the virus in the early stages makes it easer to remove it with out causing any damage. Unfortunately, real life viruses are usually discovered after they have caused havoc and damage.. Elimination: the ability to eliminate the effect of virus varies from one type to the another, and also depends on the available tools. The solution could be simple and inexpensive(e.g., deleting the virus) or complicated and expensive ( e.g., reformatting and restoring the hard disk or buying a new one). Modification: in this stage the virus lifecycle may be repeated with an improved version, this could be done by the original virus writer or some one else.
Types Of Computer Viruses

Every year computers technology developers surprise the world with their new inventions, therefore virus writers need to create new generations of viruses to cope with the latest computing techniques. As a result of this competition each year hundreds of new viruses are found in the wild. File-infecting virus: this virus technique is to attach itself to the executable files, which are the files ending with .exe, .com, .all, and .drv , and these are the main program files and drivers. If any of them is infected the virus code will be executed during the run first by loading itself to the memory and deceive the user by allowing the program to execute normally. When the user runs any other applications, the virus replicates itself in order to be attached to that application. The virus should remain undetected until trigger is reached and this depends on the virus writer choices.
By sanjeev 11008322
CSE 316
Boot sector virus: this virus loads itself to the boot sector of the floppy disk or master record of hard disk in order to be loaded to the memory before the operating system is loaded. As soon as the virus becomes residence it will be able to infect each inserted disk to that computer. Macro viruses: the macro language technology was invented by software companies in order to automat repetitive tasks. This virus depends on the macro language in order to infect the data files by attaching themselves to the global template and spreads when the data files is opened. So as we can see virus writers took advantage of a new invention and developed a stabile viruses for each age. These types of viruses are categorized as dangerous ones, because they are easy to write, spread easily, and its hard to eradicate them. The macro viruses effect could be an annoying massage, adding password protection to files, saving files as templates instead of saving them as documents, or moving and replacing the text randomly. Script virus: this type of virus is written using script languages, they spread and infect files by taking advantage of vulnerabilities in the Microsoft Windows operating systems, opening e-mails or accessing Web pages which includes tainted scripts will activate the virus. This type of viruses has the ability to change its signature each time the virus is reproduced in order to remain undetected by antivirus software. Polymorphic virus: this virus has the ability to change each time it replicates using different encryption routines through its additional unique mutation engine. As a result of this invented combination the virus is very difficult to detect. One Half is an example of this virus, it has a distractive effect, its target is to encrypt the hard disk and make it unreadable, another example is Satan Bug.Natas which specialized in attacking the antivirus software. Virus writers are so keen to cope with the technology development, each time antivirus software and software developers come up with a new technology to prevent computer viruses infection, virus writers find their way to surprise the world with a new threat by releasing the suitable virus for each age.
By sanjeev 11008322
CSE 316
Handling viruses by
Firewall
window system :
A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. There are several types of firewall techniques: Packet filters: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.
By sanjeev 11008322
CSE 316
Application gateway: Applies security mechanisms to specific applications, such as

