The virus Propagation in the world

Abstract

Today, computers play an important role in our daily life. Indeed, it is thinkable that in some years, a computer will be in each home. However, it is not necessary to go so far to understand the impact of the new technologies since for a big number among us; the computer is an essential work tool. There are people who work at home on their computer through a direct internet connection with their enterprise. Unfortunately, these days, Internet became a major highway to contract viruses. Considering the gravity of a contamination, enterprises are sensitized more and more to the problem of the information security.

      The topic of this paper is to introduce the viruses in the computer network and their derivatives, their impacts on individual and corporate environments as well as the solutions that are put in place to fight them.

      Thus, in the first part, I will define the notion of a virus and its functioning. More extensively, I will present the other destructive programs that exist (Worms, Trojans, Adwares, and Spyware). In a second part, a statistical approach will allow us to achieve the magnitude of the viruses’ effect in a computer network. Then, we will show the consequences of the virus propagation: economically, (within an enterprise) and penal consequences). Finally, in a fourth part, I will tempt to determine how to detect a virus and also I will discuss the possible solutions to avoid all risk of contamination: what are the measures to take and how to protect itself as efficient as possible (prevention).

 

 

CHAPTER I – THE VIRUS

        1.1-The first virus

The first virus was descended from a research that was led by Neumann von. He conceived a game called « Core War » in the sixties by Bell laboratories. He opposed two loaded programs in the random-access memory of a computer. The goal of the game was simple: every program had to mark the other and had to destroy it while duplicating itself in his code.

As a defence reaction, every program could duplicate itself and auto-repair themselves. Displacement within the memory, analysis of the environment and destruction of a program, Core War put in evidence all the main functions of the auto-reproductive codes. Other laboratories seized this game to analyze the behavior of the program. In the beginning the viruses remain enclosed in the random-access memory; their mutations, let them reproduce quickly on the hard disk to propagate themselves from a machine to another. The computer virus is born.

1.2-What is a virus?

  1.2.1 Definition

Definition according to Larousse: virus (Latin word, poison) Instruction or continuation of parasitic instructions, introduced into a program and likely to involve various disturbances in the operation of the computer.

A virus is a piece of conceived malicious data-processing program that has the ability to write in order to reproduces. This capacity to be retorted can touch a computer, without permission and the knowledge. In more technical terms, the traditional virus will stick to object programs and will be copied systematically from any other achievable launched. There is no spontaneous generation of data-processing viruses. They must be written with a specific aim. Separately to retort itself, the virus can have or not a more or less harmful action, energy of the posting of a simple message to the destruction of all the data

1.2.2 How does it work?

There are a great number of the data-processing types of viruses which vary the properties of those. It should be known that a program cannot be called virus that if it has the property to reproduce and to pass from a system to another. A virus is thus a succession of instructions including/understanding: a sequence intended for the reproduction, a sequence of orders, most of the time intended for the destruction and possibly a sequence of camouflage.

The viruses known as “traditional” start to disappear to yield their place to the more general-purpose viruses. This is due to the reduction in exchange of programs (containing the traditional viruses) and the increase in exchange of documents which can contain macros or applications integrated into the document (sources: e-mail, text processing, spreadsheets…). One can distinguish three main categories of virus: the virus’s boot-sector, the virus’s files and viruses macro.

The viruses “boot-sector” It acts of a type of virus infecting the part making start the computer, the sector of starting. These types of virus are not very contagious. Indeed, so that a computer is infected, it must be started with a sector of infected starting, which was common on the first computers but which became rare today. However this kind of virus is extremely dangerous. Indeed, it is in the first sector of the disc and takes care with each lighting of the computer.

This kind of virus is active as from the moment when the computer is lit, until the moment when it is extinguished. It thus has a complete control of the machine. It can be one of the viruses most difficult to detect and/or with éradiquer, considering the “incrustation” of the virus in the system. If the sector of starting of a computer is not protected from the writing, it is so that the user can change, if it wishes it, its operating system. This says this kind of virus is in the process of disappearance: it is increasingly rare to start its machine with a diskette. or someone’s hard disc. 

