
VIRUS

Definition
A computer virus is a program that damages computer systems and destroys data files.
Once it is running, it spreads by inserting copies of itself into other executable code or documents.
Symptoms of Virus Attack
Computer runs slower than usual
Computer no longer boots up
Screen sometimes flickers
PC speaker beeps periodically
System crashes for no reason
Files/directories sometimes disappear
Denial of Service (DoS)
Classifying Virus - Types
File infector viruses
File infector viruses are made to infect files on the computer. File infectors spread once the user runs the infected file. The virus copies itself to locations on the computer where it can be executed.
The file infector will continue to infect files while granting the virus access to the infected files.
Boot sector virus
Boot infectors spread during the boot-up of a computer. Boot infectors target the critical section on the hard drive or on floppy disks in order to gain access to the computer. This enables the virus to obtain complete control and/or extract any important information from your computer.
Multipartite viruses
Multipartite viruses increase their chances of spreading within the computer by combining features from both the file infector and the boot infector. These viruses have the ability to infect both files and boot sectors. Because of this, the chance of the virus spreading is increased, but the virus also becomes more vulnerable to detection due to the increased number of locations where the virus can be found by antivirus software.
E-mail Viruses
Moves around in e-mail messages.
Replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book.
Example: Melissa virus, ILOVEYOU virus
Classifying Virus - Categories
Stealth
In order to avoid detection by users, these viruses make sure that the "last modified" date of a host file stays the same when the file is infected by the virus. Some viruses also infect files without increasing their sizes or damaging the files.

Polymorphic
A polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. However, this decryption module is also modified on each infection. A well-written polymorphic virus therefore has no parts which remain identical between infections, making it very difficult to detect.
Companion
A type of computer virus that takes advantage of a feature of DOS that enables software with the same name, but different extensions, to operate with different priorities. For example you may have program.exe on your computer, and the virus may create a file called program.com. When the computer executes program.exe, the virus runs program.com before program.exe is executed. In many cases, the real program will run, so users believe that the system is operating normally and aren't aware that a virus was run on the system.

Armored
A type of virus that has been designed to thwart attempts by analysts to examine its code, using various methods to make tracing, disassembling and reverse engineering more difficult. An armored virus may also protect itself from antivirus programs, making it more difficult to trace. To do this, the armored virus attempts to trick the antivirus program into believing its location is somewhere other than where it really is on the system.
Some common viruses attacking the Windows operating system
Brain
Brain is the industry standard name for a computer virus that was released in its first form in January 1986, and is considered to be the first computer virus for MS-DOS. It infects the boot sector of storage media formatted with the DOS File Allocation Table (FAT) file system. Brain was written by two brothers from Pakistan.
Commwarrior
Commwarrior was particularly effective via the MMS vector it used to infect other phones. It appeared as though it had been sent from a source that was known to the victim, leading even security-conscious users to open the infected message. Actually, the message was sent at random to a contact in the sender's address book. Once the message is opened, the virus attempts to install itself on the phone via a SIS file. This SIS file works in a similar manner to that of a Windows .EXE file and once it runs, the worm is executed every time the phone is switched on.
ILOVEYOU
ILOVEYOU, sometimes referred to as Love Letter, was a computer worm that attacked tens of millions of Windows personal computers on and after 5 May 2000 local time in the Philippines when it started spreading as an email message with the subject line "ILOVEYOU" and the attachment "LOVE-LETTER-FOR-YOU.txt.vbs". The latter file extension (in this case, 'VBS' - a type of interpreted file) was most often hidden by default on Windows computers of the time, leading unwitting users to think it was a normal text file. Opening the attachment activated the Visual Basic script. The worm did damage on the local machine, overwriting image files, and sent a copy of itself to the first 50 addresses in the Windows Address Book.
Melissa virus
The Melissa virus spread in Microsoft Word documents sent via email.
How it works:
The author created the virus as a Word document.
It was uploaded to an internet newsgroup.
Anyone who downloaded the document and opened it would trigger the virus.
The virus sent friendly email messages to the first 50 people in the person's address book.
SCA
It appeared in November 1987. The SCA virus is a boot sector virus. It features a line of text that appears at every 15th copy after a warm reboot.
SCA will not harm disks per se, but spreads to any write-enabled floppies inserted. If they use custom bootblocks (such as games), they are rendered unusable. SCA also checksums as an original filesystem (OFS) bootblock, hence destroying newer filesystems if the user doesn't know the proper use of the "install" command to remove SCA.
What is Antivirus
Computer programs intended to identify and eliminate computer viruses.
Antivirus software is considered to be an aid that detects, fixes and even prevents viruses and worms from spreading to your computer as well as to connected computers.
How Anti Virus Works
Specific Scanning
The application scans files to look for known viruses matching definitions in a virus dictionary. When the antivirus looks at a file, it refers to a dictionary of known viruses and matches a piece of code (specific patterns of bytes) from the new file to the dictionary. After recognizing the malicious software, the antivirus software can take one of the following actions: (1) attempt to repair the file by removing the virus itself from the file, or (2) delete the file completely. However, specific scanning is not always reliable, because virus authors are creating new ways of disguising their viruses so that the antivirus software does not match the virus signature to the virus dictionary.
Generic Scanning
Generic scanning is used when new viruses appear. In this method the software does not look for a specific signature but instead monitors the behavior of all applications. If anything questionable is found by the software, a warning is broadcast to the user about what the program may be trying
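As an added example (not part of the original slides), here is a minimal signature-dictionary scanner of the kind the "specific scanning" slide describes. The signature dictionary, the host file and the infected sample are all constructed byte strings, not real malware; the one-byte variant at the end shows why exact signature matching is "not always reliable".

```python
# Added example (not from the original slides): a toy "specific scanning"
# engine. A dictionary maps a virus name to a byte pattern and every file
# image is searched for every pattern. All signatures and samples below are
# constructed for illustration and are not real malware.
from typing import Dict, List, Tuple

# Constructed signature dictionary: virus name -> byte pattern.
SIGNATURE_DICTIONARY: Dict[str, bytes] = {
    "Demo.FileInfector.A": bytes.fromhex("eb1e9090deadbeef"),
    "Demo.BootSector.B": bytes.fromhex("55aa31c08ed0bc007c"),
}


def scan_bytes(data: bytes,
               dictionary: Dict[str, bytes] = SIGNATURE_DICTIONARY) -> List[Tuple[str, int]]:
    """Return (virus name, offset) for every dictionary pattern found in data."""
    hits: List[Tuple[str, int]] = []
    for name, pattern in dictionary.items():
        start = 0
        while True:
            idx = data.find(pattern, start)
            if idx < 0:
                break
            hits.append((name, idx))
            start = idx + 1          # keep looking for further copies
    return hits


def scan_file(path: str,
              dictionary: Dict[str, bytes] = SIGNATURE_DICTIONARY) -> List[Tuple[str, int]]:
    """Scan one file on disk with scan_bytes()."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), dictionary)


def repair_bytes(data: bytes, pattern: bytes) -> bytes:
    """Action (1) from the slide, in toy form: strip the matched pattern out
    of the file image. Real repair has to restore the host's original code."""
    return data.replace(pattern, b"")


# Constructed host: a fake executable header plus some harmless body bytes.
CLEAN_HOST = b"MZ" + b"\x00" * 30 + b"hello world"          # 43 bytes
# The same host with the demo pattern appended, as a file infector would do.
INFECTED_HOST = CLEAN_HOST + bytes.fromhex("eb1e9090deadbeef") + b"payload"
# One byte changed (0x90 -> 0x91), as a polymorphic engine would do on each
# infection: the exact-match dictionary no longer recognises it.
VARIANT_HOST = CLEAN_HOST + bytes.fromhex("eb1e9091deadbeef") + b"payload"

if __name__ == "__main__":
    print(scan_bytes(INFECTED_HOST))   # [('Demo.FileInfector.A', 43)]
    print(scan_bytes(VARIANT_HOST))    # []  (signature scanning misses it)
```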
Some Common Antivirus
Protection Measures
The basic steps to keep your computer and your data secure:
1. Get the latest anti-virus software.
2. Make sure you have the latest security patches and hot fixes using Windows Update.
3. Use a host-based firewall.
4. Be aware of the e-mails and attachments to be opened.
5. BACKUP your important files.
TROJAN HORSE
Non-self-replicating type of malware.
A malware program that attaches itself to an innocuous file and embeds itself in your system.
Acts as a backdoor.
Not easily detectable.
Related to worms, as Trojans spread with the help of worms and travel across the internet with them.
HOW A TROJAN HORSE GETS INTO YOUR SYSTEM
These files often come from:
spam or scam emails
clicking unknown links online.

SURVEY CONDUCTED BY BITDEFENDER
from January to June 2009
"Trojan-type malware is on the rise, accounting for 83-percent of the global malware detected in the world."
GOVWARE
In German-speaking countries, spyware used
or made by the government is sometimes
called govware.
Govware: A trojan horse software used to
intercept communications from the target
computer.
PURPOSE AND HACKER USES
To perform automated spamming
Distributing Denial-of-service attacks
Electronic money theft
Data theft, including:
confidential files
industrial espionage
financial information
passwords and payment card information
Modification or deletion of files
Downloading or uploading of files for various purposes
Downloading and installing software, including third-party software
Keystroke logging
Watching the user's screen
Viewing the user's webcam
Controlling the computer system remotely
Encrypting files; a ransom payment may be demanded for
decryption, as with the CryptoLocker
Modifications of registry
Using infected computer as proxy for illegal activities and
attacks on other computers.
Crashing the computer, e.g. with "blue screen of death"
(BSOD)
Data corruption
Formatting disks, destroying all contents
Infecting the entire network, banking information and other connected devices
COMMON TROJAN HORSES
Netbus (by Carl-Fredrik Neikter): Netbus is a Trojan that opens up a backdoor program that, once installed on a system, permits unauthorized users to remotely perform a variety of operations, such as
changing the registry,
executing commands,
starting services,
listing files, and
uploading or downloading files.
Subseven or Sub7 (by Mobman): a remote administration tool / trojan program.
Its typical use is to allow undetected and unauthorized access, hence it is described as a trojan horse by security experts.
Back Orifice (Sir Dystic): Back Orifice 2000 (often shortened to BO2k) is a computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location. Whereas the original Back Orifice was limited to the Windows 95 and Windows 98 operating systems, BO2k also supports Windows NT, Windows 2000 and Windows XP.
BO2k installs and operates silently, without warning a logged-on user that remote administration or surveillance is taking place.
Features which were intended for irritating purposes include
changing desktop colors
opening and closing the optical drive
swapping the mouse buttons
turning the monitor off/on
Beast: The researchers say that their code, called BEAST (Browser Exploit Against SSL/TLS), proves to the world that any cryptographic protocol designed prior to TLS 1.1 is vulnerable and can be quite easily deciphered.
http://www.technewsdaily.com/7187-beast-hack.html
Zeus
Flashback Trojan (Trojan BackDoor.Flashback)
ProRat
ZeroAccess
Koobface
HOW TO GET RID OF TROJAN HORSES
1. Recognize the Trojan.
2. Usually, your system will give you a DLL error, which is associated with a Trojan attack. A DLL error is any error with a DLL file - a kind of file ending in the DLL file extension. DLL errors can appear in any of Microsoft's operating systems including Windows 8, Windows 7, Windows Vista, and Windows XP. You can copy the error and find out about the affected exe file online.
http://pcsupport.about.com/od/fixtheproblem/ht/dll-error-troubleshooting.htm
3. Stop the function of System Restore: if you forget this step, it will restore the files you delete.
4. Restart your computer: when you restart, press F8 and then select Safe Mode to start your computer.
5. Go to Add or Remove Programs: you will find this in the Control Panel; then remove the programs affected by the Trojan horse.
6. Remove extensions: to delete all files of a program, you should remove them from the Windows System folder.
7. Once you have done the above steps, you should restart your
Disable System Restore:
Control Panel -> System and Security -> System -> System Protection -> Configure
Disable system protection and delete all of the restore points saved on your computer. This will ensure that the virus does not replicate through System Restore.
You can re-enable System Restore once the virus has been removed.
Directory Traversal
In Windows:
- Each partition has a separate root directory, e.g. labeled C:\ for a particular partition C.
- There is no common root directory above that.
- This means that for most directory vulnerabilities on Windows, the attack is limited to a single partition.
Directory Traversal
Directory traversal is an HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server's root directory.

Directory traversal (or path traversal) consists of exploiting insufficient security validation / sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs.

Directory traversal is a form of HTTP exploit in which a hacker uses the software on a Web server to access data in a directory other than the server's root directory. Directory traversal is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking.

If the attempt is successful, the hacker can view restricted files or even execute commands on the server.

Directory traversal attacks are commonly performed using Web browsers. Any server in which input data from Web browsers is not validated is vulnerable to this type of attack.

It allows malicious users to literally "traverse" the directory tree and bypass the restrictions the server was meant to enforce.
Goal of this attack!
To access a computer file that is not intended to be accessible.
This attack exploits a lack of security (the software is acting exactly as it is supposed to) as opposed to exploiting a bug in the code.
Example of a Directory Traversal Attack via Web Application Code
In web applications with dynamic pages, input is usually received from browsers through GET or POST request methods.

Here is an example of a GET HTTP request URL:
http://test.webarticles.com/show.asp?view=oldarchive.html

With this URL, the browser requests the dynamic page show.asp from the server and with it also sends the parameter "view" with the value "oldarchive.html".

When this request is executed on the web server, show.asp retrieves the file oldarchive.html from the server's file system, renders it and then sends it back to the browser, which displays it to the user. The attacker would assume that show.asp can retrieve files from the file system and sends this custom URL:
http://test.webarticles.com/show.asp?view=../../../../../Windows/system.ini

This will cause the dynamic page to retrieve the file system.ini from the file system and display it to the user.

The expression ../ instructs the system to go one directory up and is commonly used as an operating system directive.

The attacker has to guess how many directories he has to go up to find the Windows folder on the system, but this is easily done by trial and error.
Example of a Directory Traversal Attack via Web Server
Apart from vulnerabilities in the code, even the web server itself can be open to directory traversal attacks. The problem can either be incorporated into the web server software or inside some sample script files left available on the server.

The vulnerability has been fixed in the latest versions of web server software, but there are web servers online which are still using older versions of IIS and Apache which might be open to directory traversal attacks.

Even though you might be using a web server software version that has fixed this vulnerability, you might still have some sensitive default script directories exposed which are well known to hackers.
Consider a URL request which makes use of the scripts directory of IIS to traverse directories and execute a command:
http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\

The request would return to the user a list of all files in the C:\ directory by executing the cmd.exe command shell file and running the command "dir c:\" in the shell.

The %5c expression in the URL request is a web server escape code which is used to represent normal characters. In this case %5c represents the character "\".

Newer versions of modern web server software check for these escape codes and do not let them through. Some older versions, however, do not filter out these codes in the root directory enforcer and will let the attackers execute such commands.
Normal URL Encoding
%2e = .
%2f = /
%5c = \
%25 = %

To URL-encode a character we write the % character followed by two hexadecimal digits; this is the encoded representation of the character.

%2e%2e%2f = ../
%2e%2e%5c = ..\
Variations of Directory Traversal
1. Directory traversal on Unix
2. Directory traversal on Microsoft Windows
3. URI encoded directory traversal
4. Unicode / UTF-8 encoded directory traversal

Directory traversal on Unix
Uses the ../ characters.

Consider the following simple example:
http://www.somewebsite.com/../password.txt

Most web servers in the world would block such an attempt, but before most web servers became immune, the attack below was successful:
http://www.somewebsite.com/%2e%2e%2fpassword.txt

Ideally a web server must not serve documents outside the web root folder, but in the above case the web server fails to block the escaped representation of the ../ command.

../ tells the server to step one level up; ../../ tells the server to step two levels up, and so on.

If you unescape the %2e%2e%2f sequence you will get ../. The web server failed to account for escaped characters and as a result the attack was successful.
Directory traversal on Microsoft Windows
Microsoft Windows or DOS directory traversal uses the ..\ characters.

Windows programs or APIs also accept Unix-like directory traversal characters.

Each partition has a separate root directory (labeled C:\ for a particular partition C) and there is no common root directory above that. This means that for most directory vulnerabilities on Windows, the attack is limited to a single partition.
URI encoded directory traversal
A canonicalization problem.
Some web applications scan the query string for dangerous characters such as:
..
..\
../
to prevent directory traversal. However, the query string is usually URI-decoded before use. Therefore these applications are vulnerable to percent-encoded directory traversal such as:
%2e%2e%2f which translates to ../
%2e%2e/ which translates to ../
..%2f which translates to ../
%2e%2e%5c which translates to ..\
Unicode / UTF-8 encoded directory traversal
A canonicalization problem.
UTF-8 was noted as a source of vulnerabilities and attack vectors by Bruce Schneier and Jeffrey Streifling.
When Microsoft added Unicode support to their Web server, a new way of encoding ../ was introduced into their code, causing their attempts at directory traversal prevention to be circumvented.
Multiple percent encodings, such as
%c1%1c
%c0%af
translated into / or \ characters.
Percent encodings were decoded into the corresponding 8-bit characters by the Microsoft web server. This has historically been correct behavior, as Windows and DOS traditionally used canonical 8-bit character sets based upon ASCII.

However, the original UTF-8 was not canonical, and several strings were now encodings translatable into the same string. Microsoft performed the anti-traversal checks without UTF-8 canonicalization, and therefore did not notice that (HEX) C0AF and (HEX) 2F were the same character when doing string comparisons. Malformed percent encodings, such as %c0%9v, were also utilized.
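The canonicalization failure above, as an added example that is not part of the original slides. decode_like_buggy_server() is a constructed model of a lenient two-byte UTF-8 decoder (no continuation-byte or shortest-form validation), not the vendor's actual code; WEB_ROOT and the request paths are constructed. It runs the same containment test twice, once before UTF-8 decoding (the weak order the slide describes) and once after strict decoding.

```python
# Added example (not from the original slides): why a traversal check that
# runs before UTF-8 canonicalization can be bypassed, and the corrected order.
# decode_like_buggy_server() is a constructed stand-in for a lenient decoder;
# WEB_ROOT and the request paths are constructed for this demonstration.
import posixpath
from urllib.parse import unquote_to_bytes

WEB_ROOT = "/scripts"   # constructed: the only directory the server may serve


def decode_like_buggy_server(raw: bytes) -> str:
    """Lenient decode: a lead byte 0xC0-0xDF plus whatever byte follows
    becomes one character from the low 5 + 6 bits, without checking that the
    second byte is a continuation byte or that the form is the shortest one.
    So %c0%af -> '/' and %c1%1c -> '\\', exactly the pairs the slide lists."""
    out, i = [], 0
    while i < len(raw):
        lead = raw[i]
        if 0xC0 <= lead <= 0xDF and i + 1 < len(raw):
            out.append(chr(((lead & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(lead))
            i += 1
    return "".join(out)


def stays_inside_root(path_text: str) -> bool:
    """The containment test itself: collapse ../ and compare with WEB_ROOT.
    Backslashes count as separators because Windows APIs accept both."""
    norm = posixpath.normpath(path_text.replace("\\", "/"))
    return norm == WEB_ROOT or norm.startswith(WEB_ROOT + "/")


def allowed_by_weak_check(url_path: str) -> bool:
    """Check run after percent-decoding but BEFORE UTF-8 decoding. The
    overlong bytes are still opaque, so '..%c0%af..' looks like a single odd
    directory name and the path appears to stay inside WEB_ROOT."""
    partially_decoded = unquote_to_bytes(url_path).decode("latin-1")
    return stays_inside_root(partially_decoded)


def path_seen_by_filesystem(url_path: str) -> str:
    """What the lenient decoder hands to the file API after the weak check."""
    return decode_like_buggy_server(unquote_to_bytes(url_path))


def allowed_by_canonical_check(url_path: str) -> bool:
    """Corrected order: percent-decode, strict UTF-8 decode (which rejects
    overlong and malformed forms outright), then the containment test."""
    try:
        text = unquote_to_bytes(url_path).decode("utf-8")
    except UnicodeDecodeError:
        return False          # undecodable input is refused, not guessed at
    return stays_inside_root(text)


OVERLONG_SLASH = "/scripts/..%c0%af../test.txt"   # %c0%af is an overlong '/'
ODD_BACKSLASH = "/scripts/..%c1%1c../test.txt"    # %c1%1c leniently -> '\\'
PLAIN_TRAVERSAL = "/scripts/../test.txt"
BENIGN = "/scripts/test.txt"

if __name__ == "__main__":
    for req in (BENIGN, PLAIN_TRAVERSAL, OVERLONG_SLASH, ODD_BACKSLASH):
        print(f"{req:32} weak={allowed_by_weak_check(req)!s:5} "
              f"canonical={allowed_by_canonical_check(req)!s:5} "
              f"filesystem sees {path_seen_by_filesystem(req)!r}")
```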
What an Attacker can do if your Website is Vulnerable?
With a system vulnerable to directory traversal, an attacker can make use of this vulnerability to step out of the root directory and access other parts of the file system.

This might give the attacker the ability to view restricted files, or, even more dangerous, allow the attacker to execute powerful commands on the web server, which can lead to a full compromise of the system.

Depending on how the website access is set up, the attacker will execute commands as the user account associated with "the website". Therefore it all depends on what the website user has been given access to in the system.
Preventing Directory Traversal Attacks
Install the latest version of your web server software, and make sure that all patches have been applied.

Filter any user input. Ideally remove everything but the known good data and filter meta characters from the user input. This will ensure that only what should be entered in the field will be submitted to the server.

Check if your website is vulnerable to attack with a web vulnerability scanner.

Acunetix Web Vulnerability Scanner ensures website security by automatically checking for SQL Injection, Cross Site Scripting, Directory Traversal and other vulnerabilities. It checks password strength on authentication pages and automatically audits shopping carts, forms, dynamic content and other web applications. As the scan is being completed, the software produces detailed reports that
Process URI requests that do not result in a file request, e.g., executing a hook into user code, before continuing below.

When a URI request for a file/directory is to be made, build a full path to the file/directory if it exists, and normalize all characters (e.g., %20 converted to spaces).

It is assumed that a 'Document Root' fully qualified, normalized path is known, and this string has a length N. Assume that no files outside this directory can be served.
Ensure that the first N characters of the fully qualified path to the requested file are exactly the same as the 'Document Root'.
If so, allow the file to be returned.
If not, return an error, since the request is clearly out of bounds from what the web server should be allowed to serve.
Check if the string contains '..' (two periods next to each other).
Using a hard-coded predefined file extension to suffix the path does not limit the scope of the attack to files of that file extension.
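The document-root containment check described in the steps above, and the show.asp?view=... example earlier, as one added example that is not part of the original slides. The document root, file names and request strings are constructed in a temporary directory; os.path.commonpath is used for the "first N characters" comparison so that a sibling directory whose name merely starts with the root's name is not accepted.

```python
# Added example (not from the original slides): the document-root containment
# check from the slides, run against a real temporary directory so that path
# normalization hits the file system. The root, file names and request
# strings are constructed for this demonstration.
import os
import tempfile
from urllib.parse import unquote


class OutOfBounds(Exception):
    """Raised when the requested file resolves outside the document root."""


def resolve_under_root(document_root: str, requested: str) -> str:
    """Map a URL path onto a file under document_root or raise OutOfBounds."""
    root = os.path.realpath(document_root)          # fully qualified + normalized
    decoded = unquote(requested)                    # %2e%2e%2f -> ../
    decoded = decoded.replace("\\", "/")            # Windows APIs accept ..\ too
    joined = os.path.join(root, decoded.lstrip("/"))
    candidate = os.path.realpath(joined)            # collapses ../ and symlinks
    # "First N characters equal the document root", done with commonpath so
    # that a sibling such as <root>2 is not mistaken for being inside <root>.
    if os.path.commonpath([root, candidate]) != root:
        raise OutOfBounds(requested)
    return candidate


def serve(document_root: str, requested: str) -> bytes:
    """Return the file body for an in-bounds request, else raise OutOfBounds."""
    with open(resolve_under_root(document_root, requested), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build a constructed site layout and try benign and traversal requests."""
    root = tempfile.mkdtemp(prefix="docroot_")
    sibling = root + "2"                            # prefix-confusion neighbour
    os.mkdir(sibling)
    with open(os.path.join(root, "oldarchive.html"), "wb") as fh:
        fh.write(b"<h1>archive</h1>")
    with open(os.path.join(sibling, "leak.txt"), "wb") as fh:
        fh.write(b"secret")
    requests = (
        "oldarchive.html",                          # legitimate request
        "../../../../../Windows/system.ini",        # plain ../ traversal
        "%2e%2e%2fsystem.ini",                      # percent-encoded ../
        "..%5csystem.ini",                          # encoded backslash ..\
        "../" + os.path.basename(sibling) + "/leak.txt",  # <root>2 sibling
    )
    results = {}
    for req in requests:
        try:
            results[req] = serve(root, req)
        except OutOfBounds:
            results[req] = "blocked"
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r:45} -> {outcome!r}")
```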
Thank
You