FTP and Telnet servers. This is very effective, but can impose performance degradation. Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
Proxy server: Intercepts all messages entering and leaving the network. The proxy
server effectively hides the true network addresses. In practice, many firewalls use two or more of these techniques in concert. A firewall is considered a first line of defense in protecting private information. For greater security, data can be encrypted.
World top 10 viruses and their Hazards : 1. I LOVE YOU :
2. The Swiss Amiga Virus
The story of the so-called \Swiss" Amiga viruses is fairly interesting for a number of reasons. The _rst reason is the name. It is called Swiss because someone at _rst thought
By sanjeev 11008322
CSE 316
it was launched from Switzerland, but the last time I heard of people searching for the source, they thought it was from Germany or Canada. Nothing is quite as exciting as closing right in on a perpetrator. To understand how this particular virus works, you have to understand how Amigas work. Not the technical aspects, but rather how people share information when they use Amigas. Amigas have very strong user groups. For example, it's not unusual for an Amiga user group to have hundreds of people, with meetings twice a week. So they have several hundred people meeting twice a week, exchanging disks with each other, giving talks, and doing all sorts of computer related social activities. Sharing is very prevalent under these circumstances. This virus enters one of the system _les on an Amiga, and eventually destroys the information on the disk in a similar way to the PC based viruses we have discussed. When I _rst heard about this virus, I called up the person at Commodore (the manufacturer of the Amiga) in charge of defending against it; the chief systems programmer. He said \I have it under control, it's no big deal", and he wrote a program that looked for the _rst byte of the virus in that particular _le. If the _rst byte of that virus was present, it said \this is an infected program, restore from backups to repair the problem" or some such thing. So, he sent this defense out, and about a week later there was a new version of the virus that started with a di_erent _rst byte. So I called the guy up and said \Wouldn't you like to do something better?" He said \No, no, we have it under control . . . ", and then he sent out a program that looked for either of those two _rst bytes. The third round involved a copy of the virus that evolved through any of ten di_erent _rst bytes, so I called him again and he said \No, no, I've got it under control . . . " This time he wrote a program that checked to see whether the _rst byte was not the legitimate byte of the Amiga program. About a week later, there was a version of the virus that had the same _rst byte as the legitimate Amiga program, but a di_erent second byte. That was the last time I bothered calling this guy up. I _gure that by now, they're up to about the tenth or eleventh byte, and still battling it out.
The Mainframe Christmas Card Virus

In 1987, we also had the Christmas card virus that spread throughout mainframes of the world by way of computer mail. It was created by a student in Germany as a Christmas card. In order to understand how this virus worked, you have to understand that part of the corporate culture in IBM was for people to send each other Christmas cards via computer mail. As a result, when someone you knew sent you a Christmas card you would normally read it without hesitation. So this person in Germany created a
By sanjeev 11008322
CSE 316
Christmas card and sent it to the only two people he knew. The _rst recipient looked at it and said \I don't know this guy, I'm not going to look at this Christmas card". It was Friday afternoon, and the second recipient went home. On Monday, he came in and read his Christmas card, and it put a fairly poor looking Christmas card on the screen and said \Merry Christmas". But, unbeknownst to the recipient, it also did something else. It looked through his list of outgoing mail recipients (the people he normally sends mail to), and sent a copy of this Christmas card in his name to everybody on that list. Naturally, when they got this Christmas card from their friend, they said \Oh great, I'll read it" and they read it, and it sent copies to everybody on their outgoing mailing lists in their names, and on and on. At it's peak there were something like 500,000 copies per hour. It brought down most of the computers in the European Research Network (ERN), the IBM internal network (VNET), and the American version of ERN (BITNET). It brought them down for about two hours and then, because of a limit in the network protocol, brought the network down again. For about eight weeks afterwards, they had what the people at IBM called minor aftershocks". That's when a couple thousand copies appear here or there in the network.
The MacMag Virus

