
Rocktagon | Slightly Bent | Premium | join:2000-11-04 | Chattaroy, WA

Virii, Worms and Trojans - a quick rundown.

DEFINITIONS
===========
A virus is a self-replicating program that consists of three parts: the replicating routines, the trigger and the payload.
*The self-replicating routines* can be manifold: the virus can spread itself by hanging about in memory infecting every (for example) .exe file it comes across; it can email itself out (a Worm); it can search your HDD looking for files to infect; or use other methods. A virus isn't limited to one self-replicating method, and last year saw quite a few virii that had multiple methods of replicating, all in the same virus.
*The trigger* can be something like the system time or date, or may be missing entirely...with the virus proceeding straight on to the payload as soon as it is run.
*The payload* is what the virus DOES. Part of what the virus does is self-replicate, so it could just lie low until triggered THEN start replicating itself (usually, virii go for the self-replicating as soon as they are run; but there could be secondary, tertiary etc. replicating done upon triggering). Other things virii can do include just about anything you can do from the keyboard: modify your registry; delete files; start a format; write random crap to your BIOS; halt your system etc. This is the bit you don't want to happen. Unfortunately, it often happens as soon as you run the file, so the moral here is don't run the file.
*Worms*, technically speaking, are routines that just propagate themselves and don't have a payload. As the term is used today, "worm" is used for a virus that goes through your address book (or gleans addresses some other way) and emails itself out. It can have a payload. The most successful virii last year were described as worms, and they were successful because they (often) came from somebody you know.
*Trojans*. Technically, again, a 'Trojan' is a hidden program; a program containing a nasty surprise; or a program that does the unexpected. In practice, "Trojan" is usually used to describe RATs or 'Remote-Access Trojans'. A RAT is a program (that can be as small as 3K!!!) that gives someone access to your computer. How much access depends on the RAT; but the more sophisticated ones give a remote user as much access to your computer as you do from the keyboard....nominally more, because the remote user may be able to turn your keyboard and mouse off. RATs commonly arrive in 'wrapped' executables. Say, for example, you wanted an FTP program. The evil remote user could send you the FTP (or any other kind of executable) program with a Trojan wrapped in it. When you ran the program, the Trojan would install itself, then hand over to the FTP install program. You expected FTP, you got FTP...you just missed the Trojan installing itself. You would then be Own3d by the remote user.
WHAT WEAKNESSES DO THESE PROGRAMS HAVE?
=======================================
1) They have to be run to do you any harm. You have to either click on the file and run it yourself, or they have to use a weakness in your system to run themselves. A virus, worm or Trojan is totally harmless unless you run it. Not running it is your VERY BEST way of not getting hurt. You can repair the damage; you can apologize to everyone that it's emailed; you can buy a new motherboard or do the six months' work again, but not running the bugger saves you some time, if nothing else.
---a) Don't click on executables that you get in your email. Even (nay, especially) from friends. Personally, I don't run any executables that I receive in email unless I have specifically requested them. I get laughed at for my paranoia; and then I laugh back when I'm helping to clean their systems, so it all balances out.
---b) Ban Outlook and Outlook Express. Really. They may look nice, but they are the worst virus-propagating software known to mankind. They are inherently insecure and they are the most popular email clients on the planet, so guess what the virus-writers are going to target. Yup. Avoid, also, the email clients that wank off the Outlook engine and are effectively just an Outlook skin...there's a few of them about. If you HAVE to use Outlook, at least turn HTML off: ntbugtraq.ntadvice.com/default.a···5&did=38 ...but you're better off going with another client like the free Pegasus (www.pmail.com/), Eudora (free + Pro version) (www.eudora.com/) or The Bat (non-free) (www.ritlabs.com/). If you use Outlook Express, there's no hope for you, I'm afraid. When you get your new email client, turn 'automatic HTML view' off.
---c) Stop automatic scripting on your machine. This includes Java and JavaScript (turn automatic HTML off in your email client...at least you'll have a chance then); ActiveX (sort of executables for the internet with the safeties off - there are quite a few exploits that use ActiveX too); and Windows Scripting Host (used to run .vbs scripts etc.).
---d) Make sure you can see all file endings. In W98, there's a load of registry keys called 'NeverShowExt', so you START ==> RUN ==> regedit ...and search through and delete all the NeverShowExt keys. Then you can see all the file endings, and virus.jpg.vbs isn't shown just as virus.jpg anymore. Other OS - don't know...would welcome input here.
2) They have to be running. Most virii and Trojans want to STAY running, and so modify your startup files so they start up with your computer. You can see all running processes using this freebie: www.ltn.lv/~kblums/products.php?id=procview Learn what runs regularly on your puter, and then you can spot invaders more easily.
3) In the case of Trojans in particular (they HAVE to), and some worms and virii, it may be necessary for them to connect to the internet. You can see what's connecting out using: START ==> RUN ==> netstat -ar But you might like this more: www.freshsw.com/xns/main.htm
RANDOM STUFF
============
The other main way you can be got at is by the attacker using an exploit to break your operating system or a running program. So keep current with your patches.
================================================================
Antivirus programs usually rely on signature files, i.e., recognising a bit of code from a known and tagged virus. If the virus is unknown (or new) or you haven't updated your antivirus program for a while, you're stuffed. Be aware of this.
Source undisclosed
-- God bless America
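A check for the double-extension trick from point d) above (virus.jpg.vbs shown as virus.jpg), added here as an example; it is not part of Rocktagon's post or the rundown it quotes. The two extension lists are my own assumptions, and the sample attachment names are constructed.

```python
import re

# Added example, not from the thread: flag attachment names that use the
# "virus.jpg.vbs shown as virus.jpg" trick from point d) of the rundown.

# Extensions Windows runs or hands to a script host when double-clicked.
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "lnk"}
# Extensions a recipient would expect to be harmless data.
HARMLESS_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "xls",
                 "pdf", "htm", "html", "mp3", "avi", "zip"}


def classify_attachment(filename):
    """Return 'data', 'executable' or 'disguised' for one attachment name.

    'disguised' means the real (last) extension is executable but the one
    before it looks harmless: the case a hidden extension (NeverShowExt)
    turns into an innocent-looking name.
    """
    # Drop any path and surrounding whitespace so neither can hide the end.
    name = re.split(r"[\\/]", filename.strip())[-1]
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "data"
    # Inner extensions may be padded with spaces ("photo.jpg      .exe")
    # to push the real one out of view in a narrow attachment column.
    inner = [p.strip() for p in parts[1:-1]]
    return "disguised" if inner and inner[-1] in HARMLESS_EXTS else "executable"


def flag_attachments(names):
    """Map every non-data name to its verdict; plain data files are left out."""
    verdicts = {}
    for name in names:
        verdict = classify_attachment(name)
        if verdict != "data":
            verdicts[name] = verdict
    return verdicts


# Constructed sample attachment list for demonstration.
SAMPLE_NAMES = ["holiday.jpg", "virus.jpg.vbs", "C:\\Downloads\\ftpsetup.exe",
                "notes.txt", "report.doc.scr", "archive.tar.gz",
                "photo.jpg      .exe"]

if __name__ == "__main__":
    for name, verdict in flag_attachments(SAMPLE_NAMES).items():
        print(f"{verdict:>10}: {name!r}")
```

Anything reported as 'executable' is still a file the rundown says not to run; 'disguised' is the subset whose name was built to fool a hidden-extension display.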
UglyFishy | Cool Bird | join:2001-12-12 | The Meadow
This is really good! Why is it a secret?

reply to Rocktagon
said by Rocktagon:
    ...but you're better off going with another client like the free Pegasus (www.pmail.com/), Eudora (free + Pro version) (www.eudora.com/) or The Bat (non-free) (www.ritlabs.com/).
I used to recommend Eudora to people over Outlook/Outlook Express, but I can't any longer. As I posted back here, there's a problem with running Eudora 5.1 and Script Sentry together. (That post was buried by a lot of Zhen's posts.) Apparently, Eudora ignores which command is the default and just uses the Open command. So if you're running Script Sentry or even just set all vbs files to "edit" (open with Notepad) by default, Eudora will still run the script. This is just poor design and Eudora's tech support didn't seem to think this was much of a problem. As they said: "it is hard coded into the program." Until they change this, it'd be all too easy to "open" a file expecting SS or Notepad to get it and instead get your system infected.
-- -Jason Levine www.jasons-toolbox.com/

reply to Rocktagon
Well done! Thanks!

dkoert | join:2001-11-20 | Wichita, KS
reply to Rocktagon
On the plural form of virus
Check out language.perl.com/misc/virus.html and/or www.cknow.com/vtutor/vtplural.htm
-- imperat animus corpori, et paretur statim: imperat animus sibi, et resistitur. (The mind commands the body, and is obeyed at once; the mind commands itself, and is resisted.) -AUGUSTINI

reply to Rocktagon
Re: Virii, Worms and Trojans - a quick rundown.
I am so glad somebody other than myself brought that up. Technically you _could_ get away with viri, but that also means man so ...
The most successful virus to ever be created will probably be none of the following definitions and create new standards in order to propagate itself and stay hidden.

### Polymorphic Viruses ###
Polymorphic viruses encrypt their own body. Self-encryption usually hides the virus signature from the AV software. For polymorphic viruses to spread the virus first decrypts itself ... the virus has to momentarily take control of the CPU in order to do this. After decrypting the body of the virus, the decryption routine gives control of the machine to the decrypted viral body so the virus can spread.
A polymorphic virus is significantly harder for AV software to detect, because they generate new decryption routines on each infection, which also changes the virus signature. Usually polymorphic code changes its signature using a simple binary generator called the mutation engine (MTE) .... The MTE uses a random number generator and a simple algorithm to change the virus signature. With the MTE we can make any virus polymorphic by making a few simple changes to the assembly code to call MTE before copying itself.

### Stealth Viruses ###
Stealth viruses hide the modifications they make to your files or boot records; they hide this by monitoring the system functions of the OS used to read the files or sectors and by forging calls to such functions. Therefore programs that try to read the files or sectors see the original uninfected version. This helps hide it from AV; another way a stealth virus does this is to sit in memory while you run the AV.
The first DOS virus, Brain, was a stealth virus. This boot sector virus monitors physical disc I/O operations and redirects the OS every time it tries to read an infected sector. In programming terms the virus captures Interrupt 21H (int 21h), which is a system interrupt that processes DOS services.
Stealth viruses usually have either size stealth or read stealth properties. Size stealth viruses are the file infectors: the virus attaches itself to an executable and then replicates .... which makes the file grow, so the virus shows a copy of the uninfected size, which is the first thing it looks at upon infection (after checking for itself). Read stealth viruses are of the Brain family as mentioned above.

### Slow Viruses ###
Slow viruses are hard to detect because they only infect files (*.com for example) that the OS is modifying or copying. A slow virus only infects a file when a user performs some operation on the file. For example a slow virus might only infect the boot sector of a floppy when commands such as format and sys write to the boot sector. A slow virus might infect the copied version but not the original.

### Retro Viruses ###
A retro virus is a virus that bypasses, edits, or destroys AV programs by attacking them directly.
Making a retro virus is a pretty simple task .... as all the programmer has to do is find the execution path and edit or otherwise hinder the AV software; this could involve editing the AV itself or its definition files, which could render the AV useless and the user totally oblivious to ANY viruses that infect their system.
Other types of retro viruses detect the AV and either hide from it, stop the AV, or in some cases trigger a destructive payload before the AV has a chance to stop it.

### Multipartite Viruses ###
Multipartite viruses infect both executable files and boot sectors and sometimes floppy boot sectors too. They are called multipartite because they infect in multiple ways rather than specific disk locations or file types. When you run a file infected with a multipartite virus, it infects the boot sector and next time you boot your system the virus activates again and sits in memory ... it then infects every program you run.

### Armored Viruses ###
Armored viruses protect themselves by adding code that makes them very difficult to trace, understand and disassemble. They may protect themselves by wrapping code that deflects the onlooker from the actual operating code, or they might add distraction code that makes you think the virus is somewhere other than its true location.

### Companion Viruses ###
Companion viruses attach themselves to an executable file by creating a new file with a different extension ... hence their name: they make a companion file for each infected program. A companion virus might make notepad.com and then launch itself first, then the original notepad.exe, infecting the system.
Phage viruses can also create companion files but it's not a defining or required feature.

### Phage Viruses ###
The last of the true viruses. Phage viruses are programs that modify programs or databases. Phage viruses are the real bitch of the bunch as they are by far the most destructive by nature. They are not designed to attach themselves to other code or to replicate .... they are designed to overwrite every program they infect. A phage virus can spread by creating a companion virus of itself so when the program is attempted to be launched the virus runs again.

### Macro Viruses ###
Macro viruses are written in a simple macro programming language, and more often than not nowadays using VBA (Visual Basic for Applications); these viruses usually target Microsoft Office applications such as Word and Excel. About 3/4 of all viruses found in the wild today are macro viruses. A macro-infected document may have several macros, such as AutoSave, Exit etc., that replace their original counterparts with their own code but still operate in the expected way. The macro will generally try to infect any template that exists such as world.dot so that if the macro is removed they may still regenerate. Macro viruses have picked up on the trend of opening the WAB and sending a copy of themselves to all addresses in the address book, the most famous of these being WM97/Melissa.

### Worms ###
Worms are not viruses. They are self-replicating pieces of code that by nature should contain no payload (although this is not *always* the case). The most famous worm of all time was the Robert Morris Jnr worm that exploited a buffer overflow in the UNIX Sendmail program. Due to the speed at which worms create new instances of themselves, if they stayed on a single host they would soon eat up all the resources, so they spread from computer to computer, network to network (unlike a virus, which needs some sort of human intervention in order to spread).
Because they can move so fast they often cause havoc, not due to malicious nature, but due to overload of mail servers etc. etc.; the Morris worm nearly brought the whole internet to a standstill in its day. Most worms you will find written today are written in VBS (Visual Basic Script) and spread through Outlook. Recent high profile worms include LoveLetter and Life_Stages.
xp

yazdzik | Premium, MVM | join:2000-07-26 | Honesdale, PA | kudos:1
reply to dkoert
Re: On the plural form of virus
Dear Friends, The original post is incredibly helpful to all, and our gratitude to rock, and to xp for the poly's. As to the plural of virus, it is non-inflected II Declension, and there is no use of it as inflected any time during the classical period. A single glance in any Latin dictionary will confirm this. Since English has few non-inflected plurals, the normal usage, viruses, from the OED is commonly accepted. Only the non-Latin-literate would use viri, as it confuses those who actually use Latin on a daily basis, and if Poitin were still here, he would confirm this.
All good wishes, Yazdzik
[text was edited by author 2002-01-17 09:12:52]

reply to Rocktagon
Re: Virii, Worms and Trojans - a quick rundown.
Which was my point. There is speculation that the original word virus was a mass noun anyway, meaning that it's the same for singular and plural.

Rocktagon | Slightly Bent | Premium | join:2000-11-04 | Chattaroy, WA
reply to xp9
Very good! I learned a lot from your post and hopefully I can remember some of it.
I did not write the original post, I found it at one of those "less than desirable" sites some of us occasionally visit. That is why I did not post the source. I cannot take credit for the information, only sharing it. I found it well written despite what some may find as grammatically incorrect.
-- God bless America

reply to Rocktagon
I wrote that a while back for a message board I'm a moderator of.

Rocktagon | Slightly Bent | Premium | join:2000-11-04 | Chattaroy, WA
Well thank you for the good piece and I do hope you approve of me sharing it. I did not want to link to your board. Glad to see you have registered here and your posts contain useful dialog. Hope to see you around more often xp!
-- God bless America

Anon
reply to Rocktagon
List of ports for trojans... one of the biggest I have found:
www.simovits.com/nyheter9902.html