Submitted in partial fulfillment of Bachelor of Engineering degree Of the University of Rajasthan, Jaipur

Submitted to: Mr.D.K.Mehta Head of the department, Computer Science Department

Submitted by: Jalaj Mathur IVth Year Computer Science




1 3 11 19 24 28 30 36 37 38


At the very outset, we would like to express our deep sense of gratitude to our mentors at the college, Principle Dr. D C Surana and Mr. D.K. Mehta, who have been so kind to give us the necessary guidance. They have also been a constant source of inspiration. . I extend heartfelt thanks to my parents and friends for their inspiration and thoughtfulness in care and support. With these comments, I take this opportunity of revealing my thanks to those who have helped me in a number of ways and helped during my project work.


Computer viruses are small software programs that are designed to spread from one computer to another and to interfere with computer operation. A virus might corrupt or delete data on your computer, use your e-mail program to spread itself to other computers, or even erase everything on your hard disk. Viruses are most easily spread by attachments in e-mail messages or instant messaging messages. That is why it is essential that you never open e-mail attachments unless you know who it's from and you are expecting it. Viruses can be disguised as attachments of funny images, greeting cards, or audio and video files. Viruses also spread through downloads on the Internet. They can be hidden in illicit software or other files or programs you might download. To help avoid viruses, it's essential that you keep your computer current with the latest updates and antivirus tools, stay informed about recent threats, and that you follow a few basic rules when you surf the Internet, download files, and open attachments. Once a virus is on your computer, its type or the method it used to get there is not as important as removing it and preventing further infection.

Key Terms To Understanding Computer Viruses:

A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes.

Trojan Horse
A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves

A program or algorithm that replicates itself over a computer network and usually performs malicious actions

Blended Threat
Blended threats combine the characteristics of viruses, worms, Trojan Horses, and malicious code with server and Internet vulnerabilities .

Antivirus Program
A utility that searches a hard disk for viruses and removes any that are found.

The internet consists of hundreds of millions of computers distributed around the world. Millions of people use the internet daily, taking full advantage of the available services at both personal and professional levels. The internet connectivity among computers on which the World Wide Web relies, however renders its nodes on easy target for malicious users who attempt to exhaust their resources or damage the data or create a havoc in the network. Computer Viruses, especially in recent years, have increased dramatically in number. One of the most highprofile threats to information integrity is the Computer Virus. Surprisingly, PC viruses have been around for two-thirds of the IBM PC’s lifetime, appearing in 1986. With global computing on the rise, computer viruses have had more visibility in the past few years. In fact, the entertainment industry has helped by illustrating the effects of viruses in movies such as ”Independence Day”, ”The Net”, and ”Sneakers”. Along with computer viruses, computer worms are also increasing day by day. So, there is a need to immunise the internet by creating awareness in the people about these in detail. In this paper I have explained the basic concepts of viruses and worms and how they spread. .


A. Virus: A self-replicating program. Some definitions also add the constraint saying that it has to attach itself to a host program to be able to replicate. Often Viruses require a host, and their goal is to infect other files so that the virus can live longer. Some viruses perform destructive actions although this is not necessarily the case.Many viruses attempt to hide from being discovered. A virus might rapidly infect every file on individual computer or slowly infect the documents on the computer, but it does not intentionally try to spread itself from that computer (infected computer) to other. In most cases, that’s where humans come in. We send e-mail document attachments, trade programs on diskettes, or copy files to file servers. When the next unsuspecting user receives the infected file or disk, they spread the virus to their computers, and so on.

B. Worms: Worms are insiduos because they rely less (or not at all) upon human behaviour in order to spread themselves from one computer to others. The computer worm is a program that is designed to copy itself from one computer to another, leveraging some network medium: e-mail, TCP/IP, etc. The worm is more interested in infecting as many machines as possible on the network, and less interested in spreading many copies of itself on a single computer (like a computer virus). The prototypical worm infects (or causes its code to run on) target system only once; after the initial infection, the worm attempts to spread to other machines on the network. Some researchers define worms as a sub-type of Viruses. In early years the worms are considered as the problem of Mainframes only. But this has changed after the Internet become wide spread; worms quickly accustomed to windows and started to send themselves through network functions.

Some categories that come under worms are _Mailers and Mass-Mailer worms _Octopus _Rabbits

C. Trojan Horses: A Trojan Horse is a one which pretend to be useful programs but do some unwanted action. Most Trojans activate when they are run and sometimes destroy the structure of the current drive (FATs, directories, etc.) obliterating themselves in the process. These does not require a host and does not replicate. A special type is the backdoor trojan, which does not do anything overtly destructive, but sets your computer open for remote control and unauthorised access.

