Simple Virus For Teaching?
ed1023 writes "Currently I am teaching a 101 class on computers. It is more of a 'demystifying the black box' type of class. The current topic is computer viruses; I am looking for a virus with which I can infect the lab computers (only connected to local network, no outside network connection) that would be easy for the students to remove by hand. Can the Slashdot community point me in any directions? Is there an executable out there that would work, or do I try to write one myself, or is there one that is written that I can compile myself?"
What OS are you running? You could create a simple bat script that pops up an annoying message every 20 or 30 minutes to show your students an "infected" machine.
Simple worm for beginners!
Here, let me link you to an executable file so you can download it and run it on an entire lab of computers. It's safe, don't worry.
http://en.wikipedia.org/wiki/EICAR_test_file
Windows? Fairly easy to remove.
I don't even know if I'm joking.
This has been around forever. http://www.eicar.org/anti_virus_test_file.htm
Do NOT click on any links posted in the comments on this article.
Works on the students, too.
Use Michelangelo, your favorite Ninja Turtle and March 6th event!
Using the Freedom of Speech while I still have it.
Stoned is a classic and a pleasure to disassemble. It fits in a boot sector (512 bytes) and it's not particularly malicious, but it has all the elements that a virus needs. I don't know if it would still work on a modern computer, though: Some old viruses used funky instructions that became obsolete (like "POP CS"), and this one seems to have issues working on large-capacity disks.
Virii all have different signatures, so it doesn't matter what signature you choose.
Just write a script that pokes something into the registry and adds a funny file to the Windows system directory, and use it on each computer before class.
Then write a script that pretends to find it and tell them where it is when they run it in class.
Ask them what they should do next.
It sounds instructive, but you will probably get fired for lacking good judgement.
There are plenty of stories where teachers do similar things that end up getting them fired. Teaching students how to write viruses, faking a classroom kidnapping, how to plan a terrorist attack, etc.
Teaching your students how to write a virus is a classic case of bad judgement. Your superiors will tell you "What were you thinking?" and you will get let go.
Teach them verbally how viruses are created, but don't assign anything as homework.
Just pick any of the scores of .exe files masquerading as cracks on LimeWire. You’ll have to turn off the AV and executable file filter to download it, of course...
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
No matter how safe the OS they are using is, or what antivirus they have to run on it, the biggest risk is on the other side of the keyboard. Show them the Good Times "virus"; a bit of social engineering is easier to see than abstract code.
Obviously, you should know exactly what it is that the virus is doing. No, not approximately: I mean all the way down to the machine instruction level. If it comes only in a binary, disassemble and figure out everything. Use virtual machines to add a layer of protection, and be aware that some malware knows it's being run in a VM and may behave differently under these conditions. Of course, those are much more than you need.
The safest bet is to write your own. That way, you know what it's doing.
First of all, EICAR isn't helpful at all, it's simply a magic string that AV software is supposed to pick up. It won't teach anyone anything about how a virus actually works.
Second, if you have to ask /. about this, you probably shouldn't be playing with these things. There are a million virus writing guides out there, a simple search turns up pages like this:
http://vx.netlux.org/lib/static/vdat/tutorial.htm
Most of these tutorials were written a long time ago, with topics such as infecting .com files (not that anyone remembers what those are anymore). If you want a simple overwriting virus, that isn't hard to find examples of or make at all. However, there won't be a way for the students to clean the infected files, as the information in the beginning of the file will have been lost. If you want something that infects .EXEs while still letting them run without problems, you're going to end up with complicated code that adds sections onto an executable, modifies the EXE header, etc. While none of this is too hard to understand if you have programming ability and time to sit there and look at how it works, what you're looking for won't exist at a Computers 101 level.
Try getting yourself one of those stuxnet worms, i hear they are pretty good.
It wasn't even mentioned that this is a coding class.
It is a class about computers, and he wants to teach virus removal.
Stop being such a lawyer and actually read the summary ffs.
Heh this is probably correct... Best would be to go get some virus CODE and display it on a screen and step through how it hooks itself into a system. A great thing to use here is the 0ldschool types that would infect the exe headers and plant itself at the end. Or some that do the code cave storage. Then move from there and show them rootkits, as they are pretty much just a way more advanced version of those. Plenty of resources online for that. One particular book that is somewhat old now but still really informative http://www.amazon.com/Rootkits-Subverting-Windows-Greg-Hoglund/dp/0321294319
RTFA again. He said he would install it and they would remove it. While your point about how doing this could possibly get him fired still stands, he's talking about only having the students remove it.
Just code your own virus. You'll know how to remove it. Alternatively, if you are teaching an advanced class as well, have those students write it.
He asked for a simple virus the students can remove by hand, not how to create them. I think the point he's trying to make is using a computer safely and if you do get a virus, what to do and how to remove it. I suppose the reason he asked to compile it is so he can see the source code? Or maybe I'm just an insensitive clod!
Something oldschool. So even when administration DOES try to fire you, you can say "REALLY? Over a virus that infects floppies, on a network that doesn't have a single floppy drive installed?". Just don't do it on the first week of May.
Quartz Extreme and Core Image. Are there any other real reasons to spend all that money on generic hardware?
Here: http://members.rediff.com/eggo/viruspascal.htm This is a really simple virus that you could use. Sorry the page is in Portuguese, but the code itself is easy to understand.
At my university, we have a computer security lab just for this purpose. It's completely isolated from the internet and the campus network, with all computers, servers, switches, etc. available for student access.
As with all dangerous things, the key is to make everyone aware of the dangers and the consequences, and then closely supervise them. A lab course I took actually required us to use plutonium for neutron activation. As far as dangerous things go, that's on the top of the list. But we wore film badges and were supervised, and everything turned out okay.
What do you expect a student to learn from being told "there is a virus on this machine, remove it by hand"?
If they are in the "demystifying the black box" phase, they have no idea what you're talking about.
Teach them that viruses are just programs like Word or Excel, except with a specific malicious purpose. Give them an overview of how a machine or user might be tricked into running malicious software. Teach them about how malicious software might propagate. Use historical examples. Talk about privileges.
Virus is a slang term that brings up all kinds of scare reactions in ordinary people. They immediately assume that machines are vulnerable to bacteria floating around on the wind, or something similar. You need to de-emphasize the term "virus". It's just software. Then teach them that 99% of all malicious software runs on Windows, and that it's a reflection of the number of vulnerabilities in Windows code and market share.
Write a simple program that copies itself to the Windows folder and starts itself at boot. The program should show an alert box saying "HACKED BY PROFESSOR HANDSOME!!!!" if it sees it is being run from the Windows folder. Put it on a USB key with an autorun.ini, tell them you have placed a virus you wrote on there, and let them sort it out. Just be sure you're on an XP machine and that autorun is enabled.
Better yet, email the .exe to the entire class. Call it CS101-Example.exe, and use the harmless infection to talk about social engineering. Then take them through the 'infection' process, and show them how to remove the file by hand.
It's Windows, so it's easy... just create a CD or USB drive with two files:
autorun.inf :
[autorun]
open=installpopup.bat
installpopup.bat :
cmd.exe /k echo "Hi I am a virus"
copy installpopup.bat "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
Bonus is that it has plenty of legitimate uses for system automation for your little script kiddies as well.
actually in the article he makes it clear he wants to infect a computer to show students how to remove it. Still is risking it, especially since it is normally a simple procedure to remove a virus with an anti virus program.
every anarchist is a baffled dictator. Benito_Mussolini
or must it be GPL?
My favourite batch file. It is a shame Windoze does not support a proper POSIX language, but only this crappy DOS batch stuff. AFAIK this script does not work on vista, but works on Windows 7 and XP.
@echo off
:START
msg %username% Memory exception at 0x%RANDOM%
goto START
It loops, layering more and more pop-ups the longer it runs. As soon as one is closed or 60 seconds elapses another appears in the centre of the screen, de-focusing whatever the user was typing in or doing. Put it in allusers/startmenu/startup.
Now write a second batch file and hide it somewhere along with another copy of the above. It should check IF FILE EXIST for the above script, and if it does not exist then copy the above script back to the 'startup' directory. Make this IF FILE EXIST batch file execute on start-up via registry.
The benefits are that nothing harmful is done and other processes are piggybacked for the operation ( I believe explorer.exe perhaps stores the popup queue? ), so you won't spot anything out of the ordinary in taskmanager
Fixing can be done by simply deleting the files ( if the kids can find where they are located ).
AFAIK The pop-ups survive even into the login prompt if the user logs out.
Linux has bugs. Windows has holes. I am +10/11GMT.
Yea, er... did you miss the FIRST TWO FUCKING SENTENCES of the post?
Here, in case you really did:
Currently I am teaching a 101 class on computers. It is more of a demystifying the black box type of class.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
We did the same thing in health class. The first part of the tutorial was really fun, the latter part not so much.
You are most likely going to be better off to just write a program or script that makes a few files called "lookatme" along with a few registry entries and have them remove that.
Most virus' that you will find will tip the AV software. Almost all easy virus' will be automatically removed by it too. If you are not running some AV software, then you're in a little trouble to begin with, as you shouldn't be teaching people to run windows boxen without AV software.. Sure, you could probably set the AV software to ignore the file itself, but it likely wouldn't ignore the execution if it wasn't a straight up program that just wrote files (memory injection and process hiding techniques will most likely cause issues as most AV clients nowadays rely more on heuristics than actual signatures).
If I was you, I would write a script that makes a text file in the windows directory, the system directory, temp directory and maybe adds a few registry entries in the run portions of the registry. Perhaps one of the text files could read something like- "you have been pawned by the elite text virus" or something and have it open on start up. Perhaps put it on every other computer and have them search for how to remove it on the one next to them while working in pairs. Make a simple instruction on how to remove it by looking in the appropriate start up areas, looking in the common file target areas, and then finally by downloading a reverse script and running it that removes all traces of it.
Oh yea, surf for porn/ something as shady on each computer before you load the fake virus so part of the removal/disinfection process can be getting freely available tools like Adaware or malwarebytes and so on and it will find something to remove. If they aren't connected to the internet, then make sure the free tools are something that doesn't need an internet connection to download. You might also want to remove the AV software and have them simulate installing it afterward to ensure/instill that there should be some level of protection at all times.
Er, did you even read the damn post?
Here, let me help you out with the first four fucking words:
Currently I am teaching...
Someone that is asking a question such as the OP isn't going to know what a distro is dude, you have to break it down for them. Regardless, your post wasn't even remotely funny. It was redundant and boring, the kind of thing that a 13 year old posts these days.
He's not asking how to teach them to write a virus...
Please (re?)read the post...
Perhaps a better learning experience would be to connect the lab (or a handful of the students' own computers) to the Internet, and stick a box running Snort (www.snort.org) with Emerging Threats (www.emergingthreats.net) signatures in between. If, by some miracle (or the fact that they're all Macs) you don't have any immediate indicators of infection, then head on over to teh Googles and search for 'smiley tool bar' or 'free porn' with the I'm-Feeling-Lucky button. That ought to do the trick.
Get a full packet capture of the session so you can dissect how the virus was able to get on the machine, where it left hooks, how its similar and different to other types of malware, etc.
I agree that a review of a simple virus is a worthwhile endeavor, but perhaps that's best learned via a good book or whitepapers on the Internet. Save the demo for something that's relevant and 'live'.
And on second thought, maybe its best if you set up a demo machine to be infected. That way you can nuke it from space afterwards, just to be sure.
A friend of mine who taught at a community college actually did this back in the mid 90s. He took a copy of Nowhere Man's Virus Creation Lab and tossed together a couple annoying but non-destructive viruses and infected a few stand alone machines for the students to play with.
You can probably still find VCL out there, or a more modern DIY virus kit. Though with the new ones, I'm not sure I would trust they don't have any hidden functionality.
.sig: Now legally binding!
Dude this is slashdot. I skip the first 4 sentences and read the last line to sum it up for me. Besides, I wonder what he is doing teaching this if he has to ask this. Just install a damn virtual machine and play in there. Don't infect the lab that other teachers students need to use with a virus that you have to ask someone for.
You don't want an actual virus. Viruses are becoming less common; they are now the delivery vector more than anything. Most of my badware experience in the last year or three has been exploits, generally server-hosted and browser-targeting. Malware is the payload and payday, that's where the action is. Malware is also typically the user-facing component as well.
Go find Antivirus 2009, or the most recent respin of that godawful thing. It's fairly straightforward to remove, fairly obvious when it's present, and just aggressive enough against removal operations to be realistic. It won't self-replicate and spread, but it will give you a removable and obvious "infection".
The preceding comment is my own, and in no way construes an opinion of the Emperor of Mankind.
you'll be all set! No, of course you won't get fired.
It might be caught by modern browsers, but if you turn off all the security features (or just load up IE5 or something like that), you might be able to pull the one where you open an html document (with embedded javascript for the "virus" portion) and it, in turn, opens up two copies of itself. Those two each open two copies, and so on and so forth, until you've brought your machine to a screeching halt with the glut of windows opening up.
Easy to fix, too. Just manually shut down the machine (either hard power off or yank the cord), then delete the offending file.
(((dB)))
A very simple conceptual and inoffensive "virus" could be a simple bat that copies itself with a >> to any bat file... something really annoying I made once was a file called: "glutton.bat" which had,
@echo off
echo Can't stop eating...
echo I just can't...
echo glutton.bat>>target.bat
As soon as glutton is run, target gets "infected" with a new line... and when "target.bat" is run, it will just keep increasing its size ad infinitum.
This is not executable and still explains the fundamental concept of how a virus behaves.
Now, if you want to infect a network with a proper worm, that is another story and I think that explaining about exploits and autorooters is way out of the scope of a 101 class IMO.
Create a batch file with a shady sort of name
You can use a simple command like >> start iexplore -k "error.htm"
Use http://download.cnet.com/Bat-To-Exe-Converter/3000-2069_4-10555897.html to convert the file to an executable. Have your students run the file so that it opens the error page in IE kiosk mode. (Annoying enough to not have a "Close" button.) Demonstrate how open windows can be tracked to their parent process (error.htm is opened by sh4dY.exe) from within task manager. Hunt down and terminate the offending process, delete the exe and maybe the offending web page.
If you wanted to teach students about viruses and had a Win 98 system or any system that has DOS you could do really simple demos. A nice sounding batch file with a format command would be a start. Once the students understand that even primitive programmers can create malware easily then you might show them some of the scripts that people plug into their own programs to cause devastation. Next might be to explain that advanced programmers and even governments can write really sinister viruses but that may involve years of learning. It might also involve years in prison.
Who are they going to blame?
I can picture that bright, inquisitive kids (and maybe a few of the bad apples too) get a hold of a virus and create a copy of it / upload it to a server / save it to a USB drive, and then it gets out and infects other school computers; then guess whose door they're going to knock on?
Yes, there's plenty of ways that kids can get virus code on their own. But there's a big difference between when a kid picks up a loaded gun from home, vs getting one from the teacher, and hoping that it doesn't go off in an unintended manner.
It was filled with people who barely knew how to work a television remote, let alone use a computer. I think you might be wasting your time...
Filthy, filthy copyrapists!
Teach them how a computer actually works - if they don't know what's normal, how the heck are they supposed to recognize when something is wrong?
Besides, if they're too stupid to recognize what's normal by now (like they've never really used a computer before), you're wasting your time "demystifying computers." If they're too old, or too young, you're again wasting your time. Perhaps we should send you to Soviet Russia and have a virus remove YOU!
Get 'The Giant Black Book of Computer Viruses' - old but I remember it had simple ASM viruses you could play with.
Can I light a sig ?
This is a great idea for a intro level course. Not only does it teach about viruses, but about social engineering viruses - the ones that do no harm unless you "buy in" and follow the malicious instructions. Leave a cheap USB stick on their desks, or on the floor. It just needs to contain the self written virus and autorun.ini, those who plug it in fail, those that don't, pass - at least the first stage of the test. Then let them develop their own break-out groups to remove it from those student's machines that fail the first part. Great lesson! Very inventive and engaging! Make the virus like the one (I cannot remember the exact name) that infects machines by displaying a Microsoft Security Essentials message saying IE is infected, then tries to get you to download anti-malware software that actually is malware. My two cents ( of course my 2 cents are valued at rates from the 1970's, so through devaluation and inflation... whatever)
if UAC is enabled, Explorer is not running with privileges that can write to the All Users profile.
For that matter, this will fail on any system where the profile directory isn't in "C:\Documents and Settings", which includes any non-English OS.
Use
copy installpopup.bat "%userprofile%\Start Menu\Programs\Startup" instead
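Before a stick like the one in the autorun.inf post above is plugged into a lab machine, the instructor can read the file and see exactly what it would launch. The following PowerShell is an added example, not code from the thread: it parses the [autorun] section (open, shellexecute, shell verbs) and lists the resulting actions. The Get-AutorunActions name and the sample autorun.inf contents are constructed here.

```powershell
# Added example, not from the thread: parse an autorun.inf and report what it
# would launch, so a drive can be inspected before anyone trusts it.

function Get-AutorunActions {
    param([string[]]$Lines)   # contents of autorun.inf, one element per line
    $section = ''
    $actions = @()
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }          # blank / comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1].ToLower(); continue }
        if ($section -ne 'autorun' -or $line -notmatch '=') { continue }
        $key, $value = $line -split '=', 2
        $key = $key.Trim().ToLower(); $value = $value.Trim()
        $trigger = ''
        switch -Regex ($key) {
            '^open$'                   { $trigger = 'open (run on insert when AutoRun is on)' }
            '^shellexecute$'           { $trigger = 'shellexecute (run on insert when AutoRun is on)' }
            '^shell\\[^\\]+\\command$' { $trigger = "context-menu verb $key" }
            '^shell$'                  { $trigger = 'default verb' }
        }
        if ($trigger) {
            $actions += [pscustomobject]@{ Trigger = $trigger; Target = $value }
        }
    }
    return $actions
}

# Constructed sample mirroring the USB-stick post; not a real drive
$sample = @'
; constructed autorun.inf
[autorun]
open=installpopup.bat
icon=setup.ico
label=Free Stuff
shell\readme\command=notepad.exe readme.txt
'@

Get-AutorunActions -Lines ($sample -split "`r?`n") | Format-Table -AutoSize

# To inspect a real drive instead (E: assumed):
#   Get-AutorunActions -Lines (Get-Content 'E:\autorun.inf') | Format-Table -AutoSize
```

On the sample this lists two actions: the open= line pointing at installpopup.bat and the readme context-menu verb; icon and label are reported as nothing because they launch nothing.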
Demonstrated how someone is murdered. I was glad I didn't draw the short straw to be the victim.
They're now serving life.
So with this type of example in today's computing world, I would suggest a simple program that is autorun at start, say in the registry under windows/current version/run or the like. It could write a copy of itself to the temp folder and check every 5 seconds to see if the key or file has been modified/removed. This can all be done easily with say a vbs/batch/pshel script.
example location:
HKLM\software\microsoft\windows\current version\run\
Just keep say the main copy in %TEMP% and try to keep persistence in the %windir%.....The possibilities are endless
and using $ for variables was awful i will $variable any day!
If I effed up the Windows registry locales, sorry. I don't use windows much anymore.
Sure... he is teaching his computer newbs how to WRITE a virus in a 'demystify computers' class. And next period in health they will be designing the DNA of a retrovirus.
- For the complete works of Shakespeare: cat
This sort of thing is exactly what the "whatcouldpossiblygowrong" tag is for. I'm surprised it hasn't shown up yet...
Paleotechnologist and connoisseur of pretty shiny things.
...if they know of a good virus candidate?
http://www.clamav.net/
Uh, Linux geek since 1999.
Actual answer 1) You should write this yourself 2) How the virus is going to spread depends a lot on the lab you are working in. You best hard code the “infection” by name or ip. 3) You will need some form of admin rights. 4) Create Virus. 5) Give it to your class. 6) Infect PCs 7) Somehow this will go horribly wrong. 8) You will get fired.
He's planning to intentionally infect the school network with a virus as part of a lesson. Sounds like something you get fired for.
No, deleting sys files by hand is always a bad idea.
warning pointless sig
This so reminds me of Monkey.B which was a virus running rampant years ago on DOS machines. If you can get an old box, load dos or win95/98 on it you can dload Monkey.B and it will be easy to see. Just go to BIOS settings and your hard drive size chs will all be changed. Simple removal as well.
"Computers are a lot like Air Conditioners" "They both work great until you start opening Windows"
To be fair, it was annoying and could cause problems with the system. ;)
Write it yourself. The fact that you would even consider this without thinking about the potential for it to be a serious Career Limiting Move means that it should be a fun ride :)
Seriously though, install XP at some base service pack level - sp1 or sp2 might do, then connect it to the internet without any firewall. The viruses will find you.
But you could have a bit more fun than that. Write an exe file that simply pops up a "if this was a virus you'd be pwn3d by now" message. Then pick one of the popular kids in the class (lets call her Jane Smith), and send an email around to your whole class from an anonymous hotmail account (or some service that allows sending exe files) with a subject of "Ha Ha. Look at what Jane Smith got up to last night." and include the exe file with a message "pics attached". Fail everyone who opens it. You'll probably still lose your job due to the idiots they put in power, but at least you'll have taught your class a lesson (the lesson being "if you're a teacher, it pays not to think for yourself".)
You don't say what the age of your students is. If it's a university or TAFE level class you might get away with it, but you only have to offend one daddy's girl and it's all over.
I believe this is the url of the last virus I obtained: www.opengl.org/documentation/red_book/
I'm pretty sure it's a legitimate site, so the virus may have come from an ad, in which case there isn't a 100% chance that going to that site will work, but if it does that would be a good option. It delivered one of those obnoxious and ironic viruses that had pop-ups pretending to "detect a virus". It was a trojan, but it was easy to clean off by hand; it was an older virus, so all anti-virus software should find it, and the location the virus is linked to was shut down a long time ago, so it is low risk.
Hand them an OS installation CD. Tell them how once a machine is owned, you don't know how far, so back up data and restart from scratch. Done.
Just get virtualbox on each of the machines, install windows (don't bother activating; just take a snapshot after install), then start being very irresponsible and click on every banner ad you see. Also, see if anybody still uses kazaa and start searching for...anything really.
This might be a bit safer way to go: Antivirus software is sometimes tricked with false positives. I don't know what virus scanner you have on your lab machines but you can do a web search and find legitimate, harmless software that will trigger a false alert for whatever you have. Download one of those and use that to demonstrate to your students.
I assume since you say it's a 101 class that by "remove by hand" you mean by using an anti-virus program and not hacking the registry. If so, then a harmless program will work as well as a true virus/worm.
I use McAfee and it alerts on a CD eject task bar tool I once had. It thinks it is a trojan joke program (I guess to make you think your CD drive is busted). That would make a fine demonstration and a good example of don't blindly download every "cool" program you see on the 'net.
>Let's not do an instructive simulation of a common computer anomaly, lest some tech-retarded administrator punish you for being a good teacher.
and please don't ever try and teach a medical class
Create a virus that overwrites the MBR making the computer non-bootable.
There are 11 types of people, those who know unary and those who don't.
No where was it mentioned about creating one. Ever.... actually read the summary ffs.
I think you may have missed this part of the summary:
do I try to write one myself
Ask me about repetitive DNA
The answer is simple. Find the person in your class who is smarter than you (you should recognize him/her. You were that person when you were in school), and give him the chance to shine that the a-hole professor never gave you.
If you are not allowed to question your government then the government has answered your question.
He wants to infect some computers in a lab, that's why the virus can't be one that spreads to other computers so he doesn't infect the whole damn network. Now sure the best thing to do would be setup some computers on just a local LAN that doesn't have any access to the school network but that might not be an option.
Not illustrate, demonstrate. Which, while I don't share the extreme views of the GP, I think is likely to come back to bite you. These people don't know what a script is; showing them a "pseudo-virus" isn't going to substantially enlighten them, nor enhance their lives in any meaningful way. Move on to useful things and spend more time on those.
If sharing a song makes you a pirate, what do I have to share to be a ninja?
Cripe I'm old. I remember when writing a worm was an AI project. I also remember when air was clean and sex was dirty. It was all a long time ago...
Give them something entertaining and instructive to do: Introduce them to Core Wars. Modern viruses have little or nothing in common with EICAR any more. You could introduce almost all the concepts of a Comp 101 class through good Core Wars competition.
"The mind works quicker than you think!"
1: Install a Siemens PLC in the computers 2: connect the network to the internet 3: wait for Stuxnet to infect 4: profit??
I wrote a virus in middleschool (Windows 3.1 and DOS) which I showed to a friend, who infected some girl's computer. Turns out her computer belonged to her dad's small business. The ensuing shit-show of confused administrations, criminal charges, civil threats and pissed parents ended with a restraining order on ME and apparently some trouble for the "exploratory program" administrator, who at some point allowed me to use a computer, though it was most certainly not in any way involved with my extracurricular activities. Never underestimate the ability of an organization such as a school to dish out punishment on the wrong people. I agree with the parent poster, steer clear.
While Live CDs are the best way to remove a lot of viruses, and the only way to remove some, you're just being a dork.
I know, I know....AC and all....
But, instead of doing this pointless crap to get FRSTSOYSPOSGSTTPTT, why don't you do something useful.
Like, maybe point the poster to something that could be exactly what they're looking for:
http://www.bo2k.com/software/index.html
BackOrifice 2000.
Remote control/administration tool, which can be used for all sorts of perfectly legitimate things, or be totally nefarious.
It's also open source, modular, and the client control console will run on Linux.
What more could he want?
"City hall" in German is "Rathaus" Kinda explains a few things......
I think you may have missed this part of the summary:
do I try to write one myself
Keep in mind, he's trying to find a way to get the isolated network infected so the students can learn about removal. One of the options available, to those who are skilled enough, is to write one. Even in that sentence, I do not see any hint of a plan to let the students try to write one, or even see the source code to the theoretical virus. He simply wants a relatively harmless virus to use for the purpose of teaching how to deal with them. I believe some can be found at http://offensivecomputing.net/ although you need to register before you'll be able to get any.
The Penguin Producer
just have all your students look at porn on the computers for 1 day's lesson, then the next day the computers will all be well infected
www.RacquetUp.org - Helping Detroit Youth
Then what do you recommend for viruses that aren't yet detected by most antivirus software?
Just wait for definitions to come out?
No. You find and delete a system file by hand.
Yeah but the odds of running into BO in real life is slim to none, so if you are gonna teach them about bugs, why not something useful? I'd suggest one of the Rogue AV or security tool variants. Those infections are as common as dirt, being in the PC fixit biz I should know, and removal involves all the classics...F8 boot into safe mode, deleting the reg keys, then running a nice CD or USB key scanner (I'd of course recommend CD, as it is cheap and easy). Hell you can have them make their own AV Rescue Disc which then they can take home with them, and is a nice tool to have.
So I guess the real question is if this is gonna be a BS class, where you teach them something that the odds are virtually zipola of running into IRL, or give them a nice overview of how to DIY fixit work? Because while the Security Tool variants freak out the users they are actually pretty damned easy to kill once you know what you are looking for, and pretty much any bug short of a rootkit follows the SOP bugs like Security Tool use. IMHO it would be a good all around lesson, and as long as the machines aren't on the net not a threat. As a bonus you would give them an up close and personal glimpse at how scareware works, which sadly is becoming QUITE popular for malware writers. By knowing the signs and being able to spot the phonies they can actually help their less clueless relatives and be safer themselves.
ACs don't waste your time replying, your posts are never seen by me.
There's a lot of nitpicking about what is or is not technically a virus. The common use is to mean any piece of software that is malicious, but I assume you want something specifically benign. So, that leaves the question of what "type of virus" you want to emulate.
I saw someone mention demonstrating the autorun feature with a program that installs itself and sets autorun. This could give an opportunity to demonstrate how to delist such processes from the startup routine.
Do you want something that spreads? That could be thin ice, as well as being more difficult to do yourself, since it would need to take advantage of a vulnerability or misconfiguration.
You might find something they'll enjoy, like a game, and piggyback a do-nothing "trojan" with it. Give it to a kid you can count on to play it during class, as well as share it with his friends, and tell him not to play it during class. The payload of the trojan should execute during class a few days later. Maybe just pop up a dialogue every 30 seconds indicating the "infected" state, or maybe something with a little more pizazz, like setting a jolly roger desktop background. Then (after making a note of who ended up "infected") you can start the lesson on security, trusting executables, autorun, startup processes, etc.
The kids might (or might not) think you're cool because you wrote a virus, but as has been mentioned, higher ups might not. I would keep the phrase "It's not really a virus" on my lips the whole day.
and pretty much any bug short of a rootkit follows the SOP bugs like Security Tool use.
Might want to check your methods, there.
Last several installs of SecurityTool I've seen included a rootkit.
You should look into using DETER Testbed for this type of class. http://www.isi.edu/deter/ In short, DETER is an Emulab clone for Network Security type of experiments. There is an on-going effort to promote DETER for education purpose and the DETER team has access to several types of virus. https://education.deterlab.net/ Hope this helps. Young
I wrote this a few years ago. It is pretty evil, but does not cause any permanent damage to a computer. All it does is add a shortcut to the remote reboot command to the startup so when a user is logged on, the computer reboots. It can be easily removed with msconfig in safe mode. The cool thing is that most Anti-Virus programs ignore it.
You can download it here, and the removal tool here. I even made an iso that when inserted into a computer with autorun enabled, silently installs the program. The exe's were made with NSIS.
Why not teach a simple buffer overflow exploit? A simple bit of C code with a scanf into a fixed length character array is your starting point. Have them craft a string to input that overflows the buffer and does something identifiable.
There are only 6,863,795,529 types of people in the world.
The excellent honeynet project has some exciting challenges - examples of viruses and hacking in the wild, well packaged. The old 'Forensic challenge' is perhaps the most exciting for students to do: http://old.honeynet.org/challenge/index.html
you ever worked in the education system?
the itinerary for ANY level of education all the way from grade four to a doctorate course in a university for computer sciences:
1) Computer Sciences.
1.a) Microsoft Windows. (if funding was provided by MS.)
1.b) Unix security
2) Programming
3) Keyboarding
and that's honestly about it. on a sheet of paper, with the school's letterhead at the top. if you're LUCKY, they might have what has been taught there for the last several years.
teachers today have almost complete control over what they teach, in most districts.
I consider this a pretty bad idea. A terrible idea. I commend your efforts to think outside the box, but anything you give or show these kids is bound to show up somewhere it shouldn't be. It's been my experience that study at this level of security is in the purview of much more advanced students who can truly understand what the code is doing and handle the responsibility of that knowledge. Your students will gain much more from a focus on productive coding rather than exploits. That's not to say that there isn't the oddball guru in your class or among this article's Slashdot readers who could handle it without a hitch. But, at their level the cost/benefit just isn't worth it.
I swear to God...I swear to God! That is NOT how you treat your human!
Not a virus.
I'm sorry if I haven't offended anyone
You want to teach a bunch of kids how to make computer viruses? :)
if you really want to demonstrate something self-propagating, write a shellscript that uses ssh with a special user and public-key authorization to copy itself to remote machines.
Generate an ssh key just for this purpose and copy it to the target machines.
It's more a trojan than a virus, but don't feel tempted to make it more stealthy (naming it 'ls', changing target's $PATH), that's too dangerous.
And before this, if you are in the US, talk to your lawyer and check brainless zero-tolerance-policies that might be applied to you.
About 17 years ago we had a hack called NetBunny that would send the energizer bunny from one lab computer to the next. It ran on classic MacOS. Apparently it was updated to 'NetBunny 2 1/2'.
An OS X port came out called NetBunnyX.
Now I can't find much info on it. But it definitely had the feeling of innocent, kid friendly malware.
I would like a site on the web that would act as a fake AV site. Like the ones when you browse to it pops up a message that you are infected....
I could probably set something like this but if it became popular people would try to convert it to the real thing and I do not have the time to monitor that juicy of a target.
Yes, because he wants to make sure the "fake" virus he uses for the removal exercise doesn't contain some hidden, actually damaging, payload.
Someone has already suggested the EICAR test file, which is ideal. It pops up a message box, and is easy to remove. He can add links the various windows startup files, the registry, he can go old school and call it from a batch file, and he's safe in the knowledge that he's in no danger of hosing his systems.
Nowhere in the stub did he say he was going to teach the kids about actually writing the virus they were to remove. Reading comprehension fail.
Finally had enough. Come see us over at https://soylentnews.org/
I recommend you find some source code virus, one that finds a source file and copies itself into the source file... While it has to rely on somebody compiling the source in order to spread (if it is written in a compiled language), this is easier to understand and analyze (and remove!) than a "binary virus"
I can give you a copy of rbot, that I used in a basics of malware analysis workshop. It connects to the botnet (irc server, domain name under your control), where it receives further instructions from botmaster (scan, ddos attack, upgrade, etc.). The bot itself isn't very sophisticated, no rootkit protection, just copies itself in system folder and makes an autorun entry in registry. Other option is A or B variant of conficker, you can get it on http://www.offensivecomputing.net./ Once you understand how it hides itself, it's quite easy to find it and disable it.
On any tech forum, including slashdot, you have wannabe haxx0rz who ask "how to write teh virus???" They never get a serious answer, obviously.
The OP (ed1023) thinks he can trick slashdot readers with some social engineering into thinking they're really helping someone this time by telling him "how to write teh virus???". Who knows, maybe he will succeed. Maybe he will write teh virus.
I'll assume your school has Windoze installed on the lab computers:
1) Leave your computers on the network to keep your virus updating software up to date. Why? Because students are going to place in USB drives/devices/etc that may be ALREADY infected. Trust me on this.
2) Make sure the students' accounts are NOT administrative accounts
3) Install a free virtual PC system, like Sun's VirtualBox
4) Install Windows98 in the VirtualBox system.
5) Look for a virus that existed BEFORE 2002. Some current viri can actually penetrate Virtual Machines (VMs), and if you think you are a smart pants and install a VM inside a VM, these viri can penetrate right to the main, "real" OS. Viri before 2002 are very likely unaware of VMs. You can get the virus list from Norton's (Symantec's) websites.
6) Now the tricky part. Finding the original virus source from a "reputable" website. :)
7) Copy source into VM, compile and run.
8) Have fun!
127.0.0.1
Do you or your partner snore? - Visit www.snoring.com.au
Don't even think about doing this, there are many worthier subjects to demystify. You should stay away from this project not out of moral reason, but out of practical reasons.
Remember that teacher who gave the terror planning assignment recently? I think it was a very instructive idea, but he caught a lot of flack for it. Writing a virus is similar. Even if it has pedagogic merits, it looks really bad for you from the outside and it's very easy to condemn you for it. The risk isn't worth it.
On the technical side, writing a virus very quickly becomes very technical. You have to mess around with executable formats, hooking into loading procedures and many other internals of the target system. Add to that the whole mess of payload, how to exploit systems etc. Those things are very boring and obscure to students who don't have some advanced understanding of the operating system. You're going to lose your students very quickly or spend an enormous amount of time to explain the basics for little gain. Better use the available time on better projects.
A virus is hard to contain. In the dark age of PC computing, a few viruses escaped from lab settings exactly how you described them and became very widespread. Also, tracking how infection works isn't that easy either.
On the other hand, if your lab has proper security your virus might not make it far at all and fizzle at the first hurdle. Not very instructive either.
All in all this brings me to the conclusion that your idea has more shortcomings than merits. If you want to have a project about computer security and malware, consider doing some network traffic snooping with Wireshark and what that stuff means. Looking at HTTP packets compared with HTTPS, password logging, one time password systems with tokens, PIN-code skimming, password strength brute force attacks, etc. Add in a little data mining, social engineering and you're quickly in the domain of spooks and spies, but you still can safely declare it as instruction about security and privacy. There's a lot of immediate hands on there which even your grandmother understands.
It is meant to be a joke but it has many of the properties of a "real" virus:
- social engineering
- exploits a system's weakness
- can be tailored to have numerous side effects
- propagation/growth
It has the benefit of being easy to remove and being practically impossible to constitute a fireable offence. So, here it is in its entirety (I have modified it slightly as the original had a bug (deleted all files before forwarding ;-)...
You have just received the ' Virus'
As we ain't got no programming experience, this virus works on the honor system.
Please forward this virus to everyone on your mailing list.
When that is completed delete all files from your hard disk.
Thank you for your cooperation.
School of hard knocks.
Computer Engineering Dept.
That's weird, I manage 1000 workstations (600/400 PC vs Mac), 10 X Servs (as they're generally called), 20 Linux (RHEL), and 100 windows. Macs, hands down, are the single biggest use of my help desk techs and network admins time. We've even had about 20-30 people switch from windows to mac because its "what they prefer." Typically, that lasts less than a week before they come crying back for a PC (though to be fair, one stayed). If I could get rid of all of the workstations (since as far as I've seen there is *nothing* they can do that a PC can't), my expenses would DROP. So I guess my anecdotal experience of Macs as the WWOS counteracts yours.
True viruses are few and far between in this day and age. A true virus must a.) be able to attach itself to any other executable, and b.) propagate itself to other executables. Most malware these days is spread using a trojan as an attack vector. The closest to a real virus that you're likely to find is the occasional worm that replicates via a remote exploit, but those are also fairly uncommon these days.
Ebola. That'll teach 'em.
Well, for starters, I'd install VirtualBox and do all the work on a fresh install of Windows running on it. Then you can take your pick of virus. I guess a very small non destructive old one would be best, especially if the source code is available (though that might be overkill if you just want them to get an idea of how viruses work..) .com and asm source code.
I was thinking of the 'stoned' virus.. then I remembered there was an app back in the day, for DOS, that would let you create your own virus.. you'd select some options like stealth capabilities, file or disk deletion, printing a message, etc. Then the program would generate a virus, both in compiled
It was called NuKE, but I'm sure there's more like that one.
here's a link from google (I couldn't verify it since my work's proxy is blocking the site):
This is a very old app, so I'm not sure it'll work on winXP or newer OSs but it might be worth a try.
Good luck!
"Luck is my middle name," said Rincewind, indistinctly. "Mind you, my first name is Bad." -- Terry Pratchett
Chances are that 20% of them are infected with some crap. Just use an antivirus on them. Maybe (if it is a free antivirus) copy the antivirus installer on them, so they can bring it home.
Yeah but the odds of running into BO in real life is slim to none
You've never actually been in a college computer lab, have you? I worked in one for five years, and sometimes I still think I pick up a whiff.
Reasonably safe, gets the point across:
#!/bin/bash
for file in *.sh ; do if ! grep -q fo0z $file ; then grep fo0z $0 >> $file ; fi ; done
25% Funny, 25% Insightful, 25% Informative, 25% Troll
As others have noted, spreading a virus and teaching others to spread a virus is dangerous, even if the virus is "benign." If the virus spreads to the system of any person who did not consent, you have committed an unethical and possibly unlawful act.
That said, it is necessary to learn and to teach. If you have responsible students who have agreed to take proper precautions, it may be permissible to perform certain exercises with viruses. However, while you can get ideas from Slashdot, you should not accept advice. You should verify the ideas independently with professionals in computer security.
I am not one, but one idea is to take some ideas from the methods used to prevent biological organisms from spreading while experimenting on those. For example, design the virus to spread only to systems that contain a special marker, such as a file in a known location that contains the text "This system is part of the equipment for course 123 in the Fall 2012 semester." This would prevent the virus from spreading to other systems even if a network connection were made or somebody moved a disk from your isolated systems to a networked system. It would not, of course, stop one of your students from disabling that part of the virus and making themselves a fun "toy" to play with, which is why you need to ensure your students are trustworthy.
Just have your students surf on the computers without A/V for about 15-20 minutes, guaranteed that they will all be infected. Then just do a little research and have them run some malware removal programs, have them go through the registry and see if they can find the specific keys that they were told the viruses created when they were doing the research on what they had become infected with. Most of the students are probably experienced with viruses and that most of them are really just programs that stupid people install.
Pirate Windows XP. Connect to internet over night. Unplug in morning. Done. Have fun.
P.S. Kids might want to take a sex ed class first for all the pop ups that are sure to come.
As for how to fix. Format hard drive. Install new OS. Done. Reconnect to Internet.
Can also be instructive as to why not to Pirate OS (or at least not XP).
That might not mean your mac systems are worse, just that the users of them are more noisy. 10% of our users are using OSX, but 60% of the complaints in company come from them. I (am not in the IT dept) personally know of dozens of problems in the windows side that are never reported; these users sit there and pretend the problem isn't there. These are common issues too, like accidentally deleting a folder on the start menu, so that the only way they can run a program is from their desktop, or losing the formatting toolbar in word 2003 and not knowing how to put it back (one particular user has 2 documents open at all times, one that she copies text from and the one she is working on; whenever she needs to bold text or put in a title, she copies and pastes it from the old document; she wouldn't know how to create some formatting that wasn't already in a document she has somewhere). These people will just sit it out until the next upgrade cycle. That is when they get a "new" computer which IT reset to company settings.
We aren't talking about computer savvy people here, we are talking about the general workforce over 30 right now. In my experience the difference between the Windows users and the Mac users is that the Mac users complain more. The users have just as many problems on Macs as they do on Windows, but the Mac users tend not to put up with it.
Don't teach how to remove viruses. That is a moving target. Teach how viruses spread through specific examples. I think cross site scripting (XSS) is easy to teach them once they've done a little HTML authoring and had a little JavaScript programming. For this socially networked generation it applies to stuff they use EVERY hour of every day. A few of them were probably hit by that mouseover Twitter exploit a few weeks ago. You can run an intentionally vulnerable server such as mutillidae to practice the exploits. http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10 Read up on current exploits at http://owasp.org/ The future needs people to know how to not create exploits, and patch the ones they do. We don't need more IT "next clickers" who only know how to run third party solutions.
"The upgrade of thought is continuous"
Find any one of these and you'll have a few good lessons you can teach your students...
Two of my imaginary friends reproduced once
I made a "Trojan" for an office training program that is pretty simple. You can choose your method of transmission, I used an email with a funny attachment. It was FunnyPicture.exe, masked with the jpg.ico file. The FunnyPicture.exe file was just a bat file that I converted to an exe so I could use the different icon. The bat file was this: echo %username% %computername% >> "LOCATION\OF\TEXT\FILE\TO\STORE\USER\INFORMATION" Just replace the string in quotes with the location of a networked text file. You can modify this to do more, or write a basic script to pull up a picture. I had it feed them an image of a BSOD as a PowerPoint show. It was a good simulation with no real damage, and got across the point how easy it is to lose critical data to a single thoughtless click. Best of luck, A.
Good times indeed!
How much is your data worth? Back it up now.
removal involves all the classics...F8 boot into safe mode, deleting the reg keys, then running a nice CD or USB key scanner
A good practice when encountering an infected machine is to back up all of the data and then reinstall the operating system. You don't know what code the virus contained, and some viruses/rootkits can be very good at making copies of themselves and hiding themselves very carefully. Also, virus scanners cannot detect all viruses because a virus can be new enough to not be in the definitions list (especially a problem for a CD scanner). While you do make the point that some of these viruses (the non-rootkit types) are trivial to remove, it's a good idea to be safe and nuke the machine, despite that process being a pain in the ass. You really don't know for sure what the virus has done to the infected machine.
Um, there are plenty of Mac viruses out there. Grow up, you really are acting like a 13 year old. I manage many Mac workstations too, and I have had to clean up enough infections because smug people like you try to say Mac is immune when it isn't, it is irrelevant. In a recent hacking contest between Linux, Windows 7 and Mac, the Mac fell first. So you managing 100 Mac workstations, 10 Mac servers, 50 Linux servers and 4 Windows boxes and pointing out how your Windows boxes cause more issues just shows your incompetence as a sys admin.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
It does NOT pop up a message box, it's not executable code. It doesn't propagate. It's not a virus, simply a string of text that is recognized as one by every major AV software.
Sorry to reply to my own post, but what I originally intended to point out was that it cannot be called from a batch file, as it's not executable.
it's only 30 bytes big and infects .com files in the current directory only.
you can even make a virus scanner for it.
make a com file that only does RET (a one byte assembly statement)
if the file gets infected, it grows.
Privacy is terrorism.
Umm... It IS executable. It prints "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" to the console when run as a COM program. It's just been added to the virus definitions of every piece of antivirus software to allow for simple, risk-free testing.
Bravery is not a function of firepower.
~J.C. Denton (Deus Ex)
If you write your own, you may not want to include propagation beyond any single machine. No risk of getting out that way. Just make it tricky for a user to remove, to show the various techniques that may be needed (hiding in multiple places, being started from registry keys and other locations, running multiple processes that each monitor the others so it's tough to kill them all, ...).
Good luck, and ask for permission before doing it!
www.eicar.org/anti_virus_test_file.htm
Eicar is a test virus. It's made precisely for what you want. However the last time I tried to download it my AV program detected it and blocked the download.
AG
Non bene pro toto libertas venditur auro
Backing up first is always best. However reinstalling should only be a last resort. With the right software, you should be able to find and remove all viruses in a lot less time than reinstalling. If you come across something that you just can't remove then reinstall. Also before restoring the backup make sure you scan the files.
Oops, my bad. Thanks for the info!
If you have to ask, you clearly should not be doing this. I would say the same thing to a chemistry teacher asking what explosives to show her students.
Better to teach quality programming. Programs that defend themselves from buffer overflow and other stupid user tricks. A virus is not a school project and if it escapes you could end up in hot water. There is a phrase that yacht salesmen have. "If you have to ask the price you cannot afford it". If you have to ask where and what to get in the context of a virus ... you are not well enough equipped to teach the class.
Better to teach quality defensive programming.
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
id recommend linux ^__^
or sandboxing web browsers (or disabling IE),
super antivirus,
having the tools to fix the problem on hand,
and this one very hard to find setting in Windows where it asks you if you want to allow each and every program access to your hard drive if it tries
warning pointless sig
id recommend linux ^__^
Not the point. We're talking about infected Windows systems, here. Once it's already infected, it's too late to prevent infection by switching to Linux.
or sandboxing web browsers (or disabling IE),
Web browsers aren't the only way machines get infected. You'd have to sandbox everything, which, while possible, certainly isn't practical in a lot of cases.
super antivirus,
Pipe dream. Now how about something that actually exists?
having the tools to fix the problem on hand,
which hasn't got a lick to do with whether you have to delete a system file manually or not. In fact, I'd say that the tools (Knoppix, WinUBCD, et al) to fix the problem are the right tools specifically _because_ they allow you to delete a system file by hand.
and this one very hard to find setting in Windows where it asks you if you want to allow each and every program access to your hard drive if it tries
So, another recommendation of something that doesn't exist. Great.
Maybe your next computer will be secured by unicorns.
I got tired of reading everyone's responses because I remember several instances where a simple line of missing code would cause havoc on anyone's computer back when we moved up from Commodore 64s. The not so obvious line of MOUSEINDOSBOX that would be missing would cause the mouse to not work back before DOS was loaded separately from Windows. Then there's the one when CDs came out that caused the CD from staying closed. Now I'm not a computer programmer by any means, but when Windows 98 became passe I gave up on trying to keep track of every file on my computer. Yes, I was one of those who would print out every file on my computer so that when I would install something new, I would know if something went wrong or not. There are all sorts of "simple" programs out there that can just be a nuisance on one's computer. Do you remember the one that would log you off if you were clicking your mouse too fast? The pop up stuff is a classic that most of us remember when the internet came about. The multiple browsers opening while you would be pressing on ALT+F4 consistently. That was a pain. Good luck with it.
"I am looking for a virus with which I can infect the lab computers (only connected to local network, no outside network connection) that would be easy for the students to remove by hand. Can the Slashdot community point me in any directions?"
Yes. Teach them some useful Computer 101 stuff instead of wasting time on stuff that makes the computers useless. If you must cover the subject let them read http://en.wikipedia.org/wiki/Robert_Tappan_Morris Before you infect any machines, you should too.
"I may be synthetic, but I'm not stupid." -- Bishop 341-B
...and is simple. Vaccinia is popular for research. ...Oh. That kind of "virus". Never mind.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Look up the Eicar test virus.
It is not a virus as such, just a text string you can create by a text editor, but all antivirus programs react to this and it is fun to see how antivirus reacts to your attempts to save file, unpack an archive or send email.
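Two threads above suggest the same kind of defensive tool: the "make a virus scanner for it" comment (a RET-only .com file grows when a file infector touches it) and the EICAR discussion (a harmless text string that every AV product recognises by signature). The following is an added example, not code from any poster: a small integrity-plus-signature scanner that baselines the size and SHA-256 of every file in a lab directory, later reports files that changed, appeared or vanished, and separately flags any file containing the EICAR test string. The directory layout and the "infection" (appending bytes to the .com) are constructed for the demo.

```python
"""Added example (not from the thread): integrity baseline + EICAR signature scan."""
import hashlib
import tempfile
from pathlib import Path

# The public EICAR test string (68 bytes). It is assembled from two halves so
# that this source file itself is not flagged by an on-access AV scanner.
EICAR_SIGNATURE = "".join([
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
]).encode("ascii")


def fingerprint(path: Path) -> tuple[int, str]:
    """Return (size_in_bytes, sha256_hex) for one file, read in chunks."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return size, digest.hexdigest()


def baseline(root) -> dict[str, tuple[int, str]]:
    """Map every file under root (relative POSIX path) to its fingerprint."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(root, base: dict[str, tuple[int, str]]) -> list[tuple]:
    """Diff the directory against a stored baseline.

    Findings are tuples: ("modified", rel, old_size, new_size),
    ("new", rel, size) or ("missing", rel). A file infector that appends
    itself to a .com shows up as "modified" with a larger new_size.
    """
    current = baseline(root)
    findings = []
    for rel, (size, digest) in current.items():
        if rel not in base:
            findings.append(("new", rel, size))
        elif base[rel] != (size, digest):
            findings.append(("modified", rel, base[rel][0], size))
    for rel in base:
        if rel not in current:
            findings.append(("missing", rel))
    return findings


def signature_scan(root) -> list[str]:
    """Return relative paths of files that contain the EICAR test string."""
    root = Path(root)
    return [p.relative_to(root).as_posix()
            for p in sorted(root.rglob("*"))
            if p.is_file() and EICAR_SIGNATURE in p.read_bytes()]


def run_demo() -> dict:
    """Build a throwaway lab directory, baseline it, simulate an infection,
    and return both scan results. Everything here is constructed."""
    lab = Path(tempfile.mkdtemp(prefix="lab-scan-"))
    (lab / "ret.com").write_bytes(b"\xc3")        # a .com that only does RET
    (lab / "notes.txt").write_text("lecture notes\n")
    base = baseline(lab)

    # Simulated infection: just append 29 NOPs so the 1-byte .com becomes
    # 30 bytes. This is filler, not an infector, but it is what the
    # integrity check would see after a real one touched the file.
    with open(lab / "ret.com", "ab") as fh:
        fh.write(b"\x90" * 29)
    # Drop the EICAR test file so the signature check has something to find.
    (lab / "eicar.com").write_bytes(EICAR_SIGNATURE)

    return {
        "lab_dir": str(lab),
        "changed": compare(lab, base),
        "signature_hits": signature_scan(lab),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The baseline dictionary is the part worth keeping offline (on the rescue CD or USB key mentioned earlier), since a scanner that stores its reference hashes on the machine it checks can be tampered with along with the files.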
Back in the old days of primary school we had labs full of Macs. One day my friends and I discovered you could record your voice on them or other things and set that as the warning sound replacing the standard beep. After recording ourselves saying our favorite non rude South Park quotes we set them as the alert tone and went to lunch. The next day during our computer lesson the IT teacher told us off saying that after lunch the previous day she had the kindergarten kids in who love to button mash getting very freaked out as their computers told them off in a number of different ways.