This report briefly introduces computer viruses and how they affect network
security. I also describe today's virus situation. Many people are afraid of
viruses, mostly because they do not know much about them. This report will
guide you in the event of a virus infection.
Computer viruses and network security are important. There are things that
are not public information. Therefore it is good to be aware of possible
network security problems.
________________________________________
Table of Contents
1. Introduction to computer viruses
2. General information about computer viruses
2.1 Different Malware types
2.1.1 Viruses
2.1.2 Trojan
2.1.3 Worms
2.2 Macro viruses
2.3 Virus sources
2.3.1 Why do people write and spread viruses?
2.4 How viruses act
2.4.1 How viruses spread out
2.4.2 How viruses activate
2.5 Viruses in different platforms
2.5.1 PC viruses
2.5.2 Macintosh viruses
2.5.3 Other platforms
3. How to deal with viruses
3.1 What are the signs of viruses
3.2 What to do when you find viruses
4. How to protect from viruses
4.1 How to provide against viruses
4.2 Different anti-virus programs
5. Computer viruses in Finland
5.1 A questionnaire survey in Finland about viruses
5.2 It is going to be a criminal act to make viruses in Finland
6. How computer viruses have spread out around the world
7. Computer viruses and network security
8. Conclusions
1. Introduction to Computer Viruses
A person might have a computer virus infection when the computer starts
acting differently: for instance, it gets slow, or when it is turned on it
says that all the data is erased, or a document being written looks
different, some chapters are missing, or something else abnormal has
happened.
The next thing that usually happens is that the person whose computer might
be infected with a virus panics. The person might think that all the work
that has been done is lost. That could be true, but in most cases viruses
have not done any harm yet; it is when you start doing something without
being sure what you are doing that harm might follow. When some people try to
get rid of viruses they delete files, or they might even format the whole
hard disk like my cousin did. That is not the best way to act when a person
thinks that he has a virus infection.
What do people do when they get sick? They go to see a doctor if they do not
know what is wrong with them. It is the same with viruses: if a person does
not know what to do, they call someone who knows more about viruses and get
professional help.
If people read email on their PC, use diskettes to transfer files between
the computer at work and the computer at home, or just transfer files between
the two computers, they have a good chance of getting a virus. They might
also get viruses when they download files from any Internet site. There was
a time when people could be sure that some sites were secure and did not have
any virus problems, but nowadays people cannot be sure of anything. There
have been viruses even on Microsoft's download sites.
In this report I am going to introduce different malware types, how they
spread and how to deal with them. The most common viruses nowadays are macro
viruses, and I am going to spend a little more time on them. I am going to
give an example of trojan horses stealing passwords.
2. General information about computer viruses
2.1 Different malware types
Malware is a general name for all programs that are harmful: viruses,
trojans, worms and all other similar programs [1].
2.1.1 Viruses
A computer virus is a program, a block of executable code, which attaches
itself to, overwrites or otherwise replaces another program in order to
reproduce itself without the knowledge of the PC user.
There are a couple of different types of
computer viruses: boot sector viruses, parasitic viruses, multi-partite
viruses, companion viruses, link viruses and macro viruses. These
classifications take into account the different ways in which the virus can
infect different parts of a system. The manner in which each of these types
operates has one thing in common: any virus has to be executed in order to
operate. [2]
Most viruses are pretty harmless. The user
might not even notice the virus for years. Sometimes viruses might cause random
damage to data files and over a long period they might destroy files and disks.
Even benign viruses cause damage by occupying disk space and main memory and
by using up CPU processing time. There is also the time and expense wasted in
detecting and removing viruses.
2.1.2 Trojan
A Trojan Horse is a program that does something other than what the user
thought it would do. It is mostly done to someone on purpose. Trojan Horses
are usually masked so that they look interesting, for example a
saxophone.wav file that interests a person collecting sound samples of
instruments. A Trojan Horse differs from a destructive virus in that it
doesn't reproduce. There has been a password trojan out in AOL land (America
Online): Password30 and Pasword50, which some people thought were .wav files,
but they were disguised and people did not know that they had the trojan in
their systems until they tried to change their passwords. [9]
According to an administrator of AOL, the Trojan steals passwords and sends
an e-mail to the hacker's fake name, and then the hacker has your account in
his hands.
2.1.3 Worms
A worm is a program which usually spreads over network connections. Unlike a
virus, which attaches itself to a host program, worms always need a host
program to spread. In practice, worms are not normally associated with
one-person computer systems. They are mostly found in multi-user systems such
as Unix environments. A classic example of a worm is Robert Morris's Internet
worm of 1988.
2.2 Macro virus
Macro viruses
spread from applications which use macros. The macro viruses which are
receiving attention currently are specific to Word 6, WordBasic and Excel.
However, many applications, not all of them Windows applications, have
potentially damaging and infective macro capabilities too.
A CAP macro virus,
now widespread, infects macros attached to Word 6.0 for Windows, Word 6.0.1 for
Macintosh, Word 6.0 for Windows NT, and Word for Windows 95 documents.
What makes such a virus possible is that the macros are created with
WordBASIC, which even allows DOS commands to be run. WordBASIC is a
programming language which links features used in Word to macros.
A virus named "Concept" has no destructive payload; it merely spreads after a
document containing the virus is opened. Concept copies itself to other
documents when they are saved, without affecting the contents of documents.
Since then, however, other macro viruses have been discovered, and some of
them contain destructive routines.
Microsoft suggests
opening files without macros to prevent macro viruses from spreading, unless
the user can verify that the macros contained in the document will not cause
damage. This does NOT work for all macro viruses.
Why are macro viruses so successful? Today people share so much data, email
documents and use the Internet to get programs and documents. Macros are also
very easy to write. Another problem is that Word for Windows corrupts macros,
inadvertently creating new macro viruses.
Corruption also creates "remnant" macros, which are not infectious but look
like viruses and cause false alarms. Known macro viruses can get together and
create wholly new viruses.
There have been viruses since 1986 and macro viruses since 1995. Now about 15
percent of viruses are macro viruses. There are about 2,000 macro viruses and
about 11,000 DOS viruses, but the problem is that macro viruses spread so
fast. New macro viruses are created in the workplace, on a daily basis, on
typical end-user machines, not in a virus lab. New macro virus creation is
due to corruption, mating, and conversion. Traditional anti-virus programs
are also not good at detecting new macro viruses.
Almost all viruses detected at the Helsinki University of Technology have
been macro viruses, according to Tapio Keihänen, the virus specialist at HUT.
Before macro viruses it was easier to detect and repair virus infections with
anti-virus programs. But now that there are new macro viruses, it is harder
to detect them, and people are more in contact with their anti-virus vendor
to detect and repair unknown macro viruses, because new macro viruses spread
faster than new anti-virus program updates come out.
2.3 Virus sources
Viruses do not just appear; there is always somebody who has made them, and
they have their own reasons for doing so. Viruses are written everywhere in
the world. Now that the information flow in the net and the Internet grows,
it does not matter where the virus is made.
Most of the writers are young men. There are also a few university students,
professors, computer store managers and writers, and even a doctor has
written a virus. One thing is common to these writers: all of them are men;
women do not waste their time writing viruses. Women are either smarter or
they are just so good that they never get caught.
2.3.1 Why do people write and spread viruses?
It is difficult to know why people write them. Everyone has their own
reasons. Some general reasons are to experiment with how to write viruses or
to test their programming talent. Some people just like to see how the virus
spreads and gets famous around the world. The following list comes from
postings to the newsgroup alt.comp.virus and tries to explain why people
write and spread viruses.
- they don't understand or prefer not to think about the consequences for other people
- they simply don't care
- they don't consider it to be their problem if someone else is inconvenienced
- they draw a false distinction between creating/publishing viruses and distributing them
- they consider it to be the responsibility of someone else to protect systems from their creations
- they get a buzz, acknowledged or otherwise, from vandalism
- they consider they're fighting authority
- they like 'matching wits' with anti virus vendors
- it's a way of getting attention, getting recognition from their peers and their names (or at least that of their virus) in the papers and the Wild List
- they're keeping the anti virus vendors in a job
2.4 How viruses act
A virus's main mission is to spread and then become active. Some viruses just
spread and never activate. When viruses spread, they make copies of
themselves, and the spreading itself is harmful.
2.4.1 How viruses spread out
A virus's mission is to hop from one program to another, and this should
happen as quickly as possible. Usually viruses attach to the host program in
some way. They may even write over part of the host program.
A computer is
infected with a boot sector virus if it is booted from an infected floppy disk.
Boot sector infections cannot normally spread across a network. These viruses
spread normally via floppy disks which may come from virtually any source:
- unsolicited demonstration disks
- brand-new software
- disks used on your PC by salesmen or engineers
- repaired hardware
A file virus
infects other files, when the program to which it is attached is run, and so a
file virus can spread across a network and often very quickly. They may be
spread from the same sources as boot sector viruses, but also from sources such
as Internet FTP sites and newsgroups. Trojan horses spread just like file
viruses.
A multipartite
virus infects boot sectors and files. Often, an infected file is used to infect
the boot sector: thus, this is one case where a boot sector infection could
spread across a network.
2.4.2 How viruses activate
We are always afraid that viruses do something harmful to files when they
become active, but not all viruses activate. Some viruses just spread, but
when viruses do activate they do very different things: they might play part
of a melody or play music in the background, show a picture or an animated
picture, show text, format the hard disk or make changes to files.
As an example, in one unnamed company the files on a server were corrupted
just a bit at a time over a long period. So backup copies were taken of the
corrupted files, and by the time they noticed that something was wrong, it
was too late to get the data back from the backups. That kind of event is the
worst that can happen to the users.
There is also talk that viruses have done something to hardware such as a
hard disk or monitor. Viruses cannot do any harm to hardware, but they can do
harm to programs and, for example, to the BIOS so that the computer does not
start after that. Usually you can start the computer from a boot diskette if
the computer does not start otherwise.
2.5 Viruses in different platforms
2.5.1 PC viruses
Viruses are mostly written for PC computers and the DOS environment. Even
though viruses are made for the DOS environment, they also work in Windows,
Windows95, Windows NT and OS/2 operating systems. Some viruses, like boot
sector viruses, do not care about the operating system.
2.5.2 Macintosh viruses
Macintosh viruses are not as big a problem as PC viruses. There are not so
many viruses for the Macintosh operating system. Macintosh viruses have been
found mostly in schools.
How many Mac viruses are there? I found out that there are about 2-300
Mac-specific viruses. There are virtually no macro viruses which have a
Mac-specific payload, but all macro viruses can infect Macs and other
platforms which run Word 6.x or better.
2.5.3 Other platforms
Viruses can be found on almost any kind of computer, such as HP calculators
used by students, like the HP 48, old computers like the Commodore 64, and
Unix computers too.
In general, there are virtually no non-experimental UNIX viruses. There have
been a few worm incidents, most notably the Morris Worm, the Internet Worm
of 1988.
There are
products which scan some Unix systems for PC viruses. Any machine used as a
file server (Novell, Unix etc.) can be scanned for PC viruses by a DOS scanner
if it can be mounted as a logical drive on a PC running appropriate network
client software such as PC-NFS.
Intel-based PCs running Unix (e.g. Linux) can also be infected by a DOS
boot-sector virus if booted from an infected disk. The same goes for other
PC-hosted operating systems such as NetWare.
While viruses
are not a major risk on Unix platforms, integrity checkers and audit packages
are frequently used by system administrators to detect file changes made by
other kinds of attack.
3. How to deal with viruses
3.1 What are the signs of viruses
Almost anything odd a computer may do can be blamed on a computer "virus,"
especially if no other explanation can readily be found. Many operating
systems and programs also do strange things, therefore there is no reason to
immediately blame a virus. In most cases, when an anti-virus program is then
run, no virus can be found.
A computer
virus can cause unusual screen displays, or messages - but most don't do
that. A virus may slow the operation of the computer - but many times
that doesn't happen. Even longer disk activity, or strange hardware
behavior can be caused by legitimate software, harmless "prank"
programs, or by hardware faults. A virus may cause a drive to be accessed
unexpectedly and the drive light to go on but legitimate programs can do that
also.
One usually
reliable indicator of a virus infection is a change in the length of executable
(*.com/*.exe) files, a change in their content, or a change in their file
date/time in the Directory listing. But some viruses don't infect files,
and some of those which do can avoid showing changes they've made to files,
especially if they're active in RAM.
Another common indication of a virus infection is a change in the assignment
of system resources. Unaccounted use of memory or a reduction in the amount
normally shown for the system may be significant.
In short,
observing "something funny" and blaming it on a computer virus is
less productive than scanning regularly for potential viruses, and not
scanning, because "everything is running OK" is equally inadvisable.
3.2 What to do when you find viruses
The first thing you should do when you find a virus is count to ten and stay
cool. You should keep notes on what you do and write down what your
anti-virus programs and your computer tell you. If you are not sure what to
do, you should call the administrator for further action. In some cases it is
not good to start your computer from the hard disk, because the virus may
activate and then do some harm.
Second, make sure that it is a virus and find out what virus it is. It is
important to know what kind of virus we are dealing with. Companies that make
anti-virus programs know what different viruses do, and you can either call
them and ask about the virus or go to their web pages and read about the
virus you have.
When you start your computer you should do it from a clean (non-infected)
floppy diskette and after that run the anti-virus program. The boot diskette
should be write-protected so that the virus cannot infect the boot diskette
too.
It is good to take a backup of the file that was infected. The anti-virus
program could do some damage to the file, and that is why it is good to have
a backup.
It is good to let your administrator know about the virus, so that viruses do
not spread so much. At TKK, PC classes are protected by an anti-virus
program, and that program reports to the person responsible for virus
protection.
4. How to protect from viruses
4.1 How to provide against viruses
The best way to protect yourself is to prepare your computer against viruses
in advance. One way to protect your computer is to use an up-to-date
anti-virus program. When you get an email attachment, you should first check
the attachment with an anti-virus program.
As an example, in one unnamed Finnish company all information was mailed as
email attachments. One Word document was mailed to everybody, and that
attachment was infected by a macro virus. Everyone got the infected
attachment, and those who opened it with Word got the CAP macro virus. In the
end there were a few thousand infections. It took lots of time and money to
clear that virus.
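A check that can run before an attachment is ever opened, complementing the anti-virus scan described above (an added example, not part of the original report): it looks at the first bytes of each attachment instead of trusting the file name, so a Word document is routed to the scanner and an executable disguised as a .wav file is blocked. The message, addresses, file names and verdict texts are constructed for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# First 8 bytes of the OLE2 container used by Word 6/95 and Excel documents.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type each file name extension is expected to carry.
EXPECTED_KIND = {".doc": "ole2", ".dot": "ole2", ".xls": "ole2",
                 ".wav": "wav", ".exe": "executable"}


def identify(data):
    """Classify content by its leading bytes, ignoring the file name."""
    if data[:8] == OLE2_MAGIC:
        return "ole2"
    if data[:2] == b"MZ":                      # DOS/Windows program header
        return "executable"
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "wav"
    return "unknown"


def triage(raw_message):
    """Return (file name, detected kind, verdict) for every attachment."""
    message = email.message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in message.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        kind = identify(data)
        extension = os.path.splitext(name)[1].lower()
        expected = EXPECTED_KIND.get(extension)
        if kind == "executable" and expected != "executable":
            verdict = "block: executable content behind a %s name" % (
                extension or "extensionless")
        elif expected is not None and kind != expected:
            verdict = "hold: content does not match the file name"
        elif kind == "ole2":
            verdict = "scan before opening: macro-capable document"
        else:
            verdict = "ok"
        results.append((name, kind, verdict))
    return results


def build_sample_message():
    """Constructed message: the payloads are magic bytes plus padding only."""
    message = EmailMessage()
    message["From"] = "sender@example.com"
    message["To"] = "everybody@example.com"
    message["Subject"] = "Constructed sample"
    message.set_content("Three attachments, all constructed for this example.")
    message.add_attachment(OLE2_MAGIC + b"\x00" * 504, maintype="application",
                           subtype="msword", filename="report.doc")
    message.add_attachment(b"MZ" + b"\x00" * 62, maintype="audio",
                           subtype="wav", filename="saxophone.wav")
    wav_header = b"RIFF" + (36).to_bytes(4, "little") + b"WAVEfmt "
    message.add_attachment(wav_header + b"\x00" * 28, maintype="audio",
                           subtype="wav", filename="chime.wav")
    return message.as_bytes()


if __name__ == "__main__":
    for name, kind, verdict in triage(build_sample_message()):
        print(f"{name:15} {kind:11} {verdict}")
```

The check only decides where an attachment goes next; a document marked "scan before opening" still has to pass the anti-virus program.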
One can protect
the computer against boot sector viruses by setting the BIOS to start from a
hard disk rather than from a floppy disk.
Write protection is a good way to guard against viruses. Write protection
works well on floppy disks, Windows NT and UNIX, but not that well in Windows
and Windows95.
4.2 Different anti-virus programs
There are three different kinds of anti-viral packages: activity monitors,
authentication or change-detection software, and scanners. Each type has its
own strengths and weaknesses. Commercial anti-viral programs combine the
above-mentioned functions.
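How change-detection software works, and why section 3.1 lists length, content and date/time separately as indicators, shown as an added example that is not part of the original report: a baseline of every *.com/*.exe file is recorded and later compared. The file names and contents are constructed samples written to a temporary directory.

```python
import hashlib
import os
import tempfile

# Extensions named in section 3.1 as the files whose changes matter.
EXECUTABLE_EXTENSIONS = {".com", ".exe"}


def fingerprint(path):
    """Record length, modification time and content hash of one file."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    info = os.stat(path)
    return {"size": info.st_size, "mtime": info.st_mtime_ns,
            "sha256": digest.hexdigest()}


def snapshot(root):
    """Fingerprint every executable under root, keyed by relative path."""
    result = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
                full = os.path.join(folder, name)
                result[os.path.relpath(full, root)] = fingerprint(full)
    return result


def compare(baseline, current):
    """Return (path, finding) pairs for everything that differs."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            findings.append((path, "new executable"))
        elif new is None:
            findings.append((path, "executable removed"))
        else:
            changed = [key for key in ("size", "mtime", "sha256")
                       if old[key] != new[key]]
            if changed:
                findings.append((path, "changed: " + ", ".join(changed)))
    return findings


def demo():
    """Constructed sample: three kinds of change in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"EDIT.COM": b"\x90" * 64, "SORT.EXE": b"MZ" + b"\x00" * 62,
                   "README.TXT": b"not an executable, never tracked"}
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(body)
        baseline = snapshot(root)  # in practice: taken on a known-clean system

        # 1. Bytes appended: the file length grows.
        with open(os.path.join(root, "EDIT.COM"), "ab") as handle:
            handle.write(b"\xcc" * 16)
        # 2. Same-length overwrite with the timestamp put back: length and
        #    date/time look untouched, only the content hash differs.
        target = os.path.join(root, "SORT.EXE")
        before = os.stat(target)
        with open(target, "r+b") as handle:
            handle.seek(32)
            handle.write(b"\xcc" * 16)
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))
        # 3. An executable that was not there when the baseline was taken.
        with open(os.path.join(root, "NEW.EXE"), "wb") as handle:
            handle.write(b"MZ")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{path}: {finding}")
```

The caveat from section 3.1 still applies: a virus active in RAM can hide its changes, so the comparison is only trustworthy when run after starting from a clean, write-protected boot diskette.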
There are over ten good anti-viral programs. The best-known programs are Data
Fellows F-Prot, EliaShim ViruSafe, ESaSS ThunderBYTE, IBM AntiVirus, McAfee
Scan, Microsoft Anti-Virus, Symantec Norton AntiVirus and S&S Dr Solomon's
AVTK.
On a day-to-day basis, the average corporation should be very interested in
the scan time; it strongly affects the users, who should be scanning hard
drives and disks on a daily basis. If a product takes too long to carry out
these basic tasks, users will be unwilling to wait, and will stop using it.
This is clearly undesirable - the perfect anti-virus product would be one
which takes no time to run and finds all viruses.
5. Computer viruses in Finland
5.1 A questionnaire in Finland about viruses
Computer viruses are not uncommon in Finland, especially not in schools and
universities. "Virus prevention was not well organized in some organizations
and tended to be better in government organizations than in local government
or in firms" writes Marko Helenius in his Computer viruses in Finland report.
He did a large-scale questionnaire survey in Finland in the summer of 1993.
There were no macro viruses yet at that time, so today the virus situation is
a bit different, but some results were pretty interesting.
The knowledge of viruses was quite poor in all sectors: government, local
authorities and companies. Respondents' knowledge of viruses was best in
government organizations. How important is virus prevention? The most
positive attitude to virus prevention was in government organizations.
90% of the government organizations used some kind of anti-virus program; in
local authority organizations the figure was about 55% and in companies it
was over 60%.
5.2 It is going to be a criminal act to make viruses in Finland
There is a new government bill about writing and spreading viruses. If the
bill goes through, it is going to be a criminal act to make and spread
viruses in Finland, and one could get two years in prison or a fine for
spreading or writing viruses. If a person makes a virus, it would be the same
thing in court as if the person were planning to burn something. It is
criminal to make viruses in England, Italy, the Netherlands, Switzerland and
Russia.
Making or spreading viruses is not punishable in Finland according to today's
penal code. If viruses do harm to somebody, that could be punished. Nobody
has been punished for that in Finland, even though some Finns have made
viruses, for example Finnish Sprayer. That virus formatted about 600 hard
disks and did lots of damage. They say that it was made in Espoo, but they
never caught the persons who made that virus.
The virus business in Finland is pretty big. Businesses that have specialized
in viruses have about 100 million in sales together. It costs money to stop
working and clean up the viruses. Computer viruses endanger general safety,
says Pihlajamäki from the Ministry of Justice. It is dangerous if viruses get
into programs that control trains or airplanes.
Computer
viruses can also be used as a weapon. It is sad that America
used computer viruses to slay and to make Iraq's computers
non-functional.
6. How computer viruses have spread out around the world
Computer viruses are a problem all over the world. The following picture
tells us how many times people have accessed Data Fellows, the company that
makes the anti-virus program F-Prot: more than 1,672,846 times per month. It
means that people are interested in virus information. One reason is that
people have to deal with viruses. Viruses are not only a problem in Finland
and the USA; they are a problem around the world.
7. Computer viruses and network security
Computer viruses are one network security problem. A few people, when asked
whether computer viruses can cause network security problems, answered as
follows.
Dave Kenney from the National Computer Security Assoc answered: "There is one
macro virus for MSWord that is received as an attachment to MS Mail messages.
If a user has Word open, and double clicks to see the contents of the
attachment, MS Word and the open document are infected. Then the document is
mailed to three other users listed in the original user's address book."
"The only information that is leaked is the thing you should be worried
about, your password! The trojan sends an E-mail to the hacker's fake name
and then he has your account at his hands," wrote CJ from America Online.
"Rarely, a
Word macro virus may accidentally pick up some user information and carry it
along; we know of one case where a macro virus "snatched" an innocent
user macro that contained a password, and spread it far outside the company
where that happened. In the future, however, it is entirely possible that more
network-aware viruses will cause significant network security problems,"
wrote David Chess from IBM.
Marko Helenius from the Virus Research Unit wrote that there have been some
cases where hackers have used trojan horses to gain information. There is one
example in a Finnish corporation where some money was transferred illegally a
year ago. There has been a trojan at the University of Tampere too, where the
trojan pretended to be a host transfer program. The trojan saved users' login
names and passwords to the hard disk.
8. Conclusions
There are lots of viruses in the world and new viruses are coming up every
day. New anti-virus programs and techniques are being developed too. It is
good to be aware of viruses and other malware, and it is cheaper to protect
your environment from them than to be sorry afterwards.
There might be a virus in your computer if it starts acting differently.
There is no reason to panic if a computer virus is found.
It is good to be a little suspicious of malware when you surf the Internet
and download files. Some files that look interesting might hide malware.
A computer virus is a program that reproduces itself and its mission is to
spread out. Most viruses are harmless and some viruses might cause random
damage to data files.
A trojan horse is not a virus because it doesn't reproduce. Trojan horses are
usually masked so that they look interesting. There are trojan horses that
steal passwords and format hard disks.
Macro viruses spread from applications which use macros. Macro viruses spread
fast because people share so much data, email documents and use the Internet
to get documents. Macros are also very easy to write.
Some people want to experiment with how to write viruses and test their
programming talent. At the same time they do not understand the consequences
for other people, or they simply do not care.
A virus's mission is to hop from one program to another, and this can happen
via floppy disks, Internet FTP sites, newsgroups and email attachments.
Viruses are mostly written for PC computers and DOS environments.
Viruses are no longer something that just programmers and computer
specialists have to deal with. Today everyday users have to deal with
viruses.
References
[4] Koskinen P.,
Tietokonevirusten teko ja levitys aiotaan säätää rangaistavaksi,
Helsingin Sanomat 12.11.1997
<http://www.infosecnews.com/articles/9705/article1.html>
[12] Proceedings of the Seventh International Virus Bulletin Conference, The Fairmont Hotel San Francisco USA, 2-3 October 1997 <http://www.virusbtn.com>