
Chapter 3: COMPUTER SECURITY

Computer viruses:
The concept of viruses dates back to 1949, when John von Neumann submitted a
paper putting forward the concept of a self-replicating program. The idea seemed
impossible and was dropped. Subsequently, the first virus-like program appeared
from the recreational game called Core War. The first commercial application of
viruses was in 1985, when two Pakistani brothers, in order to keep track of
software piracy, used the Brain virus (also called the Pakistani virus). Hidden in
nearly every disk they sold was an extra program not supplied by the manufacturer,
which was self-replicating in nature and would infect an unauthorized user's
computer by destroying its applications. These self-replicating programs
multiplied so fast that today they threaten the smooth operation of the computer.
Trojans are similar to viruses. They move around as valid programs, sometimes
getting executed with flashy opening screens describing them as a word processor
or database package. Thus Trojans are programs that claim to be doing one thing
but do something entirely different, and in the process damage the computer
system.
Worms travel longer distances by storing themselves in critical areas of the disk,
from where they get loaded, and they carry sufficient code with them to transfer
themselves outward from the system which they infect. Thus worms are known to
damage entire networks (LANs).
Apart from self-replication, another kind of destruction caused by viruses is data
loss.
The process of infection- To understand how a virus infects the system, we'll go
back to the preliminary working of the computer. On booting, the system first
carries out the ROM instructions: the Power On Self Test (POST), which is followed
by the bootstrap process of reading the boot record and loading the disk O.S. In
MS-DOS this involves loading IBMDOS.COM and IBMBIO.COM along with some optional
files like CONFIG.SYS and AUTOEXEC.BAT. The infection may begin as soon as the
computer system boots from the disk or executes an infected program. Whatever
viruses are present get activated and immediately begin to spread over the entire
network.
Classification of Viruses- They can be classified on the basis of their mode of
existence, giving the following categories of viruses.
1) Boot infectors- As the name suggests, they are characterized by the fact that
they physically reside in the boot sector of the disk. Thus a system infected by
this kind of virus has the virus staying in a particular area of the disk rather
than in a program file. These viruses get loaded soon after the POST and control
the system at all times. Sometimes they have the capability of surviving a soft
boot and remaining in control even when the system is booted from an uninfected
floppy. Boot infectors display the information originally residing at the location
which they occupy. While writing into the boot sector, the virus ensures that the
boot record is not deleted.
2) System infectors- This category of viruses deals with components of the system
itself. All machines require an operating system in order to create an environment
in which the operator works. In MS-DOS, the file command.com contains all internal
commands. If no such command file exists, then commands such as COPY, DIR etc. are
not loaded into memory when the machine is booted. System infectors attach
themselves to a file like command.com or other memory-resident files and
manipulate those files. System infectors differ from boot infectors in the sense
that system infectors gain control after the computer is booted and infect the hard
disk or bootable floppies which contain the appropriate system files. They have
another peculiarity: they may activate after a certain period of time or they may
activate instantly.

3) General .com or .exe infectors- From the infection point of view, these viruses
are the most dangerous. They attach themselves to program files and can spread to
almost any executable program in any system. These viruses change the original
program instructions to a 'jump' to the virus's own code and follow that code with
a return to the original program. As a result, whenever a program is executed, the
virus gets loaded and executed first and then the original program proceeds. The
virus remains in the memory of the system and infects each and every program that
is loaded for execution. Thus, by attaching themselves to .exe or .com files, these
viruses change the size of the file and sometimes render the program file too large
to be accommodated in memory. Examples: Form, Disk Killer, Michelangelo, and
Stoned virus

4) Program viruses: These infect executable program files, such as those with
extensions like .BIN, .COM, .EXE, .OVL, .DRV (driver) and .SYS (device
driver). These programs are loaded in memory during execution, taking the virus
with them. The virus becomes active in memory, making copies of itself and
infecting files on disk.

Examples: Sunday, Cascade

5) Multipartite viruses: A hybrid of Boot and Program viruses. They infect program
files and when the infected program is executed, these viruses infect the boot
record. When you boot the computer next time the virus from the boot record loads
in memory and then starts infecting other program files on disk.
Examples: Invader, Flip, and Tequila

6) Stealth viruses: These viruses use certain techniques to avoid detection. They
may either redirect the disk head to read another sector instead of the one in which
they reside or they may alter the reading of the infected file’s size shown in the
directory listing. For instance, the Whale virus adds 9216 bytes to an infected file;
then the virus subtracts the same number of bytes (9216) from the size given in the
directory.

Examples: Frodo, Joshi, Whale

7) Polymorphic viruses: A virus that can encrypt its code in different ways so that
it appears differently in each infection. These viruses are more difficult to detect.

Examples: Involuntary, Stimulate, Cascade, Phoenix, Evil, Proud, Virus 101

8) Macro Viruses: A macro virus is a new type of computer virus that infects the
macros within a document or template. When you open a word processing or
spreadsheet document, the macro virus is activated and it infects the Normal
template (Normal.dot), a general-purpose file that stores default document
formatting settings. Every document you open refers to the Normal template, and
hence gets infected with the macro virus. Since this virus attaches itself to
documents, the infection can spread if such documents are opened on other
computers.
Examples: DMV, Nuclear, Word Concept.

Companion virus: A program that attaches to the operating system, rather than to
files or sectors. In DOS, when you run a file named "ABC", the rule is that ABC.COM
executes before ABC.EXE. A companion virus places its code in a COM file whose
first name matches the name of an existing EXE. You run "ABC", and the actual
sequence is "ABC.COM", then "ABC.EXE".
Encrypted virus: A virus whose code begins with a decryption algorithm and
continues with the scrambled or encrypted code of the remainder of the virus. When
several identical files are infected with the same virus, each will share a brief
identical decryption algorithm, but beyond that, each copy may appear different. A
scan string could be used to search for the decryption algorithm. Cf. Polymorphic.
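The companion-virus footprint described above (a NAME.COM sitting beside NAME.EXE so that DOS runs the .COM first) is something a defender can check for directly. The following is an added example, not code from the chapter: it walks one directory, pairs every .COM file with an .EXE of the same base name, and reports the pairs. The directory contents it builds are constructed placeholders, not real programs; the function and file names are assumptions for the demonstration.

```python
"""Flag DOS-style companion-file pairs: a NAME.COM sitting beside NAME.EXE."""
import os
import tempfile
from pathlib import Path


def find_companion_pairs(directory):
    """Return a sorted list of (com_name, exe_name) pairs found in one directory.

    DOS resolves a bare program name as .COM before .EXE, so a .COM whose stem
    matches an existing .EXE is exactly the footprint a companion virus leaves.
    Matching is case-insensitive because FAT filenames are.
    """
    exe_by_stem = {}
    com_files = []
    for entry in os.scandir(directory):
        if not entry.is_file():
            continue
        stem, ext = os.path.splitext(entry.name)
        ext = ext.lower()
        if ext == ".exe":
            exe_by_stem[stem.lower()] = entry.name
        elif ext == ".com":
            com_files.append((stem.lower(), entry.name))
    pairs = []
    for stem, com_name in com_files:
        if stem in exe_by_stem:          # a .COM shadowing an .EXE of the same name
            pairs.append((com_name, exe_by_stem[stem]))
    return sorted(pairs)


def build_sample_directory():
    """Constructed sample: a temp dir holding a legitimate EXE, an unrelated COM,
    a text file, and a suspicious COM that shadows ABC.EXE. File contents are
    placeholder bytes, not programs (assumption for the demo)."""
    tmp = tempfile.mkdtemp()
    for name in ("ABC.EXE", "EDIT.COM", "abc.com", "README.TXT"):
        Path(tmp, name).write_bytes(b"placeholder")
    return tmp


if __name__ == "__main__":
    sample = build_sample_directory()
    for com, exe in find_companion_pairs(sample):
        print(f"companion candidate: {com} would run instead of {exe}")
```

A hit is not proof of infection (some legitimate packages ship both forms), but an unexplained .COM that appeared beside an existing .EXE, especially one with a recent timestamp, is worth checking before it is ever run by its bare name.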

File virus: Viruses that attach themselves to (or replace) .COM and .EXE files,
although in some cases they can infect files with extensions .SYS, .DRV, .BIN,
.OVL, .OVR, etc. The most common file viruses are resident viruses, going into
memory at the time the first copy is run and taking clandestine control of the
computer. Such viruses commonly infect additional programs as you run them. But
there are many non-resident viruses, too, which simply infect one or more files
whenever an infected file is run.

Zoo virus: A virus which is rarely reported anywhere in the world, but which
exists in the collections of researchers. A zoo virus has some chance of
"escaping" from virus collections and infecting user machines. Its prevalence
could then increase to the point that it is considered "in the wild."

Types of viruses
1) Scores virus- They exist on Macintosh machines. They have a built-in time
trigger that activates on the 2nd, 4th and 7th day after the disk has been
infected. The consequences vary, ranging from printing problems to system crashes
etc. Data files are not affected directly by this virus, but removing it requires
deletion of all files.
2) Pakistani (Brain) virus- This is one of the first viruses that came into being.
Two Pakistani brothers developed it to keep track of the low-cost software that
was sold in Lahore. This virus is known to destroy data files.
3) Lehigh virus- It originated at the Lehigh University computer centre. It stays
in the stack space of the command.com file. On booting the PC from the infected
disk, the virus is spread through commands like COPY, TYPE etc. On any other disk
with a command.com file, the virus code gets copied onto the disk and a counter is
incremented in the parent file. When the counter reaches the value 4, all files on
the other disk get erased. The boot sector is collapsed and so is the file
allocation table.
4) Friday the 13th- This virus attacks command.com as well as other executable
files. When a .com or .exe file is executed for the first time after booting, the
virus captures a specific interrupt and inserts its own code, after which, whenever
a .exe file is executed, virus code is written at the end of the file, increasing
the file size by 1808 bytes.
In .com files, the virus code is written at the beginning of the actual program.
Thus the increase in file size causes the program to become too large to be loaded
into memory. Also, after a certain interval of time, delays are inserted, resulting
in slowing down of the program.
5) Raindrops- This virus checks whether the file is a .exe or not, and if the file
is not a .exe file, the first three bytes of the file are replaced by a jump
instruction to the end of the file, where the virus gets attached after encryption.
This results in characters dropping off the screen like raindrops, accompanied by
appropriate sound effects.
6) Happy birthday 30th- This virus gets activated on 5th January; if any program
gets executed, it will ask the user to type 'Happy Birthday 30th'. It might destroy
all the data stored on the disk, such as a 1.2 MB floppy. A symptom of this virus
is that the computer memory is reported to be 64 KB less than the actual memory.

A virus basically consists of three parts

1. Replicator - The replicator's job is to ensure the survival of the virus on a
system. Most successful viruses do this by not inflicting damage on the system but
by appending themselves to legitimate programs in the machine. Each time the
program is run the virus will 'wake up' and start to reproduce. As said earlier,
this is the most important part of the virus code.

2. Concealer - This part of the virus has the job of hiding the virus. It uses a
number of methods to do this, but the point is that if you don't know a virus is
there then you won't try to kill it. Today's viruses use advanced techniques to
avoid being caught by anti-virus software.

3. Payload - The payload of a virus can be practically anything; in fact, if it can
be programmed then it can be the payload. If a virus is going to have a long life
then any damage it causes must either be very slight or not take place for a long
period after infection. If an obvious payload gets delivered soon after infection
then the user is soon going to notice and will go virus hunting. This does not help
the long life or wide spread of a virus.

10 virus symptoms

1. Programs take longer to load. Memory-intensive operations take a lot of time to
start.
2. A change in dates against the filenames in the directory. When the virus
modifies a file the operating system changes the date stamp.
3. The floppy disk or hard disk is suddenly accessed without logical reason.
4. Increased use of disk space and growth in file size: the virus attaches itself
to many files.
5. Abnormal write-protect errors: the virus is trying to write to a protected disk.
6. Strange characters appear in the directory listing of filenames.
7. Strange messages like "Type Happy Birthday Joshi" (Joshi virus) or "Driver
Memory Error" (kak.worm) appear on the screen and in documents.
8. Strange graphic displays such as falling letters or a bouncing ball appear on
screen.
9. Programs may hang the computer or not work at all.
10. Junk characters overwrite text in document or data files.

Tips to protect your computer from malicious programs

1) Common sense.

2) Listed below are some of the steps recommended by experts to safeguard your PC
from viruses. These are a compilation of my past experiences and magazine sources.

3) Write-protect your floppy disks when using them on other computers.

4) Remove floppy disks from drives while booting.

5) Change the setting in the BIOS so that your PC boots from the C drive first.

6) Use a good anti-virus program to scan floppy disks before copying files.
Recommended ones are Norton Antivirus and

7) Install software only from original write-protected disks with the publisher's
label.

8) Do not install pirated software, especially computer games. Purchase or obtain
files or software only from trusted sources.

9) Activate watch-guard programs (monitors) that look out for suspicious activity.

10) Use the update service offered by software vendors and update the anti-virus
software every month.

11) Scan the entire hard disk twice a month.

12) Scan files downloaded from the Internet or those transferred through a network.

13) Prepare a rescue disk with critical system files. Preferably, it should be
bootable.

14) Keep the original CD-ROM or diskettes containing the operating system handy.

Look for an unexpected file extension on any attachment.

Structure of Viruses
Here is a simple structure of a virus. In the infected binary, at a known byte
location in the file, the virus inserts a signature byte used to determine whether
a potential carrier program has already been infected. The listing is pseudocode,
not a compilable program:

    V()
    {
        infectExecutable();                  /* replicate first: survival of the virus */
        if (triggered()) {                   /* the payload fires only when the trigger test passes */
            doDamage();
        }
        jump to main of infected program;    /* hand control back to the original host */
    }

    void infectExecutable()
    {
        file = choose an uninfected executable file;   /* the signature byte says which are uninfected */
        prepend V to file;
    }

    void doDamage() {
        ...                                  /* payload: anything that can be programmed */
    }

    int triggered()
    {
        return (some test ? 1 : 0);          /* e.g. a date or a run counter */
    }

The above virus makes the infected file longer than it was, making it easy to
spot. There are many techniques to leave the file length and even a checksum
unchanged and yet infect. For example, many executable files contain long
sequences of zero bytes, which can be replaced by the virus and regenerated. It is
also possible to compress the original executable code as typical Zip programs do,
uncompress it before execution, and pad with bytes so that the checksum comes out
to be what it was.
Virus Detection
Known viruses are by far the most common security problem on modern computer
systems. Several web sites maintain complete lists of known viruses. There are
thousands. Visit, e.g., www.cai.com/virusinfo/encyclopedia/. In the month of July
2000, there were 200+ "PC Viruses in the Wild" (www.wildlist.org). Virus detection
programs analyze a suspect program for the presence of known viruses.
Fred Cohen has proven mathematically that perfect detection of unknown viruses is
impossible: no program can look at other programs and say either "a virus is
present" or "no virus is present", and always be correct. But, in the real world,
most new viruses are sufficiently like old viruses that the same sort of scanning
that finds known viruses also finds the new ones. And there are a large number of
heuristic tricks that anti-virus programs use to detect new viruses, based either
on how they look or on what they do. These heuristics are only sometimes
successful, but since brand-new viruses are comparatively rare, they are
sufficient to the purpose.
Virus scanners are sometimes classified by their "generation." First-generation
virus scanners used a previously obtained virus signature, a bit pattern, to
detect a known virus. They also record and check the length of all executables.
The second generation scans executables with heuristic rules, looking, e.g., for
fragments of code associated with a typical virus. They also do integrity checking
by calculating a checksum of a program and storing the encrypted checksum
somewhere else. The third generation uses a memory-resident program to monitor the
execution behavior of programs and identify a virus by the types of action it
takes. Fourth-generation virus detection combines all previous approaches and
includes access control capabilities.
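The first two scanner generations above, signature matching and integrity checking, are short enough to show in working code, and the same integrity check is what catches the length and content changes described under stealth viruses (the Whale example) and in the symptoms list (file growth, changed files). The block below is an added example, not the chapter's own code: the "signature" is a constructed byte pattern, the "executables" are constructed byte strings, and the stored checksum is a keyed HMAC (the key plays the role of the "encrypted checksum stored somewhere else": a virus that rewrites a file cannot recompute the stored value without it). All function and constant names are assumptions for the demonstration.

```python
"""Toy first- and second-generation virus scanning: signature matching plus a
keyed-checksum integrity baseline. Added example; all data is constructed."""
import hashlib
import hmac

# Constructed scan strings standing in for a scanner's signature database
# (not real virus signatures).
SIGNATURES = {
    "DEMO.Sample": b"\xEB\x2A\x90\xDE\xAD",
}


def scan_for_signatures(data, signatures=SIGNATURES):
    """First generation: return the names of every known signature found in data."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def build_baseline(files, key):
    """Second generation: record the length and a keyed digest of each file.
    The key is kept apart from the baseline, so tampering with a file cannot be
    hidden by also rewriting its stored checksum."""
    return {name: (len(data), hmac.new(key, data, hashlib.sha256).hexdigest())
            for name, data in files.items()}


def check_integrity(files, baseline, key):
    """Compare the current files against the baseline; return {name: reason}."""
    findings = {}
    for name, data in files.items():
        if name not in baseline:
            findings[name] = "new file not in baseline"
            continue
        old_len, old_mac = baseline[name]
        new_mac = hmac.new(key, data, hashlib.sha256).hexdigest()
        if len(data) != old_len:
            findings[name] = f"length changed {old_len} -> {len(data)}"
        elif not hmac.compare_digest(old_mac, new_mac):
            findings[name] = "contents changed, length unchanged"
    for name in baseline:
        if name not in files:
            findings[name] = "file missing"
    return findings


# Constructed sample "executables": short byte strings, not real programs.
CLEAN_FILES = {
    "EDIT.COM": b"\xB8\x00\x4C\xCD\x21" + b"\x00" * 64,
    "GAME.EXE": b"MZ" + b"\x90" * 100,
}
# Constructed key; in practice it lives on write-protected or offline media.
BASELINE_KEY = b"constructed-demo-key-keep-off-the-scanned-disk"


def simulate_infections(files):
    """Return a copy in which GAME.EXE grew (appended code, as a .exe infector
    would do) and EDIT.COM was patched in place over its zero padding (same
    length, different bytes). Purely a simulation on the sample data."""
    infected = dict(files)
    infected["GAME.EXE"] = files["GAME.EXE"] + SIGNATURES["DEMO.Sample"] + b"\x00" * 9216
    patched = bytearray(files["EDIT.COM"])
    patched[-len(SIGNATURES["DEMO.Sample"]):] = SIGNATURES["DEMO.Sample"]
    infected["EDIT.COM"] = bytes(patched)
    return infected


if __name__ == "__main__":
    baseline = build_baseline(CLEAN_FILES, BASELINE_KEY)
    after = simulate_infections(CLEAN_FILES)
    for name, data in after.items():
        print(name, "signatures:", scan_for_signatures(data))
    print(check_integrity(after, baseline, BASELINE_KEY))
```

Two things the run shows that the text only states: the in-place patch of EDIT.COM leaves the length untouched, so a first-generation length check misses it and only the digest comparison reports it; and a stealth virus that lies about a file's size in the directory listing is defeated by reading the bytes and hashing them rather than trusting the listing.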

Trojan Horses:-
Trojans are malicious programs created to perform unexpected operations on your
computer. The name comes from the famous Trojan horse that was used in the Trojan
war. The idea behind it is to trick a person into running the file. It is usually
sent to them in e-mail and promoted as some game or funny program that the
recipient is likely to run. When the Trojan file is run, it usually installs
itself so that it will be loaded automatically, or it places itself in the place
of a common application that is likely to get run, such as NOTEPAD in Windows.
Automatic loading is done by modifying start-up locations such as the registry or
the startup applications directory.
The range of Trojan horses is unlimited, but the most
common steal passwords for popular internet services like America
Online and install backdoor servers that open your computer to hackers
while you are online. They can also have timed payloads that will erase
hard drives or corrupt the data.
Password stealers usually give themselves away by causing
difficulty logging onto your account or complaints that you have been
sending spam or other forms of unwanted e-mail when you have nothing
to do with it.
Backdoor servers will be hard for you to detect unless you happen to notice your
internet connection slowing down or strange things happening when you use your
computer. A backdoor server opens a connection on your computer so that someone
(anyone in the world) can connect and control your computer while you are online.
They can read, copy, delete and write files. They can open and close your CD tray.
There are hundreds of tricks they can play on you.
How does a Trojan affect a computer: In order to gain access to a user's computer,
the victim has to be induced to install the Trojan himself. The usual method is to
offer a seemingly useful system enhancement or perhaps a free game that has the
Trojan attached to it. By installing it, the user also installs the Trojan. The
most common sources of infection are as follows:

• Executing any files from suspicious or unknown sources.
• Opening an email attachment from an unknown source.
• Allowing a "friend" access to your computer while you are away.
• Executing files received from any online activity client such as ICQ.
Virtually every Trojan is comprised of two main parts: the "server" and the
"client". It is the server part that infects a user's system. In order to find
infected machines, intruders scan the Internet using a port scanner. Technically
speaking, the attacker sends request packets across the Internet using the client
part of the Trojan. An infected machine responds with a signal to tell the attacker
that it is infected. The attacker subsequently establishes a link between the two
machines. This whole process may take only a few seconds at most. Once that has
happened, the intruder can take control of the user's machine in the same way as
if he were sitting right in front of it.

Any commands that he performs on the user's machine are completely invisible to
the user, who may be working on an entirely different application at the time. In
this situation, the intruder becomes the master and the user the slave. The Trojan
itself is a "backdoor" to the user's machine in a similar way to the backdoor of
your house. It allows a remote user unauthorized access to your computer in the
same way that a thief who obtains a key to your backdoor can enter your house,
steal its contents and leave again whenever he likes, without your knowledge.

Once infected, the computer becomes accessible to any remote user, usually
referred to as a "cracker" or "intruder” that has the client part of the Trojan. That
person can perform any action that the user can. For example, if the user keeps his
credit card details on the computer, the intruder can steal that information. He may
not necessarily make use of the credit card himself, but he can certainly sell the
information to a third party who can then go on a spending spree at the user’s
expense. The intruder can also steal passwords in order to gain access to restricted
information or to password protected web sites as well.
In addition, the intruder can cause the system to reboot without warning, shutdown
without warning, eject the CD-ROM tray, delete files, add files, make use of the
user’s email client, etc. etc. The possibilities are endless.
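The server half of a Trojan described above has to listen on a port for the client to find it, which gives a defender a concrete thing to look for: a listening socket that the machine has no business having. The block below is an added example, not part of the chapter: it parses text laid out like the output of `netstat -an` on Windows (the sample is constructed, not captured from a real system) and reports every TCP listener that is not in an allow-list of expected ports. The port numbers in the sample and the allow-list are assumptions for the demonstration.

```python
"""Report unexpected listening sockets, the footprint of a backdoor server.
Added example; the netstat text below is constructed, not real output."""

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1043      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Ports this (constructed) workstation is expected to listen on. In practice
# the list comes from a baseline taken when the machine was known to be clean.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 445)}


def parse_listeners(netstat_text):
    """Return the set of (proto, port) pairs shown in LISTENING state.

    Each data line has four columns: proto, local address, foreign address,
    state. The header line and UDP lines (which carry no state column) are
    skipped by the column checks.
    """
    listeners = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        _host, _sep, port = fields[1].rpartition(":")   # works for IPv4 and [IPv6]
        listeners.add((fields[0], int(port)))
    return listeners


def unexpected_listeners(netstat_text, expected=EXPECTED_LISTENERS):
    """Listeners present on the machine but absent from the baseline."""
    return sorted(parse_listeners(netstat_text) - expected)


if __name__ == "__main__":
    for proto, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener: {proto} port {port}")
```

The check is only as good as the baseline it is compared against, so the allow-list should be recorded while the machine is known to be clean and stored where a Trojan installed later cannot edit it, the same principle as the integrity checksums in the virus detection section.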

Types of Trojan

1) Remote Access Trojans: These are probably the most popular and very likely the
most dangerous of the many Trojan classes currently available. It is these types
that work in server/client mode. The server part installs itself on the
unsuspecting user's computer and the client remains on the attacker's system. Once
an infected machine has been discovered, the intruder establishes a link between
the two. He can subsequently perform any action the user can, and more. For
example, let's assume that the user has valuable data stored in a folder called
"ABC" on his C: drive. In order to steal that data, all the intruder needs to do is
drag and drop the folder called ABC from the user's C: drive onto his own. A few of
the most popular Remote Access Trojans are NetBus, SubSeven, Back Orifice (The
Cult of the Dead Cow – cDc), etc.

2) Mail Trojans: Another popular type of Trojan in hackers’ circles is the mail
Trojan. It works in server mode only and its main function is to record certain data
such as the keystrokes the user enters when passwords are typed, the web sites he
regularly visits and files in general. An infected machine will automatically send
the information by email to the attacker. These are very difficult to spot because
the email client is part of the Trojan itself.

3) FTP Trojans: This particular class of Trojan works in server mode only. It
allows FTP access to an infected machine and can download or upload files at the
intruder’s whim.

4) Telnet Trojans: Telnet Trojans run in server mode only and allow an intruder to
execute DOS commands on a remote machine.

5) Key logger Trojans: These Trojans record the keystroke input on an infected
machine and then store the information in a special log file that the intruder can
access in order to decipher passwords.

6) Fake Trojans: This type of Trojan uses fake dialog boxes and other bogus
windows that purport to show that the user has attempted to perform an illegal
operation. By displaying a dialog box, its sole purpose is to get the user to enter
his user name and password. That information is then stored on file so that the
intruder can use it at a later date.

How to prevent yourself from Trojans?

• NEVER download blindly from people or sites which you aren't 100% sure
about. In other words, as the old saying goes, don't accept candy from
strangers. If you do a lot of file downloading, it's often just a matter of time
before you fall victim to a Trojan.
• Even if the file comes from a friend, you still must be sure what the file is
before opening it, because many Trojans will automatically try to spread
themselves to friends in an email address book or on an IRC channel. There
is seldom reason for a friend to send you a file that you didn't ask for. When
in doubt, ask them first, and scan the attachment with a fully updated anti-
virus program.
• Beware of hidden file extensions! Windows by default hides the last extension of
a file, so that innocuous-looking "Susie.jpg" might really be "susie.jpg.exe" - an
executable Trojan! To reduce the chances of being tricked, unhide those pesky
extensions.
• NEVER use features in your programs that automatically get or preview files.
Those features may seem convenient, but they let anybody send you anything, which
is extremely reckless. For example, never turn on "auto DCC get" in mIRC; instead
ALWAYS screen every single file you get manually. Likewise, disable the preview
mode in Outlook and other email programs.
• Never blindly type commands that others tell you to type, or go to web
addresses mentioned by strangers, or run pre-fabricated programs or scripts
(not even popular ones). If you do so, you are potentially trusting a stranger
with control over your computer, which can lead to Trojan infection or
other serious harm.
• Don't be lulled into a false sense of security just because you run anti-virus
programs. Those do not protect perfectly against many viruses and Trojans,
even when fully up to date. Anti-virus programs should not be your front
line of security, but instead they serve as a backup in case something sneaks
onto your computer.
• Finally, don't download an executable program just to "check it out" - if it's
a Trojan, the first time you run it, you're already infected!
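The hidden-extension trick in the list above ("susie.jpg.exe" shown as "Susie.jpg"), and the earlier tip to look for an unexpected extension on any attachment, come down to one rule a mail gateway or a careful user can apply to the real filename. The following is an added example, not the chapter's code: it judges an attachment name by its last extension, treating an executable type hidden behind a document or image extension as the worst case. The extension sets and the sample names are constructed for the demonstration and would be tuned to the environment.

```python
"""Judge e-mail attachment names for the double-extension trick.
Added example; extension lists and sample names are constructed."""

# Extensions Windows runs or interprets as code (constructed, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".lnk"}
# Harmless-looking extensions commonly used as the disguise in front of them.
DISGUISE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf", ".mp3"}


def assess_attachment(filename):
    """Return (verdict, reason) for one attachment name.

    Case and embedded spaces are normalised first, because "Susie. jpg" and
    "SUSIE.JPG.EXE" must be judged on what the OS will actually execute.
    """
    name = filename.strip().lower().replace(" ", "")
    parts = name.split(".")
    if len(parts) < 2 or parts[-1] == "":
        return ("suspicious", "no usable extension")
    exts = ["." + p for p in parts[1:]]
    last = exts[-1]                       # the one Windows hides and acts on
    if last in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in DISGUISE_EXTS:
            return ("block", f"executable {last} hiding behind {exts[-2]}")
        return ("block", f"executable attachment {last}")
    if len(exts) >= 2:
        return ("review", "multiple extensions")
    return ("allow", f"plain {last} file")


# Constructed sample attachment names.
SAMPLES = ["Susie. jpg", "susie.jpg.exe", "report.pdf",
           "invoice.pdf.scr", "notes", "archive.tar.gz"]


def triage(names=SAMPLES):
    """Map each sample name to its verdict; handy for a gateway log line."""
    return {n: assess_attachment(n) for n in names}


if __name__ == "__main__":
    for name, (verdict, why) in triage().items():
        print(f"{verdict:10} {name!r}: {why}")
```

The verdict is taken from the real last extension, never from what the file browser displays, which is exactly why the tip says to unhide extensions: with them hidden, the user sees the disguise and the OS acts on the payload.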

Computer worm:
It is a self-contained program that is able to spread functional copies of itself
or its segments to other computer systems. Unlike viruses, worms do not need to
attach themselves to a host program. There are two types of worms.
• Host computer worms
• Network worms
Host computer worms are entirely contained in the computer they run on and use
network connections only to copy themselves to other computers. The original worm
terminates itself after launching a copy on another host, so there is only one
copy of the worm running somewhere on the network at a given moment. Host computer
worms are also called 'rabbits'.
Network worms consist of multiple segments, each running on a different machine
(and possibly performing different actions) and using the network for several
different communication purposes. A network worm that has one main segment which
co-ordinates the work of the other segments is sometimes called an octopus.
There are three world-famous worms, as follows-
1) The Internet worm (1988): On 22nd November 1988, a Cornell University science
graduate accidentally released this worm on a very large network (called Arpanet).
The worm managed to infect 3000 computers in its 8 hours of activity. It disabled
all those machines by making copies of itself, so that many machines had to be
taken completely off the network till all the copies of the worm could be totally
removed. Although the entire process took the scientists 2-3 days, no data was
lost in any of the infected computers and no permanent damage was done to any of
the computers.
2) The SPAN Network worm (1989): On 16th October 1989, a worm named 'WANK' infected
many VAX/VMS computers on a network. This worm, if it found that it had system
privileges, would then change the message to 'worms against nuclear killers'. The
message was then graphically displayed as the first three letters of each word and
the last three letters of the last word.
3) Christmas tree worm (1987): This was a mainframe worm and managed to paralyze
the IBM network on Christmas day 1987. It was written in a language called EXEC.
It asked the user to type the word 'Christmas' on the screen and then it would draw
a Christmas tree and send itself to all those people whose names were stored in the
user's files, in this way propagating itself.
