
INTRODUCTION

Do viruses and all the other nasties in cyberspace matter? Do they really do much harm? Imagine that no one has updated your anti-virus software for a few months. When someone finally does, you find that your accounts spreadsheets are infected with a new virus that changes figures at random. Naturally you keep backups, but you might have been backing up infected files for months. How do you know which figures to trust? Now imagine that a new e-mail virus has been released. Your company is receiving so many infected e-mails that you decide to shut down your e-mail gateway altogether, and you miss an urgent order from a big customer. Imagine that a friend e-mails you some files he found on the Internet; you open them and trigger a virus that mails confidential documents to everyone in your address book, including your competitors. Finally, imagine that you accidentally send another company a report that carries a virus. Will they feel safe doing business with you again? Today new viruses sweep the planet in hours, and virus scares are major news.

A computer virus is a computer program that can spread across computers and networks by making copies of itself, usually without the user's knowledge. Viruses can have harmful side effects, ranging from displaying irritating messages to deleting all the files on your computer.

Mobile phones are affected as well. All of us are familiar with cell phones, and their use to access the Internet and to share executable files has increased. With the growing number of functions, the amount of personal data at risk is high. With the growth of the smart phone (a mobile phone with Internet connectivity that works like a handheld computer), phone users have also seen the advent of the mobile phone virus. If not handled properly, it may prove fatal to our privacy. It is not just PCs that are vulnerable to virus attacks these days: phones and PDAs have to be protected from mobile viruses too. Advanced mobile phones run the same kinds of applications as desktop and laptop computers, and they have multiple wireless connections, so they too can be infected by a mobile virus and spread it onward. There are currently about 100 mobile viruses that can disable a phone or run up bills of hundreds of dollars by sending pricey picture messages. The first mobile virus spreading "in the wild" emerged less than two years ago. While this is still a tiny number compared with personal computer viruses, the threat is expected to increase.

A virus program has to be run before it can infect your computer, and viruses have ways of making sure that this happens: they can attach themselves to other programs, or hide in code that is run automatically when you open certain types of files. Once running, the virus can copy itself to other files or disks and make changes on your computer. Virus side effects, often called the payload, are the aspect of most interest to users; password-protecting documents on a particular day, or mailing information about the user and machine to an address somewhere, are examples of harmful payloads. Kinds of viruses include the macro virus, the parasitic or file virus and the boot virus. E-mail is the biggest source of viruses; usually they arrive as attachments. The Internet made it possible for viruses to spread around the globe, and web pages can carry them as well; the threat level depends on the particular code used in the web pages and on the security measures taken by service providers and by you. One defence against viruses is anti-virus software, which can detect viruses, prevent access to infected files and often eliminate the infection.

Computer viruses are also starting to affect mobile phones. Mobile viruses are still rare and unlikely to cause much damage, but anti-virus experts expect that as mobile phones become more sophisticated they will be targeted by virus writers, and some firms are already working on anti-virus software for mobile phones. VBS/Timo-A, Love Bug, Timofonica, CABIR, aka ACE-? and UNAVAILABLE are cited as examples of viruses that have affected mobile phones.

Dept. Of CE

M.P.T.C. Mala, Kallettumkara


VIRUS, WHAT IS IT?


A virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the user. It may have a negative effect, such as causing a program to operate incorrectly or corrupting data in the computer's memory. The term "virus" is also commonly, but erroneously, used to refer to other types of malware, such as adware and spyware, that lack the ability to reproduce. A true virus can only spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD or USB drive. Viruses can increase their chances of spreading to other computers by infecting files on a network file system, or on a file system that is accessed by another computer. A worm, by contrast, exploits security vulnerabilities to spread itself to other computers without needing to be carried as part of a host file, and a Trojan horse is a program that appears harmless but has a hidden agenda. Worms and Trojans, like viruses, may harm a computer system's hosted data, its functional performance or its networking throughput when they are executed. Some viruses and other malware have symptoms noticeable to the computer user, but many are surreptitious.

Use of the word "virus": the expansion V.I.R.U.S. (Vital Information Resources Under Siege) is a popular backronym, not the origin of the term. The word is borrowed from, and used in the same sense as, its biological equivalent. In common parlance "virus" is often used to describe all kinds of malware (malicious software), including programs that are more properly classified as worms or Trojans.

THE FUNCTIONAL ELEMENTS OF A VIRUS

Every viable computer virus must have at least two basic parts, or subroutines, if it is even to be called a virus. Firstly, it must contain a search routine, which locates new files or new areas on disk that are worthwhile targets for infection. This routine determines how well the virus reproduces, e.g. whether it does so quickly or slowly, whether it can infect multiple disks or a single disk, and whether it can infect every portion of a disk or just certain specific areas. As with all programs, there is a size versus functionality trade-off here: the more sophisticated the search routine is, the more space it takes up. So although an efficient search routine may help a virus to spread faster, it makes the virus bigger, and that is not always desirable.

Secondly, every computer virus must contain a copy routine, which copies the virus into the area that the search routine locates. The copy routine only needs to be sophisticated enough to do its job without getting caught; the smaller it is, the better. How small it can be depends on how complex a virus it must copy. For example, a virus that infects only COM files can get by with a much smaller copy routine than a virus that infects EXE files, because the EXE file structure is much more complex, so the virus simply needs to do more to attach itself to an EXE file.

While the virus only needs to be able to locate suitable hosts and attach itself to them, it is usually helpful to incorporate additional features to avoid detection, either by the computer user or by commercial virus detection software. Anti-detection routines can either be part of the search or copy routines or functionally separate from them. For example, the search routine may be severely limited in scope to avoid detection: a routine that checked every file on every disk drive, without limit, would take a long time and cause enough unusual disk activity that an alert user might become suspicious. Alternatively, an anti-detection routine might cause the virus to activate only under certain special conditions. For example, it might activate only after a certain date has passed (so the virus could lie dormant for a time).


Figure 1. Functional diagram of a virus.

Alternatively, it might activate only if no key has been pressed for five minutes (suggesting that the user is not there watching the computer). Search, copy and anti-detection routines are the only necessary components of a computer virus, and they are the components on which this discussion concentrates. Of course, many computer viruses have other routines added on top of the basic three to stop normal computer operation, to cause destruction or to play practical jokes. Such routines may give the virus character, but they are not essential to its existence. In fact, such routines are usually very detrimental to the virus's goals of survival and self-reproduction, because they make the virus's existence known to everybody. If there is just a little more disk activity than expected, probably no one will notice, and the virus will go on its merry way. On the other hand, if the screen of one's favourite program comes up saying "Ha! Gotcha!" and then the whole computer locks up with everything on it ruined, most anyone can figure out that they have been the victim of a destructive program. And if they are smart, they will get expert help to eradicate it right away. The result is that the viruses on that particular system are killed off, either by themselves or by the clean-up crew.
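The three elements described above (search routine, copy routine, anti-detection trigger) can be made concrete as a simulation. The block below is an added example, not code from this report: it models the infection cycle over an in-memory "disk" (a dictionary of file name to bytes) and never reads or writes real files. The marker bytes, the file names, the per-run target limit and the activation date are all constructed for the illustration; a scanner function is included to show the flip side, why a constant marker is exactly what a signature scanner keys on.

```python
"""Simulation of a virus's search, copy and anti-detection routines over an
in-memory disk.  Added example; nothing here touches the real file system."""
import datetime
from typing import Dict, List, Tuple

MARKER = b"[TOY-INFECTED]"   # constructed marker that the copy routine prepends


def is_infected(data: bytes) -> bool:
    """The copy routine's own 'already infected?' test, so a host is never
    infected twice (a file that kept growing would give the virus away)."""
    return data.startswith(MARKER)


def search_routine(disk: Dict[str, bytes], limit: int) -> List[str]:
    """Locate worthwhile targets: uninfected .COM files only, and at most
    `limit` of them per run.  The cap is the trade-off from the text: sweeping
    every file on every drive causes conspicuous disk activity, so the search
    is deliberately limited in scope."""
    candidates = [name for name, data in sorted(disk.items())
                  if name.lower().endswith(".com") and not is_infected(data)]
    return candidates[:limit]


def copy_routine(disk: Dict[str, bytes], name: str) -> None:
    """Attach the virus to the host.  A COM file is a flat memory image, so the
    simplest attachment is to prepend the virus body and keep the original
    program intact behind it, so the host still appears to work."""
    disk[name] = MARKER + disk[name]


def armed(today: datetime.date, activation: datetime.date) -> bool:
    """Anti-detection: lie dormant until the activation date has passed."""
    return today >= activation


def run_infected_host(disk: Dict[str, bytes], today: datetime.date,
                      activation: datetime.date, limit: int = 2) -> List[str]:
    """One execution of an infected program: if the trigger is not armed,
    nothing happens; otherwise search, then copy into each located target.
    Returns the names of the hosts infected on this run."""
    if not armed(today, activation):
        return []
    targets = search_routine(disk, limit)
    for name in targets:
        copy_routine(disk, name)
    return targets


def scan_for_marker(disk: Dict[str, bytes]) -> List[str]:
    """What a signature scanner does against such a virus: report every file
    that carries the constant marker bytes."""
    return sorted(name for name, data in disk.items() if MARKER in data)


def demo_disk() -> Dict[str, bytes]:
    """Constructed sample disk: four COM files, one EXE, one text file.  The
    contents are placeholders, not programs."""
    return {
        "COMMAND.COM": b"cmd-image", "EDIT.COM": b"edit-image",
        "FORMAT.COM": b"fmt-image", "MORE.COM": b"more-image",
        "GAME.EXE": b"MZ-exe-image", "README.TXT": b"plain text",
    }


def demo_run() -> Tuple[List[str], List[str], List[str], List[str]]:
    """Three runs of the infected host around a constructed activation date,
    then a scan: (dormant run, first armed run, second armed run, scan)."""
    disk = demo_disk()
    activation = datetime.date(2000, 1, 1)
    before = run_infected_host(disk, datetime.date(1999, 12, 31), activation)
    first = run_infected_host(disk, datetime.date(2000, 1, 1), activation)
    second = run_infected_host(disk, datetime.date(2000, 1, 2), activation)
    return before, first, second, scan_for_marker(disk)


if __name__ == "__main__":
    for step in demo_run():
        print(step)
```

The dormant run infects nothing, each armed run infects only two hosts, and the EXE and text file are never touched; the scanner nevertheless finds every infected COM file, because the marker is the same in all of them. That is the tension the next sections return to: the smaller and more constant the virus, the easier it is to fingerprint.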


TOOLS NEEDED FOR WRITING VIRUSES


Classic file and boot-sector viruses were written in assembly language. High-level languages like Basic, C and Pascal were designed to generate stand-alone programs, and the assumptions made by those languages render them almost useless for writing a file infector: they are simply incapable of performing the acrobatics required for a virus to jump from one host program to another. Assembly language is the only way to get exacting control over all of the computer system's resources and to use them the way the virus writer wants, rather than the way somebody else thinks they should be used. That said, high-level languages are not useless for all malware: macro viruses such as Melissa are written in Word's built-in VBA, and e-mail worms such as ILOVEYOU in VBScript, because the host application interprets the language for them.

MOTIVES

Viruses are written for a variety of reasons, such as curiosity, a challenge, or to gain wider attention. Some virus-writer groups are known to target any new platform, just to be able to say they were the first to write a virus for it. At the time of writing, the WAP infrastructure is still emerging and the uptake of WAP devices is still increasing; WAP devices therefore do not yet present a big enough target, and no WAP-specific viruses have yet been seen. However, a growing threat is coming over the horizon, as the power of WAP devices is set to increase dramatically with future WAP protocol versions. As WML also increases in sophistication, so do the opportunities for creating more advanced malicious code. When the first WAP virus hits, it could spread as fast as or faster than similar PC viruses. The implications for the WAP infrastructure as a whole would be ominous if this were to occur; for example, public confidence in an activity such as wireless banking would deteriorate if the threat of WAP viruses loomed large.


TYPES OF VIRUSES
GENERAL CLASSIFICATION OF VIRUSES (MALWARE)

Viruses. A virus is a small piece of software that piggybacks on real programs. For example, a virus might attach itself to a program such as a spreadsheet program. Each time the spreadsheet program runs, the virus runs too, and it has the chance to reproduce (by attaching to other programs) or to wreak havoc.

Backdoor or trapdoor. A backdoor is a program that allows someone to take control of another user's PC via the Internet. A backdoor poses as legitimate or desirable software. When it is run (usually on a Windows 95/98 PC), it adds itself to the PC's startup routine. It can then monitor the PC until it makes a connection to the Internet. Once the PC is on-line, the person who sent the backdoor can use software on their own computer to open and close programs on the infected computer, modify files and even send items to the printer. SubSeven and Back Orifice are among the best known backdoors; strictly they are Trojan horses rather than viruses, since they do not replicate.

Logic bomb. A logic bomb employs code that lies inert until specific conditions are met; when the conditions are satisfied it triggers a certain function (such as printing a message to the user and/or deleting files). Logic bombs may reside within stand-alone programs, or they may be part of worms or viruses. An example of a logic bomb would be a virus that waits to execute its payload until it has infected a certain number of hosts. A time bomb is a subset of the logic bomb that is set to trigger on a particular date and/or time; an example is the infamous Friday the 13th (Jerusalem) virus.

E-mail viruses. An e-mail virus moves around in e-mail messages, and usually replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book. The e-mail virus was the newest development in computer viruses at the time, and the Melissa virus of March 1999 was spectacular. Melissa spread in Microsoft Word documents sent via e-mail, and it worked like this:


Someone created the virus as a Word document and uploaded it to an Internet newsgroup. Anyone who downloaded the document and opened it would trigger the virus. The virus would then send the document (and therefore itself) in an e-mail message to the first 50 people in the person's address book. The e-mail message contained a friendly note that included the person's name, so the recipient would open the document thinking it was harmless. The virus would then create 50 new messages from the recipient's machine. As a result, the Melissa virus was the fastest-spreading virus seen up to that time, and it forced a number of large companies to shut down their e-mail systems.

The ILOVEYOU virus, which appeared on May 4, 2000, was even simpler. It contained a piece of code as an attachment. People who double-clicked on the attachment allowed the code to execute. The code sent copies of itself to everyone in the victim's address book and then started corrupting files on the victim's machine. This is as simple as a virus can get; it is really more of a Trojan horse distributed by e-mail than a file-infecting virus.

The Melissa virus took advantage of the programming language built into Microsoft Word called VBA, or Visual Basic for Applications. It is a complete programming language and can be programmed to do things like modify files and send e-mail messages. It also has a useful but dangerous auto-execute feature: a programmer can insert a macro into a document that runs whenever the document is opened. This is how the Melissa virus was programmed. Anyone who opened a document infected with Melissa would immediately activate the virus. It would send the 50 e-mails and then infect the global template NORMAL.DOT, so that any document saved later would also contain the virus. It created a huge mess.

Microsoft applications have a feature called Macro Virus Protection built into them to prevent this sort of thing. With Macro Virus Protection turned on (the default option is ON), the auto-execute feature is disabled: when a document tries to auto-execute macro code, a dialog pops up warning the user. Unfortunately, many people don't know what macros or macro viruses are, and when they see the dialog they ignore it, so the virus runs anyway. Many other people turn the protection mechanism off. So the Melissa virus spread despite the safeguards in place to prevent it.
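Both e-mail viruses above rely on the recipient opening an attachment, so the practical control sits at the mail gateway, before a user ever sees the dialog. The block below is an added example, not code from this report: it parses a message and flags the two attachment shapes the text describes, a script whose real extension is hidden behind a decoy one (ILOVEYOU's attachment was named in the style of LOVE-LETTER-FOR-YOU.TXT.vbs, which Windows shows as a .TXT file when known extensions are hidden) and a macro-capable Word document (Melissa's carrier). The sample message, its addresses, attachment names and contents are constructed for the example; the extension lists are illustrative policy choices, not a standard.

```python
"""Mail-gateway attachment check for executable and macro-capable files.
Added example; the message below is constructed, not a real sample."""
import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Extensions Windows runs on double-click (the ILOVEYOU path).  Illustrative.
EXECUTABLE_EXT = {".exe", ".com", ".bat", ".cmd", ".vbs", ".js", ".scr", ".pif"}
# Office formats that can carry auto-executing macros (the Melissa path).
MACRO_CAPABLE_EXT = {".doc", ".dot", ".xls", ".xlt"}
# Innocent-looking extensions used as the visible part of a double extension.
DECOY_EXT = {".txt", ".jpg", ".gif", ".doc", ".pdf", ".htm"}


def classify_attachment(filename: str) -> Optional[str]:
    """Return the reason to block an attachment, or None if it is allowed.
    Only the last extension decides what Windows executes; a decoy extension
    in front of it is the disguise, not a mitigation."""
    parts = filename.lower().rsplit(".", 2)        # [name, decoy?, ext]
    if len(parts) < 2:
        return None                                 # no extension at all
    ext = "." + parts[-1]
    if ext in EXECUTABLE_EXT:
        if len(parts) == 3 and "." + parts[1] in DECOY_EXT:
            return "executable disguised with a double extension"
        return "executable attachment"
    if ext in MACRO_CAPABLE_EXT:
        return "macro-capable document"
    return None


def scan_message(raw: bytes) -> List[Tuple[str, str]]:
    """Parse a raw message and list (filename, reason) for every attachment
    the gateway should block.  The body text itself is never 'scanned'
    here; the lure in ILOVEYOU was the attachment, not the note."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = classify_attachment(name)
        if reason:
            findings.append((name, reason))
    return findings


def build_sample() -> bytes:
    """Constructed message in the ILOVEYOU style with three attachments:
    a .TXT.vbs script, a .doc, and a harmless .txt.  Contents are placeholders."""
    msg = EmailMessage()
    msg["From"] = "friend@example.org"
    msg["To"] = "you@example.org"
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("kindly check the attached LOVELETTER coming from me.")
    msg.add_attachment(b"' placeholder, not a script\r\n",
                       maintype="application", subtype="octet-stream",
                       filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    msg.add_attachment(b"placeholder .doc bytes",
                       maintype="application", subtype="msword",
                       filename="list.doc")
    msg.add_attachment("just text", filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for name, reason in scan_message(build_sample()):
        print(f"block {name}: {reason}")
```

Blocking on the final extension, rather than on the one a user sees, is the point: the gateway sees the full name even when the desktop does not. A document check like this is also coarse (it blocks every .doc, not just those with an auto-executing macro); the text's Macro Virus Protection dialog is the finer-grained control, and the two are meant to stack.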


In the case of the ILOVEYOU virus, the whole thing was human-powered. If a person double-clicked on the program that came as an attachment, the program ran and did its thing. What fuelled this virus was the human willingness to double-click on the executable.

Worms. A worm is a small piece of software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole, copies itself to the new machine through that hole, and then starts replicating from there as well. Worms normally move around and infect other machines through computer networks, and using a network a worm can expand from a single copy incredibly quickly. For example, the Code Red worm replicated itself over 250,000 times in approximately nine hours on July 19, 2001. A worm usually exploits some sort of security hole in a piece of software or the operating system. For example, the Slammer worm (which caused mayhem in January 2003) exploited a hole in Microsoft's SQL Server; the entire worm fitted in a single 376-byte program. Worms use up computer time and network bandwidth when they are replicating, and they often have some sort of evil intent.

The Code Red worm made huge headlines in 2001. Experts predicted that it could clog the Internet so effectively that things would completely grind to a halt. Code Red did slow down Internet traffic when it began to replicate itself, but not nearly as badly as predicted. Each copy of the worm scanned the Internet for Windows NT or Windows 2000 servers running IIS that did not have the Microsoft security patch installed. Each time it found an unpatched server, the worm copied itself to that server, and the new copy then scanned for other servers to infect. Depending on the number of unpatched servers, a worm could conceivably create hundreds of thousands of copies. The Code Red worm was designed to do three things:

1. Replicate itself for the first 19 days of each month.
2. Replace web pages on infected servers with a page that declares "Hacked by Chinese".
3. From the 20th day of the month, launch a concerted attack on the White House web server in an attempt to overwhelm it.

The most common version of Code Red is a variation, typically referred to as a mutated strain, of the original .ida Code Red that replicated itself on July 19, 2001. According to the National Infrastructure Protection Center:

"The Ida Code Red Worm, which was first reported by eEye Digital Security, is taking advantage of known vulnerabilities in the Microsoft IIS Internet Server Application Program Interface (ISAPI) service. Un-patched systems are susceptible to a "buffer overflow" in the Idq.dll, which permits the attacker to run embedded code on the affected system. This memory resident worm, once active on a system, first attempts to spread itself by creating a sequence of random IP addresses to infect unprotected web servers. Each worm thread will then inspect the infected computer's time clock. The NIPC has determined that the trigger time for the DOS execution of the Ida Code Red Worm is at 0:00 hours, GMT on July 20, 2001. This is 8:00 PM, EST."

Trojan horses. A Trojan horse is simply a computer program that claims to do one thing (it may claim to be a game) but instead does damage when you run it (it may erase your hard disk). Trojan horses have no way to replicate automatically. Examples: NetBus, Back Orifice, SubSeven.
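Both worms described above have a fixed shape on the wire that a defender can match, which is why they were detectable long before every server was patched. The block below is an added example, not code from this report: it checks web-log lines for the Code Red request (a GET for /default.ida with a few hundred repeated filler characters, "N" in the original strain and "X" in Code Red II, followed by %u-encoded bytes that overflow the buffer in idq.dll) and checks a UDP datagram for the Slammer packet (a single datagram to SQL Server's resolution service on port 1434, 376 bytes long, beginning with the request-type byte 0x04 and a run of 0x01 bytes). The log lines and the datagram are constructed here to mimic those shapes; they are not captures. The log format assumed is a simplified `client-ip "request-line" status` line, not IIS's own W3C format.

```python
"""Signature checks for Code Red (web log) and Slammer (UDP datagram).
Added example; all sample data below is constructed."""
import re
from dataclasses import dataclass
from typing import List

# Code Red: GET /default.ida?NNNN...(hundreds of N or X)...%u9090%u6858...
# The .ida extension routed the request to idq.dll, the Index Server ISAPI
# extension, whose buffer the oversized, %u-encoded query string overflowed.
CODE_RED_RE = re.compile(r'GET /default\.ida\?([NX])\1{100,}.*%u[0-9a-f]{4}', re.I)


def is_code_red_request(request_line: str) -> bool:
    """True if an HTTP request line has the Code Red exploit shape."""
    return CODE_RED_RE.search(request_line) is not None


# Simplified log line: <ip> "<request-line>" <status>  (assumed format)
LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<req>[^"]*)" (?P<status>\d{3})$')


def scan_web_log(lines: List[str]) -> List[str]:
    """Return the client IPs whose request matched the Code Red shape.  Any
    status is reported: an infected host probes patched servers too, and a
    404 from an unpatched server still means the worm is next door."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and is_code_red_request(m.group("req")):
            hits.append(m.group("ip"))
    return hits


@dataclass
class UdpDatagram:
    src_ip: str
    dst_port: int
    payload: bytes


SLAMMER_LEN = 376   # size of the whole worm, as given in the text above


def is_slammer_datagram(d: UdpDatagram) -> bool:
    """Slammer arrived as one UDP datagram to port 1434 (SQL Server Resolution
    Service).  Its 376-byte payload starts with the resolution request type
    0x04 followed by 0x01 padding; length plus that prefix is the signature."""
    return (d.dst_port == 1434 and len(d.payload) == SLAMMER_LEN
            and d.payload[:2] == b"\x04\x01")


# Constructed samples (documentation address ranges, placeholder shellcode).
SAMPLE_LOG = [
    '192.0.2.10 "GET /index.html HTTP/1.0" 200',
    '192.0.2.11 "GET /default.ida?' + 'N' * 224 + '%u9090%u6858%ucbd3%u7801 HTTP/1.0" 200',
    '192.0.2.12 "GET /default.ida?name=x HTTP/1.0" 404',
    '198.51.100.7 "GET /default.ida?' + 'X' * 224 + '%u9090%u6858 HTTP/1.0" 404',
]
SAMPLE_SLAMMER = UdpDatagram("203.0.113.5", 1434,
                             b"\x04" + b"\x01" * 96 + b"\x90" * (SLAMMER_LEN - 97))
SAMPLE_BENIGN_UDP = UdpDatagram("203.0.113.6", 1434, b"\x02")   # ordinary browse query


if __name__ == "__main__":
    print(scan_web_log(SAMPLE_LOG))
    print(is_slammer_datagram(SAMPLE_SLAMMER), is_slammer_datagram(SAMPLE_BENIGN_UDP))
```

The Code Red check deliberately keys on the filler run and the %u encoding rather than on the exact shellcode bytes, which is why the same rule catches the "X" strain; the legitimate /default.ida?name=x request is not flagged. Matching is the easy part; the hard part, as the Code Red schedule above shows, is that by the time the log fills up the worm has already moved on to its next phase, so such checks belong on the scanning traffic (inbound) as much as on the victim's own log.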


BEHAVIOURAL CLASSIFICATION OF VIRUSES

In addition to the general classification, viruses can also be classified according to the following behaviour patterns they exhibit: the nature of the attack, the deception techniques employed, and the frequency of infection.

Boot sector viruses. As virus creators got more sophisticated, they learned new tricks. One important trick was the ability to load viruses into memory so they could keep running in the background as long as the computer remained on; this gave viruses a much more effective way to replicate themselves. Another trick was the ability to infect the boot sector on floppy disks and hard disks. The boot sector is the first part of the operating system that the computer loads; it contains a tiny program that tells the computer how to load the rest of the operating system. By putting its code in the boot sector, a virus can guarantee that it gets executed: it can load itself into memory immediately, and it is able to run whenever the computer is on. Boot sector viruses can infect the boot sector of any floppy disk inserted in the machine, and on college campuses where lots of people share machines they spread like wildfire.

In general, both executable and boot sector viruses are not very threatening any more. The first reason for the decline has been the huge size of today's programs. Nearly every program you buy today comes on a compact disc. A pressed CD cannot be modified, so a virus cannot infect the files on it after the fact (though a CD can of course be mastered with already-infected files). The programs are so big that the only easy way to move them around is to buy the CD; people can't carry applications around on a floppy disk like they did in the 1980s, when floppies full of programs were traded like baseball cards. Boot sector viruses have also declined because operating systems now protect the boot sector. Both boot sector viruses and executable viruses are still possible, but they are a lot harder now and they don't spread nearly as quickly as they once could. Call it "shrinking habitat", if you want to use a biological analogy: the environment of floppy disks, small programs and weak operating systems made these viruses possible in the 1980s, but huge executables, unchangeable CDs and better operating system safeguards have largely eliminated that environmental niche. Examples: Form, Disk Killer and Michelangelo.

Program viruses. These infect executable program files, such as those with extensions like .BIN, .COM, .EXE, .OVL, .DRV (driver) and .SYS (device driver). These programs are loaded into memory during execution, taking the virus with them. The virus becomes active in memory, making copies of itself and infecting files on disk. Examples: Sunday, Cascade.

Multipartite viruses. A hybrid of boot and program viruses. They infect program files, and when an infected program is executed they infect the boot record. When you next boot the computer, the virus from the boot record loads into memory and then starts infecting other program files on disk. Examples: Invader, Flip and Tequila.

Stealth viruses. These viruses use certain techniques to avoid detection. They may either redirect the disk head to read another sector instead of the one in which they reside, or they may alter the size of the infected file shown in the directory listing. For instance, the Whale virus adds 9216 bytes to an infected file and then subtracts the same number of bytes (9216) from the size given in the directory. Examples: Frodo, Joshi, Whale.

Polymorphic viruses. A polymorphic virus encrypts its code in a different way on each infection, so that no two copies look alike; only a small decryptor has to remain in the clear, and that too is varied from copy to copy. These viruses are much more difficult to detect with a fixed signature. Examples: Involuntary, Stimulate, Cascade, Phoenix, Evil, Proud, Virus 101.

Macro viruses. A macro virus is a type of virus that infects the macros within a document or template. When you open a word-processing or spreadsheet document, the macro virus is activated and infects the Normal template (Normal.dot), a general-purpose file that stores default document formatting settings. Every document you open refers to the Normal template, and hence gets infected with the macro virus. Since this virus attaches itself to documents, the infection can spread if such documents are opened on another computer. Examples: DMV, Nuclear, Word Concept.

ActiveX. ActiveX and Java controls will soon be the scourge of computing. Most people do not know how to control their web browser to enable or disable the various functions, like playing sound or video, and so by default leave a nice big hole in their security by allowing applets free run of their machine. There has been a lot of commotion about this, and with the amount of power that Java imparts, things look a bit gloomy from the security angle.
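The polymorphic case above is worth seeing in bytes, because it is the one that defeats the "look for a constant marker" scanner shown earlier. The block below is an added example, not code from this report. The "virus body" is a constructed byte string standing in for the search and copy routines, and the decryptor stub is a placeholder (bytes chosen to resemble a `mov al, key / xor [si], al` loop, not assembled into working code). What the example does reproduce is the technique: the body is XOR-encrypted under a fresh key on every infection and the stub is padded with a varying number of filler bytes, so no two copies share a long byte sequence; the scanner's answer is to recover the body the virus itself would produce and match that.

```python
"""Why a fixed signature misses a polymorphic virus, and the unpacking
scanner that does not.  Added example with constructed data."""
import random
from typing import Optional

PLAIN_BODY = b"SEARCH-ROUTINE;COPY-ROUTINE;TRIGGER;PAYLOAD"   # constructed stand-in
SIGNATURE = b"COPY-ROUTINE"         # the constant bytes a scanner would key on


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_infection(key: int, filler: int) -> bytes:
    """One infected copy: a mutated decryptor stub followed by the body
    encrypted under `key`.  The stub must carry the key so the virus can
    decrypt itself at run time; `filler` NOP-like bytes (0x90) are inserted
    to change its length and byte pattern, which is what a polymorphic
    engine does to the decryptor.  The stub bytes are illustrative only."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    pad = b"\x90" * filler
    stub = b"\xb0" + bytes([key]) + pad + b"\x30\x04" + pad + b"\x46\xeb"
    return stub + xor_bytes(PLAIN_BODY, key)


def random_infection(rng: random.Random) -> bytes:
    """What successive infections look like: fresh key, fresh stub layout."""
    return make_infection(rng.randrange(1, 256), rng.randrange(0, 8))


def signature_scan(sample: bytes) -> bool:
    """Classic scanner: search for the signature bytes as they are."""
    return SIGNATURE in sample


def decrypt_and_scan(sample: bytes) -> Optional[int]:
    """Generic unpacking: try every single-byte XOR key and look for the
    signature in the decrypted stream; returns the key on a hit.  Real
    engines emulate the decryptor instead, because real keys and ciphers
    vary, but the principle is the same: scan what the virus will decrypt
    itself into, not the encrypted bytes on disk."""
    for key in range(1, 256):
        if SIGNATURE in xor_bytes(sample, key):
            return key
    return None


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Length of the longest common prefix: how much two copies share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


if __name__ == "__main__":
    rng = random.Random(2001)
    a, b = random_infection(rng), random_infection(rng)
    print(len(a), len(b), common_prefix_len(a, b))
    print(signature_scan(a), signature_scan(b))
    print(decrypt_and_scan(a), decrypt_and_scan(b))
```

Two copies under different keys share only the leading stub byte, and the fixed-string scanner finds nothing in either; the unpacking scanner recovers the key and the signature from both. The stealth trick described above (Whale subtracting its 9216 bytes from the directory listing) is the other side of the same coin: where polymorphism hides the bytes, stealth hides the size, and the defence for that is to compare the listing against the sectors actually allocated rather than trusting the number the infected system reports.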

TIMELINE OF COMPUTER VIRUSES AND WORMS


1. 1960–1969

1966: The work of John von Neumann on the "Theory of Self-Reproducing Automata" is published. The article is based on lectures held by von Neumann at the University of Illinois in 1949 on the "Theory and Organization of Complicated Automata".

2. 1970–1979

1971: The Creeper virus, an experimental self-replicating program, is written by Bob Thomas at BBN Technologies. Creeper infected DEC PDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system, where the message "I'm the creeper, catch me if you can!" was displayed. The Reaper program was later created to delete Creeper.

1974: The Wabbit virus, more a fork bomb than a virus, is written. Wabbit makes multiple copies of itself on a single computer (and was named "Wabbit" for the speed at which it did so) until it clogs the system, reducing performance, before finally reaching a threshold and crashing the computer.

1974/1975: ANIMAL is written by John Walker for the UNIVAC 1108. ANIMAL asked the user a number of questions in an attempt to guess the type of animal the user was thinking of, while the related program PERVADE would create a copy of itself and ANIMAL in every directory to which the current user had access. It spread across the multi-user UNIVACs when users with overlapping permissions discovered the game, and to other computers when tapes were shared. The program was carefully written to avoid damage to existing file or directory structures, and not to copy itself if permissions did not exist or if damage could result. Its spread was therefore halted by an OS upgrade which changed the format of the file status tables that PERVADE used for safe copying. Though non-malicious, "Pervading Animal" represents the first Trojan "in the wild".

1975: The novel "The Shockwave Rider" by John Brunner is published; it coins the use of the word "worm" to describe a program that propagates itself through a computer network.

4. 1980–1989

1980

Jürgen Kraus wrote his Diplom thesis "Selbstreproduktion bei Programmen" (self-reproduction of programs).

1981

Elk Cloner, a program for Apple II systems, is created by Richard Skrenta. The Apple II was seen as particularly vulnerable because its operating system was stored on floppy disk. Elk Cloner's design, combined with public ignorance about what malware was and how to protect against it, led to Elk Cloner being responsible for the first large-scale computer virus outbreak in history.

1983

The term "virus" is coined by Frederick Cohen to describe self-replicating computer programs. In 1984 Cohen uses the phrase "computer virus", as suggested by his teacher Leonard Adleman, to describe the operation of such programs in terms of "infection". He defines a virus as "a program that can 'infect' other programs by modifying them to include a possibly evolved copy of itself."

November 10, 1983: at Lehigh University, Cohen demonstrates a virus-like program on a VAX 11/750 system. The program could install itself to, or infect, other system objects.

A very early Trojan horse designed for the IBM PC, called ARF-ARF, was downloaded from BBS sites and claimed to sort the DOS diskette directory. This was a very desirable feature, because in 1983 DOS did not list files in alphabetical order. Instead, the program deleted all of the files on the diskette, cleared the screen and typed "ARF ARF". ARF was a reference to the common "Abort, Retry, Fail" message you would get when a PC could not boot from a diskette.


1984

Ken Thompson publishes his seminal paper, Reflections on Trusting Trust, in which he describes how he modified a C compiler so that when used to compile a specific version of the Unix operating system, it inserted a backdoor into the login command, and when used to compile itself, it inserted the backdoor insertion code, even if neither the backdoor nor the backdoor insertion code were present in the source code.

1986

January: The Brain boot sector virus (aka Pakistani flu) is released. Brain is considered the first IBM PC compatible virus, and the program responsible for the first IBM PC compatible virus epidemic. The virus is also known as Lahore, Pakistani and Pakistani Brain, as it was created in Lahore, Pakistan, by the 19-year-old Pakistani programmer Basit Farooq Alvi and his brother Amjad Farooq Alvi.

December 1986: Ralf Burger presented the Virdem model of programs at a meeting of the underground Chaos Computer Club in Germany. The Virdem model represented the first programs that could replicate themselves via addition of their code to executable DOS files in COM format.

1987

Appearance of the Vienna virus, which was subsequently neutralized, the first time this had happened on the IBM platform.

Appearance of the Lehigh virus, of boot sector viruses such as Yale from the USA, Stoned from New Zealand and Ping Pong from Italy, and of the first self-encrypting file virus, Cascade. Lehigh was stopped on campus before it spread to the wild, and has never been found elsewhere as a result. A subsequent infection of Cascade in the offices of IBM Belgium led to IBM responding with its own anti-virus product development; prior to this, anti-virus solutions developed at IBM were intended for staff use only.

October: The Jerusalem virus, part of the (at that time unknown) Suriv family, is detected in the city of Jerusalem. The virus destroys all executable files on infected machines upon every occurrence of Friday the 13th (except Friday 13 November 1987, making its first trigger date May 13, 1988). Jerusalem caused a worldwide epidemic in 1988.

November: The SCA virus, a boot sector virus for Amigas appears, immediately creating a pandemic virus-writer storm. A short time later, SCA releases another, considerably more destructive virus, the Byte Bandit.

December: Christmas Tree EXEC was the first widely disruptive replicating network program, which paralysed several international computer networks in December 1987.

1988

March 1: The Ping-Pong boot sector virus is discovered at the University of Turin in Italy.

June: The Festering Hate Apple ProDOS virus spreads from underground pirate BBS systems and starts infecting mainstream networks.

November 2: The Morris worm, created by Robert Tappan Morris, infects DEC VAX and Sun machines running BSD UNIX connected to the Internet, and becomes the first worm to spread extensively "in the wild", and one of the first well-known programs exploiting buffer overrun vulnerabilities.

1989

October 1989: Ghostball, the first multipartite virus, is discovered by Friðrik Skúlason.

5. 1990–1999

1990

Mark Washburn, working on an analysis of the Vienna and Cascade viruses with Ralf Burger, develops the first family of polymorphic viruses, the Chameleon family. The Chameleon series debuted with the release of 1260.

1992

Michelangelo was expected to create a digital apocalypse on March 6, with millions of computers having their information wiped, according to the mass media hysteria surrounding the virus. Later assessments of the damage showed the aftermath to be minimal. John McAfee had been quoted by the media as saying that 5 million computers would be affected. He later said that, pressed by the interviewer to come up with a number, he had estimated a range from 5 thousand to 5 million, but the media naturally went with just the higher number.

1993

"Leandro & Kelly" and "Freddy Krueger" spread quickly due to the popularity of BBS and shareware distribution.

1994

April: OneHalf is a DOS-based polymorphic computer virus.

1995

The first Macro virus, called "Concept," is created. It attacked Microsoft Word documents.

1996

"Ply", a complicated DOS 16-bit polymorphic virus with a built-in permutation engine, appeared.

1998

June 2: The first version of the CIH virus appears.

1999

Jan 20: The Happy99 worm first appeared. It invisibly attaches itself to emails, displays fireworks to hide the changes being made, and wishes the user a happy New Year. It modifies system files related to Outlook Express and Internet Explorer (IE) on Windows 95 and Windows 98.

March 26: The Melissa worm was released, targeting Microsoft Word and Outlook-based systems, and creating considerable network traffic.

June 6: The ExploreZip worm, which destroys Microsoft Office documents, was first detected.

December 30: Kak worm is a JavaScript computer worm that spread itself by exploiting a bug in Outlook Express.[15]

6. 2000 and later

2000

May: The ILOVEYOU worm, also known as VBS/Loveletter and Love Bug worm, is a computer worm purportedly created by a Filipino computer science student. Written in VBScript, it infected millions of Windows computers worldwide within a few hours of its release. It is considered to be one of the most damaging worms ever.

2001

February 11: The Anna Kournikova virus hits e-mail servers hard by sending e-mail to contacts in the Microsoft Outlook address book. Its creator, Dutchman Jan de Wit, was sentenced to 150 hours of community service.

May 8: The Sadmind worm spreads by exploiting holes in both Sun Solaris and Microsoft IIS.

July: The Sircam worm is released, spreading through Microsoft systems via e-mail and unprotected network shares.

July 13: The Code Red worm attacking the Index Server ISAPI Extension in Microsoft Internet Information Services is released.

August 4: A complete re-write of the Code Red worm, Code Red II begins aggressively spreading onto Microsoft systems, primarily in China.

September 18: The Nimda worm is discovered and spreads through a variety of means including vulnerabilities in Microsoft Windows and backdoors left by Code Red II and Sadmind worm.

October 26: The Klez worm is first identified. It exploits a vulnerability in Microsoft Internet Explorer and Microsoft Outlook and Outlook Express.

2002

February 11: Simile is a metamorphic computer virus written in assembly.

Beast is a Windows-based backdoor Trojan horse, more commonly known as a RAT (Remote Administration Tool). It is capable of infecting almost all versions of Windows. Written in Delphi and released first by its author Tataye in 2002, its most current version was released October 3, 2004.

March 7: Mylife is a computer worm that spread itself by sending malicious emails to all the contacts in Microsoft Outlook.

August 30: Optix Pro is a configurable remote access tool or Trojan, similar to SubSeven or BO2K.

2003

January 24: The SQL Slammer worm, aka Sapphire worm, Helkern and other names, attacks vulnerabilities in Microsoft SQL Server and MSDE and causes widespread problems on the Internet.


April 2: Graybird is a Trojan also known as Backdoor.Graybird.

June 13: ProRat is a Turkish-made, Microsoft Windows-based backdoor Trojan horse, more commonly known as a RAT (Remote Administration Tool).

August 12: The Blaster worm, aka the Lovesan worm, rapidly spreads by exploiting a vulnerability in system services present on Windows computers.

August 18: The Welchia (Nachi) worm is discovered. The worm tries to remove the Blaster worm and patch Windows.

August 19: The Sobig worm (technically the Sobig.F worm) spreads rapidly through Microsoft systems via mail and network shares.

September 18: Swen is a computer worm written in C++.

October 24: The Sober worm is first seen on Microsoft systems and maintains its presence until 2005 with many new variants. The simultaneous attacks on network weak points by the Blaster and Sobig worms cause massive damage.

November 10: Agobot is a computer worm that can spread itself by exploiting vulnerabilities on Microsoft Windows. Some of the vulnerabilities are MS03-026 and MS05-039.

November 20: Bolgimo is a computer worm that spread itself by exploiting a buffer overflow vulnerability in the Microsoft Windows DCOM RPC interface.

2004

January 18: Bagle is a mass-mailing worm affecting all versions of Microsoft Windows. There were two variants of the Bagle worm, Bagle.A and Bagle.B; Bagle.B was discovered on February 17, 2004.

Late January: MyDoom emerges, and currently holds the record for the fastest-spreading mass mailer worm.

February 16: The Netsky worm is discovered. The worm spreads by email and by copying itself to folders on the local hard drive as well as on mapped network drives if available. Many variants of the Netsky worm appeared.

March 19: The Witty worm is a record-breaking worm in many regards. It exploited holes in several Internet Security Systems (ISS) products. It had the shortest interval yet from vulnerability disclosure to worm, it was the first Internet worm to carry a destructive payload, and it spread rapidly using a pre-populated list of ground-zero hosts.

May 1: The Sasser worm emerges by exploiting a vulnerability in the Microsoft Windows LSASS service and causes problems in networks, while removing MyDoom and Bagle variants, even interrupting business.


June 15: Caribe or Cabir is a computer worm that is designed to infect mobile phones that run Symbian OS. It is the first computer worm that can infect mobile phones. It spread itself through Bluetooth. More information can be found on and

August 16: Nuclear RAT (short for Nuclear Remote Administration Tool) is a backdoor Trojan that infects Windows NT family systems (Windows 2000, Windows XP, Windows 2003).

August 20: Vundo, or the Vundo Trojan (also known as Virtumonde or Virtumondo and sometimes referred to as MS Juan) is a trojan known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehaviour including performance degradation and denial of service with some websites including Google and Facebook.

October 12, 2004: Bifrost, also known as Bifrose, is a backdoor Trojan which can infect Windows 95 through Vista. Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attack.

December: Santy, the first known "webworm", is launched. It exploited a vulnerability in phpBB and used Google in order to find new targets. It infected around 40,000 sites before Google filtered the search query used by the worm, preventing it from spreading.

2005

August 16: Zotob is a worm that spread itself by exploiting the Microsoft Windows Plug and Play buffer overflow (MS05-039).

October 13: The Samy XSS worm becomes the fastest spreading virus by some definitions as of 2006.

Late 2005: The Zlob Trojan is a Trojan horse which masquerades as a required video codec in the form of a Microsoft Windows ActiveX component. It was first detected in late 2005.

2005: Bandook or Bandook Rat (Bandook Remote Administration Tool) is a backdoor trojan horse that infects the Windows family. It uses a server creator, a client and a server to take control over the remote computer. It uses process hijacking / kernel patching to bypass the firewall, and let the server component hijack processes and gain rights for accessing the Internet.


2006

January 20: The Nyxem worm was discovered. It spread by mass-mailing. Its payload, which activates on the third of every month, starting on February 3, attempts to disable security-related and file sharing software, and destroy files of certain types, such as Microsoft Office files.

February 16: The discovery of the first-ever malware for Mac OS X, a low-threat Trojan horse known as OSX/Leap-A or OSX/Oompa-A, is announced.

Late March: Brontok variant N was found in late March.[33] Brontok was a mass-email worm that originated in Indonesia.

Late September: Stration or Warezov worm first discovered.

2007

January 17: Storm Worm is identified as a fast-spreading email spamming threat to Microsoft systems. It begins gathering infected computers into the Storm botnet. By around June 30 it had infected 1.7 million computers, and it had compromised between 1 and 10 million computers by September. Thought to have originated from Russia, it disguises itself as a news email about bogus news stories, asking you to download the attachment, which it claims is a film.

July: Zeus is a trojan that targets Microsoft Windows to steal banking information by keystroke logging.

2008

February 17: Mocmex is a trojan, which was found in a digital photo frame in February 2008. It was the first serious computer virus on a digital photo frame. The virus was traced back to a group in China.

March 3: Torpig, also known as Sinowal and Mebroot, is a Trojan horse that affects Windows, turning off anti-virus applications. It allows others to access the computer, modifies data, steals confidential information (such as user passwords and other sensitive data) and installs more malware on the victim's computer.

May 6: Rustock.C, a hitherto-rumoured spambot-type malware with advanced rootkit capabilities, was announced to have been detected on Microsoft systems and analyzed, having been in the wild and undetected since October 2007 at the very least.


July 6: Bohmini.A is a configurable remote access tool or trojan that exploits security flaws in Adobe Flash 9.0.115 with Internet Explorer 7.0 and Firefox 2.0 under Windows XP SP2.

July 31: The Koobface computer worm targets users of Facebook and MySpace. New variants constantly appear.

November 21: The Conficker computer worm infects anywhere from 9 to 15 million Microsoft server systems running everything from Windows 2000 to the Windows 7 Beta. The French Navy, UK Ministry of Defence (including Royal Navy warships and submarines), Sheffield Hospital network, German Bundeswehr and Norwegian Police were all affected. Microsoft sets a bounty of $250,000 USD for information leading to the capture of the worm's author(s). Five main variants of the Conficker worm are known and have been dubbed Conficker A, B, C, D and E. They were discovered 21 November 2008, 29 December 2008, 20 February 2009, 4 March 2009 and 7 April 2009, respectively. On December 16, 2008, Microsoft releases KB958644, patching the server service vulnerability responsible for the spread of Conficker.

2009

July 4: The July 2009 cyber attacks occur, with the emergence of W32.Dozer, attacking the United States and South Korea.

July 15: Symantec discovered the Daprosy worm. This Trojan worm is intended to steal online-game passwords in Internet cafés. It could, in fact, intercept all keystrokes and send them to its author, which makes it a particularly dangerous worm for B2B (business-to-business) systems.

2010

February 18: Microsoft announced that a BSoD problem on some Windows machines which was triggered by a batch of Patch Tuesday updates was caused by the Alureon trojan.

June 17: Stuxnet, a Windows Trojan, was detected. It is the first worm to attack SCADA systems. There are suggestions that it was designed to target Iranian nuclear facilities. It uses a valid certificate from Realtek.

September 9: The virus, called "here you have" or "VBMania", is a simple Trojan horse that arrives in the inbox with the odd-but-suggestive subject line "here you have". The body reads "This is The Document I told you about, you can find it Here" or "This is The Free Download Sex Movies, you can find it Here".

September 15: The virus called Kenzero spreads online from peer-to-peer (P2P) sites, taking browsing history.

2011

SpyEye and Zeus merged code is seen. New variants attack mobile phone banking information.

Anti-Spyware 2011 is a Trojan which attacks Windows 9x, 2000, XP, Vista, and Windows 7, posing as an anti-spyware program. It actually disables security-related processes of anti-virus programs, while also blocking access to the Internet, which prevents updates.

The Morto worm emerged in the summer of 2011. It attempts to propagate itself to additional computers via the Microsoft Windows Remote Desktop Protocol (RDP). Morto spreads by forcing infected systems to scan for Windows servers allowing RDP login. Once Morto finds an RDP-accessible system, it attempts to log in to a domain or local system account named 'Administrator' using a number of common passwords. A detailed overview of how the worm works, along with the password dictionary Morto uses, was done by Imperva.
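The password guessing just described leaves a distinctive trail on the target: a burst of failed logons for the Administrator account from a single address over RDP. The following Python is an added example written for this report (not Imperva's analysis or any product's rule) that flags such bursts. It assumes a constructed, simplified one-line-per-event export of Windows Security event 4625 (logon failure), using the real field names TargetUserName, IpAddress and LogonType; the sample events are constructed and are assumed to be in time order.

```python
"""Added example: spot Morto-style RDP password guessing in logon failures.

Illustration code for this report. The log format is an assumed, simplified
one-line rendering of Windows Security event 4625; real events arrive as XML
with the same field names. LogonType 10 is RemoteInteractive (RDP)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, in time order: six quick failures for
# Administrator from 10.0.0.5, two for a normal user, one success, one stray.
SAMPLE_LOG = """\
2011-08-28T10:01:00Z EventID=4625 TargetUserName=Administrator IpAddress=10.0.0.5 LogonType=10
2011-08-28T10:01:03Z EventID=4625 TargetUserName=Administrator IpAddress=10.0.0.5 LogonType=10
2011-08-28T10:01:06Z EventID=4625 TargetUserName=Administrator IpAddress=10.0.0.5 LogonType=10
2011-08-28T10:01:09Z EventID=4625 TargetUserName=Administrator IpAddress=10.0.0.5 LogonType=10
2011-08-28T10:01:12Z EventID=4625 TargetUserName=Administrator IpAddress=10.0.0.5 LogonType=10
2011-08-28T10:01:15Z EventID=4625 TargetUserName=Administrator IpAddress=10.0.0.5 LogonType=10
2011-08-28T10:02:00Z EventID=4625 TargetUserName=alice IpAddress=10.0.0.9 LogonType=10
2011-08-28T10:02:30Z EventID=4625 TargetUserName=alice IpAddress=10.0.0.9 LogonType=10
2011-08-28T10:03:00Z EventID=4624 TargetUserName=Administrator IpAddress=10.0.0.5 LogonType=10
2011-08-28T10:20:00Z EventID=4625 TargetUserName=Administrator IpAddress=10.0.0.7 LogonType=10
"""

def parse_event(line):
    """Turn 'timestamp key=value key=value ...' into a dict; 'ts' is a datetime."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(part.split("=", 1) for part in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def detect_rdp_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: failures} for every source that produced at least `threshold`
    failed RDP logons against 'Administrator' within one sliding `window`.
    Events must be in time order (as an exported log normally is)."""
    recent = defaultdict(deque)   # source ip -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        # Only failed (4625) remote-interactive (10) logons for Administrator count.
        if ev["EventID"] != "4625" or ev["LogonType"] != "10":
            continue
        if ev["TargetUserName"].lower() != "administrator":
            continue
        q = recent[ev["IpAddress"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["IpAddress"]] = max(flagged.get(ev["IpAddress"], 0), len(q))
    return flagged

if __name__ == "__main__":
    print(detect_rdp_guessing(SAMPLE_LOG))   # {'10.0.0.5': 6}
```

Sources flagged this way are candidates for blocking, and the event worth paging on is a success (4624) for Administrator from an address flagged shortly before: that is the moment a guessed password has worked. The mitigation the text implies follows directly: do not expose RDP to untrusted networks, and do not leave 'Administrator' with a common password.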

July 13: The ZeroAccess rootkit, or Max++, was discovered. Duqu worm

2012

Flame, also known as Flamer, sKyWIper, and Skywiper, is modular computer malware discovered in 2012 that attacks computers running Microsoft Windows. The program is being used for targeted cyber espionage in Middle Eastern countries. Its discovery was announced on 28 May 2012 by the MAHER Center of the Iranian National Computer Emergency Response Team (CERT), Kaspersky Lab and the CrySyS Lab of the Budapest University of Technology and Economics. CrySyS stated in their report that "sKyWIper is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found".

Shamoon is a computer virus discovered in 2012 designed to target computers running Microsoft Windows in the energy sector. Symantec, Kaspersky Lab and Seculert announced its discovery on 16 August 2012.


EXECUTION OF VIRUSES
Early viruses were pieces of code attached to a common program like a popular game or a popular word processor. A person might download an infected game from a bulletin board and run it. A virus like this is a small piece of code embedded in a larger, legitimate program. The virus is designed to run first when the legitimate program gets executed. The virus loads itself into memory and looks around to see if it can find any other programs on the disk. If it can find one, it modifies that program to add the virus's code to it. Then the virus launches the "real program." The user really has no way to know that the virus ever ran. Unfortunately, the virus has now reproduced itself, so two programs are infected. The next time either of those programs gets executed, it infects other programs, and the cycle continues. If one of the infected programs is given to another person on a floppy disk, or if it is uploaded to a bulletin board, then other programs get infected. This is how the virus spreads. The spreading part is the infection phase of the virus. Viruses wouldn't be so violently despised if all they did was replicate themselves. Unfortunately, most viruses also have some sort of destructive attack phase where they do some damage. Some sort of trigger will activate the attack phase, and the virus will then "do something" -- anything from printing a silly message on the screen to erasing all of your data. The trigger might be a specific date, or the number of times the virus has been replicated, or something similar.
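The infection phase described above has one observable side effect: a program file on disk changes when nothing legitimate should have changed it. As an added example (written for this report, not taken from it or from any product), the following Python builds a baseline of SHA-256 hashes for the program files under a directory and later reports which files were modified, added or removed. The directory, file names and contents are constructed sample data, and the "infection" is simulated by appending bytes to one file; no virus code is involved.

```python
"""Added example: detect the file modification a classic file infector causes.

Illustration code for this report. build_baseline() records size and SHA-256
for every program file under a directory; compare_baseline() reports changes.
demo() runs the whole thing on a temporary directory with constructed files."""
import hashlib
import os
import tempfile

def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, extensions=(".exe", ".com")):
    """Map relative path -> (size, sha256) for every program file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root)
                baseline[rel] = (os.path.getsize(full), hash_file(full))
    return baseline

def compare_baseline(root, baseline, extensions=(".exe", ".com")):
    """Return sorted lists of modified, added and removed program files."""
    current = build_baseline(root, extensions)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}

def demo():
    """Constructed scenario: two clean programs are baselined, then one of them
    grows by appended bytes and a new program file appears."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("game.exe", "editor.exe", "readme.txt"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"MZ clean program body " + name.encode())
        baseline = build_baseline(root)
        # Simulate what an infection leaves behind: the host file is larger and
        # its content differs. (Constructed bytes, not virus code.)
        with open(os.path.join(root, "game.exe"), "ab") as f:
            f.write(b" <appended bytes>")
        with open(os.path.join(root, "dropped.com"), "wb") as f:
            f.write(b"a program file that was not in the baseline")
        return compare_baseline(root, baseline)

if __name__ == "__main__":
    print(demo())   # {'modified': ['game.exe'], 'added': ['dropped.com'], 'removed': []}
```

Two practical caveats: keep the baseline on read-only media, because a virus that can rewrite programs can also rewrite a baseline file stored beside them; and a backup taken after the change faithfully preserves the modified file, so the baseline, not the backup, is what tells you which copy to trust.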


IMPACT AND EFFECTS

Nuisance
Spoofing
Denial of Service
Overwriting and Data diddling
Destruction
Psychological
Netspionage
Siphoning data
Exposing vulnerabilities

Compromise or Loss of Data
Loss of Productivity
Denial of Service
Data Manipulation
Loss of Credibility
Loss of Revenue
Embarrassment


PROTECTION AGAINST VIRUSES

You can protect yourself against viruses with a few simple steps:

Secure Operating System

If you are truly worried about traditional (as opposed to e-mail) viruses, you should be running a more secure operating system like UNIX. You never hear about viruses on these operating systems because the security features keep viruses (and unwanted human visitors) away from your hard disk.

Antivirus Protection

If you are using an unsecured operating system, then buying virus protection software is a nice safeguard.

Symantec Corporation

Symantec Corporation helps make users productive and keep their computers safe and reliable anywhere and anytime. Symantec offers a broad range of solutions and is acclaimed as a leader in both customer satisfaction and product brand recognition. The company is focused on addressing customer needs in three main application areas: the Norton product line of anti-virus and PC-assistance products; the pcANYWHERE, WinFax, and ACT! product lines that cater to remote user productivity; and the Café product lines in Internet development tools. Founded in 1982, the company's global operations span North America, Europe, Japan, and several fast-growing markets throughout Asia Pacific and Latin America. Traded on Nasdaq under the symbol SYMC, Symantec Corporation is based in Cupertino, California, and employs more than 2,000 people.

Unknown Sources Protection

If you simply avoid programs from unknown sources (like the Internet), and instead stick with commercial software purchased on CDs, you eliminate almost all of the risk from traditional viruses. In addition, you should disable floppy disk booting -- most computers now allow you to do this, and that will eliminate the risk of a boot sector virus coming in from a floppy disk accidentally left in the drive.


Macro Virus Protection You should make sure that Macro Virus Protection is enabled in all Microsoft applications, and you should NEVER run macros in a document unless you know what they do. There is seldom a good reason to add macros to a document, so avoiding all macros is a great policy.

Open the Options dialog from the Tools menu in Microsoft Word and make sure that Macro Virus Protection is enabled, as shown.


Email-Virus Protection

You should never double-click on an attachment that contains an executable that arrives as an e-mail attachment. Attachments that come in as Word files (.DOC), spreadsheets (.XLS), images (.GIF and .JPG), etc., are data files and they can do no damage (noting the macro virus problem in Word and Excel documents mentioned above). A file with an extension like EXE, COM or VBS is an executable, and an executable can do any sort of damage it wants. Once you run it, you have given it permission to do anything on your machine. The only defense is to never run executables that arrive via e-mail.

The simple measures to avoid being infected, or to deal with viruses if you are infected, are:

Make users aware of the risks: Tell everyone in the organization that they are at risk if they swap floppy disks, download files from websites or open email attachments.

Install anti-virus software and update it regularly: Anti-virus programs can detect and often disinfect viruses. If the software offers on-access virus checking, use it. On-access checking protects users by denying access to any file that is infected.

Keep backups of all your data: Make sure you have backups of all data and software, including operating systems. If you are affected by a virus, you can replace your files and programs with clean copies.

Forward warnings to one authorized person only: Hoaxes are as big a problem as viruses themselves. Tell users not to forward virus warnings to their friends, colleagues or everyone in their address book. Have a company policy that all warnings go to one named person or department only.

Block files with double extensions at the gateway: Some viruses disguise the fact that they are programs by using a double extension, such as .TXT.VBS, after their filename. At first glance a file like LOVE-LETTER-FOR-YOU.TXT.VBS or ANNAKOURNIKOVA.JPG.VBS may seem to be a harmless text file or a graphic. Any file with double extensions should be blocked at the email gateway.


Block unwanted file types at the email gateway: Many viruses now use VBS (Visual Basic Script) and Windows scrap object (SHS) file types to spread. It is unlikely that your organization needs to receive these file types from outside, so block them at the email gateway.

Change your computer's boot-up sequence: Most computers try to boot from floppy disk (the A: drive) first. Your IT staff should change the CMOS settings so that the computer boots from the hard disk by default. Then, even if an infected floppy is left in the computer, it cannot be infected by a boot sector virus. If you need to boot from floppy at any time, you can have the settings changed back.

Write-protect floppies before giving them to other users: A write-protected floppy cannot be infected.

Subscribe to an email alert service: An alert service can warn you about new viruses and offer virus identities that will enable your anti-virus software to detect them. Sophos has a free alert service.
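As an added example (written for this report, not taken from any gateway product), the double-extension and unwanted-file-type rules above applied to attachment filenames in Python. The EXE, COM, VBS and SHS extensions come from the text; BAT, CMD, SCR and PIF are assumed additions. Each decision carries the reason, so a quarantine notice can say why a file was held.

```python
"""Added example: gateway filename rules for e-mail attachments.

Illustration code for this report. Two rules from the text are applied:
block executable extensions, and block any double extension such as .TXT.VBS."""

# Extensions the report names as executable (EXE, COM, VBS, SHS) plus a few
# assumed additions. Compared in lower case.
EXECUTABLE_EXTENSIONS = {"exe", "com", "vbs", "shs", "bat", "cmd", "scr", "pif"}

def classify_attachment(filename):
    """Return (allowed, reason) for one attachment filename.

    Case and surrounding whitespace are normalised first, so a name like
    'LOVE-LETTER-FOR-YOU.TXT.vbs ' cannot slip past an exact-match check."""
    name = filename.strip()
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]   # drop any path part
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[-1] == "":
        return True, "no extension"
    exts = [p for p in parts[1:] if p]          # every extension after the stem
    if exts[-1] in EXECUTABLE_EXTENSIONS:
        return False, "executable extension ." + exts[-1]
    if len(exts) >= 2:
        return False, "double extension ." + ".".join(exts)
    return True, "data file ." + exts[-1]

def filter_attachments(filenames):
    """Split names into (deliver, quarantine) lists of (filename, reason)."""
    deliver, quarantine = [], []
    for fn in filenames:
        allowed, reason = classify_attachment(fn)
        (deliver if allowed else quarantine).append((fn, reason))
    return deliver, quarantine

if __name__ == "__main__":
    # Constructed sample attachment names, including the two from the text.
    sample = ["LOVE-LETTER-FOR-YOU.TXT.VBS", "ANNAKOURNIKOVA.JPG.VBS",
              "budget.xls", "photo.jpg", "setup.exe", "note.shs", "README"]
    deliver, quarantine = filter_attachments(sample)
    for fn, reason in quarantine:
        print("BLOCK  ", fn, "->", reason)
    for fn, reason in deliver:
        print("DELIVER", fn, "->", reason)
```

Two caveats a practitioner would add. The double-extension rule as the text states it is blunt: a legitimate archive.tar.gz is held too, so in practice an allow-list of known multi-part extensions is maintained beside the block-list. And the filename says nothing about content; a .DOC passes this filter and can still carry a macro, as the text notes above, so the filename check is the first gate, not the last.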


MOBILE VIRUSES
Classification of Mobile Worms and Viruses

Behavior
1) Virus
2) Worm
3) Trojan

Environment
1) Operating System
2) Vulnerable Application

Family name and Variant identifier

Classification (examples)


CURRENT THREATS BY MOBILE MALWARE


For financial gain / loss
Unnecessary calls / SMS / MMS
Send and sell private information

Cause phones to work slowly or crash
Wipe out contact books and other information on the phone
Remote control of the phone
Install false applications
Damage by deleting and modifying data on the mobile phone
Starting to make calls to pay-per-minute numbers
Prevents phone from booting
Drains phone's battery


SPREADING OF VIRUS

Phones that can only make and receive calls are not at risk. Only smartphones with a Bluetooth connection and data capabilities can receive a cell-phone virus. These viruses spread primarily in three ways:

Internet downloads - The virus spreads the same way a traditional computer virus does. The user downloads an infected file to the phone by way of a PC or the phone's own Internet connection. This may include file-sharing downloads, applications available from add-on sites (such as ringtones or games) and false security patches posted on the Symbian Web site.

Bluetooth wireless connection - The virus spreads between phones by way of their Bluetooth connection. The user receives a virus via Bluetooth when the phone is in discoverable mode, meaning it can be seen by other Bluetooth-enabled phones. In this case, the virus spreads like an airborne illness.

Multimedia Messaging Service - The virus is an attachment to an MMS text message. As with computer viruses that arrive as e-mail attachments, the user must choose to open the attachment and then install it in order for the virus to infect the phone. Typically, a virus that spreads via MMS gets into the phone's contact list and sends itself to every phone number stored there.

With Bluetooth, an infected file can be distributed simultaneously to all the devices in its proximity. GPS-enabled mobiles could allow a virus infection to spread on a much larger scale. After all, the virus can access the address book stored on the mobiles. Now just imagine, as smart phones (mobiles equipped with new facilities and technologies such as file storage, personal information storage, Internet transaction facilities, certificate and key storage, and many more in the queue) are being launched into the market at regular short intervals, what a great threat we are living under! In fact our current mobiles are so poorly protected that if a proper virus attack on mobiles were to take place, the whole working of the world would come to a halt.

In all of these transfer methods, the user has to agree at least once (and usually twice) to run the infected file. But cell-phone-virus writers get you to open and install their product the same way computer-virus writers do: the virus is typically disguised as a game, security patch or other desirable application. The Commwarrior virus arrived on the scene in January 2005 and is the first cell-phone virus to effectively spread through an entire company via Bluetooth. It replicates by way of both Bluetooth and MMS. Once you receive and install the virus, it immediately starts looking for other Bluetooth phones in the vicinity to infect. At the same time, the virus sends infected MMS messages to every phone number in your address list. Commwarrior is probably one of the more effective viruses to date because it uses two methods to replicate itself.


WAP THREATS

The use of WAP-enabled mobile phones is booming. Cellular phones with support for WAP (Wireless Application Protocol) allow users to access a wide variety of services. WAP enables users to do on-line banking, monitor stock markets, use email and access the Internet, all from their mobile phones. Future WAP services with positioning support will enable even more advanced services: for example, you could ask your phone to find the closest restaurant in a strange city and your phone would answer back with a map and directions. When it comes to WAP security, why worry? From the outset, vendors of mobile phones and WAP servers have ensured that much consideration was given to confidentiality and privacy issues for WAP data, as well as to user authentication. Add this to the fact that data integrity checking has been taken into account, and you could be forgiven for thinking that the WAP infrastructure is already secure enough. However, we believe that there are still a number of security issues to be resolved. Firstly, there is no content security for the WAP infrastructure, and yet this is where one of the biggest threats typically lies. As we have already seen in the desktop-PC world, content-related security is the single biggest security issue for home and corporate users alike. Even now, we receive an average of seven new PC virus samples every day, with actions that range from benign to potentially catastrophic. In the telecommunications world, content has traditionally been speech, with no security risks involved. Now the content is code, and the whole picture changes. The WAP infrastructure has not taken executable mobile content such as downloadable programs into account from a content-security point of view. The WAP content requested by the mobile device and returned by the origin server can, for example, contain WML cards, which may display text or pictures, working similarly to HTML pages on the Web.
The pages can also contain script written in the WMLScript language, which is a close relative of the JavaScript scripting language. As a side note, several PC viruses written in JavaScript were discovered during 1999 and 2000.


The WLAN weak link

A security weakness in the encryption standard used within IEEE-based WLANs has been uncovered. Three cryptographers have described a practical way of attacking the key scheduling algorithm of the RC4 cipher, in a paper entitled "Weaknesses in the Key Scheduling Algorithm of RC4". The RC4 cipher forms the basis of the WEP encryption that is used in IEEE 802.11b wireless networks. The paper's authors discovered several ways to uncover patterns in packets of information passing over WLANs. These patterns can be used to figure out the WEP encryption "key", the number used to scramble the data being transmitted. Once the key is recovered, it can be used to decrypt the messages. According to the authors, using a longer key (128 bits instead of the current WEP standard of 40 bits) does not make it harder for attackers to uncover the process. The paper provides a more practical approach to breaking RC4 than previous publications and lends fresh urgency to the work of two IEEE groups grappling with the 802.11 vulnerabilities. However, the Wireless Ethernet Compatibility Alliance said enterprise users should continue to use WEP because only skilled cryptanalysts would be able to exploit the weakness. Enterprises could also use several existing tools for additional security, such as VPNs, IPSec and RADIUS authentication servers. In addition, many WLAN vendors have introduced proprietary encryption schemes because of the known weaknesses in WEP. However, these schemes are not interoperable with each other. There have been other problems uncovered in the WEP structure, but the latest discovery is more significant because an attack could be carried out faster and with fewer resources. One emerging solution is from the 802.1x group, which is focused on overall network security and authentication. Another is the 802.11i group, which is making use of some of the 802.1x work to overhaul the identified WEP vulnerabilities.
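As an added example (written for this report, not taken from the paper or from any product), the following Python reproduces the RC4 cipher that WEP is built on and demonstrates a related structural weakness of the WEP construction, rather than the key-scheduling attack the paper describes: because each packet key is the 24-bit IV followed by the fixed secret key, any two packets that reuse an IV are encrypted with the same keystream, and XORing their ciphertexts cancels the keystream and leaves the XOR of the two plaintexts. The RC4 functions are a textbook implementation; the secret key, IVs and packet contents are constructed sample values.

```python
"""Added example: RC4 as WEP uses it, and what IV reuse gives away.

Illustration code for this report. rc4_ksa/rc4_keystream are a plain RC4
implementation; wep_encrypt keys RC4 with IV || secret as WEP does (the CRC-32
integrity value WEP appends is omitted, it does not affect the argument)."""

def rc4_ksa(key):
    """RC4 key-scheduling algorithm: permute 0..255 under the key bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s

def rc4_keystream(key, length):
    """RC4 pseudo-random generation: return `length` keystream bytes."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(secret_key, iv, plaintext):
    """WEP-style packet encryption: keystream from RC4(IV || secret key)."""
    return xor_bytes(plaintext, rc4_keystream(iv + secret_key, len(plaintext)))

def keystream_reuse_demo(secret_key=bytes.fromhex("0badc0ffee"),   # constructed 40-bit key
                         iv=bytes.fromhex("010203")):              # constructed 24-bit IV
    """Two constructed packets sent under one IV share a keystream, so the XOR
    of their ciphertexts equals the XOR of their plaintexts. A fresh IV gives a
    different ciphertext for the same packet."""
    p1 = b"GET /index.html"    # constructed packet contents
    p2 = b"PASS: hunter2!!"
    c1 = wep_encrypt(secret_key, iv, p1)
    c2 = wep_encrypt(secret_key, iv, p2)
    other_iv = bytes.fromhex("010204")
    return {
        "same_iv_leaks_plaintext_xor": xor_bytes(c1, c2) == xor_bytes(p1, p2),
        "different_iv_differs": wep_encrypt(secret_key, other_iv, p1) != c1,
    }

if __name__ == "__main__":
    print(keystream_reuse_demo())
```

With only 24 bits of IV, repeats are inevitable on a busy network, and, as the paper's authors say of their own attack, a longer secret key does not help, because the weakness lies in how the key is formed and used, not in its length. That is why the structural overhaul pursued by the 802.11i group, rather than longer WEP keys or vendor-specific variants, is the remedy a defender should be waiting for.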
These initiatives are scheduled to be finalized by year end and vendors are likely to have products out soon.

Potential PDAs Problems

What about palmtop computers and PDAs: can they be infected by computer viruses? PDAs run specially written, scaled-down operating systems, such as EPOC, PalmOS or PocketPC. They are often connected to home or office PCs to synchronize the data between the two machines. This presents an opportunity for viruses to spread onto them. Yet no viruses currently exist for the PocketPC and EPOC operating systems, although there is no technical reason why they could not be written. There is a virus called Palm/Phage, which is able to infect Palm OS, but it is not in the wild and poses little threat. Nonetheless, it is sensible to keep backups of any Palm applications and data. There is also a Trojan horse known as Palm/Liberty-A, which is able to infect the Palm OS. It deletes Palm OS applications and was distributed in the 'warez' community. Like Phage, it is low risk and you are unlikely to ever encounter it.

Bluetooth Bugs

Bluetooth is a standard for low-power radio data communication over very short distances. Computers, mobiles, fax machines and even domestic appliances, like video recorders, can use Bluetooth to discover what services are provided by other nearby mobile devices and establish transparent links with them. Software that utilizes Bluetooth is currently emerging. For example, Sun's Jini technology allows devices to form connections, exchange Java code automatically and give remote control of services. The worry is that an unauthorized user, or malicious code, could exploit Bluetooth to interfere with these services. However, Bluetooth and Jini are designed to ensure that only trusted code from known sources can carry out sensitive operations. For now, this means that it is highly unlikely for a virus outbreak to occur.

History

The first instance of a mobile virus occurred in June 2004 when it was discovered that a company called Ojam had engineered an anti-piracy Trojan virus in older versions of their mobile phone game Mosquito. This virus sent SMS text messages to the company without the user's knowledge. This virus was removed from more recent versions of the game; however, it still exists on older, unlicensed versions. These older versions may still be distributed on file-sharing networks and free software download web sites. In July 2004, computer hobbyists released a proof-of-concept mobile virus named Cabir. This virus replicates itself on Bluetooth wireless networks.


CASE STUDIES
CABIR

As recently as this spring, the idea of a virus that infects mobile phones was a scary bedtime story for the wireless industry, viewed in a similar vein as the threat of global warming: important but not imminent. All that changed in June when the world got a glimpse of the first mobile phone virus, Cabir. Since then, the industry has been scrambling to prepare itself for Cabir's offspring, hoping to divine the best defense strategies before the scary bedtime story becomes reality. Cabir is the first ever computer virus that can infect mobile phones and has been discovered by the French arm of Kaspersky Labs, a Russian security software developer. Cabir can spread via cell phones and is the first malicious code with such ability. Anti-virus software developers, however, have yet to detect any harmful effects of the virus on cell phones. Kaspersky Labs said that Cabir seems to have been developed by some global group that specializes in creating viruses to demonstrate that 'no technology is reliable and safe from their attacks.' The developers of Cabir apparently have not designed the virus -- or worm -- to propagate on a massive scale, but to demonstrate that cell phones and PDAs can be infected by malicious code. This malicious code spreads to devices that run under Symbian OS, which is used in many models of phones, including some manufactured by Nokia, Siemens and Sony Ericsson. Cabir spreads in a file called 'Caribe.sis,' which installs itself automatically on the system when the user accepts the transmission. It displays a message on the screen with the text 'Caribe' and then starts a continuous search for other devices to send itself to, although these must be connected via Bluetooth technology. Bluetooth's transmission range is 30 feet. The virus is only able to jump from phone to phone within that range. Also the phone must have the correct OS installed and the appropriate settings -- that is, it has to be set for a known number.
It is able to scan for phones that are also using Bluetooth and sends a copy of itself to the first handset that it finds.

On the other hand, it is possible that the Caribe.sis file copies itself to other Bluetooth devices, such as some printers. Cabir uses Symbian Series 60 phones to replicate itself, sending a clone to the first Bluetooth-enabled device it can find in the area (even a printer) once a user OKs two installation prompts. It was launched as a proof of concept by a member of 29A Labs, a group of Eastern European hackers who develop innocuous viruses with the benevolent aim of exposing security weaknesses. Their incentive to create Cabir was likely the notoriety of boasting the world's first mobile phone virus. (Security nerds call Cabir a worm, not a virus, because it does not attach itself to a host program. Even bigger security nerds point out that Cabir is not a worm because it cannot propagate itself; it relies on the user to do so by actively installing it. Symbian refers to it as malware.) Cabir had no real payload, no harmful effect other than the word 'Caribe' displayed on infected devices, and it was sent directly to security experts rather than the general population, but it proved its concept as planned and sparked a wave of fear that a less scrupulous group of hackers would build on Cabir's design to unleash something far more sinister. "It was a mid-summer wake-up call to the mobile phone industry," said Richard Wong, general manager of messaging and anti-abuse at software vendor Openwave Systems. According to the anti-virus software developer F-Secure, the discovery of Cabir is proof that the technologies to create viruses for mobile phones are now available and are now known to the writers of computer viruses. Anti-virus experts have been warning for months that mobile phone viruses are set to multiply, given the increasingly diverse uses of mobile phones.

COMMWARRIOR

In March 2005 it was reported that a computer worm called Commwarrior-A has been infecting Symbian Series 60 mobile phones.
This worm replicates itself through the phone's Multimedia Messaging System (MMS). It sends copies of itself to other phone owners listed in the phone user's address book. Although the worm is not considered harmful, experts agree that it heralds a new age of electronic attacks on mobile phones.

SKULLER

Skuller was the first real Trojan for the Symbian OS. The Trojan appeared as a program which would offer new wallpapers and icons for Symbian OS. Installing the program led to the standard application icons being replaced with a skull and crossbones. At the same time it would overwrite the original applications, so that the applications ceased to work. Once the smart phone has been infected it can only be used to make calls.

Doomboot (discovered July 2005)
TYPE AND METHOD OF INFECTION: Pretends to be a version of the Doom 2 video game, enticing users to download and install it.
EFFECTS: Prevents the phone from booting. Installs Cabir and CommWarrior on the phone.

FlexiSpy (discovered March 2006)
TYPE AND METHOD OF INFECTION: Internet download, typically installed by someone other than the phone owner.
EFFECTS: Sends a log of phone calls and copies of text and MMS messages to a commercial Internet server for viewing by a third party.

In August 2010, Kaspersky Lab reported that the first malicious program for smartphones running Google's Android operating system, named Trojan-SMS.AndroidOS.FakePlayer.a and classified as a Trojan-SMS, had been detected. It has already infected a number of mobile devices.[2] It sends SMS messages to premium-rate numbers without the owner's knowledge or consent, which can run up huge bills. As a security precaution, Android users are advised to download applications only from trusted sources.
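The Trojan-SMS behaviour just described (silent texts to premium-rate numbers) is what a defender would look for in outbound SMS records. The detector below is an added example, not code from the report or from Kaspersky; the log format, the package names, the short-code rule and the allow-list are all constructed assumptions.

```python
"""Detection logic for the Trojan-SMS behaviour described above, run over a few
constructed log lines. Added example, not code from the report or Kaspersky."""
import re
from collections import defaultdict

# Hypothetical log format: "<epoch> pkg=<package> to=<number> src=<ui|background>"
LOG_RE = re.compile(r"^(?P<ts>\d+) pkg=(?P<pkg>\S+) to=(?P<to>\+?\d+) src=(?P<src>ui|background)$")
PREMIUM_RE = re.compile(r"^\d{4,6}$")   # short codes; constructed rule, not a real registry
TRUSTED_SENDERS = {"com.android.mms"}    # hypothetical allow-list: the stock messaging app
BURST_THRESHOLD, BURST_WINDOW_S = 3, 60  # N messages inside W seconds counts as a burst


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = int(ev["ts"])
    return ev


def analyse(lines):
    """Map each untrusted package to the sorted list of indicators it triggered."""
    findings = defaultdict(set)
    stamps = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["pkg"] in TRUSTED_SENDERS:
            continue
        stamps[ev["pkg"]].append(ev["ts"])
        if PREMIUM_RE.match(ev["to"]):
            findings[ev["pkg"]].add("premium-rate destination")
        if ev["src"] == "background":
            findings[ev["pkg"]].add("sent without user interaction")
    for pkg, ts in stamps.items():
        ts.sort()
        # any run of BURST_THRESHOLD consecutive sends within BURST_WINDOW_S seconds
        for i in range(len(ts) - BURST_THRESHOLD + 1):
            if ts[i + BURST_THRESHOLD - 1] - ts[i] <= BURST_WINDOW_S:
                findings[pkg].add("burst of messages")
                break
    return {pkg: sorted(reasons) for pkg, reasons in findings.items()}


# Constructed sample: a disguised media player silently texting short codes.
SAMPLE_LOG = [
    "1000 pkg=com.android.mms to=+15551234567 src=ui",
    "1005 pkg=org.example.fakeplayer to=3353 src=background",
    "1010 pkg=org.example.fakeplayer to=3354 src=background",
    "1015 pkg=org.example.fakeplayer to=3353 src=background",
    "2000 pkg=com.example.weather to=+15557654321 src=ui",
    "not a log line",
]
```

Running `analyse(SAMPLE_LOG)` flags only the fake player, on all three indicators; the weather app's single user-initiated text to a normal number produces nothing.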


VIRUS ACTIONS
The only way to deal with these threats is to secure all remaining gaps in WAP security before such attacks are mounted. The industry is in a unique position to benefit from past experience and proactively prevent the type of weaknesses in infrastructure that caught us unaware in past computer incidents. There are no viruses on WAP yet, so we still have time to react. Before we consider the key security issues, and the solutions that will help identify and meet WAP content security risks, it is best to understand how a basic WAP network is composed. There are three logical components: the WAP client (or mobile terminal), the WAP gateway and the origin server. The origin server is located in the traditional Internet domain and functions like an ordinary Web server by providing storage for WAP content. The WAP gateway interconnects the Internet domain with the mobile network domain by providing the mobile terminal with Internet access. The mobile terminal roams in the mobile network and sends encoded content requests to the origin server via the WAP gateway. WAP needs more functionality in order to be useful and to really get off the ground. Unfortunately, more functionality means more risk. The power of WAP devices is set to increase dramatically, with future functions set to be included in the WAP specification in the near future. Such functions include making phone calls, accessing and modifying phone book data, and sending Short Messaging Service (SMS) messages. With such functionality available to WML scripts, it is not difficult to imagine a virus which would spread by accessing your phone book and sending a link to itself in SMS text messages to all the phone numbers found within. Subsequently, the virus could do damage by either deleting or modifying your phone book, or by starting to make phone calls to pay-per-minute numbers in the middle of the night. With such a feature, virus writers could easily make money with their viruses, thus providing an obvious motivation. As WML increases in sophistication, so do the opportunities for creating more sophisticated malicious code.


PROTECTION AGAINST MOBILE VIRUS

The Symbian OS (operating system) smart phones will provide on-device protection, similar in fashion to antivirus protection programs for PCs, with automatic over-the-air antivirus updates for a monthly fee. The software will not come loaded on the device, but can be downloaded from the F-Secure Web site, according to Nokia. The Nokia 6670 will be the first mobile phone in its Series 60 line to offer the mobile virus protection, though users of other Series 60 mobile phones will also be able to purchase the antivirus protection software. F-Secure is also in talks with other handset manufacturers about offering similar antivirus protection. He declined to name any companies or set out potential dates for availability. "This announcement is a starting point for us, and we have been testing the service with a variety of handsets from different vendors and in several operator networks." Nokia, based in Espoo, Finland, already offers antivirus software through F-Secure for its Communicator line of mobile devices, but the protection offered for the Nokia 6670 is a greatly improved version in terms of both features and pricing options. "The first general offering for the mobile antivirus software came a couple of years ago, but this version has a whole new infrastructure. For example, it has a patented SMS (short message service) update mechanism and HTTPS (Hypertext Transport Protocol Secure) connections. Plus, there is a big difference in the actual client." The monthly pricing plan is also a first for F-Secure. The first month of the service will be a free trial period, and thereafter users will be charged a licensing fee that will include the cost of updates, he said. "Before you paid on a yearly basis, but by paying monthly, you just buy the protection that you need." The final decision about pricing has yet to be made but will be finalized by the time the phone ships "some time in October." According to the company's current estimates, the antivirus mobile protection licence will cost about €2.95 ($3.62) per month, but early buyers will most likely be offered a discounted price of €1.95 per month. The handset will have an estimated retail price of €500 without taxes, according to Nokia. "That price will vary from market to market."


The Nokia 6670 will come in two tri-band versions, optimized for GSM (Global System for Mobile Communications) networks in the EMEA (Europe, Middle East and Asia) markets (on the 900MHz, 1800MHz and 1900MHz bands) and in the Americas (on the 850MHz, 1800MHz and 1900MHz bands). Both versions will be able to roam in GSM networks across regions. Nokia is also offering additional security through its mobile VPN (virtual private network) client and SSL (Secure Sockets Layer) encryption for Web-based applications. Lehmusvirta stressed that there is nothing about the Nokia 6670 that makes it particularly susceptible to viruses and that Nokia knows of no capabilities within any of its devices that a virus might exploit. The rationale behind the phone is as a smart phone targeted at business users who use data in their daily work, and we want to offer them some security for that data. There has been a common perception for many years across the entire industry that mobile devices will become a target of viruses, though to date this kind of threat is small. We want to begin protecting against it now. After a series of three malicious programs targeting wireless devices were discovered between June and August, security specialists stepped up their warnings of the pending possibility of serious attacks against mobile phones and PDAs (personal digital assistants). In June, antivirus company Kaspersky Labs Ltd. said it discovered Cabir, a network worm infecting phones running the Symbian mobile phone operating system by Symbian Ltd. At the time, the company characterized Cabir as the first-ever computer virus capable of spreading over mobile phone networks. Cabir was followed in August by the discovery of the so-called Backdoor.Brador.A virus, a Windows CE Trojan horse program designed to give attackers control over Pocket PC mobile devices. A few days later, a Symbian Trojan program infecting phones using the Series 60 user-interface platform cropped up, with the ability to make the phones send text messages without the knowledge of the user. The threats we saw for the first time this summer have not been big ones, but they were a proof of concept in a way. This shows that hackers and virus writers are targeting all types of mobile handsets. There is no reason to panic, but it is good to be ready, to prepare for the future with protective insurance. We learned that from the PC world.

F-Secure claims its mobile anti virus software service is the first commercially available product for protecting Symbian OS smart phones but similar programs can be expected in the very near future. With the convergence of both the fixed and the wireless worlds, comes the increasing need to monitor not just for malicious code but also for an influx of Spam that could clog up networks. It isn't an issue today, but it's a potential issue that could exist down the line.


COMMON PROTECTION AGAINST MOBILE MALWARE


Non-discoverable Bluetooth - Switch to Bluetooth hidden mode. If your phone has Bluetooth capability, ensure that it is switched to hidden or invisible mode unless you specifically need it to be visible. This will help prevent other Bluetooth-enabled devices from finding your phone (unless you grant them the necessary permission) and will therefore help protect your phone from worms that spread using Bluetooth wireless technology.

Install antivirus software.

Firmware updates - Apply firmware updates.

Don't use untrusted sites and software.

Infection scanners at public locations.

Scanning at a gateway or during data transfer: In the near future, the best way to protect mobile devices may be to check data when you transfer it to or from them. For mobile phones, for example, the WAP gateway might be a good place to install virus protection. All communications pass through this gateway in unencrypted form, so it would be an ideal place for virus scanning. For palmtop computers, you could run virus protection when the palmtop is synchronizing data with a conventional PC.

Virus scanning on the mobile device: As mobile devices become more interconnected, it will become difficult to police data transfer at a central point. The solution will be to put anti-virus software on each device once the devices have sufficient processing power and memory.
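Gateway-side scanning of the kind the two measures above propose, as an added example that is not part of the report: a fan-out detector an MMS or WAP gateway could run, flagging a subscriber who sends one attachment (identified by SHA-256, so renaming it does not help) to many recipients in a short window, which is the Commwarrior pattern from the case studies. The record format, phone numbers, thresholds and attachment bytes are all constructed assumptions.

```python
"""Gateway-side scanning as proposed above: flag a subscriber who sends the same
attachment to many contacts in a short time (Commwarrior-style MMS fan-out).
Added example, not the report's own code; records and numbers are constructed."""
import hashlib
from collections import defaultdict

FANOUT_THRESHOLD = 5   # distinct recipients of one attachment...
WINDOW_S = 300         # ...within this many seconds; constructed policy values


def attachment_id(data):
    """Identify an attachment by content, not filename, so renaming does not evade it."""
    return hashlib.sha256(data).hexdigest()


def detect_fanout(records, threshold=FANOUT_THRESHOLD, window=WINDOW_S):
    """records: iterable of (epoch_seconds, sender, recipient, attachment_bytes).
    Returns {(sender, attachment_sha256): distinct_recipients} for suspicious pairs."""
    by_key = defaultdict(list)
    for ts, sender, rcpt, data in records:
        by_key[(sender, attachment_id(data))].append((ts, rcpt))
    alerts = {}
    for key, events in by_key.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # count distinct recipients in the window that opens at this event
            seen = {r for t, r in events[i:] if t - start <= window}
            if len(seen) >= threshold:
                alerts[key] = len(seen)
                break
    return alerts


# Constructed traffic: one handset spraying a fake installer to six contacts,
# and a normal user sending a photo to two friends.
WORM = b"constructed fake installer bytes (not a real .sis file)"
PHOTO = b"constructed holiday photo bytes"
SAMPLE = [(1000 + i * 10, "+15550000001", "+1555001%04d" % i, WORM) for i in range(6)]
SAMPLE += [(1000, "+15550000002", "+15550000003", PHOTO),
           (1020, "+15550000002", "+15550000004", PHOTO)]
```

`detect_fanout(SAMPLE)` reports the first sender with six distinct recipients of the same attachment and nothing for the photo sender; tightening the window to 20 seconds makes the alert disappear, which is the trade-off a gateway operator tunes.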


Enable Bluetooth only when it is needed: Disable Bluetooth if it is not in use. This will prevent the mobile from being affected by viruses and will also make the battery last longer, as Bluetooth consumes a lot of power. But if you have to keep it on, then at least keep it in invisible mode.

Don't install unexpected applications: If your Bluetooth is on and you are receiving a file, be alert. Accept only the files you are expecting.

Never download cell phone applications from file-sharing networks: It is strongly recommended to scan all cell phone applications, even those downloaded from an official web site, with antivirus software on your computer. Some of them do detect cell phone viruses.


CONCLUSION

Viruses are not evil, and programmers have a right to create them, possess them and experiment with them. But we should never support those people who write viruses of a destructive nature. If you do create a virus, though, be careful with it. Make sure you know it is working properly, or you may wipe out your own system by accident. And make sure you don't inadvertently release it into the world.

In order to deal with viruses it is necessary to have a deep knowledge of the way in which different viruses exploit our systems' weaknesses, thereby causing destruction of data or hampering of security. Furthermore, it is also impossible to create an antivirus against a particular virus without knowing the way it affects our system.


REFERENCE
http://en.wikipedia.org/wiki/Timeline_of_computer_viruses_and_worms
www.mobile.f-secure.com
www.free-av.com
www.zdnet.com.au
www.scribd.com
www.physorg.com
www.hoax-slayer.com/mobile-phone-virus-hoax.html
www.wisegeek.com
Operating system principles
Srivaths Ravi, Anand Raghunathan and Nachiketh Potlapally, Securing Wireless Data: System Architecture Challenges, Computer & Communications Research Labs, NEC USA, Princeton.
Bose, Shin, Proactive Security for Mobile Messaging Networks, WiSe '06, September 29, 2006.
http://www.viruslist.com/en/analysis?pubid=198981193
http://www.viruslist.com/en/analysis?pubid=200119916
http://www.viruslist.com/en/analysis?pubid=201225789
http://electronics.howstuffworks.com/cell-phone-virus.htm
Norman, Norman book on Computer Virus, Norman ASA, 2003.
Dan Xu, Xiang Li, and Xian Fan Wang, Mechanisms for Spreading of Computer Virus.
Karsten Johansson, COMPUTER VIRUSES: The Technology and Evolution of an Artificial Life Form, 1994.


ABSTRACT
A computer virus is a small software program that targets computers and spreads from one computer to another computer and that interferes with computer operation. A computer virus may corrupt or delete data on a computer, use an e-mail program to spread the virus to other computers, or even delete everything on the hard disk.

A mobile virus is an electronic virus that targets mobile phones or wireless-enabled PDAs. As wireless phone and PDA networks become more numerous and more complex, it has become more difficult to secure them against electronic attacks in the form of viruses or other malicious software (also known as malware). Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. Although mobile phone virus hoaxes have been around for years, the so-called Cabir virus is the first verified example.


CONTENTS

Introduction 1
Virus, what is it? 3
Tools needed for writing viruses 6
Types of virus 7
Behavioral classifications of viruses 11
Timeline of computer viruses and worms 13
Execution of virus 24
Impacts and effects 25
Protection against virus 26
Classification of mobile worms and viruses 30
Current threats by mobile malware 31
Spreading of virus 32
WAP threats 34
Case studies 37
Virus actions 40
Protection against mobile virus 41
Common protection against mobile malware 44
Conclusion 46
References 47
