Abstract— Computer viruses are widely recognized as a significant computer threat. The “birth rate” of new viruses is high and increasing due to global connectivity, and technology improvements can accelerate their spread. In response to this threat, some contemporary research efforts are aimed at creating computer virus immune systems. This paper analyses the computer viruses and attacks and also some countermeasures to prevent them. In particular, we discuss Intrusion Detection and Prevention techniques for handling web based attacks and to patch up different kinds of vulnerabilities in computer system.

I. INTRODUCTION
Web based system makes the next way of computing. Global prosperity and even faster pace of business are driving the desire for employees, partners and customers to able to communicate from different location in this world.
With this phenomenal growth of computing devices, the threat of viruses is likewise growing. New platforms such as MAC OS of Apple and Microsoft Windows are highly attractive targets to virus and Trojan writers. As technology in the world of networking industries advances, virus writers have plenty of room for growth. Worse thing is security measures such as firewalls and virus scanners i.e. antivirus softwares are not widely used. The future may be even worse. With distributed programming platforms such as .NET, combine with Microsoft’s Windows platform the potential for viruses is even greater.

II. OVERVIEW OF THREATS AND POTENTIAL DAMAGE
On the surface, the vulnerability of wireless devices to viruses and malicious code threats appears to follow the same patterns of vulnerabilities that the wired world has experienced. Yet, upon closer inspection, the vulnerabilities are more numerous and complex and can be categorized into three groups:
• Application-based threats
• Content-based threats
• Mixed threats Application-based Threats
Application-based threats are posed by executable malicious code that latches on to existing, or new, wireless applications. The first malicious application-based program that specifically targeted the Palm operating system (OS) used in Palm Pilot personal digital assistants (PDAs) was Liberty Crack.

Content-Based Threats
In content-based threats, the content (e.g., derogatory messages) is the threat, or malicious use of the content is the threat (e.g., spamming of email). While email has become the “killer app” of the wireless world, it is also one of the most vulnerable to attack. Hence, the most common content-based threats to the wireless infrastructure occur through infected email or spam mail.
Another potential content-based threat that may soon enter the wireless world, as wireless devices become more sophisticated over time, is the embedded script virus or worm. Prior to the first observation of this class of viruses, viruses could be contracted only through email by double clicking on an infected email attachment. With the discovery of embedded script viruses, such as the VBS_Kakworm and VBS_Bubbleboy, viruses can now infect a user’s system when the email is opened.

Mixed Application/Content-Based Threats
The third type of threat is worse than the previous two types combined. While not yet seen in the wild or even in the laboratory, a threat that integrates techniques from both of these threat types could be formidable indeed. Imagine a virus that involved the unwitting download of sophisticated malicious code attached to a shareware program that wiped out wireless device applications and propagated itself rapidly across the wireless infrastructure via address books of email. Such a virus could cause damage to each device it encountered and spread across a country, or across the world, overnight.

III. VIRUS

The terms “computer virus” and “virus” are used very loosely in everyday conversation and have become synonymous with “trouble”.
A virus is usually not something that creates cool screen effects and enables you to hack into Pentagon. The “Launching virus” screen as seen in Hollywood movies bear no resemblance with real life viruses. In reality, a virus infection is most often invisible to the user. The machine may slow down a little. Some programs may be unstable and crash at irregular intervals, but then again that happens every so often on clean systems too.
Still, some viruses have some sort of screen effect. The Windows virus “Marburg” fills the desktop with red circles with a white “X” inside”. A couple of viruses will make desktop icons escape the mouse cursor. Such effects are not particularly common, since they expose the existence of the virus.
Viruses require a host, and their goal is to infect other files so that the virus can “live” longer. Some viruses perform destructive actions although this is not necessarily the case. Many viruses attempt to hide from being discovered.