The virus’s files (parasitic)

Non resident Viruses     At the time of the infection, this type of virus seeks a target file, and replaces by its viral section the first segment of the program, which it adds at the end of the program. At the time of the execution of the file, it is the viral code which is initially launched. This viral code seeks other programs to infect, it infects them. Then it restores the first section of the infected program and carries out it. The loop is then buckled: the virus could be propagated in a completely invisible way. It is thus an extremely contagious virus. The detection of this kind of virus is however rather easy, the infected file being larger than the healthy file, since it contains the virus in more of the program.

Resident Viruses             They are viruses which remain present in the read-write memory of the computer (RAM, not to confuse with the hard disk which can also be called report). Once that an infected file is carried out, then the virus is placed in the read-write memory, where there remains active. Then, as soon as another program is carried out and that it is not infected, the virus infects it. The difference with a virus non-resident is that there does not need procedure to find a target, since it is the user who indicates it by carrying out a program.

Multiform viruses        These viruses gather the characteristics of the parasitic viruses and “Boot sector” viruses.

 Macro viruses            Macro is a series of orders intended automatically to carry out some tasks of a specific application such as the office automation software (Word, Excel…). Certain applications authorize with their macros an access to the files. It is thus starting from these programs that it is possible to even create macros recopying themselves. One can consequently call them “virus”. The first destroying macro viruses appeared in 1995. They infected almost all the Word files. The operation of a macro virus is relatively simple: – it is seeks files target and infect them (comparable with the traditional viruses).

However there are names of macros which are carried out automatically at the time of a given action (Auto Exit, when the program is left; Auto Close, when a document is closed, AutoOpen, when a file is opened…). Thus the virus is spread. The disadvantage for these viruses is the evolution of macro. Indeed, a virus planned for Word 2.0 will not function probably any more under Word 6.0. The majority of the macro viruses are limited to infect the documents files (word, excel…) or some achievable files of the operating systems.

Furtive viruses They completely modify the operation of the operating system. They are very difficult to detect by an antivirus, so much the operating system appears healthy.

Polymorphic viruses (mutant)     They are different with each infection. Except the first segment intended for the decryption, the whole program and the virus are encrypted. These viruses are thus extremely difficult to detect and almost impossible to destroy without removing the infected file.

Virus filibusters (Bounty hunters)          These viruses aim at the modification of the antivirus in order to make them not-operational. Even if they are very rare, they remain nevertheless effective. It should be known that a virus can gather one, several, even all the characteristics seen above. The more the virus has characteristics, the more it will be dangerous, complicated and voracious in resources of exploitation of the computer.

1.3-Malware

1.3.1 Worms

The data-processing worms are entities which became Masters in art to be introduced and to adapt. They make weigh an insidious threat on the systems of transport of the companies, with their capacity to only paralyze an entire network in a few hours. They can generate unavailability’s, losses of data and financial losses important. A virus is a piece of conceived malicious data-processing program and writes so that it reproduces.

The worms are different from the viruses

      The viruses need a human intervention to be propagated. Once the opened infected file, the virus is retorted towards other files or other discs of the user. The worms car-retort themselves of a machine to another by means of a support network, infecting as many machines as possible.

      New technologies support the propagation of the worms. Indeed, the majority of the prolific worms exploit the network system, which accelerates their propagation because of the contact list and their electronic addresses. Once the worms launched, not only the machines is infected, but the whole network itself is blocked by the mass sending of electronic messages.

Moreover, the operating systems Microsoft Windows represent 90 % of the workstations in the world as well as the office automation continuation Microsoft Office. It is thus not surprising that 99 % of the viruses are conceived for the operating systems MS Windows. This standardization thus increased the vulnerability of computers. The potential points of vulnerability are often well-known and easy to exploit for the creators of malevolent programs.

There are 3 fundamental methods of launching of the worms, 1) the worms with launching by a user require the intervention of a user to be carried out on a new system. For example the opening of an infected enclosure, 2) the worms with automatic launching can be propagated on a new system and be carried out themselves on this system without intervention of the user.