D. Others: There are other types of malicious programs apart from Viruses, Worms and Trojan Horses. Some of them are described below. 1) Logic Bombs:: A logic bomb is a programmed malfunction of a legitimate application. These are intentionally inserted in otherwise good code. They remains hidden with only their effects are being visible. These are not replicated. Bugs do everything except make more bugs. 2) Germs:: These are first-generation viruses in a form that the virus cannot generate to its usual infection process. When the virus is compiled for the first time, it exists in a special form and normally does not have a host program attached to it. Germs will not have the usual marks that the most viruses use in second-generation form to flag infected files to avoid reinfecting an already infected object. 3) Exploits:: Exploit is specific to single vulnerability or set of vulnerabilities. Its goal is to run a program (possibly remote, networked) system automatically or provide some other form of more highly previliged access to the target system.

E. Characteristics: The following are some of the characteristics of Viruses:

1) Size - The sizes of the program code required for computer viruses are very small. 2) Versatility - Computer viruses have appeared with the ability to generically attack a wide variety of applications. 3) Propagation - Once a computer virus has infected a program, while this program is running, the virus is able to spread to other programs and files accessible to the computer system. 4) Effectiveness - Many of the computer viruses have far-reaching and catastrophic effects on their victims, including total loss of data, programs, and even the operating systems. 5) Functionality - A wide variety of functions has been demonstrated in virus programs. Some virus programs merely spread themselves to applications without attacking data files, program functions, or operating system activities. Other viruses are programmed to damage or delete files, and even to destroy systems. 6) Persistence - In many cases, especially networked operations, eradication of viruses has been complicated by the ability of virus program to repeatedly spread and reoccur through the networked system from a single copy.

III. DETAILED DESCRIPTION A. Malicious Code Environments It is important to know about the particular execution environments to understand about Computer Viruses. A successful penetration of the system by a viral code occurs only if the various dependencies of malicious code match a potential environment. The following are some of the various malicious code environments 1) Computer Architecture Dependency

2) CPU Dependency 3) Operating System Dependency and Operating System version Dependency 4) File System Dependency 5) File Form Dependency 6) Interpreted Environment Dependency 7) Vulnerability Dependency 8) Date and Time Dependency 9) Just-In-Time Dependency 10) Achieve Format Dependency 11) File Format Extension Dependency 12) Network Protocol Dependency 13) Source Code Dependency 14) Self Contained Environment Dependency

B. Virus/Worm types overview These are the main categories of Viruses and worms: 1) Binary File Virus and Worm – File virus infect executables (program files). They are able to infect over networks. Normally these are written in machine code. File worms, are also written in machine code, instead of infecting other files, worms focus on spreading to other machines. 2) Binary Stream Worms – Stream worms are a group of network spreading worms that never manifest as files. Instead, they will travel from computer to computer as just pieces of code that exist only in memory. 3) Script File Virus and Worm – A script virus is technically a file virus, but script viruses are written as human readable text. Since computers cannot understand text instructions directly, the text first has to be translated from text to machine code. This rocess is called ”Interpretation”,and is performed by separate programs on computer. 4) Macro Virus – Macro Viruses infect data files, or files that are normally perceived as data files, like documents and spreadsheets. Just about anything that we can do with ordinary programs on a computer we can do with macro instructions. Macro viruses are more common now-a-days. These can infect over the network. 5) Boot Virus – The first known successful computer viruses were boot sector viruses. Today these are rarely used. These infect boot sectors of hard drives and floppy disks and

are not dependent on the actual operating system installed. These are not able to infect over networks. These take the boot process of personal computers. Because most computers don’t contain Operating System in their Read Only Memory (ROM), they need to load the system from somewhere else, such as from a disk or from the network (via a network adapter).

6) Multipartite Viruses – Multipartite Virus infect both executable files and boot sectors, or executable and data files. These are not able to infect over the networks.


Secure Operating System
One use of the term computer security refers to technology to implement a secure operating system. Much of this technology is based on science developed in the 1980s and used to produce what may be some of the most impenetrable operating systems ever. Though still valid, the technology is almost inactive today, perhaps because it is complex or not widely understood. Such ultra strong secure operating systems are based on operating system kernel technology that can guarantee that certain security policies are absolutely enforced on an operating environment. An example of such a security policy is the Bell-LaPadula model. The strategy is based on a coupling of special microprocessor hardware features, often involving the Memory Management Unit, to a special correctly implemented operating system kernel. This forms the foundation for a secure operating system that if certain critical parts are designed and implemented correctly can ensure that it is physically impossible for hostile or subversive applications to violate the security policy. This capability is enabled because the operating system not only impose a security policy, but completely protects itself from corruption. Ordinary operating systems lack the completeness property. The design methodology to produce such secure systems is not an ad-hoc best effort activity, but one that is very precise, deterministic and logical.