Different Types of Computer Viruses
There are Different Types of Computer Viruses could be classified in (origin, techniques, types of files they infect, where they hide, the kind of damage they cause, the type of operating system or platform they attack) etc. Let us have a look at them…
Enlarge Image Computer Virus is a kind of malicious software written intentionally to enter a computer without the user’s permission or knowledge, with an ability to replicate itself, thus continuing to spread. Some viruses do little but replicate others can cause severe harm or adversely effect program and performance of the system. A virus should never be assumed harmless and left on a system. Most common types of viruses are mentioned below:

1.Resident Viruses
This type of virus is a permanent which dwells in the RAM memory. From there it can overcome and interrupt all of the operations executed by the system: corrupting files and programs that are opened, closed, copied, renamed etc.

Examples include: Randex, CMJ, Meve, and MrKlunky.

2.Direct Action Viruses
The main purpose of this virus is to replicate and take action when it is executed. When a specific condition is met, the virus will go into action and infect files in the directory or folder that it is in and in directories that are specified in the AUTOEXEC.BAT file PATH. This batch file is always located in the root directory of the hard disk and carries out certain operations when the computer is booted.

3.Overwrite Viruses
Virus of this kind is characterized by the fact that it deletes the information contained in the files that it infects, rendering them partially or totally useless once they have been infected. The only way to clean a file infected by an overwrite virus is to delete the file completely, thus losing the original content. Examples of this virus include: Way, Trj.Reboot, Trivial.88.D.

4.Boot Virus
This type of virus affects the boot sector of a floppy or hard disk. This is a crucial part of a disk, in which information on the disk itself is stored together with a program that makes it possible to boot (start) the computer from the disk. The best way of avoiding boot viruses is to ensure that floppy disks are write-protected and never start your computer with an unknown floppy disk in the disk drive.
Examples of boot viruses include: Polyboot.B, AntiEXE.

5.Macro Virus
Macro viruses infect files that are created using certain applications or programs that contain macros. These mini-programs make it possible to automate series of operations so that they are performed as a single action, thereby saving the user from having to carry them out one by one.
Examples of macro viruses: Relax, Melissa.A, Bablas, O97M /Y2K.

6.Directory Virus
Directory viruses change the paths that indicate the location of a file. By executing a program (file with the extension .EXE or .COM) which has been infected by a virus, you are unknowingly running the virus program, while the original file and program have been previously moved by the virus.
Once infected it becomes impossible to locate the original files.

7.Polymorphic Virus
Polymorphic viruses encrypt or encode themselves in a different way (using different algorithms and encryption keys) every time they infect a system.
This makes it impossible for anti-viruses to find them using string or signature searches (because they are different in each encryption) and also enables them to create a large number of copies of themselves.
Examples include: Elkern, Marburg, Satan Bug, and Tuareg.

8.File Infectors
This type of virus infects programs or executable files (files with an .EXE or .COM extension). When one of these programs is run, directly or indirectly, the virus is activated, producing the damaging effects it is programmed to carry out. The majority of existing viruses belong to this category, and can be classified depending on the actions that they carry out.

9.Worms
A worm is a program very similar to a virus; it has the ability to self-replicate, and can lead to negative effects on your system and most importantly they are detected and eliminated by antiviruses.
Examples of worms include: PSWBugbear.B, Lovgate.F, Trile.C, Sobig.D, Mapson.

10.Trojans or Trojan Horses
Another unsavory breed of malicious code are Trojans or Trojan horses, which unlike viruses do not reproduce by infecting other files, nor do they self-replicate like worms.

11.Logic Bombs
They are not considered viruses because they do not replicate. They are not even programs in their own right but rather camouflaged segments of other programs.
Their objective is to destroy data on the computer once certain conditions have been met. Logic bombs go undetected until launched, and the results can be destructive.

