Viruses, malicious program codes: virus types and definitions; methods of prevention and protection; methods of virus infection and spreading; methods of destruction; symptoms of infection and possibilities of detection; possibilities of the removal of malicious codes.


Presentation Transcript


Slide 1: Viruses, malicious program codes
• Virus types, definitions
• Methods of prevention and protection
• Methods of virus infection, spreading
• Methods of destruction
• Symptoms of infection, possibilities of detection
• Possibilities of the removal of malicious codes
Image source: http://paranoia.foolmoon.com/articles/mind_control_virus.html

Slide 2: 25 January 2003: the SQL1434.A ('Slammer') worm was the most virulent virus in history. It doubled the number of attacked computers every 8.5 seconds, and more than 90% of servers, about 75,000 computers, became infected faster than had ever happened before. The worm caused damage on an unknown scale: it practically cut the Internet connection of South Korea and blocked ATM terminals in the USA.
Image source: www.artech.se/~ace/slammer.jpg

Slide 3: Virus types, definitions
• Malicious program codes
  • Virus: program-infecting; boot program infecting; hiding in macro; associated
  • Worm
  • Trojan: general; copy-protection; usage limiting; infecting; network spy; missed
  • Combined
  • Malicious data files (spam)
Image source: www.sci.ccny.cuny.edu/~lima/

Slide 4: Malicious program codes
• Malicious program codes: programs or code, files or parts of files that affect running programs or code and get onto the computer without the owner's knowledge and against his or her wishes. They cover a wide spectrum of damage, from simple memory allocation to the destruction of software or hardware. Spreading between computers in a passive or active manner, their effect reaches masses of computers.
  • Virus
  • Worm
  • Trojan
  • Combined
• Malicious data files (spam): they do not alter the hardware or software of the computer, but slow down normal work or make it impossible through their content or frequency. Their typical form is e-mail sent by mail robots.

Slide 5: Virus
• Virus: malicious program code that cannot run by itself, so it has to attach or insert itself into a program or document that has an executable part. It can spread itself actively. File types that can be infected by a virus are, for example: ADE, ADP, BAS, BAT, BIN, CHM, CMD, COM, CPL, CRT, DLL, EXE, HLP, HTA, INF, INS, ISP, JS, JSE, LIB, LNK, MDB, MDE, MSC, MSI, MSP, MST, OBJ, OVL, PCD, PIF, PRG, REG, SCR, SCT, SHS, SYS, URL, VB, VBE, VBS, WSC, WSF, WSH, etc.
  • Program-infecting
  • Boot program infecting
  • Hiding in macro
  • Associated
Image source: http://www.squeaky.demon.co.uk/

Slide 6: Virus types
• Program-infecting: a virus that attaches itself to a pure machine-code program that can run by itself or as part of other programs. Typical carrier program or program-part file types are: BIN, COM, DLL, EXE, LIB, OBJ, OVL, PRG, SYS, etc. The program-infecting virus spreads on data media and by sending over the network alike.
• Boot program infecting: a virus that attaches itself to the Master Boot Record (MBR), which identifies the active partition before the operating system is loaded, or to the loader program found in the boot record. It spreads with floppy disks or removable (mobile rack) hard disks. The MBR is found at the beginning of the hard disk; boot records are at the beginning of partitions and of system floppy disks.
• Hiding in macro: a virus that hides not in machine code but in instructions that are interpreted and executed by the operating system or by one of the applications. Extensions of macro files, or of documents of applications that can run macros, are: BAT, DOT, DOC, XLS, XLT, etc. The macro virus spreads on data media and by sending over the network alike. It is platform-independent and works in different operating system environments.
• Associated: a virus that associates itself with a faultless executable program and hides behind the name of that program. It exploits the .COM, .BAT, .EXE execution priority: if the program names are the same and the start command gives the name without an extension, the .COM file is started first. The virus creates itself with a .COM extension next to the .EXE.
Image source: www.mcps.k12.md.us/clipart/gif/boot.gif
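The associated (companion) virus of slide 6 depends on a recognisable file layout: a .COM file next to an .EXE with the same base name. The following added example (not code from the original slides) scans a directory for that layout; the search order it encodes (.COM before .EXE before .BAT) is the DOS/Windows command interpreter's, and the directory it checks is constructed in a temporary folder.

```python
"""Scan a directory for the file layout an 'associated' (companion) virus relies on:
a .COM file beside an .EXE of the same base name, which the command interpreter
starts first when the user types the name without an extension.
Added example, not code from the original slides; the scanned directory is constructed."""
import tempfile
from pathlib import Path

# Search order of the DOS/Windows command interpreter when no extension is given.
SEARCH_ORDER = (".com", ".exe", ".bat")


def shadowing_extensions(target=".exe"):
    """Extensions tried before *target*, i.e. the ones that can shadow it."""
    return SEARCH_ORDER[:SEARCH_ORDER.index(target)]


def find_companions(directory, target=".exe"):
    """Return (shadowing_file, shadowed_file) pairs found directly in *directory*.

    Names are compared case-insensitively, as the interpreter does. Only the
    directory itself is examined, because the companion must sit beside its host.
    """
    by_stem = {}
    for entry in Path(directory).iterdir():
        if entry.is_file():
            by_stem.setdefault(entry.stem.lower(), {})[entry.suffix.lower()] = entry.name
    hits = []
    for stem in sorted(by_stem):
        variants = by_stem[stem]
        if target not in variants:
            continue
        for ext in shadowing_extensions(target):
            if ext in variants:
                hits.append((variants[ext], variants[target]))
    return hits


def demo():
    """Constructed layout: EDITOR.COM shadows editor.exe; setup.bat does not shadow
    setup.exe because .BAT comes after .EXE in the search order."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("editor.exe", "EDITOR.COM", "viewer.exe",
                     "setup.exe", "setup.bat", "notes.txt"):
            Path(tmp, name).write_bytes(b"MZ" if name.lower().endswith(".exe") else b"x")
        return find_companions(tmp)


if __name__ == "__main__":
    for com, exe in demo():
        print(f"suspicious companion: {com} would run instead of {exe}")
```

A hit is only a lead: a legitimate program may ship both a .COM stub and an .EXE, so the reported .COM file should be checked with a virus scanner and against a known-good copy before it is removed.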

Slide 7: Worm, Trojan, combined
• Worm: malicious program code that mainly exploits errors in network operating systems; it can copy, spread and run itself on its own across the network. It infects primarily operating systems running connected to the network, and it can spread directly or attached to e-mail.
• Trojan: malicious program code that does not reproduce itself and makes no copies. It is embedded in a program that looks like a normal one, so the user installs it on his or her computer and infects it that way. The infection may open a "backdoor" for the programmer of the Trojan.
  • General
  • Copy-protection
  • Usage limiting
  • Infecting
  • Network spy
  • Missed
• Combined: this type of malicious program code combines some of the functional features of virus, worm and Trojan malicious program codes.
Image source: http://www.challengeglobalization.org/html/econ_lit/cartoon9.shtml

Slide 8: Trojan types
• General: Trojan program code intended to run malicious instructions, hidden in a program that has a desirable function.
• Copy-protection: Trojan program code intended to prevent an illegally copied (primarily game) program from running.
• Usage limiting: Trojan program code intended to block the running of the host program after a given time or number of start cycles, e.g. demos.
• Infecting: Trojan program code that releases a second virus, infecting the computer with it.
• Network spy: Trojan program code that hands the infected computer over to the writer of the Trojan by opening a "back door" on the computer.
• Missed: a needed program that has to be downloaded from the network (really a Trojan) requires the conditions of use to be accepted. Among the normal lines there is a small-print text about accepting advertising messages (spam) from the net. The naive user presses the Accept button without reading the whole text.
Image source: www.thetechguys.com/virus_protection.htm

Slide 9: Features of the categories of malicious program codes
Image source: www.quantockonline.co.uk/kids/gallery_01.html

Slide 10: Methods of prevention and protection
The main factors in the spreading of malicious programs:
• Weaknesses of the operating system and applications in use (security gaps, macro-language services, etc.)
• Uninformed, irresponsible users.
The developers of malicious programs prefer the widely used operating systems and applications of Microsoft. Choosing another operating system reduces the chance of infection and of suffering a loss. The effort spent on prevention is recovered many times over by avoiding damage to data and software.
Image source: www.co.arlington.va.us/dhs/aec/youth.htm

Slide 11: Methods of protection of computers not connected to a network
• Train yourself in virus prevention and removal, and inform your colleagues about the dangers
• Back up data files frequently, preferably in several copies
• Check regularly with an up-to-date virus protection program
• Use a resident virus-protection shell that checks new files arriving on the computer
• Virus protection programs applying heuristic algorithms can detect a virus by analysing its behaviour or looking for special code segments, but they may also give false alarms
• Store safety copies of software
• Use original, legal software
• If the operating system can be chosen freely, choose one that is safer against viruses: Unix, Linux, NetWare, etc.
• Write-protect floppy disks and flash drives before using them in another computer, especially if only reading is required
• A mobile rack hard disk ought to be plugged into virus-checked computers only
• Before using someone else's floppy disk, flash drive or rack hard disk, perform a virus check

Slide 12: Methods of protection of computers not connected to a network (continued)
• Turn on the protection against boot viruses in the BIOS setup and prohibit booting from floppy, or, instead of booting from the hard disk, load the operating system from a read-only peripheral (CD-ROM, EPROM)
• Against macro viruses, turn off the macro execution function in applications that can run macros
• Define different user groups on your computer and log in with the group that gives just enough rights to perform your task. Do not log in as administrator if the task does not need maximum rights.

Slide 13: Methods of protection of computers not connected to a network (continued)
• If a new file arrives on the computer, always check it before use
• If it serves your purpose, use .TXT files of Notepad or .RTF files of WordPad instead of .DOC files of Word, because these formats cannot store macros
• Using more than one virus protection program at the same time generally gives higher safety, but virus protection programs can find suspicious code in each other and cause false alarms
• Do not hand over a computer storing important data to other persons
• Protect your passwords from unauthorised persons and from becoming known
• Use a password-protected screen saver that turns on within a few minutes, to protect a computer that has been left alone temporarily
• Use passwords that are hard to guess
• Avoid programs, mainly computer games, that contain copy-protection code, because they are liable to punish being copied
• For the protection of rarely changed data or program files, checksums can be used.
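The checksum advice in the last point above is the basis of file integrity monitoring: record a digest, size and timestamp for each rarely changed file, and later compare. The added example below (not code from the original slides) does exactly that with SHA-256, and also flags a modified file whose timestamp still matches the baseline, which an ordinary edit would not leave behind; the files it scans are constructed in a temporary directory.

```python
"""Checksum baseline for rarely changed program and data files (slide 13), which also
catches the changed-length and changed-timestamp symptoms listed on slide 26.
Added example, not code from the original slides; the scanned files are constructed."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def fingerprint(path):
    """SHA-256 digest, size and modification time (in ns) of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mtime_ns": st.st_mtime_ns}


def build_baseline(root):
    """Fingerprint every regular file under *root*, keyed by path relative to root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root, baseline):
    """Compare *root* with *baseline*; returns modified, added and missing files.

    A modified file whose timestamp still equals the baseline is also listed under
    'timestamp_preserved': a normal edit moves the mtime, so a preserved one suggests
    deliberate tampering (the stealth technique of slide 23)."""
    current = build_baseline(root)
    report = {"modified": [], "added": [], "missing": [], "timestamp_preserved": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["missing"].append(rel)
        elif new["sha256"] != old["sha256"] or new["size"] != old["size"]:
            report["modified"].append(rel)
            if new["mtime_ns"] == old["mtime_ns"]:
                report["timestamp_preserved"].append(rel)
    report["added"] = [rel for rel in current if rel not in baseline]
    return report


def demo():
    """Constructed scenario: baseline three files, then tamper with one and restore
    its timestamp, edit another normally, delete a third and drop a new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in (("app.exe", b"MZ original"), ("config.dat", b"k=v"),
                           ("readme.txt", b"hello")):
            (root / name).write_bytes(body)
        # Round-trip through JSON, as a baseline kept on write-protected media would be.
        baseline = json.loads(json.dumps(build_baseline(root)))
        st = os.stat(root / "app.exe")
        (root / "app.exe").write_bytes(b"MZ original" + b"extra")
        os.utime(root / "app.exe", ns=(st.st_atime_ns, st.st_mtime_ns))  # timestamp put back
        (root / "config.dat").write_bytes(b"k=changed")
        (root / "readme.txt").unlink()
        (root / "dropped.com").write_bytes(b"x")
        return verify(root, baseline)
```

The baseline is only as trustworthy as its storage: keep it on write-protected media or a separate machine, otherwise a malicious program that alters a file can rewrite the checksum as well.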

Slide 14: Methods of protection of computers connected to a network
a. Protection of client computers
• Every method applied to protect computers not connected to a network can be used
• Allow automatic upgrading of the virus protection program and the operating system via the network
• Use a separate computer for e-mailing
• Run applications from servers
• Turn off automatic opening of attached files in the e-mail program
• Primitive e-mail programs that are not capable of opening attached files can be used to filter electronic letters
• Suspicious, alluring, attractive letters should be left for about two weeks in the mailbox; during this time reports may arrive about their malicious nature or damaging purpose
• Our friend or best colleague may be the stated sender of a malicious e-mail; if the subject or content of the mail is suspicious, call him or her and ask whether he or she really sent the letter
Image source: www.fis.uniroma3.it/biblioteca/

Slide 15: Methods of protection of computers connected to a network (continued)
a. Protection of client computers (continued)
• Insert your own e-mail address into your address book, so that you are informed if a malicious program forwards itself from your computer to the addresses stored in your address book
• Try to avoid downloadable "interesting" programs, or, if you do download, read the information carefully before accepting it, and if it mentions advertisements (spam), do not download it
• Suspicious, deleted letters have to be removed from the folder of deleted letters too
• Use and configure properly the built-in firewall of Windows XP if that is the operating system in use
• Get information about the safety condition of your Windows-based system by running the Microsoft Personal Security Advisor application available on the web: it reports the important safety settings, patches of the operating system, Internet Explorer and the Outlook Express mail program, and the macro settings of the Office applications
• Etc.

Slide 16: Methods of protection of computers connected to a network (continued)
b. Protection of server computers
• Most of the methods applied to protect client computers can be used for servers too.
• Apply three levels of protection: a virus protection shell on the client, virus checking on the file server, and detection and filtering of letters containing viruses on the e-mail servers. The last task can be performed by the firewall too.
• Log the data transfer so that attacks and hacker events can be reconstructed.

Slide 17: The firewall
• The firewall sits between the corporate or institutional server and the outer network and filters primarily the incoming data traffic. The firewall filters data packets based on the protocol identifiers that determine the function of the packets. This filtering means restrictions that may cause trouble. E.g. the telnet protocol can be used to reach outer computers, but the service can be disabled in the opposite direction.
• The restricting effect of the firewall can concern the transferred data or the source of the data. Physically the firewall is a computer running special software, or a router (a "packet director"). It can perform logging tasks too.
• A special capability of a firewall may be emulating a computer for the malicious program. If the program behaves suspiciously in the emulated environment or tries to damage something, the firewall program deletes it.
Image source: www.unige.ch/mimescope/quoi3.htm

Slide 18: The firewall (continued)
• Types of firewalls: packet filter and application filter.
• The packet filter checks the source and destination addresses of data packets travelling on the network. The destination address includes the very important port number too.
• The application filter checks the files reassembled from the packets. It can protect against e-mail attachments.
• The protective power of an imperfectly configured firewall is low. If all the precautions mentioned are taken, your safety level will be high, but total safety can never be reached!
Image source: onefoggy.tripod.com/images/worm.jpg
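Slides 17 and 18 describe the packet filter: a decision taken per packet from its direction, addresses and destination port, with the example that telnet may be allowed outward but refused inward. The added example below (not code or configuration from the original slides) models such a filter with a first-match, default-deny rule list; the network addresses, rules and packets are constructed, and the UDP 1434 rule reflects the port Slammer (slide 2) spread through.

```python
"""Stateless packet filter in the spirit of slides 17-18: each rule matches on
direction, protocol, source and destination address and destination port; the
first matching rule decides and anything unmatched is dropped.
Added example with a constructed rule set and constructed packets, not code or
configuration from the original slides."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = arriving from the outer network, "out" = leaving
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR; the default matches every address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, p):
        return (self.direction == p.direction
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


INTERNAL = "192.0.2.0/24"      # constructed corporate network (documentation range)
MAIL_SERVER = "192.0.2.25/32"  # constructed address of the e-mail server

# Constructed rule set. Telnet (TCP 23) is allowed from the inside out only, the
# example of slide 17; inbound SMTP may reach the mail server only; UDP 1434, the
# SQL Server resolution port Slammer (slide 2) used, is refused from outside.
RULES = [
    Rule("allow", "out", "tcp", src=INTERNAL, dport=23),
    Rule("deny",  "in",  "tcp", dport=23),
    Rule("allow", "in",  "tcp", dst=MAIL_SERVER, dport=25),
    Rule("allow", "out", "tcp", src=INTERNAL, dport=80),
    Rule("deny",  "in",  "udp", dport=1434),
]


def decide(packet, rules=RULES):
    """Return (action, index of the deciding rule). Packets matching no rule are
    denied with index None: the default-deny stance a firewall should take."""
    for i, rule in enumerate(rules):
        if rule.matches(packet):
            return rule.action, i
    return "deny", None


def filter_log(packets, rules=RULES):
    """Apply the rules to *packets* and return one log record per packet, since
    slide 17 notes that the firewall can perform logging too."""
    records = []
    for p in packets:
        action, idx = decide(p, rules)
        records.append(f"{action.upper():5} rule={idx} {p.direction:3} {p.proto} "
                       f"{p.src} -> {p.dst}:{p.dport}")
    return records
```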

Slide 19: Methods of virus infection, spreading
The spreading of viruses exploits the irresponsibility of computer users in most cases, e.g. skipped checks or careless handling of e-mails. Media suitable for spreading viruses: floppy disks, CD/DVD disks, mobile hard disks, flash memories, the network (downloaded files, files attached to e-mails). Spreading of worms: directly in network packets or in e-mail attachments. Trojan programs: can spread on data media or over the net alike; the deceived users are to blame for spreading them.

Slide 20: Combined malicious program codes can combine the spreading and destroying methods of virus, worm and Trojan. E.g. one can arrive as an e-mail attachment, cooperate with a virus that arrived earlier, or exploit a security gap of the network operating system to download the further part of the malicious program from the network (worm-like activity); moreover, it can infect web pages stored on the server using JavaScript. When the web pages are opened from a client, it installs a virus on the local client computer using the JavaScript (Trojan-style activity). It replaces one of the DLL files used by Notepad, WordPad and Word with a DLL that can install viruses on the shared clients, and it can also manipulate shared EXE and DOC files. Opening the infected documents with the manipulated application programs leads to further infection of the client computer (virus-like activity). Such a complex technique is applied by the W32.Nimda malicious program code. Malicious data files (spam): e-mails sent by e-mail robots and advertising banners; they spread over the network.

Slide 21: Locations of malicious program codes
• In the memory
  • Sits in as a resident program (TSR, Terminate and Stay Resident)
  • Not resident, occupies memory only for the time of infection
  • Sits at the top of memory to avoid being overwritten
  • Loads into memory holes, e.g. into part of the video memory, buffers, stacks or heaps, which are overwritten last
• MBR and boot viruses on hard and floppy disks:
  • Partially overwriting the partition record or boot sector
• Connecting to files
  • Adding to the end of the file
  • Inserting at the beginning of the file
  • Inserting into or overwriting the inner part of the file
  • Sitting in Command.com
  • Associating with an EXE file using the same name but a COM extension
• In the form of malicious macros attached to document files
• As an e-mail attachment that exploits automatic opening
Image source: http://www.i4at.org/lib2/worms.htm

Slide 22: Triggers and delays that activate the punishing, destroying effect of malicious program codes:
• Watching the date
• Following characteristics or values of files
• Detecting the extent of spreading
• Counting the number of start cycles
• Reacting to events
• Remote starting
• Applying combined conditions
The malicious programs stay hidden until they are activated for destruction.

Slide 23: Hiding, camouflaging methods of malicious program codes:
• The FAT virus hides in a disk cluster that will be overwritten last, or in a sector that is marked as a bad sector. It modifies the starting address of the infected program, runs first, then starts the infected program.
• Stealth: it shows the original file size by redirecting the interrupts to itself.
• Association: keeps the created .COM virus hidden.
• Polymorphism, mutation: the code of each descendant virus is slightly modified to deceive the virus protection programs. Techniques: replacing code segments with others having the same effect, inserting NOP (no operation) instructions, encoding the body of the virus with a varying key.
• Permutation: varying the order of the virus segments to avoid matching of virus signatures.
• Retro-viruses block the work of virus protection software or manipulate it to decrease the efficiency of its work.
• Combined methods integrate the above methods.
• Trojan technique: the malicious program looks like a normal, interesting, attractive program.
Image source: home.planet.nl/~hkcc/info/vasteitems/providers/
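The polymorphism point above explains why a scanner that looks for one exact byte string is easily defeated. The added example below (not code from the original slides) shows the detection side: a signature with wildcard positions for bytes a descendant may change, matched against the data both as received and after single-byte NOPs have been stripped out. The signature and the samples are constructed stand-ins for illustration, not bytes of any real malicious program.

```python
"""Signature matching that tolerates two camouflage tricks from slide 23: inserted
NOP instructions and small byte changes between descendants. The scanner strips
single-byte NOPs (0x90) before matching and lets a signature carry '??' wildcards.
Added example; the signature and samples are constructed stand-ins for illustration."""
NOP = 0x90


def normalize(data):
    """Remove single-byte NOPs so that padding inserted between instructions vanishes.

    This is a heuristic: a legitimate 0x90 byte inside an operand is removed as well,
    which is one source of the false alarms slide 11 warns about."""
    return bytes(b for b in data if b != NOP)


def parse_signature(text):
    """'B8 ?? 00 C3' -> [0xB8, None, 0x00, 0xC3]; '??' marks a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def find_signature(data, sig):
    """Return the offset of the first match of *sig* in *data*, or -1 if absent."""
    n = len(sig)
    for i in range(len(data) - n + 1):
        if all(s is None or s == data[i + j] for j, s in enumerate(sig)):
            return i
    return -1


def scan(data, signatures):
    """Return the names of all signatures matching *data*, raw or NOP-stripped."""
    stripped = normalize(data)
    hits = []
    for name, text in signatures.items():
        sig = parse_signature(text)
        if find_signature(data, sig) >= 0 or find_signature(stripped, sig) >= 0:
            hits.append(name)
    return hits


# Constructed signature: the second byte is an immediate value the descendants vary.
SIGNATURES = {"demo-family": "B8 ?? 00 00 00 50 C3"}

# Constructed samples: the original, a descendant with a changed immediate and
# NOPs inserted between its instructions, and a clean file.
SAMPLES = {
    "original": bytes.fromhex("B8 01 00 00 00 50 C3"),
    "nop-padded variant": bytes.fromhex("B8 02 00 00 00 90 90 50 90 C3"),
    "clean": b"Hello, world",
}


def scan_samples():
    """Scan every constructed sample and map its name to the signatures hit."""
    return {name: scan(data, SIGNATURES) for name, data in SAMPLES.items()}
```

Stripping NOPs and using wildcards cover only the simplest polymorphism; the decoding-with-a-varying-key and permutation techniques on the slide need behaviour analysis or emulation, which is why the slides recommend heuristic scanners as a complement to signatures.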

Slide 24: Methods of destruction
The spectrum of destruction ranges from tricks to the crash of the network services of a WLAN network. Deliberate use of malicious programs is a criminal act.
• Tricks: playing music, showing pictures, opening the CD tray, text manipulation, manipulation of input devices, an extra password, etc.
• Disturbing the user with extra advertisements or e-mails
• Occupying resources (e.g. allocation of disk space, memory areas or free network ports; use of interrupts or machine time; extra printing, etc.)
• Intervening in the program management of the operating system
• Deleting or destroying files (data and program files, drivers, etc.)
• Damaging file allocation tables, deleting or formatting partitions

Slide 25: Methods of destruction (continued)
• Making the work of a company or institution impossible in order to enforce financial claims
• Destroying hardware
• The spy program opens a "back door" on the computer so that the writer of the virus can steal files or upload compromising material
• Etc.
Image source: www.mitre.org/pubs/edge/june_98/second.htm

Slide 26: Symptoms of infection, possibilities of detection
• Unusual behaviour of the computer: hanging, hard disk activity without cause, incoherent screen content, unusual messages, etc.
• Damaged or missing files
• The computer halts or restarts automatically
• Errors in the normal running of programs
• Disappeared menu items
• Changes in the length of programs, modified creation times
• Too many unsolicited advertisements in the e-mail box or while browsing the Internet
• Memory runs out too quickly
• Checking the hard disk indicates bad sectors or errors in the file chains
• A virus was found on the computer of a colleague
• Our e-mail contacts inform us that letters we sent carried a virus
Image source: http://www.soon.org.uk/humor/computer.htm

Slide 27: Symptoms of infection, possibilities of detection (continued)
• The network administrator notifies us that our computer may be spreading viruses or worms
• Forwarding e-mails takes an extraordinarily long time
• Unauthorised persons talk about our data
• The computer produces inexplicable hardware errors
• Office files can be saved as templates only
• The virus protection program has found a virus
• Polymorphic, code-manipulating viruses hide from virus protection software; to detect them, virus protection software using heuristic algorithms may be required
• Etc.

Slide 28: Possibilities of the removal of malicious codes
If an infection is detected, it is advisable to switch off the computer. A networked computer should be disconnected from the network.
• Tools and activities needed to remove the virus and restart the infected computer:
  • A write-protected system floppy. Set the floppy as the boot device in the BIOS if needed. Some mainboards can boot from CD-ROM or a flash drive too. Using the system floppy, the computer can be restarted without activating the virus.
  • A virus detection and removal program. Running it, the virus can be caught and removed. Cleaning a virus cannot regenerate the infected files in every case; in such situations the installation disks and earlier backups may be needed.
  • FDISK: boot viruses can be removed by overwriting the boot sectors on the disks, running FDISK with the /MBR switch after starting the system from a system floppy. This overwriting may cause problems if the infected boot sector contained special information for a multi-boot system or a special disk handler. Instead of FDISK, virus removal programs can be used too.

Slide 29: Duties after virus removal:
• A control run of the virus detection program to test whether the removal was successful.
• Localisation of the source of the virus. In case of suspicion, checking and disinfecting external data media (floppy, CD, DVD, flash drive, mobile hard disk) is advisable.
• If possible, notify the source of the virus so that disinfection can take place there too.
• If the virus arrived via the network, reconnecting the computer to the network is advisable only after all the network computers have been disinfected.
• Modern operating systems (e.g. Windows XP) save system recovery files automatically. After virus removal the virus can re-infect from these files, so disinfecting these files is important too.
Image source: http://www.brown.edu/Facilities/CIS/User_Services/Publications/Newsbytes/Nov02/newsbytes1.html
