NIA #23 - Overview on Viruses and Threats Part I
                  Network Information Access
                            17APR90
                          Judge Dredd
                            File 23

 Founded By: Guardian Of Time                 Founded By: Judge Dredd

                Overview on Viruses & Threats
 
 The  term computer  virus is  often  used in  a general  sense to
 indicate any software that can cause harm to systems or networks.
 
 However,  computer viruses are just one example of many different
 but related forms  of software that can act with  great speed and
power to cause extensive damage - other important examples are
 Trojan horses  and network  worms.   In this series, I will discuss
 each.  This first file is a basic overview.
 
 $_Trojan Horses
 
A Trojan horse program is a useful or apparently useful program
 or command procedure  containing hidden code that,  when invoked,
 performs some unwanted  function.   An author of  a Trojan  horse
 program might first create or gain access to the source code of a
 useful program that  is attractive to  other users, and then  add
 code  so  that the  program  performs  some  harmful function  in
 addition to its  useful function.   A simple example of  a Trojan
 horse  program  might  be  a  calculator  program  that  performs
 functions similar  to that of a  pocket calculator.  When  a user
 invokes the program, it appears to be performing calculations and
 nothing more, however it may also  be quietly deleting the user's
 files, or performing any  number of harmful actions.   An example
 of an even simpler Trojan horse program is one that performs only
 a  harmful  function, such  as a  program  that does  nothing but
 delete files.   However, it may appear to  be a useful program by
 having a name such as CALCULATOR  or something similar to promote
 acceptability.
 
 Trojan  horse  programs  can  be  used  to  accomplish  functions
 indirectly  that  an  unauthorized   user  could  not  accomplish
 directly.  For example, a user  of a multi-user system who wishes
 to gain access to  other users' files could create a Trojan horse
 program to circumvent the users' file  security mechanisms.   The
 Trojan horse program, when run,  changes the invoking user's file
 permissions so  that the files  are readable  by any  user.   The
 author could then induce users to run  this program by placing it
 in a  common directory and naming  it such that users  will think
 the program is a useful utility.  After a user runs  the program,
 the author can then  access the information in the  user's files,
 which  in  this  example  could be  important  work  or  personal
 information.  Affected users may not  notice the changes for long
 periods of time unless they are very observant.
 
 An example of a Trojan horse program that would be very difficult
 to  detect would be  a compiler on  a multi-user system  that has
 been modified to insert additional  code into certain programs as
 they are  compiled, such as a login program.   The code creates a
 trap door in the  login program which permits the  Trojan horse's
 author to log onto the system using a special password.  Whenever
 the  login program is recompiled, the compiler will always insert
 the trap  door code into the program,  thus the Trojan horse code
 can never  be discovered  by reading  the login  program's source
 code.
 
Trojan horse programs are introduced into systems in two ways: they
are initially planted, and unsuspecting users copy and run them.
They are planted in software repositories that many people can
access, such as on personal computer network servers,
publicly-accessible directories in a multi-user environment, and
software bulletin boards.  Users are then essentially duped into
copying Trojan horse programs to their own systems or directories.
If a Trojan horse program performs a useful function and causes no
immediate or obvious damage, a user may continue to spread it by
sharing the program with other friends and co-workers.  The compiler
that copies hidden code to a login program might be an example of a
deliberately planted Trojan horse that could be planted by an
authorized user of a system, such as a user assigned to maintain
compilers and software tools.
 
 $_Computer Viruses
 
 Computer viruses, like  Trojan horses, are programs  that contain
 hidden  code  which  performs  some  usually  unwanted  function.
 Whereas  the  hidden code  in  a  Trojan horse  program  has been
 deliberately placed by the program's author, the hidden code in a
 computer  virus program has  been added by  another program, that
 program itself being  a computer  virus or Trojan  horse.   Thus,
 computer  viruses are  programs that  copy their  hidden code  to
 other programs, thereby infecting them.  Once infected, a program
 may  continue to  infect  even more  programs.   In  due time,  a
 computer could be completely  overrun as the viruses spread  in a
 geometric manner.
 
 An example illustrating  how a computer  virus works might be  an
 operating system  program for  a personal computer,  in which  an
 infected  version of the  operating system  exists on  a diskette
 that contains an attractive game.   For the game to operate,  the
 diskette must be used to boot the computer, regardless of whether
 the  computer  contains a  hard  disk with  its  own copy  of the
 (uninfected)  operating  system program.    When the  computer is
 booted  using the diskette,  the infected program  is loaded into
 memory and  begins to  run.   It immediately  searches for  other
 copies of the operating system program, and finds one on the hard
 disk.  It then copies its hidden code  to the program on the hard
 disk.   This happens so quickly that the  user may not notice the
 slight delay before his game is run.  Later, when the computer is
 booted using the  hard disk,  the newly infected  version of  the
 operating system  will be  loaded into memory.   It will  in turn
 look  for copies  to infect.   However, it  may also  perform any
 number  of  very   destructive  actions,  such  as   deleting  or
 scrambling all the files on the disk.
 
 A  computer virus exhibits  three characteristics:  a replication
 mechanism,  an  activation  mechanism,  and  an objective.    The
 replication mechanism performs the following functions:
 
 -  searches for other programs to infect
 
 -  when it finds  a program, possibly determines  whether
 the program has been previously infected by checking a
 flag
 
 -  inserts  the  hidden  instructions  somewhere  in  the
 program
 
 -  modifies  the  execution  sequence  of  the  program's
 instructions  such  that  the  hidden   code  will  be
 executed whenever the program is invoked
 
 -  possibly creates a  flag to indicate that  the program
 has been infected
 
 The flag may be  necessary because without it, programs  could be
 repeatedly infected and  grow noticeably large.   The replication
 mechanism could  also perform  other functions  to help  disguise
 that the file  has been infected,  such as resetting the  program
 file's modification date to  its previous value, and  storing the
 hidden code within the program so that the program's size remains
 the same.
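The permission change described under Trojan horses and the size and modification-date disguise described here are both caught the same way: by comparing files against a recorded baseline instead of trusting metadata that a program can rewrite.  The following Python is an added example written for this edition, not code from the original file.  Only record_file() touches real files; the records used to exercise compare() are constructed by hand.

```python
import hashlib
import os
import stat
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Added example: a small file-integrity baseline.  A virus can reset mtime and
# pad its code so the size is unchanged; it cannot keep the content hash the
# same.  A permission-loosening Trojan horse shows up as newly set mode bits.


@dataclass(frozen=True)
class FileRecord:
    mode: int     # permission bits only (st_mode & 0o777)
    size: int     # bytes
    mtime: int    # whole seconds, so comparisons are exact
    sha256: str   # hex digest of the contents


def record_file(path: str) -> FileRecord:
    """Capture the metadata a Trojan horse or virus might alter or try to preserve."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return FileRecord(stat.S_IMODE(st.st_mode), st.st_size, int(st.st_mtime), h.hexdigest())


def snapshot(paths: Iterable[str]) -> Dict[str, FileRecord]:
    """Baseline (or re-check) a set of files.  Keep the baseline somewhere the
    checked users cannot write, or the disguise simply moves to the baseline."""
    return {p: record_file(p) for p in paths}


def compare(baseline: Dict[str, FileRecord],
            current: Dict[str, FileRecord]) -> List[Tuple[str, str]]:
    """Return (path, finding) pairs for every deviation from the baseline."""
    findings: List[Tuple[str, str]] = []
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            findings.append((path, "missing"))
            continue
        # Read or write bits newly granted to 'others': the Trojan horse case.
        if (new.mode & ~old.mode) & (stat.S_IROTH | stat.S_IWOTH):
            findings.append((path, "permissions loosened for other users"))
        if new.sha256 != old.sha256:
            if new.size == old.size and new.mtime == old.mtime:
                # Contents changed while size and mtime were preserved: the
                # disguise described for a virus.  Only the hash reveals it.
                findings.append((path, "contents changed, size and mtime unchanged"))
            elif new.size > old.size:
                findings.append((path, f"contents changed, grew by {new.size - old.size} bytes"))
            else:
                findings.append((path, "contents changed"))
    for path in current:
        if path not in baseline:
            findings.append((path, "new since baseline"))
    return findings
```

Run snapshot() over the system programs once, store the result off the machine, and run compare() against a fresh snapshot on a schedule; a finding of the "size and mtime unchanged" kind is the one a casual look at a directory listing would never show.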
 
 The activation mechanism checks for the occurrence of some event.
 When the event occurs, the computer virus executes its objective,
 which  is  generally  some  unwanted,  harmful action.    If  the
 activation mechanism checks  for a specific  date or time  before
 executing its objective, it  is said to contain a time  bomb.  If
 it  checks for a certain  action, such as  if an infected program
 has been executed a preset number of times, it is said to contain
 a logic bomb.   There may be  any number of variations,  or there
 may be no activation  mechanism other than the  initial execution
 of the infected program.
 
 As mentioned, the  objective is  usually some unwanted,  possibly
 destructive event.   Previous examples  of computer viruses  have
 varied widely in  their objectives, with some  causing irritating
 but harmless displays  to appear, whereas  others have erased  or
 modified files or  caused system hardware to  behave differently.
 
 Generally, the objective consists of  whatever actions the author
 has designed into the virus.
 
 As with Trojan horse programs, computer viruses can be introduced
 into  systems  deliberately  and  by  unsuspecting  users.    For
 example, a Trojan horse program whose  purpose is to infect other
 programs  could be  planted  on a  software  bulletin board  that
 permits  users  to upload  and download  programs.   When  a user
 downloads the program and then executes it,  the program proceeds
 to infect  other programs in the user's  system.  If the computer
 virus  hides itself well,  the user may continue  to spread it by
 copying the infected  program to other  disks, by backing it  up,
 and  by  sharing it  with other  users.   Other  examples  of how
 computer   viruses  are   introduced  include   situations  where
 authorized users  of systems  deliberately  plant viruses,  often
 with  a time bomb mechanism.   The virus may then activate itself
 at some later point in time, perhaps when the user is  not logged
 onto  the  system  or  perhaps  after   the  user  has  left  the
 organization.
 
 $_Network Worms
 
 Network  worm  programs use  network  connections to  spread from
 system  to system,  thus network  worms  attack systems  that are
 linked via communications lines.  Once  active within a system, a
 network worm can behave as a computer  virus, or it could implant
 Trojan  horse programs  or perform  any  number of  disruptive or
 destructive actions.  In a sense, network worms are like computer
 viruses with the ability to infect other systems as well as other
 programs.  Some people use the term virus to include both cases.
 
 To replicate themselves,  network worms use some  sort of network
 vehicle, depending on the type of  network and systems.  Examples
 of network vehicles include (a) a network mail facility, in which
 a  worm can mail  a copy  of itself to  other systems, or  (b), a
 remote execution capability, in  which a worm can execute  a copy
of itself on another system, or (c) a remote login capability,
 whereby  a worm can log  into a remote system as  a user and then
 use commands to  copy itself from one  system to the other.   The
 new copy of  the network worm is  then run on the  remote system,
 where it may continue to spread to more systems in a like manner.
 Depending on the size of a network, a network worm can  spread to
 many  systems  in a  relatively short  amount  of time,  thus the
 damage it can cause to one system is multiplied by the  number of
 systems to which it can spread.
 
 A network  worm exhibits the  same characteristics as  a computer
 virus: a replication mechanism, possibly an activation mechanism,
 and an objective.   The replication mechanism  generally performs
 the following functions:
 
 -  searches for other systems to infect by examining host
 tables  or  similar  repositories  of  remote   system
 addresses
 
 -  establishes  a   connection  with  a   remote  system,
 possibly by  logging in  as a  user  or using  a  mail
 facility or remote execution capability
 
 -  copies itself to the remote system and causes the copy
 to be run
 
 The network worm may  also attempt to determine whether  a system
 has previously been infected before copying itself to the system.
 
 In a multi-tasking computer, it may also disguise its presence by
 naming  itself as a system process  or using some other name that
 may not be noticed by a system operator.
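Seen from outside the infected machine, the first replication step above (working through a host table) looks like one source reaching many distinct destinations on the same service in a short time, which is what a system operator can watch for.  The following Python is an added example, not part of the original file: it parses a constructed connection log (the line format is an assumption of this example) and reports any source that fans out beyond a threshold within a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Tuple

# Added example: spot worm-like fan-out in a connection log.  The log line
# format is assumed for this example; adapt LINE_RE to the real source.

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


class Conn(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_line(line: str) -> Optional[Conn]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Conn(datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def detect_fanout(lines, window_seconds: int = 60,
                  threshold: int = 5) -> List[Tuple[str, int, int]]:
    """Return (src, dport, distinct_destinations) for every source that reached
    at least `threshold` distinct hosts on one port inside any window of
    `window_seconds`."""
    by_key: Dict[Tuple[str, int], List[Conn]] = defaultdict(list)
    for line in lines:
        c = parse_line(line)
        if c:
            by_key[(c.src, c.dport)].append(c)
    alerts = []
    for (src, dport), conns in by_key.items():
        conns.sort(key=lambda c: c.ts)
        best, start = 0, 0
        for end in range(len(conns)):
            # slide the window start forward until it fits within window_seconds
            while (conns[end].ts - conns[start].ts).total_seconds() > window_seconds:
                start += 1
            distinct = len({c.dst for c in conns[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            alerts.append((src, dport, best))
    return alerts


# Constructed sample log: one ordinary mail client, one malformed line, and
# one host sweeping every address in its host table within ten seconds.
SAMPLE_LOG = [
    "1990-04-17T10:00:00 src=10.0.0.7 dst=10.0.0.8 dport=25",
    "1990-04-17T10:00:30 src=10.0.0.7 dst=10.0.0.8 dport=25",
    "1990-04-17T10:01:00 src=10.0.0.7 dst=10.0.0.8 dport=25",
    "this line is malformed and is skipped",
] + [
    f"1990-04-17T10:00:{i:02d} src=10.0.0.5 dst=10.0.0.{10 + i} dport=25"
    for i in range(10)
]

if __name__ == "__main__":
    for src, dport, n in detect_fanout(SAMPLE_LOG):
        print(f"{src} reached {n} distinct hosts on port {dport} within a minute")
```

The threshold and window are the tuning knobs: a mail relay legitimately talks to many hosts on port 25, so keep a list of expected relays, or raise the threshold for them, before wiring the alert into anything that pages an operator.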
 
 The activation mechanism might use a  time bomb or logic bomb  or
 any number of variations to activate itself.  Its objective, like
 all  malicious software, is whatever the author has designed into
 it.  Some network worms have been designed  for a useful purpose,
 such as to perform general "house-cleaning" on networked systems,
 or  to  use extra  machine  cycles  on each  networked  system to
 perform  large  amounts  of  computations  not practical  on  one
 system.  A network worm with a harmful objective could perform  a
 wide  range of destructive  functions, such as  deleting files on
 each affected computer, or by implanting Trojan horse programs or
 computer viruses.
 
 Two examples of  actual network  worms are presented  here.   The
 first  involved a Trojan horse program that displayed a Christmas
 tree  and  a message  of  good  cheer (this  happened  during the
 Christmas  season).    When  a user  executed  this  program,  it
 examined   network  information  files  which  listed  the  other
 personal computers that could  receive mail from this user.   The
 program then mailed itself to those  systems.  Users who received
 this message  were  invited to  run  the Christmas  tree  program
 themselves, which they did.   The network worm thus  continued to
 spread to  other systems until  the network was  nearly saturated
 with traffic.   The network  worm did not  cause any  destructive
 action other than disrupting communications and causing a loss in
 productivity.
 
 The second example concerns the  incident whereby a network  worm
 used the collection of  networks known as the Internet  to spread
 itself to several  thousands of computers located  throughout the
 United States.  This worm  spread itself automatically, employing
 somewhat  sophisticated  techniques  for bypassing  the  systems'
 security mechanisms.   The worm's replication  mechanism accessed
 the systems by using one of three methods:
 
 -  it employed  password cracking, in  which it attempted
 to log into systems using  usernames for passwords, as
 well as using words from an on-line dictionary
 
 -  it exploited a  trap door  mechanism in mail  programs
 which  permitted  it  to  send  commands to  a  remote
 system's command interpreter
 
 -  it exploited a  bug in  a network information  program
 which permitted it to access a remote system's command
 interpreter
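The first method in the list (trying the account name and words from a dictionary) is best defeated at the moment a password is chosen, where the same guesses can be tried against the candidate and rejected before they are ever stored.  The following Python is an added example, not part of the original file: a check to run when a password is set, with a constructed word list and an assumed set of username transformations.

```python
from typing import Iterable, Optional, Set

# Added example: a password-setting check against the two guessing strategies
# the text describes.  WORDLIST and the username transformations are
# assumptions of this example; a real deployment uses a full dictionary.

WORDLIST = ["password", "secret", "dredd", "christmas", "computer"]  # constructed


def username_variants(username: str) -> Set[str]:
    """Trivial reshapings of the account name that a guesser would try first."""
    u = username.lower()
    return {u, u[::-1], u + u, u + "1", u + "123"}


def is_weak(username: str, password: str, dictionary: Iterable[str],
            min_length: int = 8) -> Optional[str]:
    """Return why the password would fall to username or dictionary guessing,
    or None if it passes.  Meant to run when a password is set, not against
    stored hashes."""
    low = password.lower()
    if low in username_variants(username):
        return "derived from the username"
    words = {w.strip().lower() for w in dictionary if w.strip()}
    if low in words:
        return "dictionary word"
    # A word with digits glued on the end is still one dictionary guess away.
    if low.rstrip("0123456789") in words:
        return "dictionary word with trailing digits"
    if len(password) < min_length:
        return "shorter than minimum length"
    return None


if __name__ == "__main__":
    for user, pw in [("judge", "judge"), ("alice", "secret99"), ("alice", "correct-horse-lamp")]:
        print(user, pw, "->", is_weak(user, pw, WORDLIST) or "accepted")
```

Because the check runs on the plaintext candidate at change time, it costs nothing at login and never needs the stored password; the same function can sit behind whatever hook the system offers for password changes.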
 
 By using a  combination of  these methods, the  network worm  was
 able to copy itself  to different brands of computers  which used
 similar versions of a widely-used operating  system.  Many system
 managers were  unable to  detect its  presence in their  systems,
 thus  it  spread  very quickly,  affecting  several  thousands of
 computers  within  two  days.    Recovery efforts  were  hampered
 because  many  sites  disconnected from  the  network  to prevent
 further infections,  thus preventing those  sites from  receiving
 network mail that explained how to correct the problems.
 
 It was unclear  what the network worm's objective was,  as it did
 not destroy  information, steal  passwords, or  plant viruses  or
 Trojan horses.  The  potential for destruction was very  high, as
 the  worm  could have  contained  code  to effect  many  forms of
 damage, such as  to destroy all files  on each system.
 
 $_Other Related Software Threats
 
 The  number of variations of Trojan horses, computer viruses, and
 network worms is apparently endless.   Some have names, such as a
 rabbit, whose objective is to spread wildly within or among other
 systems  and  disrupt  network  traffic,  or a  bacterium,  whose
 objective is to  replicate within a  system and eat up  processor
 time  until computer  throughput is  halted.   It  is
 likely  that  many new  forms  will  be  created, employing  more
 sophisticated techniques for spreading and causing damage.
 
 $_The Threat of Unauthorized Use
 
While computer viruses and related forms of malicious software are
intriguing issues in themselves, it is important not to
 overlook that they are created by people, and are fundamentally a
 people problem.   In essence, examples of malicious  software are
 tools that  people use  to extend  and enhance  their ability  to
 create mischief and various other forms of damage.  Such software
 can do  things that  the interactive user  often cannot  directly
 effect,  such  as  working  with   great  speed,  or  maintaining
 anonymity,  or  doing  things that  require  programmatic  system
 calls.   But  in general,  malicious  software exploits  the same
 vulnerabilities  as  can knowledgeable  users.   Thus,  any steps
 taken to  reduce the likelihood  of attack by  malicious software
 should address  the likelihood  of unauthorized  use by  computer
 users.
 
 -JUDGE DREDD/NIA
 
 [OTHER WORLD BBS]
 