Worms
Trojan Horses
Logic Bombs
Legal Issues
Conclusion
Disclaimer
=============================================
only a few kilobytes in size. This enables the virus to be easily hidden
from Anti-Virus scanners. Virii can infect any computer; it does not make
any difference if it is a laptop or a network server. Different Virii
exist for different Operating Systems; there are Virii for all of them,
although more exist for Windows than any other.
Once a virus has been written, it can be distributed very easily by the
author; the main means of doing this today would be to use the Internet.
Once on the Internet, it will be available to anybody, to either distribute
to others with knowledge of what it is, or by accidental means. The Internet
is not the only way for the new virus to replicate. It may be given to
people on disk, who then use it in their computer, which is on a company
network, for example.
These factors make it harder to trace the virus back to the author, or the
person that actually released it into the public domain. Once a virus is
active on a host computer, it could spread onto large networks. One of the
main protections against this is using good Anti Virus Software. If the
virus is detected before its payload is released or it is able to spread,
then the results will be better than if the virus had discharged its payload.
Virii enter computer systems from external sources, and are made to be
attractive. An example would be a new application that is available for
download from the Internet. People may download it, run the installation
program, then the new virus is out on their system. During the time before
the virus was detected by conventional Anti Virus Software, it may have
caused a lot of damage. For this reason, it is important to keep the
database patterns that the anti viral software uses up to date.
A virus can also be programmed to activate straight away or it can be
made to lie dormant for a certain period of time, until a certain date or
action triggers it. There are also many other variations that can be
made to activate a virus or its payload. Timer functions of a virus
are provided by the Logic Bomb.
There are a lot of ways a virus can spread, although some methods are
more common than others. For example, if you download a piece of software
from the Internet, then take it into work on a disk without checking it for
any infections, you may risk infecting the company network.
If the downloaded software was in fact clean, it could still be infected
once it is on your computer. Floppy disks were the main method of
transporting Virii. Today they are not used as much as before because,
with the constantly expanding Internet, files can be sent quickly and
easily by using email.
What Can Be Affected:
=====================
There are a number of characteristics that need to be in place for a
virus infection to take place. For example, the file must be:
****-> Executable
****-> Stored on a write-enabled disk
****-> Have individual write properties
Write protecting a disk can stop some infections, but at some point
you will want to write to a disk so you would need to remove the
read-only property. At this point the files on the disk are open
to being written to.
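
The three conditions listed above can be checked from the defender's side. The following is an added example, not part of the original article: it walks a directory tree and reports regular files that are executable, sit on a writable volume, and carry a write permission bit. The function names and the `EXEC_EXTENSIONS` list are assumptions made for this example.

```python
import os
import stat

# Extensions treated as executable besides the Unix execute bit
# (assumed list for this example, not taken from the article).
EXEC_EXTENSIONS = {".exe", ".com", ".bat", ".sys", ".dll"}


def is_executable(path, mode):
    """Condition 1: the file is something the system will run."""
    has_x_bit = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    return has_x_bit or os.path.splitext(path)[1].lower() in EXEC_EXTENSIONS


def volume_is_writable(path):
    """Condition 2: the disk holding the file is not mounted read-only."""
    if not hasattr(os, "statvfs"):      # no statvfs (e.g. Windows): assume writable
        return True
    return not (os.statvfs(path).f_flag & os.ST_RDONLY)


def audit_tree(root):
    """Return sorted (path, writers) pairs for files meeting all three conditions."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                # vanished or unreadable: skip it
            if not stat.S_ISREG(st.st_mode):
                continue                # ignore symlinks, devices, sockets
            if not (is_executable(path, st.st_mode) and volume_is_writable(path)):
                continue
            # Condition 3: the file itself has write permission for someone.
            writers = [who for who, bit in (("owner", stat.S_IWUSR),
                                            ("group", stat.S_IWGRP),
                                            ("other", stat.S_IWOTH))
                       if st.st_mode & bit]
            if writers:
                findings.append((path, writers))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for found, who in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{found}: writable by {', '.join(who)}")
```

Executables reported as writable by "group" or "other" are the first candidates for tightening permissions or moving to read-only media.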
Boot Sector
File Infecting
Multi-Partite
Polymorphic
Stealth
==============
These Virii attempt to hide, unnoticed, from the Operating
System and any installed anti-virus scanning software. To achieve this,
the virus must stay resident in memory (TSR). By staying in memory,
it can make changes to files and directories easily.
As the virus is memory resident, there will be less memory available to the
system, although this type of virus is usually small, so would not take up
much memory. Good anti-virus software will detect and remove resident Virii from
memory, which needs to be completed before the disk based components of the
virus can be removed.
Multi-Partite Virii:
====================
These types of Virii infect the boot sector and executable files.
They are also the most difficult to detect, as they can combine
techniques from the other types of Virii. An infection from one of
these types of Virii can be the most damaging,
sometimes causing a total loss of data on computer systems. Some of the
more advanced Virii can also spread over a network, which when combined
with the other techniques used to avoid detection and removal, can cause
a company network to grind to a halt. For this reason, it is always a good
idea to keep important data backed up, as it is better to be safe than sorry.
Introduction To Worms:
======================
Apart from Virii, there are a number of other programs that are designed
to be destructive to computer systems. Worms are also programmed to alter or
destroy data, but their main difference from Virii is that they can be
programmed to exploit holes in various operating systems in order to gain
access to the system. In that sense, they do replicate to other hosts
but they do not spread in the same way as Virii do by simply spreading
onto floppy disks.
The damage that worms can cause can be just as serious as a virus attack,
especially if not discovered in time. For example, a worm could be
programmed to exploit mountd, to gain access to a vulnerable host.
Firstly, the worm would have to be released on a system, once on that
system, it could scan an IP subnet and find hosts that are open to being
exploited. Once into a system, it could then patch the hole that allowed
it to gain access originally, then proceed to backdoor the system and run
a scan on another IP class. It could also email a list of exploited
hosts to an account that had been set up by the author, or another
individual that releases it.
This process of replication could continue, as long as there are hosts
to exploit. Considering that a lot of systems are not patched against
new exploits straight away, it would be quite a field day for a new worm that
uses that new hole to gain access.
Introduction To Trojan Horses:
==============================
A Trojan Horse is a destructive program that has been concealed inside
another genuine piece of software. In addition to this, a worm or virus
would be hidden inside a Trojan Horse. The main reason a Trojan Horse is not
a virus is that it does not replicate like Virii. There is a long
history behind the origin of the Trojan Horse. When Greek warriors built a
large, attractive wooden horse they were able to hide their warriors inside.
They left it outside the gates of the city of Troy. When the Trojans saw it,
they thought it was part of a peace offering and gladly opened the gates and
took it into their city. Once inside the Greek warriors jumped out and
started fighting with the Trojans and destroying their city.
Trojan Horse software works in the same way. The software package might look
good and seem genuine, which gives the user the peace of mind they want, so
they download and run the executable. The software package itself is
legitimate but the Trojan Horse is lurking inside and will be able to get out
once the executable is run. Once out, it could continue with what it was
programmed to do; at this point it may act like some Virii and wait until a
certain date or other activation method, before proceeding to release its
payload.
Trojan Horses can also be programmed to self-destruct, leaving no trace of
their existence, apart from the damage that they have caused if not
discovered in time. A Trojan Horse is particularly good for the once common
banking crime known as Salami Slicing, in which small sums of money are
transferred from a number of accounts into another account operated by an
intruder. Due to increasing security, that and other schemes are harder to
complete successfully as time goes on.
Introduction To Logic Bombs:
============================
A Logic Bomb is similar to a Trojan Horse. Each has the ability to damage
or destroy data; the difference is that a Logic Bomb has a timing device
so that it can be programmed to go off at a particular date or time.
For example, the Michelangelo virus is embedded inside a Logic Bomb.
Logic Bombs can still be very destructive on their own, as they usually
are developed in much the same manner as Virii are, even if they lack the
ability to replicate as Virii can.
Logic Bombs are timed to do maximum damage. One example of this would be
an ex-employee who wants to cause some damage to the company network.
They could install a Logic Bomb on the network computers and set it to
activate months after they have left.
Legal Issues:
=============
There are a number of legal issues related to Virii and other malicious
programs. To program a virus and put it up on your website for
educational purposes in source/binary form should not be illegal.
Of course, people will download it and then distribute it to people to
cause damage to their systems; this would be illegal.
Regardless of being illegal or not, people will still continue to write
and distribute Virii and other infecting programs that allow
unauthorised access to computer systems.
Conclusion:
===========
I hope that you enjoyed reading this article and that you actually learned
some new information from it. If you have any comments or suggestions about
this article, please feel free to send me an email: jasun@phreaker.net
I hope this gave you a little insight into the world of the virus and other
related programs.
Look out for more articles from me in the future. I have made this
information as accurate as possible to my knowledge, but don't complain if I
made an error, most of this was written at times around 4am in the morning.
Disclaimer:
===========
This document is for educational *INTERNAL USE ONLY*
It is for educational purposes only, the information contained within it must
not be used to cause damage to any person/system. What you do with this
information is your business, but anything that arises from its misuse cannot be
held against anybody, apart from yourself.