Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them Classroom Activities Guide What is a computer virus? пЃ® A computer virus is a malicious program that spreads from computer to computer. Viruses, Worms, Trojan Horses пЃ® Have you heard other names for malicious computer programs? вЂ“ Viruses, Worms, Trojan Horses пЃ® There are technical differences between each of these, but all of them attempt to run on your computer without your knowledge. Malware The most general name for a malicious computer program is malware. пЃ® You may have heard computer programs called software. пЃ® The word malware comes from MALicious softWARE. пЃ® How does malware invade your computer? You have probably heard of some ways that malware can invade your computer. пЃ® What are they? пЃ® вЂ“ Through email attachments вЂ“ By clicking on a web link when surfing the web вЂ“ By downloading a program that claims to be a game or cool picture вЂ“ Others? Front Door Attacks пЃ® What do many of these attacks (through email, web browsing or downloads) have in common? вЂ“ They all require the actions of a legitimate user. пЃ® They can be considered вЂњfront doorвЂќ attacks because a user is tricked into opening the door for the attack through their action. Understanding Front Door Attacks пЃ® The key to understanding front door attacks is that when you run a program it runs with *all* your rights and privileges. вЂ“ If you can delete one file, any program you run can delete all your files. вЂ“ If you can send one email, any program you run could send thousands of spam emails. пЃ® This includes any program you run even accidentally by opening an email attachment or clicking on web link. Back Door Attacks Not all attacks require action by a legitimate user. пЃ® вЂњBack doorвЂќ attacks target vulnerabilities in server software that is running on your computer. пЃ® Server software is software that listens for requests that arrive over the network and attempts to satisfy these requests. пЃ® вЂ“ A web server is an example of server software. Are you running any servers? Most home computer users think they are not running any server software. пЃ® However you would be surprised. пЃ® For example, most default installations of Windows run a number of network services by default. пЃ® How can you check? At a Windows command prompt, type the command вЂњnetstat вЂ“anвЂќ. пЃ® It will display a list of server software that is listening for requests over the network. пЃ® Things to Notice In the List The server listening on port 135 was attacked by the Blaster worm. пЃ® The server listening on port 435 was attacked by the Sasser and Korgo worms. пЃ® Server Software пЃ® Server software is designed to provide useful features. вЂ“ For example, server software allows you to mount files from other computers or share printers between computers etc. пЃ® So how then can server software be used to attack a computer? Legitimate vs. Illegitimate Requests пЃ® Basically server software receives a request over the network, examines the request and decides if it can satisfy the request вЂ“ Legitimate requests do not cause an attack. вЂ“ Most illegitimate requests do not cause attacks either because the server simply answers that it does not understand or cannot satisfy a request. Carefully crafted, devious requests To attack server software, authors of malware do not just send any old illegitimate request. пЃ® They send very carefully crafted illegitimate requests that exploit a weakness or flaw in the server software. пЃ® What is an example of such a weakness? (part 1) пЃ® When programmers write server software, they write it to listen for requests that come in over the network. пЃ® They might assume that no request will ever be longer than 1000 letters long. пЃ® This might be a perfectly valid assumption for all reasonable requests, but an attacker might send a request that is 100,000 letters long. What is an example of such a weakness? (part 2) пЃ® If the server only left room for 1000 letters, then the rest of the letters may get copied over the legitimate program instructions. пЃ® Thus, the request sent by the attacker takes the place of the legitimate program instructions and the server starts to execute the attackers code instead. Buffer Overflow Attacks This type of attack is called a вЂњbuffer overflow attackвЂќ because it overflows the buffer of space left for a request with too many characters. пЃ® Such an attack could be prevented if the server always checked for requests that are too long. пЃ® вЂ“ Sometimes programmers neglect to do that and this is what produces the weakness or flaw that is exploited by the attacker. вЂ“ If you are learning to program, you should know that you can prevent many viruses by following good programming practices. Buffer Overflow Attacks ArenвЂ™t Easy пЃ® The attacker must вЂ“ Know how long of a request to send вЂ“ Send precisely the right data that can be interpreted as instructions by the server вЂ“ Find a machine running a server with that weakness. пЃ® If the attacker sends the wrong data, the server might crash instead of running the attackers instructions. Exploiting a weakness If an attacker crafts an attack that works on their local machine then chances are that it will work on many other machines. пЃ® Attackers tend to target the most common computing platform вЂ“ Windows вЂ“ so that their attacks will impact the most machines. пЃ® What do viruses do? Once an attacker manages to exploit a weakness, they can run any code they want on the victimвЂ™s machine. пЃ® Attack codes vary in what they try