12.Malware Malware, short for malicious software, is software designed to infiltrate a computer without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.[1] The term "computer virus" is sometimes used as a catch-all phrase to include all types of malware, including true viruses.
Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software. In law, malware is sometimes known as a computer contaminant, for instance in the legal codes of several U. S. states, including California and West Virginia.[2][3]
Malware is not the same as defective software, that is, software which has a legitimate purpose but contains harmful bugs.
Preliminary results from Symantec published in 2008 suggested that "the release rate of malicious code and other unwanted programs may be exceeding that of legitimate software applications."[4] According to F-Secure, "As much malware [was] produced in 2007 as in the previous 20 years altogether." Malware's most common pathway from criminals to users is through the Internet: primarily by e-mail and the World Wide Web.

IV. TYPES OF ATTACKS
• Web Based Attacks
• External Media
• E-Mail attachments
• Network sharing
• Weak Passwords
• Pirated Softwares(Freewares)

Web Based attacks

1.Drive by download: 1. Downloads which the user indirectly authorized but without understanding the consequences (e.g. by installing an unknown ActiveX component or Java applet). 2. Any download that happens without knowledge of the user. 3. Download of spyware, a computer virus or any kind of malware that happens without knowledge of the user. Drive-by downloads may happen by visiting a website, viewing an e-mail message or by clicking on a deceptive popup window: the user clicks on the window in the mistaken belief that, for instance, it is an error report from his own PC or that it is an innocuous advertisement popup; in such cases, the "supplier" may claim that the user "consented" to the download though s/he was completely unaware of having initiated a malicious software download. 4. Download of malware through exploitation of a web browser, e-mail client or operating system bug, without any user intervention whatsoever. Websites that exploit the Windows Metafile vulnerability may provide examples of "drive-by downloads" of this sort.

2.Browser exploit:
A browser exploit is a piece of code that exploits a software bug in a web browser such that the code makes the browser do something unexpected, including crash, read or write local files, propagate a virus or install spyware. Malicious code may exploit HTML, JavaScript, Images, ActiveX, Java and other Web technologies. HTML alone is harmless (can only crash browser in some cases on vulnerable web browsers), however, in conjunction with malicious ActiveX or Java code, it can potentially freeze or crash a browser, or even crash the computer running that browser.
The term "browser exploit" can also refer to the actual bug in the browser code.

External media

• Pen Drives
• CD-ROMs
• Hard Disks
• Memory Card
1.Pen drives Pen drives contain a flash memory. So they are more prone to viruses. Whenever we insert a infected pen drive into a computer, it affects the autorun.exe file.

2. CD-ROMs CD-ROMs are most affected by viruses than pen drives. If CD is infected and if we insert it into computer it directly runs autorun.exe file.

3.Hard Disk and memory cards External hard disks, memory cards and pen drives are affected in a same manner.

Network sharing Earlier mainframe computers were used which were like a closed box. At that time it was kept aside in one corner of room. If anyone wants to used it, then they have to actually go there and complete the job.
Nowadays many network topologies are used like bus, star, ring, token ring etc. So the concept of network sharing came into picture.
Shared network is more prone to get infected from viruses. In this scenario infected computer gets easy access to other computer in the network. If in a network there are number of computers and suppose one computer gets affected by virus then the virus spreads in the entire network as if it feels whole network is a single computer.

Weak password Suppose for your account you set a password as “12345” or just keep it blank then it is easy to get crack by hackers. Some malwares get access to user data by cracking the passwords. After the data is hacked then the hacker has a total control on your computer. Pirated softwares Nowadays we get as many as freewares on the internet. But the fact is these freewares can be infected from some dangerous viruses. When we download these freewares, automatically virus file gets installed on your computer in the background without your knowledge.

