
Basic Computer Security
A course on Malware
Notes on malware and basic measures for dealing with viruses

Harvest Media, 2/20/2011
Computer Viruses
Definitions
A virus, or more generally malicious code, can be defined as any computer program, or part
of a computer program, that is designed to take an action the end user would not knowingly
permit. This action might be intended as a joke, such as a funny message appearing on the
screen, or the code may render other programs useless. At its worst, malicious code may
wipe an entire hard disk.

Transmission
A computer virus is transmitted from computer to computer much like a biological virus
passes from person to person. Like a biological virus, the computer virus is able to replicate
itself, often using some of the host's resources to do so, and it requires a host program in
order to function. According to Fred Cohen, an expert in information protection, a virus is
“a computer program that can infect other computer programs by modifying them in such a
way as to include a (possibly evolved) copy of itself”.

Note that any program that transmits itself as defined above is considered a virus under this
definition, whether or not its intent is malicious. Viruses may be further divided into several
different types, which are discussed below.

File infectors piggyback on (usually executable) program files. The virus replicates whenever
the infected file is executed, attaching itself to more files. A "direct-action" file infector
infects other programs only while a program it has infected is running, whereas a
"resident" file infector installs itself in the computer's random access memory (RAM) and
infects programs as they are opened. Either way, the virus gets around.

Boot sector infectors are not the huge problem that they used to be, mainly because
manufacturers have added protection against writes to the boot sectors of their storage
media. The goal of a boot sector infector is to modify the section of the disk that is used to
start up the computer, so that it runs before the operating system and any antivirus software
do. For this reason, it is important to boot a computer that may be infected with a virus
from a "clean" (uninfected) disk before scanning it.

To stand the best chance of longevity, a virus must be difficult to detect and remove. Virus
authors have pursued this goal in a number of interesting ways. Listed below are the
different types of viruses named according to their behaviour.

A stealth virus actually hides the damage it has done. In order to operate, the virus modifies
critical files or the boot sector of a hard disk. When the operating system asks for the status
of the modified files, the stealth virus returns a phony answer, hoping to fool the system
(including any active virus detection software) into believing that everything is just fine.
Since a stealth virus must be resident in memory to intercept those requests, however, a
memory scan can sometimes catch it.

A polymorphic virus produces copies of itself that differ in form from the original but still
deliver whatever payload the virus carries. Typically the body is encrypted with a different
key in each copy, and only a small, varying decryption routine runs in the clear. The hope is
that a virus scanner will not recognise every instance of the virus, leaving a few behind.

An armoured virus is difficult to trace, because it is encoded with special tricks or decoys
that make it difficult to understand its code and its source.

Unlike a virus, a worm does not require a host program in order to survive and propagate
itself, as it is a self-contained program. It sends itself, or parts of itself, to other computers,
most often through a network connection. Once introduced to a network, the worm looks
for other machines with a specific security "hole" (an unpatched vulnerability), installs
itself on those machines, and then begins replicating from them. A famous example of a
worm is the Code Red worm, which replicated itself more than 250,000 times in nine hours
on July 19, 2001.

Similar to a worm, a Trojan horse is a complete computer program unto itself. Its
uniqueness stems from the fact that it is usually consciously installed and launched by the
unaware user. The Trojan horse purports to do one thing, but in reality does another. It may
be disguised as a game or free program, for example, but actually does some form of
damage. Unlike worms and viruses, the Trojan horse cannot reproduce independently.

The most common Trojan horses are used to steal information from an unknowing user,
such as passwords and account numbers.

Signs that malicious code may be present include:

- An unexplained increase in file size
- Many unexpected disk accesses
- Changes in file update or modification timestamps
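As an added illustration (not part of the original notes), the script below turns those indicators into a baseline integrity check: it records the size, modification time and a SHA-256 hash of every file under a directory, then compares a later snapshot against the baseline. The file tree, the "viral" bytes and the tampering are all constructed for the demo. It also makes a point the list above does not: a hash catches an edit that preserves both size and timestamp, which is exactly what a stealthy infector tries to do.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Added example (not from the course notes): baseline-and-compare check for the
# indicators above. Everything is built in a temporary directory so the script
# runs offline and cleans up after itself.


def fingerprint(path: Path) -> dict:
    """Record size, modification time (ns) and a SHA-256 digest of the contents."""
    st = path.stat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": digest.hexdigest()}


def baseline(root: Path) -> dict:
    """Fingerprint every regular file under root, keyed by POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(before: dict, after: dict) -> dict:
    """Per-file findings: 'grew', 'touched' (mtime changed), 'modified' (hash changed),
    'new' or 'missing'. Files with no findings are left out."""
    findings = {}
    for name in sorted(set(before) | set(after)):
        if name not in before:
            findings[name] = ["new"]
        elif name not in after:
            findings[name] = ["missing"]
        else:
            b, a = before[name], after[name]
            issues = []
            if a["size"] > b["size"]:
                issues.append("grew")
            if a["mtime_ns"] != b["mtime_ns"]:
                issues.append("touched")
            if a["sha256"] != b["sha256"]:
                issues.append("modified")
            if issues:
                findings[name] = issues
    return findings


def demo() -> dict:
    """Build a tiny file tree, baseline it, simulate two kinds of tampering, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        exe = root / "bin" / "app.exe"
        exe.write_bytes(b"MZ" + b"\x90" * 64)  # constructed stand-in for a program file
        note = root / "readme.txt"
        note.write_text("hello\n")
        before = baseline(root)

        # 1. A file infector appends its code to the program: size and hash change.
        with exe.open("ab") as fh:
            fh.write(b"\xeb\xfe" * 8)  # constructed, inert bytes; not real malware

        # 2. A stealthier edit keeps size and timestamp: same-length content, mtime put back.
        old = note.stat()
        note.write_text("hallo\n")
        os.utime(note, ns=(old.st_atime_ns, old.st_mtime_ns))

        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for name, issues in demo().items():
        print(f"{name}: {', '.join(issues)}")
```

The stored baseline itself must live somewhere the malware cannot rewrite (read-only media or another machine), otherwise a resident infector can simply update it.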

Protecting Against Viruses
Introduction
Protecting one's data against viruses is more of a lifestyle than a single "one size fits all"
method. What we mean is that you need both procedures that keep viruses from reaching
the computer and antivirus software that complements those procedures.

So you cannot download pirated books or free videos from a dubious website and then ask
the technician for the best antivirus to use; no product makes up for careless habits. Before
we move on to these procedures, let us look at the basic software used to protect a
computer from virus attacks.

Virus Protection Programs


There are many programs that can help you keep viruses and other wildlife away from your
system and can wipe out the critters if they gain access. Known as virus protection
programs, these programs are available from both commercial and public domain sources.
These products, and the system administration procedures that go along with them, have
two overlapping goals: they don't let you run a program that's infected, and they keep
infected programs from damaging your system.

Firewalls

A firewall protects your computer by examining each packet that travels over the network.
Clues to a packet's purpose can be read from its source and destination addresses and its
port numbers. Firewalls hold a list of allowed and disallowed addresses and functions. If a
packet is heading for a forbidden address, or comes from one, the firewall stops it. If a
packet is heading for a valid address but its port identifier (the clue to the packet's function)
is unknown or disallowed, the firewall stops that packet as well. Stateful firewalls go further:
they keep track of outgoing packets and admit an incoming packet only if it is the expected
reply to one of them.

The role of a firewall in preventing active threats such as worms and viruses is that these
pests often try to enter a computer through unexpected paths, such as port numbers that
are unmonitored or unusual. The firewall examines each packet and discards those that are
unexpected or disallowed.
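The three checks just described, as an added example that is not part of the original notes: a toy stateful packet filter that drops traffic to or from forbidden addresses, allows inbound traffic only to ports the host deliberately exposes, and otherwise admits an inbound packet only when it answers a connection the host opened. The `Packet` class, the addresses (RFC 5737 documentation ranges) and the traffic are all constructed for the demo.

```python
from dataclasses import dataclass

# Added example (not from the course notes): a minimal stateful packet filter.
# Real firewalls track protocol state (TCP flags, timeouts) as well; this keeps
# only the parts needed to show the three rules in the text.


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out": host -> network, "in": network -> host


class Firewall:
    def __init__(self, blocked_addrs, allowed_in_ports):
        self.blocked = set(blocked_addrs)        # forbidden sources/destinations
        self.allowed_in = set(allowed_in_ports)  # services the host may expose
        self.conntrack = set()                   # (peer, peer_port, local_port) the host opened

    def check(self, p: Packet) -> str:
        # Rule 1: a forbidden address in either direction is dropped outright.
        if p.src in self.blocked or p.dst in self.blocked:
            return "drop: forbidden address"
        # Outbound traffic is allowed and remembered so that its reply can come back.
        if p.direction == "out":
            self.conntrack.add((p.dst, p.dport, p.sport))
            return "allow: outbound"
        # Rule 3 (stateful): an inbound packet that answers a connection we opened.
        if (p.src, p.sport, p.dport) in self.conntrack:
            return "allow: reply to outbound"
        # Rule 2: inbound to a port we deliberately listen on.
        if p.dport in self.allowed_in:
            return "allow: permitted service port"
        # Everything else, including worm-style probes of odd ports, is dropped.
        return "drop: unexpected inbound port"


def demo() -> list:
    """Run constructed traffic through the filter and return the verdicts in order."""
    fw = Firewall(blocked_addrs={"198.51.100.66"}, allowed_in_ports={22})
    host, web, scanner, bad = "192.0.2.10", "203.0.113.5", "203.0.113.99", "198.51.100.66"
    traffic = [
        Packet(host, 51000, web, 80, "out"),       # host fetches a web page
        Packet(web, 80, host, 51000, "in"),        # the reply to that request
        Packet(scanner, 40000, host, 4444, "in"),  # unsolicited probe of an unusual port
        Packet(scanner, 40001, host, 22, "in"),    # inbound to a port the host exposes
        Packet(bad, 80, host, 51001, "in"),        # anything from a blocked address
        Packet(host, 51002, bad, 80, "out"),       # ...or to one
    ]
    return [fw.check(p) for p in traffic]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Note that the probe of port 4444 is dropped not because the port is known to be bad but because nothing on the host asked for it and nothing listens there; that default-deny posture is what blocks a worm scanning for an open service.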

Antiviruses

Virus protection software uses two main techniques. The first uses signatures, which are
snapshots of the code patterns of the virus. The antivirus program lurks in the background
watching files come and go until it detects a pattern that aligns with one of its stored
signatures, and then it sounds the alarm and maybe isolates or quarantines the code.
Alternatively, the virus protection program can go looking for trouble. It can periodically
scan the various disks and memory of the computer, detecting and reporting suspicious
code segments, and placing them in quarantine.

One problem with signature-based virus protection programs is that they require a constant
flow of new signatures in response to evolving attacks. Their publishers stay alert for new
viruses, determine the signatures, and then make them available as updated virus definition
tables to their users. To access the new tables, users typically download them from the
World Wide Web.

Of course, as the number of viruses increases (and it shows no signs of abating), the tables
get progressively larger, making frequent updates somewhat of a chore. This is particularly a
problem in the case of memory-limited devices such as palm-top computers or intelligent
cell phones.

Another problem is the zero-day problem: a user trips over a new virus before the publisher
discovers it and can issue an updated signature, so the scanner has nothing to match.

A third problem is that, just as with biological pathogens, viruses can mutate. Sometimes
this happens accidentally; other times it happens because a clever programmer uses a
packer (file compression software) to change the signature of the virus while it is dormant,
or even gives it the ability to be self-garbling. This means it can change its own form by
inserting extra statements or random data, to elude signature detection.

To counter these worries, virus protection publishers are adding what is called heuristic
detection features to their wares. Basically, a heuristic is a rule or behaviour. If a virus
exhibits that behaviour, the antivirus software tries to stop it in the act. For instance, a code
snippet that suddenly accesses a critical operating system area or file, such as a file table
definition sector on a hard drive, is likely up to no good, and should be stopped. Other risk
indicators include unexplained changes in file size, particularly in system files, sudden
decreases in available hard disk space, or changes in file time or date stamps.
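The signature-versus-mutation problem above, and the polymorphic virus described earlier, as an added example that is not part of the original notes. It contains a plain byte-signature scanner, a constructed "self-garbling" mutation that XOR-encodes the body under a different key per copy (enough to defeat the signature), and the decode-then-scan technique (often called X-raying) that heuristic engines use to see through it. The signature, the decoder marker and every sample are made up for the demo; none of it is real malware.

```python
# Added example (not from the course notes). SIGNATURES and DECODER_STUB are
# constructed values standing in for a real signature and a variant's fixed
# decryption routine; the "programs" are harmless byte strings.

SIGNATURES = {"demo-virus": b"\xde\xad\xbe\xef\x13\x37"}  # constructed pattern
DECODER_STUB = b"DEC:"  # constructed stand-in for the decryptor loop every copy carries


def signature_scan(data: bytes) -> list:
    """Plain pattern match: report every signature that appears verbatim."""
    return sorted(name for name, sig in SIGNATURES.items() if sig in data)


def polymorph(body: bytes, key: int) -> bytes:
    """Make a variant: fixed stub, one key byte, then the body XOR-garbled with that key.
    Each key yields a different byte pattern, so a signature on the body no longer matches."""
    return DECODER_STUB + bytes([key]) + bytes(b ^ key for b in body)


def xray_scan(data: bytes) -> list:
    """Heuristic counter-measure: wherever the decryptor stub appears, try every
    single-byte key on the bytes after it and re-scan the decoded output. Real engines
    emulate the decryptor instead of brute-forcing, but the idea is the same."""
    hits = set(signature_scan(data))
    start = data.find(DECODER_STUB)
    while start != -1:
        garbled = data[start + len(DECODER_STUB) + 1:]  # skip the stub and the key byte
        for key in range(256):
            hits.update(signature_scan(bytes(b ^ key for b in garbled)))
        start = data.find(DECODER_STUB, start + 1)
    return sorted(hits)


def demo() -> dict:
    """Scan a clean file, an infected file and two garbled variants with both scanners."""
    clean = b"ordinary program bytes with nothing suspicious in them"
    infected = b"program header" + SIGNATURES["demo-virus"] + b"rest of program"
    variants = [polymorph(infected, k) for k in (0x41, 0x9C)]
    return {
        "signature_on_clean": signature_scan(clean),
        "signature_on_infected": signature_scan(infected),
        "signature_on_variants": [signature_scan(v) for v in variants],
        "xray_on_variants": [xray_scan(v) for v in variants],
        "xray_on_clean": xray_scan(clean),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The signature scanner misses both variants even though their payload is byte-for-byte the same once decoded, which is why definition updates alone cannot keep up; the X-ray pass recovers the match without needing a new signature per key.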

Control Procedures
Let us now go back to the procedures we must undertake as part of our goal to conquer
viruses. Operating an information system requires the use of controls to manage the
organization's information security environment.

The following is a list of control measures.

1. Administrative controls - advise staff of the expected behaviour when interacting with
the company's information systems; these are usually implemented as company policies
and guidelines, e.g. screening of computer users and disallowing the use of unknown flash
drives.

2. Preventive controls - stop an incident before it happens, e.g.
   - Requiring passwords on machines
   - Installing anti-malware software
   - Scanning flash drives before use

3. Detective controls - identify and potentially react to security violations, e.g. noticing
strange computer behaviour such as reduced processing speed or rapidly filling hard disk
drives.

4. Corrective controls - react to the detection of an incident in order to reduce or
eliminate the opportunity for the unwanted event to recur. Examples include keeping anti-
virus software up to date, additional training for security staff, additional security
awareness training for employees, and implementation of more sophisticated firewalls.

5. Recovery controls - restore a system, or its operation, after an incident that compromises
the integrity or availability of the computing system. Examples include
   - Backing up important data on separate disks in case the computer crashes
   - Re-installing a fresh operating system
   - Using System Restore to return the computer to a date when it worked well
   - Using boot disks to recover data from malfunctioning hard drives
   - Using data recovery software to recover lost or deleted data
