2. DDoS Programs
DDoS programs are made by attackers to disable web servers, thereby preventing legitimate users from using their services.
DDoS stands for Distributed Denial of Service.
8. DOS Viruses
[Diagram: a host program with its original header, and the infected program in which the virus code is appended, the original header is saved inside the virus body, and the patched header jumps to the virus. Variants shown: append, prepend, insert.]
A virus usually infects by attaching a copy of itself at the tail of the host program. Then it saves a copy of the original header somewhere in the virus body and modifies the header to gain control when the program executes.
Although most viruses append their code, some also prepend, insert, or overwrite their virus code.
9. DOS Viruses
Some symptoms:
• increase in the file size of infected programs
• decrease in the size of available memory
• unusual slowdown of the computer system
12. Windows Viruses
Things to check:
• Unexpected changes in executable files (e.g., file size, timestamp, behavior)
• Any unusual tasks/processes
• The Registry and other configuration files, for any unusual or suspicious modifications
14. What is a Macro?
• A collection of instructions
• Handles boring, awkward, and tedious tasks
• Saves a user keystrokes
Visual Basic® for Applications (VBA) Environment
15. Macro Viruses in Word Documents
The Global Template is used as the basis for the document settings and macros.
When an infected document is opened with Word, it will usually copy its macro code into the Global Template.
With the macro virus resident in the Global Template, it can produce additional copies of itself in other documents accessed by Word.
16. Macro Viruses in Excel Documents
When Excel is loaded, every file in the Excel startup folder is opened and its macros are executed.
When an infected spreadsheet is opened with Excel, it will usually drop a copy of itself into the startup folder.
With the macro virus in the startup folder, it can produce additional copies of itself in other spreadsheets accessed by Excel.
17. Macro Viruses in other file types
• LotusScript
• CorelScript
• VBA
18. Script Viruses
If a mail message or a Web page contains malicious scripts, those scripts may use the scripting host execution capabilities of some Web browsers and mail clients, enabling them to spread and replicate to other mail recipients or Web page users.
20. Safe Computing Tips & Techniques
1. Disable the Windows Scripting Host functionality
2. Do not hide the file extensions of known file types
3. Set the Internet Explorer security setting to Medium or High
4. Apply the latest Microsoft security updates
5. Enable Macro Virus Protection
6. Scan floppy diskettes before use
7. Enable Virus Warning in CMOS setup
21. Disable the Windows Scripting Host functionality
This prevents Visual Basic script viruses and malware from running, so that they cannot activate, spread or cause damage to files.
A typical PC does not need Windows Scripting Host (WSH) to function normally, so it is usually fine to disable it. You can always reinstall WSH if you change your mind later.
22. Do not hide the file extensions of known file types
All Windows operating systems, by default, hide the known file extensions in Windows Explorer. This feature can be used by virus writers and hackers to disguise malicious programs as other file formats, such as text, video or audio files.
23. Set the Internet Explorer security setting to Medium or High
By default, the Internet Explorer security setting is "Medium." However, some viruses and malware have been found to change the setting to "Low," leaving the system vulnerable.
Keep the security setting at least at "Medium" to reduce the risk of accidentally running a malicious file. At the "Medium" security level, Internet Explorer prompts the user before running potentially unsafe content.
24. Apply the latest Microsoft security updates
Security updates help prevent hackers from accessing your system and prevent viruses and other malware from running on it.
To close off security holes discovered since Windows was shipped and installed, visit the Microsoft Update Web site at http://windowsupdate.microsoft.com. The site provides easy-to-follow instructions for updating your system.
25. Enabling Macro Virus Protection: MS Office 95 and MS Office 97
[Screenshot]
26. Enabling Macro Virus Protection: MS Office 2000
[Screenshot]
27. Disabling Macros when prompted: MS Office 95 and 97, MS Office 2000
[Screenshots]
28. Safe Computing Tips & Techniques
• Scan floppy diskettes before use
• Enable Virus Warning in CMOS setup: select BIOS Features Setup, then enable the boot virus warning
29. Safe Computing Tips & Techniques
Safe computing practices:
• make it more difficult for malicious code to enter or execute on client systems.
• add a protective layer of defense to prevent viruses and other malware from running.
• should always be followed in conjunction with updating antivirus software.
DDoS programs
DDoS programs are a special type of Trojan or backdoor. They are made to disable certain Web servers, IRC servers or ICQ servers by launching a DDoS attack.
DDoS stands for Distributed Denial of Service. A DDoS attack is usually launched simultaneously from many infected computers, known as the “attack servers” (today more often called agents or bots), on the attacker's initiation. Once a DDoS program is installed on a computer, it opens a port or connects to a certain server and waits for commands or information from the attacker. The attacker typically supplies the following to the DDoS program:
1. IP address of the victim server
2. Port number of the victim server
3. The number and size of packets to send
4. The duration of the attack
The attack usually consists of sending a large number of packets, such as ICMP (ping), UDP and IGMP packets, simultaneously from several infected computers with the DDoS program installed. The victim server’s network bandwidth is consumed, which effectively cuts it off from the network and prevents its legitimate users from accessing the services it offers.
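The traffic pattern just described (many infected hosts, one victim, a flood of ICMP or UDP packets) is what a defender can look for on the victim's side. The following is an added example, not code from the original presentation: it runs a simple distributed-flood detector over a constructed set of flow records. The addresses, the 30 "attack servers", the packet counts and the thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Flow record: (second, src_ip, dst_ip, protocol, packets).  Constructed for this
# example; not a real capture.
Flow = Tuple[int, str, str, str, int]

VICTIM = "203.0.113.10"     # assumed victim address (documentation range)
WEB_HOST = "203.0.113.20"   # assumed benign server


def constructed_flows() -> List[Flow]:
    """30 infected 'attack servers' each send 50 ICMP packets per second to the
    victim for three seconds, while four normal clients talk TCP to WEB_HOST."""
    flows: List[Flow] = []
    for sec in range(3):
        for i in range(30):
            flows.append((sec, f"10.0.{i // 256}.{i % 256}", VICTIM, "ICMP", 50))
        for i in range(4):
            flows.append((sec, f"192.0.2.{i}", WEB_HOST, "TCP", 8))
    return flows


def detect_floods(flows: List[Flow], min_pps: int = 1000,
                  min_sources: int = 20) -> Dict[Tuple[str, str], dict]:
    """Aggregate packets per (second, destination, protocol).  A destination is
    flagged when, in any single second, it receives at least min_pps packets
    from at least min_sources distinct sources: the many-sources condition is
    what separates a distributed flood from one busy client."""
    pkts: Dict[Tuple[int, str, str], int] = defaultdict(int)
    srcs: Dict[Tuple[int, str, str], Set[str]] = defaultdict(set)
    for sec, src, dst, proto, n in flows:
        pkts[(sec, dst, proto)] += n
        srcs[(sec, dst, proto)].add(src)

    alerts: Dict[Tuple[str, str], dict] = {}
    for (sec, dst, proto), total in pkts.items():
        sources = srcs[(sec, dst, proto)]
        if total >= min_pps and len(sources) >= min_sources:
            a = alerts.setdefault((dst, proto),
                                  {"seconds": [], "peak_pps": 0, "sources": set()})
            a["seconds"].append(sec)
            a["peak_pps"] = max(a["peak_pps"], total)
            a["sources"].update(sources)
    for a in alerts.values():
        a["seconds"].sort()
    return alerts


if __name__ == "__main__":
    for (dst, proto), a in detect_floods(constructed_flows()).items():
        print(f"{proto} flood against {dst}: {len(a['sources'])} sources, "
              f"peak {a['peak_pps']} pps, seconds {a['seconds']}")
```

Thresholds need tuning per link; the point is the two-part test (high packet rate and many distinct sources within the same second). A real deployment would feed this from NetFlow/sFlow records or interface counters rather than an in-memory list, and would add rate limiting upstream once a victim is identified.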
Classification of Viruses
Viruses may come in different types -- there are boot viruses, DOS viruses, Windows viruses, macro viruses, script viruses, and Java viruses. All of these share the same characteristics of viruses except that they infect different types of host files or programs.
Let’s go over the formal definition of what a virus is and what it can infect. Basically, a virus needs a host to attach itself to, which could be an application or an applet, boot code, macro code inside a document or file, or script code embedded in email messages and web pages. The host must contain a program, that is, executable code. Image files are not programs, nor are sound files, text files, or CMOS data. These objects are supposed to contain pure data and no computer instructions of any kind. Even if instructions are inserted into such files, image viewers, sound players and the like are designed to view images and play sound, not to search these files for instructions to execute. None of the data in these objects is executed, so they cannot be infected, only corrupted. (A viewer with a parsing bug can still be attacked by crafted data, but that is an exploit of the viewer, not a virus living in the data file.)
A virus contains code that explicitly copies itself and can infect other programs by modifying them or their environment. This usually entails making modifications so that the virus gains control when the infected program is executed. After the virus code has finished executing, in most cases control is passed back to the original host program, giving the user the impression that nothing is wrong with the infected file.
Now, let’s go over the different classification of viruses in detail.
Boot Viruses
Boot viruses target a specific location of the hard disk and/or floppy diskette. They generally infect the partition sector (also known as the master boot record, MBR) of hard disks and/or the boot sector of floppy diskettes. Floppy disks do not have a partition sector.
The MBR is the first sector of the hard disk and it contains information about the disk such as the number of sectors in each partition, where the DOS partition starts, plus a small program.
The boot sector, on the other hand, is the first sector on a floppy disk. On a hard disk, it is the first sector of a partition. It contains information about the disk or partition, such as the number of sectors, plus a small program.
When a PC starts up, it typically reads the partition sector and executes the small program there when a hard disk is present. In the absence of a hard disk or depending on the CMOS settings, the PC may instead read the boot sector of a disk in drive A: and execute the small program there.
Boot viruses modify the small program in the partition sector and/or the boot sector. They commonly move the original contents of the sector elsewhere on the disk and pass control to that saved copy after the virus code has finished executing.
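To make the sector layout concrete, here is an added example (not code from the original presentation) that builds a constructed 512-byte MBR, parses its partition table, and checks a freshly read sector against a baseline taken from the clean disk, which is the software equivalent of the BIOS "Virus Warning" described later in these notes. The boot code bytes, the partition geometry and the baseline comparison are assumptions made for the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446      # boot code occupies bytes 0..445
PART_ENTRY = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"


def build_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR image for the example (not taken from a real disk): the
    given boot code plus one bootable partition of type 0x06 (FAT16) starting
    at LBA 63; the three remaining entries are empty."""
    if len(boot_code) > PART_TABLE_OFFSET:
        raise ValueError("boot code does not fit in 446 bytes")
    code = boot_code.ljust(PART_TABLE_OFFSET, b"\x00")
    entry = struct.pack(PART_ENTRY, 0x80, b"\x01\x01\x00", 0x06, b"\xfe\xff\xff", 63, 204800)
    return code + entry + bytes(16 * 3) + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into the boot program and the partition table."""
    if len(sector) != SECTOR_SIZE or sector[510:] != BOOT_SIGNATURE:
        raise ValueError("not an MBR: wrong size or missing 55AA signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY, sector[off:off + 16])
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def mbr_findings(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR against a baseline taken from the clean disk.
    A boot virus replaces the small program but usually keeps the partition
    table intact, so 'code changed, table unchanged' is the telling pattern."""
    now = parse_mbr(sector)
    findings = []
    if now["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if now["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    if not any(p["bootable"] for p in now["partitions"]):
        findings.append("no bootable partition")
    return findings


# Stand-in boot code bytes for the example (not real boot loaders):
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"   # cli / xor ax,ax / mov ss,ax / mov sp,7c00h
VIRAL_CODE = b"\xe9\x00\x01" + b"\x90" * 16        # jmp +0x100 into a virus body, then filler

if __name__ == "__main__":
    baseline = parse_mbr(build_mbr(CLEAN_CODE))
    print("clean:", mbr_findings(build_mbr(CLEAN_CODE), baseline))
    print("infected:", mbr_findings(build_mbr(VIRAL_CODE), baseline))
```

On a live system the baseline would be stored off-disk (a stealth boot virus can serve the saved original sector to any program reading sector 0 while it is resident), so read the sector from a clean boot medium before trusting the comparison.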
DOS viruses
When a DOS virus infects a program, it usually attaches a copy of itself at the tail of the host program. Further, it copies the original header of the host program and saves it somewhere in the virus body. It does this to be able to revert control to the original host program after it has executed its virus code. It then replaces the header of the program with a jump that will lead to the virus code so that the virus will gain control when the program is executed. The infection is now complete.
When an infected program is executed, it automatically jumps to the virus body and performs whatever the virus is supposed to do. Afterwards, it reverts control to the original host program by making use of the original header information it has saved during the infection process. After the infected program has completed execution, if the virus is well-made, the user will get the impression that nothing is wrong with the computer system.
Although most DOS viruses append their codes at the tail of host programs, some prepend, insert, or overwrite their virus codes instead.
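The append-infection steps above can be modelled byte for byte. The following added example (not code from the presentation) performs the transformation on a constructed .COM image, reverses it, and implements the "entry jumps to the tail" heuristic that the description implies. The 1000-byte host, the NOP stand-in for the virus body and the 512-byte tail window are assumptions for the example.

```python
import struct

JMP_NEAR = 0xE9   # x86 near JMP with a 16-bit displacement; 3 bytes long in a .COM image
PATCH_LEN = 3


def infect_com(host: bytes, virus_body: bytes) -> bytes:
    """Model of an appending .COM infector (byte transformation only).
    The virus keeps the host's original first three bytes at the start of its
    appended body and overwrites them in the host with a JMP to the body.
    The displacement is relative to the byte after the JMP (file offset 3),
    so a jump to file offset len(host) needs len(host) - 3."""
    if len(host) < PATCH_LEN:
        raise ValueError("host too small to patch")
    saved_header = host[:PATCH_LEN]
    displacement = len(host) - PATCH_LEN
    if displacement > 0xFFFF:
        raise ValueError("host too large for a .COM image")
    entry_patch = bytes([JMP_NEAR]) + struct.pack("<H", displacement)
    return entry_patch + host[PATCH_LEN:] + saved_header + virus_body


def disinfect_com(infected: bytes, virus_len: int) -> bytes:
    """Reverse the transformation: the saved header sits where the host ended.
    Here the virus length is passed in; a real cleaner reads it from the
    identified virus's own layout."""
    host_len = len(infected) - (PATCH_LEN + virus_len)
    saved_header = infected[host_len:host_len + PATCH_LEN]
    return saved_header + infected[PATCH_LEN:host_len]


def jmp_target(image: bytes):
    """File offset a leading near JMP lands on, or None if the entry is not a JMP."""
    if len(image) < PATCH_LEN or image[0] != JMP_NEAR:
        return None
    return PATCH_LEN + struct.unpack("<H", image[1:3])[0]


def looks_append_infected(image: bytes, tail_window: int = 512) -> bool:
    """Heuristic from the text: entry is a JMP whose target lies in the last
    tail_window bytes of the file.  Legitimate programs also begin with a JMP
    (to skip embedded data), so treat a hit as a reason to scan, not a verdict."""
    target = jmp_target(image)
    return target is not None and len(image) - tail_window <= target < len(image)


# Constructed sample host: an 8-byte DOS "print string" stub padded to 1000 bytes.
HOST = (b"\xb4\x09\xba\x0e\x01\xcd\x21\xc3").ljust(1000, b"\x00")
# Stand-in for the virus body: NOPs only, no real virus code.
VIRUS_BODY = b"\x90" * 64

if __name__ == "__main__":
    infected = infect_com(HOST, VIRUS_BODY)
    print("size grew by", len(infected) - len(HOST), "bytes")
    print("entry jumps to offset", jmp_target(infected), "of", len(infected))
    print("heuristic flags host:", looks_append_infected(HOST),
          "infected:", looks_append_infected(infected))
    assert disinfect_com(infected, len(VIRUS_BODY)) == HOST
```

The growth of exactly 3 + len(virus_body) bytes is the size increase listed among the symptoms below; the saved three bytes at the start of the appended body are what lets the virus hand control back to the host and what a cleaner uses to restore the file.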
DOS viruses
If a computer system is already infected with a DOS virus, there are usually some noticeable changes. First and foremost, infected files often increase in size, since the virus attaches a copy of itself to host programs. Moreover, if the virus is memory resident, it takes up memory and may slow down the computer.
If there is an unexplained decrease in the available memory or an unusual slowdown of the computer system, there is a possibility that the computer is harboring a virus and it would be wise to check it with an antivirus scanner.
Windows viruses and Windows executable file formats
With the introduction of the Windows™ operating system came the New Executable (NE), Linear Executable (LE), and Portable Executable (PE) file formats. These formats are extensions of the old familiar MZ MS-DOS executable format and are used by Win16 and Win32-based applications. The NE format came out at the time of Windows 3.x and is used by Win16-based applications.
NE is no longer widely used, since a newer format followed soon after (PE came out with Windows 95). PE is the format of Win32-based applications, while LE is used by virtual device drivers (VxDs). Windows viruses normally infect PE executables, although some also infect the other executable formats found in the Windows environment.
Windows viruses are similar to DOS viruses as they also infect executable files. However, Windows viruses work in the Windows operating system instead of the DOS environment. As such, Windows viruses have to contend with the file format of Windows executables and the operating system design of Windows.
Windows viruses and the file types they infect
Most Windows viruses infect Windows applications, predominantly PE files. These executables include commonly used applications such as Calculator, Explorer, games, Paint and similar graphics applications, Notepad, MS Word, Outlook, and many others.
Additionally, some Windows viruses may infect executable code on device drivers. Others target screen savers, help files, and other file formats with executable codes.
Checking for possible Windows viruses
If you suspect that your system is infected with a Windows virus, you may check the following to determine if it is indeed harboring a virus or not:
Any unexpected changes on executable files
Viruses usually attach themselves at the tail of executable programs and modify entries in the header to gain control when the program is executed. When a virus attaches a copy of itself to a host program, the file normally grows and the modification timestamp changes. Some viruses save the original timestamp of the host and restore it after infection, so that the file appears unchanged since its last known update. Most Windows viruses create a new section for their code, which unavoidably increases the file size, but some avoid new sections and go as far as inserting themselves without growing the file at all, by using the slack space between sections (common in Windows executables, because each section is padded out to the file alignment). A size-and-timestamp check therefore misses the slack-space case; a cryptographic hash of each executable, taken while the system is known to be clean, catches every one of them.
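The header and section checks described above can be made concrete with a small PE parser. The following is an added example (not code from the presentation) that builds two constructed PE32 images, one clean and one with an extra writable-and-executable last section holding the entry point, parses their section tables and reports the tell-tale signs. The section names, virtual addresses and the hypothetical ".vir" section are assumptions for the example.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"   # 40-byte IMAGE_SECTION_HEADER
HEADERS_SIZE = 0x400
OPT_HDR_SIZE = 0xE0            # PE32 optional header


def build_pe(sections, entry_rva: int, timestamp: int = 0x3A000000) -> bytes:
    """Construct a minimal PE32 image for the example (not a real binary).
    sections: list of (name, rva, raw_size, characteristics)."""
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, OPT_HDR_SIZE, 0x0102)
    # Magic, linker versions, three size fields, then AddressOfEntryPoint at offset 16.
    opt = struct.pack("<HBBIIII", 0x10B, 6, 0, 0, 0, 0, entry_rva).ljust(OPT_HDR_SIZE, b"\x00")
    table, body, raw_ptr = b"", b"", HEADERS_SIZE
    for name, rva, raw_size, chars in sections:
        table += struct.pack(SECTION_HDR, name.ljust(8, b"\x00"), raw_size, rva,
                             raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += bytes(raw_size)
        raw_ptr += raw_size
    headers = (dos + b"PE\x00\x00" + coff + opt + table).ljust(HEADERS_SIZE, b"\x00")
    return headers + body


def parse_pe(data: bytes) -> dict:
    """Read the fields a virus has to touch: entry point, timestamp, section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsections):
        name, vsize, rva, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "rva": rva, "vsize": vsize, "raw_size": raw_size,
                         "raw_ptr": raw_ptr, "chars": chars})
    return {"timestamp": timestamp, "entry": entry, "sections": sections, "size": len(data)}


def infection_findings(pe: dict) -> list:
    """Signs of an appended infector: entry point in the last section, an entry
    section that is both writable and executable, or bytes past the last section."""
    findings = []
    secs = pe["sections"]
    entry_sec = next((s for s in secs
                      if s["rva"] <= pe["entry"] < s["rva"] + max(s["vsize"], s["raw_size"])), None)
    if entry_sec is None:
        return ["entry point outside every section"]
    if len(secs) > 1 and entry_sec is secs[-1]:
        findings.append(f"entry point in last section {entry_sec['name']}")
    if entry_sec["chars"] & IMAGE_SCN_MEM_WRITE and entry_sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {entry_sec['name']} is writable and executable")
    last_end = max(s["raw_ptr"] + s["raw_size"] for s in secs)
    if pe["size"] > last_end:
        findings.append(f"{pe['size'] - last_end} bytes appended after the last section")
    return findings


# Constructed images: .text is CODE|EXECUTE|READ, .data is INITIALIZED|READ|WRITE,
# and the hypothetical ".vir" section is CODE|EXECUTE|READ|WRITE.
CLEAN_SECTIONS = [(b".text", 0x1000, 0x400, 0x60000020), (b".data", 0x2000, 0x200, 0xC0000040)]
INFECTED_SECTIONS = CLEAN_SECTIONS + [(b".vir", 0x3000, 0x200, 0xE0000020)]
CLEAN = build_pe(CLEAN_SECTIONS, entry_rva=0x1000)
INFECTED = build_pe(INFECTED_SECTIONS, entry_rva=0x3000)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, infection_findings(parse_pe(image)))
```

Packers and some linkers also put the entry point in the last section, so, as with the timestamp check in the text, these findings justify a scan rather than prove an infection. The slack-space insertion mentioned above leaves the section table untouched and is only caught by comparing hashes against a clean baseline.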
Any unusual tasks or processes
When a Windows virus stays resident, it will usually be evident in the Task Manager. Look for any tasks and processes that are out of the ordinary and determine which applications they are associated with.
Check the Registry and other configuration files for any unusual or suspicious modifications
Many Windows viruses modify the Registry and some other configuration files to enable automatic execution when Windows is started. This guarantees that they are given control on successive sessions of Windows.
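To review the Run keys mentioned above without touching a live machine, the following added example (not code from the presentation) parses a .reg export of the Run keys and flags entries worth a closer look: scripts launched through wscript/cscript, double extensions, and programs running from temporary or profile directories. The sample export is constructed for the example (the two benign entries are modelled on typical Windows 9x autostart values).

```python
import re

# Constructed .reg export for the example; not taken from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Loader"="\"C:\\Documents and Settings\\user\\Local Settings\\Temp\\readme.txt.exe\" /s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="wscript.exe C:\\WINDOWS\\Temp\\update.vbs"
'''

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
EXEC_EXT = SCRIPT_EXT | {".exe", ".com", ".bat", ".cmd", ".pif", ".scr"}
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\documents and settings\\")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def reg_unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def split_command(cmd: str):
    """Return (program, args) for a command line, honouring a quoted program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
        return cmd[1:], ""
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def classify(program: str, args: str) -> list:
    """Reasons an autostart entry deserves a look.  If the program is a script
    host, examine the script it launches instead."""
    reasons = []
    base = program.replace("/", "\\").split("\\")[-1].lower()
    if base in SCRIPT_HOSTS and args:
        program, _ = split_command(args)
        base = program.replace("/", "\\").split("\\")[-1].lower()
        reasons.append("launched through a script host")
    ext = "." + base.rsplit(".", 1)[1] if "." in base else ""
    if ext in SCRIPT_EXT:
        reasons.append(f"script file ({ext})")
    if base.count(".") >= 2 and ext in EXEC_EXT:
        reasons.append("double extension hides the real file type")
    if any(d in program.lower() for d in SUSPECT_DIRS):
        reasons.append("runs from a temporary or profile directory")
    return reasons


def audit_run_keys(reg_text: str) -> list:
    """Parse a .reg export and return Run/RunOnce entries with reasons to inspect them."""
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or not key.lower().endswith(("\\run", "\\runonce")):
            continue
        name, command = m.group(1), reg_unescape(m.group(2))
        program, args = split_command(command)
        reasons = classify(program, args)
        if reasons:
            findings.append({"key": key, "name": name, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_run_keys(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']}: {f['command']}\n    " + "; ".join(f["reasons"]))
```

On the machine itself the same export is produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKCU key likewise); the heuristics are deliberately conservative and say nothing about entries whose program has no path at all, so the list is a starting point for manual review, not a verdict.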
Macro Viruses
Macro viruses use an application's macro programming language to distribute themselves. Some applications (e.g. MS Word and MS Excel) provide a macro programming language (e.g. Visual Basic for Applications (VBA) and WordBasic) powerful enough to allow malicious macro instructions to be placed inside documents. These macros are specific to the application’s macro language and require the application to interpret them. As such, they cannot execute outside the application, because the interpreter would not be present, and for the same reason they cannot stay active once the application has closed.
Macro viruses often exploit the auto-execute capabilities (e.g. AutoNew, AutoOpen, and AutoClose) of applications that support macros. These auto-execute macros run in response to their corresponding event (e.g. AutoClose runs when a document is closed), which gives macro virus writers an easy place to put their malicious code.
Macro viruses in Word documents
Every Microsoft Word document is based on a template. A template determines the basic structure for the document and contains document settings, including macros. The two basic types of templates are global templates and document templates. Global templates, including the Normal template, contain settings that are available to all documents. Word macro viruses oftentimes target the Normal template (NORMAL.DOT) when they initially infect a computer system as it makes the macro codes available also in the succeeding Word sessions.
Macro viruses in Excel documents / spreadsheets
When Microsoft Excel is loaded, it opens all the files in the startup folder. Upon opening the files, it also executes the macros in them. An Excel macro virus customarily drops a copy of the infected spreadsheet / document in the startup (XLSTART) folder to allow itself to propagate and infect in the succeeding sessions of Excel.
Macro viruses in other file types
Macro viruses are also found in other file types aside from MS Word and MS Excel. They have been found in MS Powerpoint files, MS Access files, CorelDraw files and Visio files, among others.
If the macro language used in an application is powerful enough to manipulate files and if the file format supports the inclusion of both data and macro codes in the same file, then macro viruses are possible for the particular file type.
Currently, documents that support the Visual Basic for Applications (VBA) macro language are susceptible to viruses. Since VBA is a subset of the Visual Basic language, which is widely used by programmers, it is relatively easy to write malicious code in them, as compared to the other types of malware. Other popular script languages available are LotusScript, used in AmiPro and WordPro files, and CorelScript, used in CorelDraw files.
Script viruses
Script viruses are written in script programming languages, such as VBScript and JavaScript. VBScript (Visual Basic Script) and JavaScript viruses make use of Microsoft's Windows Scripting Host to activate themselves and infect other files. HTML viruses use the scripts embedded in HTML files to do their damage. These embedded scripts automatically execute the moment the HTML page is viewed from a script-enabled browser.
Some e-mail messages or Web pages contain malicious scripts (e.g., the "ILOVEYOU" virus and Bubbleboy). These scripts use the automatic scripting capabilities of some Web browsers and mail clients (e.g., Internet Explorer and MS Outlook), which lets them replicate to other mail recipients or Web page users.
Safe computing tips and techniques
The following are some practical tips and techniques which can easily be done to reduce the risk of virus or malware infections and of inadvertently triggering or spreading them to other people.
These will help prevent a user from falling prey to viruses and other malicious code while using today’s advanced computer information access technology. They make your system more robust and, in general, make it harder for viruses and other malware to run.
Disable the Windows Scripting Host functionality
This is to prevent Visual Basic script viruses and malware (like VBS_LoveLetter) from running, so that they cannot activate, spread or cause damage to files.
A typical PC does not need Windows Scripting Host (WSH) to function normally. Therefore, it is usually ok to disable it. You can always reinstall WSH if you change your mind later.
Do not hide the file extensions of known file types
By default, all Windows operating systems hide known file extensions in Windows Explorer. This feature can be used by virus writers and hackers to disguise malicious programs as some of the other file formats, such as text, video or audio files.
For example, if the file extensions of known file types are hidden, a malicious program file named "readme.txt.exe" is displayed as "readme.txt" in Windows Explorer. Therefore users are often tricked into clicking the supposed "text" file and then into inadvertently running the malicious program. To avoid this confusion, users are recommended to change the Windows Explorer setting to "Not hide the File Extension of known File Types."
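The "readme.txt.exe" trick can be reproduced in a few lines. This added example (not code from the presentation) simulates Explorer's hide-known-extensions display rule over a constructed directory listing and reports every file whose real last extension is executable while the displayed name suggests a data file. The extension lists are a representative subset assumed for the example, not the registry's full set of known types.

```python
import os

# Extensions Explorer hides when "Hide file extensions for known file types" is on;
# a representative subset for the example, not the registry's full list.
KNOWN_TYPES = {".txt", ".doc", ".xls", ".jpg", ".gif", ".mp3", ".avi", ".htm", ".html",
               ".exe", ".com", ".bat", ".pif", ".scr", ".vbs", ".js"}
EXECUTABLE = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr",
              ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}


def displayed_name(filename: str, hide_known: bool = True) -> str:
    """Name as Explorer shows it: the final extension disappears if it is a known type."""
    root, ext = os.path.splitext(filename)
    return root if hide_known and ext.lower() in KNOWN_TYPES else filename


def disguised_executable(filename: str, hide_known: bool = True) -> bool:
    """True when the real file is executable but the displayed name ends in a
    non-executable extension, i.e. the user sees 'readme.txt' for 'readme.txt.exe'."""
    real_ext = os.path.splitext(filename)[1].lower()
    shown_ext = os.path.splitext(displayed_name(filename, hide_known))[1].lower()
    return real_ext in EXECUTABLE and shown_ext != "" and shown_ext not in EXECUTABLE


def audit_listing(names, hide_known: bool = True):
    """Return (filename, displayed) pairs for every disguised executable in a listing."""
    return [(n, displayed_name(n, hide_known)) for n in names
            if disguised_executable(n, hide_known)]


# Constructed directory listing for the example.
SAMPLE_LISTING = ["readme.txt.exe", "invoice.doc", "holiday.jpg.vbs",
                  "setup.exe", "notes.txt", "song.mp3.pif"]

if __name__ == "__main__":
    for real, shown in audit_listing(SAMPLE_LISTING):
        print(f"shown as {shown!r} but really {real!r}")
    print("with extensions visible:", audit_listing(SAMPLE_LISTING, hide_known=False))
```

With `hide_known=False` (the setting the text recommends) nothing is disguised, because the real extension is always on screen. Note that a plain "setup.exe" is not reported: its displayed name "setup" carries no misleading type, so the user still has to treat unknown programs with suspicion.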
Set up the Internet Explorer security setting to Medium or High
By default, the Internet Explorer security setting is "Medium." However, some viruses and malware have been found to change the setting to "Low," leaving the system vulnerable.
Keep the security setting at least at "Medium" to reduce the risk of accidentally running a malicious file. At the "Medium" level, Internet Explorer prompts the user before running potentially unsafe content.
Apply the latest Microsoft security updates
Security updates will help prevent hackers from accessing your system and prevent viruses and other malware from running in your system.
In order to close off security holes that have been discovered since Windows was shipped and installed, it is advisable that users visit the Microsoft Update Web site at http://windowsupdate.microsoft.com. The Web site has instructions provided that are easy enough to follow in updating your system.
Windows 98 or Windows 2000 users can also use the Windows Update feature to get all the latest security updates by simply clicking "Start" and then selecting "Windows Update".
Preventing Macro Virus Infections
To control the possible spread of macro viruses in your system, the macro virus protection should be enabled. This is available through the Tools | Options menu under the General settings for MS Office 95 and MS Office 97. While in the General settings, simply place a check mark for Macro Virus Protection to enable it.
Preventing Macro Virus Infections
For MS Office 2000, macro virus protection is enabled through the Tools | Options | Security menu by selecting either the Medium or High security level. If High is selected, only signed macros from trusted sources are allowed to run; any unsigned macros are automatically disabled. If Medium is selected, a warning is displayed when a document is opened and the user is given the option to enable or disable its macros.
Preventing Macro Virus Infections
While macro virus protection is enabled (MS Office 95 and 97) or the security level is set to Medium (MS Office 2000), MS Office prompts the user when a document contains macros. Choose Disable Macros if you are not sure, or are not aware of any macros in your document. To learn more about macros, click Tell Me More (MS Office 95 and 97) or More Info (MS Office 2000).
Boot Viruses
To prevent boot virus infections, floppy diskettes should be scanned for viruses before use.
Additionally, boot virus protection on the CMOS should be enabled. In the CMOS setup utility, select BIOS FEATURES SETUP then enable Virus Warning. This will give out a warning when the boot or partition sector of the hard disk is being modified and the user can prevent any unexpected modifications.
Safe computing tips & techniques
Safe computing practices mainly make it more difficult for malicious code to enter or execute on client systems. They should always be combined with up-to-date antivirus software.
In general, most viruses are mere nuisances. However, every once in a while, a new virus comes along that uses a new technique and causes major computer problems or threatens data or data security.
These safe computing practices will add a protective layer of defense to prevent viruses and other malware from running in your system.