V. VULNERABILITY AND COUNTERMEASURES

The vulnerability of operating systems to viruses Just as genetic diversity in a population decreases the chance of a single disease wiping out a population, the diversity of software systems on a network similarly limits the destructive potential of viruses.
This became a particular concern in the 1990s, when Microsoft gained market dominance in desktop operating systems and office suites. The users of Microsoft software (especially networking software such as Microsoft Outlook and Internet Explorer) are especially vulnerable to the spread of viruses. Microsoft software is targeted by virus writers due to their desktop dominance, and is often criticized for including many errors and holes for virus writers to exploit. Integrated and non-integrated Microsoft applications (such as Microsoft Office) and applications with scripting languages with access to the file system (for example Visual Basic Script (VBS), and applications with networking features) are also particularly vulnerable.
Although Windows is by far the most popular operating system for virus writers, some viruses also exist on other platforms. Any operating system that allows third-party programs to run can theoretically run viruses. Some operating systems are less secure than others. Unix-based OS's (and NTFS-aware applications on Windows NT based platforms) only allow their users to run executables within their own protected memory space.

Anti-virus software and other preventive measures Many users install anti-virus software that can detect and eliminate known viruses after the computer downloads or runs the executable. There are two common methods that an anti-virus software application uses to detect viruses. The first, and by far the most common method of virus detection is using a list of virus signature definitions. This works by examining the content of the computer's memory (its RAM, and boot sectors) and the files stored on fixed or removable drives (hard drives, floppy drives), and comparing those files against a database of known virus "signatures". The disadvantage of this detection method is that users are only protected from viruses that pre-date their last virus definition update. The second method is to use a heuristic algorithm to find viruses based on common behaviours. This method has the ability to detect viruses that anti-virus security firms have yet to create a signature for. Some anti-virus programs are able to scan opened files in addition to sent and received e-mails 'on the fly' in a similar manner. This practice is known as "on-access scanning." Anti-virus software does not change the underlying capability of host software to transmit viruses. Users must update their software regularly to patch security holes. Anti-virus software also needs to be regularly updated in order to prevent the latest threats. One may also minimise the damage done by viruses by making regular backups of data (and the operating systems) on different media, that are either kept unconnected to the system (most of the time), read-only or not accessible for other reasons, such as using different file systems. This way, if data is lost through a virus, one can start again using the backup (which should preferably be recent).
If a backup session on optical media like CD and DVD is closed, it becomes read-only and can no longer be affected by a virus (so long as a virus or infected file was not copied onto the CD/DVD). Likewise, an operating system on a bootable CD can be used to start the computer if the installed operating systems become unusable. Backups on removable media must be carefully inspected before restoration.

VI. INTRUSION PREVENTION SYSTEM An IPS is typically designed to operate completely invisibly on a network. IPS products do not typically claim an IP address on the protected network but may respond directly to any traffic in a variety of ways. (Common IPS responses include dropping packets, resetting connections, generating alerts, and even quarantining intruders.) While some IPS products have the ability to implement firewall rules, this is often a mere convenience and not a core function of the product. Moreover, IPS technology offers deeper insight into network operations providing information on overly active hosts, bad logons, inappropriate content and many other network and application layer functions.

Types

1.Host-based A host-based IPS (HIPS) is where the intrusion-prevention application is resident on that specific IP address, usually on a single computer. HIPS complement traditional finger-print-based and heuristic antivirus detection methods, since it does not need continuous updates to stay ahead of new malware. As ill-intended code needs to modify the system or other software residing on the machine to achieve its evil aims, a truly comprehensive HIPS system will notice some of the resulting changes and prevent the action by default or notify the user for permission. Extensive use of system resources can be a drawback of existing HIPS, which integrate firewall, system-level action control and sandboxing into a coordinated detection net, on top of a traditional AV product. This extensive protection scheme may be warranted for a laptop computer frequently operating in untrusted environments (e.g. on cafe or airport Wi-Fi networks), but the heavy defences may take their toll on battery life and noticeably impair the general responsiveness of the computer as the HIPS protective component and the traditional AV product check each file on a PC to see if it is malware against a huge blacklist. Alternatively if HIPS is combined with an AV product utilising white listing technology then there is far less use of system resources as many applications on the PC are trusted (white listed), however some time must first be spent 'allowing' currently installed applications and any that are installed at a future date - a common drawback with white listing-based solutions. HIPS as an application then becomes a real alternative to traditional antivirus products.

