Viruses and Worms – CompTIA Security+ SY0-401: 3.1

Viruses are well known for corrupting our operating systems and documents. In this video, you’ll learn how viruses work and how worms are able to replicate without human intervention.


A virus is a very specific kind of malware. It’s malware that’s designed to replicate itself, very similar to what a biological virus does in the human body. It may not even need you to click anything, but it does need a program to run. An executable on your computer has to execute, and that’s what gets the virus going.

And once that virus gets started with that executable, it can transfer itself to other things on your computer. It can copy itself to your USB drive. It can copy itself across the network to wherever that executable lives, even if that’s on a separate hard drive somewhere.

So it can go through all of your file systems. It can go through the network. That program can hop around to a lot of different places, all from that one computer. It can be a very big problem if you access a lot of different file systems, or if you have a big network at work. These viruses tend to go a lot of different places.

Some viruses, though, you may not even notice. They may not do anything very malicious, at least not obviously malicious. They may simply be sitting there making your computer run slower, or they may not be doing much of anything at all.

That’s one of the challenges with viruses: some can be very, very bad, and some are relatively harmless, or at least quiet enough that you wouldn’t even know they’re there. Other viruses start deleting files. They start corrupting files. They start encrypting files without your knowledge. That can be a very big problem.

And obviously viruses are extremely common, especially in a Windows environment. Thousands of new viruses are identified every week. That’s why we mentioned it’s so important to keep the antivirus signatures on your computer constantly updated. You should update them at a minimum every day, so that if you download something from the internet, your antivirus at least has the signatures to identify it if it happens to be something that’s already known. Keep in mind that signatures only catch what’s already known, which is why patching and the other controls we’ll talk about still matter.

There are many different kinds of computer viruses. One that’s been around for a long time is the boot sector virus. It doesn’t even need the operating system. It sits in the boot sector of your hard drive, so it loads before the operating system does, and once the operating system starts up, it’s infected.

Boot sector viruses can also be a bit challenging to remove, because when you’re inside your operating system, you may not have direct access to the boot sector. So very often you’ll have to boot your machine from a special disk, or use a special program that can get at the boot sector, to remove that particular kind of virus.

Program viruses are a lot more common. They’re embedded into an application. The virus attaches itself to the program file itself, and that program virus runs whenever that application starts up on your computer.

Script viruses are something you don’t see very often, but they can still cause problems, because they’re written in a scripting language that your operating system already interprets, so nothing has to be compiled for them to run. Sometimes the scripting is in a browser as well. JavaScript is a very common scripting language that’s almost always enabled in a browser. And if a bad guy identifies a vulnerability in how JavaScript can communicate with other things in your browser, or with what’s on your computer, they can start gaining access to your computer and doing whatever they’d like to your operating system.

Another very common type of virus, and one that was really enabled by functionality we turned on in our own applications, is the macro virus. When Microsoft Office first started allowing macros, in Microsoft Word, Microsoft Excel, and the other Microsoft Office applications, the bad guys began to find ways those macros could take advantage of things outside of Office. So you could open a Word document or a spreadsheet, and the macro inside it would gain access to the operating system.

Now Microsoft always goes back and corrects these things. You’ll see updates all the time that fix known vulnerabilities in Microsoft Office and in the way these macros work. But it’s something the bad guys like to use, because so many people use the Microsoft Office applications. And the more people that use a particular app, the more opportunities the bad guys have to take advantage of it.
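As an added example (not from the original video), here is a first-pass triage check in Python for the macro problem described above. A modern Office document is a ZIP container, and a macro-enabled one carries a vbaProject.bin part; its presence is the reliable signal. The document bytes below are a constructed stand-in, not a real Office file, and the scan for auto-run procedure names is best-effort only, because real VBA streams are compressed (a full scanner decompresses them).

```python
"""Check an OOXML Office document for an embedded VBA project and auto-run triggers.

Added example, not from the original video. build_sample() produces a constructed
minimal container standing in for a real .docm; real files would be opened by path.
"""
import io
import re
import zipfile

# Procedure names Office runs automatically when a document opens (well-known triggers)
AUTO_TRIGGERS = re.compile(
    rb"(AutoOpen|Auto_Open|Document_Open|Workbook_Open|AutoExec)", re.IGNORECASE
)


def inspect_office_file(data):
    """Return (has_vba, triggers) for OOXML bytes.

    has_vba is True when any vbaProject.bin part exists (plain .docx/.xlsx has none).
    triggers lists auto-run procedure names found as plain text in those parts; since
    VBA source inside vbaProject.bin is compressed, an empty list is not proof of absence.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        vba_parts = [n for n in z.namelist() if n.lower().endswith("vbaproject.bin")]
        triggers = set()
        for name in vba_parts:
            blob = z.read(name)
            triggers.update(m.decode("ascii").lower() for m in AUTO_TRIGGERS.findall(blob))
    return bool(vba_parts), sorted(triggers)


def build_sample(with_macro):
    """Constructed minimal OOXML container (not a real Office document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE2 file (D0 CF 11 E0 header) with compressed
            # module streams; this constructed blob just contains a readable trigger name.
            z.writestr(
                "word/vbaProject.bin",
                b"\xd0\xcf\x11\xe0...Sub AutoOpen()\r\nShell \"cmd\"...",
            )
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("macro-enabled", build_sample(True)), ("plain", build_sample(False))):
        has_vba, triggers = inspect_office_file(sample)
        print(f"{label}: has_vba={has_vba} triggers={triggers}")
```

The point of the check is policy, not detection of a specific virus: a document arriving from outside that carries a VBA project at all is the thing to quarantine or open in a sandbox, regardless of what the macro does.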

Multipartite viruses are viruses that use multiple infection methods we’ve already discussed, working together, to do something bad on your system or to embed or copy themselves somewhere else. The classic combination is a virus that infects both the boot sector and program files: the boot sector copy infects programs as they run, and an infected program can reinfect the boot sector.

Obviously, those have to be very well thought out. The pieces all have to work together, and that also means cleaning just one part isn’t enough. Remove the infected programs but leave the boot sector, or the other way around, and the virus comes right back.

Worms are a special kind of virus. Up to this point, we’ve talked about viruses being executed when you clicked on something or ran a program. Worms don’t need you, though. Worms can propagate themselves across the network all by themselves. All your computer has to do is be turned on and reachable, and the worm can take advantage of that.

Generally, it’s taking advantage of a vulnerability in the operating system or in a network service that’s listening on your computer. It gets in, embeds itself, and then hops to another computer. Generally, when you see operating system updates or application updates, the things they close are exactly these openings that worms use to propagate. If you get rid of the vulnerability, the worm can’t get onto your computer.

But because they’re using our networks to move around, and we connect so many systems together, they can propagate very, very quickly. A worm can get onto one computer in an organization, and in less than an hour it may have infested every computer in the organization.

Some worms are so good at propagating themselves that, in the past, the worms themselves created so much network traffic that they brought down the network purely from a performance perspective. These days, the smarter worm writers don’t do that. They make sure the worm sneaks quietly around the network and embeds itself in as many computers as it can, so that later on they can enroll those machines in a botnet, copy files off them, install a key logger, or do whatever else they’d like once they’re there.

A worm doesn’t have to be bad, but almost all of them are. A well-known example of a worm that was trying to do something good is Nachi, which went out and tried to patch your computer. The problem, of course, is that a third-party program coming into your computer and making changes is not necessarily something you want, even when those changes are patches. So even though the writer of that worm had good intentions, and wanted to make sure you were running the latest patch to remove a particular vulnerability from your computer, that still may not be something you’d want to happen on your system.

One way many organizations stop worms from coming into their environment is with a firewall, or with an intrusion detection or intrusion prevention system. Those can stop the virus, the malware, the spyware, those worms, as they’re coming in. So we can stop them right there at the gateway.

But generally, that’s the only place the firewall is: right there at your connection to the internet. That’s the only place your IPS might be, too. You don’t generally have multiple IPSes inside an organization, and if you do, they cover very limited areas.

So if one machine inside your environment gets infected, or somebody brings in a laptop from outside and plugs it in, that worm can start infecting everybody in your environment, and the perimeter IPS never sees that traffic. Many organizations find themselves chasing the worm around. They’ll get a list of machines that are infected, and they’ll go out and clean those machines.

But in the meantime, those machines have been infecting others. So the next day, they’re going to a completely different group of machines and cleaning those, and they end up spending a lot of time going back and forth trying to hunt the worm down, using up a lot of resources in their environment.
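The two passages above (worms fanning out across the network on their own, and a perimeter IPS that never sees traffic between internal machines) describe a pattern you can hunt for yourself in internal flow or firewall logs: one host contacting many distinct neighbors on the same lateral-movement port within a short window. The Python below is an added example, not from the original video; the flow log lines, the port list, the window and the threshold are constructed assumptions for illustration.

```python
"""Flag worm-like fan-out in internal connection logs.

Added example, not from the original video. It assumes a simple constructed flow
log with one 'timestamp src dst dport' record per line; adapt parse_flows() to
whatever your firewall or NetFlow export actually emits.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 sweeps the subnet on 445/TCP within a few seconds,
# while 10.0.0.7 shows ordinary, sparse traffic.
SAMPLE_FLOWS = """\
2024-01-01T09:00:00 10.0.0.5 10.0.0.10 445
2024-01-01T09:00:01 10.0.0.5 10.0.0.11 445
2024-01-01T09:00:01 10.0.0.5 10.0.0.12 445
2024-01-01T09:00:02 10.0.0.5 10.0.0.13 445
2024-01-01T09:00:02 10.0.0.5 10.0.0.14 445
2024-01-01T09:00:03 10.0.0.5 10.0.0.15 445
2024-01-01T09:00:03 10.0.0.5 10.0.0.16 445
2024-01-01T09:00:04 10.0.0.5 10.0.0.17 445
2024-01-01T09:00:04 10.0.0.5 10.0.0.18 445
2024-01-01T09:00:05 10.0.0.5 10.0.0.19 445
2024-01-01T09:00:05 10.0.0.5 10.0.0.20 445
2024-01-01T09:00:06 10.0.0.7 10.0.0.1 53
2024-01-01T09:00:07 10.0.0.7 10.0.0.2 445
2024-01-01T09:05:00 10.0.0.7 10.0.0.3 445
"""

# Ports worms have classically used to reach the next machine (SMB, NetBIOS, RPC).
WORM_PORTS = {445, 139, 135}


def parse_flows(text):
    """Parse 'timestamp src dst dport' lines into (datetime, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def find_scanners(flows, window=timedelta(seconds=10), threshold=10, ports=WORM_PORTS):
    """Return {src: peak_distinct_targets} for sources that contact at least
    `threshold` distinct hosts on worm-typical ports inside any sliding `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in ports:
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                hits[src] = max(hits.get(src, 0), len(distinct))
    return hits


if __name__ == "__main__":
    for src, count in find_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible worm activity: {src} reached {count} hosts on SMB/RPC ports")
```

This is exactly the visibility the perimeter IPS lacks: the data has to come from internal switches, host firewalls or flow exports, because the gateway never sees host-to-host traffic on the LAN. Tune the threshold against your own environment first; vulnerability scanners and backup servers legitimately fan out on these ports and should be whitelisted rather than chased.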

Another reason it’s so hard to find these worms and to get them off every computer in your organization is that the worm writers, the people who program the malware, spent a lot of time making sure the worm could propagate in many different ways. A very good example is a relatively recent worm that’s still active. I still see this out here in people’s environments. It’s called Conficker. And one reason we still see it in different places is that out on the internet there’s a Conficker control system that can communicate with infected machines and push updated Conficker components back down to them.

If a computer has a file share protected by a weak password, one that’s very easy to guess, Conficker will embed itself on that computer. If you plug a USB memory stick into a computer that’s infected with Conficker, Conficker recognizes this and hops over to your USB key. What it’s hoping is that you’ll take that USB key to another computer that has AutoRun enabled, and as soon as you plug that USB drive into the other computer, that new machine is infected with Conficker too.

If you have a computer that doesn’t have the latest security updates, the many different variants of Conficker will take advantage of the known vulnerabilities on it; the one Conficker is best known for exploiting was a flaw in the Windows Server service (MS08-067). And as soon as one set of known vulnerabilities gets patched, another set is identified, and Conficker keeps changing itself to take advantage of those. And if you have open network shares, that’s a great place for Conficker to just save itself out on the share. The next person comes along, grabs some files, runs them, and now they’re infected with Conficker as well.
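For the USB vector described above, what the infected machine drops on the stick is an autorun.inf that tells Windows what to launch when the drive is inserted. The Python below is an added example (not from the original video) of a tolerant parser that pulls out the entries in that file that would make Windows run something; the sample autorun.inf is constructed for illustration and is not a real malware sample.

```python
"""Tolerant autorun.inf parser that flags entries launching code from removable media.

Added example, not from the original video. The sample autorun.inf below is
constructed for illustration; the paths and file names are invented.
"""
import re

SAMPLE_AUTORUN = """\
[autorun]
;  junk comment lines like this are common padding in malicious autorun.inf files
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
shellexecute=rundll32.exe .\\RECYCLER\\S-1-5-21-0\\loader.dll,Install
shell\\open\\command=rundll32.exe .\\RECYCLER\\S-1-5-21-0\\loader.dll,Install
useautoplay=1
"""

SAMPLE_BENIGN = """\
[AutoRun]
icon=setup.ico
label=Vendor Driver CD
"""

# Keys that make Windows execute something (historically, with AutoRun enabled):
# open=, shellexecute=, and shell\<verb>\command= entries.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\.*\\command)$", re.IGNORECASE)

# key=value, tolerating surrounding whitespace; keys never contain '=' and never
# start with ';' (comment marker).
ENTRY = re.compile(r"^\s*([^=;\s][^=]*?)\s*=\s*(.*?)\s*$")


def parse_autorun(text):
    """Return {lowercased key: value} from the [autorun] section, skipping junk lines."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if not in_section or line.startswith(";"):
            continue
        m = ENTRY.match(line)
        if m:
            entries[m.group(1).lower()] = m.group(2)
    return entries


def launch_entries(text):
    """Return only the entries that would execute a program on insertion."""
    return {k: v for k, v in parse_autorun(text).items() if LAUNCH_KEYS.match(k)}


if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_AUTORUN), ("benign", SAMPLE_BENIGN)):
        print(f"{label}: {launch_entries(sample)}")
```

Note that the parser skips comment lines and anything that isn’t key=value: malware has historically padded autorun.inf with junk to defeat naive parsers, and a tolerant parser is what Windows itself effectively uses. Inspecting the file is for triage; the actual fix is to turn AutoRun off for removable media through Group Policy (the NoDriveTypeAutoRun policy) so that nothing in this file runs in the first place.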

So you can see that the people developing this worm software have spent a lot of time understanding what’s going on. And it’s going to take diligence. It’s going to take some technology. And it’s going to take you understanding how to block these things to make sure they don’t become a problem in your environment.