TrustyHound provides a search engine in the system tray and sends system information to a predetermined server.
When was the Trojan Horse computer Virus created and by who?
"Trojan Horse" does not refer to a specific computer virus, rather it refers to a particular characteristic of some computer malware. A Trojan Horse or Trojan is a bit of software that masquerades as legitimate software but contains hidden malware. It takes its name from the Greek tale from the Trojan War where the Greeks left a big wooden horse outside the gates of Troy with a bunch of Greek soldiers hidden inside. Just like the Greeks used their "Trojan Horse" to trick the Trojans into bringing them inside their defenses, Trojan malware tries to trick users into bringing the malware inside their computer defenses where it can then do its dirty work - such as (but not limited to) data theft, installing backdoors, turning the user's computer into a zombie in a botnet, trashing the computer. Since "Trojan Horse" only refers to a characteristic and not a specific virus, it is impossible to assign an actual date or perpetrator to it.
It should also be understood that a Trojan is not really a virus. A virus replicates itself without user intervention, whereas a Trojan relies on tricking a user into downloading it.
According to a survey conducted by BitDefender from January to June 2009, "Trojan-type malware is on the rise, accounting for 83-percent of the global malware detected in the world".
QuickBooks data can be attacked through misuse of the Interop QBFC?? libraries, and this malware cannot be detected by antivirus software. The names in the lists of vendors, customers, etc. will be deleted.
What are some of the motivations behind malware and security breaches?
The motivation behind malware is varied. Some malware is intended to be a relatively harmless prank or mildly annoying vandalism. Other malware is created to distribute political messages or to disrupt operations at specific companies. In an increasing number of cases, the motivation is monetary gain.
How can you remove a virus that your antivirus does not detect?
You have to look for it; any files that look like they shouldn't belong you might want to delete. It can really be hidden anywhere, but the most common places are the Temp folder, System32, and the Windows folder. Check your Temp folder (Start > Run > %temp%); sometimes a virus can be sitting there in plain sight. Try not to delete the System32 folder though ;).
Are zipped viruses injurious to a computer?
Yes, man. Viruses are always injurious to a computer. It does not depend on ZIP or file.
What kind of damage can spyware cause to you?
Spyware does what it sounds like -- "spies" on you. It can see the websites you visit, track the keyboard keys you type, or even see everything that's happening on your computer screen.
What tools are necessary to see and manipulate at the nanoscale?
SEM, TEM, and AFM are modern imaging techniques.
How does a Trojan horse virus spread?
Well, I did not scan my PC before I backed up my computer. Then, after it finished backing up, I scanned my PC. Norton Internet Security 2011 found a Trojan virus, so it deleted it. Then the next day I scanned my backup drive and it found the same virus that infected my PC, so that is one way a Trojan can spread.
Does personal computer insurance cover virus removal?
No, because I recently went to claim the insurance because of this and it did not cover virus removal. Hope this helped. Claire mc kernan seskinore is a legend
What is a virus, adware, spyware, rootkit and other malware?
VIRUSES
VIRUS: Vital Information Resource Under Siege (it is self-replicating).
A virus is a small program written to alter the way a computer operates without the permission or knowledge of the user.
For a program to be considered a virus, it must be able to execute and replicate itself without intervention of the user.
A virus is spread by inserting copies of itself into other executable code or documents, with or without the knowledge of the user, by piggybacking on legitimate applications.
The insertion of the virus into a program is known as INFECTION. The infected file or executable code
-------------------------------------------------------------------------------------------------------------------------
REPLICATION - A virus infects a host file, which is a file that contains executable code. This stage is very difficult to detect. This file will attach to empty space inside an existing file.
ACTIVATION - The virus delivers its payload.
PROGRAM INFECTORS - They infect .EXE or .COM files.
BOOT SECTOR INFECTOR (BSI) - It is passed at the time of disk access; it is as simple as a DIR command.
-------------------------------------------------------------------------------------------------------------------------
WORMS are self-contained and do not need to be part of another program (host) to spread.
A worm uses email or another transport mechanism (it doesn't need user interaction for activation) from one disk drive to another.
Some worms install a BACKDOOR in an infected computer. A backdoor is used to gain unauthorized access to a computer.
EXAMPLES OF WORMS
MYDOOM - fastest-spreading mass mailer
SOBIG WORM
--------------------------------------------------------------------------------------------------------------------------
TROJAN HORSE, OR TROJAN FOR SHORT
It is a harmful program that is disguised as legitimate software (like rogue security software).
It doesn't look harmful, but interesting and useful. They are quite damaging when they run.
They are not self-replicating, which distinguishes them from viruses and worms.
Additionally, they require interaction with a hacker to fulfill their purpose. The hacker need not be the individual responsible for distributing the Trojan horse.
--------------------------------------------------------------------------------------------------------------------------
SPYWARE
It is a generic term for a class of software designed to either gather information for marketing purposes or to deliver advertisements to web pages.
Although software of this type is legitimate, it can be installed on your computer without the user's knowledge.
---------------------------------------------------------------------------------------------------
ADWARE
The term adware refers to any software which displays advertisements, whether the user agreed to the advertisements or not.
Adware is a computer program where advertisements are automatically loaded by the software and displayed after installation.
Adware is usually responsible for pop-ups that occur on a computer for no reason, even when the computer is disconnected from the internet.
Adware is often referred to simply as spyware. The main difference between spyware and adware is that adware programs do not invisibly collect and upload activity records or personal information to third parties.
*************************************************************
ROOTKIT
A rootkit is a collection of tools (programs) that enable administrator-level access to a computer or computer network.
Typically, a cracker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password.
Once the rootkit is installed, it allows the attacker to mask intrusion and gain root or privileged access to the computer and possibly other machines.
***************************************************************
PHISHING
It is the act of sending an email to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.
The email directs the user to visit a web site where they are asked to update personal information, such as passwords and credit card, social security and bank account numbers, that the legitimate organization already has.
**************************************************************************************************************************
KEY LOGGER
A computer program that captures the keystrokes of a computer user and stores them. Keyloggers spread via email.
*************************************************************************************************************************
PHARMING is a hacker's attack aiming to redirect website traffic to another, bogus website.
It can be conducted either by changing the hosts file on a victim's computer or by exploitation of vulnerable DNS server software.
It has become a major concern to businesses hosting e-commerce and online banking websites.
Every host on the internet has an IP address. These 32-bit addresses are usually represented as dotted codes: 4 numbers separated by dots, e.g. 192.152.2.245
*************************************************************************************************************************
IP ADDRESS SPOOFING
In computer networking, IP address spoofing or IP spoofing refers to the creation of Internet Protocol (IP) packets with a forged source IP address, called spoofing, with the purpose of concealing the identity of the sender or impersonating another computing system.
*************************************************************************************************************************
question
MANUAL THREAT REMOVAL
FILE REMOVAL
ENABLE FIREWALL
PROGRAM REMOVAL
****************************************************************
BOTS
Bot is derived from the word "robot" and is an automated process that interacts with other network services. Bots often automate tasks and provide information or services that would otherwise be conducted by a human being.
Bots can be used for either good or malicious intent. A malicious bot is self-propagating malware designed to infect a host and connect back to a central server or servers that attack
************************************************************************************************************************************************
SYMPTOMS OF INFECTION
You received an email message that has a strange attachment. When you open the attachment, dialog boxes appear or a sudden degradation in system performance occurs.
An antivirus program is disabled for no reason and it cannot be restarted.
An antivirus program cannot be installed on the computer or it will not run.
Strange dialog boxes or message boxes appear onscreen.
Someone tells you that they have recently received e-mail messages from you containing attached files (especially with .exe, .bat, .scr and .vbs extensions) that you did not send.
Windows will not start because certain critical system files are missing, and then you receive an error message that lists those files.
The computer runs very slowly and it takes a long time to start.
Windows spontaneously restarts unexpectedly.
A partition completely disappears.
A disk utility such as ScanDisk reports multiple serious disk errors.
The infected file replicates and multiplies itself and fills up the space on the hard disk.
A virus can attach itself to an email and send itself to the contact lists in an email account.
The virus may reformat your disk drive and delete your files and programs.
The virus may install hidden programs such as pirated software. This pirated software may then be distributed and sold from your computer.
The virus may reduce security. This could allow intruders to remotely access your computer or network.
****************************************************************
*********************************************************************************************************************************************************************
THREAT IDENTIFICATION
A list of some of the more frequently used Auto Start Entry Points (ASEP) in Windows, including the Startup folder, registry keys and INI files:
WIN.INI
SYSTEM.INI
STARTUP FOLDER
REGISTRY
INTERNET EXPLORER
***************************************************************************************************************************************************
System registry run keys
Certain registry keys may contain values used to load applications when Windows is started, like Run and RunOnce.
Startup folder
The Windows Startup folder can include shortcuts, documents, executables or other types of files and programs to be launched when Windows is started. The current logged on user can view Startup folder inclusions through the Start menu:
Start/Programs/startup
The common startup folder, applicable to all users, correlates to:
/Start Menu/Programs/Startup
ASEP specific to ME, 2000, XP
Also check the following keys for unexpected values:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
ASEP Loading Sequence
The order in which Windows processes the autostart entry points is as follows:
1. RunServices/RunServicesOnce - HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER RunServices/RunServicesOnce will be launched concurrently. In the event of a conflict, precedent is given to HKEY_LOCAL_MACHINE. These ASEPs may continue loading during and after the login dialog.
2. Login Dialog (Winlogon)
3. RunOnce/Run for HKEY_CURRENT_USER hive
4. Run key in HKEY_CURRENT_USER hive
5. Startup Folder
6. RunOnce in HKEY_CURRENT_USER hive
----------------------------------------------------------------------------------------------------------------------
COMMON LOCATIONS AND AUTO START ENTRY POINTS(ASEP) OF VIRUS
System Registry Run Keys
• System Registry Run Keys - Certain registry keys may contain values used to load applications (including malware) when Windows is started. The values to examine are located in subkeys Run, RunOnce, RunServices, and RunServicesOnce, located in either of the following registry keys:
• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Startup Folder
• The Windows Startup folder can include shortcuts, documents, executables, or other types of files and programs to be launched when Windows is started. The current logged on user can view startup folder inclusions through the Start menu:
• Start | Programs | Startup
• The common startup folder, applicable to all users, correlates to:
• \Start Menu\Programs\Startup
Winlogon
• Winlogon is responsible for supporting the DLL responsible for managing the interactive logon when Windows starts. Pre-Vista, that DLL provides a customizable user interface and authentication process.
• Malware that hooks into Winlogon can be particularly difficult to remove, as even booting into Safe Mode will not deactivate it. The string values that customize the Winlogon process are located in the following registry key:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
ASEP Loading Sequence
The order in which Windows processes the autostart entry points is as follows:
• RunServices / RunServicesOnce - HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER RunServices/RunServicesOnce will be launched concurrently. In the event of a conflict, precedent is given to HKEY_LOCAL_MACHINE. These ASEPS may continue loading during and after the login dialog.
• Login Dialog (Winlogon)
• RunOnce / Run for HKEY_LOCAL_MACHINE hive
• Run key in HKEY_CURRENT_USER hive
• Startup Folder
• RunOnce in HKEY_CURRENT_USER hive
Some advanced loading points recently identified with rootkit-enabled malware
• C:\Documents and Settings\
• C:\Documents and Settings\
• C:\Documents and Settings\
• C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5
• C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
• C:\Windows\Temp
• C:\WINDOWS\system32\config\systemprofile
Startup and Winlogon
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
• HKEY_CLASSES_ROOT\comfile\shell\open\command
• HKEY_CLASSES_ROOT\piffile\shell\open\command
• HKEY_CLASSES_ROOT\exefile\shell\open\command
• HKEY_CLASSES_ROOT\txtfile\shell\open\command
Services
• HKLM\SYSTEM\CurrentControlSet\Services\
• Active Setup Stub Keys (These are disabled if there is a twin in HKCU)
• HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
• ICQ Agent Autostart
• HKCU\Software\Mirabilis\ICQ\Agent\Apps
• If you suspect that a system is infected, then examine each of these keys. Determine whether Value Name or Value Data, including the (Default) value, refers to a suspicious file.
Internet Explorer (To check for IE threats)
• HKLM\Software\Microsoft\Internet Explorer\Main, Start Page
• HKCU\Software\Microsoft\Internet Explorer\Main: Start Page
• HKLM\Software\Microsoft\Internet Explorer\Main: Default_Page_URL
• HKCU\Software\Microsoft\Internet Explorer\Main: Default_Page_URL
• HKLM\Software\Microsoft\Internet Explorer\Main: Search Page
• HKCU\Software\Microsoft\Internet Explorer\Main: Search Page
• HKCU\Software\Microsoft\Internet Explorer\SearchURL: (Default)
• HKCU\Software\Microsoft\Internet Explorer\Main: Window Title
• HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: ProxyOverride
• HKCU\Software\Microsoft\Internet Connection Wizard: ShellNext
• HKCU\Software\Microsoft\Internet Explorer\Main: Search Bar
• HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks
• HKLM\Software\Microsoft\Internet Explorer\Search, CustomizeSearch =
• HKCU\Software\Microsoft\Internet Explorer\Search, CustomizeSearch
Identify Rootkit Infections
1. MSconfig -> Boot.ini tab -> Check /BOOTLOG
2. Restart the computer.
3. Go to c:\windows and open the file c:\windows\ntbtlog.txt
Check for any suspicious entries.
Program Removal
• Click on start->control panel->add/remove programs icon.
• Discuss with customer about any new program which is installed. If customer does not know about a particular program, follow the steps below -
o Click on start->My computer->Local drive C:-> Program files.
o Right click on the particular program folder-click on properties and check date created. Repeat the same to all new programs and close the program window.
Physical Location
• c:\program files
• c:\program files\common files
• C:\documents & Settings\User\Application Data
Registry
• HKEY_LOCAL_MACHINE\Software
• HKEY_CURRENT_USER\Software
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
File Removal GUI Mode
• Delete - Right click -> Delete, or highlight the file and hit the Delete button on the keyboard
• Rename - Right click -> Rename, or highlight the file -> Press F2 -> Type a new name -> Hit Enter
• Move - Right click -> Cut -> Right click and paste it in the desired location
• Removing Permissions - Right click on file ->Go to properties ->Click on Security Tab ->Click Advanced -> Uncheck the box "Inherit from parent control…." -> Click Remove ->Click OK
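The check described above (examine each autostart key and decide whether a value's name or data refers to a suspicious file) can be scripted against a `reg export` dump. This is an added example, not part of the original answer: the sample export, its file names and the function names are constructed, and treating the answer's Temp, Temporary Internet Files and systemprofile locations as the "suspicious" test is an assumption.

```python
import re

# Autostart subkeys taken from the answer's list (a subset), matched as
# case-insensitive key suffixes so HKLM and HKCU are both covered.
ASEP_SUFFIXES = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runonce",
    r"\microsoft\windows\currentversion\runonceex",
    r"\microsoft\windows\currentversion\runservices",
    r"\microsoft\windows\currentversion\runservicesonce",
    r"\microsoft\windows\currentversion\policies\explorer\run",
    r"\microsoft\windows nt\currentversion\winlogon",
)
# Directory fragments from the answer's "advanced loading points" list.
# Assumption: autostart data pointing into these is worth a manual look.
RISKY_DIRS = (
    r"\local settings\temporary internet files",
    r"\windows\temp",
    r"\system32\config\systemprofile",
)
# "Name"="data" or @="data" (the (Default) value). Only plain string values
# are handled; hex-encoded value types in the export are skipped.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"\s*$')

def unescape(s):
    """Undo .reg escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r"\\(.)", r"\1", s)

def audit(reg_text):
    """Return (key, value name, value data) for risky autostart entries."""
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or not key.lower().endswith(ASEP_SUFFIXES):
            continue
        name = "(Default)" if m.group(1) is None else unescape(m.group(1))
        data = unescape(m.group(2))
        if any(d in data.lower() for d in RISKY_DIRS):
            findings.append((key, name, data))
    return findings

# Constructed sample in `reg export` text form (not from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="C:\\WINDOWS\\SOUNDMAN.EXE"
"updater"="\"C:\\WINDOWS\\Temp\\upd32.exe\" /s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
@="C:\\Documents and Settings\\Default User\\Local Settings\\Temporary Internet Files\\Content.IE5\\a.exe"

[HKEY_CURRENT_USER\Software\Example]
"Path"="C:\\WINDOWS\\Temp\\harmless.log"
'''

if __name__ == "__main__":
    for key, name, data in audit(SAMPLE):
        print(f"{key}\n    {name} = {data}")
```

A real export is normally saved as UTF-16, so decode it with that encoding before passing the text to `audit`.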
What happens when you kick a part of the computer?
Depends what you kicked :o.
If your fan is broken, do NOT power it on. It will overheat and break.
A malicious add-on is a software extension or plugin that is designed to harm a user's system, compromise security, or exploit personal data. Often disguised as legitimate applications, these add-ons can track user activity, inject advertisements, or even install additional malware. They typically operate within web browsers or software platforms, manipulating functionality for malicious purposes. Users should exercise caution when installing add-ons and ensure they come from reputable sources.