THE ART OF COMPUTER VIRUS RESEARCH AND DEFENSE

 

By Peter Szor
Published by Addison-Wesley Professional
ISBN: 0321304543   Buy Now!
Published:February, 2005
Pages:744

 About the author

Peter Szor graduated from the University of Veszprem Hungary in 1991. He is best known as the author of the popular Hungarian virus scanner called Pasteur, which he developed between 1990 and 1995. Szor.s interest in computer viruses began in 1990. He worked on various anti-virus scanning engines over the last decade including F-PROT, AVP, and Norton AntiVirus. Szor was invited to join CARO (Computer Anti-virus Researchers' Organization) in 1997. He is a frequent speaker at Virus Bulletin, EICAR, and ICSA conferences, and a regular contributor to Virus Bulletin magazine. In 1999 Szor joined Symantec, where he designs and develops anti-virus technologies for the Norton Anti-virus product line. He is the author of several U.S. patents that are pending.

Free Chapter:
      9.1 Introduction

This chapter discusses the generic (or at least "typical") structure of advanced computer worms and the common strategies that computer worms use to invade new target systems. Computer worms primarily replicate on networks, but they represent a subclass of computer viruses. Interestingly enough, even in security research communities, many people imply that computer worms are dramatically different from computer viruses. In fact, even within CARO (Computer Antivirus Researchers Organization), researchers do not share a common view about what exactly can be classified as a "worm." We wish to share a common view, but well, at least a few of us agree that all computer worms are ultimately viruses1. Let me explain. The network-oriented infection strategy is indeed a primary difference between viruses and computer worms. Moreover, worms usually do not need to infect files but propagate as standalone programs. Additionally, several worms can take control of remote systems without any help from the users, usually exploiting a vulnerability or set of vulnerabilities. These usual characteristics of computer worms, however, do not always hold. Table 9.1 shows several well-known threats. Table 9.1 Well-Known Computer Worms and Their Infection Methods Name / Discovered Type Infection Execution Method WM/ShareFun February 1997 Microsoft Mail dependent mailer Word 6 and 7 documents By user Win/RedTeam January 1998 Injects outgoing mail to Eudora mailboxes Infects Windows NE files By user W32/Ska@m (Happy99 worm) January 1999 32-bit Windows mailer worm Infects WSOCK32.DLL (by inserting a little hook function) By user W97M/Melissa@mm March 1999 Word 97 mass-mailer worm Infects other Word 97 documents By user VBS/LoveLetter@mm2 May 2000 Visual Basic Script mass-mailer worm Overwrites other VBS files with itself By user W32/Nimda@mm September 2001 32-bit Windows mass-mailer worm Infects 32-bit PE files Exploits vulnerabilities to execute itself on target Table 9.1 suggests that infection of file objects is a fairly common technique among early, successful computer worms. According to one of the worm definitions, a worm must be self-contained and spread whole, not depending on attaching itself to a host file. However, this definition does not mean that worms cannot act as file infector viruses in addition to network-based propagators. Of course, many other worms, such as Morris3, Slapper4, CodeRed, Ramen, Cheese5, Sadmind6, and Blaster, do not have file infection strategies but simply infect new nodes over the network. Thus defense methods against worms must focus on the protection of the network and the network-connected node.

1 2 3 4 5 6 7 8 9  Next page >> 

 

" Worm: n., A self-replicating program able to propagate itself across network, typically having a detrimental effect."

—Concise Oxford English Dictionary, Revised Tenth Edition.