NETWORK VIRUS DETECTION AND PREVENTION




                                    ABSTRACT

        One of the most high-profile threats to information integrity is the network
virus. Network viruses are software that behaves like biological viruses: they attach
themselves to a host and replicate, spreading the infection. For a computer program to be
classified as a virus, it need only replicate itself. This paper (Network Virus Detection
and Prevention) presents what viruses, worms and Trojan horses are and how they differ, the
strategies by which viruses and worms spread, virus detection, virus prevention, and case
studies of the Slammer and Blaster worms.




Deprt of ECE, BCET

CONTENTS                                                           Pg no

Chapter 1      Introduction
               1.1 Preliminaries                                        5
               1.2 Characteristics                                      8

Chapter 2      Detailed descriptions
               2.1 Malicious Code Environments                          9
               2.2 Virus/Worm types overview                            9

Chapter 3      File infection techniques of viruses
               3.1 Overwriting Viruses                                 12
               3.2 Random Overwriting Viruses                          13
               3.3 Appending Viruses                                   13
               3.4 Prepending Viruses                                  14
               3.5 Classical Parasitic Virus                           14
               3.6 Cavity Viruses                                      15
               3.7 Compressing Viruses                                 16
               3.8 Amoeba Infection Technique                          16

Chapter 4      Steps in worm propagation
               4.1 Target Locator                                      17
               4.2 Infection Propagator                                18
               4.3 Remote Control and Update Interface                 18
               4.4 Life-Cycle Manager                                  18
               4.5 Payload                                             19
               4.6 Self-Tracking                                       19








Chapter 5      Identification methods
               5.1 Signature-based detection                           20
               5.2 Heuristics                                          21
               5.3 Rootkit detection                                   22
               5.4 Malware detection and removal                       22

Chapter 6      Virus prevention
               6.1 Antivirus software                                  23
               6.2 Generations of antivirus software                   23
               6.3 Advanced antivirus techniques                       24
               6.4 Other technologies                                  24
                   6.4.1 Cloud antivirus                               24
                   6.4.2 Network firewall                              25
                   6.4.3 Online scanning                               26
                   6.4.4 Specialist tools                              26

Chapter 7      Case studies
               7.1 Slammer Worm                                        27
                   7.1.1 Vulnerability                                 27
                   7.1.2 Target Selection                              27
                   7.1.3 Infection Propagator                          27
                   7.1.4 Payload                                       27
                   7.1.5 Network Propagation                           27
                   7.1.6 Prevention                                    28








               7.2 Blaster Worm                                        28
                   7.2.1 Vulnerability                                 28
                   7.2.2 Initialization                                28
                   7.2.3 Target Selection                              28
                   7.2.4 Infection Propagator                          28
                   7.2.5 Payload                                       29
                   7.2.6 Prevention                                    29

               Conclusion                                              30
               References                                              31








                                     CHAPTER 1
                                  INTRODUCTION
        The internet consists of hundreds of millions of computers distributed around the
world. Millions of people use it daily, taking full advantage of the available services at
both personal and professional levels. The connectivity among computers on which the World
Wide Web relies, however, makes its nodes an easy target for malicious users who attempt to
exhaust their resources, damage their data or create havoc in the network. Computer viruses
have increased dramatically in number, especially in recent years, and are one of the most
high-profile threats to information integrity. PC viruses have existed for two-thirds of the
IBM PC's lifetime, the first appearing in 1986. With global computing on the rise, viruses
have become more visible in the past few years; the entertainment industry has helped by
illustrating their effects in movies such as "Independence Day", "The Net" and "Sneakers".
Computer worms are increasing alongside viruses, so there is a need to immunise the internet
by making people aware of both in detail. This paper explains the basic concepts of viruses
and worms and how they spread. It is organised as follows. Section 1.1 gives preliminaries:
the definitions of computer viruses, worms, Trojan horses and other malicious programs, and
the categories of worms; section 1.2 lists the basic characteristics of a virus. Chapter 2
describes the malicious code environments in which a virus can propagate and gives an
overview of virus and worm types. Chapter 3 describes the file infection techniques that
viruses use. Chapter 4 describes the steps a typical worm follows to propagate. Chapters 5
and 6 cover identification methods and prevention. Chapter 7 presents two case studies, the
Slammer and Blaster worms.

1.1 Preliminaries:
A. Virus:
        A virus is a self-replicating program. Some definitions add the constraint that it
must attach itself to a host program in order to replicate. Viruses usually require a host,
and their goal is to infect other files so that the virus survives longer. Some viruses
perform destructive actions, although this is not necessarily the case, and many attempt to
hide from discovery. A virus might rapidly infect every file on a computer or slowly infect
the documents on it, but it does not by itself try to spread from the infected computer to
others. In most cases that is where humans come in: we send documents as e-mail attachments,
trade programs on diskettes, or copy files to file servers. When the next unsuspecting user
receives the infected file or disk, they spread the virus to their computer, and so on.








B. Worms:
        Worms are insidious because they rely less (or not at all) on human behaviour to
spread from one computer to others. A computer worm is a program designed to copy itself
from one computer to another over some network medium: e-mail, TCP/IP, and so on. A worm is
more interested in infecting as many machines as possible on the network than in spreading
many copies of itself on a single computer (as a virus does). The prototypical worm infects
(or causes its code to run on) a target system only once; after the initial infection it
attempts to spread to other machines on the network. Some researchers define worms as a
sub-type of virus. In the early years worms were considered a problem of mainframes only,
but this changed once the Internet became widespread: worms quickly adapted to Windows and
started sending themselves through network functions. Some categories of worms are:

       Mailers and mass-mailer worms
       Octopus worms
       Rabbits




C. Trojan Horses:
        A Trojan horse is a program that pretends to be useful but performs some unwanted
action. Most Trojans act when they are run; some destroy the structure of the current drive
(FATs, directories, etc.), obliterating themselves in the process. Trojans require no host
and do not replicate. A special type is the backdoor Trojan, which does nothing overtly
destructive but leaves the computer open to remote control and unauthorised access.








D. Others:
       There are other types of malicious programs apart from viruses, worms and Trojan
horses. Some of them are described below.

1) Logic Bombs:
        A logic bomb is a programmed malfunction of a legitimate application, intentionally
inserted into otherwise good code. It remains hidden, with only its effects becoming visible
once its trigger condition is met. Logic bombs do not replicate.

2) Germs:
        Germs are first-generation viruses in a form that cannot yet carry out the virus's
usual infection process. When a virus is compiled for the first time it exists in this
special form and normally has no host program attached to it. Germs do not carry the
infection marker that most viruses use in their second-generation form to flag infected
files and avoid reinfecting an already infected object.

3) Exploits:
       An exploit is specific to a single vulnerability or a set of vulnerabilities. Its
goal is to run a program on a (possibly remote, networked) system automatically, or to
provide some other form of more highly privileged access to the target system.








1.2 Characteristics:
       The following are some of the characteristics of viruses:

1) Size - The program code required for a computer virus is very small.

2) Versatility - Computer viruses have appeared with the ability to generically attack a
wide variety of applications.

3) Propagation - Once a computer virus has infected a program, the virus is able to spread
to other programs and files accessible to the computer system while that program is running.

4) Effectiveness - Many computer viruses have far-reaching and catastrophic effects on their
victims, including total loss of data, programs and even operating systems.

5) Functionality - A wide variety of functions has been demonstrated in virus programs.
Some merely spread themselves to applications without attacking data files, program
functions or operating system activities. Others are programmed to damage or delete files,
and even to destroy systems.

6) Persistence - In many cases, especially in networked operation, eradication of viruses
has been complicated by the ability of a virus to repeatedly spread and reoccur throughout
the networked system from a single surviving copy.








                                    CHAPTER 2
                           DETAILED DESCRIPTION
2.1 Malicious Code Environments
To understand computer viruses it is important to know the particular execution environments
they depend on. A successful penetration of a system by viral code occurs only if the various
dependencies of the malicious code match the environment it lands in. The following are some
of these dependencies:

1) Computer Architecture Dependency

2) CPU Dependency

3) Operating System Dependency and Operating System Version Dependency

4) File System Dependency

5) File Format Dependency

6) Interpreted Environment Dependency

7) Vulnerability Dependency

8) Date and Time Dependency

9) Just-In-Time Compiler Dependency

10) Archive Format Dependency

11) File Extension Dependency

12) Network Protocol Dependency

13) Source Code Dependency

14) Self-Contained Environment Dependency



2.2 Virus/Worm types overview
These are the main categories of viruses and worms:

1) Binary File Virus and Worm – File viruses infect executables (program files). They can
spread over networks and are normally written in machine code. File worms are also written
in machine code but, instead of infecting other files, focus on spreading to other machines.






2) Binary Stream Worms – Stream worms are network-spreading worms that never manifest as
files. Instead, they travel from computer to computer as pieces of code that exist only in
memory.

3) Script File Virus and Worm – A script virus is technically a file virus, but script
viruses are written as human-readable text. Since a computer cannot execute text
instructions directly, the text first has to be translated into machine code. This process
is called "interpretation" and is performed by a separate interpreter program on the
computer.

4) Macro Virus – Macro viruses infect data files, or files that are normally perceived as
data files, such as documents and spreadsheets. Almost anything that can be done with an
ordinary program can be done with macro instructions. Macro viruses became very common and
can spread over networks.

VIRUS STRUCTURE:

       program V :=
       {goto main;
        1234567;

        subroutine infect-executable :=
           {loop:
            file := get-random-executable-file;
            if (first-line-of-file = 1234567) then goto loop
            else prepend V to file;}

        subroutine do-damage :=
           {whatever damage is to be done}

        subroutine trigger-pulled :=
           {return true if condition holds}

        main: main-program :=
           {infect-executable;
            if trigger-pulled then do-damage;
            goto next;}

        next:
       }

The constant 1234567 is the infection marker: the virus checks for it so that it does not
reinfect a file it has already prepended itself to, and a scanner can look for the same
marker as a signature of infection.







5) Boot Virus – The first known successful computer viruses were boot sector viruses; today
they are rarely seen. They infect the boot sectors of hard drives and floppy disks and do
not depend on the operating system installed, because they take over the boot process of the
personal computer: most computers do not hold an operating system in Read Only Memory (ROM),
so they load it from somewhere else, such as a disk or the network (via a network adapter),
and the virus runs before the operating system does. Boot viruses cannot spread over
networks by themselves.

6) Multipartite Viruses – Multipartite viruses infect both executable files and boot
sectors, or executable files and data files. These are not able to infect over networks.








                                      CHAPTER 3
                FILE INFECTION TECHNIQUES OF VIRUSES


       The following are common strategies that virus writers have used over the years to
invade new host programs:

3.1 Overwriting Viruses
        These locate another file on disk and overwrite it with their own copy. This is the
easiest approach, and it can do great damage when every file on the system is overwritten.
Such files cannot be disinfected: they must be deleted and restored from backups. Because
the host is replaced rather than extended, the file size does not change.

                            Figure 3.1. An overwriting virus infection.




Well-known overwriting viruses
Grog.377 - A non-memory-resident virus that reads a random sector of the hard disk in search
of particular instructions. If they are present, it overwrites that part of the sector with
its malicious code. Once launched, the infection is reported to damage the system BIOS
settings and prevent the computer from booting.

Grog.202/456 - Two of the more dangerous overwriting viruses. They seek out .COM files in
the current directory and replace their content with malicious code. If no .COM files are
found in that directory, the virus dials a random phone number over the user's modem in
search of other reachable computers. Both are also non-memory-resident overwriting viruses.

Loveletter - Perhaps the most complex overwriting virus. Like the other variants, its main
intent is to seek out files and overwrite them with malicious code. What makes this virus




different is that it acts as a file infector, an e-mail worm and a Trojan horse capable of
downloading other types of malware.

Overwriting viruses were initially used because of their effectiveness as a way for the
infection to fuse itself with an innocent file. This corrupts the original file so that it
cannot be disinfected. Because the victim file's size does not change, integrity checks
based on file size alone do not reveal the infection.

Although they were effective, most malware authors no longer write this type of virus; many
focus instead on tempting users with Trojan horses and distributing malware by e-mail. Even
so, a computer must be protected against all probable threats at all times. The best bet is
to install a quality anti-virus program and to scan frequently for suspicious activity.

3.2 Random Overwriting Viruses
        This is another, rarer variation of the overwriting method. It does not change the
code at the top of the file but chooses a random location in the host program and overwrites
that location. In this case the virus code may not even get control during execution. In
both cases the host program is lost during the attack, and it often crashes before the virus
code executes.



                               Figure 3.2. A random overwriter virus.




3.3 Appending Viruses
        In this technique the virus code is appended at the end of the program, and the
first instruction of the program is changed to a jump or call instruction pointing to the
starting address of the viral code.








                        Figure 3.3. A typical DOS COM appender virus.
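As an added illustration (example code written for this edit, not part of the original paper), the following Python checks for the structural trace an appender leaves in a DOS .COM file: an entry-point JMP whose target lies in the last part of the file. The .COM load address and the 0xE9/0xEB jump opcodes are real x86/DOS facts; the sample images, the 10 % tail fraction and the function names are this example's own assumptions.

```python
import struct

COM_LOAD_OFFSET = 0x100  # DOS loads a .COM image at CS:0100h, so file offset = IP - 0x100


def com_entry_jump_target(image: bytes):
    """Decode the instruction at the .COM entry point.

    Returns the file offset a leading JMP (E9 rel16 or EB rel8) lands on,
    or None when the entry instruction is not a jump.
    """
    if len(image) >= 3 and image[0] == 0xE9:            # JMP rel16
        rel = struct.unpack_from("<h", image, 1)[0]
        next_ip = COM_LOAD_OFFSET + 3
    elif len(image) >= 2 and image[0] == 0xEB:          # JMP rel8
        rel = struct.unpack_from("<b", image, 1)[0]
        next_ip = COM_LOAD_OFFSET + 2
    else:
        return None
    target_ip = (next_ip + rel) & 0xFFFF                # IP wraps inside the 64 KiB segment
    return target_ip - COM_LOAD_OFFSET


def appender_suspicion(image: bytes, tail_fraction: float = 0.10) -> dict:
    """Flag a .COM image whose entry point jumps into the last `tail_fraction` of the file."""
    target = com_entry_jump_target(image)
    if target is None:
        return {"suspicious": False, "reason": "entry instruction is not a jump"}
    if not 0 <= target < len(image):
        return {"suspicious": True, "reason": f"entry jump leaves the file image (offset {target})"}
    tail_start = int(len(image) * (1.0 - tail_fraction))
    if target >= tail_start:
        return {"suspicious": True,
                "reason": f"entry jump lands at offset {target} of {len(image)}, inside the file tail"}
    return {"suspicious": False, "reason": f"entry jump lands at offset {target}, inside the program body"}


# Constructed sample: a clean .COM program (prints "Hi" via INT 21h/AH=09h and returns),
# padded with zero bytes so it has a realistic size. Test data, not a program from the wild.
HOST_COM = bytes([0xB4, 0x09,             # MOV AH, 09h
                  0xBA, 0x08, 0x01,       # MOV DX, 0108h  (offset of the '$'-terminated string)
                  0xCD, 0x21,             # INT 21h
                  0xC3]) + b"Hi$" + bytes(200)

# Constructed sample modelling what an appender leaves behind: the first three host bytes are
# replaced by JMP rel16 to the appended tail, and the tail keeps a copy of those bytes so the
# virus could restore them before handing control back. The tail here is inert filler (NOPs).
_APPENDED_TAIL = HOST_COM[:3] + b"\x90" * 13
_REL16 = len(HOST_COM) - 3                            # JMP is 3 bytes long, so target = 3 + rel
INFECTED_COM = b"\xE9" + struct.pack("<h", _REL16) + HOST_COM[3:] + _APPENDED_TAIL


if __name__ == "__main__":
    for name, image in (("clean", HOST_COM), ("infected", INFECTED_COM)):
        print(name, appender_suspicion(image))
```

The clean sample starts with MOV AH,09h, so the heuristic passes it; the modelled infection jumps to offset 211 of a 227-byte file and is flagged. Packers and some compilers also place a JMP at the entry point, so a real scanner treats this as one signal among several (entry point in the last section, writable code section, unusual section names) rather than a verdict on its own; for .EXE/PE files the same idea applies to the header's entry point versus the range of the last section.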




3.4 Prepending Viruses
         A common infection technique inserts the virus code at the front of the host
program; such viruses are called prepending viruses. The technique is simple and often
successful, and virus writers produced many viruses of this kind on various operating
systems, causing major outbreaks.

                             Figure3.4. A typical prepender virus.




3.5 Classical Parasitic Virus
       This is a variation of the prepender technique. The top portion of the program is
overwritten with virus code, and the overwritten portion is copied to the end of the program
so that the virus can restore it before passing control to the host.








                                  Figure 3.5. A classic parasitic virus.




3.6 Cavity Viruses
        These typically do not increase the size of the program they infect. Instead they
overwrite a part of the file that can hold the virus code safely, normally an area of a
binary that contains only zeros. These were often slow spreaders on DOS systems.

                     Figure 3.6. A cavity virus injects itself into a cave of the host.








3.7 Compressing Viruses
        This is a special technique in which the content of the host program is compressed
to make room for the virus code. Compressor viruses are sometimes considered beneficial,
since they may compress the infected program to a much smaller size, saving disk space.



                                Figure 3.7. A compressor virus.




3.8 Amoeba Infection Technique
        This is a rarely seen infection technique in which the head of the viral code is
stored at the start of the host program and the tail after the end of the host program.

                           Figure 3.8. The Amoeba infection method.








                                    CHAPTER 4
                     STEPS IN WORM PROPAGATION


Each worm has a few essential components, such as a target locator and an infection
propagator, and some non-essential modules, such as a remote control and update interface, a
life-cycle manager and payloads.

4.1 Target Locator:
       For a worm to propagate it must first discover the existence of other machines. There
are many techniques by which a worm can discover new machines to exploit:

a) Scanning: This entails probing a set of addresses to identify vulnerable hosts. Two
simple forms are sequential scanning (working through an address block in order) and random
scanning (trying addresses out of a block in pseudo-random fashion).

b) Pre-generated Target Lists: An attacker can obtain a target list in advance, creating a
"hit list" of probable victims with good network connections, well before the worm is
released. Some scanning techniques look only for particular criteria, such as the operating
system a machine runs and its version, or the servers it exposes. Stealthy scans,
distributed scanning, DNS searches, simply listening on the network, and public surveys such
as the Netcraft survey can all contribute to such a list.

c) Externally Generated Target Lists: An externally generated list is one maintained by a
separate server, such as a matchmaking service's metaserver. It could also be used to speed
up worm propagation; no such worm has yet been seen in the wild.

d) Internal Target Lists: Many applications hold information about other hosts providing
vulnerable services. Such target lists can be used to create "topological" worms, which
search local information to find new victims by discovering the local communication
topology.

e) Passive: These do not seek out victim machines. Instead, they either wait for potential
victims to contact the worm or rely on user behaviour to reveal new targets. Although
potentially slow, these worms produce no anomalous traffic patterns during target discovery,
which potentially makes them highly stealthy.








4.2 Infection Propagator:
        This is the strategy the worm uses to transfer itself to a new node and gain control
of the remote machine. Most worms assume that the target runs a particular version of
Windows and send an exploit and a copy of the worm that are compatible with that system.



4.3 Remote Control and Update Interface:
        Another important component of a worm is remote control through a communication
module. Without such a module, the worm's author cannot control the worm network by sending
control messages to the worm copies. Remote control lets the attacker use the worm network
as a DDoS (distributed denial of service) tool, turning the zombie network against arbitrary
targets. It also lets the attacker change the worm's behaviour and even push new infection
strategies to as many compromised nodes as possible.



4.4 Life-Cycle Manager:
       Some writers prefer a worm to run for a preset period of time. On the other hand,
many worms have bugs in their life-cycle manager component and continue to run without ever
stopping.





4.5 Payload:
       This is an optional but common component of a worm. An increasingly popular payload
is a DDoS attack against a particular website; the compromised systems can also be used as a
"supercomputer". It has become popular to install an SMTP (Simple Mail Transfer Protocol)
spam relay as the payload of a worm.




4.6 Self-Tracking:
       Many virus authors are interested in seeing how many machines their creation infects
and in tracking the path the infection takes.








                                     CHAPTER 5

                               Identification methods


   One of the few solid theoretical results in the study of computer viruses is Frederick B.
Cohen's 1987 demonstration that there is no algorithm that can perfectly detect all possible
viruses. The proof relies on the "infect" and "spread" abilities of computer viruses. Those
abilities, which together make up "replication", are common but not necessarily present in
malware. "Computer virus", in its recent meaning, and "malware" are overlapping terms, not
synonyms: the difference is between code with the ability to infect and spread and code with
a malicious purpose.

There are several methods that antivirus software can use to identify malware.

Signature-based detection is the most common method. To identify viruses and other malware,
the antivirus software compares the contents of a file to a dictionary of virus signatures.
Because viruses can embed themselves in existing files, the entire file is searched, not
just as a whole but also in pieces.[16]

Heuristic-based detection, like malicious-activity detection, can be used to identify
unknown viruses.

File emulation is another heuristic approach. The program is executed in a virtual
environment and the actions it performs are logged. Depending on the actions logged, the
antivirus software decides whether the program is malicious and then carries out the
appropriate disinfection actions.

5.1 Signature-based detection:

        Traditionally, antivirus software relied heavily on signatures to identify malware.
This can be very effective, but it cannot defend against malware for which samples have not
already been obtained and signatures created; signature-based approaches are therefore not
effective against new, unknown viruses.

Because new viruses are created every day, the signature-based approach requires frequent
updates of the virus signature dictionary. To assist the antivirus companies, the software
may allow the user to upload new viruses or variants so that they can be analysed and their
signatures added to the dictionary. Signatures are produced by human experts using reverse
engineering; an example of software used in reverse engineering is the Interactive
Disassembler (IDA). Such software does not itself implement antivirus protection but
facilitates human analysis.

Although the signature-based approach can effectively contain virus outbreaks, virus authors
have tried to stay a step ahead of such software by writing "oligomorphic", "polymorphic"
and, more recently, "metamorphic" viruses, which encrypt parts of themselves or otherwise






modify themselves as a method of disguise, so as not to match the virus signatures in the
dictionary.

5.2 Heuristics:

      Some more sophisticated antivirus software uses heuristic analysis to identify new
malware or variants of known malware.

Many viruses start as a single infection and, through either mutation or refinement by other
attackers, grow into dozens of slightly different strains, called variants. Generic detection
refers to the detection and removal of multiple threats using a single virus definition.

For example, the Vundo trojan has several family members, depending on the antivirus
vendor's classification. Symantec classifies members of the Vundo family into two distinct
categories, Trojan.Vundo and Trojan.Vundo.B.

While it may be advantageous to identify a specific virus, it can be quicker to detect a
virus family through a generic signature or through an inexact match to an existing
signature. Virus researchers find common areas that all viruses in a family uniquely share
and create a single generic signature from them. These signatures often cover non-contiguous
code, with wildcard characters where the variants differ; the wildcards let the scanner
detect the viruses even when they are padded with extra, meaningless code. A detection that
uses this method is said to be "heuristic detection."

Variants are also described with terms such as "oligomorphic", "polymorphic" and
"metamorphic", where the differences between specific copies of the same virus are large.
For such cases there are dedicated statistical algorithms, implemented in the "real time"
protection, that analyse software behaviour. This approach is not exact and uses more of the
computer's resources. Since developing oligomorphic, polymorphic and metamorphic engines is
difficult and the resulting code is relatively large (and such cases are rare), the approach
can be used with a relatively high success rate; designing the algorithm requires human
ingenuity.

If the antivirus software employs heuristic detection, success depends on achieving the right
balance between false positives and false negatives. Because both are possible, the
identification process is subject to human assistance, which may include user decisions as
well as analysis by an expert at the antivirus company.
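To make the difference between an exact and a generic (wildcard) signature concrete, and to show why the text above insists that a file be searched in pieces as well as a whole, here is an added Python example (not code from the original paper or from any antivirus product). The hex signature syntax mirrors ClamAV's "??" one-byte wildcard; the two variant byte strings, the signature names and the chunk size are constructed for the example.

```python
import re


def compile_signature(hex_pattern: str) -> re.Pattern:
    """Compile a hex signature such as 'E8 ?? ?? ?? ?? 5D 81 ED' into a bytes regex.

    Each '??' token is a one-byte wildcard; every other token is a literal byte.
    """
    parts = []
    for token in hex_pattern.split():
        parts.append(b"." if token == "??" else re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def signature_length(hex_pattern: str) -> int:
    return len(hex_pattern.split())


def scan_bytes(data: bytes, signatures: dict) -> list:
    """Return the names of all signatures that match anywhere in `data`."""
    return [name for name, pat in signatures.items() if pat.search(data)]


def scan_chunks(chunks, signatures: dict, max_sig_len: int) -> list:
    """Scan a file delivered piecewise, carrying an overlap so that a match straddling a
    chunk boundary is not lost (the 'searched in pieces' point from the text)."""
    carry = b""
    hits = set()
    for chunk in chunks:
        window = carry + chunk
        hits.update(scan_bytes(window, signatures))
        carry = window[-(max_sig_len - 1):] if max_sig_len > 1 else b""
    return sorted(hits)


def scan_chunks_naive(chunks, signatures: dict) -> list:
    """Same scan without the overlap: shows what goes wrong at chunk boundaries."""
    hits = set()
    for chunk in chunks:
        hits.update(scan_bytes(chunk, signatures))
    return sorted(hits)


# Constructed example: the classic "get EIP" prologue of a position-independent decryptor
# (CALL next; POP EBP; SUB EBP, delta). The CALL displacement and the delta differ between
# variants, so an exact signature matches only one while the generic one matches the family.
EXACT_SIG = "E8 00 00 00 00 5D 81 ED 05 10 40 00"
GENERIC_SIG = "E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ??"
SIGNATURES = {"Example.Variant.A": compile_signature(EXACT_SIG),
              "Example.Family": compile_signature(GENERIC_SIG)}
MAX_SIG_LEN = max(signature_length(EXACT_SIG), signature_length(GENERIC_SIG))

VARIANT_A = bytes.fromhex("E800000000" "5D" "81ED05104000")
VARIANT_B = bytes.fromhex("E812340000" "5D" "81ED1A204000")   # same family, different constants

# A constructed file in which the signature straddles a 1024-byte chunk boundary (offsets 1020..1031).
STRADDLING_FILE = b"A" * 1020 + VARIANT_B + b"B" * 1024


def split_into_chunks(data: bytes, size: int):
    return [data[i:i + size] for i in range(0, len(data), size)]


if __name__ == "__main__":
    print("variant A:", scan_bytes(VARIANT_A, SIGNATURES))
    print("variant B:", scan_bytes(VARIANT_B, SIGNATURES))
    chunks = split_into_chunks(STRADDLING_FILE, 1024)
    print("naive chunked scan:", scan_chunks_naive(chunks, SIGNATURES))
    print("overlapping chunked scan:", scan_chunks(chunks, SIGNATURES, MAX_SIG_LEN))
```

Variant A matches both signatures; variant B, which differs only in the CALL displacement and the subtraction constant, matches only the generic one. The naive piecewise scan misses the signature that straddles the 1024-byte boundary, whereas carrying the last (signature length - 1) bytes into the next window recovers it. A production scanner does not run one regex per signature: it compiles thousands of patterns into an Aho-Corasick automaton keyed on their fixed bytes and confirms the wildcard regions afterwards, but the overlap rule is the same.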

5.3 Rootkit detection:

Anti-virus software can attempt to scan for rootkits; a rootkit is a type of malware that is
designed to gain administrative-level control over a computer system without being detected.
Rootkits can change how the operating system functions and in some cases can tamper with
the anti-virus program and render it ineffective. Rootkits are also difficult to remove, in some
cases requiring a complete re-installation of the operating system.







5.4 Malware detection and removal:

5.4.1 Method 1:
The most common approach is to install an antivirus program and keep it current. Because
new viruses are detected daily, the signatures and heuristic methods must be updated very
regularly. For this reason, modern antivirus programs generally include facilities to update
themselves automatically over a network connection whenever new virus signatures and
heuristics become available.



5.4.2 Method 2:
Platforms which are not themselves thought to be vulnerable to viruses, but which are used to
distribute content that may contain viruses (e.g. email between Windows users), must also
scan for viruses to avoid becoming part of the problem. The number of known virus
signatures keeps increasing, so even with the ClamAV antivirus package, which is open
source and freely installable, growing memory demands make this job increasingly
expensive. The following figure shows how many virus signatures existed and how much
memory they occupied as of November 2008.



5.4.3 Other countermeasures:
       One approach involves stopping a system from running and mounting its hard disk
under another operating system, booted from trusted media. Tools can then be run on the
trusted system to detect suspicious changes to files on the system being scanned. This is
considered more reliable than running antivirus software directly on a system which might
have been compromised, where the results of the antivirus scan may themselves have been
tampered with by an unknown virus.

The trusted scanning system might also store a set of hash signatures or checksums of the
files which a virus might modify, and test whether any executables or registry tables have
been modified.
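The hash-based check described above, written out as an added example (not code from the report): a baseline of SHA-256 digests is taken for the executables under a root directory, and a later re-scan reports what was modified, added or removed. The directory tree, file names and contents in demo() are constructed in a temporary directory, and the set of tracked file suffixes is an assumption.

```python
"""
Hash-based integrity check of the kind described in 5.4.3: take a baseline of
SHA-256 digests for the executables on a system (e.g. its disk mounted under a
trusted OS), re-scan later and report every file that was modified, added or
removed. The directory tree in demo() is constructed in a temporary directory.
"""
import hashlib
import os
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys")   # assumed set of file types to track


def sha256_of(path: Path) -> str:
    """Digest a file in 64 KiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, suffixes=EXECUTABLE_SUFFIXES) -> dict:
    """Map each tracked file under root (as a relative POSIX path) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in suffixes:
                baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report digests that changed and files present in only one snapshot."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline, then one file altered, one dropped in, one deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys32 = root / "system32"
        sys32.mkdir()
        (sys32 / "kernel.dll").write_bytes(b"MZ" + b"\x00" * 64)
        (sys32 / "notepad.exe").write_bytes(b"MZ" + b"\x01" * 64)
        (root / "readme.txt").write_text("not tracked: not an executable")
        baseline = build_baseline(root)

        # Simulated appending infection: extra bytes tacked onto the host file,
        # which is how the appending viruses of chapter 3 change a file's digest.
        with (sys32 / "notepad.exe").open("ab") as fh:
            fh.write(b"<appended payload placeholder>")
        (sys32 / "dropper.exe").write_bytes(b"MZ" + b"\x02" * 16)
        (sys32 / "kernel.dll").unlink()
        return compare(baseline, build_baseline(root))
```

The baseline itself must live on the trusted media, since a rootkit on the scanned system could otherwise rewrite it to match the infected files.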




                                     CHAPTER 6

                                   Virus prevention


6.1 Antivirus or anti-virus software:

       Antivirus software is used to prevent, detect, and remove malware, including but not
limited to computer viruses, computer worms, trojan horses, spyware and adware. Computer
security, including protection from social engineering techniques, is commonly offered in the
products and services of antivirus software companies. This section discusses the software
used for the prevention and removal of malware threats, rather than computer security
implemented by other software methods.




               An example of free antivirus software: ClamTk 3.08.

        A variety of strategies are typically employed. Signature-based detection involves
searching for known patterns of data within executable code. However, it is possible for a
computer to be infected with new malware for which no signature is yet known. To counter
such so-called zero-day threats, heuristics can be used. One type of heuristic approach,
generic signatures, can identify new viruses or variants of existing viruses by looking for
known malicious code, or slight variations of such code, in files. Some antivirus software can
also predict what a file will do by running it in a sandbox and analyzing what it does to see if
it performs any malicious actions.




6.2 Generations of antivirus software:

First generation (simple scanners): the scanner uses a virus signature to identify a virus, or
looks for a change in the length of programs.

Second generation (heuristic scanners): uses heuristic rules to spot a viral infection, or uses a
cryptographic hash of each program to spot changes.

Third generation (activity traps): memory-resident programs identify a virus by its actions.

Fourth generation (full-featured protection): packages combining a variety of antivirus
techniques, e.g. scanning, activity traps and access-control capability.



6.3 Advanced antivirus techniques:

1. Generic Decryption (GD): enables an antivirus program to detect even the most complex
polymorphic viruses. Every executable file is run in the GD scanner, which contains a CPU
emulator, a virus signature scanner and an emulation control module.

2. Digital Immune System: developed by IBM to counter threats in a network, such as those
arising from:

       Integrated mail systems
       Mobile program systems



6.4 Other Technologies:
        No matter how useful antivirus software can be, it can sometimes have drawbacks.
Antivirus software can impair a computer's performance. Inexperienced users may also have
trouble understanding the prompts and decisions that antivirus software presents them with.
An incorrect decision may lead to a security breach. If the antivirus software employs
heuristic detection, success depends on achieving the right balance between false positives
and false negatives. False positives can be as destructive as false negatives. Finally, antivirus
software generally runs at the highly trusted kernel level of the operating system, creating a
potential avenue of attack.

Installed antivirus software running on an individual computer is only one method of
guarding against viruses. Other methods are also used, including cloud-based antivirus,
firewalls and on-line scanners.

6.4.1 Cloud antivirus:

      Cloud antivirus is a technology that uses lightweight agent software on the protected
computer, while offloading the majority of data analysis to the provider's infrastructure.


One approach to implementing cloud antivirus involves scanning suspicious files using
multiple antivirus engines. This approach was proposed by an early implementation of the
cloud antivirus concept called CloudAV. CloudAV was designed to send programs or
documents to a network cloud where multiple antivirus and behavioral detection programs
are run simultaneously in order to improve detection rates. Parallel scanning of files with
potentially incompatible antivirus scanners is achieved by spawning one virtual machine per
detection engine, which avoids conflicts between the engines. CloudAV can also perform
"retrospective detection", whereby the cloud detection engine rescans all files in its file
access history when a new threat is identified, thus improving the speed of new threat
detection. Finally, CloudAV is a solution for effective virus scanning on devices that lack the
computing power to perform the scans themselves.

6.4.2 Network firewall:

Network firewalls prevent unknown programs and processes from accessing the system.
However, they are not antivirus systems and make no attempt to identify or remove anything.
They may protect against infection from outside the protected computer or network, and limit
the activity of any malicious software which is present by blocking incoming or outgoing
requests on certain TCP/IP ports. A firewall is designed to deal with broader system threats
that come from network connections into the system and is not an alternative to a virus
protection system.




       An illustration of where a firewall would be located in a network.




6.4.3 Online scanning:

Some antivirus vendors maintain websites with free online scanning capability of the entire
computer, critical areas only, local disks, folders or files. Periodic online scanning is a good
idea for those that run antivirus applications on their computers because those applications
are frequently slow to catch threats. One of the first things that malicious software does in an
attack is disable any existing antivirus software and sometimes the only way to know of an
attack is by turning to an online resource that is not installed on the infected computer.




  Using rkhunter to scan for rootkits on an Ubuntu Linux computer.

6.4.4 Specialist tools:

        Virus removal tools are available to help remove stubborn infections or certain types
of infection. Examples include Trend Micro's Rootkit Buster, and rkhunter for the detection
of rootkits, Avira's AntiVir Removal Tool, PCTools Threat Removal Tool, and AVG's Anti-
Virus Free 2011.

A rescue disk that is bootable, such as a CD or USB storage device, can be used to run
antivirus software outside of the installed operating system, in order to remove infections
while they are dormant. A bootable antivirus disk can be useful when, for example, the
installed operating system is no longer bootable or has malware that is resisting all attempts
to be removed by the installed antivirus software.



                                      CHAPTER 7
                                    CASE STUDIES
7.1 Slammer Worm
        The Slammer worm, sometimes called Sapphire, was the fastest-spreading computer
worm in history at the time of writing. It began spreading through the Internet on January 25,
2003, and infected more than 90 percent of vulnerable hosts within 10 minutes, causing
significant disruption to financial, transportation and government institutions and precluding
any human-based response.

1) Vulnerability: Microsoft SQL Server 2000 and Microsoft SQL Server Desktop Engine
(MSDE) 2000 exhibit two buffer overrun vulnerabilities that a remote attacker can exploit
without ever authenticating to the server. They are attacked using stack overflow and heap
overflow techniques.

2) Target Selection: It used random scanning to select IP addresses, and thereby vulnerable
systems. Random-scanning worms initially spread exponentially; later, infection slows as the
worms continually retry already infected or immune addresses. Slammer is bandwidth-limited,
in contrast to Code Red, which is latency-limited.

3) Infection Propagator: It carries only 376 bytes of code, containing a simple, fast scanner;
with the protocol headers the total packet size is 404 bytes. It used UDP for propagation, so
the entire worm is transmitted in a single packet, sent to port 1434. It does not write itself to
disk; it exists only as network packets and in running processes on infected computers.

4) Payload: It carries no additional malicious content such as backdoors. Its harm comes from
the speed at which it scans and attempts to re-infect systems, which amounts to a denial of
service.

5) Network Propagation: When the SQL server receives a malicious request, the overrun of
the server's buffer allows the worm code to execute. Once the worm has entered the vulnerable
system, it first obtains the addresses of certain functions and then starts an infinite loop
scanning for other vulnerable hosts on the Internet. It generates each target IP address with a
pseudo-random number generator seeded from the GetTickCount() value, thereby spreading
further into the network and infecting vulnerable machines. The worm does not check whether
multiple instances are already running on the system. The damage could have been far
greater had it carried any malicious code. The worm author also made several mistakes; for
example, the pseudo-random number generator is meant to use the equation

    x1 = (x × 214013 + 2531011) mod 2^32

but the author substituted a different value for the 2531011 increment: hex 0xFFD9613C,
which is equivalent to -2531012 when interpreted as a two's-complement decimal.


6) Prevention: It can be prevented by a firewall that blocks port 1434, since the worm spreads
only through this port.




7.2 Blaster Worm
      Blaster is a multi-stage worm first observed on August 11, 2003. It affected between
200,000 and 500,000 computers.

1) Vulnerability: It exploited a remote procedure call (RPC) vulnerability in the Microsoft
Windows 2000 and Windows XP operating systems which was made public in July 2003.

2) Initialization: When launched, the worm opens a mutex called "BILLY", used to prevent
multiple infections of the same machine, and sets a registry key that ensures it is started
every time the system reboots.

3) Target Selection: In the initialization phase it decides, with 80% probability, to use the
exploit code for Windows XP, and otherwise the one for Windows 2000. With 60%
probability it starts scanning from an IPv4 address of the form X.Y.Z.0 with X, Y and Z
chosen at random. With 40% probability, an address of the form X.Y.Z1.0 derived from the
infected computer's local address X.Y.Z.U is chosen: Z1 is set to Z unless Z is greater than
20, in which case a random value less than 20 is subtracted from Z to get Z1. The destination
IP is incremented after each scan.

4) Infection Propagator: If a TCP connection to port 135 of the destination is opened, the
exploit code is sent to the victim. If the machine is vulnerable, it starts listening on 4444/TCP
and allows remote command execution (an unpatched Windows XP machine automatically
reboots). Next the worm initiates a TCP connection to port 4444; if successful, the file
mblast.exe is transferred using TFTP (Trivial File Transfer Protocol, a simpler version of
FTP). If TFTP requests on UDP port 69 are not blocked, the worm code is downloaded. The
infecting host stops its TFTP daemon after the transfer or after 20 seconds of inactivity. If
successful, it sends the command mblast.exe over the already open TCP connection to port
4444 of the victim.

5) Payload: The payload for the RPC step is as follows: 72 bytes for RPC, 1460 bytes for the
"request" and a 244-byte TCP packet; with 40-48 bytes of TCP/IP headers this brings the
worm to 1976 to 2016 bytes. The worm code itself is 6176 bytes; with the header overhead
it comes to 6592 bytes at the IP layer.

6) Prevention: It can be prevented by a firewall that blocks incoming traffic to 135/TCP,
4444/TCP and the TFTP port, and by applying the operating system patch for the RPC
vulnerability.
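Both case studies describe a scanning pattern a network monitor can pick up: a single source reaching many hosts on the worm's port in a short time (Slammer on 1434, Blaster on 135/TCP, followed by 4444/TCP). As an added example, not from the report or any product, the detection below runs over constructed flow records; the thresholds, time windows, record layout and sample addresses (RFC 5737 documentation ranges) are assumptions.

```python
"""
Fan-out detection for the scanning behaviour described in the Slammer and
Blaster case studies, run over constructed flow records. Thresholds, windows,
record layout and addresses are assumptions made for this example.
"""
from collections import defaultdict
from ipaddress import ip_address

# Flow record layout (assumed): (timestamp_s, src_ip, dst_ip, proto, dst_port, bytes)
SAMPLE_FLOWS = (
    # Slammer-like: one host sprays 404-byte UDP datagrams at port 1434 of
    # 50 scattered addresses within a fraction of a second.
    [(100 + i * 0.001, "10.0.0.5", f"203.0.113.{(i * 37) % 256}", "UDP", 1434, 404)
     for i in range(50)]
    # Blaster-like: one host walks consecutive addresses on 135/TCP, then
    # follows up on 4444/TCP with one of them.
    + [(200 + i * 0.5, "10.0.0.7", f"198.51.100.{i}", "TCP", 135, 60)
       for i in range(30)]
    + [(216.0, "10.0.0.7", "198.51.100.12", "TCP", 4444, 80)]
    # Benign: one SQL Server resolution query and a DNS lookup.
    + [(300.0, "10.0.0.9", "10.0.0.20", "UDP", 1434, 404),
       (301.0, "10.0.0.9", "10.0.0.1", "UDP", 53, 70)]
)

# (proto, dst_port) each worm spreads over, and the sliding window in which one
# source must reach MIN_TARGETS distinct hosts to be flagged (assumed values).
WORM_RULES = {("UDP", 1434): ("Slammer", 10.0), ("TCP", 135): ("Blaster", 60.0)}
MIN_TARGETS = 20
BLASTER_STAGE2 = ("TCP", 4444)


def is_sequential(dsts):
    """True when the scanned destinations are consecutive IPv4 addresses in scan
    order (Blaster increments its target after each probe; Slammer's targets come
    from a PRNG and are scattered)."""
    nums = [int(ip_address(d)) for d in dsts]
    return len(nums) > 1 and all(b - a == 1 for a, b in zip(nums, nums[1:]))


def fan_out_alerts(flows, min_targets=MIN_TARGETS):
    """One alert per (source, worm) whose distinct-destination count on the worm's
    port reaches min_targets inside the rule's sliding time window."""
    per_src = defaultdict(list)          # (src, worm, window) -> [(ts, dst), ...]
    stage2_sources = set()               # sources that also touched 4444/TCP
    for ts, src, dst, proto, port, _size in sorted(flows, key=lambda f: f[0]):
        if (proto, port) == BLASTER_STAGE2:
            stage2_sources.add(src)
        rule = WORM_RULES.get((proto, port))
        if rule:
            per_src[(src, rule[0], rule[1])].append((ts, dst))

    alerts = []
    for (src, worm, window_s), events in per_src.items():
        start = 0
        in_window = defaultdict(int)     # dst -> probes still inside the window
        for end, (ts, dst) in enumerate(events):
            in_window[dst] += 1
            while ts - events[start][0] > window_s:   # slide the window forward
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_targets:
                scanned = [d for _, d in events[start:end + 1]]
                alerts.append({
                    "src": src, "worm": worm, "targets": len(in_window),
                    "sequential": is_sequential(scanned),
                    "second_stage": worm == "Blaster" and src in stage2_sources,
                })
                break                    # one alert per source is enough
    return alerts


def run_demo():
    """Run the detector over the constructed flows."""
    return fan_out_alerts(SAMPLE_FLOWS)
```

A lone 1434/UDP query (10.0.0.9 in the sample) is ordinary SQL Server name resolution and is not flagged; it is the fan-out to many hosts, not the port alone, that marks a scanning worm.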




                                    CONCLUSION


        I have gone through the basic definitions of viruses and worms, then discussed the
different malicious code environments. After that I discussed the different types of viruses
and worms, then discussed in detail the various virus and worm propagation techniques. After
that I discussed prevention from viruses and worms. I have also looked into two case
studies, of the Slammer and Blaster worms.

The ability of attackers to rapidly gain control of vast numbers of Internet hosts poses an
immense risk to the overall security of the Internet. Nowadays virus writers concentrate more
on writing worms, as these have a great capability to spread over the network in a few
minutes. There are various upcoming techniques in worm propagation, such as polymorphic
worms, which are a big threat to the Internet community. Worms can be written so that they
affect only a particular region or country. There are worms which will keep quiet for a
specific amount of time and attack at random times. These worms can also be used to create
Distributed Denial of Service (DDoS) attacks, which are a real threat to websites and network
traffic.

Can a virus ever be good?
        In biology, viruses enable potentially beneficial DNA to be transferred between
species. This is considered to be a part of the optimisation of the evolutionary process. But it
is thought unlikely that anyone could benefit from computer viruses, other than the proceeds
of crime which those who write and spread viruses might obtain.

The difference between a virus and another kind of program is that an ordinary program will
normally have the informed consent of the system owner before it can be installed. While
there is a similarity between an operating system which can create a copy of itself on
installation media and a virus, the OS that makes it easy for its users to copy it will do this
with the user's full knowledge and consent.

There is no situation in which taking away the end user's consent to perform an action is
considered likely to be of benefit.




Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 

Network virus detection & prevention

  • 1. NETWORK VIRUS DETECTION AND PREVENTION

ABSTRACT

One of the most high-profile threats to information integrity is network viruses. Network viruses are software that behaves like biological viruses—they attach themselves to a host and replicate, spreading the infection. For a computer program to be classified as a virus, it simply must replicate itself. In this paper (Network Virus Detection and Prevention), I present what viruses, worms and Trojan horses are and how they differ, the different strategies of virus spreading, virus detection, virus prevention, and case studies of the Slammer and Blaster worms.

1 Dept. of ECE, BCET
  • 2. CONTENTS (Pg no)

Chapter 1 Introduction
  1.1 Preliminaries  5
  1.2 Characteristics  8
Chapter 2 Detailed descriptions
  2.1 Malicious Code Environments  9
  2.2 Virus/Worm types overview  9
Chapter 3 File infection techniques of viruses
  3.1 Overwriting Viruses  12
  3.2 Random Overwriting Viruses  13
  3.3 Appending Viruses  13
  3.4 Prepending Viruses  14
  3.5 Classical Parasitic Virus  14
  3.6 Cavity Viruses  15
  3.7 Compressing Viruses  16
  3.8 Amoeba Infection Technique  16
Chapter 4 Steps in worm propagation
  4.1 Target Locator  17
  4.2 Infection Propagator  18
  4.3 Remote Control and Update Interface  18
  4.4 Life-Cycle Manager  18
  4.5 Payload  19
  4.6 Self-Tracking  19

  • 3. CONTENTS (continued)

Chapter 5 Identification methods
  5.1 Signature-based detection  20
  5.2 Heuristics  21
  5.3 Rootkit detection  22
  5.4 Malware detection and removal  22
Chapter 6 Virus prevention
  6.2 Generations of Antivirus s/w  23
  6.3 Advanced antivirus techniques  24
  6.4 Other Technologies  24
    6.4.1 Cloud antivirus  24
    6.4.2 Network firewall  25
    6.4.3 Online scanning  26
    6.4.4 Specialist tools  26
Chapter 7 Case studies
  7.1 Slammer Worm  27
    7.1.1 Vulnerability  27
    7.1.2 Target Selection  27
    7.1.3 Infection Propagator  27
    7.1.4 Payload  27
    7.1.5 Network Propagation  27
    7.1.6 Prevention  28

  • 4. CONTENTS (continued)

  7.2 Blaster Worm  28
    7.2.1 Vulnerability  28
    7.2.2 Initialization  28
    7.2.3 Target Selection  28
    7.2.4 Infection Propagator  28
    7.2.5 Payload  29
    7.2.6 Prevention  29
Conclusion  30
References  31
  • 5. CHAPTER 1 INTRODUCTION

The internet consists of hundreds of millions of computers distributed around the world. Millions of people use the internet daily, taking full advantage of the available services at both personal and professional levels. The internet connectivity among computers on which the World Wide Web relies, however, renders its nodes an easy target for malicious users who attempt to exhaust their resources, damage their data or create havoc in the network.

Computer viruses, especially in recent years, have increased dramatically in number. One of the most high-profile threats to information integrity is the computer virus. Surprisingly, PC viruses have been around for two-thirds of the IBM PC's lifetime, appearing in 1986. With global computing on the rise, computer viruses have had more visibility in the past few years. In fact, the entertainment industry has helped by illustrating the effects of viruses in movies such as "Independence Day", "The Net" and "Sneakers". Along with computer viruses, computer worms are also increasing day by day. So there is a need to immunize the internet by creating detailed awareness of these threats among people. In this paper I have explained the basic concepts of viruses and worms and how they spread.

The basic organization of the paper is as follows. In section 2, I give some preliminaries: the definitions of computer viruses, worms, Trojan horses and some other malicious programs, as well as the basic characteristics of a virus. In section 3, detailed description, I describe the malicious code environments in which a virus can propagate, give an overview of virus/worm types, and explain the categories of worm in a broad sense. In section 4, File Infection Techniques, I describe the various infection mechanisms of a virus. In section 5, Steps in Worm Propagation, I describe the basic steps that a typical worm follows to propagate. In section 6, Case studies, two case studies, the Slammer worm and the Blaster worm, are discussed.

1.1 Preliminaries

A. Virus: A self-replicating program. Some definitions also add the constraint that it has to attach itself to a host program to be able to replicate. Viruses often require a host, and their goal is to infect other files so that the virus can live longer. Some viruses perform destructive actions, although this is not necessarily the case. Many viruses attempt to hide from being discovered. A virus might rapidly infect every file on an individual computer or slowly infect the documents on the computer, but it does not intentionally try to spread itself from the infected computer to others. In most cases, that's where humans come in. We send e-mail document attachments, trade programs on diskettes, or copy files to file servers. When the next unsuspecting user receives the infected file or disk, they spread the virus to their computers, and so on.
  • 6. B. Worms: Worms are insidious because they rely less (or not at all) upon human behavior in order to spread themselves from one computer to others. A computer worm is a program that is designed to copy itself from one computer to another, leveraging some network medium: e-mail, TCP/IP, etc. The worm is more interested in infecting as many machines as possible on the network, and less interested in spreading many copies of itself on a single computer (like a computer virus). The prototypical worm infects (or causes its code to run on) a target system only once; after the initial infection, the worm attempts to spread to other machines on the network. Some researchers define worms as a sub-type of viruses. In the early years worms were considered a problem of mainframes only, but this changed after the Internet became widespread; worms quickly adapted to Windows and started to send themselves through network functions. Some categories that come under worms are Mailers and Mass-Mailer worms, Octopus worms and Rabbits.

C. Trojan Horses: A Trojan horse is a program which pretends to be useful but performs some unwanted action. Most Trojans activate when they are run and sometimes destroy the structure of the current drive (FATs, directories, etc.), obliterating themselves in the process. They do not require a host and do not replicate. A special type is the backdoor Trojan, which does not do anything overtly destructive, but leaves your computer open to remote control and unauthorised access.
  • 7. D. Others: There are other types of malicious programs apart from viruses, worms and Trojan horses. Some of them are described below.

1) Logic Bombs: A logic bomb is a programmed malfunction of a legitimate application. These are intentionally inserted in otherwise good code. They remain hidden, with only their effects being visible. They do not replicate: logic bombs do everything except make more logic bombs.

2) Germs: These are first-generation viruses in a form that the virus cannot generate through its usual infection process. When the virus is compiled for the first time, it exists in a special form and normally does not have a host program attached to it. Germs will not have the usual marks that most viruses use in second-generation form to flag infected files, so as to avoid reinfecting an already infected object.

3) Exploits: An exploit is specific to a single vulnerability or set of vulnerabilities. Its goal is to run a program on a (possibly remote, networked) system automatically or to provide some other form of more highly privileged access to the target system.
  • 8. 1.2 Characteristics: The following are some of the characteristics of viruses:

1) Size - The program code required for a computer virus is very small.
2) Versatility - Computer viruses have appeared with the ability to generically attack a wide variety of applications.
3) Propagation - Once a computer virus has infected a program, then while this program is running the virus is able to spread to other programs and files accessible to the computer system.
4) Effectiveness - Many computer viruses have far-reaching and catastrophic effects on their victims, including total loss of data, programs and even the operating system.
5) Functionality - A wide variety of functions has been demonstrated in virus programs. Some virus programs merely spread themselves to applications without attacking data files, program functions or operating system activities. Other viruses are programmed to damage or delete files, and even to destroy systems.
6) Persistence - In many cases, especially in networked operations, eradication of viruses has been complicated by the ability of a virus program to repeatedly spread and reoccur through the networked system from a single copy.
  • 9. CHAPTER 2 DETAILED DESCRIPTION

2.1 Malicious Code Environments

It is important to know about the particular execution environments in order to understand computer viruses. A successful penetration of the system by viral code occurs only if the various dependencies of the malicious code match a potential environment. The following are some of the malicious code environments:

1) Computer Architecture Dependency
2) CPU Dependency
3) Operating System Dependency and Operating System Version Dependency
4) File System Dependency
5) File Format Dependency
6) Interpreted Environment Dependency
7) Vulnerability Dependency
8) Date and Time Dependency
9) Just-In-Time Dependency
10) Archive Format Dependency
11) File Format Extension Dependency
12) Network Protocol Dependency
13) Source Code Dependency
14) Self-Contained Environment Dependency

2.2 Virus/Worm types overview

These are the main categories of viruses and worms:

1) Binary File Virus and Worm – File viruses infect executable (program) files. They are able to infect over networks. Normally these are written in machine code. File worms are also written in machine code, but instead of infecting other files, worms focus on spreading to other machines.
  • 10. 2) Binary Stream Worms – Stream worms are a group of network-spreading worms that never manifest as files. Instead, they travel from computer to computer as pieces of code that exist only in memory.

3) Script File Virus and Worm – A script virus is technically a file virus, but script viruses are written as human-readable text. Since computers cannot understand text instructions directly, the text first has to be translated from text to machine code. This process is called "interpretation", and is performed by separate programs on the computer.

4) Macro Virus – Macro viruses infect data files, or files that are normally perceived as data files, like documents and spreadsheets. Just about anything that we can do with ordinary programs on a computer we can do with macro instructions. Macro viruses are more common nowadays. These can infect over the network.

VIRUS STRUCTURE:

    program V :=
    {goto main;
     1234567;

     subroutine infect-executable :=
      {loop: file := get-random-executable-file;
       if (first-line-of-file = 1234567) then goto loop
       else prepend V to file;
      }

     subroutine do-damage :=
      {whatever damage is to be done}

     subroutine trigger-pulled :=
      {return true if condition holds}

    main: main-program :=
      {infect-executable;
       if trigger-pulled then do-damage;
       goto next;}

    next:
    }
  • 11. 5) Boot Virus – The first known successful computer viruses were boot sector viruses. Today these are rarely used. They infect the boot sectors of hard drives and floppy disks and are not dependent on the actual operating system installed. They are not able to infect over networks. They take over the boot process of personal computers: because most computers don't contain an operating system in their Read Only Memory (ROM), they need to load the system from somewhere else, such as from a disk or from the network (via a network adapter).

6) Multipartite Viruses – Multipartite viruses infect both executable files and boot sectors, or executable and data files. They are not able to infect over networks.
  • 12. CHAPTER 3 FILE INFECTION TECHNIQUES OF VIRUSES

The following are the common strategies that virus writers have used over the years to invade new host systems.

3.1 Overwriting Viruses

These locate another file on the disk and overwrite it with their own copy. This is the easiest approach, and such viruses can do great damage when they overwrite all the files in the system. They cannot be disinfected from a system: infected files must be deleted and restored from backups. They do not change the size of the host.

Figure 3.1. An overwriting virus infection.

Well-Known Overwriting Viruses

Grog.377 - Known as a non-memory-resident virus, it interprets a random sector of a hard disk in search of special instructions. If instructions exist, it overwrites that part of the sector with malicious code. When launched, the infection can inflict considerable damage on the system BIOS and prevent a computer from booting up.

Grog.202/456 - Two of the most dangerous overwriting viruses. They seek out .COM files in the current directory, quickly deleting and replacing the content with malicious code. If no .COM files are found in that particular directory, the GROG virus dials a random phone number over the user's modem in search of interconnected network computers. Both of these infections are also considered to be non-memory-resident overwriting viruses.

Loveletter - Perhaps the most complex overwriting virus. Like other variants, its main intent is to seek out files and overwrite them with malicious code. What makes this virus different is that it acts as a file infector, an email worm and a Trojan horse capable of downloading other types of malware.

  • 13. Overwriting viruses were initially deployed because of their effectiveness: a way for the infection to infuse itself into an innocent file. This corrupts the original file in such a way that it can't be disinfected. Many of them are able to escape the scanner of an anti-virus program, making no alterations to the victim file so that changes aren't detected. While they were very effective, most malicious coders do not write this type of virus anymore. Many tend to focus on tempting users with genuine Trojan horses and distributing malware via email. At the same time, you must keep your computer protected from all probable threats at all times. Your best bet is installing a quality anti-virus program and conducting frequent scans for suspicious activity.

3.2 Random Overwriting Viruses

This is another rare variation of the overwriting method: it does not change the code at the top of the file, but chooses a random location in the host program and overwrites that location. In this case the virus code may not even get control during execution. In both cases the host program is lost during the virus attack, and often crashes before the virus code executes.

Figure 3.2. A random overwriter virus.

3.3 Appending Viruses

In this technique the virus code is appended at the end of the program, and the first instruction of the code is changed to a jump or call instruction pointing to the starting address of the viral code.
  • 14. Figure 3.3. A typical DOS COM appender virus.

3.4 Prepending Viruses

A common virus infection technique uses the principle of inserting virus code at the front of host programs. Such viruses are called prepending viruses. This is a simple infection technique and is often successful. Virus writers wrote many viruses of this kind for various operating systems, causing major outbreaks on many of them.

Figure 3.4. A typical prepender virus.

3.5 Classical Parasitic Virus

This is a variation of the prepender technique. These viruses overwrite the top portion of the program with virus code, and the original top portion is copied to the end of the program.
  • 15. Figure 4.8. A classic parasitic virus.

3.6 Cavity Viruses

These typically don't increase the size of the program they infect. Instead, they overwrite a part of the file that can be used to store the virus code safely. Normally these overwrite areas of binary files that contain zeros. They are often slow spreaders on DOS systems.

Figure 3.6. A cavity virus injects itself into a cave of the host.
  • 16. 3.7 Compressing Viruses

This is a special technique where the content of the host program is compressed. Compressor viruses are sometimes beneficial because such viruses might compress the infected program to a much shorter size, saving disk space.

Figure 3.7. A compressor virus.

3.8 Amoeba Infection Technique

This is a rarely seen infection technique where the head part of the viral code is stored at the start of the host program and the tail part is stored after the end of the host program.

Figure 3.8. The Amoeba infection method.
  • 17. CHAPTER 4 STEPS IN WORM PROPAGATION

Each worm has a few essential components, such as a target locator and an infection propagation module, and a couple of non-essential modules, such as remote control, an update interface, a life-cycle manager and payloads.

4.1 Target Locator: For a worm to propagate, it must first discover the existence of a machine. There are many techniques by which a worm can discover new machines to exploit. They are:

a) Scanning: This entails probing a set of addresses to identify the vulnerable hosts. Two simple forms of scanning are sequential scanning (working through an address block using an ordered set of addresses) and random scanning (trying addresses out of a block in a pseudo-random fashion).

b) Pre-generated Target Lists: An attacker could obtain a target list in advance, creating a "hit-list" of probable victims with good network connections. This list is created well before the release of the worm. There are some scanning techniques that look only for particular criteria, such as the operating system the machine is running, which servers are running, and the version of the operating system. Other sources for such a list are stealthy scans, distributed scanning, DNS searches, simply listening, and public surveys such as the Netcraft Survey.

c) Externally Generated Target Lists: An externally generated list is one which is maintained by a separate server, such as a matchmaking service's metaserver. This can also be used to speed up worm propagation. Such a worm has not yet been seen in the wild.

d) Internal Target Lists: Many applications contain information about other hosts providing vulnerable services. Such target lists can be used to create "topological" worms, where the worm searches the local information to find new victims by trying to discover the local communication topology.

e) Passive: These do not seek out victim machines. Instead, they either wait for potential victims to contact the worm or rely on user behaviour to discover new targets. Although potentially slow, these worms produce no anomalous traffic patterns during target discovery, which potentially makes them highly stealthy.
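The scanning behaviour in a) leaves a footprint a defender can look for, and the passive worms in e) do not. As an added example that is not part of the paper, the following check flags source hosts whose connection attempts fan out to many distinct addresses on one port within a short window and labels the pattern as sequential or random; the flow-record layout, thresholds and sample records are constructed for the example.

```python
"""Spot worm-style target scanning in connection records (added example).

Section 4.1 describes sequential and random scanning. Both leave the same
footprint for a defender: one source reaching many distinct destinations on a
single port in a short time, mostly without a completed connection. Passive
worms (item e) produce no such footprint, so this check will not see them.
All records, thresholds and field names below are constructed for the demo.
"""
from collections import defaultdict
from ipaddress import ip_address

# Record layout (constructed): (timestamp_s, src_ip, dst_ip, dst_port, syn_only)
# syn_only=True marks an attempt that never completed, as probes of unused or
# non-vulnerable addresses typically do.


def classify_pattern(targets):
    """Label a set of destination addresses as a sequential block walk or random."""
    nums = sorted(int(ip_address(t)) for t in targets)
    steps = [b - a for a, b in zip(nums, nums[1:])]
    if steps and sum(1 for s in steps if s == 1) >= 0.8 * len(steps):
        return "sequential"
    return "random"


def scan_suspects(flows, window_s=60, min_targets=8, min_port_share=0.8):
    """Return {src_ip: summary} for sources whose fan-out in some window looks like scanning.

    A source is flagged when, inside one sliding window of window_s seconds, it
    contacts at least min_targets distinct destinations and at least
    min_port_share of those attempts go to the same destination port. The
    summary kept is the window with the largest number of distinct targets.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port, syn_only in flows:
        by_src[src].append((ts, dst, port, syn_only))

    suspects = {}
    for src, recs in by_src.items():
        recs.sort()
        best = None
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window_s:
                start += 1
            window = recs[start:end + 1]
            targets = {dst for _, dst, _, _ in window}
            if len(targets) < min_targets:
                continue
            port_counts = defaultdict(int)
            for _, _, port, _ in window:
                port_counts[port] += 1
            top_port, top_count = max(port_counts.items(), key=lambda kv: kv[1])
            if top_count / len(window) < min_port_share:
                continue
            if best is None or len(targets) > best["targets"]:
                failed = sum(1 for rec in window if rec[3])
                best = {"targets": len(targets), "port": top_port,
                        "failed_share": round(failed / len(window), 2),
                        "pattern": classify_pattern(targets)}
        if best:
            suspects[src] = best
    return suspects


def _sequential_probe(src, t0, first_dst, count, port):
    """Constructed records for a host walking an address block in order."""
    base = ip_address(first_dst)
    return [(t0 + i, src, str(base + i), port, True) for i in range(count)]


# Constructed random-scan destinations (documentation ranges, not real hosts).
RANDOM_DSTS = ["203.0.113.17", "198.51.100.200", "192.0.2.44", "203.0.113.250",
               "198.51.100.9", "192.0.2.130", "203.0.113.3", "198.51.100.77",
               "192.0.2.201", "203.0.113.129"]

SAMPLE_FLOWS = (
    _sequential_probe("10.0.0.5", 100.0, "192.168.1.1", 12, 135)
    + [(200.0 + i, "10.0.0.9", dst, 445, True) for i, dst in enumerate(RANDOM_DSTS)]
    # Ordinary client: a few completed connections to a handful of servers.
    + [(300.0, "10.0.0.2", "10.0.0.50", 443, False),
       (305.0, "10.0.0.2", "10.0.0.51", 80, False),
       (310.0, "10.0.0.2", "10.0.0.50", 443, False),
       (340.0, "10.0.0.2", "10.0.0.52", 53, False)]
    # A passive worm's host looks like this: one ordinary connection, nothing to flag.
    + [(400.0, "10.0.0.7", "10.0.0.60", 25, False)]
)

if __name__ == "__main__":
    for src, info in scan_suspects(SAMPLE_FLOWS).items():
        print(src, info)
```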
  • 18. 4.2 Infection Propagator: This is the strategy the worm uses to transfer itself to a new node and gain control of the remote machine. Most worms assume that the target is a particular kind of Windows machine and send a copy of the worm compatible with that system.

4.3 Remote Control and Update Interface: Another important component of a worm is remote control using a communication module. Without such a module, the worm's author cannot control the worm network by sending control messages to the worm copies. Such remote control can allow the attacker to use the worm as a DDoS (distributed denial of service) tool on the zombie network against several unknown targets. The attacker is interested in changing the behaviour of the worm and even sending new infection strategies to as many compromised nodes as possible.

4.4 Life-Cycle Manager: Some writers prefer to run a version of a computer worm for a preset period of time. On the other hand, many worms have bugs in their life-cycle manager component and continue to run without ever stopping.
  • 19. 4.5 Payload: This is an optional but common component of a worm. An increasingly popular payload is a DDoS attack against a particular website. These can utilise the compromised systems as a "super computer". Recently it has become popular to install an SMTP (Simple Mail Transfer Protocol) spam relay as the payload of a worm.

4.6 Self-Tracking: Many virus authors are interested in seeing how many machines the virus can infect, and they also want others to be able to track the path of virus infections.
  • 20. CHAPTER 5 IDENTIFICATION METHODS

One of the few solid theoretical results in the study of computer viruses is Frederick B. Cohen's 1987 demonstration that there is no algorithm that can perfectly detect all possible viruses. The proof relies on the "infect" and "spread" abilities of computer viruses. While common, the "infect" and "spread" abilities of a computer code, which create the "replicate" ability, are not necessarily contained in malware. "Computer virus", in its recent meaning, and "malware" are overlapping terms, but not synonymous. The difference is between code with the ability to "infect" and "spread" and code with malicious purpose.

There are several methods which antivirus software can use to identify malware. Signature-based detection is the most common method. To identify viruses and other malware, antivirus software compares the contents of a file to a dictionary of virus signatures. Because viruses can embed themselves in existing files, the entire file is searched, not just as a whole but also in pieces.[16] Heuristic-based detection, like malicious activity detection, can be used to identify unknown viruses. File emulation is another heuristic approach. File emulation involves executing a program in a virtual environment and logging what actions the program performs. Depending on the actions logged, the antivirus software can determine if the program is malicious or not and then carry out the appropriate disinfection actions.

5.1 Signature-based detection: Traditionally, antivirus software relied heavily upon signatures to identify malware. This can be very effective, but cannot defend against malware unless samples have already been obtained and signatures created. Because of this, signature-based approaches are not effective against new, unknown viruses. As new viruses are being created each day, the signature-based detection approach requires frequent updates of the virus signature dictionary. To assist the antivirus software companies, the software may allow the user to upload new viruses or variants to the company, allowing the virus to be analyzed and the signature added to the dictionary. Signatures are obtained by human experts using reverse engineering. An example of software used in reverse engineering is Interactive Disassembler. Such software does not implement antivirus protection, but facilitates human analysis. Although the signature-based approach can effectively contain virus outbreaks, virus authors have tried to stay a step ahead of such software by writing "oligomorphic", "polymorphic" and, more recently, "metamorphic" viruses, which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as not to match virus signatures in the dictionary.

  • 21. 5.2 Heuristics: Some more sophisticated antivirus software uses heuristic analysis to identify new malware or variants of known malware. Many viruses start as a single infection and, through either mutation or refinements by other attackers, can grow into dozens of slightly different strains, called variants. Generic detection refers to the detection and removal of multiple threats using a single virus definition. For example, the Vundo trojan has several family members, depending on the antivirus vendor's classification. Symantec classifies members of the Vundo family into two distinct categories, Trojan.Vundo and Trojan.Vundo.B. While it may be advantageous to identify a specific virus, it can be quicker to detect a virus family through a generic signature or through an inexact match to an existing signature. Virus researchers find common areas that all viruses in a family share uniquely and can thus create a single generic signature. These signatures often contain non-contiguous code, using wildcard characters where differences lie. These wildcards allow the scanner to detect viruses even if they are padded with extra, meaningless code. A detection that uses this method is said to be "heuristic detection."

Variants of viruses are referred to with terminology such as "oligomorphic", "polymorphic" and "metamorphic", where the differences between specific variants of the same virus are significantly high. In such cases, there are dedicated statistical analysis-based algorithms, implemented in the "real time" protection, which analyse software behaviour. This approach is not absolutely exact and results in higher resource usage on the computer. Since "oligomorphic", "polymorphic" and "metamorphic" engine development is difficult and the resulting computer code has a (relatively) high dimension (although such cases are very rare), this approach can be used with a relatively high success rate. This approach may require human ingenuity for the design of the algorithm. If the antivirus software employs heuristic detection, success depends on achieving the right balance between false positives and false negatives. Because of the possibility of false positives and false negatives, the identification process is subject to human assistance, which may include user decisions but also analysis from an expert of the antivirus software company.

5.3 Rootkit detection: Anti-virus software can attempt to scan for rootkits; a rootkit is a type of malware that is designed to gain administrative-level control over a computer system without being detected. Rootkits can change how the operating system functions and in some cases can tamper with the anti-virus program and render it ineffective. Rootkits are also difficult to remove, in some cases requiring a complete re-installation of the operating system.
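The contrast between a dictionary of exact signatures (5.1) and a generic family signature with wildcards (5.2), together with the metamorphic evasion both sections mention, can be made concrete. The following added example is not the paper's code: it implements both detectors over constructed byte strings (placeholders, not real virus code), showing the generic signature catching a padded, mutated variant that the exact hash misses, and failing once the code is reordered.

```python
"""Exact hash signatures versus a generic wildcard signature (added example).

Section 5.1 describes dictionary look-ups that only match samples already
seen; section 5.2 describes generic family signatures with wildcard bytes
that also catch variants padded or slightly mutated. This demo implements
both and shows where each fails. Every byte string below is a constructed
placeholder for the demo, not code from any real virus.
"""
import hashlib
import re


def parse_signature(text):
    """Compile 'E8 00 ?? 5D' style text into a regex over raw bytes.

    '??' matches any single byte. Literal bytes are escaped so that values
    such as 0x2A ('*') or 0x2E ('.') are matched literally, not as regex
    operators; DOTALL lets the wildcard match 0x0A as well.
    """
    parts = []
    for tok in text.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan_generic(data, signatures):
    """Search the whole buffer, at every offset, for each wildcard signature.

    Returns [(name, offset)] so the analyst can see where in the file the
    family code sits (for an appender, after the original host).
    """
    hits = []
    for name, pattern in signatures.items():
        match = pattern.search(data)
        if match:
            hits.append((name, match.start()))
    return hits


def scan_exact(data, hash_dictionary):
    """Whole-file hash look-up: matches only a byte-identical sample."""
    return hash_dictionary.get(hashlib.sha256(data).hexdigest())


# --- constructed samples ---------------------------------------------------
# Shared "family code": a fixed prologue, one byte that differs per variant,
# a fixed epilogue. The byte values are arbitrary filler.
PROLOGUE = bytes.fromhex("e80000005d81ed")
EPILOGUE = bytes.fromhex("8d85000000008b00")
HOST_A = b"MZ" + b"\x00" * 40 + b"host program A"
HOST_B = b"MZ" + b"\x00" * 40 + b"host program B"


def make_variant(host, mutable_byte, padding):
    """Appender-style layout: host first, family code and junk padding after it."""
    return host + PROLOGUE + bytes([mutable_byte]) + EPILOGUE + padding


VARIANT_A = make_variant(HOST_A, 0x10, b"\x90" * 3)
VARIANT_B = make_variant(HOST_B, 0x55, b"\xcc" + b"\x90" * 6)   # padded, one byte mutated
# A "metamorphic" rewrite that swaps the two halves: the generic signature
# no longer lines up, which is the evasion section 5.1 warns about.
VARIANT_C = HOST_A + EPILOGUE + bytes([0x10]) + PROLOGUE + b"\x90" * 3
CLEAN = HOST_A + b"\x90" * 16

GENERIC_SIGNATURES = {
    "Demo.Family (generic)": parse_signature(
        "E8 00 00 00 5D 81 ED ?? 8D 85 00 00 00 00 8B 00"),
}
# The exact dictionary was built from VARIANT_A only, as if that were the
# single sample the lab had received.
EXACT_DICTIONARY = {hashlib.sha256(VARIANT_A).hexdigest(): "Demo.Family.A"}


def classify(data):
    """Run both detectors over one buffer and report what each one finds."""
    return {
        "exact": scan_exact(data, EXACT_DICTIONARY),
        "generic": [name for name, _ in scan_generic(data, GENERIC_SIGNATURES)],
    }


if __name__ == "__main__":
    for label, sample in [("A", VARIANT_A), ("B", VARIANT_B),
                          ("C", VARIANT_C), ("clean", CLEAN)]:
        print(label, classify(sample))
```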
  • 22. 5.4 Malware detection and removal:

5.4.1 Method 1: The most popular approach to this requirement is to install an antivirus program and keep it current. As new viruses are detected on a daily basis, the signatures and heuristic methods need to be updated very regularly. For this reason, modern antivirus programs generally include facilities to update themselves automatically over a network connection whenever new virus signatures and heuristics become available.

5.4.2 Method 2: Platforms which are not themselves thought to be vulnerable to viruses but which are used to distribute content potentially including viruses, e.g. via email between Windows users, must also scan for viruses to avoid becoming part of this problem. But the number of known virus signatures continues to increase, so even with the ClamAV antivirus package, which is open source and freely installable, growing memory demands are making this job increasingly expensive. The next slide shows how many virus signatures exist and how much memory these occupy as of November 2008.

5.4.3 Other countermeasures: One approach involves stopping a system from running and mounting its hard disk using another operating system, booted from trusted media. Tools can be run on the trusted system to detect suspicious changes to files on the system being scanned. This is considered more reliable than running antivirus software directly on the system, which might have been compromised and where the results of the antivirus scan may also have been compromised by an unknown virus. The trusted scanning system might also store a set of hash signatures or checksums of files which the virus might modify, and test whether any executables or registry tables have been modified.
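The trusted-media countermeasure in 5.4.3 amounts to a hash manifest and a comparison. The following added example (not the paper's code) builds such a manifest, tampers with constructed files in a temporary directory, and verifies the disk against the manifest; it also singles out modified files whose size did not change, the case sections 3.1 and 3.6 describe for overwriting and cavity viruses, where a length check alone would pass.

```python
"""Offline integrity check with stored file hashes (added example).

Section 5.4.3 proposes hashing files from a trusted system and later testing
whether executables have been modified. This demo builds such a manifest,
then verifies a disk against it. It also shows why hashes rather than sizes
are needed: overwriting viruses (3.1) and cavity viruses (3.6) leave the host
size unchanged, so a length check alone would pass. Paths and contents are
constructed in a temporary directory for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries need little memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (POSIX-style relative path) to (size, sha256).

    Run this from the trusted system and keep the result on trusted media.
    """
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): (path.stat().st_size, file_digest(path))
        for path in sorted(root.rglob("*")) if path.is_file()
    }


def verify(root, manifest):
    """Compare the mounted, untrusted disk against the stored manifest."""
    current = build_manifest(root)
    report = {"modified": [], "same_size_modified": [], "added": [], "removed": []}
    for name, (size, digest) in manifest.items():
        if name not in current:
            report["removed"].append(name)
            continue
        cur_size, cur_digest = current[name]
        if cur_digest != digest:
            report["modified"].append(name)
            if cur_size == size:      # a size-only check would have missed this
                report["same_size_modified"].append(name)
    report["added"] = sorted(set(current) - set(manifest))
    return report


def demo():
    """Constructed scenario: baseline, three kinds of tampering, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "data").mkdir()
        (root / "bin" / "editor.exe").write_bytes(b"MZ" + b"A" * 62)
        (root / "bin" / "viewer.exe").write_bytes(b"MZ" + b"B" * 30)
        (root / "data" / "report.doc").write_bytes(b"quarterly report")
        manifest = build_manifest(root)   # taken while the system is known good

        # 1) overwriting-style change: same length, different bytes
        (root / "bin" / "editor.exe").write_bytes(b"MZ" + b"X" * 62)
        # 2) a new executable dropped next to the others
        (root / "bin" / "dropper.exe").write_bytes(b"MZ" + b"C" * 10)
        # 3) a document removed
        (root / "data" / "report.doc").unlink()
        return verify(root, manifest)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:>19}: {names}")
```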
CHAPTER 6 Virus prevention

6.1 Antivirus or anti-virus software:

It is used to prevent, detect and remove malware, including but not limited to computer viruses, computer worms, trojan horses, spyware and adware. Computer security, including protection from social engineering techniques, is commonly offered in the products and services of antivirus software companies. This chapter discusses the software used for the prevention and removal of malware threats, rather than computer security implemented by software methods in general.

Figure: An example of free antivirus software, ClamTk 3.08.

A variety of strategies are typically employed. Signature-based detection involves searching for known patterns of data within executable code. However, it is possible for a computer to be infected with new malware for which no signature is yet known. To counter such so-called zero-day threats, heuristics can be used. One type of heuristic approach, generic signatures, can identify new viruses or variants of existing viruses by looking for known malicious code, or slight variations of such code, in files. Some antivirus software can also predict what a file will do by running it in a sandbox and analysing what it does, to see whether it performs any malicious actions.
6.2 Generations of antivirus s/w:

First generation (simple scanners): the scanner uses a virus signature to identify a virus, or a change in the length of programs.

Second generation (heuristic scanners): uses heuristic rules to spot viral infection, or uses a cryptographic hash of the program to spot changes.

Third generation (activity traps): memory-resident programs identify a virus by its actions.

Fourth generation (full-featured protection): packages with a variety of antivirus techniques, e.g. scanning and activity traps together with access-control capability.

6.3 Advanced antivirus techniques:

1. Generic Decryption: enables the antivirus program to detect even the most complex polymorphic viruses. Every executable file should be run in the GD scanner, which has a CPU emulator, a virus signature scanner and an emulation control module.

2. Digital Immune System: developed by IBM to solve threats in a network; it covers integrated mail systems and mobile program systems.

6.4 Other Technologies:

No matter how useful antivirus software can be, it can sometimes have drawbacks. Antivirus software can impair a computer's performance. Inexperienced users may also have trouble understanding the prompts and decisions that antivirus software presents them with, and an incorrect decision may lead to a security breach. If the antivirus software employs heuristic detection, success depends on achieving the right balance between false positives and false negatives; false positives can be as destructive as false negatives. Finally, antivirus software generally runs at the highly trusted kernel level of the operating system, creating a potential avenue of attack. Installed antivirus software running on an individual computer is only one method of guarding against viruses. Other methods are also used, including cloud-based antivirus, firewalls and on-line scanners.
6.4.1 Cloud antivirus: Cloud antivirus is a technology that uses lightweight agent software on the protected computer, while offloading the majority of data analysis to the provider's infrastructure.
One approach to implementing cloud antivirus involves scanning suspicious files using multiple antivirus engines. This approach was proposed by an early implementation of the cloud antivirus concept called CloudAV. CloudAV was designed to send programs or documents to a network cloud where multiple antivirus and behavioral detection programs are used simultaneously in order to improve detection rates. Parallel scanning of files using potentially incompatible antivirus scanners is achieved by spawning a virtual machine per detection engine, thereby eliminating any possible conflicts between them. CloudAV can also perform "retrospective detection", whereby the cloud detection engine rescans all files in its file access history when a new threat is identified, thus improving the speed of new threat detection. Finally, CloudAV is a solution for effective virus scanning on devices that lack the computing power to perform the scans themselves.

6.4.2 Network firewall: Network firewalls prevent unknown programs and processes from accessing the system. However, they are not antivirus systems and make no attempt to identify or remove anything. They may protect against infection from outside the protected computer or network, and limit the activity of any malicious software which is present by blocking incoming or outgoing requests on certain TCP/IP ports. A firewall is designed to deal with broader system threats that come from network connections into the system and is not an alternative to a virus protection system.

Figure: An illustration of where a firewall would be located in a network.
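The three detection ideas in 6.1 and 6.4.1, as one added example (not code from this report, from ClamAV or from CloudAV): an exact byte signature, a "generic" signature whose wildcard bytes also match slight variants of the same code, several independent engines giving verdicts on the same sample, and CloudAV-style retrospective detection that rescans the file access history when a new rule arrives. The signatures, engine names and sample byte strings are constructed for the demonstration and do not describe any real malware.

```python
"""Signature scanning, generic signatures and retrospective rescanning.

Added example for sections 6.1 and 6.4.1. Every signature, engine name and
sample below is constructed; the scanner is a plain byte-pattern matcher,
not the matching engine of any real antivirus product.
"""
import hashlib

WILDCARD = None  # stands for "any byte" inside a generic signature


def parse_signature(text):
    """Turn 'E8 ?? ?? ?? ?? 5D' into a list of ints with None for each '??'."""
    return [WILDCARD if tok == "??" else int(tok, 16) for tok in text.split()]


def match_at(data, pattern, offset):
    """True if `pattern` (possibly with wildcards) matches `data` at `offset`."""
    if offset + len(pattern) > len(data):
        return False
    return all(p is WILDCARD or data[offset + i] == p
               for i, p in enumerate(pattern))


def scan_bytes(data, signatures):
    """Return the names of all signatures found anywhere in `data`."""
    return [name for name, pattern in signatures.items()
            if any(match_at(data, pattern, off) for off in range(len(data)))]


# Constructed signatures. The first is an exact byte sequence; the second keeps
# only the opcode bytes of a call/pop/ret stub and lets the 4-byte relative
# address vary, so it also matches recompiled or lightly edited variants.
ENGINE_A = {"Demo.Exact": parse_signature("DE AD BE EF CA FE")}
ENGINE_B = {"Demo.Generic": parse_signature("E8 ?? ?? ?? ?? 5D C3")}


class CloudScanner:
    """Fan a sample out to several engines and remember everything scanned."""

    def __init__(self, engines):
        self.engines = engines   # engine name -> {signature name: pattern}
        self.history = {}        # sha256 -> (label, data): the file access history

    def scan(self, label, data):
        digest = hashlib.sha256(data).hexdigest()
        self.history[digest] = (label, data)
        verdicts = {eng: scan_bytes(data, sigs) for eng, sigs in self.engines.items()}
        flagged = [eng for eng, hits in verdicts.items() if hits]
        return {"label": label, "sha256": digest, "flagged_by": flagged, "hits": verdicts}

    def add_signature(self, engine, name, text):
        """Retrospective detection: rescan the history with the new rule only."""
        pattern = parse_signature(text)
        self.engines[engine][name] = pattern
        return [label for _digest, (label, data) in self.history.items()
                if scan_bytes(data, {name: pattern})]


def demo():
    """Scan three constructed samples, then add a rule and rescan the history."""
    cloud = CloudScanner({"A": dict(ENGINE_A), "B": dict(ENGINE_B)})
    original = b"\x55\xE8\x10\x00\x00\x00\x5D\xC3" + b"\xDE\xAD\xBE\xEF\xCA\xFE"
    variant = b"\x55\xE8\x44\x01\x00\x00\x5D\xC3" + b"\xDE\xAD\xBE\xEF\xCA\xFF"
    clean = b"\x55\x89\xE5\x5D\xC3"
    results = [cloud.scan(n, d) for n, d in
               (("original", original), ("variant", variant), ("clean", clean))]
    retro = cloud.add_signature("A", "Demo.Tail", "CA FF")
    return results, retro


if __name__ == "__main__":
    for r in demo()[0]:
        print(r["label"], r["flagged_by"], r["hits"])
    print("retrospective hits:", demo()[1])
```

The "variant" sample differs from "original" by one byte in the exact signature and by its call target, so only the wildcard rule catches it at scan time; the new "Demo.Tail" rule added afterwards is matched against the stored history without the client having to resubmit the file, which is exactly the benefit the CloudAV description claims.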
6.4.3 Online scanning: Some antivirus vendors maintain websites with free online scanning capability for the entire computer, critical areas only, local disks, folders or files. Periodic online scanning is a good idea for those that run antivirus applications on their computers, because those applications are frequently slow to catch threats. One of the first things that malicious software does in an attack is disable any existing antivirus software, and sometimes the only way to know of an attack is by turning to an online resource that is not installed on the infected computer.

Figure: Using rkhunter to scan for rootkits on an Ubuntu Linux computer.

6.4.4 Specialist tools: Virus removal tools are available to help remove stubborn infections or certain types of infection. Examples include Trend Micro's Rootkit Buster and rkhunter for the detection of rootkits, Avira's AntiVir Removal Tool, PCTools Threat Removal Tool, and AVG's Anti-Virus Free 2011. A bootable rescue disk, such as a CD or USB storage device, can be used to run antivirus software outside of the installed operating system, in order to remove infections while they are dormant. A bootable antivirus disk can be useful when, for example, the installed operating system is no longer bootable or has malware that is resisting all attempts to be removed by the installed antivirus software.
CHAPTER 7 CASE STUDIES

7.1 Slammer Worm

The Slammer worm, sometimes called Sapphire, was the fastest computer worm in history till now. It began spreading on January 25, 2003. Spreading through the Internet, it infected more than 90 percent of vulnerable hosts within 10 minutes, causing significant disruption to financial, transportation and government institutions and precluding any human-based response.

1) Vulnerability: Microsoft's database server SQL Server 2000, or Microsoft SQL Server Desktop Engine (MSDE) 2000, exhibits two buffer overrun vulnerabilities that can be exploited by a remote attacker without ever having to authenticate to the server. These are attacked using stack overflow and heap overflow techniques.

2) Target Selection: It used random scanning to select IP addresses, thereby finding vulnerable systems. Random-scanning worms initially spread exponentially; later the infection slows as the worms continually retry infected or immune addresses. Slammer is bandwidth-limited, in contrast to Code Red, which is latency-limited.

3) Infection Propagator: It carries only 376 bytes of code, consisting of a simple, fast scanner. Along with the protocol headers, the total size is 404 bytes. It used the UDP protocol for propagation, so it can transmit the entire packet in a single transfer. It uses port 1434 to transfer packets. It does not write itself to the system's disk; it exists only as network packets and in running processes on the infected computers.

4) Payload: It does not contain any additional malicious content in the form of backdoors, etc. The speed at which it attempts to re-infect systems is itself what creates the denial-of-service effect.

5) Network Propagation: When the SQL server receives a malicious request, the overrun of the server's buffer allows the worm code to be executed.
After the worm has entered the vulnerable system, it first obtains the addresses of certain functions and then starts an infinite loop to scan for other vulnerable hosts on the Internet. It runs a pseudo-random number generation formula seeded with the GetTickCount() value to generate an IP address that is used as the target, thereby spreading further into the network and infecting vulnerable machines. It does not check whether multiple instances of the worm have already infected the system. The damage could have been far greater had it carried any malicious code with it. The worm author made a few mistakes; for example, in the pseudo-random number generation algorithm the author used the recurrence x(n+1) = (x(n) × 214013 + 2531011) mod 2^32, but substituted a different value for the increment 2531011: hex 0xFFD9613C. This value is equivalent to -2531012 when interpreted as a two's-complement decimal.
6) Prevention: This can be prevented using a firewall which blocks port 1434, as the worm infects through this port only.

7.2 Blaster Worm

It is a multi-stage worm first observed on August 11, 2003. It affected between 200,000 and 500,000 computers.

1) Vulnerability: It exploited a remote procedure call (RPC) vulnerability of the Microsoft Windows 2000 and Windows XP operating systems, which was made public in July 2003.

2) Initialization: When launched, the worm opens a mutex called "BILLY" that is used to prevent multiple infections of the same machine, and sets a registry key which ensures that it is started every time the system reboots.

3) Target Selection: In the initialization phase it decides whether to use the exploit code for Microsoft Windows XP (with 80% probability) or the one for Windows 2000. With 60% probability it starts scanning from an IPv4 address of the form X.Y.Z.0, where X, Y and Z are chosen at random. With 40% probability, an address of the form X.Y.Z1.0 derived from the infected computer's local address X.Y.Z.U is chosen; Z1 is set to Z unless Z is greater than 20, in which case a random value less than 20 is subtracted from Z to get Z1. The destination IP is incremented after each scan.

4) Infection Propagator: If a TCP connection to destination port 135 is opened, the exploit code is sent to the victim. If the machine was vulnerable, it starts listening on 4444/TCP and allows remote command execution; unpatched Windows XP automatically reboots. Next the worm initiates a TCP connection to port 4444; if successful, the mblast.exe file is transferred using TFTP (Trivial File Transfer Protocol, a smaller version of FTP). After that, if TFTP requests are not blocked, the worm code is downloaded over UDP port 69. The infected host stops its TFTP daemon after transmission or after 20 seconds of inactivity. If successful, it sends the command mblast.exe on the already open TCP connection to port 4444 of the victim.

5) Payload: The payload of the worm for the RPC step is as follows: 72 bytes for RPC, 1460 bytes for the "request" and a 244-byte TCP packet. Along with these there are 40-48 bytes for TCP/IP, which brings the worm to 1976 to 2016 bytes. The worm code is 6176 bytes; along with the overhead of headers it comes to 6592 bytes at the IP layer.

6) Prevention: This can be prevented by using a firewall that blocks incoming traffic to port 135/TCP, port 4444 or the TFTP port, and by applying the operating system patch against the RPC vulnerability.
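The two case studies describe very different propagation patterns, and both are visible at the flow level without any payload inspection. The following added example (not code from this report or from the papers it draws on) turns those descriptions into detection logic over NetFlow-style records: a source sending small UDP datagrams to port 1434 at many distinct addresses within a short window (Slammer-style random scanning, using the 404-byte packet size from the case study) and a source that sweeps consecutive addresses on TCP/135, then connects to TCP/4444 on one of them, after which that victim pulls a file back over UDP/69 (Blaster's staged infection). The flow log, the addresses and the thresholds are constructed for the demonstration.

```python
"""Flow-level detection of Slammer-like and Blaster-like propagation.

Added example for the case studies in chapter 7. The flow records, addresses
and thresholds are constructed; real thresholds would be tuned against the
baseline traffic of the monitored network.
"""
from collections import defaultdict
import ipaddress

# Constructed flow log: timestamp, source, destination, proto, dport, bytes.
FLOWS = """\
0.0 10.0.0.5 198.51.100.7 udp 1434 404
0.1 10.0.0.5 203.0.113.9 udp 1434 404
0.2 10.0.0.5 192.0.2.44 udp 1434 404
0.3 10.0.0.5 198.51.100.200 udp 1434 404
0.4 10.0.0.5 203.0.113.77 udp 1434 404
1.0 10.0.0.9 10.0.1.1 tcp 135 120
1.1 10.0.0.9 10.0.1.2 tcp 135 120
1.2 10.0.0.9 10.0.1.3 tcp 135 2016
1.3 10.0.0.9 10.0.1.3 tcp 4444 80
1.4 10.0.1.3 10.0.0.9 udp 69 6592
2.0 10.0.0.20 10.0.5.5 tcp 443 5200
2.1 10.0.0.20 10.0.5.6 tcp 443 3100
"""


def parse_flows(text):
    """Parse the whitespace-separated flow log into a list of dicts."""
    records = []
    for line in text.splitlines():
        ts, src, dst, proto, dport, nbytes = line.split()
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "proto": proto, "dport": int(dport), "bytes": int(nbytes)})
    return records


def slammer_like(records, window=1.0, min_targets=5, max_bytes=404):
    """Sources reaching >= min_targets distinct hosts on udp/1434 within `window` s.

    Only datagrams no larger than the worm packet are counted, so ordinary
    (larger) SQL Server browser traffic to the same port is ignored.
    """
    per_src = defaultdict(list)
    for r in records:
        if r["proto"] == "udp" and r["dport"] == 1434 and r["bytes"] <= max_bytes:
            per_src[r["src"]].append(r)
    alerts = []
    for src, rs in per_src.items():
        rs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(rs):
            targets = {r["dst"] for r in rs[i:] if r["ts"] - first["ts"] <= window}
            if len(targets) >= min_targets:
                alerts.append(src)
                break
    return sorted(alerts)


def blaster_like(records, min_sweep=3):
    """(scanner, victim) pairs showing the tcp/135 sweep -> tcp/4444 -> udp/69 chain."""
    by_src = defaultdict(lambda: defaultdict(set))  # src -> (proto, dport) -> dsts
    tftp_pulls = set()                               # (victim, infected host)
    for r in records:
        key = (r["proto"], r["dport"])
        by_src[r["src"]][key].add(r["dst"])
        if key == ("udp", 69):
            tftp_pulls.add((r["src"], r["dst"]))
    alerts = []
    for src, ports in by_src.items():
        scanned = sorted(int(ipaddress.ip_address(d)) for d in ports[("tcp", 135)])
        # Blaster increments the destination after each probe, so the scanned
        # addresses form a run of consecutive integers.
        sequential = len(scanned) >= min_sweep and all(
            b - a == 1 for a, b in zip(scanned, scanned[1:]))
        if not sequential:
            continue
        for victim in ports[("tcp", 4444)]:
            if (victim, src) in tftp_pulls:
                alerts.append((src, victim))
    return sorted(alerts)


def detect(text=FLOWS):
    """Run both detectors over a flow log and return the alerts by pattern."""
    records = parse_flows(text)
    return {"slammer_like": slammer_like(records), "blaster_like": blaster_like(records)}


if __name__ == "__main__":
    print(detect())
```

The host 10.0.0.20 talking to two HTTPS servers is there to show that distinct-destination counting alone is not enough: the Slammer rule keys on the port and the tiny packet size, and the Blaster rule requires the full three-stage chain, which is what keeps the false-positive rate manageable. The per-port firewall rules the report recommends under "Prevention" stop the infection; these flow checks tell the operator which internal hosts are already infected and need to be isolated and patched.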
CONCLUSION

I have gone through the basic definitions of viruses and worms, then discussed the different malicious code environments. After that I discussed the different types of viruses and worms, then discussed in detail the various virus and worm propagation techniques. After that I discussed prevention from viruses and worms. I have also looked into two case studies, the Slammer and Blaster worms.

The ability of attackers to rapidly gain control of vast numbers of Internet hosts poses an immense risk to the overall security of the Internet. Nowadays virus writers are concentrating more on writing worms, as these have a great capability to spread over the network in a few minutes. There are various upcoming techniques in worm propagation, such as polymorphic worms, which are a really big threat to the Internet community. Worms can be written so that they affect only a particular region or country. There are worms which will keep quiet for a specific amount of time and attack at random times. These worms can also be used to create Distributed Denial of Service (DDoS) attacks, which are a real threat to websites and network traffic.

Can a virus ever be good? In biology, viruses enable potentially beneficial DNA to be transferred between species. This is considered to be a part of the optimisation of the evolutionary process. But it is thought unlikely that anyone could benefit from computer viruses, other than through the proceeds of crime which those who write and spread viruses might obtain. The difference between a virus and another kind of program is that an ordinary program will normally have the informed consent of the system owner before it can be installed.
While there is a similarity between an operating system which can create a copy of itself on installation media and a virus, the OS that makes it easy for its users to copy it does this with the users' full knowledge and consent. There is no situation in which taking away the end user's consent to perform an action is considered likely to be of benefit.