Recent Internet Viruses & Worms By Doppalapudi Raghu.
Recent Internet Viruses & Worms
By Doppalapudi Raghu
Outline
• History of Malicious Logic
• Types of Viruses & Worms
• Recent Internet viruses
• Recent Internet Worms
• Defense
• Good habits in the computer world
History
• Definition of malicious logic
• Fred Cohen
• Brain virus (1986)
• MacMag peace virus (1987)
• Duff’s experiment virus (1987)
Difference between Internet virus and Internet worm

| Virus | Worm |
| --- | --- |
| Needs a host file | Needs no host file |
| | A variant of a virus |
| Needs human intervention to spread | Spreads without human intervention |
| Infects files and reaches other systems when these files are shared | Infects computers and spreads over the network |
| Causes damage to hardware and software | Consumes too much system resource or network bandwidth |
Understanding virus names: Symantec notation
• Family name
• Names for the variants in a virus family
• A suffix is added to the names in the same virus family
• Examples
• badvirus.a ---------- badvirus.z
• badvirus.aa -------- badvirus.az
• badvirus.ba -------- badvirus.bz
Terminology in virus world
• Zero-day exploit
• Proof of concept
• Zombie computer
• Ethical hacker
• Payload
• Honeypots
Types of viruses
• Boot sector infectors
• Executable infectors
• Multipartite viruses
• TSR viruses
• Stealth viruses
• Encrypted viruses
• Polymorphic viruses
• Macro viruses
• Many new virus types are added to the list
• Companion virus
A file with the same name is created, but with an extension that is higher in the execution hierarchy
• Link virus
These viruses make changes to the file allocation table
Types of worms
Email worms
IRC worms
File sharing network worms
Internet worms
Instant Messaging worms
Virus.Win32.VB.cx
• Jan 12th 2007
• The virus scans the victim's machine for executable files.
• The virus itself is a Windows PE .exe file.
• The contents of files with the extensions .cpp, .doc, .htm, .html, .txt and .xls are overwritten with the following text:
• "Sorry!!!! $%%#@&re*$%$rthn#$^&&!f#&%$$f$#df#@^%$~`<:JHFgYttrt" "$%%%7``0924ksh<:{[86#$36455hgf#$45"
W32/FUJACKS.AB
• 4/7/2007
• Infects .exe files and also infects web pages by inserting malicious hyperlinks that use the Windows .ani exploit
• It creates the following registry key to start itself at boot time: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Death.exe\"\%system%\Death.
• Terminates processes whose names contain strings like "zone alarm" or "Symantec anti virus"
• It also attempts to download other malware
Effects of Win32.Fujacks
• Spreads through network shares that are protected with very weak passwords.
• The virus tries the passwords present in its dictionary.
• Change in the executable file sizes.
• Creates the following files in the root directory: setup.inf, setup.exe, GameSetup.exe
Windows vulnerabilities
• W1 Web Servers & Services
• W2 Workstation Service
• W3 Windows Remote Access Services
• W4 Microsoft SQL Server (MSSQL)
• W5 Windows Authentication
• W6 Web Browsers
• W7 File-Sharing Applications
• W8 LSASS Exposures
• W9 Mail Client
• W10 Instant Messaging
• W11 .ani vulnerability
Windows .ANI vulnerability
• Determina Security
• The vulnerable code is in User32.dll
• Buffer overflow
• Remote code execution
• Microsoft released patches on April 5th
Code Red worm
• July 13 2001
• The worm spread using the .ida (Indexing Service) vulnerability in Microsoft Internet Information Server
• Damage caused:
• Infected machines randomly attacked other web servers
• Performed a denial of service attack on www.whitehouse.gov
• The home page of infected machines was defaced
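As an added example (not part of the slides), the following Python detector flags Code Red style requests in IIS W3C extended log lines, which is how a defender would confirm the .ida attacks described above from the web server's own logs. It assumes the W3C field names shown in the constructed `#Fields:` header, and the request shape it matches (a `.ida` request whose query is a long run of filler bytes followed by `%u`-encoded data) comes from public descriptions of the worm, not from the slide; the log lines are constructed for the demo.

```python
# Added example, not from the slides: flag Code Red style .ida requests
# in IIS W3C extended log text. The worm hit the Index Server ISAPI
# extension (.ida/.idq) with an oversized request; the N-filler plus
# %u-encoded bytes shape is the public description of its request and
# is an assumption of this demo. All log lines below are constructed.
import re

SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 10:00:01 192.0.2.10 GET /index.htm - 200
2001-07-19 10:00:02 192.0.2.11 GET /default.ida q=1 200
2001-07-19 10:00:03 198.51.100.7 GET /default.ida {filler} 200
""".replace("{filler}", "N" * 224 + "%u9090%u6858%ucbd3%u7801")

FILLER = re.compile(r"^[NX]{100,}")            # long run of filler bytes
UNICODE_ESC = re.compile(r"%u[0-9a-fA-F]{4}")  # %u-encoded payload bytes


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Parse W3C extended log text using its own #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def is_ida_overflow(row: dict[str, str]) -> bool:
    """True when a request targets the .ida/.idq ISAPI with a payload."""
    stem = row.get("cs-uri-stem", "").lower()
    query = row.get("cs-uri-query", "")
    if not stem.endswith((".ida", ".idq")):
        return False
    # Any of: filler run, %u shellcode encoding, or an oversized query.
    return bool(FILLER.match(query) or UNICODE_ESC.search(query)
                or len(query) > 200)


def flag_code_red(text: str) -> list[str]:
    """Return the client IP of every log row that matches the rule."""
    return [r["c-ip"] for r in parse_w3c(text) if is_ida_overflow(r)]
```

The benign `/default.ida?q=1` probe is not flagged, so the rule keys on the payload shape rather than on the resource name alone.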
Code Red worm working
Spida worm
• Microsoft SQL Server vulnerability
• A different kind of worm: it exploits databases
• On SQL Server 7.0 the sa password is blank by default
• The worm connects as sa with the blank password
• The worm uses the extended stored procedure xp_cmdshell
Mytob worm
• Mass-mailing worm
• It can also use the LSASS vulnerability of Windows
• Stack-based buffer overflow
• It sends itself to all email addresses harvested from the victim machine using its own email engine
• Aug 9 2005 the proof of concept was released, and by Aug 11th worms had started attacking.
• The Mytob worm was derived from a version of Mydoom
Worms at a glance
• Vulnerability
• Spreading methods
• Infecting
Fighting Internet worms
• Honeypots
• Computer elements set up to delude attackers
• 2 kinds of honeypots are used
• High interaction
• Low interaction
• Honeypots versus worms
• Honeypots and worm infections
• Honeypots and payload worms
• Honeypots and propagation of worms
How anti-virus software works
• Virus dictionary approach
• DAT files are released by the antivirus company.
• These DAT files carry the virus definitions and signatures.
• Suspicious behaviour approach
• Other ways to detect viruses
• Sandboxing
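The virus dictionary approach above, and the file-overwriting behaviour of Virus.Win32.VB.cx described earlier, can be shown together with one toy scanner. This is an added example, not code from the slides or from any antivirus product: the "DAT" is an in-memory dictionary whose only signature is the overwrite text quoted on the VB.cx slide, and the sample files and directory are constructed for the demo.

```python
# Added example (not from the slides): a toy "virus dictionary" scanner.
# The DAT is an in-memory dict whose single signature is the text that
# Virus.Win32.VB.cx writes over documents (quoted on the slide); the
# sample files and directory are constructed here for the demo.
import os
import tempfile

# First fragment of the overwrite text from the VB.cx slide.
VBCX_MARKER = b"Sorry!!!! $%%#@&re*$%$rthn#$^&&!f#&%$$f$#df#@^%$~`<:JHFgYttrt"

# Toy DAT: detection name -> byte pattern that must appear in the file.
DAT = {"Virus.Win32.VB.cx (overwritten document)": VBCX_MARKER}

# Document types the slide says VB.cx overwrites.
TARGET_EXT = {".cpp", ".doc", ".htm", ".html", ".txt", ".xls"}


def scan_file(path: str) -> list[str]:
    """Return the names of every DAT signature found in one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [name for name, pattern in DAT.items() if pattern in data]


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a directory; map each matching document path to its hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in TARGET_EXT:
                continue                      # not a document type
            full = os.path.join(dirpath, fn)
            hits = scan_file(full)
            if hits:
                findings[full] = hits
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed tree: one clean note, one overwritten report."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"quarterly notes, nothing unusual here\n")
    with open(os.path.join(root, "report.doc"), "wb") as fh:
        fh.write(VBCX_MARKER)                 # what VB.cx leaves behind
    return {os.path.basename(p): v for p, v in scan_tree(root).items()}
```

A real DAT also carries hashes and wildcard patterns, and this signature only identifies documents the virus has already damaged, which is exactly the limitation the suspicious-behaviour and sandboxing approaches are meant to cover.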
Good practices
• Install the patches supplied by the software vendors
• Keep your antivirus software updated
• Do not open email attachments from unknown senders.
• Configure the firewall properly
• Use strong passwords so that others can't brute-force them
• Be aware of Internet viruses and worms
• Zero-day exploits cannot be avoided.
Kaspersky discovers an iVirus
• Even iPods are affected by viruses
• Last year 2 viruses were found that infected devices during the manufacturing process
• The Podloso virus is a proof of concept
• Currently it does not have any malicious payload
• It just displays a message on the screen:
“You are infected with Oslo the first iPodLinux Virus.”