Thursday 29 September 2011

VIRUS THREATS IN COMPUTERS

WHAT IS A COMPUTER VIRUS?

A computer virus is typically a computer program that can reproduce/replicate itself. However, in the broader sense, even malware without this reproductive/replicative ability (like adware or spyware) is erroneously included in this categorisation. A virus spreads (in some form of executable code) when its host is taken to the victim computer (either across a network or through CD/DVD/USB).
It should be kept in mind that viruses, trojan horses and worms are all technically different.



WHAT ARE THE TYPICAL OBSERVABLE ATTRIBUTES WHEN A COMPUTER IS INFECTED WITH VIRUS?


The typical indicators of a virus attack include slow functioning of the computer, it stops responding or locks up frequently, it crashes or restarts every few minutes, applications don't work correctly, disks or disk drives are inaccessible, unusual error messages are displayed, or there is a double extension on an attachment you recently opened.[1]


The following are some of the error messages that are displayed when a system is infected with a virus:

[Screenshots of sample error messages; the images are not preserved in this copy of the post]
HOW DOES A VIRUS DETECTION TOOL SCAN AND FILTER VIRUS FROM COMPUTER FILES?


Infection schemes include resident viruses and non-resident viruses. In the case of resident viruses, there exist a finder module and a replication module. The finder module looks for a new file to infect and thereupon calls the replication module. However, in the case of non-resident viruses, there is no finder module; the replication module is loaded into memory and is executed every time the OS is called to perform an operation.

A variety of techniques are implemented by anti-virus tools to detect viruses. The most common is signature-based detection (a signature being a hexadecimal string), which uses a list of pre-defined virus-signature definitions. (The anti-virus software authors update this list over time, so it becomes mandatory to update your anti-virus tool regularly to close security holes.) The major disadvantage of this method is that users are only protected against viruses whose samples have been obtained and whose signatures have been created. New viruses are created every day, and virus authors try to stay a step ahead by writing "oligomorphic", "polymorphic" and "metamorphic" viruses, which encrypt a part of themselves or modify themselves to disguise their code and hence are not caught by their existing virus signatures.

The second method involves heuristics (generic detection). Many viruses start as a single infection but, as they are passed on and refined by other attackers, mutate into various different strains, called variants. Heuristic scanning will detect several of these threats on the basis of the one virus signature of the original virus infection.
It is quicker to identify a virus family: virus researchers find common areas that all viruses in a family share uniquely and thus create a single generic signature. These signatures often contain non-contiguous code, using wildcard characters where the differences lie. These wildcards allow the scanner to detect viruses even if they are padded with extra, meaningless code.[2]

E.g. the Vundo trojan has several family members, depending on the antivirus vendor's classification. Symantec classifies members of the Vundo family into two distinct categories, Trojan.Vundo and Trojan.Vundo.B.[3]



WHAT CAN BE DONE TO SPEED UP THE OPERATION OF VIRUS DETECTION TOOLS?

To speed up the virus-detection operation, archive files may be excluded, or the nesting level up to which files are scanned may be defined. The software may be configured to scan only certain types of files (decided by their internal structure); this ensures that only files prone to attack are scanned. The software may also be customised to allow scanning "on the fly", that is, objects may be scanned in RAM without saving them to the hard disk.
Such features are offered by only some anti-virus software, like Kaspersky.



WHAT ARE THE DIFFERENT STEPS INVOLVED IN FUNCTIONING OF KASPERSKY VIRUS DETECTION TOOL?

VIRUS DICTIONARY APPROACH
1. Scans the files
2. If a certain part of the file matches a virus signature (a code), then:
2.1 Deletes the file
2.2 Quarantines the file (isolates the file so that it is inaccessible to other programs)
2.3 Tries to repair it by eradicating the virus from the file.
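As an added illustration (not code from the original post or from any vendor), the following Python 3 scanner carries out steps 1, 2 and 2.2 of the dictionary approach above using a generic wildcard signature of the kind described under heuristics ("??" matches one arbitrary byte, "*" matches any padding between fixed fragments). The sample files and the "Demo.Family" signature are constructed for the example and are not real malware or a real vendor signature.

```python
import re

# Constructed sample "files" (byte strings), not real malware: one clean file,
# one carrying the exact byte pattern, one variant padded with junk bytes.
SAMPLE_FILES = {
    "clean.bin": b"MZ\x90\x00hello world\x00\x00",
    "infected.bin": b"MZ\x90\x00\xeb\x10\x5e\x31\xc0\xb0\x4d\x00\x41\x4c",
    "variant.bin": b"MZ\x90\x00\xeb\x10\x5e\x90\x90\x31\xc0\xb0\x4d\xaa\x41\x4c",
}

# Constructed generic signature in the usual hex notation:
# '??' is a one-byte wildcard, '*' matches any run of padding bytes.
SIGNATURES = {
    "Demo.Family": "eb 10 5e * 31 c0 b0 4d ?? 41 4c",
}

def signature_to_regex(sig):
    """Translate a hex signature with ?? and * wildcards into a bytes regex."""
    parts = []
    for tok in sig.split():
        if tok == "*":
            parts.append(b".*?")            # any number of padding bytes (lazy)
        elif tok == "??":
            parts.append(b".")              # exactly one arbitrary byte
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)

COMPILED = {name: signature_to_regex(s) for name, s in SIGNATURES.items()}

def scan(data):
    """Step 1/2: return the name of the first matching signature, or None."""
    for name, rx in COMPILED.items():
        if rx.search(data):
            return name
    return None

def scan_and_quarantine(files):
    """Steps 1, 2 and 2.2: scan every file and move matches into a quarantine
    store so the rest of the program can no longer see them. Returns the
    quarantine dict {filename: (signature name, contents)}."""
    quarantine = {}
    for fname in list(files):
        verdict = scan(files[fname])
        if verdict is not None:
            quarantine[fname] = (verdict, files.pop(fname))
    return quarantine

if __name__ == "__main__":
    store = dict(SAMPLE_FILES)
    print("quarantined:", sorted(scan_and_quarantine(store)), "remaining:", sorted(store))
```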


SUSPICIOUS BEHAVIOUR APPROACH
1. Doesn't scan the files for signatures; instead keeps track of the behaviour of all programs

For example, if a program attempts to write data to an executable program, it is flagged as suspicious behaviour and the user is alerted and asked what to do! [4]


SANDBOX
1. Performed only during "on demand" scans (because of performance issues)
2. The sandbox copies the actions of the OS and runs the executable in this replica.
3. After termination, the sandbox is analysed for changes.
4. Changes indicate a virus.



HOW CAN ONE MAKE A SIMPLE VIRUS PROGRAM USING A SHORT SCRIPT?


Python is a high-level programming language whose design emphasizes readability. Python scripts are often used for web and mobile applications. Here, we use a simple Python script that opens 100 pop-ups on execution (a "virus").
The code is as follows (saved as pop1.py):

from Tkinter import *   # Python 2 module name; in Python 3 it is "tkinter"

for i in range(1, 101):   # 100 pop-ups, numbered 1..100
    root = Tk()
    root.title("Pop up %d" % i)
    # mainloop() blocks until this window is closed, so the windows
    # appear one after another rather than all at once
    root.mainloop()

To convert it into a setup (.exe) file, the following is the code (saved as setup.py):

from distutils.core import setup
import py2exe   # importing it registers the "py2exe" build command with distutils

# run "python setup.py py2exe"; the console executable is written to the dist folder
setup(console=['pop1.py'])

Therefore, we have converted the Python script into an executable (.exe) that can be embedded in a file to implement the virus.
[1]: www.microsoft.com
[2], [3]: http://en.wikipedia.org/wiki/Antivirus_software
[4]: http://www.antivirusworld.com/articles/antivirus.php



Contributed by:
Akanksha Singh (2011012)
Shruti Nagpal ( 2011105)
