Computer Network ForensicsComputer Network ForensicsLecture - VirusLecture - Virus

© Joe CleetusConcurrent Engineering Research Center,

Lane Dept of Computer Science and Engineering, WVU

2

Viruses, Trojan Horses, and Worms: Viruses, Trojan Horses, and Worms: What’s the technical definition of a virus?What’s the technical definition of a virus?

A computer virus is a program that attaches itself to a file, reproduces itself, and spreads to other files

A virus can perform a trigger event:– corrupt and/or destroy data– display an irritating message

Key characteristic is their ability to “lurk” in a computer for days or months quietly replicating themselves

3

What’s the technical definition of a virus?What’s the technical definition of a virus?

File virus - a virus that attaches itself to an application program– Chernobyl - designed to lurk in computer until April 26

A boot sector virus infects the system files that your computer uses every time you turn it on– A macro virus infects a set of instructions called a

“macro”.– Macro - a miniature program that usually contains

legitimate instructions to automate document and worksheet production

4

How is a Trojan horse How is a Trojan horse different from a virus?different from a virus?

A modern day Trojan horse is a computer program that appears to perform one function while actually doing something else– Not a virus, but may carry a virus– Does not replicate itself

Another type of Trojan horse looks like a log-in screen

PictureNote.Trojan – arrives as e-mail named picture.exe and then tries to steal login and e-mail passwords

5

What’s a worm?What’s a worm?

A software worm is a program designed to enter a computer system through security holes– usually through a network– does not need to be attached to a document to reproduce

“Love Bug” – arrives as e-mail attachment and overwrites most music, graphic, document, spreadsheet and web files on your disks

Denial of Service attacks

6

How are viruses spread?How are viruses spread?

7

How are viruses spread?How are viruses spread?

Viruses are spread through e-mails as wellMacro viruses are usually found in MS Word

and MS Excel files (.doc and .xls)To keep safe, you can disable macros on files

you do not trust

8

What are the symptoms of a virus?What are the symptoms of a virus?

– Your computer displays a vulgar, embarrassing or annoying message

– Your computer develops unusual visual or sound effects

– You have difficulty saving files: files mysteriously disappear

– Your computer reboots suddenly– Your computer works very slowly– Your executable files unaccountably increase in

size– Your computer starts sending out lots of e-mail

messages on its own

9

Antivirus Software: What’s Antivirus Software: What’s antivirus software?antivirus software?

Antivirus software is a set of utility programs that looks for and eradicates a wide spectrum of problems such as viruses, Trojan horses, and worms

10

How does antivirus software work?How does antivirus software work?

Hackers have created viruses that can insert themselves into unused portions of a program.

To counterattack the work of hackers, antivirus software designers created software with a checksum - a number calculated by combining binary values of all bytes in a file– compares checksum each time you run a program

11Page 189

How does antivirus software work?How does antivirus software work?

Antivirus software also checks for a virus signature – a unique series of bytes used to identify a known virus

Write-protecting a floppy disk will not prevent virus infection because you need to remove write protection each time you save a file to disk

12

When should I use antivirus software?When should I use antivirus software?

“All the time”Most antivirus software allows you to specify

what to check and when to check itNorton AntivirusMcAfee Antivirus

13

How often should I get an update?How often should I get an update?

New viruses and variations of old viruses are unleashed just about everyday

Check website of antivirus software publisher for periodic updates

Some software updates itself automatically

14

How reliable is antivirus software?How reliable is antivirus software?

Antivirus software is pretty reliable, but viruses try to get around detection– Multi-partite viruses– Polymorphic viruses– Stealth viruses– Retro viruses

Antivirus software is not 100% reliable, but protection is worth the risk

15

How do I recognize a hoax?How do I recognize a hoax?

Bogus virus e-mail message usually contain a long list of people in the To: and CC: boxes and have been forwarded to a lot of people

List some “authority”Most recommend reformattingFake viruses are often characterized as doing

bizarre deedsYou can validate the hoax by going to a

reliable website that lists hoaxes and viruses

16

Chapter

4

Virus Hoaxes: What’s a virus hoax?Virus Hoaxes: What’s a virus hoax?

Some viruses don’t really existsA virus hoax arrives as an e-mail message

containing dire warnings about a supposedly new virus that is on the loose– Recommends a strategy – Recommends forwarding the email– Says no one has a fix for it yet

Most cases it is a fake

17

How do I recognize a hoax?How do I recognize a hoax?

18

How can I protect myself?How can I protect myself?

PRACTICE SAFE SURF!

Step One: Purchase a good antivirus program like Norton AntiVirus or McAfee Viruscan.

19

How can I protect myself?How can I protect myself?

Step Two: Update your virus definitions once a week!

If you don’t,

YOU AREN’T PROTECTED!

20

How can I protect myself?How can I protect myself?

Step Three: Never double-click (or launch) ANY file, especially an email attachment, regardless of who the file is from, until you first scan that file with your antivirus program.

How did Melissa, Bubbleboy, and WormExploreZip come to infect so many computers? Simple! People ignored this step.

21

How can I protect myself?How can I protect myself?

Step Four: Turn on macro virus protection in Microsoft Word, especially if you don’t know what macros are.

To find out how, go to NetSquirrel.com and look in the Urban Legend Combat Kit.

22

QuestionsQuestions

What is the:– I Love You Virus?– Sircam?– Code Red II?

How can you protect yourself from it?What virus is current?

23

More ReferencesMore References

http://www.symantec.com/avcenter/