Systems designed with such methodology represent the state of the art of computer security and the capability to produce them is not widely known. In sharp contrast to most kinds of software, they meet specifications with verifiable certainty comparable to specifications for size, weight and power. Secure operating systems designed this way are used primarily to protect national security information and military secrets. These are very powerful security tools and very few secure operating systems have been certified at the highest level (Orange Book A-1) to operate over the range of Top Secret to unclassified (including Honeywell SCOMP, USAF SACDIN, NSA Blacker and Boeing MLS LAN.) The assurance of security depends not only on the soundness of the design strategy, but also on the assurance of correctness of the implementation, and therefore

there are degrees of security strength defined for COMPUSEC. The Common Criteria quantifies security strength of products in terms of two components, security capability (as Protection Profile) and assurance levels (as EAL levels.) None of these ultra high assurance secure general purpose operating systems have been produced for decades or certified under the Common Criteria.

Computer Security By Design
Computer security is a logic-based technology. There is no universal standard notion of what secure behavior is. “Security” is a property that is unique to each situation and so must be overtly defined by a Security Policy, if it is to be seriously enforced. Security is not an ancillary function of a computer application, but often what the application doesn’t do. Unless the application is just trusted to ‘be secure,’ security can only be imposed as a constraint on the application’s behavior from outside of the application. There are several approaches to security in computing, sometimes a combination of approaches is valid:

1. Trust all the software to abide by a security policy but the software is not trustworthy (this is computer insecurity).

2. Trust all the software to abide by a security policy and the software is validated as trustworthy (by tedious branch and path analysis for example).

3. Trust no software but enforce a security policy with mechanisms that are not trustworthy (again this is computer insecurity).

4. Trust no software but enforce a security policy with trustworthy mechanisms.

Many approaches unintentionally follow 1. One and 3 lead to failure. Since 2 is expensive and non-deterministic, its use is very limited. Because 4 is often hardwarebased mechanisms and avoid abstractions and a multiplicity of degrees of freedom, it is more practical. Combinations of 2 and 4 are often used in a layered architecture with thin layers of 2 and thick layers of 4. There are a strategies and techniques used to design in security. There are few, if any strategies to add-on security after design. One technique enforces the principle of least privilege to great extent, where an entity has only the privileges that are needed for its function. That way, even if an attacker has subverted one part of the system, fine-grained security ensures that it is just as difficult for them to subvert the rest. Furthermore, by breaking the system up into smaller components, the complexity of individual components is reduced, opening up the possibility of using techniques such as automated theorem proving to prove the correctness of crucial software subsystems. This enables a closed form solution to security that works well when only a single wellcharacterized property can be isolated as critical, and that property is also assessable to math. Not surprisingly, it is impractical for generalized correctness, which probably cannot even be defined, much less proven. Where formal correctness proofs are not possible, rigorous use of code review and unit testing represent a best-effort approach to make modules secure.

The design should use "defense in depth", where more than one subsystem needs to be compromised to compromise the security of the system and the information it holds. Defense in depth works when the subverting one hurdle is not a platform to facilitate subverting another. Also, the cascading principle acknowledges that several low hurdles does not make a high hurdle. So cascading several weak mechanisms does not provide the safety of a single stronger mechanism.

Subsystems should default to secure settings, and wherever possible should be designed to "fail secure" rather than "fail insecure" (see fail safe for the equivalent in safety engineering). Ideally, a secure system should require a deliberate, conscious, knowledgeable and free decision on the part of legitimate authorities in order to make it insecure. What constitutes such a decision and what authorities are legitimate is controversial.

In addition, security should not be an all or nothing issue. The designers and operators of systems should assume that security breaches are inevitable in the long term. Full audit

trails should be kept of system activity, so that when a security breach occurs, the mechanism and extent of the breach can be determined. Storing audit trails remotely, where they can only be appended to, can keep intruders from covering their tracks. Finally, full disclosure helps to ensure that when bugs are found the "window of vulnerability" is kept as short as possible.

