Monday, November 28, 2005

Lesson I - Know Thy Enemy

Computer viruses have been causing trouble for nearly as long as computers have been around, but your computer doesn't have to end up another virus casualty. We look at what viruses are, how they work, and how you can avoid infection, as well as steps to take if your computer is already infected.

Sunday, November 27, 2005

What Is A Virus?

Briefly; there are three different types of programs that are commonly called a virus:
A true "Virus" is a program that attempts cripple your computer by "infecting" key files and spreading itself on to others. It might change critical files or performing unwanted functions like erasing your hard drive. NATAS (Satan backwards) is a particularly nasty virus.
A Trojan horse will leave your computer accessible for other people to use (a common Trojan horse is Back Orifice). Once a Trojan horse is installed they may "bounce" through your machine as a way to cover their tracks and do other damage. A Trojan horse commonly gives access to all the information stored on your hard drive, so they can read what you have, or use you as their storage server.
A Worm will travel from system to system and gather information and send it on, also doing collateral damage along the way. The recent ILOVEYOU scare was basically a worm.

Saturday, November 26, 2005

An Overview of Viruses, Worms, Trojan Horses & Other Malicious Code

Every few months, we hear about a new computer virus outbreak that threatens to inflict more damage than the last big virus. You probably know the drill by now: Run an anti-virus check, don’t open suspicious emails or attachments, and hold your breath.
Of course, some of the hype surrounding particular viruses, worms, and other threats seems silly at times. But viruses and their kin continue to grow in both number and strength, despite our best efforts to repel them. As computers and networks become increasingly complex and widespread, so does malicious code that seeks to steal or destroy data from computers and wreak havoc on networks of all sizes.
No computer user is truly immune to viruses, so it’s important to understand what these threats are and how they work. Let’s take a closer look at the truth behind the hype.

Friday, November 25, 2005

Among Us For Decades

The first documented virus classified as in the wild (not contained in an experimental environment but spread among normal, unsuspecting computer users) was Elk Cloner, way back in 1981. This virus spread on Apple II floppy disks and displayed a harmless rhyme on-screen.
Researcher Fred Cohen formally defined the virus concept in a 1984 paper titled “Computer Viruses – Theory and Experiments,” in which he wrote, “Every general purpose system currently in use is open to at least limited viral attack.” Amazingly, this discovery holds true nearly 20 years later, as many computers today are vulnerable to a multitude of viruses, as well as virus-like mutants such as worms.
Today, people loosely use the term “virus” to describe malicious code that can infect and possibly damage a computer. But viruses are just one of several examples of this code; others include worms and Trojan horses. Collectively known as malware (malicious software), these pieces of code can attack computers from a variety of sources, including downloaded program files, email attachments, and even web sites. Virus writers range from curious troublemakers tinkering with virus creation programs to experienced software coders.

Thursday, November 24, 2005

What’s The Big Deal?

In many cases, when a virus writer releases a new creation into the wild, the virus can be difficult to stop. Even if the writer intends no harm, some worms are powerful enough to halt activity on entire networks. For example, Carnegie Mellon’s CERT Coordination Center received the first confirmed reports of the Melissa macro virus on Friday, March 26, 1999. By Monday, March 29, the virus had affected more than 100,000 computers. According to CERT, one organization received 32,000 email messages containing Melissa within 45 minutes.
McAfee’s AVERT (Anti-Virus Emergency Response Team) reports that more than 62,000 virus threats exist today and virus writers create roughly 200 new viruses every month. Some of these viruses cause enough turmoil to result in substantial financial losses around the globe. Computer Economics, an independent research firm, estimates that in 2001, the Code Red worm and its variants had a worldwide economic impact that cost $2.62 billion, Sircam cost $1.15 billion, and Nimda cost $635 million.

Wednesday, November 23, 2005

A Closer Look at Malicious Code

Malicious code falls into three basic categories: self-replicating code viruses, worms, and Trojan horses. Although experts categorize many threats according to their general nature, some malicious code is more difficult to identify, particularly if it displays traits from more than one of these categories.

