
Simab Chuhan Course Work ID-42903

Summarizing the technique used in developing the cyber virus and developing
a policy to mitigate the cyber virus problems

BY

Simab Chuhan
Student Number: 42903

A paper in partial fulfillment of the requirements for the degree of the

MSc Security Technology

Course Module: Cyber Security

British Institute of Technology & E-commerce

2011

Supervisor: Prof. Hasan Al-Saedy / Dr. Fatemah Shaikh

I am submitting this cyber security course work as part of my MSc Security Technology
module requirement; I declare that all I submitted is my own work and that I used
references for any cited words to avoid plagiarism.

Signature (handwritten candidate number):

Date:

British Institute of Technology & E-commerce Page 1



Table of Content

1. Introduction………………………………………………………………..3
2. Boot Sector Viruses.........................................................................................3
3. File Infecting Virus…………………………………………………….…..3
4. Multi-Partite Viruses………………………………………………….…...4
5. Macro Viruses………………………………………………………….…..4
6. Virus Hoax……………………………………………………………….…4
7. Spam………………………………………………………………………...4
8. Motivation for sending spam……………………………………………...5
9. Basic spamming techniques............................................................................5
10. Countermeasures for Spam………………………………………….........5
11. Email phishing…………………………………………………….….…….5
12. Pharming…………………………………………………………..………..6
13. Techniques Use for Viruses……………………………………….……….6
14. Trojan Virus……………………………………………………….……….6
15. ZSecurity Virus Case Study……………………………………….………7
16. Cyber virus protection…………………………………………….…..…...8
17. Keep Software up to date………………………………………………….8
18. Run Anti Virus Program…………………………………………………..8
19. Keep on your Firewall……………………………………………………..9
20. Backup Files………………………………………………………….……..9
21. Avoid file Sharing………………………………………………...….…….9
22. Malware attacks……………………………………………………..……...9
23. SQL Injection Attack……………………………………………………..10
24. DDOS Attack……………………………………………….……………..10
25. Conclusion………………………………………………….……………...11
26. Bibliography ……………………………………………….……..………12


Introduction:
A cyber virus is executable program code that has the ability to replicate itself many times
very quickly. It can also attach itself to files in order to spread to and damage other
computers. The replication itself can bring a system down, and when the virus payload is
triggered it can destroy files, damage the operating system and antivirus software, and more.
Cyber viruses used to spread via floppy disks and other peripheral devices such as flash
drives, but now the internet lets them spread via email or by downloading illegitimate
software that appears to be legitimate.

There are four main types of viruses:


1. Boot Sector Viruses
2. File Infecting Viruses
3. Multi-Partite Viruses
4. Macro Viruses

[1] As Brian Krebs compiled on 14/02/2003 in his article on the history of viruses: in 1945
Admiral Grace Murray discovered a moth trapped between relays in a Navy computer. She
called it a "bug", a term used since the late 19th century, and she also used the term
"debugging" for fixing the computer problem. In 1983 the FBI caught the "414s", a group of
young hackers who broke into U.S. Government networks. During that year Fred Cohen used
the term "computer virus" to describe a computer program that copies itself; he also did
research on building antivirus software. In 1986 the first computer virus ever, "The Brain",
was created by two Pakistani brothers, though it is also claimed that they copied it from two
Chinese brothers. In 2000 the virus named "I LOVE YOU" infected millions of computers
over the network, using techniques similar to the Melissa virus. That virus was triggered by a
Filipino student and had the ability to send out passwords and usernames.

Boot Sector Viruses:

Before we discuss boot sector viruses we have to know what a boot sector is. Our hard disk
consists of segments and clusters; we divide them into what are called partitions. Each disk
has a master boot record (MBR). It works like the index of a book: it tells which files need to
run first for the operating system to start. The boot sector contains the file system type and
operating system version. If the boot sector is compromised, the entire system is at risk. For
example, if a floppy disk is bootable and infected with a boot sector virus, then once you
restart the system the virus is triggered; the user gets no option except to press F1 to
continue and is unaware that the virus has harmed the boot sector. It is simplest to remove a
boot sector virus with antivirus software, because that is a cleaner way of removing it than
using manual DOS commands.
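As an added example (not part of this course work), the check below parses the 512-byte MBR described above and compares its boot code and partition table against a record taken when the disk was known to be clean, which is how a boot sector infection shows up as a change. The MBR bytes and the baseline are constructed here; on a real machine they would be read from the first 512 bytes of the raw disk device.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
ENTRY_FMT = "<B3xB3xII"               # status, (CHS skipped), type, (CHS skipped), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into its boot code, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i:446 + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack(ENTRY_FMT, entry)
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_against_baseline(sector: bytes, baseline: dict) -> list:
    """Compare the MBR read now with a record taken when the disk was known to be clean.
    A boot sector virus overwrites the boot code (and sometimes the table), so either
    difference, or a damaged signature, is reported as a finding."""
    current = parse_mbr(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing or damaged")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed since baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed since baseline")
    return findings


def make_sector(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a constructed MBR for the demonstration (not an image of a real disk)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        sector[446 + 16 * i:446 + 16 * (i + 1)] = struct.pack(
            ENTRY_FMT, 0x80 if bootable else 0x00, ptype, lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed sample: the clean MBR recorded as the baseline, with one bootable
# NTFS-type partition (type 0x07) starting at LBA 2048 ...
CLEAN_MBR = make_sector(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20,
                        [(True, 0x07, 2048, 204800)])
BASELINE = parse_mbr(CLEAN_MBR)
# ... and the same disk after its boot code was overwritten by something else.
TAMPERED_MBR = make_sector(b"\xeb\x3c\x90" + b"\x00" * 25, [(True, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print("clean disk findings:", check_against_baseline(CLEAN_MBR, BASELINE))
    print("tampered disk findings:", check_against_baseline(TAMPERED_MBR, BASELINE))
```

Reading the live MBR needs administrator rights on the raw device; the baseline should be stored off the machine so a virus cannot rewrite both.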

File Infecting Virus:

File infecting viruses are the most common kind. They attach themselves to all kinds of
executable files, such as .exe and .com files, and can replace the original code with their
own code. File infecting viruses widely target the Windows, DOS, UNIX and Macintosh
operating systems.


Multi-Partite Viruses:
In 1989 Fridrik Skulason found the first multipartite virus, Ghostball. Multipartite viruses
can infect both system sectors and system files, so they can spread in a number of different
ways.

Macro Viruses:
A macro virus is code written in the macro language of an application such as Microsoft
Word, and infected documents trigger it in similar ways. A typical effect is unwanted edits,
such as the insertion of comic text in different lines of the document. A macro virus can also
spread through e-mail, as the Melissa virus did.

Virus Hoax:
A virus hoax typically arrives as an e-mail. It is false information sent to the user which
pushes the user to do something that is not necessary. Sometimes it comes from a valid
address, for example an email from a friend which says: delete the file xyz.exe from your
Windows C: drive, it is a virus and antivirus cannot detect it because it is a new version of
malware. The user will urgently find that file and delete it because the news came from a
trusted source, but the file was genuine and used by the Windows operating system. This
kind of false information is hard to spot unless you have knowledge about that file, or you
search for information about its contents.

Nothing happens to your system if you ignore hoax messages; it is just a waste of time to
delete something you know nothing about.

In the truest sense we cannot say that a hoax is a computer virus, because it is an e-mail
based on false information that turns the user's mind so that, under pressure from the false
warning, the user makes a mistake on his own machine. Operating systems and antivirus
software cannot detect false information or spam e-mails unless we tell them what to look
for. The best thing to do when such an e-mail arrives is to investigate it before removing
anything.

Spam:
Spam is Unsolicited Bulk Email, or junk email: sending copies of the same email message to
as many users as possible, users who would not usually choose to receive it. All such
messages are spam, and they degrade the communication medium. There are several kinds
of spam, such as email spam, instant messaging spam, UseNet newsgroup spam, web search
engine spam and mobile phone messaging spam.

Origin and contents of spam email: spammers conceal the origin and intention of their
messages by spoofing the sender's email address, by intentionally misspelling common spam
filter keywords to avoid filtering, for example
viagra – vaigra – v/i/a/g/r/a – ...
and by sending the message as an image, presented as a GIF or JPEG.


Motivation for sending spam:

The main task of spam is to motivate the user: get rich quick, click and get paid for every
click, get illegal software, start a home-based job and earn money, have a phone sex line free
of cost with only a registration, discounted software, illegal health products. There are still
many more ways to motivate people into installing what the spam offers on their machine;
once they install it and get infected, their system can be used for different purposes such as
a DDOS attack or as a zombie.

Basic spamming techniques:

Sending spam from one dedicated machine does not work well. Instead, spammers use free
web mail services (e.g. Hotmail), open mail relays, open proxy servers, botnets, and spam
sending software (to create dynamic text and connect to bots).

Countermeasures for Spam:

1. Content filtering: heuristic/signature-based (pattern matching); Bayesian (a single user
trains the filtering software); collaborative (many users collaborate to train the filtering
software).
2. Spam traps: honey pots used to collect spam.
3. Blacklisting: lists of badly behaving IP addresses.
4. Grey listing: temporarily blocking emails from unknown senders (a new combination of IP
address, sender and receiver).
5. White listing: delivering email from known senders only.
6. Disposable identities: renewing the recipient's email address.
7. Email authentication: authenticating the message sender.
8. Sender reputation solutions: assigning a reputation to the message sender.
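As an added example (not part of this course work), the filter below is the single-user Bayesian content filter from the countermeasures list, with a normalisation step aimed at the keyword evasions shown in the Spam section (viagra – vaigra – v/i/a/g/r/a): substitutions are undone, split words are rejoined, and each word also contributes a sorted-letter skeleton so that transposed spellings share a feature. The training messages are a constructed handful, far fewer than a real deployment would use.

```python
import math
import re
from collections import Counter

# digit/symbol substitutions spammers use to dodge keyword filters (v1agra, $ale)
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})
# a separator between two single letters, as in v/i/a/g/r/a or v.i.a.g.r.a (spaces not handled)
SPLIT_RE = re.compile(r"(?<=\b[a-z])[./\-_*]+(?=[a-z]\b)")


def normalize(text: str) -> list:
    """Turn a message into features that survive the evasions: lower-case, undo
    substitutions, rejoin split words, and add a sorted-letter 'skeleton' for each word so
    that transpositions such as viagra/vaigra map to the same feature."""
    text = SPLIT_RE.sub("", text.lower().translate(LEET))
    feats = []
    for tok in re.findall(r"[a-z]+", text):
        feats.append(tok)
        if len(tok) > 3:
            feats.append("~" + "".join(sorted(tok)))
    return feats


class BayesFilter:
    """Naive Bayes spam filter trained by a single user."""

    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}   # feature -> documents containing it
        self.docs = {"spam": 0, "ham": 0}

    def train(self, text: str, label: str) -> None:
        self.docs[label] += 1
        self.counts[label].update(set(normalize(text)))

    def spam_probability(self, text: str) -> float:
        """P(spam | message) with Laplace smoothing, accumulated in log-odds for stability."""
        log_odds = math.log((self.docs["spam"] + 1) / (self.docs["ham"] + 1))
        for f in set(normalize(text)):
            p_spam = (self.counts["spam"][f] + 1) / (self.docs["spam"] + 2)
            p_ham = (self.counts["ham"][f] + 1) / (self.docs["ham"] + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))


def trained_filter() -> BayesFilter:
    """A filter trained on a constructed handful of messages, enough for the demonstration."""
    f = BayesFilter()
    for msg in ["Buy viagra now cheap pills", "Cheap viagra discount pills online",
                "Get rich quick click now and earn money"]:
        f.train(msg, "spam")
    for msg in ["Meeting agenda for Friday attached", "Can you review the project report",
                "Lunch tomorrow at noon"]:
        f.train(msg, "ham")
    return f


if __name__ == "__main__":
    f = trained_filter()
    for msg in ["V1AGRA cheap", "v/i/a/g/r/a pills", "vaigra online", "review the report attached"]:
        print(f"{msg!r:32} spam probability {f.spam_probability(msg):.2f}")
```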

Email phishing:
Phishing is a form of social engineering: an attempt to fraudulently acquire sensitive
information (such as passwords and credit card details) by masquerading as a trustworthy
person or business in an apparently official electronic communication. The phisher uses the
sensitive information in further crimes. The phisher spams email messages, spoofed so as to
appear to be sent from a legitimate source; the email requests sensitive information either by
reply or by visiting a website; the user supplies the sensitive information, which is captured
by the phisher. Phishing scam sites are hosted on compromised servers, usually in poorly
regulated countries.

There is no direct connection between the phisher and the compromised server. There are
more advanced techniques, such as a port redirection tool installed on the compromised
server, redirecting incoming HTTP requests to another compromised server; copycat domain
names, registering a copycat brand name with a domain provider, for example
"barclaysbankupdate.co.uk"; visual spoofing, which replaces certain components of the user's
browser with fake copies in the form of images, for example the address and status bars;
browser hijacking, which takes control of the user's web browser and steals confidential data;
URL obfuscation, disguising the true contents of the URL bar; and plug-and-play phishing
kits, which allow a phishing website to be installed anywhere within seconds.


Pharming:
Pharming is like wholesale harvesting of personal details: "Pharming is like phishing with a
really big net." Users type the legitimate host and domain name of the targeted organization,
but are directed to a spoofed website. The spoofed website matches the original (including
the padlock symbol for SSL, shown as an image), so users are not able to detect the fraud and
enter their personal details. Techniques include malware attacking the browser address bar,
exploitation of a vulnerability in DNS server software, inserting an entry into the HOSTS.TXT
file (works only for a single user or a group of users sharing the same computer), and DNS
cache poisoning (works for a whole section of the Internet).
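As an added example (not part of this course work) covering both the phishing and the pharming sections, the functions below flag a copycat domain that carries a brand name without belonging to the brand, recover the host a browser really connects to from an obfuscated URL, and scan a hosts file for entries that pin a brand's domain to a non-loopback address. The brand list and the hosts file are constructed for the demonstration; the Barclays domains in it are an assumption, not a checked fact.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list: each monitored brand and the domains assumed to belong to it.
BRANDS = {"barclays": {"barclays.co.uk", "barclays.com"}}


def belongs_to(host: str, domains: set) -> bool:
    """True if host is one of the domains or a sub-domain of one of them."""
    return any(host == d or host.endswith("." + d) for d in domains)


def copycat_brand(host: str):
    """Name the brand a host imitates: it carries the brand token but is not one of that
    brand's own domains (the page's example barclaysbankupdate.co.uk), else None."""
    host = host.lower().rstrip(".")
    for brand, real in BRANDS.items():
        if brand in host and not belongs_to(host, real):
            return brand
    return None


def real_host(url: str):
    """The host a browser actually connects to, after stripping the 'user@' part that URL
    obfuscation puts in front of it so the address bar reads like the brand's site."""
    return urlsplit(url).hostname


def parse_hosts(text: str) -> list:
    """Parse hosts-file lines into (ip, hostname) pairs, ignoring comments and blank lines."""
    pairs = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        pairs.extend((fields[0], name.lower()) for name in fields[1:])
    return pairs


def hosts_overrides(text: str) -> list:
    """Flag hosts-file entries that pin a monitored brand's domain to a non-loopback
    address: the 'insert entry into HOSTS.TXT' pharming technique described above."""
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            if ipaddress.ip_address(ip).is_loopback:
                continue
        except ValueError:          # malformed address field cannot redirect anything
            continue
        if any(belongs_to(name, real) for real in BRANDS.values()):
            flagged.append((name, ip))
    return flagged


# Constructed hosts file: two normal loopback lines and one pharming entry.
HOSTS_SAMPLE = """# constructed sample hosts file
127.0.0.1   localhost
::1         localhost
198.51.100.23   www.barclays.co.uk   # bank domain pinned to a stranger's address
"""

if __name__ == "__main__":
    print(copycat_brand("barclaysbankupdate.co.uk"))
    print(real_host("http://www.barclays.co.uk@198.51.100.23/login"))
    print(hosts_overrides(HOSTS_SAMPLE))
```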

Techniques Used for Viruses:

Viruses and worms are both written in similar languages, because they are not very different
from each other. They can be written in any programming language, but I think that they are
usually written in C or C++. C and C++ are relatively low level languages compared with
Visual Basic, C# etc., and low level languages make it easier for a virus or worm to access the
computer hardware and the operating system.

Trojan Virus:
The main difference between a Trojan virus (or Trojan) and a virus is that Trojans do not
reproduce. A Trojan horse masquerades as useful and valuable software available for
download from the internet. Most people are fooled by this ruse and end up running the virus
disguised as a different application. The name comes from the mythical Trojan horse that the
ancient Greeks used against the city of Troy.

A Trojan horse is usually separated into two parts: a server and a client. It is the client that
is sent out disguised as software and placed on large peer-to-peer file-sharing networks or
download sites. Once the client Trojan horse is on your computer, the attacker, the person
running the server, has a high degree of control over your computer, which may have
devastating effects depending on the attacker's goals.

A Trojan can spread in a number of ways. The most common type of infection is through
cultivation: to spread the virus, the developer commonly uses various techniques to get it
past virus scanners and on to unsuspecting users. An alternative method developers use to
distribute their malicious Trojan is chat software like Yahoo Messenger and Skype. Another
method is for the virus to send copies of itself to the people in the address book of a user
whose computer it has infected.

There are many types of Trojans, such as remote access Trojans, keyloggers, destructive
Trojans, denial of service (DoS) attack Trojans, proxy or Wingate Trojans, FTP Trojans,
detection software killers, etc.


ZSecurity Virus Case Study:

[2] Case Study: In spring 1999 Dan, a worker at a state research and development lab in NY,
called a computer repair technician to make an appointment. He wanted his machine looked
at because it had started crashing a few days earlier. When pressed on the symptoms Dan
called his computer very slow, especially when it was first started and when trying to
retrieve his e-mails. He also mentioned that he had problems with some of his Microsoft
Office documents. Dan was on vacation for a week, so he could have the repair tech call at
his house the same day.

After an initial examination the technician decided that he needed to take the machine back
to his shop for a closer look. The closer look revealed that the computer was infected with
the now infamous "Melissa" virus, also known as W97M. This virus, written by David L.
Smith, a resident of New Jersey, was originally not intended to be malicious. However, it
spread so fast that it caused whole e-mail systems to be taken offline. Variants of the
Melissa malware were released shortly afterwards, and it was the variant Melissa.V that
Dan's computer had contracted.

A Melissa attack begins with an infected Microsoft Office file that uses the interoperability
of Microsoft software. It copies itself into separate files on the infected computer and then
e-mails itself to the entries in the address books on the machine, as an attachment with the
Microsoft .doc file extension. The initial attachment Smith sent was a list of names and
passwords for access to pornographic sites. An infected machine can send any Office .doc
file on the system as a Melissa attachment, all within a few hours.

Besides copying and e-mailing itself, Melissa can also edit infected Office documents in a
variety of ways, including corrupting data, replacing existing data with something
completely different, adding its own malicious macros, and even harvesting data found in
records. That is what Dan experienced with the Office documents on his computer. Another
version, known as Melissa.U, modifies the properties of Windows system files and deletes
them, which stops the machine from starting after it is rebooted. Fortunately, Dan was not
affected by this variant.

The elimination of the virus needed to be done manually because Dan's anti-virus vendor
had not published a tool for automatic removal. The engineer first had to isolate the original
source file of Melissa, which in most cases is still stored in the e-mail. The source file,
together with all the copies it had made and placed elsewhere on the machine, had to be
deleted, but unfortunately no source was initially found. In addition, all documents had to
be scanned and cleaned if possible, or removed when cleaning was not possible.

Finally, the technician had to clean the system registry and the preferences of Microsoft
Office. Melissa changes a registry entry originally produced by the operating system; the
virus uses this change to tell whether it has already sent itself. Curiously, the author
programmed Melissa to carry out the mailing only once. As for the Office preferences,
Melissa disables the macro protection against macro viruses, the template checks, and the
confirmation of document conversion. Disabling these options allows the virus to change
documents without the user's knowledge. All these settings had to be reactivated as part of
the removal.


After the removal was completed and the computer returned, the technician needed to know
where Dan's infection came from in order to kill the source and prevent a second attack. The
usual suspects were checked first: young people in the house, frequently exchanged files,
unusual e-mail attachments that had been opened, questionable web sites that had been
visited. But all these possibilities came up empty.

Dan had mentioned that at work a week of holiday is compulsory, and he could not wait a
few more days. He had brought some work home the previous Friday that he would not be
able to return to after the holidays unless the computer did it for him, which was holding up
a lot of work. As it turned out, the source was in the documents Dan had brought home to
work on. The floppy was tested and there it was: Dan had received the file in his e-mail at
work, brought it home and opened it on his computer.

The lab where Dan worked had been infected, but because of this one-week leave the virus
had not yet been able to do substantial damage to the systems. A call was placed to the
laboratory department, which immediately cleaned all computers. When the doors opened
the following Monday it was "business as usual", thanks to a dedicated staff and a repair
tech he knew.

ZSecurity detects and cleans thousands of computer viruses, including Melissa and its
variants. Make sure your program is maintained and running at all times.

Cyber virus protection:

Whenever you visit a website, there is a chance that your computer will be "attacked". Most
sites are safe, but even the best-known companies' sites may be infected. Websites offering
screen savers, software or pirated games, music downloads and other low-end attractions are
no more likely to be infected. Here we will discuss some basic tips to prevent those attacks
and secure our computers and networks.

Keep Software up to date:

Today much corrupt software is available on the internet via torrents, and unlicensed and
cracked software is available too; always ignore that software and try to use software with a
genuine key. Genuine software also provides up-to-date patches: if an application needs an
update it will update online, using a secure channel for downloading. Windows 7 is also more
secure than XP. It is also important to use updated versions of software such as Java, Adobe
Reader, the Flash plug-in and Microsoft Office; all of them need up-to-date security patches.
Nowadays Google Chrome is found to be a secure application for browsing because it runs
inside a 'sandbox', which provides two layers of protection.

Run Anti Virus Program:

We have to run antivirus software. There are many free antivirus programs available online,
such as AVG Free and Avast Free, and some paid ones that are good, such as Kaspersky
Antivirus. There are also many fake antivirus programs which claim to find malware but
actually infect the system; they cause you damage and force you to pay for fixing your
system with their own product.


Keep on your Firewall:

There are two types of firewall, and both increase security. A firewall sits between the
Internet and the computers; it controls the traffic between the transmitter and the receiver,
so we can allow the applications that need to communicate to do their work while we block
and prevent malicious or unauthorized access.

Backup Files:
Always remember to keep a backup of your system from the last known good configuration.
Windows provides this option, and other software will do the same. Keep all your work
saved on a backup drive; in case of damage it will then be possible to recover it from the
saved medium. Keep the backup of your work up to date.

Avoid file Sharing:

Try to avoid all kinds of unnecessary sharing of files and folders. Use access control lists to
give permissions on any file, with privileges such as execute, read, read only and modify.
Always try to avoid granting full control; give the least privilege, such as read only, where
that is sufficient.

[3] As the author Mindi McDowell said, “unfortunately, there's no 100% guarantee that even
with the best precautions some of these things won't happen to you, but there are steps you
can take to minimize the chances”.

Malware attacks:

[4] On 15 April 2010 the BBC published an article about a "porno virus" that posts its
victims' web history on the Net. Victims were reported among users of a popular service in
Japan; the virus is called Kenzero.
A new type of malicious program infects computers through public file-sharing websites,
publishes the net user's history on a public website, and then holds the user responsible for
its withdrawal.
The Japanese Trojan virus is installed on computers via a popular file-sharing service called
Winny, which is used by up to 200 million people.
It targets people downloading illegal copies of games in the Hentai genre, an explicit form of
anime.
Yomiuri claims that 5,500 people have admitted being infected.
The virus, known as Kenzero, is monitored by the web security company Trend Micro in
Japan.
Posing as a setup screen for the game, it asks the owner of the personal computer for personal
details.
It then takes screenshots of the user's web history and publishes them online, in their name,
before sending an e-mail or pop-up window requesting a credit card payment of 1500 yen
(10 €) to "settle your infringement of copyright" and delete the web page.


SQL Injection Attack:

SQL injection is an attack in which malicious code is inserted into strings that are then
passed to an instance of SQL Server for parsing and execution. The automation of SQL
injection raises the possibility of a SQL injection worm. An estimated 60% of web
applications that use dynamic content are vulnerable to SQL injection. The primary form of
SQL injection involves the direct insertion of code into user input variables that are
concatenated with SQL commands and executed. A less direct attack injects malicious code
into strings that are intended for storage in a table or as metadata; if the stored strings are
later concatenated into a dynamic SQL command, the malicious code is executed.
A SQL query asks the database to perform an action. In general, on a web form for user
authentication, when the user enters a name and password in the text boxes provided, these
values are inserted into a SELECT query. There are two main types of attack: direct attacks,
which get an immediate response, and stored attacks, which stay in the database and are not
triggered immediately.
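As an added example (not part of this course work), the code below shows both forms described above on a constructed in-memory user table: the login SELECT built by concatenating the text-box values next to its parameterised replacement, and a stored value that is safe to write with placeholders but breaks a later query that concatenates it. The table, names and passwords are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the web application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, display TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse', 'Alice')")
    return conn


def login_concatenated(conn, name: str, password: str) -> bool:
    """The 'direct insertion' form: the text-box values are pasted into the SELECT, so quote
    characters in the input become part of the SQL. Kept only as the 'before' of the fix."""
    query = ("SELECT name FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_parameterised(conn, name: str, password: str) -> bool:
    """Hardened form: placeholders hand the values to the driver as data, never as SQL."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


def store_display_name(conn, name: str, display: str) -> None:
    """Storing arbitrary text is safe when the UPDATE itself uses placeholders ..."""
    conn.execute("UPDATE users SET display = ? WHERE name = ?", (display, name))


def lookup_by_stored_display_concat(conn, name: str):
    """... but the 'less direct' attack appears when the stored value is later concatenated
    into a new query. Even a legitimate apostrophe (o'brien) breaks it."""
    display = conn.execute("SELECT display FROM users WHERE name = ?", (name,)).fetchone()[0]
    return conn.execute("SELECT name FROM users WHERE display = '" + display + "'").fetchone()


def lookup_by_stored_display_param(conn, name: str):
    """Same lookup with a placeholder: the stored text stays data."""
    display = conn.execute("SELECT display FROM users WHERE name = ?", (name,)).fetchone()[0]
    return conn.execute("SELECT name FROM users WHERE display = ?", (display,)).fetchone()


def stored_value_breaks_concat(conn) -> bool:
    """True if concatenating the stored display name raises a SQL error, the tell-tale sign
    that the value was parsed as SQL rather than handled as data."""
    try:
        lookup_by_stored_display_concat(conn, "alice")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"   # the textbook input, entered in both text boxes
    print("concatenated login:", login_concatenated(conn, tautology, tautology))     # True
    print("parameterised login:", login_parameterised(conn, tautology, tautology))   # False
    store_display_name(conn, "alice", "o'brien")
    print("stored name via placeholder:", lookup_by_stored_display_param(conn, "alice"))
    print("stored name via concatenation raises:", stored_value_breaks_concat(conn))
```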

DDOS Attack:
A distributed denial of service attack is known as a DDOS attack. There are several ways to
launch these attacks, such as ping requests, echo requests and TCP synchronization (SYN)
requests. Trojan-infected machines can help to launch a DDOS attack: each victim of the
Trojan can be triggered to take part. An intruder takes control of machines and creates
zombies and a botnet, in which a master program drives multiple machines to launch the
DDOS attack. A DDOS attack on a server reserves all of its buffers, and the buffer
exhaustion makes the server unavailable to other users. Companies like Kaspersky and
Symantec have identified this as a big threat to internet security. A DDOS attack can be
launched against any network component, including switching devices, internet email or
websites. It increases the consumption of network bandwidth, disrupts routing information
and disrupts all incoming TCP sessions. It also disrupts physical network components,
besides obstructing all communication between users, victim and server, so that no further
communication is possible. Further forms of DDOS attack include ICMP flood, teardrop
attack, peer-to-peer attacks, starvation attacks, PDOS, application level floods, nuke attack,
reflected attack, degradation of service attack, unintentional denial of service, denial of
service level 2 and blind denial of service attack. To prevent these attacks, firewalls,
switches and routers should be scanned simultaneously, and IPS-based prevention can help
to reduce the attack.
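As an added example (not part of this course work), the detector below runs over constructed firewall-style log lines and reports the busiest time window of bare SYN packets or ICMP echo requests per destination, marking an alert as distributed when the packets come from many sources, which is the zombie/botnet case described above. The log format, thresholds and addresses are assumptions for the demonstration, not any product's real format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log line: timestamp, source, destination, protocol and either TCP flags
# or ICMP type (an assumed format for this example).
LINE_RE = re.compile(r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
                     r"(?: FLAGS=(?P<flags>\S+))?(?: TYPE=(?P<type>\d+))?")


def parse_line(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def flood_kind(rec: dict):
    """Which flood a packet could be part of: a bare SYN (half-open connection attempt,
    the 'TCP synchronization' above) or an ICMP echo request (ping); None otherwise."""
    if rec["proto"] == "TCP" and rec["flags"] == "S":
        return "syn"
    if rec["proto"] == "ICMP" and rec["type"] == "8":
        return "icmp_echo"
    return None


def detect_floods(lines, window_s: float = 10, threshold: int = 50, min_sources: int = 5) -> list:
    """For each destination and flood kind, find the busiest window_s-second window; report
    it when it holds at least threshold packets, and mark it distributed when they come
    from at least min_sources different addresses."""
    events = defaultdict(list)                     # (dst, kind) -> [(ts, src), ...]
    for line in lines:
        rec = parse_line(line)
        kind = flood_kind(rec) if rec else None
        if kind:
            events[(rec["dst"], kind)].append((rec["ts"], rec["src"]))
    alerts = []
    for (dst, kind), evs in events.items():
        evs.sort()
        best_count, best_sources, start = 0, set(), 0
        for end in range(len(evs)):                # sliding window over sorted timestamps
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > best_count:
                best_count = end - start + 1
                best_sources = {src for _, src in evs[start:end + 1]}
        if best_count >= threshold:
            alerts.append({"dst": dst, "kind": kind, "count": best_count,
                           "sources": len(best_sources),
                           "distributed": len(best_sources) >= min_sources})
    return alerts


def constructed_sample() -> list:
    """Constructed log: 60 bare SYNs to one server from 20 hosts within six seconds, two
    legitimate established-connection packets, and three pings from a single host."""
    base = datetime(2011, 3, 2, 10, 0, 0)
    lines = [f"{(base + timedelta(milliseconds=100 * i)).isoformat()} "
             f"SRC=10.0.{i % 20}.7 DST=192.0.2.10 PROTO=TCP FLAGS=S" for i in range(60)]
    lines.append(f"{base.isoformat()} SRC=10.0.1.50 DST=192.0.2.10 PROTO=TCP FLAGS=A")
    lines.append(f"{base.isoformat()} SRC=10.0.1.50 DST=192.0.2.10 PROTO=TCP FLAGS=PA")
    lines += [f"{(base + timedelta(seconds=i)).isoformat()} SRC=10.0.1.51 DST=192.0.2.10 "
              f"PROTO=ICMP TYPE=8" for i in range(3)]
    return lines


if __name__ == "__main__":
    for alert in detect_floods(constructed_sample()):
        print(alert)
```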


Conclusion:

We should know what viruses are; we know they are dangerous and harmful to our systems,
so we have to protect them from viruses. A basic understanding of viruses is needed by all
users, and an expert needs to keep an eye on new updates about viruses and malware.
Antivirus and firewalls are the way to protect a system, besides keeping the patches of
different applications updated from time to time. Keep control of your network packets and
ports and use tools to detect any intrusions. Besides that, make all users of the system aware
of security; the more they learn, the safer they are. AVOID attachments from strangers and
from all kinds of illegal sites, and if the operating system behaves incorrectly, scan your
system immediately.

[5] As Daryl White said, “you can't hold firewalls and intrusion detection systems
accountable. You can only hold people accountable”.


Bibliography

1. Brian Krebs, washingtonpost.com Staff Writer, Friday, February 14, 2003.
http://www.washingtonpost.com/ac2/wp-dyn/A50636-2002Jun26

2. ZSecurity Virus Case Study: In the spring of 1999, by Dan.
http://www.zsecurity.com/articles-virus-case.php

3. Mindi McDowell, Allen Householder, 2009, Carnegie Mellon University.
http://www.us-cert.gov/cas/tips/ST04-001.html

4. Anonymous article on BBC, 15 April 2010.
http://news.bbc.co.uk/1/hi/technology/8622665.stm

5. Daryl White, DOI CIO.
http://www.nativeintelligence.com/ni-free/itsec-quips-04.asp
