1. NETWORK VIRUS DETECTION AND PREVENTION
ABSTRACT
One of the most high-profile threats to information integrity is the network virus.
Network viruses are software that behaves like biological viruses: they attach
themselves to a host and replicate, spreading the infection. For a computer program to be
classified as a virus, it simply must replicate itself. In this paper (Network Virus Detection
and Prevention), I present what viruses, worms, and Trojan horses are and how they
differ, the different strategies of virus spreading, virus detection, virus prevention and
case studies of the Slammer and Blaster worms.
1
Dept. of ECE, BCET
CHAPTER 1
INTRODUCTION
The internet consists of hundreds of millions of computers distributed around the
world. Millions of people use the internet daily, taking full advantage of the available
services at both personal and professional levels. The internet connectivity among computers
on which the World Wide Web relies, however, renders its nodes an easy target for malicious
users who attempt to exhaust their resources, damage their data, or create havoc in the
network. Computer viruses, especially in recent years, have increased dramatically in
number. One of the most high-profile threats to information integrity is the computer virus.
Surprisingly, PC viruses have been around for two-thirds of the IBM PC's lifetime, appearing
in 1986. With global computing on the rise, computer viruses have had more visibility in the
past few years. In fact, the entertainment industry has helped by illustrating the effects of
viruses in movies such as "Independence Day", "The Net", and "Sneakers". Along with
computer viruses, computer worms are also increasing day by day. So there is a need to
immunize the internet by creating awareness among people about these threats in detail. In this paper
I explain the basic concepts of viruses and worms and how they spread. The basic
organization of the paper is as follows. Section 2 gives some preliminaries: the definitions
of computer viruses, worms and Trojan horses, as well as some other malicious programs, and also
the basic characteristics of a virus. Section 3 gives a detailed description: the malicious code
environments in which a virus can propagate, an overview of virus/worm types in which the different types
are explained, and the categories of worms, in which the different forms of worm are explained
in a broad sense. Section 4, File Infection Techniques, describes the various
infection mechanisms of a virus. Section 5, Steps in Worm Propagation, describes the basic
steps that a typical worm follows for propagation. Section 6, Case Studies, discusses two case
studies, of the Slammer worm and the Blaster worm.
1.1 Preliminaries:
A. Virus:
A virus is a self-replicating program. Some definitions also add the constraint that it has
to attach itself to a host program to be able to replicate. Viruses often require a host, and their
goal is to infect other files so that the virus can live longer. Some viruses perform destructive
actions, although this is not necessarily the case. Many viruses attempt to hide from being
discovered. A virus might rapidly infect every file on an individual computer or slowly infect the
documents on the computer, but it does not intentionally try to spread itself from that
(infected) computer to others. In most cases, that is where humans come in. We send
e-mail document attachments, trade programs on diskettes, or copy files to file servers. When
the next unsuspecting user receives the infected file or disk, they spread the virus to their
computers, and so on.
B. Worms:
Worms are insidious because they rely less (or not at all) upon human behaviour in
order to spread themselves from one computer to others. A computer worm is a program
that is designed to copy itself from one computer to another, leveraging some network
medium: e-mail, TCP/IP, etc. The worm is more interested in infecting as many machines
as possible on the network, and less interested in spreading many copies of itself on a single
computer (as a computer virus does). The prototypical worm infects (or causes its code to run on)
a target system only once; after the initial infection, the worm attempts to spread to other
machines on the network. Some researchers define worms as a sub-type of viruses. In the early
years, worms were considered a problem of mainframes only. But this changed after
the Internet became widespread; worms quickly adapted to Windows and started to send
themselves through network functions. Some categories that come under worms are:
Mailers and Mass-Mailer worms
Octopus
Rabbits
C. Trojan Horses:
A Trojan Horse is a program which pretends to be a useful program but performs some unwanted
action. Most Trojans activate when they are run and sometimes destroy the structure of the
current drive (FATs, directories, etc.), obliterating themselves in the process. They do not
require a host and do not replicate. A special type is the backdoor Trojan, which does not do
anything overtly destructive, but leaves your computer open to remote control and
unauthorised access.
D. Others:
There are other types of malicious programs apart from Viruses, Worms and Trojan
Horses. Some of them are described below.
1) Logic Bombs:
A logic bomb is a programmed malfunction of a legitimate application. These are
intentionally inserted in otherwise good code. They remain hidden, with only their effects
being visible. They do not replicate. Bugs do everything except make more bugs.
2) Germs:
These are first-generation viruses in a form that the virus cannot generate through its usual
infection process. When the virus is compiled for the first time, it exists in a special form and
normally does not have a host program attached to it. Germs do not have the usual marks
that most viruses use in their second-generation form to flag infected files, so as to avoid reinfecting
an already infected object.
3) Exploits:
An exploit is specific to a single vulnerability or set of vulnerabilities. Its goal is to run a
program on a (possibly remote, networked) system automatically or to provide some other form of
more highly privileged access to the target system.
1.2 Characteristics:
The following are some of the characteristics of Viruses:
1) Size - The program code required for a computer virus is very small.
2) Versatility - Computer viruses have appeared with the ability to generically attack a
wide variety of applications.
3) Propagation - Once a computer virus has infected a program, while this program is
running, the virus is able to spread to other programs and files accessible to the computer
system.
4) Effectiveness - Many of the computer viruses have far-reaching and catastrophic
effects on their victims, including total loss of data, programs, and even the operating
systems.
5) Functionality - A wide variety of functions has been demonstrated in virus programs.
Some virus programs merely spread themselves to applications without attacking data files,
program functions, or operating system activities. Other viruses are programmed to damage
or delete files, and even to destroy systems.
6) Persistence - In many cases, especially in networked operations, eradication of viruses has
been complicated by the ability of a virus program to repeatedly spread and reoccur through the
networked system from a single copy.
CHAPTER 2
DETAILED DESCRIPTION
2.1 Malicious Code Environments
It is important to know about the particular execution environments in order to understand
computer viruses. A successful penetration of a system by viral code occurs only if the
various dependencies of the malicious code match a potential environment. The following are
some of the various malicious code environments:
1) Computer Architecture Dependency
2) CPU Dependency
3) Operating System Dependency and Operating System version Dependency
4) File System Dependency
5) File Form Dependency
6) Interpreted Environment Dependency
7) Vulnerability Dependency
8) Date and Time Dependency
9) Just-In-Time Dependency
10) Archive Format Dependency
11) File Format Extension Dependency
12) Network Protocol Dependency
13) Source Code Dependency
14) Self Contained Environment Dependency
2.2 Virus/Worm types overview
These are the main categories of viruses and worms:
1) Binary File Virus and Worm – File viruses infect executable (program) files. They
are able to infect over networks. Normally these are written in machine code. File worms are
also written in machine code, but instead of infecting other files, worms focus on spreading to
other machines.
2) Binary Stream Worms – Stream worms are a group of network spreading worms
that never manifest as files. Instead, they will travel from computer to computer as just pieces
of code that exist only in memory.
3) Script File Virus and Worm – A script virus is technically a file virus, but script
viruses are written as human-readable text. Since computers cannot understand text
instructions directly, the text first has to be translated from text to machine code. This process
is called "interpretation", and is performed by separate programs on the computer.
4) Macro Virus – Macro viruses infect data files, or files that are normally perceived as
data files, like documents and spreadsheets. Just about anything that we can do with ordinary
programs on a computer we can do with macro instructions. Macro viruses are more common
nowadays. These can infect over the network.
VIRUS STRUCTURE (pseudocode):
program V :=
  {goto main;
   1234567;
   subroutine infect-executable :=
     {loop:
        file := get-random-executable-file;
        if (first-line-of-file = 1234567) then goto loop
        else prepend V to file;}
   subroutine do-damage := {whatever damage is to be done}
   subroutine trigger-pulled := {return true if condition holds}
   main: main-program :=
     {infect-executable;
      if trigger-pulled then do-damage;
      goto next;}
   next:
  }
5) Boot Virus – The first known successful computer viruses were boot sector viruses.
Today these are rarely used. They infect the boot sectors of hard drives and floppy disks and are
not dependent on the actual operating system installed. They are not able to infect
over networks. They take over the boot process of personal computers: because most computers
don't contain an operating system in their read-only memory (ROM), they need to load the
system from somewhere else, such as from a disk or from the network (via a network
adapter).
6) Multipartite Viruses – Multipartite viruses infect both executable files and boot
sectors, or executable and data files. They are not able to infect over networks.
CHAPTER 3
FILE INFECTION TECHNIQUES OF VIRUSES
The following are the common strategies that virus writers have used over the years to
invade new host systems:
3.1 Overwriting Viruses
These locate another file on the disk and overwrite it with their own copy. This is the
easiest approach, and such viruses can do great damage when they overwrite all the files in the
system. Infected files cannot be disinfected; they must be deleted and
restored from backups. These viruses don't change the size of the host.
Figure 3.1. An overwriting virus infection.
Well-Known Overwriting Viruses
Grog.377 - Known as a non-memory-resident virus, it examines a random sector of a hard
disk in search of special instructions. If such instructions exist, it overwrites that part of the sector
with malicious code. When launched, the infection can inflict considerable damage on the
system BIOS and prevent the computer from booting up.
Grog.202/456 - Two of the most dangerous overwriting viruses. They seek out .COM files
in the current directory, quickly deleting and replacing their content with malicious code. If no
.COM files are found in that particular directory, the Grog virus dials a random phone
number over the user's modem in search of interconnected network computers. Both of these
infections are also considered non-memory-resident overwriting viruses.
Loveletter - Perhaps the most complex overwriting virus. Like other variants, its main
intent is to seek out files and overwrite them with malicious code. What makes this virus
different is that it acts as a file infector, an email worm and a Trojan horse capable of
downloading other types of malware.
Overwriting viruses were initially deployed because of their effectiveness: a way for the
infection to infuse itself into an innocent file. This corrupts the original file in such a way
that it can't be disinfected. Many of them are able to escape the scanner of an anti-virus
program, because the size of the victim file is unchanged and the alteration goes unnoticed.
While they were very effective, most malicious code authors do not write this type of virus
anymore. Many tend to focus on tempting users with genuine Trojan horses and distributing
malware via email. At the same time, you must keep your computer protected from all
probable threats at all times. Your best bet is to install a quality anti-virus program
and conduct frequent scans for suspicious activity.
3.2 Random Overwriting Viruses
This is another rare variation of the overwriting method. It does not change the code at
the top of the file, but chooses a random location in the host program and overwrites that
location. In this case it is possible that the virus code never gets control during
execution. In both cases, the host program is lost during the virus attack, and often crashes
before the virus code executes.
Figure 3.2. A random overwriter virus.
3.3 Appending Viruses
In this technique the virus code is appended to the end of the program, and the first
instruction of the program is changed to a jump or call instruction that points to the
starting address of the viral code.
Figure 3.3. A typical DOS COM appender virus.
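Seen from the scanner's side, the appender layout just described leaves a simple trace: a .COM file that starts with a near JMP (opcode E9) whose target lies in the tail of the file. The following added example (not code from the paper) implements that classic heuristic check. The three sample images are constructed, inert byte strings rather than real programs, and TAIL_FRACTION is an assumed tuning value.

```python
import struct

# Heuristic tuning (assumption): flag a leading JMP whose target lies in the last
# quarter of the image. Legitimate .COM programs usually jump only a short way
# past a small data area, so a jump into the tail is suspicious, not proof.
TAIL_FRACTION = 0.25


def com_entry_target(image: bytes):
    """Return the file offset a leading near JMP (E9 rel16) transfers control to.

    A .COM image is executed from its first byte, so the displacement, which is
    relative to the byte following the 3-byte instruction, maps directly onto a
    file offset. Returns None when the image does not start with E9.
    """
    if len(image) < 3 or image[0] != 0xE9:
        return None
    rel = struct.unpack_from("<h", image, 1)[0]   # signed 16-bit displacement
    return (3 + rel) & 0xFFFF


def looks_like_appender(image: bytes) -> bool:
    """True when control is immediately transferred into the tail of the image."""
    target = com_entry_target(image)
    if target is None or target >= len(image):
        return False
    return target >= int(len(image) * (1 - TAIL_FRACTION))


def make_jmp(target_offset: int) -> bytes:
    """Encode E9 rel16 so that execution continues at target_offset (sample builder)."""
    return b"\xE9" + struct.pack("<h", target_offset - 3)


# Constructed samples (filler bytes only, not executable programs):
# 1. a program that does not start with a jump
CLEAN_NO_JMP = b"\xB4\x09" + b"\x90" * 198
# 2. a program that jumps a short distance over a 16-byte data area
CLEAN_SHORT_JMP = make_jmp(19) + b"\x00" * 16 + b"\x90" * 181
# 3. a 1200-byte host whose first instruction now jumps to offset 1000, where
#    200 bytes sit after the original end: the shape of an appender infection
INFECTED_SHAPE = make_jmp(1000) + b"\x90" * 997 + b"\xCC" * 200


def scan_samples() -> dict:
    """Apply the heuristic to the constructed samples."""
    return {
        "no_jmp": looks_like_appender(CLEAN_NO_JMP),
        "short_jmp": looks_like_appender(CLEAN_SHORT_JMP),
        "appender": looks_like_appender(INFECTED_SHAPE),
    }


if __name__ == "__main__":
    for name, flagged in scan_samples().items():
        print(f"{name}: {'suspicious' if flagged else 'ok'}")
```

Because a legitimately compiled program may also begin with a long jump, a hit from this check is a reason to look closer (size change against a baseline, signature scan of the tail), not a verdict on its own.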
3.4 Prepending Viruses
A common virus infection technique uses the principle of inserting virus code at the
front of host programs. Such viruses are called prepending viruses. This is a simple infection
technique and is often successful. Virus writers have written many viruses of this kind for various
operating systems, causing major outbreaks on many of them.
Figure 3.4. A typical prepender virus.
3.5 Classical Parasitic Virus
This is a variation of the prepender technique. These viruses overwrite the top portion of the
program with virus code, and the original top portion is copied to the end of the program.
Figure 4.8. A classic parasitic virus.
3.6 Cavity Viruses
These typically don't increase the size of the program they infect. Instead they
overwrite a part of the file that can be used to store the virus code safely. Normally these
overwrite areas of binary files that contain only zeros. These are often slow spreaders on
DOS systems.
Figure 3.6. A cavity virus injects itself into a cave of the host.
3.7 Compressing Viruses
This is a special technique in which the content of the host program is compressed.
Compressor viruses are sometimes beneficial, because such a virus might compress the
infected program to a much shorter size, saving disk space.
Figure 3.7. A compressor virus.
3.8 Amoeba Infection Technique
This is a rarely seen infection technique in which the head part of the viral code is
stored at the beginning of the host program and the tail part is stored after the end of the host
program.
Figure 3.8. The Amoeba infection method.
CHAPTER 4
STEPS IN WORM PROPAGATION
Each worm has a few essential components, such as a target locator and an infection propagation
module, and a couple of non-essential modules, such as remote control, an update interface, a life-
cycle manager, and payloads.
4.1 Target Locator:
For a worm to propagate, it must first discover the existence of a machine. There are
many techniques by which a worm can discover new machines to exploit. They are:
a) Scanning: This entails probing a set of addresses to identify vulnerable hosts. Two
simple forms of scanning are sequential scanning (working through an address block using an
ordered set of addresses) and random scanning (trying addresses out of a block in a pseudo-
random fashion).
b) Pre-generated Target Lists: An attacker could obtain a target list in advance,
creating a "hit-list" of probable victims with good network connections. This list is
created well before the release of the worm. Some scanning techniques look only for
particular criteria, such as the operating system the machine is running, which
servers are running, and the version of the operating system. Stealthy scans, distributed
scanning, DNS searches, simply listening, and public surveys such as the
Netcraft Survey can all serve this purpose.
c) Externally Generated Target Lists: An externally generated list is one which is
maintained by a separate server, such as a matchmaking service's metaserver. This can also
be used to speed up worm propagation. Such a worm has not yet been seen in the wild.
d) Internal Target Lists: Many applications contain information about other hosts
providing vulnerable services. Such target lists can be used to create 'topological' worms,
where the worm searches the local information to find new victims by discovering
the local communication topology.
e) Passive: These do not seek out victim machines. Instead, they either wait for potential
victims to contact the worm or rely on user behaviour to discover new targets. Although
potentially slow, these worms produce no anomalous traffic patterns during target
discovery, which potentially makes them highly stealthy.
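The scanning locators in (a) are the ones a network defender can see: one source address touches many distinct destinations in a short time, either walking an address block in order or hopping around it. The following added example (not part of the paper) runs that detection over a handful of constructed flow records and labels each burst as sequential or random; the threshold and window are assumptions to tune for a real network.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Detection thresholds (assumptions): a source that reaches this many distinct
# destinations inside the window is treated as a target locator at work.
DISTINCT_DST_THRESHOLD = 8
WINDOW_SECONDS = 60

# Constructed flow records: timestamp source destination dport proto.
# 10.0.0.7 is ordinary traffic, 10.0.0.5 walks 192.168.1.0/24 in order,
# 10.0.0.9 hops around 172.16.0.0/16.
SAMPLE_FLOWS = """\
2003-01-25T05:30:00Z 10.0.0.7 192.168.1.20 80 tcp
2003-01-25T05:30:00Z 10.0.0.5 192.168.1.1 1434 udp
2003-01-25T05:30:01Z 10.0.0.5 192.168.1.2 1434 udp
2003-01-25T05:30:02Z 10.0.0.5 192.168.1.3 1434 udp
2003-01-25T05:30:03Z 10.0.0.5 192.168.1.4 1434 udp
2003-01-25T05:30:04Z 10.0.0.5 192.168.1.5 1434 udp
2003-01-25T05:30:05Z 10.0.0.5 192.168.1.6 1434 udp
2003-01-25T05:30:06Z 10.0.0.5 192.168.1.7 1434 udp
2003-01-25T05:30:07Z 10.0.0.5 192.168.1.8 1434 udp
2003-01-25T05:30:30Z 10.0.0.7 192.168.1.20 80 tcp
2003-01-25T05:31:00Z 10.0.0.9 172.16.3.77 445 tcp
2003-01-25T05:31:01Z 10.0.0.9 172.16.9.2 445 tcp
2003-01-25T05:31:02Z 10.0.0.9 172.16.40.130 445 tcp
2003-01-25T05:31:03Z 10.0.0.9 172.16.1.250 445 tcp
2003-01-25T05:31:04Z 10.0.0.9 172.16.88.14 445 tcp
2003-01-25T05:31:05Z 10.0.0.9 172.16.5.61 445 tcp
2003-01-25T05:31:06Z 10.0.0.9 172.16.200.3 445 tcp
2003-01-25T05:31:07Z 10.0.0.9 172.16.17.99 445 tcp
2003-01-25T05:32:00Z 10.0.0.7 192.168.1.21 443 tcp
"""


def parse_flow(line: str):
    """Split one record into (time, src, dst, dport, proto)."""
    ts, src, dst, dport, proto = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, dst, int(dport), proto


def classify_targets(dsts) -> str:
    """Sequential scanning walks an ordered block; anything else is treated as random."""
    nums = sorted(int(ipaddress.ip_address(d)) for d in dsts)
    if all(b - a == 1 for a, b in zip(nums, nums[1:])):
        return "sequential"
    return "random"


def detect_scanners(flow_text: str) -> dict:
    """Return {source: scan pattern} for every source that trips the threshold."""
    flows = sorted((parse_flow(l) for l in flow_text.splitlines() if l.strip()),
                   key=lambda f: f[0])
    by_src = defaultdict(list)
    for f in flows:
        by_src[f[1]].append(f)
    alerts = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most WINDOW_SECONDS
            while (events[end][0] - events[start][0]).total_seconds() > WINDOW_SECONDS:
                start += 1
            dsts = {f[2] for f in events[start:end + 1]}
            if len(dsts) >= DISTINCT_DST_THRESHOLD:
                alerts[src] = classify_targets(dsts)
                break
    return alerts


if __name__ == "__main__":
    for src, pattern in detect_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {pattern} scan")
```

This catches only the locators that generate a burst of probes. A hit-list, topological or passive locator (b through e) produces no such burst, which is exactly why the text calls those forms stealthy; they need host-side or application-level evidence instead.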
4.2 Infection Propagator:
This is the strategy the worm uses to transfer itself to a new node and gain
control of the remote machine. Most worms assume that the target runs a particular kind of Windows
machine and send a worm body compatible with such a system.
4.3 Remote Control and Update Interface:
Another important component of a worm is remote control through a communication
module. Without such a module, the worm's author cannot control the worm network by
sending control messages to the worm copies. Such remote control can allow the attacker to
use the worm as a DDoS (distributed denial of service) tool, turning the zombie network against
several unknown targets. The attacker is interested in changing the behaviour of the worm and
even sending new infection strategies to as many compromised nodes as possible.
4.4 Life-Cycle Manager:
Some writers prefer to run a version of a computer worm for a preset period of time.
On the other hand, many worms have bugs in their life-cycle manager component and
continue to run without ever stopping.
4.5 Payload:
This is an optional but common component of a worm. An increasingly popular payload
is a DDoS attack against a particular website. Such payloads can use the compromised systems as a
"supercomputer". Recently it has become popular to install an SMTP (Simple Mail Transfer
Protocol) spam relay as the payload of a worm.
4.6 Self-Tracking:
Many virus authors are interested in seeing how many machines the virus can infect,
and they also want others to be able to track the path of the virus infections.
CHAPTER 5
Identification methods
One of the few solid theoretical results in the study of computer viruses is Frederick B.
Cohen's 1987 demonstration that there is no algorithm that can perfectly detect all possible
viruses. The proof relies on the "infect" and "spread" abilities of computer viruses. While
common, the "infect" and "spread" abilities of a piece of code, which together create the "replicate"
ability, are not necessarily present in malware. "Computer virus", in its recent meaning,
and "malware" are overlapping terms, but not synonymous. The difference is between code
with the ability to "infect" and "spread" and code with a malicious purpose.
There are several methods which antivirus software can use to identify malware.
Signature based detection is the most common method. To identify viruses and other
malware, antivirus software compares the contents of a file to a dictionary of virus signatures.
Because viruses can embed themselves in existing files, the entire file is searched, not just as
a whole, but also in pieces.[16]
Heuristic-based detection, like malicious activity detection, can be used to identify
unknown viruses.
File emulation is another heuristic approach. File emulation involves executing a program in
a virtual environment and logging what actions the program performs. Depending on the
actions logged, the antivirus software can determine if the program is malicious or not and
then carry out the appropriate disinfection actions.
5.1 Signature-based detection:
Traditionally, antivirus software heavily relied upon signatures to identify malware.
This can be very effective, but cannot defend against malware unless samples have already
been obtained and signatures created. Because of this, signature-based approaches are not
effective against new, unknown viruses.
As new viruses are being created each day, the signature-based detection approach requires
frequent updates of the virus signature dictionary. To assist the antivirus software companies,
the software may allow the user to upload new viruses or variants to the company, allowing
the virus to be analyzed and the signature added to the dictionary. Signatures are obtained by
human experts using reverse engineering. An example of software used in reverse
engineering is the Interactive Disassembler. Such software does not implement antivirus
protection, but facilitates human analysis.
Although the signature-based approach can effectively contain virus outbreaks, virus authors
have tried to stay a step ahead of such software by writing "oligomorphic", "polymorphic"
and, more recently, "metamorphic" viruses, which encrypt parts of themselves or otherwise
modify themselves as a method of disguise, so as to not match virus signatures in the
dictionary.
5.2 Heuristics:
Some more sophisticated antivirus software uses heuristic analysis to identify new
malware or variants of known malware.
Many viruses start as a single infection and through either mutation or refinements by other
attackers, can grow into dozens of slightly different strains, called variants. Generic detection
refers to the detection and removal of multiple threats using a single virus definition.
For example, the Vundo trojan has several family members, depending on the antivirus
vendor's classification. Symantec classifies members of the Vundo family into two distinct
categories, Trojan.Vundo and Trojan.Vundo.B.
While it may be advantageous to identify a specific virus, it can be quicker to detect a virus
family through a generic signature or through an inexact match to an existing signature. Virus
researchers find common areas that all viruses in a family share uniquely and can thus create
a single generic signature. These signatures often contain non-contiguous code, using
wildcard characters where differences lie. These wildcards allow the scanner to detect viruses
even if they are padded with extra, meaningless code. A detection that uses this method is
said to be "heuristic detection."
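To make the generic-signature idea concrete, here is an added example (not code from the paper or from any vendor) of a small scanner whose signatures are hex byte patterns with "??" marking a one-byte wildcard where family members differ. It also shows the piece-wise scanning mentioned in the overview above, and the failure mode a piece-wise scanner must handle: a signature that straddles two pieces. The signature, the two "family members" and the benign buffer are all constructed.

```python
import re

# Constructed signature dictionary. Patterns are hex bytes; "??" is a one-byte
# wildcard standing for a position that varies between members of a family.
SIGNATURES = {
    "Example.Family": "e9 ?? ?? 90 90 b8 ?? 4c cd 21",
}


def compile_signature(hex_pattern: str):
    """Turn a wildcard hex pattern into a compiled bytes regex plus its fixed length."""
    parts = hex_pattern.split()
    regex = b"".join(b"." if p == "??" else re.escape(bytes([int(p, 16)]))
                     for p in parts)
    return re.compile(regex, re.DOTALL), len(parts)


COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}
MAX_SIG_LEN = max(length for _, length in COMPILED.values())


def scan_bytes(data: bytes) -> list:
    """Names of every signature found anywhere in data (whole-buffer scan)."""
    return sorted(name for name, (rx, _) in COMPILED.items() if rx.search(data))


def scan_chunks(chunks) -> list:
    """Scan a file delivered in pieces without missing a match across a boundary.

    The last MAX_SIG_LEN - 1 bytes of each piece are carried over and prefixed
    to the next one, so a signature split between two pieces is still seen whole.
    """
    hits = set()
    carry = b""
    for chunk in chunks:
        buf = carry + chunk
        hits.update(scan_bytes(buf))
        carry = buf[-(MAX_SIG_LEN - 1):] if MAX_SIG_LEN > 1 else b""
    return sorted(hits)


def scan_chunks_naive(chunks) -> list:
    """The same scan without carry-over: misses any signature split across a boundary."""
    hits = set()
    for chunk in chunks:
        hits.update(scan_bytes(chunk))
    return sorted(hits)


# Constructed samples: a benign buffer, and two family members that differ only at
# the wildcard positions (jump displacement and AL value), embedded in filler.
BENIGN = bytes(range(256)) * 2
VARIANT_A = b"\x00" * 100 + bytes.fromhex("e9 34 12 90 90 b8 00 4c cd 21") + b"\xff" * 50
VARIANT_B = b"\x00" * 100 + bytes.fromhex("e9 78 56 90 90 b8 01 4c cd 21") + b"\xff" * 50
# Split VARIANT_A in the middle of the signature to exercise the boundary case.
SPLIT_VARIANT_A = [VARIANT_A[:105], VARIANT_A[105:]]


if __name__ == "__main__":
    print("benign:", scan_bytes(BENIGN))
    print("variant A:", scan_bytes(VARIANT_A), "variant B:", scan_bytes(VARIANT_B))
    print("split, with overlap:", scan_chunks(SPLIT_VARIANT_A))
    print("split, naive:", scan_chunks_naive(SPLIT_VARIANT_A))
```

A fixed-length wildcard covers variants that change a few bytes in place; variants that insert padding of varying length need a gap operator or the emulation-based approach the text goes on to describe.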
Variants of viruses are referred to with terminology such as "oligomorphic", "polymorphic"
and "metamorphic", where the differences between specific variants of the same virus are
significantly high. In such cases, there are dedicated statistical analysis-based algorithms,
implemented in the "real time" protection, which analyse software behaviour. This approach
is not absolutely exact and results in higher resource usage on the computer. Since
"oligomorphic", "polymorphic" and "metamorphic" engine development is difficult and the
resulting code is relatively large (although such cases are very rare),
this approach can be used with a relatively high success rate. This approach may require human
ingenuity in the design of the algorithm.
If the antivirus software employs heuristic detection, success depends on achieving the right
balance between false positives and false negatives. Because of the possibility of
false positives and false negatives, the identification process is subject to human assistance,
which may include user decisions, but also analysis by an expert at the antivirus software
company.
5.3 Rootkit detection:
Anti-virus software can attempt to scan for rootkits; a rootkit is a type of malware that is
designed to gain administrative-level control over a computer system without being detected.
Rootkits can change how the operating system functions and in some cases can tamper with
the anti-virus program and render it ineffective. Rootkits are also difficult to remove, in some
cases requiring a complete re-installation of the operating system.
5.4 Malware detection and removal:
5.4.1 Method 1:
The most popular approach to this requirement is to install an antivirus program and to keep
it current. As new viruses are detected on a daily basis, the signatures and heuristic methods
need to be updated very regularly. For this reason, modern antivirus programs
generally include facilities to update themselves automatically over a network connection
whenever new virus signatures and heuristics become available.
5.4.2 Method 2:
Platforms which are not themselves thought to be vulnerable to viruses, but which are used to
distribute content that may include viruses (e.g. via email between Windows users), must
also scan for viruses to avoid becoming part of the problem. But the number of known virus
signatures continues to increase, so even with the ClamAV antivirus package, which is open
source and freely installable, growing memory demands are making this job increasingly
expensive. The next slide shows how many virus signatures exist and how much memory
these occupy as of November 2008.
5.4.3 Other countermeasures:
One approach involves stopping a system from running and mounting its hard disk
using another operating system, booted using trusted media. Tools can be run on the trusted
system to detect suspicious changes to files on the system being scanned. This is considered
more reliable than running antivirus software directly on the system which might have been
compromised and where the results of the antivirus scan may also have been compromised by
an unknown virus.
The trusted scanning system might also store a set of hash signatures or checksums of files
which the virus might modify and test if any executable or registry tables have been
modified.
CHAPTER 6
Virus prevention
6.1 Antivirus or anti-virus software:
It is used to prevent, detect, and remove malware, including but not limited to
computer viruses, computer worms, Trojan horses, spyware and adware. Computer security,
including protection from social engineering techniques, is commonly offered in the products and
services of antivirus software companies. This chapter discusses the software used for the
prevention and removal of malware threats, rather than computer security implemented by
other software methods.
An example of free antivirus software: ClamTk 3.08.
A variety of strategies are typically employed. Signature-based detection involves
searching for known patterns of data within executable code. However, it is possible for a
computer to be infected with new malware for which no signature is yet known. To counter
such so-called zero-day threats, heuristics can be used. One type of heuristic approach,
generic signatures, can identify new viruses or variants of existing viruses by looking for
known malicious code, or slight variations of such code, in files. Some antivirus software can
also predict what a file will do by running it in a sandbox and analyzing what it does to see if
it performs any malicious actions.
6.2 Generations of antivirus software:
First generation (simple scanners): the scanner uses a virus signature to identify a virus, or looks for a change
in the length of programs.
Second generation (heuristic scanners): uses heuristic rules to spot a viral infection, or uses a
cryptographic hash of a program to spot changes.
Third generation (activity traps): memory-resident programs identify a virus by its actions.
Fourth generation (full-featured protection): packages combining a variety of antivirus
techniques, e.g. scanning and activity traps, together with access-control capability.
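The second-generation "cryptographic hash of a program to spot changes" above, and the trusted-media scan of section 5.4.3 that keeps hash signatures of files a virus might modify, are the same mechanism: snapshot a baseline, then diff. The following added example (not code from the paper) builds such a baseline with SHA-256, tampers with a constructed directory tree in four ways, and classifies the results. It separates out the same-size overwrite, the case the first-generation length check cannot see. The tree and its contents are constructed; the baseline would normally be taken from, and stored on, trusted media.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in blocks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file's path (relative to root) to its (size, SHA-256)."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        baseline[path.relative_to(root).as_posix()] = (path.stat().st_size,
                                                       file_digest(path))
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences; 'modified_same_size' is what a length check alone misses."""
    report = {"added": [], "removed": [], "modified": [], "modified_same_size": []}
    for name, (size, digest) in current.items():
        if name not in baseline:
            report["added"].append(name)
        elif baseline[name][1] != digest:
            key = "modified_same_size" if baseline[name][0] == size else "modified"
            report[key].append(name)
    report["removed"] = [n for n in baseline if n not in current]
    for key in report:
        report[key].sort()
    return report


def demo() -> dict:
    """Build a constructed tree, snapshot it, tamper with it, and diff the snapshots."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "hello.com").write_bytes(b"\xB4\x09" + b"\x90" * 62)
        (root / "bin" / "tool.exe").write_bytes(b"MZ" + b"\x00" * 126)
        (root / "readme.txt").write_bytes(b"clean system\n")
        before = build_baseline(root)

        # Constructed changes: a same-size overwrite of the first bytes (the overwriting
        # and cavity patterns), an append (the appender pattern), a new file, a deletion.
        (root / "bin" / "hello.com").write_bytes(b"\xE9\x10\x00" + b"\x90" * 61)
        with (root / "bin" / "tool.exe").open("ab") as fh:
            fh.write(b"\xCC" * 32)
        (root / "bin" / "dropper.exe").write_bytes(b"MZ" + b"\xCC" * 30)
        (root / "readme.txt").unlink()
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

The comparison is only as trustworthy as the baseline's storage and the system doing the hashing, which is why section 5.4.3 has the scan run from a separately booted, trusted operating system rather than from the possibly compromised one.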
6.3 Advanced antivirus techniques:
1. Generic Decryption: enables the antivirus program to detect even the most complex
polymorphic viruses. Every executable file is run through the GD scanner, which has a CPU
emulator, a virus signature scanner and an emulation control module.
2. Digital Immune System: developed by IBM to address threats in a network.
Integrated mail systems
Mobile program systems
6.4 Other Technologies:
No matter how useful antivirus software can be, it can sometimes have drawbacks.
Antivirus software can impair a computer's performance. Inexperienced users may also have
trouble understanding the prompts and decisions that antivirus software presents them with.
An incorrect decision may lead to a security breach. If the antivirus software employs
heuristic detection, success depends on achieving the right balance between false positives
and false negatives. False positives can be as destructive as false negatives. Finally, antivirus
software generally runs at the highly trusted kernel level of the operating system, creating a
potential avenue of attack.
Installed antivirus software running on an individual computer is only one method of
guarding against viruses. Other methods are also used, including cloud-based antivirus,
firewalls and on-line scanners.
6.4.1 Cloud antivirus:
Cloud antivirus is a technology that uses lightweight agent software on the protected
computer, while offloading the majority of data analysis to the provider's infrastructure.
One approach to implementing cloud antivirus involves scanning suspicious files using
multiple antivirus engines. This approach was proposed by an early implementation of the
cloud antivirus concept called CloudAV. CloudAV was designed to send programs or
documents to a network cloud where multiple antivirus and behavioral detection programs
are used simultaneously in order to improve detection rates. Parallel scanning of files using
potentially incompatible antivirus scanners is achieved by spawning a virtual machine per
detection engine, which eliminates any compatibility issues between them. CloudAV can also perform
"retrospective detection," whereby the cloud detection engine rescans all files in its file
access history when a new threat is identified thus improving new threat detection speed.
Finally, CloudAV is a solution for effective virus scanning on devices that lack the
computing power to perform the scans themselves.
6.4.2 Network firewall:
Network firewalls prevent unknown programs and processes from accessing the system.
However, they are not antivirus systems and make no attempt to identify or remove anything.
They may protect against infection from outside the protected computer or network, and limit
the activity of any malicious software which is present, by blocking incoming or outgoing
requests on certain TCP/IP ports. A firewall is designed to deal with broader system threats
that arrive over network connections into the system and is not an alternative to a virus
protection system: a worm that enters on a port the firewall permits, or from a host already
inside the perimeter, is not stopped by it.
An illustration of where a firewall would be located in a network.
6.4.3 Online scanning:
Some antivirus vendors maintain websites with free online scanning of the entire computer,
critical areas only, local disks, folders or files. Periodic online scanning is a good idea
even for those who run antivirus applications on their computers, because installed
applications are frequently slow to catch new threats. One of the first things that malicious
software does in an attack is to disable any existing antivirus software, and sometimes the
only way to learn of an attack is to turn to an online resource whose engine and signatures are
not stored on the infected computer. Note that a scanner which still executes on the
compromised host can itself be deceived by a rootkit running there.
Using rkhunter to scan for rootkits on an Ubuntu Linux computer.
6.4.4 Specialist tools:
Virus removal tools are available to help remove stubborn infections or certain types
of infection. Examples include Trend Micro's Rootkit Buster and rkhunter for the detection
of rootkits, Avira's AntiVir Removal Tool, PCTools Threat Removal Tool, and AVG's Anti-Virus
Free 2011.
A rescue disk that is bootable, such as a CD or USB storage device, can be used to run
antivirus software outside of the installed operating system, in order to remove infections
while they are dormant. A bootable antivirus disk can be useful when, for example, the
installed operating system is no longer bootable or has malware that is resisting all attempts
to be removed by the installed antivirus software.
CHAPTER 7
CASE STUDIES
7.1 Slammer Worm
The Slammer worm, sometimes called Sapphire, was the fastest-spreading computer worm
seen up to that time. It began propagating on January 25, 2003 and infected more than
90 percent of vulnerable hosts within 10 minutes, its infected population doubling roughly
every 8.5 seconds, causing significant disruption to financial, transportation and government
institutions and precluding any human-based response. The analysis below follows Moore et
al. [5].
1) Vulnerability: Microsoft SQL Server 2000 and Microsoft SQL Server Desktop Engine
(MSDE) 2000 exhibit two buffer overrun vulnerabilities in the SQL Server Resolution Service
(Microsoft bulletin MS02-039), one on the stack and one on the heap, that can be exploited by a
remote attacker without ever having to authenticate to the server. Slammer uses the
stack-based overrun.
2) Target Selection: It selects target IP addresses by random scanning, so vulnerable
systems are hit by chance. Random-scanning worms initially spread exponentially, because
almost every scan reaches an uninfected vulnerable host; later infection slows, as a growing
share of scans hits addresses that are already infected or immune (patched or unreachable).
Slammer is bandwidth-limited, in contrast to Code Red, which is latency-limited: Code Red had
to wait for a TCP handshake with each target, whereas Slammer fires its single UDP packet and
moves on, so its scan rate is bounded only by the link bandwidth of the infected host.
3) Infection Propagator: It carries only 376 bytes of code, containing a simple, fast
scanner; with the UDP and IP headers the packet totals 404 bytes. Because it uses UDP for
propagation, the entire worm fits in a single datagram, sent to port 1434. It does not write
itself to disk: it exists only as network packets and in the memory of the running SQL Server
process on infected computers, so a reboot removes it until the host is reinfected.
4) Payload: Slammer carries no additional malicious content such as a backdoor. Its
damage comes entirely from the speed at which it scans and re-infects: the flood of scan
packets saturates links and creates a denial of service on the networks it passes through.
5) Network Propagation: When the SQL server receives the malicious request, the
overrun of the server's buffer allows the worm code to be executed. Once the worm is running
on the vulnerable system, it first obtains the addresses of the Windows functions it needs,
then enters an infinite loop scanning for other vulnerable hosts on the Internet. Each
iteration runs a pseudo-random number generator, seeded from the GetTickCount() value, to
produce the IP address used as the next target, thereby spreading further into the network
and infecting vulnerable machines. The worm does not check whether another instance is
already running on the system. The damage could have been far greater had it carried any
malicious payload. The worm's author also made mistakes. The pseudo-random number generator
is the linear congruential generator
x' = (x * 214013 + 2531011) mod 2^32,
but the author substituted a different value for the increment 2531011: hex 0xFFD9613C. This
value is equivalent to -2531012 when interpreted as a two's-complement decimal, so the
generator the worm actually uses is x' = (x * 214013 - 2531012) mod 2^32, which, having an even
increment, can no longer cycle through all 32-bit values.
6) Prevention: Slammer can be blocked by a firewall that drops UDP traffic to port 1434,
since the worm spreads only through that port. The patch for the vulnerability (MS02-039) had
been available for six months before the outbreak; applying it removes the flaw rather than
merely hiding it, and a firewall rule alone does not protect against an infected host that is
already inside the perimeter.
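The generator bug described in step 5 can be checked directly. The following is an added example, not code from the original paper or from the worm: it implements the intended linear congruential generator and the one the worm shipped with, applies the Hull-Dobell full-period test for a modulus of 2^32, and measures which state bits never change. It assumes that the 32-bit generator state is used directly as the next target address (the page does not describe the mapping), which is what turns frozen bits into addresses a given instance can never scan; the seed value is constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Slammer's own code. Slammer's target generator is the
 * linear congruential generator x' = (x*214013 + 2531011) mod 2^32; the worm
 * shipped with the increment replaced by 0xFFD9613C (-2531012 as a signed
 * 32-bit value). The generator state is assumed here to be the next target
 * address, which is how the example turns "frozen bits" into unreachable hosts. */
#define LCG_MULT        214013u
#define LCG_INC_CORRECT 2531011u
#define LCG_INC_SLAMMER 0xFFD9613Cu

/* One generator step; unsigned 32-bit arithmetic supplies the mod 2^32. */
uint32_t lcg_step(uint32_t x, uint32_t a, uint32_t c)
{
    return x * a + c;
}

/* Hull-Dobell condition for modulus 2^32: the generator visits every 32-bit
 * value exactly once per cycle iff the increment is odd and a == 1 (mod 4).
 * The substituted increment is even, so the shipped generator fails it. */
bool lcg_full_period(uint32_t a, uint32_t c)
{
    return (c & 1u) == 1u && (a & 3u) == 1u;
}

/* Run the generator for `steps` iterations from `seed` and return the mask of
 * state bits that never changed. Because 214013 == 1 (mod 4) and 0xFFD9613C
 * == 0 (mod 4), x' == x (mod 4) on every step of the shipped generator: its
 * two low bits are frozen whatever the seed, so at most a quarter of the
 * address space can ever be produced from one seed. */
uint32_t lcg_stuck_bits(uint32_t seed, uint32_t a, uint32_t c, unsigned steps)
{
    uint32_t x = seed, changed = 0;
    for (unsigned i = 0; i < steps; i++) {
        uint32_t next = lcg_step(x, a, c);
        changed |= next ^ x;
        x = next;
    }
    return ~changed;
}

/* Number of frozen bits n: from one seed the generator reaches at most
 * 2^(32 - n) of the 2^32 addresses, i.e. a 1/2^n share of the Internet. */
unsigned lcg_frozen_bit_count(uint32_t seed, uint32_t a, uint32_t c, unsigned steps)
{
    uint32_t m = lcg_stuck_bits(seed, a, c, steps);
    unsigned n = 0;
    for (; m; m >>= 1)
        n += m & 1u;
    return n;
}

int main(void)
{
    const uint32_t seed = 0x12345678u; /* constructed; the worm seeded from GetTickCount() */
    const unsigned steps = 1u << 16;
    printf("intended generator full period: %s\n",
           lcg_full_period(LCG_MULT, LCG_INC_CORRECT) ? "yes" : "no");
    printf("shipped generator full period:  %s\n",
           lcg_full_period(LCG_MULT, LCG_INC_SLAMMER) ? "yes" : "no");
    printf("frozen bits after %u steps: intended %u, shipped %u (mask 0x%08x)\n",
           steps,
           lcg_frozen_bit_count(seed, LCG_MULT, LCG_INC_CORRECT, steps),
           lcg_frozen_bit_count(seed, LCG_MULT, LCG_INC_SLAMMER, steps),
           (unsigned)lcg_stuck_bits(seed, LCG_MULT, LCG_INC_SLAMMER, steps));
    return 0;
}
```

The frozen-bit measurement is deliberately empirical rather than a period computation: with the intended increment the low 16 bits of the state cycle through all 65536 values within 65536 steps, so none of them can stay fixed, whereas the shipped increment pins the two low bits for every seed. Which further bits freeze depends on the seed, which is one reason the worm's coverage of the address space was uneven between instances.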
7.2 Blaster Worm
Blaster is a multi-stage worm first observed on August 11, 2003. It affected between
200,000 and 500,000 computers (see Dübendorfer et al. [6] for a flow-level analysis of the
outbreak).
1) Vulnerability: It exploited a remote procedure call (RPC) vulnerability in the DCOM
RPC interface of Microsoft Windows 2000 and Windows XP (Microsoft bulletin MS03-026), which
was made public in July 2003.
2) Initialization: When launched, the worm creates a mutex called "BILLY", used to
prevent multiple infections of the same machine, and sets a registry key which ensures that
it is started every time the system reboots.
3) Target Selection: In the initialization phase the worm decides which exploit to use:
the one for Windows XP with 80% probability, otherwise the one for Windows 2000. With 60%
probability it starts scanning from an IPv4 address of the form X.Y.Z.0 with X, Y and Z chosen
at random. With 40% probability an address of the form X.Y.Z1.0 is derived from the infected
computer's local address X.Y.Z.U: Z1 is set to Z unless Z is greater than 20, in which case a
random value less than 20 is subtracted from Z to obtain Z1. The destination IP address is
then incremented after each scan, so each infected host sweeps sequentially upward from its
starting point; the 40% local branch biases the sweep towards the infected host's own network.
4) Infection Propagator: The worm opens a TCP connection to port 135 of the destination;
if the connection is established, the exploit code is sent to the victim. If the machine is
vulnerable, the shellcode starts listening on TCP port 4444 and allows remote command
execution (on an unpatched Windows XP system the exploit also crashes the RPC service, which
makes the system reboot). The worm then initiates a TCP connection to port 4444 and, if
successful, sends a command instructing the victim to fetch the file msblast.exe with TFTP
(Trivial File Transfer Protocol, a minimal UDP-based relative of FTP) from the infecting
host. If TFTP requests to UDP port 69 are not blocked, the worm code is downloaded; the
infecting host stops its TFTP daemon after the transfer or after 20 seconds of inactivity. If
the download succeeds, the worm sends the command to run msblast.exe over the already open
TCP connection to port 4444 of the victim.
5) Payload: The packets of the RPC exploit step are 72 bytes for the RPC part, 1460
bytes for the "request" and a 244-byte TCP packet; with 40 to 48 bytes of TCP/IP headers per
packet this stage amounts to 1976 to 2016 bytes. The worm binary itself is 6176 bytes, which
with header overhead comes to 6592 bytes at the IP layer.
6) Prevention: Blaster can be blocked by a firewall that drops incoming traffic to TCP
port 135, TCP port 4444 and the TFTP port (UDP 69), and prevented by applying the operating
system patch for the RPC vulnerability (MS03-026). Blocking the ports stops the spread but
leaves the hosts vulnerable; only the patch removes the flaw.
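The target-selection rule in step 3 is easy to misread, so here it is as an added example (not Blaster's own code and not from the original paper). Addresses are host-order 32-bit integers, the random source is a caller-supplied callback so that each branch can be driven deterministically, and "a random value less than 20" is read as the range 0 to 19; the host address 10.20.30.5 and the scripted random values are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Blaster's own code: the target-selection rule from
 * step 3. Addresses are host-order 32-bit integers. The random source is a
 * callback so the behaviour can be scripted and checked; "a random value
 * less than 20" is read as 0..19 (an assumption). */
typedef uint32_t (*rng_fn)(void *ctx);

uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* 80% of instances use the Windows XP exploit, the rest the Windows 2000 one. */
int blaster_targets_xp(rng_fn rng, void *ctx)
{
    return rng(ctx) % 100 < 80;
}

/* The /24 from which the sweep starts: with 60% probability a random
 * X.Y.Z.0; otherwise the local X.Y.Z.0, with Z lowered by 0..19 when Z > 20,
 * which keeps the sweep close to (and usually just below) the local network. */
uint32_t blaster_start_block(uint32_t local_ip, rng_fn rng, void *ctx)
{
    if (rng(ctx) % 100 < 60) {
        unsigned x = rng(ctx) & 0xffu, y = rng(ctx) & 0xffu, z = rng(ctx) & 0xffu;
        return ip4(x, y, z, 0);
    }
    unsigned x = (local_ip >> 24) & 0xffu;
    unsigned y = (local_ip >> 16) & 0xffu;
    unsigned z = (local_ip >> 8) & 0xffu;
    if (z > 20)
        z -= rng(ctx) % 20;
    return ip4(x, y, z, 0);
}

/* Sequential sweep: the k-th scan after the start targets start + k, so one
 * infected host walks upward through consecutive addresses. */
uint32_t blaster_nth_target(uint32_t start, uint32_t k)
{
    return start + k;
}

/* Scripted random source: hands out fixed values in order (constructed). */
struct script { const uint32_t *vals; size_t n, pos; };

uint32_t scripted_rng(void *ctx)
{
    struct script *s = ctx;
    return s->vals[s->pos++ % s->n];
}

/* Scenarios, each returning the start block for one branch of the rule. */
uint32_t demo_local_branch(void)       /* 70 >= 60 -> local branch; Z=30 > 20, minus 7 */
{
    static const uint32_t vals[] = { 70, 7 };
    struct script s = { vals, 2, 0 };
    return blaster_start_block(ip4(10, 20, 30, 5), scripted_rng, &s);   /* 10.20.23.0 */
}

uint32_t demo_local_branch_low_z(void) /* local branch; Z=15 <= 20 is kept as is */
{
    static const uint32_t vals[] = { 99 };
    struct script s = { vals, 1, 0 };
    return blaster_start_block(ip4(10, 20, 15, 5), scripted_rng, &s);   /* 10.20.15.0 */
}

uint32_t demo_random_branch(void)      /* 10 < 60 -> random X.Y.Z.0 */
{
    static const uint32_t vals[] = { 10, 192, 168, 1 };
    struct script s = { vals, 4, 0 };
    return blaster_start_block(ip4(10, 20, 30, 5), scripted_rng, &s);   /* 192.168.1.0 */
}

static void print_ip(uint32_t ip)
{
    printf("%u.%u.%u.%u\n", (unsigned)(ip >> 24), (unsigned)((ip >> 16) & 0xffu),
           (unsigned)((ip >> 8) & 0xffu), (unsigned)(ip & 0xffu));
}

int main(void)
{
    uint32_t start = demo_local_branch();
    for (uint32_t k = 0; k < 4; k++)       /* first four targets of the sweep */
        print_ip(blaster_nth_target(start, k));
    print_ip(demo_local_branch_low_z());
    print_ip(demo_random_branch());
    return 0;
}
```

Seen from the defender's side, the local branch is why Blaster traffic inside a site looked like a slow, orderly walk through neighbouring /24s rather than random noise: an infected host at 10.20.30.5 starts somewhere between 10.20.11.0 and 10.20.30.0 and then counts upward through its own address space, which is a useful signature for flow-level detection.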
CONCLUSION
I have gone through the basic definitions of viruses and worms, then discussed the
different malicious-code environments. After that I discussed the different types of viruses
and worms, then in detail the various virus and worm propagation techniques, and then
prevention against viruses and worms. I have also looked into two case studies, of the Slammer
and Blaster worms. The ability of attackers to rapidly gain control of vast numbers of Internet
hosts poses an immense risk to the overall security of the Internet. Nowadays virus writers
concentrate more on writing worms, since worms can spread across the network in a few minutes.
Upcoming techniques in worm propagation, such as polymorphic worms, are a serious threat to
the Internet community. Worms can be written so that they affect only a particular region or
country, and there are worms which keep quiet for a specific amount of time and attack at
random times. Such worms can also be used to mount Distributed Denial of Service (DDoS)
attacks, which are a real threat to websites and network traffic.
Can a virus ever be good?
In biology, viruses enable potentially beneficial DNA to be transferred between
species. This is considered to be part of the optimisation of the evolutionary process. But it
is thought unlikely that anyone could benefit from computer viruses, other than through the
proceeds of crime which those who write and spread viruses might obtain.
The difference between a virus and another kind of program is that an ordinary program will
normally have the informed consent of the system owner before it can be installed. While
there is a similarity between an operating system which can create a copy of itself on
installation media and a virus, the OS that makes it easy for its users to copy it will do this
with the user's full knowledge and consent.
There is no situation in which taking away the end user's consent to perform an action is
considered likely to be of benefit.
REFERENCES
[1] P. Szor, The Art of Computer Virus Research and Defense. Harlow, England: Addison-Wesley
Professional, 2005.
[2] Norman ASA, The Norman Book on Computer Viruses, 2003.
[3] D. Xu, X. Li and X. F. Wang, "Mechanisms for Spreading of Computer Virus on the Internet:
An Overview," IEEE Computer Society, 2004, pp. 601-606.
[4] D. M. Kienzle and M. C. Elder, "Recent Worms: A Survey and Trends," in Proc. ACM Workshop
on Rapid Malcode (WORM 2003), Washington, DC, USA, 2003.
[5] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford and N. Weaver, "Inside the
Slammer Worm," IEEE Security & Privacy, vol. 1, no. 4, 2003.
[6] T. Dübendorfer, A. Wagner, T. Hossmann and B. Plattner, "Flow-Level Traffic Analysis of
the Blaster and Sobig Worm Outbreaks in an Internet Backbone," in Proc. DIMVA 2005,
Springer-Verlag, Berlin Heidelberg, 2005.
[7] N. Weaver, V. Paxson, S. Staniford and R. Cunningham, "A Taxonomy of Computer Worms," in
Proc. ACM Workshop on Rapid Malcode (WORM 2003), Washington, DC, USA, 2003.
[8] H. Kopka and P. W. Daly, A Guide to LaTeX, 3rd ed. Harlow, England: Addison-Wesley, 1999.