Tuesday, November 22, 2005

Viruses

A virus is actually a small, self-replicating program. This means that the virus copies itself by infecting other programs and modifying their structures or even replacing the programs altogether. Viruses typically run behind the scenes, so victims don’t often witness the actions of viruses.
The possible damage virus’s cause includes corrupting programs, deleting files, altering system settings, or reformatting hard drives. Not all viruses cause such physical damage; some viruses simply display or sound a message indicating their presence on systems to spook users.
Today’s most common virus is the macro virus. When Microsoft included Visual Basic with its Microsoft Office suite several years ago, virus writers began using the utility’s power and flexibility to create macro viruses. Macros are collections of instructions used to execute tasks automatically within a program (such as Microsoft Word or Excel), but when virus writers created macros with malicious intent, they found out that they could use macro viruses to wreak serious havoc on one or many computers.
The most infamous macro virus, Melissa, propagated via an email message with a Word document attached to it. When opened, the document ran the macro, which lowered macro security settings on the computer (if necessary), and then emailed an infected Word document to the first 50 entries in every Microsoft Outlook MAPI (Messaging Application Programming Interface) address book accessible by the user executing the macro. Melissa also infected Word’s Normal.dot template file and displayed a Scrabble reference in the present Word document if the current minutes of the hour matched the day of the month.
Another common virus type is the file infector virus, which attacks program files (often ending in the extensions of .COM or .EXE) by overwriting portions of the file. Then, when an infected program runs, the virus places itself in the computer’s memory and proceeds to infect any non-infected programs that run thereafter. The potential for serious computer damage caused by file infector viruses is great because users often run several programs during a typical computing session.
The CIH virus, also known as Chernobyl (due to some variants of the virus executing only on April 26, the anniversary of the nuclear disaster), is a particularly nasty example of the damage file infector viruses can cause. When the CIH virus infects a computer, it can erase the entire hard drive and even overwrite the computer’s BIOS (Basic Input/Output System), which could require users to purchase a new BIOS chip for the computer’s motherboard.
The third major virus type infects the area of hard drives or floppy diskettes that contains boot information. These boot sector viruses activate when users start their computers and remain in the memory. Although most boot sector viruses are for DOS, some of the viruses target other PC OSes (operating systems).
Michelangelo is a boot sector virus that generated a worldwide scare in January 1992 after it shipped on hundreds of new PCs and diskettes by mistake. The virus, set to activate on March 6 of each year (the birthday of Renaissance painter Michelangelo), overwrites vital system data on an unprotected computer and causes it to stop running.

Monday, November 21, 2005

Worms

A worm is a self-contained program that replicates itself over a computer network, such as the Internet. Worms can conduct this activity without the use of a host file, unlike viruses, which need a host file to spread from computer to computer. Email is a common target for the propagation of worms, but they also spread over network connections and IRC (Internet Relay Chat).
Worms can be relentless in their pursuit to achieve a goal (if there is a finite goal). For example, many worms continue to execute until a computer reboots or shuts down, and even then, they usually start again when a computer restarts.
One of the most damaging worms is Code Red, which exploited vulnerability in servers running Microsoft’s IIS (Internet Information Server). A variant of this crafty worm attacked more than 350,000 servers over several days in July 2001, flooding the Internet with scans for vulnerable computers. When clocks struck midnight (GMT [Greenwich Mean Time]) on July 19, the worm instructed the infected servers to begin a massive DoS (denial of service) attack on a White House Internet hub, creating the potential for blackouts across the Internet. Fortunately, a design flaw left the worm open to counterattack, which successfully shut down Code Red.

Sunday, November 20, 2005

Trojan Horses

Like their virus and worm counterparts, Trojan horses contain malicious code, but their designers don’t build them to replicate. Instead, designers disguise Trojan horses as safe programs that they want unassuming users to execute so the Trojan horses can work in the background to damage or steal data.
Trojan horses usually work in one of two ways: Either they allow access to a victim’s computer to upload other malicious programs or they use a victim’s computer for malicious administrative tasks.
Several years ago, many hackers (savvy computer users who break into systems for illegal and/or unethical purposes) found the SubSeven intruder tool to be extremely useful as a Trojan horse. Placed on a victim’s computer, the server portion of SubSeven lets a remote hacker browse the victim’s computer, open and close programs, edit the Windows Registry, and even use the computer as an FTP (File Transfer Protocol) server.

Saturday, November 19, 2005

New Breeds Promise A Dark Future

Although some researchers indicate that new virus activity is beginning to slow for the first time in years, they also report that the viruses that do manage to break into the wild are more dangerous than ever.
Blended Threats, which combine aspects of viruses, worms, and Trojan horses, are appearing with more frequency. Although blended threats are not new (for example, Nimda appeared in 2001), they are becoming more popular among virus writers who appreciate their complexity and elusiveness.
Polymorphic Viruses, which change their code each time they replicate to thwart anti-virus detection, are also materializing more often. Like blended threats, polymorphic viruses have a long history and show no sign of slowing down. Alarmingly, sophisticated threats such as these often do significantly more damage than viruses we saw four or five years ago.
The enormous surge in virus outbreaks since Elk Cloner reared its innocuous head long ago spawned a hefty anti-virus industry that continues to valiantly battle malicious code. Unfortunately, recent history has shown us that viruses, worms, and Trojan horses—and even combinations of the three— inevitably stay one step ahead of detection attempts.