Computer viruses other malware
1 / 37

Computer Viruses - PowerPoint PPT Presentation

  • Updated On :

Computer Viruses & Other Malware CONTENT Definition of Virus/Malware Classification of V/M New generation viruses New technology How to design a powerful V/M Definition of a Computer Virus An executable code That could make copies of itself or attach itself to other executable codes

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Computer Viruses ' - Leo

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Computer viruses other malware l.jpg

Computer Viruses &Other Malware

Content l.jpg

  • Definition of Virus/Malware

  • Classification of V/M

  • New generation viruses

  • New technology

  • How to design a powerful V/M

Definition of a computer virus l.jpg
Definition of a Computer Virus

  • An executable code

  • That could make copies of itself or attach itself to other executable codes

  • Most of computer viruses have their latency period.

  • Attack programs or data on your hard drive on a specific day when conditions has been fulfilled.

  • That could make copies of itself or attach itself to other executable codes

Slide5 l.jpg

  • Why / Who write viruses

    • To prove their own theories.

    • To see if they can do it.

    • People who are political, religionary ardor.

    • People usually publish their virus source codes in BBSes or the Internet for users who are interested in computer virus programming.

    • Most of them belong to specific organizations

Classification of viruses l.jpg
Classification of Viruses

  • BOOT Viruses

  • DOS Viruses

  • Windows Viruses

  • Macro Viruses

  • Script Viruses

  • Java Viruses

  • Palm Viruses

Classification of other malware l.jpg
Classification of Other Malware

  • Worms

  • Trojans

  • Joke Programs

  • Hacking Tools

  • Virus Droppers

Macro viruses l.jpg

Global Template

WORD Content

Global Macros

WORD Macros

WORD Content

WORD Macros

Macro Viruses

With the Macro Virus resident in the Global Template, it can now reproduce copies of itself to other documents opened.

When an infected Document is opened in Word, it will copy its macro codes in the Global Template

Macro viruses9 l.jpg

XLStart Directory


Startup Files

Excel Macros


Excel Macros

Macro Viruses

With the Macro Virus resident every time Excel is opened, it can now infect every sheet opened in Excel

When an infected sheet is opened in Excel, it will create an excel file in the directory \Microsoft Office\Office\XLStart

Macro viruses10 l.jpg

Normal File

Infected File

Macro Viruses

Using DFVIEW.EXE to view a Word 2K Document

An infected file will show that it has a MACROS folder

Macro viruses11 l.jpg
Macro Viruses

Other locations of macro viruses in Excel

The remaining 5% can be seen in the WORKBOOK Stream

95 % of Excel Viruses can be seen here

Windows viruses l.jpg

Header &Table


Windows Viruses

Virus modifies


and Table

Host Program


Virus Code

Virus Section

Windows viruses13 l.jpg
Windows Viruses

  • unusual entries in the Task Manager list

  • unusual slowdown of system

  • increase in file size of infected files

Windows viruses14 l.jpg
Windows Viruses

Checking the Registry for possible Virus residence

  • \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

  • \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

  • \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

  • HKEY_CLASSES_ROOT\exefile\shell\open\command

  • ( Where the only entry should be (Default)= "%1" %* )

Script viruses l.jpg
Script Viruses

Thus enabling them to replicate to other mail recipients or web page users

If a mail or a web page has some malicious scripts

These malicious scripts utilizes Scripting Host execution capabilities of Browsers and Mail Systems

Script viruses16 l.jpg

Upon receiving an e-mail with script in it, the following message will appear

Clicking Yes will run the Script, which might contain malicious codes. Clicking No will show this message.

Now you can see that the mail has some script in it because of this script icon

Now you can verify the contents of the saved HTM file if it has some malicious codes or not

Script Viruses

Script Viruses in E-mails / Web

Java viruses l.jpg
Java Viruses message will appear

  • security loopholes exploited by virus writers

  • annoying while some infect

  • depends on the security settings for the virus to run

  • has the extension *.CLASS

Java viruses18 l.jpg
Java Viruses message will appear

Two Types of Java Viruses

  • Java Applet

    • 99% of Java Viruses

    • Just create some annoying events

  • Java Application

    • Capable of doing anything that Executable Programs like Disk I/O

    • Infects only other *.class files

Palm viruses l.jpg
Palm Viruses message will appear

  • Trojan Type

  • Download from Internet to PC, HotSync to Palm

Trojans worms net hacking tools l.jpg

Hacker message will appear

Trojans, Worms & Net Hacking Tools

A computer worm is a self-contained program that is able to spread functional copies of itself to other computer systems.

Trojans are malicious codes that create havoc to files or systems

Net Hacking tools are malicious codes that has the sole purpose of controlling computers remotely and to exploit some backdoors in some systems.

Trojans worms net hacking tools21 l.jpg
Trojans, Worms & Net Hacking Tools message will appear

  • The checking for these malware is the same as that of Windows Viruses (registry, task manager….)