He exploits a certain aspect of the host system (operating system, transport…) to be carried out automatically when he is introduced into the new system, 3) the worms with hybrid launching use functionalities of the two types of preceding worms. Thus ExploreZip, after the opening of the infected file, was propagated on other machines by the network.

The data-processing worms have existed for more than fifteen years. Since the worm Xerox, created at the origin for light tasks of maintenance network or the worm Morris, the first largely widespread malevolent worm tackled networks in 1988, the threat of the worms evolved/moved… One of the worms which made more spoken about him these last years is worms “ILOVEYOU”. Once carried out, it was sent itself to all the contacts recorded in the address book of the system of Outlook transport. Moreover, it located other scripts in the system and replaced them by copies of itself. When infected scripts were launched thereafter, the worm was again started.

1.3.2 Trojans

The name “Trojan horse” comes from the famous legend told in Iliade (of the Homère writer) concerning the seat of the town of Troy by the Greeks. The data-processing Trojan horse is thus a program hidden in another which carries out underhand orders, and which generally gives an access to the machine on which it is carried out. The principle of the Trojan horses east of generally opening a port not protected a such fault in a wall, of a computer to allow a pirate to take control of it.

The goal of the pirate is initially to infect your machine while making you open an infected file containing the Trojan one, and in the second time to reach your machine by the port opened by the Trojan one. However to be able to infiltrate on a machine, the pirate must know the address IP which identifies it on Internet. As follows: – Is address IP is fixed (company or private individual connected by cable…) in which case the address is easily identifiable; – Is IP address dynamic (is assigned to each connection), in which case the pirate must scanner of IP addresses randomly in order to detect those corresponding to infected machines.

A Trojan horse is not necessarily a virus, insofar as its goal is not to reproduce to infect other machines. On the other hand certain viruses can also be Trojan horses, i.e. to be propagated like a virus and to open a port on your machine! It is in addition difficult to detect such a program because it is necessary to determine if the action of the program (the Trojan horse) is desired or not by the user.

CHAPTER – II

STATISTICS

worm	Characteristics	Risk Level	Propagation size
Sapphire (alias Slammer) (January  2003)	– Ver qui a attaqué le réseau Internet à une vitesse fulgurante, par Déni deService (DoS) – A exploité une faille connue et patchable de certains serveurs Microsoft SQL (SQL 2000 et Desktop Engine 2000) – Durée de vie très courte (quelques jours)	High Risk	Entre 75 000 et 350 000 machines infectées selon les sources
Blaster) (August  2003)	– Ver qui s’est répandu par le biais d’une faille DCOM du service RPC (Remote Procedure Call) de certaines versions de Microsoft Windows – Une attaque par déni de service a été lancée en août contre la site windowsupdate.com	Très élevé	Entre 300 000 et 500 000 machines infectées selon les sources

2. Statistics

 

 

CHAPTER – III

SIDE EFFECTS OF VIRUS SPREADING

3. Side effects of virus spreading

3.1 Side effects on the economy 

The impacts of virus spreading are critical to recover and it creates massive inconvenience in relation to the cost.  In past few years, attack of virus has resulted in loss of millions of dollars. Computer Crime Security Survey has reported that virus is the serious form of attack to the computers with a loss of $26,928,869 and nearly 83% of computer users were affected by the attack. The survey also reported that the lowest cost to the sufferer was $42,000 and the highest was around $6,500,000.

Similarly another survey conducted by the Australian Computer Crime and Security has reported that 81% of the computer users were affected by the virus attack out of which 56% suffered from financial losses of around $2,333,890. The survey sates that nearly 35% of the sufferers recovered faster within a day, and 32% of the victms recovered in about a week. The rest of the 33% took longer time to recover which includes two big organization.

The report from Business week has reported that damage from Blaster virus was around $550 million and another vrius Sobig.F has created a damage of around $499 million. The losses includes production, time, sales, and additional bandwidth cost. On August 23, 2003, Economist times have reported that Sobig.F virus is the main cause for the damage through internet. One of 15 mails carried around the virus and this was the significant cause for the virus attack in cert.org. The organization received around 12,000 and more infected mail every day resulting in thousands and more message per minute. Since Sobig virus is made sophisticated every time it is difficult to stop such viruses. (Sobig.F is the 6^th version).