Early History of Security By Design
The early Multics operating system was notable for its early emphasis on computer security by design, and Multics was possibly the very first operating system to be designed as a secure system from the ground up. In spite of this, Multics' security was broken, not once, but repeatedly. The strategy was known as 'penetrate and test' and has become widely known as a non-terminating process that fails to produce computer security. This led to further work on computer security that prefigured modern security engineering techniques producing closed form processes that terminate.

Secure Coding
The majority of software vulnerabilities result from a few known kinds of coding defects. Common software defects include buffer overflows, format string vulnerabilities, integer overflow, and code/command injection.

Some common languages such as C and C++ are vulnerable to all of these defects (see Seacord, "Secure Coding in C and C++"). Other languages, such as Java, are immune to some of these defects, but are still prone to code/command injection and other software defects which lead to software vulnerabilities.

Techniques for Creating Secure Systems
The following techniques can be used in engineering secure systems. These techniques, whilst useful, do not of themselves ensure security. One security maxim is "a security system is no stronger than its weakest link"

Automated theorem proving and other verification tools can enable critical algorithms and code used in secure systems to be mathematically proven to meet their specifications. Thus simple microkernels can be written so that we can be sure they don't contain any bugs: eg EROS and Coyotos.

A bigger OS, capable of providing a standard API like POSIX, can be built on a microkernel using small API servers running as normal programs. If one of these API servers has a bug, the kernel and the other servers are not affected: eg Hurd.

Cryptographic techniques can be used to defend data in transit between systems, reducing the probability that data exchanged between systems can be intercepted or modified. Strong authentication techniques can be used to ensure that communication endpoints are who they say they are.

Secure cryptoprocessors can be used to leverage physical security techniques into protecting the security of the computer system.
• •

Chain of trust techniques can be used to attempt to ensure that all software loaded has been certified as authentic by the system's designers. Mandatory access control can be used to ensure that privileged access is withdrawn when privileges are revoked. For example, deleting a user account should also stop any processes that are running with that user's privileges. Capability and access control list techniques can be used to ensure privilege separation and mandatory access control. The next sections discuss their use.

Some of the following items may belong to the computer insecurity article:

Do not run an application with known security flaws. Either leave it turned off until it can be patched or otherwise fixed, or delete it and replace it with some other application. Publicly known flaws are the main entry used by worms to automatically break into a system and then spread to other systems connected to it. The security website Secunia provides a search tool for unpatched known flaws in popular products.

Cryptographic techniques involve transforming information, scrambling it so it becomes unreadable during transmission. The intended recipient can unscramble the message, but eavesdroppers cannot.

Backups are a way of securing information; they are another copy of all the important computer files kept in another location. These files are kept on hard disks, CD-Rs, CD-RWs, and tapes. Suggested locations for backups are a fireproof, waterproof, and heat proof safe, or in a separate, offsite location than that in which the original files are contained. Some individuals and companies also keep their backups in safe deposit boxes inside bank vaults. There is also a fourth option, which involves using one of the file hosting services that backs up files over the Internet for both business and individuals. o Backups are also important for reasons other than security. Natural disasters, such as earthquakes, hurricanes, or tornadoes, may strike the building where the computer is located. The building can be on fire, or an explosion may occur. There needs to be a recent backup at an alternate secure location, in case of such kind of disaster. The backup needs to be moved between the geographic sites in a secure manner, so as to prevent it from being stolen.

Anti-virus software consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software (malware).

Firewalls are systems which help protect computers and computer networks from attack and subsequent intrusion by restricting the network traffic which can pass through them, based on a set of system administrator defined rules.

Access authorization restricts access to a computer to group of users through the use of authentication systems. These systems can protect either the whole computer - such as through an interactive logon screen - or individual services, such as an FTP server. There are many methods for identifying and authenticating users, such as passwords, identification cards, and, more recently, smart cards and biometric systems.

Encryption is used to protect the message from the eyes of others. It can be done in several ways by switching the characters around, replacing characters with others, and even removing characters from the message. These have to be used in combination to make the encryption secure enough, that is to say, sufficiently difficult to crack. Public key encryption is a refined and practical way of doing encryption. It allows for example anyone to write a message for a list of recipients, and only those recipients will be able to read that message.

Intrusion-detection systems can scan a network for people that are on the network but who should not be there or are doing things that they should not be doing, for example trying a lot of passwords to gain access to the network.

Social engineering awareness - Keeping employees aware of the dangers of social engineering and/or having a policy in place to prevent social engineering can reduce successful breaches of the network and servers.