to do. пЃ® Have you ever suffered a computer attack? What happened to your machine? How hard was it to recover? пЃ® What does malware do? пЃ® Some attackers just want to see if they can make an attack succeed. вЂ“ The malware they write may simply displaying something to the user or announce its presence in another way. пЃ® Other attackers want to do damage to others without trying to benefit directly. вЂ“ The malware they write might delete files or otherwise corrupt the system. What does malware do? (continued) пЃ® Still others try to write malware that steals information from the victim. вЂ“ The malware they write might search for credit card numbers or other personal information and send it back to the attacker. вЂ“ Spyware might watch for victimвЂ™s passwords or otherwise spy on their online activity. What does malware do? (continued) пЃ® Still others write malware that uses the victimвЂ™s computer for their own purposes. вЂ“ Use it to store files (often illegal) and make them available to others вЂ“ shifting liability away from the attackers. вЂ“ Use it to attack other computers вЂ“ making it harder to trace the attack to its real source. Self-replicating Regardless of its other goals, a large percentage of malware tries to spread itself automatically. пЃ® Malware programs may try to spread by пЃ® вЂ“ Sending out email with infected attachments. вЂ“ Send out carefully-requests back door attack packets. Consequences of Attacks пЃ® If you have ever been attacked by a computer virus, you know the damage it can cause вЂ“ Your computer can begin to run very slowly and constantly pop-up annoying messages that make it difficult to do anything productive. вЂ“ Having the virus removed by a technician can be expensive and time-consuming. вЂ“ The virus itself may destroy irreplaceable files like family pictures or videos. Even if the virus itself does not cause data loss, often the process of removing the virus can require reinstalling the operating system and all the programs. вЂ“ Your credit card or other private information can be stolen. World-wide damage estimates пЃ® Computer viruses cause a huge amount of damage worldwide. вЂ“ Damages from just one virus (The I Love You Virus) are estimated at $10 billion dollars. It is also estimated that 45 million people worldwide were affected. пЃ® Costs come from restoring damaged systems, replacing lost information, steps taken to prevent attacks and steps taken to prepare to recover from attacks. Case пЃ® Jason, a 16 year old honor student, wrote a computer virus that causes 4 billion dollars of damage and impacted countless home and business computers. The authorities traced the virus to him. Jason says that he is very sorry and didnвЂ™t mean for it to get so out of hand. He said he was just fooling around to see if he could do it. Discussion How would you feel if you were a friend of JasonвЂ™s? пЃ® How would you feel if you had lost your entire MP3 collection or a book report you had worked on for 3 weeks? пЃ® What type of punishment would recommend in this case? пЃ® Blackhat vs. Whitehat Blackhat computer hackers look for flaws in software to exploit them or break into computer for malicious purposes. пЃ® Whitehat computer hackers look for flaws in software to fix them or attempt to break into computers to audit their security. пЃ® What do whitehat hackers do? Analyze server software for flaws that could be exploited and recommend fixes. пЃ® Analyze new viruses or malware to characterize what they are doing and to build patches. пЃ® Audit the overall security of computer systems. пЃ® Defenses пЃ® Even if you are not whitehat hacker there is a lot you can do to defend your computer against attack пЃ® Defending against front door attacks means being careful about what programs you run and what attachments and links you open пЃ® Defending against back door attacks means knowing what services are running on your machine and keeping them patched Defending against front door attacks пЃ® 1) Be careful opening email attachments even from friends. пЃ® 2) Be careful clicking on web links found on less reputable web sites. пЃ® 3) Beware of free downloads that seem too good to be true. пЃ® 4) Use a good virus scanner and keep your virus signatures up-to-date. пЃ® 5) Consider using less popular email readers and web browser software.( Attackers target the most popular software.) There are excellent and free open source options. Defending against back door attacks 1) Use netstat to see what services are running. пЃ® 2) Periodically check to see if any new services have been started. пЃ® 3) Keep your server software patched and up-to-date. пЃ® 4) Consider shutting down any services you do not need. пЃ® Prepare to recover from an attack пЃ® No matter how careful you are it is still wise to prepare to recover from an attack if one does occur. вЂ“ 1) Back up your personal data such as digital pictures, letter and papers youвЂ™ve written, your address book, etc. вЂ“ 2) Keep track of the software youвЂ™ve installed on your computer including where you got it and any activation keys you paid for. Review Questions пЃ® пЃ® пЃ® пЃ® пЃ® What is a front door attack? What are some examples? What is a back door attack? What are some examples? Give some examples of what malware tries to accomplish. Describe ways that whitehat hackers try to make systems more secure. Describe things you can do to secure your computer against attack. Conclusion пЃ® Knowing the different kinds of attacks and the goals of attackers can help you understand how better to defend yourself.