The experience gained from virus attack has created larger problems with internet security as the internet is defenseless to these type of activity and the harm is likely to increase in future. In past the virus has damaged the computers, networks and mail servers and in future the function of the virus would be more than propagation. The virus programmed for future can cause more malicious attack destroying or corrupting the data and program files or may even seep out susceptible information.

  These viruses without doubt can be intended to attack the government organization, research laborites, schools, business organizations and even the home users as the users of internet from these areas are increasing rapidly. The problem involved with the government organization is that the computer systems are vulnerable to attack and can be used for attack on others. Increase in the dependency of Internet by government and private organization has created increased risk to the business activity.

3.2 Impact of Virus Attack in Organization

Any business is facing constantly the following risk in respect of organizational security as regards to its information security. They are loss of information, loss of data’s and loss of confidentiality. In case if there is any unexpected disaster, the business should be equipped to meet this unforeseen circumstances and should evolve a solid resistance techniques and recovery options.

If a business fails to recognise and counter these risks, it could encounter financial loss, damage to its brand and loosing their competitive edge in the market. For instance, “in a health care industry, if there is an alteration or loss of data of patients, this could even result in death or injury and will cause irreparable damage to that institution.” In this network world, if a hacker pilfers proprietary information and damage data, imagine how much damage it would cause to as that organization and these absurdities can be kept at bay by technological means only. (Patrick Hinojosa, 2000)

Hackers are able to successfully intrude even though the organization have well protected firewalls and hijack information of the targeted organization through e-mail worms, spy ware, remote access Trojans, ad ware, network worms, mustilage as well as blended threats, incremental infections by deploying all of the above. [1]

Hackers and disgruntled erstwhile employees of an organization by deploying worms, viruses attack on corporation systems. This has made a drain on the corporate revenues.

TOP 10 VIRUSES OF 2004

For instance, during the year 2003 alone, there were about 53,000 break-ins which was about 150% increase over the 2000 year figure.[2] Though information security is being considered as a technological problem, today’s network security can not be designed as tamper proof as the new security technology have a short life span as hackers often update their techniques.

For instance , one on-line retailer , Egghead.com lost about one-fourth of its stock value in December 2000 as it web site was under attack by hackers who have unauthorized access to 3.7 million credit card information’s. “Business giants like Merrill Lynch, AOL Time Warner, and Microsoft have started to pay more attention to information security by appointing a chief security officer who will co-ordinate with business leaders and IT managers to evaluate the business risk of losing key systems and to target security spending as business precedence.” (Jim Mccrory, 2003)

CHAPTER – IV

SOLUTIONS

4. Solutions

            Ther are different solutions to prevent the virus attack in goverment and in private organisation and also in individual computers. Several techniques like honeypots, spam controllers, etc. can be used to control virus or worms which tend to infect the computer system.

4.1 Spam’s countermeasure

E-mail messages are classified by the spam filter to give them a category to use as input to the filter part or score for deciding which contains spam. The header, structure and body are being analyzed by the classifying part. One class of spam tool deploys a pattern-discovery algorithm on a huge amount of spam e-mails so as to find patterns and then to find similar patterns in the incoming e-mails to detect spam.

Another tool is a prototype of a filter based on statistical learning algorithms. One another tool is employing Bayesian networks to find out spam. An additional method to fight spam is white lists and black lists. White lists contain approved e-mail addresses that can send mail to one’s inbox. Black lists consist of e-mail addresses which are blocked to send e-mail to one’s inbox.

Software like spam bouncer can be deployed to eradicate the spam menace. Spam bouncer is a set of procmail filter or recipes. Thus these recipes can be either used by an individual user in his mail box only or by a whole system of a private and government organization. Spam bouncer is compatible with a UNIX server which has procmail installed in it. Users of Pegasus Mail, Eudora and other POP clients can deploy the spam bouncer on their UNIX shell account to sort their mail before accessing it from the server. POP client programs can be used as these would filter mail by headers.