Capabilities vs. ACLs
Within computer systems, the two fundamental means of enforcing privilege separation are access control lists (ACLs) and capabilities. The semantics of ACLs have been proven to be insecure in many situations (e.g., Confused deputy problem). It has also been shown that ACL's promise of giving access to an object to only one person can never be guaranteed in practice. Both of these problems are resolved by capabilities. This does not mean practical flaws exist in all ACL-based systems — only that the designers of certain utilities must take responsibility to ensure that they do not introduce flaws. Unfortunately, for various historical reasons, capabilities have been mostly restricted to research operating systems and commercial OSs still use ACLs. Capabilities can, however, also be implemented at the language level, leading to a style of programming that is essentially a refinement of standard object-oriented design. An open source project in the area is the E language [2]. The Cambridge CAP computer demonstrated the use of capabilities, both in hardware and software, in the 1970s, so this technology is hardly new. A reason for the lack of adoption of capabilities may be that ACLs appeared to offer a 'quick fix' for security without pervasive redesign of the operating system and hardware. The most secure computers are those not connected to the Internet and shielded from any interference. In the real world, the most security comes from operating systems where security is not an add-on, such as OS/400 from IBM. This almost never shows up in lists of vulnerabilities for good reason. Years may elapse between one problem needing remediation and the next. A good example of a secure system is EROS. But see also the article on secure operating systems. TrustedBSD is an example of an opensource project with a goal, among other things, of building capability functionality into the FreeBSD operating system. Much of the work is already done.

Other Uses of the Term "trusted"

The term "trusted" is often applied to operating systems that meet different levels of the common criteria, some of which are discussed above as the techniques for creating secure systems.

The most common blunder people make when the topic of a computer virus arises is to refer to a worm or Trojan horse as a virus. While the words Trojan, worm and virus are often used interchangeably, they are not the same. Viruses, worms and Trojan Horses are all malicious programs that can cause damage to your computer, but there are differences among the three, and knowing those differences can help you to better protect your computer from their often damaging effects. A computer virus attaches itself to a program or file so it can spread from one computer to another, leaving infections as it travels. Much like human viruses, computer viruses can range in severity: Some viruses cause only mildly annoying effects while others can damage your hardware, software or files. Almost all viruses are attached to an executable file, which means the virus may exist on your computer but it cannot infect your computer unless you run or open the malicious program. It is important to note that a virus cannot be spread without a human action, (such as running an infected program) to keep it going. People continue the spread of a computer virus, mostly unknowingly, by sharing infecting files or sending e-mails with viruses as attachments in the e-mail. A worm is similar to a virus by its design, and is considered to be a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, it has the capability to travel without any help from a person. A worm takes advantage of file or information transport features on your system, which allows it to travel unaided. The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a huge devastating effect. One example would be for a worm to send a copy of itself to everyone listed in your e-mail address book. Then, the worm replicates and sends itself out to everyone listed in each of the receiver's address book, and the manifest continues on down the line. Due to the copying nature of a worm and its capability to travel across networks the end result in most cases is that the worm consumes too much system memory (or network bandwidth), causing Web servers, network servers and individual computers to stop responding. In more recent worm attacks such as the much-talked-about .Blaster Worm., the worm has been designed to tunnel into your system and allow malicious users to control your computer remotely.

A Trojan Horse is full of as much trickery as the mythological Trojan Horse it was named after. The Trojan Horse, at first glance will appear to be useful software but will actually do damage once installed or run on your computer. Those on the receiving end of a Trojan Horse are usually tricked into opening them because they appear to be receiving legitimate software or files from a legitimate source. When a Trojan is activated on your computer, the results can vary. Some Trojans are designed to be more annoying than malicious (like changing your desktop, adding silly active desktop icons) or they can cause serious damage by deleting files and destroying information on your system. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate. Added into the mix, we also have what is called a blended threat. A blended threat is a sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses and malicious code into one threat. Blended threats use server and Internet vulnerabilities to initiate, transmit and spread an attack. This combination of method and techniques means blended threats can spread quickly and cause widespread damage. Characteristics of blended threats include: causes harm, propagates by multiple methods, attacks from multiple points and exploits vulnerabilities. To be considered a blended thread, the attack would normally serve to transport multiple attacks in one payload. For examplem it wouldn't just launch a DoS attack — it would also install a backdoor and damage a local system in one shot. Additionally, blended threats are designed to use multiple modes of transport. For example, a worm may travel through e-mail, but a single blended threat could use multiple routes such as e-mail, IRC and file-sharing sharing networks. The actual attack itself is also not limited to a specific act. For example, rather than a specific attack on predetermined .exe files, a blended thread could modify exe files, HTML files and registry keys at the same time — basically it can cause damage within several areas of your network at one time. Blended threats are considered to be the worst risk to security since the inception of viruses, as most blended threats require no human intervention to propagate.