  • Sometimes they are able to reside in memory

  • Capable of attacking other systems via the network or by mail

  • unusual slowdown of system

  • unusual behaviour of the system or screen

Joke malware l.jpg
Joke Malware message will appear

Ordinary executable programs created to make fun of users.

You can only go back to what you are doing after you solve the puzzle

  • will not infect or do any damage, it will just annoy you.

  • usually difficult to halt or terminate the program

  • unusual function of devices (mouse, keyboard)

Virus dropping malwares l.jpg
Virus Dropping Malwares message will appear

Upon Execution this malware will drop a virus or other malwares.

If the dropped malware is executed, then it can already infect or do some payload

  • a program that drops a Virus or other Malware

  • used by novice programmers to create viruses

  • unnecessary addition of files

How to catch a virus virus test abc l.jpg

JMP message will appear


Virus Body


65 7a 4e 2a


How to catch a virus(Virus ‘TEST-ABC’)


EXE Header

Pattern Info


First byte:

Jump depth:

File offset:


E9 fd 02 00


01 02 03 04

Program Body

0xe9 (JMP xx)



0x65, 0x7a, 0x4e, 0x2a

Found !!!

Virus ‘TEST-ABC’

New generation viruses l.jpg
New Generation Viruses message will appear

2001/7 CodeRed

  • Target: IIS Servers with exploitable flaw

  • Infect: Attack IIS servers via HTTP, utilize Indexing Service (IDA) buffer overflow, embed the virus code in memory







u7801%u9090%u6858%ucbd3% u7801%u9090%u6858%ucbd3%u7801

%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078


  • Effect : Spit out hundreds of attacking threads, cause network congestion

  • CodeRed.C : leave backdoor for hacker

Impact from codered l.jpg
Impact from CodeRed message will appear

  • No Virus File

  • -no way for file base AntiVirus scanner

  • Distributed Deny of Services

  • Infect when you do nothing

New generation viruses27 l.jpg
New Generation Viruses message will appear

2001/9 NIMDA

Unite multiple infective tech

  • EMAIL : security hole of processing MIME header

Content-Type: audio/x-wav;


Content-Transfer-Encoding: base64

Content-ID: <EA4DMGBP9p>

Slide28 l.jpg

  • IIS Unicode Web Traversal Security Hole message will appear

  • Share Folders

  • Browse infected Web site

  • Infect Win32 EXE files

  • Infect html, ASP files, append

    < script language="JavaScript" >"readme.eml", null, "resizable=no,top=6000,left=6000")< / script >

New technology l.jpg
New Technology message will appear

  • Behavior Monitor

    • Old idea, New tech

    • IFS Hook + socket Hook


    • Can not clean

    • High False Positive

      Hard to Identify malicious behavior

Design a powerful v m l.jpg
Design A Powerful V/M message will appear

  • Infect

  • Hiding

  • Spread

  • Destroy

Infect l.jpg
Infect message will appear

  • Windows PE(portable execute) file format

    • Spare space in section (size of exe file not changed)

    • Modify the entry point in PE header

  • Use assemble language for infect module

    • Combine codes in spare space to whole code

    • Modify the import table to load the main module

    • Note: this code must be earsed after infected.

Hiding l.jpg
Hiding message will appear

  • Use CreateRemoteThread

    • Create a thead in other process (explorer.exe)

      • Advantage:

        • No unusual process in task manager

      • Disadvantage:

        • Require high programming skill, you must be very careful and do everything yourself

        • Not work on Windows 9x platform

        • Need unusual entry in registry

Hiding cont l.jpg
Hiding (cont) message will appear

  • Modify the import table

    • Two ways of load a DLL

      • API: LoadLibrary(Ex)

      • Import table

        • There’s an import table in PE file, when system execute the .exe file, it walks through the import table and loads all .dll file in the import table into memory.

      • Add an entry in import table

        • Load the main module of V/M, in DllMain function, hook the DLL_PROCESS_ATTACH message

      • Advantage

        • No unusual entry in registry and task manager

        • Easy to programming

        • Works on all windows platform

Hiding cont34 l.jpg
Hiding (cont) message will appear

  • Escape from virus scan engine

    • Encrypt

      • Common encrypt algorithm (you only need cheat scan engine ), such as XOR, complex algorithm has unique signature.

      • difference encrypt keys (HD serial-number, CPU info…) on difference computer, Hard to generate the pattern.

      • Compress the V/M (zlib is enough, it’s common on windows platform)

      • Only Decrypt when needed

Spread l.jpg
Spread message will appear

  • Use combined way

    • Email (Marco: VBS)

    • Security Hole (IIS)

    • Share folder

  • Suggestion: not too aggressive, spread silently. More silent, more spread.

Destroy l.jpg
Destroy message will appear

  • Warning: write/distribute V/M is illegal

  • Destroy:

    • Meet a condition (time…)

    • Fill garbage in HD, Destroy the BIOS

      • In X86 protection mode, need enter Ring 0 mode

    • Block the network

      • Send grand garbage to network, DoS attack.

Slide37 l.jpg

Q&A message will appear