An individual user can down load the free spam filter available from the internet like www.freedownloads.com , www.tucows.com etc. The spam filter scans mails inviting in the e-mail server and identifies spam mails using set of defined rules. These defined rules include known spam e-mail addresses, suspicious e-mail addresses, spam IP addresses and key word in the header or subject line of the e-mail. Thus the “filter identifies these spam emails, flags them, review them quickly and finally deletes the same.” (Elliot Markowitz, 2004)

4.1.2 How to fight against spam?

Most of the ISP’s are providing counter measures against phishing. This tool warns the user before it enters a website which is on a list of well known phishing websites list. Another anti phishing tool will exhibit the real domain name of the displayed website so as to make it possible for the user to decide whether it is a real domain or fake one.

One another anti phishing tool offers a solution which prevents phishing emails by blocking e-mails with spoofed e-mail addresses and e-mail which originates from spoofed URLs. Some anti phishing tools also alert a user when personal information is to be sent to unreliable websites. Certain E-Commerce companies are also offering tools which inform their clients when they land on spoofed websites.

“One another tool is e-mail software with fixed phishing protection on top of the ordinary spam-filter.” This tool scans incoming e-mails for URLs and evaluates them to a list of categorized websites in a database. The database is updated constantly and includes categories like phishing websites. (Mencimer. S, 2004)

“Another anti phishing tool provides a warning to user whenever he opens a link in an e-mail and if the URL shown is dissimilar to the actual URL, if the link has a numerical IP-address or if the domain name includes a top-level domain.” (Borthick. S. L, 1998)

Some ISPs prevent users from visiting deceptive websites .Some also deploys web crawling technologies to watch the use of the brand’s name on the internet. Thus companies engaged in the anti spam products are earning high revenues as there is steep increase spam mails. “Bright mail “,the giant in the e-mail filtering company was reported to  have earned revenue about $ 30 million during 2003  which was 100% more than its revenue during last year as per International Data Corp. Likewise, “surf control”, a London based e-mail filter company earned $ 18.5 million between April and June, 2003, compared to $ 14.1 million a year ago.”[3]

4.2 Honey pots as a preventive measure

            “Honey pots” was the first and recently developed network deception used in internet revolution.  Researchers and security specialist have been using various types “Honey pots” since the inception of the internet. Like real Honey pots which attract insects, this technical Honey pots acts as an attractive target to internet hackers.

Honey pots are a tricky system that tries to lure an invader away from critical systems. It acts a watching dog and manages to captures data from the hackers.  The system is usually stored with superficially valuable information which is actually fallacious and would not be eschewed by an honest user. Thus any access to the Honey pots is considered as a hacker.

Application of Honey pots in the system has numerous advantages.  The most significant implication of Honey pots is that it reposes confidence on the hackers offering a false impression on the existing security system and prevents the likelihood of the attack or probe to the real machine. Often attackers scrutinize a large block of computers like in government or private organisation looking for fatalities. Even attackers focusing a particular company will scrutinize the openly accessible information owned by the company searching for a mechanism as a starting point. Honey pots reduce this possibility of an attacker selecting crucial information as a target and detect and records the initial scan as well as any subsequent attack.

Honey pots are successful in capturing invaders prying the system. Hackers can be easily distracted to system targets which they cannot damage. This provides researchers enough time to probe into hackers details and to respond them. Finally “this system allows the researchers to examine the hacker’s action and help them to improve the system protection.” (Wible, B, 2003).

4.3 Antivirus

            4.2.1 Antivirus Definition         Antivirus is a software programme which prevents computer from virus attack. The software scans all the files and folders of the system including  memory, CD ROM and diskettes. (Computer Crime, 1997). The functions of the virus are highly convoluted the virus enter the system when an user opens an infected program.  The system copies all the infected programs from the disk to the RAM. The virus copies itself in the RAM and starts spreading all over the system. The cycle continues until it is spread completely. When the user implements a new program the virus enters the program and starts spreading and repeats the cycle again.