In the context of computer software, a Trojan horse is a program that contains or installs a malicious program (sometimes called the payload or 'trojan'). The term is derived from the classical myth of the Trojan Horse. Trojan horses may appear to be useful or interesting programs (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed. Often the term is shortened to simply trojan, even though this turns the adjective into a noun, reversing the myth (Greeks, not Trojans, were gaining malicious access). There are two common types of Trojan horses. One, is otherwise useful software that has been corrupted by a hacker inserting malicious code that executes while the program is used. Examples include various implementations of weather alerting programs, computer clock setting software, and peer to peer file sharing utilities. The other type is a standalone program that masquerades as something else, like a game or image file, in order to trick the user into some misdirected complicity that is needed to carry out the program's objectives. Trojan horse programs cannot operate autonomously, in contrast to some other types of malware, like viruses or worms. Just as the Greeks needed the Trojans to bring the horse inside for their plan to work, Trojan horse programs depend on actions by the intended victims. As such, if trojans replicate and even distribute themselves, each new victim must run the program/trojan. Therefore their virulence is of a different nature, depending on successful implementation of social engineering concepts rather than flaws in a computer system's security design or configuration. However there is another meaning for the term 'Trojan Horse' in the field of computer architecture. Here it basically represents any piece of User Code which makes the Kernel Code access anything it would not have been able to access itself in the first place (i.e making the OS do something it wasn't supposed to be doing). Such security loopholes are called Trojan Horses.

Example of a simple Trojan horse
A simple example of a trojan horse would be a program named "waterfalls.scr" claiming to be a free waterfall screensaver which, when run, instead would allow access to the user's computer remotely.

Name AIDS Back Orifice Back Orifice 2000 Beast Trojan Bifrose Insurrection NetBus Optix Pro Posion Ivy ProRat Sub7 EGABTR RemoteHAK A-311 Death A4zeta Abacab Acessor AcidBattery Acid Drop AcidHead Acid Kor Acidsena AcidShivers Acid Trojan Horse AckCmd Acojonaor Acropolis Admin.Troj.Kikzyurarse Advertiser Bot AeonwindDoll SubSeven ShapeLeSS Mobman HaKKa http://www.chas Alias(es) Type Subtype Isolation Isolation Origin Date Author Sir Dystic Dildog ksv CarlFredrik Neikter Successor to Back Orifice Notes


Afcore A-FTP AF Agent 40421 AH Aibolit AIMaster AIM Filter AimFrame aim P Aim Password Stealer AIM Pws AimRat AIM Robber AIM Spy AIMVision AIR AirBot Akosch Aladino Al-Bareki Alcatraz Alerter AlexMessoMalex Alicia Alien Hacker Alien Spy Almaster Almetyevsk Almq Alex Alofin Alop Alph AlphaDog Alvgus Amanda Amiboide Uploader Ambush AmigaAnywhere Amitis Amoeba

AMRC AMS Anal FTP Anal Ra AnarchoIntruder Andromeda A New Trojan Angelfire AngelShell Annoy Toys Anthena Anti Danger Anti-Denial AntiMks AntiPC AntiLamer Backdoor Anti MSN Antylamus AolAdmin Apdoor Aphex's FTP Aphex's Remote Packet Sniffer Aphex tunneld 2.0 AppServ APRE Aqua Arcanum Area Control Ares Invader Armageddon arplhmd Arranca Arsd Artic Arturik AsbMay A.S.H. Ashley Ass4ss1n Assasin Asylum

Admin.Troj.Kikzyurarse Atentator A-Trojan Attack FTP Atwinda AudioDoor Autocrat AutoPWN Autograph AutoSpY Avanzado Avone Ayan Bilisim Azrael BD Blade runner 0.80a Crazy Daisy Connect4 Donald Dick Flatley Trojan Theef Twelve Tricks VMLFILL


Types of Trojan horse payloads
Trojan horse payloads are almost always designed to do various harmful things, but could be harmless. They are broken down in classification based on how they breach systems and the damage they cause. The seven main types of Trojan horse payloads are:
• • • •

Remote Access Email Sending Data Destructive Proxy trojan (disguising others as the infected computer)

• • • •

FTP trojan (adding or copying data from the infected computer) security software disabler denial-of-service attack (DoS) URL trojan (directing the infected computer to only connect to the internet via an expensive dial-up connection)