In 1988, the MacMag virus was the _rst computer virus to be used for advertising purposes, which I guess means that the technology matured. MacMag is (was?) a Canadian Magazine for MacIntosh users, and in 1988, they apparently commissioned a professor from a University in the United States to write a computer virus for them. The press, in keeping with the wishes of the computer security community, did not reveal the name of this particular professor, and I understand the professor was rather upset, because he _gured this was his way to fame and fortune. The security community took the position that to reveal the name would glorify the attacker, and the press went along this time. Of course today, it could be the road to jail and ruin, because it is now illegal to covertly introduce viruses into systems in most places. The MacMag virus modi_ed a system _le on the Mac II computer so as to put a message on the screen on a particular date saying something like \Happy 2nd Anniversary to the Mac II, our wishes for world peace", and it was signed \MacMag". In order to launch the attack, MacMag placed a copy on `CompuServ'. CompuServ is one of these service networks in the United States where you can make airline reservations, look up bibliographic database information, etc. You can also store programs there for other people in the network to retrieve if they wish to do so. Within two days, somebody that picked up a copy of this virus, detected its presence, and notised the people at CompuServ. At about that time, I found out about this attack, so I called up CompuServ and said \Gee, would you like some help to get rid of this virus?" They said \No, no, we have it under control.", and they had their favorite contract software house write a special purpose program to delete this virus, announced it on the bulletin board, and told everyone to use it. As
By sanjeev 11008322
CSE 316
punishment, MacMag was kicked o_ of CompuServ \forever", which I guess is as big a punishment as they can come up with. CompuServ and most of the rest of the community thought the attack was all over, until .About two months later (so the story goes), a man was visiting his friend who was a contract programmer. He showed his friend a copy of a game called \Frogger". The programmer tried Frogger once, and said \This is really a dumb game, in fact, this is the dumbest game I've ever seen. I'm never going to run this game again". However, once was enough. This particular programmer, it just so happens, wrote training software for several companies, including such industry leaders as Lotus, Ashton-Tate, and Aldus. Over the next couple of weeks, he distributed copies of his newest training software to one or more of these companies, and the virus that came in Frogger spread. Aldus subsequently released about 5,000 copies of their newest program \Freehand" which were infected. This was the _rst (but not the last) time that a virus was released in a legitimate, shrink wrapped, commercial software distribution.
The Scores Virus

The so-called \Scores" virus operates on Apple MacIntosh computers, and was apparently written by a disgruntled ex-employee of Electronic Data Systems, a Texas _rm that does computer security work world-wide. The reason we believe this, is that it directs its attacks against programs written by particular programmers from EDS, and through an anonymous source, I heard some further details that were convincing. The Scores virus does absolutely nothing for about four days after its initial infection. For the next four days, it infects, but does no other damage. The 4 day time period may be because of a procedural defense at EDS, which a 4 day wait bypasses, but nobody is certain of this except the attacker. From then on, whenever you run an infected program, it operates as follows: For the _rst 15 minutes of operation it does nothing. For the next 15 minutes, it prevents saving anything. Finally (mercifully), the system crashes. So if you are running an editor written by one of these authors at EDS, for the _rst 15 minutes everything works great. After that, when you try to save the _le, it says (in e_ect) \Sorry, I can't save that". The user typically responds with something like \What do you mean you can't save it? Save it!", and for the next several minutes, a frantic e_ort to save the _le is made, until _nally the system crashes, and the changes are lost. Needless to say, it is a very disconcerting experience for the user when it happens. the _rst time, but things get worse .It takes about 2 hours to completely get rid of the Scores virus from a MacIntosh with a hard disk (from the details I have heard), but as I have mentioned, there is another side e_ect. Over the four day period of reproduction without damage, the virus tends to get into oppy disks and backups, spread over networks, etc. As a result, many organizations have the Scores virus for a
By sanjeev 11008322
CSE 316
long time. One administrator from a government agency described curing this virus from all of the computers in one network once a week for a year.
The Internet Virus The \Internet Virus", commonly called the \Internet Worm" (it turns out that worms are
a special caseof viruses), was launched in 1988 in the Internet. The Internet is a network that, at that time, intercon- nected about 100,000 to 200,000 computers around the world, is used by Universities and other research organizations, and provides connectivity to many other networks. I can't remember the names of half the networks it is connected to, but among the connected networks in 1988 were the ARPAnet (Advanced Research Projects Agency) and the DOD-net (US Department of Defense). In the Internet attack, a graduate student at Cornell University designed and launched a computer virus that replicated and moved from machine to machine in the Internet. It entered about 60,000 to 70,000 computers, but was designed to only replicate in 6,000 of them. In a matter of a few hours, it spread throughout the network causing widespread denial of services. According to the author, it was not intended to deny services, but due to an error in programming it replicated too quickly. This virus was designed speci_cally to work in a particular version of a particular operating system and, even though it would be very simple to make it work on other versions, special code was in place to prevent its undue spread. It replicated by `fork'ing processes and tried to move from system to system by exploiting a (de)bug in the computer mail protocol. It turned out that if you had debugging turned on in the mail protocol on your machine, then if somebody wanted to, they could issue commands as if they were the `Superuser' on your computer. It also turns out that most of the systems in the Internet had this switch turned on at compile time, and in many cases, they could not turn it back o_ because they didn't have the source code to the mail program for recompilation, and the designers didn't provide any mechanism for overriding the debugging mode. This particular virus also crossed the boundaries between the ARPA-net and the DODnet, which were supposedly secured against all such intrusions. In the next few days, several viruses apparently crossed this boundary, and the link was then severed.
The AIDS Disk