4.3.1 Detection Process  

The are different Antivirus software which dose the job of detecting and eliminating the virus. According to Yegulap, 1997, all the software has the library of signature –binary code to identify the virus content. The different software such as Norton Antivirus, McAfee VirusScan 3.0, IBM antivirus etc shares similar attributes.

All these programs identify and destroy the worms and bugs established in the system. Among the Antivirus software Norton Antivirus seems to be the superior software as it uses a particular detection technology called as “Bloodhound”. The software identifies the virus which is transformed away from its usual form.  Hence, it is highly recommendable to use antivirus program to prevent the virus attack in advance instead of loosing valuable information as it is more luxurious to re-establish the computer.

4.4 Firewall

            The need for firewall has become more essential for every computer connected to internet as the vulnerability of the attack seems to be huge when compared to the past.  Firewall is a system which is created to protect the computer from illegal access or from a private system which is connected to internet or intranet. Any information which enters the network passes through the firewall.

The firewall examines the message and blocks the message if it is sensitive. The are different firewall techniques which are as follows, a)  Packet Filter : this firewall examines every packets entering or leaving the network and receive or discards it  based on the user- defined rules.

This method is less effective as it is susceptible  to IP spoofing, b) Application gateway: this firewall applies safety method to certain functions such as FTP and Telnet servers. This firewall is highly valuable,  c) Circuit Level Gateway : This firewall also applies safety method when a TCP or UDP link is established and after the link it allows the packets to run between the host devoid of additional examination, d) Proxy Server : This interrupts all the inflowing and outgoing  message to the network. This server successfully veil the correct network address. For effective protection from unauthorized use firewall with two or more of the above technique can be used.

4.4.1 Preventing Malware

Preventing Malware is very difficult. However, by implementing the certain security measures the outbreak of Malware can be prevented. Malware can be prevented by following the following steps. 1) Every step of action need to be documented. An easy incident response plan can be used for recognition, examination, repression, abolition and for revitalization, 2) the system need to be prevented from the access to TCP ports such as 135,139 and 445 and UDP ports such as 135, 137 and 445,

3) All controls need to be checked at the work station in order to avoid stopping the right access, 4) Implementation of a group policy or a local security policy can be implemented  to prevent the windows from the attack, 5) It is essential that every system with or without security threats need to implement antispyware software to protect the information from the attack before loosing them also implement an network analyzer to protect the host from unwanted access like NetBIOS and MSRPC.  Hence, by proper techniques implemented, the Malware can be prevented though difficult to be cured once infected.

Conclusion

            Thus from the paper we can get an in depth knowledge of what virus is? and the different types of viruses and its attack and preventive measures to be adopted to overcome the damage. The subject can be concluded by stating that ‘prevention is better than cure’, i.e. adapting all preventive measures before any possible attack is better than loosing any valuable information.

Reference

Elliot Markowitz, 2004, “filter identifies these spam emails, flags them, review them quickly and finally deletes the same.”

Jim Mccrory, 2003, “Merrill Lynch, AOL Time Warner, and Microsoft have started to pay more attention to information security…”

Wible, B, 2003, “Honey pots allow the researchers to examine the hacker’s action and help them to improve the system protection.”

Bibliography

Borthick, S. L. (1998, September). Why We Can’t Compare ISP Performance – Yet. Business Communications Review, 28, 35+.

Mencimer, S. (2004, October). False Alarm: How the Media Helps the Insurance Industry and the GOP Promote the Myth of America’s “Lawsuit Crisis.” Washington Monthly, 36, 18+.

: . [1] Article Title: Information Security: Where We’ve Been and Where We Need to Go. Contributors: Patrick Hinojosa – author. Journal Title: T H E Journal. Volume: 32. Issue: 7. Publication Year: 2000

[2] Article Title: Managing Information Security. Contributors: Daniel F. Lohmeyer – author, Jim Mccrory – author, Sofya Pogreb – author. Journal Title: The McKinsey Quarterly. Publication Year: 2002. Page Number: 12+.

[3] Article Title: E-Mail Filters Prove Big Business as Spam Pours inSoftware Firms Watch Revenues Soar. Newspaper Title: The Washington Times. Publication Date: July 17, 2003. Page Number: A01.