Some examples are:
• • • • • • • • • • • • • • • • •

erasing or overwriting data on a computer. encrypting files in a cryptoviral extortion attack. corrupting files in a subtle way. upload and download files. allowing remote access to the victim's computer. This is called a RAT (remote administration tool). spreading other malware, such as viruses. In this case the Trojan horse is called a 'dropper' or 'vector'. setting up networks of zombie computers in order to launch DDoS attacks or send spam. spying on the user of a computer and covertly reporting data like browsing habits to other people (see the article on spyware). make screenshots. logging keystrokes to steal information such as passwords and credit card numbers (also known as a keylogger). phish for bank or other account details, which can be used for criminal activities. installing a backdoor on a computer system. opening and closing CD-ROM tray. harvest e-mail addresses and use them for spam. Restarts the computer whenever the infected program is started. Deactivate or interfere with anti-virus and firewall programs Deactivate or interfere with other competing forms of malware

Time bombs and logic bombs
"Time bombs" and "logic bombs" are types of trojan horses. "Time bombs" activate on particular dates and/or times. "Logic bombs" activate on certain conditions met by the computer.

Droppers perform two tasks at once. A dropper performs a legitimate task but also installs a computer virus or a computer worm on a system or disk at the same time.

Trojan Horse Attacks
If you were referred here, you may have been "hacked" by a Trojan horse attack. It's crucial that you read this page and fix yourself immediately. Failure to do so could result

in being disconnected from the IRC network, letting strangers access your private files, or worst yet, allowing your computer to be hijacked and used in criminal attacks on others.

Trojan horse attacks pose one of the most serious threats to computer security. If you were referred here, you may have not only been attacked but may also be attacking others unknowingly. This page will teach you how to avoid falling prey to them, and how to repair the damage if you already did. According to legend, the Greeks won the Trojan war by hiding in a huge, hollow wooden horse to sneak into the fortified city of Troy. In today's computer world, a Trojan horse is defined as a "malicious, security-breaking program that is disguised as something benign". For example, you download what appears to be a movie or music file, but when you click on it, you unleash a dangerous program that erases your disk, sends your credit card numbers and passwords to a stranger, or lets that stranger hijack your computer to commit illegal denial of service attacks like those that have virtually crippled the DALnet IRC network for months on end. The following general information applies to all operating systems, but by far most of the damage is done to/with Windows users due to its vast popularity and many weaknesses. (Note: Many people use terms like Trojan horse, virus, worm, hacking and cracking all interchangeably, but they really don't mean the same thing. If you're curious, here's a quick primer defining and distinguishing them. Let's just say that once you are "infected", trojans are just as dangerous as viruses and can spread to hurt others just as easily!)

II. How can one get infected?
Trojans are executable programs, which means that when you open the file, it will perform some action(s). In Windows, executable programs have file extensions like "exe", "vbs", "com", "bat", etc. Some actual trojan filenames include: "dmsetup.exe" and

"LOVE-LETTER-FOR-YOU.TXT.vbs" (when there are multiple extensions, only the last one counts, be sure to unhide your extensions so that you see it

Trojans can be spread in the guise of literally ANYTHING people find desirable, such as a free game, movie, song, etc. Victims typically downloaded the trojan from a WWW or FTP archive, got it via peer-to-peer file exchange using IRC/instant messaging/Kazaa etc., or just carelessly opened some email attachment. Trojans usually do their damage silently. The first sign of trouble is often when others tell you that you are attacking them or trying to infect them!

III. How do one avoid getting infected in the future?

You must be certain of BOTH the source AND content of each file you download! In other words, you need to be sure that you trust not only the person or file server that gave you the file, but also the contents of the file itself. . 1. NEVER download blindly from people or sites which you aren't 100% sure about. In other words, as the old saying goes, don't accept candy from strangers. If you do a lot of file downloading, it's often just a matter of time before you fall victim to a trojan.

2. Even if the file comes from a friend, you still must be sure what the file is before opening it, because many trojans will automatically try to spread themselves to friends in an email address book or on an IRC channel. There is seldom reason for a friend to send you a file that you didn't ask for. When in doubt, ask them first, and scan the attachment with a fully updated anti-virus program.

3. Beware of hidden file extensions! Windows by default hides the last extension of a file, so that innocuous-looking "susie.jpg" might really be "susie.jpg.exe" - an executable trojan! To reduce the chances of being tricked, unhide those pesky extensions.

