8/2/2019 Intro Computer Virus
University of Colombo
A virus consumes resources (i.e. processor + memory) of your PC at an extraordinary (abnormal) rate, while doing nothing useful, causing:
- A drop in performance
- Removal of / blocked access to important files:
  - Delete (logically or physically)
  - Hide (make them system files: attrib +h +s)
  - Access denied
What a virus can do further:
- Spying: copy / download your important / secret files without your permission
- Hacking: switch the computer on / off at an unexpected time; remote log; restart (without allowing you to save documents)
A computer virus is a computer program that can replicate itself and spread from one computer to another via:
- Removable devices: CD / DVD ROM, USB thumb drives, memory cards, external hard disks
- Network: wired; wireless (Bluetooth, Wi-Fi, GPRS (W@P))
- Internet: any Internet connection, i.e. broadband / modem
The first theory of computer viruses (although the term "computer virus" was not used at that time): John von Neumann (1949).
The actual term "virus" was first used to denote a self-reproducing program in a short story by David Gerrold in Galaxy magazine in 1969, and later in his 1972 novel, When HARLIE Was One. In that novel, a sentient computer named HARLIE writes viral software to retrieve damaging personal information from other computers to blackmail the man who wants to turn him off.
The Terminal Man, a science fiction novel by Michael Crichton (1972), told (as a sideline story) of a computer with telephone modem dialing capability, which had been programmed to randomly dial phone numbers until it hit a modem that was answered by another computer. It then attempted to program the answering computer with its own program, so that the second computer would also begin dialing random numbers, in search of yet another computer to program. The program is assumed to spread exponentially through susceptible computers.
In order to replicate itself, a virus attaches itself to executable files that may be part of legitimate programs. If a user attempts to launch an infected program, sorry! (the virus' code may be executed simultaneously).
Nonresident viruses
- Immediately search for other hosts that can be infected, infect those targets, and finally transfer control to the application program they infected

Resident viruses
- Do not search for hosts when they are started
- Instead, load themselves into memory on execution and transfer control to the host program
Malware:
- Computer worms
- Trojan horses
- Rootkits
- Spyware
- Boot sector viruses
- Memory resident
- Polymorphic
- Logic / time bombs
- Dishonest adware and other malicious or unwanted software
Malware, short for malicious software, is software (or script or code) designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems.
A computer worm is a self-replicating malware computer program which uses a computer network to send copies of itself to other nodes (computers on the network), and it may do so without any user intervention. This is due to security shortcomings on the target computer.
A Trojan horse, or Trojan, is software that is intended to perform, simultaneously, a desirable (expected) effect and a covert (unexpected) effect. Trojan horses can make copies of themselves, steal information, or harm the computer system. The term is derived from the Trojan Horse story in Greek mythology.

Some of the most popular Trojan horses are:
- Netbus
- Subseven
- Y3K RAT
A rootkit is a stealthy type of malicious software (malware) designed to hide the existence of certain processes or programs from normal methods of detection and to enable continued privileged access to a computer. The term rootkit is a concatenation of "root" (the traditional name of the privileged account on Unix operating systems) and the word "kit" (which refers to the software components that implement the tool).
A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files (such as a database trigger).

A time bomb is a piece of code intentionally inserted into a software system that will set off a malicious function after a specified time.
A macro virus is a virus that is written in a macro language: that is to say, a language built into a software application such as a word processor. Since some applications (notably, but not exclusively, the parts of Microsoft Office) allow macro programs to be embedded in documents, so that the programs may be run automatically when the document is opened, this provides a distinct mechanism by which viruses can be spread.

This is why it may be dangerous to open unexpected attachments in e-mails.

Modern antivirus software detects macro viruses as well as other types.
Adware, or advertising-supported software, is any software package which automatically plays, displays, or downloads advertisements to a computer. These advertisements can be in the form of pop-ups.
- Temporarily / permanently disable AutoPlay
- Never double-click & open devices, i.e. pen drives / suspicious (infected) drives (hard disks) & folders
- Use the Navigation Pane instead; right-click > Open options are NOT safe!
- Do not click / double-click or navigate into suspicious files
- Use setups from trusted sources only
- Use strong anti-virus software. Update? Pointless if you don't update them at least every other day! (Recommended: daily update)
To disable AutoPlay:
1. Go to Control Panel
2. Select AutoPlay
3. Uncheck "Use AutoPlay for all media and devices"
Wanna see a virus?
- First disable AutoPlay
- Connect the suspicious device (the one infected from malicious software) to the computer. But still you can't open it! (Remember: never double-click)
- Enable View System Files (see next slide)
Open ANY folder (or Folder Options from the Control Panel).
A message box will appear. Select YES.
Now, using the Navigation Pane, open the device.

[Screenshot of the infected device's file listing: the icon of the virus can be different; the description (i.e. File Folder) can also differ; the actual virus and the autorun file are marked.]
What are the things that can be determined?
- The actual virus (usbdur.exe) is contained in sysusb
- The targeted system file to be infected is SHELL32.dll, located at %SystemRoot%\system32\SHELL32.dll
  - %SystemRoot% is the hard-disk partition where the operating system is installed, i.e. C:\
- The autorun file is actually not a virus, but a supportive file: here are written the instructions on how and where to install the virus on the computer. It is OK to double-click and open it. No harm at all!
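The autorun file is plain text, so its launch directives can be read without ever running the program it points to. The inspector below is an added example (not from the lecture); its sample autorun.inf is constructed to match the slide's description (usbdur.exe inside sysusb, an icon borrowed from SHELL32.dll) and is not a file captured from a real device.

```python
"""Inspect an autorun.inf for launch directives (defender-side check)."""
import re

# Constructed sample, modelled on the slide; not a real captured file.
SAMPLE_AUTORUN = """\
[autorun]
open=sysusb\\usbdur.exe
shell\\open\\command=sysusb\\usbdur.exe
shellexecute=sysusb\\usbdur.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""

# Directives that cause a program to run when AutoPlay honours the file.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)


def parse_autorun(text):
    """Return {key: value} for the [autorun] section; keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def inspect_autorun(text):
    """Summarise what the file would launch and how it presents itself."""
    entries = parse_autorun(text)
    launches = sorted({v for k, v in entries.items() if LAUNCH_KEYS.match(k)})
    return {
        "launches": launches,                                   # programs started on AutoPlay
        "borrows_system_icon": "shell32.dll" in entries.get("icon", "").lower(),
        "action_text": entries.get("action", ""),               # prompt text shown to the user
        "suspicious": bool(launches),                           # any launch directive at all
    }


if __name__ == "__main__":
    for key, value in inspect_autorun(SAMPLE_AUTORUN).items():
        print(f"{key}: {value}")
```

A clean autorun.inf that only sets a label and icon produces an empty launch list; any open, shellexecute or shell\...\command entry is what makes the device worth treating as infected.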
Typical signs:
- Smaller in size (most probably less than 1024 KB)
- Changes the standard icons for devices

[Screenshot: device icons, not infected vs. infected]
What a virus guard does with a detected virus:
- Delete permanently
- Move to vault (a place where collected viruses are kept under restricted execution)
- Disinfect (detach the virus from the original file)
- Update virus definitions (train themselves)
- Send info to the parent company (to study them and create anti-virus)
Free:
- Microsoft Security Essentials
- Avira AntiVir

Non-Free:
- Avast
- AVG
- Symantec Norton
- Kaspersky
- Bit-Defender
There is a database / knowledgebase about almost all viruses, up to the date of the last update, in all strong virus guards.

A virus guard can detect a virus only if it is known to the knowledgebase (of the virus guard software), or at least a similar pattern (behaviour) is followed. That means if a new virus (not similar to a known one) comes and tries to infect, which is unknown to the virus guard, the virus guard cannot protect the computer from it.

Therefore, updating a virus guard is nothing but enriching the knowledgebase about new viruses with virus definition (files), enabling the virus guard to detect them as viruses.
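The knowledgebase idea can be made concrete with a toy virus guard that holds two kinds of definitions: exact file hashes, and byte patterns for the "similar pattern" case. This is an added example, not the lecture's code; the "files" are constructed byte strings, not real malware, and nothing is executed.

```python
"""Toy signature-based virus guard: hashes, patterns, and the update step."""
import hashlib

# Constructed "files": name -> bytes (no real malware, just labelled strings)
FILES = {
    "report.docx": b"PK\x03\x04 ordinary document content",
    "usbdur.exe":  b"MZ payload-A: copy self to %SystemRoot%\\system32",
    "usbdur2.exe": b"MZ payload-A: copy self to %SystemRoot%\\system32 v2",
    "new.exe":     b"MZ payload-B: something never seen before",
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


class VirusGuard:
    """Knowledgebase of exact hashes and byte patterns, with an update step."""

    def __init__(self):
        self.hashes = set()      # exact-file definitions
        self.patterns = []       # (name, byte pattern) definitions

    def update(self, hashes=(), patterns=()):
        """The 'virus definition update': enrich the knowledgebase."""
        self.hashes.update(hashes)
        self.patterns.extend(patterns)

    def scan(self, data):
        """Return the matching definition, or None if the file is unknown."""
        digest = sha256(data)
        if digest in self.hashes:
            return "hash:" + digest[:8]
        for name, pattern in self.patterns:
            if pattern in data:
                return "pattern:" + name
        return None


def scan_all(guard, files=FILES):
    return {name: guard.scan(data) for name, data in files.items()}


if __name__ == "__main__":
    guard = VirusGuard()
    print("before update:", scan_all(guard))        # nothing detected
    guard.update(hashes={sha256(FILES["usbdur.exe"])})
    print("hash definition:", scan_all(guard))     # only the exact file
    guard.update(patterns=[("payload-A", b"payload-A")])
    print("pattern definition:", scan_all(guard))  # catches the v2 variant too
```

Before any update nothing is flagged; a hash definition catches only the exact file, a pattern definition also catches the modified variant, and the genuinely new family (payload-B) stays undetected until its definition is added.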
If you can't see your important files and folders (suddenly missing) and they seem deleted, don't worry! Because most probably (if the compiler of the virus is aware of ethical hacking / computer ethics) they are not actually deleted, but hidden! Even in case of a physical (permanent) deletion, you still can recover!!
[Figures: Anatomy of HDD]
Recover?

Can you believe this story? Whatever you delete (not only logically, even physically with Shift + Del) is actually not deleted on your hard disk. Only the path (where it is located on the HDD) is made unknown to the file management system of the operating system. When you store new files on your HDD, those files are replaced by the new files. If you are sure you didn't do so, recovery software can perform its task!
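A toy disk model makes the slide's claim checkable: deleting a file only drops its directory entry (the "path"), the data blocks survive until a new file reuses them, and recovery works by carving unreferenced blocks that still carry a known header. Added example, not the lecture's code; the block size, file contents and the "TXT:" header signature are all constructed.

```python
"""Toy disk: delete forgets the path, data stays until overwritten."""

BLOCK = 16  # constructed block size in bytes


class ToyDisk:
    def __init__(self, blocks=8):
        self.blocks = [b"\x00" * BLOCK for _ in range(blocks)]
        self.dir = {}          # name -> list of block numbers (the "path")

    def free_blocks(self):
        used = {b for blocks in self.dir.values() for b in blocks}
        return [i for i in range(len(self.blocks)) if i not in used]

    def write(self, name, data):
        chunks = [data[i:i + BLOCK].ljust(BLOCK, b"\x00")
                  for i in range(0, len(data), BLOCK)]
        free = self.free_blocks()
        if len(chunks) > len(free):
            raise OSError("disk full")
        self.dir[name] = free[:len(chunks)]
        for b, chunk in zip(self.dir[name], chunks):
            self.blocks[b] = chunk        # new data overwrites whatever was there

    def read(self, name):
        return b"".join(self.blocks[b] for b in self.dir[name]).rstrip(b"\x00")

    def delete(self, name):
        """Shift+Del in this model: forget the path, leave the blocks untouched."""
        del self.dir[name]

    def recover(self, signature):
        """Carve unreferenced blocks that still start with a known header."""
        return [self.blocks[b].rstrip(b"\x00") for b in self.free_blocks()
                if self.blocks[b].startswith(signature)]


def demo():
    """Delete a file, recover it, then lose it to a new write."""
    disk = ToyDisk()
    disk.write("notes.txt", b"TXT:my secret")
    disk.delete("notes.txt")
    before = disk.recover(b"TXT:")                # data still there -> recoverable
    disk.write("new.bin", b"BIN:" + b"x" * 12)    # reuses the freed block
    after = disk.recover(b"TXT:")                 # overwritten -> gone
    return before, after


if __name__ == "__main__":
    print(demo())
```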
(+94) 77 567 5 416