2. Network A network-based IPS is one where the IPS application/hardware and any actions taken to prevent an intrusion on a specific network host(s) is done from a host with another IP address on the network (This could be on a front-end firewall appliance.) Network intrusion prevention systems (NIPS) are purpose-built hardware/software platforms that are designed to analyse, detect, and report on security related events. NIPS are designed to inspect traffic and based on their configuration or security policy, they can drop malicious traffic. This can be prevented with more effective UTM system

3. Content-based A content-based IPS (CBIPS) inspects the content of network packets for unique sequences, called signatures, to detect and hopefully prevent known types of attack such as worm infections and hacks.

4. Protocol Analysis A key development in IDS/IPS technologies was the use of protocol analysers. Protocol analysers can natively decode application-layer network protocols, like HTTP or FTP. Once the protocols are fully decoded, the IPS analysis engine can evaluate different parts of the protocol for anomalous behaviour or exploits. For example, the existence of a large binary file in the User-Agent field of an HTTP request would be very unusual and likely an intrusion. A protocol analyser could detect this anomalous behaviour and instruct the IPS engine to drop the offending packets. Not all IPS/IDS engines are full protocol analysers. Some products rely on simple pattern recognition techniques to look for known attack patterns. While this can be sufficient in many cases, it creates an overall weakness in the detection capabilities. Since much vulnerability have dozens or even hundreds of exploit variants, pattern recognition-based IPS/IDS engines can be evaded. For example, some pattern recognition engines require hundreds of different signatures (or patterns) to protect against a single vulnerability. This is because they must have a different pattern for each exploit variant. Protocol analysis-based products can often block exploits with a single signature that monitors for the specific vulnerability in the network communications.

5. Rate-based Rate-based IPS (RBIPS) are primarily intended to prevent Denial of Service and Distributed Denial of Service attacks. They work by monitoring and learning normal network behaviours. Through real-time traffic monitoring and comparison with stored statistics, RBIPS can identify abnormal rates for certain types of traffic e.g. TCP, UDP or ARP packets, connections per second, packets per connection, packets to specific ports etc. Attacks are detected when thresholds are exceeded. The thresholds are dynamically adjusted based on time of day, day of the week etc., and drawing on stored traffic statistics.

Unusual but legitimate network traffic patterns may create false alarms. The system's effectiveness is related to the granularity of the RBIPS rule base and the quality of the stored statistics. Once an attack is detected, various prevention techniques may be used such as rate-limiting specific attack-related traffic types, source or connection tracking, and source-address, port or protocol filtering (black-listing) or validation (white-listing).

VII. CONCLUSION Viruses inevitably infect every platform. In addition, future infections are likely to be far worse. Because of the nature of wireless networks, airborne viruses of the future might spread with overwhelming speed. Securing the web world from viruses is a multi-layered effort. Corporations must secure their networks with solutions that include provisions for catching wireless threats as they pass through the Internet gateway, email servers, and desktops. Service providers and others should plan now to implement antivirus solutions to secure the traffic they manage for their customers.

REFERENCES

[1] "Defining Malware: FAQ". technet.microsoft.com. http://technet.microsoft.com/en-us/library/dd632948.aspx
[2] Documentation from Symantec, Trend Micro and F-Secure.
[3] National Conference of State Legislatures Virus/Contaminant/Destructive Transmission Statutes by State.
[4] jcots.state.va.us/2005%20Content/pdf/Computer%20Contamination%20Bill.pdf [§18.2-152.4:1 Penalty for Computer Contamination]
[5] "Symantec Internet Security Threat Report: Trends for July-December 2007 (Executive Summary)" (PDF). Symantec Corp.. April 2008. pp. 29. http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xiii_04-2008.en-us.pdf. Retrieved 2008-05-11.
[6] Norman Book on Computer Virus.