4. NEVER use features in your programs that automatically get or preview files. Those features may seem convenient, but they let anybody send you anything which is extremely reckless. For example, never turn on "auto DCC get" in mIRC, instead ALWAYS screen every single file you get manually. Likewise, disable the preview mode in Outlook and other email programs. 5. Never blindly type commands that others tell you to type, or go to web addresses mentioned by strangers, or run pre-fabricated programs or scripts (not even popular ones). If you do so, you are potentially trusting a stranger with control over your computer, which can lead to trojan infection or other serious harm.

6. Don't be lulled into a false sense of security just because you run anti-virus programs. Those do not protect perfectly against many viruses and trojans, even when fully up to date. Anti-virus programs should not be your front line of security, but instead they serve as a backup in case something sneaks onto your computer.

7. Finally, don't download an executable program just to "check it out" - if it's a trojan, the first time you run it, you're already infected!

IV. How can one get rid of trojans?!?

Here are your many options, none of them are perfect. I strongly suggest you read through all of them before rushing out and trying to run some program blindly. Remember - that's how you got in this trouble in the first place. Good luck! 1. Clean Re-installation: Although arduous, this will always be the only sure way to eradicate a trojan or virus. Back up your entire hard disk, reformat the disk, reinstall the operating system and all your applications from original CDs, and finally, if you're certain they are not infected, restore your user files from the backup. If you are not up to the task, you can pay for a professional repair service to do it.

2. Anti-Virus Software: Some of these can handle most of the well known trojans, but none are perfect, no matter what their advertising claims. You absolutely MUST make sure you have the very latest update files for your programs, or else they will miss the latest trojans. Compared to traditional viruses, today's trojans evolve much quicker and come in many seemingly innocuous forms, so anti-virus software is always going to be playing catch up. Also, if they fail to find every trojan, anti-virus software can give you a false sense of security, such that you go about your business not realizing that you are still dangerously compromised. There are many products to choose from, but the following are generally effective: AVP, PC-cillin, and McAfee VirusScan. All are available for immediate downloading typically with a 30 day free trial. For a more complete review of all major anti-virus programs, including specific configuration suggestions for each, see the HackFix Project's anti-virus software page [all are ext. links]. When you are done, make sure you've updated Windows with all security patches [ext. link].

3. Anti-Trojan Programs: These programs are the most effective against trojan horse attacks, because they specialize in trojans instead of general viruses. A popular choice is The Cleaner, $30 commercial software with a 30 day free trial. To use it effectively, you must follow's configuration suggestions [ext. link]. When you are done, make sure you've updated Windows with all security patches [ext. link], then change all your passwords because they may have been seen by every "hacker" in the world.

4. IRC Help Channels: If you're the type that needs some hand-holding, you can find trojan/virus removal help on IRC itself, such as EFnet #dmsetup or DALnet #NoHack. These experts will try to figure out which trojan(s) you have and offer you advice on how to fix it. The previous directions were in fact adapted from advice given by EFnet #dmsetup.

Combating Trojan Horses

The first steps to protecting your computer are to ensure your operating system (OS) is up-to-date. This is essential if you are running a Microsoft Windows OS. Secondly, you should have anti-virus software installed on your system and ensure you download updates frequently to ensure your software has the latest fixes for new viruses, worms, and Trojan horses. Additionally, you want to make sure your anti-virus program has the capability to scan e-mail and files as they are downloaded from the Internet. This will help prevent malicious programs from even reaching your computer. You should also install a firewall as well.

A firewall is a system that prevents unauthorized use and access to your computer. A firewall can be either hardware or software. Hardware firewalls provide a strong degree of protection from most forms of attack coming from the outside world and can be purchased as a stand-alone product or in broadband routers. Unfortunately, when battling viruses, worms and Trojans, a hardware firewall may be less effective than a software firewall, as it could possibly ignore embedded worms in out going e-mails and see this as regular network traffic. For individual home users, the most popular firewall choice is a software firewall. A good software firewall will protect your computer from outside attempts to control or gain access your computer, and usually provides additional protection against the most common Trojan programs or e-mail worms. The downside to software firewalls is that they will only protect the computer they are installed on, not a network.

It is important to remember that on its own a firewall is not going to rid you of your computer virus problems, but when used in conjunction with regular operating system updates and a good anti-virus scanning software, it will add some extra security and protection for your computer or network.


The seminar preperation period was really a very enriching and informative experience for me .. The making of the seminar has enhanced my practical knowledge and taught me about a very interesting yet a new topic to me.. The regular guidance and constant watch never let us frivolous and kept me aware of what was going on in other parts of the department and the world. In the end, we would once again thank, all the persons who made such kind of project work possible for us.


1) 2) 3) Wikipedia

Sign up to vote on this title
UsefulNot useful