In late 1989, a well funded group purchased a mailing list from a PC magazine, and distributed between 20,000 and 30,000 copies of an infected disk to the people on this list. The disk was a very poor virus, but it caused a great deal of damage because there were so many copies mailed, and the recipients used the disk widely despite procedural policies in place prohibiting such use. The disk was advertised as a program to evaluate a person's risk of getting AIDS based on their behavior. Included in the distribution was a
By sanjeev 11008322
CSE 316
description of the fact that this was a limited use distribution, and that it would cause damage to the system if it was used without paying royalties. The disk infected the host system by adding a line to the \AUTOEXEC.BAT" system startup _le which, although it appeared to be a comment, was actually a peculiar program name. After running this program a number of times, the virus would encrypt directory information so that _le names became unusable. If you continued to use the system it would eventually try to convince you to put in a oppy disk to make a copy for a friend. The alleged perpetrator was eventually caught by tracing the mailing list purchase process back to the buyer. The last I heard, the person they caught was in the middle of extradition hearings to England, where the virus caused enough damage to warrant prosecution.
The Datacrime Virus

The Datacrime" virus was the most widely announced and least widely spread well known virus in recent memory. It was rumored to exist as early as 6 months before it was to cause damage, and was eventuallythe subject of the _rst NIST National Computer Virus Alert in the United States. This virus only caused minor damage in a few instances in Europe, and never took hold in the United States. Perhaps coincidently, IBM introduced its antivirus program to the world on exactly the same day as NIST announced its _rst national computer virus alert. Not a single incident was reported or detected in the US as far as I can tell, but IBM sure sold a lot of virus detection software. 2.3.13 Early Evolutionary Viruses In late 1989, the _rst seriously evolutionary virus to appear in the real world began spreading in Europe. Earlier viruses had evolved in minor ways, simple self-encryption had been used before, and experimental viruses with no association between evolutions had been demonstrated, but this virus was the _rst one to be released into the world with many of these properties. This virus replicates by inserting a pseudo-random number of extra bytes into a decryption algorithm that in turn decrypts the remainder of the virus stored in memory. The net e_ect is that there is no common sequence of more than a few bytes between two successive infections. This has two major implications. The _rst problem is that it makes false positives high for pattern matching defenses looking for the static pattern of this virus, and the second problem is that special purpose detection mechanisms were simply not designed to handle this sort of attack. Since the _rst evolving real-world virus appeared, authors have improved their evolution techniques substantially. One author even created a set of evolutionary subroutines called the `Mutating Engine' (often referred to as MtE) which can be integrated with other viruses to form a highly evolutionary form. After over a full year of analysis and response, the best virus scanning programs still hadn't achieved a detection rate over 95% on a sample of several thousand mutations created by Vesselin Bontichev (a well
By sanjeev 11008322
CSE 316
known Bulgarian malicious virus defender) to test their quality. This brings up an important point about virus detection rates that I will defer to our discussion on epidemiology.
Simulation (Stealth) Viruses

