Recent Internet Viruses & Worms
By Doppalapudi Raghu
Outline
• History of Malicious Logic
• Types of Viruses & Worms
• Recent Internet viruses
• Recent Internet Worms
• Defense
• Good Habits in the Computer world
History
• Definition of malicious logic
• Fred Cohen
• Brain Virus (1986)
• MacMag peace virus (1987)
• Duff’s Experiment virus (1987)
Understanding Virus names: Symantec Notation
• Family name
• Names for the variants in a virus family
• A suffix is added to the family name for each variant in the same family
• Examples
• badvirus.a ... badvirus.z
• badvirus.aa ... badvirus.az
• badvirus.ba ... badvirus.bz
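The suffix sequence on this slide (a..z, then aa..az, ba..bz, and so on) is a bijective base-26 numbering. The following is an added example, not part of the deck, that turns a variant number into its suffix and back and splits a full name such as Virus.win32.VB.cx into family and variant; the name "badvirus" is the slide's own placeholder.

```python
"""Symantec-style variant suffixes (added example, not from the slides).

Variants in one family are lettered a..z, aa..az, ba..bz, ...; this is a
bijective base-26 numbering with no zero digit, so 'aa' follows 'z'.
"""
import string

LETTERS = string.ascii_lowercase


def variant_suffix(n: int) -> str:
    """Suffix for the n-th variant: 1 -> 'a', 26 -> 'z', 27 -> 'aa', 53 -> 'ba'."""
    if n < 1:
        raise ValueError("variant numbers start at 1")
    out = []
    while n > 0:
        n, rem = divmod(n - 1, 26)   # subtract 1 so that 26 maps to 'z', not to 'a0'
        out.append(LETTERS[rem])
    return "".join(reversed(out))


def variant_index(suffix: str) -> int:
    """Inverse of variant_suffix: 'a' -> 1, 'z' -> 26, 'aa' -> 27, 'cx' -> 102."""
    if not suffix or any(c not in LETTERS for c in suffix):
        raise ValueError(f"not a variant suffix: {suffix!r}")
    n = 0
    for c in suffix:
        n = n * 26 + (LETTERS.index(c) + 1)
    return n


def split_name(name: str) -> tuple:
    """Split 'Virus.win32.VB.cx' into ('Virus.win32.VB', 'cx')."""
    family, _, suffix = name.rpartition(".")
    if not family:
        raise ValueError(f"no variant suffix in {name!r}")
    return family, suffix


def newer_variant(a: str, b: str) -> str:
    """Of two names in the same family, return the one that was assigned later."""
    fam_a, suf_a = split_name(a)
    fam_b, suf_b = split_name(b)
    if fam_a != fam_b:
        raise ValueError("names belong to different families")
    return a if variant_index(suf_a) >= variant_index(suf_b) else b


if __name__ == "__main__":
    for i in (1, 26, 27, 52, 53, 702, 703):
        print(i, variant_suffix(i))
    print(newer_variant("badvirus.z", "badvirus.aa"))
```

The lexical order of the suffixes is not the numbering order ("aa" sorts before "z" as a string), which is why comparisons go through variant_index rather than string comparison.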
Terminology in the virus world
• Zero-day exploit
• Proof of concept
• Zombie computer
• Ethical hacker
• Payload
• Honey pots
Types of viruses
• Boot sector infectors
• Executable infectors
• Multipartite viruses
• TSR viruses
• Stealth viruses
• Encrypted viruses
• Polymorphic viruses
• Macro viruses
• Many new virus types are added to the list
• Companion virus: a file with the same name as the target is created, but with an extension that is higher in the execution hierarchy, so it runs in place of the original
• Link virus: these viruses make changes to the File Allocation Table
Virus.win32.VB.cx
• Jan 12th 2007
• The virus scans the victim's machine for executable files.
• The virus itself is a Windows PE .exe file.
• The contents of files with the extensions .cpp, .doc, .htm, .html, .txt and .xls are overwritten with the following text:
"Sorry!!!! $%%#@&re*$%$rthn#$^&&!f#&%$$f$#df#@^%$~`<:JHFgYttrt" "$%%%7``0924ksh<:{[86#$36455hgf#$45"
W32/FUJACKS.AB
• 4/7/2007
• Infects .exe files, and also infects web pages by inserting malicious hyperlinks that point to the Windows .ANI exploit
• It creates the following registry key to start itself at boot time: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Death.exe\"\%system%\Death.
• Terminates processes whose names contain strings such as "zone alarm" and "Symantec anti virus".
• It also attempts to download other malware
Effects of Win32.fujacks
• Spreads through network shares that are protected with very weak passwords.
• This virus tries the passwords present in the directory.
• Changes in executable file sizes.
• Creates the following files in the root directory: setup.inf, setup.exe, GameSetup.exe
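The two Fujacks slides give a defender three concrete indicators: a Run-key value named Death.exe, a process that kills security tools, and the three files dropped in a root directory. As an added example (not the deck's code, and not a vendor tool), the script below sweeps a `reg export` of the Run key and a directory root for the first and last of those. The .reg text, the directory contents and the path C:\WINDOWS\system32 are constructed samples; only the indicator names come from the slides.

```python
"""Sweep for the Fujacks persistence and file-drop indicators on the slides.
Added example; the .reg export and the directory layout are constructed."""
import re
import tempfile
from pathlib import Path

# Indicators taken from the slides. A real sweep would read these from a feed.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_IOCS = {"death.exe"}
ROOT_FILE_IOCS = {"setup.inf", "setup.exe", "gamesetup.exe"}

# Constructed sample of a `reg export` of the Run key (not a real export).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"Death.exe"="C:\\WINDOWS\\system32\\Death.exe"
"""

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_run_entries(reg_text: str, key: str = RUN_KEY) -> dict:
    """Return {value_name: data} for the values under `key` in a .reg export."""
    entries, in_key = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = line.strip("[]").lower() == key.lower()
            continue
        m = _VALUE_RE.match(line) if in_key else None
        if m:
            # .reg files double every backslash; undo that for path handling
            entries[m["name"]] = m["data"].replace("\\\\", "\\")
    return entries


def suspicious_run_entries(entries: dict) -> list:
    """Flag Run values whose name or target file name matches an indicator."""
    hits = []
    for name, target in entries.items():
        exe = target.rsplit("\\", 1)[-1].lower()
        if name.lower() in RUN_VALUE_IOCS or exe in RUN_VALUE_IOCS:
            hits.append((name, target))
    return hits


def dropped_root_files(root: Path) -> list:
    """List indicator file names present directly in a drive or share root."""
    return sorted(p.name for p in root.iterdir()
                  if p.is_file() and p.name.lower() in ROOT_FILE_IOCS)


def demo() -> tuple:
    """Build a constructed root directory and run both checks on the samples."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("setup.inf", "GameSetup.exe", "readme.txt"):
            (root / name).write_bytes(b"constructed sample content")
        files = dropped_root_files(root)
    runs = suspicious_run_entries(parse_run_entries(SAMPLE_REG))
    return runs, files


if __name__ == "__main__":
    print(demo())
```

The match is on the executable's file name rather than its full path because the slide's own key value is truncated and the drop location can vary; a production sweep would also hash the file it finds and compare against definitions.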
Windows Vulnerabilities
• W1 Web Servers & Services
• W2 Workstation Service
• W3 Windows Remote Access Services
• W4 Microsoft SQL Server (MSSQL)
• W5 Windows Authentication
• W6 Web Browsers
• W7 File-Sharing Applications
• W8 LSASS Exposures
• W9 Mail Client
• W10 Instant Messaging
• W11 .ANI vulnerability
Windows .ANI vulnerability
• Determina Security
• The code in User32.DLL has the vulnerability
• Buffer overflow
• Remote code execution
• Microsoft released patches on April 5th
Code Red Worm
• July 13 2001
• The worm spread using the .ida (indexing service) vulnerability in Microsoft Internet Information Server
• Damage caused:
• Infected machines randomly attacked other web servers
• Performed a denial of service attack on www.whitehouse.gov
• The homepage of infected machines was defaced
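Because Code Red arrived as an HTTP request for the indexing-service extension, the web server's own logs are where a defender sees it. The following is an added example, not from the deck: it parses IIS W3C extended log lines and flags requests for .ida/.idq resources whose query string is far longer than a real indexing query. The log lines, the addresses, the field list and the 200-byte threshold are constructed assumptions.

```python
"""Detect Code Red style probes in IIS W3C extended logs (added example).
The log text is constructed to mimic the format; the indicator is the one
the slide names: requests for the .ida indexing-service extension, which
the worm hit with an oversized query string."""
from collections import Counter

# Constructed sample log. Two oversized .ida requests from one source, plus
# ordinary traffic and one legitimate short .idq query that must not fire.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 10:00:01 198.51.100.7 GET /index.htm - 200
2001-07-19 10:00:02 203.0.113.9 GET /default.ida {} 200
2001-07-19 10:00:05 203.0.113.9 GET /default.ida {} 200
2001-07-19 10:00:07 192.0.2.44 GET /search.idq cidirectory=docs 200
2001-07-19 10:00:09 198.51.100.7 GET /images/logo.gif - 304
""".format("N" * 240, "X" * 240)

IDA_EXTS = (".ida", ".idq")
MAX_QUERY = 200   # assumption: a genuine indexing query is far shorter than this


def parse_w3c(text: str) -> list:
    """Parse W3C extended log text into dicts keyed by the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            parts = line.split()
            if len(parts) == len(fields):      # skip malformed or truncated lines
                rows.append(dict(zip(fields, parts)))
    return rows


def is_ida_probe(row: dict) -> bool:
    """True for an indexing-service request carrying an abnormally long query."""
    stem = row.get("cs-uri-stem", "").lower()
    query = row.get("cs-uri-query", "-")
    if not stem.endswith(IDA_EXTS) or query == "-":
        return False
    return len(query) > MAX_QUERY


def probe_sources(text: str) -> Counter:
    """Count probes per client address: the first view an IR team wants."""
    return Counter(r["c-ip"] for r in parse_w3c(text) if is_ida_probe(r))


if __name__ == "__main__":
    for ip, n in probe_sources(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} oversized .ida/.idq requests")
```

A status of 200 on such a request is itself informative: a patched or un-mapped server answers 404, so 200 responses to oversized .ida queries point at hosts that still need the patch.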
Spida Worm
• Microsoft SQL Server vulnerability
• A different kind of worm: it exploits databases
• On SQL Server 7.0 the password is blank by default
• Connects as sa with the blank password
• The worm uses the extended stored procedure xp_cmdshell
Mytob worm
• Mass-mailing worm
• It can also exploit the LSASS vulnerability of Windows
• Stack-based buffer overflow
• It sends itself to all email addresses harvested from the victim machine, using its own email engine
• On Aug 9 2005 the proof of concept was released, and by Aug 11th worms had started attacking.
• Mytob was derived from some version of MyDoom
Worms at a glance
• Vulnerability
• Spreading methods
• Infecting
Fighting Internet worms
• Honey pots
• Computer resources set up to deceive attackers
• 2 kinds of honey pots are used
• High interaction
• Low interaction
• Honey pots versus worms
• Honey pots and worm infections
• Honey pots and payload worms
• Honey pots and propagation of worms
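A low-interaction honey pot, the simpler of the two kinds on this slide, does not run the real service at all: it listens on a port nobody legitimate should connect to, answers with a fake banner, records what the peer sends, and executes nothing. Every connection it logs is therefore a candidate worm-propagation scan. The following is an added example, not from the deck; the banner text, port 2121, the log file name and the 512-byte capture limit are assumptions.

```python
"""Minimal low-interaction honey pot (added example, not from the slides).
Answers with a fake banner, records the first bytes each peer sends, and
never passes the data to any real service."""
import json
import socket
import time
from typing import Optional

FAKE_BANNER = b"220 ftp.example.test service ready\r\n"   # constructed banner
MAX_CAPTURE = 512   # bytes kept per connection: enough for a probe, never a file


def handle_probe(peer: tuple, data: bytes, now: Optional[float] = None) -> dict:
    """Pure core: turn one connection into a log event (testable without a socket)."""
    return {
        "ts": now if now is not None else time.time(),
        "src": peer[0],
        "sport": peer[1],
        "bytes": len(data),
        # hex keeps binary payloads safe to store and grep
        "sample": data[:MAX_CAPTURE].hex(),
        # a bare TCP connect scan sends nothing; a worm talks to the service
        "payload": len(data) > 0,
    }


def serve(host: str = "127.0.0.1", port: int = 2121,
          log_path: str = "honeypot.jsonl", max_conns: Optional[int] = None) -> int:
    """Accept connections, log one JSON line per peer, return how many were handled."""
    handled = 0
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(5)
        while max_conns is None or handled < max_conns:
            conn, peer = srv.accept()
            with conn:
                conn.settimeout(2.0)
                conn.sendall(FAKE_BANNER)
                try:
                    data = conn.recv(MAX_CAPTURE)
                except socket.timeout:
                    data = b""
            event = handle_probe(peer, data)
            with open(log_path, "a", encoding="utf-8") as fh:
                fh.write(json.dumps(event) + "\n")
            handled += 1
    return handled


if __name__ == "__main__":
    print("listening; events go to honeypot.jsonl")
    serve()
```

Keeping the socket handling apart from handle_probe is deliberate: the event builder can be unit-tested, and it is the part that grows when the honey pot is extended to distinguish a connect scan from a worm that actually sends its payload.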
How anti-virus software works
• Virus dictionary approach
• DAT files are released by the anti-virus company.
• These DAT files contain virus definitions and the signatures of the viruses.
• Suspicious behavior approach
• Other ways to detect viruses
• Sandboxing
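To make the two approaches on this slide concrete, and to reuse the overwrite text quoted on the Virus.win32.VB.cx slide, here is an added example (not vendor code and not from the deck) of a toy scanner. The dictionary half loads a DAT-like definitions file of whole-file hashes and byte patterns; the behaviour half applies two heuristics to an executable's contents. The definition format, the samples and the heuristic thresholds are constructed; only the overwrite marker and the list of targeted extensions come from the slides.

```python
"""Toy anti-virus scanner (added example): a definitions dictionary plus
suspicious-behaviour heuristics. Definition format and samples are constructed."""
import hashlib

# From the Virus.win32.VB.cx slide: the start of the text it writes over files,
# and the extensions it targets.
OVERWRITE_MARKER = b"Sorry!!!! $%%#@&re*$%$rthn"
TARGET_EXTS = [b".cpp", b".doc", b".htm", b".html", b".txt", b".xls"]

# Constructed "known bad" sample; its hash stands in for a vendor hash entry.
KNOWN_BAD_SAMPLE = b"MZ" + b"\x00" * 16 + b"constructed sample, not a real binary"

# Constructed DAT-like definitions: one record per line, kind|name|value.
SAMPLE_DAT = (
    "# kind|name|value\n"
    f"sha256|Constructed.Sample.A|{hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}\n"
    f"hex|Virus.win32.VB.cx.text|{OVERWRITE_MARKER.hex()}\n"
)


def load_definitions(dat_text: str) -> dict:
    """Parse the DAT text into {'sha256': {digest: name}, 'hex': {pattern: name}}."""
    defs = {"sha256": {}, "hex": {}}
    for line in dat_text.splitlines():
        if not line or line.startswith("#"):
            continue
        kind, name, value = line.split("|", 2)
        if kind == "sha256":
            defs["sha256"][value.lower()] = name
        elif kind == "hex":
            defs["hex"][bytes.fromhex(value)] = name
        else:
            raise ValueError(f"unknown definition kind {kind!r}")
    return defs


def dictionary_scan(data: bytes, defs: dict) -> list:
    """Dictionary approach: names of definitions matching by hash or byte pattern."""
    hits = []
    name = defs["sha256"].get(hashlib.sha256(data).hexdigest())
    if name:
        hits.append(name)
    for pattern, name in defs["hex"].items():
        if pattern in data:
            hits.append(name)
    return hits


def heuristic_scan(data: bytes) -> list:
    """Suspicious-behaviour approach: reasons, not names (toy thresholds)."""
    reasons = []
    is_pe = data.startswith(b"MZ")          # PE files begin with the MZ DOS header
    if is_pe and sum(1 for e in TARGET_EXTS if e in data) >= 4:
        reasons.append("executable names many document extensions (overwriter pattern)")
    if is_pe and b"CurrentVersion\\Run" in data:
        reasons.append("executable references the Run key (persistence)")
    return reasons


def scan(data: bytes, defs: dict) -> dict:
    """Run both approaches; a file is flagged if either returns anything."""
    return {"signature": dictionary_scan(data, defs), "heuristic": heuristic_scan(data)}


# Constructed test corpus: a clean document, an overwritten one, the known-bad
# sample, and a never-seen executable whose strings look like an overwriter.
SAMPLES = {
    "report.doc": b"Quarterly report, nothing to see.",
    "notes.txt": OVERWRITE_MARKER + b"#$^&&!f rest of the garbage",
    "known.exe": KNOWN_BAD_SAMPLE,
    "unknown.exe": b"MZ" + b"\x00" * 32 + b"*.cpp *.doc *.htm *.html *.txt *.xls "
                   + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
}


def demo() -> dict:
    defs = load_definitions(SAMPLE_DAT)
    return {name: scan(data, defs) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The unknown.exe case is the point of the second approach: it matches nothing in the dictionary, so a DAT update would be needed to catch it by signature, while the heuristics flag it from its behaviour-revealing strings alone.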
Good practices
• Install the patches supplied by the software vendors
• Keep your anti-virus software updated
• Do not open email attachments from unknown senders.
• Configure the firewall properly
• Use strong passwords so that others can't brute-force them
• Be aware of the Internet viruses and worms
• Zero-day exploits cannot be avoided.
Kaspersky discovers an iVirus
• Even iPods are affected by viruses
• Last year 2 viruses were found that infected iPods during the manufacturing process
• The Podloso virus is a proof of concept
• Currently it does not have any malicious payload
• It just displays a message on the screen: “You are infected with Oslo the first iPodLinux Virus.”