Seminar Report on
Trojan horse

Submitted by:
Vaibhavi Oza
Avani Panchal

Seminar Guide: Miss Binita Patel
Section Head – IT: Mr. Manthan Khopker

Date: -
Place: -
CONTENTS

1 Introduction to Virus
  1.1 Definition
  1.2 History of virus
  1.3 Virus Evolution
  1.4 Working of virus
  1.5 Types of virus
2 Introduction to worm
  2.1 Definition
  2.2 History of worms
  2.3 Working of worms
  2.4 Types of worms
3 Introduction to Trojan horse
  3.1 Definition
  3.2 History of Trojans
  3.3 Working of Trojan
  3.4 Types of Trojan
4 Difference between virus, worm & Trojan
  4.1 Difference
ABSTRACT
This seminar is on computer viruses, worms and Trojan horses.
Today almost everyone uses computers and the Internet, and anyone who does will have come across these words. People know the words, but often do not know what these programs actually are, or what the differences are between a virus, a worm and a Trojan horse.
In this seminar we introduce what a virus is, what its types are, how they work and how you can protect your computer from these threats. We then do the same for worms and Trojan horses, and we also discuss recent attack patterns: although there were no big attacks in the year 2008 that affected a mass number of computers, systems were still being infected.
ACKNOWLEDGEMENT
I would like to thank our faculty, Ms. Binita Patel, for providing us with guidelines whenever needed.
I would also like to thank our Head of Department, Mr. Manthan Khopker, for keeping an eye on us.
Oza Vaibhavi .
Panchal Avani.
1. Introduction to Virus:
1.1 Definition:
A computer virus is a program that attaches a copy of itself to other programs (or, in the case of macro viruses, to documents) so that it runs, and replicates further, whenever the infected host is run. Two categories of self-replicating malware, macro viruses and worms, are especially common today; strictly speaking, worms are a separate class (see section 2), because they spread on their own over a network rather than by infecting host programs.
Computer viruses are never naturally occurring; they are always man-made. Once created and released, however, their spread is not directly under human control.
1.2 History:
Traditional computer viruses were first widely seen in the late 1980s, and
they came about because of several factors.
The first factor was the spread of personal computers (PCs). Prior to the
1980s, home computers were nearly non-existent or they were toys. Real
computers were rare, and they were locked away for use by "experts."
During the 1980s, real computers started to spread to businesses and homes
because of the popularity of the IBM PC (released in 1982) and the Apple
Macintosh (released in 1984). By the late 1980s, PCs were widespread in
businesses, homes and college campuses.
The second factor was the use of computer bulletin boards. People could dial
up a bulletin board with a modem and download programs of all types.
Games were extremely popular, and so were simple word processors,
spreadsheets and other productivity software. Bulletin boards led to the
precursor of the virus known as the Trojan horse. A Trojan horse is a
program with a cool-sounding name and description. So you download it.
When you run the program, however, it does something uncool like erasing your disk. You think you are getting a neat game, but it wipes out your system. Trojan horses only hit a small number of people because they are quickly discovered, the infected programs are removed and word of the danger spreads among users.
Floppy disks were factors in the spread of computer viruses.
The third factor that led to the creation of viruses was the floppy disk. In the
1980s, programs were small, and you could fit the entire operating system, a
few programs and some documents onto a floppy disk or two. Many
computers did not have hard disks, so when you turned on your machine it
would load the operating system and everything else from the floppy disk.
Virus authors took advantage of this to create the first self-replicating
programs.
If one of the infected programs is given to another person on a floppy disk, or if it is uploaded to a bulletin board, then other programs get infected. This is how the virus spreads.
The spreading part is the infection phase of the virus. Viruses wouldn't be so violently despised if all they did was replicate themselves. Most viruses also have a destructive attack phase where they do damage. Some sort of trigger will activate the attack phase, and the virus will then do something -- anything from printing a silly message on the screen to erasing all of your data. The trigger might be a specific date, the number of times the virus has been replicated or something similar.
As virus creators became more sophisticated, they learned new tricks. One
important trick was the ability to load viruses into memory so they could
keep running in the background as long as the computer remained on. This
gave viruses a much more effective way to replicate themselves. Another
trick was the ability to infect the boot sector on floppy disks and hard disks.
The boot sector is a small program that is the first part of the operating
system that the computer loads. It contains a tiny program that tells the
computer how to load the rest of the operating system. By putting its code in
the boot sector, a virus can guarantee it is executed. It can load itself into
memory immediately and run whenever the computer is on. Boot sector
viruses can infect the boot sector of any floppy disk inserted in the machine,
and on college campuses, where lots of people share machines, they could
spread like wildfire.
In general, neither executable nor boot sector viruses are very threatening
any longer. The first reason for the decline has been the huge size of today's
programs. Nearly every program you buy today comes on a compact disc.
Compact discs (CDs) cannot be modified, and that makes viral infection of a
CD unlikely, unless the manufacturer permits a virus to be burned onto the
CD during production. The programs are so big that the only easy way to
move them around is to buy the CD. People certainly can't carry applications
around on floppy disks like they did in the 1980s, when floppies full of
programs were traded like baseball cards. Boot sector viruses have also
declined because operating systems now protect the boot sector.
Infection from boot sector viruses and executable viruses is still possible.
Even so, it is a lot harder, and these viruses don't spread nearly as quickly as
they once did. Call it "shrinking habitat," if you want to use a biological
analogy. The environment of floppy disks, small programs and weak
operating systems made these viruses possible in the 1980s, but that
environmental niche has been largely eliminated by huge executables,
unchangeable CDs and better operating system safeguards.
1.5 Types of virus:
Boot sector viruses alter the program that is in the first sector (boot sector) of every DOS-formatted disk. Generally, a boot sector infector executes its own code (which usually infects the boot sector or partition sector of the hard disk), then continues the PC boot-up (start-up) process. In most cases, all write-enabled floppies used on that PC from then on will become infected.
A macro virus is a virus that exists as a macro attached to a data file. In most
respects, macro viruses are like all other viruses. The main difference is that
they are attached to data files (i.e., documents) rather than executable
programs. Many people do not think that viruses can reside on simple
document files, but any application that supports document-bound macros
that automatically execute is a potential haven for macro viruses. By the end
of the last century, documents became more widely shared than diskettes,
and document-based viruses were more prevalent than any other type of
virus. It seems highly likely that this will be a continuing trend.
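The heuristic that macro-virus scanners apply follows directly from the paragraph above: a macro virus needs to run without being asked (so it is bound to an auto-executing name) and needs to reach outside its document (to copy itself or deliver a payload). The following Python script is an added example, not code from this report: it scans the text of a VBA module for both properties and gives a verdict. The two modules it scans are constructed samples, and the paths under C:\TEMP are hypothetical.

```python
import re

# Procedure names that Word and Excel run automatically when a document is
# opened, closed or created. A macro virus has to hang its code off one of
# these (or something equivalent) so that it runs without the user asking.
AUTO_EXEC_NAMES = {
    "autoopen", "autoclose", "autoexec", "autonew", "autoexit",
    "document_open", "document_close", "document_new",
    "workbook_open", "workbook_close", "workbook_activate",
}

# Capabilities that let a macro leave the document: run programs, touch the
# file system, copy itself into the global template (how classic Word macro
# viruses reach every later document) or pull data from the network.
SUSPICIOUS_CALLS = {
    "shell": r"\bShell\b",
    "createobject": r"\bCreateObject\s*\(",
    "file_write": r"\bOpen\b.+\bFor\s+(?:Output|Binary|Append)\b",
    "delete_file": r"\bKill\b",
    "global_template": r"\bNormalTemplate\b",
    "vbproject_access": r"\.VBProject\b",
    "download": r"\bURLDownloadToFile\b",
}

PROC_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+([A-Za-z_][A-Za-z0-9_]*)",
    re.IGNORECASE | re.MULTILINE,
)


def analyze_vba(source):
    """Score one VBA module: (auto-exec procedures, suspicious capabilities, verdict)."""
    procs = PROC_RE.findall(source)
    auto_execs = sorted(p for p in procs if p.lower() in AUTO_EXEC_NAMES)
    capabilities = sorted(
        label for label, pattern in SUSPICIOUS_CALLS.items()
        if re.search(pattern, source, re.IGNORECASE)
    )
    if auto_execs and capabilities:
        verdict = "SUSPICIOUS"   # starts by itself AND reaches outside the document
    elif auto_execs or capabilities:
        verdict = "REVIEW"       # only one of the two; a human should look
    else:
        verdict = "CLEAN"
    return auto_execs, capabilities, verdict


# Constructed sample modules (not real malware): a harmless formatting macro,
# and one with the shape of a Word macro virus: bound to Document_Open, it
# copies itself into the global template and runs an external command.
BENIGN_MODULE = """\
Sub FormatReport()
    Selection.Font.Bold = True
End Sub
"""

MACRO_VIRUS_LIKE_MODULE = """\
Private Sub Document_Open()
    ' replicate: copy this module into the global template so that every
    ' document created from now on carries it (paths are hypothetical)
    ActiveDocument.VBProject.VBComponents("ThisDocument").Export "C:\\TEMP\\m.bas"
    NormalTemplate.VBProject.VBComponents.Import "C:\\TEMP\\m.bas"
    ' payload: do something outside the document
    Shell "cmd.exe /c echo infected > C:\\TEMP\\marker.txt", vbHide
End Sub
"""

if __name__ == "__main__":
    for name, module in (("benign", BENIGN_MODULE), ("virus-like", MACRO_VIRUS_LIKE_MODULE)):
        auto, caps, verdict = analyze_vba(module)
        print("%-10s auto-exec=%s capabilities=%s -> %s" % (name, auto, caps, verdict))
```

Real scanners first have to extract the VBA source from the OLE or OOXML container (tools such as oletools do this); the text heuristic above is the part that decides what the macro is up to.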
Stealth viruses: A stealth virus is one that, while active, hides the modifications it has made to files or boot records. It usually achieves this by monitoring the system functions used to read files or sectors from storage media and forging the results of calls to such functions. This means that programs that try to read infected files or sectors see the original, uninfected form instead of the actual, infected form. Thus the virus's modifications may go undetected by antivirus programs. However, in order to do this, the virus must be resident in memory when the antivirus program is executed, and the antivirus program may be able to detect its presence there (or sidestep the forged reads entirely by scanning from clean boot media).
Boot sector viruses: Boot sector viruses infect or substitute their own code
for either the DOS boot sector or the Master Boot Record (MBR) of a PC.
The MBR is a small program that runs every time the computer starts up. It
controls the boot sequence and determines which partition the computer
boots from. The MBR generally resides on the first sector of the hard disk.
Since the MBR executes every time a computer is started, a boot sector virus
is extremely dangerous. Once the boot code on the drive is infected, the virus
will be loaded into memory on every startup. From memory, the boot virus
can spread to every disk that the system reads. Boot sector viruses are
typically difficult to remove, as most antivirus programs cannot clean the
MBR while Windows is running. In most cases, it takes bootable antivirus
disks to properly remove a boot sector virus.
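The check that a bootable antivirus disk performs on the MBR can be written in a few lines. The following Python code is an added example, not code from this report: it parses the 512-byte sector, validates the 0x55AA signature, decodes the partition table and compares a hash of the 446 boot-code bytes with a baseline taken while the disk was known clean. The two sectors are constructed samples; the "infected" one merely replaces the first instruction with a jump, as a stand-in for a real infector's code. The sector must be read after booting from clean media: a resident stealth virus (see above) would otherwise forge the read and hand back the original bytes.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the executable boot code
PART_TABLE_OFFSET = 446        # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511; the BIOS refuses to boot without it


def parse_mbr(sector):
    """Parse a 512-byte MBR into a boot-code hash plus the partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        offset = PART_TABLE_OFFSET + 16 * i
        # entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, offset)
        if ptype != 0:
            partitions.append({
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": count,
            })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector, baseline_sha256):
    """Compare the boot code with a hash recorded while the disk was known clean.

    A boot sector virus keeps the partition table and the 0x55AA signature
    intact (the machine still has to boot), so only the code bytes change;
    hashing exactly that region is what a bootable antivirus disk does.
    """
    info = parse_mbr(sector)
    info["boot_code_modified"] = info["boot_code_sha256"] != baseline_sha256
    return info


def build_sample_mbr(boot_code):
    """Construct a sample MBR with one bootable NTFS partition (illustrative data)."""
    assert len(boot_code) == BOOT_CODE_LEN
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    empty_entries = bytes(16) * 3
    return boot_code + entry + empty_entries + BOOT_SIGNATURE


# Stand-in for real boot code: the classic MBR prologue
# (cli; xor ax,ax; mov ss,ax; mov sp,0x7C00) padded with zeros.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + bytes(BOOT_CODE_LEN - 8)
# A boot sector virus typically overwrites the start of the code with a jump
# into its own body and stashes the original sector elsewhere on the disk.
INFECTED_BOOT_CODE = b"\xe9\x00\x01" + CLEAN_BOOT_CODE[3:]

CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
INFECTED_MBR = build_sample_mbr(INFECTED_BOOT_CODE)

if __name__ == "__main__":
    baseline = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
    for name, mbr in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        result = check_mbr(mbr, baseline)
        print(name, "boot code modified:", result["boot_code_modified"],
              "partitions:", result["partitions"])
```

On a real system the sector would be read from the raw device (for example /dev/sda or \\.\PhysicalDrive0) and the baseline hash stored off the machine; a changed hash with an unchanged partition table is the characteristic fingerprint of a boot sector infector.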
2. Introduction to Worms:
2.1 Definition:
A worm is a computer program that has the ability to copy itself from machine to machine. Worms use up computer time and network bandwidth when they replicate, and often carry payloads that do considerable damage. Worms normally move around and infect other machines through computer networks. Using a network, a worm can expand from a single copy incredibly quickly.
A recent example is the Storm worm. When it is launched, it opens a back door into the computer, adds the infected machine to a botnet and installs code that hides itself. Its botnets are small peer-to-peer groups rather than one large, more easily identified network. Experts think the people controlling Storm rent out these micro-botnets to deliver spam or adware, or for denial-of-service attacks.
2.2 History of computer worms:
Malware with self-replicating capability has been an issue in the world of computing for decades. One of the earliest and most widely discussed examples is the self-reproducing compiler backdoor that Ken Thompson described in his 1984 Turing Award lecture "Reflections on Trusting Trust". Over the past few years, both worms and viruses have become major problems, mainly due to widespread use of the Internet. This wide open platform enables these infections to spread rapidly with no geographic restrictions. Worms in particular are becoming more sophisticated, as malicious coders have learned from their mistakes as well as their successes.
Early Infections
Self-replicating applications date back to the early days of the Unix operating system. Ken Thompson's code was essentially a compiler modification: it planted a backdoor in the login program whenever login was compiled, and reinserted itself whenever the compiler itself was recompiled, so the modification survived even though neither program's source code showed it. The conventional virus became a common plague in the era of the Apple II (Elk Cloner, 1982, carried on floppy disks) and then on DOS PCs. Floppy-borne infection moved rather slowly, yet it distributed some of the best-known viruses, such as Michelangelo (1991) and, later, CIH/Chernobyl (1998).
The Morris worm (1988), although released by accident, was far from benign, because of a bug in its code. When it reached a computer that was already infected, the new copy would often keep running instead of exiting, so multiple copies ran at once and crippled system performance. This, however, also caused the worm to be noticed instantly, and therefore quickly contained.
Modern Worms
One should also have a strategy for limiting worm exploits. While there is no perfect solution, there are many steps that can be taken to prevent damage and reduce the spread of infection. Anti-virus software and firewalls are a must these days, two powerful weapons that will keep you one step ahead of a worm outbreak. Keeping systems patched matters just as much, since network worms such as Code Red enter through vulnerabilities for which a fix already exists. It is also critical to conduct routine backups of your data, as these infections can easily corrupt or completely overwrite existing files. When it comes to the disruption of worms and other malware, it's much better to be safe than sorry.
2.3 Working of worms:
To understand how worms work, we will look at how some actual worms attacked and how dangerous they can be.
Worms normally move around and infect other machines through computer networks. Using a network, a worm can expand from a single copy incredibly quickly. The Code Red worm replicated itself more than 250,000 times in approximately nine hours on July 19, 2001.
The Code Red worm slowed down Internet traffic when it began to replicate itself, but not nearly as badly as predicted. Each copy of the worm scanned the Internet for Windows NT or Windows 2000 servers running IIS that did not have the Microsoft security patch installed. Each time it found an unsecured server, the worm copied itself to that server. The new copy then scanned for other servers to infect. Depending on the number of unsecured servers, a worm could conceivably create hundreds of thousands of copies.
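The "single copy to hundreds of thousands" dynamic described above follows from a simple model. The following Python code is an added example, not part of this report: it treats every infected host as probing random IPv4 addresses at a fixed rate, so the chance of hitting a still-unpatched server falls as the pool of them shrinks, giving the logistic curve that real outbreaks follow. The vulnerable population (360,000 servers) and the scan rate (10 probes per second per host) are assumptions chosen to be in the range of the Code Red figures quoted above, not measured values.

```python
ADDRESS_SPACE = 2 ** 32   # IPv4; Code Red picked its targets at random from it


def random_scan_spread(vulnerable, scans_per_sec, initial=1, step_sec=60, max_sec=24 * 3600):
    """Mean-field model of a random-scanning worm (no randomness, so runs are repeatable).

    Every infected host sends scans_per_sec probes per second to random addresses.
    A probe lands on a still-uninfected vulnerable host with probability
    (vulnerable - infected) / 2^32, and that host then starts scanning too.
    Returns a list of (seconds_since_release, infected_hosts).
    """
    infected = float(initial)
    history = [(0, initial)]
    for t in range(step_sec, max_sec + 1, step_sec):
        hit_rate = scans_per_sec * (vulnerable - infected) / ADDRESS_SPACE
        infected = min(float(vulnerable), infected + infected * hit_rate * step_sec)
        history.append((t, int(infected)))
        if infected >= vulnerable:
            break
    return history


def time_to_fraction(history, vulnerable, fraction):
    """Seconds until at least `fraction` of the vulnerable population is infected."""
    for t, n in history:
        if n >= fraction * vulnerable:
            return t
    return None


if __name__ == "__main__":
    population = 360_000          # assumed number of unpatched IIS servers
    for rate in (10, 100):        # assumed probes per second per infected host
        run = random_scan_spread(population, rate)
        print("scan rate %3d/s: 50%% infected after %.1f h, 90%% after %.1f h" % (
            rate,
            time_to_fraction(run, population, 0.5) / 3600,
            time_to_fraction(run, population, 0.9) / 3600))
```

Two things the model makes visible: the outbreak is slow for hours while there are few scanners, then explodes, which is why a worm is "noticed" only after most of the damage is done; and the growth rate is proportional to the vulnerable population, so every server patched before release slows down every later infection, not just its own.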
Besides spreading, Code Red carried a payload. Depending on the day of the month, an infected server would:
Replace Web pages on infected servers with a page featuring the message "Hacked by Chinese";
Launch a concerted attack on the White House Web site in an attempt to overwhelm it. Upon successful infection, Code Red would wait for the appointed hour and connect to the www.whitehouse.gov domain. This attack consisted of the infected systems simultaneously sending 100 connections to port 80 of www.whitehouse.gov (198.137.240.91).
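On the defender's side, a Code Red infection attempt is visible in the web server log as a GET for /default.ida with a query string of a few hundred N characters (X for Code Red II) followed by %u-encoded shellcode; the padding is what overflowed the buffer in the IIS Index Server ISAPI filter. The following Python code is an added example, not from this report: it parses Combined Log Format lines, flags requests matching that signature and counts the distinct scanning hosts, each of which is itself an infected server. The log lines are constructed; addresses and times are made up, and the shellcode part of the request is abbreviated.

```python
import re

# Combined Log Format as written by many web servers; IIS W3C logs are laid
# out differently but carry the same request line, which is all we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Code Red's request: GET /default.ida with a long run of 'N' (Code Red I)
# or 'X' (Code Red II) in the query string, followed by %u-encoded shellcode.
CODE_RED_RE = re.compile(r"^/default\.ida\?(N{100,}|X{100,})%u")
VARIANT = {"N": "Code Red I", "X": "Code Red II"}


def parse_log_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_code_red(lines):
    """Return one record per request that matches the Code Red signature."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        m = CODE_RED_RE.match(rec["url"])
        if m:
            hits.append({
                "source_ip": rec["ip"],
                "timestamp": rec["ts"],
                "variant": VARIANT[m.group(1)[0]],
                "status": rec["status"],
            })
    return hits


def summarize(hits):
    """Distinct scanning hosts per variant: every one of them is an infected server."""
    by_variant = {}
    for h in hits:
        by_variant.setdefault(h["variant"], set()).add(h["source_ip"])
    return {variant: len(ips) for variant, ips in by_variant.items()}


# Constructed sample log (made-up addresses and times; the request line follows
# the published Code Red pattern with the shellcode portion abbreviated).
_SHELLCODE = "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
_CR1 = "N" * 224 + _SHELLCODE
_CR2 = "X" * 224 + _SHELLCODE
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Jul/2001:14:02:11 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.23 - - [19/Jul/2001:14:02:19 +0000] "GET /default.ida?%s HTTP/1.0" 200 0' % _CR1,
    '203.0.113.7 - - [19/Jul/2001:14:05:40 +0000] "GET /default.ida?%s HTTP/1.0" 200 0' % _CR1,
    '192.0.2.99 - - [04/Aug/2001:09:12:03 +0000] "GET /default.ida?%s HTTP/1.0" 200 0' % _CR2,
    '198.51.100.23 - - [19/Jul/2001:14:06:02 +0000] "GET /robots.txt HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    found = find_code_red(SAMPLE_LOG)
    for h in found:
        print("%-14s %-12s %s" % (h["source_ip"], h["variant"], h["timestamp"]))
    print("infected hosts seen:", summarize(found))
```

Seeing the probe in your own log does not mean the server was infected (a patched IIS logs the request and survives it); it means the source address is an infected machine, which is the list an operator would pass to the owners of those networks.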
2.4 Types of worms:
Email Worms
Spreading goes via infected e-mail messages. The worm may travel as an attachment, or the message may only contain a link to an infected website. In the first case activation starts when the user opens the attachment; in the second case it starts when the user clicks the link in the e-mail.
Be aware that during spreading some worms construct new sender addresses based on possible names combined with common domain names. So the sender address in the e-mail need not be the originator of the e-mail.
Network Worms
Another way is that the worm scans the Internet for machines still open for exploitation, i.e. not patched. Data packets or requests are sent which install the worm or a worm downloader. If this succeeds the worm executes on the new machine, and there it goes again!
IRC Worms
Chat channels are the main target, and the same infection/spreading method is used as above - sending infected files or links to infected websites. Sending infected files is less effective, as the recipient needs to confirm receipt, save the file and open it before infection will take place.
3. Trojan Horse:
3.1 Definition:
A Trojan horse is a computer program which carries out malicious operations without the user's knowledge. The name "Trojan horse" comes from the Greek legend of the siege of the city of Troy by the Greeks, told by Homer (the horse itself appears in the Odyssey; the Iliad ends before it) and by Virgil in the Aeneid.
Legend has it that the Greeks, unable to penetrate the city's defences, got the idea of pretending to give up the siege and instead leaving the city a giant wooden horse as a gift offering.
The Trojans (the people of the city of Troy) accepted this seemingly harmless gift and brought it within the city walls. However, the horse was filled with soldiers, who came out at nightfall, while the town slept, to open the city gates so that the rest of the army could enter.
Thus, a Trojan horse (in the world of computing) is a hidden program which secretly runs commands, and usually opens up access to the computer running it by opening a backdoor, through which the attacker can, for example, steal passwords. For this reason it is often called simply a Trojan.
3.2 History of Trojans:
The name Trojan horse is a bit different from the others, as it has a tale attached to it. It was called so because of a Greek legend.
A Trojan horse derives its name from the Trojan War. Legend has it that the Greeks, following a plan devised by Odysseus, built a giant wooden horse and left it outside the gates of Troy as an offering, then withdrew their army as though giving up the siege. However, the horse had a band of soldiers hidden in its belly. Once the horse was inside the city of Troy, these soldiers snuck out and opened the gates for their fellow soldiers, who went on to attack the unsuspecting city.
In the same way a Trojan horse comes into your computer as a 'gift', or you could say a harmless-looking package of software, but once you run it you find out what it actually was.
3.3 Working of Trojan horse:
Trojans work on the client-server model. The attacker runs the client and uses it to connect to the server, which runs on the remote machine once the remote user unknowingly executes the Trojan there.
Most Trojans communicate over TCP or UDP. The server usually tries to remain in stealth mode, hidden on the computer. When the Trojan is activated, the server starts listening on its default or configured port(s) for incoming connections from the attacker. It is usual for Trojans also to modify the registry and/or use some other auto-starting method.
Most Trojans use auto-starting methods so that the server is restarted every time the remote machine reboots or starts; the restart is typically reported back to the attacker. Some of the well-known system files and locations targeted by Trojans for this purpose are the Autostart (Startup) folder, Win.ini, System.ini, Wininit.ini, Winstart.bat, Autoexec.bat and Config.sys.
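The auto-start locations just listed can be audited directly, which is how the older start-up inspection tools worked. The following Python code is an added example, not from this report: it parses the relevant keys of Win.ini ([windows] load= and run=) and System.ini ([boot] shell=) and lists every command in the start-up batch files, so that anything other than Explorer.exe and the drivers you expect stands out. The sample files are constructed, and wincfg32.exe is a hypothetical file name standing in for a Trojan server.

```python
import re


def parse_ini(text):
    """Minimal INI parser: {section: {key: value}}, section and key names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


# Batch-file lines that do not start a program.
_BATCH_NOISE = ("rem", "@echo", "echo", "set ", "path", "prompt", "cls")


def autostart_entries(win_ini, system_ini, batch_files):
    """List every program these legacy locations would launch at start-up.

    Returns (location, command) pairs. On Windows 9x these run before the
    user does anything, so a Trojan server planted here restarts with the machine.
    """
    findings = []
    windows = parse_ini(win_ini).get("windows", {})
    for key in ("load", "run"):
        # both keys take a list of programs; empty is the normal state
        for item in re.split(r"[,\s]+", windows.get(key, "").strip()):
            if item:
                findings.append(("win.ini [windows] %s=" % key, item))
    shell = parse_ini(system_ini).get("boot", {}).get("shell", "")
    if shell and shell.lower() != "explorer.exe":
        # "shell=Explorer.exe extra.exe" is a classic trick: Explorer still
        # starts, so nothing looks wrong, but extra.exe starts along with it
        findings.append(("system.ini [boot] shell=", shell))
    for name, text in batch_files.items():
        for line in text.splitlines():
            cmd = line.strip()
            if cmd and not cmd.lower().startswith(_BATCH_NOISE):
                findings.append((name, cmd))
    return findings


# Constructed samples; wincfg32.exe and its path are hypothetical.
CLEAN_WIN_INI = "[windows]\nload=\nrun=\n[Desktop]\nWallpaper=(None)\n"
CLEAN_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n[386Enh]\ndevice=*vmm\n"
CLEAN_BATCH = {
    "winstart.bat": "@echo off\nREM nothing to do\n",
    "autoexec.bat": "@echo off\nSET PATH=C:\\WINDOWS\nPROMPT $p$g\n",
}

TROJANED_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\wincfg32.exe\n[Desktop]\nWallpaper=(None)\n"
TROJANED_SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\SYSTEM\\wincfg32.exe\n"
TROJANED_BATCH = {
    "winstart.bat": "@echo off\nC:\\WINDOWS\\SYSTEM\\wincfg32.exe\n",
    "autoexec.bat": "@echo off\nSET PATH=C:\\WINDOWS\n",
}

if __name__ == "__main__":
    print("clean   :", autostart_entries(CLEAN_WIN_INI, CLEAN_SYSTEM_INI, CLEAN_BATCH))
    print("trojaned:", autostart_entries(TROJANED_WIN_INI, TROJANED_SYSTEM_INI, TROJANED_BATCH))
```

The same idea carries over to the registry Run keys the text mentions: enumerate every location the system starts programs from, and treat any entry you cannot account for as a candidate Trojan server, regardless of how innocent its file name looks.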
Modes of Transmission
A Trojan can infect the target system through different modes of transmission. The common modes are as follows:
Instant Message
IRC (Internet Relay Chat)
Attachments
Physical Access
Instant message
People can also get infected while chatting / talking / video messaging over any Instant Messenger application. Receiving files is a risk the user takes, no matter from whom or where they come.
IRC
In Internet Relay Chat, the threat comes from the exchange of files, no matter what they claim to be or where they come from. It is possible that some of these are infected or disguised files.
Attachments
Physical Access
Physical access to a target machine is perhaps the easiest way for an attacker to infect a machine.
Browser and E-mail Software Bugs
File sharing (NetBIOS, port 139)
If port 139 (the NetBIOS session service, which Windows uses for file and printer sharing) is reachable and a share is writable, the attacker can copy trojan.exe onto the machine and modify a system file so that it runs the next time the system is rebooted.
3.4 Types of Trojan horse:
Trojan horses are classified based on how they breach systems and the damage they cause. Of the seven main types of Trojan horse, the following are described here:
Remote Access Trojans
Destructive Trojans
Proxy Trojans
FTP Trojans
Remote Access Trojans:
The attacker gains full control over the systems that the Trojan infects, and with it full access to files, private conversations, accounting data and so on. The remote access Trojan acts as a server and listens on a port that is not supposed to be reachable from the Internet; an attacker on the same network, behind the firewall, can reach the Trojan easily. Examples: Back Orifice and NetBus.
Destructive Trojans:
The sole purpose of a destructive Trojan is to delete files on the target system. Destructive Trojans are usually triggered at a fixed time or date, much like a logic bomb, and typically target core system files such as .dll, .ini or .exe files.
Proxy Trojans:
Proxy Trojans convert the user's computer into a proxy server, making it accessible either to the entire world or only to the specified attacker. The attacker has full control over the user's system and can also launch attacks on other systems from the affected user's network. Generally such a proxy is used to relay Telnet, ICQ or IRC traffic, to purchase goods using stolen credit cards, and for other illegal activities, so that the victim's address rather than the attacker's appears in the logs.
FTP Trojans:
FTP Trojans run an FTP server on the victim's system (typically on port 21) and allow the attacker to connect to the victim's system via FTP to upload and download files.
Hazards of Trojan