The simulation virus that appeared in late 1989 represented a major step toward attacks meant to bypass virus defenses. In essence, this virus simulates all of the DOS system calls that would lead to its detection, causing them to return the information that would be attained if the attack were not present. It is presently spreading widely throughout the world, and because it does no obvious damage, it is generally going undetected. Since that _rst simulation virus, researchers have decided to use the term `stealth' to indicate viruses that use sophisticated hiding techniques to avoid detection. The term stealth is derived from the US `stealth' aircraft that were so successful at avoiding radar detection in the Gulf War in the early 1990s. Hiding techniques have their biological analogy, the most commonly known example being the chameleon which changes its color to match the background. Many insects blend into their background and thus avoid predators, and a common feature of invasive micro-organisms is the presence of chemical sequences identical to those of their hosts, which enable them to pass as if they were native cells instead of invaders. Now there is a very important di_erence between biological stealth techniques and the techniques of modern malicious viruses that I think I should mention before you get any misimpressions. There is a tendency to anthropomorphize hiding techniques as if to indicate that a conscious e_ort is made by an organism to hide by creating matching chemical sequences. In biological systems, except for higher forms of animals, there is apparently no evidence that there is intent behind the hiding techniques. Rather, random variations caused some color di_erences or chemical sequences, and it just happened that those creatures didn't die as often as others because of their stealthy characteristics, and so they survived to reproduce. The stealth techniques we see in modern computer viruses are quite di_erent in that they are intentionally designed to hide by exploiting weaknesses in the operating environment. For that reason, all current stealth viruses are designed to attack PC and MacIntosh operating systems, which are inherently vulnerable. Against the stronger defense techniques now available, current stealth attacks fail completely when operating system protection such as that provided in Unix, MVS, and VMS is in use. There are ways of hiding in most modern timesharing systems with these protections in place, but none of the real-world viruses we have seen have done this yet. For example, an infected program could start a background process to perform infection so as to reduce the time e_ects associated with infection, and give the memory resident process
By sanjeev 11008322
CSE 316
a name similar to the name of other common memory resident programs so that it would not be easily di_erentiated when looking at operating processes.
The Bulgarian Viruses

In early 1990, a research institute in Bulgaria released a set of 24 viruses to the rest of the world research community. They had not previously been known outside of Bulgaria. Astonishingly, none of these had been detected in Western Europe until these samples were provided. With the fall of the Iron Curtain, the ow of people and information between the former Soviet Bloc countries and the rest of the world dramatically increased. Along with this openness, came the open exchange of viruses, and a whole new set of problems were created for defenders on both sides of the former partition.
Some Trends
Although many of these viruses have not spread widely, the number of widespread viruses is on the increase, and the incidence level is increasing quickly. For example, in a recent visit to Taiwan, I was surprised to learn that of 50 companies represented at a seminar, on the average they experienced about 10 viruses per year! This is particularly important in light of the fact that most 3 of the world's PCs are manufactured in Taiwan, and several incidents of widespread dissemination of viruses from manufacturers have been reported. Another interesting trend is that only about 10% of the known viruses are responsible for 90% of the incidents. According to several minor studies, this has been true for several years, and according to a recent larger scale study done by IBM of Fortune 500 companies, only 15% of the known viruses were detected in the real-world. They also report that 33% of incidents are caused by the two most prevalent viruses (`Stoned' and `Form'), and the 10 most prevalent viruses are responsible for 66% of incidents. These numbers represent very substantial growth, but don't reect the recent advances in attack technology. Several virus generating programs are currently available, both from semi-legitimate software houses, and from other less identi_able sources. Some of these virus generators are capable of generating millions of di_erent viruses automatically. Some even allow the user to select di_erent infection techniques, triggering mechanisms, and damage using a menu. Even simple evolution is available in some of these generators. A far more interesting program has been developed to perform automated evolution of existing programs so as to create numerous equivalent but di_erent programs. This program exploits knowledge of program structure, equivalence of large classes of instructions, and sequential independence of unrelated instructions to replace the sequence of instructions comprising a program with a behaviorally equivalent instruction sequence that is substantially di_erent in appearance and operation from the original. In one of the
By sanjeev 11008322
CSE 316
appendices, several examples of evolutionary and hiding techniques are shown, and a good case is made to show that detection by looking for viruses is quite di_cult and time consuming if these techniques are applied.The _gure 80% appears in their o_cial government documents.
2.3.18 Cruncher
The `Cruncher' virus is a real-world version of the compression virus described earlier, but with an interesting twist. For the decompression process, it uses a very common decompression program; and the virus is added to the _le being infected before compression. The net e_ect is that when we look at the _le, it looks like a legitimate compressed executable program. If we try to scan for the virus, we are in great di_culty because the compression algorithm is adaptive in that it generates codings for subsequent bits based on occurrence rates earlier in the _le. Since this particular virus is placed at the end of the _le, we can't detect it until we decompress the entire _le! No _nite number of `scan' strings exist for detecting the virus because the virus is compressed with the adaptive compression algorithm. This virus _rst appeared in January of 1993, and as of this writing is not detected by any virus scanners. It is not likely to be reliably detected by them soon, unless they dramatically increase run times.
Conclusions :
The number of computer viruses found in the world is increasing each year. Every time software and antivirus software developers invent new technology to prevent virus infection, computer virus writers thrilled the world with their ability to go around the new technology and develop the right virus for each age. Macro viruses were their ideal proof of their intention to accept the challenge and cope with the new technology developments. Script viruses were another prove, they have the ability to encrypt each time its reproduced to have a different signature in order to deceive the antivirus and remain undetected . The antivirus developers reaction to this challenge is to develop their programs to detect the pattern in the decryption of the virus, virus writers reaction was creating polymorphic viruses So the malware will go on between software and antivirus software developers and virus writers.
By sanjeev 11008322
CSE 316
Computer virus writers are not a homogenous group, their motivations could be the need to express their dissatisfaction with their social level, draw attention, become famous and well known, to achieve their revenge, or to prove their technical ability. It seems that the virus writers desire to accomplish their goal conceals their vision from viewing the ethical and legal issues. Another reason could be their dissatisfaction with their society, since the ethics and legal codes belongs to it, and they want revenge for everything in their society including the ethics and legal codes. The legal penalties are not deterring virus writers, but seems to encourage the writers to accept the challenge of writing and releasing a virus to cause the maximum destruction and get away with it or cause serious damage and become famous. By comparing the increasing number of home users with the increasing number of computer viruses each year, we can easily realize the growing threat of computer viruses towards home users. The increasing awareness of computer viruses and basic IT security principles will help home users to eliminate the threat of computer viruses. Being largely misunderstood, viruses easily generate myths. Some people think it's funny to generate hoaxes. By careful checking you can usually spot them. Silly tricks and poor policies are no substitute for individual protection methods. Any product that advertises itself as a "quick and easy cure" for "all viruses past, present, and future" is more likely than not exercising its advertising imagination. Keep in mind that not everything that goes wrong with a computer is caused by a computer virus or worm. Both hardware and software failure is still a leading cause of computer problems.
References
Webs:
http://www.ebusinessadvisor.com/Articles.nsf/dp/29DD4BBF288F4FD488256C7C0061 0777
By sanjeev 11008322
CSE 316
BOOKS :
Kemmerer R A, Vigna G, Hi DRA: Intrusion Detection for internet Security, Proceedings of the IEEE, Vol 93, issue 10, Pg 1848-1857, Oct 2005
By sanjeev 11008322

How Windows Handle Various Viruses

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

How Windows Handle Various Viruses

Uploaded by

Copyright:

Available Formats

Topic How windows operating system handles viruses?

Submitted To: RAMANPREET KAUR LAMBA

Computer Viruses History and Development :

Types Of Computer Viruses

Application gateway: Applies security mechanisms to specific applications, such as

World top 10 viruses and their Hazards : 1. I LOVE YOU :

2. The Swiss Amiga Virus

The Mainframe Christmas Card Virus

The MacMag Virus

The Scores Virus

The AIDS Disk

The Datacrime Virus

Simulation (Stealth) Viruses

The Bulgarian Viruses

You might also like